Re: [nvo3] Updated Charter
Yakov Rekhter <yakov@juniper.net> Thu, 05 April 2012 19:31 UTC
Return-Path: <yakov@juniper.net>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAD2C21F86B0 for <nvo3@ietfa.amsl.com>; Thu, 5 Apr 2012 12:31:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aEJefp1vRUsl for <nvo3@ietfa.amsl.com>; Thu, 5 Apr 2012 12:31:00 -0700 (PDT)
Received: from exprod7og123.obsmtp.com (exprod7og123.obsmtp.com [64.18.2.24]) by ietfa.amsl.com (Postfix) with ESMTP id 26EBE21F869E for <nvo3@ietf.org>; Thu, 5 Apr 2012 12:31:00 -0700 (PDT)
Received: from P-EMHUB02-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob123.postini.com ([64.18.6.12]) with SMTP ID DSNKT33y5qY0g7k9vgFmzafE9v9TW7i8LI2Y@postini.com; Thu, 05 Apr 2012 12:31:00 PDT
Received: from merlot.juniper.net (172.17.27.10) by P-EMHUB02-HQ.jnpr.net (172.24.192.33) with Microsoft SMTP Server (TLS) id 8.3.213.0; Thu, 5 Apr 2012 12:30:35 -0700
Received: from juniper.net (sapphire.juniper.net [172.17.28.108]) by merlot.juniper.net (8.11.3/8.11.3) with ESMTP id q35JUZQ75008; Thu, 5 Apr 2012 12:30:35 -0700 (PDT) (envelope-from yakov@juniper.net)
Message-ID: <201204051930.q35JUZQ75008@merlot.juniper.net>
To: AshwoodsmithPeter <Peter.AshwoodSmith@huawei.com>
In-Reply-To: <7AE6A4247B044C4ABE0A5B6BF427F8E29382C3@dfweml503-mbx>
References: <7AE6A4247B044C4ABE0A5B6BF427F8E29382C3@dfweml503-mbx>
X-MH-In-Reply-To: AshwoodsmithPeter <Peter.AshwoodSmith@huawei.com> message dated "Thu, 05 Apr 2012 18:26:13 -0000."
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <79485.1333654234.1@juniper.net>
Date: Thu, 05 Apr 2012 12:30:35 -0700
From: Yakov Rekhter <yakov@juniper.net>
Cc: Thomas Narten <narten@us.ibm.com>, "Bocci, Matthew (Matthew)" <matthew.bocci@alcatel-lucent.com>, "nvo3@ietf.org" <nvo3@ietf.org>, "Balus, Florin Stelian (Florin)" <florin.balus@alcatel-lucent.com>, Benson Schliesser <bschlies@cisco.com>, Shane Amante <shane@castlepoint.net>
Subject: Re: [nvo3] Updated Charter
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "L2 \"Network Virtualization Over l3\" overlay discussion list \(nvo3\)" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nvo3>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2012 19:31:01 -0000
Peter, > > > > c) Active/Active. > ..... > > > > I'm interested what others think about the need to add these to the > > NVO3 requirements. > > Something is required in the routers that terminate the tunnels to > support active/active. At the very least the charter should recommend > something that exis ts like VRRP and show how it maps. I suppose > its also possible for the router to have some NVO3 tunnels terminating > into a subnet handled by some VRF but also some other non NVO3 > mechanisms terminating into the same subnet/VRF, in which case any > VRRP like mechanism would have to operate between the two different > te chnologies. > > Tromboning caused by picking the wrong gateway from outside the DC > is LISPs realm and I suppose it begs the question of why not adopt > a LISP style encap inside the DC too. Kill 2 birds with one stone. You may look at draft-raggarwa-data-center-mobility-02.txt for a description of mechanism that allow to eliminate "tromboning". > So active/active I think should be in the charter. External > tromboning if included would be a pull towards LISP and would be > nice to have just one encap for both purposes. Yakov. > > Peter Ashwood-Smith > > > -----Original Message----- > From: nvo3-bounces@ietf.org [mailto:nvo3-bounces@ietf.org] On Behalf Of Balus , Florin Stelian (Florin) > Sent: Thursday, April 05, 2012 1:05 PM > To: Thomas Narten; Shane Amante > Cc: Bocci, Matthew (Matthew); nvo3@ietf.org; Benson Schliesser > Subject: Re: [nvo3] Updated Charter > > Thomas, > > You asked below what others think about Shane use cases/requirements. > > I think what he described in his email are DC networking issues we need at le ast to discuss in NVO3 data plane/control plane requirements and gap analysis. In particular the requirements to address traffic tromboning to/from NVO3 and r esiliency at NVO3 gateways came up a number of times in the past in various IET F WG sessions. We can see after that where/how exactly is the best place/way to address them. But we should not just ignore them. > > My 2 cents... > > Florin > > > -----Original