Re: [Teas] Network Slicing design team definitions - isolation and resolution

Igor Bryskin <i_bryskin@yahoo.com> Tue, 28 April 2020 17:52 UTC

Return-Path: <i_bryskin@yahoo.com>
X-Original-To: teas@ietfa.amsl.com
Delivered-To: teas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A35F23A0E4C for <teas@ietfa.amsl.com>; Tue, 28 Apr 2020 10:52:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.917
X-Spam-Level:
X-Spam-Status: No, score=-2.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.82, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cl0rVQfoW_IW for <teas@ietfa.amsl.com>; Tue, 28 Apr 2020 10:52:10 -0700 (PDT)
Received: from sonic306-21.consmr.mail.ne1.yahoo.com (sonic306-21.consmr.mail.ne1.yahoo.com [66.163.189.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 728E23A0E43 for <teas@ietf.org>; Tue, 28 Apr 2020 10:52:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1588096329; bh=XGT6FjH9vALH3TDVckPwD1sFYW2tnlgcDOIaEAyyBiU=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From:Subject; b=h9v5+JY4dA6YQBhQMjkCbEeubzc4t+9d7dTIR//0QOQkniQ47AaBFbq8u9uLWOe/trXu8fJuKha2Pt/A70eeOoqyPFQ6kKs5Vv58843Wle8DrI5jtU51DSCdcAhV3utAXHuTUilMTN1u6qAIpk/OHFvScLEhKA3cuAiOGUyQeI33q6z06vv1wbiOuOn14tUu+3t2GwAbTcOS72pP/7mt6YQ+Mxrslb1PYU/jmgBJxidW/83MuIqILA49Q2JVa57EnNTuQejGvSYY40joiRU73w2MWG4lwXd8nmnuytbmBGdGtVbNe+zBY6JpRqMGyNkE5QDKzTqmx+XrBWDocuLZig==
X-YMail-OSG: ZPk_Z0gVM1l.9JAODJWCrpEj_AxektA6T4jldBdgSAN4dNcboJmyAt_DPvbLFYu LEsRP9C0O7yqauFRgatugk9zuS9jC2xfaerN60LVp6B0JsvnEduyLCVEY0dWM.YOVf0dOSy0qaGP 9Wgxstz9q57Kl1mR3BbKc6zb188zv._lqF0tq0uaOlyay51Tepp5FbjRgc8_Wxt7pb9zpkkGgJju 7JCZKQlbB9VqFX2nnabFClAwtnyo2jwsOY0Kn24Gw2Yf7wiRMuljXj7LnFUt0FlPK.foqAJzXN5E h9tPYYMy90qkyzaAYa42BvxcF9dAByLsbkMoIJRZ2GCNeKGjuII6BPkTOmR99h_KKtKTTl5ida2o m9vPHmkpSAMlkKsnq.f4IhDEVHSwe5iLjkqlz13YP_AhIH8UepkXtQ7.nkLFgaT2VgW2ft8Ht9yz ABOFxl1BzxUs6HSRqd2rVkV9zbX4vjIgzaL1RoHOfncDyM9ijkCLvAPYyNsF3ZKKGdm3mcoCKGzK bSc.tnfmKMKf9lJp.1t0ALVDTGAhwRtsM4hT4FVeDeZ1vgrtECgJbbO3erQEacPYvkPi.nyBuHkZ HdBrme5Mj137JIDrOHLqHXuTErbTL_Z72PPLO0W33xNo1p6yKG0kmk2iXUelPZA9n8EUpWb4n451 s2knywyj6dz8OR2DOhVHWeKOp0ljH1ghFMMsuJC59Rjtq1B_ySLlgjPDJgMk9d1FKbUCVrerAYKx NGWVc.Ac0WBBF05PvE1NkpzQPE49o6E0Z1Psl4522aa9jPJQidKSp8u85eeXek5dcybX2MGubpaY