TEAS Working Group J. Dong
Internet-Draft Z. Li
Intended status: Informational Huawei Technologies
Expires: May 6, 2021 F. Qin
China Mobile
G. Yang
China Telecom
November 2, 2020
Scalability Considerations for Enhanced VPN (VPN+)
draft-dong-teas-enhanced-vpn-vtn-scalability-01
Abstract
Enhanced VPN (VPN+) aims to provide enhancements to existing VPN
services to support the needs of new applications, particularly
including the applications that are associated with 5G services.
VPN+ could be used to provide network slicing in 5G, and may also be
of use in more generic scenarios, such as enterprise services which
have demanding requirement. With the requirement for VPN+ services
increase, scalability would become an important factor for deployment
of VPN+. This document describes the scalability considerations in
the control plane and data plane to enable VPN+ services, some
optimization mechanisms are also described.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 6, 2021.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
Dong, et al. Expires May 6, 2021 [Page 1]
Internet-Draft VPN+ Scalability Considerations November 2020
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. VPN+ Scalability Requirements . . . . . . . . . . . . . . . . 3
3. VPN+ Scalability Considerations . . . . . . . . . . . . . . . 4
3.1. Control Plane Scalability . . . . . . . . . . . . . . . . 5
3.1.1. Distributed Control Plane . . . . . . . . . . . . . . 5
3.1.2. Centralized Control Plane . . . . . . . . . . . . . . 5
3.2. Data Plane Scalability . . . . . . . . . . . . . . . . . 6
3.3. Gap Analysis of Existing Mechanisms . . . . . . . . . . . 6
4. Possible Optimizations . . . . . . . . . . . . . . . . . . . 7
4.1. Control Plane Optimization . . . . . . . . . . . . . . . 7
4.2. Data Plane Optimization . . . . . . . . . . . . . . . . . 9
5. Solution Evolution for Improved Scalability . . . . . . . . . 10
6. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 11
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
10.1. Normative References . . . . . . . . . . . . . . . . . . 11
10.2. Informative References . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction
Virtual Private Networks (VPNs) have served the industry well as a
means of providing different groups of users with logically isolated
connectivity over a common network infrastructure. The VPN service
is provided with two network layers: the overlay and the underlay.
The underlay is responsible for establishing network connectivity and
managing network resources to meet the service requirement. The
overlay is used to distribute the membership and reachability
information of the tenants, and provide logical separation of service
delivery between different tenants.
Enhanced VPN service (VPN+) [I-D.ietf-teas-enhanced-vpn] is targeted
at new applications which require better isolation between tenants
and/or services, and have more stringent performance requirements
Dong, et al. Expires May 6, 2021 [Page 2]
Internet-Draft VPN+ Scalability Considerations November 2020
than can be provided with existing VPNs. To meet the requirement of
VPN+ services, Virtual Transport Networks (VTN) need to be created,
each with a subset of the underlay network topology and a set of
network resources allocated to meet the requirements of one or a
group of VPN+ services. The VPN in overlay together with the
corresponding VTN in the underlay provide the VPN+ service.
[I-D.ietf-teas-enhanced-vpn] provides some general analysis of the
scalability of VPN+. This document gives detailed analysis of the
scalability considerations when enabling VPN+ services. The focus of
this document is mainly on the scalability of the underlay of VPN+,
i.e. the VTN.
2. VPN+ Scalability Requirements
As described in [I-D.ietf-teas-enhanced-vpn], VPN+ services may
require additional state to be introduced into the network to take
advantage of the enhanced functionality. This introduces some
scalability considerations to the network. This section gives some
analysis of the number of VPN+ services that might be needed in a
network.
There are several use cases where VPN+ may be necessary, and these
determine how many will be required in a network. One typical use
case of VPN+ is to provide network slicing for applications or
services in 5G, thus the number of network slices needed could
reflect the number of VPN+ services. In the future, with the
development and evolution of 5G, it is expected that more and more
network slices will be deployed. The number of network slices
required is relevant to how network slicing will be used, and the
progress of 5G for vertical industrial services. The potential
number of network slices is analyzed by classifying the network
slicing deployment into three typical scenarios:
1. Network slicing can be used by a network opeartor internally to
isolate different types of services. For example, in a converged
multi-service network, different network slices can be created to
carry mobile transport service, fixed broadband service and
enterprise services respectively, each type of service could be
managed by a separate department or management team. Some
service types, such as multicast service may also be deployed in
a dedicated network slice. It is also possible that an
infrastructure network operator provides network slices to other
network operators as a wholesale service. In this scenario, the
number of network slices in a network would be relatively small,
such as on the order of 10 or so. This could be the typical case
in the beginning of the network slicing deployment.
