The IPv6 VPN Service Destination Option Juniper Networks
Herndon Virginia United States of America rbonica@juniper.net
CERNET Center/Tsinghua University
Beijing China xing@cernet.edu.cn
Old Dog Consulting
United Kingdom adrian@olddog.co.uk
NTT DOCOMO BUSINESS
Chiyoda-ku, Tokyo Japan y.kamite@ntt.com
Verizon
Richardson Texas United States of America luay.jalil@one.verizon.com
INT 6man IPv6 Destination Option VPN This document describes an experiment in which VPN service information is encoded in an experimental IPv6 Destination Option. The experimental IPv6 Destination Option is called the VPN Service Option. One purpose of this experiment is to demonstrate that the VPN Service Option can be deployed in a production network. Another purpose is to demonstrate that the security measures described in this document are sufficient to protect a VPN. Finally, this document encourages replication of the experiment.
Status of This Memo This document is not an Internet Standards Track specification; it is published for examination, experimental implementation, and evaluation. This document defines an Experimental Protocol for the Internet community. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .
Copyright Notice Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Table of Contents
  • .  Introduction
  • .  Conventions and Definitions
  • .  The VPN Service Option
  • .  Forwarding Plane Considerations
  • .  Control Plane Considerations
  • .  IANA Considerations
  • .  Security Considerations
  • .  Deployment Considerations
  • .  Experimental Results
  • References
    • .  Normative References
    • .  Informative References
  • Acknowledgements
  • Authors' Addresses
Introduction Generic Packet Tunneling allows a router in one network to encapsulate a packet in an IP header and send it to a router in another network. The receiving router removes the outer IP header and forwards the original packet into its own network. This facilitates connectivity between networks that share a private addressing plan but are not connected by a direct link. The IETF refined this concept in the Framework for VPN . The IETF also standardized the following VPN technologies:
  • IPsec VPN
  • Layer 3 VPN (L3VPN)
  • Virtual Private LAN Service (VPLS)
  • Layer 2 VPN (L2VPN)
  • Ethernet VPN (EVPN)
  • Pseudowires
  • Segment Routing over IPv6 (SRv6)
  • EVPN / Network Virtualization over Layer 3 (NVO3)
IPsec VPNs cryptographically protect all traffic from customer endpoint to customer endpoint. All of the other VPN technologies mentioned above share the following characteristics:
  • An ingress Provider Edge (PE) router encapsulates customer data in a tunnel header. The tunnel header includes service information. Service information identifies a Forwarding Information Base (FIB) entry on an egress PE router.
  • The ingress PE router sends the encapsulated packet to the egress PE router.
  • The egress PE router receives the encapsulated packet.
  • The egress PE router searches its FIB for an entry that matches the incoming service information. If it finds one, it removes the tunnel header and forwards the customer data to a Customer Edge (CE) device, as per the FIB entry. If it does not find a matching FIB entry, it discards the packet.
This document describes an experiment in which VPN service information is encoded in an experimental IPv6 Destination Option . The experimental IPv6 Destination Option is called the VPN Service Option. The solution described in this document offers the following benefits:
  • It does not require configuration on CE devices.
  • It encodes service information in the IPv6 extension header. Therefore, it does not require any non-IPv6 headers (e.g., MPLS headers) to carry service information.
  • It supports many VPNs on a single egress PE router.
  • When a single egress PE router supports many VPNs, it does not require an IP address per VPN.
  • It does not rely on any particular control plane.
One purpose of this experiment is to demonstrate that the VPN Service Option can be deployed in a production network. Another purpose is to demonstrate that the security measures described in of this document are sufficient to protect a VPN. Finally, this document encourages replication of the experiment, so that operational issues can be discovered.
Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
The VPN Service Option The VPN Service Option is an IPv6 Destination Option encoded according to rules defined in . As described in , an IPv6 Destination Option contains three fields: Option Type, Opt Data Len, and Option Data. In the VPN Service Option, these fields are used as follows:
  • Option Type: 8-bit selector. VPN Service Option. This field MUST be set to 0x5E (RFC3692-style Experiment) . See NOTE below.
