Network Working Group S. Jeong Internet-Draft ETRI Intended status: Informational D. Colle Expires: June 27, 2011 IBBT December 24, 2010 Virtual Networks Problem Statement draft-jeong-vnrg-virtual-networks-ps-00.txt Abstract This document presents the definition and effectiveness of virtual networks and discusses the key components and challenges of supporting virtual networks in the networks. It also describes acid tests for virtual networks. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on June 27, 2011. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Jeong & Colle Expires June 27, 2011 [Page 1] Internet-Draft Virtual Networks PS December 2010 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Motivation and Definition of Virtual Networks . . . . . . . . . 4 2.1. Motivation . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2. Definition of Virtual Networks . . . . . . . . . . . . . . 5 2.3. Effectiveness of Virtual Networks . . . . . . . . . . . . . 6 3. Key Components and Challenges for Virtual Networks . . . . . . 6 3.1. Key Components . . . . . . . . . . . . . . . . . . . . . . 6 3.2. Key Challenges . . . . . . . . . . . . . . . . . . . . . . 6 4. Acid Tests for Virtual Networks . . . . . . . . . . . . . . . . 7 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 8 6. Informative References . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8 Jeong & Colle Expires June 27, 2011 [Page 2] Internet-Draft Virtual Networks PS December 2010 1. Introduction The main objectives of virtualization are to create multiple logical instances of the resources that can coexist, to separate the uses of the logical instances, and to simplify the use of the underlying resources by abstracting the characteristics and interacting with the resources with limited abstracted knowledge. The virtualization technology has been extensively studied for decades from desktop virtualization, application virtualization, system virtualization, link virtualization, storage virtualization to network virtualization. All the virtualization technologies above have relationship with network virtualization technology, but from the simplified view the network elements may be seen as systems with links. Thus, network virtualization would be expected to be realized on the basis of traditional virtualization technologies, especially system and link virtualization. The system virtualization is the ability to run an entire virtual system with its own guest OS over another OS or over a bare-machine. So, it allows multiple virtual systems with heterogeneous guest OSes to run in isolation on the same physical system. Each virtual system has its own set of virtual hardware and can be accessed independently. Thus, each virtual system can participate in constructing and providing independent networks. The virtual system can utilize consistent, normalized set of hardware regardless of the characteristics of physical hardware specification. Network virtualization allows dynamic creation and management of virtual networks over network infrastructures. These virtual networks may be heterogeneous and multiple separate virtual networks can be simultaneously coexisted over the network infrastructures. The benefits of system virtualization are as follows, but these benefits can also be applied to network virtualization. o Since several virtual systems share a single set of hardware, it is possible to achieve better resource utilization and to lower hardware cost. o Secure and separate environment can be provided among virtual systems because each virtual system is isolated from the others. o System virtualization can provide normalized set of interfaces and make it easier to provide virtual systems. Also, it can support seamless migration of virtual systems by setting up a virtual system using a pre-existing template and shifting virtual system from one physical system to another to balance workloads or improve efficiency. Jeong & Colle Expires June 27, 2011 [Page 3] Internet-Draft Virtual Networks PS December 2010 There are various technologies for providing virtual networks over network infrastructures, for example Virtual Private Network (VPN) technologies provide virtual networks. Although VPN supports coexistence of separate virtual networks, it is not easy to dynamically reconfigure the capability of given virtual networks based on the changes of user's demand. Network virtualization is one of prominent technologies to support dynamically reconfigurable, isolated, and separate virtual networks over network infrastructures. Network virtualization allows multiple heterogeneous virtual networks that are isolated and independently manageable to coexist over shared physical network infrastructures. Since each virtual network can utilize different network architectures, the shared network infrastructure may support the architecture of multiple architectures. For example, by utilizing network virtualization technology, different virtual networks can provide different end-to-end packet delivery systems and may use different protocols and packet formats [1]. These virtual networks may be a way to de-ossify the current network architectures. This document presents the definition and effectiveness of virtual networks. It also discusses the key components and challenges of supporting virtual networks in the networks. Finally, it describes acid tests for virtual networks. 