draft-ietf-nvo3-use-case-04.txt   draft-ietf-nvo3-use-case-05.txt 
skipping to change at page 1, line 13 skipping to change at page 1, line 13
Internet Draft Huawei Internet Draft Huawei
Category: Informational M. Toy Category: Informational M. Toy
Comcast Comcast
A. Isaac A. Isaac
Bloomberg Bloomberg
V. Manral V. Manral
Hewlett-Packard Hewlett-Packard
L. Dunbar L. Dunbar
Huawei Huawei
Expires: January 2015 July 1, 2014 Expires: August 2015 February 5, 2015
Use Cases for DC Network Virtualization Overlays Use Cases for Data Center Network Virtualization Overlays
draft-ietf-nvo3-use-case-04 draft-ietf-nvo3-use-case-05
Abstract Abstract
This document describes DC Network Virtualization (NVO3) use cases This document describes Data Center (DC) Network Virtualization over
that may be potentially deployed in various data centers and apply Layer 3 (NVO3) use cases that can be deployed in various data
to different applications. centers and serve to different applications.
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with This Internet-Draft is submitted to IETF in full conformance with
the provisions of BCP 78 and BCP 79. the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 46 skipping to change at page 1, line 46
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January, 2015. This Internet-Draft will expire on August 5, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License. warranty as described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction ................................................ 3 1. Introduction...................................................3
1.1. Contributors ........................................... 4 1.1. Terminology...............................................4
1.2. Terminology ............................................ 4 2. Basic Virtual Networks in a Data Center........................4
2. Basic Virtual Networks in a Data Center ..................... 4 3. DC Virtual Network and External Network Interconnection........6
3. Interconnecting DC Virtual Network and External Networks .... 6 3.1. DC Virtual Network Access via Internet....................6
3.1. DC Virtual Network Access via Internet ................. 6 3.2. DC VN and SP WAN VPN Interconnection......................7
3.2. DC VN and Enterprise Sites interconnected via SP WAN ... 7 4. DC Applications Using NVO3.....................................8
4. DC Applications Using NVO3 .................................. 8 4.1. Supporting Multiple Technologies and Applications.........8
4.1. Supporting Multi Technologies and Applications in a DC . 9 4.2. Tenant Network with Multiple Subnets......................9
4.2. Tenant Network with Multi-Subnets or across multi DCs .. 9 4.3. Virtualized Data Center (vDC)............................11
4.3. Virtualized Data Center (vDC) ......................... 11 5. Summary.......................................................12
5. OAM Considerations ......................................... 12 6. Security Considerations.......................................13
6. Summary .................................................... 13 7. IANA Considerations...........................................13
7. Security Considerations .................................... 14 8. References....................................................13
8. IANA Considerations ........................................ 14 8.1. Normative References.....................................13
9. Acknowledgements ........................................... 14 8.2. Informative References...................................13
10. References ................................................ 14 Contributors.....................................................14
10.1. Normative References ................................. 14 Acknowledgements.................................................15
10.2. Informative References ............................... 15 Authors' Addresses...............................................15
Authors' Addresses ............................................ 15
1. Introduction 1. Introduction
Server Virtualization has changed IT industry in terms of efficiency, Server Virtualization has changed the Information Technology (IT)
cost, and the speed in providing a new applications and/or services. industry in terms of the efficiency, cost, and speed of providing a
However, today's data center networks have limited support for cloud new applications and/or services. However traditional Data Center
applications and multi tenant networks.[NVO3PRBM] The goal of DC (DC) networks have some limits in supporting cloud applications and
Network Virtualization Overlays, i.e. NVO3, is to decouple the multi tenant networks [RFC7364]. The goal of Network Virtualization
communication among tenant systems from DC physical networks and to Overlays in DC is to decouple the communication among tenant systems
allow one physical network infrastructure to provide: 1) multi- from DC physical infrastructure networks and to allow one physical
tenant virtual networks and traffic isolation among the virtual network infrastructure to provide:
networks over the same physical network; 2) independent address
spaces in individual virtual networks such as MAC, IP, TCP/UDP etc;
3) Flexible VMs or workload placement including the ability to move
them from servers to other servers without requiring VM address and
configuration change and the ability doing a hot move in which no
disruption to the live application on VM. These characteristics will
help address the issues in today's cloud applications [NVO3PRBM].
An NVO3 network is necessary to interconnect with a physical network, o Multi-tenant virtual networks and traffic isolation among the
where tenant systems attach to the both networks. For examples: 1) virtual networks over the same physical network.
DCs that migrates toward NVO3 solution will be done in steps; 2) a
lot of DC applications are served to Internet users which exist on
physical networks; 3) some applications are CPU bound like Big Data
analytics and may not run on virtualized resources.
This document is to describe general NVO3 use cases that apply to o Independent address spaces in individual virtual networks such as
various data centers. Three types of the use cases described here MAC, IP, TCP/UDP etc.
are:
o Basic virtual networks in DC. All TS of the virtual networks are o Flexible Virtual Machines (VM) and/or workload placement
located within one DC. The Virtual networks can be either L2 or including the ability to move them from server to server without
L3. The number of Virtual Networks to be supported in NVO3 is requiring VM address and configuration change and the ability
usually more than what traditional VLAN can support. The case is doing a hot move with no disruption to the live application
often referred as to the DC East-West traffic. running on VMs.
o Virtual networks that span across multiple Data Centers or These characteristics of NVO3 help address the issues that cloud
customer premises, i.e. a Virtual Network that has some nodes in applications face in Data Centers [RFC7364].
a DC and other nodes in other places. An enterprise customer may
use a traditional VPN provided by a carrier or an IPsec tunnel
over Internet to connect the TSs across multiple DCs and customer
premises.
o DC applications or services that may use NVO3. Three scenarios An NVO3 network can interconnect with another physical network, i.e.,
are described: 1) use NVO3 and other network technologies to not the physical network that the NVO3 network is over. For example:
build a tenant network; 2) construct several virtual networks as 1) DCs that migrate toward NVO3 solution will be done in steps; 2)
a tenant network; 3) apply NVO3 to a virtualized DC (vDC). many DC applications serve to Internet cloud users who are on
physical networks; 3) some applications are CPU bound such as Big
Data analytics and may not run on virtualized resources.
