Internet DRAFT - draft-felix-nfvrg-recursive-orchestration

draft-felix-nfvrg-recursive-orchestration







Internet Research Task Force NFVRG                      G. Carrozzo, Ed.
Internet-Draft                                                 Nextworks
Intended status: Informational                       K. Pentikousis, Ed.
Expires: January 7, 2016                                            EICT
                                                            July 6, 2015


     Recursive orchestration of federated virtual network functions
              draft-felix-nfvrg-recursive-orchestration-00

Abstract

   This document introduces a policy-based resource management and
   orchestration framework which aims at contributing towards the
   current namesake NFVRG near-term work items.

   It describes key points of the recursive resource orchestration
   framework developed within the wider research area of federated
   virtual network function orchestration.  The document also relates
   this effort with respect to other orchestration frameworks, thus
   addressing both the NFV research and practitioner communities.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 7, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents



Carrozzo & Pentikousis   Expires January 7, 2016                [Page 1]

Internet-Draft           Recursive orchestration               July 2015


   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Recursive orchestration in federated virtual environments . .   5
     3.1.  Problem Statement . . . . . . . . . . . . . . . . . . . .   5
     3.2.  Resource Orchestrator . . . . . . . . . . . . . . . . . .   6
   4.  Policy-Based Resource Management  . . . . . . . . . . . . . .   9
     4.1.  Certificate-based authN/authZ (C-BAS) . . . . . . . . . .  10
     4.2.  Resource Managers . . . . . . . . . . . . . . . . . . . .  11
   5.  Positioning w.r.t. existing Orchestration  Frameworks . . . .  14
     5.1.  Openstack orchestration . . . . . . . . . . . . . . . . .  14
     5.2.  OpenMANO  . . . . . . . . . . . . . . . . . . . . . . . .  15
     5.3.  Other orchestration approaches: federated SDN
           infrastructures for research experimentation  . . . . . .  15
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  16
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  17
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  17
   9.  Contributors  . . . . . . . . . . . . . . . . . . . . . . . .  17
   10. Informative References  . . . . . . . . . . . . . . . . . . .  17
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  19

1.  Introduction

   Today's Internet is a concatenation of IP networks interconnected by
   many distributed functions integrated into a plethora of highly
   specialized middleboxes.  These elements implement complex network
   functions like firewalls, NATs, DPI, traffic scrubbing, etc.  The
   product is a quite complex and rigid internetworking system in which
   network administrators and users cannot easily determine what is
   happening to traffic flows as they go toward destinations.  In the
   last decade networks, servers, storage technologies, and applications
   have all undergone significant changes with the introduction of
   virtualization, network overlays, and orchestration.  Such
   technologies have allowed network operators and service providers to
   easily introduce a variety of (proprietary) hardware-based appliances
   in order to improve their network manageability as well as rapidly
   launch new services, keeping up with the pace of their users demand.
   Therefore, the current Internet looks like a concatenation of
   networks with many distributed functions, implemented via a plethora
   of highly specialized middleboxes which implement firewalls, DPI,
   NAT, traffic scrubbing, etc.  [middlebox].



Carrozzo & Pentikousis   Expires January 7, 2016                [Page 2]

Internet-Draft           Recursive orchestration               July 2015


   Software Define Networking and programmable virtualized network
   functions for flow processing are rapidly changing the current
   scenario, extending the support of network functions by virtualized
   and chained appliances beyond the virtual L2 switching over IP
   networks (e.g.  VXLAN, GRENV, STT) and the basic LAN based flow
   pinpointing.

   Virtual Functions of this kind, for network and non network (e.g.
   computing) tasks, are generally available in heterogeneous pools
   under different administrative domains, being them related to the
   hosting infrastructures in which they originate.  It is emerging a
   need to interconnect, federate and implement policy control on these
   pools of virtual resources, in order to abstract different
   infrastructures, resources and functions, as well as procedures by
   physical operators and infrastructure owners.  This can allow
   defining larger virtual overlays where different resources and
   functions are deployed, combined and handled in the form of virtual
   instances irrespective of the administrative domain and specific
   technology from which they originate.  Examples of application
   contexts in which this federation of virtual function pools may occur
   are:

   o  large scale experimentation over programmable networks, which
      allows to reserve slices of network and non-network resources from
      different federated providers to run experiments on network
      control, protocols and algorithms at large scale (e.g.  [FELIX]);

   o  virtual infrastructure operators, who intend to implement their
      network service offer over a completely virtual infrastructure in
      the form of virtual network nodes and functions, virtual servers
      and storage, etc., all procured as a service from physical
      providers.