CM3zfB_DkskaEw9jF3UzPrYH54jEBEAWP6X2Em_TFIVqi6CKjTCq4qF_k0JPfJw8oplzrNOvVfD4 sBlgXohXrUU5rT8mAVCdpB25BRQhhSNgoTbIZdxrj0FsafhX3_wQ6FzvgibrHBnt1GWBorJ2dkRB B0Dys_OTh1_9M9rBpNeqJAAxANkAKSAV8lLtRguz2g69tC7AU5aqG0YvxAM54s0UAEMYCV8YvkUo WlKCdBoPH5y0PID9x2LQXqfzrcY4NJFGgsapSk7kYH6e5zLao1CZIiWG.zFyViJ0mqwCxXb7Kk48 2FnBf.dirVEeKnuvn9Z8616At7OfL0K4svqbGJWB6LRwz50P3.SOLD9FPx0CBI13dhDnQmKYX6i3 940W5pSUs7XbqcTPd9qX9XdL0GkaVvWeoo57.xfjfw.HL8z9QfpkAjRJpASjxY91V6y53AXY9Nye BIvqvKKxSblm8uzaO.EeWGqOOgU.51lSToJqtw1KBUsxVeSWE9LMGXBZRLx7C7TbD.rRCieF05X2 pkuwQAAIZJj3mrfSJW1IbpUBuPKk1mXM-
Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Tue, 28 Apr 2020 17:52:09 +0000
Date: Tue, 28 Apr 2020 17:51:41 +0000 (UTC)
From: Igor Bryskin <i_bryskin@yahoo.com>
To: "Dongjie (Jimmy)" <jie.dong@huawei.com>, Greg Mirsky <gregimirsky@gmail.com>
Cc: "Joel M. Halpern" <jmh@joelhalpern.com>, "teas@ietf.org" <teas@ietf.org>
Message-ID: <1212271585.1682731.1588096301849@mail.yahoo.com>
In-Reply-To: <CA+RyBmXrqjXNtFiYyoUT5ACtJ8fOJF7z78xnjC1MosNxXTZYzw@mail.gmail.com>
References: <E0C26CAA2504C84093A49B2CAC3261A43F83079E@dggeml531-mbs.china.huawei.com> <c467e349-efd8-1519-7d8a-1f242042cfed@joelhalpern.com> <a94fe17dae2244b0af6a9303e68f1e0e@huawei.com> <b54e1be6-cfd2-0bf7-1601-f6764253dfa3@joelhalpern.com> <CA+RyBmWaBN=WP3A4qwCOvm5Vax2ookYYas1-L5yQFiGmRH2OBA@mail.gmail.com> <aac854e6-92e5-59ea-3dac-e95fbf424a98@joelhalpern.com> <fc242b850689461da7861d81e3ab1a13@huawei.com> <CA+RyBmXrqjXNtFiYyoUT5ACtJ8fOJF7z78xnjC1MosNxXTZYzw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_1682730_903241831.1588096301844"
X-Mailer: WebService/1.1.15756 YMailNorrin Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/teas/UVU4GZhsEURTC1Lcg1NGZBzhbug>
Subject: Re: [Teas] Network Slicing design team definitions - isolation and resolution
X-BeenThere: teas@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Traffic Engineering Architecture and Signaling working group discussion list <teas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teas>, <mailto:teas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teas/>
List-Post: <mailto:teas@ietf.org>
List-Help: <mailto:teas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teas>, <mailto:teas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 17:52:15 -0000

