One document matched: draft-so-vdcs-00.txt
Operations and Management Area Working Group N. So
Internet Draft Verizon
Intended status: Standard Track P. Unbehagen
Expires: Sept 2011 Avaya
L. Dunbar
Huawei
H.Yu
TW Telecom
Bhumip Khasnabish
LiZhong Jin
ZTE
J. Heinz
CenturyLink
N.Figueira
Brocade
Zhengping You
AFORE Solutions
June 30, 2011
Requirement and Framework for VPN-Oriented Data Center Services
draft-so-vdcs-00.txt
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on December 30, 2011.
Copyright Notice
So Expires December 30, 2011 [Page 1]
Internet-Draft VPN-oriented Cloud Services March 2011
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.
Abstract
This contribution addresses the service providers' requirements to
support VPN-Oriented data center services. It describes the
characteristics and the framework of VPN-oriented data center
services and specifies the requirements on how to maintain and manage
the virtual resources within data center resources and the supporting
network infrastructures for those services.
Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119.
Table of Contents
1. Introduction ................................................ 3
2. Terminology ................................................. 4
3. Service definitions and requirements......................... 4
4. Requirements of Data Center networks in support of VPN-Oriented
Cloud Services ................................................. 6
5. Data Center Resource Management Requirements for VPN-oriented
Cloud Service .................................................. 8
6. Security Requirement ........................................ 9
7. Other Requirements .......................................... 9
8. IANA Considerations ......................................... 9
9. Acknowledgments ............................................ 12
10. References ................................................ 12
Authors' Addresses ............................................ 12
Intellectual Property Statement................................ 13
Disclaimer of Validity ........................................ 14
So Expires Sept30, 2011 [Page 2]
Internet-Draft VPN-oriented Cloud Services March 2011
1. Introduction
Layer 2 and 3 VPN services offer secure and logically dedicated
connectivity among multiple sites for enterprises. VPN-oriented data
center service is for those VPN customers who want to offload some
dedicated user data center operations such as software, compute, and
storage, to the shared carrier data centers. Those customers often
do not want to use public Internet as the primary network accessing
and handling the traffic between the customer (user and user data
centers) and the carrier data centers. Instead, they would prefer to
use the carrier data center as an nature extension of the VPN they
are already using, realizing the benefits of a multi-tenant data
center while retaining as much control as possible. For example,
they want to maintain the restrictive control on what and how the
virtualized data center resources, e.g., computing power, disk
spaces, and/or application licenses, can be shared.
VPN-Oriented Data center Services allow the VPN services to be
extended into carrier data centers and to control the virtual
resources sharing functions. As a carrier, a VPN-Oriented data center
service product may be offered globally across multiple data centers.
Some of the data centers may be owned by the carrier, while others
may be owned by a user/partner/vendor. In addition, multiple VPN-
oriented data center Service products can be offered from the same
data center.
VPN-Oriented data center services differentiate it from other carrier
services in the following aspects:
Strictly maintaining the secure, reliable, and logical isolation
characteristics of VPN for the end-to-end services provided;
Making the traditional data center services (like computing,
storage space, or application licenses) as additional attributes to
VPNs.
VPN having the control on how and what data center resources to be
associated with the VPN.
This draft describes the characteristics of those services, the
service requirements, and the corresponding requirements to data
center networks. It also describes a list of the problems that this
service is causing to the network provider/operator, especially for
So Expires Sept30, 2011 [Page 3]
Internet-Draft VPN-oriented Cloud Services March 2011
the existing VPN customers. These issues must be addressed in order
for service providers to facilitate the addition of virtualized
services to the VPNs of existing customers.
2. Terminology
DC: Data Center
VM: Virtual Machines
VPN: Virtual Private Network
3. Service definitions and requirements
3.1 VPN-oriented data center computing service
This refers to Virtual Machines (VMs) and/or physical servers in a
virtualized carrier data center being attached to a customer VPN. The
customer can choose different properties on the computing power, such
as dedicated servers, preference on which data center to host those
servers, or special VMs which are shared with a group of other VPN
customers, and etc.