The document uses the architecture reference model defined in This document describes general NVO3 use cases that apply to various
[NVO3FRWK] to describe the use cases. data centers. Three types of the use cases described here are:
1.1. Contributors o Basic NVO3 virtual networks in a DC (Section 2). All Tenant
Systems (TS) in virtual networks are located within one DC. The
individual virtual networks can be either Layer 2 (L2) or Layer 3
(L3). The number of virtual networks supported by NVO3 in a DC is
much higher than what traditional VLAN based virtual networks
[IEEE 802.1Q] can support. This case is often referred as to the
DC East-West traffic.
Vinay Bannai o Virtual networks that span across multiple Data Centers and/or to
PayPal customer premises, i.e., a virtual network that connects some
2211 N. First St, tenant systems in a DC interconnects another virtual or physical
San Jose, CA 95131 network outside the data center. An enterprise customer may use a
Phone: +1-408-967-7784 traditional carrier VPN or an IPsec tunnel over Internet to
Email: vbannai@paypal.com communicate its systems in the DC. This is described in Section 3.
Ram Krishnan o DC applications or services that may use NVO3 (Section 4). Three
Brocade Communications scenarios are described: 1) use NVO3 and other network
San Jose, CA 95134 technologies to build a tenant network; 2) construct several
Phone: +1-408-406-7890 virtual networks as a tenant network; 3) apply NVO3 to a
Email: ramk@brocade.com virtualized DC (vDC).
1.2. Terminology The document uses the architecture reference model defined in
[RFC7365] to describe the use cases.
This document uses the terminologies defined in [NVO3FRWK], 1.1. Terminology
This document uses the terminologies defined in [RFC7365] and
[RFC4364]. Some additional terms used in the document are listed [RFC4364]. Some additional terms used in the document are listed
here. here.
CPE: Customer Premise Equipment DMZ: Demilitarized Zone. A computer or small sub-network that sits
DMZ: Demilitarized Zone. A computer or small subnetwork that sits
between a trusted internal network, such as a corporate private LAN, between a trusted internal network, such as a corporate private LAN,
and an un-trusted external network, such as the public Internet. and an un-trusted external network, such as the public Internet.
DNS: Domain Name Service DNS: Domain Name Service
NAT: Network Address Translation NAT: Network Address Translation
VIRB: Virtual Integrated Routing/Bridging Note that a virtual network in this document is a virtual network in
DC that is implemented with NVO3 technology.
Note that a virtual network in this document is an overlay virtual
network instance.
2. Basic Virtual Networks in a Data Center 2. Basic Virtual Networks in a Data Center
A virtual network may exist within a DC. The network enables a A virtual network in a DC enables a communication among Tenant
communication among Tenant Systems (TS). A TS may be a physical Systems (TS). A TS can be a physical server/device or a virtual
server/device or a virtual machine (VM) on a server. A network machine (VM) on a server, i.e., end-device [RFC7365]. A Network
virtual edge (NVE) may be co-located with a TS, i.e. on a same end- Virtual Edge (NVE) can be co-located with a TS, i.e., on a same end-
device, or reside on a different device, e.g. a top of rack switch device, or reside on a different device, e.g., a top of rack switch
(ToR). A virtual network has a unique virtual network identifier (ToR). A virtual network has a virtual network identifier (can be
(may be local or global unique) for an NVE to properly differentiate global unique or local significant at NVEs).
it from other virtual networks.
Tenant Systems attached to the same NVE may belong to the same or Tenant Systems attached to the same NVE may belong to the same or
different virtual network. The multiple virtual networks can be different virtual networks. An NVE provides tenant traffic
constructed in a way so that the policies are enforced when the TSs forwarding/encapsulation and obtains tenant systems reachability
in one virtual network communicate with the TSs in other virtual information from Network Virtualization Authority (NVA)[NVO3ARCH].
networks. An NVE provides tenant traffic forwarding/encapsulation
and obtains tenant systems reachability information from Network
Virtualization Authority (NVA)[NVO3ARCH]. Furthermore in a DC
operators may construct many tenant networks that have no
communication in between at all. In this case, each tenant network
may use its own address spaces such as MAC and IP. One tenant
network may have one or more virtual networks.
A Tenant System may also be configured with one or multiple DC operators can construct many virtual networks that have no
addresses and participate in multiple virtual networks, i.e. use the communication in between at all. In this case, each virtual network
same or different address in different virtual networks. For can have its own address spaces such as MAC and IP. DC operators can
examples, a TS may be a NAT GW or a firewall and connect to more also construct multiple virtual networks in a way so that the
than one virtual network. policies are enforced when the TSs in one virtual network
communicate with the TSs in other virtual networks. This is referred
to as Distributed Gateway [NVO3ARCH].
A Tenant System can be configured with one or multiple addresses and
participate in multiple virtual networks, i.e., use the same or
different address in different virtual networks. For examples, a
Tenant System can be a NAT GW or a firewall and connect to more than
one virtual network.
Network Virtualization Overlay in this context means that a virtual Network Virtualization Overlay in this context means that a virtual
network is implemented with an overlay technology, i.e. traffic from network is implemented with an overlay technology, i.e., tenant
an NVE to another is sent via a tunnel between a pair of traffic is encapsulated at its local NVE and carried by a tunnel
NVEs.[NVO3FRWK] This architecture decouples tenant system address over DC IP network to another NVE where the packet is decapsulated
scheme and configuration from the infrastructure's, which brings a prior to sending to a target tenant system. This architecture
great flexibility for VM placement and mobility. This also makes the decouples tenant system address space and configuration from the
transit nodes in the infrastructure not aware of the existence of infrastructure's, which brings a great flexibility for VM placement
the virtual networks. One tunnel may carry the traffic belonging to and mobility. The technology results the transit nodes in the
different virtual networks; a virtual network identifier is used for infrastructure not aware of the existence of the virtual networks.
traffic demultiplexing. One tunnel may carry the traffic belonging to different virtual
networks; a virtual network identifier is used for traffic
demultiplexing.
