FW: half done (RE: comments on draft-ietf-rtgwg-net2cloud-problem-statement-01

Linda Dunbar <linda.dunbar@futurewei.com> Wed, 26 June 2019 23:39 UTC

Return-Path: <linda.dunbar@futurewei.com>
X-Original-To: rtgwg@ietfa.amsl.com
Delivered-To: rtgwg@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 3849B1203AE for <rtgwg@ietfa.amsl.com>; Wed, 26 Jun 2019 16:39:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=futurewei.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 2DTsYQ6uezdM for <rtgwg@ietfa.amsl.com>; Wed, 26 Jun 2019 16:38:59 -0700 (PDT)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-eopbgr810100.outbound.protection.outlook.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74303120164 for <rtgwg@ietf.org>; Wed, 26 Jun 2019 16:38:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Futurewei.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qI2zSzUUpGUJlU7JJ6B/WIpyAHT6ec3Kgz1Dvhr6/xw=; b=FNqsMf9UQahaDlzi/dnf9MofUkxLrSPRrg/2nVpkfFvJZ2/2UnsrF3NrTGW7LsSKCz00hoNSGSLZ5AHFGSG0PO7yv39+Exuh4S/d6LKtnfNWCPYGT1U3Xivv/BjhRPDuNNpSWe7nnOLbPMLs4/Q7hD1iHWjmzJBzdTW744M96t8=
Received: from MN2PR13MB3582.namprd13.prod.outlook.com ( by MN2PR13MB3567.namprd13.prod.outlook.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2032.12; Wed, 26 Jun 2019 23:38:55 +0000
Received: from MN2PR13MB3582.namprd13.prod.outlook.com ([fe80::a8cd:e9ef:5219:67ea]) by MN2PR13MB3582.namprd13.prod.outlook.com ([fe80::a8cd:e9ef:5219:67ea%6]) with mapi id 15.20.2032.012; Wed, 26 Jun 2019 23:38:55 +0000
From: Linda Dunbar <linda.dunbar@futurewei.com>
To: Chris Bowers <chrisbowers.ietf@gmail.com>
CC: RTGWG <rtgwg@ietf.org>
Subject: FW: half done (RE: comments on draft-ietf-rtgwg-net2cloud-problem-statement-01
Thread-Topic: half done (RE: comments on draft-ietf-rtgwg-net2cloud-problem-statement-01
Thread-Index: AdUrr/R80FXZv+UzQFmrKMCHIIuxqwAx9FPg
Date: Wed, 26 Jun 2019 23:38:55 +0000
Message-ID: <MN2PR13MB358205ADCC33D8DCE030EB8385E20@MN2PR13MB3582.namprd13.prod.outlook.com>
References: <MN2PR13MB3582858DD2C3543A2417FD6A85E30@MN2PR13MB3582.namprd13.prod.outlook.com>
In-Reply-To: <MN2PR13MB3582858DD2C3543A2417FD6A85E30@MN2PR13MB3582.namprd13.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is ) smtp.mailfrom=linda.dunbar@futurewei.com;
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 4c390314-10b5-4a5c-c471-08d6fa8f745f
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:MN2PR13MB3567;
x-ms-traffictypediagnostic: MN2PR13MB3567:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <MN2PR13MB3567A9CC8861C1EF7F30FC1685E20@MN2PR13MB3567.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 00808B16F3
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(376002)(39850400004)(396003)(136003)(346002)(199004)(189003)(2473003)(66946007)(186003)(71190400001)(4326008)(64756008)(73956011)(66556008)(66446008)(5660300002)(52536014)(229853002)(66476007)(9686003)(76116006)(68736007)(6306002)(66066001)(14444005)(256004)(5070765005)(44832011)(71200400001)(486006)(606006)(54896002)(33656002)(316002)(476003)(76176011)(66574012)(446003)(45080400002)(74316002)(86362001)(7696005)(53936002)(6916009)(102836004)(14454004)(99286004)(2906002)(55016002)(8936002)(236005)(3846002)(6116002)(790700001)(25786009)(8676002)(53946003)(81156014)(81166006)(6506007)(53546011)(6436002)(7736002)(966005)(26005)(478600001)(11346002); DIR:OUT; SFP:1102; SCL:1; SRVR:MN2PR13MB3567; H:MN2PR13MB3582.namprd13.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: futurewei.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 1KSslkuwvYlQWKMxqZ9Zo1nn/PgWaZ6a7qq9pabZ/2/K64NQ33R0FQg7OwwfSqhA0YcnTcbUofJ25hhu6opMzmXO3MRXQKOkWILz67JSxyANuor6Cvz4WD5iqTBfGxF5QmrgGYlQMFJiw/4Gl27g4eWFLHQsJLN4uiAi/haeW8o4tzVntPyR8gNEADqZOCWp3wnaLgwMwPoRWUUlDpy3sXV+MsIRO6EEj6Bu42xFR+o8GuyGAnXaNuweoGgN5LraTS/xRmxucG0b1lll2ZcQX2+gZWZM5jmx8cf8Qklm80xCD28H6I+rnVdB/66Se5prjBPCEuO4gN7WZMhBjMVi2sJ/Nb8E4yn5x9ERAV7DLAK7vR5Zc0Uj1Jl185QwsFaYMuQlp5tsmvcHn0lDD6tH45PBadjqnW2bz5OXfzVYG3I=
Content-Type: multipart/alternative; boundary="_000_MN2PR13MB358205ADCC33D8DCE030EB8385E20MN2PR13MB3582namp_"
MIME-Version: 1.0
X-OriginatorOrg: Futurewei.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4c390314-10b5-4a5c-c471-08d6fa8f745f
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Jun 2019 23:38:55.7755 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0fee8ff2-a3b2-4018-9c75-3a1d5591fedc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ldunbar@futurewei.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR13MB3567
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtgwg/4gsI_cDjWpX4LR8U_UrUJq1gIps>
X-BeenThere: rtgwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Routing Area Working Group <rtgwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtgwg/>
List-Post: <mailto:rtgwg@ietf.org>
List-Help: <mailto:rtgwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jun 2019 23:39:04 -0000