3.1.1 VPN-oriented data center computing services requirements
These requirements apply to all VPN-oriented data center services
described in this draft unless specified otherwise.
Any virtualized carrier data center providing the VPN-oriented
computing services SHOULD be able to automatically provision
and/or change the required resources based on the specified
properties associated with a VPN.
VPN customers SHALL be able to automatically instantiate or
remove Virtual Machines (VMs) to/from the VPN's associated
hosts or dedicated servers through the changing of the
customer's VPN properties.
VPN customers SHOULD be able to move VMs among customer private
data centers and carrier data centers based on their own load
balancing criteria and algorithm.
So Expires Sept30, 2011 [Page 4]
Internet-Draft VPN-oriented Cloud Services March 2011
VPN customers SHALL be able to monitor, log, and track all VM
usage information on per user, per resource pool, and per
application basis.
VPN customers and the service provider SHALL be able to
monitor, log, and track all VM user information.
VPN customers SHALL be able to automatically add/remove
physical servers associated with the VPN through the changing
of the customer's VPN properties.
VPN customers SHOULD be able to provision a new VPN and new
service based on the properties associated with an existing VPN
and service using the same set (or sub set) of existing
physical infrastructure.
VPN customers SHALL be able to control if and how VM mobility
can occur.
3.2 VPN-oriented data center storage service
This refers to disk space, either virtual or actual blocks of hard
drives in data centers, being added to a customer's VPN.
3.2.1 VPN-oriented data center storage service requirements
The VPN customer SHOULD be able to choose different content
replication properties. For example, the customer can control
if the content has to be replicated locally or has to be
replicated at a geographically different location
(identifiable by the customer if needed); if the storage has
to be co-located with certain VMs/hosts; or which VMs/hosts
have access to the content, and etc.
These storage properties SHOULD be associated with the VPN. Any
data center providing the storage space for a VPN SHOULD be
able to automatically provision or change the required storage
space based on the properties associated with the VPN.
The VPN customer SHOULD be able to automatically add disc space
or remove disc space to the VPN's associated storage through
the changing of the VPN properties.
So Expires Sept30, 2011 [Page 5]
Internet-Draft VPN-oriented Cloud Services March 2011
The VPN customer SHALL have the ability to limit the mobility
of the stored data based on the VPN's reachability.
The VPN customer SHOULD have the ability to specify the stored
content life cycle management properties. Those properties
include but not limited to how long the stored content shall
be stored and how it should be erased/deleted.
4. Requirements of Data Center networks in support of VPN-Oriented Data
center Services
The success of VPN services in the enterprise and the government
world is largely due to its ability to virtually segregate the
customer traffic at layer 2 and layer 3. The lower the layer that
segregation can be maintained, the safer it is for the customers from
security and privacy perspectives. Today's Data Centers use VLANs to
segregate servers and traffic from different customers. Since each
customer usually needs multiple service zones to place different
applications, each customer usually needs multiple VLANs. Even small
data centers today can have thousands of VLANs. Therefore, pure VLAN
segregation is not enough for large data centers. In addition, since
carrier data center resources can be viewed as added attributes to
VPNs, traffic segregation per VPN becomes an essential requirement to
VPN-oriented data center services because of its ability to control
the data center virtual resources' assignments, thus ensuring end-to-
end resource allocation for service level performance insurance as
well as manageability.