A virtual network may be an L2 or L3 domain. The TSs attached to an A virtual network may be an L2 or L3 domain. The TSs attached to an
NVE may belong to different virtual networks that may be in L2 or NVE can belong to different virtual networks that are either in L2
L3. A virtual network may carry unicast traffic and/or or L3. A virtual network can carry unicast traffic and/or
broadcast/multicast/unknown traffic from/to tenant systems. There broadcast/multicast/unknown traffic from/to tenant systems. There
are several ways to transport BUM traffic.[NVO3MCAST] are several ways to transport virtual network BUM traffic
[NVO3MCAST].
It is worth to mention two distinct cases here. The first is that It is worth to mention two distinct cases regarding to NVE location.
TSs and NVE are co-located on a same end device, which means that The first is that TSs and an NVE are co-located on a same end device,
the NVE can be made aware of the TS state at any time via internal which means that the NVE can be aware of the TS state at any time
API. The second is that TSs and NVE are remotely connected, i.e. via internal API. The second is that TSs and an NVE reside on
connected via a switched network or point-to-point link. In this different devices that connect via a wire; in this case, a protocol
case, a protocol is necessary for NVE to know TS state. is necessary for NVE to know TS state [NVO3HYVR2NVE].
One virtual network may connect many TSs that attach to many One virtual network can provide connectivity to many TSs that attach
different NVEs. TS dynamic placement and mobility results in to many different NVEs in a DC. TS dynamic placement and mobility
frequent changes in the TS and NVE bindings. The TS reachbility results in frequent changes of the binding between a TS and an NVE.
update mechanism need be fast enough to not cause any service The TS reachbility update mechanisms need be fast enough so that the
interruption. The capability of supporting many TSs in a virtual updates do not cause any service interruption. The capability of
network and many more virtual networks in a DC is critical for NVO3 supporting many TSs in a virtual network and many more virtual
solution. networks in a DC is critical for NVO3 solution.
If a virtual network spans across multiple DC sites, one design is If a virtual network spans across multiple DC sites, one design is
to allow the network seamlessly to span across the sites without DC to allow the network seamlessly to span across the sites without DC
gateway routers' termination. In this case, the tunnel between a gateway routers' termination. In this case, the tunnel between a
pair of NVEs may in turn be tunneled over other intermediate tunnels pair of NVEs can be carried within other intermediate tunnels of the
over the Internet or other WANs, or the intra DC and inter DC Internet or other WANs, or the intra DC and inter DC tunnels can be
tunnels are stitched together to form an end-to-end virtual network stitched together to form a tunnel between the pair of NVEs that are
across DCs. in different DC sites. Both cases will form one virtual network
across multiple DC sites.
3. Interconnecting DC Virtual Network and External Networks 3. DC Virtual Network and External Network Interconnection
For customers (an enterprise or individuals) who utilize the DC For customers (an enterprise or individuals) who utilize DC
provider's compute and storage resources to run their applications, provider's compute and storage resources to run their applications,
they need to access their systems hosted in a DC through Internet or they need to access their systems hosted in a DC through Internet or
Service Providers' WANs. A DC provider may construct a virtual Service Providers' Wide Area Networks (WAN). A DC provider can
network that connect all the resources designated for a customer and construct a virtual network that provides the connectivity to all
allow the customer to access their resources via a virtual gateway the resources designated for a customer and allows the customer to
(vGW). This, in turn, becomes the case of interconnecting a DC access their resources via a virtual gateway (vGW). This, in turn,
virtual network and the network at customer site(s) via Internet or becomes the case of interconnecting a DC virtual network and the
WANs. Two cases are described here. network at customer site(s) via Internet or WANs. Two use cases are
described here.
3.1. DC Virtual Network Access via Internet 3.1. DC Virtual Network Access via Internet
A customer can connect to a DC virtual network via Internet in a A customer can connect to a DC virtual network via Internet in a
secure way. Figure 1 illustrates this case. A virtual network is secure way. Figure 1 illustrates this case. A virtual network is
configured on NVE1 and NVE2 and two NVEs are connected via an L3 configured on NVE1 and NVE2 and two NVEs are connected via an IP
tunnel in the Data Center. A set of tenant systems are attached to tunnel in the Data Center. A set of tenant systems are attached to
NVE1 on a server. The NVE2 resides on a DC Gateway device. NVE2 NVE1 on a server. The NVE2 resides on a DC Gateway device. NVE2
terminates the tunnel and uses the VNID on the packet to pass the terminates the tunnel and uses the VNID on the packet to pass the
packet to the corresponding vGW entity on the DC GW. A customer can packet to the corresponding vGW entity on the DC GW. A customer can
access their systems, i.e. TS1 or TSn, in the DC via Internet by access their systems, i.e., TS1 or TSn, in the DC via Internet by
using IPsec tunnel [RFC4301]. The IPsec tunnel is configured between using IPsec tunnel [RFC4301]. The IPsec tunnel is configured between
the vGW and the customer gateway at customer site. Either static the vGW and the customer gateway at customer site. Either static
route or BGP may be used for peer routes. The vGW provides IPsec route or iBGP may be used for routes update. The vGW provides IPsec
functionality such as authentication scheme and encryption. Note functionality such as authentication scheme and encryption; iBGP
that: 1) some vGW functions such as firewall and load balancer may protocol is carried within the IPsec tunnel. Some vGW features are
also be performed by locally attached network appliance devices; 2) listed below:
The virtual network in DC may use different address space than
external users, then vGW need to provide the NAT function; 3) more o Some vGW functions such as firewall and load balancer can be
than one IPsec tunnels can be configured for the redundancy; 4) vGW performed by locally attached network appliance devices.
may be implemented on a server or VM. In this case, IP tunnels or
IPsec tunnels may be used over DC infrastructure. o The virtual network in DC may use different address space than
external users, then vGW needs to provide the NAT function.
o More than one IPsec tunnels can be configured for the redundancy.
o vGW can be implemented on a server or VM. In this case, IP
tunnels or IPsec tunnels can be used over DC infrastructure.
o DC operators need to construct a vGW for each customer.
