MPLS VPN关键技术研究及在ACR中的设计与实现
摘要
随着社会的发展,用户对VPN(Virtual Private Network)的需求也日渐增长。作为NGN(下一代网络)的核心接入设备,ACR(大规模接入汇聚路由器)要为用户提供完善的VPN服务。BGP/MPLS VPN由于在安全性,扩展性,灵活性等方面的优点,成为了ACR系统为用户提供VPN服务最理想的方式。本文结合国家863计划信息技术领域重大项目“大规模接入汇聚路由器(ACR)系统性能与关键技术研究”,深入研究在ACR系统上实现BGP/MPLS VPN的设计方案。
针对ACR-S需要接入大量VPN用户,且端口数量有限的问题,提出了将VPN功能进行划分,由ACR-S和EMD协作完成的方案,从而解决了ACR实现BGP/MPLS VPN的难题。对于BGP/MPLS VPN的具体实现,给出了详细的协议流程设计。
针对ACR-S系统转发设计,分为MPLS基本转发和BGP/MPLS VPN转发两部分,给出了详细的转发处理流程和VRF,FTN,ILM的设计方案。对查表方式进行了修改,将串行查表方式改为并行查表方式,提高了查表的效率。对于下发到转发板的FTN,ILM表项,提出了3层标记的设计思想,使VPN数据转发只需要一次查表,代替了循环查表。
在ACR上对BGP/MPLS VPN进行测试,给出了多种测验方案,通过测验结果证明了方案在ACR能够高效的实现BGP/MPLS VPN。
With the development of society, The demand Of end users for VPN (Virtual Private Network) has increased .As the access equipment at the core of NGN (next generation network), ACR (large-scale Access Convergence Router)shall provide a comprehensive set of VPN services for users. Because of BGP VPN in security, scalability, flexibility and so on the merits, ACR system has become the best way to provide users with VPN services. Based on the "large-scale Access Convergence Router (ACR) performance and key technology research",which is the state's 863 major projects planned in the field of information technology, in systemic function and key technologies ,the article further study the schemes of BGP VPN program in ACR system .
As ACR-S needs to access lots of VPN end users, and the amount of interface is limited, the article points outs the schemes that it should divide the function of VPN completed by the collaboration of ACR-S and EMD. Thus it has settled the difficult problem of the realization of BGP/MPLS VPN for ACR. For the specific realization of BGP/MPLS VPN, the article gives out specific agreement flow design.
Because ACR-S system transmit design include two part :MPLS basic transmit and BGP/MPLS VPN transmit, this article gives out the specific transmit process flow and the design of VRF, FTN, ILM. It also adjust the way of table look-up, and change the series look-up table method into parallel table look-up way. Thus it raises the efficiency of look-up table. As for the FTN, ILM table descended to the transmit plane, this article proposes the design idea of 3-layer mark. Therefore, it makes the VPN only need one time to look up table rather than use the recycled way.
It test BGP\MPLSAVPN in ACR, and also gives out lots of test plan. Through out the test effect, it proves that the scheme of ACR can efficiently prompt the realization of BGP\MPLS VPN.
针对ACR-S需要接入大量VPN用户,且端口数量有限的问题,提出了将VPN功能进行划分,由ACR-S和EMD协作完成的方案,从而解决了ACR实现BGP/MPLS VPN的难题。对于BGP/MPLS VPN的具体实现,给出了详细的协议流程设计。
针对ACR-S系统转发设计,分为MPLS基本转发和BGP/MPLS VPN转发两部分,给出了详细的转发处理流程和VRF,FTN,ILM的设计方案。对查表方式进行了修改,将串行查表方式改为并行查表方式,提高了查表的效率。对于下发到转发板的FTN,ILM表项,提出了3层标记的设计思想,使VPN数据转发只需要一次查表,代替了循环查表。
在ACR上对BGP/MPLS VPN进行测试,给出了多种测验方案,通过测验结果证明了方案在ACR能够高效的实现BGP/MPLS VPN。
With the development of society, The demand Of end users for VPN (Virtual Private Network) has increased .As the access equipment at the core of NGN (next generation network), ACR (large-scale Access Convergence Router)shall provide a comprehensive set of VPN services for users. Because of BGP VPN in security, scalability, flexibility and so on the merits, ACR system has become the best way to provide users with VPN services. Based on the "large-scale Access Convergence Router (ACR) performance and key technology research",which is the state's 863 major projects planned in the field of information technology, in systemic function and key technologies ,the article further study the schemes of BGP VPN program in ACR system .
