Internet DRAFT - draft-dunbar-opsawg-private-networks-over-thin-cpe

draft-dunbar-opsawg-private-networks-over-thin-cpe



Network Working Group                                        L. Dunbar
Internet-Draft                                                 L. Yong
Intended status: Informational                           Song Xiao Lin
                                                                Huawei



Expires: April 2017                                    October 31, 2016


           Client Defined Private Networks laid over Thin CPEs
          draft-dunbar-opsawg-private-networks-over-thin-cpe-01

Abstract

   This document specifies a type of private networks that
   interconnect thin CPEs at multiple client sites by IP tunnels, or
   more specifically, lay over multiple client sites' Thin CPEs via IP
   tunnels. Those private overlay networks not only interconnect those
   sites by secure IP tunnels but can also enforce the client specified
   policies to govern how applications or hosts within those sites
   communicate and how to access public internet.

   Hosts or applications in those sites can be interconnected by Layer
   2 networks or/and by Layer 3 networks. The network that the IP
   tunnels are traversing can be IPv4 or IPv6 networks. This document
   describes the special properties of the client defined networks over
   Thin CPEs.

   A separate draft will describes the special features that those IP
   tunnels need to have in order to interconnect multiple sites as if
   those sites are directly connected by wires and how communication
   policies are enforced.

Status of This Document

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents




Yong, et al.                                                   [Page 1]

Internet-Draft   Client Defined Overlay Private Network    October 2016

   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 31, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.


Table of Contents


   1. Introduction...................................................4
   2. Terminology....................................................4
      2.1. Requirements Language.....................................4
      2.2. Terms defined in this document............................4
   3. Brief Description of the Private networks laid over Thin CPEs..6
   4. Overlay Private Network Configuration from Client Perspective..8
      4.1. Client Defined Overlay Private Networks...................8
      4.2. Client's site Configuration...............................8
      4.3. Internet Gateway for each Site............................9
      4.4. Overlay-VPN Gateway.......................................9
      4.5. Interconnection among Sites...............................9
   5. Protocols needed for the Client Defined Overlay Private Networks
   .................................................................10
      5.1. Thin CPE Auto Instantiation..............................10
      5.2. Network agnostic interworking............................10
      5.3. Gateway Anchor Auto-Selection............................10
      5.4. Middle boxes auto-creation and rules exchanges...........10
      5.5. Thin CPE on Third Party location.........................11
      5.6. Client Defined Polices for traffic to/from client sites..11
      5.7. QoS policies.............................................11
      5.8. Explicit Service functions chain specified by clients....11
      5.9. Thin CPE monitoring......................................11


Dunbar, et al.                                                 [Page 2]

Internet-Draft   Client Defined Overlay Private Network    October 2016

      5.10. Alarm & Events via Thin CPE.............................11
      5.11. Resource management via Thin CPE instantiated in Remote
      Locations.....................................................11
      5.12. Client traffic flows management, monitoring, and reporting
      ..............................................................11
   6. Networks carried by IP tunnels in conjunction with existing
   L2VPN/L3VPN......................................................12
   7. IANA Considerations...........................................12
   8. Security Considerations.......................................12
   9. References....................................................12
      9.1. Normative References.....................................12
      9.2. Informative Reference....................................12
   10. Authors' Addresses...........................................12
   11. Contributors Addresses.......................................13




































Dunbar, et al.                                                 [Page 3]

Internet-Draft   Client Defined Overlay Private Network    October 2016


1. Introduction

   This document specifies a type of private networks that interconnect
   thin CPEs at multiple client sites by IP tunnels, or more
   specifically, lay over multiple client sites' Thin CPEs via IP
   tunnels. Those private overlay networks not only interconnect those
   sites by secure IP tunnels but can also enforce the client specified
   policies to govern how applications or hosts within those sites
   communicate and how to access public internet.

   Hosts or applications in those sites can be interconnected by Layer
   2 networks or/and by Layer 3 networks. The network that the IP
   tunnels are traversing can be IPv4 or IPv6 networks. This document
   describes the special properties of the client defined networks over
   Thin CPEs.

   For ease of description, the "Client Defined Private Overlay
   Network" is also called the client's "Overlay Private Network" or
   "Overlay Virtual Private Network (Overlay-VPN)" throughout this
   document.