Server+---------------+ Server+---------------+
| TS1 TSn | | TS1 TSn |
| |...| | | |...| |
| +-+---+-+ | Customer Site | +-+---+-+ | Customer Site
| | NVE1 | | +-----+ | | NVE1 | | +-----+
| +---+---+ | | CGW | | +---+---+ | | CGW |
+------+--------+ +--+--+ +------+--------+ +--+--+
| * | *
L3 Tunnel * L3 Tunnel *
skipping to change at page 7, line 29 skipping to change at page 7, line 34
| | NVE2 | | .-.' * ) | | NVE2 | | .-.' * )
| +---+---+ | ( * Internet ) | +---+---+ | ( * Internet )
| +---+---+. | ( * / | +---+---+. | ( * /
| | vGW | * * * * * * * * '-' '-' | | vGW | * * * * * * * * '-' '-'
| +-------+ | | IPsec \../ \.--/' | +-------+ | | IPsec \../ \.--/'
| +--------+ | Tunnel | +--------+ | Tunnel
+----------------+ +----------------+
DC Provider Site DC Provider Site
Figure 1 DC Virtual Network Access via Internet Figure 1 - DC Virtual Network Access via Internet
3.2. DC VN and Enterprise Sites interconnected via SP WAN
An enterprise company may lease the VM and storage resources hosted 3.2. DC VN and SP WAN VPN Interconnection
in the 3rd party DC to run its applications. For example, the
company may run its web applications at 3 party sites but run
backend applications in own DCs. The Web applications and backend
applications need to communicate privately. The 3 party DC may
construct one or more virtual networks to connect all VMs and
storage running the Enterprise Web applications. The company may buy
a p2p private tunnel such as VPWS from a SP to interconnect its site
and the virtual network at the 3rd party site. A protocol is
necessary for exchanging the reachability between two peering points
and the traffic are carried over the tunnel. If an enterprise has
multiple sites, it may buy multiple p2p tunnels to form a mesh
interconnection among the sites and the third party site. This
requires each site peering with all other sites for route
distribution.
Another way to achieve multi-site interconnection is to use Service In this case, an Enterprise customer wants to use Service Provider
Provider (SP) VPN services, in which each site only peers with SP PE (SP) WAN VPN [RFC4364] [EVPN] to interconnect its sites and a
site. A DC Provider and VPN SP may build a DC virtual network (VN) virtual network in DC site. Service Provider constructs a VPN for
and VPN independently. The VPN interconnects several enterprise the enterprise customer. Each enterprise site peers with a SP PE.
sites and the DC virtual network at DC site, i.e. VPN site. The DC The DC Provider and VPN Service Provider can build a DC virtual
VN and SP VPN interconnect via a local link or a tunnel. The control network (VN) and VPN independently and interconnects the VN and VPN
plan interconnection options are described in RFC4364 [RFC4364]. In via a local link or a tunnel between DC GW and WAN PE devices. The
Option A with VRF-LITE [VRF-LITE], both DC GW and SP PE maintain a control plan interconnection options between the VN and VPN are
routing/forwarding table, and perform the table lookup in forwarding. described in RFC4364 [RFC4364]. In Option A with VRF-LITE [VRF-LITE],
In Option B, DC GW and SP PE do not maintain the forwarding table, both ASBRs, i.e., DC GW and SP PE, maintain a routing/forwarding
it only maintains the VN and VPN identifier mapping, and swap the table, and perform the table lookup in forwarding. In Option B, DC
identifier on the packet in the forwarding process. Both option A ASBR and SP ASBR do not maintain the forwarding table, it only
and B requires tunnel termination. In option C, DC GW and SP PE use maintains the VN and VPN identifier mapping, and swap the
the same identifier for VN and VPN, and just perform the tunnel identifiers on the packet in the forwarding process. Both option A
stitching, i.e. change the tunnel end points. Each option has and B requires tunnel termination. In option C, the VN and VPN use
pros/cons (see RFC4364) and has been deployed in SP networks the same identifier, and Both ASBRs perform the tunnel stitching,
depending on the applications. The BGP protocols may be used in i.e., change the tunnel end points. Each option has pros/cons (see
these options for route distribution. Note that if the provider DC RFC4364) and has been deployed in SP networks depending on the
is the SP Data Center, the DC GW and PE in this case may be on one applications. The BGP protocols can be used in these options for
device. route distribution. Note that if the DC is the SP Data Center, the
DC GW and SP PE in this case can be merged into one device that
performs the interworking of the VN and VPN.
This configuration allows the enterprise networks communicating to This configuration allows the enterprise networks communicating to
the tenant systems attached to the VN in a provider DC without the tenant systems attached to the VN in a DC provider site without
interfering with DC provider underlying physical networks and other interfering with DC provider underlying physical networks and other
virtual networks in the DC. The enterprise may use its own address virtual networks in the DC. The enterprise can use its own address
space on the tenant systems in the VN. The DC provider can manage space in the VN. The DC provider can manage which VM and storage
which VM and storage attachment to the VN. The enterprise customer attaching to the VN. The enterprise customer manages what
manages what applications to run on the VMs in the VN. See Section 4 applications to run on the VMs in the VN without the knowledge of
for more. VMs location in the DC. (See Section 4 for more)
The interesting feature in this use case is that the VN and compute Furthermore, in this use case, the DC operator can move the VMs
resource are managed by the DC provider. The DC operator can place assigned to the enterprise from one sever to another in the DC
them at any server without notifying the enterprise and WAN SP without the enterprise customer awareness, i.e., no impact on the
because the DC physical network is completely isolated from the enterprise 'live' applications running these resources. Such
carrier and enterprise network. Furthermore, the DC operator may advanced technologies bring DC providers great benefits in offering
move the VMs assigned to the enterprise from one sever to another in cloud applications but add some requirements for NVO3 [RFC7364] as
the DC without the enterprise customer awareness, i.e. no impact on well.
the enterprise 'live' applications running these resources. Such
advanced features bring DC providers great benefits in serving cloud
applications but also add some requirements for NVO3 [NVO3PRBM].
