Network Working Group L. Yong
Internet-Draft Huawei USA
Intended status: Standard Track T. Herbert
Google
Expires: April 2015 October 27, 2014
Generic UDP Encapsulation (GUE) for Network Virtualization Overlay
draft-hy-nvo3-gue-4-nvo-00
Abstract
This document describes a network virtualization encapsulation scheme
that uses Generic UDP Encapsulation (GUE) [GUE].
Status of This Document
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 27, 2015.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Yong & Herbert [Page 1]
Internet-Draft Generic UDP Encapsulation for NVO October 2014
Table of Contents
1. Introduction...................................................3
2. Terminology....................................................3
2.1. Requirements Language.....................................3
3. Generic UDP Encapsulation (GUE) for NVO........................3
4. Encapsulation/Decapsulation Operation..........................6
5. IANA Considerations............................................7
6. Security Considerations........................................7
7. References.....................................................7
7.1. Normative References......................................7
7.2. Informative References....................................8
8. Authors' Addresses.............................................8
1. Introduction
Network Virtualization Overlay (NVO3) [RFC7365] aims to provide a virtual
network solution over an IP network in a multi-tenant data center (DC)
environment. Virtual network traffic between any pair of network
virtualization edges (NVEs) is encapsulated with a network
virtualization header and is sent from the ingress NVE to the egress NVE
as an IP packet. This is known as a tunnel mechanism.
A UDP-based tunnel mechanism provides several benefits for such
tunneling applications [GRE-in-UDP]. This document specifies a network
virtualization encapsulation scheme that uses Generic UDP
Encapsulation (GUE) [GUE]. This allows NVEs to adopt a GUE tunnel
implementation.
This document specifies one flag (1 bit) for Network Virtualization
Overlay (NVO) indication in the GUE header and a Virtual Network ID
field in the GUE optional fields. It also specifies the optional use of
the GUE secure transport capability for NVO.
2. Terminology
The terms defined in [RFC768] are used in this document.
2.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Generic UDP Encapsulation (GUE) for NVO
Generic UDP Encapsulation adds a 32-bit basic GUE header after the UDP
header. The GUE header contains the key fields that a UDP tunnel
application needs: version, control message indication (C), Header
Length (Hlen), and Protocol Type (or ctype). It also contains undefined
flags, which are reserved for tunnel applications. Figure 1 illustrates
the GUE structure and its key fields. For the detailed specification,
see [GUE].
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source port          |       Destination port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Length             |           Checksum            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0x0|C|   Hlen  |  Proto/ctype  |            Flags            |P|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                       Fields (optional)                       ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Private flags (optional)                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                   Private fields (optional)                   ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                      Figure 1  GUE Header Format
This document proposes to allocate one flag bit from the GUE undefined
flags for the Network Virtualization Overlay (NVO) and defines a
Virtual Network Identifier (VN ID) field for NVO in the GUE optional
fields. It also specifies the use of GUE secure transport for NVO. The
network virtualization header format is shown in Figure 2, followed by
its specification.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source port          |       Destination port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Length             |           Checksum            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0x0|C|   Hlen  |  Proto/ctype  |V|SEC|         Flags         |0|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                  Virtual Network ID (VN ID)                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                      Security (Optional)                      ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
               Figure 2  GUE for Network Virtualization Overlay
o 'V' Virtualization flag: Indicates the presence of the Virtual
Network Identifier (VN ID) field in the GUE optional fields. This
flag MUST be set when GUE is used for network virtualization
overlay (NVO).
o Virtual Network ID (4 octets): Used in network virtualization
overlay to identify the virtual network that the packet was sent on.
This field is present only if the 'V' virtualization flag is set. The
use and semantics of this field should be defined in separate
documents.
o 'SEC' Security flags: Indicates the presence of the security field
[GUE4SEC], which provides secure transport for a tunneled protocol.
NVO MAY use it to provide secure transport, so this field is
optional for NVO. If the flags are set, i.e. not 00, the egress NVE
MUST process the security field, which is placed after the VN ID
field. Two bits are used for the 'SEC' flags to convey the security
field length, as follows:
   o 00 - No security field
   o 01 - 64 bit security field
   o 10 - 128 bit security field
   o 11 - 256 bit security field
The use of the security field is expected to be negotiated out of
band between the two NVEs. Potential uses of the security field for NVO
are described in the Security Considerations section.
The usage of the key fields in the GUE header [GUE] for network
virtualization encapsulation is described below:
o Type: Set to 0x0 for network virtualization overlay encapsulation.
o Control flag: When set, indicates that the packet contains a control
message. An OAM packet for the virtual network instance can be
carried when it is set. Control or OAM processing MUST occur. The
OAM protocol is out of scope for this document.
o Hlen: 1 if the Security flags are clear. When the Security flags are
set, 1 + 2^n, where n is the value of the SEC flags (1, 2 or 3).
o Protocol: Contains the protocol of the encapsulated payload packet,
i.e. the next header. The next header begins at the offset given
by Hlen. For network virtualization, the payload protocol can be
Ethernet, IPv4 or IPv6.
o CType: Reserved for the control message type. The VN ID can be used
with CType to direct a control message to the VN layer.
o 'P' Private flag: The last bit in the GUE header. This flag
SHOULD be clear for network virtualization encapsulation.
UDP header usage for network virtualization overlay is as follows: the
UDP destination port SHOULD be set to the GUE port [GUE]; the UDP
source port MAY be filled with virtual network flow entropy. The
checksum and length handling MUST comply with the GUE specification
[GUE].
4. Encapsulation/Decapsulation Operation
The network virtualization encapsulation scheme specified in this
document applies to both IPv4 and IPv6 underlay networks. The outer
IP addresses must be the egress NVE IP address (dst) and the ingress
NVE IP address (src). The network virtualization edge (NVE)
implementation must comply with the tunnel implementation specified in
GUE [GUE], including GUE header processing precedence.
When secure transport is used, the egress NVE MUST perform security
validation before processing the payload.
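The header layout of Figure 2 and the egress processing order of this section, as an added example in Python (this is not code from the draft or its authors). It assumes the bit layout of the GUE draft (2-bit version, C, 5-bit Hlen, 8-bit Proto/ctype, then 16 flag bits with V first, SEC the next two and P last), that Hlen counts 32-bit words so that Hlen = 1 + 2^SEC matches the SEC table in Section 3, and that Proto carries IP protocol numbers (4 and 41 for IPv4 and IPv6; no Ethernet codepoint is assumed). The UDP and outer IP headers are not built here.

```python
"""Encode/decode of the GUE header for network virtualization overlay.

Added illustration of Sections 3 and 4 of the draft; not the draft's own
code. Assumed layout (Figure 2 plus the GUE draft):
    Ver (2 bits) | C (1) | Hlen (5) | Proto/ctype (8) | Flags (16)
with V as the first flag bit, SEC the next two, P the last, Hlen in
32-bit words, and Hlen = 1 + 2**SEC whenever SEC is non-zero.
"""
import struct

GUE_VERSION = 0
FLAG_V = 0x8000           # first of the 16 flag bits
FLAG_SEC_SHIFT = 13       # SEC occupies the two bits just below V
FLAG_SEC_MASK = 0x3 << FLAG_SEC_SHIFT
FLAG_P = 0x0001           # private flag, last bit of the header
# Assumption: Proto carries IP protocol numbers, as in [GUE].
PROTO_IPV4 = 4
PROTO_IPV6 = 41
# SEC code -> security field length in bytes (Section 3 table).
SEC_FIELD_BYTES = {0: 0, 1: 8, 2: 16, 3: 32}


class GueFormatError(ValueError):
    """Raised when a header does not satisfy the draft's rules."""


def hlen_for_sec(sec):
    """Hlen in 32-bit words: 1 (VN ID only) or 1 + 2**SEC."""
    return 1 if sec == 0 else 1 + 2 ** sec


def encode_nvo_header(vn_id, proto, security=b""):
    """Build the GUE header (without UDP) for a data packet on vn_id."""
    if not 0 <= vn_id <= 0xFFFFFFFF:
        raise GueFormatError("VN ID must fit in 4 octets")
    try:
        sec = next(c for c, n in SEC_FIELD_BYTES.items() if n == len(security))
    except StopIteration:
        raise GueFormatError("security field must be 0, 8, 16 or 32 bytes")
    flags = FLAG_V | (sec << FLAG_SEC_SHIFT)   # V set, SEC per field, P clear
    hlen = hlen_for_sec(sec)
    word0 = (GUE_VERSION << 30) | (0 << 29) | (hlen << 24) | (proto << 16) | flags
    return struct.pack("!II", word0, vn_id) + security


def decode_nvo_header(buf):
    """Parse and validate a GUE header; returns (vn_id, proto, security, payload)."""
    if len(buf) < 4:
        raise GueFormatError("truncated GUE header")
    (word0,) = struct.unpack_from("!I", buf)
    ver = word0 >> 30
    ctrl = (word0 >> 29) & 1
    hlen = (word0 >> 24) & 0x1F
    proto = (word0 >> 16) & 0xFF
    flags = word0 & 0xFFFF
    if ver != GUE_VERSION:
        raise GueFormatError("unsupported GUE version %d" % ver)
    if ctrl:
        raise GueFormatError("control message: OAM handling is out of scope here")
    if not flags & FLAG_V:
        raise GueFormatError("V flag must be set for NVO encapsulation")
    if flags & FLAG_P:
        raise GueFormatError("private flag should be clear for NVO")
    sec = (flags & FLAG_SEC_MASK) >> FLAG_SEC_SHIFT
    if hlen != hlen_for_sec(sec):
        raise GueFormatError("Hlen %d inconsistent with SEC %d" % (hlen, sec))
    end = 4 + 4 * hlen
    if len(buf) < end:
        raise GueFormatError("header longer than datagram")
    (vn_id,) = struct.unpack_from("!I", buf, 4)
    security = bytes(buf[8:end])
    return vn_id, proto, security, bytes(buf[end:])


def decapsulate(buf, validate_security):
    """Egress NVE step: the security field is validated before the payload
    is handed on; validate_security(vn_id, field) is the negotiated check."""
    vn_id, proto, security, payload = decode_nvo_header(buf)
    if not validate_security(vn_id, security):
        raise GueFormatError("security validation failed for VN %d" % vn_id)
    return vn_id, proto, payload
```

decode_nvo_header rejects the inconsistent cases an egress NVE must not act on: a header whose Hlen disagrees with its SEC flags, a missing V flag, a set P flag, and a datagram shorter than Hlen claims. decapsulate keeps the order required by this section: nothing of the payload is returned until the caller-supplied security check has passed.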
5. IANA Considerations
The document does not require any IANA action.
6. Security Considerations
A Network Virtualization Edge (NVE) implements the UDP tunnel
mechanism specified in [GUE], so it inherits the security concerns
stated in the Security Considerations section of [GUE].
The security option described in this document can be used to improve
data plane security for NVO applications. The security field may
be used as a cookie. This would be similar to the cookie mechanism
described in L2TP [RFC3931], and the general properties should be
the same. The cookie may be used to validate the encapsulation. The
cookie is a shared value between the ingress NVE and egress NVE, which
should be chosen randomly and may be changed periodically. Different
cookies may be used for logical flows between the ingress NVE and
egress NVE; for instance, packets sent with different VN IDs in network
virtualization might have different cookies.
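The cookie properties described above (random, per virtual network, changed periodically, compared by the egress NVE) as an added Python example; it is not code from the draft or its authors. The rotation policy, under which the previous cookie stays valid for a short grace period so in-flight packets survive a change, and the clock parameter used to make the behaviour testable are assumptions of this example, not something the draft specifies. Cookie lengths are restricted to the 64-, 128- and 256-bit sizes the SEC flags can carry.

```python
"""Per-VN cookie table for the GUE security field used as a cookie.

Added illustration of the Security Considerations; not the draft's own
code. The grace-period rotation policy is an assumption of this example.
"""
import hmac
import secrets
import time


class CookieTable:
    """Shared cookie for each (peer NVE, VN ID) pair, as seen by one NVE."""

    def __init__(self, length=16, rotate_after=3600.0, grace=60.0,
                 clock=time.monotonic):
        if length not in (8, 16, 32):       # 64, 128 or 256 bits, per SEC
            raise ValueError("cookie length must match a SEC field size")
        self.length = length
        self.rotate_after = rotate_after    # seconds before a cookie is replaced
        self.grace = grace                  # seconds the previous cookie stays valid
        self.clock = clock                  # injectable for testing (assumption)
        # (peer, vn_id) -> (current, installed_at, previous, previous_retired_at)
        self._entries = {}

    def install(self, peer, vn_id, cookie=None):
        """Install a cookie agreed out of band; generate a random one if none given."""
        cookie = cookie if cookie is not None else secrets.token_bytes(self.length)
        if len(cookie) != self.length:
            raise ValueError("cookie has the wrong length")
        now = self.clock()
        old = self._entries.get((peer, vn_id))
        previous, retired = (old[0], now) if old else (None, None)
        self._entries[(peer, vn_id)] = (cookie, now, previous, retired)
        return cookie

    def current(self, peer, vn_id):
        """Cookie the ingress NVE places in the security field; rotates when due."""
        entry = self._entries[(peer, vn_id)]
        if self.clock() - entry[1] >= self.rotate_after:
            return self.install(peer, vn_id)
        return entry[0]

    def validate(self, peer, vn_id, received):
        """Egress-side check: constant-time compare against the current cookie,
        or the previous one while its grace period lasts."""
        entry = self._entries.get((peer, vn_id))
        if entry is None or len(received) != self.length:
            return False
        current, _, previous, retired = entry
        if hmac.compare_digest(current, received):
            return True
        if previous is not None and self.clock() - retired < self.grace:
            return hmac.compare_digest(previous, received)
        return False
```

validate is the function an egress NVE would pass as the security check when decapsulating: the comparison is constant-time, a VN ID with no installed cookie is rejected rather than accepted, and a cookie for one VN ID never validates traffic on another.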
7. References
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3931] Lau, J., Townsley, M., et al., "Layer Two Tunneling
          Protocol - Version 3 (L2TPv3)", RFC 3931, 2005.
[RFC7365] Lasserre, M., et al., "Framework for Data Center (DC)
          Network Virtualization".
[GUE]     Herbert, T. and Yong, L., "Generic UDP Encapsulation",
          draft-herbert-gue-02, work in progress.
[GUE4SEC] Yong, L. and Herbert, T., "Generic UDP Encapsulation (GUE)
          for Secure Transport", draft-hy-gue-4-secure-transport-00,
          work in progress.
7.2. Informative References
[GRE-in-UDP] Crabbe, E., Yong, L., and Xu, X., "Generic UDP
          Encapsulation for IP Tunneling",
          draft-ietf-tsvwg-gre-in-udp-encap-03, work in progress.
8. Authors' Addresses
Lucy Yong
Huawei USA
5340 Legacy Dr.
Plano, TX 75024
US
Email: lucy.yong@huawei.com
Tom Herbert
Google
1600 Amphitheatre Parkway
Mountain View, CA
US
Email: therbert@google.com