Re: [Teas-ns-dt] John's Proposed NS-DT Framework Starting Point
"Dongjie (Jimmy)" <jie.dong@huawei.com> Tue, 14 January 2020 11:08 UTC
Return-Path: <jie.dong@huawei.com>
X-Original-To: teas-ns-dt@ietfa.amsl.com
Delivered-To: teas-ns-dt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DA0912006E; Tue, 14 Jan 2020 03:08:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D4vbjmVRkC1A; Tue, 14 Jan 2020 03:08:25 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDA51120052; Tue, 14 Jan 2020 03:08:24 -0800 (PST)
Received: from lhreml709-cah.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id 3255940ADE33FF10FE0F; Tue, 14 Jan 2020 11:08:22 +0000 (GMT)
Received: from NKGEML412-HUB.china.huawei.com (10.98.56.73) by lhreml709-cah.china.huawei.com (10.201.108.32) with Microsoft SMTP Server (TLS) id 14.3.408.0; Tue, 14 Jan 2020 11:08:20 +0000
Received: from NKGEML515-MBX.china.huawei.com ([fe80::a54a:89d2:c471:ff]) by nkgeml412-hub.china.huawei.com ([10.98.56.73]) with mapi id 14.03.0439.000; Tue, 14 Jan 2020 19:08:15 +0800
From: "Dongjie (Jimmy)" <jie.dong@huawei.com>
To: Eric Gray <eric.gray=40ericsson.com@dmarc.ietf.org>, "teas-ns-dt@ietf.org" <teas-ns-dt@ietf.org>
CC: Jari Arkko <jari.arkko@ericsson.com>, "draft-ietf-teas-enhanced-vpn@ietf.org" <draft-ietf-teas-enhanced-vpn@ietf.org>
Thread-Topic: John's Proposed NS-DT Framework Starting Point
Thread-Index: AdXJ+VdXqh8oiiSaRYeBo7tLBE2HdgAwPZ5A
Date: Tue, 14 Jan 2020 11:08:15 +0000
Message-ID: <76CD132C3ADEF848BD84D028D243C927CD5EB9D9@NKGEML515-MBX.china.huawei.com>
References: <BN8PR15MB2644C9F13A57F11D286190D197350@BN8PR15MB2644.namprd15.prod.outlook.com>
In-Reply-To: <BN8PR15MB2644C9F13A57F11D286190D197350@BN8PR15MB2644.namprd15.prod.outlook.com>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.108.203.211]
Content-Type: multipart/alternative; boundary="_000_76CD132C3ADEF848BD84D028D243C927CD5EB9D9NKGEML515MBXchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/teas-ns-dt/D1STib4dB6BW5Y93FUxEGnVpdxE>
Subject: Re: [Teas-ns-dt] John's Proposed NS-DT Framework Starting Point
X-BeenThere: teas-ns-dt@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TEAS Network Slicing Design Team <teas-ns-dt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teas-ns-dt>, <mailto:teas-ns-dt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teas-ns-dt/>
List-Post: <mailto:teas-ns-dt@ietf.org>
List-Help: <mailto:teas-ns-dt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teas-ns-dt>, <mailto:teas-ns-dt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2020 11:08:32 -0000
Hi Eric, Thanks a lot for your review and analysis of the text in VPN+ framework draft. Recently we are working on a new revision of this draft, which could solve some of your comments below. As the design team plan to reuse some text of VPN+ framework in the design team framework document, I (on behalf of other coauthors) would like to be part of this effort to help the alignment between the two drafts. Please see some further comments inline: Best regards, Jie From: Teas-ns-dt [mailto:teas-ns-dt-bounces@ietf.org] On Behalf Of Eric Gray Sent: Monday, January 13, 2020 9:24 PM To: teas-ns-dt@ietf.org Cc: Jari Arkko <jari.arkko@ericsson.com> Subject: [Teas-ns-dt] John's Proposed NS-DT Framework Starting Point Hopefully for addition to today's agenda... John will be unable to attend today's meeting and asked me to talk about his proposal to augment the Framework draft. In John's E-Mail, he added references to places in the Enhanced VPN draft where we could "lift" the text to fill in sections in the Framework skeleton Jari provided (at: https://github.com/teas-wg/teas-ns-dt/blob/master/notes/notes-2019-12-23-framework-skeleton.md). I have reformatted this in order to clarify what were "section headers" in Jari's proposed skeleton. I also added a note that the underlying technologies section is not expected to be all inclusive. Finally, I have added some of the proposed section text explicitly in order to make it easier to see what John has proposed adding All that John appears to have added (or changed) otherwise is the URLs referring to specific sections (which is what we asked him to do). Introduction ... Refer to [definitions] ... .... Relation to existing IETF technologies ... ......JD https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#section-1 Virtual private networks (VPNs) have served the industry well as a means of providing different groups of users with logically isolated access to a common network. The common or base network that is used to provide the VPNs is often referred to as the underlay, and the VPN is often called an overlay. Customers of a network operator may request enhanced overlay services with advanced characteristics such as complete isolation from other services so that changes in one service (such as changes in network load, or events such as congestion or outages) have no effect on the throughput or latency of other services provided to the customer. While this paragraph may be (and probably is) true for some set of customers, it is not particularly relevant to this work. I recommend omitting the paragraph. [Jie] It is relevant to network slice use cases which have particular requirement on isolation. Driven largely by needs surfacing from 5G, the concept of network slicing has gained traction [NGMN-NS-Concept<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-NGMN-NS-Concept>] [TS23501<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-TS23501>] [TS28530<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-TS28530>] [BBF-SD406<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-BBF-SD406>]. In [TS23501<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-TS23501>], Network Slice is defined as "a logical network that provides specific network capabilities and network characteristics", and Network Slice Instance is defined as "A set of Network Function instances and the required