   This document discusses key points of the recursive resource
   orchestration framework developed within the wider research area of
   federated virtual network function orchestration.  The proposed
   architecture allows federation and integration of different network
   and computing resources residing in a multi-domain heterogeneous
   environment across different providers.  To achieve this, the
   architecture uses a combination of recursive and hierarchical
   configurations for orchestration, request delegation and inter-domain
   dependency management, with resource orchestrating entities (Resource
   Orchestrators, RO) responsible for synchronization of resources
   available in particular administrative domains.

   This document is being discussed on the nfvrg@irtf.org mailing list.





Carrozzo & Pentikousis   Expires January 7, 2016                [Page 3]

Internet-Draft           Recursive orchestration               July 2015


2.  Terminology

   The following terminology is used in this document.

   Virtual Network Function(VNF).  One or more virtual machines running
      different software and processes, on top of industry standard high
      volume servers, switches and storage, or even cloud computing
      infrastructure, and capable of implementing network functions
      traditionally implemented via custom hardware appliances and
      middleboxes (e.g. router, NAT, Firewall, load-balancer, etc.)

   VNF Island.  A set of virtualized network functions and related
      network and IT resources under the same administrative ownership/
      control.  A VNF island could consist of multiple zones, each
      characterized by a specific set of control tools & interfaces.

   VNF Zone.  A set of virtual network functions grouped for homogeneity
      of technologies and/or control tools and/or interfaces (e.g.  L2
      switching zone, optical switching zone, OF protocol controlled
      zone, other transit domain zone with a control interface).  The
      major goal of defining SDN zones is to implement appropriate
      policies for increasing availability, scalability and control of
      the different resources of the island.  Examples of zone
      definitions are available in popular Cloud Management Systems
      (CMS) like Cloudstack (e.g. refer to the Cloudstack Infrastructure
      partitioning into regions, zones, pods, etc., [cloudstack]) and
      OpenStack (e.g. refer to the infrastructure partitioning in
      availability zones and host aggregates [openstack]).

   Transit network domains.  The network domains use a Bandwidth on
      Demand Interface to expose automatically and on-demand control of
      connectivity services and, optionally, inter-domain topology
      exchange.  In order to federate resources belonging to distant
      facilities (i.e. islands/zones) it must be ensured that
      interconnectivity is provided on-demand and with a specific
      granularity.

   Slice.  A user-defined subset of virtual networking and IT resources,
      created from the physical resources available in federated VNF
      Zones and VNF Islands.  A VNF Slice has the basic property of
      being isolated from other slices defined over the same physical
      resources, and being dynamically extensible across multiple VNF
      Islands.  Each VNF Slice instantiates the specific set of control
      tools of the specific zones it traverses.

   Resource Orchestrator (RO).  Entity responsible for orchestrating
      end-to-end network service and resources reservation in terms of
      compute, storage and network functions over the infrastructure, as



Carrozzo & Pentikousis   Expires January 7, 2016                [Page 4]

Internet-Draft           Recursive orchestration               July 2015


      well as delegating end-to-end resource and service provisioning in
      a technology-agnostic way.

   Resource Managers (RMs).  Entity responsible for controlling and
      managing different types of resources and/or network functions.

3.  Recursive orchestration in federated virtual environments

3.1.  Problem Statement

   The coordinates creation of a virtual environment with pools of
   virtual network and non-network functions from heterogeneous, multi-
   domain and geographically distributed facilities requires appropriate
   tools for resource and virtual function management and control
   capable of orchestration and policy control across VNF islands, zones
   and domains defined above.

   Elements that belong to this control and orchestration layer operate
   in a hierarchical way (parent-child) for efficient multi-domain
   information management and sharing.  This is generally referred as
   Inter-island Orchestration Space [FELIX-D2.1]  [FELIX-D2.2].

   Once the set of virtual network and non-network functions is
   determined, reserved and deployed across the different islands, the
   resulting virtual network environment is ready for being used as a
   User Space by any tool or application the user wants to deploy in it.

   In the Inter-island Orchestration Space (see Figure 1), Resource
   Orchestrators (RO) are responsible for orchestrating end-to-end
   network services and resources reservations in the whole
   infrastructure.  Moreover, ROs should be able to delegate end-to-end
   resource and service provisioning in technology-agnostic way.

   ROs are connected to different types of Resource Managers (RMs),
   which are in turn used to control and manage different kinds of
   technological resources.  For example, the VNF RM WAN side provides
   connectivity between L1/L2 network domains at the two ends.  This
   management can be achieved using frame, packet or circuit switching
   technologies and should support different protocols.

   On the other hand, the VNF RM (LAN side) manages the network
   infrastructure composed of SDN-enabled devices, e.g.  OpenFlow
   switches or routers.  In short, it can control the user traffic
   environment by updating flow tables in physical devices.

