| < draft-so-vdcs-01.txt | draft-so-vdcs-02.txt > | |||
|---|---|---|---|---|
| Network N. So | ||||
| Internet Draft D. McDysan | ||||
| Intended status: Informational Verizon, Inc | ||||
| Expires: April 2012 H.Yu | ||||
| TW Telecom | ||||
| J. Heinz | ||||
| Century Link | ||||
| Operations and Management Area Working Group N. So | October 26, 2011October 25, 2011 | |||
| Internet Draft Verizon, Inc | ||||
| Intended status: Informational P. Unbehagen | ||||
| Expires: December 2011 Avaya | ||||
| L. Dunbar | ||||
| Huawei Technologies | ||||
| H.Yu | ||||
| TW Telecom | ||||
| Bhumip Khasnabish | ||||
| LiZhong Jin | ||||
| ZTE | ||||
| J. Heinz | ||||
| CenturyLink | ||||
| N.Figueira | ||||
| Brocade | ||||
| Zhengping You | ||||
| AFORE Solutions | ||||
| July 11, 2011 | ||||
| Requirement and Framework for VPN-Oriented Data Center Services | ||||
| draft-so-vdcs-01.txt | ||||
| Status of this Memo | ||||
| This Internet-Draft is submitted in full conformance with the | ||||
| provisions of BCP 78 and BCP 79. | ||||
| This Internet-Draft is submitted in full conformance with the | ||||
| provisions of BCP 78 and BCP 79. This document may not be modified, | ||||
| and derivative works of it may not be created, and it may not be | ||||
| published except as an Internet-Draft. | ||||
| This Internet-Draft is submitted in full conformance with the | ||||
| provisions of BCP 78 and BCP 79. This document may not be modified, | ||||
| and derivative works of it may not be created, except to publish it | ||||
| as an RFC and to translate it into languages other than English. | ||||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF), its areas, and its working groups. Note that | ||||
| other groups may also distribute working documents as Internet- | ||||
| Drafts. | ||||
| Internet-Drafts are draft documents valid for a maximum of six | ||||
| months and may be updated, replaced, or obsoleted by other documents | ||||
| at any time. It is inappropriate to use Internet-Drafts as | ||||
| reference material or to cite them other than as "work in progress." | ||||
| The list of current Internet-Drafts can be accessed at | ||||
| http://www.ietf.org/ietf/1id-abstracts.txt | ||||
| The list of Internet-Draft Shadow Directories can be accessed at | ||||
| http://www.ietf.org/shadow.html | ||||
| This Internet-Draft will expire on January 11, 2012. | ||||
| Copyright Notice | ||||
| Copyright (c) 2011 IETF Trust and the persons identified as the | ||||
| document authors. All rights reserved. | ||||
| This document is subject to BCP 78 and the IETF Trust's Legal | ||||
| Provisions Relating to IETF Documents | ||||
| (http://trustee.ietf.org/license-info) in effect on the date of | ||||
| publication of this document. Please review these documents | ||||
| carefully, as they describe your rights and restrictions with | ||||
| respect to this document. Code Components extracted from this | ||||
| document must include Simplified BSD License text as described in | ||||
| Section 4.e of the Trust Legal Provisions and are provided without | ||||
| warranty as described in the Simplified BSD License. | ||||
| Abstract | ||||
| This contribution addresses the service providers' requirements to | ||||
| support VPN-Oriented data center services. It describes the | ||||
| characteristics and the framework of VPN-oriented data center | ||||
| services and specifies the requirements on how to maintain and | ||||
| manage the virtual resources within data center resources and the | ||||
| supporting network infrastructures for those services. | ||||
| Table of Contents | ||||
| 1. Introduction.......................................................3 | ||||
| 2. Conventions used in this document..................................4 | ||||
| 3. Service defination and requirements................................4 | ||||
| 3.1. VPN-oriented data center computing services....................4 | ||||
| 3.1.1. VPN-oriented data center computer service requirements.....4 | ||||
| 3.2. VPN-oriented data center storage services......................5 | ||||
| 3.2.1. VPN-oriented data center storage services requirments......5 | ||||
| 4. Requirments for data center networks in supporting VDCS............6 | ||||
| 4.1. Requirments for extending VPNs into data center using VPN | ||||
| gateways.......................................................6 | ||||
| 4.2. Requirments for extending VPNs into data center using | ||||
| intra-data center VPN..........................................8 | ||||
| 5. Data center resource management requirments for VDCS...............8 | ||||
| 6. Security requirements..............................................9 | ||||
| 7. Other requirements................................................10 | ||||
| 8. VDCS framework....................................................10 | ||||
| 9. References........................................................13 | ||||
| 10. Acknowledgements.................................................14 | ||||
| 1. Introduction | ||||
| Layer 2 and 3 VPN services offer secure and logically dedicated | ||||
| connectivity among multiple sites for enterprises. VPN-oriented data | ||||
| center service is for those VPN customers who want to offload some | ||||
| dedicated user data center operations such as software, compute, and | ||||
| storage, to the shared carrier data centers. Those customers often | ||||
| do not want to use public Internet as the primary network accessing | ||||
| and handling the traffic between the customer (user and user data | ||||
| centers) and the carrier data centers. Instead, they would prefer | ||||
| to use the carrier data center as an nature extension of the VPN | ||||