resources (e.g. compute, storage and networking resources) which form a deployed Network Slice". According to [TS28530<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-TS28530>], an end-to-end network slice consists of three major network segments: Radio Access Network (RAN), Transport Network (TN) and Core Network (CN). Transport network provides the required connectivity within and between RAN and CN parts, with specific performance commitment. For each end-to-end network slice, the topology and performance requirement on transport network can be very different, which requires transport network to have the capability of supporting multiple different transport network slices. This should probably refer to "types of network segments," as it is clear from prior DT discussions that there may be multiple instances of (for example) "Transport Slices." [Jie] Agree to change to "types of network segments" A transport network slice is a virtual (logical) network with a particular network topology and a set of shared or dedicated network resources, which are used to provide the network slice consumer with the required connectivity, appropriate isolation and specific Service Level Agreement (SLA). A transport network slice could span multiple technology (IP, Optical) and multiple administrative domains. Depends on the consumer's requirement, a transport network slice could be isolated from other, often concurrent transport network slices in terms of data plane, control plane and management plane. In the following sections of this document, network slice refers to transport network slice, and is interchangeable with enhanced VPN. (spelling) End-to-end network slice is used to refer to the 5G network slice. In the above paragraph, we would (obviously) not include the phrase claiming that a "transport network slice" being interchangeable with VPN+; in addition there are the following issues: 1) We have agreed (I am fairly certain) to use the expression "Transport Slice" to refer to what this text refers to as a "transport network slice" hence - if we include this text (and subsequent text using either "transport network slice" or just "network slice" we will need to revise that text to be consistent with the definitions draft; 2) We have also (again, I am fairly certain) agreed that the scope for transport (network) slices is not limited to 5G. I recommend omitting this paragraph and - instead - making sure that the remainder of the subsequent text becomes consistent with the definitions draft. [Jie] We will rephrase the text about the relationship between transport network slice and VPN+. In 5G context, VPN+ could be used to provide network slicing in the transport segment. The network slice definition in this draft could align with the design team definition once we have consensus in the design team. One of the comment I raised on the list was whether we use "Transport Slice" or "Transport Network Slice", as we are working on network in IETF, not another industry. Network abstraction is a technique that can be applied to a network domain to select network resources by policy to obtain a view of potential connectivity and a set of service functions. Network slicing builds on the concept of resource management, network virtualization and abstraction to provide performance assurance, flexibility, programmability and modularity. It may use techniques such as Software Defined Networking (SDN) [RFC7149<https://tools.ietf.org/html/rfc7149>] and Network Function Virtualization (NFV) [RFC8172<https://tools.ietf.org/html/rfc8172>][RFC8568] to create multiple logical (virtual) networks, each tailored for a set of services or a particular tenant or a group of tenants that share the same set of requirements, on top of a common network. How the network slices are engineered can be deployment-specific. Thus, there is a need to create virtual networks with enhanced characteristics. The tenant of such a virtual network can require a degree of isolation and performance that previously could not be satisfied by traditional overlay VPNs. Additionally, the tenant may ask for some level of control to their virtual networks, e.g., to customize the service paths in a network slice. This usage of "could (not)" has been a target for extensive objections in the VPN+ draft and should not be included in this work. I recommend replacing "could" with "might." [Jie] The text here means that the enhanced characteristics require coordination between the underlay network thus could not be met with pure overlay VPNs, what technologies to use in underlay is not limited. These enhanced properties cannot be met with pure overlay networks, as they require tighter coordination and integration between the underlay and the overlay network. This document introduces a new network service called Enhanced VPN: VPN+. VPN+ is built from a virtual network which has a customized network topology and a set of dedicated or shared network resources, including invoked service functions, allocated from the underlay network. Unlike a traditional VPN, an enhanced VPN can achieve greater isolation with strict performance guarantees. These new properties, which have general applicability, may also be of interest as part of a network slicing Dong, et al. Expires March 15, 2020 [Page 4] ________________________________ <https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#page-5> Internet-Draft VPN+ Framework September 2019 solution, but it is not envisaged that VPN+ techniques will be applied to normal VPN services that can continue to be deployed using pre-existing mechanisms. Furthermore, it is not intended that large numbers of VPN+ instances will be deployed within a single network. See Section 5<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#section-5> for a discussion of scalability considerations. The above paragraph is specific to VPN+ (or enhanced VPN) and therefore has no