Message----- > > From: nvo3-bounces@ietf.org [mailto:nvo3-bounces@ietf.org] On Behalf Of > > Thomas Narten > > Sent: Thursday, April 05, 2012 9:12 AM > > To: Shane Amante > > Cc: Bocci, Matthew (Matthew); nvo3@ietf.org; Benson Schliesser > > Subject: Re: [nvo3] Updated Charter > > > > Shane, > > > > > FWIW, the reason I bring up this issue is that I have encountered > > this > > > exact situation when I contributed to a redesign of DataCenters > > > recently. See below. > > > > I'm not saying it can't or won't happen. I'm saying this is a > > relatively hard problem to solve, and just wishing we had a solution > > shouldn't be enough to make it a charter item for NVO3. > > > > Furthermore, this is arguably a general IP issue and not specific to > > NVO3. That raises fundamental questions about whether NVO3 is the right > > place to attempt a solution. Presumably we'd want general solutions > > that apply also in non-NVO3 scenarios. > > > > > > The problem with that is that we just don't know how to do it > > > > effectively at the IP level and we have not to date come up with a > > > > general purpose way of doing that. At least as far as I know. > > > > > I find the above somewhat ironic given that this is the IETF, where > > > we've defined both ARP and IPv6 Router + Neighbor Discovery ... > > > > There are plenty of examples of problems where we wish we had a > > solution, but there isn't necessarily one... No matter how much we'd > > like one... > > > > > > Or do you have some approaches in mind? > > > > > As I look at: > > > http://tools.ietf.org/html/draft-kreeger-nvo3-overlay-cp-00 > > > It seems fairly clear that NVO3 is, eventually, headed in a map & > > > encaps direction, (cf: Section 3.1, "Inner to Outer Address > > Mapping"). > > > > Absolutely. This is a given. That is what the data plane does. > > > > > If this is true, then it would seem wise to think about requirements > > > for additional attributes that can/should be included in the > > requisite > > > NVO3 mapping protocol(s). For example, it's conceivable that a > > > Hypervisor, implementing NVO3, could dynamically learn or be > > > statically programmed with an idea as to its physical and/or logical > > > location, (e.g.: NYC1 DC). In addition, the "exit points" from the > > > NVO3 overlay (would these exist on routers or switches or would it be > > > another VM/server acting as a "router"?) could also dynamically learn > > > and/or be programmed with similar information, since they need to (at > > > a bare minimum) implement a encaps/de-encaps function to get traffic > > > in/out of the overlay, right? Then, when "mapping" is performed > > in/by > > > the NVO3 control plane for Inner <-> Outer Address Mapping the answer > > > handed back as a result of that function /could/ be influenced by > > > additional criteria so that you get back something like: "here is the > > > topologically closest exit point from the NVO3 overlay". > > > Ultimately, the NVO3 "FIB" gets programmed with that information and, > > > perhaps, propagated further into the VM's ARP and/or ND tables ... > > > > For the special case of a router, I can imagine optimizations. But what > > about just using VRRP? There can be multiple instances of VRRP, and it > > is (arguably) VRRP's job to figure out how to the optimal path > > selection. I'm not familiar with VRRP's details with regards to load > > balancing, but it does allow for load balancing. That might be a better > > place to handle the router exit selection problem... > > > > > > In other words, this isn't an NVO3 problem per se, this is an > > > > inherent limitation in the IP subnet model. > > > > > True. However, NVO3 appears headed down a road of needing and, > > > eventually, defining (or, re-using?) a "mapping" function. If that > > is > > > the case, then there's room for 'enhancement' above and beyond > > > standard ARP & ICMPv6 RD/ND ... > > > > The problem I see with this approach is that the mapping is based on IP > > addresses. Given a target IP address, the mapping system presumably has > > no information about the kind of service residing at that address and > > whether or not there are multiple instances of such a service. > > > > I gather you are suggesting that the mapping system should be augmented > > with such information, so