2. Motivation and Definition of Virtual Networks 2.1. Motivation The current network architectures are facing many challenges as they continuously expand application spaces and environments. Some of the challenges may require a variety of the new different architectures so as to resolve the challenges. In order to accelerate the research and development of the innovative architectures, a common means should be provided to accommodate the new heterogeneous architecture researches and experiments in shared network infrastructures. The common means would be a set of virtual networks. The virtual networks can be served as non-virtualized networks without operational interference with other virtual networks while sharing the components of networks. Thus, multiple virtual networks can concurrently use a single physical network for multiple virtual networks and different virtual networks may use heterogeneous network technologies in the isolated and separate environment. Also, standardized set of interfaces between virtual networks can make it easier to provide virtual networks and improve portability. The provision of standardized interfaces can support seamless migration Jeong & Colle Expires June 27, 2011 [Page 4] Internet-Draft Virtual Networks PS December 2010 and update of the capability of virtual networks. Finally, utilization of physical resources can be increased by accommodating multiple virtual networks in a single physical resource. 2.2. Definition of Virtual Networks A virtual network is a network of virtual resources where the resources can be separated from other virtual resources and their capabilities can be dynamically reconfigured. In other words, a virtual network is a logical partition of physical or logical networks and its capability is the same as or subset of the networks. Also, the virtual network may expand its capability by aggregating the capabilities of multiple networks. From the user's point of view, the virtual network can be seen as a non-virtualized network. A virtual resource is an abstraction of physical or logical resource and its partition and has the same mechanisms as the physical or logical resource. It can also inherit all existing mechanisms and tools for the physical or logical resource. In addition to the mechanisms above, a virtual resource has several interfaces to access and manage the virtual resource. These interfaces typically include virtual data plane interfaces, virtual configuration interfaces, and management interfaces. A virtual network has following key properties. o Partitioning: Each virtual resource can be used concurrently by multiple virtual networks. Multiple applications or OSes can be simultaneously supported within a single physical resource. Multiple physical resources can be consolidated into virtual resources on either a scale-up or scale-down architecture. o Isolation: Any virtual network can be clearly isolated from all others. Even though a virtual network crashes, the others are not affected. Data in one virtual network do not leak across virtual networks and applications can only communicate over configured network connections. Unauthorized accesses to other virtual networks are prohibited. o Abstraction: A given virtual resource needs not directly correspond to its component resources. The detailed information of the physical resource can be abstracted so that other systems, applications, or users access the capabilities of resources by using abstracted interfaces. These interfaces can guarantee compatibility for accessing the virtual resources and provide an efficient control of the virtual resources.. Jeong & Colle Expires June 27, 2011 [Page 5] Internet-Draft Virtual Networks PS December 2010 2.3. Effectiveness of Virtual Networks Virtual networks can be used for the same purposes as non-virtualized networks without interfering with the operation of other virtual networks while sharing the key components among virtual networks. Therefore, the coexistence of multiple virtual networks is possible. The virtual networks over physical infrastructure are completely isolated each other, so different virtual networks may use different network technologies, for example, different protocols and packet formats or even defining a new layering architecture can be supported on each virtual network without interfering with the operation of other virtual networks. In other words, each virtual network can provide the corresponding user group with full network services similar to those provided by a traditional non-virtualized network. From the users' perspective, each user accesses a dedicated network independently. Also, providing virtual networks can reduce the total cost by increasing the utilization of resources while still maintaining secure separation among virtual networks [2]. 