Hi Greg,

Flow isolation and network isolation are different things. For example, you do not expect receiving data in one network broadcasted over properly isolated another network. Likewise, you do not expect congestion in one network caused by an activity in another (isolated) network. Om the other hand, flows in the same network may influence on each other.

Igor 

    On Tuesday, April 28, 2020, 12:30:38 PM EDT, Greg Mirsky <gregimirsky@gmail.com> wrote:  
 
 Hi Jie,thank you for listing the existing cases of isolation term use in IETF RFCs. My understanding of these quotes is that most of them refer to data flow isolation/separation. And that is what Connectivity Verification OAM is intended to monitor. At the same time, as Joel has pointed out, the term isolation is being used in the draft-nsdt-teas-transport-slice-definition in a different manner, particularly in Section 4.1.1. In that section, several levels (hard and soft) of the isolation are discussed whereas isolation of data flows, in my understanding, is always "hard". As I've mentioned earlier, we might look for different terms when referring to use/access to underlay resources vs. data flows interaction.
Regards,Greg

On Tue, Apr 28, 2020 at 2:31 AM Dongjie (Jimmy) <jie.dong@huawei.com> wrote:

Hi Joel and Greg,

As I mentioned during the virtual meeting, isolation was described as a requirement in several PPVPN requirement and framework RFCs. In summary, isolation is firstly required to avoid unwanted exposure of both data traffic and routing information, then it is also mentioned that isolation is needed to avoid the effects of traffic congestion happened in other VPNs in the network. 

Just quote some of them: 

RFC 3809: Generic Requirements for Provider Provisioned Virtual Private Networks (PPVPN)

4.4.  Data isolation

   The PPVPN MUST support forwarding plane isolation.  The network MUST
   never deliver user data across VPN boundaries unless the two VPNs
   participate in an intranet or extranet.

   Furthermore, if the provider network receives signaling or routing
   information from one VPN, it MUST NOT reveal that information to
   another VPN unless the two VPNs participate in an intranet or
   extranet.


RFC 4031: Service Requirements for Layer 3 Provider Provisioned Virtual Private Networks (PPVPNs)

4.1.  Isolated Exchange of Data and Routing Information

   A mechanism must be provided for isolating the distribution of
   reachability information to only those sites associated with a VPN.
   ...
   Note that isolation of forwarded data or exchange of reachability
   information to only those sites that are part of a VPN may be viewed
   as a form of security - for example, [Y.1311.1], [MPLSSEC].

5.8.  Isolation

   These features include traffic and routing information exchange
   isolation, similar to that obtained in VPNs based on Layer 1 and
   Layer 2 (e.g., private lines, FR, or ATM) [MPLSSEC].

6.8.  Isolation of Traffic and Routing
   ...
   From a high-level SP perspective, a PE-based L3VPN MUST isolate the
   exchange of traffic and routing information to only those sites that
   are authenticated and authorized members of a VPN.

   In a CE-based VPN, the tunnels that connect the sites effectively
   meet this isolation requirement if both traffic and routing
   information flow over the tunnels.

   An L3VPN solution SHOULD provide a means to meet L3VPN QoS SLA
   requirements that isolates VPN traffic from the effects of traffic
   offered by non-VPN customers.  Also, L3VPN solutions SHOULD provide a
   means to isolate the effects that traffic congestion produced by
   sites as part of one VPN can have on another VPN.


RFC 4110: A Framework for Layer 3 Provider-Provisioned Virtual Private Networks (PPVPNs)

1.2 Overview of Virtual Private Networks

   In PE-based layer 3 VPNs, the PE devices may
   route the VPN traffic based on the customer addresses found in the IP
   headers; this implies that the PE devices need to maintain a level of
   isolation between the packets from different customer networks..
   ...
   Tunneling is also important for other reasons, such as providing
   isolation between different customer networks, allowing a wide range
   of protocols to be carried over an SP network, etc.  Different QoS
   and security characteristics may be associated with different
   tunnels.

4. 3 VPN Tunneling

   Another capability optionally provided by tunneling is that of
   isolation between different VPN traffic flows.  The QoS and security
   requirements for these traffic flows may differ, and can be met by
   using different tunnels with the appropriate characteristics.  This
   allows a provider to offer different service characteristics for
   traffic in different VPNs, or to subsets of traffic flows within a
   single VPN.