4.1 Requirement for extending VPNs into data center networks using VPN
gateways:
When a data center does not use L2VPN or L3VPN as the intra-data
center network, but still wants to provide the VPN-oriented data
center services for external VPN customers, a VPN gateway function
can be added to the data center networks to extend the external VPNs
into the data center networks and to connect with the VMs and virtual
storages. (None L2/3 data center network technology used can include
TRILL, PBB, SPB, OpenFlow, STP, and etc.) The VPN gateway function
has to meet the following requirements:
So Expires Sept30, 2011 [Page 6]
Internet-Draft VPN-oriented Cloud Services March 2011
o Each external VPN SHALL be given a unique Identification (ID),
and the traffic separation within the data center SHALL be
maintained per ID.
o Each data center Service associated with a VPN SHALL be
transmitted over an unique set of intra-data center network
connections (logical or physical).
o The VPN gateway SHOULD maintain a record and the mapping of
virtual and physical data center resources to physical/logical
connections associated with each specific VPN running the VPN-
oriented data center services.
o The VPN gateway SHOULD be able to control the traffic flow and
assign the dedicated virtual resources accordingly.
o The carrier and the customer SHALL be able to monitor the
resource assignment and usage per VPN per service.
o The customer SHOULD be able to dynamically re-configure the
data center resources assignment and allocation per services
and/or per VM through the re-configuration of its VPN
properties.
o VPN gateway SHALL support multiple services per VPN.
o VPN gateway SHOULD have the capability to differentiate QoS
within the VPN on per service basis. For example, storage
service may have higher QoS requirement than computing
service.
o VPN gateway SHOULD support multiple external VPN instances and
SHOULD be able to map them to the associated services.
o VPN gateway SHALL maintain the reportable record of how
traffic separation per VPN is achieved through the data center
network.
o VPN Gateway SHOULD be able to allocated intra-data center
network resources according to external VPN network's
requirements dynamically for bandwidth, QoS and traffic
engineering purpose.
4.2 Requirement for extending VPNs into data center networks using
intra-data center VPN
When a L2/3 VPN is used as the network technology inside the data
center, each external VPN SHALL be mapped to a unique internal VPN.
So Expires Sept30, 2011 [Page 7]
Internet-Draft VPN-oriented Cloud Services March 2011
5. Data Center Resource Management Requirements for VPN-oriented Data
center Services
Today, data center server resources are managed by data center
servers' administrators or management systems, and supported by
hypervisors on the servers. This process is invisible to the
underlying networks. The data center management functions include
managing servers, instantiating hosts to VMs, managing disk space,
and etc.
Traffic loading and balancing and QoS assignments for data center
networks are not considered by Data Center's server administration
systems. Therefore, there is an interworking gap between the networks
and the Data Center's server administration systems. This gap needs
to be filled in order for the VPN-oriented data center service to
operate.
The resources in data center MUST be partitioned per VPN instead
of per customer.
The data center service orchestration system SHALL have the
ability to dedicate a specific block of disk space per services
per VPN. The dedicated block of disk space CAN be maintained
permanently or temporarily per VPN requirement, controlled by the
associated properties of VPN.
The carrier and the VPN customer SHALL be able to monitor the
dedicated block of disk space per VPN per services.
If a VPN specifies its associated storage space to be accessible
only by certain hosts, the VPN customer SHALL have the ability to
indicate the mechanism used to prevent the unwanted data retrieval
for the block of disk space after it is no longer used by the VPN,
before it can be re-used by other parties.
The VPN SHALL have the ability to request dedicated network
resources within the data center such as bandwidth and QoS
settings.
The VPN SHALL have the ability to hold the requested resources
without sharing with any other parties.
The external VPN's QoS assignments SHOULD be able to synchronize
with the data center virtual resources' QoS assignments.
So Expires Sept30, 2011 [Page 8]
Internet-Draft VPN-oriented Cloud Services March 2011
6. Security Requirements
VPN-Oriented Data center Service SHOULD support a variety of
security measures in securing tenancy of virtual resources such
as resource locking, containment, authentication, access
control, encryption, integrity measure, and etc.
The VPN-Oriented Data center Service SHOULD allow the security
to be configured end-to-end on a per-VPN/per-service/per-user
basis. For example, the Data center Systems SHOULD be able to
resource-lock resources such as memory, and also SHOULD be able
provide a cleaning function to insure confidentiality before
being reallocated.