   In addition, the Virtual Function pool RM for computing resources is
   responsible for setting up and configuring computing resources, i.e.




Carrozzo & Pentikousis   Expires January 7, 2016                [Page 5]

Internet-Draft           Recursive orchestration               July 2015


   creating new virtual machine instances, powering on/off instances,
   network interface card configuration, etc.

   Authentication and Authorization Infrastructure (AAI) for
   authenticating and authorizing users, is a cross layer function in
   the Inter-island Orchestration Space, because it serving as a 'trust
   anchor' to facilitate authN/authZ procedures in federated facilities.

   Similarly, Monitoring allows to retrieve, correlate and abstract
   statistics from the different components of the physical and virtual
   resource pools and from the user's slice.

   Figure 1 shows a parent RO coordinating orchestration actions at NFV
   island level under the responsibility of two child ROs, each
   orchestrating different types of RMs for the different kinds of
   virtual network and non-network function pools.


  +---+           +-------------------------------------------+    +---+
  |   |           |          RESOURCE ORCHESTRATOR - RO       |    |   |
  |   |-----------|                (parent)                   |----|   |
  |   |           +-------------------------------------------+    |   |
  |   |                     |                              |       |   |
  |   |                     |                              |       |   |
  |   |  +-------------------------------------+     +---------+   |   |
  | M |  |                  RO                 |     |    RO   |   |   |
  | O |--|               (child)               |     | (child) |---|   |
  | N |  +-------------------------------------+     +---------+   | A |
  | I |        |             |            |                |       | A |
  | T |        |             |            |                |       | A |
  | O |  +-----------+ +----------+ +----------+    +-----------+  |   |
  | R |  |  VF POOL  | | VNF POOL | | VNF POOL |    |  Virtual  |  |   |
  | I |--|  MANAGER  | | MANAGER  | | MANAGER  |    |    pool   |--|   |
  | N |  |(computing)| |(LAN side)| |(WAN side)|    | manager(s)|  |   |
  | G |  +-----------+ +----------+ +----------+    +-----------+  |   |
  |   |        |             |             |              |        |   |
  |   |  +----------+  +----------+ ----------+      +----------+  |   |
  |   |--|    VF    |  |    VNF   | |    VNF   |     |    VNF   |--|   |
  +---+  +----------+  +----------+ +----------+     +----------+  +---+


           Figure 1: Recursive Orchestration architecture model

3.2.  Resource Orchestrator

   RO is the entity that orchestrates the different resources in the
   Inter-island Orchestration Space.




Carrozzo & Pentikousis   Expires January 7, 2016                [Page 6]

Internet-Draft           Recursive orchestration               July 2015


   There are two different modes in which RO may operate:

   o  Parent

   o  Child

   For an inter-island federation, RO operates in parent mode and
   attaches to child ROs, whilst in child mode ROs communicate with RMs.

   One of RO's main objectives is to forward requests within the
   infrastructure, either by:

   o  Passing user requests to the appropriate resource management
      systems (RMs) in the layer below, as with any hierarchical mode.

   o  Proxying requests between other ROs in a recursive mode, depending
      on the federation policy that is configured for the domain where
      the RO is located.  For this to work it is necessary to ensure
      similar interfaces for each orchestrator.

   Key functions of the RO can be summarized as follows.  RO manages the
   different VNF islands and users in terms of their resource and data
   access policies.  It mediates between the user and the technology
   specific to a Resource Manager (RM) by means of delegation.  It is
   expected that different RMs will handle, for example, technology-
   dependent aspects in SDN domains (VNF RM LAN side) and transit
   network domains (VNF RM WAN side), as well non-network resource
   pools.  As part of this mediation, the RO will engage in the creation
   (provisioning), maintenance, monitoring, and deletion (release) of
   the used slices.

   RO also maintains a high-level cross-island topological view, which
   summarizes the different resources pools available along with their
   inter-connections.  This topology view is initialized and updated by
   the underlying RMs, thus implementing a distributed hierarchical
   resource discovery function.  It determines which domains and which
   inter-domain resources should be used to instantiate a given end-to-
   end service for a particular experimenter's slice.

   For example, based on a user request for a given type of service to
   be instantiated in two remote islands, parent RO determines which
   specific resource domains should be involved.

   Finally, RO coordinates and ensures that the correct sequence of
   actions takes place with respect to the operation of the technology-
   specific RMs.  This includes the provisioning of the slice resources
   as per user's requirements.




Carrozzo & Pentikousis   Expires January 7, 2016                [Page 7]

Internet-Draft           Recursive orchestration               July 2015


   RO also collects and correlates status alarms and warnings on
   resources, either generated by the resources themselves or the
   services managing them.  This is done on a per-slice basis and
   proceeds with reporting/notifying the corresponding users.

