NVO3 Working Group Z. Qiang
Internet Draft Ericsson
Intended status: Informational October 27, 2014
Expires: April 2015
Data Plane Signaling in NVO3
draft-zu-nvo3-user-plane-signalling-00.txt
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on April 27, 2015.
Z. Qiang Expires April 27, 2015 [Page 1]
�
Internet-Draft Data Plane Handling in NVO3 October 2014
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Abstract
This draft discusses the considerations on user plane signaling and
data handling in NVO3 architecture and several related issues which
need to be considered when designing a NVO3 based virtualized data
center network for multiple tenants.
Table of Contents
1. Introduction...................................................3
2. Conventions used in this document..............................3
3. Terminology....................................................3
4. Data Forwarding................................................3
5. STP/RSTP/MSTP..................................................4
6. LACP...........................................................5
7. ARP and Neighbor Discovery.....................................5
8. Routing protocol...............................................6
9. Security Considerations........................................8
10. IANA Considerations...........................................8
11. References....................................................8
11.1. Normative References.....................................8
11.2. Informative References...................................8
12. Acknowledgments...............................................9
Z. Qiang Expires April 27, 2015 [Page 2]
�
Internet-Draft Data Plane Handling in NVO3 October 2014
1. Introduction
A high-level overview of a possible architecture for building NVO3
overlay networks has been present in [nvo3-arch]. The corresponding
control plane requirements has documented in [hypervisor-nve-cp] and
[nve-nva-cp-req].
User plane signaling is referring to the Layer 2 Control Protocol
(L2CP) specified in IEEE802.1 and Layer 3 Control Protocol (L3CP)
specified in IETF.
This document is providing some considerations on how the user plane
signaling shall be handled by NVE. And several related issues are
discussed.
2. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [RFC2119].
In this document, these words will appear with that interpretation
only when in ALL CAPS. Lower case uses of these words are not to be
interpreted as carrying RFC-2119 significance.
3. Terminology
This document uses the same terminology as found in the NVO3
Framework document [framework] and [hypervisor-nve-cp].
4. Data Forwarding
In NVO3, a L2 NVE implements Ethernet LAN emulation, an Ethernet
based multipoint service similar to an IETF VPLS [RFC4761] [RFC4762]
or EVPN [EVPN] service. It forwards the multicast and unicast L2
traffic between the TSs. From the Tenant Systems aspect, the NVE is
just like a L2 bridge as specified in IEEE 802.1Q [IEEE 802.1Q].
A L3 NVE provides Virtualized IP forwarding service, similar to IETF
IP VPN, e.g. BGP/MPLS IPVPN [RFC4364]. An L3 NVE provides inter-
subnet layer 3 switching/routing for the TS. The NVE is the first hop
or next hop router to the attached TS.
In NVO3, it is very common to provide both L2 and L3 service to a TS.
In logic view, the TS is attached to a NVE which provides both L2 and
L3 function. In implementation, the L2 NVE function and L3 NVE
function may be collocated. The L2 NVE function provides intra-subnet
Z. Qiang Expires April 27, 2015 [Page 3]
�
Internet-Draft Data Plane Handling in NVO3 October 2014
traffic forwarding. The L3 NVE function provides inter-subnet traffic
forwarding.
In NVO3, to avoid flooding issues, the inner-outer address mapping
table is built using the NVA-NVE control signaling [nve-nva-cp-req].
Both L2 and L3 data forwarding are based on the inner-outer address
mapping table lookup (and forwarding policies).
The data forwarding procedure is similar for both L2 NVE and L3 NVE.
Upon receiving a unicast packet from the TS, the NVE performs a
lookup in the inner-outer address mapping table using the received
destination IP/MAC address. If a mapping is found, the received
packet will be encapsulated and forwarded to the destination NVE. If
no mapping is found, the received unknown unicast packet should be
dropped. As an alternative, the inner-outer address mapping table
updating procedure may be triggered using the NVA-NVE control
signaling [nve-nva-cp-req]. However, an attacker may generate large
amount of unknown unicast packets from a compromised VM, which may
result a denial of service (DOS) attacks. Therefore for security
reason, the inner-outer address mapping table updating procedure
shall not be triggered too often. One easy way to avoid this kind
security issue is to implement user plane filtering function.
Discussions: Some kind user plane filtering functions need to be
supported in the NVE for security reason.
5. STP/RSTP/MSTP
For a L2 NVE, the VAP is an emulation of a physical Ethernet port. It
shall have the capability to handle any L2CP. The Spanning Tree
Protocol (STP) is a L2 protocol that ensures a loop-free topology for
any bridged Ethernet local area network. STP is originally
standardized as IEEE 802.1D. It is deprecated as of 802.1d-2004 in
favor of Rapid Spanning Tree Protocol (RSTP). The Multiple Spanning
Tree Protocol (MSTP) defines an extension to RSTP to further develop
the usefulness of VLANs.
In NVO3 network, the looping of the L2 connections among the NVEs can
be avoided by correctly configuring the NVE inner-outer address
mapping table. There is no need to use any L2CP for that purpose
among the participated NVEs of a TS. However, STP/RSTP/MSTP may be
used by the TS, including multi-homing case.
