< draft-ietf-teas-enhanced-vpn-03.txt   draft-ietf-teas-enhanced-vpn-04.txt >
TEAS working group J. Dong
Internet-Draft Huawei
Intended status: Informational S. Bryant
Expires: July 2020 Futurewei
Z. Li
China Mobile
T. Miyasaka
KDDI Corporation
Y.Lee
Sung Kyun Kwan University
January 23, 2020
TEAS Working Group J. Dong A Framework for Enhanced Virtual Private Networks (VPN+) Services
Internet-Draft Huawei
Intended status: Informational S. Bryant
Expires: March 15, 2020 Futurewei
Z. Li
China Mobile
T. Miyasaka
KDDI Corporation
Y. Lee
Sung Kyun Kwan University
September 12, 2019
A Framework for Enhanced Virtual Private Networks (VPN+) Service draft-ietf-teas-enhanced-vpn-04
draft-ietf-teas-enhanced-vpn-03
Abstract Abstract
This document specifies a framework for using existing, modified and This document describes the framework for Enhanced Virtual Private
potential new networking technologies as components to provide an Network (VPN+) service. The purpose is to support the needs of new
Enhanced Virtual Private Network (VPN+) service. The purpose is to applications, particularly applications that are associated with 5G
support the needs of new applications, particularly applications that services, by utilizing an approach that is based on existing VPN and
are associated with 5G services, by utilizing an approach that is TE technologies and adds features that specific services require
based on existing VPN and TE technologies and adds features that over and above traditional VPNs.
specific services require over and above traditional VPNs.
Typically, VPN+ will be used to form the underpinning of network Typically, VPN+ will be used to form the underpinning of network
slicing, but could also be of use in its own right. It is not slicing, but could also be of use in its own right providing
envisaged that large numbers of VPN+ instances will be deployed in a enhanced connectivity services between customer sites.
network and, in particular, it is not intended that all VPNs
supported by a network will use VPN+ techniques. It is envisaged that enhanced VPNs will be delivered using a
combination of existing, modified, and new networking technologies.
This document provides an overview of relevant technologies and
identifies some areas for potential new work.
It is not envisaged that large numbers of VPN+ instances will be
deployed in a network and, in particular, it is not intended that
all VPNs supported by a network will use VPN+ related techniques.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six
and may be updated, replaced, or obsoleted by other documents at any months and may be updated, replaced, or obsoleted by other documents
time. It is inappropriate to use Internet-Drafts as reference at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 15, 2020. This Internet-Draft will expire on July 22, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with
to this document. Code Components extracted from this document must respect to this document. Code Components extracted from this
include Simplified BSD License text as described in Section 4.e of document must include Simplified BSD License text as described in
the Trust Legal Provisions and are provided without warranty as Section 4.e of the Trust Legal Provisions and are provided without
described in the Simplified BSD License. warranty as described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction ................................................ 3
2. Overview of the Requirements . . . . . . . . . . . . . . . . 6 2. Overview of the Requirements ................................ 6
2.1. Isolation between Virtual Networks . . . . . . . . . . . 6 2.1. Isolation between Virtual Networks ..................... 6
2.1.1. A Pragmatic Approach to Isolation . . . . . . . . . . 7 2.1.1. A Pragmatic Approach to Isolation ................. 8
2.2. Performance Guarantee . . . . . . . . . . . . . . . . . . 8 2.2. Performance Guarantee .................................. 8
2.3. Integration . . . . . . . . . . . . . . . . . . . . . . . 10 2.3. Integration ........................................... 10
2.3.1. Abstraction . . . . . . . . . . . . . . . . . . . . . 11 2.3.1. Abstraction ...................................... 11
2.4. Dynamic Management . . . . . . . . . . . . . . . . . . . 11 2.4. Dynamic Management .................................... 11
2.5. Customized Control . . . . . . . . . . . . . . . . . . . 12 2.5. Customized Control .................................... 12
2.6. Applicability . . . . . . . . . . . . . . . . . . . . . . 12 2.6. Applicability ......................................... 12
2.7. Inter-Domain and Inter-Layer Network . . . . . . . . . . 12 2.7. Inter-Domain and Inter-Layer Network .................. 12
3. Architecture of Enhanced VPN . . . . . . . . . . . . . . . . 13 3. Architecture of Enhanced VPN ............................... 13
3.1. Layered Architecture . . . . . . . . . . . . . . . . . . 15 3.1. Layered Architecture .................................. 15
3.2. Multi-Point to Multi-Point (MP2MP) . . . . . . . . . . . 16 3.2. Multi-Point to Multi-Point (MP2MP) Connectivity ....... 17
3.3. Application Specific Network Types . . . . . . . . . . . 16 3.3. Application Specific Network Types .................... 18
3.4. Scaling Considerations . . . . . . . . . . . . . . . . . 16 3.4. Scaling Considerations ................................ 18
4. Candidate Technologies . . . . . . . . . . . . . . . . . . . 17 4. Candidate Technologies ..................................... 19
4.1. Layer-Two Data Plane . . . . . . . . . . . . . . . . . . 17 4.1. Layer-Two Data Plane .................................. 19
4.1.1. FlexE . . . . . . . . . . . . . . . . . . . . . . . . 18 4.1.1. Flexible Ethernet ................................ 19
4.1.2. Dedicated Queues . . . . . . . . . . . . . . . . . . 18 4.1.2. Dedicated Queues ................................. 20
4.1.3. Time Sensitive Networking . . . . . . . . . . . . . . 19 4.1.3. Time Sensitive Networking ........................ 20
4.2. Layer-Three Data Plane . . . . . . . . . . . . . . . . . 19
4.2.1. Deterministic Networking . . . . . . . . . . . . . . 19
4.2.2. MPLS Traffic Engineering (MPLS-TE) . . . . . . . . . 20
4.2.3. Segment Routing . . . . . . . . . . . . . . . . . . . 20
4.3. Non-Packet Data Plane . . . . . . . . . . . . . . . . . . 21
4.4. Control Plane . . . . . . . . . . . . . . . . . . . . . . 21
4.5. Management Plane . . . . . . . . . . . . . . . . . . . . 22
4.6. Applicability of Service Data Models to Enhanced VPN . . 23
4.6.1. Enhanced VPN Delivery in ACTN Architecture . . . . . 24
4.6.2. Enhanced VPN Features with Service Data Models . . . 25
4.6.3. 5G Transport Service Delivery via Coordinated Data
Modules . . . . . . . . . . . . . . . . . . . . . . . 28
5. Scalability Considerations . . . . . . . . . . . . . . . . . 30
5.1. Maximum Stack Depth of SR . . . . . . . . . . . . . . . . 31
5.2. RSVP Scalability . . . . . . . . . . . . . . . . . . . . 31
5.3. SDN Scaling . . . . . . . . . . . . . . . . . . . . . . . 31
6. OAM Considerations . . . . . . . . . . . . . . . . . . . . . 31
7. Telemetry Considerations . . . . . . . . . . . . . . . . . . 32
8. Enhanced Resiliency . . . . . . . . . . . . . . . . . . . . . 32
9. Operational Considerations . . . . . . . . . . . . . . . . . 33
10. Security Considerations . . . . . . . . . . . . . . . . . . . 33
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34
12. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 34
13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 35
14. References . . . . . . . . . . . . . . . . . . . . . . . . . 35
14.1. Normative References . . . . . . . . . . . . . . . . . . 35
14.2. Informative References . . . . . . . . . . . . . . . . . 36
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41
1. Introduction 4.2. Layer-Three Data Plane ................................ 21
4.2.1. Deterministic Networking ......................... 21
4.2.2. MPLS Traffic Engineering (MPLS-TE) ............... 21
4.2.3. Segment Routing .................................. 21
4.3. Non-Packet Data Plane ................................. 22
4.4. Control Plane ......................................... 22
4.5. Management Plane ...................................... 23
4.6. Applicability of Service Data Models to Enhanced VPN .. 23
4.6.1. Enhanced VPN Delivery in the ACTN Architecture ... 24
4.6.2. Enhanced VPN Features with Service Data Models ... 25
4.6.3. 5G Transport Service Delivery via Coordinated Data
Modules ................................................. 27
5. Scalability Considerations ................................. 29
5.1. Maximum Stack Depth of SR ............................. 30
5.2. RSVP Scalability ...................................... 30
5.3. SDN Scaling ........................................... 30
6. OAM Considerations ......................................... 30
7. Telemetry Considerations ................................... 31
8. Enhanced Resiliency ........................................ 31
9. Operational Considerations ................................. 33
10. Security Considerations ................................... 33
11. IANA Considerations........................................ 33
12. Contributors .............................................. 34
13. Acknowledgments ........................................... 34
14. References ................................................ 34
14.1. Normative References ................................. 34
14.2. Informative References ............................... 36
Authors' Addresses ............................................ 40
1. Introduction
Virtual private networks (VPNs) have served the industry well as a Virtual private networks (VPNs) have served the industry well as a
means of providing different groups of users with logically isolated means of providing different groups of users with logically isolated
access to a common network. The common or base network that is used connectivity over a common network. The common or base network that
to provide the VPNs is often referred to as the underlay, and the VPN is used to provide the VPNs is often referred to as the underlay,
is often called an overlay. and the VPN is often called an overlay.
Customers of a network operator may request enhanced overlay services Customers of a network operator may request a connectivity services
with advanced characteristics such as complete isolation from other with advanced characteristics such as complete isolation from other
services so that changes in one service (such as changes in network services so that changes in some other service (such as changes in
load, or events such as congestion or outages) have no effect on the network load, or events such as congestion or outages) have no
throughput or latency of other services provided to the customer. effect on the throughput or latency of the services provided to the
customer. These services are "enhanced VPNs" (known as VPN+) in that
they are similar to VPN services as they provide the customer with
required connectivity, but have enhanced characteristics.
Driven largely by needs surfacing from 5G, the concept of network Driven largely by needs surfacing from 5G, the concept of network
slicing has gained traction [NGMN-NS-Concept] [TS23501] [TS28530] slicing has gained traction [NGMN-NS-Concept] [TS23501] [TS28530]
[BBF-SD406]. In [TS23501], Network Slice is defined as "a logical [BBF-SD406]. According to [TS28530], a 5G end-to-end network slice
network that provides specific network capabilities and network consists of three major types network segments: Radio Access Network
characteristics", and Network Slice Instance is defined as "A set of (RAN), Transport Network (TN) and Mobile Core Network (CN). The
Network Function instances and the required resources (e.g. compute, transport network provides the required connectivity between
storage and networking resources) which form a deployed Network different entities in RAN and CN segments of an end-to-end network
Slice". According to [TS28530], an end-to-end network slice consists slice, with specific performance commitment. VPN+ could be used to
of three major network segments: Radio Access Network (RAN), form the underpinning of network slicing, but could also be of use
Transport Network (TN) and Core Network (CN). Transport network in general cases providing enhanced connectivity services between
provides the required connectivity within and between RAN and CN customer sites.
parts, with specific performance commitment. For each end-to-end
network slice, the topology and performance requirement on transport
network can be very different, which requires transport network to
have the capability of supporting multiple different transport
network slices.
A transport network slice is a virtual (logical) network with a A transport network slice is a virtual (logical) network with a
particular network topology and a set of shared or dedicated network particular network topology and a set of shared or dedicated network
resources, which are used to provide the network slice consumer with resources, which are used to provide the network slice consumer with
the required connectivity, appropriate isolation and specific Service the required connectivity, appropriate isolation and specific
Level Agreement (SLA). A transport network slice could span multiple Service Level Agreement (SLA) or Service Level Objective (SLO).
technology (IP, Optical) and multiple administrative domains.
Depends on the consumer's requirement, a transport network slice
could be isolated from other, often concurrent transport network
slices in terms of data plane, control plane and management plane.
In the following sections of this document, network slice refers to A transport network slice could span multiple technologies (such as
transport network slice, and is interchangable with enhanced VPN. IP or Optical) and multiple administrative domains. Depending on the
End-to-end network slice is used to refer to the 5G network slice. consumer's requirement, a transport network slice could be isolated
from other, often concurrent transport network slices in terms of
data plane, control plane, and management plane resources.
Network abstraction is a technique that can be applied to a network In this document the term "network slice" refers to a transport
domain to select network resources by policy to obtain a view of network slice, and is considered as one typical use case of enhanced
potential connectivity and a set of service functions. VPN.
Network slicing builds on the concept of resource management, network Network slicing builds on the concept of resource management,
virtualization and abstraction to provide performance assurance, network virtualization, and abstraction to provide performance
flexibility, programmability and modularity. It may use techniques assurance, flexibility, programmability and modularity. It may use
such as Software Defined Networking (SDN) [RFC7149] and Network techniques such as Software Defined Networking (SDN) [RFC7149],
Function Virtualization (NFV) [RFC8172][RFC8568] to create multiple network abstraction [RFC7926] and Network Function Virtualization
logical (virtual) networks, each tailored for a set of services or a (NFV) [RFC8172] [RFC8568] to create multiple logical (virtual)
particular tenant or a group of tenants that share the same set of networks, each tailored for a set of services or a particular tenant
requirements, on top of a common network. How the network slices are or a group of tenants that share the same or similar set of
engineered can be deployment-specific. requirements, on top of a common network. How the network slices
are engineered can be deployment-specific.
Thus, there is a need to create virtual networks with enhanced Thus, there is a need to create virtual networks with enhanced
characteristics. The tenant of such a virtual network can require a characteristics to support enhanced VPN services. The tenant of
degree of isolation and performance that previously could not be such a virtual network can require a degree of isolation and
satisfied by traditional overlay VPNs. Additionally, the tenant may performance that previously could not be satisfied by traditional
ask for some level of control to their virtual networks, e.g., to overlay VPNs. Additionally, the tenant may ask for some level of
customize the service paths in a network slice. control to their virtual networks, e.g., to customize the service
paths in a network slice.
These enhanced properties cannot be met with pure overlay networks, These enhanced properties cannot be met by simple overlay networks,
as they require tighter coordination and integration between the as they require tighter coordination and integration between the
underlay and the overlay network. This document introduces a new underlay and the overlay network. This document introduces the
network service called Enhanced VPN: VPN+. VPN+ is built from a Enhanced VPN (otherwise known as VPN+). VPN+ is built from a virtual
virtual network which has a customized network topology and a set of network which has a customized network topology and a set of
dedicated or shared network resources, including invoked service dedicated or shared network resources, optionally including invoked
functions, allocated from the underlay network. Unlike a traditional service functions, allocated from the underlay network. Unlike a
VPN, an enhanced VPN can achieve greater isolation with strict traditional VPN, an enhanced VPN can achieve greater isolation with
performance guarantees. These new properties, which have general strict performance guarantees. These new properties, which have
applicability, may also be of interest as part of a network slicing general applicability, may also be of interest as part of a network
solution, but it is not envisaged that VPN+ techniques will be slicing solution, but it is not envisaged that VPN+ services will
applied to normal VPN services that can continue to be deployed using replace traditional VPN services that can continue to be deployed
pre-existing mechanisms. Furthermore, it is not intended that large using pre-existing mechanisms. Furthermore, it is not intended that
numbers of VPN+ instances will be deployed within a single network. large numbers of VPN+ instances will be deployed within a single
See Section 5 for a discussion of scalability considerations. network. See Section 5 for a discussion of scalability
considerations.
This document specifies a framework for using existing, modified and This document specifies a framework for using existing, modified,
potential new technologies as components to provide a VPN+ service. and potential new technologies as components to provide a VPN+
Specifically we are concerned with: service. Specifically we are concerned with:
o The design of the enhanced data plane. o The design of the enhanced data plane.
o The necessary protocols in both the underlay and the overlay of o The necessary protocols in both the underlay and the overlay
the enhanced VPN. of the enhanced VPN.
o The mechanisms to achieve integration between overlay and o The mechanisms to achieve integration between overlay and
underlay. underlay.
o The necessary Operation, Administration, and Management (OAM) o The necessary Operation, Administration, and Management (OAM)
methods to instrument an enhanced VPN to make sure that the methods to instrument an enhanced VPN to make sure that the required
required Service Level Agreement (SLA) is met, and to take any Service Level Agreement (SLA) is met, and to take any corrective
corrective action to avoid SLA violation, such as switching to an action to avoid SLA violation, such as switching to an alternate
alternate path. path.
The required layered network structure to achieve this is shown in The required layered network structure to achieve this is shown in
Section 3.1. Section 3.1.
