< draft-ietf-nvo3-use-case-10.txt   draft-ietf-nvo3-use-case-11.txt >
Network Working Group L. Yong Network Working Group L. Yong
Internet Draft L. Dunbar Internet Draft L. Dunbar
Category: Informational Huawei Category: Informational Huawei
M. Toy M. Toy
A. Isaac A. Isaac
Juniper Networks Juniper Networks
V. Manral V. Manral
Ionos Networks Ionos Networks
Expires: March 2017 September 22, 2016 Expires: April 2017 October 3, 2016
Use Cases for Data Center Network Virtualization Overlays Use Cases for Data Center Network Virtualization Overlays
draft-ietf-nvo3-use-case-10 draft-ietf-nvo3-use-case-11
Abstract Abstract
This document describes Data Center (DC) Network Virtualization over This document describes data center network virtualization over
Layer 3 (NVO3) use cases that can be deployed in various data layer (NVO3) use cases that can be deployed in various data centers
centers and serve different applications. and serve different applications.
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with This Internet-Draft is submitted to IETF in full conformance with
the provisions of BCP 78 and BCP 79. the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 45 skipping to change at page 1, line 45
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 22, 2017. This Internet-Draft will expire on April 3, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License. warranty as described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction...................................................3 1. Introduction...................................................3
1.1. Terminology...............................................4 1.1. Terminology...............................................4
2. Basic Virtual Networks in a Data Center........................5 2. Basic NVO3 Networks............................................5
3. DC Virtual Network and External Network Interconnection........6 3. DC NVO3 Network and External Network Interconnection...........6
3.1. DC Virtual Network Access via the Internet................6 3.1. DC NVO3 Network Access via the Internet...................6
3.2. DC VN and SP WAN VPN Interconnection......................8 3.2. DC NVO3 Network and SP WAN VPN Interconnection............8
4. DC Applications Using NVO3.....................................9 4. DC Applications Using NVO3.....................................8
4.1. Supporting Multiple Technologies..........................9 4.1. Supporting Multiple Technologies..........................9
4.2. DC Application with Multiple Virtual Networks.............9 4.2. DC Application with Multiple Virtual Networks.............9
4.3. Virtual Data Center (vDC)................................10 4.3. Virtual Data Center (vDC)................................10
5. Summary.......................................................11 5. Summary.......................................................12
6. Security Considerations.......................................12 6. Security Considerations.......................................12
7. IANA Considerations...........................................12 7. IANA Considerations...........................................12
8. References....................................................12 8. References....................................................13
8.1. Normative References.....................................12 8.1. Normative References.....................................13
8.2. Informative References...................................12 8.2. Informative References...................................13
Contributors.....................................................13 Contributors.....................................................14
Acknowledgements.................................................14 Acknowledgements.................................................14
Authors' Addresses...............................................14 Authors' Addresses...............................................14
1. Introduction 1. Introduction
Server Virtualization has changed the Information Technology (IT) Server virtualization has changed the Information Technology (IT)
industry in terms of the efficiency, cost, and speed of providing industry in terms of the efficiency, cost, and speed of providing
new applications and/or services such as cloud applications. However new applications and/or services such as cloud applications. However
traditional Data Center (DC) networks have some limits in supporting traditional data center (DC) networks have some limits in supporting
cloud applications and multi tenant networks [RFC7364]. The goal of cloud applications and multi tenant networks [RFC7364]. The goal of
Network Virtualization Overlays in the DC is to decouple the data center network virtualization overlay (NVO3) network is to
communication among tenant systems from DC physical infrastructure decouple the communication among tenant systems from DC physical
networks and to allow one physical network infrastructure to provide: infrastructure networks and to allow one physical network
infrastructure to provide:
o Multi-tenant virtual networks and traffic isolation among the o Multi-tenant virtual networks and traffic isolation among the
virtual networks over the same physical network. virtual networks over the same physical network.
o Independent address spaces in individual virtual networks such as o Independent address spaces in individual virtual networks such as
MAC, IP, TCP/UDP etc. MAC, IP, TCP/UDP etc.
o Flexible Virtual Machines (VM) and/or workload placement o Flexible Virtual Machines (VM) and/or workload placement
including the ability to move them from one server to another including the ability to move them from one server to another
without requiring VM address and configuration changes, and the without requiring VM address and configuration changes, and the
ability to perform a "hot move" with no disruption to the live ability to perform a "hot move" with no disruption to the live
application running on VMs. application running on VMs.
These characteristics of NVO3 help address the issues that cloud These characteristics of NVO3 help address the issues that cloud
applications face in Data Centers [RFC7364]. applications face in Data Centers [RFC7364].