In NVO3 network, the NVE does not need to propagate any STP messages
to the remote NVEs. But, the NVE may need to learn the Root Bridge
MAC address and Bridge Priority of the root of the Internal Spanning
Tree (IST) of the attached layer 2 segment by listening to the BPDUs.
Z. Qiang Expires April 27, 2015 [Page 4]
�
Internet-Draft Data Plane Handling in NVO3 October 2014
Discussions: The NVE does not need to forward the message. But it may
need to participate it. Once there is updating of Internal Spanning
Tree, NVA-NVE control signaling may be triggered for address mapping
table updates.
6. LACP
Link Aggregation [IEEE 802.1AXbk-2012] is a mechanism for making
multiple point-to-point links between a pair of devices appear to be
a single logical link between those devices.
A L2 NVE does not have to be involved in the Link Aggregation
procedure. It only needs to encapsulate and forward any Link
Aggregation Control Protocol Data and data packets between the
participated TSs.
Discussions: The NVE does not need to be involved. But it may need to
forward the messages.
7. ARP and Neighbor Discovery
For an L2 service, it is not a must for NVE to support any special
processing of ARP [RFC0826] and IPv6 Neighbor Discovery (ND)
[RFC4861] in NVO3 architecture. However, as a performance
optimization, an NVE does not need to propagate the ARP or ND
messages. It can intercept ARP or ND requests from its attached TSs
and respond based on the information configured in the inner-outer
address mapping table.
Discussions: The NVE does not need to forward the ARP or ND messages.
But it may need to response to the received messages based on the
inner-outer address mapping table.
Upon receiving ARP or ND request from a TS, the NVE sends the ARP or
ND response with the requested MAC address back. The NVE may perform
ARP or ND proxy when responding the ARP or ND request. If the NVE
does not have the interested MAC information in the receiving ARP or
ND request, it may query the NVA using the NVA-NVE control signaling
[nve-nva-cp-req]. However, an attacker may generate large amount of
ARP / ND request packets from a compromised VM, which may result a
denial of service (DOS) attacks. Therefore for security reason, the
inner-outer address mapping table updating procedure shall not be
triggered too often. One easy way to avoid this kind security issue
is to implement user plane filtering function.
Discussions: The NVE shall have some kind ARP and/or ND filtering
functions installed for security reason.
Z. Qiang Expires April 27, 2015 [Page 5]
�
Internet-Draft Data Plane Handling in NVO3 October 2014
In multi-homing case, a TS may be attached to more than one NVE and
it is possible for the TS to reach a remote TS via multiple NVEs. In
this case, it may be racing issue if all NVEs support ARP and ND
proxy function. One alternative is to select a primary NVE by using
control signaling.
Discussions: The NVA may need to select one primary NVE per network
segment of a TS to avoid the racing issue at multi-homing case.
At VM mobility, a VM may be moved from one layer-2 segment to another
layer-2 segment, assuming IP address preservation is supported. To
optimize the ARP updating procedure, the source NVE and the target
NVE can have the same MAC address configured at the VAP where the TS
attached. However, the ARP updating cannot be avoided completely.
Discussions: The NVA may need a property way to configure the primary
NVEs with same MAC address on the VAP of the same VN at each network
segment.
8. Routing protocol
A routing protocol specifies how routers communicate with each other,
disseminating information that enables them to select routes between
any two nodes on a computer network.
In NVO3, there are different developments to support layer 3
services: centralized GW function, distributed GW function, or both.
If the L3 service is provided by a NVO3 Centralized Gateway function,
the user plane routing function and the NVO3 Centralized Gateway
functions appears as router adjacencies to each other. A routing
protocol may be used between the routers for overlay data plane. Any
user plane routing messages (e.g. routing updates message from a vR
function installed in a VM of the TS) will be handled by the NVO3
Centralized Gateway function. Once there is a routing rules
installation or updating, the NVO3 Centralized Gateway function may
update its routing distribution polices and forward data packets
accordingly. The user data packet will be forwarded by the attached
NVE to the NVO3 Centralized Gateway function. Then the NVO3
Centralized Gateway function will make the L3 routing decision that
either discarding the packet or tunneling it to the destination NVE
where the destination VM attached. In this case, the NVEs, both
source NVE and destination NVE, only need to support layer 2
functionalities.
If the L3 service is provided by the Distributed GW function embedded
in the L3NVE, this can be an issue for dynamic routing updates. All
Z. Qiang Expires April 27, 2015 [Page 6]
�
Internet-Draft Data Plane Handling in NVO3 October 2014
participated L3NVEs grouping together appears as next hop router to
the user plane routing functions, e.g. vR functions installed in a VM
of the TS. The Distributed GW function embedded in the L3NVE may need
to support one or more routing protocols (e.g. BGP/OSPF/RIP) to learn
any user plane routing rules installation or updating. This allows a
L3NVE and the attached TS router to learn the IP routes updates from
each other. However, as the user plane packet forwarding in the L3NVE
is based on the inner-outer address mapping table configured by NVA
using the NVA-NVE control protocol, any user plane routing updates
may trigger the inner-outer address mapping table updates
accordingly, not in the attached NVE, but in the remote NVEs. With
the NVO3 architecture specified in [nvo3-arch], it is an issue on how
this dynamic updates can be done.
