Operations and Management Area Working GroupNetwork N. So
Internet Draft Verizon, Inc D. McDysan
Intended status: Informational P. Unbehagen Verizon, Inc
Expires: December 2011 Avaya
L. Dunbar
Huawei Technologies April 2012 H.Yu
TW Telecom
Bhumip Khasnabish
LiZhong Jin
ZTE
J. Heinz
CenturyLink
N.Figueira
Brocade
Zhengping You
AFORE Solutions
July 11,
Century Link
October 26, 2011October 25, 2011
Requirement and Framework
Requirements for VPN-Oriented Data Center Services
draft-so-vdcs-01.txt
draft-so-vdcs-02.txt
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. This document may not be modified,
and derivative works of it may not be created, and it may not be
published except as an Internet-Draft.
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. This document may not be modified,
and derivative works of it may not be created, except to publish it
as an RFC and to translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on January 11, April 26,25, 2012.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Abstract
This contribution addresses the service providers' requirements to
support VPN-Oriented data center services. It describes the
characteristics and the framework of VPN-oriented data center
services and specifies the requirements on how to maintain and
manage the virtual resources within data center resources and the
supporting network infrastructures for those services.
Table of Contents
1. Introduction.......................................................3 Introduction....................................................3
2. Conventions used in this document..................................4 document...............................4
3. Service defination and requirements................................4 requirements.............................4
3.1. VPN-oriented data center computing services....................4 services...................4
3.1.1. VPN-oriented data center computer service requirements.....4 requirements......4
3.2. VPN-oriented data center storage services......................5 services.....................5
3.2.1. VPN-oriented data center storage services requirments......5 requirments.......5
4. Requirments for data center networks in supporting VDCS............6 VDCS.........6
4.1. Requirments for extending VPNs into data center using VPN
gateways.......................................................6
gateways...........................................................6
4.2. Requirments for extending VPNs into data center using
intra-data intra-
data center VPN..........................................8 VPN....................................................8
5. Data center resource management requirments for VDCS...............8 VDCS............8
6. Security requirements..............................................9 requirements...........................................9
7. Other requirements................................................10 requirements..............................................9
8. VDCS framework....................................................10 References.....................................................10
9. References........................................................13
10. Acknowledgements.................................................14 Acknowledgements...............................................13
1. Introduction
Layer 2 and 3 VPN services offer secure and logically dedicated
connectivity
reachability among multiple sites for enterprises. VPN-oriented data
center service is for those VPN customers who want to offload some
dedicated user data center operations such as software, compute, and
storage, to the shared carrier data centers. Those customers often
do not want to use public Internet as the primary network accessing
and handling the traffic between the customer (user and user data
centers) and the carrier data centers. Instead, they would prefer
to use the carrier data center as an nature a natural extension of the VPN
they are already using, realizing the benefits of a multi-tenant
data center while retaining as much control as possible. For
example, they want to maintain the restrictive control on what and
how the virtualized data center resources, e.g., computing power,
disk spaces, space, and/or application licenses, can be shared.
VPN-Oriented Data center Services allow the VPN services to be
extended into carrier data centers and to control the virtual
resources
resource sharing functions. As a carrier, a VPN-Oriented data center
service product may be offered globally across multiple data
centers. Some of the data centers may be owned by the carrier, cloud service
provider, while others may be owned by a user/partner/vendor. partner of the service
provider and/or an enterprise user. In addition, multiple
VPN-oriented VPN-
oriented data center Service products (e.g. SaaS and PaaS) can be
offered from the same data center.
VPN-Oriented data center services differentiate it from other
carrier data center services in the following aspects:
o Strictly maintaining the secure, reliable, and logical isolation
characteristics of VPN for the end-to-end services provided.
o Making the traditional data center services (like computing,
storage space, or application licenses) as additional attributes
attached to VPNs.
o VPN having the control on is aware of how and what data center resources to
be are associated
with the VPN.
This draft describes the characteristics of those services, the
service requirements, and the corresponding requirements to data
center networks. It also describes a list of the problems that this
service is causing to the network provider/operator, especially for
the existing VPN customers. These issues must be addressed in order
for service providers to facilitate the addition of virtualized
services to the VPNs of existing customers.
2. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [RFC2119].
In this document, these words will appear with that interpretation
only when in ALL CAPS. Lower case uses of these words are not to be
interpreted as carrying RFC-2119 significance.
3. Service definitions and requirements
3.1. VPN-oriented data center computing service Virtual Private Computing Service (VPCS)
This refers to Virtual Machines (VMs) and/or physical servers in a
virtualized carrier data center being attached to a customer VPN. It
is also known as National Institute of Science and Technology
(NIST)'s Infrastructure-as-a-Service (IssS) being attached to a
customer VPN. The customer can choose different properties on the
computing power,
such as dedicated servers, preference on which data center to host those
servers, or special VMs which are shared with a group of other
VPN customers, and etc.