4. DC Applications Using NVO3 4. DC Applications Using NVO3
NVO3 brings DC operators the flexibility in designing and deploying NVO3 technology brings DC operators the flexibility in designing and
different applications in an end-to-end virtualization overlay deploying different applications in an end-to-end virtualization
environment, where the operators no longer need to worry about the overlay environment, where the operators no longer need to worry
constraints of the DC physical network configuration when creating about the constraints of the DC physical network configuration when
VMs and configuring a virtual network. DC provider may use NVO3 in creating VMs and configuring a virtual network. DC provider may use
various ways and also use it in the conjunction with physical NVO3 in various ways and also use it in the conjunction with other
networks in DC for many reasons. This section just highlights some physical networks in DC for a reason. This section just highlights
use cases. some use cases.
4.1. Supporting Multi Technologies and Applications in a DC 4.1. Supporting Multiple Technologies and Applications
Most likely servers deployed in a large data center are rolled in at Most likely servers deployed in a large data center are rolled in at
different times and may have different capacities/features. Some different times and may have different capacities/features. Some
servers may be virtualized, some may not; some may be equipped with servers may be virtualized, some may not; some may be equipped with
virtual switches, some may not. For the ones equipped with virtual switches, some may not. For the ones equipped with
hypervisor based virtual switches, some may support VxLAN [VXLAN] hypervisor based virtual switches, some may support VxLAN [RFC7348]
encapsulation, some may support NVGRE encapsulation [NVGRE], and encapsulation, some may support NVGRE encapsulation [NVGRE], and
some may not support any types of encapsulation. To construct a some may not support any types of encapsulation. To construct a
tenant network among these servers and the ToR switches, it may tenant network among these servers and the ToR switches, operators
construct one virtual network and one traditional VLAN network; or can construct one NVO3 virtual network and one traditional VLAN
two virtual networks that one uses VxLAN encapsulation and another network; or two virtual networks that one uses VxLAN encapsulation
uses NVGRE. and another uses NVGRE.
In these cases, a gateway device or virtual GW is used to In these cases, a gateway device or virtual GW is used to
participate in multiple virtual networks. It performs the packet participate in two virtual networks. It performs the packet
encapsulation/decapsulation and may also perform address mapping or encapsulation/decapsulation translation and may also perform address
translation, and etc. translation, and etc.
A data center may be also constructed with multi-tier zones. Each A data center may be also constructed with multi-tier zones. Each
zone has different access permissions and run different applications. zone has different access permissions and runs different
For example, the three-tier zone design has a front zone (Web tier) applications. For example, the three-tier zone design has a front
with Web applications, a mid zone (application tier) with service zone (Web tier) with Web applications, a mid zone (application tier)
applications such as payment and booking, and a back zone (database with service applications such as payment and booking, and a back
tier) with Data. External users are only able to communicate with zone (database tier) with Data. External users are only able to
the Web application in the front zone. In this case, the communicate with the Web application in the front zone. In this case,
communication between the zones must pass through the security the communication between the zones must pass through the security
GW/firewall. One virtual network may be configured in each zone and GW/firewall. One virtual network can be configured in each zone and
a GW is used to interconnect two virtual networks. If individual a GW is used to interconnect two virtual networks, i.e., two zones.
zones use the different implementations, the GW needs to support If individual zones use the different implementations, the GW needs
these implementations as well. to support these implementations as well.
4.2. Tenant Network with Multi-Subnets or across multi DCs 4.2. Tenant Network with Multiple Subnets
A tenant network may contain multiple subnets. The DC physical A tenant network may contain multiple subnets. The DC physical
network needs support the connectivity for many tenant networks. The network needs to support the connectivity for many tenant networks.
inter-subnets policies may be placed at some designated gateway The inter-subnet policies may be placed at some designated gateway
devices only. Such design requires the inter-subnet traffic to be devices only. Such design requires the inter-subnet traffic to be
sent to one of the gateways first for the policy checking, which may sent to one of the gateways first for the policy checking, which may
cause traffic hairpin at the gateway in a DC. It is desirable that cause traffic hairpin at the gateway in a DC. It is desirable that
an NVE can hold some policies and be able to forward inter-subnet an NVE can hold some policies and be able to forward inter-subnet
traffic directly. To reduce NVE burden, the hybrid design may be traffic directly. To reduce NVE burden, the hybrid design may be
deployed, i.e. an NVE can perform forwarding for the selected inter- deployed, i.e., an NVE can perform forwarding for the selected
subnets and the designated GW performs for the rest. For example, inter-subnets and the designated GW performs for the rest. For
each NVE performs inter-subnet forwarding for a tenant, and the example, each NVE performs inter-subnet forwarding for a tenant, and
designated GW is used for inter-subnet traffic from/to the different the designated GW is used for inter-subnet traffic from/to the
tenant networks. different tenant networks.
A tenant network may span across multiple Data Centers in distance. A tenant network may span across multiple Data Centers that are in
DC operators may configure an L2 VN within each DC and an L3 VN difference locations. DC operators may configure an L2 VN within
between DCs for a tenant network. For this configuration, the each DC and an L3 VN between DCs for a tenant network. For this
virtual L2/L3 gateway can be implemented on DC GW device. Figure 2 configuration, the virtual L2/L3 gateway can be implemented on DC GW
illustrates this configuration. device. Figure 2 illustrates this configuration.
Figure 2 depicts two DC sites. The site A constructs one L2 VN, say Figure 2 depicts two DC sites. The site A constructs one L2 VN, say
L2VNa, on NVE1, NVE2, and NVE3. NVE1 and NVE2 reside on the servers L2VNa, on NVE1, NVE2, and NVE3. NVE1 and NVE2 reside on the servers
which host multiple tenant systems. NVE3 resides on the DC GW device. which host multiple tenant systems. NVE3 resides on the DC GW device.
