Operations and Management Area Working Group N. So Internet Draft Verizon, Inc Intended status: Informational P. Unbehagen Expires: December 2011 Avaya L. Dunbar Huawei Technologies H.Yu TW Telecom Bhumip Khasnabish LiZhong Jin ZTE J. Heinz CenturyLink N.Figueira Brocade Zhengping You AFORE Solutions July 11, 2011 Requirement and Framework for VPN-Oriented Data Center Services draft-so-vdcs-01.txt Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. This document may not be modified, and derivative works of it may not be created, and it may not be published except as an Internet-Draft. This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. This document may not be modified, and derivative works of it may not be created, except to publish it as an RFC and to translate it into languages other than English. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents So Expires December 8,2011 [Page 1] Internet-Draft VPN-oriented Data Center Services July 2011 at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html This Internet-Draft will expire on January 11, 2012. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Abstract This contribution addresses the service providers' requirements to support VPN-Oriented data center services. It describes the characteristics and the framework of VPN-oriented data center services and specifies the requirements on how to maintain and manage the virtual resources within data center resources and the supporting network infrastructures for those services. Table of Contents 1. Introduction.......................................................3 2. Conventions used in this document..................................4 3. Service defination and requirements................................4 3.1. VPN-oriented data center computing services....................4 3.1.1. VPN-oriented data center computer service requirements.....4 3.2. VPN-oriented data center storage services......................5 So Expires December 11,2011 [Page 2] Internet-Draft VPN-oriented Data Center Services July 2011 3.2.1. VPN-oriented data center storage services requirments......5 4. Requirments for data center networks in supporting VDCS............6 4.1. Requirments for extending VPNs into data center using VPN gateways.......................................................6 4.2. Requirments for extending VPNs into data center using intra-data center VPN..........................................8 5. Data center resource management requirments for VDCS...............8 6. Security requirements..............................................9 7. Other requirements................................................10 8. VDCS framework....................................................10 9. References........................................................13 10. Acknowledgements.................................................14 1. Introduction Layer 2 and 3 VPN services offer secure and logically dedicated connectivity among multiple sites for enterprises. VPN-oriented data center service is for those VPN customers who want to offload some dedicated user data center operations such as software, compute, and storage, to the shared carrier data centers. Those customers often do not want to use public Internet as the primary network accessing and handling the traffic between the customer (user and user data centers) and the carrier data centers. Instead, they would prefer to use the carrier data center as an nature extension of the VPN they are already using, realizing the benefits of a multi-tenant data center while retaining as much control as possible. For example, they want to maintain the restrictive control on what and how the virtualized data center resources, e.g., computing power, disk spaces, and/or application licenses, can be shared. VPN-Oriented Data center Services allow the VPN services to be extended into carrier data centers and to control the virtual resources sharing functions. As a carrier, a VPN-Oriented data center service product may be offered globally across multiple data centers. Some of the data centers may be owned by the carrier, while others may be owned by a user/partner/vendor. In addition, multiple VPN-oriented data center Service products can be offered from the same data center. VPN-Oriented data center services differentiate it from other carrier services in the following aspects: o Strictly maintaining the secure, reliable, and logical isolation characteristics of VPN for the end-to-end services provided. So Expires December 11,2011 [Page 3] Internet-Draft VPN-oriented Data Center Services July 2011 o Making the traditional data center services (like computing, storage space, or application licenses) as additional attributes to VPNs. o VPN having the control on how and what data center resources to be associated with the VPN. This draft describes the characteristics of those services, the service requirements, and the corresponding requirements to data center networks. It also describes a list of the problems that this service is causing to the network provider/operator, especially for the existing VPN customers. These issues must be addressed in order for service providers to facilitate the addition of virtualized services to the VPNs of existing customers. 2. