Operations and Management Area Working Group N. So Internet Draft Verizon Intended status: Standard Track P. Unbehagen Expires: Sept 2011 Alcatel-Lu L. Dunbar Huawei H.Yu TW Telecom J. Heinz CenturyLink N.Figueira Brocade March 7, 2011 Requirement and Framework for VPN-Oriented Cloud Services draft-so-vpn-o-cs-00.txt Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html This Internet-Draft will expire on September 7, 2011. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents So Expires September 7, 2011 [Page 1] Internet-Draft VPN-oriented Cloud Services March 2011 (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License. Abstract This contribution addresses the service providers' requirements to support VPN-Oriented Cloud services. It describes the characteristics of VPN-oriented Cloud Service and specifies the requirement on how to maintain and manage the data center resources for those services. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 Error! Reference source not found.. Table of Contents 1. Introduction ................................................ 3 2. Terminology ................................................. 3 3. Service definitions and requirements ........................ 4 4. Requirements of Data Center networks in support of VPN-Oriented Cloud Services ................................................. 5 5. Data Center Resource Management Requirements for VPN-oriented Cloud Service .................................................. 6 6. Security Requirement ........................................ 7 7. Other Requirements .......................................... 7 8. IANA Considerations ......................................... 8 9. Acknowledgments ............................................. 8 10. References ................................................. 8 Authors' Addresses ............................................. 8 Intellectual Property Statement................................. 9 Disclaimer of Validity ......................................... 9 So Expires Sept7, 2011 [Page 2] Internet-Draft VPN-oriented Cloud Services March 2011 1. Introduction Layer 2 and 3 VPN services offer secure and logically dedicated connectivity among multiple sites for enterprises. VPN-oriented Cloud Service is for those VPN customers who want to offload some dedicated user data center operations such as software, compute, and storage, to the shared cloud centers. Those customers often do not feel comfortable using public Internet as the cloud center access network. They also have more restrictive requirements on what and how the virtualized cloud center resources, e.g., computing power, disk spaces, and/or application licenses, can be shared. VPN-Oriented Cloud Services allow the VPN services to be extended into cloud data centers and to control the virtual resources sharing functions. As a network and cloud service provider, a VPN-Oriented Cloud-service product may be offered globally across multiple data centers. Some of the data centers may be owned by a network provider, while others may be owned by a partner/vendor. In addition, multiple VPN-oriented Cloud-Service products can be offered from the same data center. VPN-Oriented Cloud Services differentiate itself from other cloud services in the following aspects: Strictly maintaining the secure, reliable, and logical isolation characteristics of VPN; Making the traditional data center services (like computing, storage space, or application licenses) as additional attributes to VPNs. VPN having the control on how and what data center resources to be associated with the VPN. This draft describes the characteristics of those services, their service requirements, and the corresponding requirements to data center networks. It also describes a list of the problems that this service is causing to the network provider/operator, especially for the existing VPN customers. These issues must be addressed immediately in order for service providers to facilitate the addition of Cloud-based services to the VPNs of existing customer. 2. Terminology DC: Data Center So Expires Sept7, 2011 [Page 3] Internet-Draft VPN-oriented Cloud Services March 2011 VM: Virtual Machines VPN: Virtual Private Network 3. Service definitions and requirements There are various types of VPN-Oriented Cloud Services. Here are just some examples: VPN-oriented cloud computing service This refers to Virtual Machines (VMs) and/or physical servers in a cloud data center being added to a VPN customer. The VPN customer can choose different properties on the computing power, such as dedicated servers, preference on which data center to host those servers, or special VMs which are shared with a group of other VPN customers, and etc. Any cloud data center providing the VPN-oriented computing services SHOULD be able to automatically provision and/or change the required resources based on the specified properties associated with a VPN. VPN customers SHALL be able to automatically instantiate or remove hosts to/from the VPN's associated Virtual Machines or dedicated servers through the changing of the customer's VPN properties. VPN-oriented cloud storage service This refers to disk space, either virtual or actual blocks of hard drives in data centers, being added to a customer's VPN. The VPN customer SHOULD be able to choose different properties on the storage space, such as: if the content has to replicated locally or has to be replicated at geographically different locations; if the storage has to be co-located with certain hosts; or which hosts have access to the content, and etc. These properties are strictly associated with the VPN. Any data center providing the storage space for a VPN SHOULD be able to automatically provision or change the required storage space based on the property associated with the VPN. So Expires Sept7, 2011 [Page 4] Internet-Draft VPN-oriented Cloud Services March 2011 The VPN customer SHOULD be able to automatically add disc space or remove disc space to the VPN's associated storage through the changing of the VPN properties. Each VPN SHALL have the ability to limit the mobility of the stored data to a certain geographic region confinement (country/state). 