Thank you for more comments.

[Linda] I see many comments are related to not so clear definition on VPC. Do you think the following definition (quoted from a Cloud DC documentation) is clear enough?

"Virtual Private Cloud is a virtual network dedicated to one client account. It is logically isolated from other virtual networks in a Cloud DC. Each client can launch his/her desired resources, such as compute, storage, or network functions into his/her VPC. In Microsoft Azure, the term "Virtual Network (VNet)" is used for Virtual Private Cloud. Most Cloud Operators' VPCs only support private addresses, some support IPv4 only, others support IPv4/IPv6 dual stack."

See below in purple for the proposed resolutions for other comments:

From: Chris Bowers <chrisbowers.ietf@gmail.com<mailto:chrisbowers.ietf@gmail.com>>
Sent: Tuesday, June 25, 2019 4:52 PM
To: Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>>
Cc: RTGWG <rtgwg@ietf.org<mailto:rtgwg@ietf.org>>
Subject: Re: comments on draft-ietf-rtgwg-net2cloud-problem-statement-01

Section 2

Existing text:
VPC:        Virtual Private Cloud. A service offered by Cloud DC
               operators to allocate logically-isolated cloud
               resources, including compute, networking and storage.

It seems to me that Virtual Private Cloud needs a much more detailed definition or description.   For example, does the VPC use public or private address space?  Later on in section 3.1 there is mention of "transit gateways".  Perhaps a more complete description of  the VPC would describe transit gateways.

[CB]  As far as I can tell, this request for a much more detailed description of a VPC has not been addressed in -02.  The document makes assertions about problems connnecting to VPCs without ever clearly defining the properties of VPCs.

Section 3.1

Existing text:

     - Internet gateway for any external entities to reach the

        workloads hosted in AWS Cloud DC via the Internet.

It is not clear what this option refers to.  Is the ability for the enterprise to SSH and SCP into their server instances in the AWS cloud at public IP addresses over the internet?  Or it the ability of, for example, a customer of the enterprise to access an application on a web server run by the enterprise?  Or is it access from the Internet to the VPC private address space mediated by NAT.  This should be clarified.

[Linda] this is refereeing to AWS Internet Gateway.
How about changing to "AWS Internet Gateway allows communication between instances in AWS VPC and the internet"?

[CB] I think this should be addressed as part of a much more detailed discussion of the properties of VPCs.   The quote below gives more information about VPCs, which could help with the general description of VPCs.  For example, so far the text of this draft hasn't said whether or not the VPC uses public or private IPv4 addresses, so what the Internet Gateway needs to do to connect a VPC to the public internet is not clear.

[Linda] AWS VPC only supports private IPv4 addresses, it doesn't support IPv6,. Azure supports dual stack. Do you think it is necessary to elaborate more on the Internet Gateway?

Here is the direct quote from AWS documentation:

Internet Gateways
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic.
An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.
An internet gateway supports IPv4 and IPv6 traffic.

Section 3.1

Existing text:
Via Direct Connect, an AWS Transit
        Gateway can be used to interconnect multiple VPCs in different
        Availability Zones.

The "transit gateway" needs a clearer description.  It is also not clear what the transit gateway has to do with the Direct Connect option.

[Linda] it is referring to AWS Transit Gateway which is described in detail in AWS documentation: https://aws.amazon.com/transit-gateway/<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Faws.amazon.com%2Ftransit-gateway%2F&data=02%7C01%7Clinda.dunbar%40futurewei.com%7C7889c9cecd504a25a48408d6f9c73cbc%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C636971031444510847&sdata=DO4pNt3emXMzWIz9n%2BPEmRx8NyTN1HcoadjzvSSuC0s%3D&reserved=0>
 Transit Gateway acts as a hub that controls how traffic is routed among all the connected networks which act like spokes.