Note that, in this document, the four terms "VPN", "Enhanced VPN" (or Note that, in this document, the four terms "VPN", "Enhanced VPN"
"VPN+"), "Virtual Network (VN)", and "Network Slice" may be (or "VPN+"), "Virtual Network (VN)", and "Network Slice" may be
considered as describing similar concepts dependent on the viewpoint considered as describing similar concepts dependent on the viewpoint
from which they are used. from which they are used.
o An enhanced VPN can be considered as a form of VPN, but with o An enhanced VPN can be considered as an evolution of VPN, but
additional service-specific commitments. Thus, care must be taken with additional service-specific commitments. Thus, care must be
with the term "VPN" to distinguish normal or legacy VPNs from VPN+ taken with the term "VPN" to distinguish normal or legacy VPNs from
instances. VPN+ instances.
o A Virtual Network is a type of service that connects customer edge o A Virtual Network (VN) is a type of service that connects
points with the additional possibility of requesting further customer edge points with the additional possibility of requesting
service characteristics in the manner of an enhanced VPN. further service characteristics in the manner of an enhanced VPN.
o An enhanced VPN or VN is made by creating a slice through the o An enhanced VPN or VN is made by creating a slice through the
resources of the underlay network. resources of the underlay network.
o The general concept of network slicing in a TE network is a larger o The general concept of network slicing in a TE network
problem space than is addressed by VPN+ or VN, but those concepts provides tools to address some aspects or realizations of enhanced
are tools to address some aspects or realizations of network VPN.
slicing.
2. Overview of the Requirements 2. Overview of the Requirements
In this section we provide an overview of the requirements of an In this section we provide an overview of the requirements of an
enhanced VPN. enhanced VPN service.
2.1. Isolation between Virtual Networks 2.1. Isolation between Virtual Networks
One element of the SLA demanded for an enhanced VPN is the degree of One element of the SLA demanded for an enhanced VPN is a guarantee
isolation from other services in the network. Isolation is a feature that the service offered to the customer will not be perturbed by
requested by some particular customers in the network. Such a any other traffic flows in the network. One way for a service
feature is offered by a network operator where the traffic from one provider to guarantee the customer's SLA is by controlling the
service instance is isolated from the traffic of other services. degree of isolation from other services in the network. Isolation
There are different grades of isolation that range from simple is a feature that can be requested by customers. There are
separation of traffic on delivery (ensuring that traffic is not different grades of how isolation may be enabled by a network
delivered to the wrong customer) all the way to complete separation operator and that may result in different levels of service
within the underlay so that the traffic from different services use perceived by the customer. These range from simple separation of
service traffic on delivery (ensuring that traffic is not delivered
to the wrong customer), all the way to complete separation within
the underlay so that the traffic from different services use
distinct network resources. distinct network resources.
The terms hard and soft isolation are introduced to identify The terms hard and soft isolation are used to identify different
different isolation cases. A VPN has soft isolation if the traffic levels of isolation. A VPN has soft isolation if the traffic of one
of one VPN cannot be received by the customers of another VPN. Both VPN cannot be received by the customers of another VPN. Both IP and
IP and MPLS VPNs are examples of soft isolated VPNs because the MPLS VPNs are examples of VPNs with soft isolation: the network
network delivers the traffic only to the required VPN endpoints. delivers the traffic only to the required VPN endpoints. However,
However, with soft isolation, traffic from one or more VPNs and with soft isolation, traffic from VPNs and regular non-VPN traffic
regular non-VPN traffic may congest the network resulting in packet may congest the network resulting in packet loss and delay for other
loss and delay for other VPNs operating normally. The ability for a VPNs operating normally. The ability for a VPN service or a group
VPN or a group of VPNs to be sheltered from this effect is called of VPN services to be sheltered from this effect is called hard
hard isolation, and this property is required by some critical isolation, and this property is required by some applications. Hard
applications.
The requirement is for an operator to offer its customers a choice of
different degrees of isolation ranging from soft isolation up to hard
isolation so that the traffic of tenants/applications using one
enhanced VPN can be separated from the traffic of tenants/
applications using another enhanced VPN appropriately. Hard
isolation is needed so that applications with exacting requirements isolation is needed so that applications with exacting requirements
can function correctly, despite other demands (perhaps a burst of can function correctly, despite other demands (perhaps a burst of
traffic in another VPN) competing for the underlying resources. In traffic in another VPN) competing for the underlying resources. In
practice isolation may be offered as a spectrum between soft and practice isolation may be offered as a spectrum between soft and
hard, and in some cases soft and hard isolation may be used in a hard, and in some cases soft and hard isolation may be used in a
hierarchical manner. hierarchical manner. An operator may offer its customers a choice
of different degrees of isolation ranging from soft isolation up to
hard isolation.
An example of the requirement for hard isolation is a network An example of the requirement for hard isolation is a network
supporting both emergency services and public broadband multi-media supporting both emergency services and public broadband multi-media
services. During a major incident the VPNs supporting these services services. During a major incident the VPNs supporting these
would both be expected to experience high data volumes, and it is services would both be expected to experience high data volumes, and
important that both make progress in the transmission of their data. it is important that both make progress in the transmission of their
data. In these circumstances the VPN services would require an
In these circumstances the VPNs would require an appropriate degree appropriate degree of isolation to be able to continue to operate
of isolation to be able to continue to operate acceptably. acceptably. On the other hand, VPNs servicing ordinary bulk data
may expect to contest for network resources and queue packets so
that traffic is delivered within SLAs, but with some potential
delays and interference.
In order to provide the required isolation, resources may have to be In order to provide the required level of isolation, resources may
reserved in the data plane of the underlay network and dedicated to have to be reserved in the data plane of the underlay network and
traffic from a specific VPN or a specific group of VPNs to form dedicated to traffic from a specific VPN or a specific group of VPNs
different network slices in the underlay network. This may introduce to form different enhanced VPNs in the network. This may introduce
scalability concerns, thus some trade-off needs to be considered to scalability concerns, thus some trade-off needs to be considered to
provide the required isolation between network slices while still provide the required isolation between some enhanced VPNs while
allowing reasonable sharing inside each network slice. still allowing reasonable sharing.
An optical layer can offer a high degree of isolation, at the cost of An optical layer can offer a high degree of isolation, at the cost
allocating resources on a long term and end-to-end basis. Such an of allocating resources on a long term and end-to-end basis. On the
arrangement means that the full cost of the resources must be borne other hand, where adequate isolation can be achieved at the packet
by the service that is allocated with the resources. On the other layer, this permits the resources to be shared amongst a group of
hand, where adequate isolation can be achieved at the packet layer, services and only dedicated to a service on a temporary basis.
this permits the resources to be shared amongst many services and
only dedicated to a service on a temporary basis. This in turn,
allows greater statistical multiplexing of network resources and thus
amortizes the cost over many services, leading to better economy.
However, the different degrees of isolation required by network
slicing cannot be entirely met with existing mechanisms such as
Traffic Engineered Label Switched Paths (TE-LSPs). This is because
most implementations enforce the bandwidth in the data-plane only at
the PEs, but at the P routers the bandwidth is only reserved in the
control plane, thus bursts of data can accidentally occur at a P
router with higher than committed data rate.
There are several new technologies that provide some assistance with There are several new technologies that provide some assistance with
these data plane issues. Firstly there is the IEEE project on Time these data plane issues. Firstly there is the IEEE project on Time
Sensitive Networking [TSN] which introduces the concept of packet Sensitive Networking [TSN] which introduces the concept of packet
scheduling of delay and loss sensitive packets. Then there is scheduling of delay and loss sensitive packets. Then there is
[FLEXE] which provides the ability to multiplex multiple channels [FLEXE] which provides the ability to multiplex multiple channels
over one or more Ethernet links in a way that provides hard over one or more Ethernet links in a way that provides hard
isolation. Finally there are advanced queueing approaches which isolation. Finally there are advanced queueing approaches which
allow the construction of virtual sub-interfaces, each of which is allow the construction of virtual sub-interfaces, each of which is
provided with dedicated resource in a shared physical interface. provided with dedicated resource in a shared physical interface.
These approaches are described in more detail later in this document. These approaches are described in more detail later in this document.
In the remainder of this section we explore how isolation may be Section 2.1.1 explores pragmatic approaches to isolation in packet
achieved in packet networks. networks.
2.1.1. A Pragmatic Approach to Isolation
A key question is whether it is possible to achieve hard isolation in 2.1.1. A Pragmatic Approach to Isolation
packet networks, which were never designed to support hard isolation.
On the contrary, they were designed to provide statistical
multiplexing, a significant economic advantage when compared to a
dedicated, or a Time Division Multiplexing (TDM) network. However
there is no need to provide any harder isolation than is required by
the application. Pseudowires [RFC3985] emulate services that would
have had hard isolation in their native form. An approximation to
this requirement is sufficient in most cases.
Thus, for example, using FlexE or a virtual sub-interface together A key question is whether it is possible to achieve hard isolation
with packet scheduling as the isolation mechanism of interface in packet networks that were never designed to support hard
resources, optionally along with the partitioning of node resources, isolation. On the contrary, they were designed to provide
a type of hard isolation can be provided that is adequate for many statistical multiplexing, a significant economic advantage when
enhanced VPN applications. Other applications may be either compared to a dedicated, or a Time Division Multiplexing (TDM)
satisfied with a classical VPN with or without reserved bandwidth, or network. However, there is no need to provide any harder isolation
may need a dedicated point to point underlay connection. The needs than is required by the applications. An approximation to this
of each application must be quantified in order to provide an requirement is sufficient in most cases. Pseudowires [RFC3985]
economic solution that satisfies those needs without over- emulate services that would have had hard isolation in their native
engineering. form.
This spectrum of isolation is shown in Figure 1: This spectrum of isolation is shown in Figure 1:
O=================================================O O=================================================O
| \---------------v---------------/ | \---------------v---------------/
Statistical Pragmatic Absolute Statistical Pragmatic Absolute
Multiplexing Isolation Isolation Multiplexing Isolation Isolation
(Traditional VPNs) (Enhanced VPN) (Dedicated Network) (Traditional VPNs) (Enhanced VPN) (Dedicated Network)
Figure 1: The Spectrum of Isolation Figure 1 The Spectrum of Isolation
At one end of the above figure, we have traditional statistical Figure 1 shows the spectrum of isolation that may be delivered by a
network. At one end of the figure, we have traditional statistical
multiplexing technologies that support VPNs. This is a service type multiplexing technologies that support VPNs. This is a service type
that has served the industry well and will continue to do so. At the that has served the industry well and will continue to do so. At
opposite end of the spectrum, we have the absolute isolation provided the opposite end of the spectrum, we have the absolute isolation
by dedicated transport networks. The goal of enhanced VPN is provided by dedicated transport networks. The goal of enhanced VPNs
pragmatic isolation. This is isolation that is better than is is "pragmatic isolation". This is isolation that is better than is
obtainable from pure statistical multiplexing, more cost effective obtainable from pure statistical multiplexing, more cost effective
and flexible than a dedicated network, but which is a practical and flexible than a dedicated network, but which is a practical
solution that is good enough for the majority of applications. solution that is good enough for the majority of applications.
Mechanisms for both soft isolation and hard isolation would be needed Mechanisms for both soft isolation and hard isolation would be
to meet different levels of service requirement. needed to meet different levels of service requirement.
2.2. Performance Guarantee 2.2. Performance Guarantee
There are several kinds of performance guarantees, including There are several kinds of performance guarantee, including
guaranteed maximum packet loss, guaranteed maximum delay and guaranteed maximum packet loss, guaranteed maximum delay, and
guaranteed delay variation. Note that these guarantees apply to the guaranteed delay variation. Note that these guarantees apply to
conformance traffic, the out-of-profile traffic will be handled conformance traffic, out-of-profile traffic will be handled
following other requirements. according to other requirements.
Guaranteed maximum packet loss is a common parameter, and is usually Guaranteed maximum packet loss is a common parameter, and is usually
addressed by setting the packet priorities, queue size and discard addressed by setting packet priorities, queue size, and discard
policy. However this becomes more difficult when the requirement is policy. However this becomes more difficult when the requirement is
combined with the latency requirement. The limiting case is zero combined with latency requirements. The limiting case is zero
congestion loss, and that is the goal of the Deterministic Networking congestion loss, and that is the goal of the Deterministic
work that the IETF [DETNET] and IEEE [TSN] are pursuing. In modern Networking work that the IETF [DETNET] and IEEE [TSN] are pursuing.
optical networks, loss due to transmission errors already approaches In modern optical networks, loss due to transmission errors already
zero, but there are the possibilities of failure of the interface or approaches zero, but there are the possibilities of failure of the
the fiber itself. This can only be addressed by some form of signal interface or the fiber itself. This can only be addressed by some
duplication and transmission over diverse paths. form of signal duplication and transmission over diverse paths.
Guaranteed maximum latency is required in a number of applications Guaranteed maximum latency is required in a number of applications
particularly real-time control applications and some types of virtual particularly real-time control applications and some types of
reality applications. The work of the IETF Deterministic Networking virtual reality applications. The work of the IETF Deterministic
(DetNet) Working Group [DETNET] is relevant; however the scope needs Networking (DetNet) Working Group [DETNET] is relevant; however
to be extended to methods of enhancing the underlay to better support additional methods of enhancing the underlay to better support the
the delay guarantee, and to integrate these enhancements with the delay guarantees may be needed, and these methods will need to be
overall service provision. integrated with the overall service provisioning mechanisms.
Guaranteed maximum delay variation is a service that may also be Guaranteed maximum delay variation is a service that may also be
needed. [RFC8578] calls up a number of cases where this is needed, needed. [RFC8578] calls up a number of cases where this is needed,
for example electrical utilities have an operational need for this. for example in electrical utilities. Time transfer is one example of
Time transfer is one example of a service that needs this, although a service that needs this, although it is in the nature of time that
it is in the nature of time that the service might be delivered by the service might be delivered by the underlay as a shared service
the underlay as a shared service and not provided through different and not provided through different virtual networks. Alternatively
virtual networks. Alternatively a dedicated virtual network may be a dedicated virtual network may be used to provide this as a shared
used to provide this as a shared service. service.
This suggests that a spectrum of service guarantee be considered when This suggests that a spectrum of service guarantee be considered
deploying an enhanced VPN. As a guide to understanding the design when deploying an enhanced VPN. As a guide to understanding the
requirements we can consider four types: design requirements we can consider four types:
o Best effort o Best effort
o Assured bandwidth o Assured bandwidth
o Guaranteed latency o Guaranteed latency
o Enhanced delivery o Enhanced delivery
Best effort service is the basic service that current VPNs can Best effort service is the basic service that current VPNs provide.
provide.
An assured bandwidth service is one in which the bandwidth over some An assured bandwidth service is one in which the bandwidth over some
period of time is assured, this can be achieved either simply based period of time is assured. This can be achieved either simply based
on best effort with over-capacity provisioning, or it can be based on on best effort with over-capacity provisioning, or it can be based
TE-LSPs with bandwidth reservation. The instantaneous bandwidth is on TE-LSPs with bandwidth reservation. The instantaneous bandwidth
however, not necessarily assured, depending on the technique used. is however, not necessarily assured, depending on the technique used.
Providing assured bandwidth to VPNs, for example by using per-VPN
TE-LSPs, is not widely deployed at least partially due to
scalability concerns.
Providing assured bandwidth to VPNs, for example by using TE-LSPs, is
not widely deployed at least partially due to scalability concerns.
Guaranteed latency and enhanced delivery are not yet integrated with Guaranteed latency and enhanced delivery are not yet integrated with
VPNs. VPNs. A guaranteed latency service has a latency upper bound
provided by the network. Assuring the upper bound is sometimes more
A guaranteed latency service has a latency upper bound provided by important than minimizing latency.
the network. Assuring the upper bound is more important than
achieving the minimum latency.
In Section 2.1 we considered the work of the IEEE Time Sensitive
Networking (TSN) project [TSN] and the work of the IETF DetNet
Working group [DETNET] in the context of isolation. The TSN and
DetNet work is of greater relevance in assuring end-to-end packet
latency. It is also of importance in considering enhanced delivery.
An enhanced delivery service is one in which the underlay network (at
layer 3) attempts to deliver the packet through multiple paths in the
hope of eliminating packet loss due to equipment or media failures.
It is these last two characteristics that an enhanced VPN adds to a There are several new technologies that provide some assistance with
VPN service. performance guarantee. Firstly there is the IEEE project on Time
Sensitive Networking [TSN] which introduces the concept of packet
scheduling of delay and loss sensitive packets. Then the DetNet work
is also of greater relevance in assuring upper bound of end-to-end
packet latency. Flex Ethernet [FLEXE] is also useful to provide
these guarantees.
Flex Ethernet [FLEXE] is a useful underlay to provide these An enhanced delivery service is one in which the underlay network
guarantees. This is a method of providing time-slot based (at Layer 3) attempts to deliver the packet through multiple paths
channelization over an Ethernet bearer. Such channels are fully in the hope of eliminating packet loss due to equipment or media
isolated from other channels running over the same Ethernet bearer. failures.