  • Opt Data Len: 8-bit unsigned integer. Length of the option, in bytes, excluding the Option Type and Option Length fields. This field MUST be set to 4.
  • Option Data: 32 bits. VPN service information that identifies a FIB entry on the egress PE. The FIB entry determines how the egress PE will forward customer data to a CE device.
A single VPN Service Option MAY appear in a Destination Options header that immediately precedes an upper-layer header. It MUST NOT appear in any other extension header. If a receiver finds the VPN Service Option in any other extension header, it MUST NOT recognize the option. The packet MUST be processed according to the setting of the two highest-order bits of the Option Type (see NOTE below). NOTE: For this experiment, the Option Type is set to '01011110', i.e., 0x5E. The highest-order two bits are set to 01, indicating that the required action by a destination node that does not recognize the option is to discard the packet. The third highest-order bit is set to 0, indicating that Option Data cannot be modified along the path between the packet's source and its destination. The remaining low-order bits are set to '11110' to indicate the single IPv6 Destination Option Type code point available in the "Destination Options and Hop-by-Hop Options" registry for experimentation.
Forwarding Plane Considerations The ingress PE encapsulates the customer data in a tunnel header. The tunnel header MUST contain an IPv6 header and a Destination Options header that immediately precedes the customer data. It MAY also include any legal combination of IPv6 extension headers. The IPv6 Header contains the following (all defined in ):
  • Version - MUST be equal to 6.
  • Traffic Class
  • Flow Label
  • Payload Length
  • Next Header
  • Hop Limit
  • Source Address - Represents an interface on the ingress PE router. This address SHOULD be chosen according to guidance provided in .
  • Destination Address - Represents an interface on the egress PE router. This address SHOULD be chosen according to guidance provided in .
The IPv6 Destination Options Extension Header contains the following (all defined in ):
  • Next Header - MUST identify the protocol of the customer data.
  • Hdr Ext Len
  • Options - In this experiment, the Options field MUST contain exactly one VPN Service Option as defined in of this document. It MAY also contain any legal combination of other Destination Options.
Control Plane Considerations The FIB can be populated by:
  • An operator, using a Command-Line Interface (CLI)
  • A controller, using the Path Computation Element Communication Protocol (PCEP) or the Network Configuration Protocol (NETCONF)
  • A routing protocol
Routing protocol extensions that support the VPN Service Option are beyond the scope of this document.
IANA Considerations This document has no IANA actions.
Security Considerations A VPN is characterized by the following security policy:
  • Nodes outside of a VPN cannot inject traffic into the VPN.
  • Nodes inside a VPN cannot send traffic outside of the VPN.
A set of PE routers cooperate to enforce this security policy. If a device outside of that set could impersonate a device inside of the set, it would be possible for that device to subvert security policy. Therefore, impersonation must not be possible. The following paragraphs describe procedures that prevent impersonation. The VPN Service Option can be deployed:
  • On the global Internet
  • Inside of a limited domain
When the VPN Service Option is deployed on the global Internet, the tunnel that connects the ingress PE to the egress PE MUST be cryptographically protected by one of the following:
  • The IPv6 Authentication Header (AH)
  • The IPv6 Encapsulating Security Payload (ESP) Header
When the VPN Service Option is deployed in a limited domain, all nodes at the edge of limited domain MUST maintain Access Control Lists (ACLs). These ACLs MUST discard packets that satisfy the following criteria:
  • Contain a VPN Service Option
  • Contain an IPv6 Destination Address that represents an interface inside of the limited domain
The mitigation techniques mentioned above operate in fail-open mode. That is, they require explicit configuration in order to ensure that packets using the approach described in this document do not leak out of a domain. See for a discussion of fail-open and fail-closed modes. For further information on the security concerns related to IP tunnels and the recommended mitigation techniques, please see .
