< draft-ietf-nvo3-use-case-15.txt   draft-ietf-nvo3-use-case-16.txt >
Network Working Group L. Yong Network Working Group L. Yong
Internet Draft L. Dunbar Internet Draft L. Dunbar
Category: Informational Huawei Category: Informational Huawei
M. Toy M. Toy
Verizon Verizon
A. Isaac A. Isaac
Juniper Networks Juniper Networks
V. Manral V. Manral
Ionos Networks Ionos Networks
Expires: June 2017 December 21, 2016 Expires: July 2017 February 10, 2017
Use Cases for Data Center Network Virtualization Overlay Networks Use Cases for Data Center Network Virtualization Overlay Networks
draft-ietf-nvo3-use-case-15 draft-ietf-nvo3-use-case-16
Abstract Abstract
This document describes data center network virtualization overlay This document describes data center network virtualization overlay
(NVO3) network use cases that can be deployed in various data (NVO3) network use cases that can be deployed in various data
centers and serve different data center applications. centers and serve different data center applications.
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with This Internet-Draft is submitted to IETF in full conformance with
skipping to change at page 1, line 45 skipping to change at page 1, line 45
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on June 21, 2017. This Internet-Draft will expire on July 21, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License. warranty as described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction...................................................3 1. Introduction...................................................3
1.1. Terminology...............................................4 1.1. Terminology...............................................4
2. Basic NVO3 Networks............................................5 1.2. NVO3 Background...........................................5
3. DC NVO3 Network and External Network Interconnection...........6 2. DC with Large Number of Virtual Networks.......................6
3.1. DC NVO3 Network Access via the Internet...................6 3. DC NVO3 virtual network and External Network Interconnection...6
3.2. DC NVO3 Network and SP WAN VPN Interconnection............7 3.1. DC NVO3 virtual network Access via the Internet...........7
4. DC Applications Using NVO3.....................................8 3.2. DC NVO3 virtual network and SP WAN VPN Interconnection....8
4. DC Applications Using NVO3.....................................9
4.1. Supporting Multiple Technologies..........................9 4.1. Supporting Multiple Technologies..........................9
4.2. DC Application with Multiple Virtual Networks.............9 4.2. DC Applications Spanning Multiple Physical Zones.........10
4.3. Virtual Data Center (vDC)................................10 4.3. Virtual Data Center (vDC)................................10
5. Summary.......................................................12 5. Summary.......................................................12
6. Security Considerations.......................................12 6. Security Considerations.......................................12
7. IANA Considerations...........................................12 7. IANA Considerations...........................................13
8. Informative References........................................13 8. Informative References........................................13
Contributors.....................................................14 Contributors.....................................................14
Acknowledgements.................................................14 Acknowledgements.................................................14
Authors' Addresses...............................................14 Authors' Addresses...............................................15
1. Introduction 1. Introduction
Server virtualization has changed the Information Technology (IT) Server virtualization has changed the Information Technology (IT)
industry in terms of the efficiency, cost, and speed of providing industry in terms of the efficiency, cost, and speed of providing
new applications and/or services such as cloud applications. However new applications and/or services such as cloud applications. However
traditional data center (DC) networks have some limits in supporting traditional data center (DC) networks have limits in supporting
cloud applications and multi tenant networks [RFC7364]. The goal of cloud applications and multi tenant networks [RFC7364]. The goals of
data center network virtualization overlay (NVO3) networks is to data center network virtualization overlay (NVO3) networks are to
decouple the communication among tenant systems from DC physical decouple the communication among tenant systems from DC physical
infrastructure networks and to allow one physical network infrastructure networks and to allow one physical network
infrastructure: infrastructure to:
o Carry many NVO3 networks and isolate different NVO3 network o Carry many NVO3 virtual networks and isolate the traffic of
traffic on a physical network that carries NVO3 network traffic. different NVO3 virtual networks on a physical network.
o Independent address spaces in individual NVO3 networks such as o Provide independent address space in individual NVO3 virtual
MAC and IP. network such as MAC and IP.
o Flexible Virtual Machines (VM) and/or workload placement o Support flexible Virtual Machines (VM) and/or workload placement
including the ability to move them from one server to another including the ability to move them from one server to another
without requiring VM address changes and physical infrastructure without requiring VM address changes and physical infrastructure
network configuration changes, and the ability to perform a "hot network configuration changes, and the ability to perform a "hot
move" with no disruption to the live application running on VMs. move" with no disruption to the live application running on those
VMs.
These characteristics of NVO3 networks help address the issues that These characteristics of NVO3 virtual networks help address the
cloud applications face in data centers [RFC7364]. issues that cloud applications face in data centers [RFC7364].