3.1.1. VPN-oriented data center Virtual private computing services requirements
These requirements apply to all VPN-oriented data center services
described
defined in this draft unless specified otherwise.
o Any virtualized carrier data center providing the VPN-oriented
computing services SHOULD VPCS SHALL be able
to automatically provision and/or change the required resources associated
with the VM/Servers based on the specified
properties signaled messages through the
VPN. For example, the resources CAN be bandwidth, amount of
memory, and/or CPU cycles associated with a VPN. the VMs.
o VPN customers SHALL be able to automatically instantiate or
remove Virtual Machines (VMs) to/from the VPN's associated hosts
or dedicated servers through inside the changing of provider's DC using
inband signaling requests sent by the customer's VPN
properties. user's host (VM/server).
o VPN customers SHOULD be able to move VMs among customer private
data centers and carrier data centers based on their own load
balancing criteria and algorithm.
o VPN customers SHALL be able to monitor, log, and track all VM
VM/server related usage information on per user, per resource pool, and per
application basis.
o VPN customers and the service provider SHALL be able to monitor,
log, and track all VM user information.
o VPN customers SHALL be able to automatically add/remove physical
servers associated with the VPN through the changing of the
customer's VPN properties.
o VPN customers SHOULD be able to provision a new VPN and new
service based on the properties associated with an existing VPN
and service using the same set (or sub set) of existing physical
infrastructure. basis.
o VPN customers SHALL be able to control if and how VM mobility can
occur.
3.2. VPN-oriented data center Virtual private storage service (VPSS)
This refers to disk space, either virtual or actual blocks of hard
drives in data centers, being added to a customer's VPN
3.2.1. VPN-oriented data center storage service requirements
o The VPN customer SHOULD be able to choose different content
replication properties. For example, the customer can control if
the content has to be replicated locally or has to be replicated
at a geographically different location (identifiable by the
customer if needed); needed and subject to latency constraint); if the
storage has to be co-located with certain VMs/hosts; or which
VMs/hosts have access to the content, and etc.
o These storage properties SHOULD be associated with the VPN. Any
data center providing the storage space for a VPN SHOULD be able
to automatically provision or change the required storage space
based on the properties associated with the VPN.
o The VPN customer SHOULD be able to automatically add disc space
or remove disc space to the VPN's associated storage through the
changing of the VPN properties.
o The VPN customer SHALL have the ability to limit the mobility of
the stored data based on the VPN's reachability.
o The VPN customer SHOULD have the ability to specify the stored
content life cycle management properties. Those properties
include but not limited to how long the stored content shall be
stored and how it should be erased/deleted.
o Control of whether data is encrypted.
o Specify required access speed for a storage hierarchy.
4. Requirements for Data Center networks in support of VPN-Oriented
Data center Services
The success of VPN services in the enterprise and the government
world is largely due to its ability to virtually segregate the
customer traffic at layer 2 and layer 3. The lower the layer that
segregation can be maintained, the safer it is for the customers
from security and privacy perspectives. Today's Data Centers use
VLANs to segregate servers and traffic from different customers.
Since each customer usually needs multiple service zones to place
different applications, each customer usually needs multiple VLANs.
Even small data centers today can have thousands of VLANs.
Therefore, pure VLAN segregation is not enough for large data
centers. In addition, since carrier data center resources can be
viewed as added attributes to VPNs, traffic segregation per VPN
becomes an essential requirement to VPN-oriented data center
services because of its ability to control the data center virtual
resources' assignments, thus ensuring end-to-end resource allocation
for service level performance insurance as well as manageability.
4.1. Requirement for extending VPNs into data center networks using
VPN gateways
When a data center does not use L2VPN or L3VPN as the intra-data
center network, but still wants to provide the VPN-oriented data
center services for external VPN customers, a VPN gateway function
can be added to the data center networks to extend the external VPNs
into the data center networks and to connect with the VMs and
virtual storages. (None storage. (Note that L2/3 data center network technology
used can include TRILL, PBB, SPB, OpenFlow, STP, and etc.) The VPN
gateway function has to meet the following requirements:
o Each external VPN L2/L3VPN SHALL be given a unique Identification
(ID), and the traffic separation within the data center SHALL
be maintained per ID.
o Each data center Service associated with a VPN SHALL be
transmitted over an unique set of intra-data center network
connections (logical or physical).
o The VPN gateway SHOULD maintain a record and the mapping of
virtual and physical data center resources to
physical/logical connections associated with each specific
VPN running the VPN-oriented data center services.
o The VPN gateway SHOULD be able to control the traffic flow
and assign the dedicated virtual resources accordingly.
o The carrier and the customer SHALL be able to monitor the
resource assignment and usage per VPN per service.