| they are already using, realizing the benefits of a multi-tenant | ||||
| data center while retaining as much control as possible. For | ||||
| example, they want to maintain the restrictive control on what and | ||||
| how the virtualized data center resources, e.g., computing power, | ||||
| disk spaces, and/or application licenses, can be shared. | ||||
| VPN-Oriented Data center Services allow the VPN services to be | Requirements for VPN-Oriented Data Center Services | |||
| extended into carrier data centers and to control the virtual | draft-so-vdcs-02.txt | |||
| resources sharing functions. As a carrier, a VPN-Oriented data | ||||
| center service product may be offered globally across multiple data | ||||
| centers. Some of the data centers may be owned by the carrier, while | ||||
| others may be owned by a user/partner/vendor. In addition, multiple | ||||
| VPN-oriented data center Service products can be offered from the | ||||
| same data center. | ||||
| VPN-Oriented data center services differentiate it from other | Status of this Memo | |||
| carrier services in the following aspects: | ||||
| o Strictly maintaining the secure, reliable, and logical isolation | This Internet-Draft is submitted in full conformance with the | |||
| characteristics of VPN for the end-to-end services provided. | provisions of BCP 78 and BCP 79. | |||
| o Making the traditional data center services (like computing, | This Internet-Draft is submitted in full conformance with the | |||
| storage space, or application licenses) as additional attributes | provisions of BCP 78 and BCP 79. This document may not be modified, | |||
| to VPNs. | and derivative works of it may not be created, and it may not be | |||
| published except as an Internet-Draft. | ||||
| o VPN having the control on how and what data center resources to | This Internet-Draft is submitted in full conformance with the | |||
| be associated with the VPN. | provisions of BCP 78 and BCP 79. This document may not be modified, | |||
| and derivative works of it may not be created, except to publish it | ||||
| as an RFC and to translate it into languages other than English. | ||||
| This draft describes the characteristics of those services, the | Internet-Drafts are working documents of the Internet Engineering | |||
| service requirements, and the corresponding requirements to data | Task Force (IETF), its areas, and its working groups. Note that | |||
| center networks. It also describes a list of the problems that this | other groups may also distribute working documents as Internet- | |||
| service is causing to the network provider/operator, especially for | Drafts. | |||
| the existing VPN customers. These issues must be addressed in order | ||||
| for service providers to facilitate the addition of virtualized | ||||
| services to the VPNs of existing customers. | ||||
| 2. Conventions used in this document | Internet-Drafts are draft documents valid for a maximum of six | |||
| months and may be updated, replaced, or obsoleted by other documents | ||||
| at any time. It is inappropriate to use Internet-Drafts as | ||||
| reference material or to cite them other than as "work in progress." | ||||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The list of current Internet-Drafts can be accessed at | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | http://www.ietf.org/ietf/1id-abstracts.txt | |||
| document are to be interpreted as described in RFC-2119 [RFC2119]. | ||||
| In this document, these words will appear with that interpretation | The list of Internet-Draft Shadow Directories can be accessed at | |||
| only when in ALL CAPS. Lower case uses of these words are not to be | http://www.ietf.org/shadow.html | |||
| interpreted as carrying RFC-2119 significance. | ||||
| 3. Service definitions and requirements | This Internet-Draft will expire on April 26,25, 2012. | |||
| 3.1. VPN-oriented data center computing service | Copyright Notice | |||
| This refers to Virtual Machines (VMs) and/or physical servers in a | Copyright (c) 2011 IETF Trust and the persons identified as the | |||
| virtualized carrier data center being attached to a customer VPN. | document authors. All rights reserved. | |||
| The customer can choose different properties on the computing power, | ||||
| such as dedicated servers, preference on which data center to host | ||||
| those servers, or special VMs which are shared with a group of other | ||||
| VPN customers, and etc. | ||||
| 3.1.1. VPN-oriented data center computing services requirements | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | ||||
| (http://trustee.ietf.org/license-info) in effect on the date of | ||||
| publication of this document. Please review these documents | ||||
| carefully, as they describe your rights and restrictions with | ||||
| respect to this document. Code Components extracted from this | ||||
| document must include Simplified BSD License text as described in | ||||
| Section 4.e of the Trust Legal Provisions and are provided without | ||||
| warranty as described in the Simplified BSD License. | ||||
| These requirements apply to all VPN-oriented data center services | Abstract | |||
| described in this draft unless specified otherwise. | ||||
| o Any virtualized carrier data center providing the VPN-oriented | This contribution addresses the service providers' requirements to | |||
| computing services SHOULD be able to automatically provision | support VPN-Oriented data center services. It describes the | |||
| and/or change the required resources based on the specified | characteristics and the framework of VPN-oriented data center | |||