An NVO3 network may interconnect with another NVO3 network on the Hosts in one NVO3 virtual network may communicate with hosts in
same physical network, or another physical network (i.e., not the another NVO3 virtual network that is carried by the same physical
physical network that the NVO3 network is carried over), via a network, or different physical network, via a gateway. The use case
gateway. The use case examples for the latter are: 1) DCs that examples for the latter are: 1) DCs that migrate toward an NVO3
migrate toward an NVO3 solution will be done in steps, where a solution will be done in steps, where a portion of tenant systems in
portion of tenant systems in a VN is on virtualized servers while a VN are on virtualized servers while others exist on a LAN. 2) many
others exist on a LAN. 2) many DC applications serve to Internet DC applications serve to Internet users who are on different
users who are on physical networks; 3) some applications are CPU physical networks; 3) some applications are CPU bound, such as Big
bound, such as Big Data analytics, and may not run on virtualized Data analytics, and may not run on virtualized resources. The inter-
resources. Some inter-VN policies can be enforced at the gateway. VN policies are usually enforced by the gateway.
This document describes general NVO3 network use cases that apply to This document describes general NVO3 virtual network use cases that
various data centers. The use cases described here represent DC apply to various data centers. The use cases described here
provider's interests and vision for their cloud services. The represent DC provider's interests and vision for their cloud
document groups the use cases into three categories from simple to services. The document groups the use cases into three categories
advance in term of implementation. However the implementations of from simple to sophiscated in terms of implementation. However the
these use cases are outside the scope of this document. These three implementation details of these use cases are outside the scope of
categories are highlighted below: this document. These three categories are highlighted below:
o Basic NVO3 networks (Section 2). All Tenant Systems (TS) in the o Basic NVO3 virtual networks (Section 2). All Tenant Systems (TS)
network are located within the same DC. The individual networks in the network are located within the same DC. The individual
can be either Layer 2 (L2) or Layer 3 (L3). The number of NVO3 networks can be either Layer 2 (L2) or Layer 3 (L3). The number
networks in a DC is much higher than what traditional VLAN based of NVO3 virtual networks in a DC is much larger than the number
virtual networks [IEEE 802.1Q] can support. This case is often that traditional VLAN based virtual networks [IEEE 802.1Q] can
referred as to the DC East-West traffic. support.
o A virtual network that spans across multiple Data Centers and/or o A virtual network that spans across multiple Data Centers and/or
to customer premises where NVO3 networks are constructed and to customer premises where NVO3 virtual networks are constructed
interconnect another virtual or physical network outside the data and interconnect other virtual or physical networks outside the
center. An enterprise customer may use a traditional carrier VPN data center. An enterprise customer may use a traditional
or an IPsec tunnel over the Internet to communicate with its carrier-grade VPN or an IPsec tunnel over the Internet to
systems in the DC. This is described in Section 3. communicate with its systems in the DC. This is described in
Section 3.
o DC applications or services require an advanced network that o DC applications or services require an advanced network that
contains several NVO3 networks that are interconnected by the contains several NVO3 virtual networks that are interconnected by
gateways. Three scenarios are described in Section 4.1) gateways. Three scenarios are described in Section 4. (1)
supporting multiple technologies; 2) constructing several virtual supporting multiple technologies; (2) constructing several
networks as a tenant network; 3) applying NVO3 to a virtual Data virtual networks as a tenant network; (3) applying NVO3 to a
Center (vDC). virtual Data Center (vDC).
The document uses the architecture reference model defined in The document uses the architecture reference model defined in
[RFC7365] to describe the use cases. [RFC7365] to describe the use cases.
1.1. Terminology 1.1. Terminology
This document uses the terminologies defined in [RFC7365] and This document uses the terminology defined in [RFC7365] and
[RFC4364]. Some additional terms used in the document are listed [RFC4364]. Some additional terms used in the document are listed
here. here.
ASBR: Autonomous System Boarder Routers (ASBR)
DMZ: Demilitarized Zone. A computer or small sub-network that sits DMZ: Demilitarized Zone. A computer or small sub-network that sits
between a trusted internal network, such as a corporate private LAN, between a more trusted internal network, such as a corporate private
and an un-trusted external network, such as the public Internet. LAN, and an un-trusted or less trusted external network, such as the
public Internet.
DNS: Domain Name Service [RFC1035] DNS: Domain Name Service [RFC1035]
DC Operator: A role who is responsible to construct and manage cloud DC Operator: An entity that is responsible for constructing and
service instances in their life-cycle and manage DC infrastructure managing all resources in data centers, including, but not limited
that runs these cloud instances. to, compute, storage, networking, etc.
DC Provider: A company that uses its DC infrastructure to offer DC Provider: An entity that uses its DC infrastructure to offer
cloud services to its customers. services to its customers.
NAT: Network Address Translation [RFC3022] NAT: Network Address Translation [RFC3022]
vGW: virtual Gateway; a gateway component used for an NVO3 virtual vGW: virtual Gateway; a gateway component used for an NVO3 virtual
network to interconnect with another virtual/physical network. network to interconnect with another virtual/physical network.
2. Basic NVO3 Networks NVO3 virtual network: a virtual network that is implemented based
NVO3 architecture [NVO3-ARCH].
An NVO3 network provides communications among Tenant Systems (TS) in PE: Provider Edge
a DC. A TS can be a physical server/device or a virtual machine (VM)
on a server, i.e., end-device [RFC7365]. A DC provider often uses
NVO3 networks for its internal applications in which each
application runs on many VMs or physical services and requires
application segregation.
