RE: Preliminary L3VPN/VPN4DC agenda @ IETF82
"Luyuan Fang (lufang)" <lufang@cisco.com> Sat, 05 November 2011 05:41 UTC
Return-Path: <lufang@cisco.com>
X-Original-To: l3vpn@ietfa.amsl.com
Delivered-To: l3vpn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F261011E8073 for <l3vpn@ietfa.amsl.com>; Fri, 4 Nov 2011 22:41:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.675
X-Spam-Level:
X-Spam-Status: No, score=-4.675 tagged_above=-999 required=5 tests=[AWL=0.123, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_13=0.6, J_CHICKENPOX_14=0.6, J_CHICKENPOX_32=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O7ih7F1XmmZK for <l3vpn@ietfa.amsl.com>; Fri, 4 Nov 2011 22:41:51 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id A30C421F85A8 for <l3vpn@ietf.org>; Fri, 4 Nov 2011 22:41:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=lufang@cisco.com; l=32229; q=dns/txt; s=iport; t=1320471710; x=1321681310; h=mime-version:subject:date:message-id:in-reply-to: references:from:to:cc; bh=CHRowVINJTcoiHjWxjKrBGRYdT5JvtyV76FybMxKPOA=; b=Z7ceuuTBBBXfN14dWXRl9SvR833pH63CUZ9IcjzBjvsH+1p9Nu5CYtPd feH+NOtFgHck5Ym8XPrfP6Iy1CFjKfA2dduZYLG31uPT3xgA3DbHc0lH8 j1B4mzTeFjper4elov6CNzLBT7qTOeFe4F0K6k4lRWjRsa5CzuUIWXDVY 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AuoAACHMtE6tJV2a/2dsb2JhbAA9BoJNl0eNHYE3gSCBBYFyAQEBBBIBCREDPAIEBwwEAgEIDgMEAQELBhABBgEGAUUJCAEBBAESCAESB4domEMBnheGBYJDYwSIC5FNjE8
X-IronPort-AV: E=Sophos; i="4.69,459,1315180800"; d="scan'208,217"; a="33585502"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-5.cisco.com with ESMTP; 05 Nov 2011 05:41:49 +0000
Received: from xbh-rcd-202.cisco.com (xbh-rcd-202.cisco.com [72.163.62.201]) by rcdn-core-3.cisco.com (8.14.3/8.14.3) with ESMTP id pA55fnO1000407; Sat, 5 Nov 2011 05:41:49 GMT
Received: from xmb-rcd-201.cisco.com ([72.163.62.208]) by xbh-rcd-202.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Sat, 5 Nov 2011 00:41:49 -0500
X-Mimeole: Produced By Microsoft Exchange V6.5
x-cr-hashedpuzzle: BFUY BWPi EVs1 HZqf Knlt LDBH L63u XYqq Z7FV bl97 cP1Z hFs8 ijy+ i0rR lJhB q+ky; 5; YwBjAGkAZQAxADUANgA3ADIAQAB5AGEAaABvAG8ALgBjAG8AbQA7AGwAMwB2AHAAbgBAAGkAZQB0AGYALgBvAHIAZwA7AGwAaQBuAGQAYQAuAGQAdQBuAGIAYQByAEAAaAB1AGEAdwBlAGkALgBjAG8AbQA7AG4AYQBiAGkAbAAuAG4ALgBiAGkAdABhAHIAQAB2AGUAcgBpAHoAbwBuAC4AYwBvAG0AOwByAG8AYgBlAHIAdABAAHIAYQBzAHoAdQBrAC4AbgBlAHQA; Sosha1_v1; 7; {7BC8F3AA-12F0-4D3E-8461-6F2A83EDB31D}; bAB1AGYAYQBuAGcAQABjAGkAcwBjAG8ALgBjAG8AbQA=; Sat, 05 Nov 2011 05:41:33 GMT; UgBFADoAIABQAHIAZQBsAGkAbQBpAG4AYQByAHkAIABMADMAVgBQAE4ALwBWAFAATgA0AEQAQwAgAGEAZwBlAG4AZABhACAAQAAgAEkARQBUAEYAOAAyAA==
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CC9B7D.9CB202BC"
x-cr-puzzleid: {7BC8F3AA-12F0-4D3E-8461-6F2A83EDB31D}
Content-class: urn:content-classes:message
Subject: RE: Preliminary L3VPN/VPN4DC agenda @ IETF82
Date: Sat, 05 Nov 2011 00:41:33 -0500
Message-ID: <238542D917511A45B6B8AA806E875E25073CAAF0@XMB-RCD-201.cisco.com>
In-Reply-To: <1320458884.82254.YahooMailNeo@web161801.mail.bf1.yahoo.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Preliminary L3VPN/VPN4DC agenda @ IETF82
Thread-Index: AcybX8dJX7F8CtVpS9OyEOTGf0TkCwAB26gA
References: <4EB2D29D.8000701@raszuk.net><CAD957A1.2C4B8%nabil.n.bitar@verizon.com> <1320458884.82254.YahooMailNeo@web161801.mail.bf1.yahoo.com>
From: "Luyuan Fang (lufang)" <lufang@cisco.com>
To: Derick Winkworth <ccie15672@yahoo.com>, "Bitar, Nabil N" <nabil.n.bitar@verizon.com>, robert@raszuk.net, Linda Dunbar <linda.dunbar@huawei.com>
X-OriginalArrivalTime: 05 Nov 2011 05:41:49.0216 (UTC) FILETIME=[9CE1C200:01CC9B7D]
Cc: L3VPN WG mailing list <l3vpn@ietf.org>
X-BeenThere: l3vpn@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <l3vpn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l3vpn>, <mailto:l3vpn-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/l3vpn>
List-Post: <mailto:l3vpn@ietf.org>