As noted elsewhere this produces hard isolation but makes the
reclamation of unused bandwidth more difficult.
These approaches can be used in tandem. It is possible to use FlexE It is these last two characteristics (guaranteed upper bound to
to provide tenant isolation, and then to use the TSN/Detnet approach latency and elimination of packet loss) that an enhanced VPN adds to
to provide a performance guarantee inside the a slice or tenant VPN. a VPN service.
2.3. Integration 2.3. Integration
The only way to achieve the enhanced characteristics provided by an The only way to achieve the enhanced characteristics provided by an
enhanced VPN (such as guaranteed or predicted performance) is by enhanced VPN (such as guaranteed or predicted performance) is by
integrating the overlay VPN with a particular set of network integrating the overlay VPN with a particular set of network
resources in the underlay network. This needs be done in a flexible resources in the underlay network which are allocated to meet the
and scalable way so that it can be widely deployed in operator service requirement. This needs be done in a flexible and scalable
networks to support a reasonable number of enhanced VPN customers. way so that it can be widely deployed in operator networks to
support a reasonable number of enhanced VPN customers.
Taking mobile networks and in particular 5G into consideration, the Taking mobile networks and in particular 5G into consideration, the
integration of network and the service functions is a likely integration of network and the service functions is a likely
requirement. The work in IETF SFC working group [SFC] provides a requirement. The work in IETF SFC working group [SFC] provides a
foundation for this integration. foundation for this integration.
2.3.1. Abstraction 2.3.1. Abstraction
Integration of the overlay VPN and the underlay network resources Integration of the overlay VPN and the underlay network resources
does not need to be a tight mapping. As described in [RFC7926], does not need to be a tight mapping. As described in [RFC7926],
abstraction is the process of applying policy to a set of information abstraction is the process of applying policy to a set of
about a TE network to produce selective information that represents information about a TE network to produce selective information that
the potential ability to connect across the network. The process of represents the potential ability to connect across the network. The
abstraction presents the connectivity graph in a way that is process of abstraction presents the connectivity graph in a way that
independent of the underlying network technologies, capabilities, and is independent of the underlying network technologies, capabilities,
topology so that the graph can be used to plan and deliver network and topology so that the graph can be used to plan and deliver
services in a uniform way. network services in a uniform way.
Virtual networks can be built on top of an abstracted topology that Virtual networks can be built on top of an abstracted topology that
represents the connectivity capabilities of the underlay network as represents the connectivity capabilities of the underlay network as
described in the framework for Abstraction and Control of TE Networks described in the framework for Abstraction and Control of TE
(ACTN) described in [RFC8453] as discussed further in Section 4.5. Networks (ACTN) described in [RFC8453] as discussed further in
Section 4.5.
2.4. Dynamic Management 2.4. Dynamic Management
Enhanced VPNs need to be created, modified, and removed from the Enhanced VPNs need to be created, modified, and removed from the
network according to service demand. An enhanced VPN that requires network according to service demand. An enhanced VPN that requires
hard isolation must not be disrupted by the instantiation or hard isolation (section 2.1) must not be disrupted by the
modification of another enhanced VPN. Determining whether instantiation or modification of another enhanced VPN. Determining
modification of an enhanced VPN can be disruptive to that VPN, and in whether modification of an enhanced VPN can be disruptive to that
particular whether the traffic in flight will be disrupted can be a VPN, and in particular whether the traffic in flight will be
difficult problem. disrupted can be a difficult problem.
The data plane aspects of this problem are discussed further in The data plane aspects of this problem are discussed further in
Section 4. Sections 4.1, 4.2, and 4.3.
The control plane aspects of this problem are discussed further in The control plane aspects of this problem are discussed further in
Section 4.4. Section 4.4.
The management plane aspects of this problem are discussed further in The management plane aspects of this problem are discussed further
Section 4.5 in Section 4.5
Dynamic changes both to the VPN and to the underlay transport network Dynamic changes both to the VPN and to the underlay transport
need to be managed to avoid disruption to services that are sensitive network need to be managed to avoid disruption to services that are
to the change of network performance? sensitive to the change of network performance.
In addition to non-disruptively managing the network as a result of In addition to non-disruptively managing the network as a result of
gross change such as the inclusion of a new VPN endpoint or a change gross change such as the inclusion of a new VPN endpoint or a change
to a link, VPN traffic might need to be moved as a result of traffic to a link, VPN traffic might need to be moved as a result of traffic
volume changes. volume changes.
2.5. Customized Control 2.5. Customized Control
In some cases it is desirable that an enhanced VPN has a customized In some cases it is desirable that an enhanced VPN has a customized
control plane, so that the tenant of the enhanced VPN can have some control plane, so that the tenant of the enhanced VPN can have some
control to the resources and functions allocated to this enhanced control of how the resources and functions allocated to this
VPN. For example, the tenant may be able to specify the service enhanced VPN are used. For example, the tenant may be able to
paths in his own enhanced VPN. Depending on the requirement, an specify the service paths in his own enhanced VPN. Depending on the
enhanced VPN may have its own dedicated controller, or it may be requirement, an enhanced VPN may have its own dedicated controller,
provided with an interface to a control system which is shared with a which may be provided with an interface to the control system
set of other tenants, or it may be provided with an interface to the provided by the network operator. Note that such control is within
control system provided by the network operator. the scope of the tenant's enhanced VPN, any change beyond that would
require some intervention of the operator.
Further detail on this requirement will be provided in a future
version of the draft.
A description of the control plane aspects of this problem are A description of the control plane aspects of this problem are
discussed further in Section 4.4. A description of the management discussed further in Section 4.4. A description of the management
plane aspects of this feature can be found in Section 4.5. plane aspects of this feature can be found in Section 4.5.
2.6. Applicability 2.6. Applicability
The technologies described in this document should be applicable to a The technologies described in this document should be applicable to
number types of VPN services such as: a number of types of VPN services such as:
o Layer 2 point to point services such as pseudowires [RFC3985] o Layer 2 point-to-point services such as pseudowires [RFC3985]
o Layer 2 VPNs [RFC4664] o Layer 2 VPNs [RFC4664]
o Ethernet VPNs [RFC7209] o Ethernet VPNs [RFC7209]
o Layer 3 VPNs [RFC4364], [RFC2764] o Layer 3 VPNs [RFC4364], [RFC2764]
Where such VPN types need enhanced isolation and delivery Where such VPN types need enhanced isolation and delivery
characteristics, the technology described here can be used to provide characteristics, the technologies described in section 4 can be used
an underlay with the required enhanced performance. to provide an underlay with the required enhanced performance.
2.7. Inter-Domain and Inter-Layer Network 2.7. Inter-Domain and Inter-Layer Network
In some scenarios, an enhanced VPN services may span multiple network In some scenarios, an enhanced VPN services may span multiple
domains. A domain is considered to be any collection of network network domains. A domain is considered to be any collection of
elements within a common realm of address space or path computation network elements within a common realm of address space or path
responsibility[RFC5151]. And in some domains the operator may own a computation responsibility [RFC5151]. In some domains the operator
multi-layered network, for example, a packet network over an optical may manage a multi-layered network, for example, a packet network
network. When enhanced VPNs are provisioned in such network over an optical network. When enhanced VPNs are provisioned in such
scenarios, the technologies used in different network plane (data network scenarios, the technologies used in different network planes
plane, control plane and management plane) need to provide necessary (data plane, control plane, and management plane) need to provide
mechanisms to support multi-domain and multi-layer coordination and mechanisms to support multi-domain and multi-layer coordination and
integration, so as to provide the required service characteristics integration, so as to provide the required service characteristics
for different enhanced VPNs, and improve network efficiency and for different enhanced VPNs, and improve network efficiency and
operational simplicity. operational simplicity.
3. Architecture of Enhanced VPN 3. Architecture of Enhanced VPN
A number of enhanced VPN services will typically be provided by a A number of enhanced VPN services will typically be provided by a
common network infrastructure. Each enhanced VPN consists of both common network infrastructure. Each enhanced VPN consists of both
the overlay and a specific set of dedicated network resources and the overlay and a specific set of network resources and functions
functions allocated in the underlay to satisfy the needs of the VPN allocated in the underlay to satisfy the needs of the VPN tenant.
tenant. The integration between overlay and various underlay The integration between overlay and various underlay resources
resources ensures the isolation between different enhanced VPNs, and ensures the required isolation between different enhanced VPNs, and
achieves the guaranteed performance for different services. achieves the guaranteed performance for different services.
An enhanced VPN needs to be designed with consideration given to: An enhanced VPN needs to be designed with consideration given to:
o A enhanced data plane o An enhanced data plane
o A control plane to create enhanced VPN, making use of the data o A control plane to create enhanced VPNs, making use of the
plane isolation and guarantee techniques data plane isolation and performance guarantee techniques
o A management plane for enhanced VPN service life-cycle management o A management plane for enhanced VPN service life-cycle
management.
These required characteristics are expanded below: These required characteristics are expanded below:
o Enhanced data plane o Enhanced data plane
* Provides the required resource isolation capability, e.g. * Provides the required resource isolation capability, e.g.
bandwidth guarantee. bandwidth guarantee.
* Provides the required packet latency and jitter * Provides the required packet latency and jitter
characteristics. characteristics.
* Provides the required packet loss characteristics. * Provides the required packet loss characteristics.
* Provides the mechanism to identify network slice and the * Provides the mechanism to associate a packet with the set
associated resources. of resources allocated to the enhanced VPN which the packet belongs.
o Control plane o Control plane
* Collect the underlying network topology and resources available * Collect information about the underlying network topology
and export this to other nodes and/or the centralized and resources available and export this to nodes in the network
controller as required. and/or the centralized controller as required.
* Create the required virtual networks with the resource and * Create the required virtual networks with the resource and
properties needed by the enhanced VPN services that are properties needed by the enhanced VPN services that are assigned to
assigned to it. them.
* Determine the risk of SLA violation and take appropriate * Determine the risk of SLA violation and take appropriate
avoiding action. avoiding action.
* Determine the right balance of per-packet and per-node state * Determine the right balance of per-packet and per-node
according to the needs of enhanced VPN service to scale to the state according to the needs of enhanced VPN service to scale to the
required size. required size.
o Management plane o Management plane
* Provides an interface between the enhanced VPN provider (e.g. * Provides an interface between the enhanced VPN provider
the Transport Network (TN) Manager) and the enhanced VPN (e.g., the Transport Network Manager) and the enhanced VPN clients
clients (e.g. the 3GPP Management System) such that some of the (e.g., the 3GPP Management System) such that some of the operation
operation requests can be met without interfering with the requests can be met without interfering with the enhanced VPN of
enhanced VPN of other clients. other clients.
* Provides an interface between the enhanced VPN provider and the * Provides an interface between the enhanced VPN provider and
enhanced VPN clients to expose transport network capability the enhanced VPN clients to expose transport network capability
information toward the enhanced VPN client. information toward the enhanced VPN client.
* Provides the service life-cycle management and operation of * Provides the service life-cycle management and operation of
enhanced VPN (e.g. creation, modification, assurance/monitoring enhanced VPN (e.g. creation, modification, assurance/monitoring and
and decommissioning). decommissioning).
OAM o Operations, Administration, and Maintenance (OAM)
* Provides the OAM tools to verify the connectivity and * Provides the OAM tools to verify the connectivity and
performance of the enhanced VPN. performance of the enhanced VPN.
* Provide the OAM tools to verify whether the underlay network * Provide the OAM tools to verify whether the underlay
resources are correctly allocated and operated properly. network resources are correctly allocated and operated properly.
o Telemetry o Telemetry
* Provides the mechanism to collect the data plane, control plane * Provides the mechanism to collect data plane, control plane,
and management plane data of the network, more specifically: and management plane information about the network. More
specifically:
* + Provides the mechanism to collect network data from the
underlay network for overall performance evaluation and the enhanced
VPN service planning.
+ Provides the mechanism to collect network data of the + Provides the mechanism to collect network data about
underlay network for overall performance evaluation and the each enhanced VPN for monitoring and analytics of the
enhanced VPN service planning. characteristics and SLA fulfilment of enhanced VPN services.
+ Provides the mechanism to collect network data of each 3.1. Layered Architecture
enhanced VPN for the monitoring and analytics of the
characteristics and SLA fulfilment of enhanced VPN services.
3.1. Layered Architecture The layered architecture of an enhanced VPN is shown in Figure 2.
The layered architecture of enhanced VPN is shown in Figure 2. Underpinning everything is the physical network infrastructure layer
which provide the underlying resources used to provision the
separated virtual networks. This includes the partitioning of link
and/or node resources. Each subset of link or node resource can be
considered as a virtual link or virtual node used to build the
virtual networks.
+-------------------+ } A
| Network Controller| } Centralized | |
+-------------------+ } Control +-------------------+ Centralized
. . . . . | Network Controller| Control& Management
. . . . . +-------------------+
. N----N----N . } ||
. / / . } \/
N-----N-----N----N-----N } __________________________
N----N } / o----o----o /
/ / \ } Virtual / / / / Virtual
N-----N----N----N-----N } Networks / o-----o-----o----o----o / Network-1
N----N } /_________________________/
/ / } __________________________
N-----N-----N----N-----N } / o----o /
/ / / \ / Virtual
/ o-----o----o----o-----o / Network-2
/_________________________/
...... ...
___________________________
/ o----o /
/ / / / Virtual
/ o-----o----o----o-----o / Network-N
/__________________________/
+----+ ===== +----+ ===== +----+ ===== +----+ } ++++ ++++ ++++
+----+ ===== +----+ ===== +----+ ===== +----+ } Physical +--+===+--+===+--+
+----+ ===== +----+ ===== +----+ ===== +----+ } Network +--+===+--+===+--+
+----+ +----+ +----+ +----+ } ++++ +++-\ ++++ Physical
N L N L N L N || || \\ ||
|| || \\ || Network
++++ ++++ ++++ \\+++ ++++
+--+===+--+===+--+===+--+===+--+ Infrastructure
+--+===+--+===+--+===+--+===+--+
++++ ++++ ++++ ++++ ++++
N = Partitioned node O Virtual Node
L = Partitioned link
+----+ = Partition within a node -- Virtual Link
+----+
====== = Partition within a link ++++
+--+ Physical Node with resource partition
+--+
++++
== Physical Link with resource partition
Figure 2: The Layered Architecture Figure 2 The Layered Architecture
Underpinning everything is the physical network infrastructure layer Various components and techniques discussed in Section 4 can be used
consisting of partitioned links and nodes which provide the to enable resource partition, such as FlexE, Time Sensitive
underlying resources used to provision the separated virtual Networking, Deterministic Networking, Dedicated queues, etc. These
networks. Various components and techniques as discussed in partitions may be physical, or virtual so long as the SLA required
Section 4 can be used to provide the resource partition, such as by the higher layers is met.
FlexE, Time Sensitive Networking, Deterministic Networking, etc.
These partitions may be physical, or virtual so long as the SLA
required by the higher layers is met.
These techniques can be used to provision the virtual networks with Based on the network resources provided by the physical network
the dedicated resources that they need. To get the required infrastructure, multiple virtual networks can be provisioned, each
functionality there needs to be integration between these overlays with customized topology and other attributes to meet the
and the underlay providing the physical resources. requirement of different enhanced VPNs or different groups of
enhanced VPNs. To get the required characteristic, each virtual
network needs to be mapped to a set of network nodes and links in
the network infrastructure. And on each node or link, the virtual
network is mapped to a set of resources which are allocated for the
service processing of the virtual network. Such mapping provides the
integration between the virtual networks and the required underlying
network resources.
The centralized controller is used to create the virtual networks, to The centralized controller is used to create the virtual networks,
allocate the resources to each virtual network and to provision the to instruct the network nodes to allocate the required resources to
enhanced VPN services within the virtual networks. A distributed each virtual network and to provision the enhanced VPN services
control plane may also be used for the distribution of the topology within the virtual networks. A distributed control plane may also
and attribute information of the virtual networks. be used for the distribution of the topology and attribute
information between nodes within the virtual networks.
The creation and allocation process needs to take a holistic view of The process used to create virtual networks and to allocate physical
the needs of all of its tenants, and to partition the resources resources for use by virtual networks needs to take a holistic view
accordingly. However within a virtual network these resources can, of the needs of all of its tenants (i.e., of all customers and their
if required, be managed via a dynamic control plane. This provides virtual networks), and to partition the resources accordingly.
the required scalability and isolation. However, within a virtual network these resources can, if required,
be managed via a dynamic control plane. This provides the required
scalability and isolation.