An NVO3 network may interconnect with another NVO3 virtual network, An NVO3 network may interconnect with another NVO3 network on the
or another physical network (i.e., not the physical network that the same physical network, or another physical network (i.e., not the
NVO3 network is over), via a gateway. The use case examples for the physical network that the NVO3 network is over), via a gateway. The
latter are: 1) DCs that migrate toward an NVO3 solution will be done use case examples for the latter are: 1) DCs that migrate toward an
in steps, where a portion of tenant systems in a VN is on NVO3 solution will be done in steps, where a portion of tenant
virtualized servers while others exist on a LAN. 2) many DC systems in a VN is on virtualized servers while others exist on a
applications serve to Internet users who are on physical networks; 3) LAN. 2) many DC applications serve to Internet users who are on
some applications are CPU bound, such as Big Data analytics, and may physical networks; 3) some applications are CPU bound, such as Big
not run on virtualized resources. Some inter-VN policies can be Data analytics, and may not run on virtualized resources. Some
enforced at the gateway. inter-VN policies can be enforced at the gateway.
This document describes general NVO3 use cases that apply to various This document describes general NVO3 use cases that apply to various
data centers. The use cases described here represent DC provider's data centers. The use cases described here represent DC provider's
interests and vision for their cloud services. The document groups interests and vision for their cloud services. The document groups
the use cases into three categories from simple to advance in term the use cases into three categories from simple to advance in term
of implementation. However the implementations of these use cases of implementation. However the implementations of these use cases
are outside the scope of this document. These three categories are are outside the scope of this document. These three categories are
highlighted below: highlighted below:
o Basic NVO3 virtual networks in a DC (Section 2). All Tenant o Basic NVO3 networks (Section 2). All Tenant Systems (TS) in the
Systems (TS) in the virtual network are located within the same network are located within the same DC. The individual networks
DC. The individual virtual networks can be either Layer 2 (L2) or can be either Layer 2 (L2) or Layer 3 (L3). The number of NVO3
Layer 3 (L3). The number of NVO3 virtual networks in a DC is much networks in a DC is much higher than what traditional VLAN based
higher than what traditional VLAN based virtual networks [IEEE virtual networks [IEEE 802.1Q] can support. This case is often
802.1Q] can support. This case is often referred as to the DC referred as to the DC East-West traffic.
East-West traffic.
o Virtual networks that span across multiple Data Centers and/or to o A virtual network that spans across multiple Data Centers and/or
customer premises, i.e., an NVO3 virtual network where some to customer premises where NVO3 networks are constructed and
tenant systems in a DC attach to interconnect another virtual or interconnect another virtual or physical network outside the data
physical network outside the data center. An enterprise customer center. An enterprise customer may use a traditional carrier VPN
may use a traditional carrier VPN or an IPsec tunnel over the or an IPsec tunnel over the Internet to communicate with its
Internet to communicate with its systems in the DC. This is systems in the DC. This is described in Section 3.
described in Section 3.
o DC applications or services require an advanced network that o DC applications or services require an advanced network that
contains several NVO3 virtual networks that are interconnected by contains several NVO3 networks that are interconnected by the
the gateways. Three scenarios are described in Section 4: 1) gateways. Three scenarios are described in Section 4: 1)
supporting multiple technologies; 2) constructing several virtual supporting multiple technologies; 2) constructing several virtual
networks as a tenant network; 3) applying NVO3 to a virtual Data networks as a tenant network; 3) applying NVO3 to a virtual Data
Center (vDC). Center (vDC).
The document uses the architecture reference model defined in The document uses the architecture reference model defined in
[RFC7365] to describe the use cases. [RFC7365] to describe the use cases.
1.1. Terminology 1.1. Terminology
This document uses the terminologies defined in [RFC7365] and This document uses the terminologies defined in [RFC7365] and
skipping to change at page 5, line 4 skipping to change at page 4, line 49
DNS: Domain Name Service [RFC1035] DNS: Domain Name Service [RFC1035]
DC Operator: A role who is responsible to construct and manage cloud DC Operator: A role who is responsible to construct and manage cloud
service instances in their life-cycle and manage DC infrastructure service instances in their life-cycle and manage DC infrastructure
that runs these cloud instances. that runs these cloud instances.
DC Provider: A company that uses its DC infrastructure to offer DC Provider: A company that uses its DC infrastructure to offer
cloud services to its customers. cloud services to its customers.
NAT: Network Address Translation [RFC3022] NAT: Network Address Translation [RFC3022]
vGW: virtual Gateway; a gateway component used for an NVO3 virtual vGW: virtual Gateway; a gateway component used for an NVO3 virtual
network to interconnect with another virtual/physical network. network to interconnect with another virtual/physical network.
