Internet DRAFT - draft-hy-nvo3-gue-4-nvo

Network Working Group                                          L. Yong
Internet-Draft                                               Huawei USA
Intended status: Standards Track                             T. Herbert
                                                               Facebook
                                                                 O. Zia
                                                              Microsoft


Expires: April 2017                                    October 28, 2016


    Generic UDP Encapsulation (GUE) for Network Virtualization Overlay
                        draft-hy-nvo3-gue-4-nvo-04

Abstract

   This document describes a network virtualization overlay
   encapsulation scheme that uses Generic UDP Encapsulation (GUE)
   [GUE]. It allocates one GUE optional flag and defines a 32-bit field
   for the Virtual Network Identifier (VNID).

Status of This Document

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 28, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with



Yong, Herbert, Zia                                             [Page 1]

Internet-Draft          GUE for NVO3                       October 2016

   respect to this document.  Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.


Table of Contents


   1. Introduction
   2. Terminology
      2.1. Requirements Language
   3. Generic UDP Encapsulation (GUE) for NVO3
   4. Encapsulation/Decapsulation Operations
      4.1. Multi-Tenant Segregation
      4.2. Tenant Broadcast and Multicast Packets
      4.3. Fragmentation
      4.4. GUE Header Security
      4.5. Tenant Packet Encryption
   5. IANA Considerations
   6. Security Considerations
   7. References
      7.1. Normative References
      7.2. Informative Reference
   8. Authors' Addresses


1. Introduction

   Network Virtualization Overlay (NVO3) [RFC7365] provides a framework
   for a virtual network solution over an IP network in a data center
   (DC) with a multi-tenant environment. Virtual network packets, i.e.
   tenant packets, between any pair of Network Virtualization Edges
   (NVEs) are encapsulated at the ingress NVE, sent from the ingress
   NVE to the egress NVE as IP packets, and decapsulated at the egress
   NVE. This is known as a tunnel mechanism. This draft specifies the
   use of Generic UDP Encapsulation (GUE) [GUE] for NVO3 packet
   encapsulation.

   GUE [GUE], as a generic UDP encapsulation, provides several merits
   for NVO3 encapsulation. The underlay IP network treats it the same
   way as other UDP applications, which are well supported by both IPv4
   and IPv6 underlay networks. GUE provides strong security transport
   options [GUEEXT] that NVO3 can leverage. In addition, GUE supports
   other options that NVO3 may use, such as private data and
   extensibility, and the GUE control flag can be used for NVO3 OAM
   messages.

   This document requests one flag (1 bit) from the GUE optional flag
   field for Network Virtualization Overlay (NVO3) indication and
   specifies a 32-bit field for the virtual network identifier in the
   GUE optional fields. It describes the use of GUE security options in
   NVO3.

2. Terminology

   The terms defined in [GUE] and [RFC7365] are used in this document.

  2.1. Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].


3. Generic UDP Encapsulation (GUE) for NVO3

   Generic UDP Encapsulation adds a 32-bit basic GUE header after the
   UDP header. The GUE header contains some key fields that a UDP
   tunnel application needs. These key fields are version, control
   message indication (C), Header Length (Hlen), and Protocol Type (or
   ctype). It also contains some optional flags that are reserved for
   optional features of a UDP tunnel.

   This document proposes to allocate one flag bit from the GUE
   optional flags for Network Virtualization Overlay (NVO3) and defines
   a 32-bit field for NVO3 in the GUE optional fields, present when the
   flag bit is set. The GUE-based NVO3 encapsulation format is shown in
   Figure 1.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |        Source port            |      Destination port         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |           Length              |          Checksum             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |Ver|C|  Hlen |  Proto/ctype    |V|    Optional Flags           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |              Virtual Network Identifier (VNID)                |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      ~                     Security, etc (optional)                  ~
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      ~                 Private Data (optional)                       ~
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


               Figure 1 GUE based NVO3 Encapsulation Format

   o  'V': Virtualization flag. Indicates presence of the Virtual
      Network Identifier (VNID) field in GUE optional fields. This flag
      MUST be set when GUE is used for network virtualization overlay
      (NVO3).

   o  Virtual Network ID (4 octets): a 32-bit field used to identify
      the virtual network that the packet belongs to. This field MUST
      be present when the 'V' virtualization flag is set, and MUST NOT
      be present when the 'V' flag is clear.

   An NVO3 implementation may carry private data in the private data
   field. It must follow the rules specified in [GUE] when inserting
   private data in the GUE header.

   NVO3 may allocate other flags and fields in the GUE header for NVO3
   purposes and MUST follow the flag/field allocation rules specified
   in [GUE].

   The usage of the key fields in the GUE header [GUE] for NVO3
   encapsulation is described below:

   o  Ver: Set to 0x0 to indicate version zero of GUE. Packets received
      by the decapsulator with non-zero version MUST be dropped.

   o  Control flag: When set, indicates that the packet contains a
      control message. OAM packets for the virtual network instance can
      be carried as a control message. The NVO3 OAM packet format and
      mechanisms will be specified in a separate document.

   o  Hlen: Length of the optional fields plus the private data field,
      in bytes, divided by 4.

   o  Proto/ctype: Contains the protocol of the encapsulated payload
      packet, i.e. the next header, or the control message type (ctype)
      when the Control flag is set. The next header begins at the
      offset provided by Hlen. For network virtualization, the payload
      protocol can be Ethernet, IPv4, IPv6, or 59 (NULL). The VNID can
      be used with ctype to direct control messages for the VN layer.

   The UDP header fields MUST be set per [GUE]. The checksum and length
   implementation MUST be compliant with the GUE implementation [GUE].

   NVO3 can use GUE-specified optional functions to improve the
   transport, such as the GUE security option [GUEEXT], the GUE
   checksum option [GUEEXT], etc. When using a GUE-specified option, an
   NVO3 implementation MUST be compliant with the corresponding
   specification.

4. Encapsulation/Decapsulation Operations

   Network virtualization encapsulation using GUE applies to both IPv4
   and IPv6 underlay networks. The outer source and destination IP
   addresses MUST be the ingress NVE and egress NVE IP addresses
   respectively. The ingress NVE adds UDP and GUE headers to the
   payload packet with the required fields as described in Section 3.
   The NVE encapsulation and decapsulation process MUST be compliant
   with the GUE implementation specification [GUE]. If the ingress and
   egress NVEs implement GUE options, they MUST be compliant with the
   corresponding GUE option specification.

  4.1. Multi-Tenant Segregation

   The ingress NVE MUST set option 'V' and insert the Virtual Network
   Identifier (VNID) into the corresponding option field when
   encapsulating tenant packets. A GUE tunnel can carry payload packets
   from different tenant networks simultaneously.

   The egress NVE MUST use the VNID in the GUE header to identify the
   tenant network that the payload packet is associated with and
   forward the packet to the corresponding tenant network. All 32 bits
   can be used for the VNID.
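
   Added example (not part of the draft and not the authors' code): a
   Python decapsulation check for the Figure 1 header together with the
   VNID demultiplexing required above. The tenant table, the function
   names, and the choice to drop control messages and packets carrying
   optional flags other than 'V' are assumptions of this example.

```python
import struct

V_FLAG = 0x8000          # 'V' is the first of the 16 optional-flag bits (Figure 1)
PROTO_IPV4, PROTO_IPV6, PROTO_NONE = 4, 41, 59   # IANA IP protocol numbers

class Drop(Exception):
    """Raised when the egress NVE must discard the packet."""

def encap(vnid, proto, payload):
    """Ingress NVE: base GUE header with only 'V' set, then the 32-bit VNID."""
    ver, c, hlen = 0, 0, 1                    # Hlen = 4 bytes of VNID / 4
    first = (ver << 6) | (c << 5) | hlen      # Ver(2) | C(1) | Hlen(5)
    return struct.pack("!BBHI", first, proto, V_FLAG, vnid) + payload

def decap(gue):
    """Egress NVE: validate the header, return (vnid, proto, payload)."""
    if len(gue) < 4:
        raise Drop("truncated base header")
    first, proto, flags = struct.unpack_from("!BBH", gue)
    ver, ctrl, hlen = first >> 6, (first >> 5) & 1, first & 0x1F
    if ver != 0:
        raise Drop("non-zero GUE version")
    if ctrl:
        raise Drop("control message, not tenant data")      # assumption
    if not flags & V_FLAG:
        raise Drop("'V' flag clear: not an NVO3 packet")
    if flags & ~V_FLAG:
        raise Drop("optional flag other than 'V'")          # assumed unsupported
    if hlen < 1 or len(gue) < 4 + 4 * hlen:
        raise Drop("Hlen inconsistent with VNID field or packet length")
    (vnid,) = struct.unpack_from("!I", gue, 4)
    return vnid, proto, gue[4 + 4 * hlen:]    # payload starts after Hlen words

def deliver(gue, tenants):
    """Map the VNID to a tenant network; unknown VNIDs are never forwarded."""
    vnid, proto, payload = decap(gue)
    if vnid not in tenants:
        raise Drop("unknown VNID")
    return tenants[vnid], proto, payload

# Constructed sample: two tenants sharing one tunnel.
TENANTS = {0x0000002A: "tenant-blue", 0xFFFFFFFF: "tenant-red"}
PKT = encap(0x2A, PROTO_IPV4, b"inner-ipv4-packet")
```

   Dropping on an unknown VNID, rather than falling back to a default
   network, is what keeps a malformed or misdirected packet from
   crossing tenant boundaries at the egress NVE.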

  4.2. Tenant Broadcast and Multicast Packets

   If a tenant packet is an L2 broadcast/multicast or L3 multicast
   packet, then depending on which multicast solution NVO3 deploys
   [NVO3MFRWK], the packet may be carried by a set of point-to-point
   GUE tunnels or by a point-to-multipoint GUE tunnel. In the latter
   case, a multicast IP address is used as the outer destination
   address.

   The mapping of an inner broadcast/multicast group to an IP multicast
   group can be manually configured or based on an algorithm, which is
   outside the scope of this document.

  4.3. Fragmentation

   To gain performance and simplicity, NVO3 SHOULD avoid packet
   fragmentation. Manual configuration or negotiation with tenant
   systems can ensure that the MTU of the physical networks is greater
   than or equal to the MTU of the encapsulated network plus the GUE
   header. It is strongly RECOMMENDED that Path MTU Discovery [RFC1191]
   [RFC1981] be used by setting the DF bit in the IP header when GUE
   packets are carried by IPv4 (this is the default with IPv6). If
   packet fragmentation cannot be avoided, the GUE fragmentation option
   [GUEEXT] can be used.

  4.4. GUE Header Security

   NVO3 is expected to operate in a multi-tenant environment, so
   security is extremely important. Security can be provided by DC
   networking and/or by NVO3. NVO3 can use GUE security options
   [GUEEXT]. When NVO3 uses the GUE security option, the ingress NVE
   has to set the security flag and insert a key value in the security
   field [GUEEXT], and the egress NVE has to validate the key prior to
   the packet decapsulation process. If the key validation fails, the
   packet will be dropped [GUEEXT]. The key value used between the
   ingress and egress NVEs can be managed by the NVA or generated by an
   algorithm at the NVEs. This mechanism will be described in a future
   version.

  4.5.  Tenant Packet Encryption

   To protect tenant packets from eavesdropping, tampering, or message
   forgery, NVO3 can adopt the GUE payload encryption mechanism. To
   encrypt tenant packets, the ingress NVE sets the GUE payload
   transform flag and adds a 32-bit payload transform field to the GUE
   header. The payload type MUST be filled in the payload transform
   field, and the protocol field in the GUE base header MUST be set to
   59 "No next header" [GUEEXT]. Both the ingress NVE and the egress
   NVE MUST implement the encryption mechanism as described in
   [GUEEXT].

5. IANA Considerations

   This document requests IANA to allocate the first bit in the
   registry of GUE optional flag fields for the Network Virtualization
   Flag and to register a 32-bit field in the GUE option field registry
   for the Network Virtualization Identifier (VNID).

6. Security Considerations

   When a Network Virtualization Edge (NVE) uses the UDP tunnel
   mechanism specified in GUE [GUE], it faces the same security
   concerns stated in the Security Considerations section of [GUE] and
   can leverage GUE secure transport mechanisms [GUEEXT] for secure
   transport over the underlay IP network.

   GUE provides two optional security functions. One is origin
   authentication and integrity protection between encapsulator and
   decapsulator, which protects against Denial of Service (DoS)
   attacks; the other is GUE payload encryption, which protects the
   payload from eavesdropping, tampering, or message forgery. The two
   functions can be used together or independently according to the
   deployment environment. The NVO3 virtual network identifier (VNID)
   is encoded in the GUE header, which can be protected by origin
   authentication.

7. References

  7.1. Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC7365] Lasserre, M., et al., "Framework for Data Center (DC)
             Network Virtualization".

   [GUE]     Herbert, T., Yong, L., Zia, O., "Generic UDP
             Encapsulation", draft-ietf-nvo3-gue, work in progress.

   [GUEEXT]  Herbert, T., Yong, L., Templin, F., "Extensions for
             Generic UDP Encapsulation", draft-herbert-gue-extensions,
             work in progress.

  7.2. Informative Reference

   [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191,
             November 1990.

   [RFC1981]  McCann, J., Deering, S., and J. Mogul, "Path MTU
             Discovery for IP version 6", RFC 1981, August 1996.

   [NVO3MFRWK] Ghanwani, A., Dunbar, L., et al., "A Framework for
             Multicast in Network Virtualization Overlays",
             draft-ietf-nvo3-mcast-framework, work in progress.


8. Authors' Addresses

   Lucy Yong
   Huawei USA
   5340 Legacy Dr.
   Plano, TX 75024
   US

   Email: lucy.yong@huawei.com


   Tom Herbert
   Google
   1600 Amphitheatre Parkway
   Mountain View, CA
   US

   Email: therbert@google.com

   Osama Zia
   Microsoft
   1 Microsoft Way
   Redmond, WA 98029
   US

   Email: osamaz@microsoft.com