Dong, et al. Expires May 6, 2021 [Page 3]
Internet-Draft VPN+ Scalability Considerations November 2020
2. Network slicing can be used to provide isolated and customized
virtual networks for tenants in different vertical industries.
At the early stage of the vertical industrial service deployment,
a few top tenants in some typical industries will begin to use
network slicing to support their business, such as smart grid,
manufacturing, public safety, on-line gaming, etc. Considering
the number of the vertical industries, and the number of top
tenants in each industry, the number of network slices may
increase to the order of 100.
3. With the evolution of 5G, network slicing could be widely used by
both vertical industrial tenants and enterprise tenants which
require guaranteed or predictable service performance. The total
amount of network slices may increase to the order of 1000 or
more. While it is expected that the number of network slices
would still be less than the number of traditional VPN services
in the network.
In 3GPP [TS23501], a 5G network slice is identified using Single
Network Slice Selection Assistance Information (S-NSSAI), which is a
32-bit identifier comprised of 8-bit Slice/Service Type (SST) and
24-bit Slice Differentiator (SD). This allows the mobile network
(RAN and CN) to provide a large number of network slices. Although
it is possible that multiple network slices in RAN and CN can be
mapped to the same transport network slice, the amount of transport
slice still needs to be comparable with the number of 5G network
slices. Thus the scalability of transport network slices needs to be
taken into consideration from the beginning.
8-bit 24-bit
+------------+-------------------------+
| SST | Slice Differentiator |
+------------+-------------------------+
Figure 1. Format of S-NSSAI in 3GPP
VPN+ needs to meet the scalability requirement of network slicing in
different scenarios. The increased number of VPN+s will introduce
additional complexity and overhead to both the control plane and data
plane, especially for the underlying virtual transport network.
3. VPN+ Scalability Considerations
In this section, the scalability in control and data plane is
analyzed to understand the possible gaps in meeting the scalability
requirement of VPN+.
Dong, et al. Expires May 6, 2021 [Page 4]
Internet-Draft VPN+ Scalability Considerations November 2020
3.1. Control Plane Scalability
As described in [I-D.ietf-teas-enhanced-vpn], the control plane of
VPN+ could be based on the hybrid of centralized controller and
distributed control plane.
3.1.1. Distributed Control Plane
At part of the construction of VPN+ services, it is necessary to
create different VTNs that provide customized topology and resource
attributes. The attributes and state information of each VTN needs
to be exchanged in the control plane. The scalability of the
distributed control plane for the establishment and maintenance of
VTNs needs to be considered in the following aspects:
o The number of control protocol instances maintained on each node
o The number of protocol sessions maintained on each link
o The number of routes advertised by each node
o The amount of attributes associated with each route
o The number of route computation (i.e. SPF) executed on each node
As the number of VTNs increases, it is expected that for some of the
above aspects, the overhead in the control plane may increase
dramatically. For example, the overhead of maintaining separated
control protocol instances for each VTN is considered higher than
maintaining separated virtual network topologies for different VTNs
in the same routing instance, and the overhead of maintaining
separate protocol sessions for each VTN is considered higher than
using a shared protocol session for the information exchange of
multiple VTNs. To meet the requirement of the increasing number of
VTNs, It is suggested to choose the control plane mechanisms which
could improve the scalability while still provide the required
functionality.
3.1.2. Centralized Control Plane
Although the SDN approach can reduce the amount of control plane
overhead in the distributed control plane, it may transfer some of
the scalability concerns from network nodes to the centralized
controller, thus the scalability of the controller also needs to be
considered.
To provide global optimization for Traffic Engineered (TE) paths in
different VTNs, the controller needs to keep the topology and
Dong, et al. Expires May 6, 2021 [Page 5]
Internet-Draft VPN+ Scalability Considerations November 2020
resource information of all the VTNs up to date. To achieve this,
the controller may need to maintain a communication channel with each
network node in the network. When there is significant change in the
network and multiple VTNs requires global optimization concurrently,
there may be a heavy processing burden at the controller, and a heavy
load in the network surrounding the controller for the distribution
of the updated network state.