A Network Virtual Edge (NVE) is an NVO3 architecture component SP: Service Provider
[RFC7365]]. It is responsible to forward and encapsulate the NVO3
traffic in outbound direction; and decapsulate and forward the NVO3
traffic in inbound direction [NVO3ARCH]. A Network Virtualization
Authority (NVA) is another NVO3 architecture component [RFC7365]. An
NVE obtains the reachability information of tenant systems in a NVO3
network from the NVA. The tenant systems attached to the same NVE
may belong to a same or different NVO3 networks.
The network virtualization overlay in this context means that a TS: A TS can be a physical server/device or a virtual machine (VM)
virtual network is implemented with an overlay technology, i.e., on a server, i.e., end-device [RFC7365].
within a DC, NVO3 traffic is encapsulated at an NVE and carried by a
tunnel to another NVE where the packet is decapsulated and sent to a
target tenant system [NVO3ARCH]. This architecture decouples an NVO3
network construction from the DC physical network configuration,
which provides the flexibility for VM placement and mobility. The
architecture supports one tunnel to carry NVO3 traffic belonging to
different NVO3 networks; thus the NVO3 encapsulation header carries
a virtual network identifier to differentiate NVO3 traffic in a
tunnel.
An NVO3 network may be an L2 or L3 domain. The network provides VRF-LITE: Virtual Routing and Forwarding - LITE [VRF-LITE]
switching (L2) or routing (L3) capability to support host (i.e.
tenent systems) communications. An NVO3 network may required to
carry unicast traffic and/or multicast, broadcast/unknown (for L2
only) traffic from/to tenant systems. There are several ways to
transport NVO3 network BUM traffic [NVO3MCAST].
It is worth mentioning two distinct cases regarding to NVE location. VN: NVO3 virtual network.
The first is where TSs and an NVE are co-located on a single end
host/device, which means that the NVE can be aware of the TS's state
at any time via an internal API. The second is where TSs and an NVE
are not co-located, with the NVE residing on a network device; in
this case, a protocol is necessary to allow the NVE to be aware of
the TS's state [NVO3HYVR2NVE].
One NVO3 network can provide connectivity to many TSs that attach to WAN VPN: Wide Area Network Virtual Private Network [RFC4364]
many different NVEs in a DC. TS dynamic placement and mobility [RFC7432]
results in frequent changes of the binding between a TS and an NVE.
The TS reachability update mechanisms need be fast enough so that
the updates do not cause any communication disruption/interruption.
The capability of supporting many TSs in a virtual network and many
more virtual networks in a DC is critical for the NVO3 solution.
If a virtual network spans across multiple DC sites, one design 1.2. NVO3 Background
using NVO3 is to allow the network to seamlessly span across the
sites without DC gateway routers' termination. In this case, the
tunnel between a pair of NVEs can be carried within other
intermediate tunnels over the Internet or other WANs, or an intra DC
tunnel and inter DC tunnel(s) can be stitched together to form an
end-to-end tunnel between the pair of NVEs that are in different DC
sites. Both cases will form one virtual network across multiple DC
sites.
3. DC NVO3 Network and External Network Interconnection An NVO3 virtual network is a virtual network in a DC that is
implemented based on the NV03 architecture [RFC8014]. This
architecture is often referred to as an overlay architecture. The
traffic carried by an NVO3 virtual network is encapsulated at a
Network Virtual Edge (NVE) [RFC8014] and carried by a tunnel to
another NVE where the traffic is decapsulated and sent to a
destination Tenant System (TS). The NVO3 architecture decouples NVO3
virtual networks from the DC physical network configuration. The
architecture uses common tunnels to carry NVO3 traffic that belongs
to multiple NVO3 virtual networks.
Many customers (an enterprise or individuals) who utilize a DC An NVO3 virtual network may be an L2 or L3 domain. The network
provides switching (L2) or routing (L3) capability to support host
(i.e., tenant systems) communications. An NVO3 virtual network may
be required to carry unicast traffic and/or multicast,
broadcast/unknown-unicast (for L2 only) traffic from/to tenant
systems. There are several ways to transport NVO3 virtual network
BUM (Broadcast, Unknown-unicast, Multicast) traffic [NVO3MCAST].
An NVO3 virtual network provides communications among Tenant Systems
(TS) in a DC. A TS can be a physical server/device or a virtual
machine (VM) on a server end-device [RFC7365].
2. DC with Large Number of Virtual Networks
A DC provider often uses NVO3 virtual networks for internal
applications where each application runs on many VMs or physical
servers and the provider requires applications to be segregated from
each other. A DC may run a larger number of NVO3 virtual networks to
support many applications concurrently, where traditional IEEE802.1Q
based VLAN solution is limited to 4094 VLANs.
Applications running on VMs may require different quantity of
computing resource, which may result in computing resource shortage
on some servers and other servers being nearly idle. Shortage of
computing resource may impact application performance. DC operators
desire VM or workload movement for resource usage optimization. VM
dynamic placement and mobility results in frequent changes of the
binding between a TS and an NVE. The TS reachability update
mechanisms should take significantly less time than the typical
TCP/SCTP re-transmission Time-out window, so that end points'
TCP/SCTP connections won't be impacted by a TS becoming bound to a
different NVE. The capability of supporting many TSs in a virtual
network and many virtual networks in a DC is critical for an NVO3
solution.
