Operations and Management Area Working Group N. So
Internet Draft Verizon
Intended status: Standard Track P. Unbehagen
Expires: Sept 2011 Alcatel-Lu
L. Dunbar
Huawei
H.Yu
TW Telecom
J. Heinz
CenturyLink
N.Figueira
Brocade
March 7, 2011
Requirement and Framework for VPN-Oriented Cloud Services
draft-so-vpn-o-cs-00.txt
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on September 7, 2011.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
So Expires September 7, 2011 [Page 1]
Internet-Draft VPN-oriented Cloud Services March 2011
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.
Abstract
This contribution addresses the service providers' requirements to
support VPN-Oriented Cloud services. It describes the characteristics
of VPN-oriented Cloud Service and specifies the requirement on how to
maintain and manage the data center resources for those services.
Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 Error!
Reference source not found..
Table of Contents
1. Introduction ................................................ 3
2. Terminology ................................................. 3
3. Service definitions and requirements ........................ 4
4. Requirements of Data Center networks in support of VPN-Oriented
Cloud Services ................................................. 5
5. Data Center Resource Management Requirements for VPN-oriented
Cloud Service .................................................. 6
6. Security Requirement ........................................ 7
7. Other Requirements .......................................... 7
8. IANA Considerations ......................................... 8
9. Acknowledgments ............................................. 8
10. References ................................................. 8
Authors' Addresses ............................................. 8
Intellectual Property Statement................................. 9
Disclaimer of Validity ......................................... 9
So Expires Sept7, 2011 [Page 2]
Internet-Draft VPN-oriented Cloud Services March 2011
1. Introduction
Layer 2 and 3 VPN services offer secure and logically dedicated
connectivity among multiple sites for enterprises. VPN-oriented Cloud
Service is for those VPN customers who want to offload some dedicated
user data center operations such as software, compute, and storage,
to the shared cloud centers. Those customers often do not feel
comfortable using public Internet as the cloud center access network.
They also have more restrictive requirements on what and how the
virtualized cloud center resources, e.g., computing power, disk
spaces, and/or application licenses, can be shared.
VPN-Oriented Cloud Services allow the VPN services to be extended
into cloud data centers and to control the virtual resources sharing
functions. As a network and cloud service provider, a VPN-Oriented
Cloud-service product may be offered globally across multiple data
centers. Some of the data centers may be owned by a network provider,
while others may be owned by a partner/vendor. In addition, multiple
VPN-oriented Cloud-Service products can be offered from the same data
center.
VPN-Oriented Cloud Services differentiate itself from other cloud
services in the following aspects:
Strictly maintaining the secure, reliable, and logical isolation
characteristics of VPN;
Making the traditional data center services (like computing,
storage space, or application licenses) as additional attributes to
VPNs.
VPN having the control on how and what data center resources to be
associated with the VPN.
This draft describes the characteristics of those services, their
service requirements, and the corresponding requirements to data
center networks. It also describes a list of the problems that this
service is causing to the network provider/operator, especially for
the existing VPN customers. These issues must be addressed
immediately in order for service providers to facilitate the addition
of Cloud-based services to the VPNs of existing customer.
2. Terminology
DC: Data Center
So Expires Sept7, 2011 [Page 3]
Internet-Draft VPN-oriented Cloud Services March 2011
VM: Virtual Machines
VPN: Virtual Private Network
3. Service definitions and requirements
There are various types of VPN-Oriented Cloud Services. Here are just
some examples:
VPN-oriented cloud computing service
This refers to Virtual Machines (VMs) and/or physical servers in a
cloud data center being added to a VPN customer. The VPN customer
can choose different properties on the computing power, such as
dedicated servers, preference on which data center to host those
servers, or special VMs which are shared with a group of other VPN
customers, and etc.
Any cloud data center providing the VPN-oriented computing services
SHOULD be able to automatically provision and/or change the
required resources based on the specified properties associated
with a VPN.
VPN customers SHALL be able to automatically instantiate or remove
hosts to/from the VPN's associated Virtual Machines or dedicated
servers through the changing of the customer's VPN properties.