   Different deployment models are possible for a Resource Orchestration
   entity:

   o  hierarchical centralized (see Figure 2.A)

   o  distributed in chain (see Figure 2.B

   o  distributed full-mesh (see Figure 2.C)

   o  hierarchical hybrid (see Figure 3)

   The hierarchical hybrid model is deemed to guarantee the optimal
   trade-off between effectiveness of control, federation, trust
   adjacencies and scalability.



             +-----------+
             |     RO    |
             +-----------+
             /     |    \                 +------+   +------+   +------+
            /      |     \                |  RO  |---|   RO |---|  RO  |
           /       |      \               +------+   +------+   +------+
    +------+   +------+   +------+
    |  RO  |   |  RO  |   |  RO  |
    +------+   +------+   +------+
                (A)                                     (B)


                 +--------------------+
                 |                    |
             +------+   +------+   +------+   +------+
             |  RO  |---|  RO  |---|  RO  |---|  RO  |
             +------+   +------+   +------+   +------+
                 |         |                    |  |
                 |         +--------------------+  |
                 +---------------------------------+
                                (C)




                      Figure 2: RO deployment models



Carrozzo & Pentikousis   Expires January 7, 2016                [Page 8]

Internet-Draft           Recursive orchestration               July 2015


                +-----------+                      +-----------+
                |     RO    +----------------------+     RO    |
                +-----------+                      +-----------+
                /     |    \                       /     |    \
               /      |     \                     /      |     \
              /       |      \                   /       |      \
       +------+   +------+   +------+     +------+   +------+   +------+
       |  RO  |   |  RO  |   |  RO  |     |  RO  |   |  RO  |   |  RO  |
       +------+   +------+   +------+     +------+   +------+   +------+


                   Figure 3: Hybrid RO deployment model

4.  Policy-Based Resource Management

   Aside from the main functions described above, each Resource Manager
   is also part of the Authentication and Authorization Infrastructure
   (AAI).

   AAI provides the necessary mechanisms to authenticate and authorize
   users, as well as provide accountability.  In order to realize these
   functions, our architecture suggests the implementation of a
   ClearingHouse (CH) , which establishes the root of a trust chain.
   This chain can then be used to verify the identity and privileges of
   all actors in this architecture.

   By using a certificate-based approach, the architecture has
   flexibility to easily federate different VNF islands.  By installing
   ClearingHouse certificates, actors can be verified against different
   ClearingHouses, and thus can utilize a multitude of resources.

   A ClearingHouse (CH) comprises a set of related services supporting
   AAA operations.  CH serves as a central location to lookup
   information about members, slices and other available services in the
   VNF island.

   There are three groups of CH services:

   o  Registration and management services to lookup for available
      services in the facility as well as register new members, projects
      and slice objects.

   o  Authentication and Authorization services to manage the
      credentials of all entities and enforce predefined policies.

   o  Accountability services to facilitate tracking of all
      transactions.




Carrozzo & Pentikousis   Expires January 7, 2016                [Page 9]

Internet-Draft           Recursive orchestration               July 2015


   These services are offered by CH with the help of the following
   functions and authorities.

   o  The Member Authority (MA) is responsible for managing and
      asserting user attributes.  It generates member certificates for
      identification purposes and credentials to specify the attributes
      and roles associated with each member.  The MA maintains a
      database of registered members and their associated information
      including, but not limited to, certificates and credentials, SSH
      (Secure Shell) and SSL (Secure Sockets Layer) keys as well as the
      human readable identity information like real name, institute,
      contact details.

   o  In addition, a Certificate Revocation List (CRL) can also be
      accessed from MA for use in certificate verification process.

   o  The Slice Authority (SA) creates and manages slice objects and the
      associated member credentials (called slice credentials).  Slice
      credentials map member roles and privileges on a slice object,
      i.e., slice credentials authorize user actions at aggregates
      within a slice context.  SA also enables related operations on
      slice objects like look up, modify, renew, etc.

   o  The Project Service (PS) hosted at SA maintains a list of existing
      projects and asserts the member roles.

   o  The Service Registry (SR) serves as the primary network contact
      point as it keeps a record of all available registered services
      such as SA and MA and offers their URIs.

   o  The Logging Service (LS) realizes accountability by storing the
      transaction details between user-agents and aggregate managers.

   The user-agents and ROs can communicate with the CH through XMLRPC
   calls over a secured connection (SSL).

   AAI is ultimately responsible for granting access to the resources,
   and can be further extended through policies, which are a set of
   rules defined by the administrators to implement an upper-level
   control on the resource usage (e.g. defining a maximum virtual memory
   value for a VM resource or a maximum number of flow spaces).

