| Internet-Draft | Svc. Dest. Opt. | May 2025 |
| Bonica, et al. | Expires 7 November 2025 | [Page] |
This document describes an experiment in which VPN service information is encoded in an experimental IPv6 Destination Option. The experimental IPv6 Destination Option is called the VPN Service Option.¶
One purpose of this experiment is to demonstrate that the VPN Service Option can be deployed in a production network. Another purpose is to demonstrate that the security measures described in this document are sufficient to protect a VPN. Finally, this document encourages replication of the experiment.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 7 November 2025.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Generic Packet Tunneling [RFC2473] allows a router in one network to encapsulate a packet in an IP header and send it through the Internet to another router in another network. The receiving router removes the outer IP header and forwards the original packet into its own network. This facilitates connectivity between networks that share a private addressing [RFC1918] [RFC4193] plan but are not connected by a direct link.¶
The IETF refined this concept in a Framework For Virtual Private Networks (VPN) [RFC2764]. It also standardized the following VPN technologies:¶
The VPN technologies mentioned above share the following characteristics:¶
An ingress Provider Edge (PE) router encapsulates customer data in a tunnel header. The tunnel header includes service information. Service Information identifies a Forwarding Information Base (FIB) entry on an egress PE router.¶
The ingress PE router sends the encapsulated packet to the egress PE router.¶
The egress PE router receives the encapsulated packet.¶
The egress PE router searches its FIB for an entry that matches the incoming service information. If it finds one, it removes the tunnel header and forwards the customer data to a Customer Edge (CE) device, as per the FIB entry. If it does not find a matching FIB entry, it discards the packet.¶
The IPv6 VPN Service Destination Option approach offers the following benefits:¶
It does not require configuration on CE devices.¶
It supports many VPNs on a single egress PE router.¶
When a single egress PE router supports many VPNs, it does not require an IP address per VPN.¶
It does not require the use of a sub-IP data plane (e.g., MPLS) to carry service information.¶
It is independent of any traffic engineering solution.¶
None of the VPN solutions mentioned above offer all of these benefits.¶
This document describes an experiment in which VPN service information is encoded in an experimental IPv6 Destination Option [RFC8200]. The experimental IPv6 Destination Option is called the VPN Service Option.¶
One purpose of this experiment is to demonstrate that the VPN Service Option can be deployed in a production network. Another purpose is to demonstrate that the security measures described in Section 7 of this document are sufficient to protect a VPN. In particular, experimenters should report vulnerabilities that:¶
allow nodes outside of the VPN to exchange packets with nodes inside of the VPN¶
allow nodes outside of the VPN to inject packets into the VPN¶
allow nodes outside of the VPN to attract VPN packets to themselves¶
Finally, this document encourages replication of the experiment, so that operational issues can be discovered.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The VPN Service Option is an IPv6 Destination Option encoded according to rules defined in [RFC8200].¶
As described in section 4.2 of [RFC8200] a IPv6 Destination Option contains three fields: Option Type, Opt Data Len, and Option Data. In the VPN Service Option these fields are used as follows:¶
Option Type: 8-bit selector. VPN Service Option. This field MUST be set to RFC3692-style Experiment (0x5E) [V6MSG]. See Note below.¶
Opt Data Len - 8-bit unsigned integer. Length of the option, in bytes, excluding the Option Type and Option Length fields. This field MUST be set to 4.¶
Option Data - 32 bits. VPN Service Information that identifies a FIB entry on the egress PE. The FIB entry determines how the egress PE will forward customer data to a CE device.¶
The VPN Service Option MAY appear in a Destination Options header that immediately precedes an upper-layer header. It MUST NOT appear in any other extension header. If a receiver finds the VPN Service Option in any other extension header, it MUST NOT recognize the option. The packet MUST be processed according to the setting of the two highest order bits of the Option Type (see NOTE below).¶