3.2. Data Plane Scalability
To provide different VPN+ services with the required isolation and
performance characteristics, it is necessary to allocate different
sets of network resources to different VTNs. As the number of VPN+
increases, the number of VTNs will increase accordingly. This
requires the underlying network to provide finer-granular network
resource partitioning, which means the amount of state about the
reserved network resources to be maintained on network nodes will
also increase accordingly.
In data plane, traffic of different VPN+ services need to be
processed separately according to the topology and resource
constraints of the associated VTN , thus the identifier of VTN needs
to be carried either directly or implicitly in the data packet.
Different representations of the VTN identifier in data packet have
different scalability implication. One approach is to reuse some
existing fields in packet headers to additionally identify the VTN
the packet belongs to. As this introduces additional semantics to an
existing identifier, it may increase the amount of the identifiers to
be allocated and managed, which may not be expected in its original
design and could cause scalability problem. An alternative is to
introduce a dedicated identifier in the packet for VTN
identification.
In addition, the introduction of per VTN packet forwarding has impact
on the scalability of the forwarding entries on network nodes, as a
network node needs to maintain separate forwarding entries for a
target node in each VTN it participates.
3.3. Gap Analysis of Existing Mechanisms
One candidate approach to build VTN is using Segment Routing (either
SR-MPLS or SRv6) as the data plane, and distributing the customized
topology and resource attribute based on Multi-topology [RFC4915]
[RFC5120], Flex-Algo [I-D.ietf-lsr-flex-algo] or the combination of
these mechanisms in the control plane. If the number of VTNs
increases to a certain extent, such approach may have several
scalability issues:
Dong, et al. Expires May 6, 2021 [Page 6]
Internet-Draft VPN+ Scalability Considerations November 2020
1. The number of SR SIDs needed will increase dependent upon the
number of VTNs in the network, which will bring challenges both
to the SID information distribution in control plane and to the
installation of forwarding entries for the SIDs in data plane.
2. The number of SPF computation will also increase in proportion to
the number of VTNs in the network, which can introduce
significant overhead of the computing resources on network nodes.
3. The maximum number of network topology supported by OSPF Multi-
topology is 128, the maximum number of Flex-Algo is 128, which
may not meet the required number of VTNs in some networks.
4. Possible Optimizations
4.1. Control Plane Optimization
For the distributed control plane, several optimizations can be
considered to reduce the overhead and improve the control plane
scalability.
The first optimization mechanism is to reduce the amount of control
plane sessions used for the establishment and maintenance of the
VTNs. For multiple VTNs which have the same peering relationship
between two adjacent network nodes, it is proposed that one single
control session is used for the establishment of multiple VTNs.
Information of different VTNs can be exchanged over the same control
session, with necessary identification information to distinguish
them in the control messages. This could reduce the overhead of
maintaining a large number of control protocol sessions, and could
also reduce the amount of control plane message flooding in the
network.
The second optimization mechanism is to decompose the attributes of a
VTN into different groups, so that different types of attribute can
be advertised and processed separately in control plane. For a VTN,
there are two basic types of attributes: the topology attribute and
the associated network resource attribute. In a network, it is
possible that multiple VTNs share the same topology, and multiple
VTNs may share the same set of network resource on particular network
segments. It is more efficient if only one copy of the topology
attribute is advertised, then multiple VTNs sharing the same topology
could refer to the topology information, and share the result of
topology-based route computation. Similarly, information of a subset
of network resource reserved on network segments could be advertised
once and then be used by multiple VTNs. This methodology could also
apply to other attributes of VTN which may be introduced later and
can be processed independently.
Dong, et al. Expires May 6, 2021 [Page 7]
Internet-Draft VPN+ Scalability Considerations November 2020
O#####O#####O O*****O*****O
# # # * * *
# # # * * *
O#####O#####O O*****O*****O
VTN-1 VTN-2
O-----O-----O
| | |
| | |
O-----O-----O
Shared Network Topology
Legend
O Virtual node
### Virtual links with a set of reserved resource
*** Virtual links with another set of reserved resource
Figure 2. Topology Sharing between VTNs
FIG-2
Figure 2 gives an example of multiple VTNs which share the same
topology attribute. As shown in the figure, VTN-1 and VTN-2 have the
same topology, while the link resource attributes of each VTN are
different. In this case, only one copy of the network topology
information needs to be advertised, and the topology-based route
computation result can be used by both VTNs to generate the routing
tables.