| properties associated with a VPN. | services and specifies the requirements on how to maintain and | |||
| manage the virtual resources within data center resources and the | ||||
| supporting network infrastructures for those services. | ||||
| o VPN customers SHALL be able to automatically instantiate or | Table of Contents | |||
| remove Virtual Machines (VMs) to/from the VPN's associated hosts | ||||
| or dedicated servers through the changing of the customer's VPN | ||||
| properties. | ||||
| o VPN customers SHOULD be able to move VMs among customer private | 1. Introduction....................................................3 | |||
| data centers and carrier data centers based on their own load | 2. Conventions used in this document...............................4 | |||
| balancing criteria and algorithm. | 3. Service defination and requirements.............................4 | |||
| 3.1. VPN-oriented data center computing services...................4 | ||||
| 3.1.1. VPN-oriented data center computer service requirements......4 | ||||
| 3.2. VPN-oriented data center storage services.....................5 | ||||
| 3.2.1. VPN-oriented data center storage services requirments.......5 | ||||
| 4. Requirments for data center networks in supporting VDCS.........6 | ||||
| 4.1. Requirments for extending VPNs into data center using VPN | ||||
| gateways...........................................................6 | ||||
| 4.2. Requirments for extending VPNs into data center using intra- | ||||
| data center VPN....................................................8 | ||||
| 5. Data center resource management requirments for VDCS............8 | ||||
| 6. Security requirements...........................................9 | ||||
| 7. Other requirements..............................................9 | ||||
| 8. References.....................................................10 | ||||
| 9. Acknowledgements...............................................13 | ||||
| o VPN customers SHALL be able to monitor, log, and track all VM | 1. Introduction | |||
| usage information on per user, per resource pool, and per | ||||
| application basis. | ||||
| o VPN customers and the service provider SHALL be able to monitor, | Layer 2 and 3 VPN services offer secure and logically dedicated | |||
| log, and track all VM user information. | reachability among multiple sites for enterprises. VPN-oriented data | |||
| center service is for those VPN customers who want to offload some | ||||
| dedicated user data center operations such as software, compute, and | ||||
| storage, to the shared carrier data centers. Those customers often | ||||
| do not want to use public Internet as the primary network accessing | ||||
| and handling the traffic between the customer (user and user data | ||||
| centers) and the carrier data centers. Instead, they would prefer | ||||
| to use the carrier data center as a natural extension of the VPN | ||||
| they are already using, realizing the benefits of a multi-tenant | ||||
| data center while retaining as much control as possible. For | ||||
| example, they want to maintain the restrictive control on what and | ||||
| how the virtualized data center resources, e.g., computing power, | ||||
| disk space, and/or application licenses, can be shared. | ||||
| o VPN customers SHALL be able to automatically add/remove physical | VPN-Oriented Data center Services allow the VPN services to be | |||
| servers associated with the VPN through the changing of the | extended into carrier data centers and to control the virtual | |||
| customer's VPN properties. | resource sharing functions. As a carrier, a VPN-Oriented data center | |||
| service product may be offered globally across multiple data | ||||
| centers. Some of the data centers may be owned by the cloud service | ||||
| provider, while others may be owned by a partner of the service | ||||
| provider and/or an enterprise user. In addition, multiple VPN- | ||||
| oriented data center Service products (e.g. SaaS and PaaS) can be | ||||
| offered from the same data center. | ||||
| o VPN customers SHOULD be able to provision a new VPN and new | VPN-Oriented data center services differentiate it from other | |||
| service based on the properties associated with an existing VPN | carrier data center services in the following aspects: | |||
| and service using the same set (or sub set) of existing physical | ||||
| infrastructure. | ||||
| o VPN customers SHALL be able to control if and how VM mobility can | o Strictly maintaining the secure, reliable, and logical isolation | |||
| occur. | characteristics of VPN for the end-to-end services provided. | |||
| 3.2. VPN-oriented data center storage service | o Making the traditional data center services (like computing, | |||
| storage space, or application licenses) as additional attributes | ||||
| attached to VPNs. | ||||
| This refers to disk space, either virtual or actual blocks of hard | o VPN is aware of how and what data center resources are associated | |||
| drives in data centers, being added to a customer's VPN | with the VPN. | |||
| 3.2.1. VPN-oriented data center storage service requirements | This draft describes the characteristics of those services, the | |||
| service requirements, and the corresponding requirements to data | ||||
| center networks. It also describes a list of the problems that this | ||||
| service is causing to the network provider/operator, especially for | ||||
| the existing VPN customers. These issues must be addressed in order | ||||
| for service providers to facilitate the addition of virtualized | ||||
| services to the VPNs of existing customers. | ||||