4. Requirements of Data Center networks in support of VPN-Oriented Cloud Services The success of VPN services in the enterprise and the government world is largely due to its ability to virtually segregate the customer traffic at layer 2 and layer 3. The lower the layer that segregation can be maintained, the safer it is for the customers from security and privacy perspectives. Today's Data Centers use VLANs to segregate servers and traffic from different customers. Since each customer usually needs multiple zones (e.g., DMZ, Web Server zone, and etc) to place different applications, each customer usually needs multiple VLANs. Even small data centers today already consume several thousands of VLANs. Therefore, pure VLAN segregation is not enough for large data centers. Network service providers view data center resources as added attributes to VPNs. Therefore, traffic segregation per VPN is an essential requirement to the success of VPN-oriented Cloud-Services in the enterprises and government markets. Other essential requirements include: Requirements for extending VPNs into data center networks using VPN gateways: o The Cloud Service associated with certain VPN(s) SHALL be transmitted over a pre-defined set of connections, and each VPN utilizing the service SHALL be transmitted over a sub-set of logical connections. o The VPN gateway should maintain a mapping among Virtual or physical Resources, physical/logical connections, with specific VPNs. o The VPN Gateway SHOULD be able to control the connection traffic flow and assign the dedicated virtual resources accordingly. So Expires Sept7, 2011 [Page 5] Internet-Draft VPN-oriented Cloud Services March 2011 Independent of the L2/3 technology, e.g., TRILL, PBB, SPB, OpenFlow, and etc, used for connecting external (customer) VPNs and data center virtual resources, e.g., , each VPN SHALL be given a unique Service ID, and traffic separation SHALL be maintained per Service ID. When a L2/3 VPN is used as the network technology connecting the external (customer) VPN and the data center virtual resources, each external VPN SHALL be mapped to a unique internal VPN. 5. Data Center Resource Management Requirements for VPN-oriented Cloud Service Today, data center server resources are managed by data center servers' administrators or management systems, and supported by hypervisors on the servers. The entire process is invisible to the underlying networks. The data center management functions today include managing servers, instantiating hosts to VMs, managing disk space, and etc. Traffic loading and balancing and QoS assignments for data center networks are usually not considered by Data Center's server administration systems. There shall be a way that the VPN can connect with the Data Center's server administration systems that are important to the concept and spirit of the VPN: The resources in data center MUST be partitioned per VPN's requirements instead of the traditional partitioning per customer. The Cloud orchestration system SHALL have the ability to dedicate a specific block of disk space per services per VPN. If a VPN requires dedicated access to blocks of disk space, the data center disk management system SHALL allocate the required disk space per VPN and be able to let VPN automatically retrieve the identification of those disk spaces. If a VPN specifies its associated storage space to be accessible only by certain hosts, the data center disk management system SHALL have the ability to indicate the mechanism used to prevent the unwanted data retrieval for the block of disk space after it is no longer used by the VPN, before it can be re-used by other parties. So Expires Sept7, 2011 [Page 6] Internet-Draft VPN-oriented Cloud Services March 2011 The VPN SHALL have the ability to request dedicated L2/3 network resources within the data center such as bandwidth, priorities, and so on. The VPN SHALL have the ability to hold the requested resources without sharing with any other parties. The VPN's QoS assignments SHOULD be able to synchronize with the Cloud virtual resources' QoS assignments. 6. Security Requirements VPN-Oriented Cloud Service SHOULD support a variety of security measures in securing tenancy of virtual resources such as resource locking, containment, authentication, access control, encryption, integrity measure, and etc. The VPN-Oriented Cloud Service SHOULD allow the security to be configured end-to-end on a per VPN per-user basis. For example, the Virtual Systems MUST resource-lock resources such as memory, but must also provide a cleaning function to insure confidentiality before being reallocated. VPN-Oriented Cloud Service for private Clouds SHOULD specify an authentication mechanism based on an authentication algorithm (MD5, HMAC-SHA-1) for both header and payload. Encryption MAY also be use to provide confidentiality. Security boundaries MAY also be create to maintain domains of TRUSTED, UNTRUSTED, and Hybrid. Within each domain access control, techniques MAY be used to secure resources and administrative domains. 7. Other Requirements The VPN-Oriented Cloud Service SHALL support automatic end-to- end network configuration. The VPN-Oriented Cloud Service solution MUST have sufficient OAM mechanisms in place to allow consistent end-to-end management of the solution in existing deployed networks. The solution SHOULD use existing protocols (e.g., IEEE 802.1ag, ITU-T Y.1731, BFD) wherever possible to facilitate interoperability with existing OAM deployments. So Expires Sept7, 2011 [Page 7] Internet-Draft VPN-oriented Cloud Services March 2011 8. IANA Considerations 9. Acknowledgments This document was prepared using 2-Word-v2.0.template.dot. 10. References Authors' Addresses Ning So Verizon Inc. 2400 N. Glenville Ave., Richardson, TX75082 ning.so@verizonbusiness.com Paul Unbehagen Alcatel-Lucent 8742 Lucent Boulevard Highlands Ranch, CO 80129 paul.unbehagen@alcatel-lucent.com Linda Dunbar Huawei Technologies 1700 Alma Drive, Suite 500 Plano, TX 75075, USA Linda.dunbar@huawei.com Henry Yu TW Telecom 10475 Park Meadows Dr. Littleton, CO 80124 Henry.yu@twtelecom.com John M. Heinz CenturyLink 600 New Century PKWY KSNCAA0420-4B116 New Century, KS 66031 john.m.heinz@centurylink.com Norival Figueira Brocade Networks So Expires Sept7, 2011 [Page 8] Internet-Draft VPN-oriented Cloud Services March 2011 130 Holger Way San Jose, CA 95134 nfigueir@brocade.com Intellectual Property Statement The IETF Trust takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in any IETF Document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Copies of Intellectual Property disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement any standard or specification contained in an IETF Document. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity All IETF Documents and the information contained therein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. So Expires Sept7, 2011 [Page 9] Internet-Draft VPN-oriented Cloud Services March 2011 So Expires Sept7, 2011 [Page 10]