Network N. So Internet Draft D. McDysan Intended status: Informational Verizon, Inc Expires: April 2012 H.Yu TW Telecom J. Heinz Century Link October 26, 2011October 25, 2011 Requirements for VPN-Oriented Data Center Services draft-so-vdcs-02.txt Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. This document may not be modified, and derivative works of it may not be created, and it may not be published except as an Internet-Draft. This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. This document may not be modified, and derivative works of it may not be created, except to publish it as an RFC and to translate it into languages other than English. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html This Internet-Draft will expire on April 26,25, 2012. So Expires December 8,2011 [Page 1] Internet-Draft VPN-oriented Data Center Services October 2011 Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Abstract This contribution addresses the service providers' requirements to support VPN-Oriented data center services. It describes the characteristics and the framework of VPN-oriented data center services and specifies the requirements on how to maintain and manage the virtual resources within data center resources and the supporting network infrastructures for those services. Table of Contents 1. Introduction....................................................3 2. Conventions used in this document...............................4 3. Service defination and requirements.............................4 3.1. VPN-oriented data center computing services...................4 3.1.1. VPN-oriented data center computer service requirements......4 3.2. VPN-oriented data center storage services.....................5 3.2.1. VPN-oriented data center storage services requirments.......5 4. Requirments for data center networks in supporting VDCS.........6 4.1. Requirments for extending VPNs into data center using VPN gateways...........................................................6 4.2. Requirments for extending VPNs into data center using intra- data center VPN....................................................8 5. Data center resource management requirments for VDCS............8 6. Security requirements...........................................9 7. Other requirements..............................................9 8. References.....................................................10 So Expires December 26,25,2011 [Page 2] Internet-Draft VPN-oriented Data Center Services October 2011 9. Acknowledgements...............................................13 1. Introduction Layer 2 and 3 VPN services offer secure and logically dedicated reachability among multiple sites for enterprises. VPN-oriented data center service is for those VPN customers who want to offload some dedicated user data center operations such as software, compute, and storage, to the shared carrier data centers. Those customers often do not want to use public Internet as the primary network accessing and handling the traffic between the customer (user and user data centers) and the carrier data centers. Instead, they would prefer to use the carrier data center as a natural extension of the VPN they are already using, realizing the benefits of a multi-tenant data center while retaining as much control as possible. For example, they want to maintain the restrictive control on what and how the virtualized data center resources, e.g., computing power, disk space, and/or application licenses, can be shared. VPN-Oriented Data center Services allow the VPN services to be extended into carrier data centers and to control the virtual resource sharing functions. As a carrier, a VPN-Oriented data center service product may be offered globally across multiple data centers. Some of the data centers may be owned by the cloud service provider, while others may be owned by a partner of the service provider and/or an enterprise user. In addition, multiple VPN- oriented data center Service products (e.g. SaaS and PaaS) can be offered from the same data center. VPN-Oriented data center services differentiate it from other carrier data center services in the following aspects: o Strictly maintaining the secure, reliable, and logical isolation characteristics of VPN for the end-to-end services provided. o Making the traditional data center services (like computing, storage space, or application licenses) as additional attributes attached to VPNs. o VPN is aware of how and what data center resources are associated with the VPN. So Expires December 26,25,2011 [Page 3] Internet-Draft VPN-oriented Data Center Services October 2011 This draft describes the characteristics of those services, the service requirements, and the corresponding requirements to data center networks. It also describes a list of the problems that this service is causing to the network provider/operator, especially for the existing VPN customers. These issues must be addressed in order for service providers to facilitate the addition of virtualized services to the VPNs of existing customers. 2. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [RFC2119]. In this document, these words will appear with that interpretation only when in ALL CAPS. Lower case uses of these words are not to be interpreted as carrying RFC-2119 significance. 