| o The VPN customer SHOULD be able to choose different content | 2. Conventions used in this document | |||
| replication properties. For example, the customer can control if | ||||
| the content has to be replicated locally or has to be replicated | ||||
| at a geographically different location (identifiable by the | ||||
| customer if needed); if the storage has to be co-located with | ||||
| certain VMs/hosts; or which VMs/hosts have access to the content, | ||||
| and etc. | ||||
| o These storage properties SHOULD be associated with the VPN. Any | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| data center providing the storage space for a VPN SHOULD be able | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| to automatically provision or change the required storage space | document are to be interpreted as described in RFC-2119 [RFC2119]. | |||
| based on the properties associated with the VPN. | ||||
| o The VPN customer SHOULD be able to automatically add disc space | In this document, these words will appear with that interpretation | |||
| or remove disc space to the VPN's associated storage through the | only when in ALL CAPS. Lower case uses of these words are not to be | |||
| changing of the VPN properties. | interpreted as carrying RFC-2119 significance. | |||
| o The VPN customer SHALL have the ability to limit the mobility of | 3. Service definitions and requirements | |||
| the stored data based on the VPN's reachability. | ||||
| o The VPN customer SHOULD have the ability to specify the stored | 3.1. Virtual Private Computing Service (VPCS) | |||
| content life cycle management properties. Those properties | ||||
| include but not limited to how long the stored content shall be | ||||
| stored and how it should be erased/deleted. | ||||
| 4. Requirements for Data Center networks in support of VPN-Oriented | This refers to Virtual Machines (VMs) and/or physical servers in a | |||
| Data center Services | virtualized carrier data center being attached to a customer VPN. It | |||
| is also known as National Institute of Science and Technology | ||||
| (NIST)'s Infrastructure-as-a-Service (IssS) being attached to a | ||||
| customer VPN. The customer can choose different properties on the | ||||
| computing power, preference on which data center to host those | ||||
| servers, and etc. | ||||
| The success of VPN services in the enterprise and the government | 3.1.1. Virtual private computing services requirements | |||
| world is largely due to its ability to virtually segregate the | ||||
| customer traffic at layer 2 and layer 3. The lower the layer that | ||||
| segregation can be maintained, the safer it is for the customers | ||||
| from security and privacy perspectives. Today's Data Centers use | ||||
| VLANs to segregate servers and traffic from different customers. | ||||
| Since each customer usually needs multiple service zones to place | ||||
| different applications, each customer usually needs multiple VLANs. | ||||
| Even small data centers today can have thousands of VLANs. | ||||
| Therefore, pure VLAN segregation is not enough for large data | ||||
| centers. In addition, since carrier data center resources can be | ||||
| viewed as added attributes to VPNs, traffic segregation per VPN | ||||
| becomes an essential requirement to VPN-oriented data center | ||||
| services because of its ability to control the data center virtual | ||||
| resources' assignments, thus ensuring end-to-end resource allocation | ||||
| for service level performance insurance as well as manageability. | ||||
| 4.1. Requirement for extending VPNs into data center networks using | These requirements apply to all VPN-oriented data center services | |||
| VPN gateways | defined in this draft unless specified otherwise. | |||
| When a data center does not use L2VPN or L3VPN as the intra-data | o Any virtualized carrier data center providing VPCS SHALL be able | |||
| center network, but still wants to provide the VPN-oriented data | to automatically provision and/or change the resources associated | |||
| center services for external VPN customers, a VPN gateway function | with the VM/Servers based on the signaled messages through the | |||
| can be added to the data center networks to extend the external VPNs | VPN. For example, the resources CAN be bandwidth, amount of | |||
| into the data center networks and to connect with the VMs and | memory, and/or CPU cycles associated with the VMs. | |||
| virtual storages. (None L2/3 data center network technology used | ||||
| can include TRILL, PBB, SPB, OpenFlow, STP, and etc.) The VPN | ||||
| gateway function has to meet the following requirements: | ||||
| o Each external VPN SHALL be given a unique Identification | o VPN customers SHALL be able to automatically instantiate or | |||
| (ID), and the traffic separation within the data center SHALL | remove Virtual Machines (VMs) inside the provider's DC using | |||
| be maintained per ID. | inband signaling requests sent by the user's host (VM/server). | |||
| o Each data center Service associated with a VPN SHALL be | ||||
| transmitted over an unique set of intra-data center network | ||||
| connections (logical or physical). | ||||
| o The VPN gateway SHOULD maintain a record and the mapping of | ||||
| virtual and physical data center resources to | ||||
| physical/logical connections associated with each specific | ||||
| VPN running the VPN-oriented data center services. | ||||
| o The VPN gateway SHOULD be able to control the traffic flow | ||||
| and assign the dedicated virtual resources accordingly. | ||||
| o The carrier and the customer SHALL be able to monitor the | ||||
| resource assignment and usage per VPN per service. | ||||