Hope this helps. 

Best regards,
Jie

> -----Original Message-----
> From: Teas [mailto:teas-bounces@ietf.org] On Behalf Of Joel M. Halpern
> Sent: Tuesday, April 28, 2020 5:33 AM
> To: Greg Mirsky <gregimirsky@gmail.com>
> Cc: teas@ietf.org
> Subject: Re: [Teas] Network Slicing design team definitions - isolation and
> resolution
> 
> Greg, that definition seems to be a specific subset of VPN.
> As far as I can tell, the slice definition does include what endpoints the slice
> participants can talk to.  Presumably, with some way to say "the Internet".
> So Whether the slice supports communication with the Internet or not is
> definitely an observable property.  I would tend not to call it isolation.
> Separately, the definition you propose is unrelated to the definition in the
> document, Which is why I suggest, for now, removing all discussion of
> isolation from the document.
> 
> Yours,
> Joel
> 
> On 4/27/2020 5:22 PM, Greg Mirsky wrote:
> > Dear Joel,
> > thank you for bringing the matter of "isolation" to the discussion. I
> > agree, that it is not practical to expect physical isolation in modern
> > networks. In my view, a transport slice that requires isolation is as
> > a transport connection that expects to receive data only from the
> > specific domain and not from any other domain. In other words, I view
> > isolation as the absence of mis-connectivity (in transport network
> > interpretation which differentiates between path continuity check and
> > connectivity verification). If my interpretation is acceptable, then
> > isolation can be monitored using connectivity verification OAM
> mechanism(s).
> > I much appreciate your thoughts, opinion on the proposed
> > interpretation of isolation on transport slice.
> >
> > Regards,
> > Greg
> >
> > On Sun, Apr 26, 2020 at 8:57 AM Joel Halpern Direct
> > <jmh.direct@joelhalpern.com <mailto:jmh.direct@joelhalpern.com>>
> wrote:
> >
> >     Trimmed, in line.
> >     Joel
> >
> >     On 4/26/2020 11:08 AM, Dongjie (Jimmy) wrote:
> >      > Hi Joel,
> >      >
> >      > Please see some replies inline:
> >      >
> >      >> -----Original Message-----
> >      >> From: Teas [mailto:teas-bounces@ietf.org
> >     <mailto:teas-bounces@ietf.org>] On Behalf Of Joel M. Halpern
> >      >> Sent: Sunday, April 26, 2020 10:52 AM
> >      >> To: Zhenghaomian <zhenghaomian@huawei.com
> >     <mailto:zhenghaomian@huawei.com>>; teas@ietf.org
> <mailto:teas@ietf.org>
> >      >> Subject: Re: [Teas] Network Slicing design team definitions -
> >     isolation and
> >      >> resolution
> >      >>
> >     ....
> >      >> More importantly, it is not something the customer has any way
> >     to verify.
> >      >> There is no test a customer can run that will verify this.
> >      >> Making unverifiable promises is rarely a useful thing to do.
> >      >
> >      > Totally agree that tools for verification is important. As
> >     mentioned in Haomian's mail, isolation can be verified with suitable
> >     tools which can be used to collect the information at the necessary
> >     places with a suitable interval. And it is important that customers
> >     can be provided with such tools to monitor the performance and be
> >     informed of SLA violation.
> >
> >     As far as I can tell, the observable that you describe is latency
> >     variation (or maybe loss).  Fine, describe the SLO in terms of latency
> >     variation  (or loss).  Given that there are always imperfections in
> the
> >     system, the customer may think that the issue is isolation.  But
> >     what he
> >     can observe, and as far as I can tell what he cares about, is delay
> >     variation, loss, or other factors that affect his traffic.
> >
> >     To use a different example, I have learned from the advocates to hate