place in this NS-DT Framework Introduction. I recommend omitting this paragraph. This document specifies a framework for using existing, modified and potential new technologies as components to provide a VPN+ service. Specifically we are concerned with: I recommend replacing "VPN+" with "Transport Slice." o The design of the enhanced data plane. I recommend replacing "enhanced" with "Transport Slice." o The necessary protocols in both the underlay and the overlay of the enhanced VPN. I recommend replacing "enhanced VPN" with "Transport Slice." o The mechanisms to achieve integration between overlay and underlay. o The necessary Operation, Administration, and Management (OAM) methods to instrument an enhanced VPN to make sure that the required Service Level Agreement (SLA) is met, and to take any corrective action to avoid SLA violation, such as switching to an alternate path. I recommend replacing "enhanced VPN" with "Transport Slice." In addition, we have settled on using "Service Level Objectives in our work, so this should be aligned with that usage. [Jie] OK to use either SLA or SLO or both in the draft to align with the design team. I receommend replacing "Agreement (SLA)" with "Objective (SLO)" and further modifying subsequent text as needed to be consistent with the definitions draft. The required layered network structure to achieve this is shown in Section 3.1<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#section-3.1>. This reference - if this sentence is included - must be corrected to refer to a section (or figure) in this draft. Note that, in this document, the four terms "VPN", "Enhanced VPN" (or "VPN+"), "Virtual Network (VN)", and "Network Slice" may be considered as describing similar concepts dependent on the viewpoint from which they are used. I recommend omitting this paragraph. o An enhanced VPN can be considered as a form of VPN, but with additional service-specific commitments. Thus, care must be taken with the term "VPN" to distinguish normal or legacy VPNs from VPN+ instances. I recommend replacing "enhanced VPN" with "Transport Slice" and omitting the second sentence. o A Virtual Network is a type of service that connects customer edge points with the additional possibility of requesting further service characteristics in the manner of an enhanced VPN. I recommend omitting this bullet. o An enhanced VPN or VN is made by creating a slice through the resources of the underlay network. I recommend omitting this bullet. o The general concept of network slicing in a TE network is a larger problem space than is addressed by VPN+ or VN, but those concepts are tools to address some aspects or realizations of network slicing. I recommend replacing the highlighted text above with "existing concepts (e.g. - VPN/VPN+)." Requirements .... .... clarify scoping is only networking ... .... add some discussion of scalability ... ......JD https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#section-2, https://tools..ietf.org/html/draft-ietf-teas-enhanced-vpn-03#section-5<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#section-5> The text in section 2 of the enhanced VPN draft is entirely about the contentious concept of hard and soft isolation, which that draft is explicitly aimed at providing. Including the text from section 2 of the enhanced VPN draft MUST be seen as an explicit endorsement of that draft as a solution to "Transport Slicing." I recommend providing a reference to section 2 of the enhanced VPN draft as an example of a set of requirements that may apply to "Transport Slices." [Jie] Please note that isolation is also mentioned as one requirement in the GST of GSMA. Similarly, the text in section 5 addresses state scalability issues related to use of Segment Routing, RSVP-TE or some mix of the two. This text would require extensive modification to emphasize the generic issues associated with state information (in packets, or in the network) required for a number of currently proposed solutions for supporting "Transport Slicing." Note that the section concludes that a solution to the scalability issues it discusses is for further study. I recommend making the modifications to the text from section 5 to discuss the generic scalability issues only. A reference to section 5 of the enhanced VPN draft may be included for further information about example technologies. [Jie] Agree to generalize the scalability consideration in design team's document. Framework ......JD https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#section-3 Note that this section of the enhanced VPN draft is named "Architecture of Enhanced VPN." The text (and figure) in this section extends from page 13 to page 16 (4 pages). It is not the purpose of this Framework section in our draft to provide a specific solution architecture, and the subsections of this section do not align well with the subsections in this framework skeleton. Specifically, section 3 has the following subsections: 3. Architecture of Enhanced VPN 3.1. Layered Architecture 3.2. Multi-Point to Multi-Point (MP2MP) 3.3. Application Specific Network Types 3.4. Scaling Considerations I recommend reviewing the contents of this section and providing a recommendation based on it as a starting point for filling in at least the leading text for the framework (as well as evaluating the included figure (Figure 2) as a possible starting point for the diagram suggested below. [Jie] Review comment are welcome, and some update to this section is in progress. .... diagram ... Applications .... the transport slice system is used by an application. in most likely, that application is just another level slice orchestrator, e.g., the end-to-end slice orchestrator. but in theory it could also be an actual application that wants to manage some specific connectivity through the transport slice system. ... Expressing connectivity intents ......JD I would replace the term 'applications' w/ 