Introduction to NX VPN

It's an IP network running on top of the Internet. You should know what a VPN is before getting seriously involved in the NX VPN. We use the 192.168.0.0/24 IP addresses. Sometimes we expose addresses from 10.0.0.0/8, but no permanent connection to such networks is planned. Also, we might someday link with another VPN, which uses 172.16.0.0/12 addresses.

The VPN has a core, made of routers designed to accept connections from leaf nodes. As of the writing of this document, there is only one router in the core (November, 2001). A few other routers should soon link to the core.

Between themselves, core routers may use any protocol they like to provide connectivity: PPP/SSH, CIPE, GRE, ... Most links are encrypted, but it's not mandatory; so one should never transmit sensitive data in the clear.

Core routers may accept connections from leaf nodes using whatever protocol they like. The current core node accepts PPP/SSH connections, and this site has documentation explaining how to set up your own PPP/SSH core node. Future nodes may accept different types of connections.

Routing is entirely done using BGP. It's not mandatory for a leaf node to run a BGP peer, unless it wants to connect more than a single IP address to the VPN, or wants to be multi-homed.

When a simple leaf node links to the VPN, the related core node has to provide routing (advertise the address of the leaf node, or a network comprising its address).

Advertising short prefixes is not a very good practice, but it may be used internally or between two core nodes to provide special services, like IPV4 mobility. Core nodes should however accept any prefix shorter than 25 bits.

The AS numbers used are in the range 65000-65520. When a network is to be connected to the NX VPN, an AS number is derived from the IP address of the network; e.g. 192.168.XXX.0/24 yields 65XXX; 192.168.XXX.0/25 yields 65XXX too, and 192.168.XXX.128/25 yields 65YYY with YYY=256+XXX. No subnet smaller than 128 addresses will be allocated directly by the core.
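The AS-number derivation above, worked through as an added example that is not part of the original page: a small Python check that computes the AS a prefix should use and rejects prefixes the core does not allocate, so a core node can verify that a peer's claimed AS matches what it advertises. It assumes the XXX rule applies to every /24 and /25 inside 192.168.0.0/16 and that "65XXX" means 65000 + XXX.

```python
import ipaddress

AS_MIN, AS_MAX = 65000, 65520          # AS range stated on the page
# Assumption: the XXX rule covers the whole 192.168.0.0/16 block.
VPN_SPACE = ipaddress.ip_network("192.168.0.0/16")
ALLOCATABLE_PREFIXLENS = (24, 25)      # nothing smaller than 128 addresses


def nx_as_number(prefix: str) -> int:
    """Return the AS number the NX VPN rule assigns to `prefix`.

    Raises ValueError for anything the core would not allocate directly:
    prefixes outside 192.168/16, host bits set, or longer than /25.
    """
    net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits set
    if not net.subnet_of(VPN_SPACE):
        raise ValueError(f"{prefix} is outside {VPN_SPACE}")
    if net.prefixlen not in ALLOCATABLE_PREFIXLENS:
        raise ValueError(f"{prefix}: core allocates only /24 and /25")
    xxx = net.network_address.packed[2]     # the third octet, "XXX"
    low_octet = net.network_address.packed[3]
    if net.prefixlen == 24 or low_octet == 0:
        asn = AS_MIN + xxx                  # 192.168.XXX.0/24 and .0/25
    else:
        asn = AS_MIN + 256 + xxx            # 192.168.XXX.128/25 -> YYY=256+XXX
    if not AS_MIN <= asn <= AS_MAX:         # cannot happen for /16, kept as a guard
        raise ValueError(f"derived AS {asn} outside {AS_MIN}-{AS_MAX}")
    return asn


def is_allocatable(prefix: str) -> bool:
    """True if the core would hand out `prefix` directly."""
    try:
        nx_as_number(prefix)
    except ValueError:
        return False
    return True


def peer_as_matches(prefix: str, claimed_as: int) -> bool:
    """Check a peer's announced AS against the AS its prefix implies."""
    return is_allocatable(prefix) and nx_as_number(prefix) == claimed_as


if __name__ == "__main__":
    for p in ("192.168.1.0/24", "192.168.1.128/25", "192.168.255.128/25"):
        print(p, "->", nx_as_number(p))
```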

When a network is assigned to an administrative entity, it can delegate addressing as it likes, but the delegated networks can't be multi-homed directly (as small prefixes aren't guaranteed to be advertised between core nodes).

An IPV6 experiment is under way, and we plan to provide different kinds of IPV6 links: native links, 6over4 tunnels running atop existing IPV4 VPN links, and mixed-mode links (this makes sense for PPP links, where the same link can carry many protocols). BGP routing can be done either with native BGP4+ peering (running directly over IPV6) or with BGP4+ over BGP4 peering (useful when running in 6over4 or mixed mode, where IPV4 connectivity and peering already exist).

Various documentation is available, or will be available:

All comments, remarks, corrections, whatever they may be, are welcome.


skaya@enix.org