O#####O#####O O- -O#####O
# # # \/ # #
# # # /\ # #
O#####O#####O O- -O#####O
VTN-1 VTN-2
Legend
O Virtual node
### Virtual links with a set of reserved resource
--- Virtual links with another set of reserved resource
Figure 3. Resource Sharing between VTNs
Dong, et al. Expires May 6, 2021 [Page 8]
Internet-Draft VPN+ Scalability Considerations November 2020
Figure 3 gives another example of multiple VTNs which shares the same
set of network resources on some links. In this case, information
about the reserved resource on each link only needs to be advertised
once, then both VTN-1 and VTN-2 could refer to the link resource for
constraint based computation.
For the centralized control plane, it is suggested that the
centralized controller is deployed as a complementary mechanism to
the distributed control plane rather than replacement, so that the
computation burden in control plane could be shared by both the
centralized controller and the network nodes, thus the scalability of
both systems could be improved.
4.2. Data Plane Optimization
To support more VPN+ services while keeping the amount of data plane
state in a reasonable scale, one possible approach is to classify a
set of VPN+ services which has similar service characteristics and
performance requirements into a group, and such group of VPN+ is
mapped to one VTN, which is allocated with an aggregated set of
network topology and resources to meet the service requirement of the
whole group of VPN+. Different groups of VPN+ need to be mapped to
different VTNs with different set of network resources allocated.
With appropriate grouping of VPN+ services, a reasonable number of
VTNs with network resources reservation and aggregation could still
meet the service requirements.
Another optimization in the data plane is to decouple the identifier
used for topology-based forwarding and the identifier used for the
resource-specific processing introduced by VTN. One possible
mechanism is to introduce a dedicated field in the packet header to
uniquely identify the set of local network resources allocated to a
VTN on each network node for the processing and forwarding of the
received packet. Then the existing identifier in the packet header
used for topology based forwarding is kept unchanged. The benefit is
the number of existing topology-specific identifiers will only
increase in proportion to the number of topologies rather than the
number of VTNs, so that its scalability will not be impacted by the
increase of VTN. Note this probably requires network nodes to
support a hierarchical forwarding table in the data plane. Figure 4
shows the concept of using different data plane identifiers for
topology-based and VTN resource-based packet processing respectively.
Dong, et al. Expires May 6, 2021 [Page 9]
Internet-Draft VPN+ Scalability Considerations November 2020
+--------------------------+
| Packet Header |
| |
| +----------------------+ |
| | Topology-specific ID | |
| +----------------------+ |
| |
| +----------------------+ |
| | VTN Resource ID | |
| +----------------------+ |
+--------------------------+
Figure 4. Decoupled Data Plane Identifiers
In an IPv6 [RFC8200] based network, this could be achieved by
introducing a dedicated field in either the IPv6 fixed header or one
of the extension headers to carry the VTN identifier for the
resource-specific forwarding, while keeping the destination IP
address field used for routing towards the destination prefix in the
corresponding topology. Note that the VTN ID needs to be parsed by
every node along the path which is capable of VTN-specific
forwarding. In an MPLS [RFC3032] based network, this may be achieved
by introducing a dedicated MPLS label to identify the VTN instance,
while the existing MPLS labels could be used for topology-based
packet forwarding towards the associated destination prefix. This
requires that both labels be parsed by each node along the forwarding
path of the packet. The detailed extensions in IPv6 and MPLS
encapsulation are out of the scope of this document.
5. Solution Evolution for Improved Scalability
Based on the analysis in this document, the control plane and data
plane for VPN+ needs to evolve to support the increasing number of
VPN+ services in the network.
For example, by introducing resource-awareness to segment routing
SIDs [I-D.ietf-spring-resource-aware-segments], and using Multi-
Topology or Flex-Algo as control plane could provide a solution for
building a limited set of VTNs in the network to meet the requirement
of a small number of VPN+ in the network. Such mechanism is
considered as basic SR-VTN.