4.1.  Certificate-based authN/authZ (C-BAS)

   Since VNF pools are finite, access to virtual functions and resources
   should be policed according to set authorization levels throughout
   the life-cycle of each experiment.




Carrozzo & Pentikousis   Expires January 7, 2016               [Page 10]

Internet-Draft           Recursive orchestration               July 2015


   Access control is also required to ensure that infrastructures remain
   operational.

   Although a number of solutions for authentication (authN) and
   authorization(authZ), such as Kerberos and LDAP, already exist, they
   have several shortcomings: tight-coupling of authN/authZ mechanisms
   with the implementation of the architecture; little or no regard for
   re-usability (i.e., one authN/authZ architecture cannot be reused by
   a different infrastructure); and no support for a standard access
   interface between networks and the authN/authZ architecture.

   C-BAS, certificate-based authN/authZ solution, is designed to serve
   all these requirements and include i) multiple authoritative source
   of trust, ii) flexible system of authorization, and iii)
   synchronization of authN/authZ entities to realize federations.

   For example, the Registry Service of C-BAS may be exploited to
   implement load balancing and failover features.  In addition, the
   evolved architecture of C-BAS makes it robust against disruptions and
   interference from attackers and enables support for various member
   roles and permissions.

   C-BAS employs X.509 certificates and SFA styled credentials to
   realize AAA services.

   The implementation of C-BAS is publicly available (www.eict.de/c-bas)
   and is based on eiSoil (github.com/EICT/eiSoil/wiki) thus exploiting
   its plugin capabilities that enable importing the functionality from
   one plugin module to another.

4.2.  Resource Managers

4.2.1.  VNF Pool manager functionality

   A VNF pool manager is a functional entity in charge of controlling a
   specific type of VNFs, being the equivalent of the SFA Aggregate
   Manager (see [SFA]).  As such, a VNF pool manager is a Resource
   Manager within the federation, capable of discovering resources,
   capabilities ans functions from physical infrastructure, abstracting
   them before publishing to the supervising RO and eventually capable
   of managing specific technology-specific configurations and
   provisioning towards the actual resource layer.

   Whilst the northbound interface of the Resource Manager is abstract
   and unified across different technology domains (e.g. based on REST
   or XMLRPC), the southbound interface is based on the specific
   interfaces exposed by the different types of resources (e.g.
   OpenFlow, NETCONF, SNMP, CLI, OVSDB, etc.)



Carrozzo & Pentikousis   Expires January 7, 2016               [Page 11]

Internet-Draft           Recursive orchestration               July 2015


4.2.2.  OpenFlow-based VNF pool manager

   The VNF pool manager LAN side could be OpenFlow-based and provide the
   mechanisms to control the network infrastructure inside a domain with
   SDN-enabled hardware (typically, OpenFlow-enabled switches and
   routers).  The Inter-island Orchestration Space architecture is
   agnostic of the physical network resources.  For a SDN domain based
   on OpenFlow users can control network behaviour by actively updating
   the flow tables of the network elements.  This update is usually done
   by a SDN controller, which is configured according the user's
   requirements.  Typically, the controller will respond to an event
   generated by a network element, such as a flow establishment request,
   and update the flow tables appropriately.

   For the network manager, the VNF pool manager LAN side will provide
   management functionalities for the overall network resources and
   virtual network functions in the LAN or data center.  This element
   acts as a proxy between the resources and the SDN controller, and
   grants or denies the forwarding of control messages.  The VNF pool
   manager LAN side provides functions to build a unique flow space for
   every experimenter so that traffic is isolated and distinguished from
   that of other slices (e.g. like FlowVisor or OVX do).

   These functionalities can prevent issues arising when several users
   wish to use the same physical resources.  In detail, a flow space can
   contain a range of differentiators: source or destination IPs or MAC
   addresses, TCP or UDP ports, for example.

   One way to separate the traffic is assigning a VLAN tag to each
   packet.  In this case, the special purpose controller inspects the
   incoming packet, identifies the VLAN tag and sends it to the
   corresponding SDN controller.

4.2.3.  Stitching Entity VNF pool manager

   The Stitching Entity VNF pool Manager is among the pool managers WAN
   side, and is in charge to control the Stitching Entity (SE), a
   network element providing necessary translation mechanisms for a
   slice setup on top of the L2 protocol stack performed in order to
   hide from a user the real complexity of the multi-domain WAN
   transport network.

   The main responsibility of the SE is to provide at least one of the
   following network functions:

   o  QinQ, to encapsulate slice traffic into a transport network
      Ethernet frames,




Carrozzo & Pentikousis   Expires January 7, 2016               [Page 12]

Internet-Draft           Recursive orchestration               July 2015


   o  VLAN translation mechanism to hide from a user the actual VLAN
      tagging, used by carrier networks while interconnecting two or
      more VNF islands.

