[c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?
Alastair Johnson
aj at sneep.net
Tue Aug 26 19:45:54 EDT 2008
Tim Franklin wrote:
> On Thu, August 21, 2008 12:59 am, Brandon Price wrote:
>> Other than just saying "it's bad" can you give some specifics as to the
>> problems you've run into using private addresses for PE-CE links? As
>> long as the SP hands out unique addresses across all of the links, what
>> does it matter whether they are "private" or "public" ?
>
> Customers using *all* of RFC1918 space (or at least claiming they do).
>
> e.g. if you have WAN links as /30s out of 10.11.12.0/24, and the customer
> has that range on a LAN somewhere, each site will be unable to reach the
> particular hosts on its WAN /30. (At least - if you're redistributing
> WAN routes into BGP / MBGP, the lack of visibility gets worse).

Most[1] large telcos I've seen[2] offering IP-VPN services tend to use
RFC1918 addressing for CE-PE infrastructure. Using public addressing
for much of this just often doesn't scale - thinking of some IP-VPNs
which have thousands of CE elements.

Most of them make this clear when doing the pre-sales design work, and
have very clear exclusion lists for prefixes that *will not* be accepted
into the IP-VPN under any circumstances. The majority of customers I've
worked with have been comfortable with this, given that it's generally a
small number of /30s or /31s and very rarely (in fact, I can't think of
a time) is there a conflict. In the odd case, if the customer refuses
to work with the telco.... the telco will just not accept the customer
without doing some form of Network Special Deal which results in the
customer paying a whole bunch more for the service to cover the
deviation costs.[3]

My own employer, a multinational in 100+ countries, uses RFC1918
extensively but our WAN group has managed to work around conflicts with
the multitude of IP-VPN services that use RFC1918 on the WAN.

aj

[1] Obviously this doesn't include all of them. I have a couple of
IP-VPNs which do make use of public /31 infrastructure but this is rare.
I have a feeling that these /31s may be re-used across multiple IP-VPN
services.

[2] I tend to have a slightly incumbent/tier 1 view of the world.

[3] This is usually *very* expensive for the customer. If the customer
wants it bad enough... they'll pay.... but see [2]. :)
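
Added example, not part of the original post or of any provider's tooling: a pre-sales check of a customer's prefix list against a provider exclusion list, using the 10.11.12.0/24 block from the quoted message. The customer prefixes, the function names and the reject/shadow/accept policy are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the block the provider reserves for PE-CE /30s (taken
# from the quoted example) and a hypothetical customer prefix list.
RESERVED = [ipaddress.ip_network("10.11.12.0/24")]
CUSTOMER = ["10.11.12.0/24", "10.11.12.64/26", "10.0.0.0/8",
            "10.11.13.0/24", "192.168.1.0/24"]

def classify(prefix, reserved=RESERVED):
    """Return (verdict, reserved_block) for one customer prefix.

    reject: equal to or more specific than a reserved block
    shadow: an aggregate containing a reserved block, so the more
            specific WAN routes win longest-match for those addresses
    accept: no overlap with any reserved block
    """
    net = ipaddress.ip_network(prefix, strict=True)
    for block in reserved:
        if net.version != block.version:
            continue  # subnet_of() raises TypeError on mixed v4/v6
        if net.subnet_of(block):
            return "reject", block
        if block.subnet_of(net):
            return "shadow", block
    return "accept", None

def shadowed_hosts(wan_link, customer_prefix):
    """Customer addresses that land on one WAN link and so cannot be
    reached as LAN hosts from the site using that link."""
    link = ipaddress.ip_network(wan_link)
    net = ipaddress.ip_network(customer_prefix)
    if not link.overlaps(net):
        return []
    return [str(addr) for addr in link if addr in net]

def audit(prefixes):
    """Map each customer prefix to its verdict."""
    return {p: classify(p)[0] for p in prefixes}

if __name__ == "__main__":
    for prefix, verdict in audit(CUSTOMER).items():
        print(f"{prefix:18} {verdict}")
    print(shadowed_hosts("10.11.12.4/30", "10.11.12.0/24"))
```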