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [RFC2119]. In this document, these words will appear with that interpretation only when in ALL CAPS. Lower case uses of these words are not to be interpreted as carrying RFC-2119 significance. 3. Service definitions and requirements 3.1. VPN-oriented data center computing service This refers to Virtual Machines (VMs) and/or physical servers in a virtualized carrier data center being attached to a customer VPN. The customer can choose different properties on the computing power, such as dedicated servers, preference on which data center to host those servers, or special VMs which are shared with a group of other VPN customers, and etc. 3.1.1. VPN-oriented data center computing services requirements These requirements apply to all VPN-oriented data center services described in this draft unless specified otherwise. o Any virtualized carrier data center providing the VPN-oriented computing services SHOULD be able to automatically provision and/or change the required resources based on the specified properties associated with a VPN. So Expires December 11,2011 [Page 4] Internet-Draft VPN-oriented Data Center Services July 2011 o VPN customers SHALL be able to automatically instantiate or remove Virtual Machines (VMs) to/from the VPN's associated hosts or dedicated servers through the changing of the customer's VPN properties. o VPN customers SHOULD be able to move VMs among customer private data centers and carrier data centers based on their own load balancing criteria and algorithm. o VPN customers SHALL be able to monitor, log, and track all VM usage information on per user, per resource pool, and per application basis. o VPN customers and the service provider SHALL be able to monitor, log, and track all VM user information. o VPN customers SHALL be able to automatically add/remove physical servers associated with the VPN through the changing of the customer's VPN properties. o VPN customers SHOULD be able to provision a new VPN and new service based on the properties associated with an existing VPN and service using the same set (or sub set) of existing physical infrastructure. o VPN customers SHALL be able to control if and how VM mobility can occur. 3.2. VPN-oriented data center storage service This refers to disk space, either virtual or actual blocks of hard drives in data centers, being added to a customer's VPN 3.2.1. VPN-oriented data center storage service requirements o The VPN customer SHOULD be able to choose different content replication properties. For example, the customer can control if the content has to be replicated locally or has to be replicated at a geographically different location (identifiable by the customer if needed); if the storage has to be co-located with certain VMs/hosts; or which VMs/hosts have access to the content, and etc. o These storage properties SHOULD be associated with the VPN. Any data center providing the storage space for a VPN SHOULD be able to automatically provision or change the required storage space based on the properties associated with the VPN. So Expires December 11,2011 [Page 5] Internet-Draft VPN-oriented Data Center Services July 2011 o The VPN customer SHOULD be able to automatically add disc space or remove disc space to the VPN's associated storage through the changing of the VPN properties. o The VPN customer SHALL have the ability to limit the mobility of the stored data based on the VPN's reachability. o The VPN customer SHOULD have the ability to specify the stored content life cycle management properties. Those properties include but not limited to how long the stored content shall be stored and how it should be erased/deleted. 4. Requirements for Data Center networks in support of VPN-Oriented Data center Services The success of VPN services in the enterprise and the government world is largely due to its ability to virtually segregate the customer traffic at layer 2 and layer 3. The lower the layer that segregation can be maintained, the safer it is for the customers from security and privacy perspectives. Today's Data Centers use VLANs to segregate servers and traffic from different customers. Since each customer usually needs multiple service zones to place different applications, each customer usually needs multiple VLANs. Even small data centers today can have thousands of VLANs. Therefore, pure VLAN segregation is not enough for large data centers. In addition, since carrier data center resources can be viewed as added attributes to VPNs, traffic segregation per VPN becomes an essential requirement to VPN-oriented data center services because of its ability to control the data center virtual resources' assignments, thus ensuring end-to-end resource allocation for service level performance insurance as well as manageability. 