Network Working Group                                          L. Dunbar
Internet-Draft                                                   L. Yong
Intended status: Informational                             Song Xiao Lin
                                                                  Huawei
Expires: April 2017                                     October 31, 2016


           Client Defined Private Networks laid over Thin CPEs
          draft-dunbar-opsawg-private-networks-over-thin-cpe-01

Abstract

   This document specifies a type of private networks that interconnect
   thin CPEs at multiple client sites by IP tunnels, or more
   specifically, lay over multiple client sites' Thin CPEs via IP
   tunnels. Those private overlay networks not only interconnect those
   sites by secure IP tunnels but can also enforce the client specified
   policies that govern how applications or hosts within those sites
   communicate and how they access the public internet.

   Hosts or applications in those sites can be interconnected by Layer 2
   networks and/or by Layer 3 networks. The network that the IP tunnels
   traverse can be an IPv4 or an IPv6 network.

   This document describes the special properties of the client defined
   networks over Thin CPEs. A separate draft will describe the special
   features that those IP tunnels need to have in order to interconnect
   multiple sites as if those sites were directly connected by wires,
   and how communication policies are enforced.

Status of This Document

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute working
   documents as Internet-Drafts. The list of current Internet-Drafts is
   at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 31, 2017.

Yong, et al.                                                    [Page 1]

Internet-Draft      Client Defined Overlay Private Network  October 2016
Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction
   2. Terminology
      2.1. Requirements Language
      2.2. Terms defined in this document
   3. Brief Description of the Private networks laid over Thin CPEs
   4. Overlay Private Network Configuration from Client Perspective
      4.1. Client Defined Overlay Private Networks
      4.2. Client's site Configuration
      4.3. Internet Gateway for each Site
      4.4. Overlay-VPN Gateway
      4.5. Interconnection among Sites
   5. Protocols needed for the Client Defined Overlay Private Networks
      5.1. Thin CPE Auto Instantiation
      5.2. Network agnostic interworking
      5.3. Gateway Anchor Auto-Selection
      5.4. Middle boxes auto-creation and rules exchanges
      5.5. Thin CPE on Third Party location
      5.6. Client Defined Policies for traffic to/from client sites
      5.7. QoS policies
      5.8. Explicit Service functions chain specified by clients
      5.9. Thin CPE monitoring
      5.10. Alarm & Events via Thin CPE
      5.11. Resource management via Thin CPE instantiated in Remote
            Locations
      5.12. Client traffic flows management, monitoring, and reporting
   6. Networks carried by IP tunnels in conjunction with existing
      L2VPN/L3VPN
   7. IANA Considerations
   8. Security Considerations
   9. References
      9.1. Normative References
      9.2. Informative Reference
   10. Authors' Addresses
   11. Contributors Addresses

1. Introduction

   This document specifies a type of private networks that interconnect
   thin CPEs at multiple client sites by IP tunnels, or more
   specifically, lay over multiple client sites' Thin CPEs via IP
   tunnels. Those private overlay networks not only interconnect those
   sites by secure IP tunnels but can also enforce the client specified
   policies that govern how applications or hosts within those sites
   communicate and how they access the public internet.

   Hosts or applications in those sites can be interconnected by Layer 2
   networks and/or by Layer 3 networks. The network that the IP tunnels
   traverse can be an IPv4 or an IPv6 network.

   This document describes the special properties of the client defined
   networks over Thin CPEs.
   For ease of description, the "Client Defined Private Overlay Network"
   is also called the client's "Overlay Private Network" or "Overlay
   Virtual Private Network (Overlay-VPN)" throughout this document.

   A separate draft will describe the special features that those IP
   tunnels need to have in order to interconnect multiple sites as if
   those sites were directly connected by wires, and how communication
   policies are enforced.

2. Terminology

2.1. Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.2. Terms defined in this document

   Internet Gateway: a network function, which can be a physical device
      in the provider site or a virtual function instantiated to connect
      client site traffic to the public internet, and which can enforce
      client specified policies.

   Overlay Private Network: a private network over a set of Thin CPEs at
      multiple sites, created by clients or users, who do not need to
      worry about how the Thin CPEs are connected or about the protocol
      settings on the network side. The "Overlay Private Network" not
      only interconnects multiple sites by (secure) IP tunnels but can
      also enforce the client specified policies that govern how
      applications or hosts within those sites communicate and how they
      access the public internet.

   Overlay-VPN: Overlay Private Network.

   Provider site: the location where the provider has access to the
      devices or equipment.

   Site: a place that contains switches, routers, services and
      appliances, where these devices are configured to form L2
      domain(s) or L3 domain(s); for example, an enterprise data center
      or a college campus network center. For L3 subnets, either private
      IPv4 or IPv6 addresses or public IPv4 or IPv6 addresses can be
      used.
   SITE: Site Interconnection Tunnel Encapsulation Protocol.

   Thin CPE: a simple device at the customer premises that maps the site
      local traffic to either the IP tunnels connected to the Internet
      Gateway or the IP tunnels connected to the VPN Gateway.

   Overlay-VPN Gateway: the function (which can be virtual) that
      establishes private (secure) connections to other sites belonging
      to the same client.

3. Brief Description of the Private networks laid over Thin CPEs

   The following figure depicts multiple overlay private networks that
   interconnect the client's various sites. Note that the Overlay
   Private Network is marked as "Overlay" in the figure. The client can
   create multiple overlay private networks and then assign each site to
   specific overlay private networks. The client also specifies the
   policies on what traffic to/from the client's sites can be exchanged
   with external networks; these policies are enforced by the "Internet
   gateways" created by the provider.

   [Figure 1 (ASCII diagram not reproduced): Overlay Private Networks
   interconnecting sites. It shows Sites 1, 2 and 3, each with L2
   and/or L3 networks, attached to Overlay1, Overlay2 and Overlay3, and
   an Internet Gateway "for enforcing policies" toward the External
   Network. Site 3 can be in a Cloud DC, a private DC or on customer
   premises.]
   Here are some key properties of Client defined Overlay Private
   Networks:

   - Each client "Site" has a Thin CPE that is connected via an IP
     tunnel (which can be secured per customer request) to a VPN
     gateway hosted in the provider site. The Thin CPE can be a
     software image instantiated on virtual machines, a physical CPE,
     or another form factor.

        ---------------+
         Site   +----+ |         +--------+
           1    |Thin| |<------->|Overlay +<======> Overlay VPN1,
                |CPE | |         |VPN GW  |         Overlay VPN2
                +----+ |         +--------+
        ---------------+

        Figure 2: Site Thin CPE connected to Overlay GW via IP Tunnel

   - Each Thin CPE is connected to an "Internet Gateway" via an IP
     tunnel that is created automatically by the provider. The
     "Internet Gateway", virtual or physical, can be located anywhere.

   - When the provider does not own the infrastructure to interconnect
     multiple sites, (secure) IP tunnels are created among the sites'
     VPN Gateways, so that each site's local networks (L2 or L3)
     attached to the Thin CPEs are interconnected as if those networks
     were directly connected by physical wire.

   - Some traffic between Thin CPEs has to go through a secure tunnel,
     e.g. IPsec. Clients can specify what traffic goes through secure
     tunnels without worrying about how to establish or maintain those
     tunnels. The client traffic can be carried by VXLAN (for
     interconnecting Layer 2 traffic) or GRE (for Layer 3 traffic) over
     the IPsec tunnel.

   - The client specifies the policies on how/what/when hosts from the
     interconnected sites can communicate with external peers. E.g.,
     hosts in one Layer 2 domain at one site may communicate with hosts
     in different Layer 2 domains at different sites.

   The Client Defined Overlay Networks can be viewed by the client as
   their own private networks.
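   As an added illustration (not part of the draft, and not any
   project's code), the following Python sketch shows how a Thin CPE
   could map traffic leaving a site onto its two kinds of tunnels using
   the choices above: VXLAN for Layer 2, GRE for Layer 3, and IPsec only
   toward the VPN Gateway when the client requires secure connections.
   The SiteConfig fields follow Section 4.2; the class names, addresses
   and VLAN numbers are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class SiteConfig:
    """Per-site settings the client supplies (Section 4.2 of the draft)."""
    site_id: str
    vlans: List[int]       # VLANs enabled on the Thin CPE's client-facing ports
    subnets: List[str]     # subnets enabled on the Thin CPE's client-facing ports
    overlay_vpn_gw: str    # address of this site's Overlay-VPN Gateway
    internet_gw: str       # address of this site's Internet Gateway
    secure: bool = False   # client requires secure (IPsec) tunnels to other sites


@dataclass(frozen=True)
class Tunnel:
    """An IP tunnel from the Thin CPE to one of its two gateways."""
    remote: str    # gateway address the tunnel terminates on
    role: str      # "vpn" or "internet"
    encap: str     # "VXLAN" for Layer 2 traffic, "GRE" for Layer 3 traffic
    ipsec: bool    # whether the encapsulation is carried inside IPsec


class ThinCPE:
    """Maps traffic leaving the site onto tunnels; it runs no IGP/BGP itself."""
    def __init__(self, site: SiteConfig, overlay_sites: List[SiteConfig]):
        self.site = site
        # The other sites of the same Overlay-VPN; the CPE only needs their
        # VLANs and subnets, not how the provider reaches them.
        self.peers = [s for s in overlay_sites if s.site_id != site.site_id]

    def select_tunnel(self, layer: int, key: str) -> Tunnel:
        """layer 2: key is the frame's VLAN id; layer 3: key is the destination IP.
        Frames/packets reaching the CPE have already left the local L2/L3 domain."""
        if layer == 2:
            encap = "VXLAN"
            to_peer = any(int(key) in p.vlans for p in self.peers)
        elif layer == 3:
            encap = "GRE"
            addr = ipaddress.ip_address(key)
            to_peer = any(addr in ipaddress.ip_network(n)
                          for p in self.peers for n in p.subnets)
        else:
            raise ValueError(f"unsupported layer {layer}")
        if to_peer:  # another site of the same client: via the Overlay-VPN Gateway
            return Tunnel(self.site.overlay_vpn_gw, "vpn", encap, self.site.secure)
        # Everything else exits via the Internet Gateway, where the client's
        # policies are enforced; IPsec is only added toward the VPN Gateway.
        return Tunnel(self.site.internet_gw, "internet", encap, False)


# Constructed sample data (not from the draft): two sites in one Overlay-VPN.
SITE1 = SiteConfig("site-1", [100, 200], ["10.1.0.0/24"], "192.0.2.10", "192.0.2.1", True)
SITE2 = SiteConfig("site-2", [100], ["10.2.0.0/24"], "192.0.2.20", "192.0.2.2")
CPE1 = ThinCPE(SITE1, [SITE1, SITE2])
```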
   For ease of description, the terminology "Overlay Private Network"
   or "Overlay-VPN" is used throughout this document to refer to this
   kind of client defined overlay network over Thin CPEs.

   "Overlay Private Network" is different from the IETF's L2VPN or
   L3VPN for the following reasons:

   - The Overlay Private Network is built upon an IP network (whereas
     L2VPN/L3VPN is built upon an MPLS network).

   - Traffic originated from a client's site (where the Thin CPE is
     instantiated) not only can communicate with hosts in other sites
     of the client via IP tunnels, but also can communicate with the
     public internet (governed by the policies specified by the
     client).

   - A client's site Thin CPE does not participate in IGP or BGP routing
     with the provider side. The client can specify the prefixes and/or
     VLANs for each site so that they can be reached by external hosts.

   - An IP tunnel is automatically created between a Thin CPE and the
     provider site where the VPN Gateway and the Internet Gateway are
     instantiated and maintained.

4. Overlay Private Network Configuration from Client Perspective

4.1. Client Defined Overlay Private Networks

   The client can specify multiple overlay private networks (a.k.a.
   Overlay-VPNs). The client can specify which sites connect to which
   Overlay-VPNs. Each Site can connect to multiple Overlay-VPNs.

   As the features on a Thin CPE are very limited, each Overlay-VPN has
   its own Overlay VPN Gateway in the provider site to connect to the
   Thin CPE via an IP tunnel, as depicted in Figure 2 above.

4.2. Client's site Configuration

   For each site, the client needs to specify:

   - Site Identifier (including a unique system identifier, name, etc.)

   - VLANs enabled on the site (i.e. the VLANs enabled on the client
     facing ports of the Thin CPE).

   - Subnets from the site (i.e. the subnets enabled on the client
     facing ports of the Thin CPE).
   - IP address of the Overlay-VPN Gateway that connects the other
     sites belonging to the client.

   - IP address of the Internet Gateway.

   The configuration on the site is mainly for the Thin CPE
   instantiated on the site. Therefore, the client also needs to
   specify which VLANs/subnets are enabled on the ports of the Thin CPE
   facing the local network on the site.

4.3. Internet Gateway for each Site

   Each site is associated with an Internet Gateway, which is
   automatically created by the provider. The Internet Gateway can be a
   physical device on the provider site or a virtual function that
   connects client site traffic to the public internet, and it can
   enforce client specified policies.

   Considering that one client can have multiple sites in different
   geographic locations, the client can specify different policies for
   traffic to/from each site.

4.4. Overlay-VPN Gateway

   The Overlay-VPN Gateway is on the provider site, connected to the
   Thin CPE via an IP tunnel. The purpose of the Overlay-VPN Gateway is
   to connect a site to its specified Overlay VPNs. Each site can be
   connected to multiple Overlay VPNs.

   For each Overlay-VPN Gateway, the client needs to specify:

   - Identifier

   - Which VPN the Gateway is connected to

   - Upstream bandwidth from the Thin CPE to the Overlay VPN GW

   - Downstream bandwidth from the Overlay VPN GW to the Thin CPE

4.5. Interconnection among Sites

   For each Overlay VPN, the client can choose which sites are
   connected by specifying the VPN Gateway associated with each site.

5. Protocols needed for the Client Defined Overlay Private Networks

5.1. Thin CPE Auto Instantiation

   A Thin CPE is a simple device that maps the site local traffic to
   either the IP tunnels connected to the Internet Gateway or the IP
   tunnels connected to the VPN Gateway.

5.2. Network agnostic interworking

   IP tunnels are automatically created between the Thin CPE and the
   (Internet/VPN) gateways based on the traffic sent to the access
   network.

   For Layer 2 traffic from the client local site, VXLAN is used to
   build the IP tunnels to the site's Internet Gateway or VPN Gateway
   respectively.

   For Layer 3 traffic from the client local site, GRE is used to build
   the IP tunnels to the site's Internet Gateway or VPN Gateway
   respectively.

   If the client specifies secure connections to other sites, IPsec is
   added to the tunnels between the Thin CPE and the VPN Gateway.

5.3. Gateway Anchor Auto-Selection

   For each client site, an Internet Gateway and a VPN Gateway will be
   automatically instantiated. Protocol extensions will be needed for
   the creation/deletion process and for how NAT is applied to client
   traffic from each site.

5.4. Middle boxes auto-creation and rules exchanges

   To be added.

5.5. Thin CPE on Third Party location

   Thin CPEs can also be instantiated on third party premises, such as
   cloud data centers. The instantiated Thin CPE can establish IP
   tunnels with the client's Internet Gateway or VPN Gateway.

5.6. Client Defined Policies for traffic to/from client sites

   Depending on the policies specified by the clients, the Thin CPE,
   jointly with the virtual GW, will select the appropriate network
   security functions, i.e. (virtual) FW, IPS, IDS, or others, to
   enforce the policies specified by the clients.

   The policies specified by the clients will be expressed in
   client-oriented language, e.g. using client identifiers or virtual
   addresses (instead of the IP addresses of the actual packets that
   traverse the FW). Those policies will be translated into rules
   implementable by the chosen network security functions, such as a
   FW.

5.7. QoS policies

   To be added.

5.8. Explicit Service functions chain specified by clients

   Clients can query the network service functions available to them
   and the capabilities of those functions. Then, the client can choose
   a set of them, either in strict sequence or simply as a set, to
   apply to their traffic. The policies for service functions can
   follow the guidelines specified by [I2NSF-Framework].

5.9. Thin CPE monitoring

5.10. Alarm & Events via Thin CPE

   To be added.

5.11. Resource management via Thin CPE instantiated in Remote Locations

   To be added.

5.12. Client traffic flows management, monitoring, and reporting

   To be added.

6. Networks carried by IP tunnels in conjunction with existing
   L2VPN/L3VPN

7. IANA Considerations

   To be added.

8. Security Considerations

   To be added.

9. References

9.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

9.2. Informative Reference

   [I2NSF-Framework]  Lopez, D., et al., "Framework for Interface to
              Network Security Functions",
              draft-ietf-i2nsf-framework-04, October 2016.

10. Authors' Addresses

   Linda Dunbar
   Huawei Technologies
   Email: linda.dunbar@huawei.com

   Lucy Yong
   Huawei Technologies
   Email: lucy.yong@huawei.com

   Song Xiao Li
   Huawei Technologies
   Email: sxlin@huawei.com

11. Contributors Addresses

   Xuan Ming fu
   Huawei Technologies
   xuanmingfu@huawei.com