3.2. Multi-Point to Multi-Point (MP2MP) 3.2. Multi-Point to Multi-Point (MP2MP) Connectivity
At the VPN service level, the connectivity is usually mesh or At the VPN service level, the required connectivity is usually mesh
partial-mesh. To support such kinds of VPN service, the or partial-mesh. To support such kinds of VPN service, the
corresponding underlay is also an abstract MP2MP medium. However corresponding underlay is also an abstract MP2MP medium. Other
when service guarantees are provided, the point-to-point path through service requirements may be expressed at different granularity, some
the underlay of the enhanced VPN needs to be specifically engineered of which can be applicable to the whole service, while some others
to meet the required performance guarantees. may be only applicable to some pairs of end points. For example,
when performance guarantee is required, the point-to-point path
through the underlay of the enhanced VPN may need to be specifically
engineered to meet the required performance guarantee.
3.3. Application Specific Network Types 3.3. Application Specific Network Types
Although a lot of the traffic that will be carried over the enhanced Although a lot of the traffic that will be carried over the enhanced
VPN will likely be IPv4 or IPv6, the design has to be capable of VPN will likely be IPv4 or IPv6, the design has to be capable of
carrying other traffic types, in particular Ethernet traffic. This carrying other traffic types, in particular Ethernet traffic. This
is easily accomplished through the various pseudowire (PW) techniques is easily accomplished through the various pseudowire (PW)
[RFC3985]. Where the underlay is MPLS, Ethernet can be carried over techniques [RFC3985]. Where the underlay is MPLS, Ethernet can be
the enhanced VPN encapsulated according to the method specified in carried over the enhanced VPN encapsulated according to the method
[RFC4448]. Where the underlay is IP, Layer Two Tunneling Protocol - specified in [RFC4448]. Where the underlay is IP, Layer Two
Version 3 (L2TPv3) [RFC3931] can be used with Ethernet traffic Tunneling Protocol - Version 3 (L2TPv3) [RFC3931] can be used with
carried according to [RFC4719]. Encapsulations have been defined for Ethernet traffic carried according to [RFC4719]. Encapsulations
most of the common layer-2 types for both PW over MPLS and for have been defined for most of the common Layer 2 types for both PW
L2TPv3. over MPLS and for L2TPv3.
3.4. Scaling Considerations 3.4. Scaling Considerations
VPNs are instantiated as overlays on top of an operator's network and VPNs are instantiated as overlays on top of an operator's network
offered as services to the operator's customers. An important and offered as services to the operator's customers. An important
feature of overlays is that they are able to deliver services without feature of overlays is that they are able to deliver services
placing per-service state in the core of the underlay network. without placing per-service state in the core of the underlay
network.
Enhanced VPNs may need to install some additional state within the Enhanced VPNs may need to install some additional state within the
network to achieve the additional features that they require. network to achieve the additional features that they require.
Solutions must consider minimising and controlling the scale of such Solutions must consider minimizing and controlling the scale of such
state, and deployment architectures should constrain the number of state, and deployment architectures should constrain the number of
enhanced VPNs that would exist where such services would place enhanced VPNs that would exist where such services would place
additional state in the network. It is expected that the number of additional state in the network. It is expected that the number of
enhanced VPN would be a small number in the beginning, and even in enhanced VPN would be small in the beginning, and even in future the
future the number of enhanced VPN will be much less than traditional number of enhanced VPN will be much fewer than traditional VPNs,
VPNs, because pre-existing VPN techniques would be good enough to because pre-existing VPN techniques are be good enough to meet the
meet the needs of most existing VPN-type services. needs of most existing VPN-type services.
In general, it is not required that the state in the network be In general, it is not required that the state in the network be
maintained in a 1:1 relationship with the VPN+ instances. It will maintained in a 1:1 relationship with the VPN+ instances. It will
usually be possible to aggregate a set of VPN+ services so that they usually be possible to aggregate a set of VPN+ services so that they
share the same virtual network and the same set of network resources share the same virtual network and the same set of network resources
(much in the way that current VPNs are aggregated over transport (much in the way that current VPNs are aggregated over transport
tunnels) so that collections of enhanced VPNs that require the same tunnels) so that collections of enhanced VPNs that require the same
behaviour from the network in terms of resource reservation, latency behaviour from the network in terms of resource reservation, latency
bounds, resiliency, etc. are able to be grouped together. This is an bounds, resiliency, etc. are able to be grouped together. This is
important feature to assist with the scaling characteristics of VPN+ an important feature to assist with the scaling characteristics of
deployments. VPN+ deployments.
See Section 5 for a greater discussion of scalability considerations. See Section 5 for a further discussion of scalability considerations.
4. Candidate Technologies 4. Candidate Technologies
A VPN is a network created by applying a multiplexing technique to A VPN is a network created by applying a demultiplexing technique to
the underlying network (the underlay) in order to distinguish the the underlying network (the underlay) in order to distinguish the
traffic of one VPN from that of another. A VPN path that travels by traffic of one VPN from that of another. A VPN path that travels by
other than the shortest path through the underlay normally requires other than the shortest path through the underlay normally requires
state in the underlay to specify that path. State is normally state in the underlay to specify that path. State is normally
applied to the underlay through the use of the RSVP Signaling applied to the underlay through the use of the RSVP signaling
protocol, or directly through the use of an SDN controller, although protocol, or directly through the use of an SDN controller, although
other techniques may emerge as this problem is studied. This state other techniques may emerge as this problem is studied. This state
gets harder to manage as the number of VPN paths increases. gets harder to manage as the number of VPN paths increases.
Furthermore, as we increase the coupling between the underlay and the Furthermore, as we increase the coupling between the underlay and
overlay to support the enhanced VPN service, this state will increase the overlay to support the enhanced VPN service, this state will
further. increase further.
In an enhanced VPN different subsets of the underlay resources can be In an enhanced VPN different subsets of the underlay resources can
dedicated to different enhanced VPNs or different groups of enhanced be dedicated to different enhanced VPNs or different groups of
VPNs. An enhanced VPN solution thus needs tighter coupling with enhanced VPNs. An enhanced VPN solution thus needs tighter coupling
underlay than is the case with existing VPNs. We cannot, for with underlay than is the case with existing VPNs. We cannot, for
example, share the network resource between enhanced VPNs which example, share the network resource between enhanced VPNs which
require hard isolation. require hard isolation.
4.1. Layer-Two Data Plane 4.1. Layer-Two Data Plane
A number of candidate Layer-2 packet or frame-based data plane A number of candidate Layer 2 packet or frame-based data plane
solutions which can be used provide the required isolation and solutions which can be used provide the required isolation and
guarantee are described in following sections. guarantees are described in following sections.
o FlexE
o Time Sensitive Networking
o Dedicated Queues 4.1.1. Flexible Ethernet
4.1.1. FlexE FlexE [FLEXE] provides the ability to multiplex channels over an
Ethernet link to create point-to-point fixed-bandwidth connections
in a way that provides hard isolation. FlexE also supports bonding
links to create larger links out of multiple low capacity links.
FlexE [FLEXE] is a method of creating a point-to-point Ethernet with However, FlexE is only a link level technology. When packets are
a specific fixed bandwidth. FlexE provides the ability to multiplex received by the downstream node, they need to be processed in a way
multiple channels over an Ethernet link in a way that provides hard that preserves that isolation in the downstream node. This in turn
isolation. FlexE also supports the bonding of multiple links, which requires a queuing and forwarding implementation that preserves the
can be used to create larger links out of multiple low capacity links end-to-end isolation.
in a more efficient way that traditional link aggregation. FlexE
also supports the sub-rating of links, which allows an operator to
only use a portion of a link. However it is a only a link level
technology. When packets are received by the downstream node, they
need to be processed in a way that preserves that isolation in the
downstream node. This in turn requires a queuing and forwarding
implementation that preserves the end-to-end isolation.
If different FlexE channels are used for different services, then no If different FlexE channels are used for different services, then no
sharing is possible between the FlexE channels. This in turn means sharing is possible between the FlexE channels. This means that it
that it may be difficult to dynamically redistribute unused bandwidth may be difficult to dynamically redistribute unused bandwidth to
to lower priority services. This may increase the cost of providing lower priority services in another FlexE channel. If one FlexE
services on the network. On the other hand, FlexE can be used to channel is used by one tenant, the tenant can use some methods to
provide hard isolation between different tenants on a shared manage the relative priority of his own traffic in the FlexE channel.
interface. The tenant can then use other methods to manage the
relative priority of their own traffic in each FlexE channel.
Methods of dynamically re-sizing FlexE channels and the implication 4.1.2. Dedicated Queues
for enhanced VPN are for further study.
4.1.2. Dedicated Queues DiffServ based queuing systems are described in [RFC2475] and
[RFC4594]. This is considered insufficient to provide isolation for
enhanced VPNs because DiffServ does not always provide enough
markers to differentiate between traffic of many enhanced VPNs, or
offer the range of service classes that each VPN needs to provide to
its tenants. This problem is particularly acute with an MPLS
underlay, because MPLS only provides eight Traffic Classes.
In order to provide multiple isolated virtual networks for enhanced In addition, DiffServ, as currently implemented, mainly provides
VPN, the conventional DiffServ based queuing system [RFC2475] per-hop priority-based scheduling, and it is difficult to use it to
[RFC4594] is considered insufficient, as DiffServ does not always achieve quantitive resource reservation.
provide enough queues to differentiate between traffic of different
enhanced VPNs, or the range of service classes that each need to
provide to their tenants. This problem is particularly acute with an
MPLS underlay, because MPLS only provides 8 Traffic Classes (TC), and
it's highly likely that there will be more than eight enhanced VPN
instances supported by a network. In addition, DiffServ, as
currently implemented, mainly provides relative priority-based
scheduling, and is difficult to achieve quantitive resource
reservation. In order to address this problem and reduce the
interference between enhanced VPNs, it is necessary to steer traffic
of enhanced VPNs to dedicated input and output queues. Some routers
have large amount of queues and sophisticated queuing systems, which
could be used or enhanced to provide the granularity and level of
isolation required by the applications of enhanced VPN. For example,
on one physical interface, the queuing system can provide a set of
virtual sub-interfaces, each allocated with dedicated queueing and
buffer resources. Sophisticated queuing systems of this type may be
used to provide end-to-end virtual isolation between traffic of
different enhanced VPNs.
4.1.3. Time Sensitive Networking In order to address these problems and to reduce the potential
interference between enhanced VPNs, it would be necessary to steer
traffic to dedicated input and output queues per enhanced VPN: some
routers have a large number of queues and sophisticated queuing
systems, which could support this, while some routers may struggle
to provide the granularity and level of isolation required by the
applications of enhanced VPN.
4.1.3. Time Sensitive Networking
Time Sensitive Networking (TSN) [TSN] is an IEEE project that is Time Sensitive Networking (TSN) [TSN] is an IEEE project that is
designing a method of carrying time sensitive information over designing a method of carrying time sensitive information over
Ethernet. It introduces the concept of packet scheduling where a Ethernet. It introduces the concept of packet scheduling where a
high priority packet stream may be given a scheduled time slot packet stream may be given a time slot guaranteeing that it
thereby guaranteeing that it experiences no queuing delay and hence a experiences no queuing delay or increase in latency. The mechanisms
reduced latency. However, when no scheduled packet arrives, its defined in TSN can be used to meet the requirements of time
reserved time-slot is handed over to best effort traffic, thereby sensitive services of an enhanced VPN.
improving the economics of the network. The mechanisms defined in
TSN can be used to meet the requirements of time sensitive services
of an enhanced VPN.
Ethernet can be emulated over a Layer 3 network using a pseudowire. Ethernet can be emulated over a Layer 3 network using an IP or MPLS
However the TSN payload would be opaque to the underlay and thus not pseudowire. However, a TSN Ethernet payload would be opaque to the
treated specifically as time sensitive data. The preferred method of underlay and thus not treated specifically as time sensitive data.
carrying TSN over a layer 3 network is through the use of The preferred method of carrying TSN over a Layer 3 network is
deterministic networking as explained in the following section of through the use of deterministic networking as explained in Section
this document. 4.2.1.
4.2. Layer-Three Data Plane 4.2. Layer-Three Data Plane
We now consider the problem of slice differentiation and resource We now consider the problem of slice differentiation and resource
representation in the network layer. The candidate technologies are: representation in the network layer.
o Deterministic Networking
o MPLS-TE
o Segment Routing
4.2.1. Deterministic Networking
Deterministic Networking (DetNet) [I-D.ietf-detnet-architecture] is a
technique being developed in the IETF to enhance the ability of
layer-3 networks to deliver packets more reliably and with greater
control over the delay. The design cannot use re-transmission
techniques such as TCP since that can exceed the delay tolerated by
the applications. Even the delay improvements that are achieved with
Stream Control Transmission Protocol Partial Reliability Extenstion
(SCTP-PR) [RFC3758] do not meet the bounds set by application
demands. DetNet pre-emptively sends copies of the packet over
various paths to minimize the chance of all copies of a packet being
lost, and trims duplicate packets to prevent excessive flooding of
the network and to prevent multiple packets being delivered to the
destination. It also seeks to set an upper bound on latency. The
goal is not to minimize latency; the optimum upper bound paths may
not be the minimum latency paths.
DetNet is based on flows. It currently does not specify the use of 4.2.1. Deterministic Networking
underlay topology other than the base topology. To be of use for
enhanced VPN, DetNet needs to be integrated with different virtual
topologies of enhanced VPNs.
The detailed design that allows the use DetNet in a multi-tenant Deterministic Networking (DetNet) [RFC8655] is a technique being
network, and how to improve the scalability of DetNet in a multi- developed in the IETF to enhance the ability of Layer 3 networks to
tenant network are topics for further study. deliver packets more reliably and with greater control over the
delay. The design cannot use re-transmission techniques such as TCP
since that can exceed the delay tolerated by the applications. Even
the delay improvements that are achieved with Stream Control
Transmission Protocol Partial Reliability Extension (SCTP-PR)
[RFC3758] do not meet the bounds set by application demands. DetNet
pre-emptively sends copies of the packet over various paths to
minimize the chance of all copies of a packet being lost. It also
seeks to set an upper bound on latency, but the goal is not to
minimize latency.
4.2.2. MPLS Traffic Engineering (MPLS-TE) 4.2.2. MPLS Traffic Engineering (MPLS-TE)
MPLS-TE introduces the concept of reserving end-to-end bandwidth for MPLS-TE [RFC2702] [RFC3209] introduces the concept of reserving end-
a TE-LSP, which can be used as the underlay of VPNs. It also to-end bandwidth for a TE-LSP, which can be used as connectivity
introduces the concept of non-shortest path routing through the use across the underlay network to support VPNs. VPN traffic can be
of the Explicit Route Object [RFC3209]. VPN traffic can be run over carried over dedicated TE-LSPs to provide reserved bandwidth for
dedicated TE-LSPs to provide reserved bandwidth for each specific each specific connection in a VPN, and VPNs with similar behavior
connection in a VPN. Some network operators have concerns about the requirements may be multiplexed onto the same TE-LSPs. Some network
scalability and management overhead of RSVP-TE system, and this has operators have concerns about the scalability and management
lead them to consider other solutions for their networks. overhead of MPLS-TE system, and this has lead them to consider other
solutions for their networks.
4.2.3. Segment Routing 4.2.3. Segment Routing
Segment Routing [RFC8402] is a method that prepends instructions to Segment Routing (SR) [RFC8402] is a method that prepends
packets at the head-end node and optionally at various points as it instructions to packets at the head-end of a path. These
passes though the network. These instructions allow the packets to instructions are used to specify the nodes and links to be traversed
be routed on paths other than the shortest path for various traffic and allow the packets to be routed on paths other than the shortest
engineering reasons. With SR, a path needs to be dynamically created path. By encoding the state in the packet, per-path state is
through a set of segments by simply specifying the Segment
Identifiers (SIDs), i.e. instructions rooted at a particular point in
the network. By encoding the state in the packet, per-path state is
transitioned out of the network. transitioned out of the network.
With current segment routing, the instructions are used to specify An SR traffic engineered path operates with a granularity of a link
the nodes and links to be traversed. An SR traffic engineered path with hints about priority provided through the use of the traffic
operates with a granularity of a link with hints about priority class (TC) or Differentiated Services Code Point (DSCP) field in the
provided through the use of the traffic class (TC) or Differentiated header. However to achieve the latency and isolation
Services Code Point (DSCP) field in the header. However to achieve characteristics that are sought by the enhanced VPN users, steering
the latency and isolation characteristics that are sought by the packets through specific queues and resources will likely be
enhanced VPN users, steering packets through specific queues and required. With SR, it is possible to introduce such fine-grained
resources will likely be required. With SR, it is possible to packet steering by specifying the queues and resources through an SR
introduce such fine-grained packet steering by specifying the queues instruction list.
and resources through an SR instruction list.