o The customer SHOULD be able to dynamically re-configure the
data center resources assignment and allocation per services
and/or per VM through the re-configuration of its VPN
properties.
o Beyond L2/L3 reachability, VPN gateway SHALL support multiple
services per VPN.
o VPN gateway SHOULD have the capability to differentiate QoS
within the VPN on per service basis. For example, storage
service may have higher QoS requirement than computing
service.
o VPN gateway SHOULD support multiple external VPN instances
and SHOULD be able to map them to the associated services.
o VPN gateway SHALL maintain the reportable record of how
traffic separation per VPN is achieved through the data
center network.
o Each external VPN SHALL be given a unique Identification
(ID), and the traffic separation within the data center SHALL
be maintained per ID.
o Each data center Service associated with a VPN SHALL be
transmitted over an unique set of intra-data center network
connections (logical or physical).
o The VPN gateway SHOULD maintain a record and the mapping of
virtual and physical data center resources to
physical/logical connections associated with each specific
VPN running the VPN-oriented data center services.
o The VPN gateway SHOULD be able to control the traffic flow
and assign the dedicated virtual resources accordingly.
o The carrier and the customer SHALL be able to monitor the
resource assignment and usage per VPN per service.
o The customer SHOULD be able to dynamically re-configure the
data center resources assignment and allocation per services
and/or per VM through the re-configuration of its VPN
properties.
o VPN gateway SHALL support multiple services per VPN.
o VPN gateway SHOULD have the capability to differentiate QoS
within the VPN on per service basis. For example, storage
service may have higher QoS requirement than computing
service.
o VPN gateway SHOULD support multiple external VPN instances
and SHOULD be able to map them to the associated services.
o VPN gateway SHALL maintain the reportable record of how
traffic separation per VPN is achieved through the data
center network. VPN Gateway SHOULD be able to allocated
intra-data center network resources according to external VPN
network's requirements dynamically for bandwidth, QoS and
traffic engineering purpose.
4.2. Requirement for extending VPNs into data center networks using
intra-data center VPN
When a L2/3 VPN is used as the network technology inside the data
center, each external VPN SHALL be mapped to a unique internal VPN.
5. Data Center Resource Management Requirements for VPN-oriented Data
center Services
Today, data center server resources are managed by data center
servers' administrators or management systems, and supported by
hypervisors on the servers. This process is invisible to the
underlying networks. The data center management functions include
managing servers, instantiating hosts to VMs, managing disk space,
and etc.
Traffic loading and balancing and QoS assignments for data center
networks are not easily considered by some Data Center's Center server
administration systems. Therefore, there is an interworking gap
between the networks and the Data Center's server administration
systems. This gap needs to be filled in order for the VPN-oriented
data center service to operate.
o The resources in data center MUST be partitioned per VPN instead
of per customer. VPN.
o The data center service orchestration system SHALL have the
ability to dedicate a specific block of disk space per services
per VPN. The dedicated block of disk space CAN be maintained
permanently or temporarily per VPN requirement, controlled by the
associated properties of VPN.
o The carrier and the VPN customer SHALL be able to monitor the
dedicated block of disk space per VPN per services.
o If a VPN specifies its associated storage space to be accessible
only by certain hosts, the VPN customer SHALL have the ability to
indicate the mechanism used to prevent the unwanted data
retrieval for the block of disk space after it is no longer used
by the VPN, before it can be re-used by other parties.
o The VPN SHALL have the ability to request dedicated network
resources within the data center such as bandwidth and QoS
settings.
o The VPN SHALL have the ability to hold the requested resources
without sharing with any other parties.
o The external VPN's QoS assignments SHOULD be able to synchronize
with the data center virtual resources' QoS assignments.
6. Security Requirements
o VPN-Oriented Data center Service SHOULD support a variety of
security measures in securing tenancy of virtual resources such
as resource locking, containment, authentication, access control,
encryption, integrity measure, and etc.
o The VPN-Oriented Data center Service SHOULD allow the security to
be configured end-to-end on a per-VPN/per-service/per-user basis.
For example, the Data center Systems SHOULD be able to resource-
lock resources such as memory, and also SHOULD be able provide a
cleaning function to insure confidentiality before being
reallocated.
o VPN-Oriented Data center Service SHOULD be able to specify an
authentication mechanism based for both header and payload.
Encryption algorithm CAN also be specified to provide additional
security.
o Security boundaries CAN be specified and created per VPN to
maintain domains of TRUSTED, UNTRUSTED, and Hybrid. Within each
domain access control, additional techniques MAY be specified to
secure resources and administrative domains.
7. Other Requirements
o The VPN-Oriented Data center Service SHALL support automatic end-
to-end network configuration. host-to-host
configuration exchanges via inband signaling.
o The VPN-Oriented data center service solution MUST have
sufficient OAM mechanisms in place to allow consistent end-to-end
management of the solution in existing deployed networks. The
solution SHOULD use existing protocols (e.g., IEEE 802.1ag, ITU-T
Y.1731, BFD) wherever possible to facilitate interoperability
with existing OAM deployments.
