Internet Engineering Task Force (IETF)                           L. Yong
Request for Comments: 8151                                     L. Dunbar
Category: Informational                                           Huawei
ISSN: 2070-1721                                                   M. Toy
                                                                 Verizon
                                                                A. Isaac
                                                        Juniper Networks
                                                               V. Manral
                                                             Nano Sec Co
                                                                May 2017
        

Use Cases for Data Center Network Virtualization Overlay Networks

Abstract

This document describes Network Virtualization over Layer 3 (NVO3) use cases that can be deployed in various data centers and serve different data-center applications.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8151.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
      1.1. Terminology
      1.2. NVO3 Background
   2. DC with a Large Number of Virtual Networks
   3. DC NVO3 Virtual Network and External Network Interconnection
      3.1. DC NVO3 Virtual Network Access via the Internet
      3.2. DC NVO3 Virtual Network and SP WAN VPN Interconnection
   4. DC Applications Using NVO3
      4.1. Supporting Multiple Technologies
      4.2. DC Applications Spanning Multiple Physical Zones
      4.3. Virtual Data Center (vDC)
   5. Summary
   6. Security Considerations
   7. IANA Considerations
   8. Informative References
   Acknowledgements
   Contributors
   Authors' Addresses
        
1. Introduction

Server virtualization has changed the Information Technology (IT) industry in terms of the efficiency, cost, and speed of providing new applications and/or services such as cloud applications. However, traditional data center (DC) networks have limits in supporting cloud applications and multi-tenant networks [RFC7364]. The goal of data center Network Virtualization over Layer 3 (NVO3) networks is to decouple the communication among tenant systems from DC physical infrastructure networks and to allow one physical network infrastructure to:

o carry many NVO3 virtual networks and isolate the traffic of different NVO3 virtual networks on a physical network.

o provide independent address space in individual NVO3 virtual network such as Media Access Control (MAC) and IP.

o Support flexible Virtual Machines (VMs) and/or workload placement including the ability to move them from one server to another without requiring VM address changes and physical infrastructure network configuration changes, and the ability to perform a "hot move" with no disruption to the live application running on those VMs.

These characteristics of NVO3 virtual networks (VNs) help address the issues that cloud applications face in data centers [RFC7364].

Hosts in one NVO3 VN may communicate with hosts in another NVO3 VN that is carried by the same physical network, or different physical network, via a gateway. The use-case examples for the latter are as follows:

1) DCs that migrate toward an NVO3 solution will be done in steps, where a portion of tenant systems in a VN are on virtualized servers while others exist on a LAN.

2) many DC applications serve Internet users who are on different physical networks;

3) some applications are CPU bound, such as Big Data analytics, and may not run on virtualized resources.

The inter-VN policies are usually enforced by the gateway.

This document describes general NVO3 VN use cases that apply to various data centers. The use cases described here represent the DC provider's interests and vision for their cloud services. The document groups the use cases into three categories from simple to sophisticated in terms of implementation. However, the implementation details of these use cases are outside the scope of this document. These three categories are described below:

o Basic NVO3 VNs (Section 2). All Tenant Systems (TSs) in the network are located within the same DC. The individual networks can be either Layer 2 (L2) or Layer 3 (L3). The number of NVO3 VNs in a DC is much larger than the number that traditional VLAN-based virtual networks [IEEE802.1Q] can support.

o A virtual network that spans across multiple DCs and/or to customer premises where NVO3 virtual networks are constructed and interconnect other virtual or physical networks outside the DC. An enterprise customer may use a traditional carrier-grade VPN or an IPsec tunnel over the Internet to communicate with its systems in the DC. This is described in Section 3.

o DC applications or services require an advanced network that contains several NVO3 virtual networks that are interconnected by gateways. Three scenarios are described in Section 4: (1) supporting multiple technologies; (2) constructing several virtual networks as a tenant network; and (3) applying NVO3 to a virtual Data Center (vDC).

The document uses the architecture reference model defined in [RFC7365] to describe the use cases.

1.1. Terminology

This document uses the terminology defined in [RFC7365] and [RFC4364]. Some additional terms used in the document are listed here.

ASBR: Autonomous System Border Router.

DC: Data Center.

DMZ: Demilitarized Zone. A computer or small subnetwork between a more-trusted internal network, such as a corporate private LAN, and an untrusted or less-trusted external network, such as the public Internet.

DNS: Domain Name Service [RFC1035].

DC Operator: An entity that is responsible for constructing and managing all resources in DCs, including, but not limited to, computing, storage, networking, etc.

DC Provider: An entity that uses its DC infrastructure to offer services to its customers.

NAT: Network Address Translation [RFC3022].

vGW: virtual GateWay. A gateway component used for an NVO3 virtual network to interconnect with another virtual/physical network.

NVO3: Network Virtualization over Layer 3. A virtual network that is implemented based on the NVO3 architecture.

PE: Provider Edge.

SP: Service Provider.

TS: A Tenant System, which can be instantiated on a physical server or virtual machine (VM).

VRF-LITE: Virtual Routing and Forwarding - LITE [VRF-LITE].

VN: Virtual Network

VoIP: Voice over IP

WAN VPN: Wide Area Network Virtual Private Network [RFC4364] [RFC7432].

1.2. NVO3 Background

An NVO3 virtual network is in a DC that is implemented based on the NVO3 architecture [RFC8014]. This architecture is often referred to as an overlay architecture. The traffic carried by an NVO3 virtual network is encapsulated at a Network Virtualization Edge (NVE) [RFC8014] and carried by a tunnel to another NVE where the traffic is decapsulated and sent to a destination Tenant System (TS). The NVO3 architecture decouples NVO3 virtual networks from the DC physical network configuration. The architecture uses common tunnels to carry NVO3 traffic that belongs to multiple NVO3 virtual networks.

An NVO3 virtual network may be an L2 or L3 domain. The network provides switching (L2) or routing (L3) capability to support host (i.e., TS) communications. An NVO3 virtual network may be required to carry unicast traffic and/or multicast or broadcast/unknown-unicast (for L2 only) traffic to/from TSs. There are several ways to transport NVO3 virtual network Broadcast, Unknown Unicast, and Multicast (BUM) traffic [NVO3MCAST].

An NVO3 virtual network provides communications among TSs in a DC. A TS can be a physical server/device or a VM on a server end-device [RFC7365].

2. DC with a Large Number of Virtual Networks

A DC provider often uses NVO3 virtual networks for internal applications where each application runs on many VMs or physical servers and the provider requires applications to be segregated from each other. A DC may run a large number of NVO3 virtual networks to support many applications concurrently, whereas a traditional VLAN solution based on IEEE 802.1Q is limited to 4094 VLANs.

Applications running on VMs may require a different quantity of computing resources, which may result in a computing-resource shortage on some servers while other servers are nearly idle. A shortage of computing resources may impact application performance. DC operators desire VM or workload movement for resource-usage optimization. VM dynamic placement and mobility result in frequent changes of the binding between a TS and an NVE. The TS reachability update mechanisms should take significantly less time than the typical retransmission timeout window of a reliable transport protocol such as TCP and Stream Control Transmission Protocol (SCTP), so that endpoints' transport connections won't be impacted by a TS becoming bound to a different NVE. The capability of supporting many TSs in a virtual network and many virtual networks in a DC is critical for an NVO3 solution.

When NVO3 virtual networks segregate VMs belonging to different applications, DC operators can independently assign MAC and/or IP address space to each virtual network. This addressing is more flexible than requiring all hosts in all NVO3 virtual networks to share one address space. In contrast, typical use of IEEE 802.1Q VLANs requires a single common MAC address space.
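
The following sketch is an added example, not part of RFC 8151. It shows why per-VN address spaces require an NVE to key TS reachability on (VNID, MAC) rather than MAC alone, and how a TS-to-NVE binding update after a VM move can reject stale information. The 24-bit VNID width (as in VXLAN), the per-binding sequence number, and all MAC/IP values are assumptions constructed for illustration.

```python
# Added example (not from RFC 8151): TS-to-NVE bindings scoped per virtual network.
# Assumptions: 24-bit VNID (VXLAN-style), a per-binding sequence number, and
# constructed MAC/IP values taken from documentation ranges.

VLAN_ID_BITS = 12   # IEEE 802.1Q VLAN ID field width
VNID_BITS = 24      # assumption: VXLAN-style 24-bit VN identifier


def usable_vlans():
    """VLAN IDs 0 and 4095 are reserved, leaving the 4094 cited in the text."""
    return 2 ** VLAN_ID_BITS - 2


class NveMappingTable:
    """Maps (VNID, TS MAC) -> remote NVE address; MAC alone is never a key."""

    def __init__(self):
        self._bindings = {}  # (vnid, mac) -> (nve_ip, seq)

    def update(self, vnid, mac, nve_ip, seq):
        """Apply a reachability update; return True if the binding changed."""
        if not 0 <= vnid < 2 ** VNID_BITS:
            raise ValueError(f"VNID {vnid} does not fit in {VNID_BITS} bits")
        key = (vnid, mac.lower())
        current = self._bindings.get(key)
        # Reject stale or replayed updates: after a VM move, a delayed message
        # naming the old NVE must not pull the TS's traffic back.
        if current is not None and seq <= current[1]:
            return False
        self._bindings[key] = (nve_ip, seq)
        return True

    def lookup(self, vnid, mac):
        """Return the NVE for this TS in this VN, or None (no cross-VN fallback)."""
        entry = self._bindings.get((vnid, mac.lower()))
        return entry[0] if entry else None


def demo():
    table = NveMappingTable()
    mac = "02:00:00:00:00:01"  # constructed, locally administered MAC
    # Two applications reuse the same MAC in different VNs. The VNIDs are
    # above 4094 on purpose: a 12-bit VLAN ID could not express them.
    table.update(5001, mac, "192.0.2.11", seq=1)
    table.update(5002, mac, "192.0.2.22", seq=1)
    before = (table.lookup(5001, mac), table.lookup(5002, mac))
    # "Hot move" of the TS in VN 5001 to a server behind another NVE.
    moved = table.update(5001, mac, "192.0.2.33", seq=2)
    stale = table.update(5001, mac, "192.0.2.11", seq=1)  # late, old update
    after = (table.lookup(5001, mac), table.lookup(5002, mac))
    unknown_vn = table.lookup(5003, mac)  # same MAC, VN with no binding
    return before, moved, stale, after, unknown_vn


if __name__ == "__main__":
    print(usable_vlans(), 2 ** VNID_BITS)
    print(demo())
```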

3. DC NVO3 Virtual Network and External Network Interconnection

Many customers (enterprises or individuals) who utilize a DC provider's compute and storage resources to run their applications need to access their systems hosted in a DC through the Internet or Service Providers' Wide Area Networks (WAN). A DC provider can construct an NVO3 virtual network that provides connectivity to all the resources designated for a customer, and it allows the customer to access the resources via a virtual GateWay (vGW). WAN connectivity to the vGW can be provided by VPN technologies such as IPsec VPNs [RFC4301] and BGP/MPLS IP VPNs [RFC4364].

If a virtual network spans multiple DC sites, one design using NVO3 is to allow the network to seamlessly span the sites without DC gateway routers' termination. In this case, the tunnel between a pair of NVEs can be carried within other intermediate tunnels over the Internet or other WANs, or an intra-DC tunnel and inter-DC tunnel(s) can be stitched together to form an end-to-end tunnel between the pair of NVEs that are in different DC sites. Both cases will form one NVO3 virtual network across multiple DC sites.

Two use cases are described in the following sections.

3.1. DC NVO3 Virtual Network Access via the Internet

A customer can connect to an NVO3 virtual network via the Internet in a secure way. Figure 1 illustrates an example of this case. The NVO3 virtual network has an instance at NVE1 and NVE2, and the two NVEs are connected via an IP tunnel in the DC. A set of TSs are attached to NVE1 on a server. NVE2 resides on a DC Gateway device. NVE2 terminates the tunnel and uses the VN Identifier (VNID) on the packet to pass the packet to the corresponding vGW entity on the DC GW (the vGW is the default gateway for the virtual network). A customer can access their systems, i.e., TS1 or TSn, in the DC via the Internet by using an IPsec tunnel [RFC4301]. The IPsec tunnel is configured between the vGW and the customer gateway at the customer site. Either a static route or Internal Border Gateway Protocol (IBGP) may be used for prefix advertisement. The vGW provides IPsec functionality such as authentication scheme and encryption; IBGP traffic is carried within the IPsec tunnel. Some vGW features are listed below:

o The vGW maintains the TS/NVE mappings and advertises the TS prefix to the customer via static route or IBGP.

o Some vGW functions such as the firewall and load-balancer (LB) can be performed by locally attached network appliance devices.

o If the NVO3 virtual network uses different address space than external users, then the vGW needs to provide the NAT function.

o More than one IPsec tunnel can be configured for redundancy.

o The vGW can be implemented on a server or VM. In this case, IP tunnels or IPsec tunnels can be used over the DC infrastructure.

o DC operators need to construct a vGW for each customer.

   Server+---------------+
         |   TS1 TSn     |
         |    |...|      |
         |  +-+---+-+    |             Customer Site
         |  |  NVE1 |    |               +-----+
         |  +---+---+    |               | GW  |
         +------+--------+               +--+--+
                |                           *
            L3 Tunnel                       *
                |                           *
   DC GW +------+---------+            .--.  .--.
         |  +---+---+     |           (    '*   '.--.
         |  |  NVE2 |     |        .-.'   *          )
         |  +---+---+     |       (    *  Internet    )
         |  +---+---+.    |        ( *               /
         |  |  vGW  | * * * * * * * * '-'          '-'
         |  +-------+ |   | IPsec       \../ \.--/'
         |   +--------+   | Tunnel
         +----------------+
        

DC Provider Site

Figure 1: DC Virtual Network Access via the Internet

3.2. DC NVO3 Virtual Network and SP WAN VPN Interconnection

In this case, an enterprise customer wants to use a Service Provider (SP) WAN VPN [RFC4364] [RFC7432] to interconnect its sites with an NVO3 virtual network in a DC site. The SP constructs a VPN for the enterprise customer. Each enterprise site peers with an SP PE. The DC provider and VPN SP can build an NVO3 virtual network and a WAN VPN independently, and then interconnect them via a local link or a tunnel between the DC GW and WAN PE devices. The control plane interconnection options between the DC and WAN are described in [RFC4364]. Using the option "a" specified in [RFC4364] with VRF-LITE [VRF-LITE], both ASBRs, i.e., DC GW and SP PE, maintain a routing/forwarding table (VRF). Using the option "b" specified in [RFC4364], the DC ASBR and SP ASBR do not maintain the VRF table; they only maintain the NVO3 virtual network and VPN identifier mappings, i.e., label mapping, and swap the label on the packets in the forwarding process. Both option "a" and option "b" allow the use of NVO3 VNs and VPNs using their own identifiers, and two identifiers are mapped at the DC GW. With the option "c" in [RFC4364], the VN and VPN use the same identifier and both ASBRs perform the tunnel stitching, i.e., tunnel segment mapping. Each option has pros and cons [RFC4364] and has been deployed in SP networks depending on the application requirements. BGP is used in these options for route distribution between DCs and SP WANs. Note that if the DC is the SP's DC, the DC GW and SP PE can be merged into one device that performs the interworking of the VN and VPN within an Autonomous System.

These solutions allow the enterprise networks to communicate with the tenant systems attached to the NVO3 virtual network in the DC without interfering with the DC provider's underlying physical networks and other NVO3 virtual networks in the DC. The enterprise can use its own address space in the NVO3 virtual network. The DC provider can manage which VM and storage elements attach to the NVO3 virtual network. The enterprise customer manages which applications run on the VMs without knowing the location of the VMs in the DC. (See Section 4 for more information.)

Furthermore, in this use case, the DC operator can move the VMs assigned to the enterprise from one server to another in the DC without the enterprise customer being aware, i.e., with no impact on the enterprise's "live" applications. Such advanced technologies bring DC providers great benefits in offering cloud services, but add some requirements for NVO3 [RFC7364] as well.

4. DC Applications Using NVO3

NVO3 technology provides DC operators with the flexibility in designing and deploying different applications in an end-to-end virtualization overlay environment. The operators no longer need to worry about the constraints of the DC physical network configuration when creating VMs and configuring a network to connect them. A DC provider may use NVO3 in various ways, in conjunction with other physical networks and/or virtual networks in the DC. This section highlights some use cases for this goal.

4.1. Supporting Multiple Technologies

Servers deployed in a large DC are often installed at different times, and they may have different capabilities/features. Some servers may be virtualized, while others may not; some may be equipped with virtual switches, while others may not. For the servers equipped with Hypervisor-based virtual switches, some may support a standardized NVO3 encapsulation, some may not support any encapsulation, and some may support a documented encapsulation protocol (e.g., Virtual eXtensible Local Area Network (VXLAN) [RFC7348] and Network Virtualization using Generic Routing Encapsulation (NVGRE) [RFC7637]) or proprietary encapsulations. To construct a tenant network among these servers and the Top-of-Rack (ToR) switches, operators can construct one traditional VLAN network and two virtual networks where one uses VXLAN encapsulation and the other uses NVGRE, and interconnect these three networks via a gateway or virtual GW. The GW performs packet encapsulation/decapsulation translation between the networks.

Another case is that some software of a tenant has high CPU and memory consumption, which only makes sense to run on standalone servers; other software of the tenant may be good to run on VMs. However, provider DC infrastructure is configured to use NVO3 to connect VMs and VLANs [IEEE802.1Q] to physical servers. The tenant network requires interworking between NVO3 and traditional VLAN.
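
The encapsulation translation described in this section, as an added example that is not part of RFC 8151: a gateway that rewrites the 8-byte VXLAN header [RFC7348] into the 8-byte NVGRE header [RFC7637] and back, dropping anything whose identifier has no configured peer so that one tenant's traffic cannot leak into another network. It covers only the VXLAN/NVGRE leg and assumes the outer IP/UDP headers are already stripped; the class and function names, the VNI-to-VSID mapping, and the inner frame are constructed.

```python
# Added example (not from RFC 8151): header translation at a gateway between a
# VXLAN virtual network and an NVGRE virtual network of the same tenant.
import struct

VXLAN_FLAG_I = 0x08        # RFC 7348: flag marking the VNI field as valid
GRE_KEY_PRESENT = 0x2000   # RFC 7637: K bit set, C and S clear, version 0
GRE_PROTO_TEB = 0x6558     # Transparent Ethernet Bridging (inner Ethernet)
ID_MAX = (1 << 24) - 1     # VNI and VSID are both 24-bit identifiers


class DropPacket(Exception):
    """Raised when the gateway must discard a packet instead of forwarding it."""


def build_vxlan(vni, inner_frame):
    if not 0 <= vni <= ID_MAX:
        raise ValueError("VNI out of range")
    # flags (1 byte), 3 reserved bytes, VNI (3 bytes), 1 reserved byte
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + inner_frame


def parse_vxlan(packet):
    if len(packet) < 8:
        raise DropPacket("truncated VXLAN header")
    flags, word = struct.unpack("!B3xI", packet[:8])
    if not flags & VXLAN_FLAG_I:
        raise DropPacket("VXLAN I flag not set, VNI is not valid")
    return word >> 8, packet[8:]


def build_nvgre(vsid, flow_id, inner_frame):
    if not 0 <= vsid <= ID_MAX or not 0 <= flow_id <= 0xFF:
        raise ValueError("VSID or FlowID out of range")
    key = (vsid << 8) | flow_id   # GRE key field = VSID (24 bits) + FlowID (8)
    return struct.pack("!HHI", GRE_KEY_PRESENT, GRE_PROTO_TEB, key) + inner_frame


def parse_nvgre(packet):
    if len(packet) < 8:
        raise DropPacket("truncated NVGRE header")
    flags, proto, key = struct.unpack("!HHI", packet[:8])
    if flags != GRE_KEY_PRESENT or proto != GRE_PROTO_TEB:
        raise DropPacket("not an NVGRE header")
    return key >> 8, key & 0xFF, packet[8:]


class EncapGateway:
    """Hypothetical GW holding a one-to-one VNI <-> VSID map for tenant networks."""

    def __init__(self, vni_to_vsid):
        self._vni_to_vsid = dict(vni_to_vsid)
        self._vsid_to_vni = {v: k for k, v in self._vni_to_vsid.items()}
        if len(self._vsid_to_vni) != len(self._vni_to_vsid):
            raise ValueError("two VNIs map to one VSID; tenants would be merged")

    def vxlan_to_nvgre(self, packet):
        vni, inner = parse_vxlan(packet)
        vsid = self._vni_to_vsid.get(vni)
        if vsid is None:  # default drop: no mapping means no interconnection
            raise DropPacket(f"VNI {vni} has no NVGRE peer network")
        return build_nvgre(vsid, 0, inner)

    def nvgre_to_vxlan(self, packet):
        vsid, _flow_id, inner = parse_nvgre(packet)
        vni = self._vsid_to_vni.get(vsid)
        if vni is None:
            raise DropPacket(f"VSID {vsid} has no VXLAN peer network")
        return build_vxlan(vni, inner)


# Constructed inner Ethernet frame: dst MAC, src MAC, EtherType IPv4, payload.
INNER = bytes.fromhex("020000000002" "020000000001" "0800") + b"constructed payload"


def demo():
    gw = EncapGateway({5001: 7001})           # constructed identifier mapping
    nvgre = gw.vxlan_to_nvgre(build_vxlan(5001, INNER))
    return nvgre, gw.nvgre_to_vxlan(nvgre)


if __name__ == "__main__":
    out, back = demo()
    print(out[:8].hex(), back[:8].hex())
```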

4.2. DC Applications Spanning Multiple Physical Zones

A DC can be partitioned into multiple physical zones, with each zone having different access permissions and running different applications. For example, a three-tier zone design has a front zone (Web tier) with Web applications, a mid zone (application tier) where service applications such as credit payment or ticket booking run, and a back zone (database tier) with data. External users are only able to communicate with the Web application in the front zone; the back zone can only receive traffic from the application zone. In this case, communications between the zones must pass through one or more security functions in a physical DMZ zone. Each zone can be implemented by one NVO3 virtual network, and the security functions in the DMZ zone can be used between two NVO3 virtual networks, i.e., two zones. If network functions (NFs), especially the security functions in the physical DMZ, can't process encapsulated NVO3 traffic, the NVO3 tunnels have to be terminated for the NF to perform its processing on the application traffic.
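
One way to check a gateway's inter-VN permit rules against the zone constraints above, as an added example that is not part of RFC 8151: each rule is audited for the three conditions the text states (external users reach only the front zone, the back zone receives only from the application zone, inter-zone flows traverse DMZ security functions), and the NFs that force NVO3 tunnel termination are listed. The VN names, rule format, NF names, and capability flags are all hypothetical.

```python
# Added example (not from RFC 8151): audit of gateway inter-VN rules against the
# three-tier zone constraints in Section 4.2. All names are constructed.
from dataclasses import dataclass

EXTERNAL = "external"
ZONE_OF_VN = {"VN-web": "front", "VN-app": "mid", "VN-db": "back"}
# Hypothetical capability flags: can the DMZ function inspect encapsulated traffic?
NF_HANDLES_ENCAP = {"fw-a": False, "ids-b": True}


@dataclass(frozen=True)
class Rule:
    src: str          # source VN name, or EXTERNAL
    dst: str          # destination VN name
    via: tuple = ()   # DMZ security functions the flow is steered through


def audit_rule(rule, zone_of_vn=ZONE_OF_VN):
    """Return the list of constraint violations for one permit rule."""
    src_zone = EXTERNAL if rule.src == EXTERNAL else zone_of_vn.get(rule.src)
    dst_zone = zone_of_vn.get(rule.dst)
    if src_zone is None or dst_zone is None:
        return ["rule names a VN that is not assigned to any zone"]
    if src_zone == dst_zone:
        return []  # intra-zone traffic stays inside one virtual network
    problems = []
    if src_zone == EXTERNAL and dst_zone != "front":
        problems.append("external users may only reach the front zone")
    if dst_zone == "back" and src_zone != "mid":
        problems.append("back zone may only receive traffic from the mid zone")
    if not rule.via:
        problems.append("inter-zone flow bypasses the DMZ security functions")
    return problems


def audit(rules):
    """Map (src, dst) of every offending rule to its violations."""
    findings = {}
    for rule in rules:
        problems = audit_rule(rule)
        if problems:
            findings[(rule.src, rule.dst)] = problems
    return findings


def tunnel_termination_points(rule, nf_caps=NF_HANDLES_ENCAP):
    """NFs on the path before which the NVO3 tunnel has to be terminated."""
    return [nf for nf in rule.via if not nf_caps.get(nf, False)]


def permitted(src, dst, rules):
    """Default deny: a flow passes only if a matching rule has no findings."""
    return any(r.src == src and r.dst == dst and not audit_rule(r) for r in rules)


# Constructed rule set: three compliant rules and two that break the design.
RULES = [
    Rule(EXTERNAL, "VN-web", via=("fw-a",)),
    Rule("VN-web", "VN-app", via=("fw-a", "ids-b")),
    Rule("VN-app", "VN-db", via=("ids-b",)),
    Rule("VN-web", "VN-db", via=("fw-a",)),   # front zone straight to database
    Rule(EXTERNAL, "VN-app"),                 # skips front zone and the DMZ
]

if __name__ == "__main__":
    for flow, problems in audit(RULES).items():
        print(flow, problems)
    print(tunnel_termination_points(RULES[1]))
```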

4.3. Virtual Data Center (vDC)

An enterprise DC may deploy routers, switches, and network appliance devices to construct its internal network, DMZ, and external network access; it may have many servers and storage running various applications. With NVO3 technology, a DC provider can construct a vDC over its physical DC infrastructure and offer a vDC service to enterprise customers. A vDC at the DC provider site provides the same capability as the physical DC at a customer site. A customer manages its own applications running in its vDC. A DC provider can further offer different network service functions to the customer. The network service functions may include a firewall, DNS, LB, gateway, etc.

Figure 2 illustrates one such scenario at the service-abstraction level. In this example, the vDC contains several L2 VNs (L2VNx, L2VNy, L2VNz) to group the tenant systems together on a per-application basis, and one L3 VN (L3VNa) for the internal routing. A network firewall and gateway runs on a VM or server that connects to L3VNa and is used for inbound and outbound traffic processing. An LB is used in L2VNx. A VPN is also built between the gateway and enterprise router. An Enterprise customer runs Web/Mail/Voice applications on VMs within the vDC. The users at the Enterprise site access the applications running in the vDC via the VPN; Internet users access these applications via the gateway/firewall at the DC provider site.

                Internet                    ^ Internet
                                            |
                   ^                     +--+---+
                   |                     |  GW  |
                   |                     +--+---+
                   |                        |
           +-------+--------+            +--+---+
           |Firewall/Gateway+--- VPN-----+router|
           +-------+--------+            +-+--+-+
                   |                       |  |
                ...+....                   |..|
       +-------: L3 VNa :---------+        LANs
     +-+-+      ........          |
     |LB |          |             |     Enterprise Site
     +-+-+          |             |
    ...+...      ...+...       ...+...
   : L2VNx :    : L2VNy :     : L2VNz :
    .......      .......       .......
      |..|         |..|          |..|
      |  |         |  |          |  |
    Web App.     Mail App.      VoIP App.
        
DC Provider Site

Figure 2: Virtual Data Center Abstraction View

The enterprise customer decides which applications should be accessible only via the intranet and which should be accessible via both the intranet and Internet, and it configures the proper security policy and gateway function at the firewall/gateway. Furthermore, an enterprise customer may want multi-zones in a vDC (see Section 4.2) for security and/or the ability to set different QoS levels for the different applications.

The vDC use case requires an NVO3 solution to provide DC operators with an easy and quick way to create an NVO3 virtual network and NVEs for any vDC design, to allocate TSs and assign them to the corresponding NVO3 virtual network, and to illustrate the vDC topology and manage/configure individual elements in the vDC in a secure way.

5. Summary

This document describes some general NVO3 use cases in DCs. The combination of these cases will give operators the flexibility and capability to design more sophisticated support for various cloud applications.

DC services may vary. NVO3 virtual networks make it possible to scale to a large number of virtual networks in a DC and ensure that the network infrastructure is not impacted by the number of VMs and dynamic workload changes in a DC.

NVO3 uses tunnel techniques to deliver NVO3 traffic over the DC physical infrastructure network. A tunnel encapsulation protocol is necessary. An NVO3 tunnel may, in turn, be tunneled over other intermediate tunnels over the Internet or other WANs.

An NVO3 virtual network in a DC may be accessed by external users in a secure way. Many existing technologies can help achieve this.

6. Security Considerations

Security is a concern. DC operators need to provide a tenant with a secured virtual network, which means one tenant's traffic is isolated from other tenants' traffic and is not leaked to the underlay networks. Tenants are vulnerable to observation and data modification/injection by the operator of the underlay and should only use operators they trust. DC operators also need to prevent a tenant application from attacking their underlay DC networks; further, they need to protect tenant applications from attacks by another tenant's application via the DC infrastructure network. For example, a tenant application may attempt to generate a large volume of traffic to overload the DC's underlying network. This can be prevented by limiting the bandwidth of such communications.
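The bandwidth-limiting mitigation described above can be sketched as a per-virtual-network token-bucket policer applied at NVE ingress, before encapsulation. This is an added example, not text or code from the RFC; the class names, the VN identifiers 100 and 200, the rate and burst values, and the drop-on-unknown-VN rule are assumptions of the example.

```python
from dataclasses import dataclass, field

@dataclass
class TokenBucket:
    rate: float                      # sustained rate, bytes per second
    burst: float                     # bucket depth, bytes
    tokens: float = field(init=False)
    last: float = 0.0                # time of the previous refill, seconds

    def __post_init__(self):
        self.tokens = self.burst     # start with a full bucket

    def allow(self, size, now):
        # Refill for the elapsed time, never beyond the configured burst.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

class NvePolicer:
    """Hypothetical per-VN policer run by an NVE before it encapsulates a frame."""
    def __init__(self, limits):
        self.buckets = {vn: TokenBucket(r, b) for vn, (r, b) in limits.items()}
        self.sent = {vn: 0 for vn in limits}
        self.dropped = {vn: 0 for vn in limits}

    def ingress(self, vn_id, size, now):
        bucket = self.buckets.get(vn_id)
        if bucket is None:
            return False             # assumption: no VN mapping means no forwarding
        if bucket.allow(size, now):
            self.sent[vn_id] += size
            return True
        self.dropped[vn_id] += size  # excess never reaches the underlay
        return False

def simulate():
    # Constructed scenario: both VNs get 1 MB/s with a 150 kB burst.
    p = NvePolicer({100: (1_000_000, 150_000), 200: (1_000_000, 150_000)})
    for ms in range(1000):           # one simulated second
        now = ms / 1000.0
        for _ in range(10):          # VN 100 offers 15 MB/s (flooding tenant)
            p.ingress(100, 1500, now)
        if ms % 10 == 0:             # VN 200 offers 150 kB/s (normal tenant)
            p.ingress(200, 1500, now)
    return p
```

Because each virtual network has its own bucket, the flooding tenant is held to its configured rate plus burst while the other tenant's traffic is admitted in full.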

7. IANA Considerations

This document does not require any IANA actions.

8. Informative References

[IEEE802.1Q] IEEE, "IEEE Standard for Local and metropolitan area networks -- Media Access Control (MAC) Bridges and Virtual Bridged Local Area Networks", IEEE Std 802.1Q-2011, DOI 10.1109/IEEESTD.2011.6009146.

[NVO3MCAST] Ghanwani, A., Dunbar, L., McBride, M., Bannai, V., and R. Krishnan, "A Framework for Multicast in Network Virtualization Overlays", Work in Progress, draft-ietf-nvo3-mcast-framework-07, May 2016.

[RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987, <http://www.rfc-editor.org/info/rfc1035>.

[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, DOI 10.17487/RFC3022, January 2001, <http://www.rfc-editor.org/info/rfc3022>.

[RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 2005, <http://www.rfc-editor.org/info/rfc4301>.

[RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February 2006, <http://www.rfc-editor.org/info/rfc4364>.

[RFC7348] Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger, L., Sridhar, T., Bursell, M., and C. Wright, "Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks", RFC 7348, DOI 10.17487/RFC7348, August 2014, <http://www.rfc-editor.org/info/rfc7348>.

[RFC7364] Narten, T., Ed., Gray, E., Ed., Black, D., Fang, L., Kreeger, L., and M. Napierala, "Problem Statement: Overlays for Network Virtualization", RFC 7364, DOI 10.17487/RFC7364, October 2014, <http://www.rfc-editor.org/info/rfc7364>.

[RFC7365] Lasserre, M., Balus, F., Morin, T., Bitar, N., and Y. Rekhter, "Framework for Data Center (DC) Network Virtualization", RFC 7365, DOI 10.17487/RFC7365, October 2014, <http://www.rfc-editor.org/info/rfc7365>.

[RFC7432] Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A., Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February 2015, <http://www.rfc-editor.org/info/rfc7432>.

[RFC7637] Garg, P., Ed., and Y. Wang, Ed., "NVGRE: Network Virtualization Using Generic Routing Encapsulation", RFC 7637, DOI 10.17487/RFC7637, September 2015, <http://www.rfc-editor.org/info/rfc7637>.

[RFC8014] Black, D., Hudson, J., Kreeger, L., Lasserre, M., and T. Narten, "An Architecture for Data-Center Network Virtualization over Layer 3 (NVO3)", RFC 8014, DOI 10.17487/RFC8014, December 2016, <http://www.rfc-editor.org/info/rfc8014>.

[VRF-LITE] Cisco, "Configuring VRF-lite", <http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/31sg/configuration/guide/conf/vrf.pdf>.

Acknowledgements

The authors would like to thank Sue Hares, Young Lee, David Black, Pedro Marques, Mike McBride, David McDysan, Randy Bush, Uma Chunduri, Eric Gray, David Allan, Joe Touch, Olufemi Komolafe, Matthew Bocci, and Alia Atlas for the reviews, comments, and suggestions.

Contributors

David Black Dell EMC 176 South Street Hopkinton, MA 01748 United States of America

   Email: David.Black@dell.com
        

Vinay Bannai PayPal 2211 N. First Street San Jose, CA 95131 United States of America

   Phone: +1-408-967-7784
   Email: vbannai@paypal.com
        

Ram Krishnan Brocade Communications San Jose, CA 95134 United States of America

   Phone: +1-408-406-7890
   Email: ramk@brocade.com
        

Kieran Milne Juniper Networks 1133 Innovation Way Sunnyvale, CA 94089 United States of America

   Phone: +1-408-745-2000
   Email: kmilne@juniper.net
        

Authors' Addresses

Lucy Yong Huawei Technologies Phone: +1-918-808-1918

   Email: lucy.yong@huawei.com
        

Linda Dunbar Huawei Technologies, 5340 Legacy Drive Plano, TX 75025 United States of America

   Phone: +1-469-277-5840
   Email: linda.dunbar@huawei.com
        

Mehmet Toy Verizon

   Email: mehmet.toy@verizon.com
        

Aldrin Isaac Juniper Networks 1133 Innovation Way Sunnyvale, CA 94089 United States of America

   Email: aldrin.isaac@gmail.com
        

Vishwas Manral Nano Sec Co 3350 Thomas Rd. Santa Clara, CA United States of America

   Email: vishwas@nanosec.io
        