3. Key Components and Challenges for Virtual Networks 3.1. Key Components The key components of virtual networks include traditional network elements, such as hosts, routers, links, etc. In addition to them, mechanisms for creating and managing the virtual networks are also included. The virtual network management mechanisms create logical partitions in the components and connect those partitions in order to construct a virtual network. The virtual network can be connected with non-virtualized components. Users can see the virtual network as a non-virtualized dedicated network, so they can perform any actions such as deploy new services, network architectures, etc. as if they own the dedicated network. 3.2. Key Challenges The followings investigate the key challenges for virtual networks. o Performance: Virtualization resource is typically realized by adopting virtualization layer in the physical resources, so creation and management of virtual network also needs to interact with the virtualization layer. Therefore, the performance of the virtual networks may not be as good as the non-virtualized network and how to reduce the performance degradation is a challenge. Jeong & Colle Expires June 27, 2011 [Page 6] Internet-Draft Virtual Networks PS December 2010 o Isolation: Multiple virtual networks coexist over the key components of virtual networks, so isolation among the coexisting virtual networks is the challenge. The isolation includes various aspects such as security isolation, performance isolation, etc. Since multiple virtual networks exist over shared physical infrastructures, unexpected behavior of a virtual network may affect other coexisting services and may cause security problems, performance degradation of other services, and so on. How to guarantee isolation of virtual networks by creating isolated virtual network environments between users belonging to separate groups is a key challenge. o Flexibility: After creating a virtual network based on user's requirements, the requirements can be changed. In that case, it will be necessary to modify the capability of the virtual network. The update of virtual network's capability may be done dynamically and without interrupting the operation of the current virtual network. o Scalability: How many virtual networks can be simultaneously supported or how many key components can be connected and managed are also a challenge. o Management: Since each virtual network can be separately configured and managed, how to provide independent management functions for each virtual network is a challenge. Also, the management functions need to collaborate with the management for the physical infrastructures. 4. Acid Tests for Virtual Networks In the network community, virtual networks has been used as a general term without clear definition or requirements, so provision of virtual networks across various heterogeneous systems such as network operators, network equipment vendors, service providers, etc. has been difficult. This section discusses acid tests for virtual networks in order to build common understanding about virtual networks. o Control isolation: Since multiple virtual networks concurrently exist in virtual resources, each virtual networks need to be separately managed. Thus, isolated control is necessary so that separate virtual networks can be individually configured and managed. o Access control and virtual network labeling: Since any virtual network can be isolated from others, it is necessary to prevent a Jeong & Colle Expires June 27, 2011 [Page 7] Internet-Draft Virtual Networks PS December 2010 user in a virtual network from accessing other virtual networks without authorization. In order to support the clear isolation, virtual resources should be able to uniquely identify virtual networks and enforce access control for users and applications. o Virtualization of address and port ranges: Since multiple virtual networks share a single physical resource, overlapping address ranges should be possible. It is necessary to provide translation of virtual address into internal physical address at ingress points of the physical resource and vice versa at egress points. o Regulation of resource usage: Considering the utility of customers, each virtual network should be capable of using physical network resources and constructing a network topology. However, one possible problem is that some abnormal virtual networks may occupy most of the resources, which deteriorates other virtual network performance due to network resource exhaustion. Therefore, it is necessary to regulate the upper limit of resource consumption by each virtual network in order to maintain the overall utility and performance. Injecting the resource owner's policy into usage of the resource also needs to be supported. 5. Security Considerations TBD 6. Informative References [1] Mosharaf, N. and R. Boutaba, "Network Virtualization: State of the Art and Research Challenges", IEEE Communications Magazine , July 2009. [2] Mosharaf, N. and R. Boutaba, "A Survey of Network Virtualization", Computer Networks , April 2010. Jeong & Colle Expires June 27, 2011 [Page 8] Internet-Draft Virtual Networks PS December 2010 Authors' Addresses Sangjin Jeong ETRI 138 Gajeongno, Yuseong Daejeon, 305-700 Korea Phone: +82 42 860 1877 Email: sjjeong@etri.re.kr Didier Colle Ghent University Gaston Crommenlaan 8 Gent, B-9050 Belgium Phone: +32 9 331 49 70 Email: didier.colle@intec.ugent.be Jeong & Colle Expires June 27, 2011 [Page 9]