   A separate draft will describes the special features that those IP
   tunnels need to have in order to interconnect multiple sites as if
   those sites are directly connected by wires and how communication
   policies are enforced.

2. Terminology

2.1. Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.2. Terms defined in this document

   Internet Gateway: a network function, which can be a physical device
   in the provider site or a virtual function instantiated to connect
   client site traffic to the public internet, and can enforce client
   specified policies.

   Overlay Private Network: private network over a set of thin CPEs at
   multiple sites created by clients or users, who don't need to worry



Dunbar, et al.                                                 [Page 4]

Internet-Draft   Client Defined Overlay Private Network    October 2016

   about how thin CPEs are connected nor the protocol setting at
   network side. The "Overlay Private Network" not only interconnects
   multiple sites by (secure) IP tunnels but can also enforce the
   client specified policies to govern how applications or hosts within
   those sites communicate and how to access public internet.

   Overlay-VPN: Overlay Private Network.

   Provider site: the location where the provider have access to the
   devices or equipment.

   Site: A place that contains switches, routers, services, appliances
   and these devices are configured to form L2 domain (s) or L3 domain.
   For example an Enterprise company data center, a college campus
   network center. For L3 subnets, either private IPv4 or IPv6 address
   or public IPv4 or Ipv6 address can be used.

   SITE: Site Interconnection Tunnel Encapsulation Protocol

   Thin CPE: a simple device at a customer premise that maps the site
   local traffic to either the IP tunnels connected to the Internet
   Gateway, or the IP tunnels connected to the VPN Gateway.

   Overlay-VPN Gateway: the function (which can be virtual) that
   establish private (secure) connections to other sites belonging to
   the same client.
























Dunbar, et al.                                                 [Page 5]

Internet-Draft   Client Defined Overlay Private Network    October 2016

3. Brief Description of the Private networks laid over Thin CPEs

   The following figure depicts multiple overlay private networks that
   interconnect the client's various sites. Note, the Overlay Private
   Network is marked as "Overlay" in the figure. The client can create
   multiple overlay private networks and then assign each site to
   specific overlay private networks.  The client also specify the
   policies on what traffic to/from the clients can be exchanged with
   external network, which are enforced by the "Internet gateways"
   created by the provider.


                                 _,....._
                              ,-'        `-.
                             /   External  `.
                            |     Network   |
                            `.             /
                              `.__     _,-'
                                  `''''
                                      |
                                     +---------+
                                   +-+-------+ |
                                 +-+-------+ | |
                                 |Internet | +-+For enforcing policies
                                 |Gateway x+-+
                                 +----+----+
                                     / \
                          +---------+---+-----------------+
          +--------+                                             +-----+
          | L3     +--+                                     +----|     |
          |Network |  |                                     |    | L2  |
          +--------+  |            +--+------+              |    +--+--+
                      |  +-+--+ +--|Overlay1 |             ++---+   |
                      |  |Site|/   +-|-------+-+ +---------|Site+---+
                      +--|  1 |\+----|Overlay2 |/     +----|  2 |-+
                         +---++      +-+-------+-+   /     +--+-+ |
                        /     \        |Overlay3 |--+             |
          +--------+   /       \       +-+-------+            +---+-+
          | L2     +--+         \        |                    |     |
          |Network |             \       |                    | L3  |
          +--------+              \      |                    +-----+
                                 +-+-----+
                                 | Site  | can be in Cloud DC, private DC
                                 |   3   | or customer premises.
                                 +-------+

         Figure 1 Overlay Private Networks interconnecting sites



Dunbar, et al.                                                 [Page 6]

Internet-Draft   Client Defined Overlay Private Network    October 2016


   Here are some key properties of Client defined Overlay Private
   Networks:

   -  Each client "Site" has a Thin CPE that is connected to a VPN
     gateway which is hosted in the provider site via IP Tunnel (which
     can be secured per customer request). The Thin CPE can be software
     image instantiated on virtual machines, physical CPE, or other
     form factors.