that the mapping function can be smarter > > about what it returns. > > > > This would certainly add to the complexities the mapping system has to > > deal with. > > > > Are you willing to scope the problem to the one case of wanting to > > optimize the selection of exit routers? Or do you see additional places > > where such optimizations would be desireable? > > > > > I can use a variety of techniques in IP routing to influence the > > > return traffic to go "the right way" back into the DC, e.g.: > > > announcing longer prefixes into IGP/BGP to ensure that 'return > > > traffic' is optimally routed back. The key problem is, without > > > running a dynamic routing protocol or using static routes on the > > > server/VM, I have no way of influencing traffic that is transmitted > > > *from* the server/VM to a optimal exit point. > > > > Understood. > > > > > >> So, IMO, it would be helpful to understand here on the list, and > > in > > > >> the charter, if NVO3 'solutions' care about optimizing traffic > > > >> flows that are transmitted by one VM and are required to traverse > > > >> an IP subnet boundary, for a variety of reasons, e.g.: > > > > > > > >> - traffic is required to pass through a "policy enforcement > > point", > > > >> such as a firewall/NAT/middle-box because: > > > > > > > > This will be something that has to be done, but it may be done > > > > completely outside of NVO3. E.g., you can have a single default > > > > router for the overlay instance, and all traffic would go through > > it > > > > (and the firewall beyond). It is unclear to me NVO3 has to know > > this > > > > is going on. > > > > > Yikes. I hope we're NOT designing for a single point-of-failure, out > > > of the NVO3 overlay, from Day 1. It seems we should be considering a > > > minimum of 2 x exit points from the overlay from Day 1 or, at the > > very > > > least, the ability for some type of *extremely* fast fail-over from > > > one 'physical' piece of hardware acting as the primary exit point to > > a > > > second piece of hardware acting as a secondary/standby exit point > > from > > > the overlay. > > > > Don't we have existing techniques already for dealing with router > > failover? (e.g., VRRP). > > > > And if you have multiple exit points, you need to deal with the > > multiple (possibly stateful) FW issues (in some cases). Not saying that > > can't be done, just that it may not be as simple as having multiple > > exit routers. > > > > > >> a) it's traversing between two 'tenants'; and/or, > > > > > > > > By definition, we have been saying that if you go from one tenant > > to > > > > another, that requires that you (conceptually) exit the overlay > > and > > > > re-enter it. So, again, this could be outside of NVO3's scope. > > > > > > > >> b) one VM is consuming a common service/application from the DC > > > >> operator > > > > > > > > Can you expand on what this means? > > > > > Let's say I'm an Amazon customer and have my own IP subnet. At > > times, > > > I may want to use their S3 or other services they provide. > > > The key point is I need my servers to talk to their S3 service, but I > > > do not want their other customers to be able to see and/or talk to my > > > servers, for security reasons. > > > > Not sure this is a new problem to NVO3. Don't you have the same > > scenario today using (say) VLANs? How does NVO3 change this scenario? > > > > > Again, we need to be careful to include some form(s) of redundancy > > in > > > the plans for NVO3, specifically as it relates to traffic that will > > > enter/exit the overlay. The way I see it there are three or four > > > things that should be considered: > > > > > a) No redundancy whatsoever for traffic entering/leaving the NVO3 > > > overlay -- good luck trying to sell this to Mega/Tera/Yotta > > DataCenter > > > customers ... > > > > OK, but at a first cut, I see nor reason why one cannot have multiple > > routers on a overlay given instance. > > > > > b) Active/Backup. One exit is active at any given time; only when > > it > > > dies does the "backup" take over (instantaneously). > > > > OK. > > > > > c) Active/Active. Two, or more, exit points are active at any given > > > time. This is the scenario I think we should aim for, because it can > > > be used to provide two physically diverse