| o The customer SHOULD be able to dynamically re-configure the | ||||
| data center resources assignment and allocation per services | ||||
| and/or per VM through the re-configuration of its VPN | ||||
| properties. | ||||
| o VPN gateway SHALL support multiple services per VPN. | ||||
| o VPN gateway SHOULD have the capability to differentiate QoS | ||||
| within the VPN on per service basis. For example, storage | ||||
| service may have higher QoS requirement than computing | ||||
| service. | ||||
| o VPN gateway SHOULD support multiple external VPN instances | ||||
| and SHOULD be able to map them to the associated services. | ||||
| o VPN gateway SHALL maintain the reportable record of how | ||||
| traffic separation per VPN is achieved through the data | ||||
| center network. | ||||
| o Each external VPN SHALL be given a unique Identification | o VPN customers SHOULD be able to move VMs among customer private | |||
| (ID), and the traffic separation within the data center SHALL | data centers and carrier data centers based on their own load | |||
| be maintained per ID. | balancing criteria and algorithm. | |||
| o Each data center Service associated with a VPN SHALL be | ||||
| transmitted over an unique set of intra-data center network | ||||
| connections (logical or physical). | ||||
| o The VPN gateway SHOULD maintain a record and the mapping of | ||||
| virtual and physical data center resources to | ||||
| physical/logical connections associated with each specific | ||||
| VPN running the VPN-oriented data center services. | ||||
| o The VPN gateway SHOULD be able to control the traffic flow | ||||
| and assign the dedicated virtual resources accordingly. | ||||
| o The carrier and the customer SHALL be able to monitor the | o VPN customers SHALL be able to monitor, log, and track all | |||
| resource assignment and usage per VPN per service. | VM/server related usage information on per VPN basis. | |||
| o The customer SHOULD be able to dynamically re-configure the | ||||
| data center resources assignment and allocation per services | ||||
| and/or per VM through the re-configuration of its VPN | ||||
| properties. | ||||
| o VPN gateway SHALL support multiple services per VPN. | ||||
| o VPN gateway SHOULD have the capability to differentiate QoS | ||||
| within the VPN on per service basis. For example, storage | ||||
| service may have higher QoS requirement than computing | ||||
| service. | ||||
| o VPN gateway SHOULD support multiple external VPN instances | ||||
| and SHOULD be able to map them to the associated services. | ||||
| o VPN gateway SHALL maintain the reportable record of how | ||||
| traffic separation per VPN is achieved through the data | ||||
| center network. VPN Gateway SHOULD be able to allocated | ||||
| intra-data center network resources according to external VPN | ||||
| network's requirements dynamically for bandwidth, QoS and | ||||
| traffic engineering purpose. | ||||
| 4.2. Requirement for extending VPNs into data center networks using | o VPN customers SHALL be able to control if and how VM mobility can | |||
| intra-data center VPN | occur. | |||
| When a L2/3 VPN is used as the network technology inside the data | 3.2. Virtual private storage service (VPSS) | |||
| center, each external VPN SHALL be mapped to a unique internal VPN. | ||||
| 5. Data Center Resource Management Requirements for VPN-oriented Data | This refers to disk space, either virtual or actual blocks of hard | |||
| center Services | drives in data centers, being added to a customer's VPN | |||
| Today, data center server resources are managed by data center | 3.2.1. VPN-oriented data center storage service requirements | |||
| servers' administrators or management systems, and supported by | ||||
| hypervisors on the servers. This process is invisible to the | ||||
| underlying networks. The data center management functions include | ||||
| managing servers, instantiating hosts to VMs, managing disk space, | ||||
| and etc. | ||||
| Traffic loading and balancing and QoS assignments for data center | o The VPN customer SHOULD be able to choose different content | |||
| networks are not considered by Data Center's server administration | replication properties. For example, the customer can control if | |||
| systems. Therefore, there is an interworking gap between the | the content has to be replicated locally or has to be replicated | |||
| networks and the Data Center's server administration systems. This | at a geographically different location (identifiable by the | |||
| gap needs to be filled in order for the VPN-oriented data center | customer if needed and subject to latency constraint); if the | |||
| service to operate. | storage has to be co-located with certain VMs/hosts; or which | |||
| VMs/hosts have access to the content, and etc. | ||||
| o The resources in data center MUST be partitioned per VPN instead | o These storage properties SHOULD be associated with the VPN. Any | |||
| of per customer. | data center providing the storage space for a VPN SHOULD be able | |||
| to automatically provision or change the required storage space | ||||
| based on the properties associated with the VPN. | ||||
| o The data center service orchestration system SHALL have the | o The VPN customer SHOULD be able to automatically add disc space | |||
| ability to dedicate a specific block of disk space per services | or remove disc space to the VPN's associated storage through the | |||
| per VPN. The dedicated block of disk space CAN be maintained | changing of the VPN properties. | |||
| permanently or temporarily per VPN requirement, controlled by the | ||||