NOTE: For this experiment, the Option Type is set to '01011110', i.e., 0x5E. The highest-order two bits are set to 01 indicating that the required action by a destination node that does not recognize the option is to discard the packet. The third highest-order bit is set to 0 indicating that Option Data cannot be modified along the path between the packet's source and its destination. The remaining low-order bits are set to '11110' to indicate the single IPv6 Destination Option Type code point available in the registry for experimentation.¶
The ingress PE encapsulates the customer data in a tunnel header. The tunnel header MUST contain an IPv6 header and a Destination Options header that immediately precedes the customer data. It MAY also include any legal combination of IPv6 extension headers.¶
The IPv6 header contains:¶
Source Address - Defined in [RFC8200]. Represents an interface on the ingress PE router. This address SHOULD be chosen according to guidance provided in [RFC6724].¶
Destination Address - Defined in [RFC8200]. Represents an interface on the egress PE router. This address SHOULD be chosen according to guidance provided in [RFC6724].¶
The IPv6 Destination Options Extension Header contains:¶
Next Header - Defined in [RFC8200]. MUST identify the protocol of the customer data.¶
Options - Defined in [RFC8200]. In this experiment, the Options field MUST contain exactly one VPN Service Option as defined in Section 3 of this document. It MAY also contain any legal combination of other Destination Options.¶
The FIB can be populated:¶
By an operator, using a Command Line Interface (CLI).¶
By a controller, using the Path Computation Element (PCE) Communication Protocol (PCEP) [RFC5440] or the Network Configuration Protocol (NETCONF) [RFC6241].¶
By a routing protocol.¶
Routing protocol extensions that support the IPv6 VPN Service Destination Option are beyond the scope of this document. However, experimenters can use existing Border Gateway Protocol (BGP) [RFC4271] [RFC4760] machinery for expediency. In this case, BGP creates a FIB entry exactly as it would if VPN service information were encoded in an MPLS service label. The forwarding plane searches for this FIB entry when processing the VPN Service Destination Option.¶
This document does not make any IANA requests.¶
However, if the experiment described herein succeeds, the authors will reissue this document, to be published on the Standards Track. The reissued document will request an IPv6 Destination Option number, and contain operational recommendations regarding a migration to a new code point.¶
IETF VPN technologies assume that PE devices trust one another. If an egress PE processes a VPN Service Option from an untrusted device, VPN boundaries can be breached.¶
The following are acceptable methods of risk mitigation:¶
Authenticate the tunnel connecting the ingress PE to the egress PE using the IPv6 Authentication Header (AH) [RFC4302] or the IPv6 Encapsulating Security Payload (ESP) Header [RFC4303].¶
Maintain a limited domain.¶
All nodes at the edge limited domain maintain Access Control Lists (ACLs) that discard packets that satisfy the following criteria:¶
Contain an IPv6 VPN Service option.¶
Contain an IPv6 Destination Address that represents an interface inside of the secure limited domain.¶
The mitigation techniques mentioned above operate in fail-open mode. See Section 3 of [I-D.wkumari-intarea-safe-limited-domains] for a discussion of fail-open and fail-closed modes.¶
The mitigation techniques mentioned above also address the tunneling concerns raised in [RFC6169].¶
The VPN Service Option is imposed by an ingress PE and processed by an egress PE. It is not processed by any nodes along the delivery path between the ingress PE and egress PE. So, it is safe to deploy the VPN Service Option across the Internet.¶
However, some networks discard packets that include IPv6 Destination Options. This is an impediment to deployment.¶
Because the VPN Service Option uses an experimental code point, there is a risk of collisions with other experiments. Specifically, the egress PE may process packets from another experiment that uses the same code point.¶
It is expected that, as with all experiments with IETF protocols, care is taken by the operator to ensure that all nodes participating in an experiment are carefully configured.¶
Because the VPN Service Destination Option uses an experimental code point, processing of this option MUST be disabled by default. Explicit configuration is required to enable processing of the option.¶
Parties participating in this experiment should publish experimental results within one year of the publication of this document. Experimental results should address the following:¶
Thanks to Gorry Fairhurst, Antoine Fressancourt, Eliot Lear and Mark Smith for their reviews and contributions to this document.¶