   The SE RM communicates with an RO, a parent control entity, to i)
   advertise an internal topology and capabilities of the SE under its
   control, ii) receive requests, and iii) notify the RO about success
   and failure events.

   A single SE RM must relate only to a single RO and must be
   implemented in each VNF island.  A single SE RM is responsible for a
   single SE or a group of SEs, which belong to a network domain and act
   as an entry point to the island infrastructure.

4.2.4.  Transit network VNF pool manager

   The main responsibility of the Transit VNF pool manager (TN RM) is to
   support the FELIX architecture with network connectivity mechanisms
   within particular domains and between them.

   In order to deliver the network services, it must be integrated with
   its southbound interfaces within a particular network domain.  Such a
   domain can use different L1/L2 technologies and may be controlled by
   a Network Management System (NMS) or by specific interfaces or
   protocols that are technology-dependent, and unique in each case.

   The Transit network VNF pool manager must communicate with an RO in
   order to i) advertise resources under its control, ii) receive
   requests, and iii) notify the RO about success and failure events.

   A single TN RM must relate only to a single RO.  A single TN RM is
   responsible for a group of particular network resources, which belong
   to a network domain and are usually managed by a single entity, i.e.
   a network administrator or NMS.

   TN RM usually manages L1/L2 transport networks, which are composed of
   physical devices using frames/packets or circuit switching
   technologies and support different protocols, e.g.  MPLS/GMPLS.  In
   order to support inter-island connectivity between existing VNF
   islands, the TN RM also supports the management of VPN set up and
   tear down procedures.

   The TN RM southbound interface can be based on Bandwidth on Demand
   interfaces, like GMPLS UNI or similar approaches.







Carrozzo & Pentikousis   Expires January 7, 2016               [Page 13]

Internet-Draft           Recursive orchestration               July 2015


4.2.5.  RM for virtual computing

   The function of the Computing Resource pool Manager (C-RM) is to
   provide a method to assign, set up and configure computing resources.

   C-RM manages physical computing resources, and also the configuration
   of its own slicing mechanisms (e.g. common hypervisors or other
   virtualization stacks) and computer resources as presented to the
   user (OS images, network interface configuration, and so on).

   The management of physical computing resources should provide a
   method for rebooting machines, remote control (of a machine's
   console), or hard power on/off of a machine experiencing problems,
   for example using a networked PDU (power distribution unit).

   Management is typically performed only when problems occur, and when
   a slice is created, destroyed or modified.  Migration of computing
   resources to other islands may also require reconfiguration.  This
   includes the configuration of network interfaces of the computing
   resource, and setting the underlying resources (e.g. hypervisor,
   physical machine), such that those interfaces are bridged onto the
   correct physical interfaces.  In particular, it may be necessary to
   configure a slicing mechanism in this bridging, in the case where
   multiple computing resources have to share a single physical
   interface.  This would typically be achieved using a (software-based)
   SDN solution inside the virtualization platform.  Once the SDN
   solution has been properly set up, it becomes an SDN resource, which
   is managed by the VNF pool manager LAN side.

5.  Positioning w.r.t. existing Orchestration Frameworks

5.1.  Openstack orchestration

   Among cloud orchestration solution, OpenStack is the facto common
   reference through its Heat module [os-heat].

   Openstack Heat implements an orchestration engine to launch multiple
   composite cloud applications based on templates in the form of text
   files that can be treated like code.

   Many existing CloudFormation templates can be launched on OpenStack.
   Heat provides both an OpenStack-native ReST API and a CloudFormation-
   compatible Query API.

   A Heat template describes the infrastructure for a cloud application
   in a text file.  Infrastructure resources that can be described
   include: servers, floating ips, volumes, security groups, users, etc.




Carrozzo & Pentikousis   Expires January 7, 2016               [Page 14]

Internet-Draft           Recursive orchestration               July 2015


   Templates can also specify the relationships between resources (e.g.
   this volume is connected to this server).

   Heat also provides an autoscaling service.

   Heat primarily manages cloud infrastructure, does not support
   federation and AAI is bundled in the OpenStack framework.

5.2.  OpenMANO

   OpenMANO is an open source project which implements the reference
   architecture for Management & Orchestration under standardization at
   ETSI's NFV ISG (NFV MANO) [openmano].

   OpenMANO consists of two main SW components:

   o  NFV VIM (Virtualised Infrastructure Manager) to provide computing
      and networking capabilities and to deploy virtual machines.

   o  A reference implementation of an NFV-O (Network Functions
      Virtualisation Orchestrator), which allows creation and deletion
      of VNF templates, VNF instances, network service templates and
      network service instances.

   OpenMANO does not support federation and AAI as of today.

