| < draft-ietf-rtgwg-net2cloud-problem-statement-06.txt | draft-ietf-rtgwg-net2cloud-problem-statement-07.txt > | |||
|---|---|---|---|---|
| Network Working Group L. Dunbar | Network Working Group L. Dunbar | |||
| Internet Draft Futurewei | Internet Draft Futurewei | |||
| Intended status: Informational Andy Malis | Intended status: Informational Andy Malis | |||
| Expires: August 5, 2020 Independent | Expires: August 14, 2020 Independent | |||
| C. Jacquenet | C. Jacquenet | |||
| Orange | Orange | |||
| M. Toy | M. Toy | |||
| Verizon | Verizon | |||
| February 5, 2020 | February 14, 2020 | |||
| Dynamic Networks to Hybrid Cloud DCs Problem Statement | Dynamic Networks to Hybrid Cloud DCs Problem Statement | |||
| draft-ietf-rtgwg-net2cloud-problem-statement-06 | draft-ietf-rtgwg-net2cloud-problem-statement-07 | |||
| Abstract | Abstract | |||
| This document describes the problems that enterprises face today | This document describes the problems that enterprises face today | |||
| when interconnecting their branch offices with dynamic workloads in | when interconnecting their branch offices with dynamic workloads in | |||
| third party data centers (a.k.a. Cloud DCs). There can be many | third party data centers (a.k.a. Cloud DCs). There can be many | |||
| problems associated with network connecting to or among Clouds, many | problems associated with network connecting to or among Clouds, many | |||
| of which probably are out of the IETF scope. The objective of this | of which probably are out of the IETF scope. The objective of this | |||
| document is to identify some of the problems that need additional | document is to identify some of the problems that need additional | |||
| work in IETF Routing area. Other problems are out of the scope of | work in IETF Routing area. Other problems are out of the scope of | |||
| skipping to change at page 2, line 21 ¶ | skipping to change at page 2, line 21 ¶ | |||
| months and may be updated, replaced, or obsoleted by other documents | months and may be updated, replaced, or obsoleted by other documents | |||
| at any time. It is inappropriate to use Internet-Drafts as | at any time. It is inappropriate to use Internet-Drafts as | |||
| reference material or to cite them other than as "work in progress." | reference material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt | http://www.ietf.org/ietf/1id-abstracts.txt | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html | http://www.ietf.org/shadow.html | |||
| This Internet-Draft will expire on August 5, 2020. | This Internet-Draft will expire on August 14, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 7 ¶ | skipping to change at page 3, line 7 ¶ | |||
| 1. Introduction...................................................3 | 1. Introduction...................................................3 | |||
| 1.1. Key Characteristics of Cloud Services:....................3 | 1.1. Key Characteristics of Cloud Services:....................3 | |||
| 1.2. Connecting to Cloud Services..............................3 | 1.2. Connecting to Cloud Services..............................3 | |||
| 1.3. The role of SD-WAN in connecting to Cloud Services........4 | 1.3. The role of SD-WAN in connecting to Cloud Services........4 | |||
| 2. Definition of terms............................................5 | 2. Definition of terms............................................5 | |||
| 3. High Level Issues of Connecting to Multi-Cloud.................6 | 3. High Level Issues of Connecting to Multi-Cloud.................6 | |||
| 3.1. Security Issues...........................................6 | 3.1. Security Issues...........................................6 | |||
| 3.2. Authorization and Identity Management.....................6 | 3.2. Authorization and Identity Management.....................6 | |||
| 3.3. API abstraction...........................................7 | 3.3. API abstraction...........................................7 | |||
| 3.4. DNS for Cloud Resources...................................8 | 3.4. DNS for Cloud Resources...................................8 | |||
| 3.5. NAT for Cloud Services....................................8 | 3.5. NAT for Cloud Services....................................9 | |||