List-Help: <mailto:l3vpn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l3vpn>, <mailto:l3vpn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Nov 2011 05:41:55 -0000
Derick, I believe your comments are toward http://tools.ietf.org/html/draft-ko-vaas-problem-statement-01 not toward Nabil's comments - which did not have direct relationship to the draft-ko-vaas from my reading. Regardless, I like the points you made. The original intention of VPN4DC is to address L3VPN connectivity to DC VM networks. The core set of the existing VPNs are BGP/MPLS VPNs, what you want seem to match the requests from several SPs and folks who operate those VPNs and providing cloud services. Will follow up with a VPN4DC scope discussion. Thanks, Luyuan From: l3vpn-bounces@ietf.org [mailto:l3vpn-bounces@ietf.org] On Behalf Of Derick Winkworth Sent: Friday, November 04, 2011 10:08 PM To: Bitar, Nabil N; robert@raszuk.net; Linda Dunbar Cc: L3VPN WG mailing list Subject: Re: Preliminary L3VPN/VPN4DC agenda @ IETF82 I have read the VaaS document several times and I'm not seeing how it is relevant to VPN4DC. (1) These VMs are not mobile users on the internet. (2) We are, in fact, creating network path isolation (with proper separation) for the VMs in the data center to/from their respective VRF. (3) No matter how great the software is that you are using on your host to establish the VPN... *my* customers, the reason I'm so interested in VPN4DC, do not want their servers exposed to the internet at any level. They want their servers effectively "jailed" in their L3VPN. there can be no dependency on software or configuration of the VM for its placement in their network. The vNIC is bound by path isolation to their private L3VPN. this is a not a unique or unusual requirement. (4) You are advocating VaaS as a replacement for MPLS (it would seem by your comments). I'm not interested in replacing MPLS. Feel free to correct or clarify any misunderstanding I may be suffering from... ________________________________ From: "Bitar, Nabil N" <nabil.n.bitar@verizon.com> To: "robert@raszuk.net" <robert@raszuk.net>; Linda Dunbar <linda.dunbar@huawei.com> Cc: L3VPN WG mailing list <l3vpn@ietf.org> Sent: Friday, November 4, 2011 1:16 PM Subject: Re: Preliminary L3VPN/VPN4DC agenda @ IETF82 Hi, I think what we need to be careful about assuming that the cloud service provider is the same as the VPN service provider, and in particular a BGP/MPLS service provider. That is not to say that they cannot be the same, but it is over-restrictive to assume that they are and if one makes that assumption the solution or attributes of a solution will not be necessarily the same. Model #2 seems to assume that this is the case in the way it is worded. There are a number of ways in which #1 can be achieved, and one of which can be overlapping with model#2 per suggested modification. I think it is fine to define a model that defines a type or types of DC tenant isolation (connectivity) that will be stitched to the tenant VPN WAN service provided by a service provider. The tenant VPN service can be focused on to be BGP/MPLS VPN provided by a service provider. The tenant connectivity within the data center can also be a BGP-MPLS VPN or an IPsec VPN or a layer2VPN, and one can focus on one, but I think we will find that that at the connection between the data center and the tenant WAN VPN provided by a service provider, the problem will be the same. That is, in terms of stitching the two VPN services. If the service provider VPN is integrated with that of data center, I think that will become a degenerate case. In addition, if there is no BGP/MPLS connectivity, and the customer is gaining access to the DC via an Ipsec tunnel starting from a customer CE and terminated in the data center, that will be transparent to the VPN service provider