4.1. Requirement for extending VPNs into data center networks using VPN gateways When a data center does not use L2VPN or L3VPN as the intra-data center network, but still wants to provide the VPN-oriented data center services for external VPN customers, a VPN gateway function can be added to the data center networks to extend the external VPNs into the data center networks and to connect with the VMs and virtual storages. (None L2/3 data center network technology used can include TRILL, PBB, SPB, OpenFlow, STP, and etc.) The VPN gateway function has to meet the following requirements: So Expires December 11,2011 [Page 6] Internet-Draft VPN-oriented Data Center Services July 2011 o Each external VPN SHALL be given a unique Identification (ID), and the traffic separation within the data center SHALL be maintained per ID. o Each data center Service associated with a VPN SHALL be transmitted over an unique set of intra-data center network connections (logical or physical). o The VPN gateway SHOULD maintain a record and the mapping of virtual and physical data center resources to physical/logical connections associated with each specific VPN running the VPN-oriented data center services. o The VPN gateway SHOULD be able to control the traffic flow and assign the dedicated virtual resources accordingly. o The carrier and the customer SHALL be able to monitor the resource assignment and usage per VPN per service. o The customer SHOULD be able to dynamically re-configure the data center resources assignment and allocation per services and/or per VM through the re-configuration of its VPN properties. o VPN gateway SHALL support multiple services per VPN. o VPN gateway SHOULD have the capability to differentiate QoS within the VPN on per service basis. For example, storage service may have higher QoS requirement than computing service. o VPN gateway SHOULD support multiple external VPN instances and SHOULD be able to map them to the associated services. o VPN gateway SHALL maintain the reportable record of how traffic separation per VPN is achieved through the data center network. o Each external VPN SHALL be given a unique Identification (ID), and the traffic separation within the data center SHALL be maintained per ID. o Each data center Service associated with a VPN SHALL be transmitted over an unique set of intra-data center network connections (logical or physical). o The VPN gateway SHOULD maintain a record and the mapping of virtual and physical data center resources to physical/logical connections associated with each specific VPN running the VPN-oriented data center services. o The VPN gateway SHOULD be able to control the traffic flow and assign the dedicated virtual resources accordingly. So Expires December 11,2011 [Page 7] Internet-Draft VPN-oriented Data Center Services July 2011 o The carrier and the customer SHALL be able to monitor the resource assignment and usage per VPN per service. o The customer SHOULD be able to dynamically re-configure the data center resources assignment and allocation per services and/or per VM through the re-configuration of its VPN properties. o VPN gateway SHALL support multiple services per VPN. o VPN gateway SHOULD have the capability to differentiate QoS within the VPN on per service basis. For example, storage service may have higher QoS requirement than computing service. o VPN gateway SHOULD support multiple external VPN instances and SHOULD be able to map them to the associated services. o VPN gateway SHALL maintain the reportable record of how traffic separation per VPN is achieved through the data center network. VPN Gateway SHOULD be able to allocated intra-data center network resources according to external VPN network's requirements dynamically for bandwidth, QoS and traffic engineering purpose. 4.2. Requirement for extending VPNs into data center networks using intra-data center VPN When a L2/3 VPN is used as the network technology inside the data center, each external VPN SHALL be mapped to a unique internal VPN. 5. Data Center Resource Management Requirements for VPN-oriented Data center Services Today, data center server resources are managed by data center servers' administrators or management systems, and supported by hypervisors on the servers. This process is invisible to the underlying networks. The data center management functions include managing servers, instantiating hosts to VMs, managing disk space, and etc. Traffic loading and balancing and QoS assignments for data center networks are not considered by Data Center's server administration systems. Therefore, there is an interworking gap between the networks and the Data Center's server administration systems. This gap needs to be filled in order for the VPN-oriented data center service to operate. So Expires December 11,2011 [Page 8] Internet-Draft VPN-oriented Data Center Services July 2011 o The resources in data center MUST be partitioned per VPN instead of per customer. o The data center service orchestration system SHALL have the ability to dedicate a specific block of disk space per services per VPN. The dedicated block of disk space CAN be maintained permanently or temporarily per VPN requirement, controlled by the associated properties of VPN. o The carrier and the VPN customer SHALL be able to monitor the dedicated block of disk space per VPN per services. o If a VPN specifies its associated storage space to be accessible only by certain hosts, the VPN customer SHALL have the ability to indicate the mechanism used to prevent the unwanted data retrieval for the block of disk space after it is no longer used by the VPN, before it can be re-used by other parties. o The VPN SHALL have the ability to request dedicated network resources within the data center such as bandwidth and QoS settings. o The VPN SHALL have the ability to hold the requested resources without sharing with any other parties. o The external VPN's QoS assignments SHOULD be able to synchronize with the data center virtual resources' QoS assignments. 