3. Service definitions and requirements 3.1. Virtual Private Computing Service (VPCS) This refers to Virtual Machines (VMs) and/or physical servers in a virtualized carrier data center being attached to a customer VPN. It is also known as National Institute of Science and Technology (NIST)'s Infrastructure-as-a-Service (IssS) being attached to a customer VPN. The customer can choose different properties on the computing power, preference on which data center to host those servers, and etc. 3.1.1. Virtual private computing services requirements These requirements apply to all VPN-oriented data center services defined in this draft unless specified otherwise. o Any virtualized carrier data center providing VPCS SHALL be able to automatically provision and/or change the resources associated with the VM/Servers based on the signaled messages through the VPN. For example, the resources CAN be bandwidth, amount of memory, and/or CPU cycles associated with the VMs. o VPN customers SHALL be able to automatically instantiate or remove Virtual Machines (VMs) inside the provider's DC using inband signaling requests sent by the user's host (VM/server). So Expires December 26,25,2011 [Page 4] Internet-Draft VPN-oriented Data Center Services October 2011 o VPN customers SHOULD be able to move VMs among customer private data centers and carrier data centers based on their own load balancing criteria and algorithm. o VPN customers SHALL be able to monitor, log, and track all VM/server related usage information on per VPN basis. o VPN customers SHALL be able to control if and how VM mobility can occur. 3.2. Virtual private storage service (VPSS) This refers to disk space, either virtual or actual blocks of hard drives in data centers, being added to a customer's VPN 3.2.1. VPN-oriented data center storage service requirements o The VPN customer SHOULD be able to choose different content replication properties. For example, the customer can control if the content has to be replicated locally or has to be replicated at a geographically different location (identifiable by the customer if needed and subject to latency constraint); if the storage has to be co-located with certain VMs/hosts; or which VMs/hosts have access to the content, and etc. o These storage properties SHOULD be associated with the VPN. Any data center providing the storage space for a VPN SHOULD be able to automatically provision or change the required storage space based on the properties associated with the VPN. o The VPN customer SHOULD be able to automatically add disc space or remove disc space to the VPN's associated storage through the changing of the VPN properties. o The VPN customer SHOULD have the ability to specify the stored content life cycle management properties. Those properties include but not limited to how long the stored content shall be stored and how it should be erased/deleted. o Control of whether data is encrypted. o Specify required access speed for a storage hierarchy. So Expires December 26,25,2011 [Page 5] Internet-Draft VPN-oriented Data Center Services October 2011 4. Requirements for Data Center networks in support of VPN-Oriented Data center Services The success of VPN services in the enterprise and the government world is largely due to its ability to virtually segregate the customer traffic at layer 2 and layer 3. The lower the layer that segregation can be maintained, the safer it is for the customers from security and privacy perspectives. Today's Data Centers use VLANs to segregate servers and traffic from different customers. Since each customer usually needs multiple service zones to place different applications, each customer usually needs multiple VLANs. Even small data centers today can have thousands of VLANs. Therefore, pure VLAN segregation is not enough for large data centers. In addition, since carrier data center resources can be viewed as added attributes to VPNs, traffic segregation per VPN becomes an essential requirement to VPN-oriented data center services because of its ability to control the data center virtual resources' assignments, thus ensuring end-to-end resource allocation for service level performance insurance as well as manageability. 4.1. Requirement for extending VPNs into data center networks using VPN gateways When a data center does not use L2VPN or L3VPN as the intra-data center network, but still wants to provide the VPN-oriented data center services for external VPN customers, a VPN gateway function can be added to the data center networks to extend the external VPNs into the data center networks and to connect with the VMs and virtual storage. (Note that L2/3 data center network technology used can include TRILL, PBB, SPB, OpenFlow, STP, etc.) The VPN gateway function has to meet the following requirements: o Each external L2/L3VPN SHALL be given a unique Identification (ID), and the traffic separation within the data center SHALL be maintained per ID. o Each data center Service associated with a VPN SHALL be transmitted over an unique set of intra-data center network connections (logical or physical). o The VPN gateway SHOULD maintain a record and the mapping of virtual and physical data center resources to physical/logical connections associated with each specific VPN running the VPN-oriented data center services. o The carrier and the customer SHALL be able to monitor the resource assignment and usage per VPN per service. So Expires December 26,25,2011 [Page 6] Internet-Draft VPN-oriented Data Center Services October 2011 o The customer SHOULD be able to dynamically re-configure the data center resources assignment and allocation per services and/or per VM through the re-configuration of its VPN properties. o Beyond L2/L3 reachability, VPN gateway SHALL support multiple services per VPN. o VPN gateway SHOULD have the capability to differentiate QoS within the VPN on per service basis. For example, storage service may have higher QoS requirement than computing service. o VPN gateway SHOULD support multiple external VPN instances and SHOULD be able to map them to the associated services. o VPN gateway SHALL maintain the reportable record of how traffic separation per VPN is achieved through the data center network. o Each external VPN SHALL be given a unique Identification (ID), and the traffic separation within the data center SHALL be maintained per ID. o The VPN gateway SHOULD maintain a record and