as a BGP MPLS service provider and I don't think in that case there is anything additional that should be done within the L3VPN WG. Thanks, Nabil On 11/3/11 1:42 PM, "Robert Raszuk" <robert@raszuk.net> wrote: >Linda, > > > Personally I don't think that we need to waste our time on Model #1 > > for the following reasons: > >Personally I don't think we need to waste our time on solving Model #2 >for one main reason - #2 is a subset of #1. If we solve #1 then #2 get's >solved automatically. > >Please note that IPSec access to provider's L3VPNs has been a >commercialized and deployed feature years ago. > >-- > >I really think that if we have any desire to constructively move forward >in this space time spend on finding the flexible and universal >auto-discovery tool for customer's network islands (be it VMs alone or >L3VPNs sites/set of sides or even specific mobile users) is a >prerequisite for any further work. > >Then we could worry about what tool to use to interconnect those islands. > >Even if those islands (more and more dynamic in nature) would all belong >under one SP .. such SP would also largely benefit from ability to >auto-discovery in real time needs to join or leave a VPN. Then the >toolkit of choice could be triggered to add/delete a site, a user or a >VM to/from given VPN via the orchestration system of his choice. > >To the best of my knowledge such dynamic VPN discovery tool has not been >invented yet. > >Best rgds, >R. > > > >> Here is the fundamental question for the goal of VPN4DC: >> >> 1. Is VPN4DC to create mechanisms which make it possible to connect >> hosts in any public data centers (e.g. Amazon' EC2) to hosts' >> corresponding VPNs? Or >> >> 2. Is VPN4DC to create a solution which allows VPN service provider >> to extend their VPN with computing service? In this model, customers >> (i.e. VPN clients) see their computing resources being offloaded to >> their VPN. Customers don't deal with data centers directly. >> >> >> Personally I don't think that we need to waste our time on Model #1 >> for the following reasons: - VPN service providers may not even >> have PEs in close proximity to "the public data centers" which >> clients choose. If a VPN client has leased some computing resource >> from a data center, the easiest way to connect them securely is by >> IPSec tunnel. >> >> - Today Amazon already allows any hosts to be connected to >> their chosen sites by IPSec (Amazon's VPC service). >> >> Model #2 gives VPN service providers an unique advantage of binding >> valuable VPN services with virtual computing services, making it >> more difficult for data centers who don't own network infrastructure >> to compete. >> >> Do people agree? >> >> Linda >> >>> -----Original Message----- From: Luyuan Fang (lufang) >>> [mailto:lufang@cisco.com] Sent: Wednesday, November 02, 2011 11:41 >>> PM To: Linda Dunbar; Ben Niven-Jenkins; L3VPN WG mailing list >>> Subject: RE: Preliminary L3VPN/VPN4DC agenda @ IETF82 >>> >>> Linda, >>> >>> Ben suggested that Ning and myself to work with co-authors of >>> other problem statement drafts to come up with a combined view to >>> be presented in Taipei meeting. The requirements drafts would be >>> treated in the similar fashion. I plan to put gap analysis together >>> with pb statement drafts. >>> >>> Though there would be no individual vpn4dc drafts presentations as >>> in normal WG meetings, we welcome input on all three subjects from >>> authors of vpn4dc related drafts, and everyone on the list. >>> >>> In fact, the intent of vpn4dc Q&A I sent a couple of days ago was >>> to gather feedback/input from the list, as the first step of >>> meeting prep. >>> >>> Will get together with the authors of the relevant drafts to >>> discuss soon, prefer we meet when Ning is back to office in a >>> couple of days. Ping me if you cannot