| associated properties of VPN. | ||||
| o The carrier and the VPN customer SHALL be able to monitor the | o The VPN customer SHOULD have the ability to specify the stored | |||
| dedicated block of disk space per VPN per services. | content life cycle management properties. Those properties | |||
| include but not limited to how long the stored content shall be | ||||
| stored and how it should be erased/deleted. | ||||
| o If a VPN specifies its associated storage space to be accessible | o Control of whether data is encrypted. | |||
| only by certain hosts, the VPN customer SHALL have the ability to | ||||
| indicate the mechanism used to prevent the unwanted data | ||||
| retrieval for the block of disk space after it is no longer used | ||||
| by the VPN, before it can be re-used by other parties. | ||||
| o The VPN SHALL have the ability to request dedicated network | o Specify required access speed for a storage hierarchy. | |||
| resources within the data center such as bandwidth and QoS | ||||
| settings. | ||||
| o The VPN SHALL have the ability to hold the requested resources | 4. Requirements for Data Center networks in support of VPN-Oriented | |||
| without sharing with any other parties. | Data center Services | |||
| o The external VPN's QoS assignments SHOULD be able to synchronize | The success of VPN services in the enterprise and the government | |||
| with the data center virtual resources' QoS assignments. | world is largely due to its ability to virtually segregate the | |||
| customer traffic at layer 2 and layer 3. The lower the layer that | ||||
| segregation can be maintained, the safer it is for the customers | ||||
| from security and privacy perspectives. Today's Data Centers use | ||||
| VLANs to segregate servers and traffic from different customers. | ||||
| Since each customer usually needs multiple service zones to place | ||||
| different applications, each customer usually needs multiple VLANs. | ||||
| Even small data centers today can have thousands of VLANs. | ||||
| Therefore, pure VLAN segregation is not enough for large data | ||||
| centers. In addition, since carrier data center resources can be | ||||
| viewed as added attributes to VPNs, traffic segregation per VPN | ||||
| becomes an essential requirement to VPN-oriented data center | ||||
| services because of its ability to control the data center virtual | ||||
| resources' assignments, thus ensuring end-to-end resource allocation | ||||
| for service level performance insurance as well as manageability. | ||||
| 6. Security Requirements | 4.1. Requirement for extending VPNs into data center networks using | |||
| VPN gateways | ||||
| o VPN-Oriented Data center Service SHOULD support a variety of | When a data center does not use L2VPN or L3VPN as the intra-data | |||
| security measures in securing tenancy of virtual resources such | center network, but still wants to provide the VPN-oriented data | |||
| as resource locking, containment, authentication, access control, | center services for external VPN customers, a VPN gateway function | |||
| encryption, integrity measure, and etc. | can be added to the data center networks to extend the external VPNs | |||
| into the data center networks and to connect with the VMs and | ||||
| virtual storage. (Note that L2/3 data center network technology | ||||
| used can include TRILL, PBB, SPB, OpenFlow, STP, etc.) The VPN | ||||
| gateway function has to meet the following requirements: | ||||
| o The VPN-Oriented Data center Service SHOULD allow the security to | o Each external L2/L3VPN SHALL be given a unique Identification | |||
| be configured end-to-end on a per-VPN/per-service/per-user basis. | (ID), and the traffic separation within the data center SHALL | |||
| For example, the Data center Systems SHOULD be able to resource- | be maintained per ID. | |||
| lock resources such as memory, and also SHOULD be able provide a | o Each data center Service associated with a VPN SHALL be | |||
| cleaning function to insure confidentiality before being | transmitted over an unique set of intra-data center network | |||
| reallocated. | connections (logical or physical). | |||
| o The VPN gateway SHOULD maintain a record and the mapping of | ||||
| virtual and physical data center resources to | ||||
| physical/logical connections associated with each specific | ||||
| VPN running the VPN-oriented data center services. | ||||
| o The carrier and the customer SHALL be able to monitor the | ||||
| resource assignment and usage per VPN per service. | ||||
| o VPN-Oriented Data center Service SHOULD be able to specify an | o The customer SHOULD be able to dynamically re-configure the | |||
| authentication mechanism based for both header and payload. | data center resources assignment and allocation per services | |||
| Encryption algorithm CAN also be specified to provide additional | and/or per VM through the re-configuration of its VPN | |||
| security. | properties. | |||
| o Beyond L2/L3 reachability, VPN gateway SHALL support multiple | ||||
| services per VPN. | ||||
| o VPN gateway SHOULD have the capability to differentiate QoS | ||||
| within the VPN on per service basis. For example, storage | ||||
| service may have higher QoS requirement than computing | ||||
| service. | ||||
| o VPN gateway SHOULD support multiple external VPN instances | ||||
| and SHOULD be able to map them to the associated services. | ||||
| o VPN gateway SHALL maintain the reportable record of how | ||||
| traffic separation per VPN is achieved through the data | ||||
| center network. | ||||
| o Each external VPN SHALL be given a unique Identification | ||||
| (ID), and the traffic separation within the data center SHALL | ||||