'overlay services' .... northbound interface ... .... data models ... .... SLOs as intents ... .... (most of this comes from the definitions draft) ... Mapping .... the requirements get mapped by a piece of software, the controller, to concrete technologies and the connectivity is set up ... Controller .... Underlying technology (examples) .... such as MPLS or VPNs or even physical cables ... ......JD https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#section-4 A VPN is a network created by applying a multiplexing technique to the underlying network (the underlay) in order to distinguish the traffic of one VPN from that of another. A VPN path that travels by other than the shortest path through the underlay normally requires state in the underlay to specify that path. State is normally applied to the underlay through the use of the RSVP Signaling protocol, or directly through the use of an SDN controller, although other techniques may emerge as this problem is studied. This state gets harder to manage as the number of VPN paths increases. Furthermore, as we increase the coupling between the underlay and the overlay to support the enhanced VPN service, this state will increase further. In an enhanced VPN different subsets of the underlay resources can be dedicated to different enhanced VPNs or different groups of enhanced VPNs. An enhanced VPN solution thus needs tighter coupling with underlay than is the case with existing VPNs. We cannot, for example, share the network resource between enhanced VPNs which require hard isolation. Layer-Two Data Plane A number of candidate Layer-2 packet or frame-based data plane solutions which can be used provide the required isolation and guarantee are described in following sections. o FlexE o Time Sensitive Networking o Dedicated Queues FlexE FlexE [FLEXE<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-FLEXE>] is a method of creating a point-to-point Ethernet with a specific fixed bandwidth. FlexE provides the ability to multiplex multiple channels over an Ethernet link in a way that provides hard isolation. FlexE also supports the bonding of multiple links, which can be used to create larger links out of multiple low capacity links in a more efficient way that traditional link aggregation. FlexE also supports the sub-rating of links, which allows an operator to only use a portion of a link. However it is a only a link level technology. When packets are received by the downstream node, they need to be processed in a way that preserves that isolation in the downstream node. This in turn requires a queuing and forwarding implementation that preserves the end-to-end isolation. If different FlexE channels are used for different services, then no sharing is possible between the FlexE channels. This in turn means that it may be difficult to dynamically redistribute unused bandwidth to lower priority services. This may increase the cost of providing services on the network. On the other hand, FlexE can be used to provide hard isolation between different tenants on a shared interface. The tenant can then use other methods to manage the relative priority of their own traffic in each FlexE channel. Methods of dynamically re-sizing FlexE channels and the implication for enhanced VPN are for further study. Dedicated Queues In order to provide multiple isolated virtual networks for enhanced VPN, the conventional DiffServ based queuing system [RFC2475<https://tools.ietf.org/html/rfc2475>] [RFC4594<https://tools.ietf.org/html/rfc4594>] is considered insufficient, as DiffServ does not always provide enough queues to differentiate between traffic of different enhanced VPNs, or the range of service classes that each need to provide to their tenants. This problem is particularly acute with an MPLS underlay, because MPLS only provides 8 Traffic Classes (TC), and it's highly likely that there will be more than eight enhanced VPN instances supported by a network. In addition, DiffServ, as currently implemented, mainly provides relative priority-based scheduling, and is difficult to achieve quantitive resource reservation. In order to address this problem and reduce the interference between enhanced VPNs, it is necessary to steer traffic of enhanced VPNs to dedicated input and output queues. Some routers have large amount of queues and sophisticated queuing systems, which could be used or enhanced to provide the granularity and level of isolation required by the applications of enhanced VPN. For example, on one physical interface, the queuing system can provide a set of virtual sub-interfaces, each allocated with dedicated queueing and buffer resources. Sophisticated queuing systems of this type may be used to provide end-to-end virtual isolation between traffic of different enhanced VPNs. Time-Sensitive Networking Time Sensitive Networking (TSN) [TSN<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-TSN>] is an IEEE project that is designing a method of carrying time sensitive information over Ethernet. It introduces the concept of packet scheduling where a high priority packet stream may be given a scheduled time slot thereby guaranteeing that it experiences no queuing delay and hence a reduced latency. However, when no scheduled packet arrives, its reserved time-slot is handed over to best effort traffic, thereby improving the economics of the network. The mechanisms defined in TSN can be used to meet the requirements of time sensitive services of an enhanced VPN. Ethernet can be emulated over a Layer 3 network using a pseudowire. However the TSN payload would be opaque to the underlay and thus not treated specifically as time sensitive data. The preferred method of carrying TSN over a layer 3 network is through the use of deterministic networking as explained in the following section of this document.. Layer-Three Data Plane We now consider the problem of slice differentiation and resource