5.3.  Other orchestration approaches: federated SDN infrastructures for
      research experimentation

   The FELIX project [FELIX] is part of an international research
   experimentation infrastructure strategy (in Europe under the Future
   Internet Research Experimentation - FIRE - framework), with a special
   focus on SDN and Network Service Interface (NSI) developed by the
   Open Grid Forum.  FELIX is implementing federation and integration of
   different network and computing resources controlled via SDN and NSI
   in a multi-domain heterogeneous environment across, initially
   spanning Europe and Japan.  FELIX consortium has designed and is
   implementing an architecture that extends and advances assets
   previously developed in other Future Internet projects (e.g.
   OFELIA), by realizing the federation concepts defined in SFA [SFA]
   with a combination of recursive and hierarchical orchestration,
   request delegation and inter-domain dependency management.  Other
   research testbeds have been working over the past year on federation
   of SDN resources.  Three of them are particularly relevant on the SDN
   area: OFELIA, FIBRE and GridARS.

   The OFELIA project [OFELIA] established a pan-European experimental
   network facility which enables researchers to experiment with real



Carrozzo & Pentikousis   Expires January 7, 2016               [Page 15]

Internet-Draft           Recursive orchestration               July 2015


   OpenFlow-enabled network equipment and to control and extend the
   network itself in a precise and dynamic mode.  The OFELIA facility
   uses the OpenFlow protocol (and related tools) to support network
   virtualization and control of the network environment through secure
   and standardised interfaces.  OFELIA consists of two layers.  The
   physical layer is comprised of the computing resources (servers,
   processors) and network resources (routers, switches, links, wireless
   devices and optical components).  Resources are managed by the OFELIA
   Control Framework (OCF).  Furthermore, the control framework layer
   contains components which manage and monitor the applications and
   devices in the physical layer.  Aggregate Managers and Resource
   Managers are components of this layer, which can be seen as the
   combination of three components: Expedient is the GUI and allows the
   connection and federation with different Aggregate Managers via its
   plugins; Aggregate Managers (AMs) enable experimenters to create both
   compute and network resources via the VT AM and OF AM respectively;
   Resource Managers directly interact with the physical layer,
   provisioning compute resources (OFELIA Xen Agent) or flow rules to
   establish the topology (FlowVisor).

   The FIBRE project [FIBRE] federates SDN testbeds distributed across
   Europe and Brazil.  The FIBRE-EU system builds on top of the OFELIA
   OCF and incorporates several wireless nodes based on commercial Wi-Fi
   cards and Linux open source drivers.  Unlike OFELIA, the FIBRE
   infrastructure is managed by different types of control and
   monitoring frameworks (CMFs).  FIBRE deployed two top-domain
   authorities, one in Brazil and one in Europe, to manage and own
   resources in the respective continents.  These inter-connected
   authorities interoperate to allow the federation of BR and EU
   testbeds.

   In Japan, GridARS [GRIDARS]  provides a reference implementation of
   the Open Grid Forum (OGF) Network Services Interfaces Connection
   Service (NSI-CS) protocol standard.  GridARS can coordinate multiple
   resources (services), such as a network connection, virtual machines
   and storage spaces, via the NSICS protocol.  It provides
   experimenters a virtual infrastructure, which spans several cloud
   resources, realised by multiple management domains including
   commercial solutions.  GridARS consists of three main components.

6.  IANA Considerations

   No IANA considerations are applicable.








Carrozzo & Pentikousis   Expires January 7, 2016               [Page 16]

Internet-Draft           Recursive orchestration               July 2015


7.  Security Considerations

   This document proposes a new architecture for resource and VNF
   orchestration for the design of which security features are of utmost
   importance to proceed to operational deployments.  Frameworks for
   Security in SDN are applicable to this document and are discussed in
   literature, for example, in [SDNSecurity], [SDNSecServ] and
   [SDNSecOF].  Security considerations regarding specific protocol
   interfaces are TBD.

8.  Acknowledgements

   This work has been partially supported and funded by the European
   Commission through the FP7 ICT FELIX project (Federated Testbeds for
   Large Scale Infrastructure Experiments, grant agreement no. 608638)
   and the National Institute of Information and Communications
   Technology (NICT) in Japan.  The views expressed here are those of
   the author only.  The European Commission and NICT are not liable for
   any use that may be made of the information in this document.

9.  Contributors

   Authors would like to acknowledge (in alphabetical order) the
   following contributors who have provided text, pointers, and ideas
   for this document:

   o  B.  Belter (PSNC, Poland)

   o  C.  Bermudo (i2CAT, Spain)

   o  T.  Kudoh (Univ.  Tokyo/AIST, Japan)

   o  J.  Tanaka (KDDI, Japan)

   o  B.  Vermeulen(iMinds, Belgium)

10.  Informative References

   [cloudstack]
              "Apache CloudStack documentation. Cloud Infrastructure
              Concepts", Available online at
              http://cloudstack.apache.org/docs/en-
              US/Apache_CloudStack/4.1.0/html/Admin_Guide/
              cloud-infrastructure-concepts.html.