| be maintained per ID. | ||||
| o The VPN gateway SHOULD maintain a record and the mapping of | ||||
| virtual and physical data center resources to | ||||
| physical/logical connections associated with each specific | ||||
| VPN running the VPN-oriented data center services. | ||||
| o The VPN gateway SHOULD be able to control the traffic flow | ||||
| and assign the dedicated virtual resources accordingly. | ||||
| o The carrier and the customer SHALL be able to monitor the | ||||
| resource assignment and usage per VPN per service. | ||||
| o The customer SHOULD be able to dynamically re-configure the | ||||
| data center resources assignment and allocation per services | ||||
| and/or per VM through the re-configuration of its VPN | ||||
| properties. | ||||
| o VPN gateway SHALL support multiple services per VPN. | ||||
| o VPN gateway SHOULD have the capability to differentiate QoS | ||||
| within the VPN on per service basis. For example, storage | ||||
| service may have higher QoS requirement than computing | ||||
| service. | ||||
| o VPN gateway SHOULD support multiple external VPN instances | ||||
| and SHOULD be able to map them to the associated services. | ||||
| o VPN gateway SHALL maintain the reportable record of how | ||||
| traffic separation per VPN is achieved through the data | ||||
| center network. VPN Gateway SHOULD be able to allocated | ||||
| intra-data center network resources according to external VPN | ||||
| network's requirements dynamically for bandwidth, QoS and | ||||
| traffic engineering purpose. | ||||
| o Security boundaries CAN be specified and created per VPN to | 4.2. Requirement for extending VPNs into data center networks using | |||
| maintain domains of TRUSTED, UNTRUSTED, and Hybrid. Within each | intra-data center VPN | |||
| domain access control, additional techniques MAY be specified to | ||||
| secure resources and administrative domains. | ||||
| 7. Other Requirements | When a L2/3 VPN is used as the network technology inside the data | |||
| center, each external VPN SHALL be mapped to a unique internal VPN. | ||||
| o The VPN-Oriented Data center Service SHALL support automatic end- | 5. Data Center Resource Management Requirements for VPN-oriented Data | |||
| to-end network configuration. | center Services | |||
| o The VPN-Oriented data center service solution MUST have | Today, data center server resources are managed by data center | |||
| sufficient OAM mechanisms in place to allow consistent end-to-end | servers' administrators or management systems, and supported by | |||
| management of the solution in existing deployed networks. The | hypervisors on the servers. This process is invisible to the | |||
| solution SHOULD use existing protocols (e.g., IEEE 802.1ag, ITU-T | underlying networks. The data center management functions include | |||
| Y.1731, BFD) wherever possible to facilitate interoperability | managing servers, instantiating hosts to VMs, managing disk space, | |||
| with existing OAM deployments. | and etc. | |||
| 8. VPN-oriented Data center Service Framework | Traffic loading and balancing and QoS assignments for data center | |||
| networks are not easily considered by some Data Center server | ||||
| administration systems. Therefore, there is an interworking gap | ||||
| between the networks and the Data Center's server administration | ||||
| systems. This gap needs to be filled in order for the VPN-oriented | ||||
| data center service to operate. | ||||
| VPN-oriented data center services do not alter the physical | o The resources in data center MUST be partitioned per VPN. | |||
| connectivity of the service supporting infrastructure. Instead, the | ||||
| framework augments the VPN associated properties on the carrier's | ||||
| VPN PE router. In addition, it provides a generic interworking | ||||
| framework between the VPN and the data center network, exposing the | ||||
| IP/MAC address of the VMs directly to the VPN. | ||||
| The VPN-oriented data center services are flexible on the identities | o The data center service orchestration system SHALL have the | |||
| of service end points, covering all VPN use cases in existence | ability to dedicate a specific block of disk space per services | |||
| today. It can be point-to-point and/or multi-point-to-multi-point, | per VPN. The dedicated block of disk space CAN be maintained | |||
| and everything in between. The service can be between carrier data | permanently or temporarily per VPN requirement, controlled by the | |||
| center and enterprise private data center, or between carrier data | associated properties of VPN. | |||
| center and a remote VPN user. | ||||
| Below are three framework diagrams illustrating L3VPN-oriented data | o The carrier and the VPN customer SHALL be able to monitor the | |||
| center services. The frameworks for L2VPN-oriented data center | dedicated block of disk space per VPN per services. | |||
| services would be very similar to the ones shown here, using MAC | ||||
| addresses instead of IP addresses. | ||||
| Figure 1 shows an exemplary framework where 4 unique VPNs (customer | o If a VPN specifies its associated storage space to be accessible | |||
| LAN) accessing a carrier multi-tenant data center. | only by certain hosts, the VPN customer SHALL have the ability to | |||
| indicate the mechanism used to prevent the unwanted data | ||||
| retrieval for the block of disk space after it is no longer used | ||||
| by the VPN, before it can be re-used by other parties. | ||||
| Figure 2 shows the logical view of the framework from the vantage | o The VPN SHALL have the ability to request dedicated network | |||
