Hi,
A couple of questions of some substance below.
Support for multi-tenancy has become a core requirement of data centers
(DCs), especially in the context of data centers supporting virtualized
hosts known as virtual machines (VMs). Two key requirements needed
to support multi-tenancy are traffic isolation, so that a tenant's
traffic is not visible to any other tenant, and address independence,
so that one tenant's addressing does not collide with other tenants
addressing schemes or with addresses used within the data center itself.
Another key requirement is to support the placement and migration of
VMs anywhere within the data center, without being limited by DC
network constraints such as the IP subnet boundaries of the
underlying DC network.
An NVO3 solution (known here as a Data Center Virtual Private
Network (DCVPN)) is a VPN that is viable across a scaling range of
a few thousand VMs to several million VMs running on greater
than 100K physical servers. It thus has good scaling properties
from relatively small networks to networks with several million
DCVPN endpoints and hundreds of thousands of DCVPNs within a
single administrative domain.
Note that although this charter uses the term VM throughout, NVO3 must
also support connectivity to traditional hosts e.g. hosts that do not
have hypervisors.
NVO3 will consider approaches to multi-tenancy that reside at the
network layer rather than using traditional isolation mechanisms
I know we have been dancing around this and there is a lot of paranoia. It is
clear that we mean that no IETF technology will be excluded from consideration a
priori. This may be sensitive because the PWE3 charter (which had to handle a
similar question) explicitly called out IP and MPLS. I can't think of a better
way of saying what the text says other than "network layer" but perhaps, for the
avoidance of doubt, Stewart could put an email in the archive that says "I
confirm that the phrase 'network layer' in the context of the NVO3 charter does
not exclude MPLS." Then (hopefully) we can all move along and do the real work
:-)
that rely on the underlying layer 2 technology (e.g., VLANs).
The NVO3 WG will determine which types of service are needed by typical
DC deployments (for example, IP and/or Ethernet).
NVO3 will document the problem statement, the applicability, and an
architectural framework for DCVPNs within a data center
environment. Within this framework, functional blocks will be defined to
allow the dynamic attachment / detachment of VMs to their DCVPN,
and the interconnection of elements of the DCVPNs over
the underlying physical network. This will support the delivery
of packets to the destination VM, and provide the network functions
required for the migration of VMs within the network in a
sub-second timeframe.
This has been discussed a bit, but I still can't believe that it won't cause
contention down the line. The term "migration" will mean different things to
different people and some will expect it to mean the picking up of one active
operational environment and its transportation to run in a different place. We
need to be clear whether we mean simply that the "re-registration" of a VM at a
different location and the associated "convergence" of the network is intended
to be sub-second, or whether it is the whole transportation of the VM.
I don't have an immediate suggestion for wording around this other than to say
that the bald word "migration" is not enough.
Based on this framework, the NVO3 WG will develop requirements for both
control plane protocol(s) and data plane encapsulation format(s),
I find this rather clumsy and suggest:
Based on this framework, the NVO3 WG will develop requirements for control plane
protocols and data plane encapsulation formats,
and
perform a gap analysis of existing candidate mechanisms. In addition
to functional and architectural requirements, the NVO3 WG will develop
management, operational, maintenance, troubleshooting, security and
OAM protocol requirements.
The NVO3 WG will investigate the interconnection of the DCVPNs
and their tenants with non-NVO3 IP network(s) to determine if
any specific work is needed.
I can see how this might give rise to requirements and architectural work. I am
not clear what "determine if any specific work is needed" because that may
substantially depend on which solutions have been selected. Perhaps replacement
text...
The NVO3 WG will investigate the interconnection of the DCVPNs and their tenants
with non-NVO3 IP networks, and will document any additional requirements and
architectural functions.
The NVO3 WG will write the following informational RFCs, which
must be substantially complete before rechartering can be
considered:
"substantially complete" is sufficiently subjective to risk a riot at some point
in the future!
Can we be more precise with some well-known process step such as WG last call or
publication request.
I do not believe that rechartering at that point would take more than a couple
of weeks, so it is not as though the WG will grind to a halt for a season.
Problem Statement
Framework document
Control plane requirements document
Data plane requirements document
Operational Requirements
Gap Analysis
I see how the three requirements documents have been arrived at from the text in
the previous paragraphs. Where does Security fit in? Is it distributed amongst
the three documents? If so, why were operational requirements not similarly
distributed?
Driven by the requirements and consistent with the gap analysis,
the NVO3 WG may request being rechartered to document solutions
consisting of one or more data plane encapsulations and
control plane protocols as applicable. Any documented solutions
will use existing IETF protocols if suitable. Otherwise,
the NVO3 WG may propose the development of new IETF protocols,
or the writing of an applicability statement for a non-IETF
protocol.
s/a non-IETF protocol/non-IETF protocols/
[snip]
Thanks,
Adrian