VPN-Oriented Data center Service SHOULD be able to specify an
authentication mechanism based for both header and payload.
Encryption algorithm CAN also be specified to provide additional
security.
Security boundaries CAN be specified and created per VPN to
maintain domains of TRUSTED, UNTRUSTED, and Hybrid. Within each
domain access control, additional techniques MAY be specified to
secure resources and administrative domains.
7. Other Requirements
The VPN-Oriented Data center Service SHALL support automatic
end-to-end network configuration.
The VPN-Oriented data center service solution MUST have
sufficient OAM mechanisms in place to allow consistent end-to-
end management of the solution in existing deployed networks.
The solution SHOULD use existing protocols (e.g., IEEE 802.1ag,
ITU-T Y.1731, BFD) wherever possible to facilitate
interoperability with existing OAM deployments.
8. VPN-oriented Data center Service Framework
VPN-oriented data center services do not alter the physical
connectivity of the service supporting infrastructure. Instead, the
framework augments the VPN associated properties on the carrier's VPN
PE router. In addition, it provides a generic interworking framework
between the VPN and the data center network, exposing the IP/MAC
address of the VMs directly to the VPN.
So Expires Sept30, 2011 [Page 9]
Internet-Draft VPN-oriented Cloud Services March 2011
The VPN-oriented data center services are flexible on the identities
of service end points, covering all VPN use cases in existence today.
It can be point-to-point and/or multi-point-to-multi-point, and
everything in between. The service can be between carrier data
center and enterprise private data center, or between carrier data
center and a remote VPN user.
Below are three framework diagrams illustrating L3VPN-oriented data
center services. The frameworks for L2VPN-oriented data center
services would be very similar to the ones shown here, using MAC
addresses instead of IP addresses.
Figure 1 shows an exemplary framework where 4 unique VPNs (customer
LAN) accessing a carrier multi-tenant data center.
Figure 2 shows the logical view of the framework from the vantage
point of the data center PE router.
Figure 3 shows the logical view of the service from the vantage point
of the individual VM and/or VPN customer. Please note that
VM/customer belong to each VPN can only see everything within its own
VPN, although all 4 VPNs are shown on the drawing.
10.1.x.x 10.130.x.x - - - - - -- -- -- -- -- -- - - - - - | | | | | |-----|SW|---|CE|---|PE|---- ----|PE|---|CE|---|SW|----| | | | | | - - - - - -- -- -- \ / -- -- -- - - - - - VPN-1 \ / VPN-2 __________________ ---- Backbone ---- __________________ 100.12.x.x / | \ 170.4.x.x - - - - - -- -- -- / | \ -- -- -- - - - - - | | | | | |-----|SW|---|CE|---|PE|---- | ----|PE|---|CE|---|SW|----| | | | | | - - - - - -- -- -- | -- -- -- - - - - - VPN-3 | VPN-4 --------- | DC PE | |(Gateway)| --------- | | --------- | DC CE | --------- | | - - - - - - |-|-|-|-|-|-| - - - - - -
So Expires Sept30, 2011 [Page 10]
Internet-Draft VPN-oriented Cloud Services March 2011
10.2.x.x VPN-1 10.120.x.x VPN-2 101.30.x.x VPN-3 170.10.x.x VPN-4
Figure 1. Physical View of L3VPN-oriented data center services