Note that a virtual network in this document refers to an NVO3 2. Basic NVO3 Networks
virtual network in a DC [RFC7365].
2. Basic Virtual Networks in a Data Center
A virtual network in a DC enables communications among Tenant An NVO3 network provides communications among Tenant Systems (TS) in
Systems (TS). A TS can be a physical server/device or a virtual a DC. A TS can be a physical server/device or a virtual machine (VM)
machine (VM) on a server, i.e., end-device [RFC7365]. A Network on a server, i.e., end-device [RFC7365]. A DC provider often uses
Virtual Edge (NVE) can be co-located with a TS, i.e., on the same NVO3 networks for its internal applications in which each
end-device, or reside on a different device, e.g., a top of rack application runs on many VMs or physical services and requires
switch (ToR). A virtual network has a virtual network identifier application segregation.
(can be globally unique or locally significant at NVEs).
Tenant Systems attached to the same NVE may belong to the same or A Network Virtual Edge (NVE) is an NVO3 architecture component
different virtual networks. An NVE provides tenant traffic [RFC7365]]. It is responsible to forward and encapsulate the NVO3
forwarding/encapsulation and obtains tenant systems reachability traffic in outbound direction; and decapsulate and forward the NVO3
information from a Network Virtualization Authority (NVA)[NVO3ARCH]. traffic in inbound direction [NVO3ARCH]. A Network Virtualization
DC operators can construct multiple separate virtual networks, and Authority (NVA) is another NVO3 architecture component [RFC7365]. An
provide each with own address space. NVE obtains the reachability information of tenant systems in a NVO3
network from the NVA. The tenant systems attached to the same NVE
may belong to a same or different NVO3 networks.
Network Virtualization Overlay in this context means that a virtual The network virtualization overlay in this context means that a
network is implemented with an overlay technology, i.e., within a DC virtual network is implemented with an overlay technology, i.e.,
that has IP infrastructure, tenant traffic is encapsulated at its within a DC, NVO3 traffic is encapsulated at an NVE and carried by a
local NVE and carried by a tunnel to another NVE where the packet is tunnel to another NVE where the packet is decapsulated and sent to a
decapsulated and sent to a target tenant system. This architecture target tenant system [NVO3ARCH]. This architecture decouples a NVO3
decouples tenant system address space and configuration from the network construction from the DC physical network configuration,
infrastructure's, which provides great flexibility for VM placement which provides the flexibility for VM placement and mobility. It
and mobility. It also means that the transit nodes in the also means that the nodes in the infrastructure network (except
infrastructure are not aware of the existence of the virtual tunnel end point nodes) carry encapsulated NVO3 traffic but not
networks and tenant systems attached to the virtual networks. The aware of the existence of NVO3 networks. In the architecture
tunneled packets are carried as regular IP packets and are sent to [NVO3ARCH], one tunnel can carry NVO3 traffic belonging to different
NVEs. One tunnel may carry the traffic belonging to multiple virtual NVO3 networks; a virtual network identifier is used in an NVO3
networks; a virtual network identifier is used for traffic encapsulation protocol to differentiate NVO3 traffic.
demultiplexing. A tunnel encapsulation protocol is necessary for NVE
to encapsulate the packets from Tenant Systems and encode other
information on the tunneled packets to support NVO3 implementation.
A virtual network implemented by NVO3 may be an L2 or L3 domain. The An NVO3 network may be an L2 or L3 domain. The network provides
virtual network can carry unicast traffic and/or multicast, switching (L2) or routing (L3) capability to support host (i.e.
broadcast/unknown (for L2 only) traffic from/to tenant systems. tenent systems) communications. An NVO3 network may required to
There are several ways to transport virtual network BUM traffic carry unicast traffic and/or multicast, broadcast/unknown (for L2
[NVO3MCAST]. only) traffic from/to tenant systems. There are several ways to
transport NVO3 network BUM traffic [NVO3MCAST].
It is worth mentioning two distinct cases regarding to NVE location. It is worth mentioning two distinct cases regarding to NVE location.
The first is where TSs and an NVE are co-located on a single end The first is where TSs and an NVE are co-located on a single end
host/device, which means that the NVE can be aware of the TS's state host/device, which means that the NVE can be aware of the TS's state
at any time via an internal API. The second is where TSs and an NVE at any time via an internal API. The second is where TSs and an NVE
are not co-located, with the NVE residing on a network device; in are not co-located, with the NVE residing on a network device; in
this case, a protocol is necessary to allow the NVE to be aware of this case, a protocol is necessary to allow the NVE to be aware of
the TS's state [NVO3HYVR2NVE]. the TS's state [NVO3HYVR2NVE].