wait. >>> >>> Thanks, Luyuan >>> >>> >>>> -----Original Message----- From: l3vpn-bounces@ietf.org >>>> [mailto:l3vpn-bounces@ietf.org] On >>> Behalf >>>> Of Linda Dunbar Sent: Wednesday, November 02, 2011 10:56 PM To: >>>> Ben Niven-Jenkins; L3VPN WG mailing list Subject: RE: Preliminary >>>> L3VPN/VPN4DC agenda @ IETF82 >>>> >>>> Who will lead the talk for each topic? >>>> >>>> Linda >>>> >>>>> -----Original Message----- From: l3vpn-bounces@ietf.org >>>>> [mailto:l3vpn-bounces@ietf.org] On >>>> Behalf >>>>> Of Ben Niven-Jenkins Sent: Wednesday, November 02, 2011 1:01 >>>>> PM To: L3VPN WG mailing list Subject: Preliminary L3VPN/VPN4DC >>>>> agenda @ IETF82 >>>>> >>>>> Colleagues, >>>>> >>>>> Marshall& I have uploaded a preliminary L3VPN/VPN4DC agenda >>>>> for >>> IETF >>>>> 82 in Taipei. You can find it here: >>>>> >>>>> http://www.ietf.org/proceedings/82/agenda/l3vpn.txt >>>>> >>>>> At the moment the agenda is a little vague because we are >>>>> still >>>> working >>>>> with the VPN4DC proponents on who will lead each slot. >>>>> >>>>> We have purposely not put time on the agenda to >>>>> present/discuss specific solution drafts as we would like the >>>>> discussion to be >>>> focussed >>>>> on the problem/requirements posed by VPN4DC and its >>>>> applicability >>> to >>>>> IETF (including L3VPN). Discussion of specific solution >>>>> proposals >>> can >>>>> happen at future meetings if the VPN4DC work is adopted. >>>>> >>>>> Ben >>>>> >> >> >>
- Preliminary L3VPN/VPN4DC agenda @ IETF82 Ben Niven-Jenkins
- RE: Preliminary L3VPN/VPN4DC agenda @ IETF82 Lucy yong
- RE: Preliminary L3VPN/VPN4DC agenda @ IETF82 Linda Dunbar
- RE: Preliminary L3VPN/VPN4DC agenda @ IETF82 Luyuan Fang (lufang)
- RE: Preliminary L3VPN/VPN4DC agenda @ IETF82 Linda Dunbar
- Re: Preliminary L3VPN/VPN4DC agenda @ IETF82 Pedro Marques
- Re: Preliminary L3VPN/VPN4DC agenda @ IETF82 Robert Raszuk
- RE: Preliminary L3VPN/VPN4DC agenda @ IETF82 Linda Dunbar
- RE: Preliminary L3VPN/VPN4DC agenda @ IETF82 Linda Dunbar
- Re: Preliminary L3VPN/VPN4DC agenda @ IETF82 Robert Raszuk
- RE: Preliminary L3VPN/VPN4DC agenda @ IETF82 Luyuan Fang (lufang)
- Re: Preliminary L3VPN/VPN4DC agenda @ IETF82 Pedro Marques
- RE: Preliminary L3VPN/VPN4DC agenda @ IETF82 Linda Dunbar
- RE: Preliminary L3VPN/VPN4DC agenda @ IETF82 Linda Dunbar
- Re: Preliminary L3VPN/VPN4DC agenda @ IETF82 Robert Raszuk
- RE: Preliminary L3VPN/VPN4DC agenda @ IETF82 Luyuan Fang (lufang)
- RE: Preliminary L3VPN/VPN4DC agenda @ IETF82 Linda Dunbar
- RE: Preliminary L3VPN/VPN4DC agenda @ IETF82 Luyuan Fang (lufang)
- Application of L3VPN for DCI//re: Preliminary L3V… Xuxiaohu
- Re: Application of L3VPN for DCI//re: Preliminary… Pedro Marques
- RE: Application of L3VPN for DCI//re: Preliminary… Luyuan Fang (lufang)
- re: Application of L3VPN for DCI//re: Preliminary… Xuxiaohu
- 答复: Application of L3VPN for DCI//re: Preliminary… Xuxiaohu
- 答复: Application of L3VPN for DCI//re: Preliminary… Xuxiaohu
- re: Application of L3VPN for DCI//re: Preliminary… Xuxiaohu
- 答复: Application of L3VPN for DCI//re: Preliminary… Xuxiaohu
- Re: 答复: Application of L3VPN for DCI//re: Prelimi… Pedro Marques
- Re: Preliminary L3VPN/VPN4DC agenda @ IETF82 Bitar, Nabil N
- Re: Preliminary L3VPN/VPN4DC agenda @ IETF82 Derick Winkworth
- Re: Preliminary L3VPN/VPN4DC agenda @ IETF82 Lizhong Jin
- RE: Preliminary L3VPN/VPN4DC agenda @ IETF82 Luyuan Fang (lufang)
- RE: Preliminary L3VPN/VPN4DC agenda @ IETF82 Luyuan Fang (lufang)
- RE: Preliminary L3VPN/VPN4DC agenda @ IETF82 Luyuan Fang (lufang)
- RE: Preliminary L3VPN/VPN4DC agenda @ IETF82 Luyuan Fang (lufang)
- Re: Preliminary L3VPN/VPN4DC agenda @ IETF82 Lizhong Jin
- Re: Preliminary L3VPN/VPN4DC agenda @ IETF82 Bitar, Nabil N
- Re: Preliminary L3VPN/VPN4DC agenda @ IETF82 Derick Winkworth
- re: Application of L3VPN for DCI//re: Preliminary… Xuxiaohu