IETF Logo Mail Archive

RE: Preliminary L3VPN/VPN4DC agenda @ IETF82

"Luyuan Fang (lufang)" <lufang@cisco.com> Sat, 05 November 2011 05:41 UTC

Return-Path: <lufang@cisco.com>
X-Original-To: l3vpn@ietfa.amsl.com
Delivered-To: l3vpn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F261011E8073 for <l3vpn@ietfa.amsl.com>; Fri, 4 Nov 2011 22:41:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.675
X-Spam-Level:
X-Spam-Status: No, score=-4.675 tagged_above=-999 required=5 tests=[AWL=0.123, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_13=0.6, J_CHICKENPOX_14=0.6, J_CHICKENPOX_32=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O7ih7F1XmmZK for <l3vpn@ietfa.amsl.com>; Fri, 4 Nov 2011 22:41:51 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id A30C421F85A8 for <l3vpn@ietf.org>; Fri, 4 Nov 2011 22:41:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=lufang@cisco.com; l=32229; q=dns/txt; s=iport; t=1320471710; x=1321681310; h=mime-version:subject:date:message-id:in-reply-to: references:from:to:cc; bh=CHRowVINJTcoiHjWxjKrBGRYdT5JvtyV76FybMxKPOA=; b=Z7ceuuTBBBXfN14dWXRl9SvR833pH63CUZ9IcjzBjvsH+1p9Nu5CYtPd feH+NOtFgHck5Ym8XPrfP6Iy1CFjKfA2dduZYLG31uPT3xgA3DbHc0lH8 j1B4mzTeFjper4elov6CNzLBT7qTOeFe4F0K6k4lRWjRsa5CzuUIWXDVY 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AuoAACHMtE6tJV2a/2dsb2JhbAA9BoJNl0eNHYE3gSCBBYFyAQEBBBIBCREDPAIEBwwEAgEIDgMEAQELBhABBgEGAUUJCAEBBAESCAESB4domEMBnheGBYJDYwSIC5FNjE8
X-IronPort-AV: E=Sophos; i="4.69,459,1315180800"; d="scan'208,217"; a="33585502"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-5.cisco.com with ESMTP; 05 Nov 2011 05:41:49 +0000
Received: from xbh-rcd-202.cisco.com (xbh-rcd-202.cisco.com [72.163.62.201]) by rcdn-core-3.cisco.com (8.14.3/8.14.3) with ESMTP id pA55fnO1000407; Sat, 5 Nov 2011 05:41:49 GMT
Received: from xmb-rcd-201.cisco.com ([72.163.62.208]) by xbh-rcd-202.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Sat, 5 Nov 2011 00:41:49 -0500
X-Mimeole: Produced By Microsoft Exchange V6.5
x-cr-hashedpuzzle: BFUY BWPi EVs1 HZqf Knlt LDBH L63u XYqq Z7FV bl97 cP1Z hFs8 ijy+ i0rR lJhB q+ky; 5; YwBjAGkAZQAxADUANgA3ADIAQAB5AGEAaABvAG8ALgBjAG8AbQA7AGwAMwB2AHAAbgBAAGkAZQB0AGYALgBvAHIAZwA7AGwAaQBuAGQAYQAuAGQAdQBuAGIAYQByAEAAaAB1AGEAdwBlAGkALgBjAG8AbQA7AG4AYQBiAGkAbAAuAG4ALgBiAGkAdABhAHIAQAB2AGUAcgBpAHoAbwBuAC4AYwBvAG0AOwByAG8AYgBlAHIAdABAAHIAYQBzAHoAdQBrAC4AbgBlAHQA; Sosha1_v1; 7; {7BC8F3AA-12F0-4D3E-8461-6F2A83EDB31D}; bAB1AGYAYQBuAGcAQABjAGkAcwBjAG8ALgBjAG8AbQA=; Sat, 05 Nov 2011 05:41:33 GMT; UgBFADoAIABQAHIAZQBsAGkAbQBpAG4AYQByAHkAIABMADMAVgBQAE4ALwBWAFAATgA0AEQAQwAgAGEAZwBlAG4AZABhACAAQAAgAEkARQBUAEYAOAAyAA==
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CC9B7D.9CB202BC"
x-cr-puzzleid: {7BC8F3AA-12F0-4D3E-8461-6F2A83EDB31D}
Content-class: urn:content-classes:message
Subject: RE: Preliminary L3VPN/VPN4DC agenda @ IETF82
Date: Sat, 05 Nov 2011 00:41:33 -0500
Message-ID: <238542D917511A45B6B8AA806E875E25073CAAF0@XMB-RCD-201.cisco.com>
In-Reply-To: <1320458884.82254.YahooMailNeo@web161801.mail.bf1.yahoo.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Preliminary L3VPN/VPN4DC agenda @ IETF82
Thread-Index: AcybX8dJX7F8CtVpS9OyEOTGf0TkCwAB26gA
References: <4EB2D29D.8000701@raszuk.net><CAD957A1.2C4B8%nabil.n.bitar@verizon.com> <1320458884.82254.YahooMailNeo@web161801.mail.bf1.yahoo.com>
From: "Luyuan Fang (lufang)" <lufang@cisco.com>
To: Derick Winkworth <ccie15672@yahoo.com>, "Bitar, Nabil N" <nabil.n.bitar@verizon.com>, robert@raszuk.net, Linda Dunbar <linda.dunbar@huawei.com>
X-OriginalArrivalTime: 05 Nov 2011 05:41:49.0216 (UTC) FILETIME=[9CE1C200:01CC9B7D]
Cc: L3VPN WG mailing list <l3vpn@ietf.org>
X-BeenThere: l3vpn@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <l3vpn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l3vpn>, <mailto:l3vpn-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/l3vpn>
List-Post: <mailto:l3vpn@ietf.org>
List-Help: <mailto:l3vpn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l3vpn>, <mailto:l3vpn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Nov 2011 05:41:55 -0000