Note that the concept of a queue is a useful abstraction for many Note that the concept of queue is a useful abstraction for different
types of underlay mechanism that may be used to provide enhanced types of underlay mechanism that may be used to provide enhanced
isolation and latency support. How the queue satisfies the isolation and latency support. How the queue satisfies the
requirement is implementation specific and is transparent to the requirement is implementation specific and is transparent to the
layer-3 data plane and control plane mechanisms used. layer-3 data plane and control plane mechanisms used.
Both SR-MPLS and SRv6 are candidate data plane technologies for 4.3. Non-Packet Data Plane
enhanced VPN. In some cases they can further be used for DetNet to
meet the packet loss, delay and jitter requirement of particular
service. How to provide the DetNet enhanced delivery in an SRv6
environment is specified in [I-D.geng-spring-srv6-for-detnet].
4.3. Non-Packet Data Plane
Non-packet underlay data plane technologies often have TE properties Non-packet underlay data plane technologies often have TE properties
and behaviors, and meet many of the key requirements in particular and behaviors, and meet many of the key requirements in particular
for bandwidth guarantees, traffic isolation (with physical isolation for bandwidth guarantees, traffic isolation (with physical isolation
often being an integral part of the technology), highly predictable often being an integral part of the technology), highly predictable
latency and jitter characteristics, measurable loss characteristics, latency and jitter characteristics, measurable loss characteristics,
and ease of identification of flows (and hence slices). and ease of identification of flows. The cost is the resources are
allocated on a long term and end-to-end basis. Such an arrangement
The control and management planes for non-packet data plane means that the full cost of the resources has be borne by the
technologies have most in common with MPLS-TE (Section 4.2.2) and service that is allocated with the resources.
offer the same set of advanced features [RFC3945]. Furthermore,
management techniques such as ACTN ([RFC8453] and Section 4.6 can be
used to aid in the reporting of underlying network topologies, and
the creation of virtual networks with the resource and properties
needed by the enhanced VPN services.
4.4. Control Plane 4.4. Control Plane
Enhanced VPN would likely be based on a hybrid control mechanism, Enhanced VPN would likely be based on a hybrid control mechanism,
which takes advantage of the logically centralized controller for on- which takes advantage of the logically centralized controller for
demand provisioning and global optimization, whilst still relies on on-demand provisioning and global optimization, whilst still relying
distributed control plane to provide scalability, high reliability, on a distributed control plane to provide scalability, high
fast reaction, automatic failure recovery etc. Extension and reliability, fast reaction, automatic failure recovery, etc.
optimization to the distributed control plane is needed to support Extension to and optimization of the distributed control plane is
the enhanced properties of VPN+. needed to support the enhanced properties of VPN+.
RSVP-TE provides the signaling mechanism of establishing a TE-LSP RSVP-TE [RFC3209] provides the signaling mechanism for establishing
with end-to-end resource reservation. It can be used to bind the VPN a TE-LSP in an MPLS network with end-to-end resource reservation.
to specific network resource allocated within the underlay, but there It could be used to bind the VPN to specific network resources
are the above mentioned scalability concerns. allocated within the underlay, but there remain scalability concerns
mentioned in Section 4.2.2.
SR does not have the capability of signaling the resource reservation The control plane of SR [RFC8665] [RFC8667] [I-D.ietf-idr-bgp-ls-
along the path, nor do its currently specified distributed link state segment-routing-ext] does not have the capability of signaling
routing protocols. On the other hand, the SR approach provides a way resource reservations along the path. On the other hand, the SR
of efficiently binding the network underlay and the enhanced VPN approach provides a potential way of binding the underlay network
overlay, as it reduces the amount of state to be maintained in the resource and the enhanced VPN service without requiring per-path
network. An SR-based approach with per-slice resource reservation state to be maintained in the network. A centralized controller can
can easily create dedicated SR network slices, and the VPN services perform resource planning and reservation for enhanced VPNs, while
can be bound to a particular SR network slice. A centralized it needs to ensure that resources are correctly allocated in network
controller can perform resource planning and reservation from the nodes for the enhanced VPN service.
controller's point of view, but this does not ensure resource
reservation is actually done in the network nodes. Thus, if a
distributed control plane is needed, either in place of an SDN
controller or as an assistant to it, the design of the control system
needs to ensure that resources are uniquely allocated in the network
nodes for the correct services, and not allocated to other services
causing unintended resource conflict.
In addition, in multi-domain and multi-layer networks, the 4.5. Management Plane
centralized and distributed control mechanisms will be used for
inter-domain coordination and inter-layer optimization, so that the
diverse and customized enhanced VPN service requirement could be met.
The detailed mechanisms will be described in a future version.
4.5. Management Plane The management plane provides the interface between the enhanced VPN
provider and the clients for the service life-cycle management (e.g.
creation, modification, assurance/monitoring and decommissioning).
It relies on a set of service data models for the description of the
information and operations needed on the interface.
In the context of 5G end-to-end network slicing, the management of In the context of 5G end-to-end network slicing [TS28530], the
enhanced VPN is considered as the management of transport network management of enhanced VPNs is considered as the management of the
part of the end-to-end network slice. 3GPP management system may transport network part of the end-to-end network slice. 3GPP
provide the topology and QoS parameters as requirement to the management system may provide the connectivity and performance
management plane of transport network. It may also require the related parameters as requirements to the management plane of the
transport network to expose the capability and status of the transport network. It may also require the transport network to
transport network slice. Thus an interface between enhanced VPN expose the capability and status of the transport network slice.
management plane and 3GPP network slice management system and Thus, an interface between the enhanced VPN management plane and the
relevant service data models are needed for the coordination of end- 3GPP network slice management system, and relevant service data
to-end network slice management. models are needed for the coordination of end-to-end network slice
management.
The management plane interface and data models for enhanced VPN can The management plane interface and data models for enhanced VPN can
be based on the service models such as: be based on the service models described in Section 4.6.
o VPN service models defined in [RFC8299] and [RFC8466]
o Possible augmentations and extensions
(e.g.,[I-D.ietf-teas-te-service-mapping-yang]) to VPN service
models
o ACTN related service models such as [I-D.ietf-teas-actn-vn-yang]
and [I-D.ietf-teas-actn-pm-telemetry-autonomics].
o VPN network model as defined in [I-D.aguado-opsawg-l3sm-l3nm].
o TE Tunnel model as defined in [I-D.ietf-teas-yang-te].
These data models can be applicable in the provisioning of enhanced
VPN service. The details are described in Section 4.6.
4.6. Applicability of Service Data Models to Enhanced VPN 4.6. Applicability of Service Data Models to Enhanced VPN
ACTN supports operators in viewing and controlling different domains ACTN supports operators in viewing and controlling different domains
and presenting virtualized networks to their customers. The ACTN and presenting virtualized networks to their customers. The ACTN
framework [RFC8453] highlights how: framework [RFC8453] highlights how:
o Abstraction of the underlying network resources are provided to o Abstraction of the underlying network resources is provided to
higher-layer applications and customers. higher-layer applications and customers.
o Virtualization of underlying resources, whose selection criterion
is the allocation of those resources for the customer,
application, or service.
o Creation of a virtualized environment allowing operators to view o Underlying resources are virtualized allocating those resources
and control multi-domain networks as a single virtualized network. for the customer, application, or service.
o The presentation to customers of networks as a virtual network via o A virtualized environment is created allowing operators to view
open and programmable interfaces. and control multi-domain networks as a single virtualized network.
The infrastructure managed through the Service Data models comprises o Networks can be presented to customers as a virtual network via
traffic engineered network resources (e.g. bandwidth, time slot, open and programmable interfaces.
wavelength) and VPN service related resources (e.g. Route Target
(RT) and Route Distinguisher (RD)).
The type of network virtualization enabled by ACTN managed The type of network virtualization enabled by ACTN managed
infrastructure provides customers and applications (tenants) with the infrastructure provides customers and applications (tenants) with
capability to utilize and independently control allocated virtual the capability to utilize and independently control allocated
network resources as if they were physically their own resources. virtual network resources as if they were physically their own
resources. Service Data models are used to represent, monitor, and
The Customer VPN model (e.g. L3SM) or an ACTN Virtual Network (VN) manage the virtual networks and services enabled by ACTN. The
model is a customer view of the ACTN managed infrastructure, and is Customer VPN model (e.g. L3SM [RFC8299]) or an ACTN Virtual Network
presented by the ACTN provider as a set of abstracted services or (VN) [I-D.ietf-teas-actn-vn-yang] model is a customer view of the
ACTN managed infrastructure, and is presented by the ACTN provider
as a set of abstracted services or resources. The L3VPN network
model [I-D.ietf-opsawg-l3sm-l3nm] and the TE tunnel model [I-D.ietf-
teas-yang-te] provide a network view of the ACTN managed
infrastructure presented by the ACTN provider as a set of transport
resources. resources.
L3VPN network model or TE tunnel model is a network view of the ACTN 4.6.1. Enhanced VPN Delivery in the ACTN Architecture
managed infrastructure, and is presented by the ACTN provider as a
set of transport resources.
Depending on the agreement between customer and provider, various
VPN/VN operations and VPN/VN views are possible.
o Virtual Network Creation: A VPN/VN could be pre-configured and
created via static or dynamic request and negotiation between
customer and provider. It must meet the specified SLA attributes
which satisfy the customer's objectives.
o Virtual Network Operations: The virtual network may be further
modified and deleted based on customer request to request changes
in the network resources reserved for the customer, and used to
construct the network slice. The customer can further act upon
the virtual network to manage traffic flow across the virtual
network.
o Virtual Network View: The VPN/VN topology from a customer point of
view. These may be a variety of tunnels, or an entire VN
topology, or an VPN service topology. Such connections may
comprise of customer end points, access links, intra-domain paths,
and inter-domain links.
Dynamic VPN/VN Operations allow a customer to modify or delete the
VPN/VN. The customer can further act upon the virtual network to
create/modify/delete virtual links and nodes or VPN sites. These
changes will result in subsequent tunnel management or VPN service
management in the operator's networks.
4.6.1. Enhanced VPN Delivery in ACTN Architecture
ACTN provides VPN connections or VN connections between multiple
sites as requested via a VPN requestor enabled by the Customer
Network Controller (CNC). The CNC is managed by the customer
themselves, and interacts with the network provider's Multi-Domain
Service Controller (MDSC). The Provisioning Network Controllers
(PNC) are responible for network resource management, thus the PNCs
are remain entirely under the management of the network provider and
are not visible to the customer.
The benefits of this model include:
o Provision of edge-to-edge VPN multi-access connectivity.
o Management is mostly performed by the network provider, with some ACTN provides VPN connections between multiple sites as requested
flexibility delegated to the customer-managed CNC. via the Customer Network Controller (CNC). The CNC is managed by
the customer themselves, and interacts with the network provider's
Multi-Domain Service Controller (MDSC). The Provisioning Network
Controllers (PNC) are responsible for network resource management,
thus the PNCs are remain entirely under the management of the
network provider and are not visible to the customer so that
management is mostly performed by the network provider, with some
flexibility delegated to the customer-managed CNC.
Figure 3 presents a more general representation of how multiple Figure 3 presents a more general representation of how multiple
enhanced VPNs may be created from the resources of multiple physical enhanced VPNs may be created from the resources of multiple physical
networks using the CNC, MDSC, and PNC components of the ACTN networks using the CNC, MDSC, and PNC components of the ACTN
architecture. Each enhanced VPN is controlled by its own CNC. The architecture. Each enhanced VPN is controlled by its own CNC. The
CNCs send requests to the provider's MDSC. The provider manages two CNCs send requests to the provider's MDSC. The provider manages two
different physical networks each under the control of PNC. The MDSC different physical networks each under the control of PNC. The MDSC
asks the PNCs to allocate and provision resources to achieve the asks the PNCs to allocate and provision resources to achieve the
enhanced VPNs. In this figure, one enhanced VPN is constructed enhanced VPNs. In this figure, one enhanced VPN is constructed
solely from the resources of one of the physical networks, while the solely from the resources of one of the physical networks, while the
the VPN uses resources from both physical networks. the VPN uses resources from both physical networks.
___________ --------------- ( )
--------------- ( ) | CNC |---------->( VPN+ )
| CNC |---------->( VPN+ ) --------^------ ( )
--------^------ ( ) | _(_________ _)
| _(_________ _) --------------- ( ) ^
--------------- ( ) ^ | CNC |----------->( VPN+ ) :
| CNC |----------->( VPN+ ) : ------^-------- ( ) :
------^-------- ( ) : | | (___________) :
| | (___________) : | | ^ ^ :
| | ^ ^ : Boundary | | : : :
Boundary | | : : : Between ==========|====|===================:====:====:========
Between ==========|====|===================:====:====:======== Customer & | | : : :
Customer & | | : : : Network Provider | | : : :
Network Provider | | : : : v v : : :
v v : : : --------------- : :....:
--------------- : :....: | MDSC | : :
| MDSC | : : --------------- : :
--------------- : : ^ ---^------ ...
^ ---^------ ... | ( ) .
| ( ) . v ( Physical ) .
v ( Physical ) . ---------------- ( Network ) .
---------------- ( Network ) . | PNC |<-------->( ) ---^------
| PNC |<-------->( ) ---^------ ---------------- | -------- ( )
---------------- | -------- ( )
| |-- ( Physical ) | |-- ( Physical )
| PNC |<------------------------->( Network ) | PNC |<------------------------->( Network )
--------------- ( ) --------------- ( )
-------- --------
Figure 3: Generic VPN+ Delivery in the ACTN Architecture
4.6.2. Enhanced VPN Features with Service Data Models
This section discusses how the service data models can fulfill the
enhanced VPN requirements described earlier in this document. As
previously noted, key requirements of the enhanced VPN include:
1. Isolation between VPNs/VNs
2. Guaranteed Performance
3. Integration
4. Dynamic Management Figure 3 Generic VPN+ Delivery in the ACTN Architecture
5. Customized Control 4.6.2. Enhanced VPN Features with Service Data Models
The subsections that follow outline how each requirement is met using This section discusses how the service data models can fulfil the
ACTN. enhanced VPN requirements described earlier in this document within
the scope of the ACTN architecture.
4.6.2.1. Isolation Between VPN/VNs 4.6.2.1. Isolation Between VPNs
The VN YANG model [I-D.ietf-teas-actn-vn-yang] and the TE-service The VN YANG model [I-D.ietf-teas-actn-vn-yang] and the TE-service
mapping model [I-D.ietf-teas-te-service-mapping-yang] fulfill the mapping model [I-D.ietf-teas-te-service-mapping-yang] fulfil the VPN
VPN/VN isolation requirement by providing the following features for isolation requirement by providing the following features for the
the VPN/VNs: VPNs:
o Each VN is identified with a unique identifier (vn-id and vn-name)
and so is each VN member that belongs to the VN (vn-member-id).
o Each VPN is identified with a unique identifier (vpn-id) and can
be mapped to one specific VN. While multiple VPNs may mapped to
the same VN according to service requirement and operator's
policy.
o Each VPN and the corresponding VN is managed and controlled
independent of other VPNs/VNs in the network with proper
availability level.
o Each VPN/VN is instantiated with an isolation requirement
described by the TE-service mapping model
[I-D.ietf-teas-te-service-mapping-yang]. This mapping supports:
* Hard isolation with deterministic characteristics (e.g., this
case may need an optical bypass tunnel or a DetNet/TSN tunnel
to guarantee latency with no jitter)
* Hard isolation (i.e., dedicated TE resources in all underlays)
* Soft isolation (i.e., resource in some layer may be shared o Each VPN is identified with a unique identifier (vpn-id) and
while in some other layers is dedicated). can be mapped to a specific VN. Multiple VPNs may mapped to the
same VN according to service requirements and operator's policy.
* No isolation (i.e., sharing with other VPN/VN). o Each VPN is managed and controlled independent of other VPNs.
4.6.2.2. Guaranteed Performance o Each VPN is instantiated with an isolation requirement
described by the TE-service mapping model [I-D.ietf-teas-te-service-
mapping-yang]. This mapping supports all levels of isolation (hard
isolation with deterministic characteristics, hard isolation, soft
isolation, or no isolation).
Performance objectives of a VN need first to be expressed in order to 4.6.2.2. Guaranteed Performance
assure the performance guarantee.