                ---------------+
                Site     +-+--+|      +--------+
                 1       |Thin||<---->|Overlay +<======> Overlay VPN1,
                         |CPE ||      |VPN GW  |         Overlay VPN2
                         +-+--+|      +--------+
               ---------------+
        Figure 2 site Thin CPE connect to Overlay GW via IP Tunnel

   -  Each Thin CPE is connected to an "Internet Gateway" via IP Tunnel
     (that is automatically created by provider). The "Internet
     Gateway", virtual or physical, can be located anywhere. An IP
     Tunnel is created automatically between the Thin CPE and the
     "Internet Gateway".

   -  When the provider don't own the infrastructure to interconnect
     multiple sites, (secure) IP Tunnels are created among each site's
     VPN Gateway, so that each site's local networks (L2 or L3)
     attached to the Thin CPEs are interconnected as if those networks
     are directly connected by physical wire.

   -  Some traffic between Thin CPE have to go through secure tunnel,
     e.g. IPSec. Clients can specify what traffic to go through secure
     tunnels without specifically worrying about how to establish or
     maintain the secure tunnels. The client traffic can be carried by
     VxLAN (for interconnecting layer 2 traffic) or GRE (for L3 traffic)
     over the IPSEc tunnel.

   -  Client specifies the policies on how/what/when hosts from the
     interconnected sites can communicate with external peers; E.g.
     Hosts in one Layer 2 domain from one site may communicate with
     hosts in different Layer 2 domains in different sites.

   The Client Defined Overlay Networks can be viewed by client as their
   own private networks. For ease of description, the terminology
   "Overlay Private Network" or "Overlay-VPN" is used throughout this
   document to refer to this kind of client defined overlay network
   over Thin CPEs.



Dunbar, et al.                                                 [Page 7]

Internet-Draft   Client Defined Overlay Private Network    October 2016

   "Overlay Private Network" is different from the IETF's L2VPN or
   L3VPN for the following reasons:

   -  Overlay-Private-Network is built upon IP network (whereas
     L2VPN/L3VPN is built upon MPLS network),

   -  Traffic originated from a client's site (where Thin CPE is
     instantiated) not only can communicate with hosts in other sites
     of the client via IP tunnels, but also can communicate with public
     internet (governed by the policies specified by the client),

   -  Client's site Thin CPE don't participate in IGP or BGP routing
     with provider side. Client can specify the prefixes and/or VLANs
     for each site so that they can be reached by external hosts,

   -  IP tunnel is automatically created between a Thin CPE and
     provider site where VPN gateway and internet gateway are
     instantiated and maintained.



4. Overlay Private Network Configuration from Client Perspective

4.1. Client Defined Overlay Private Networks

   The client can specify multiple overlay private networks (a.k.a.
   Overlay-VPNs). Client can specify which sites connect to which
   Overlay-VPNs. Each Site can connect to multiple Overlay-VPNs.

   As features on Thin CPE are very limited, each Overlay-VPN has its
   own Overlay VPN gateway in provider site to connect to Thin CPE via
   IP tunnel, as depicted in Figure 2 above.



4.2. Client's site Configuration

   For each site, the client needs to specify:

   -  Site Identifier (include unique system Identifier, name, etc.)

   -  VLANs enabled on the site (i.e. the VLANs enabled on the client
     facing ports of the Thin CPE).

   -  Subnets from the site (i.e. the subnets enabled on the client
     facing ports of the Thin CPE)




Dunbar, et al.                                                 [Page 8]

Internet-Draft   Client Defined Overlay Private Network    October 2016

   -  IP address for the Overlay-VPN Gateway that connect other sites
     belonging to the client

   -  IP address for the Internet Gateway

   The configuration on the site is mainly for the Thin CPE
   instantiated on the site. Therefore, the client also needs to
   specify which VLANs/subnets are enabled on the ports of the Thin CPE
   facing the local network on the site.

4.3. Internet Gateway for each Site

   Each site is associated with an Internet Gateway, which is
   automatically created by the provider. The Interconnect gateway can
   be a physical device on the provider site or a virtual function, to
   connect client site traffic to the public internet, and can enforce
   client specified policies.

   Considering one client can have multiple sites in different
   geographic locations, the client can specify different policies for
   traffic to/from each site.



4.4. Overlay-VPN Gateway

   The Overlay-VPN Gateway is on the provider site, connected to Thin
   CPE via IP tunnel. The purpose of the Overlay-VPN Gateway is to
   connect a site to its specified Overlay VPNs. Each site can be
   connected to multiple Overlay VPNs.

