Network Working Group                                            L. Yong
Internet-Draft                                                Huawei USA
Intended status: Standards Track                              T. Herbert
Expires: April 2015                                               Google
                                                        October 27, 2014


      Generic UDP Encapsulation (GUE) for Network Virtualization Overlay
                        draft-hy-nvo3-gue-4-nvo-00

Abstract

   This document describes a network virtualization encapsulation scheme
   that uses Generic UDP Encapsulation (GUE) [GUE].

Status of This Document

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute working
   documents as Internet-Drafts. The list of current Internet-Drafts is
   at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 27, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Yong & Herbert                                                  [Page 1]

Internet-Draft       Generic UDP Encapsulation for NVO      October 2014

Table of Contents

   1. Introduction
   2. Terminology
      2.1. Requirements Language
   3. Generic UDP Encapsulation (GUE) for NVO
   4. Encapsulation/Decapsulation Operation
   5. IANA Considerations
   6. Security Considerations
   7. References
      7.1. Normative References
      7.2. Informative References
   8. Authors' Addresses

1. Introduction

   Network Virtualization Overlay (NVO3) [RFC7365] aims to provide a
   virtual network solution over an IP network in a data center (DC)
   with a multi-tenant environment. Virtual network traffic between any
   pair of network virtualization edges (NVEs) is encapsulated with a
   network virtualization header and is sent from the ingress NVE to the
   egress NVE as an IP packet. This is known as a tunnel mechanism. A
   UDP-based tunnel mechanism provides several merits for such tunneling
   applications [GRE-in-UDP].

   This document specifies a network virtualization encapsulation scheme
   that uses Generic UDP Encapsulation (GUE) [GUE]. This allows NVEs to
   adopt a GUE tunnel implementation. This document specifies one flag
   (1 bit) for Network Virtualization Overlay (NVO) indication in the
   GUE header and a Virtual Network ID field in the GUE optional fields.
   It also specifies optional use of the GUE secure transport capability
   for NVO.

2. Terminology

   The terms defined in [RFC768] are used in this document.

2.1. Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3. Generic UDP Encapsulation (GUE) for NVO

   Generic UDP Encapsulation adds a 32-bit basic GUE header after the
   UDP header.
   The GUE header contains the key fields that a UDP tunnel application
   needs: version, control message indication (C), Header Length (Hlen),
   and Protocol Type (or ctype). It also contains undefined flags, which
   are reserved for tunnel applications. Figure 1 illustrates the GUE
   structure and its key fields. For the detailed specification, see
   [GUE].

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source port          |       Destination port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Length             |           Checksum            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0x0|C|  Hlen   |  Proto/ctype  |            Flags            |P|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                       Fields (optional)                       ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Private flags (optional)                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                   Private fields (optional)                   ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       Figure 1  GUE Header Format

   This document proposes to allocate one flag bit from the GUE
   undefined flags for the Network Virtualization Overlay (NVO) and
   defines a Virtual Network Identifier (VN ID) field for NVO in the GUE
   optional fields. It also specifies the use of GUE secure transport
   for NVO. The network virtualization header format is shown in
   Figure 2 and its specification follows.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source port          |       Destination port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Length             |           Checksum            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0x0|C|  Hlen   |  Proto/ctype  |V|SEC|         Flags         |0|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                  Virtual Network ID (VN ID)                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                      Security (Optional)                      ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

            Figure 2  GUE for Network Virtualization Overlay

   o  'V' Virtualization flag: Indicates the presence of the Virtual
      Network Identifier (VN ID) field in the GUE optional fields. This
      flag MUST be set when GUE is used for a network virtualization
      overlay (NVO).

   o  Virtual Network ID (4 octets): Used in a network virtualization
      overlay to identify the virtual network that the packet was sent
      on. This field is only present if the 'V' virtualization flag is
      set. The use and semantics of this field should be defined in
      separate documents.

   o  'SEC' Security flags: Indicate the presence of the security field
      [GUE4SEC], which provides secure transport for a tunneled
      protocol. An NVO MAY use it to provide secure transport; thus this
      is an optional field for NVO. If the flags are set, i.e. not 00,
      the egress NVE MUST process the security field, which is placed
      after the VN ID field. Two bits are used for the 'SEC' flags to
      convey the security field length, as follows:

      o  00 - No security field

      o  01 - 64 bit security field

      o  10 - 128 bit security field

      o  11 - 256 bit security field

   The use of the security field is expected to be negotiated out of
   band between the two NVEs.
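   The following is an added example, not code from this draft or from
   any GUE implementation. It encodes and parses the header layout of
   Figure 2 in Python, applying the rules above: V MUST be set, the SEC
   value selects the security field length, Hlen is 1 when SEC is clear
   and 1 + 2^SEC otherwise, and the next header begins at the offset
   Hlen gives. The Proto values for Ethernet, IPv4 and IPv6 payloads are
   not listed in this draft; the numbers used below are constructed
   assumptions for the example, as are the function names.

```python
"""Build and parse the GUE header layout this draft defines for NVO.

Added example, not the draft's own code. Bit positions follow Figures 1
and 2: a 4-octet base word (2-bit version, C bit, 5-bit Hlen, 8-bit
Proto/ctype, 16 flag bits with V at flag bit 0, SEC at flag bits 1-2 and
the private flag P as the last bit), then the 4-octet VN ID, then an
optional security field whose length is selected by SEC.
"""
import struct

GUE_VERSION = 0
FLAG_V = 1 << 15        # first flag bit (bit 16 of the word in Figure 2)
FLAG_P = 1 << 0         # private flag, last bit of the word
SEC_SHIFT = 13          # SEC occupies the two flag bits after V
SEC_MASK = 0x3
# SEC value -> security field length in octets (00: none, 01: 64 bit, ...)
SEC_FIELD_LEN = {0: 0, 1: 8, 2: 16, 3: 32}

# Assumed payload protocol numbers (the draft names the payload types but
# does not assign values): IPv4 (4) and IPv6 (41) follow the IANA protocol
# numbers; 97 is used here for Ethernet as a constructed placeholder.
PROTO_IPV4 = 4
PROTO_IPV6 = 41
PROTO_ETHERNET = 97


def hlen_for_sec(sec):
    """Hlen rule from the draft: 1 if SEC is clear, else 1 + 2 ** SEC."""
    return 1 if sec == 0 else 1 + 2 ** sec


def build_nvo_header(vnid, proto, sec=0, security=b"", control=False, ctype=0):
    """Return base word + VN ID + security field as bytes (UDP header not
    included). P stays clear, as the draft says it SHOULD for NVO."""
    if not 0 <= vnid <= 0xFFFFFFFF:
        raise ValueError("VN ID must fit in 4 octets")
    if sec not in SEC_FIELD_LEN:
        raise ValueError("SEC must be a 2-bit value")
    if len(security) != SEC_FIELD_LEN[sec]:
        raise ValueError("security field length does not match SEC")
    flags = FLAG_V | (sec << SEC_SHIFT)
    first = (GUE_VERSION << 30) | (int(control) << 29) | (hlen_for_sec(sec) << 24)
    first |= ((ctype if control else proto) & 0xFF) << 16
    first |= flags
    return struct.pack("!II", first, vnid) + security


def parse_nvo_header(data):
    """Parse a GUE-for-NVO header and return its fields plus payload offset.

    Raises ValueError on anything an egress NVE should drop: unsupported
    version, V flag clear, Hlen inconsistent with SEC, or a truncated
    header. The security field is returned for validation by the caller.
    """
    if len(data) < 8:
        raise ValueError("truncated GUE header")
    first, vnid = struct.unpack("!II", data[:8])
    version = first >> 30
    control = bool((first >> 29) & 1)
    hlen = (first >> 24) & 0x1F
    proto_ctype = (first >> 16) & 0xFF
    flags = first & 0xFFFF
    if version != GUE_VERSION:
        raise ValueError("unsupported GUE version %d" % version)
    if not flags & FLAG_V:
        raise ValueError("V flag clear: not an NVO encapsulation")
    sec = (flags >> SEC_SHIFT) & SEC_MASK
    if hlen != hlen_for_sec(sec):
        raise ValueError("Hlen %d inconsistent with SEC %d" % (hlen, sec))
    payload_offset = 4 + 4 * hlen          # next header starts here
    if len(data) < payload_offset:
        raise ValueError("truncated optional fields")
    return {
        "control": control,
        "hlen": hlen,
        "proto_ctype": proto_ctype,        # Proto, or CType when control is set
        "vnid": vnid,
        "sec": sec,
        "security": data[8:8 + SEC_FIELD_LEN[sec]],
        "private": bool(flags & FLAG_P),
        "payload_offset": payload_offset,
    }


def is_valid_nvo_header(data):
    """True if parse_nvo_header accepts the bytes, False otherwise."""
    try:
        parse_nvo_header(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: VN ID 0x123456, IPv4 payload, 64-bit security field.
    hdr = build_nvo_header(0x123456, PROTO_IPV4, sec=1, security=b"\x01" * 8)
    print(hdr.hex(), parse_nvo_header(hdr + b"payload"))
```

   The Hlen consistency check matters on the egress side: a header whose
   Hlen does not match its SEC value would either point the next-header
   offset into the security field or skip part of the payload, so the
   parser rejects it instead of trusting either field alone.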
   Potential uses of the security field for NVO are described in the
   Security Considerations section.

   The usage of the key fields in the GUE header [GUE] for network
   virtualization encapsulation is described below:

   o  Type: Set to 0x0 for network virtualization overlay encapsulation.

   o  Control flag: When set, indicates that the packet contains a
      control message. An OAM packet for the virtual network instance
      can be carried when it is set. Control or OAM processing MUST
      occur. The OAM protocol is out of scope for this document.

   o  Hlen: 1 if the Security flags are clear. When the Security flags
      are set, 1 + 2^(value of the SEC flags).

   o  Protocol: Contains the protocol of the encapsulated payload
      packet, i.e. the next header. The next header begins at the offset
      provided by Hlen. For network virtualization, the payload protocol
      can be Ethernet, IPv4 or IPv6.

   o  CType: Reserved for the control message type. The VN ID can be
      used with CType to direct control messages to the VN layer.

   o  'P' Private flag: The last bit in the GUE header. This flag SHOULD
      be clear for the network virtualization encapsulation.

   UDP header usage for network virtualization overlay is: the UDP dst
   port SHOULD be filled with the GUE port [GUE]; the UDP src port MAY
   be filled with virtual network flow entropy. The checksum and length
   implementation MUST be compliant with the GUE implementation [GUE].

4. Encapsulation/Decapsulation Operation

   The network virtualization encapsulation scheme specified in this
   document applies to both IPv4 and IPv6 underlay networks. The outer
   IP addresses must be the egress NVE IP address (dst) and the ingress
   NVE IP address (src). The network virtualization edge (NVE)
   implementation must be compliant with the tunnel implementation
   specified in GUE [GUE], including GUE header processing precedence.
   When secure transport is used, the egress NVE MUST perform security
   validation prior to payload processing.
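   The following is an added example, not code from this draft or from
   [GUE4SEC]. It models the egress-side validation step Section 4
   requires, using the security field the way Section 6 describes: as a
   cookie shared out of band between the ingress and egress NVE, chosen
   randomly, possibly different per VN ID, and changed periodically. The
   keying by (peer address, VN ID), the rotation grace window, and the
   CookieTable API are assumptions made for the example.

```python
"""Egress NVE validation of the GUE security field used as a cookie.

Added example, not the draft's own code. Cookies are looked up by
(peer_ip, vnid), compared in constant time, and rotated with a grace
window during which the previous cookie is still accepted so that the
ingress and egress NVE need not switch at exactly the same instant.
"""
import hmac
import secrets

SEC_FIELD_LEN = {0: 0, 1: 8, 2: 16, 3: 32}   # SEC value -> octets


class CookieTable:
    """Per-flow cookies for one egress NVE. 'sec' fixes the field length."""

    def __init__(self, sec):
        if sec not in SEC_FIELD_LEN or sec == 0:
            raise ValueError("SEC must select a non-empty security field")
        self.length = SEC_FIELD_LEN[sec]
        self._current = {}    # (peer_ip, vnid) -> cookie bytes
        self._previous = {}   # old cookie kept only during a rotation grace

    def provision(self, peer_ip, vnid, cookie=None):
        """Install the cookie for one peer/VN flow; random if not supplied
        (the shared value itself is negotiated out of band per the draft)."""
        if cookie is None:
            cookie = secrets.token_bytes(self.length)
        if len(cookie) != self.length:
            raise ValueError("cookie length must match the SEC field length")
        self._current[(peer_ip, vnid)] = cookie
        return cookie

    def rotate(self, peer_ip, vnid):
        """Replace the cookie with a fresh random one, keeping the old one
        acceptable until end_grace() is called for the flow."""
        key = (peer_ip, vnid)
        self._previous[key] = self._current[key]
        return self.provision(peer_ip, vnid)

    def end_grace(self, peer_ip, vnid):
        """Stop accepting the pre-rotation cookie for the flow."""
        self._previous.pop((peer_ip, vnid), None)

    def validate(self, peer_ip, vnid, security_field):
        """True iff the packet's security field matches the flow's current
        (or still-accepted previous) cookie. Unknown flows and wrong-length
        fields fail closed. Both compares run so timing does not reveal
        which cookie matched."""
        key = (peer_ip, vnid)
        if key not in self._current or len(security_field) != self.length:
            return False
        cur_ok = hmac.compare_digest(security_field, self._current[key])
        prev = self._previous.get(key)
        prev_ok = prev is not None and hmac.compare_digest(security_field, prev)
        return cur_ok or prev_ok


def decapsulate(table, peer_ip, vnid, security_field, payload):
    """Gate payload processing on cookie validation, as Section 4 requires.
    Returns the payload to hand to the next header, or None to drop."""
    if not table.validate(peer_ip, vnid, security_field):
        return None
    return payload


if __name__ == "__main__":
    # Constructed sample: one peer, VN ID 100, 64-bit cookie.
    table = CookieTable(1)
    cookie = table.provision("192.0.2.1", 100)
    print(decapsulate(table, "192.0.2.1", 100, cookie, b"inner frame"))
    print(decapsulate(table, "192.0.2.1", 100, b"\x00" * 8, b"inner frame"))
```

   Failing closed on unknown (peer, VN ID) pairs is deliberate: a packet
   whose VN ID has no provisioned cookie at the egress NVE cannot be
   validated, so it is dropped before any payload processing.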
5. IANA Considerations

   The document does not require any IANA action.

6. Security Considerations

   A Network Virtualization Edge (NVE) implements the UDP tunnel
   mechanism specified in [GUE], so it adopts the same security concerns
   stated in the Security Considerations section of [GUE]. The security
   option described in this document can be used to improve data plane
   security for NVO applications.

   The security field may be used as a cookie. This would be similar to
   the cookie mechanism described in L2TP [RFC3931], and the general
   properties should be the same. The cookie may be used to validate the
   encapsulation. The cookie is a shared value between the ingress NVE
   and the egress NVE which should be chosen randomly and may be changed
   periodically. Different cookies may be used for logical flows between
   the ingress NVE and the egress NVE; for instance, packets sent with
   different VNIs in network virtualization might have different
   cookies.

7. References

7.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3931]  Lau, J., Townsley, M., et al., "Layer Two Tunneling
              Protocol - Version 3 (L2TPv3)", RFC 3931, 2005.

   [RFC7365]  Lasserre, M., et al., "Framework for Data Center (DC)
              Network Virtualization".

   [GUE]      Herbert, T. and Yong, L., "Generic UDP Encapsulation",
              draft-herbert-gue-02, work in progress.

   [GUE4SEC]  Yong, L. and Herbert, T., "Generic UDP Encapsulation (GUE)
              for Secure Transport", draft-hy-gue-4-secure-transport-00,
              work in progress.

7.2. Informative References

   [GRE-in-UDP]
              Crabbe, E., Yong, L., and Xu, X., "Generic UDP
              Encapsulation for IP Tunneling",
              draft-ietf-tsvwg-gre-in-udp-encap-03, work in progress.

8. Authors' Addresses

   Lucy Yong
   Huawei USA
   5340 Legacy Dr.
   Plano, TX 75024
   US

   Email: lucy.yong@huawei.com


   Tom Herbert
   Google
   1600 Amphitheatre Parkway
   Mountain View, CA
   US

   Email: therbert@google.com