Network Working Group F. Baker
Request for Comments: 4923 Cisco Systems
Category: Informational P. Bose
Lockheed Martin
August 2007
Quality of Service (QoS) Signaling in a Nested Virtual Private Network
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
Some networks require communication between an interior and exterior
portion of a Virtual Private Network (VPN) or through a concatenation
of such networks resulting in a nested VPN, but have sensitivities
about what information is communicated across the boundary,
especially while providing quality of service to communications with
different precedence. This note seeks to outline the issues and the
nature of the proposed solutions based on the framework for
Integrated Services operation over Diffserv networks as described in
RFC 2998.
Baker & Bose Informational [Page 1]
RFC 4923 QoS in a Nested VPN August 2007
Table of Contents
1. Introduction ....................................................3
1.1. Problem Statement ..........................................3
1.2. Background Information and Terminology .....................4
1.3. Nested VPNs ................................................5
1.4. Signaled QoS Technology ....................................7
1.5. The Resource Reservation Protocol (RSVP) ...................9
1.6. Logical Structure of a VPN Router .........................10
2. Reservation and Preemption in a Nested VPN .....................13
2.1. Reservation in a Nested VPN ...............................14
2.2. Preemption in a Nested VPN ................................16
2.3. Working through an Example ................................17
2.3.1. Initial Routine Reservations - Generating Network State ......18
2.3.2. Initial Routine Reservations - Request Reservation ...........19
2.3.3. Installation of a Reservation Using Precedence .....20
2.3.4. Installation of a Reservation Using Preemption .....21
3. Data Flows within a VPN Router .................................24
3.1. VPN Routers That Carry Data across the Cryptographic Boundary ..24
3.1.1. Plaintext to Ciphertext Data Flows .................24
3.1.2. Ciphertext to Plaintext Data Flows .................27
3.2. VPN Routers That Use the Network Guard for Signaling across the Cryptographic Boundary ...28
3.2.1. Signaling Flow .....................................29
3.2.2. Use Case with Network Guard ........................30
4. Security Considerations ........................................33
5. Acknowledgements ...............................................34
6. References .....................................................34
6.1. Normative References ......................................34
6.2. Informative References ....................................35
1. Introduction
1.1. Problem Statement
More and more networks wish to guarantee secure transmission of IP
traffic across public LANs or WANs and therefore use Virtual Private
Networks. Some networks require communication between an interior
and exterior portion of a VPN or through a concatenation of such
networks resulting in a nested VPN, but have sensitivities about what
information is communicated across the boundary, especially while
providing quality of service to communications with different
precedence. This note seeks to outline the issues and the nature of
the proposed solutions. The outline of the QoS solution for real-
time traffic has been described at a high level in [RFC4542]. The
key characteristics of this proposal are that
o it uses standardized protocols,
o it includes reservation setup and teardown for guaranteed and
controlled load services using the standardized protocols,
o it is independent of link delay, and therefore consistent with
high delay*bandwidth networks as well as the more common variety,
o it has no single point of failure, such as a central reservation
manager,