representation in the network layer. The candidate technologies are: o Deterministic Networking o MPLS-TE o Segment Routing Deterministic Networking Deterministic Networking (DetNet) [I-D.ietf-detnet-architecture<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-I-D.ietf-detnet-architecture>] is a technique being developed in the IETF to enhance the ability of layer-3 networks to deliver packets more reliably and with greater control over the delay. The design cannot use re-transmission techniques such as TCP since that can exceed the delay tolerated by the applications. Even the delay improvements that are achieved with Stream Control Transmission Protocol Partial Reliability Extenstion (SCTP-PR) [RFC3758<https://tools.ietf.org/html/rfc3758>] do not meet the bounds set by application demands. DetNet pre-emptively sends copies of the packet over various paths to minimize the chance of all copies of a packet being lost, and trims duplicate packets to prevent excessive flooding of the network and to prevent multiple packets being delivered to the destination. It also seeks to set an upper bound on latency. The goal is not to minimize latency; the optimum upper bound paths may not be the minimum latency paths. DetNet is based on flows. It currently does not specify the use of underlay topology other than the base topology. To be of use for enhanced VPN, DetNet needs to be integrated with different virtual topologies of enhanced VPNs. The detailed design that allows the use DetNet in a multi-tenant network, and how to improve the scalability of DetNet in a multi- tenant network are topics for further study. MPLS Traffic Engineering MPLS-TE introduces the concept of reserving end-to-end bandwidth for a TE-LSP, which can be used as the underlay of VPNs. It also introduces the concept of non-shortest path routing through the use of the Explicit Route Object [RFC3209<https://tools.ietf.org/html/rfc3209>]. VPN traffic can be run over dedicated TE-LSPs to provide reserved bandwidth for each specific connection in a VPN. Some network operators have concerns about the scalability and management overhead of RSVP-TE system, and this has lead them to consider other solutions for their networks. Segment Routing Segment Routing [RFC8402<https://tools.ietf.org/html/rfc8402>] is a method that prepends instructions to packets at the head-end node and optionally at various points as it passes though the network. These instructions allow the packets to be routed on paths other than the shortest path for various traffic engineering reasons. With SR, a path needs to be dynamically created through a set of segments by simply specifying the Segment Identifiers (SIDs), i.e. instructions rooted at a particular point in the network. By encoding the state in the packet, per-path state is transitioned out of the network. With current segment routing, the instructions are used to specify the nodes and links to be traversed. An SR traffic engineered path operates with a granularity of a link with hints about priority provided through the use of the traffic class (TC) or Differentiated Services Code Point (DSCP) field in the header. However to achieve the latency and isolation characteristics that are sought by the enhanced VPN users, steering packets through specific queues and resources will likely be required. With SR, it is possible to introduce such fine-grained packet steering by specifying the queues and resources through an SR instruction list. Note that the concept of a queue is a useful abstraction for many types of underlay mechanism that may be used to provide enhanced isolation and latency support. How the queue satisfies the requirement is implementation specific and is transparent to the layer-3 data plane and control plane mechanisms used. Both SR-MPLS and SRv6 are candidate data plane technologies for enhanced VPN. In some cases they can further be used for DetNet to meet the packet loss, delay and jitter requirement of particular service. How to provide the DetNet enhanced delivery in an SRv6 environment is specified in [I-D.geng-spring-srv6-for-detnet<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-I-D.geng-spring-srv6-for-detnet>].. Non-Packet Data Plane Non-packet underlay data plane technologies often have TE properties and behaviors, and meet many of the key requirements in particular for bandwidth guarantees, traffic isolation (with physical isolation often being an integral part of the technology), highly predictable latency and jitter characteristics, measurable loss characteristics, and ease of identification of flows (and hence slices). The control and management planes for non-packet data plane technologies have most in common with MPLS-TE (Section 4.2.2<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#section-4.2.2>) and offer the same set of advanced features [RFC3945<https://tools.ietf.org/html/rfc3945>]. Furthermore, management techniques such as ACTN ([RFC8453<https://tools.ietf.org/html/rfc8453>] and Section 4.6<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#section-4.6> can be used to aid in the reporting of underlying network topologies, and the creation of virtual networks with the resource and properties needed by the enhanced VPN services. Control Plane Enhanced VPN would likely be based on a hybrid control mechanism, which takes advantage of the logically centralized controller for on- demand provisioning and global optimization, whilst still relies on distributed control plane to provide scalability, high reliability, fast reaction, automatic failure recovery etc. Extension and optimization to the distributed control plane is needed to support the enhanced properties of VPN+. RSVP-TE provides the signaling mechanism of establishing a TE-LSP with end-to-end resource reservation. It can be used to bind the VPN to specific network resource allocated within the underlay, but there are the above mentioned scalability