8. VPN-oriented Data center Service Framework
VPN-oriented data center services do not alter the physical
connectivity of the service supporting infrastructure. Instead, the
framework augments the VPN associated properties on the carrier's
VPN PE router. In addition, it provides a generic interworking
framework between the VPN and the data center network, exposing the
IP/MAC address of the VMs directly References
Thanks to the VPN.
The VPN-oriented data center services are flexible on the identities
of service end points, covering all VPN use cases in existence
today. It can be point-to-point and/or multi-point-to-multi-point,
and everything in between. The service can be between carrier data
center and enterprise private data center, or between carrier data
center Paul Unbehagen, Linda Dunbar, Bhumip Khasnabish, LiZhong Jin,
Norival Figueira, and a remote VPN user.
Below are three framework diagrams illustrating L3VPN-oriented data
center services. The frameworks Zhengping You for L2VPN-oriented data center
services would be very similar to the ones shown here, using MAC
addresses instead of IP addresses.
Figure 1 shows an exemplary framework where 4 unique VPNs (customer
LAN) accessing a carrier multi-tenant data center.
Figure 2 shows the logical view of the framework from the vantage
point of the data center PE router.
Figure 3 shows the logical view of the service from the vantage
point of the individual VM and/or VPN customer. Please note that
VM/customer belong to each VPN can only see everything within its
own VPN, although all 4 VPNs are shown on the drawing.
VPN1[10.1.X.X]-SW-CE-PE---- ----PE-CE-SW-VPN2[10.130.X.X]
\ /
\ /
BACKBONE
/ | \
/ | \
VPN3[100.12.X.X]-SW-CE-PE-- | --PE-CE-SW-VPN4[170.4.X.X]
|
|
DC PE
|
|
DC CE
|
|
VPN1[10.2.X.X]
VPN2[10.120.X.X]
VPN3[101.30.X.X]
VPN4[170.10.X.X]
Figure 1 Physical View of L3VPN-oriented Data Center Services
VPN1[10.1.X.X]-PE{VPN GATEWAY} PE{VPN GATEWAY}-VPN2[10.130.X.X]
\ /
\ /
BACKBONE
/ | \
/ | \
VPN3[100.12.X.X]-PE{VPN GATEWAY} | PE{VPN GATEWAY}-VPN4[170.4.X.X]
|
|
PE{VPN GATEWAY}
|
|
VPN1[10.2.X.X]
VPN2[10.120.X.X]
VPN3[101.30.X.X]
VPN4[170.10.X.X]
Figure 2. Logical View at Data Center VPN PE Router
VPN1[10.1.X.X] VPN2[10.130.X.X]
-PE{VPN GATEWAY} PE{VPN GATEWAY}-
VPN1[10.2.X.X] \ / VPN2[10.120.X.X]
\ /
\ /
BACKBONE
/ \
/ \
VPN3[100.12.X.X] / \ VPN4[170.4.X.X]
-PE{VPN GATEWAY} PE{VPN GATEWAY}-
VPN3[101.30.X.X] VPN4[170.10.X.X]
Figure 3. Logical View of L3VPN-ORIENTED Data Center Services
9. References review this draft and providing
valuble inputs.
Authors' Addresses
Ning So
Verizon Inc.
2400 N. Glenville Ave.,
Richardson, TX75082
ning.so@verizonbusiness.com
Paul Unbehagen
Avaya
unbehagen@avaya.com
Linda Dunbar
Huawei Technologies
5340 Legacy Drive, Suite 175
Plano, TX 75024, USA
Linda.dunbar@huawei.com
ning.so@verizon.com
Dave McDysan
Verizon Inc.
22001 Loudoun County PKWY.
Ashburn, VA 20147
Dave.mcdysan@verizon.com
Henry Yu
TW Telecom
10475 Park Meadows Dr.
Littleton, CO 80124
Henry.yu@twtelecom.com
Bhumip Khasnabish
ZTE
vumip1@gmail.com
LiZhong Jin
ZTE
889 Bibo Road
Shanghai, 201203, China
lizhong.jin@zte.com.cn
John M. Heinz
CenturyLink
600 New Century PKWY
KSNCAA0420-4B116
New Century, KS 66031
john.m.heinz@centurylink.com
Norival Figueira
Brocade Networks
130 Holger Way
San Jose, CA 95134
nfigueir@brocade.com
Zhengping You
AFORE Solutions
2680 Queensview Dr.,
Ottawa, Ontario Canada K2B819
Zhengping.you@aforesolutions.com
10.
9. Acknowledgments
This document was prepared using 2-Word-v2.0.template.dot.