The site Z has similar configuration with L2VNz on NVE3, NVE4, and The site Z has similar configuration with L2VNz on NVE3, NVE4, and
NVE6. One L3 VN, say L3VNx, is configured on the NVE5 at site A and NVE6. One L3 VN, say L3VNx, is configured on the NVE5 at site A and
the NVE6 at site Z. An internal Virtual Interface of Routing and the NVE6 at site Z. An internal Virtual Interface of Routing and
Bridging (VIRB) is used between L2VNI and L3VNI on NVE5 and NVE6, Bridging (VIRB) is used between L2VNI and L3VNI on NVE5 and NVE6,
respectively. The L2VNI is the MAC/NVE mapping table and the L3VNI respectively. The L2VNI is the MAC/NVE mapping table and the L3VNI
is the IP prefix/NVE mapping table. A packet to the NVE5 from L2VNa is the IP prefix/NVE mapping table. A packet to the NVE5 from L2VNa
will be decapsulated and converted into an IP packet and then will be decapsulated and converted into an IP packet and then
encapsulated and sent to the site Z. The policies can be checked at encapsulated and sent to the site Z. The policies can be checked at
VIRB. VIRB.
Note that the L2VNa, L2VNz, and L3VNx in Figure 2 are overlay Note that the L2VNa, L2VNz, and L3VNx in Figure 2 are NVO3 virtual
virtual networks. networks.
NVE5/DCGW+------------+ +-----------+ NVE6/DCGW NVE5/DCGW+------------+ +-----------+ NVE6/DCGW
| +-----+ | '''''''''''''''' | +-----+ | | +-----+ | '''''''''''''''' | +-----+ |
| |L3VNI+----+' L3VNx '+---+L3VNI| | | |L3VNI+----+' L3VNx '+---+L3VNI| |
| +--+--+ | '''''''''''''''' | +--+--+ | | +--+--+ | '''''''''''''''' | +--+--+ |
| |VIRB | | VIRB| | | |VIRB | | VIRB| |
| +--+---+ | | +---+--+ | | +--+---+ | | +---+--+ |
| |L2VNIs| | | |L2VNIs| | | |L2VNIs| | | |L2VNIs| |
| +--+---+ | | +---+--+ | | +--+---+ | | +---+--+ |
+----+-------+ +------+----+ +----+-------+ +------+----+
skipping to change at page 11, line 10 skipping to change at page 10, line 44
| +--+--+ | | +--+--+ | | +---+-+ | | +--+--+ | | +--+--+ | | +--+--+ | | +---+-+ | | +--+--+ |
| |L2VNI| | | |L2VNI| | | |L2VNI| | | |L2VNI| | | |L2VNI| | | |L2VNI| | | |L2VNI| | | |L2VNI| |
| ++---++ | | ++---++ | | ++---++ | | ++---++ | | ++---++ | | ++---++ | | ++---++ | | ++---++ |
+--+---+--+ +--+---+--+ +--+---+--+ +--+---+--+ +--+---+--+ +--+---+--+ +--+---+--+ +--+---+--+
|...| |...| |...| |...| |...| |...| |...| |...|
Tenant Systems Tenant Systems Tenant Systems Tenant Systems
DC Site A DC Site Z DC Site A DC Site Z
Figure 2 Tenant Virtual Network with Bridging/Routing Figure 2 - Tenant Virtual Network with Bridging/Routing
4.3. Virtualized Data Center (vDC) 4.3. Virtualized Data Center (vDC)
Enterprise DC's today may deploy routers, switches, and network An Enterprise Data Center today may deploy routers, switches, and
appliance devices to construct its internal network, DMZ, and network appliance devices to construct its internal network, DMZ,
external network access and have many servers and storage running and external network access; it may have many servers and storage
various applications. A DC Provider may construct a virtualized DC running various applications. With NVO3 technology, a DC Provider
over its DC infrastructure and offer a virtual DC service to can construct a virtualized DC over its DC infrastructure and offer
enterprise customers. A vDC provides the same capability as a a virtual DC service to enterprise customers. A vDC at DC Provider
physical DC. A customer manages what and how applications to run in site provides the same capability as a physical DC at the customer
the vDC. Instead of using many hardware devices to do it, with the site. A customer manages what and how applications to run in its
network virtualization overlay technology, DC operators may build vDC. DC Provider can further offer different network service
such vDCs on top of a common DC infrastructure for many such functions to a vDC. The network service functions may include
customers and offer network service functions to a vDC. The network firewall, DNS, load balancer, gateway, and etc.
service functions may include firewall, DNS, load balancer, gateway,
etc. The network virtualization overlay further enables potential
for vDC mobility when a customer moves to different locations
because vDC configuration is decouple from the infrastructure
network.
Figure 3 below illustrates one scenario. For the simple Figure 3 below illustrates one scenario. For the simple
illustration, it only shows the L3 VN or L2 VN as virtual routers or illustration, it only shows the L3 VN or L2 VN in abstraction. In
switches. In this case, DC operators create several L2 VNs (L2VNx, this example, DC Provider operators create several L2 VNs (L2VNx,
L2VNy, L2VNz) in Figure 3 to group the tenant systems together per L2VNy, L2VNz) to group the tenant systems together per application
application basis, create one L3 VN, e.g. VNa for the internal basis, create one L3 VN, e.g., VNa for the internal routing. A
routing. A net device (may be a VM or server) runs firewall/gateway network function, firewall and gateway, runs on a VM or server that
applications and connects to the L3VNa and Internet. A load balancer connects to the L3VNa and is used for inbound and outbound traffic
(LB) is used in L2 VNx. A VPWS p2p tunnel is also built between the process. A load balancer (LB) is used in L2 VNx. A VPN is also built
gateway and enterprise router. Enterprise customer runs between the gateway and enterprise router. Enterprise customer runs
Web/Mail/Voice applications at the provider DC site; lets the users Web/Mail/Voice applications on VMs at the provider DC site that can
at Enterprise site to access the applications via the VPN tunnel and spread out on many servers; the users at Enterprise site access the
Internet via a gateway at the Enterprise site; let Internet users applications running in the provider DC site via the VPN; Internet
access the applications via the gateway in the provider DC. users access these applications via the gateway/firewall at the
provider DC.