concerns. SR does not have the capability of signaling the resource reservation along the path, nor do its currently specified distributed link state routing protocols. On the other hand, the SR approach provides a way of efficiently binding the network underlay and the enhanced VPN overlay, as it reduces the amount of state to be maintained in the network. An SR-based approach with per-slice resource reservation can easily create dedicated SR network slices, and the VPN services can be bound to a particular SR network slice. A centralized controller can perform resource planning and reservation from the controller's point of view, but this does not ensure resource reservation is actually done in the network nodes. Thus, if a distributed control plane is needed, either in place of an SDN controller or as an assistant to it, the design of the control system needs to ensure that resources are uniquely allocated in the network nodes for the correct services, and not allocated to other services causing unintended resource conflict. In addition, in multi-domain and multi-layer networks, the centralized and distributed control mechanisms will be used for inter-domain coordination and inter-layer optimization, so that the diverse and customized enhanced VPN service requirement could be met. The detailed mechanisms will be described in a future version. Management Plane In the context of 5G end-to-end network slicing, the management of enhanced VPN is considered as the management of transport network part of the end-to-end network slice. 3GPP management system may provide the topology and QoS parameters as requirement to the management plane of transport network. It may also require the transport network to expose the capability and status of the transport network slice. Thus an interface between enhanced VPN management plane and 3GPP network slice management system and relevant service data models are needed for the coordination of end- to-end network slice management. The management plane interface and data models for enhanced VPN can be based on the service models such as: o VPN service models defined in [RFC8299<https://tools.ietf.org/html/rfc8299>] and [RFC8466<https://tools.ietf.org/html/rfc8466>] o Possible augmentations and extensions (e.g.,[I-D.ietf-teas-te-service-mapping-yang<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-I-D.ietf-teas-te-service-mapping-yang>]) to VPN service models o ACTN related service models such as [I-D.ietf-teas-actn-vn-yang<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-I-D.ietf-teas-actn-vn-yang>] and [I-D.ietf-teas-actn-pm-telemetry-autonomics<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-I-D.ietf-teas-actn-pm-telemetry-autonomics>]. o VPN network model as defined in [I-D.aguado-opsawg-l3sm-l3nm<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-I-D.aguado-opsawg-l3sm-l3nm>]. o TE Tunnel model as defined in [I-D.ietf-teas-yang-te<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-I-D.ietf-teas-yang-te>]. These data models can be applicable in the provisioning of enhanced VPN service. The details are described in Section 4.6<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#section-4.6>. Applicability of Service Data Models to Enhanced VPN ACTN supports operators in viewing and controlling different domains and presenting virtualized networks to their customers. The ACTN framework [RFC8453<https://tools.ietf.org/html/rfc8453>] highlights how: o Abstraction of the underlying network resources are provided to higher-layer applications and customers. o Virtualization of underlying resources, whose selection criterion is the allocation of those resources for the customer, application, or service. o Creation of a virtualized environment allowing operators to view and control multi-domain networks as a single virtualized network. o The presentation to customers of networks as a virtual network via open and programmable interfaces. The infrastructure managed through the Service Data models comprises traffic engineered network resources (e.g. bandwidth, time slot, wavelength) and VPN service related resources (e.g. Route Target (RT) and Route Distinguisher (RD)). The type of network virtualization enabled by ACTN managed infrastructure provides customers and applications (tenants) with the capability to utilize and independently control allocated virtual network resources as if they were physically their own resources. The Customer VPN model (e.g. L3SM) or an ACTN Virtual Network (VN) model is a customer view of the ACTN managed infrastructure, and is presented by the ACTN provider as a set of abstracted services or resources. L3VPN network model or TE tunnel model is a network view of the ACTN managed infrastructure, and is presented by the ACTN provider as a set of transport resources. Depending on the agreement between customer and provider, various VPN/VN operations and VPN/VN views are possible. o Virtual Network Creation: A VPN/VN could be pre-configured and created via static or dynamic request and negotiation between customer and provider. It must meet the specified SLA attributes which satisfy the customer's objectives. o Virtual Network Operations: The virtual network may be further modified and deleted based on customer request to request changes in the network resources reserved for the customer, and used to construct the network slice. The customer can further act upon the virtual network to manage traffic flow across the virtual network. o Virtual Network View: The VPN/VN topology from a customer point of view. These may be a variety of tunnels, or an entire VN topology, or an VPN service topology. Such connections may comprise of customer end points, access links, intra-domain paths, and inter-domain links. Dynamic VPN/VN Operations allow a customer to modify or delete the VPN/VN. The customer can further act upon the virtual network to create/modify/delete virtual