10.1.x.x 10.130.x.x - - - - - ---------------- ---------------- - - - - - | | | | | |-----|PE (VPN Gateway)|---- ----|PE (VPN Gateway)|----| | | | | | - - - - - ---------------- \ / ---------------- - - - - - VPN-1 \ / VPN-2 __________________ ---- Backbone ---- __________________ 100.12.x.x / | \ 170.4.x.x - - - - - ---------------- / | \ ---------------- - - - - - | | | | | |-----|PE (VPN Gateway)|---- | ----|PE (VPN Gateway)|----| | | | | | - - - - - ---------------- | ---------------- - - - - - VPN-3 | VPN-4 --------- | PE | | VPN | |(Gateway)| --------- | | - - - - - - |-|-|-|-|-|-| - - - - - - 10.2.x.x VPN-1 10.120.x.x VPN-2 101.30.x.x VPN-3 170.10.x.x VPN-4
Figure 2. Logical View at Data Center VPN PE Router
10.1.x.x 10.130.x.x - - - - - -- -- -- -- -- -- - - - - - | | | | | |-----|SW|---|CE|---|PE|---- ----|PE|---|CE|---|SW|----| | | | | | - - - - - -- -- -- \ / -- -- -- - - - - - |-|-| VPN-1 10.2.x.x \ / 10.120.x.x VPN-2 |-|-| - - __________________ - -
So Expires Sept30, 2011 [Page 11]
Internet-Draft VPN-oriented Cloud Services March 2011
---- Backbone ---- __________________ 100.12.x.x / \ 170.4.x.x - - - - - -- -- -- / \ -- -- -- - - - - - | | | | | |-----|SW|---|CE|---|PE|---- ----|PE|---|CE|---|SW|----| | | | | | - - - - - -- -- -- -- -- -- - - - - - |-|-| VPN-3 101.30.x.x 170.10.x.x VPN-4 |-|-| - - - -
Figure 3. Logical View of L3VPN-oriented data center services
9. IANA Considerations
10. Acknowledgments
This document was prepared using 2-Word-v2.0.template.dot.
11. References
Authors' Addresses
Ning So
Verizon Inc.
2400 N. Glenville Ave.,
Richardson, TX75082
ning.so@verizonbusiness.com
Paul Unbehagen
Avaya
unbehagen@avaya.com
Linda Dunbar
Huawei Technologies
5340 Legacy Drive, Suite 175
Plano, TX 75024, USA
Linda.dunbar@huawei.com
Henry Yu
TW Telecom
10475 Park Meadows Dr.
Littleton, CO 80124
Henry.yu@twtelecom.com
Bhumip Khasnabish
ZTE
vumip1@gmail.com
So Expires Sept30, 2011 [Page 12]
Internet-Draft VPN-oriented Cloud Services March 2011
LiZhong Jin
ZTE
889 Bibo Road
Shanghai, 201203, China
lizhong.jin@zte.com.cn
John M. Heinz
CenturyLink
600 New Century PKWY
KSNCAA0420-4B116
New Century, KS 66031
john.m.heinz@centurylink.com
Norival Figueira
Brocade Networks
130 Holger Way
San Jose, CA 95134
nfigueir@brocade.com
Zhengping You
AFORE Solutions
2680 Queensview Dr.,
Ottawa, Ontario Canada K2B819
Zhengping.you@aforesolutions.com
Intellectual Property Statement
The IETF Trust takes no position regarding the validity or scope of
any Intellectual Property Rights or other rights that might be
claimed to pertain to the implementation or use of the technology
described in any IETF Document or the extent to which any license
under such rights might or might not be available; nor does it
represent that it has made any independent effort to identify any
such rights.
Copies of Intellectual Property disclosures made to the IETF
Secretariat and any assurances of licenses to be made available, or
the result of an attempt made to obtain a general license or
permission for the use of such proprietary rights by implementers or
users of this specification can be obtained from the IETF on-line IPR
repository at http://www.ietf.org/ipr
So Expires Sept30, 2011 [Page 13]
Internet-Draft VPN-oriented Cloud Services March 2011
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
any standard or specification contained in an IETF Document. Please
address the information to the IETF at ietf-ipr@ietf.org.
Disclaimer of Validity
All IETF Documents and the information contained therein are provided
on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE
IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE
ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
So Expires Sept30, 2011 [Page 14]
| PAFTECH AB 2003-2026 | 2026-04-24 07:31:04 |