6. Security Requirements o VPN-Oriented Data center Service SHOULD support a variety of security measures in securing tenancy of virtual resources such as resource locking, containment, authentication, access control, encryption, integrity measure, and etc. o The VPN-Oriented Data center Service SHOULD allow the security to be configured end-to-end on a per-VPN/per-service/per-user basis. For example, the Data center Systems SHOULD be able to resource- lock resources such as memory, and also SHOULD be able provide a cleaning function to insure confidentiality before being reallocated. So Expires December 11,2011 [Page 9] Internet-Draft VPN-oriented Data Center Services July 2011 o VPN-Oriented Data center Service SHOULD be able to specify an authentication mechanism based for both header and payload. Encryption algorithm CAN also be specified to provide additional security. o Security boundaries CAN be specified and created per VPN to maintain domains of TRUSTED, UNTRUSTED, and Hybrid. Within each domain access control, additional techniques MAY be specified to secure resources and administrative domains. 7. Other Requirements o The VPN-Oriented Data center Service SHALL support automatic end- to-end network configuration. o The VPN-Oriented data center service solution MUST have sufficient OAM mechanisms in place to allow consistent end-to-end management of the solution in existing deployed networks. The solution SHOULD use existing protocols (e.g., IEEE 802.1ag, ITU-T Y.1731, BFD) wherever possible to facilitate interoperability with existing OAM deployments. 8. VPN-oriented Data center Service Framework VPN-oriented data center services do not alter the physical connectivity of the service supporting infrastructure. Instead, the framework augments the VPN associated properties on the carrier's VPN PE router. In addition, it provides a generic interworking framework between the VPN and the data center network, exposing the IP/MAC address of the VMs directly to the VPN. The VPN-oriented data center services are flexible on the identities of service end points, covering all VPN use cases in existence today. It can be point-to-point and/or multi-point-to-multi-point, and everything in between. The service can be between carrier data center and enterprise private data center, or between carrier data center and a remote VPN user. Below are three framework diagrams illustrating L3VPN-oriented data center services. The frameworks for L2VPN-oriented data center services would be very similar to the ones shown here, using MAC addresses instead of IP addresses. So Expires December 11,2011 [Page 10] Internet-Draft VPN-oriented Data Center Services July 2011 Figure 1 shows an exemplary framework where 4 unique VPNs (customer LAN) accessing a carrier multi-tenant data center. Figure 2 shows the logical view of the framework from the vantage point of the data center PE router. Figure 3 shows the logical view of the service from the vantage point of the individual VM and/or VPN customer. Please note that VM/customer belong to each VPN can only see everything within its own VPN, although all 4 VPNs are shown on the drawing. VPN1[10.1.X.X]-SW-CE-PE---- ----PE-CE-SW-VPN2[10.130.X.X] \ / \ / BACKBONE / | \ / | \ VPN3[100.12.X.X]-SW-CE-PE-- | --PE-CE-SW-VPN4[170.4.X.X] | | DC PE | | DC CE | | VPN1[10.2.X.X] VPN2[10.120.X.X] VPN3[101.30.X.X] VPN4[170.10.X.X] Figure 1 Physical View of L3VPN-oriented Data Center Services So Expires December 11,2011 [Page 11] Internet-Draft VPN-oriented Data Center Services July 2011 VPN1[10.1.X.X]-PE{VPN GATEWAY} PE{VPN GATEWAY}-VPN2[10.130.X.X] \ / \ / BACKBONE / | \ / | \ VPN3[100.12.X.X]-PE{VPN GATEWAY} | PE{VPN GATEWAY}-VPN4[170.4.X.X] | | PE{VPN GATEWAY} | | VPN1[10.2.X.X] VPN2[10.120.X.X] VPN3[101.30.X.X] VPN4[170.10.X.X] Figure 2. Logical View at Data Center VPN PE Router VPN1[10.1.X.X] VPN2[10.130.X.X] -PE{VPN GATEWAY} PE{VPN GATEWAY}- VPN1[10.2.X.X] \ / VPN2[10.120.X.X] \ / \ / BACKBONE / \ / \ VPN3[100.12.X.X] / \ VPN4[170.4.X.X] -PE{VPN GATEWAY} PE{VPN GATEWAY}- VPN3[101.30.X.X] VPN4[170.10.X.X] Figure 3. Logical View of L3VPN-ORIENTED Data Center Services So Expires December 11,2011 [Page 12] Internet-Draft VPN-oriented Data Center Services July 2011 9. References Authors' Addresses Ning So Verizon Inc. 2400 N. Glenville Ave., Richardson, TX75082 ning.so@verizonbusiness.com Paul Unbehagen Avaya unbehagen@avaya.com Linda Dunbar Huawei Technologies 5340 Legacy Drive, Suite 175 Plano, TX 75024, USA Linda.dunbar@huawei.com Henry Yu TW Telecom 10475 Park Meadows Dr. Littleton, CO 80124 Henry.yu@twtelecom.com Bhumip Khasnabish ZTE vumip1@gmail.com LiZhong Jin ZTE 889 Bibo Road Shanghai, 201203, China lizhong.jin@zte.com.cn John M. Heinz CenturyLink 600 New Century PKWY KSNCAA0420-4B116 New Century, KS 66031 john.m.heinz@centurylink.com So Expires December 11,2011 [Page 13] Internet-Draft VPN-oriented Data Center Services July 2011 Norival Figueira Brocade Networks 130 Holger Way San Jose, CA 95134 nfigueir@brocade.com Zhengping You AFORE Solutions 2680 Queensview Dr., Ottawa, Ontario Canada K2B819 Zhengping.you@aforesolutions.com 10. Acknowledgments This document was prepared using 2-Word-v2.0.template.dot. So Expires December 11,2011 [Page 14]