| point of the data center PE router. | resources within the data center such as bandwidth and QoS | |||
| settings. | ||||
| Figure 3 shows the logical view of the service from the vantage | o The VPN SHALL have the ability to hold the requested resources | |||
| point of the individual VM and/or VPN customer. Please note that | without sharing with any other parties. | |||
| VM/customer belong to each VPN can only see everything within its | ||||
| own VPN, although all 4 VPNs are shown on the drawing. | ||||
| VPN1[10.1.X.X]-SW-CE-PE---- ----PE-CE-SW-VPN2[10.130.X.X] | o The external VPN's QoS assignments SHOULD be able to synchronize | |||
| \ / | with the data center virtual resources' QoS assignments. | |||
| \ / | ||||
| BACKBONE | ||||
| / | \ | ||||
| / | \ | ||||
| VPN3[100.12.X.X]-SW-CE-PE-- | --PE-CE-SW-VPN4[170.4.X.X] | ||||
| | | ||||
| | | ||||
| DC PE | ||||
| | | ||||
| | | ||||
| DC CE | ||||
| | | ||||
| | | ||||
| VPN1[10.2.X.X] | ||||
| VPN2[10.120.X.X] | ||||
| VPN3[101.30.X.X] | ||||
| VPN4[170.10.X.X] | ||||
| Figure 1 Physical View of L3VPN-oriented Data Center Services | 6. Security Requirements | |||
| VPN1[10.1.X.X]-PE{VPN GATEWAY} PE{VPN GATEWAY}-VPN2[10.130.X.X] | o VPN-Oriented Data center Service SHOULD support a variety of | |||
| \ / | security measures in securing tenancy of virtual resources such | |||
| \ / | as resource locking, containment, authentication, access control, | |||
| BACKBONE | encryption, integrity measure, and etc. | |||
| / | \ | ||||
| / | \ | ||||
| VPN3[100.12.X.X]-PE{VPN GATEWAY} | PE{VPN GATEWAY}-VPN4[170.4.X.X] | ||||
| | | ||||
| | | ||||
| PE{VPN GATEWAY} | ||||
| | | ||||
| | | ||||
| VPN1[10.2.X.X] | ||||
| VPN2[10.120.X.X] | ||||
| VPN3[101.30.X.X] | ||||
| VPN4[170.10.X.X] | ||||
| Figure 2. Logical View at Data Center VPN PE Router | o The VPN-Oriented Data center Service SHOULD allow the security to | |||
| be configured end-to-end on a per-VPN/per-service/per-user basis. | ||||
| For example, the Data center Systems SHOULD be able to resource- | ||||
| lock resources such as memory, and also SHOULD be able provide a | ||||
| cleaning function to insure confidentiality before being | ||||
| reallocated. | ||||
| VPN1[10.1.X.X] VPN2[10.130.X.X] | o VPN-Oriented Data center Service SHOULD be able to specify an | |||
| -PE{VPN GATEWAY} PE{VPN GATEWAY}- | authentication mechanism based for both header and payload. | |||
| VPN1[10.2.X.X] \ / VPN2[10.120.X.X] | Encryption algorithm CAN also be specified to provide additional | |||
| \ / | security. | |||
| \ / | ||||
| BACKBONE | ||||
| / \ | ||||
| / \ | ||||
| VPN3[100.12.X.X] / \ VPN4[170.4.X.X] | ||||
| -PE{VPN GATEWAY} PE{VPN GATEWAY}- | ||||
| VPN3[101.30.X.X] VPN4[170.10.X.X] | ||||
| Figure 3. Logical View of L3VPN-ORIENTED Data Center Services | o Security boundaries CAN be specified and created per VPN to | |||
| maintain domains of TRUSTED, UNTRUSTED, and Hybrid. Within each | ||||
| domain access control, additional techniques MAY be specified to | ||||
| secure resources and administrative domains. | ||||
| 9. References | 7. Other Requirements | |||
| Authors' Addresses | o The VPN-Oriented Data center Service SHALL support host-to-host | |||
| configuration exchanges via inband signaling. | ||||
| Ning So | o The VPN-Oriented data center service solution MUST have | |||
| Verizon Inc. | sufficient OAM mechanisms in place to allow consistent end-to-end | |||
| 2400 N. Glenville Ave., | management of the solution in existing deployed networks. The | |||
| Richardson, TX75082 | solution SHOULD use existing protocols (e.g., IEEE 802.1ag, ITU-T | |||
| ning.so@verizonbusiness.com | Y.1731, BFD) wherever possible to facilitate interoperability | |||
| with existing OAM deployments. | ||||
| Paul Unbehagen | 8. References | |||
| Avaya | ||||
| unbehagen@avaya.com | ||||
| Linda Dunbar | Thanks to Paul Unbehagen, Linda Dunbar, Bhumip Khasnabish, LiZhong Jin, | |||
| Huawei Technologies | Norival Figueira, and Zhengping You for review this draft and providing | |||
| 5340 Legacy Drive, Suite 175 | valuble inputs. | |||
| Plano, TX 75024, USA | ||||
| Linda.dunbar@huawei.com | ||||
| Henry Yu | Authors' Addresses | |||
| TW Telecom | ||||
| 10475 Park Meadows Dr. | ||||
| Littleton, CO 80124 | ||||
| Henry.yu@twtelecom.com | ||||
| Bhumip Khasnabish | Ning So | |||
| ZTE | Verizon Inc. | |||
| vumip1@gmail.com | 2400 N. Glenville Ave., | |||
| Richardson, TX75082 | ||||
| ning.so@verizon.com | ||||
| LiZhong Jin | Dave McDysan | |||
| ZTE | Verizon Inc. | |||
| 889 Bibo Road | 22001 Loudoun County PKWY. | |||
| Shanghai, 201203, China | Ashburn, VA 20147 | |||
| lizhong.jin@zte.com.cn | Dave.mcdysan@verizon.com | |||
| John M. Heinz | Henry Yu | |||
| CenturyLink | TW Telecom | |||
| 600 New Century PKWY | 10475 Park Meadows Dr. | |||
| KSNCAA0420-4B116 | Littleton, CO 80124 | |||
| New Century, KS 66031 | Henry.yu@twtelecom.com | |||
| john.m.heinz@centurylink.com | ||||
| Norival Figueira | ||||
| Brocade Networks | ||||
| 130 Holger Way | ||||
| San Jose, CA 95134 | ||||
| nfigueir@brocade.com | ||||
| Zhengping You | John M. Heinz | |||
| AFORE Solutions | CenturyLink | |||
| 2680 Queensview Dr., | 600 New Century PKWY | |||
| Ottawa, Ontario Canada K2B819 | KSNCAA0420-4B116 | |||
| Zhengping.you@aforesolutions.com | New Century, KS 66031 | |||
| john.m.heinz@centurylink.com | ||||
| 10. Acknowledgments | 9. Acknowledgments | |||
| This document was prepared using 2-Word-v2.0.template.dot. | This document was prepared using 2-Word-v2.0.template.dot. | |||
| End of changes. 84 change blocks. | ||||
| 480 lines changed or deleted | 345 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||