Derick,

 

I believe your comments are toward
http://tools.ietf.org/html/draft-ko-vaas-problem-statement-01

not toward Nabil's comments - which did not have direct relationship to
the draft-ko-vaas from my reading. 

 

Regardless, I like the points you made.

 

The original intention of VPN4DC is to address L3VPN connectivity to DC
VM networks. 

The core set of the existing VPNs are BGP/MPLS VPNs, what you want seem
to match the requests from several SPs and folks who operate those VPNs
and providing cloud services.

 

Will follow up with a VPN4DC scope discussion.

 

Thanks,

Luyuan

 

 

From: l3vpn-bounces@ietf.org [mailto:l3vpn-bounces@ietf.org] On Behalf
Of Derick Winkworth
Sent: Friday, November 04, 2011 10:08 PM
To: Bitar, Nabil N; robert@raszuk.net; Linda Dunbar
Cc: L3VPN WG mailing list
Subject: Re: Preliminary L3VPN/VPN4DC agenda @ IETF82

 

I have read the VaaS document several times and I'm not seeing how it is
relevant to VPN4DC.  

 

(1) These VMs are not mobile users on the internet. 

(2) We are, in fact, creating network path isolation (with proper
separation) for the VMs in the data center to/from their respective VRF.

(3) No matter how great the software is that you are using on your host
to establish the VPN... *my* customers, the reason I'm so interested in
VPN4DC, do not want their servers exposed to the internet at any level.
They want their servers effectively "jailed" in their L3VPN.  there can
be no dependency on software or configuration of the VM for its
placement in their network.  The vNIC is bound by path isolation to
their private L3VPN.  this is a not a unique or unusual requirement.

(4) You are advocating VaaS as a replacement for MPLS (it would seem by
your comments).  I'm not interested in replacing MPLS.  