   [FELIX]    "FELIX Project website", http://www.ict-felix.eu.





Carrozzo & Pentikousis   Expires January 7, 2016               [Page 17]

Internet-Draft           Recursive orchestration               July 2015


   [FELIX-D2.1]
              R. Krzywania, W. Bogacki, B. Belter, K. Pentikousis, T.
              Rothe, G. Carrozzo, N. Ciulli, C. Bermudo, T. Kudoh, A.
              Takefusa, J. Tanaka and B. Puype, , "FELIX Deliverable
              D2.1 - Experiment Use Cases and Requirements", Available
              online at http://www.ict-felix.eu., September 2013.

   [FELIX-D2.2]
              R. Krzywania, W. Bogacki, B. Belter, K. Pentikousis, T.
              Rothe, M. Broadbent, G. Carrozzo, N. Ciulli, R. Monno, C.
              Bermudo, A. Vico, C. Fernandez, T. Kudoh, A. Takefusa, J.
              Tanaka and B. Puype, , "FELIX Deliverable D2.2 - General
              Architecture and Functional Blocks", Available online at
              http://www.ict-felix.eu., February 2014.

   [FIBRE]    T. Salmito, L. Ciuffo, I. Machado, M. Salvador, et al, ,
              "FIBRE - An International Testbed for Future Internet
              Experimentation", 32th Simposio Brasileiro de Redes de
              Computadores e Sistemas Distribuidos (SBRC'14) , 2014.

   [GRIDARS]  [15] A. Takefusa, H. Nakada, T. Kudoh, Y. Tanaka and S.
              Sekiguchi, , "GridARS: An Advance Reservation-based Grid
              Co-allocation Framework for Distributed Computing and
              Network Resources", Lecture Notes, Computer Science of the
              Job Scheduling Strategies for Parallel Processing (JSSPP)
              vol.4942, pp. 152-168, April 2008.

   [middlebox]
              A. Greenhalgh, F. Huici, M. Hoerdt, P. Papadimitriou, M.
              Handley, and L. Mathy, , "Flow Processing and the Rise of
              Commodity Network Hardware", ACM SIGCOMM Computer
              Communication Review Volume 39 issue 2, April 2009.

   [OFELIA]   M. Sune, L. Bergesio, H. Woesner, T. Rothe, A. Kopsel, et
              al., , "Design and implementation of the OFELIA FP7
              facility: The European OpenFlow testbed", The
              International Journal of Computer and Telecommunications
              Networking , December 2013.

   [openmano]
              "OpenMANO", Available online at
              https://github.com/nfvlabs/openmano/wiki.

   [openstack]
              "Scaling Openstack", Available online at
              http://docs.openstack.org/openstack-ops/content/
              scaling.html.




Carrozzo & Pentikousis   Expires January 7, 2016               [Page 18]

Internet-Draft           Recursive orchestration               July 2015


   [os-heat]  "OpenStack Orchestration - Heat", Available online at
              https://wiki.openstack.org/wiki/Heat.

   [SDNSecOF]
              Kloti, R., Kotronis, V., and P. Smith, , "OpenFlow: A
              Security Analysis", 21st IEEE International Conference on
              Network Protocols (ICNP) pp. 1-6, October 2013.

   [SDNSecServ]
              Scott-Hayward, S., O'Callaghan, G., and S. Sezer, , "SDN
              Security: A Survey", IEEE SDN for Future Networks and
              Services (SDN4FNS) pp. 1-7, 2013.

   [SDNSecurity]
              Kreutz, D., Ramos, F., and P. Verissimo, , "Towards Secure
              and Dependable Software-Defined Networks", Proceedings of
              the second ACM SIGCOMM workshop on Hot Topics in Software
              Defined Networking pp. 55-60, 2013.

   [SFA]      L. Peterson, R. Ricci, A. Falk and J. Chase, , "Slice-
              based Federation Architecture (SFA) v2.0", , July 2010.

Authors' Addresses

   Gino Carrozzo (Ed.) (editor)
   Nextworks
   via Livornese 1027
   Pisa  56122
   Italy

   Email: g.carrozzo@nextworks.it


   Kostas Pentikousis (Ed.) (editor)
   EICT
   Torgauer Strasse 12-15
   Berlin  10829
   Germany

   Email: k.pentikousis@eict.de











Carrozzo & Pentikousis   Expires January 7, 2016               [Page 19]