When NVO3 virtual networks segregate VMs belonging to different
applications, DC operators can independently assign MAC and/or IP
address space to each virtual network. This addressing is more
flexible than requiring all hosts in all NVO3 virtual networks to
share one address space. In contrast, typical use of IEEE 802.1Q
VLANs requires a single common MAC address space.
3. DC NVO3 virtual network and External Network Interconnection
Many customers (enterprises or individuals) who utilize a DC
provider's compute and storage resources to run their applications provider's compute and storage resources to run their applications
need to access their systems hosted in a DC through Internet or need to access their systems hosted in a DC through Internet or
Service Providers' Wide Area Networks (WAN). A DC provider can Service Providers' Wide Area Networks (WAN). A DC provider can
construct a NVO3 network that provides connectivity to all the construct a NVO3 virtual network that provides connectivity to all
resources designated for a customer and allows the customer to the resources designated for a customer and allows the customer to
access the resources via a virtual gateway (vGW). This, in turn, access the resources via a virtual gateway (vGW). WAN connectivity
becomes the case of interconnecting an NVO3 network and the virtual to the virtual gateway can be provided by VPN technologies such as
private network (VPN) on the Internet or wide-area networks (WAN). IPsec VPNs [RFC4301] and BGP/MPLS IP VPNs [RFC 4364].
Note that a VPN is not implemented by NVO3 solution. Two use cases
are described here.
3.1. DC NVO3 Network Access via the Internet If a virtual network spans multiple DC sites, one design using NVO3
is to allow the network to seamlessly span the sites without DC
gateway routers' termination. In this case, the tunnel between a
pair of NVEs can be carried within other intermediate tunnels over
the Internet or other WANs, or an intra-DC tunnel and inter DC
tunnel(s) can be stitched together to form an end-to-end tunnel
between the pair of NVEs that are in different DC sites. Both cases
will form one NVO3 virtual network across multiple DC sites.
A customer can connect to an NVO3 network via the Internet in a Two use cases are described in the following sections.
secure way. Figure 1 illustrates an example of this case. The NVO3
network has an instance at NVE1 and NVE2 and the two NVEs are 3.1. DC NVO3 virtual network Access via the Internet
connected via an IP tunnel in the Data Center. A set of tenant
systems are attached to NVE1 on a server. NVE2 resides on a DC A customer can connect to an NVO3 virtual network via the Internet
Gateway device. NVE2 terminates the tunnel and uses the VNID on the in a secure way. Figure 1 illustrates an example of this case. The
packet to pass the packet to the corresponding vGW entity on the DC NVO3 virtual network has an instance at NVE1 and NVE2 and the two
GW (the vGW is the default gateway for the virtual network). A NVEs are connected via an IP tunnel in the Data Center. A set of
tenant systems are attached to NVE1 on a server. NVE2 resides on a
DC Gateway device. NVE2 terminates the tunnel and uses the VNID on
the packet to pass the packet to the corresponding vGW entity on the
DC GW (the vGW is the default gateway for the virtual network). A
customer can access their systems, i.e., TS1 or TSn, in the DC via customer can access their systems, i.e., TS1 or TSn, in the DC via
the Internet by using an IPsec tunnel [RFC4301]. The IPsec tunnel is the Internet by using an IPsec tunnel [RFC4301]. The IPsec tunnel is
configured between the vGW and the customer gateway at the customer configured between the vGW and the customer gateway at the customer
site. Either a static route or iBGP may be used for prefix site. Either a static route or Interior Border Gateway Protocol
advertisement. The vGW provides IPsec functionality such as (iBGP) may be used for prefix advertisement. The vGW provides IPsec
authentication scheme and encryption; iBGP protocol traffic is functionality such as authentication scheme and encryption; iBGP
carried within the IPsec tunnel. Some vGW features are listed below: protocol traffic is carried within the IPsec tunnel. Some vGW
features are listed below:
o The vGW maintains the TS/NVE mappings and advertises the TS o The vGW maintains the TS/NVE mappings and advertises the TS
prefix to the customer via static route or iBGP. prefix to the customer via static route or iBGP.
o Some vGW functions such as firewall and load balancer can be o Some vGW functions such as firewall and load balancer can be
performed by locally attached network appliance devices. performed by locally attached network appliance devices.
o If the NVO3 network uses different address space than external o If the NVO3 virtual network uses different address space than
users, then the vGW needs to provide the NAT function. external users, then the vGW needs to provide the NAT function.
o More than one IPsec tunnel can be configured for redundancy. o More than one IPsec tunnel can be configured for redundancy.
o The vGW can be implemented on a server or VM. In this case, IP o The vGW can be implemented on a server or VM. In this case, IP
tunnels or IPsec tunnels can be used over the DC infrastructure. tunnels or IPsec tunnels can be used over the DC infrastructure.
o DC operators need to construct a vGW for each customer. o DC operators need to construct a vGW for each customer.