As ACR-S needs to access lots of VPN end users, and the amount of interface is limited, the article points outs the schemes that it should divide the function of VPN completed by the collaboration of ACR-S and EMD. Thus it has settled the difficult problem of the realization of BGP/MPLS VPN for ACR. For the specific realization of BGP/MPLS VPN, the article gives out specific agreement flow design.
Because ACR-S system transmit design include two part :MPLS basic transmit and BGP/MPLS VPN transmit, this article gives out the specific transmit process flow and the design of VRF, FTN, ILM. It also adjust the way of table look-up, and change the series look-up table method into parallel table look-up way. Thus it raises the efficiency of look-up table. As for the FTN, ILM table descended to the transmit plane, this article proposes the design idea of 3-layer mark. Therefore, it makes the VPN only need one time to look up table rather than use the recycled way.
It test BGP\MPLSAVPN in ACR, and also gives out lots of test plan. Through out the test effect, it proves that the scheme of ACR can efficiently prompt the realization of BGP\MPLS VPN.
引文
[1]国家数字交换系统工程技术研究中心.大规模接入汇聚路由器(ACR)总体技术规范[R].2005年2月.
[2]倪剑虹,吕光宏.基于VPN的不同实现方式的技术研究[J].计算机应用研究,2005.7.;257-260.
[3]梁琦,张力军.MPLS VPN不同解决方案的比较分析[J].电信工程技术与标准化,2005.6;15-20.
[4]中华人民共和国通信行业标准,多协议标记交换(MPLS)(总体技术要求)[S].YD/T ⅩⅩⅩⅩ ⅩⅩⅩⅩ-- --.2000,2000 ⅩⅩ ⅩⅩ发布.
[5]E.Rosen,Y.Rekhter.BGP/MPLS VPNs[S].IETF RFC 2547,March 1999.
[6]吴江,赵慧玲.下一代的IP骨干网络技术--多协议标记交换[M].人民邮电出版社.2001;15-39.
[7]彭晖等.新型的骨干网络路由平台--MPLS[M].人民邮电出版社,2002;25-90.
[8]李晓东.MPLS技术与实现[M].电子工业出版社 2002;12-46.
[9]Y.Rekhter,T.Li,A Border Gateway Protocol 4[S],IETF RFC 1654,March 1995.
[10]Ivan Pepelnjak,Jim Guichard,MPLS and VPN Architectures;A practical guide to understanding,designing and deploying MPLS and MPLS-enabled VPNs[M].Cisco Press,2001.
[11]Eric C.Rosen Cisco Systems Yakov Rekhter Juniper Networks,Using BGP as an Auto-Discovery Mechanism for Provider-provisioned VPNs[M],February 2004.
[12]D.Katz Juniper Networks,Multiprotocol Extensions for BGP-4[S],IETF RFC 2858.June 2000.
[13]T..Bates,R.Chandra,D.Katz,Y.Rekhter.Multiprotocol Extensions for BGP-4[S].IETF RFC2283.February 1998.
[14]Ivan PepenInjak.Jim Guichard.MPLS和VPN体系结构(第2卷)[M].人民邮电出版社,2004;5-14.
[15]ZebOS Advanced Routing Suite Version 6.1.2,MPLS Layer-3 VPN Configuration Guide February[M],2004.
[16]Chandra,R.Traina,P.and T.Li BGP Communities Attribute[S],IETF RFC 1997,August 1996
[17]冯径等.多协议标记交换技术[M].北京人民邮电出版社,2002.9-34.
[18]石晶林,丁炜.MPLS宽带网络互连技术[M].中国通信学会主编.人民邮电出版社,2001;7-35
[19]E.Rosen,A,Viswanathan,R.Callon,Multi-protocol Label Switching Architecture[S],IETF RFC 3031,January 2001.
[20]E.Rosen,D.Tappan,G.Fedorkow,Y.Rekhter,D.Farinacci,T.Li,A.Conta,MPLS Label Stack Encoding[S],IETF RFC 3032,January 2001.
[21]Puneet Agarwal,Bora A.Akyol,TTL Processing in MPLS Networks[S],IETF RFC3443,January 2003.
[22]Bloornberg L.P.A,Viswanathan Multiprotocol Label Switching(MPLS)Forwarding Equivalence Class To Next Hop Label Forwarding Entry(FEC-To-NHLFE)Management Information Base(MIB)[S],RFC 3814,June 2004.
[23]Network Working Group S.Bradner,Benchrnarking Methodology for Network Interconnect Devices[S],RFC2588,March 1999.