Performance objectives of a VPN [RFC8299][RFC8466] are expressed with Performance objectives of a VPN [RFC8299][RFC8466] are expressed
QoS profile, either standard profile or customer profile. The through a QoS profile including the following properties:
customer QoS profile include the following properties:
o Rate-limit o Rate-limit
o Bandwidth o Bandwidth
o Latency o Latency
o Jitter o Jitter
[I-D.ietf-teas-actn-vn-yang] and [I-D.ietf-teas-yang-te-topo] allow [I-D.ietf-teas-actn-vn-yang] and [I-D.ietf-teas-yang-te-topo] allow
configuration of several TE parameters that may affect the VN configuration of several TE parameters that may help to meet the VPN
performance objectives as follows: performance objectives as follows:
o Bandwidth o Bandwidth
o Objective function (e.g., min cost path, min load path, etc.)
o Metric Types and their threshold:
* TE cost, IGP cost, Hop count, or Unidirectional Delay (e.g., o Objective function (e.g., min cost path, min load path, etc.)
can set all path delay <= threshold)
Once these requests are instantiated, the resources are committed and o Metric Types and their threshold:
guaranteed through the life cycle of the VPN/VN.
4.6.2.3. Integration * TE cost, IGP cost, Hop count, or Unidirectional Delay (e.g.,
can set all path delay <= threshold)
L3VPN network model provides mechanism to correlate customer's VPN Once these requests are instantiated, the resources are committed
and the VPN service related resources (e.g.RT and RD) allocated in and guaranteed through the life cycle of the VPN.
the provider's network.
VPN/Network performance monitoring model 4.6.2.3. Integration
[I-D.www-bess-yang-vpn-service-pm] provides mechanisms to monitor and
manage network Performance on the topology at different layer or the
overlay topology between VPN sites.
VN model and Performance Monitoring Telemetry model provides The L3VPN network model provides mechanism to correlate customer's
mechanisms to correlate customer's VN and the actual TE tunnels VPN and the VPN service related resources (e.g., RT and RD)
instantiated in the provider's network. Specifically: allocated in the provider's network.
o Link each VN member to actual TE tunnel. The VPN/Network performance monitoring model [I-D.www-bess-yang-vpn-
service-pm] provides mechanisms to monitor and manage network
Performance on the topology at different layer or the overlay
topology between VPN sites.
o Each VN can be monitored on a various level such as VN level, VN These two models provide mechanisms to correlate the customer's VPN
member level, TE-tunnel level, and link/node level. and the actual TE tunnels instantiated in the provider's network.
Service function integration with network topology (L3 and TE Service function integration with network topology (L3 and TE
topology) is in progress in [I-D.ietf-teas-sf-aware-topo-model]. topology) is in progress in [I-D.ietf-teas-sf-aware-topo-model]
Specifically, [I-D.ietf-teas-sf-aware-topo-model] addresses a number which addresses a number of use-cases that show how TE topology
of use-cases that show how TE topology supports various service supports various service functions.
functions.
4.6.2.4. Dynamic Management
ACTN provides an architecture that allows the CNC to interact with
the MDSC which is network provider's SDN controller. This gives the
customer control of their VPN or VNs.
e.g., the ACTN VN model [I-D.ietf-teas-actn-vn-yang] allows the VN to 4.6.2.4. Dynamic and Customized Management
life-cycle management such as create, modify, and delete VNs on
demand. Another example is L3VPN servicel model [RFC8299] which
allows the VPN lifecycle management such as VPN creation,
modification and deletion on demand.
4.6.2.5. Customized Control The ACTN architecture allows the CNC to interact with the provider's
MDSC. This gives the customer dynamic control of their VPNs.
ACTN provides a YANG model that allows the CNC to control a VN as a For example, the ACTN VN model [I-D.ietf-teas-actn-vn-yang] allows
"Type 2 VN" that allows the customer to provision tunnels that life-cycle management to create, modify, and delete VNs on demand.
connect their endpoints over the customized VN topology. Customers may also be allowed more customized control of the VN
topology by provisioning tunnels to connect their endpoints, and
even configuring the paths of those tunnels.
For some VN members, the customers are allowed to configure the path Another example is the L3VPN service model [RFC8299] which allows
(i.e., the sequence of virtual nodes and virtual links) over the VN/ VPN lifecycle management such as VPN creation, modification, and
abstract topology. deletion on demand.
4.6.3. 5G Transport Service Delivery via Coordinated Data Modules 4.6.3. 5G Transport Service Delivery via Coordinated Data Modules
The overview of network slice structure as defined in the 3GPP 5GS is The overview of network slice structure as defined in the 3GPP 5GS
shown in Figure 5. The terms are described in specific 3GPP is shown in Figure 4. The terms are described in specific 3GPP
documents (e.g. [TS23501] and [TS28530].) documents [TS23501] [TS28530].
<================== E2E-NSI =======================>
: : : : :
: : : : :
<====== RAN-NSSI ======><=TRN-NSSI=><====== CN-NSSI ======>VL[APL]
: : : : : : : : :
: : : : : : : : :
RW[NFs ]<=TRN-NSSI=>[NFs ]<=TRN-NSSI=>[NFs ]<=TRN-NSSI=>[NFs ]VL[APL]
. . . . . . . . . . . . .. . . . . . . . . . . . . .. <================== E2E-NSI =======================>
.,----. ,----. ,----.. ,----. .,----. ,----. ,----.. : : : : :
UE--|RAN |---| TN |---|RAN |---| TN |---|CN |---| TN |---|CN |--[APL] : : : : :
.|NFs | `----' |NFs |. `----' .|NFs | `----' |NFs |. <====== RAN-NSSI ======><=TN-NSSI=><====== CN-NSSI ======>VL[APL]
.`----' `----'. .`----' `----'. : : : : : : : : :
. . . . . . . . . . . . .. . . . . . . . . . . . . .. : : : : : : : : :
RW[NFs ]<=TRN-NSSI=>[NFs ]<=TN-NSSI=>[NFs ]<=TRN-NSSI=>[NFs ]VL[APL]
. . . . . . . . . . . . .. . . . . . . . . . . . . ..
.,----. ,----. ,----.. ,----. .,----. ,----. ,----..
UE--|RAN |---| TN |---|RAN |---| TN |--|CN |--| TN |--|CN |--[APL]
.|NFs | `----' |NFs |. `----' .|NFs | `----' |NFs |.
.`----' `----'. .`----' `----'.
. . . . . . . . . . . . .. . . . . . . . . . . . ..
RW RAN MBH CN DN RW RAN MBH CN DN
*Legends *Legends
UE: User Equipment UE: User Equipment
RAN: Radio Access Network RAN: Radio Access Network
CN: Core Network CN: Core Network
DN: Data Network DN: Data Network
TN: Transport Network TN: Transport Network
MBH: Mobile Backhaul MBH: Mobile Backhaul
RW: Radio Wave RW: Radio Wave
NF: Network Function NF: Network Function
APL: Application Server APL: Application Server
NSI: Network Slice Instance NSI: Network Slice Instance
NSSI: Network Slice Subnet Instance NSSI: Network Slice Subnet Instance
Figure 4: Overview of Structure of Network Slice in 3GPP 5GS Figure 4 Overview of Structure of Network Slice in 3GPP 5GS
To support 5G service (e.g., 5G MBB service), L3VPN service model The L3VPN service model [RFC8299] and TEAS VN model [I-D.ietf-teas-
[RFC8299] and TEAS VN model [I-D.ietf-teas-actn-vn-yang] can be both actn-vn-yang] can both be used to describe the 5G MBB Transport
provided to describe 5G MBB Transport Service or connectivity Service or connectivity service. The L3VPN service model is used to
service. L3VPN service model is used to describe end-to-end IP describe end-to-end IP connectivity service, while the TEAS VN model
connectivity service while TEAS VN model is used to describe TE is used to describe TE connectivity service between VPN sites or
connectivity service between VPN sites or between RAN NFs and Core between RAN NFs and Core network NFs.
network NFs.
VN in TEAS VN model and support point-to-point or multipoint-to- A VN in the TEAS VN model with its support of point-to-point or
multipoint connectivity service and can be seen as one example of multipoint-to-multipoint connectivity services can be seen as one
network slice. example of a network slice.
TE Service mapping model can be used to map L3VPN service requests The TE Service mapping model can be used to map L3VPN service
onto underlying network resource and TE models to get TE network requests onto underlying network resource and TE models to get the
setup. TE network provisioned.
For IP VPN service provision, the service parameters in the L3VPN For IP VPN service provisioning, the service parameters in the L3VPN
service model [RFC8299] can be decomposed into a set of configuration service model [RFC8299] can be decomposed into a set of
parameters described in the L3VPN network model configuration parameters described in the L3VPN network model [I-
[I-D.aguado-opsawg-l3sm-l3nm] which will get VPN network setup. D.ietf-opsawg-l3sm-l3nm] which will get the VPN network provisioned.
5. Scalability Considerations 5. Scalability Considerations
Enhanced VPN provides the performance guaranteed services in packet Enhanced VPN provides performance guaranteed services in packet
networks, but with the potential cost of introducing additional networks, but with the potential cost of introducing additional
states into the network. There are at least three ways that this states into the network. There are at least three ways that this
adding state might be presented in the network: additional state might be presented in the network:
o Introduce the complete state into the packet, as is done in SR.
This allows the controller to specify the detailed series of
forwarding and processing instructions for the packet as it
transits the network. The cost of this is an increase in the
packet header size. The cost is also that systems will have
capabilities enabled in case they are called upon by a service.
This is a type of latent state, and increases as we more precisely
specify the path and resources that need to be exclusively
available to a VPN.
o Introduce the state to the network. This is normally done by o Introduce the complete state into the packet, as is done in SR.
creating a path using RSVP-TE, which can be extended to introduce This allows the controller to specify a detailed series of
any element that needs to be specified along the path, for example forwarding and processing instructions for the packet as it transits
explicitly specifying queuing policy. It is of course possible to the network. The cost of this is an increase in the packet header
use other methods to introduce path state, such as via a Software size. The cost is also that systems will have capabilities enabled
Defined Network (SDN) controller, or possibly by modifying a in case they are called upon by a service. This is a type of latent
routing protocol. With this approach there is state per path per state, and increases as we more precisely specify the path and
path characteristic that needs to be maintained over its life- resources that need to be exclusively available to a VPN.
cycle. This is more state than is needed using SR, but the packet
are shorter.
o Provide a hybrid approach based on using binding SIDs to create o Introduce the state to the network. This is normally done by
path fragments, and bind them together with SR. creating a path using RSVP-TE, which can be extended to introduce
any element that needs to be specified along the path, for example
explicitly specifying queuing policy. It is possible to use other
methods to introduce path state, such as via a Software Defined
Network (SDN) controller, or possibly by modifying a routing
protocol. With this approach there is state per path, per path
characteristic that needs to be maintained over its life-cycle.
This is more state than is needed using SR, but the packets are
shorter.
Dynamic creation of a VPN path using SR requires less state o Provide a hybrid approach. One example is based on using
maintenance in the network core at the expense of larger VPN headers binding SIDs [RFC8402] to create path fragments, and bind them
on the packet. The packet size can be lower if a form of loose together with SR. Dynamic creation of a VPN service path using SR
source routing is used (using a few nodal SIDs), and it will be lower requires less state maintenance in the network core at the expense
if no specific functions or resource on the routers are specified. of larger packet headers. The packet size can be lower if a form of
Reducing the state in the network is important to enhanced VPN, as it loose source routing is used (using a few nodal SIDs), and it will
requires the overlay to be more closely integrated with the underlay be lower if no specific functions or resources on the routers are
than with traditional VPNs. This tighter coupling would normally specified.
mean that more state needed to be created and maintained in the
network, as the state about fine granularity processing would need to
be loaded and maintained in the routers. However, a segment routed
approach allows much of this state to be spread amongst the network
ingress nodes, and transiently carried in the packets as SIDs.
These approaches are for further study. Reducing the state in the network is important to enhanced VPN, as
it requires the overlay to be more closely integrated with the
underlay than with traditional VPNs. This tighter coupling would
normally mean that more state needed to be created and maintained in
the network, as the state about fine granularity processing would
need to be loaded and maintained in the routers. However, a segment
routed approach allows much of this state to be spread amongst the
network ingress nodes, and transiently carried in the packets as
SIDs.
5.1. Maximum Stack Depth of SR 5.1. Maximum Stack Depth of SR
One of the challenges with SR is the stack depth that nodes are able One of the challenges with SR is the stack depth that nodes are able
to impose on packets [RFC8491]. This leads to a difficult balance to impose on packets [RFC8491]. This leads to a difficult balance
between adding state to the network and minimizing stack depth, or between adding state to the network and minimizing stack depth, or
minimizing state and increasing the stack depth. minimizing state and increasing the stack depth.
5.2. RSVP Scalability 5.2. RSVP Scalability
The traditional method of creating a resource allocated path through The traditional method of creating a resource allocated path through
an MPLS network is to use the RSVP protocol. However there have been an MPLS network is to use the RSVP protocol. However there have
concerns that this requires significant continuous state maintenance been concerns that this requires significant continuous state
in the network. There are ongoing works to improve the scalability maintenance in the network. Work to improve the scalability of
of RSVP-TE LSPs in the control plane [RFC8370]. RSVP-TE LSPs in the control plane can be found in [RFC8370].
There is also concern at the scalability of the forwarder footprint There is also concern at the scalability of the forwarder footprint
of RSVP as the number of paths through an LSR grows [RFC8577] of RSVP as the number of paths through an LSR grows. [RFC8577]
proposes to address this by employing SR within a tunnel established proposes to address this by employing SR within a tunnel established
by RSVP-TE. by RSVP-TE.
5.3. SDN Scaling 5.3. SDN Scaling
The centralized approach of SDN requires state to be stored in the The centralized approach of SDN requires state to be stored in the
network, but does not have the overhead of also requiring control network, but does not have the overhead of also requiring control
plane state to be maintained. Each individual network node may need plane state to be maintained. Each individual network node may need
to maintain a communication channel with the SDN controller, but that to maintain a communication channel with the SDN controller, but
compares favourably with the need for a control plane to maintain that compares favourably with the need for a control plane to
communication with all neighbors. maintain communication with all neighbors.
However, SDN may transfer some of the scalability concerns from the However, SDN may transfer some of the scalability concerns from the
network to the centralized controller. In particular, there may be a network to the centralized controller. In particular, there may be
heavy processing burden at the controller, and a heavy load in the a heavy processing burden at the controller, and a heavy load in the
network surrounding the controller. network surrounding the controller.
6. OAM Considerations 6. OAM Considerations
The enhanced VPN OAM design needs to consider the following The enhanced VPN OAM design needs to consider the following
requirements: requirements:
o Instrumentation of the underlay so that the network operator can o Instrumentation of the underlay so that the network operator can
be sure that the resources committed to a tenant are operating be sure that the resources committed to a tenant are operating
correctly and delivering the required performance. correctly and delivering the required performance.
o Instrumentation of the overlay by the tenant. This is likely to o Instrumentation of the overlay by the tenant. This is likely to
be transparent to the network operator and to use existing be transparent to the network operator and to use existing methods.
methods. Particular consideration needs to be given to the need Particular consideration needs to be given to the need to verify the
to verify the isolation and the various committed performance isolation and the various committed performance characteristics.
characteristics.
o Instrumentation of the overlay by the network provider to o Instrumentation of the overlay by the network provider to
proactively demonstrate that the committed performance is being proactively demonstrate that the committed performance is being
delivered. This needs to be done in a non-intrusive manner, delivered. This needs to be done in a non-intrusive manner,
particularly when the tenant is deploying a performance sensitive particularly when the tenant is deploying a performance sensitive
application application.
o Verification of the conformity of the path to the service o Verification of the conformity of the path to the service
requirement. This may need to be done as part of a commissioning requirement. This may need to be done as part of a commissioning
test. test.
A study of OAM in SR networks has been documented in [RFC8403]. A study of OAM in SR networks has been documented in [RFC8403].
7. Telemetry Considerations 7. Telemetry Considerations
Network visibility is essential for network operation. Network Network visibility is essential for network operation. Network
telemetry has been considered as an ideal means to gain sufficient telemetry has been considered as an ideal means to gain sufficient
network visibility with better flexibility, scalability, accuracy, network visibility with better flexibility, scalability, accuracy,
coverage, and performance than conventional OAM technologies. coverage, and performance than conventional OAM technologies.
As defined in [I-D.ietf-opsawg-ntf], Network Telemetry is to acquire As defined in [I-D.ietf-opsawg-ntf], the purpose of Network
network data remotely for network monitoring and operation. It is a Telemetry is to acquire network data remotely for network monitoring
general term for a large set of network visibility techniques and and operation. It is a general term for a large set of network
protocols. Network telemetry addresses the current network operation visibility techniques and protocols. Network telemetry addresses
issues and enables smooth evolution toward intent-driven autonomous the current network operation issues and enables smooth evolution
networks. Telemetry can be applied on the forwarding plane, the toward intent-driven autonomous networks. Telemetry can be applied
control plane, and the management plane in a network. on the forwarding plane, the control plane, and the management plane
in a network.