Server+---------------+ Server+---------------+
| TS1 TSn | | TS1 TSn |
| |...| | | |...| |
| +-+---+-+ | Customer Site | +-+---+-+ | Customer Site
| | NVE1 | | +-----+ | | NVE1 | | +-----+
| +---+---+ | | CGW | | +---+---+ | | GW |
+------+--------+ +--+--+ +------+--------+ +--+--+
| * | *
L3 Tunnel * L3 Tunnel *
| * | *
DC GW +------+---------+ .--. .--. DC GW +------+---------+ .--. .--.
| +---+---+ | ( '* '.--. | +---+---+ | ( '* '.--.
| | NVE2 | | .-.' * ) | | NVE2 | | .-.' * )
| +---+---+ | ( * Internet ) | +---+---+ | ( * Internet )
| +---+---+. | ( * / | +---+---+. | ( * /
| | vGW | * * * * * * * * '-' '-' | | vGW | * * * * * * * * '-' '-'
| +-------+ | | IPsec \../ \.--/' | +-------+ | | IPsec \../ \.--/'
| +--------+ | Tunnel | +--------+ | Tunnel
+----------------+ +----------------+
DC Provider Site DC Provider Site
Figure 1 - DC Virtual Network Access via the Internet Figure 1 - DC Virtual Network Access via the Internet
3.2. DC NVO3 Network and SP WAN VPN Interconnection 3.2. DC NVO3 virtual network and SP WAN VPN Interconnection
In this case, an Enterprise customer wants to use a Service Provider In this case, an Enterprise customer wants to use a Service Provider
(SP) WAN VPN [RFC4364] [RFC7432] to interconnect its sites with an (SP) WAN VPN [RFC4364] [RFC7432] to interconnect its sites with an
NVO3 network in a DC site. The Service Provider constructs a VPN for NVO3 virtual network in a DC site. The Service Provider constructs a
the enterprise customer. Each enterprise site peers with an SP PE. VPN for the enterprise customer. Each enterprise site peers with an
The DC Provider and VPN Service Provider can build an NVO3 network SP PE. The DC Provider and VPN Service Provider can build an NVO3
and a WAN VPN independently, and then interconnect them via a local virtual network and a WAN VPN independently, and then interconnect
link, or a tunnel between the DC GW and WAN PE devices. The control them via a local link, or a tunnel between the DC GW and WAN
plane interconnection options between the DC and WAN are described Provider Edge (PE) devices. The control plane interconnection
in RFC4364 [RFC4364]. Using Option A with VRF-LITE [VRF-LITE], both options between the DC and WAN are described in [RFC4364]. Using the
ASBRs, i.e., DC GW and SP PE, maintain a routing/forwarding table option A specified in [RFC4364] with VRF-LITE [VRF-LITE], both
(VRF). Using Option B, the DC ASBR and SP ASBR do not maintain the Autonomous System Boarder Routers (ASBR), i.e., DC GW and SP PE,
VRF table; they only maintain the NVO3 network and VPN identifier maintain a routing/forwarding table (VRF). Using the option B
mappings, i.e., label mapping, and swap the label on the packets in specified in [RFC4364], the DC ASBR and SP ASBR do not maintain the
the forwarding process. Both option A and B allow the NVO3 network VRF table; they only maintain the NVO3 virtual network and VPN
and VPN using own identifier and two identifiers are mapped at DC GW. identifier mappings, i.e., label mapping, and swap the label on the
With option C, the VN and VPN use the same identifier and both ASBRs packets in the forwarding process. Both option A and B allow the
perform the tunnel stitching, i.e., tunnel segment mapping. Each NVO3 virtual network and VPN using their own identifiers and two
option has pros/cons [RFC4364] and has been deployed in SP networks identifiers are mapped at DC GW. With the option C in [RFC4364], the
depending on the applications in use. BGP is used with these options VN and VPN use the same identifier and both ASBRs perform the tunnel
for route distribution between DCs and SP WANs. Note that if the DC stitching, i.e., tunnel segment mapping. Each option has pros/cons
is the SP's Data Center, the DC GW and SP PE in this case can be [RFC4364] and has been deployed in SP networks depending on the
merged into one device that performs the interworking of the VN and application requirements. BGP is used in these options for route
VPN within an AS. distribution between DCs and SP WANs. Note that if the DC is the
SP's Data Center, the DC GW and SP PE in this case can be merged
into one device that performs the interworking of the VN and VPN
within an AS.