One virtual network can provide connectivity to many TSs that attach One NVO3 network can provide connectivity to many TSs that attach to
to many different NVEs in a DC. TS dynamic placement and mobility many different NVEs in a DC. TS dynamic placement and mobility
results in frequent changes of the binding between a TS and an NVE. results in frequent changes of the binding between a TS and an NVE.
The TS reachability update mechanisms need be fast enough so that The TS reachability update mechanisms need be fast enough so that
the updates do not cause any communication disruption/interruption. the updates do not cause any communication disruption/interruption.
The capability of supporting many TSs in a virtual network and many The capability of supporting many TSs in a virtual network and many
more virtual networks in a DC is critical for the NVO3 solution. more virtual networks in a DC is critical for the NVO3 solution.
If a virtual network spans across multiple DC sites, one design is If a virtual network spans across multiple DC sites, one design
to allow the network to seamlessly span across the sites without DC using NVO3 is to allow the network to seamlessly span across the
gateway routers' termination. In this case, the tunnel between a sites without DC gateway routers' termination. In this case, the
pair of NVEs can be carried within other intermediate tunnels over tunnel between a pair of NVEs can be carried within other
the Internet or other WANs, or the intra DC and inter DC tunnels can intermediate tunnels over the Internet or other WANs, or an intra DC
be stitched together to form a tunnel between the pair of NVEs that tunnel and inter DC tunnel(s) can be stitched together to form an
are in different DC sites. Both cases will form one virtual network end-to-end tunnel between the pair of NVEs that are in different DC
across multiple DC sites. sites. Both cases will form one virtual network across multiple DC
sites.
3. DC Virtual Network and External Network Interconnection 3. DC NVO3 Network and External Network Interconnection
Many customers (an enterprise or individuals) who utilize a DC Many customers (an enterprise or individuals) who utilize a DC
provider's compute and storage resources to run their applications provider's compute and storage resources to run their applications
need to access their systems hosted in a DC through Internet or need to access their systems hosted in a DC through Internet or
Service Providers' Wide Area Networks (WAN). A DC provider can Service Providers' Wide Area Networks (WAN). A DC provider can
construct a virtual network that provides connectivity to all the construct a NVO3 network that provides connectivity to all the
resources designated for a customer and allows the customer to resources designated for a customer and allows the customer to
access the resources via a virtual gateway (vGW). This, in turn, access the resources via a virtual gateway (vGW). This, in turn,
becomes the case of interconnecting a DC virtual network and the becomes the case of interconnecting an NVO3 network and the virtual
network at customer site(s) via the Internet or WANs. Two use cases private network (VPN) on the Internet or wide-area networks (WAN).
Note that a VPN is not implemented by NVO3 solution. Two use cases
are described here. are described here.
3.1. DC Virtual Network Access via the Internet 3.1. DC NVO3 Network Access via the Internet
A customer can connect to a DC virtual network via the Internet in a A customer can connect to an NVO3 network via the Internet in a
secure way. Figure 1 illustrates this case. The DC virtual network secure way. Figure 1 illustrates an example of this case. The NVO3
has an instance at NVE1 and NVE2 and the two NVEs are connected via network has an instance at NVE1 and NVE2 and the two NVEs are
an IP tunnel in the Data Center. A set of tenant systems are connected via an IP tunnel in the Data Center. A set of tenant
attached to NVE1 on a server. NVE2 resides on a DC Gateway device. systems are attached to NVE1 on a server. NVE2 resides on a DC
NVE2 terminates the tunnel and uses the VNID on the packet to pass Gateway device. NVE2 terminates the tunnel and uses the VNID on the
the packet to the corresponding vGW entity on the DC GW (the vGW is packet to pass the packet to the corresponding vGW entity on the DC
the default gateway for the virtual network). A customer can access GW (the vGW is the default gateway for the virtual network). A
their systems, i.e., TS1 or TSn, in the DC via the Internet by using customer can access their systems, i.e., TS1 or TSn, in the DC via
an IPsec tunnel [RFC4301]. The IPsec tunnel is configured between the Internet by using an IPsec tunnel [RFC4301]. The IPsec tunnel is
the vGW and the customer gateway at the customer site. Either a configured between the vGW and the customer gateway at the customer
static route or iBGP may be used for prefix advertisement. The vGW site. Either a static route or iBGP may be used for prefix
provides IPsec functionality such as authentication scheme and advertisement. The vGW provides IPsec functionality such as
encryption; iBGP protocol traffic is carried within the IPsec tunnel. authentication scheme and encryption; iBGP protocol traffic is
Some vGW features are listed below: carried within the IPsec tunnel. Some vGW features are listed below:
o The vGW maintains the TS/NVE mappings and advertises the TS o The vGW maintains the TS/NVE mappings and advertises the TS
prefix to the customer via static route or iBGP. prefix to the customer via static route or iBGP.
