The MPLS WG Archive


draft-ietf-mpls-in-ip-or-gre-04.txt

  • From: Rahul Aggarwal <rahul@juniper.net>
  • Date: Fri, 30 Jan 2004 10:05:36 -0800 (PST)
  • cc: Yakov Rekhter <yakov@juniper.net>, "" <mpls@UU.NET>, "" <zinin@psg.com>


Hi Eric,

This looks good. Thanks for making the change. One minor comment:

On Fri, 30 Jan 2004, Eric Rosen wrote:

>
> Rahul, based on your suggestions, I propose the following:
> -------------------------------------------------------------------------------
>     The MPLS-in-IP or MPLS-in-GRE  encapsulated packets should be considered
>     as originating at  the tunnel head and as being  destined for the tunnel
>     tail; IPsec transport mode SHOULD thus be used.
>
> <new stuff follows>
>
>     The IP  header of the MPLS-in-IP  packet becomes the outer  IP header of
>     the resulting  packet when  IPsec transport mode  is used to  secure the
>     MPLS-in-IP  packet, by  the ingress  PE. This  is followed  by  an IPsec

Maybe replace ingress PE by tunnel head.

rahul


>     header followed by  the MPLS label stack. The IPsec  header needs to set
>     the payload  type to MPLS by  using the IP protocol  number specified in
>     section 3.  If IPsec transport  mode is applied on a MPLS-in-GRE packet,
>     the GRE header follows the IPsec header.
>
>     At  the tunnel tail,  IPsec outbound  processing recovers  the contained
>     MPLS-in-IP/GRE packet.  The egress PE then strips  off the encapsulating
>     IP/GRE  header to  recover  the  MPLS packet,  which  is then  forwarded
>     according to its label stack.
>
>     Recall that  the tunnel  tail and the  tunnel head are  LSP adjacencies,
>     which means that the topmost label of any packet sent through the tunnel
>     must be one which was distributed by the tunnel tail to the tunnel head.
>     The tunnel tail  MUST know precisely which labels  it has distributed to
>     the tunnel heads of IPsec-secured  tunnels.  Labels in this set MUST NOT
>     be  distributed by the  tunnel tail  to any  LSP adjacencies  other than
>     those  which are  tunnel heads  of  IPsec-secured tunnels.   If an  MPLS
>     packet is  received without an  IPsec encapsulation, and if  its topmost
>     label is in this set, then the packet MUST be discarded.
>
> <end of new stuff>
>
>     An   IPsec-secured  MPLS-in-IP  or   MPLS-in-GRE  tunnel   MUST  provide
>     authentication  and  integrity.    (Note  that  the  authentication  and
>     integrity will apply to the entire MPLS packet, including the MPLS label
>     stack.)
> -------------------------------------------------------------------------------
> Is that okay?
>
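The tail-side label rule in the proposed text above, sketched as an added example (not part of the original message or the draft). The class `TunnelTail`, its method names, the `via_ipsec` flag and the label values are hypothetical; the label stack entry layout is the one from RFC 3032, and dropping labels that were never distributed is an assumption of this sketch.

```python
import struct

def make_entry(label, exp=0, bottom=True, ttl=64):
    """Build one RFC 3032 label stack entry: label(20) | Exp(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)

def top_label(mpls_packet):
    """Return the 20-bit label of the topmost label stack entry."""
    if len(mpls_packet) < 4:
        raise ValueError("truncated label stack entry")
    (entry,) = struct.unpack("!I", mpls_packet[:4])
    return entry >> 12

class TunnelTail:
    """Hypothetical tail-side bookkeeping for the label rule in the proposed text."""

    def __init__(self):
        self.secured = set()    # labels distributed to heads of IPsec-secured tunnels
        self.unsecured = set()  # labels distributed to every other LSP adjacency

    def distribute(self, label, head_is_ipsec_secured):
        # A label must never be shared between the two kinds of adjacency.
        mine, other = ((self.secured, self.unsecured) if head_is_ipsec_secured
                       else (self.unsecured, self.secured))
        if label in other:
            raise ValueError(f"label {label} already used on the other adjacency type")
        mine.add(label)

    def accept(self, mpls_packet, via_ipsec):
        """via_ipsec (assumption): set by the IPsec layer only after the packet
        passed authentication and integrity checks."""
        try:
            label = top_label(mpls_packet)
        except ValueError:
            return False                      # malformed: discard
        if label in self.secured:
            return via_ipsec                  # secured label without IPsec: discard
        return label in self.unsecured        # labels never distributed: discard

def demo():
    """Constructed sample: label 1001 on a secured tunnel, 2002 on a plain adjacency."""
    tail = TunnelTail()
    tail.distribute(1001, head_is_ipsec_secured=True)
    tail.distribute(2002, head_is_ipsec_secured=False)
    cases = [(1001, True), (1001, False), (2002, False), (3003, True)]
    return [tail.accept(make_entry(l), ipsec) for l, ipsec in cases]

if __name__ == "__main__":
    print(demo())
```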