The configurations above allow the enterprise networks to These solutions allow the enterprise networks to communicate with
communicate with the tenant systems attached to the NVO3 network in the tenant systems attached to the NVO3 virtual network in the DC
the DC without interfering with the DC provider's underlying without interfering with the DC provider's underlying physical
physical networks and other NVO3 networks in the DC. The enterprise networks and other NVO3 virtual networks in the DC. The enterprise
can use its own address space in the NVO3 network. The DC provider can use its own address space in the NVO3 virtual network. The DC
can manage which VM and storage elements attach to the NVO3 network. provider can manage which VM and storage elements attach to the NVO3
The enterprise customer manages which applications run on the VMs virtual network. The enterprise customer manages which applications
without knowing the location of the VMs in the DC. (See Section 4 run on the VMs without knowing the location of the VMs in the DC.
for more) (See Section 4 for more)
Furthermore, in this use case, the DC operator can move the VMs Furthermore, in this use case, the DC operator can move the VMs
assigned to the enterprise from one sever to another in the DC assigned to the enterprise from one sever to another in the DC
without the enterprise customer being aware, i.e., with no impact on without the enterprise customer being aware, i.e., with no impact on
the enterprise's 'live' applications. Such advanced technologies the enterprise's 'live' applications. Such advanced technologies
bring DC providers great benefits in offering cloud services, but bring DC providers great benefits in offering cloud services, but
add some requirements for NVO3 [RFC7364] as well. add some requirements for NVO3 [RFC7364] as well.
4. DC Applications Using NVO3 4. DC Applications Using NVO3
NVO3 technology provides DC operators with the flexibility in NVO3 technology provides DC operators with the flexibility in
designing and deploying different applications in an end-to-end designing and deploying different applications in an end-to-end
virtualization overlay environment. The operators no longer need to virtualization overlay environment. The operators no longer need to
worry about the constraints of the DC physical network configuration worry about the constraints of the DC physical network configuration
when creating VMs and configuring a network to connect them. A DC when creating VMs and configuring a network to connect them. A DC
provider may use NVO3 in various ways, in conjunction with other provider may use NVO3 in various ways, in conjunction with other
physical networks and/or virtual networks in the DC for a reason. physical networks and/or virtual networks in the DC. This section
This section highlights some use cases for this goal. highlights some use cases for this goal.
4.1. Supporting Multiple Technologies 4.1. Supporting Multiple Technologies
Servers deployed in a large data center are often installed at Servers deployed in a large data center are often installed at
different times, and may have different capabilities/features. Some different times, and may have different capabilities/features. Some
servers may be virtualized, while others may not; some may be servers may be virtualized, while others may not; some may be
equipped with virtual switches, while others may not. For the equipped with virtual switches, while others may not. For the
servers equipped with Hypervisor-based virtual switches, some may servers equipped with Hypervisor-based virtual switches, some may
support a standardized NVO3 encapsulation, some may not support any support a standardized NVO3 encapsulation, some may not support any
encapsulation, and some may support a documented encapsulation encapsulation, and some may support a documented encapsulation
protocol (e.g. VxLAN [RFC7348], NVGRE [RFC7637]) or proprietary protocol (e.g. VxLAN [RFC7348], NVGRE [RFC7637]) or proprietary
encapsulations. To construct a tenant network among these servers encapsulations. To construct a tenant network among these servers
and the ToR switches, operators can construct one traditional VLAN and the ToR switches, operators can construct one traditional VLAN
network and two virtual networks where one uses VxLAN encapsulation network and two virtual networks where one uses VxLAN encapsulation
and the other uses NVGRE, and interconnect these three networks via and the other uses NVGRE, and interconnect these three networks via
a gateway or virtual GW. The GW performs packet a gateway or virtual GW. The GW performs packet
encapsulation/decapsulation translation between the networks. encapsulation/decapsulation translation between the networks.
Another case is that some software of a tenant is high CPU and Another case is that some software of a tenant has high CPU and
memory consumption, which only makes a sense to run on metal servers; memory consumption, which only makes a sense to run on standalone
other software of the tenant may be good to run on VMs. However servers; other software of the tenant may be good to run on VMs.
provider DC infrastructure is configured to use NVO3 to connect to However provider DC infrastructure is configured to use NVO3 to
VMs and VLAN [IEEE802.1Q] connect to metal services. The tenant connect VMs and VLAN [IEEE802.1Q] to physical servers. The tenant
network requires interworking between NVO3 and traditional VLAN. network requires interworking between NVO3 and traditional VLAN.
4.2. DC Application with Multiple Virtual Networks 4.2. DC Applications Spanning Multiple Physical Zones
A DC application may necessarily be constructed with multi-tier A DC can be partitioned into multiple physical zones, with each zone
zones, where each zone has different access permissions and runs having different access permissions and runs different applications.
different applications. For example, a three-tier zone design has a For example, a three-tier zone design has a front zone (Web tier)
front zone (Web tier) with Web applications, a mid zone (application with Web applications, a mid zone (application tier) where service
tier) where service applications such as credit payment or ticket applications such as credit payment or ticket booking run, and a
booking run, and a back zone (database tier) with Data. External back zone (database tier) with Data. External users are only able to
users are only able to communicate with the Web application in the communicate with the Web application in the front zone; the back
front zone; the back zone can only receive traffic from the zone can only receive traffic from the application zone. In this
application zone. In this case, communications between the zones case, communications between the zones must pass through one or more
must pass through a GW/firewall. Each zone can be implemented by one security functions in a physical DMZ zone. Each zone can be
NVO3 network and a GW/firewall can be used to between two NVO3 implemented by one NVO3 virtual network and the security functions
networks, i.e., two zones. As a result, a tunnel carrying NVO3 in DMZ zone can be used to between two NVO3 virtual networks, i.e.,
network traffic must be terminated at the GW/firewall where the NVO3 two zones. If network functions (NF), especially the security
traffic is processed. functions in the physical DMZ can't process encapsulated NVO3
traffic, the NVO3 tunnels have to be terminated for the NF to
perform its processing on the application traffic.