   For each Overlay-VPN gateway, the client needs to specify:

   -  Identifier

   -  Which VPN is the Gateway connected to

   -  Upstream bandwidth from Thin CPE to the Overlay VPN GW

   -  Downstream bandwidth from the Overlay VPN GW to the Thin CPE



4.5. Interconnection among Sites

   For each Overlay VPN, the Client can choose which sites are
   connected by specifying the VPN Gateway associated with each site.



Dunbar, et al.                                                 [Page 9]

Internet-Draft   Client Defined Overlay Private Network    October 2016



5. Protocols needed for the Client Defined Overlay Private Networks



5.1. Thin CPE Auto Instantiation

   Thin CPE is a simple device that maps the site local traffic to
   either the IP tunnels connected to the Internet Gateway, or the IP
   tunnels connected to the VPN Gateway.

5.2. Network agnostic interworking

   IP tunnels are automatically created between Thin CPE and
   (Internet/VPN) gateways based on the traffic to the access network.

   For Layer 2 traffic from the client local site, VxLAN is used to
   build the IP Tunnels to the site's Internet gateway or VPN gateway
   respectively.

   For Layer 3 traffic from the client local site, GRE is used to build
   the IP Tunnels to the site's Internet gateway or VPN gateway
   respectively.

   If the client specifies secure connection to other sites, IPSec is
   added to the tunnels between the Thin CPE and the VPN Gateway.



5.3. Gateway Anchor Auto-Selection

   For each client site, internet gateway and VPN gateway will be
   automatically instantiated.

   There will be protocol extension needed for the creation/deletion
   process and how NAT is used for client traffic from each site.



5.4. Middle boxes auto-creation and rules exchanges

   To be added







Dunbar, et al.                                                [Page 10]

Internet-Draft   Client Defined Overlay Private Network    October 2016

5.5. Thin CPE on Third Party location

   Thin CPEs can also be instantiated third party premises, such as
   cloud data centers. The instantiated Thin CPE can establish IP
   tunnels with the client's Internet Gateway or VPN Gateway.

5.6. Client Defined Polices for traffic to/from client sites

   Depending on the policies specified by the clients, the Thin CPE
   jointly with the virtual GW will select the appropriate network
   security functions, i.e. (virtual) FW, IPS, IDS, or others to
   enforce the policies specified by the clients.

   The policies specified by the clients will be more expressed in
   clients' oriented language, e.g. using client Identifier or virtual
   addresses (instead of IP addresses of the actual packets traverse
   the FW).  Those policies will be translated to the implementable
   rules to the chosen network security functions, such as FW.

5.7. QoS policies

   To be added

5.8. Explicit Service functions chain specified by clients

   Clients can query network service functions available to them and
   the capabilities of those functions. Then, the client can choose a
   set of them, either in strict sequence or simply as a set to apply
   to their traffic.

   The policies to service functions can follow the guideline specified
   by [I2NSF-framework].

5.9. Thin CPE monitoring

5.10. Alarm & Events via Thin CPE

   To be added

5.11. Resource management via Thin CPE instantiated in Remote Locations

   To be added

5.12. Client traffic flows management, monitoring, and reporting

   To be added




Dunbar, et al.                                                [Page 11]

Internet-Draft   Client Defined Overlay Private Network    October 2016



6. Networks carried by IP tunnels in conjunction with existing
   L2VPN/L3VPN



7. IANA Considerations

   To be added

8. Security Considerations

   To be added.

9. References

9.1. Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC2119, March 1997.

9.2. Informative Reference

   [I2NSF-Framework] Lopez, D, et al, "Framework for Interface to
             Network security functions", draft-ietf-i2nsf-framework-04,
             Oct 2016



10. Authors' Addresses

   Linda Dunbar
   Huawei Technologies
   Email: linda.dunbar@huawei.com

   Lucy Yong
   Huawei Technologies
   Email: lucy.yong@huawei.com

   Song Xiao Li
   Huawei Technologies
   Email: sxlin@huawei.com






Dunbar, et al.                                                [Page 12]

Internet-Draft   Client Defined Overlay Private Network    October 2016

11. Contributors Addresses


   Xuan Ming fu
   Huawei Technologies
   xuanmingfu@huawei.com












































Dunbar, et al.                                                [Page 13]