Deployment Considerations The VPN Service Option is imposed by an ingress PE and processed by an egress PE. It is not processed by any other nodes along the delivery path between the ingress PE and egress PE. However, some networks discard packets that include IPv6 Destination Options. This is an impediment to deployment. Because the VPN Service Option uses an experimental code point, there is a risk of collisions with other experiments. Specifically, the egress PE may process packets from another experiment that uses the same code point. As with all experiments with IETF protocols, it is expected that care is taken by the operator to ensure that all nodes participating in an experiment are carefully configured. Because the VPN Service Destination Option uses an experimental code point, processing of this option MUST be disabled by default. Explicit configuration is required to enable processing of the option.
Experimental Results Parties participating in this experiment should publish experimental results within one year of the publication of this document. Experimental results should address the following:
  • Effort required to deploy
    • Was deployment incremental or network-wide?
    • Was there a need to synchronize configurations at each node, or could nodes be configured independently?
    • Did the deployment require a hardware upgrade?
  • Effort required to secure
    • Performance impact
    • Effectiveness of risk mitigation with ACLs
    • Cost of risk mitigation with ACLs
  • Mechanism used to populate the FIB
  • Scale of deployment
  • Interoperability
    • Did you deploy two interoperable implementations?
    • Did you experience interoperability problems?
  • Effectiveness and sufficiency of Operations, Administration, and Maintenance (OAM) mechanisms
    • Did PING work?
    • Did TRACEROUTE work?
    • Did Wireshark work?
    • Did TCPDUMP work?
References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Security Concerns with IP Tunneling A number of security concerns with IP tunnels are documented in this memo. The intended audience of this document includes network administrators and future protocol developers. The primary intent of this document is to raise the awareness level regarding the security issues with IP tunnels as deployed and propose strategies for the mitigation of those issues. [STANDARDS-TRACK] Default Address Selection for Internet Protocol Version 6 (IPv6) This document describes two algorithms, one for source address selection and one for destination address selection. The algorithms specify default behavior for all Internet Protocol version 6 (IPv6) implementations. They do not override choices made by applications or upper-layer protocols, nor do they preclude the development of more advanced mechanisms for address selection. The two algorithms share a common context, including an optional mechanism for allowing administrators to provide policy that can override the default behavior. In dual-stack implementations, the destination address selection algorithm can consider both IPv4 and IPv6 addresses -- depending on the available source addresses, the algorithm might prefer IPv6 addresses over IPv4 addresses, or vice versa. Default address selection as defined in this specification applies to all IPv6 nodes, including both hosts and routers. This document obsoletes RFC 3484. [STANDARDS-TRACK] Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Internet Protocol, Version 6 (IPv6) Specification This document specifies version 6 of the Internet Protocol (IPv6). It obsoletes RFC 2460. Informative References Address Allocation for Private Internets This document describes address allocation for private internets. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Generic Packet Tunneling in IPv6 Specification This document defines the model and generic mechanisms for IPv6 encapsulation of Internet packets, such as IPv6 and IPv4. [STANDARDS-TRACK] A Framework for IP Based Virtual Private Networks This document describes a framework for Virtual Private Networks (VPNs) running across IP backbones. This memo provides information for the Internet community. Use of IPsec Transport Mode for Dynamic Routing IPsec can secure the links of a multihop network to protect communication between trusted components, e.g., for a secure virtual network (VN), overlay, or virtual private network (VPN). Virtual links established by IPsec tunnel mode can conflict with routing and forwarding inside VNs because IP routing depends