o Some vGW functions such as firewall and load balancer can be o Some vGW functions such as firewall and load balancer can be
performed by locally attached network appliance devices. performed by locally attached network appliance devices.
o If the virtual network in the DC uses different address space o If the NVO3 network uses different address space than external
than external users, then the vGW needs to provide the NAT users, then the vGW needs to provide the NAT function.
function.
o More than one IPsec tunnel can be configured for redundancy. o More than one IPsec tunnel can be configured for redundancy.
o The vGW can be implemented on a server or VM. In this case, IP o The vGW can be implemented on a server or VM. In this case, IP
tunnels or IPsec tunnels can be used over the DC infrastructure. tunnels or IPsec tunnels can be used over the DC infrastructure.
o DC operators need to construct a vGW for each customer. o DC operators need to construct a vGW for each customer.
Server+---------------+ Server+---------------+
| TS1 TSn | | TS1 TSn |
skipping to change at page 8, line 4 skipping to change at page 7, line 42
| * | *
DC GW +------+---------+ .--. .--. DC GW +------+---------+ .--. .--.
| +---+---+ | ( '* '.--. | +---+---+ | ( '* '.--.
| | NVE2 | | .-.' * ) | | NVE2 | | .-.' * )
| +---+---+ | ( * Internet ) | +---+---+ | ( * Internet )
| +---+---+. | ( * / | +---+---+. | ( * /
| | vGW | * * * * * * * * '-' '-' | | vGW | * * * * * * * * '-' '-'
| +-------+ | | IPsec \../ \.--/' | +-------+ | | IPsec \../ \.--/'
| +--------+ | Tunnel | +--------+ | Tunnel
+----------------+ +----------------+
DC Provider Site DC Provider Site
Figure 1 - DC Virtual Network Access via the Internet Figure 1 - DC Virtual Network Access via the Internet
3.2. DC VN and SP WAN VPN Interconnection 3.2. DC NVO3 Network and SP WAN VPN Interconnection
In this case, an Enterprise customer wants to use a Service Provider In this case, an Enterprise customer wants to use a Service Provider
(SP) WAN VPN [RFC4364] [RFC7432] to interconnect its sites with a (SP) WAN VPN [RFC4364] [RFC7432] to interconnect its sites with an
virtual network in a DC site. The Service Provider constructs a VPN NVO3 network in a DC site. The Service Provider constructs a VPN for
for the enterprise customer. Each enterprise site peers with an SP the enterprise customer. Each enterprise site peers with an SP PE.
PE. The DC Provider and VPN Service Provider can build a DC virtual The DC Provider and VPN Service Provider can build an NVO3 network
network (VN) and VPN independently, and then interconnect them via a and a WAN VPN independently, and then interconnect them via a local
local link, or a tunnel between the DC GW and WAN PE devices. The link, or a tunnel between the DC GW and WAN PE devices. The control
control plane interconnection options between the DC and WAN are plane interconnection options between the DC and WAN are described
described in RFC4364 [RFC4364]. Using Option A with VRF-LITE [VRF- in RFC4364 [RFC4364]. Using Option A with VRF-LITE [VRF-LITE], both
LITE], both ASBRs, i.e., DC GW and SP PE, maintain a ASBRs, i.e., DC GW and SP PE, maintain a routing/forwarding table
routing/forwarding table (VRF). Using Option B, the DC ASBR and SP (VRF). Using Option B, the DC ASBR and SP ASBR do not maintain the
ASBR do not maintain the VRF table; they only maintain the VN and VRF table; they only maintain the NVO3 network and VPN identifier
VPN identifier mappings, i.e., label mapping, and swap the label on mappings, i.e., label mapping, and swap the label on the packets in
the packets in the forwarding process. Both option A and B allow VN the forwarding process. Both option A and B allow the NVO3 network
and VPN using own identifier and two identifiers are mapped at DC GW. and VPN using own identifier and two identifiers are mapped at DC GW.
With option C, the VN and VPN use the same identifier and both ASBRs With option C, the VN and VPN use the same identifier and both ASBRs
perform the tunnel stitching, i.e., tunnel segment mapping. Each perform the tunnel stitching, i.e., tunnel segment mapping. Each
option has pros/cons [RFC4364] and has been deployed in SP networks option has pros/cons [RFC4364] and has been deployed in SP networks
depending on the applications in use. BGP is used with these options depending on the applications in use. BGP is used with these options
for route distribution between DCs and SP WANs. Note that if the DC for route distribution between DCs and SP WANs. Note that if the DC
is the SP's Data Center, the DC GW and SP PE in this case can be is the SP's Data Center, the DC GW and SP PE in this case can be
merged into one device that performs the interworking of the VN and merged into one device that performs the interworking of the VN and
VPN within an AS. VPN within an AS.