> >     bufferbloat.  But even their tests measure delay, delay variation,
> >     etc..
> >     They then infer the presence of large buffers.  But in fact, if the
> >     large buffers are present but never used, we would all be happy.  So
> >     the
> >     SLO on this would be in terms of latency, latency variation, loss, etc.
> >     Not bufferbloat.`
> >
> >     Yours,
> >     Joel
> >
> >      >
> >      > Best regards,
> >      > Jie
> >      >
> >      >>
> >      >> Yours,
> >      >> Joel
> >      >>
> >      >> PS: Note that I understand that operators get asked for odd
> >     things mby
> >      >> customers.  But if we are going to define standards to support
> >     it, we need to
> >      >> understand the actual need.
> >      >>
> >      >> On 4/25/2020 10:44 PM, Zhenghaomian wrote:
> >      >>> Not sure if I understand your question correctly.
> >      >>> Well, it's reasonable for people to request hard isolation
> >     because 'I don't want
> >      >> my data to be transported together with other people's data'.
> >      >>> For delivery this can be achieved by separating physical
> >     devices/connections,
> >      >> which are visible to users. For example dedicated boxes and
> >     fibers will guarantee
> >      >> the user's data is not mixed with others...
> >      >>>
> >      >>> Best wishes,
> >      >>> Haomian
> >      >>>
> >      >>> -----邮件原件-----
> >      >>> 发件人: Joel M. Halpern [mailto:jmh@joelhalpern.com
> >     <mailto:jmh@joelhalpern.com>]
> >      >>> 发送时间: 2020年4月26日 10:34
> >      >>> 收件人: Zhenghaomian <zhenghaomian@huawei.com
> >     <mailto:zhenghaomian@huawei.com>>; teas@ietf.org
> <mailto:teas@ietf.org>
> >      >>> 主题: Re: [Teas] Network Slicing design team definitions -
> >     isolation and
> >      >>> resolution
> >      >>>
> >      >>> (trimmed)
> >      >>> What is the user perceivable effect that the user is asking for
> >     when you say "if
> >      >> the user requests isolation"?
> >      >>>
> >      >>> Yours,
> >      >>> Joel
> >      >>>
> >      >>> On 4/25/2020 10:31 PM, Zhenghaomian wrote:
> >      >>>> Hi, Kiran, Joel,
> >      >>>>
> >      >>> ...
> >      >>>> BTW, regarding the isolation, I don't see the necessity to
> >     argue whether it
> >      >> should be in SLO or not. The isolation itself, can either be
> >     requested by the user
> >      >> of the transport slice (then from NBI of TSC) to express the
> >     demand of reliability,
> >      >> or be offered by the provider of the transport slice (then from
> >     the SBI of TSC) to
> >      >> achieve the SLO requested from the user. In other words, if the
> >     user requests
> >      >> certain level of isolation in an SLO, such isolation should be
> >     provided; if the user
> >      >> does not request certain level of isolation (no isolation
> >     request in SLO), then
> >      >> there may be some isolation provided to satisfy the user's
> request.
> >      >>>>
> >      >>>> Best wishes,
> >      >>>> Haomian
> >      >>
> >      >> _______________________________________________
> >      >> Teas mailing list
> >      >> Teas@ietf.org <mailto:Teas@ietf.org>
> >      >> https://www.ietf.org/mailman/listinfo/teas
> >
> >     _______________________________________________
> >     Teas mailing list
> >     Teas@ietf.org <mailto:Teas@ietf.org>
> >     https://www.ietf.org/mailman/listinfo/teas
> >
> >
> > _______________________________________________
> > Teas mailing list
> > Teas@ietf.org
> > https://www.ietf.org/mailman/listinfo/teas
> >
> 
> _______________________________________________
> Teas mailing list
> Teas@ietf.org
> https://www.ietf.org/mailman/listinfo/teas

_______________________________________________
Teas mailing list
Teas@ietf.org
https://www.ietf.org/mailman/listinfo/teas