on references to interfaces and next-hop IP addresses. The IPsec tunnel mode specification is ambiguous on this issue, so even compliant implementations cannot be trusted to avoid conflicts. An alternative to tunnel mode uses non-IPsec IPIP encapsulation together with IPsec transport mode, which we call IIPtran. IPIP encapsulation occurs as a separate initial step, as the result of a forwarding lookup of the VN packet. IPsec transport mode processes the resulting (tunneled) IP packet with an SA determined through a security association database (SAD) match on the tunnel header. IIPtran supports dynamic routing inside the VN without changes to the current IPsec architecture. IIPtran demonstrates how to configure any compliant IPsec implementation to avoid the aforementioned conflicts. IIPtran is also compared to several alternative mechanisms for VN routing and their respective impact on IPsec, routing, policy enforcement, and interactions with the Internet Key Exchange (IKE). This memo provides information for the Internet community. Unique Local IPv6 Unicast Addresses This document defines an IPv6 unicast address format that is globally unique and is intended for local communications, usually inside of a site. These addresses are not expected to be routable on the global Internet. [STANDARDS-TRACK] IP Authentication Header This document describes an updated version of the IP Authentication Header (AH), which is designed to provide authentication services in IPv4 and IPv6. This document obsoletes RFC 2402 (November 1998). [STANDARDS-TRACK] IP Encapsulating Security Payload (ESP) This document describes an updated version of the Encapsulating Security Payload (ESP) protocol, which is designed to provide a mix of security services in IPv4 and IPv6. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. This document obsoletes RFC 2406 (November 1998). [STANDARDS-TRACK] BGP/MPLS IP Virtual Private Networks (VPNs) This document describes a method by which a Service Provider may use an IP backbone to provide IP Virtual Private Networks (VPNs) for its customers. This method uses a "peer model", in which the customers' edge routers (CE routers) send their routes to the Service Provider's edge routers (PE routers); there is no "overlay" visible to the customer's routing algorithm, and CE routers at different sites do not peer with each other. Data packets are tunneled through the backbone, so that the core routers do not need to know the VPN routes. [STANDARDS-TRACK] Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling Virtual Private LAN Service (VPLS), also known as Transparent LAN Service and Virtual Private Switched Network service, is a useful Service Provider offering. The service offers a Layer 2 Virtual Private Network (VPN); however, in the case of VPLS, the customers in the VPN are connected by a multipoint Ethernet LAN, in contrast to the usual Layer 2 VPNs, which are point-to-point in nature. This document describes the functions required to offer VPLS, a mechanism for signaling a VPLS, and rules for forwarding VPLS frames across a packet switched network. [STANDARDS-TRACK] Virtual Private LAN Service (VPLS) Using Label Distribution Protocol (LDP) Signaling This document describes a Virtual Private LAN Service (VPLS) solution using pseudowires, a service previously implemented over other tunneling technologies and known as Transparent LAN Services (TLS). A VPLS creates an emulated LAN segment for a given set of users; i.e., it creates a Layer 2 broadcast domain that is fully capable of learning and forwarding on Ethernet MAC addresses and that is closed to a given set of users. Multiple VPLS services can be supported from a single Provider Edge (PE) node. This document describes the control plane functions of signaling pseudowire labels using Label Distribution Protocol (LDP), extending RFC 4447. It is agnostic to discovery protocols. The data plane functions of forwarding are also described, focusing in particular on the learning of MAC addresses. The encapsulation of VPLS packets is described by RFC 4448. [STANDARDS-TRACK] Path Computation Element (PCE) Communication Protocol (PCEP) This document specifies the Path Computation Element (PCE) Communication Protocol (PCEP) for communications between a Path Computation Client (PCC) and a PCE, or between two PCEs. Such interactions include path computation requests and path computation replies as well as notifications of specific states related to the use of a PCE in the context of Multiprotocol