 

Feel free to correct or clarify any misunderstanding I may be suffering
from...

 

 

 

 

 

________________________________

From: "Bitar, Nabil N" <nabil.n.bitar@verizon.com>
To: "robert@raszuk.net" <robert@raszuk.net>; Linda Dunbar
<linda.dunbar@huawei.com>
Cc: L3VPN WG mailing list <l3vpn@ietf.org>
Sent: Friday, November 4, 2011 1:16 PM
Subject: Re: Preliminary L3VPN/VPN4DC agenda @ IETF82

Hi,
I think what we need to be careful about assuming that the cloud service
provider is the same as the VPN service provider, and in particular a
BGP/MPLS service provider. That is not to say that they cannot be the
same, but it is over-restrictive to assume that they are and if one
makes
that assumption the solution or attributes of a solution will not be
necessarily the same. Model #2 seems to assume that this is the case in
the way it is worded.

There are a number of ways in which #1 can be achieved, and one of which
can be overlapping with model#2 per suggested modification. I think it
is
fine to define a model that defines a type or types  of DC tenant
isolation (connectivity)  that will be stitched to the tenant VPN WAN
service provided by a service provider. The tenant VPN service can be
focused on to be BGP/MPLS VPN provided by a service provider. The tenant
connectivity within the data center can also be a BGP-MPLS VPN or an
IPsec
VPN or a layer2VPN, and one can focus on one, but I think we will find
that that at the connection between the data center and the tenant WAN
VPN
provided by a service provider, the problem will be the same. That is,
in
terms of stitching the two VPN services. If the service provider VPN is
integrated with that of data center, I think that will become a
degenerate
case. In addition, if there is no BGP/MPLS connectivity, and the
customer
is gaining access to the DC via an Ipsec tunnel starting from a customer
CE and terminated in the data center, that will be transparent to the
VPN
service provider as a BGP MPLS service provider and I don't think in
that
case there is anything additional that should be done within the L3VPN
WG.

Thanks,
Nabil

On 11/3/11 1:42 PM, "Robert Raszuk" <robert@raszuk.net> wrote:

