Network Working Group                                            D. Wang
Internet-Draft                                                     Q. Wu
Intended status: Standards Track                                  Huawei
Expires: April 24, 2014                                 October 21, 2013


         Multi-Service Virtualization Using Virtual Line Cards
               draft-wang-msv-using-virtual-line-card-00

Abstract

   Many network procedures can benefit from service virtualization and
   service pooling.  This document describes multi-service
   virtualization (MSV), an approach in which physical line cards are
   virtualized into a shared service pool.  MSV not only supports
   service resource pooling to realize intelligent resource sharing,
   but also makes services more flexible and reliable.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 24, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Wang & Wu                Expires April 24, 2014                 [Page 1]


Internet-Draft        MSV using virtual line cards          October 2013


Table of Contents

   1.  Introduction
   2.  Conventions used in this document
   3.  Overview of Multi-Service Virtualization
     3.1.  Virtual Line Cards Registration
     3.2.  Tunnel Setup
     3.3.  Policy Configuration
     3.4.  Heartbeat Monitoring and Service Reliability
     3.5.  Service Virtualization and Service Pooling
   4.  Example Procedures
     4.1.  Virtual line card selection procedure
     4.2.  Procedure of physical slot failover using virtual line card
   5.  Conclusions
   6.  Security Considerations
   7.  IANA Considerations
   8.  Normative References
   Authors' Addresses

1.  Introduction

   Increasingly, several kinds of services, in particular security
   services such as firewalls (FW) and anti-virus (AV), have to be
   deployed at the same time.  Both the inline and the bypass
   deployment patterns of traditional networks pose great challenges in
   this situation, e.g., difficulty in planning the security path,
   fragmentation of the security deployment, complexity of the bypass
   deployment, and so on.  At the same time, physical line cards show
   significant shortcomings in practical use, such as limited
   scalability and a lack of flexibility and reliability.  In this
   context, we introduce multi-service virtualization, which not only
   supports service resource pooling to realize intelligent resource
   sharing, but also makes services more flexible and reliable.

2.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC2119 [RFC2119].

   MSV: Multi-Service Virtualization

   pSlot: Physical Slot

   vSlot: Virtual Slot

   Line Card ID: Identity number of a line card

   LSW: LAN Switch

   PM: Procedure Manager, the centralized control point described in
   Section 4.1

3.  Overview of Multi-Service Virtualization

   The idea of Multi-Service Virtualization (MSV) we propose includes
   physical line card virtualization, service pooling, and service
   chaining.  In our proposal, physical line cards are virtualized into
   virtual line cards, which can optionally be attached to LAN switches
   (either integrated switches or core switches).  Accordingly, the
   physical slots on the LAN switches are virtualized into virtual
   slots as well, and virtual line cards can then be attached to
   certain virtual slots on the LAN switches.  The virtualized line
   cards form a service pool that can be shared to provide services,
   which also provides service resilience.  Through policy
   configuration, different service chains can be defined for different
   users according to their identities, authorizations, service types,
   etc.

   Figure 1 shows one possible framework for an MSV system.  It is only
   used to facilitate the description of the example procedures
   presented in Section 4 and is not intended to define any new scheme.

                                        +----------+
                                        |Controller|
                                        +----------+
                                            ^ ^
                                            | |
                                        ----  |   Service Pool
                                       |      |
                  +------------+       |( ----------- )
                  |    Core    |______(|___+-----+     )
                  |   Switch   |\   (  |   | IPS |      )
                  +------------+ \ (   |   +-----+     )
                        /\        \    |              )
                       /  \      ( \   |             )
                      /    \    (   \+----+         )
                     /      \   (    | FW |        )
                    /        \   (   +----+       )
                   /          \    ( _ _ _ _ _ _ )
                  /            \
       +------------+        +------------+
       | Integrated O vSlot1 | Integrated O vSlot3
       |   Switch   O vSlot2 |   Switch   O vSlot4
       +------------+        +------------+
                        Figure 1 Framework of MSV


   In this framework, there are multiple virtual line cards in the
   service pool, each representing a certain service it can provide,
   such as IPS, FW, and so on.  They register with the core switch and
   provide service together as a service pool.  The virtual line cards
   in the service pool are attached to both integrated switches
   simultaneously, through the virtual slots vSlot1 to vSlot4, and
   perform security inspection for the integrated switch they are
   attached to.  GRE channels are created through which the LAN
   switches communicate with the vSlots.  Policy configuration is
   performed by the controller; virtual line cards are grouped together
   to provide service chains to users.

   The controller in this framework plays the role of the
   administrator, holding the necessary information about the virtual
   line cards in the service pool.

3.1.  Virtual Line Cards Registration

   The administrator chooses appropriate virtual line cards based on
   the topology information and the virtual line cards' capabilities,
   and then binds them to a certain LAN switch (LSW).  In this way an
   MSV group is formed, consisting of the LAN switch and the chosen
   virtual line cards.  As shown in Figure 1, integrated switch 1, the
   virtual FW with vSlot1 and the virtual IPS with vSlot2 are grouped
   into one MSV group.  For simplicity, the LAN switch in an MSV group
   is called the MSV-LSW, and MSV-SEC denotes a virtual line card in
   the MSV group.  Each virtual line card registers itself with the
   administrator.  Through registration, the service type and the
   remaining throughput of each virtual line card are recorded by the
   administrator.

3.2.  Tunnel Setup

   In the framework described above, two GRE channels, the transmit
   channel (TX) and the receive channel (RX), are created between the
   LAN switch and each attached virtual line card, as shown in Figure 2.
   Registration information, heartbeat messages, and service flows are
   all transmitted through these channels between the MSV-LSW and the
   MSV-SEC.

                              LAN
          +------------+  RX            +-------------+
           | LAN Switch |----------------|   Firewall  |
          | (MSV-LSW)  |----------------|  (MSV-SEC)  |
          +------------+            TX  +-------------+
                   Figure 2 Tunnel Setup
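
   As an added illustration (not code from this draft or its authors)
   of the channels described above, the following Python builds and
   validates the RFC 2784 GRE header that would carry a heartbeat
   message between the MSV-LSW and the MSV-SEC.  The heartbeat payload
   format and the card name are assumptions; the draft defines no
   message format.  The second half of the example makes the point a
   practitioner should take from this section: the GRE checksum catches
   corruption in flight, but a forged message passes just as easily,
   because GRE itself carries no authentication.

```python
import struct

# Protocol Type values used in the GRE header (IANA EtherType space).
GRE_PROTO_IPV4 = 0x0800
GRE_PROTO_ETHERNET = 0x6558   # Transparent Ethernet bridging


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's complement sum."""
    if len(data) % 2:
        data += b"\x00"              # pad an odd-length payload with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:               # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int, with_checksum: bool = True) -> bytes:
    """Prepend an RFC 2784 GRE header: C(1) Reserved0(12) Ver(3) ProtocolType(16)."""
    flags = 0x8000 if with_checksum else 0x0000   # bit 0 = Checksum Present
    header = struct.pack("!HH", flags, proto)
    if with_checksum:
        # The checksum covers the whole GRE header (checksum field and
        # Reserved1 both zero while computing) plus the payload.
        csum = ones_complement_checksum(header + b"\x00\x00\x00\x00" + payload)
        header += struct.pack("!HH", csum, 0)
    return header + payload


def gre_decapsulate(packet: bytes) -> tuple:
    """Validate a GRE packet and return (protocol_type, payload).

    Raises ValueError on anything RFC 2784 says a receiver must discard.
    """
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:          # Ver (bits 13-15) must be zero
        raise ValueError("unsupported GRE version")
    if flags & 0x7C00:          # bits 1-5 (RFC 1701 K/S/s/Recur) must be zero
        raise ValueError("RFC 1701 flags present; discarding")
    offset = 4
    if flags & 0x8000:
        if len(packet) < 8:
            raise ValueError("truncated GRE checksum field")
        (csum,) = struct.unpack("!H", packet[4:6])
        # Recompute over the header with the checksum field zeroed.
        expected = ones_complement_checksum(packet[:4] + b"\x00\x00" + packet[6:])
        if expected != csum:
            raise ValueError("GRE checksum mismatch")
        offset = 8
    return proto, packet[offset:]


def build_heartbeat(card_id: str, seq: int) -> bytes:
    """Constructed heartbeat payload; the draft defines no message format."""
    return b"HB|" + card_id.encode() + b"|" + str(seq).encode()


def demo() -> dict:
    """Encapsulate a heartbeat, decapsulate it, then show what the checksum
    does and does not catch."""
    hb = build_heartbeat("vFW-1", 7)                 # assumed card name
    frame = gre_encapsulate(hb, GRE_PROTO_ETHERNET)
    proto, payload = gre_decapsulate(frame)

    # A flipped bit in flight is caught by the checksum...
    corrupted = frame[:-1] + bytes([frame[-1] ^ 0x01])
    try:
        gre_decapsulate(corrupted)
        corruption_detected = False
    except ValueError:
        corruption_detected = True

    # ...but a deliberate forgery is not: anyone on the path can build a
    # perfectly valid frame, because GRE carries no authentication at all.
    forged = gre_encapsulate(build_heartbeat("vFW-1", 8), GRE_PROTO_ETHERNET)
    forgery_accepted = gre_decapsulate(forged)[1] == build_heartbeat("vFW-1", 8)

    return {"proto": proto, "payload": payload, "header_len": len(frame) - len(hb),
            "corruption_detected": corruption_detected,
            "forgery_accepted": forgery_accepted}
```

   The decapsulation side discards packets the way RFC 2784 requires
   (non-zero version, RFC 1701 flag bits, bad checksum), which is the
   check a receiving LAN switch or virtual line card needs; whatever
   integrity or origin guarantee the registration and heartbeat
   messages need has to come from a layer above or below GRE.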


3.3.  Policy Configuration

   A set of policy templates is pre-defined, as shown in Figure 3.  By
   configuring policies, different service chains are defined and
   provided to users.  The controller is in charge of policy
   configuration.  For example, the "DATA_SEC" template in Figure 3
   means that the template is applied with either a "permit" or a
   "deny" action, and that any combination of the services listed under
   "Service-chain" can be selected.  In this way, different service
   chains are defined.

       Policy Template                   Service-chain

                                            DLP      AUTH
           DATA_SEC          Permit         AV       VLAN
                             Deny           IPS      PRI
                                            DPI      Bandwidth
                                            SIP      WAAS
                     Figure 3 Policy Template


3.4.  Heartbeat Monitoring and Service Reliability

   When a virtual line card is bound to a certain LAN switch, both the
   transmit channel and the receive channel are created automatically.
   Link availability is detected from the heartbeat messages sent
   through these two GRE channels.  As shown in Figure 4, once a
   virtual line card (e.g., the virtual FW) fails, subsequent traffic
   bypasses the failed virtual line card.  In this way the service is
   not interrupted and service reliability is improved.

                                       ^          ^
                                       |          |
                                    +--|----------|--+
                 ___________________|__|          |  |
                |                   |             |  |
        +----------+   Heartbeat    |             |  |
         |virtual FW|--------------->O vSlot       |  |
        +----------+                |  LAN Switch |  |
                | __________________|__           |  |
                      Fail          |  |          |  |
                                    +--|----------|--+
                                       |          |
                                       |          |
                                       |          |
                                 Security       Failure
                                 Detection ---->
                                 Process        Bypass
                   Figure 4 Heartbeat Monitoring Process

   Note that bypassing a failed virtual line card keeps the traffic
   flowing, but that traffic is no longer processed by the failed
   service (e.g., it is no longer inspected by the virtual FW) until a
   replacement virtual line card with the same function has been
   selected and bound, as described in Section 4.2.  The bypass window
   should therefore be kept as short as the heartbeat interval allows.

3.5.  Service Virtualization and Service Pooling

   A network device, such as a security device, can be virtualized into
   a set of virtual line cards.  A group of virtual line cards with
   various kinds of functions forms a service pool, providing distinct
   service chains for users.  These virtual line cards can be shared by
   access, integrated and core switches.

   In Figure 5, there are three blocks (Block0, Block1, Block2).  The
   service pool consists of various kinds of virtual line cards that
   can be shared among these three blocks.  GRE channels are created
   between these blocks and the service pool, and the flows among them
   are controlled through policy configuration delivered over the GRE
   channels.

                         ____________________       Service Pool
                 Block0 |                    |
                        |   +------------+   |    ( ----------- )
                        |   |    Core    |___|__(____+-----+     )
                        |   |   Switch   |\  |(      | IPS |      )
                        |   +------------+ \ |(      +-----+     )
                        |________ /\ _______\|(                  )
                                 /  \      ( \                 )
                                /    \    (   \+----+         )
                               /      \   (    | FW |        )
                              /        \   (   +----+       )
             Block1          /          \    ( _ _ _ _ _ _ )
            ________________/____    ____\__________________
           |     +------------+  |  |  +------------+       | Block2
           |     | Integrated O vSlot1 | Integrated O vSlot3|
           |     |   Switch   O vSlot2 |   Switch   O vSlot4|
           |     +------------+  |  |  +------------+       |
           |           /\        |  |        /\             |
           |          /  \       |  |       /  \            |
           |         /    \      |  |      /    \           |
           |        /      \     |  |     /      \          |
           |   +------+  +------+|  |+------+ +------+      |
           |   |Access|  |Access||  ||Access| |Access|      |
           |   |Switch|  |Switch||  ||Switch| |Switch|      |
           |   +------+  +------+|  |+------+ +------+      |
           |_____________________|  |_______________________|

           Figure 5 Service Virtualization and Service Pooling


4.  Example Procedures

4.1.  Virtual line card selection procedure

   Figure 6 presents one representative scenario of our proposal, the
   virtual line card selection procedure.  In this use case, the PM
   (Procedure Manager) plays the role of a centralized control point,
   which is responsible for updating the switch information and for
   creating bindings between a LAN switch and a line card ID.  It can
   also calculate and choose the appropriate virtual line cards for
   users according to their requirements.  Security devices such as FWs
   are replaced by virtualized line cards attached to the LAN switch.
   The virtual line cards register themselves with the PM, carrying
   their information with them, such as the virtual line card ID, the
   service type and the bandwidth capability.  The PM collects and
   maintains the virtual line cards' information and answers queries
   for the line cards that can satisfy a user's requirements.
   Virtualized line cards can be either local or remote to the LAN
   switch they are attached to.  Together they provide services as a
   service pool.  The LAN switch talks with its attached virtual line
   cards through GRE channels and monitors their state through
   heartbeat messages.

                         +------+    +----+
                         | ALTO |    | PM |
                         |Server|    +----+               Service Pool
                         +------+       ^
                            ^ ^         | 6    (~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~)
                            | |         |_____(   +----------+   +----------+   )
                            | |_____________ (    |  virtual |   |  virtual |    )
                           3|        1       (    |line card1|   |line card2|   )
                            |                 (   |    (FW)  |   |   (IPS)  |  )
                            |                  (  +----------+   +----------+ )
                            |                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       +------+         +---------+  +------+               |   ^
       | User |-------->| NMS/OSS |  | Core |               |   |
       +------+    2    |   (PU)  |  |Switch|<---------------   |
           |            +---------+  +------+        5          |
           |                            /\                      |
           |                           /  \                     |
           |                          /    \                    |
           |                         /      \                   |
           |              +------------+   +------------+       |
           |       vSlot1 O Integrated |   | Integrated O vSlot3|
           |       vSlot2 O   Switch   |   |   Switch   O vSlot4|
           |              +------------+   +------------+       |
           |____________________________________________________|
                                     4
                   Figure 6 Virtual Line Card Selection Procedure


   The basic process flow of this example procedure is as follows.

   1.  The virtual line cards (virtual FW, virtual IPS) each register
   with the PM and report their information (line card ID, service
   type, bandwidth capability).

   2.  The user sends a service request to the NMS/OSS, which can
   specify a certain tenant, location or area, as well as configure
   the policies.

   3.  The NMS/OSS queries the PM for appropriate virtual line cards
   according to the user's service request.

   4.  The policies are configured for the specified tenant.

   5.  The virtual line cards register their location with the switch
   fabric.  The virtual line cards are then attached to the switch
   fabric.

   6.  The service pool updates the switch location in the PM, and the
   switch is bound to the virtual line card ID.

4.2.  Procedure of physical slot failover using virtual line card

   Figure 7 presents another example procedure.  In many cases the
   physical line cards are insufficient, and scalability is an obvious
   bottleneck.  Also, once a physical line card breaks down, the
   service is interrupted, which may lead to a poor user experience.
   Virtualized line cards overcome these shortcomings.  The function
   and the performance of virtualized line cards are close to or even
   the same as those of physical line cards.  A group of virtual line
   cards with various functions can be assembled as a package and
   attached to certain LAN switches to provide services to certain
   users, and they can be assembled in many ways with much more
   flexibility.  Also, when a virtual line card breaks down, another
   virtual line card with the same function can replace it, and the
   service is recovered in so short a period that the user does not
   even notice.  Likewise, when a physical line card breaks down, it
   can be replaced by one or a set of virtual line cards with the same
   functions.

                                                 Service Pool

                            +------------+        ( ----------- )
                            |    Core    |______(____+-----+     )
                            |   Switch   |\   (      | IPS |      )
                            +------------+ \ (       +-----+     )
                                  /\        \                   )
                                 /  \      ( \                 )
                                /    \    (   \+----+         )
                               /      \   (    | FW |        )
                              /        \   (   +----+       )
                             /          \    ( _ _ _ _ _ _ )
                            /            \
                 +------------+        +------------+
                 | Integrated O pSlot1 | Integrated O pSlot3
                 |   Switch   O vSlot2 |   Switch   O vSlot4
                 +------------+        +------------+

              Figure 7 Procedure of pSlot Failover Using vSlot


   The basic process flow of this example procedure is as follows.

   1.  The virtual line card registers with, and thus binds to, a
   certain LAN switch.

   2.  Each virtual slot reports its breakdown and load condition to
   the switch fabric through heartbeat messages.

   3.  Once a virtual or physical line card breaks down, the PM
   recalculates and chooses a new line card that can satisfy the
   requirements of the failed one.

   4.  The newly assigned virtual or physical line card is registered
   with the switch fabric and bound to it, replacing the line card
   that broke down.
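
   The following Python, added here as an illustration and not code
   from this draft or from its authors, simulates the Procedure Manager
   role across Sections 3.3, 3.4, 4.1 and 4.2 in one run: cards
   register with ID, service type and bandwidth, a request is checked
   against the DATA_SEC template of Figure 3, one card per service is
   selected and bound, and a card whose heartbeats stop is replaced
   from the pool.  The class and field names, the least-loaded
   selection rule, the 3-second heartbeat timeout and the sample pool
   are all assumptions; the draft defines none of them.

```python
from __future__ import annotations
from dataclasses import dataclass

# Policy template from Figure 3: an action plus the services a chain may use.
POLICY_TEMPLATES = {"DATA_SEC": {
    "actions": {"permit", "deny"},
    "services": {"DLP", "AV", "IPS", "DPI", "SIP", "AUTH", "VLAN", "PRI",
                 "Bandwidth", "WAAS"}}}


@dataclass
class VirtualLineCard:
    card_id: str
    service: str          # service type reported at registration
    capacity_mbps: int    # bandwidth capability reported at registration
    remaining_mbps: int   # updated from the load carried in each heartbeat
    last_heartbeat: float


class ProcedureManager:
    """Centralized control point: registry, selection, binding, failover."""

    def __init__(self, heartbeat_timeout: float = 3.0):
        self.cards: dict[str, VirtualLineCard] = {}
        self.timeout = heartbeat_timeout     # assumed value, not from the draft
        # (switch, service) -> (card_id, required_mbps): bindings of 4.1 step 6
        self.bindings: dict[tuple[str, str], tuple[str, int]] = {}

    def register(self, card_id: str, service: str, capacity: int, now: float) -> None:
        """4.1 step 1: a card announces its ID, service type and bandwidth."""
        self.cards[card_id] = VirtualLineCard(card_id, service, capacity, capacity, now)

    def heartbeat(self, card_id: str, load_mbps: int, now: float) -> None:
        """4.2 step 2: each heartbeat carries the card's current load."""
        card = self.cards[card_id]
        card.last_heartbeat = now
        card.remaining_mbps = max(card.capacity_mbps - load_mbps, 0)

    def is_alive(self, card: VirtualLineCard, now: float) -> bool:
        return now - card.last_heartbeat <= self.timeout

    @staticmethod
    def validate_policy(template: str, action: str, chain: list[str]) -> None:
        """Reject a request that does not fit the named policy template."""
        tpl = POLICY_TEMPLATES[template]
        if action not in tpl["actions"]:
            raise ValueError(f"{template}: action {action!r} not allowed")
        if unknown := [s for s in chain if s not in tpl["services"]]:
            raise ValueError(f"{template}: services not in template: {unknown}")

    def select(self, service: str, required_mbps: int, now: float,
               exclude: frozenset[str] = frozenset()) -> VirtualLineCard | None:
        """4.1 step 3: pick a live card of the right type with enough headroom."""
        candidates = [c for c in self.cards.values()
                      if c.service == service and c.card_id not in exclude
                      and self.is_alive(c, now) and c.remaining_mbps >= required_mbps]
        # Least-loaded first (an assumed rule) so the pool is actually shared.
        return max(candidates, key=lambda c: c.remaining_mbps, default=None)

    def build_chain(self, switch: str, template: str, action: str,
                    chain: list[str], required_mbps: int, now: float) -> dict[str, str]:
        """4.1 steps 2-6: validate the request, then bind one card per service."""
        self.validate_policy(template, action, chain)
        bound: dict[str, str] = {}
        for service in chain:
            card = self.select(service, required_mbps, now)
            if card is None:
                raise RuntimeError(f"no live {service} card with {required_mbps} Mbps free")
            self.bindings[(switch, service)] = (card.card_id, required_mbps)
            bound[service] = card.card_id
        return bound

    def failover(self, now: float) -> list[tuple[str, str, str, str | None]]:
        """4.2 steps 3-4: rebind every binding whose card stopped sending heartbeats.
        The new card is None when no replacement exists, i.e. traffic is bypassing
        that service as in Section 3.4."""
        changes = []
        for (switch, service), (old_id, required) in list(self.bindings.items()):
            if self.is_alive(self.cards[old_id], now):
                continue
            new = self.select(service, required, now, exclude=frozenset({old_id}))
            if new is not None:
                self.bindings[(switch, service)] = (new.card_id, required)
            changes.append((switch, service, old_id, new.card_id if new else None))
        return changes


def demo() -> dict:
    """Selection for one request, then failover of the chosen IPS card."""
    pm = ProcedureManager(heartbeat_timeout=3.0)
    # Constructed sample pool: one AV card and two IPS cards register at t=0.
    pm.register("vAV-1", "AV", 1000, 0.0)
    pm.register("vIPS-1", "IPS", 1000, 0.0)
    pm.register("vIPS-2", "IPS", 2000, 0.0)
    pm.heartbeat("vAV-1", 100, 0.0)      # 900 Mbps free
    pm.heartbeat("vIPS-1", 200, 0.0)     # 800 Mbps free -> preferred IPS card
    pm.heartbeat("vIPS-2", 1500, 0.0)    # 500 Mbps free
    chain = pm.build_chain("IntegratedSwitch-1", "DATA_SEC", "permit",
                           ["AV", "IPS"], 400, 0.0)
    # vIPS-1 then goes silent while the other cards keep sending heartbeats.
    events = []
    for t in (1.0, 2.0, 3.0, 4.0):
        pm.heartbeat("vAV-1", 100, t)
        pm.heartbeat("vIPS-2", 1500, t)
        events.extend(pm.failover(t))     # vIPS-1 is declared dead once t > 3.0
    return {"chain": chain, "events": events,
            "ips_now": pm.bindings[("IntegratedSwitch-1", "IPS")][0]}
```

   A failover entry whose replacement is None is the bypass state of
   Section 3.4: the switch keeps forwarding, but nothing in the pool is
   inspecting that traffic, which is the condition an operator should
   alarm on rather than treat as a successful recovery.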

5.  Conclusions

   Many network procedures can benefit from service virtualization and
   service pooling, which is why we propose multi-service
   virtualization.  In this framework, the physical line cards are
   virtualized and serve together as a service pool.  According to the
   requirements, certain virtual line cards are picked and grouped
   together to provide services.  Two GRE channels are created for
   each LAN switch and virtual line card pair, which are used to
   register the virtual line card's information with the LAN switch as
   well as to configure specific policies on the virtual line card.
   Heartbeat messages sent from the virtual line card to the LAN switch
   help detect the breakdown of virtual line cards.

   Multi-service virtualization therefore benefits many procedures and
   brings a series of advantages.  First, the service pool can provide
   a service chain to the user.  Second, heartbeat monitoring between
   the LAN switch and the virtual line cards improves service
   reliability.  Third, a virtual line card can replace a failed
   physical line card in a short period, which avoids service
   interruption and improves the user's service experience.  Also, in
   some situations, performing authentication once in the service pool
   can reduce repeated identity verification.

6.  Security Considerations

   Registration messages, heartbeat messages, policy configuration and
   service traffic are all carried over the GRE channels between the
   LAN switch and the virtual line cards, and the controller/PM holds
   the registry and bindings that decide which virtual line card
   processes a user's traffic.  GRE itself provides neither
   authentication nor confidentiality.  Unless these channels are
   protected by other means (for example, by confining them to a
   dedicated management network or by carrying them inside an
   authenticated and encrypted tunnel), a forged registration could
   place an unauthorized virtual line card into a service chain, a
   forged or suppressed heartbeat could trigger the failure bypass of
   Section 3.4 so that traffic is forwarded without the intended
   inspection, and forged policy messages could change which services
   a user's traffic receives.  Deployments should therefore
   authenticate the virtual line cards and LAN switches that register
   with the controller/PM, and should treat a bypass caused by a lost
   heartbeat as a security-relevant event to be logged and alarmed.

7.  IANA Considerations

   This document makes no request of IANA.

8.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

Authors' Addresses

   Danhua Wang
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu  210012
   China

   Email: wangdanhua@huawei.com


   Qin Wu
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu  210012
   China

   Email: sunseawq@huawei.com