| 3.6. Cloud Discovery...........................................9 | 3.6. Cloud Discovery...........................................9 | |||
| 4. Interconnecting Enterprise Sites with Cloud DCs................9 | 4. Interconnecting Enterprise Sites with Cloud DCs...............10 | |||
| 4.1. Sites to Cloud DC........................................10 | 4.1. Sites to Cloud DC........................................10 | |||
| 4.2. Inter-Cloud Interconnection..............................12 | 4.2. Inter-Cloud Interconnection..............................12 | |||
| 5. Problems with MPLS-based VPNs extending to Hybrid Cloud DCs...13 | 5. Problems with MPLS-based VPNs extending to Hybrid Cloud DCs...14 | |||
| 6. Problem with using IPsec tunnels to Cloud DCs.................15 | 6. Problem with using IPsec tunnels to Cloud DCs.................15 | |||
| 6.1. Scaling Issues with IPsec Tunnels........................15 | 6.1. Scaling Issues with IPsec Tunnels........................15 | |||
| 6.2. Poor performance over long distance......................15 | 6.2. Poor performance over long distance......................16 | |||
| 7. Problems of Using SD-WAN to connect to Cloud DCs..............16 | 7. Problems of Using SD-WAN to connect to Cloud DCs..............16 | |||
| 7.1. More Complexity to Edge Nodes............................16 | 7.1. More Complexity to Edge Nodes............................17 | |||
| 7.2. Edge WAN Port Management.................................17 | 7.2. Edge WAN Port Management.................................17 | |||
| 7.3. Forwarding based on Application..........................17 | 7.3. Forwarding based on Application..........................18 | |||
| 8. End-to-End Security Concerns for Data Flows...................17 | 8. End-to-End Security Concerns for Data Flows...................18 | |||
| 9. Requirements for Dynamic Cloud Data Center VPNs...............17 | 9. Requirements for Dynamic Cloud Data Center VPNs...............18 | |||
| 10. Security Considerations......................................18 | 10. Security Considerations......................................19 | |||
| 11. IANA Considerations..........................................18 | 11. IANA Considerations..........................................19 | |||
| 12. References...................................................18 | 12. References...................................................19 | |||
| 12.1. Normative References....................................18 | 12.1. Normative References....................................19 | |||
| 12.2. Informative References..................................19 | 12.2. Informative References..................................19 | |||
| 13. Acknowledgments..............................................19 | 13. Acknowledgments..............................................20 | |||
| 1. Introduction | 1. Introduction | |||
| 1.1. Key Characteristics of Cloud Services: | 1.1. Key Characteristics of Cloud Services: | |||
| Key characteristics of Cloud Services are on-demand, scalable, | Key characteristics of Cloud Services are on-demand, scalable, | |||
| highly available, and usage-based billing. Cloud Services, such as, | highly available, and usage-based billing. Cloud Services, such as, | |||
| compute, storage, network functions (most likely virtual), third | compute, storage, network functions (most likely virtual), third | |||
| party managed applications, etc. are usually hosted and managed by third parties Cloud Operators. Here are some examples of Cloud network | party managed applications, etc. are usually hosted and managed by rd 3 parties Cloud Operators. Here are some examples of Cloud network | |||
| functions: Virtual Firewall services, Virtual private network | functions: Virtual Firewall services, Virtual private network | |||
| services, Virtual PBX services including voice and video | services, Virtual PBX services including voice and video | |||
| conferencing systems, etc. Cloud Data Center (DC) is shared | conferencing systems, etc. Cloud Data Center (DC) is shared | |||
| infrastructure that hosts the Cloud Services to many customers. | infrastructure that hosts the Cloud Services to many customers. | |||
| 1.2. Connecting to Cloud Services | 1.2. Connecting to Cloud Services | |||