How the telemetry mechanisms could be used or extended for the How the telemetry mechanisms could be used or extended for the
enhanced VPN service will be described in a future version. enhanced VPN service will be described in a separate document.
8. Enhanced Resiliency 8. Enhanced Resiliency
Each enhanced VPN has a life-cycle, and needs modification during Each enhanced VPN has a life-cycle, and may need modification during
deployment as the needs of its tenant change. Additionally, as the deployment as the needs of its tenant change. Additionally, as the
network as a whole evolves, there will need to be garbage collection network as a whole evolves, there may need to be garbage collection
performed to consolidate resources into usable quanta. performed to consolidate resources into usable quanta.
Systems in which the path is imposed such as SR, or some form of Systems in which the path is imposed such as SR, or some form of
explicit routing tend to do well in these applications, because it is explicit routing tend to do well in these applications, because it
possible to perform an atomic transition from one path to another. is possible to perform an atomic transition from one path to another.
This is a single action by the head-end changes the path without the This is a single action by the head-end changes the path without the
need for coordinated action by the routers along the path. However, need for coordinated action by the routers along the path. However,
implementations and the monitoring protocols need to make sure that implementations and the monitoring protocols need to make sure that
the new path is up and meet the required SLA before traffic is the new path is up and meets the required SLA before traffic is
transitioned to it. It is possible for deadlocks arise as a result transitioned to it. It is possible for deadlocks to arise as a
of the network becoming fragmented over time, such that it is result of the network becoming fragmented over time, such that it is
impossible to create a new path or modify a existing path without impossible to create a new path or to modify an existing path
impacting the SLA of other paths. Resolution of this situation is as without impacting the SLA of other paths. Resolution of this
much a commercial issue as it is a technical issue and is outside the situation is as much a commercial issue as it is a technical issue
scope of this document. and is outside the scope of this document.
There are however two manifestations of the latency problem that are There are, however, two manifestations of the latency problem that
for further study in any of these approaches: are for further study in any of these approaches:
o The problem of packets overtaking one and other if a path latency o The problem of packets overtaking one and other if a path latency
reduces during a transition. reduces during a transition.
o The problem of the latency transient in either direction as a path o The problem of transient variation in latency in either direction
migrates. as a path migrates.
There is also the matter of what happens during failure in the There is also the matter of what happens during failure in the
underlay infrastructure. Fast reroute is one approach, but that underlay infrastructure. Fast reroute is one approach, but that
still produces a transient loss with a normal goal of rectifying this still produces a transient loss with a normal goal of rectifying
within 50ms [RFC5654] . An alternative is some form of N+1 delivery this within 50ms [RFC5654]. An alternative is some form of N+1
such as has been used for many years to support protection from delivery such as has been used for many years to support protection
service disruption. This may be taken to a different level using the from service disruption. This may be taken to a different level
techniques proposed by the IETF deterministic network work with using the techniques proposed by the IETF deterministic network work
multiple in-network replication and the culling of later packets with multiple in-network replication and the culling of later
[I-D.ietf-detnet-architecture]. packets [RFC8655].
In addition to the approach used to protect high priority packets, In addition to the approach used to protect high priority packets,
consideration has to be given to the impact of best effort traffic on consideration has to be given to the impact of best effort traffic
the high priority packets during a transient. Specifically if a on the high priority packets during a transient. Specifically if a
conventional re-convergence process is used there will inevitably be conventional re-convergence process is used there will inevitably be
micro-loops and whilst some form of explicit routing will protect the micro-loops and whilst some form of explicit routing will protect
high priority traffic, lower priority traffic on best effort shortest the high priority traffic, lower priority traffic on best effort
paths will micro-loop without the use of a loop prevention shortest paths will micro-loop without the use of a loop prevention
technology. To provide the highest quality of service to high technology. To provide the highest quality of service to high
priority traffic, either this traffic must be shielded from the priority traffic, either this traffic must be shielded from the
micro-loops, or micro-loops must be prevented. micro-loops, or micro-loops must be prevented.
9. Operational Considerations 9. Operational Considerations
TBD in a future version. It is likely that enhanced VPN service will be introduced in
networks which already have traditional VPN services deployed.
Depends on service requirement, the tenants or the operator may
choose to use traditional VPN or enhanced VPN to fulfil the service
requirement. The information and parameters to assist such decision
needs to be reflected on the management interface between the
tenants and the operator.
10. Security Considerations 10. Security Considerations
All types of virtual network require special consideration to be All types of virtual network require special consideration to be
given to the isolation between the tenants. In this regard enhanced given to the isolation of traffic belonging to different tenants.
VPNs neither introduce, no experience a greater security risk than That is, traffic belonging to one VPN must not be delivered to end
another VPN of the same base type. However, in an enhanced virtual points outside that VPN. In this regard enhanced VPNs neither
network service the isolation requirement needs to be considered. If introduce, no experience a greater security risks than other VPNs.
a service requires a specific latency then it can be damaged by
simply delaying the packet through the activities of another tenant. However, in an enhanced Virtual Private Network service the
In a network with virtual functions, depriving a function used by additional service requirements need to be considered. For example,
another tenant of compute resources can be just as damaging as if a service requires a specific upper bound to latency then it can
delaying transmission of a packet in the network. The measures to be damaged by simply delaying the packets through the activities of
address these dynamic security risks must be specified as part to the another tenant, i.e., by introducing bursts of traffic for other
specific solution. services.
The measures to address these dynamic security risks must be
specified as part to the specific solution are form part of the
isolation requirements of a service.
While an enhanced VPN service may be sold as offering encryption and While an enhanced VPN service may be sold as offering encryption and
other security features as part of the service, customers would be other security features as part of the service, customers would be
well advised to take responsibility for their own security well advised to take responsibility for their own security
requirements themselves possibly by encrypting traffic before handing requirements themselves possibly by encrypting traffic before
it off to the service provider. handing it off to the service provider.
The privacy of enhanced VPN service customers must be preserved. It The privacy of enhanced VPN service customers must be preserved. It
should not be possible for one customer to discover the existence of should not be possible for one customer to discover the existence of
another customer, nor should the sites that are members of an another customer, nor should the sites that are members of an
enhanced VPN be externally visible. enhanced VPN be externally visible.
11. IANA Considerations 11. IANA Considerations
There are no requested IANA actions. There are no requested IANA actions.
12. Contributors 12. Contributors
Daniel King
Email: daniel@olddog.co.uk
Adrian Farrel Daniel King
Email: adrian@olddog.co.uk Email: daniel@olddog.co.uk
Jeff Tansura Adrian Farrel
Email: jefftant.ietf@gmail.com Email: adrian@olddog.co.uk
Qin Wu Jeff Tansura
Email: bill.wu@huawei.com Email: jefftant.ietf@gmail.com
Daniele Ceccarelli Qin Wu
Email: daniele.ceccarelli@ericsson.com Email: bill.wu@huawei.com
Mohamed Boucadair Daniele Ceccarelli
Email: mohamed.boucadair@orange.com Email: daniele.ceccarelli@ericsson.com
Sergio Belotti Mohamed Boucadair
Email: sergio.belotti@nokia.com Email: mohamed.boucadair@orange.com
Haomian Zheng Sergio Belotti
Email: zhenghaomian@huawei.com Email: sergio.belotti@nokia.com
13. Acknowledgements Haomian Zheng
Email: zhenghaomian@huawei.com
The authors would like to thank Charlie Perkins, James N Guichard and 13. Acknowledgments
John E Drake for their review and valuable comments.
The authors would like to thank Charlie Perkins, James N Guichard,
John E Drake and Shunsuke Homma for their review and valuable
comments.
This work was supported in part by the European Commission funded This work was supported in part by the European Commission funded
H2020-ICT-2016-2 METRO-HAUL project (G.A. 761727). H2020-ICT-2016-2 METRO-HAUL project (G.A. 761727).
14. References 14. References
14.1. Normative References
[I-D.ietf-teas-actn-vn-yang] 14.1. Normative References
Lee, Y., Dhody, D., Ceccarelli, D., Bryskin, I., and B.
Yoon, "A Yang Data Model for VN Operation", draft-ietf-
teas-actn-vn-yang-06 (work in progress), July 2019.
[I-D.ietf-teas-te-service-mapping-yang] [I-D.ietf-teas-actn-vn-yang] Lee, Y., Dhody, D., Ceccarelli, D.,
Lee, Y., Dhody, D., Fioccola, G., Wu, Q., Ceccarelli, D., Bryskin, I., and B. Yoon, "A Yang Data Model for VN
and J. Tantsura, "Traffic Engineering (TE) and Service Operation", draft-ietf-teas-actn-vn-yang-07 (work in
Mapping Yang Model", draft-ietf-teas-te-service-mapping- progress), October 2019.
yang-02 (work in progress), September 2019.
[RFC2764] Gleeson, B., Lin, A., Heinanen, J., Armitage, G., and A. [I-D.ietf-teas-te-service-mapping-yang] Lee, Y., Dhody, D., Fioccola,
Malis, "A Framework for IP Based Virtual Private G., Wu, Q., Ceccarelli, D., and J. Tantsura, "Traffic
Networks", RFC 2764, DOI 10.17487/RFC2764, February 2000, Engineering (TE) and Service Mapping Yang Model", draft-
<https://www.rfc-editor.org/info/rfc2764>. ietf-teas-te-service-mapping-yang-02 (work in progress),
September 2019.
[RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V., [RFC2764] Gleeson, B., Lin, A., Heinanen, J., Armitage, G., and A.
and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP Malis, "A Framework for IP Based Virtual Private Networks",
Tunnels", RFC 3209, DOI 10.17487/RFC3209, December 2001, RFC 2764, DOI 10.17487/RFC2764, February 2000,
<https://www.rfc-editor.org/info/rfc3209>. <https://www.rfc-editor.org/info/rfc2764>.
[RFC3985] Bryant, S., Ed. and P. Pate, Ed., "Pseudo Wire Emulation [RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V.,
Edge-to-Edge (PWE3) Architecture", RFC 3985, and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP
DOI 10.17487/RFC3985, March 2005, Tunnels", RFC 3209, DOI 10.17487/RFC3209, December 2001,
<https://www.rfc-editor.org/info/rfc3985>. <https://www.rfc-editor.org/info/rfc3209>.
[RFC4664] Andersson, L., Ed. and E. Rosen, Ed., "Framework for Layer [RFC3985] Bryant, S., Ed. and P. Pate, Ed., "Pseudo Wire Emulation
2 Virtual Private Networks (L2VPNs)", RFC 4664, Edge-to-Edge (PWE3) Architecture", RFC 3985, DOI
DOI 10.17487/RFC4664, September 2006, 10.17487/RFC3985, March 2005, <https://www.rfc-
<https://www.rfc-editor.org/info/rfc4664>. editor.org/info/rfc3985>.
[RFC8299] Wu, Q., Ed., Litkowski, S., Tomotaki, L., and K. Ogaki, [RFC4664] Andersson, L., Ed. and E. Rosen, Ed., "Framework for Layer
"YANG Data Model for L3VPN Service Delivery", RFC 8299, 2 Virtual Private Networks (L2VPNs)", RFC 4664, DOI
DOI 10.17487/RFC8299, January 2018, 10.17487/RFC4664, September 2006, <https://www.rfc-
<https://www.rfc-editor.org/info/rfc8299>. editor.org/info/rfc4664>
[RFC8402] Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L., [RFC8299] Wu, Q., Ed., Litkowski, S., Tomotaki, L., and K. Ogaki,
Decraene, B., Litkowski, S., and R. Shakir, "Segment "YANG Data Model for L3VPN Service Delivery", RFC 8299,
Routing Architecture", RFC 8402, DOI 10.17487/RFC8402, DOI 10.17487/RFC8299, January 2018, <https://www.rfc-
July 2018, <https://www.rfc-editor.org/info/rfc8402>. editor.org/info/rfc8299>.
[RFC8453] Ceccarelli, D., Ed. and Y. Lee, Ed., "Framework for [RFC8402] Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L.,
Abstraction and Control of TE Networks (ACTN)", RFC 8453, Decraene, B., Litkowski, S., and R. Shakir, "Segment
DOI 10.17487/RFC8453, August 2018, Routing Architecture", RFC 8402, DOI 10.17487/RFC8402,
<https://www.rfc-editor.org/info/rfc8453>. July 2018, <https://www.rfc-editor.org/info/rfc8402>.
[RFC8466] Wen, B., Fioccola, G., Ed., Xie, C., and L. Jalil, "A YANG [RFC8453] Ceccarelli, D., Ed. and Y. Lee, Ed., "Framework for
Data Model for Layer 2 Virtual Private Network (L2VPN) Abstraction and Control of TE Networks (ACTN)", RFC 8453,
Service Delivery", RFC 8466, DOI 10.17487/RFC8466, October DOI 10.17487/RFC8453, August 2018, <https://www.rfc-
2018, <https://www.rfc-editor.org/info/rfc8466>. editor.org/info/rfc8453>.
14.2. Informative References [RFC8466] Wen, B., Fioccola, G., Ed., Xie, C., and L. Jalil, "A YANG
Data Model for Layer 2 Virtual Private Network (L2VPN)
Service Delivery", RFC 8466, DOI 10.17487/RFC8466, October
2018, <https://www.rfc-editor.org/info/rfc8466>.
[BBF-SD406] 14.2. Informative References
"BBF SD-406: End-to-End Network Slicing", 2016,
<https://wiki.broadband-forum.org/display/BBF/SD-406+End-
to-End+Network+Slicing>.
[DETNET] "Deterministic Networking", March , [BBF-SD406] "BBF SD-406: End-to-End Network Slicing", 2016,
<https://datatracker.ietf.org/wg/detnet/about/>. <https://wiki.broadband-forum.org/display/BBF/SD-406+End-
to-End+Network+Slicing>.
[FLEXE] "Flex Ethernet Implementation Agreement", March 2016, [DETNET] "Deterministic Networking", March ,
<http://www.oiforum.com/wp-content/uploads/OIF-FLEXE- <https://datatracker.ietf.org/wg/detnet/about/>.
01.0.pdf>.
[I-D.aguado-opsawg-l3sm-l3nm] [FLEXE] "Flex Ethernet Implementation Agreement", March 2016,
Aguado, A., Dios, O., Lopezalvarez, V., <https://www.oiforum.com/wp-content/uploads/2019/01/OIF-
daniel.voyer@bell.ca, d., and L. Munoz, "Layer 3 VPN FLEXE-01.0.pdf>.
Network Model", draft-aguado-opsawg-l3sm-l3nm-01 (work in
progress), July 2019.
[I-D.geng-spring-srv6-for-detnet] [I-D.ietf-idr-bgp-ls-segment-routing-ext] Previdi, S., Talaulikar,
Geng, X., Li, Z., and M. Chen, "SRv6 for Deterministic K., Filsfils, C., Gredler, H., and M. Chen, "BGP Link-
Networking (DetNet)", draft-geng-spring-srv6-for-detnet-00 State extensions for Segment Routing", draft-ietf-idr-bgp-
(work in progress), July 2019. ls-segment-routing-ext-16 (work in progress), June 2019.
[I-D.ietf-detnet-architecture] [I-D.ietf-opsawg-l3sm-l3nm] Aguado, A., Dios, O., Lopezalvarez, V.,
Finn, N., Thubert, P., Varga, B., and J. Farkas, daniel.voyer@bell.ca, d., and L. Munoz, "Layer 3 VPN
"Deterministic Networking Architecture", draft-ietf- Network Model", draft-ietf-opsawg-l3sm-l3nm-01, (work in
detnet-architecture-13 (work in progress), May 2019. progress), November 2019.
[I-D.ietf-detnet-dp-sol-ip] [I-D.ietf-opsawg-ntf] Song, H., Qin, F., Martinez-Julia, P.,
Korhonen, J. and B. Varga, "DetNet IP Data Plane Ciavaglia, L., and A. Wang, "Network Telemetry Framework",
Encapsulation", draft-ietf-detnet-dp-sol-ip-02 (work in draft-ietf-opsawg-ntf-02 (work in progress), October 2019.
progress), March 2019.
[I-D.ietf-opsawg-ntf] [I-D.ietf-teas-sf-aware-topo-model] Bryskin, I., Liu, X., Lee, Y.,
Song, H., Qin, F., Martinez-Julia, P., Ciavaglia, L., and Guichard, J., Contreras, L., Ceccarelli, D., and J.