4.3. Virtual Data Center (vDC) 4.3. Virtual Data Center (vDC)
An enterprise data center today may deploy routers, switches, and An enterprise data center today may deploy routers, switches, and
network appliance devices to construct its internal network, DMZ, network appliance devices to construct its internal network, DMZ,
and external network access; it may have many servers and storage and external network access; it may have many servers and storage
running various applications. With NVO3 technology, a DC Provider running various applications. With NVO3 technology, a DC Provider
can construct a virtual Data Center (vDC) over its physical DC can construct a virtual Data Center (vDC) over its physical DC
infrastructure and offer a virtual Data Center service to enterprise infrastructure and offer a virtual Data Center service to enterprise
customers. A vDC at the DC Provider site provides the same customers. A vDC at the DC Provider site provides the same
capability as the physical DC at a customer site. A customer manages capability as the physical DC at a customer site. A customer manages
its own applications running in its vDC. A DC Provider can further its own applications running in its vDC. A DC Provider can further
offer different network service functions to the customer. The offer different network service functions to the customer. The
network service functions may include firewall, DNS, load balancer, network service functions may include firewall, DNS, load balancer,
gateway, etc. gateway, etc.
Figure 2 below illustrates one such scenario at service abstraction Figure 2 below illustrates one such scenario at the service
level. In this example, the vDC contains several L2 VNs (L2VNx, abstraction level. In this example, the vDC contains several L2 VNs
L2VNy, L2VNz) to group the tenant systems together on a per- (L2VNx, L2VNy, L2VNz) to group the tenant systems together on a per-
application basis, and one L3 VN (L3VNa) for the internal routing. A application basis, and one L3 VN (L3VNa) for the internal routing. A
network firewall and gateway runs on a VM or server that connects to network firewall and gateway runs on a VM or server that connects to
L3VNa and is used for inbound and outbound traffic processing. A L3VNa and is used for inbound and outbound traffic processing. A
load balancer (LB) is used in L2VNx. A VPN is also built between the load balancer (LB) is used in L2VNx. A VPN is also built between the
gateway and enterprise router. An Enterprise customer runs gateway and enterprise router. An Enterprise customer runs
Web/Mail/Voice applications on VMs within the vDC. The users at the Web/Mail/Voice applications on VMs within the vDC. The users at the
Enterprise site access the applications running in the vDC via the Enterprise site access the applications running in the vDC via the
VPN; Internet users access these applications via the VPN; Internet users access these applications via the
gateway/firewall at the provider DC site. gateway/firewall at the provider DC site.
skipping to change at page 12, line 9 skipping to change at page 12, line 9
The enterprise customer decides which applications should be The enterprise customer decides which applications should be
accessible only via the intranet and which should be assessable via accessible only via the intranet and which should be assessable via
both the intranet and Internet, and configures the proper security both the intranet and Internet, and configures the proper security
policy and gateway function at the firewall/gateway. Furthermore, an policy and gateway function at the firewall/gateway. Furthermore, an
enterprise customer may want multi-zones in a vDC (See section 4.2) enterprise customer may want multi-zones in a vDC (See section 4.2)
for the security and/or the ability to set different QoS levels for for the security and/or the ability to set different QoS levels for
the different applications. the different applications.
The vDC use case requires an NVO3 solution to provide DC operators The vDC use case requires an NVO3 solution to provide DC operators
with an easy and quick way to create an NVO3 network and NVEs for with an easy and quick way to create an NVO3 virtual network and
any vDC design, to allocate TSs and assign TSs to the corresponding NVEs for any vDC design, to allocate TSs and assign TSs to the
NVO3 network, and to illustrate vDC topology and manage/configure corresponding NVO3 virtual network, and to illustrate vDC topology
individual elements in the vDC in a secure way. and manage/configure individual elements in the vDC in a secure way.
5. Summary 5. Summary
This document describes some general and potential NVO3 use cases in This document describes some general NVO3 use cases in DCs. The
DCs. The combination of these cases will give operators the combination of these cases will give operators the flexibility and
flexibility and capability to design more sophisticated cases for capability to design more sophisticated support for various cloud
various cloud applications. applications.
DC services may vary, from infrastructure as a service (IaaS), to DC services may vary, NVO3 virtual networks make it possible to
platform as a service (PaaS), to software as a service (SaaS). scale a large number of virtual networks in DC and ensure the
In these services, NVO3 networks are just a portion of such services. network infrastructure not impacted by the number of VMs and dynamic
workload changes in DC.
NVO3 uses tunnel techniques to deliver NVO3 traffic over DC physical NVO3 uses tunnel techniques to deliver NVO3 traffic over DC physical
infrastructure network. A tunnel encapsulation protocol is infrastructure network. A tunnel encapsulation protocol is
necessary. An NVO3 tunnel may in turn be tunneled over other necessary. An NVO3 tunnel may in turn be tunneled over other
intermediate tunnels over the Internet or other WANs. intermediate tunnels over the Internet or other WANs.