Label Switching (MPLS) and Generalized MPLS (GMPLS) Traffic Engineering. PCEP is designed to be flexible and extensible so as to easily allow for the addition of further messages and objects, should further requirements be expressed in the future. [STANDARDS-TRACK] Network Configuration Protocol (NETCONF) The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs). This document obsoletes RFC 4741. [STANDARDS-TRACK] Layer 2 Virtual Private Networks Using BGP for Auto-Discovery and Signaling Layer 2 Virtual Private Networks (L2VPNs) based on Frame Relay or ATM circuits have been around a long time; more recently, Ethernet VPNs, including Virtual Private LAN Service, have become popular. Traditional L2VPNs often required a separate Service Provider infrastructure for each type and yet another for the Internet and IP VPNs. In addition, L2VPN provisioning was cumbersome. This document presents a new approach to the problem of offering L2VPN services where the L2VPN customer's experience is virtually identical to that offered by traditional L2VPNs, but such that a Service Provider can maintain a single network for L2VPNs, IP VPNs, and the Internet, as well as a common provisioning methodology for all services. This document is not an Internet Standards Track specification; it is published for informational purposes. BGP MPLS-Based Ethernet VPN This document describes procedures for BGP MPLS-based Ethernet VPNs (EVPN). The procedures described here meet the requirements specified in RFC 7209 -- "Requirements for Ethernet VPN (EVPN)". Pseudowire Setup and Maintenance Using the Label Distribution Protocol (LDP) Layer 2 services (such as Frame Relay, Asynchronous Transfer Mode, and Ethernet) can be emulated over an MPLS backbone by encapsulating the Layer 2 Protocol Data Units (PDUs) and then transmitting them over pseudowires (PWs). It is also possible to use pseudowires to provide low-rate Time-Division Multiplexed and Synchronous Optical NETworking circuit emulation over an MPLS-enabled network. This document specifies a protocol for establishing and maintaining the pseudowires, using extensions to the Label Distribution Protocol (LDP). Procedures for encapsulating Layer 2 PDUs are specified in other documents. This document is a rewrite of RFC 4447 for publication as an Internet Standard. Segment Routing over IPv6 (SRv6) Network Programming The Segment Routing over IPv6 (SRv6) Network Programming framework enables a network operator or an application to specify a packet processing program by encoding a sequence of instructions in the IPv6 packet header. Each instruction is implemented on one or several nodes in the network and identified by an SRv6 Segment Identifier in the packet. This document defines the SRv6 Network Programming concept and specifies the base set of SRv6 behaviors that enables the creation of interoperable overlays with underlay optimization. Applicability of Ethernet Virtual Private Network (EVPN) to Network Virtualization over Layer 3 (NVO3) Networks An Ethernet Virtual Private Network (EVPN) provides a unified control plane that solves the issues of Network Virtualization Edge (NVE) auto-discovery, tenant Media Access Control (MAC) / IP dissemination, and advanced features in a scablable way as required by Network Virtualization over Layer 3 (NVO3) networks. EVPN is a scalable solution for NVO3 networks and keeps the independence of the underlay IP Fabric, i.e., there is no need to enable Protocol Independent Multicast (PIM) in the underlay network and maintain multicast states for tenant Broadcast Domains. This document describes the use of EVPN for NVO3 networks and discusses its applicability to basic Layer 2 and Layer 3 connectivity requirements and to advanced features such as MAC Mobility, MAC Protection and Loop Protection, multihoming, Data Center Interconnect (DCI), and much more. No new EVPN procedures are introduced. Safe(r) Limited Domains Google, LLC Alston Networks Cisco Cisco Independent Work in Progress Destination Options and Hop-by-Hop Options Internet Assigned Numbers Authority
Acknowledgements Thanks to , , , and for their reviews and contributions to this document.
Authors' Addresses Juniper Networks
Herndon Virginia United States of America rbonica@juniper.net
CERNET Center/Tsinghua University
Beijing China xing@cernet.edu.cn
Old Dog Consulting
United Kingdom adrian@olddog.co.uk
NTT DOCOMO BUSINESS
Chiyoda-ku, Tokyo Japan y.kamite@ntt.com
Verizon
Richardson Texas United States of America luay.jalil@one.verizon.com