>Linda,
>
> > Personally I don't think that we need to waste our time on Model #1
> > for the following reasons:
>
>Personally I don't think we need to waste our time on solving Model #2
>for one main reason - #2 is a subset of #1. If we solve #1 then #2
get's
>solved automatically.
>
>Please note that IPSec access to provider's L3VPNs has been a
>commercialized and deployed feature years ago.
>
>--
>
>I really think that if we have any desire to constructively move
forward
>in this space time spend on finding the flexible and universal
>auto-discovery tool for customer's network islands (be it VMs alone or
>L3VPNs sites/set of sides or even specific mobile users) is a
>prerequisite for any further work.
>
>Then we could worry about what tool to use to interconnect those
islands.
>
>Even if those islands (more and more dynamic in nature) would all
belong
>under one SP .. such SP would also largely benefit from ability to
>auto-discovery in real time needs to join or leave a VPN. Then the
>toolkit of choice could be triggered to add/delete a site, a user or a
>VM to/from given VPN via the orchestration system of his choice.
>
>To the best of my knowledge such dynamic VPN discovery tool has not
been
>invented yet.
>
>Best rgds,
>R.
>
>
>
>> Here is the fundamental question for the goal of VPN4DC:
>>
>> 1. Is VPN4DC to create mechanisms which make it possible to connect
>> hosts in any public data centers (e.g. Amazon' EC2) to hosts'
>> corresponding VPNs? Or
>>
>> 2. Is VPN4DC to create a solution which allows VPN service provider
>> to extend their VPN with computing service? In this model, customers
>> (i.e. VPN clients) see their computing resources being offloaded to
>> their VPN. Customers don't deal with data centers directly.
>>
>>
>> Personally I don't think that we need to waste our time on Model #1
>> for the following reasons: -      VPN service providers may not even
>> have PEs in close proximity to "the public data centers" which
>> clients choose. If a VPN client has leased some computing resource
>> from a data center, the easiest way to connect them securely is by
>> IPSec tunnel.
>>
>> -      Today Amazon already allows any hosts to be connected to
>> their chosen sites by IPSec (Amazon's VPC service).
>>
>> Model #2 gives VPN service providers an unique advantage of binding
>> valuable VPN services with virtual computing services,  making it
>> more difficult for data centers who don't own network infrastructure
>> to compete.
>>
>> Do people agree?
>>
>> Linda
>>
>>> -----Original Message----- From: Luyuan Fang (lufang)
>>> [mailto:lufang@cisco.com] Sent: Wednesday, November 02, 2011 11:41
>>> PM To: Linda Dunbar; Ben Niven-Jenkins; L3VPN WG mailing list
>>> Subject: RE: Preliminary L3VPN/VPN4DC agenda @ IETF82
>>>
>>> Linda,
>>>
>>> Ben suggested that Ning and myself to work with co-authors of
>>> other problem statement drafts to come up with a combined view to
>>> be presented in Taipei meeting. The requirements drafts would be
>>> treated in the similar fashion. I plan to put gap analysis together
>>> with pb statement drafts.
>>>
>>> Though there would be no individual vpn4dc drafts presentations as
>>> in normal WG meetings, we welcome input on all three subjects from
>>> authors of vpn4dc related drafts, and everyone on the list.
>>>
>>> In fact, the intent of vpn4dc Q&A I sent a couple of days ago was
>>> to gather feedback/input from the list, as the first step of
>>> meeting prep.
>>>
>>> Will get together with the authors of the relevant drafts to
>>> discuss soon, prefer we meet when Ning is back to office in a
>>> couple of days. Ping me if you cannot wait.
>>>
>>> Thanks, Luyuan
>>>
>>>
>>>> -----Original Message----- From: l3vpn-bounces@ietf.org
>>>> [mailto:l3vpn-bounces@ietf.org] On
>>> Behalf
>>>> Of Linda Dunbar Sent: Wednesday, November 02, 2011 10:56 PM To:
>>>> Ben Niven-Jenkins; L3VPN WG mailing list Subject: RE: Preliminary
>>>> L3VPN/VPN4DC agenda @ IETF82
>>>>
>>>> Who will lead the talk for each topic?
>>>>
>>>> Linda
>>>>
>>>>> -----Original Message----- From: l3vpn-bounces@ietf.org
>>>>> [mailto:l3vpn-bounces@ietf.org] On
>>>> Behalf
>>>>> Of Ben Niven-Jenkins Sent: Wednesday, November 02, 2011 1:01
>>>>> PM To: L3VPN WG mailing list Subject: Preliminary L3VPN/VPN4DC
>>>>> agenda @ IETF82
>>>>>
>>>>> Colleagues,
>>>>>
>>>>> Marshall&  I have uploaded a preliminary L3VPN/VPN4DC agenda
>>>>> for
>>> IETF
>>>>> 82 in Taipei. You can find it here:
>>>>>
>>>>> http://www.ietf.org/proceedings/82/agenda/l3vpn.txt
>>>>>
>>>>> At the moment the agenda is a little vague because we are
>>>>> still
>>>> working
>>>>> with the VPN4DC proponents on who will lead each slot.
>>>>>
>>>>> We have purposely not put time on the agenda to
>>>>> present/discuss specific solution drafts as we would like the
>>>>> discussion to be
>>>> focussed
>>>>> on the problem/requirements posed by VPN4DC and its
>>>>> applicability
>>> to
>>>>> IETF (including L3VPN). Discussion of specific solution
>>>>> proposals
>>> can
>>>>> happen at future meetings if the VPN4DC work is adopted.
>>>>>
>>>>> Ben
>>>>>
>>
>>
>>

v2.23.0 | Report a Bug | By Email