As the number of required VPN+ services increases, more VTNs needs to
be created, then the control plane scalability could be improved by
decoupling the topology attribute from other attributes (e.g.
resource attribute) of VTN, so that multiple VTNs could share the
same topology or resource attribute.
Dong, et al. Expires May 6, 2021 [Page 10]
Internet-Draft VPN+ Scalability Considerations November 2020
To further improve the data plane scalability, dedicated data plane
identifiers of VTN can be introduced to decouple the topology-
specific forwarding and the VTN resource-based processing in data
plane.
6. Security Considerations
TBD
7. IANA Considerations
This document makes no request of IANA.
8. Contributors
Zhibo Hu
Email: huzhibo@huawei.com
9. Acknowledgments
The authors would like to thank XXX for the review and discussion of
this document.
10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
10.2. Informative References
[I-D.dong-spring-sr-for-enhanced-vpn]
Dong, J., Bryant, S., Miyasaka, T., Zhu, Y., Qin, F., Li,
Z., and F. Clad, "Segment Routing based Virtual Transport
Network for Enhanced VPN", draft-dong-spring-sr-for-
enhanced-vpn-10 (work in progress), August 2020.
[I-D.ietf-lsr-flex-algo]
Psenak, P., Hegde, S., Filsfils, C., Talaulikar, K., and
A. Gulko, "IGP Flexible Algorithm", draft-ietf-lsr-flex-
algo-13 (work in progress), October 2020.
Dong, et al. Expires May 6, 2021 [Page 11]
Internet-Draft VPN+ Scalability Considerations November 2020
[I-D.ietf-spring-resource-aware-segments]
Dong, J., Bryant, S., Miyasaka, T., Zhu, Y., Qin, F., Li,
Z., and F. Clad, "Introducing Resource Awareness to SR
Segments", draft-ietf-spring-resource-aware-segments-00
(work in progress), July 2020.
[I-D.ietf-teas-enhanced-vpn]
Dong, J., Bryant, S., Li, Z., Miyasaka, T., and Y. Lee, "A
Framework for Enhanced Virtual Private Networks (VPN+)
Service", draft-ietf-teas-enhanced-vpn-06 (work in
progress), July 2020.
[RFC3032] Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y.,
Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack
Encoding", RFC 3032, DOI 10.17487/RFC3032, January 2001,
<https://www.rfc-editor.org/info/rfc3032>.
[RFC4915] Psenak, P., Mirtorabi, S., Roy, A., Nguyen, L., and P.
Pillay-Esnault, "Multi-Topology (MT) Routing in OSPF",
RFC 4915, DOI 10.17487/RFC4915, June 2007,
<https://www.rfc-editor.org/info/rfc4915>.
[RFC5120] Przygienda, T., Shen, N., and N. Sheth, "M-ISIS: Multi
Topology (MT) Routing in Intermediate System to
Intermediate Systems (IS-ISs)", RFC 5120,
DOI 10.17487/RFC5120, February 2008,
<https://www.rfc-editor.org/info/rfc5120>.
[RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", STD 86, RFC 8200,
DOI 10.17487/RFC8200, July 2017,
<https://www.rfc-editor.org/info/rfc8200>.
[TS23501] "3GPP TS23.501", 2016,
<https://portal.3gpp.org/desktopmodules/Specifications/
SpecificationDetails.aspx?specificationId=3144>.
Authors' Addresses
Jie Dong
Huawei Technologies
Huawei Campus, No. 156 Beiqing Road
Beijing 100095
China
Email: jie.dong@huawei.com
Dong, et al. Expires May 6, 2021 [Page 12]
Internet-Draft VPN+ Scalability Considerations November 2020
Zhenbin Li
Huawei Technologies
Huawei Campus, No. 156 Beiqing Road
Beijing 100095
China
Email: lizhenbin@huawei.com
Fengwei Qin
China Mobile
No. 32 Xuanwumenxi Ave., Xicheng District
Beijing
China
Email: qinfengwei@chinamobile.com
Guangming Yang
China Telecom
No.109 West Zhongshan Ave., Tianhe District
Guangzhou
China
Email: yangguangm@chinatelecom.cn
Dong, et al. Expires May 6, 2021 [Page 13]