[CB] Again, I think this needs to be addressed as part of the more detailed description of VPCs.

Section 3.1

Existing text:

  CPEs at one Enterprise branch office are connected to the Internet

   to reach AWS's vGW via IPsec tunnels. Other ports of such CPEs are

   connected to AWS DirectConnect via a private network (without any


Proposed text:
As an example, some branch offices of an enterprise can connect to over the Internet to reach AWS's vGW via IPsec tunnels.
Other branch offices of the same enterprise can connect to AWS DirectConnect via a private network (without any

[Linda] thank you very much for the suggestion. Changed accordingly.

Figure 1.

Figure 1 needs more description and detail

What are TN-1 and TN-2?  Are they "Tenant Networks" or something else?  Are they all part of the same VPC or do they represent different VPCs?

If the point of figure 1 is to show that a single enterprise can connect to the same set of resources with some branches using IPSec Tunnels and others branches using Direct Connect (since TN-1 and TN-2 are repeated in each instance), then perhaps it would be better to just represent those resources as a single instance, instead of multiple instances with the same names.

Where is the "customer gateway" physically located in the Direct connect case?

[Linda] Modified the figure per your suggestion. And add the following explanation:

Figure below shows an example of some tenants' workloads are accessible via a virtual router connected by AWS Internet Gateway; some are accessible via AWS vGW, and others are accessible via AWS Direct Connect. The vR1 can have its own IPsec capability for secure tunnel over the internet to bypass paying additional price for the IPsec features provided by AWS vGW. Some tenants can deploy separate virtual routers to connect to internet traffic and to traffic from the secure channels from vGW and DirectConnect, e.g. vR1 & vR2. Others may have one virtual router connecting to both types of traffic. Customer Gateway can be customer owned router or ports physically connected to AWS Direct Connect GW.

Section 3.2

Existing Text:

   According to Gartner, by 2020 "hybrid will be the most common usage

   of the cloud" as more enterprises see the benefits of integrating

   public and private cloud infrastructures.

I personally don't think that this reference to a Gartner report is very useful.  By the time this draft is published, it will likely already be 2020.  However, it you do want to use the reference, then it needs a citation in the References section so that someone can go look it up.

[Linda] removed the reference.

[CB]  Reference was removed, but the prediction is now an assertion.  "Hybrid will be the most common usage of the cloud..."  How about something less strong like, "It is likely that hybrid will be a common usage of the cloud ..."
 [Linda] Changed to your suggested wording.

The division of the material in Sections 3.1  "Interconnect to Cloud DCs" and section 3.2  "Interconnect to Hybrid Cloud DCs" is confusing and seems somewhat arbitrary.  The content of section 3.1 seems like it mainly applies to Hybrid Cloud DCs.    At the same time, the observation in section 3.2  that "some enterprises prefer to instantiate their own virtual  CPEs/routers inside the Cloud DC to connect the workloads within the Cloud DC" doesn't seem specific to Hybrid Clouds DCs.  I would suggest reorganizing the content of these two sections.

[Linda] The section 3.1 is mainly about same workloads being accessible by multiple connections (Internet, Direct Connect, etc.).  It is important for enterprises to be able to observe the specific behaviors when connected by different connections.
How about Changing the Section 3.1 title to "Multiple connection to workloads in a Cloud DC".

Section 3.3 mentions three different approaches to interconnect workloads among different Cloud DCs.  However, most of the discussion is about the third option (establishing direct tunnels among different VPCs via client's own virtual routers instantiated within Cloud DCs.)  It would the good to provide more detail on the first two options.  Presumably the first option (utilizing Cloud DC provided transit gateways) is reasonable if the enterprise is using only one cloud provider. The current text is pretty dismissive of this option.  The second option (Hairpin all the traffic through the customer gateway) is not very clearly explained.  If these different approaches are going to be discussed, there needs to be more detail.

[Linda] Added the following text to describe the issues associated with each of the bullets listed:

Approach a) usually does not work if Cloud DCs are owned and managed by different Cloud providers.
Approach b) creates additional transmission delay plus incurring cost when exiting Cloud DCs.
For the Approach c), DMVPN or DSVPN use NHRP (Next Hop Resolution Protocol) [RFC2735] so that spoke nodes can register their IP addresses & WAN ports with the hub node. The IETF ION (Internetworking over NBMA (non-broadcast multiple access) WG standardized NHRP for connection-oriented NBMA network (such as ATM) network address resolution more than two decades ago.

[CB]  This hasn't provided more detail on the first two options.  It is has just rearranged the existing information.

[Linda] Not sure what more to add. However, I will compose some text to describe how to use transit gateway and send to you later.

I will address your following comments in the next email.