An NVO3 network in a DC may be accessed by external users in a An NVO3 virtual network in a DC may be accessed by external users in
secure way. Many existing technologies can help achieve this. a secure way. Many existing technologies can help achieve this.
6. Security Considerations 6. Security Considerations
Security is a concern. DC operators need to provide a tenant with a Security is a concern. DC operators need to provide a tenant with a
secured virtual network, which means one tenant's traffic is secured virtual network, which means one tenant's traffic is
isolated from other tenants' traffic as well as from underlay isolated from other tenants' traffic and is not leaked to the
networks. DC operators also need to prevent against a tenant underlay networks. Tenants are vulnerable to observation and data
application attacking their underlay DC network; further, they need modification/injection by the operator of the underlay and should
to protect against a tenant application attacking another tenant only use operators they trust. DC operators also need to prevent a
tenant application attacking their underlay DC network; further,
they need to protect a tenant application attacking another tenant
application via the DC infrastructure network. For example, a tenant application via the DC infrastructure network. For example, a tenant
application attempts to generate a large volume of traffic to application attempts to generate a large volume of traffic to
overload the DC's underlying network. An NVO3 solution has to overload the DC's underlying network. This can be done by limiting
address these issues. the bandwidth of such communications.
7. IANA Considerations 7. IANA Considerations
This document does not request any action from IANA. This document does not request any action from IANA.
8. Informative References 8. Informative References
[IEEE802.1Q] IEEE, "IEEE Standard for Local and metropolitan area [IEEE802.1Q] IEEE, "IEEE Standard for Local and metropolitan area
networks -- Media Access Control (MAC) Bridges and Virtual networks -- Media Access Control (MAC) Bridges and Virtual
Bridged Local Area", IEEE Std 802.1Q, 2011. Bridged Local Area", IEEE Std 802.1Q, 2011.
[NVO3HYVR2NVE] Li, Y., et al, "Hypervisor to NVE Control Plane [NIST] National Institute of Standards and Technology, "The NIST
Requirements", draft-ietf-nvo3-hpvr2nve-cp-req-05, work in Definition of Cloud Computing", SP 880-145, September,
progress. 2011.
[NVO3ARCH] Black, D., et al, "An Architecture for Overlay Networks
(NVO3)", draft-ietf-nvo3-arch-08, work in progress.
[NVO3MCAST] Ghanwani, A., Dunbar, L., et al, "A Framework for [NVO3MCAST] Ghanwani, A., Dunbar, L., et al, "A Framework for
Multicast in Network Virtualization Overlays", draft-ietf- Multicast in Network Virtualization Overlays", draft-ietf-
nvo3-mcast-framework-05, work in progress. nvo3-mcast-framework-05, work in progress.
[RFC1035] Mockapetris, P., "DOMAIN NAMES - Implementation and [RFC1035] Mockapetris, P., "DOMAIN NAMES - Implementation and
Specification", RFC1035, November 1987. Specification", RFC1035, November 1987.
[RFC3022] Srisuresh, P. and Egevang, K., "Traditional IP Network [RFC3022] Srisuresh, P. and Egevang, K., "Traditional IP Network
Address Translator (Traditional NAT)", RFC3022, January Address Translator (Traditional NAT)", RFC3022, January
skipping to change at page 14, line 5 skipping to change at page 14, line 8
[RFC7365] Lasserre, M., Motin, T., et al, "Framework for DC Network [RFC7365] Lasserre, M., Motin, T., et al, "Framework for DC Network
Virtualization", RFC7365, October 2014. Virtualization", RFC7365, October 2014.
[RFC7432] Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A. and [RFC7432] Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A. and
J. Uttaro, "BGP MPLS Based Ethernet VPN", RFC7432, J. Uttaro, "BGP MPLS Based Ethernet VPN", RFC7432,
February 2015 February 2015
[RFC7637] Garg, P., and Wang, Y., "NVGRE: Network Virtualization [RFC7637] Garg, P., and Wang, Y., "NVGRE: Network Virtualization
using Generic Routing Encapsulation", RFC7637, Sept. 2015. using Generic Routing Encapsulation", RFC7637, Sept. 2015.
[RFC8014] Black, D., et al, "An Architecture for Overlay Networks
(NVO3)", rfc8014, January 2017.
[VRF-LITE] Cisco, "Configuring VRF-lite", http://www.cisco.com [VRF-LITE] Cisco, "Configuring VRF-lite", http://www.cisco.com
Contributors Contributors
David Black
Dell EMC
176 South Street
Hopkinton, MA 01748
David.Black@dell.com
Vinay Bannai Vinay Bannai
PayPal PayPal
2211 N. First St, 2211 N. First St,
San Jose, CA 95131 San Jose, CA 95131
Phone: +1-408-967-7784 Phone: +1-408-967-7784
Email: vbannai@paypal.com Email: vbannai@paypal.com
Ram Krishnan Ram Krishnan
Brocade Communications Brocade Communications
San Jose, CA 95134 San Jose, CA 95134
 End of changes. 58 change blocks. 
226 lines changed or deleted 265 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/