exit points from the same, > > > physical DataCenter as well as from geographically diverse > > > DataCenters. Ultimately, this allows the possibility for traffic to > > > enter/exit through the most optimal "active" entry/exit point. > > > > OK. > > > > I'm interested what others think about the need to add these to the > > NVO3 requirements. > > > > > >> - traffic is coming from a VM and destined toward an (IP)VPN, > > which > > > >> may have corporate offices spread all over the world that are > > > >> using services provided by those VM's > > > > > > > > Not sure of the details of this case. Where is the overlay > > boundary? > > > > Are the VMs both inside an overlay instance, or is one outside? > > (And > > > > if the latter, isn't this similar to previous cases?) > > > > > VM's are inside the overlay, acting as application servers, but they > > > are talking to clients (think: desktops/laptops/tablets/etc.) that > > are > > > sitting on a Corp WAN/LAN. The latter, clients, are not aware of > > NVO3 > > > and are speaking "regular" IP toward the DataCenter(s) to access > > > various applications/resources. It's the former, VM's inside the > > NVO3 > > > overlay, that I care about in the context of this conversation, > > > reqmt's and design space. > > > > Understood. > > > > To summarize, what you are saying about all these cases is you want to > > have multiple exit/entry points into a specific overlay, and you want > > NVO3 to help make sure the "closest" exit is used when possible. > > Right? > > > > Thomas > > > > _______________________________________________ > > nvo3 mailing list > > nvo3@ietf.org > > https://www.ietf.org/mailman/listinfo/nvo3 > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3
- Re: [nvo3] Updated Charter Mcdysan, David E
- Re: [nvo3] Updated Charter Benson Schliesser
- [nvo3] Updated Charter Benson Schliesser
- Re: [nvo3] Updated Charter Mcdysan, David E
- Re: [nvo3] Updated Charter Christopher Liljenstolpe
- Re: [nvo3] Updated Charter David Meyer
- Re: [nvo3] Updated Charter Miya Kohno
- Re: [nvo3] Updated Charter Randy Bush
- Re: [nvo3] Updated Charter Randy Bush
- Re: [nvo3] Updated Charter Chris Wright
- Re: [nvo3] Updated Charter Chris Wright
- Re: [nvo3] Updated Charter PAULING, JOEL (JOEL)
- Re: [nvo3] Updated Charter Larry Kreeger
- Re: [nvo3] Updated Charter Chris Wright
- Re: [nvo3] Updated Charter Stewart Bryant
- Re: [nvo3] Updated Charter David Freedman
- Re: [nvo3] Updated Charter Shane Amante
- Re: [nvo3] Updated Charter Robert Raszuk
- Re: [nvo3] Updated Charter Thomas Narten
- Re: [nvo3] Updated Charter Thomas Narten
- Re: [nvo3] Updated Charter Balus, Florin Stelian (Florin)
- Re: [nvo3] Updated Charter Thomas Narten
- Re: [nvo3] Updated Charter T. Sridhar
- Re: [nvo3] Updated Charter Shane Amante
- Re: [nvo3] Updated Charter Xuxiaohu
- Re: [nvo3] Updated Charter Thomas Narten
- Re: [nvo3] Updated Charter Stiliadis, Dimitrios (Dimitri)
- Re: [nvo3] Updated Charter Shane Amante
- Re: [nvo3] Updated Charter Balus, Florin Stelian (Florin)
- Re: [nvo3] Updated Charter AshwoodsmithPeter
- Re: [nvo3] Updated Charter Shane Amante
- Re: [nvo3] Updated Charter Dino Farinacci
- Re: [nvo3] Updated Charter Puneet Agarwal
- Re: [nvo3] Updated Charter AshwoodsmithPeter
- Re: [nvo3] Updated Charter Vishwas Manral
- Re: [nvo3] Updated Charter Yakov Rekhter
- Re: [nvo3] Updated Charter Yakov Rekhter
- Re: [nvo3] Updated Charter Dino Farinacci
- Re: [nvo3] Updated Charter Santosh Rajagopalan
- Re: [nvo3] Updated Charter thomas.morin
- Re: [nvo3] Updated Charter thomas.morin
- Re: [nvo3] Updated Charter Xuxiaohu
- Re: [nvo3] Updated Charter Mcdysan, David E
- Re: [nvo3] Updated Charter LASSERRE, MARC (MARC)
- Re: [nvo3] Updated Charter Thomas Narten
- Re: [nvo3] Updated Charter Mcdysan, David E
- Re: [nvo3] Updated Charter Thomas Narten
- Re: [nvo3] Updated Charter John E Drake
- Re: [nvo3] Updated Charter Lizhong Jin
- Re: [nvo3] Updated Charter Balus, Florin Stelian (Florin)
- Re: [nvo3] Updated Charter Mcdysan, David E
- Re: [nvo3] Updated Charter Anoop Ghanwani
- Re: [nvo3] Updated Charter Mcdysan, David E
- Re: [nvo3] Updated Charter John E Drake
- Re: [nvo3] Updated Charter Kireeti Kompella
- [nvo3] IDs david.black
- Re: [nvo3] Updated Charter AshwoodsmithPeter
- Re: [nvo3] Updated Charter Yakov Rekhter