the mapping of virtual and physical data center resources to physical/logical connections associated with each specific VPN running the VPN-oriented data center services. o The VPN gateway SHOULD be able to control the traffic flow and assign the dedicated virtual resources accordingly. o The carrier and the customer SHALL be able to monitor the resource assignment and usage per VPN per service. o The customer SHOULD be able to dynamically re-configure the data center resources assignment and allocation per services and/or per VM through the re-configuration of its VPN properties. o VPN gateway SHALL support multiple services per VPN. o VPN gateway SHOULD have the capability to differentiate QoS within the VPN on per service basis. For example, storage service may have higher QoS requirement than computing service. o VPN gateway SHOULD support multiple external VPN instances and SHOULD be able to map them to the associated services. o VPN gateway SHALL maintain the reportable record of how traffic separation per VPN is achieved through the data center network. VPN Gateway SHOULD be able to allocated intra-data center network resources according to external VPN So Expires December 26,25,2011 [Page 7] Internet-Draft VPN-oriented Data Center Services October 2011 network's requirements dynamically for bandwidth, QoS and traffic engineering purpose. 4.2. Requirement for extending VPNs into data center networks using intra-data center VPN When a L2/3 VPN is used as the network technology inside the data center, each external VPN SHALL be mapped to a unique internal VPN. 5. Data Center Resource Management Requirements for VPN-oriented Data center Services Today, data center server resources are managed by data center servers' administrators or management systems, and supported by hypervisors on the servers. This process is invisible to the underlying networks. The data center management functions include managing servers, instantiating hosts to VMs, managing disk space, and etc. Traffic loading and balancing and QoS assignments for data center networks are not easily considered by some Data Center server administration systems. Therefore, there is an interworking gap between the networks and the Data Center's server administration systems. This gap needs to be filled in order for the VPN-oriented data center service to operate. o The resources in data center MUST be partitioned per VPN. o The data center service orchestration system SHALL have the ability to dedicate a specific block of disk space per services per VPN. The dedicated block of disk space CAN be maintained permanently or temporarily per VPN requirement, controlled by the associated properties of VPN. o The carrier and the VPN customer SHALL be able to monitor the dedicated block of disk space per VPN per services. o If a VPN specifies its associated storage space to be accessible only by certain hosts, the VPN customer SHALL have the ability to indicate the mechanism used to prevent the unwanted data retrieval for the block of disk space after it is no longer used by the VPN, before it can be re-used by other parties. So Expires December 26,25,2011 [Page 8] Internet-Draft VPN-oriented Data Center Services October 2011 o The VPN SHALL have the ability to request dedicated network resources within the data center such as bandwidth and QoS settings. o The VPN SHALL have the ability to hold the requested resources without sharing with any other parties. o The external VPN's QoS assignments SHOULD be able to synchronize with the data center virtual resources' QoS assignments. 6. Security Requirements o VPN-Oriented Data center Service SHOULD support a variety of security measures in securing tenancy of virtual resources such as resource locking, containment, authentication, access control, encryption, integrity measure, and etc. o The VPN-Oriented Data center Service SHOULD allow the security to be configured end-to-end on a per-VPN/per-service/per-user basis. For example, the Data center Systems SHOULD be able to resource- lock resources such as memory, and also SHOULD be able provide a cleaning function to insure confidentiality before being reallocated. o VPN-Oriented Data center Service SHOULD be able to specify an authentication mechanism based for both header and payload. Encryption algorithm CAN also be specified to provide additional security. o Security boundaries CAN be specified and created per VPN to maintain domains of TRUSTED, UNTRUSTED, and Hybrid. Within each domain access control, additional techniques MAY be specified to secure resources and administrative domains. 7. Other Requirements o The VPN-Oriented Data center Service SHALL support host-to-host configuration exchanges via inband signaling. So Expires December 26,25,2011 [Page 9] Internet-Draft VPN-oriented Data Center Services October 2011 o The VPN-Oriented data center service solution MUST have sufficient OAM mechanisms in place to allow consistent end-to-end management of the solution in existing deployed networks. The solution SHOULD use existing protocols (e.g., IEEE 802.1ag, ITU-T Y.1731, BFD) wherever possible to facilitate interoperability with existing OAM deployments. 8. References Thanks to Paul Unbehagen, Linda Dunbar, Bhumip Khasnabish, LiZhong Jin, Norival Figueira, and Zhengping You for review this draft and providing valuble inputs. Authors' Addresses Ning So Verizon Inc. 2400 N. Glenville Ave., Richardson, TX75082 ning.so@verizon.com Dave McDysan Verizon Inc. 22001 Loudoun County PKWY. Ashburn, VA 20147 Dave.mcdysan@verizon.com Henry Yu TW Telecom 10475 Park Meadows Dr. Littleton, CO 80124 Henry.yu@twtelecom.com John M. Heinz CenturyLink 600 New Century PKWY KSNCAA0420-4B116 New Century, KS 66031 john.m.heinz@centurylink.com 9. Acknowledgments This document was prepared using 2-Word-v2.0.template.dot. So Expires December 26,25,2011 [Page 10]