The configurations above allow the enterprise networks to The configurations above allow the enterprise networks to
communicate with the tenant systems attached to the VN in a DC communicate with the tenant systems attached to the NVO3 network in
without interfering with the DC provider's underlying physical the DC without interfering with the DC provider's underlying
networks and other virtual networks. The enterprise can use its own physical networks and other NVO3 networks in the DC. The enterprise
address space in the VN. The DC provider can manage which VM and can use its own address space in the NVO3 network. The DC provider
storage elements attach to the VN. The enterprise customer manages can manage which VM and storage elements attach to the NVO3 network.
which applications run on the VMs in the VN without knowing the The enterprise customer manages which applications run on the VMs
location of the VMs in the DC. (See Section 4 for more) without knowing the location of the VMs in the DC. (See Section 4
for more)
Furthermore, in this use case, the DC operator can move the VMs Furthermore, in this use case, the DC operator can move the VMs
assigned to the enterprise from one sever to another in the DC assigned to the enterprise from one sever to another in the DC
without the enterprise customer being aware, i.e., with no impact on without the enterprise customer being aware, i.e., with no impact on
the enterprise's 'live' applications. Such advanced technologies the enterprise's 'live' applications. Such advanced technologies
bring DC providers great benefits in offering cloud services, but bring DC providers great benefits in offering cloud services, but
add some requirements for NVO3 [RFC7364] as well. add some requirements for NVO3 [RFC7364] as well.
4. DC Applications Using NVO3 4. DC Applications Using NVO3
NVO3 technology provides DC operators with the flexibility in NVO3 technology provides DC operators with the flexibility in
designing and deploying different applications in an end-to-end designing and deploying different applications in an end-to-end
virtualization overlay environment. The operators no longer need to virtualization overlay environment. The operators no longer need to
worry about the constraints of the DC physical network configuration worry about the constraints of the DC physical network configuration
when creating VMs and configuring a virtual network. A DC provider when creating VMs and configuring a network to connect them. A DC
may use NVO3 in various ways, in conjunction with other physical provider may use NVO3 in various ways, in conjunction with other
networks and/or virtual networks in the DC for a reason. This physical networks and/or virtual networks in the DC for a reason.
section highlights some use cases for this goal. This section highlights some use cases for this goal.
4.1. Supporting Multiple Technologies 4.1. Supporting Multiple Technologies
Servers deployed in a large data center are often installed at Servers deployed in a large data center are often installed at
different times, and may have different capabilities/features. Some different times, and may have different capabilities/features. Some
servers may be virtualized, while others may not; some may be servers may be virtualized, while others may not; some may be
equipped with virtual switches, while others may not. For the equipped with virtual switches, while others may not. For the
servers equipped with Hypervisor-based virtual switches, some may servers equipped with Hypervisor-based virtual switches, some may
support VxLAN [RFC7348] encapsulation, some may support NVGRE support VxLAN [RFC7348] encapsulation, some may support NVGRE
encapsulation [RFC7637], and some may not support any encapsulation. encapsulation [RFC7637], and some may not support any encapsulation.
skipping to change at page 9, line 51 skipping to change at page 9, line 46
A DC application may necessarily be constructed with multi-tier A DC application may necessarily be constructed with multi-tier
zones, where each zone has different access permissions and runs zones, where each zone has different access permissions and runs
different applications. For example, a three-tier zone design has a different applications. For example, a three-tier zone design has a
front zone (Web tier) with Web applications, a mid zone (application front zone (Web tier) with Web applications, a mid zone (application
tier) where service applications such as credit payment or ticket tier) where service applications such as credit payment or ticket
booking run, and a back zone (database tier) with Data. External booking run, and a back zone (database tier) with Data. External
users are only able to communicate with the Web application in the users are only able to communicate with the Web application in the
front zone; the back zone can only receive traffic from the front zone; the back zone can only receive traffic from the
application zone. In this case, communications between the zones application zone. In this case, communications between the zones
must pass through a GW/firewall. Each zone can be implemented by one must pass through a GW/firewall. Each zone can be implemented by one
virtual network and a GW/firewall can be used to between two virtual NVO3 network and a GW/firewall can be used to between two NVO3
networks, i.e., two zones. A tunnel carrying virtual network traffic networks, i.e., two zones. As a result, a tunnel carrying NVO3
has to be terminated at the GW/firewall where overlay traffic is network traffic must be terminated at the GW/firewall where the NVO3
processed. traffic is processed.