VPN-oriented cloud storage service
This refers to disk space, either virtual or actual blocks of hard
drives in data centers, being added to a customer's VPN. The VPN
customer SHOULD be able to choose different properties on the
storage space, such as: if the content has to replicated locally or
has to be replicated at geographically different locations; if the
storage has to be co-located with certain hosts; or which hosts
have access to the content, and etc.
These properties are strictly associated with the VPN. Any data
center providing the storage space for a VPN SHOULD be able to
automatically provision or change the required storage space based
on the property associated with the VPN.
So Expires Sept7, 2011 [Page 4]
Internet-Draft VPN-oriented Cloud Services March 2011
The VPN customer SHOULD be able to automatically add disc space or
remove disc space to the VPN's associated storage through the
changing of the VPN properties.
Each VPN SHALL have the ability to limit the mobility of the stored
data to a certain geographic region confinement (country/state).
4. Requirements of Data Center networks in support of VPN-Oriented Cloud
Services
The success of VPN services in the enterprise and the government
world is largely due to its ability to virtually segregate the
customer traffic at layer 2 and layer 3. The lower the layer that
segregation can be maintained, the safer it is for the customers from
security and privacy perspectives. Today's Data Centers use VLANs to
segregate servers and traffic from different customers. Since each
customer usually needs multiple zones (e.g., DMZ, Web Server zone,
and etc) to place different applications, each customer usually needs
multiple VLANs. Even small data centers today already consume several
thousands of VLANs. Therefore, pure VLAN segregation is not enough
for large data centers.
Network service providers view data center resources as added
attributes to VPNs. Therefore, traffic segregation per VPN is an
essential requirement to the success of VPN-oriented Cloud-Services
in the enterprises and government markets. Other essential
requirements include:
Requirements for extending VPNs into data center networks using VPN
gateways:
o The Cloud Service associated with certain VPN(s) SHALL be
transmitted over a pre-defined set of connections, and each
VPN utilizing the service SHALL be transmitted over a sub-set
of logical connections.
o The VPN gateway should maintain a mapping among Virtual or
physical Resources, physical/logical connections, with
specific VPNs.
o The VPN Gateway SHOULD be able to control the connection
traffic flow and assign the dedicated virtual resources
accordingly.
So Expires Sept7, 2011 [Page 5]
Internet-Draft VPN-oriented Cloud Services March 2011
Independent of the L2/3 technology, e.g., TRILL, PBB, SPB,
OpenFlow, and etc, used for connecting external (customer) VPNs and
data center virtual resources, e.g., , each VPN SHALL be given a
unique Service ID, and traffic separation SHALL be maintained per
Service ID.
When a L2/3 VPN is used as the network technology connecting the
external (customer) VPN and the data center virtual resources, each
external VPN SHALL be mapped to a unique internal VPN.
5. Data Center Resource Management Requirements for VPN-oriented Cloud
Service
Today, data center server resources are managed by data center
servers' administrators or management systems, and supported by
hypervisors on the servers. The entire process is invisible to the
underlying networks. The data center management functions today
include managing servers, instantiating hosts to VMs, managing disk
space, and etc.
Traffic loading and balancing and QoS assignments for data center
networks are usually not considered by Data Center's server
administration systems. There shall be a way that the VPN can connect
with the Data Center's server administration systems that are
important to the concept and spirit of the VPN:
The resources in data center MUST be partitioned per VPN's
requirements instead of the traditional partitioning per customer.
The Cloud orchestration system SHALL have the ability to dedicate
a specific block of disk space per services per VPN.
If a VPN requires dedicated access to blocks of disk space, the
data center disk management system SHALL allocate the required
disk space per VPN and be able to let VPN automatically retrieve
the identification of those disk spaces.
If a VPN specifies its associated storage space to be accessible
only by certain hosts, the data center disk management system
SHALL have the ability to indicate the mechanism used to prevent
the unwanted data retrieval for the block of disk space after it
is no longer used by the VPN, before it can be re-used by other
parties.