| With the advent of widely available third-party cloud DCs and | With the advent of widely available third-party cloud DCs and | |||
| services in diverse geographic locations and the advancement of | services in diverse geographic locations and the advancement of | |||
| tools for monitoring and predicting application behaviors, it is | tools for monitoring and predicting application behaviors, it is | |||
| skipping to change at page 8, line 27 ¶ | skipping to change at page 8, line 27 ¶ | |||
| For enterprises utilizing Cloud services by different cloud | For enterprises utilizing Cloud services by different cloud | |||
| operators, it is necessary to establish policies and rules on | operators, it is necessary to establish policies and rules on | |||
| how/where to forward DNS queries to. When applications in one Cloud | how/where to forward DNS queries to. When applications in one Cloud | |||
| need to communication with applications hosted in another Cloud, | need to communication with applications hosted in another Cloud, | |||
| there could be DNS queries from one Cloud DC being forwarded to the | there could be DNS queries from one Cloud DC being forwarded to the | |||
| enterprise's on premise DNS, which in turn be forwarded to the DNS | enterprise's on premise DNS, which in turn be forwarded to the DNS | |||
| service in another Cloud. Needless to say, configuration can be | service in another Cloud. Needless to say, configuration can be | |||
| complex depending on the application communication patterns. | complex depending on the application communication patterns. | |||
| However, even with carefully managed policies and configurations, | ||||
| collisions can still occur. If you use an internal name like .cloud | ||||
| and then want your services to be available via or within some other | ||||
| cloud provider which also uses .cloud, then it can't work. | ||||
| Therefore, it is better to use the global domain name even when an | ||||
| organization does not make all its namespace globally resolvable. An | ||||
| organization's globally unique DNS can include subdomains that | ||||
| cannot be resolved at all outside certain restricted paths, zones | ||||
| that resolve differently based on the origin of the query, and zones | ||||
| that resolve the same globally for all queries from any source. | ||||
| Globally unique names do not equate to globally resolvable names or | ||||
| even global names that resolve the same way from every perspective. | ||||
| Globally unique names do prevent any possibility of collision at the | ||||
| present or in the future and they make DNSSEC trust manageable. It's | ||||
| not as if there is or even could be some sort of shortage in | ||||
| available names that can be used, especially when subdomains and the | ||||
| ability to delegate administrative boundaries are considered. | ||||
| 3.5. NAT for Cloud Services | 3.5. NAT for Cloud Services | |||
| Cloud resources, such as VM instances, are usually assigned with | Cloud resources, such as VM instances, are usually assigned with | |||
| private IP addresses. By configuration, some private subnets can | private IP addresses. By configuration, some private subnets can | |||
| have the NAT function to reach out to external network and some | have the NAT function to reach out to external network and some | |||
| private subnets are internal to Cloud only. | private subnets are internal to Cloud only. | |||
| Different Cloud operators support different levels of NAT functions. | Different Cloud operators support different levels of NAT functions. | |||
| For example, AWS NAT Gateway does not currently support connections | For example, AWS NAT Gateway does not currently support connections | |||
| towards, or from VPC Endpoints, VPN, AWS Direct Connect, or VPC | towards, or from VPC Endpoints, VPN, AWS Direct Connect, or VPC | |||
| skipping to change at page 12, line 34 ¶ | skipping to change at page 13, line 19 ¶ | |||
| globally routable CIDR from private IPv4 address ranges as specified | globally routable CIDR from private IPv4 address ranges as specified | |||
| by RFC1918. To establish IPsec tunnel between two Cloud DCs, it is | by RFC1918. To establish IPsec tunnel between two Cloud DCs, it is | |||
