The MPLS WG Archive





draft-ietf-mpls-in-ip-or-gre-04.txt

  • From: Eric Rosen <erosen@cisco.com>
  • Date: Fri, 30 Jan 2004 12:44:01 -0500
  • cc: Yakov Rekhter <yakov@juniper.net>, mpls@UU.NET, zinin@psg.com
  • User-Agent: EMH/1.14.1 SEMI/1.14.3 (Ushinoya) FLIM/1.14.3(Unebigoryōmae) APEL/10.3 Emacs/21.3(sparc-sun-solaris2.8) MULE/5.0 (SAKAKI)


Rahul, based on your suggestions, I propose the following:
-------------------------------------------------------------------------------
    The MPLS-in-IP or MPLS-in-GRE  encapsulated packets should be considered
    as originating at  the tunnel head and as being  destined for the tunnel
    tail; IPsec transport mode SHOULD thus be used.

<new stuff follows>

    The IP  header of the MPLS-in-IP  packet becomes the outer  IP header of
    the resulting  packet when  IPsec transport mode  is used to  secure the
    MPLS-in-IP  packet, by  the ingress  PE. This  is followed  by  an IPsec
    header followed by  the MPLS label stack. The IPsec  header needs to set
    the payload  type to MPLS by  using the IP protocol  number specified in
    section 3.  If IPsec transport  mode is applied on an MPLS-in-GRE packet,
    the GRE header follows the IPsec header.

    At  the tunnel tail,  IPsec outbound  processing recovers  the contained
    MPLS-in-IP/GRE packet.  The egress PE then strips  off the encapsulating
    IP/GRE  header to  recover  the  MPLS packet,  which  is then  forwarded
    according to its label stack.

    Recall that  the tunnel  tail and the  tunnel head are  LSP adjacencies,
    which means that the topmost label of any packet sent through the tunnel
    must be one which was distributed by the tunnel tail to the tunnel head.
    The tunnel tail  MUST know precisely which labels  it has distributed to
    the tunnel heads of IPsec-secured  tunnels.  Labels in this set MUST NOT
    be  distributed by the  tunnel tail  to any  LSP adjacencies  other than
    those  which are  tunnel heads  of  IPsec-secured tunnels.   If an  MPLS
    packet is  received without an  IPsec encapsulation, and if  its topmost
    label is in this set, then the packet MUST be discarded. 

<end of new stuff>

    An   IPsec-secured  MPLS-in-IP  or   MPLS-in-GRE  tunnel   MUST  provide
    authentication  and  integrity.    (Note  that  the  authentication  and
    integrity will apply to the entire MPLS packet, including the MPLS label
    stack.)
-------------------------------------------------------------------------------
Is that okay?
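The rules in the proposed text (the tail tracks the labels it handed to IPsec-secured tunnel heads, refuses to hand those labels to any other adjacency, and discards an unprotected packet whose topmost label is in that set) are easy to get wrong in an implementation, so here is a small model of the tunnel tail's bookkeeping and receive-side check, together with the MPLS-in-IP and MPLS-in-GRE encapsulations the text describes. This is an added example, not text or code from the draft, the mailing list, or any vendor implementation. It assumes IP protocol 137 for MPLS-in-IP (the number the draft's section 3 is taken to specify) and GRE protocol type 0x8847 for MPLS; the IPsec header itself is not modelled, only the fact that IPsec inbound processing delivered the packet (the `via_ipsec` flag); the adjacency names, addresses and label values are made up.

```python
import struct

IPPROTO_GRE = 47
IPPROTO_MPLS_IN_IP = 137          # assumed: the number the draft's section 3 refers to
GRE_PROTO_MPLS_UNICAST = 0x8847   # assumed GRE protocol type for an MPLS payload


def encode_label_stack(labels, ttl=64):
    """Pack label values into 32-bit stack entries: label(20) TC(3) S(1) TTL(8)."""
    out = b""
    for i, label in enumerate(labels):
        bottom = 1 if i == len(labels) - 1 else 0
        out += struct.pack("!I", (label << 12) | (bottom << 8) | ttl)
    return out


def parse_label_stack(data):
    """Return the label values up to and including the bottom-of-stack entry."""
    labels = []
    for off in range(0, len(data) - 3, 4):
        entry, = struct.unpack("!I", data[off:off + 4])
        labels.append(entry >> 12)
        if (entry >> 8) & 1:
            break
    return labels


def ipv4_header(proto, payload_len, src="192.0.2.1", dst="192.0.2.2"):
    """Minimal 20-byte IPv4 header; checksum left zero, addresses are placeholders."""
    to_bytes = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, to_bytes(src), to_bytes(dst))


def build_mpls_in_ip(labels):
    """Tunnel head: IP header (protocol 137) directly followed by the label stack."""
    stack = encode_label_stack(labels)
    return ipv4_header(IPPROTO_MPLS_IN_IP, len(stack)) + stack


def build_mpls_in_gre(labels):
    """Tunnel head: IP header (protocol 47), 4-byte GRE header, then the label stack."""
    stack = encode_label_stack(labels)
    gre = struct.pack("!HH", 0, GRE_PROTO_MPLS_UNICAST)  # no C/K/S flags set
    return ipv4_header(IPPROTO_GRE, 4 + len(stack)) + gre + stack


class TunnelTail:
    """Label distribution and receive-side checks at the egress PE (tunnel tail)."""

    def __init__(self):
        self.distributed = {}    # label -> set of adjacency names it was sent to
        self.ipsec_heads = set()  # adjacencies that are IPsec-secured tunnel heads
        self.ipsec_only = set()   # labels that went to IPsec-secured tunnel heads

    def distribute(self, label, adjacency, ipsec_secured):
        """Hand a label to an LSP adjacency, enforcing the MUST NOT in the draft text."""
        if ipsec_secured:
            self.ipsec_heads.add(adjacency)
        peers = self.distributed.get(label, set())
        if ipsec_secured and any(p not in self.ipsec_heads for p in peers):
            raise ValueError(f"label {label} already given to a non-IPsec adjacency")
        if not ipsec_secured and label in self.ipsec_only:
            raise ValueError(f"label {label} is reserved for IPsec-secured tunnel heads")
        self.distributed.setdefault(label, set()).add(adjacency)
        if ipsec_secured:
            self.ipsec_only.add(label)

    def receive(self, pkt, via_ipsec):
        """Strip the IP/GRE encapsulation and decide whether to forward.
        via_ipsec: True if IPsec inbound processing delivered this packet
        (modelled as a flag rather than a real SA lookup)."""
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            return "discard", "not IPv4"
        proto, ihl = pkt[9], (pkt[0] & 0x0F) * 4
        body = pkt[ihl:]
        if proto == IPPROTO_MPLS_IN_IP:
            stack = body
        elif proto == IPPROTO_GRE and len(body) >= 4:
            flags, ptype = struct.unpack("!HH", body[:4])
            if ptype != GRE_PROTO_MPLS_UNICAST or flags & 0xB000:
                return "discard", "GRE header does not carry a plain MPLS payload"
            stack = body[4:]
        else:
            return "discard", f"unexpected IP protocol {proto}"
        labels = parse_label_stack(stack)
        if not labels:
            return "discard", "empty label stack"
        top = labels[0]
        if top not in self.distributed:
            return "discard", f"top label {top} was not distributed by this tail"
        if not via_ipsec and top in self.ipsec_only:
            return "discard", f"top label {top} is IPsec-only but packet was unprotected"
        return "forward", labels


if __name__ == "__main__":
    tail = TunnelTail()
    tail.distribute(1001, "PE1-ipsec", ipsec_secured=True)
    tail.distribute(2002, "PE3-plain", ipsec_secured=False)
    print(tail.receive(build_mpls_in_ip([1001, 16]), via_ipsec=True))   # forwarded
    print(tail.receive(build_mpls_in_ip([1001, 16]), via_ipsec=False))  # discarded
    print(tail.receive(build_mpls_in_gre([2002]), via_ipsec=False))     # forwarded
```

The point of the `ipsec_only` set is that the label itself is not secret: anyone who can reach the tail's IP address can send an unprotected MPLS-in-IP packet carrying it. The tail's only defence is to remember which labels were handed out over IPsec and to refuse those labels on any path that did not come through IPsec inbound processing, which is exactly what the proposed text requires.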