The customer decides which applications are accessed by intranet Enterprise customer decides which applications are accessed by
only and which by both intranet and extranet and configures the intranet only and which by both intranet and extranet and configures
proper security policy and gateway function. Furthermore a customer the proper security policy and gateway function at firewall/gateway.
may want multi-zones in a vDC for the security and/or set different Furthermore an enterprise customer may want multi-zones in a vDC
QoS levels for the different applications. (See section 4.1) for the security and/or set different QoS levels
for the different applications.
This use case requires the NVO3 solution to provide the DC operator The vDC use case requires the NVO3 solution to provide the DC
an easy way to create a VN and NVEs for any design and to quickly operators an easy and quick way to create a VN and NVEs for any vDC
assign TSs to VNIs on a NVE they attach to, easily to set up virtual design, to allocate TSs and assign TSs to the corresponding VN, and
topology and place or configure policies on an NVE or VMs that run to illustrate vDC topology and manage/configure individual elements
net services, and support VM mobility. Furthermore a DC operator in the vDC via the vDC topology.
and/or customer should be able to view the vDC topology and access
individual virtual components in the vDC. Either DC provider or
tenant can provision virtual components in the vDC. It is desirable
to automate the provisioning process and have programmability.
Internet ^ Internet Internet ^ Internet
| |
^ +--+---+ ^ +--+---+
| | GW | | | GW |
| +--+---+ | +--+---+
| | | |
+-------+--------+ +--+---+ +-------+--------+ +--+---+
|Firewall/Gateway+--- VPN-----+router| |Firewall/Gateway+--- VPN-----+router|
+-------+--------+ +-+--+-+ +-------+--------+ +-+--+-+
skipping to change at page 12, line 39 skipping to change at page 12, line 29
+-+-+ | | +-+-+ | |
...+... ...+... ...+... ...+... ...+... ...+...
: L2VNx : : L2VNy : : L2VNx : : L2VNx : : L2VNy : : L2VNx :
....... ....... ....... ....... ....... .......
|..| |..| |..| |..| |..| |..|
| | | | | | | | | | | |
Web Apps Mail Apps VoIP Apps Web Apps Mail Apps VoIP Apps
Provider DC Site Provider DC Site
firewall/gateway and Load Balancer (LB) may run on a server or VMs Figure 3 - Virtual Data Center (vDC)
Figure 3 Virtual Data Center by Using NVO3
5. OAM Considerations
NVO3 brings the ability for a DC provider to segregate tenant
traffic. A DC provider needs to manage and maintain NVO3 instances.
Similarly, the tenant needs to be informed about underlying network
failures impacting tenant applications or the tenant network is able
to detect both overlay and underlay network failures and builds some
resiliency mechanisms.
Various OAM and SOAM tools and procedures are defined in [IEEE
802.1ag], [ITU-T Y.1731], [RFC4378], [RFC5880], [ITU-T Y.1564] for
L2 and L3 networks, and for user, including continuity check,
loopback, link trace, testing, alarms such as AIS/RDI, and on-demand
and periodic measurements. These procedures may apply to tenant
overlay networks and tenants not only for proactive maintenance, but
also to ensure support of Service Level Agreements (SLAs).
As the tunnel traverses different networks, OAM messages need to be
translated at the edge of each network to ensure end-to-end OAM.
6. Summary 5. Summary
The document describes some general potential use cases of NVO3 in This document describes some general potential use cases of NVO3 in
DCs. The combination of these cases should give operators DCs. The combination of these cases will give operators flexibility
flexibility and capability to design more sophisticated cases for and capability to design more sophisticated cases for various cloud
various purposes. applications.
DC services may vary from infrastructure as a service (IaaS), DC services may vary from infrastructure as a service (IaaS),
platform as a service (PaaS), to software as a service (SaaS), in platform as a service (PaaS), to software as a service (SaaS), in
which the network virtualization overlay is just a portion of an which NVO3 virtual networks are just a portion of such services.
application service. NVO3 decouples the service
construction/configurations from the DC network infrastructure
configuration, and helps deployment of higher level services over
the application.
NVO3's underlying network provides the tunneling between NVEs so NVO3 uses tunnel technique so that two NVEs appear as one hop to
that two NVEs appear as one hop to each other. Many tunneling each other in a virtual network. Many tunneling technologies can
technologies can serve this function. The tunneling may in turn be serve this function. The tunneling may in turn be tunneled over
tunneled over other intermediate tunnels over the Internet or other other intermediate tunnels over the Internet or other WANs.
WANs. It is also possible that intra DC and inter DC tunnels are
stitched together to form an end-to-end tunnel between two NVEs.
A DC virtual network may be accessed by external users in a secure A DC virtual network may be accessed by external users in a secure
way. Many existing technologies can help achieve this. way. Many existing technologies can help achieve this.
NVO3 implementations may vary. Some DC operators prefer to use NVO3 implementations may vary. Some DC operators prefer to use
centralized controller to manage tenant system reachbility in a centralized controller to manage tenant system reachbility in a
tenant network, other prefer to use distributed protocols to virtual network, other prefer to use distributed protocols to
advertise the tenant system location, i.e. associated NVEs. For the advertise the tenant system location, i.e., NVE location. When a
migration and special requirement, the different solutions may apply tenant network spans across multiple DCs and WANs, each network
to one tenant network in a DC. When a tenant network spans across administration domain may use different methods to distribute the
multiple DCs and WANs, each network administration domain may use tenant system locations. Both control plane and data plane
different methods to distribute the tenant system locations. Both interworking are necessary.
control plane and data plane interworking are necessary.
