MPLS VPNs or not?

Vadim Antonov avg at exigengroup.com
Wed Aug 8 10:18:36 UTC 2001

On Wed, 8 Aug 2001, Yakov Rekhter wrote:

> Then to be consistent with your own position, you certainly should agree 
> that 2547 is "the way to do" VPNs, as with 2547 all the VPN-related 
> information is confined to the PEs (where "PE" stands for provider *edge*),
> and none of the P (core) routers maintain any VPN-related information.

Ghm. Unless you do not count MPLS labels as routing information, that's
it.

  "All that matters for the VPN architecture is
   that some label switched path between the router and its BGP next hop
   exists."  [sic]

I particularly liked discussion of using border routers for inter-AS VPN
routing.  These are precisely the ones which are usually in deep poo-poo
in case of any routing instability.

  "PE routers (and ASBRs which redistribute VPN-IPv4 addresses) need to
   insert /32 address prefixes for themselves into the IGP routing
   tables of the backbone.  This enables MPLS, at each node in the
   backbone network, to assign a label corresponding to the route to
   each PE router.  (Certain procedures for setting up label switched
   paths in the backbone may not require the presence of the /32 address
   prefixes.)"

I hope I understood that right. Inserting _any_ additional stuff into
backbone IGP is pretty much close to suicide.  The first rapidly flapping
circuit or box will get your backbone crash and burn.  How many PE routers
are attached to a typical backbone? What is the probability of one of them
going banana (or getting a loose cluster LAN connection, or a flap attack 
from _within_ customer VPN, saturating its processor to the point that it 
loses backbone IGP timeouts? I.e. all it takes to kill the backbone is
one smartass with gated on his workstation - insides of VPNs are not known
for stringent filtering of routing information).

A good rule for a backbone operator is to have _only_ core routers (not
customer access concentrator boxes) participate in IGP, injecting one
prefix each, to hang iBGP mesh off.  (As a side note - does anyone do flap
damping in IGPs?)  That was the reason why I asked Paul and Tony to make a
knob to allow preservation of next-hop addresses in border BGP routers in
the first place (yep, and to hang off all those tiny AS-es off 1239 :)

Handwaving, Yakov.  Saying that 2547's VPN routing information is confined
to PEs is a case of selective vision.  _Interior_ VPN information is
hidden, yes, but exterior of VPNs is quite visible. And in the words "this
enables MPLS, at each node in the backbone network, to assign a label
corresponding to the route to each PE router" are hidden all those teeny
weeny label information exchanges, which have to happen every time IGP
hiccups.

Compare that with tunnelled or NAT-based VPNs which do not force backbone
boxes to do anything but native IPv4 routing; and, yes, allow them to
aggregate, too.  And it does not require cross-provider exchange of /32s
or any new bugs in BGP engines.

What I see is an attempt to drag in new features to solve a problem which
was adequately solved years ago in ways which do not contribute to core
network instability.  2547 is a neat idea, but falls short of criteria of
being safe and absolutely necessary to deliver VPN service.  Sometimes
older ways are simply better.

--vadim
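As an added illustration that is not part of the original post, the thread, or RFC 2547, here is a small Python model of the blast radius the message argues about: a constructed ring of four P routers with two PE boxes each, counting, for one reachability transition of a single PE, how many IGP members must rerun SPF, how many LSA transmissions the flood costs, and how many P routers must rebind a label for the PE's /32, with the PEs inside the backbone IGP versus hanging off iBGP as the message recommends. The topology, the event accounting, and the rule that every P router rebinds a label for each PE /32 are assumptions of this model, not measurements.

```python
"""Constructed blast-radius model for the two designs argued above (not RFC 2547 or
any vendor's behaviour): one IGP change is flooded over every IGP adjacency, every
IGP member reruns SPF, and every P router rebinds the MPLS label for the withdrawn
/32. BGP withdrawal of the customer routes occurs in both designs and is left out."""
from collections import deque

# Constructed topology: 4 P routers in a ring, two PE boxes hanging off each P.
P_ROUTERS = ["P1", "P2", "P3", "P4"]
PE_ROUTERS = {p: [f"{p}-PEa", f"{p}-PEb"] for p in P_ROUTERS}
ADJ = {}

def link(a, b):
    ADJ.setdefault(a, set()).add(b)
    ADJ.setdefault(b, set()).add(a)

for i, p in enumerate(P_ROUTERS):
    link(p, P_ROUTERS[(i + 1) % len(P_ROUTERS)])      # ring
    for pe in PE_ROUTERS[p]:
        link(p, pe)                                     # PE uplink

def flood(origin, igp_members):
    """Flood one LSA from origin across IGP adjacencies only.
    Returns (members that must rerun SPF, LSA transmissions on links)."""
    seen, queue, sent = {origin}, deque([origin]), 0
    while queue:
        node = queue.popleft()
        for nbr in ADJ[node]:
            if nbr not in igp_members:
                continue      # a box outside the IGP never sees the flood
            sent += 1         # LSA forwarded; duplicates still cost a packet
            if nbr not in seen:
                seen.add(nbr)
                queue.append(nbr)
    return seen - {origin}, sent

def flap_cost(flapping_pe, pes_in_igp):
    """Backbone work caused by one reachability transition of flapping_pe.
    pes_in_igp=True : 2547-style, PE /32s live in the backbone IGP.
    pes_in_igp=False: only P routers run the IGP; the PE hangs off its P via iBGP."""
    attached_p = next(p for p, pes in PE_ROUTERS.items() if flapping_pe in pes)
    if not pes_in_igp:
        # Nothing enters the IGP; only the attached P router sees a session change.
        return {"spf_runs": 0, "lsa_transmissions": 0, "label_rebinds": 0,
                "routers_touched": [attached_p]}
    members = set(P_ROUTERS) | {pe for pes in PE_ROUTERS.values() for pe in pes}
    spf_nodes, sent = flood(flapping_pe, members)
    return {"spf_runs": len(spf_nodes), "lsa_transmissions": sent,
            "label_rebinds": sum(n in P_ROUTERS for n in spf_nodes),
            "routers_touched": sorted(spf_nodes)}
```

Calling `flap_cost("P1-PEa", True)` and `flap_cost("P1-PEa", False)` shows the difference: with PEs in the IGP, one transition reaches all eleven other members and every P router, while with PEs off the IGP only the attached P router is touched.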

More information about the NANOG mailing list