Discussion: One alternative is to use the NVE-NVE interaction
signaling for peer NVE updates at the data plane routing updates. For
instance, the L3NVE may inform the peer NVEs with the received
routing updates information. However, in this case, should the peer
NVE update its inner-outer address mapping table without NVA's
involvements? This may be challenging the NVA's centralized control
role. And it may also cause some security violation concerns.
Another alternative is that the L3NVE shall not forward any routing
updates information to any peer NVEs to avoid flooding. Instead, it
shall always inform the NVA about any routing changes. Then the NVA
will use the NVA-NVE signaling for the inner-outer address mapping
table updating at the peer NVE. This alternative gives the
centralized GW function role to the NVA.
It is possible to have the L3 service provided by both a centralized
GW function and a few distributed GW functions in a NVO3 network. For
instance, the centralized GW function can be used to handle the user
plane routing installing and updating. And the distributed GW
functions can be used for data forwarding only. In this case, at any
user plane routing installing and updating, the centralized GW
function may update the routing policies (i.e. RIB), and notify the
distributed GW functions with the updated forwarding policies (i.e.
FIB).
Discussion: However, unless the NVA has the centralized GW function
role, this alternative is also violating the NVO3 architecture
specified in [nvo3-arch], as the FIB is the inner-outer address
mapping table in the NVE.
Z. Qiang Expires April 27, 2015 [Page 7]
�
Internet-Draft Data Plane Handling in NVO3 October 2014
9. Security Considerations
This is a discussion paper which provides inputs for the NVO3
requirement documents and in itself does not introduce any new
security concerns.
10. IANA Considerations
No actions are required from IANA for this informational document.
11. References
11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2234] Crocker, D. and Overell, P.(Editors), "Augmented BNF for
Syntax Specifications: ABNF", RFC 2234, Internet Mail
Consortium and Demon Internet Ltd., November 1997.
11.2. Informative References
[overlay-problem-statement] Narten, T., Gray, E., Black, D., Fang,
L., Kreeger, L., and M. Napierala, "Problem Statement:
Overlays for Network Virtualization", draft-ietf-nvo3-
overlay-problem-statement-04 (work in progress), July 31,
2013.
[hypervisor-nve-cp] Li, Y., Yong L., Kreeger, L., Narten, T., and D.
Black, "Hypervisor to NVE Control Plane Requirements",
draft-ietf-nvo3-hpvr2nve-cp-req-00(work in progress), July
1, 2014.
[nvo3-framework] Lasserre, M., Balus, F., Morin, T., Bitar, N., and
Y. Rekhter, "Framework for DC Network Virtualization",
draft-ietf-nvo3-framework-09 (work in progress), July 4,
2014.
[nve-nva-cp-req] Kreeger, L., D. Dutt, T. Narten, D. Black, "Network
Virtualization NVE to NVA Control Protocol Requirements",
draft-ietf-nvo3-nve-nva-cp-req-02 (work in progress), April
24, 2014
[nvo3-arch] D. Black, J. Hudson, L. Kreeger, M. Lasserre, T. Narten,
"An Architecture for Overlay Networks (NVO3)", draft-ietf-
nvo3-arch-01(work in progress), February 14, 2014
Z. Qiang Expires April 27, 2015 [Page 8]
�
Internet-Draft Data Plane Handling in NVO3 October 2014
[IEEE 802.1Q] "Virtual Bridged Local Area Networks", 2005
[EVPN] Sajassi, A. et al, "BGP MPLS Based Ethernet VPN", draft-
ietf-l2vpn-evpn (work in progress)
[RFC4761] Kompella, K. et al, "Virtual Private LAN Service (VPLS)
Using BGP for auto-discovery and Signaling", RFC4761,
January 2007
[RFC4762] Lasserre, M. et al, "Virtual Private LAN Service (VPLS)
Using Label Distribution Protocol (LDP) Signaling",
RFC4762, January 2007
[RFC0826] Plummer, D., "Ethernet Address Resolution Protocol: Or
converting network protocol addresses to 48.bit Ethernet
address for transmission on Ethernet hardware", STD 37, RFC
826, November 1982.
[RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
Networks (VPNs)", RFC 4364, February 2006.
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
September 2007.
12. Acknowledgments
Many people have contributed to the development of this document and
many more will probably do so before we are done with it. While we
cannot thank all contributors, some have played an especially
prominent role. The following have provided essential input: Suresh
Krishnan.
Authors' Addresses
Zu Qiang
Ericsson
8400, boul. Decarie
Ville Mont-Royal, QC,
Canada
Email: Zu.Qiang@Ericsson.com
Z. Qiang Expires April 27, 2015 [Page 9]