A. Wang, "Network Telemetry Framework", draft-ietf-opsawg- Tantsura, "SF Aware TE Topology YANG Model", draft-ietf-
ntf-01 (work in progress), June 2019. teas-sf-aware-topo-model-04 (work in progress), November
2019.
[I-D.ietf-teas-actn-pm-telemetry-autonomics] [I-D.ietf-teas-yang-te] Saad, T., Gandhi, R., Liu, X., Beeram, V.,
Lee, Y., Dhody, D., Karunanithi, S., Vilata, R., King, D., and I. Bryskin, "A YANG Data Model for Traffic Engineering
and D. Ceccarelli, "YANG models for VN & TE Performance Tunnels and Interfaces", draft-ietf-teas-yang-te-22 (work
Monitoring Telemetry and Scaling Intent Autonomics", in progress), November 2019.
draft-ietf-teas-actn-pm-telemetry-autonomics-00 (work in
progress), July 2019.
[I-D.ietf-teas-sf-aware-topo-model] [I-D.ietf-teas-yang-te-topo] Liu, X., Bryskin, I., Beeram, V., Saad,
Bryskin, I., Liu, X., Lee, Y., Guichard, J., Contreras, T., Shah, H., and O. Dios, "YANG Data Model for Traffic
L., Ceccarelli, D., and J. Tantsura, "SF Aware TE Topology Engineering (TE) Topologies", draft-ietf-teas-yang-te-
YANG Model", draft-ietf-teas-sf-aware-topo-model-03 (work topo-22 (work in progress), June 2019.
in progress), March 2019.
[I-D.ietf-teas-yang-te] [I-D.www-bess-yang-vpn-service-pm] Wang, Z., Wu, Q., Even, R., Wen,
Saad, T., Gandhi, R., Liu, X., Beeram, V., and I. Bryskin, B., and C. Liu, "A YANG Model for Network and VPN Service
"A YANG Data Model for Traffic Engineering Tunnels and Performance Monitoring", draft-www-bess-yang-vpn-service-
Interfaces", draft-ietf-teas-yang-te-21 (work in pm-04 (work in progress), November 2019.
progress), April 2019.
[I-D.ietf-teas-yang-te-topo] [NGMN-NS-Concept] "NGMN NS Concept", 2016,
Liu, X., Bryskin, I., Beeram, V., Saad, T., Shah, H., and <https://www.ngmn.org/fileadmin/user_upload/161010_NGMN_Ne
O. Dios, "YANG Data Model for Traffic Engineering (TE) twork_Slicing_framework_v1.0.8.pdf>.
Topologies", draft-ietf-teas-yang-te-topo-22 (work in
progress), June 2019.
[I-D.www-bess-yang-vpn-service-pm] [RFC2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z.,
Wang, Z., Wu, Q., Even, R., Wen, B., and C. Liu, "A YANG and W. Weiss, "An Architecture for Differentiated
Model for Network and VPN Service Performance Monitoring", Services", RFC 2475, DOI 10.17487/RFC2475, December 1998,
draft-www-bess-yang-vpn-service-pm-03 (work in progress), <https://www.rfc-editor.org/info/rfc2475>.
July 2019.
[NGMN-NS-Concept] [RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path
"NGMN NS Concept", 2016, <https://www.ngmn.org/fileadmin/u Algorithm", RFC 2992, DOI 10.17487/RFC2992, November 2000,
ser_upload/161010_NGMN_Network_Slicing_framework_v1.0.8.pd <https://www.rfc-editor.org/info/rfc2992>.
f>.
[RFC2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z., [RFC3758] Stewart, R., Ramalho, M., Xie, Q., Tuexen, M., and P.
and W. Weiss, "An Architecture for Differentiated Conrad, "Stream Control Transmission Protocol (SCTP)
Services", RFC 2475, DOI 10.17487/RFC2475, December 1998, Partial Reliability Extension", RFC 3758, DOI
<https://www.rfc-editor.org/info/rfc2475>. 10.17487/RFC3758, May 2004, <https://www.rfc-
editor.org/info/rfc3758>.
[RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path [RFC3931] Lau, J., Ed., Townsley, M., Ed., and I. Goyret, Ed.,
Algorithm", RFC 2992, DOI 10.17487/RFC2992, November 2000, "Layer Two Tunneling Protocol - Version 3 (L2TPv3)", RFC
<https://www.rfc-editor.org/info/rfc2992>. 3931, DOI 10.17487/RFC3931, March 2005, <https://www.rfc-
editor.org/info/rfc3931>.
[RFC3758] Stewart, R., Ramalho, M., Xie, Q., Tuexen, M., and P. [RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
Conrad, "Stream Control Transmission Protocol (SCTP) Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February
Partial Reliability Extension", RFC 3758, 2006, <https://www.rfc-editor.org/info/rfc4364>.
DOI 10.17487/RFC3758, May 2004,
<https://www.rfc-editor.org/info/rfc3758>.
[RFC3931] Lau, J., Ed., Townsley, M., Ed., and I. Goyret, Ed., [RFC4448] Martini, L., Ed., Rosen, E., El-Aawar, N., and G. Heron,
"Layer Two Tunneling Protocol - Version 3 (L2TPv3)", "Encapsulation Methods for Transport of Ethernet over MPLS
RFC 3931, DOI 10.17487/RFC3931, March 2005, Networks", RFC 4448, DOI 10.17487/RFC4448, April 2006,
<https://www.rfc-editor.org/info/rfc3931>. <https://www.rfc-editor.org/info/rfc4448>.
[RFC3945] Mannie, E., Ed., "Generalized Multi-Protocol Label [RFC4594] Babiarz, J., Chan, K., and F. Baker, "Configuration
Switching (GMPLS) Architecture", RFC 3945, Guidelines for DiffServ Service Classes", RFC 4594, DOI
DOI 10.17487/RFC3945, October 2004, 10.17487/RFC4594, August 2006, <https://www.rfc-
<https://www.rfc-editor.org/info/rfc3945>. editor.org/info/rfc4594>.
[RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private [RFC4719] Aggarwal, R., Ed., Townsley, M., Ed., and M. Dos Santos,
Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February Ed., "Transport of Ethernet Frames over Layer 2 Tunneling
2006, <https://www.rfc-editor.org/info/rfc4364>. Protocol Version 3 (L2TPv3)", RFC 4719, DOI
10.17487/RFC4719, November 2006, <https://www.rfc-
editor.org/info/rfc4719>.
[RFC4448] Martini, L., Ed., Rosen, E., El-Aawar, N., and G. Heron, [RFC5151] Farrel, A., Ed., Ayyangar, A., and JP. Vasseur, "Inter-
"Encapsulation Methods for Transport of Ethernet over MPLS Domain MPLS and GMPLS Traffic Engineering - Resource
Networks", RFC 4448, DOI 10.17487/RFC4448, April 2006, Reservation Protocol-Traffic Engineering (RSVP-TE)
<https://www.rfc-editor.org/info/rfc4448>. Extensions", RFC 5151, DOI 10.17487/RFC5151, February 2008,
<https://www.rfc-editor.org/info/rfc5151>.
[RFC4594] Babiarz, J., Chan, K., and F. Baker, "Configuration [RFC5654] Niven-Jenkins, B., Ed., Brungard, D., Ed., Betts, M., Ed.,
Guidelines for DiffServ Service Classes", RFC 4594, Sprecher, N., and S. Ueno, "Requirements of an MPLS
DOI 10.17487/RFC4594, August 2006, Transport Profile", RFC 5654, DOI 10.17487/RFC5654,
<https://www.rfc-editor.org/info/rfc4594>. September 2009, <https://www.rfc-editor.org/info/rfc5654>
[RFC4719] Aggarwal, R., Ed., Townsley, M., Ed., and M. Dos Santos, [RFC7149] Boucadair, M. and C. Jacquenet, "Software-Defined
Ed., "Transport of Ethernet Frames over Layer 2 Tunneling Networking: A Perspective from within a Service Provider
Protocol Version 3 (L2TPv3)", RFC 4719, Environment", RFC 7149, DOI 10.17487/RFC7149, March 2014,
DOI 10.17487/RFC4719, November 2006, <https://www.rfc-editor.org/info/rfc7149>.
<https://www.rfc-editor.org/info/rfc4719>.
[RFC5151] Farrel, A., Ed., Ayyangar, A., and JP. Vasseur, "Inter- [RFC7209] Sajassi, A., Aggarwal, R., Uttaro, J., Bitar, N.,
Domain MPLS and GMPLS Traffic Engineering -- Resource Henderickx, W., and A. Isaac, "Requirements for Ethernet
Reservation Protocol-Traffic Engineering (RSVP-TE) VPN (EVPN)", RFC 7209, DOI 10.17487/RFC7209, May 2014,
Extensions", RFC 5151, DOI 10.17487/RFC5151, February <https://www.rfc-editor.org/info/rfc7209>.
2008, <https://www.rfc-editor.org/info/rfc5151>.
[RFC5654] Niven-Jenkins, B., Ed., Brungard, D., Ed., Betts, M., Ed., [RFC7926] Farrel, A., Ed., Drake, J., Bitar, N., Swallow, G.,
Sprecher, N., and S. Ueno, "Requirements of an MPLS Ceccarelli, D., and X. Zhang, "Problem Statement and
Transport Profile", RFC 5654, DOI 10.17487/RFC5654, Architecture for Information Exchange between
September 2009, <https://www.rfc-editor.org/info/rfc5654>. Interconnected Traffic-Engineered Networks", BCP 206, RFC
7926, DOI 10.17487/RFC7926, July 2016, <https://www.rfc-
editor.org/info/rfc7926>.
[RFC7149] Boucadair, M. and C. Jacquenet, "Software-Defined [RFC8172] Morton, A., "Considerations for Benchmarking Virtual
Networking: A Perspective from within a Service Provider Network Functions and Their Infrastructure", RFC 8172, DOI
Environment", RFC 7149, DOI 10.17487/RFC7149, March 2014, 10.17487/RFC8172, July 2017, <https://www.rfc-
<https://www.rfc-editor.org/info/rfc7149>. editor.org/info/rfc8172>.
[RFC7209] Sajassi, A., Aggarwal, R., Uttaro, J., Bitar, N., [RFC8370] Beeram, V., Ed., Minei, I., Shakir, R., Pacella, D., and T.
Henderickx, W., and A. Isaac, "Requirements for Ethernet Saad, "Techniques to Improve the Scalability of RSVP-TE
VPN (EVPN)", RFC 7209, DOI 10.17487/RFC7209, May 2014, Deployments", RFC 8370, DOI 10.17487/RFC8370, May 2018,
<https://www.rfc-editor.org/info/rfc7209>. <https://www.rfc-editor.org/info/rfc8370>.
[RFC7926] Farrel, A., Ed., Drake, J., Bitar, N., Swallow, G., [RFC8403] Geib, R., Ed., Filsfils, C., Pignataro, C., Ed., and N.
Ceccarelli, D., and X. Zhang, "Problem Statement and Kumar, "A Scalable and Topology-Aware MPLS Data-Plane
Architecture for Information Exchange between Monitoring System", RFC 8403, DOI 10.17487/RFC8403, July
Interconnected Traffic-Engineered Networks", BCP 206, 2018, <https://www.rfc-editor.org/info/rfc8403>.
RFC 7926, DOI 10.17487/RFC7926, July 2016,
<https://www.rfc-editor.org/info/rfc7926>.
[RFC8172] Morton, A., "Considerations for Benchmarking Virtual [RFC8491] Tantsura, J., Chunduri, U., Aldrin, S., and L. Ginsberg,
Network Functions and Their Infrastructure", RFC 8172, "Signaling Maximum SID Depth (MSD) Using IS-IS", RFC 8491,
DOI 10.17487/RFC8172, July 2017, DOI 10.17487/RFC8491, November 2018, <https://www.rfc-
<https://www.rfc-editor.org/info/rfc8172>. editor.org/info/rfc8491>.
[RFC8370] Beeram, V., Ed., Minei, I., Shakir, R., Pacella, D., and [RFC8568] Bernardos, CJ., Rahman, A., Zuniga, JC., Contreras, LM.,
T. Saad, "Techniques to Improve the Scalability of RSVP-TE Aranda, P., and P. Lynch, "Network Virtualization Research
Deployments", RFC 8370, DOI 10.17487/RFC8370, May 2018, Challenges", RFC 8568, DOI 10.17487/RFC8568, April 2019,
<https://www.rfc-editor.org/info/rfc8370>. <https://www.rfc-editor.org/info/rfc8568>.
[RFC8403] Geib, R., Ed., Filsfils, C., Pignataro, C., Ed., and N. [RFC8577] Sitaraman, H., Beeram, V., Parikh, T., and T. Saad,
Kumar, "A Scalable and Topology-Aware MPLS Data-Plane "Signaling RSVP-TE Tunnels on a Shared MPLS Forwarding
Monitoring System", RFC 8403, DOI 10.17487/RFC8403, July Plane", RFC 8577, DOI 10.17487/RFC8577, April 2019,
2018, <https://www.rfc-editor.org/info/rfc8403>. <https://www.rfc-editor.org/info/rfc8577>.
[RFC8491] Tantsura, J., Chunduri, U., Aldrin, S., and L. Ginsberg, [RFC8578] Grossman, E., Ed., "Deterministic Networking Use Cases",
"Signaling Maximum SID Depth (MSD) Using IS-IS", RFC 8491, RFC 8578, DOI 10.17487/RFC8578, May 2019,
DOI 10.17487/RFC8491, November 2018, <https://www.rfc-editor.org/info/rfc8578>.
<https://www.rfc-editor.org/info/rfc8491>.
[RFC8568] Bernardos, CJ., Rahman, A., Zuniga, JC., Contreras, LM., [RFC8655] Finn, N., Thubert, P., Varga, B., and J. Farkas,
Aranda, P., and P. Lynch, "Network Virtualization Research "Deterministic Networking Architecture", RFC 8655, DOI
Challenges", RFC 8568, DOI 10.17487/RFC8568, April 2019, 10.17487/RFC8655, October 2019, <https://www.rfc-
<https://www.rfc-editor.org/info/rfc8568>. editor.org/info/rfc8655>.
[RFC8577] Sitaraman, H., Beeram, V., Parikh, T., and T. Saad, [RFC8665] Psenak, P., Previdi, S., Filsfils, C., Gredler, H., Shakir,
"Signaling RSVP-TE Tunnels on a Shared MPLS Forwarding R., Henderickx, W., and J. Tantsura, "OSPF Extensions for
Plane", RFC 8577, DOI 10.17487/RFC8577, April 2019, Segment Routing", RFC 8665, DOI 10.17487/RFC8665, December
<https://www.rfc-editor.org/info/rfc8577>. 2019, <https://www.rfc-editor.org/info/rfc8665>.
[RFC8578] Grossman, E., Ed., "Deterministic Networking Use Cases", [RFC8667] Previdi, S., Ginsberg, L., Filsfils, C., Bashandy, A.,
RFC 8578, DOI 10.17487/RFC8578, May 2019, Gredler, H., and B. Decraene, "IS-IS Extensions for
<https://www.rfc-editor.org/info/rfc8578>. Segment Routing", RFC 8667, DOI 10.17487/RFC8667, December
2019, <https://www.rfc-editor.org/info/rfc8667>.
[SFC] "Service Function Chaining", March , [SFC] "Service Function Chaining",
<https://datatracker.ietf.org/wg/sfc/about>. <https://datatracker.ietf.org/wg/sfc/about>.
[TS23501] "3GPP TS23.501", 2016, [TS23501] "3GPP TS23.501", 2019,
<https://portal.3gpp.org/desktopmodules/Specifications/ <https://portal.3gpp.org/desktopmodules/Specifications/Spe
SpecificationDetails.aspx?specificationId=3144>. cificationDetails.aspx?specificationId=3144>.
[TS28530] "3GPP TS28.530", 2016, [TS28530] "3GPP TS28.530", 2019,
<https://portal.3gpp.org/desktopmodules/Specifications/ <https://portal.3gpp.org/desktopmodules/Specifications/
SpecificationDetails.aspx?specificationId=3273>. SpecificationDetails.aspx?specificationId=3273>.
[TSN] "Time-Sensitive Networking", March , [TSN] "Time-Sensitive Networking", <https://1.ieee802.org/tsn/>.
<https://1.ieee802.org/tsn/>.
Authors' Addresses Authors' Addresses
Jie Dong Jie Dong
Huawei Huawei
Email: jie.dong@huawei.com Email: jie.dong@huawei.com
Stewart Bryant Stewart Bryant
Futurewei Futurewei
 End of changes. 324 change blocks. 
1314 lines changed or deleted 1164 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/