[24]史先琳.IPSec VPN和MPLS VPN技术分析及比较[J].四川测绘,第28卷第2期 2005.6;85-88.
[25]饶兰兰,陈涛.MPLS VPN网络收敛性问题研究[J].网络运营与管理,2006.3.24-29.
[26]Michael,H.Behringer,Analysis of the Security of BGP/MPLS IP VPNs draft-behringer-mpls-security-04.txt[EB],IETF.org,May 2003.
[27]任宇清.IP组播在BGP/MPLSVPN环境中的实现与分析[J].现代电信科技,2005.7;16-21.
[2]倪剑虹,吕光宏.基于VPN的不同实现方式的技术研究[J].计算机应用研究,2005.7.;257-260.
[3]梁琦,张力军.MPLS VPN不同解决方案的比较分析[J].电信工程技术与标准化,2005.6;15-20.
[4]中华人民共和国通信行业标准,多协议标记交换(MPLS)(总体技术要求)[S].YD/T ⅩⅩⅩⅩ ⅩⅩⅩⅩ-- --.2000,2000 ⅩⅩ ⅩⅩ发布.
[5]E.Rosen,Y.Rekhter.BGP/MPLS VPNs[S].IETF RFC 2547,March 1999.
[6]吴江,赵慧玲.下一代的IP骨干网络技术--多协议标记交换[M].人民邮电出版社.2001;15-39.
[7]彭晖等.新型的骨干网络路由平台--MPLS[M].人民邮电出版社,2002;25-90.
[8]李晓东.MPLS技术与实现[M].电子工业出版社 2002;12-46.
[9]Y.Rekhter,T.Li,A Border Gateway Protocol 4[S],IETF RFC 1654,March 1995.
[10]Ivan Pepelnjak,Jim Guichard,MPLS and VPN Architectures;A practical guide to understanding,designing and deploying MPLS and MPLS-enabled VPNs[M].Cisco Press,2001.
[11]Eric C.Rosen Cisco Systems Yakov Rekhter Juniper Networks,Using BGP as an Auto-Discovery Mechanism for Provider-provisioned VPNs[M],February 2004.
[12]D.Katz Juniper Networks,Multiprotocol Extensions for BGP-4[S],IETF RFC 2858.June 2000.
[13]T..Bates,R.Chandra,D.Katz,Y.Rekhter.Multiprotocol Extensions for BGP-4[S].IETF RFC2283.February 1998.
[14]Ivan PepenInjak.Jim Guichard.MPLS和VPN体系结构(第2卷)[M].人民邮电出版社,2004;5-14.
[15]ZebOS Advanced Routing Suite Version 6.1.2,MPLS Layer-3 VPN Configuration Guide February[M],2004.
[16]Chandra,R.Traina,P.and T.Li BGP Communities Attribute[S],IETF RFC 1997,August 1996
[17]冯径等.多协议标记交换技术[M].北京人民邮电出版社,2002.9-34.
[18]石晶林,丁炜.MPLS宽带网络互连技术[M].中国通信学会主编.人民邮电出版社,2001;7-35
[19]E.Rosen,A,Viswanathan,R.Callon,Multi-protocol Label Switching Architecture[S],IETF RFC 3031,January 2001.
[20]E.Rosen,D.Tappan,G.Fedorkow,Y.Rekhter,D.Farinacci,T.Li,A.Conta,MPLS Label Stack Encoding[S],IETF RFC 3032,January 2001.
[21]Puneet Agarwal,Bora A.Akyol,TTL Processing in MPLS Networks[S],IETF RFC3443,January 2003.
[22]Bloornberg L.P.A,Viswanathan Multiprotocol Label Switching(MPLS)Forwarding Equivalence Class To Next Hop Label Forwarding Entry(FEC-To-NHLFE)Management Information Base(MIB)[S],RFC 3814,June 2004.
[23]Network Working Group S.Bradner,Benchrnarking Methodology for Network Interconnect Devices[S],RFC2588,March 1999.
[24]史先琳.IPSec VPN和MPLS VPN技术分析及比较[J].四川测绘,第28卷第2期 2005.6;85-88.
[25]饶兰兰,陈涛.MPLS VPN网络收敛性问题研究[J].网络运营与管理,2006.3.24-29.
[26]Michael,H.Behringer,Analysis of the Security of BGP/MPLS IP VPNs draft-behringer-mpls-security-04.txt[EB],IETF.org,May 2003.
[27]任宇清.IP组播在BGP/MPLSVPN环境中的实现与分析[J].现代电信科技,2005.7;16-21.