| RFC 9837 | VPN Service Destination Option | August 2025 |
| Bonica, et al. | Experimental | [Page] |
This document describes an experiment in which VPN service information is encoded in an experimental IPv6 Destination Option. The experimental IPv6 Destination Option is called the VPN Service Option.¶
One purpose of this experiment is to demonstrate that the VPN Service Option can be deployed in a production network. Another purpose is to demonstrate that the security measures described in this document are sufficient to protect a VPN. Finally, this document encourages replication of the experiment.¶
This document is not an Internet Standards Track specification; it is published for examination, experimental implementation, and evaluation.¶
This document defines an Experimental Protocol for the Internet community. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9837.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Generic Packet Tunneling[RFC2473] allows a router in one network to encapsulate a packet in an IP header and send it to a router in another network. The receiving router removes the outer IP header and forwards the original packet into its own network. This facilitates connectivity between networks that share a private addressing[RFC1918][RFC4193] plan but are not connected by a direct link.¶
The IETF refined this concept in the Framework for VPN[RFC2764]. The IETF also standardized the following VPN technologies:¶
IPsec VPNs cryptographically protect all traffic from customer endpoint to customer endpoint. All of the other VPN technologies mentioned above share the following characteristics:¶
An ingress Provider Edge (PE) router encapsulates customer data in a tunnel header. The tunnel header includes service information. Service information identifies a Forwarding Information Base (FIB) entry on an egress PE router.¶
The ingress PE router sends the encapsulated packet to the egress PE router.¶
The egress PE router receives the encapsulated packet.¶
The egress PE router searches its FIB for an entry that matches the incoming service information. If it finds one, it removes the tunnel header and forwards the customer data to a Customer Edge (CE) device, as per the FIB entry. If it does not find a matching FIB entry, it discards the packet.¶
This document describes an experiment in which VPN service information is encoded in an experimental IPv6 Destination Option[RFC8200]. The experimental IPv6 Destination Option is called the VPN Service Option.¶
The solution described in this document offers the following benefits:¶
It does not require configuration on CE devices.¶
It encodes service information in the IPv6 extension header. Therefore, it does not require any non-IPv6 headers (e.g., MPLS headers) to carry service information.¶
It supports many VPNs on a single egress PE router.¶
When a single egress PE router supports many VPNs, it does not require an IP address per VPN.¶
It does not rely on any particular control plane.¶
One purpose of this experiment is to demonstrate that the VPN Service Option can be deployed in a production network. Another purpose is to demonstrate that the security measures described inSection 7 of this document are sufficient to protect a VPN. Finally, this document encourages replication of the experiment, so that operational issues can be discovered.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14[RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The VPN Service Option is an IPv6 Destination Option encoded according to rules defined in[RFC8200].¶
As described inSection 4.2 of [RFC8200], an IPv6 Destination Option contains three fields: Option Type, Opt Data Len, and Option Data. In the VPN Service Option, these fields are used as follows:¶
Option Type: 8-bit selector. VPN Service Option. This fieldMUST be set to 0x5E (RFC3692-style Experiment)[V6MSG]. See NOTE below.¶
Opt Data Len: 8-bit unsigned integer. Length of the option, in bytes, excluding the Option Type and Option Length fields. This fieldMUST be set to 4.¶
Option Data: 32 bits. VPN service information that identifies a FIB entry on the egress PE. The FIB entry determines how the egress PE will forward customer data to a CE device.¶
A single VPN Service OptionMAY appear in a Destination Options headerthat immediately precedes an upper-layer header. ItMUST NOT appear in any otherextension header. If a receiver finds the VPN Service Option in any otherextension header, itMUST NOT recognize the option. The packetMUST be processed according to the setting of the two highest-order bits of the Option Type (see NOTE below).¶
NOTE: For this experiment, the Option Type is set to '01011110', i.e.,0x5E. The highest-order two bits are set to 01, indicating that therequired action by a destination node that does not recognize the optionis to discard the packet. The third highest-order bit is set to 0,indicating that Option Data cannot be modified along the path betweenthe packet's source and its destination. The remaining low-order bitsare set to '11110' to indicate the single IPv6 Destination Option Typecode point available in the "Destination Options and Hop-by-Hop Options" registry[V6MSG] for experimentation.¶
The ingress PE encapsulates the customer data in a tunnel header. The tunnel headerMUST contain an IPv6 header and a Destination Options header that immediately precedes the customer data. ItMAY also include any legal combination of IPv6 extension headers.¶
The IPv6 Header contains the following (all defined in[RFC8200]):¶
Version -MUST be equal to 6.¶
Traffic Class¶
Flow Label¶
Payload Length¶
Next Header¶
Hop Limit¶
Source Address - Represents an interface on the ingress PE router. This addressSHOULD be chosen according to guidance provided in[RFC6724].¶
Destination Address - Represents an interface on the egress PE router. This addressSHOULD be chosen according to guidance provided in[RFC6724].¶
The IPv6 Destination Options Extension Header contains the following (all defined in[RFC8200]):¶
The FIB can be populated by:¶
An operator, using a Command-Line Interface (CLI)¶
A controller, using the Path Computation ElementCommunication Protocol (PCEP)[RFC5440] or the NetworkConfiguration Protocol (NETCONF)[RFC6241]¶
A routing protocol¶
Routing protocol extensions that support the VPN Service Option are beyond the scope of this document.¶
This document has no IANA actions.¶
A VPN is characterized by the following security policy:¶
Nodes outside of a VPN cannot inject traffic into the VPN.¶
Nodes inside a VPN cannot send traffic outside of the VPN.¶
A set of PE routers cooperate to enforce this security policy. If a device outside of that set could impersonate a device inside of the set, it would be possible for that device to subvert security policy. Therefore, impersonation must not be possible. The following paragraphs describe procedures that prevent impersonation.¶
The VPN Service Option can be deployed:¶
When the VPN Service Option is deployed on the global Internet, the tunnel that connects the ingress PE to the egress PEMUST be cryptographically protected by one of the following:¶
When the VPN Service Option is deployed in a limited domain, all nodes at the edge of limited domainMUST maintain Access Control Lists (ACLs). These ACLsMUST discard packets that satisfy the following criteria:¶
Contain a VPN Service Option¶
Contain an IPv6 Destination Address that represents an interface inside of the limited domain¶
The mitigation techniques mentioned above operate in fail-open mode. That is, they requireexplicit configuration in order to ensure that packetsusing the approach described in this document do not leak out of a domain.See[SAFE-LIM-DOMAINS] for a discussion of fail-open and fail-closed modes.¶
For further information on the security concerns related to IP tunnels and the recommended mitigation techniques, please see[RFC6169].¶
The VPN Service Option is imposed by an ingress PE and processed by anegress PE. It is not processed by any other nodes along the delivery pathbetween the ingress PE and egress PE.¶
However, some networks discard packets that include IPv6 Destination Options. This is an impediment to deployment.¶
Because the VPN Service Option uses an experimental code point, thereis a risk of collisions with other experiments. Specifically, theegress PE may process packets from another experiment that uses thesame code point.¶
As with all experiments with IETF protocols, it is expected thatcare is taken by the operator to ensure that all nodes participatingin an experiment are carefully configured.¶
Because the VPN Service Destination Option uses an experimental code point,processing of this optionMUST be disabled by default. Explicit configurationis required to enable processing of the option.¶
Parties participating in this experiment should publish experimental results within one year of the publication of this document. Experimental results should address the following:¶
Thanks toGorry Fairhurst,Antoine Fressancourt,Eliot Lear, andMark Smith for their reviews and contributions to this document.¶