links and nodes or VPN sites. These changes will result in subsequent tunnel management or VPN service management in the operator's networks. Enhanced VPN Delivery in ACTN Architecture ACTN provides VPN connections or VN connections between multiple sites as requested via a VPN requestor enabled by the Customer Network Controller (CNC). The CNC is managed by the customer themselves, and interacts with the network provider's Multi-Domain Service Controller (MDSC). The Provisioning Network Controllers (PNC) are responible for network resource management, thus the PNCs are remain entirely under the management of the network provider and are not visible to the customer. The benefits of this model include: o Provision of edge-to-edge VPN multi-access connectivity. o Management is mostly performed by the network provider, with some flexibility delegated to the customer-managed CNC. Figure 3 presents a more general representation of how multiple enhanced VPNs may be created from the resources of multiple physical networks using the CNC, MDSC, and PNC components of the ACTN architecture. Each enhanced VPN is controlled by its own CNC. The CNCs send requests to the provider's MDSC. The provider manages two different physical networks each under the control of PNC. The MDSC asks the PNCs to allocate and provision resources to achieve the enhanced VPNs.. In this figure, one enhanced VPN is constructed solely from the resources of one of the physical networks, while the the VPN uses resources from both physical networks. ___________ --------------- ( ) | CNC |---------->( VPN+ ) --------^------ ( ) | _(_________ _) --------------- ( ) ^ | CNC |----------->( VPN+ ) : ------^-------- ( ) : | | (___________) : | | ^ ^ : Boundary | | : : : Between ==========|====|===================:====:====:======== Customer & | | : : : Network Provider | | : : : v v : : : --------------- : :....: | MDSC | : : --------------- : : ^ ---^------ ... | ( ) . v ( Physical ) . ---------------- ( Network ) . | PNC |<-------->( ) ---^------ ---------------- | -------- ( ) | |-- ( Physical ) | PNC |<------------------------->( Network ) --------------- ( ) -------- Figure 3: Generic VPN+ Delivery in the ACTN Architecture Enhanced VPN Features with Service Data Models This section discusses how the service data models can fulfill the enhanced VPN requirements described earlier in this document. As previously noted, key requirements of the enhanced VPN include: 1. Isolation between VPNs/VNs 2. Guaranteed Performance 3. Integration 4. Dynamic Management 5. Customized Control The subsections that follow outline how each requirement is met using ACTN. Isolation Between VPNs/VNs The VN YANG model [I-D.ietf-teas-actn-vn-yang<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-I-D.ietf-teas-actn-vn-yang>] and the TE-service mapping model [I-D.ietf-teas-te-service-mapping-yang<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-I-D.ietf-teas-te-service-mapping-yang>] fulfill the VPN/VN isolation requirement by providing the following features for the VPN/VNs: o Each VN is identified with a unique identifier (vn-id and vn-name) and so is each VN member that belongs to the VN (vn-member-id). o Each VPN is identified with a unique identifier (vpn-id) and can be mapped to one specific VN. While multiple VPNs may mapped to the same VN according to service requirement and operator's policy. o Each VPN and the corresponding VN is managed and controlled independent of other VPNs/VNs in the network with proper availability level. o Each VPN/VN is instantiated with an isolation requirement described by the TE-service mapping model [I-D.ietf-teas-te-service-mapping-yang<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-I-D.ietf-teas-te-service-mapping-yang>]. This mapping supports: * Hard isolation with deterministic characteristics (e.g., this case may need an optical bypass tunnel or a DetNet/TSN tunnel to guarantee latency with no jitter) * Hard isolation (i.e., dedicated TE resources in all underlays) * Soft isolation (i.e., resource in some layer may be shared while in some other layers is dedicated). * No isolation (i.e., sharing with other VPN/VN). Guaranteed Performance Performance objectives of a VN need first to be expressed in order to assure the performance guarantee. Performance objectives of a VPN [RFC8299<https://tools.ietf.org/html/rfc8299>][RFC8466] are expressed with QoS profile, either standard profile or customer profile. The customer QoS profile include the following properties: o Rate-limit o Bandwidth o Latency o Jitter [I-D.ietf-teas-actn-vn-yang] and [I-D.ietf-teas-yang-te-topo<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-I-D.ietf-teas-yang-te-topo>] allow configuration of several TE parameters that may affect the VN performance objectives as follows: o Bandwidth o Objective function (e.g., min cost path, min load path, etc.) o Metric Types and their threshold: * TE cost, IGP cost, Hop count, or Unidirectional Delay (e.g., can set all path delay <= threshold) Once these requests are instantiated, the resources are committed and guaranteed through the life cycle of the VPN/VN. Integration L3VPN network model provides mechanism to correlate customer's VPN and the VPN service related resources (e.g.RT and RD) allocated in the provider's network. VPN/Network performance monitoring model [I-D.www-bess-yang-vpn-service-pm<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-I-D.www-bess-yang-vpn-service-pm>] provides mechanisms to monitor and manage network Performance on the topology at different layer or the overlay topology between VPN sites. VN model and Performance Monitoring Telemetry model provides mechanisms to correlate customer's VN and the actual TE tunnels instantiated in the provider's network. Specifically: o Link each VN member to actual TE tunnel. o Each VN can be monitored on a various level such as VN level, VN member level, TE-tunnel