4.3. Virtual Data Center (vDC) 4.3. Virtual Data Center (vDC)
An Enterprise Data Center today may deploy routers, switches, and An enterprise data center today may deploy routers, switches, and
network appliance devices to construct its internal network, DMZ, network appliance devices to construct its internal network, DMZ,
and external network access; it may have many servers and storage and external network access; it may have many servers and storage
running various applications. With NVO3 technology, a DC Provider running various applications. With NVO3 technology, a DC Provider
can construct a virtual Data Center (vDC) over its physical DC can construct a virtual Data Center (vDC) over its physical DC
infrastructure and offer a virtual Data Center service to enterprise infrastructure and offer a virtual Data Center service to enterprise
customers. A vDC at the DC Provider site provides the same customers. A vDC at the DC Provider site provides the same
capability as the physical DC at a customer site. A customer manages capability as the physical DC at a customer site. A customer manages
its own applications running in its vDC. A DC Provider can further its own applications running in its vDC. A DC Provider can further
offer different network service functions to the customer. The offer different network service functions to the customer. The
network service functions may include firewall, DNS, load balancer, network service functions may include firewall, DNS, load balancer,
skipping to change at page 10, line 36 skipping to change at page 11, line 18
application basis, and one L3 VN (L3VNa) for the internal routing. A application basis, and one L3 VN (L3VNa) for the internal routing. A
network firewall and gateway runs on a VM or server that connects to network firewall and gateway runs on a VM or server that connects to
L3VNa and is used for inbound and outbound traffic processing. A L3VNa and is used for inbound and outbound traffic processing. A
load balancer (LB) is used in L2VNx. A VPN is also built between the load balancer (LB) is used in L2VNx. A VPN is also built between the
gateway and enterprise router. An Enterprise customer runs gateway and enterprise router. An Enterprise customer runs
Web/Mail/Voice applications on VMs within the vDC. The users at the Web/Mail/Voice applications on VMs within the vDC. The users at the
Enterprise site access the applications running in the vDC via the Enterprise site access the applications running in the vDC via the
VPN; Internet users access these applications via the VPN; Internet users access these applications via the
gateway/firewall at the provider DC site. gateway/firewall at the provider DC site.
The Enterprise customer decides which applications should be
accessible only via the intranet and which should be assessable via
both the intranet and Internet, and configures the proper security
policy and gateway function at the firewall/gateway. Furthermore, an
enterprise customer may want multi-zones in a vDC (See section 4.2)
for the security and/or the ability to set different QoS levels for
the different applications.
The vDC use case requires an NVO3 solution to provide DC operators
with an easy and quick way to create a VN and NVEs for any vDC
design, to allocate TSs and assign TSs to the corresponding VN, and
to illustrate vDC topology and manage/configure individual elements
in the vDC in a secure way.
Internet ^ Internet Internet ^ Internet
| |
^ +--+---+ ^ +--+---+
| | GW | | | GW |
| +--+---+ | +--+---+
| | | |
+-------+--------+ +--+---+ +-------+--------+ +--+---+
|Firewall/Gateway+--- VPN-----+router| |Firewall/Gateway+--- VPN-----+router|
+-------+--------+ +-+--+-+ +-------+--------+ +-+--+-+
| | | | | |
skipping to change at page 11, line 31 skipping to change at page 11, line 44
: L2VNx : : L2VNy : : L2VNz : : L2VNx : : L2VNy : : L2VNz :
....... ....... ....... ....... ....... .......
|..| |..| |..| |..| |..| |..|
| | | | | | | | | | | |
Web App. Mail App. VoIP App. Web App. Mail App. VoIP App.
Provider DC Site Provider DC Site
Figure 2 - Virtual Data Center Abstraction View Figure 2 - Virtual Data Center Abstraction View
The enterprise customer decides which applications should be
accessible only via the intranet and which should be assessable via
both the intranet and Internet, and configures the proper security
policy and gateway function at the firewall/gateway. Furthermore, an
enterprise customer may want multi-zones in a vDC (See section 4.2)
for the security and/or the ability to set different QoS levels for
the different applications.
The vDC use case requires an NVO3 solution to provide DC operators
with an easy and quick way to create an NVO3 network and NVEs for
any vDC design, to allocate TSs and assign TSs to the corresponding
NVO3 network, and to illustrate vDC topology and manage/configure
individual elements in the vDC in a secure way.
5. Summary 5. Summary
This document describes some general and potential NVO3 use cases in This document describes some general and potential NVO3 use cases in
DCs. The combination of these cases will give operators the DCs. The combination of these cases will give operators the
flexibility and capability to design more sophisticated cases for flexibility and capability to design more sophisticated cases for
various cloud applications. various cloud applications.