So Expires Sept7, 2011 [Page 6]
Internet-Draft VPN-oriented Cloud Services March 2011
The VPN SHALL have the ability to request dedicated L2/3 network
resources within the data center such as bandwidth, priorities,
and so on.
The VPN SHALL have the ability to hold the requested resources
without sharing with any other parties.
The VPN's QoS assignments SHOULD be able to synchronize with the
Cloud virtual resources' QoS assignments.
6. Security Requirements
VPN-Oriented Cloud Service SHOULD support a variety of security
measures in securing tenancy of virtual resources such as
resource locking, containment, authentication, access control,
encryption, integrity measure, and etc.
The VPN-Oriented Cloud Service SHOULD allow the security to be
configured end-to-end on a per VPN per-user basis. For example,
the Virtual Systems MUST resource-lock resources such as memory,
but must also provide a cleaning function to insure
confidentiality before being reallocated.
VPN-Oriented Cloud Service for private Clouds SHOULD specify an
authentication mechanism based on an authentication algorithm
(MD5, HMAC-SHA-1) for both header and payload. Encryption MAY
also be use to provide confidentiality.
Security boundaries MAY also be create to maintain domains of
TRUSTED, UNTRUSTED, and Hybrid. Within each domain access
control, techniques MAY be used to secure resources and
administrative domains.
7. Other Requirements
The VPN-Oriented Cloud Service SHALL support automatic end-to-
end network configuration.
The VPN-Oriented Cloud Service solution MUST have sufficient OAM
mechanisms in place to allow consistent end-to-end management of
the solution in existing deployed networks. The solution SHOULD
use existing protocols (e.g., IEEE 802.1ag, ITU-T Y.1731, BFD)
wherever possible to facilitate interoperability with existing
OAM deployments.
So Expires Sept7, 2011 [Page 7]
Internet-Draft VPN-oriented Cloud Services March 2011
8. IANA Considerations
9. Acknowledgments
This document was prepared using 2-Word-v2.0.template.dot.
10. References
Authors' Addresses
Ning So
Verizon Inc.
2400 N. Glenville Ave.,
Richardson, TX75082
ning.so@verizonbusiness.com
Paul Unbehagen
Alcatel-Lucent
8742 Lucent Boulevard
Highlands Ranch, CO 80129
paul.unbehagen@alcatel-lucent.com
Linda Dunbar
Huawei Technologies
1700 Alma Drive, Suite 500
Plano, TX 75075, USA
Linda.dunbar@huawei.com
Henry Yu
TW Telecom
10475 Park Meadows Dr.
Littleton, CO 80124
Henry.yu@twtelecom.com
John M. Heinz
CenturyLink
600 New Century PKWY
KSNCAA0420-4B116
New Century, KS 66031
john.m.heinz@centurylink.com
Norival Figueira
Brocade Networks
So Expires Sept7, 2011 [Page 8]
Internet-Draft VPN-oriented Cloud Services March 2011
130 Holger Way
San Jose, CA 95134
nfigueir@brocade.com
Intellectual Property Statement
The IETF Trust takes no position regarding the validity or scope of
any Intellectual Property Rights or other rights that might be
claimed to pertain to the implementation or use of the technology
described in any IETF Document or the extent to which any license
under such rights might or might not be available; nor does it
represent that it has made any independent effort to identify any
such rights.
Copies of Intellectual Property disclosures made to the IETF
Secretariat and any assurances of licenses to be made available, or
the result of an attempt made to obtain a general license or
permission for the use of such proprietary rights by implementers or
users of this specification can be obtained from the IETF on-line IPR
repository at http://www.ietf.org/ipr
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
any standard or specification contained in an IETF Document. Please
address the information to the IETF at ietf-ipr@ietf.org.
Disclaimer of Validity
All IETF Documents and the information contained therein are provided
on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE
IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE
ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
So Expires Sept7, 2011 [Page 9]
Internet-Draft VPN-oriented Cloud Services March 2011
So Expires Sept7, 2011 [Page 10]