level, and link/node level. Service function integration with network topology (L3 and TE topology) is in progress in [I-D.ietf-teas-sf-aware-topo-model<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-I-D.ietf-teas-sf-aware-topo-model>]. Specifically, [I-D.ietf-teas-sf-aware-topo-model<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-I-D.ietf-teas-sf-aware-topo-model>] addresses a number of use-cases that show how TE topology supports various service functions. Dynamic Management ACTN provides an architecture that allows the CNC to interact with the MDSC which is network provider's SDN controller. This gives the customer control of their VPN or VNs. e.g., the ACTN VN model [I-D.ietf-teas-actn-vn-yang<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-I-D.ietf-teas-actn-vn-yang>] allows the VN to life-cycle management such as create, modify, and delete VNs on demand. Another example is L3VPN servicel model [RFC8299<https://tools.ietf.org/html/rfc8299>] which allows the VPN lifecycle management such as VPN creation, modification and deletion on demand. Customized Control ACTN provides a YANG model that allows the CNC to control a VN as a "Type 2 VN" that allows the customer to provision tunnels that connect their endpoints over the customized VN topology. For some VN members, the customers are allowed to configure the path (i.e., the sequence of virtual nodes and virtual links) over the VN/ abstract topology. 5G Transport Service Delivery via Coordinated Data Modules The overview of network slice structure as defined in the 3GPP 5GS is shown in Figure 5. The terms are described in specific 3GPP documents (e.g. [TS23501<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-TS23501>] and [TS28530<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-TS28530>].) <================== E2E-NSI =======================> : : : : : : : : : : <====== RAN-NSSI ======><=TRN-NSSI=><====== CN-NSSI ======>VL[APL] : : : : : : : : : : : : : : : : : : RW[NFs ]<=TRN-NSSI=>[NFs ]<=TRN-NSSI=>[NFs ]<=TRN-NSSI=>[NFs ]VL[APL] . . . . . . . . . . . . .. . . . . . . . . . . . . .. .,----. ,----. ,----.. ,----. .,----. ,----. ,----.. UE--|RAN |---| TN |---|RAN |---| TN |---|CN |---| TN |---|CN |--[APL] .|NFs | `----' |NFs |. `----' .|NFs | `----' |NFs |. .`----' `----'. .`----' `----'. . . . . . . . . . . . . .. . . . . . . . . . . . . .. RW RAN MBH CN DN *Legends UE: User Equipment RAN: Radio Access Network CN: Core Network DN: Data Network TN: Transport Network MBH: Mobile Backhaul RW: Radio Wave NF: Network Function APL: Application Server NSI: Network Slice Instance NSSI: Network Slice Subnet Instance Figure 4: Overview of Structure of Network Slice in 3GPP 5GS To support 5G service (e.g., 5G MBB service), L3VPN service model [RFC8299<https://tools.ietf.org/html/rfc8299>] and TEAS VN model [I-D.ietf-teas-actn-vn-yang<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-I-D.ietf-teas-actn-vn-yang>] can be both provided to describe 5G MBB Transport Service or connectivity service. L3VPN service model is used to describe end-to-end IP connectivity service while TEAS VN model is used to describe TE connectivity service between VPN sites or between RAN NFs and Core network NFs. VN in TEAS VN model and support point-to-point or multipoint-to- multipoint connectivity service and can be seen as one example of network slice.. TE Service mapping model can be used to map L3VPN service requests onto underlying network resource and TE models to get TE network setup. For IP VPN service provision, the service parameters in the L3VPN service model [RFC8299<https://tools.ietf.org/html/rfc8299>] can be decomposed into a set of configuration parameters described in the L3VPN network model [I-D.aguado-opsawg-l3sm-l3nm<https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#ref-I-D.aguado-opsawg-l3sm-l3nm>] which will get VPN network setup. Much of this text (and at least one of the figures) will be usable in the NS-DT Framework draft. It will be necessary to comb through the text to make it generically applicable to Transport Slicing, consistent with the definitions draft, etc. - and some text may not be directly usable (we could include the less relevant concepts by reference). [Jie] The design team draft could provide general description about underlying technologies, and reference this section of VPN+ framework. While some more effort could be put on the management plane and data models as discussed on the list and conference call. Considerations Monitoring .... we need to instrument the slice realization to know how it is doing + update the slice as situation changes + dynamic reconfig... (spelling) How to deal with hierarchy ......JD https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#section-6, https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#section-7, https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#section-8 Sections 6 and 7 of the enhanced VPN draft are (respectively) OAM and Telemetry Considerations, and - as such - are a better fit for the "Monitoring" subsection above. It is not clear how section 8 ("Enhanced Resiliency") applies here. [Jie] The "enhanced resiliency" is about availability, it may be added in a separate section. .... Security model .... accidental or malicous interaction between slices raises new security concerns ... ......JD https://tools.ietf.org/html/draft-ietf-teas-enhanced-vpn-03#section-10 The text in this section would - after some modification - provide a good basis for a security considerations section of this draft. Note that "Security Model" and "Security Considerations" are not the same thing. [Jie] Comments about security sections are welcome.
- [Teas-ns-dt] John's Proposed NS-DT Framework Star… Eric Gray
- Re: [Teas-ns-dt] John's Proposed NS-DT Framework … Jari Arkko
- Re: [Teas-ns-dt] John's Proposed NS-DT Framework … Eric Gray
- Re: [Teas-ns-dt] John's Proposed NS-DT Framework … Dongjie (Jimmy)