DC services may vary, from infrastructure as a service (IaaS), to DC services may vary, from infrastructure as a service (IaaS), to
platform as a service (PaaS), to software as a service (SaaS). platform as a service (PaaS), to software as a service (SaaS).
In these services, NVO3 virtual networks are just a portion of such In these services, NVO3 networks are just a portion of such services.
services.
NVO3 uses tunnel techniques to deliver VN traffic over an IP network.
A tunnel encapsulation protocol is necessary. An NVO3 tunnel may in
turn be tunneled over other intermediate tunnels over the Internet
or other WANs.
An NVO3 virtual network in a DC may be accessed by external users in NVO3 uses tunnel techniques to deliver NVO3 traffic over DC physical
a secure way. Many existing technologies can help achieve this. infrastructure network. A tunnel encapsulation protocol is
necessary. An NVO3 tunnel may in turn be tunneled over other
intermediate tunnels over the Internet or other WANs.
NVO3 implementations may vary. Some DC operators prefer to use a An NVO3 network in a DC may be accessed by external users in a
centralized controller to manage tenant system reachability in a secure way. Many existing technologies can help achieve this.
virtual network, while other operators prefer to use distribution
protocols to advertise the tenant system location, i.e., NVE
location. When a tenant network spans across multiple DCs and WANs,
each network administration domain may use different methods to
distribute the tenant system locations. Both control plane and data
plane interworking are necessary.
6. Security Considerations 6. Security Considerations
Security is a concern. DC operators need to provide a tenant with a Security is a concern. DC operators need to provide a tenant with a
secured virtual network, which means one tenant's traffic is secured virtual network, which means one tenant's traffic is
isolated from other tenants' traffic as well as from underlay isolated from other tenants' traffic as well as from underlay
networks. DC operators also need to prevent against a tenant networks. DC operators also need to prevent against a tenant
application attacking their underlay DC network; further, they need application attacking their underlay DC network; further, they need
to protect against a tenant application attacking another tenant to protect against a tenant application attacking another tenant
application via the DC infrastructure network. For example, a tenant application via the DC infrastructure network. For example, a tenant
skipping to change at page 14, line 4 skipping to change at page 14, line 18
[VRF-LITE] Cisco, "Configuring VRF-lite", http://www.cisco.com [VRF-LITE] Cisco, "Configuring VRF-lite", http://www.cisco.com
Contributors Contributors
Vinay Bannai Vinay Bannai
PayPal PayPal
2211 N. First St, 2211 N. First St,
San Jose, CA 95131 San Jose, CA 95131
Phone: +1-408-967-7784 Phone: +1-408-967-7784
Email: vbannai@paypal.com Email: vbannai@paypal.com
Ram Krishnan Ram Krishnan
Brocade Communications Brocade Communications
San Jose, CA 95134 San Jose, CA 95134
Phone: +1-408-406-7890 Phone: +1-408-406-7890
Email: ramk@brocade.com Email: ramk@brocade.com
Kieran Milne Kieran Milne
Juniper Networks Juniper Networks
1133 Innovation Way 1133 Innovation Way
Sunnyvale, CA 94089 Sunnyvale, CA 94089
Phone: +1-408-745-2000 Phone: +1-408-745-2000
Email: kmilne@juniper.net Email: kmilne@juniper.net
Acknowledgements Acknowledgements
Authors like to thank Sue Hares, Young Lee, David Black, Pedro Authors like to thank Sue Hares, Young Lee, David Black, Pedro
Marques, Mike McBride, David McDysan, Randy Bush, Uma Chunduri, Eric Marques, Mike McBride, David McDysan, Randy Bush, Uma Chunduri, Eric
Gray, David Allan, Joe Touch, and Olufemi Komolafe for the review, Gray, David Allan, Joe Touch, Olufemi Komolafe, and Matthew Bocci
comments, and suggestions. for the review, comments, and suggestions.
Authors' Addresses Authors' Addresses
Lucy Yong Lucy Yong
Huawei Technologies Huawei Technologies
Phone: +1-918-808-1918 Phone: +1-918-808-1918
Email: lucy.yong@huawei.com Email: lucy.yong@huawei.com
Linda Dunbar Linda Dunbar
Huawei Technologies, Huawei Technologies,
5340 Legacy Dr. 5340 Legacy Dr.
Plano, TX 75025 US Plano, TX 75025 US
Phone: +1-469-277-5840 Phone: +1-469-277-5840
Email: linda.dunbar@huawei.com Email: linda.dunbar@huawei.com
Mehmet Toy Mehmet Toy
 End of changes. 43 change blocks. 
182 lines changed or deleted 171 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/