[e2e] How can the VPN service level agreement be enforced crossing ASs?

Andrew Smith ah_smith at pacbell.net
Thu Apr 5 18:43:42 PDT 2001


AFAIK, this is an unsolved problem, or at least it has undeployed solutions.
But there are people talking of supporting such services soon. I think it
does need further standards work to make it happen in a multi-vendor way.
The PPVPN WG is supposed to identify some of the issues with this:
http://www.ietf.org/html.charters/ppvpn-charter.html says, amongst other

"The [PPVPN] working group is expected to consider at least three specific
approaches including BGP-VPNs (e.g. RFC 2547), virtual routers and
port-based VPNs (i.e., where the SP provides a Layer 2 interface, such as
Frame Relay or ATM, to the VPN customer, while using IP-based mechanisms in
the provider infrastructure to improve scalability and configurability over
traditional L2 networks). Multiple approaches are being developed as each
approach has particular characteristics and differing scope of

The working group will consider inter-AS (SP) VPN interconnects so that VPNs
are able to span multiple ASs (SPs)."

But don't hold your breath as they are not scheduled to finish deliberating
until March 2002 ... I think you'll see some commercial deployments before
then though.


-----Original Message-----
From: end2end-interest-admin at postel.org
[mailto:end2end-interest-admin at postel.org]On Behalf Of Yingfei Dong
Sent: Thursday, April 05, 2001 2:11 PM
To: end2end-interest at postel.org
Subject: [e2e] How can the VPN service level agreement be enforced
crossing ASs?

hi, there,

I have a question about the implementation of VPN across different ASs.
How can the VPN service level agreement be enforced crossing ASs?
(If this is not the right list to post this question, please let me know where
I need to post this. Thanks.)

The service guarantee in a single domain is not too difficult to achieve.
However, if a src and a des of a VPN pipe are in two different ASs, how
is the VPN implemented? We can buy bandwidth guarantee from two
ISPs, but how to connect the two separated pipes as a whole VPN pipe at
the edge of ASs?

The whole VPN pipe either crosses a NAP or goes through a private peering
link between the two ASs. If it crosses a NAP, there is no control for the
VPN pipe at the NAP. If it crosses a private peering link, are there some
service agreements (e.g., bandwidth provision) on the private peering link
between two ISPs?  (Most likely, the agreement is only about reachability
through BGP policies.) If no service provision on the peering link, the
SLA of the VPN pipe is broken at the link.

So, it is not clear how the SLA of a crossing-domain VPN is achieved.
Could anyone point out some references about this?

One possible example I know is InterNAP, but they don't give any details
about their implementation.
InterNAP sets up service agreements with ISPs and builds their own Private
NAPs. They claim that using their Private NAPs (which run their
intelligent optimized routing algorithms) can direct the traffic to
a proper AS to achieve certain service quality.
How to implement the private NAPs is very interesting.

Looking forward to your comments or references. thanks a lot,


Yingfei Dong
Ph.D student, U of Minnesota,
4-192 EECS Building,
200 Union Street, SE            Tel: 612-626-7526
Minneapolis, MN 55455           FAX: 612-625-0572