7. Security Considerations 6. Security Considerations
Security is a concern. DC operators need to provide a tenant a Security is a concern. DC operators need to provide a tenant a
secured virtual network, which means one tenant's traffic isolated secured virtual network, which means one tenant's traffic isolated
from the other tenant's traffic and non-tenant's traffic; they also from other tenant's traffic and non-tenant's traffic; they also need
need to prevent DC underlying network from any tenant application to prevent DC underlying network from any tenant application
attacking through the tenant virtual network or one tenant attacking through the tenant virtual network or one tenant
application attacking another tenant application via DC networks. application attacking another tenant application via DC
For example, a tenant application attempts to generate a large infrastructure network. For example, a tenant application attempts
volume of traffic to overload DC underlying network. The NVO3 to generate a large volume of traffic to overload DC underlying
solution has to address these issues. network. The NVO3 solution has to address these issues.
8. IANA Considerations 7. IANA Considerations
This document does not request any action from IANA. This document does not request any action from IANA.
9. Acknowledgements 8. References
Authors like to thank Sue Hares, Young Lee, David Black, Pedro 8.1. Normative References
Marques, Mike McBride, David McDysan, Randy Bush, Uma Chunduri, and
Eric Gray for the review, comments, and suggestions.
10. References [RFC7364] Narten, T., et al "Problem Statement: Overlays for Network
Virtualization", RFC7364, October 2014.
10.1. Normative References [RFC7365] Lasserre, M., Motin, T., and et al, "Framework for DC
Network Virtualization", RFC7365, October 2014.
[RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private 8.2. Informative References
Networks (VPNs)", RFC 4364, February 2006.
[IEEE 802.1ag] "Virtual Bridged Local Area Networks - Amendment 5: [EVPN] Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A. and J.
Connectivity Fault Management", December 2007. Uttaro, "BGP MPLS Based Ethernet VPN", Work in Progress,
draft-ietf-l2vpn-evpn-11, work in progress.
[ITU-T G.8013/Y.1731] OAM Functions and Mechanisms for Ethernet [IEEE 802.1Q] IEEE, "IEEE Standard for Local and metropolitan area
based Networks, 2011. networks -- Media Access Control (MAC) Bridges and Virtual
Bridged Local Area", IEEE Std 802.1Q, 2011.
[ITU-T Y.1564] "Ethernet service activation test methodology", 2011. [NVO3HYVR2NVE] Li, Y., et al, "Hypervisor to NVE Control Plane
Requirements", draft-ietf-nvo3-hpvr2nve-cp-req-01, work in
progress.
[RFC4378] Allan, D., Nadeau, T., "A Framework for Multi-Protocol [NVGRE] Sridharan, M., "NVGRE: Network Virtualization using Generic
Label Switching (MPLS) Operations and Management (OAM)", Routing Encapsulation", draft-sridharan-virtualization-
RFC4378, February 2006 nvgre-07, work in progress.
[NVO3ARCH] Black, D., et al, "An Architecture for Overlay Networks
(NVO3)", draft-ietf-nvo3-arch-02, work in progress.
[NVO3MCAST] Ghanwani, A., "Framework of Supporting Applications
Specific Multicast in NVO3", draft-ghanwani-nvo3-app-
mcast-framework-02, work in progress.
[RFC4301] Kent, S., "Security Architecture for the Internet [RFC4301] Kent, S., "Security Architecture for the Internet
Protocol", rfc4301, December 2005 Protocol", rfc4301, December 2005
[RFC5880] Katz, D. and Ward, D., "Bidirectional Forwarding Detection [RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
(BFD)", rfc5880, June 2010. Networks (VPNs)", RFC 4364, February 2006.
10.2. Informative References
[NVGRE] Sridharan, M., "NVGRE: Network Virtualization using Generic [RFC7348] Mahalingam,M., Dutt, D., ific Multicast in etc "VXLAN: A
Routing Encapsulation", draft-sridharan-virtualization- Framework for Overlaying Virtualized Layer 2 Networks over
nvgre-03, work in progress. Layer 3 Networks", RFC7348 August 2014.
[NVO3ARCH] Black, D., et al, "An Architecture for Overlay Networks [VRF-LITE] Cisco, "Configuring VRF-lite", http://www.cisco.com
(NVO3)", draft-ietf-nvo3-arch-00, work in progress.
[NVO3PRBM] Narten, T., et al "Problem Statement: Overlays for Contributors
Network Virtualization", draft-ietf-nvo3-overlay-problem-
statement-04, work in progress.
[NVO3FRWK] Lasserre, M., Motin, T., and et al, "Framework for DC Vinay Bannai
Network Virtualization", draft-ietf-nvo3-framework-04, PayPal
work in progress. 2211 N. First St,
San Jose, CA 95131
Phone: +1-408-967-7784
Email: vbannai@paypal.com
[NVO3MCAST] Ghanwani, A., "Multicast Issues in Networks Using NVO3", Ram Krishnan
draft-ghanwani-nvo3-mcast-issues-00, work in progress. Brocade Communications
San Jose, CA 95134
Phone: +1-408-406-7890
Email: ramk@brocade.com
[VRF-LITE] Cisco, "Configuring VRF-lite", http://www.cisco.com Acknowledgements
[VXLAN] Mahalingam,M., Dutt, D., etc "VXLAN: A Framework for Authors like to thank Sue Hares, Young Lee, David Black, Pedro
Overlaying Virtualized Layer 2 Networks over Layer 3 Marques, Mike McBride, David McDysan, Randy Bush, Uma Chunduri, and
Networks", draft-mahalingam-dutt-dcops-vxlan-06.txt, work Eric Gray for the review, comments, and suggestions.
in progress.
Authors' Addresses Authors' Addresses
Lucy Yong Lucy Yong
Phone: +1-918-808-1918 Phone: +1-918-808-1918
Email: lucy.yong@huawei.com Email: lucy.yong@huawei.com
Mehmet Toy Mehmet Toy
Comcast Comcast
 End of changes. 85 change blocks. 
393 lines changed or deleted 352 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/