| necessary to exchange Public routable addresses for applications in | necessary to exchange Public routable addresses for applications in | |||
| different Cloud DCs. [BGP-SDWAN] describes one method. Other methods | different Cloud DCs. [BGP-SDWAN] describes one method. Other methods | |||
| are worth exploring. | are worth exploring. | |||
| In summary, here are some approaches, available now (which might | In summary, here are some approaches, available now (which might | |||
| change in the future), to interconnect workloads among different | change in the future), to interconnect workloads among different | |||
| Cloud DCs: | Cloud DCs: | |||
| a) Utilize Cloud DC provided inter/intra-cloud connectivity | a) Utilize Cloud DC provided inter/intra-cloud connectivity | |||
| services (e.g., AWS Transit Gateway) to connect workloads | services (e.g., AWS Transit Gateway) to connect workloads | |||
| instantiated in multiple VPCs. Such services are provided with | instantiated in multiple VPCs. Such services are provided with | |||
| the cloud gateway to connect to external networks (e.g., AWS | the cloud gateway to connect to external networks (e.g., AWS | |||
| DirectConnect Gateway). | DirectConnect Gateway). | |||
| b) Hairpin all traffic through the customer gateway, meaning all | b) Hairpin all traffic through the customer gateway, meaning all | |||
| workloads are directly connected to the customer gateway, so | workloads are directly connected to the customer gateway, so | |||
| that communications among workloads within one Cloud DC must | that communications among workloads within one Cloud DC must | |||
| traverse through the customer gateway. | traverse through the customer gateway. | |||
| c) Establish direct tunnels among different VPCs (AWS' Virtual | c) Establish direct tunnels among different VPCs (AWS' Virtual | |||
| Private Clouds) and VNET (Azure's Virtual Networks) via | Private Clouds) and VNET (Azure's Virtual Networks) via | |||
| client's own virtual routers instantiated within Cloud DCs. | client's own virtual routers instantiated within Cloud DCs. | |||
| DMVPN (Dynamic Multipoint Virtual Private Network) or DSVPN | DMVPN (Dynamic Multipoint Virtual Private Network) or DSVPN | |||
| (Dynamic Smart VPN) techniques can be used to establish direct | (Dynamic Smart VPN) techniques can be used to establish direct | |||
| Multi-point-to-Point or multi-point-to multi-point tunnels | Multi-point-to-Point or multi-point-to multi-point tunnels | |||
| among those client's own virtual routers. | among those client's own virtual routers. | |||
| Approach a) usually does not work if Cloud DCs are owned and managed | Approach a) usually does not work if Cloud DCs are owned and managed | |||
| by different Cloud providers. | by different Cloud providers. | |||
| skipping to change at page 19, line 31 ¶ | skipping to change at page 20, line 24 ¶ | |||
| [RFC4664] L. Andersson and E. Rosen, "Framework for Layer 2 Virtual | [RFC4664] L. Andersson and E. Rosen, "Framework for Layer 2 Virtual | |||
| Private Networks (L2VPNs)", Sept 2006. | Private Networks (L2VPNs)", Sept 2006. | |||
| [BGP-SDWAN] L. Dunbar, et al. "BGP Extension for SDWAN Overlay | [BGP-SDWAN] L. Dunbar, et al. "BGP Extension for SDWAN Overlay | |||
| Networks", draft-dunbar-idr-bgp-sdwan-overlay-ext-03, | Networks", draft-dunbar-idr-bgp-sdwan-overlay-ext-03, | |||
| work-in-progress, Nov 2018. | work-in-progress, Nov 2018. | |||
| 13. Acknowledgments | 13. Acknowledgments | |||
| Many thanks to Alia Atlas, Chris Bowers, Ignas Bagdonas, Michael | Many thanks to Alia Atlas, Chris Bowers, Paul Vixie, Paul Ebersman, | |||
| Huang, Liu Yuan Jiao, Katherine Zhao, and Jim Guichard for the | Timothy Morizot, Ignas Bagdonas, Michael Huang, Liu Yuan Jiao, | |||
| discussion and contributions. | Katherine Zhao, and Jim Guichard for the discussion and | |||
| contributions. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Linda Dunbar | Linda Dunbar | |||
| Futurewei | Futurewei | |||
| Email: Linda.Dunbar@futurewei.com | Email: Linda.Dunbar@futurewei.com | |||
| Andrew G. Malis | Andrew G. Malis | |||
| Independent | Independent | |||
| Email: agmalis@gmail.com | Email: agmalis@gmail.com | |||
| End of changes. 17 change blocks. | ||||
| 24 lines changed or deleted | 44 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||