I2RS overlay use case
draft-hu-i2rs-overlay-use-case-05.txt

Abstract

This document proposes an overlay network use case for interface to routing system (I2RS). The forwarding routers network is assumed to be an overlay structure. There are two types of forwarding routers: Edge Router(ER) and Core Routers(CR). Edge Router encapsulates format data based on the tunnel type, which are established among Edge Routers. Core Router would be very simple and cheap. CRs focus on the encapsulation data forwarding. In order to reduce the overall ER costs, the use of network virtualization is proposed in this document.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on July 30, 2015.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

• 1. Introduction
• 2. Overlay Network Structure
• 2.1. Overview
• 2.2. The Benefit of Overlay Network Structure
• 2.3. Core Router Requirements
• 2.4. Edge Router Requirement
• 3. MPLS Tunnel automatic configuration
• 4. Security Alliance among ER
• 5. Network Virtualization(NV)
• 5.1. Benefits of Network Virtualization
• 5.2. Applications and Requirements
• 5.3. Network Virtualization
• 6. Security Considerations
• 7. IANA Considerations
• 8. Normative References
• Authors' Addresses

1. Introduction

The hierarchical structure of current Internet core has remained largely unchanged since its invention. In the face of growing traffic, service providers must keep investing in larger and faster routers and links, especially in the core part of Internet, even though revenues are growing relatively slowly in that segment.

It is necessary to develop and deploy new structure in order to maintain a steady growth of the core without significantly increasing the expenses. In addition, as modern networks grow in scale and complexity, the need for rapid and dynamic control increases. I2RS ([I2RS-FRM]) provides a new routing system framework to meet these requirements. There is a programmable interface for the forwarding router. All the forwarding routers should support the I2RS agent to communicate with controllers. The forwarding routers gather the traffic and topology information, report to the controllers, and receive the forwarding policy from controllers.

Besides the idea of programmable and open interface, another key feature is forwarding plane and control plane separation in the I2RS in addition to using the concept of software defined networking. Some of the control and computing function could be separation from traditional routers. By this way, We could reduce the cost of core forwarding device. This document proposes an overlay network structure based on the I2RS framework. We hope that the service and data encapsulation are all done in the routers of the edge of network, and the routers in the core part are only focus on MPLS data forwarding. The RIB table of the routers in core part could only store very few IP routing record for management. In this way, the expensive TCAM chip for routers in the core part could be replaced by cheap ASIC chip, and the cost would be reduced significantly. The full mesh tunnel is required for the edge Routers. The forwarding routers in the overlay network are divided into two types based on the roles in the network: CR(Core Router) and ER(Edge Router). The Edge Routers encapsulate the forwarding data based on the tunnel type, gather topology information, and report traffic to the controller, while Core Routers would be MPLS switches actually, and focus on fast MPLS data forwarding and receive only policy related information(metadata)from the controller.

2. Overlay Network Structure

2.1. Overview

           +--------+                                     +--------+ 
           | Edge   +--+                              +---| Edge   | 
           | Router |  |                              |   | Router | 
           +--------+  |                              |   +--------+ 
                       |  +------+           +------+ |        
                       |  | Core |           |Core  | |   
                       +--|Router|---------- |Router|-+ 
                          +------+           +------+ 
                          /                       \    
                         /                         \     
           +--------+   /    physical topology      \     +--------+ 
           | Edge   |--+                             +----| Edge   |
           | Router |                                     | Router |
           +--------+                                     +--------+
 ===================================================================
           +--------+                                    +--------+ 
           | Edge   |--+                            +----| Edge   | 
           | Router |  |                            |    | Router | 
           +--------+  |    ...................     |    +--------+ 
                       |    .                 .     |
                       |    .  *          *   .     |
                       +----.   *        *    .-----+
                           /.    *      *     .
                          / .      *   *      .  
                         /  .Overlay * Tunnel . 
           +--------+   /   .       *  *      .-----+    +--------+
           | Edge   +--+    .     *      *    .     |    | Edge   |
           | Router |       .    *        *   .     +----| Router |
           +--------+       ...*............*..          +--------+
                             Logical  Tunnel
 
                         Figure 1: An Overlay Structure.
            

The overlay structure is as shown in Figure 1. The upper half part of the Figure shows a physical network. The Edge Routers are located in the edge of the overlay network, and are logically connected through Core Routers. The services and data encapsulation are done in the edge routers. The Core Routers(MPLS Switches) are very simple and focus on the MPLS data forwarding according to the label forwarding table, and may not perceive any distinction among the tunnels to/from Edge Routers.

The lower half of the Figure shows a logical tunnel network. All the Edge Routers are connected via a logical-full mesh tunnel-based connection among them. The tunnel could be an MPLS tunnel. Edge Router encapsulates/decapsulates MPLS data.

2.2. The Benefit of Overlay Network Structure

(1)

Lower cost for Core Routers: For the Core Router, it is not required to compute route, and distribute protocol signal. The Core Routers only store the equipment IP prefix, and do not store user IP prefix any more. The RIB and FIB table for core Router are very small. The size routing tables in the Core Routers does not increase and remains stable with the growth of the numbers of users.

(2)

Improved network security: The overlay network structure improves network security by splitting(and hence isolating)the provider equipment and user station. The attacks from hacker to core routers would therefore be separated by the edge routers.

(3)

Support of network virtualization: Some of the control and computing function could be separated from Edge Router and be done by the controller. The edge router in the future could be a simple hardware platform. The service, policy, and other control functions, such as route computing, signal distribution can be furnished by physical/virtual servers. The network virtualization for Edge Router is discussed in section 3.

2.3. Core Router Requirements

The Core Router performs the following functions:

(1)

Core Routers mainly focus on fast forwarding encapsulated data.

(2)

The control plane is very simple. It announces and floods the topology information.

(3)

For compatibility reasons, Route computation may be needed, but is not absolutely necessary.

2.4. Edge Router Requirement

The edge Router performs the following functions:

(1)

Access and resources management: Edge Routers support user Access authentication, authorization, and resource control and management. When there is new user access network, the edge router support user access authentication, authorization. If the subscriber is legal and registered, he/she should should pass the access authentication and authorization tests.

(2)

Encapsulation data and tunnel type decision: Edge Router negotiates with the peer Edge router based on the service traffic through controller, and encapsulates the original data traffic.

(3)

Topology management:Edge Router gathers the network topology information and reports the topology to the controller. When the topology changes, the edge router reports the changes as well.

(4)

Policy management: Edge Router identifies the policy from The I2RS Commissioner([I2RS-FRM]).

(5)

Service management: Edge Routers should identify the services and perform the appropriate encapsulation.

(6)

Route and signal protocol management: Edge Router computes route based on the topology information received from other edge router and core router.

(7)

Tunnel control and management: Edge Routers manage and maintain tunnel information. All of the edge routers are connected over logical full-mesh based tunnel network.

(8)

Traffic analysis and reporting: Edge router monitors the data traffic, and reports the traffic updates/changes.

3. MPLS Tunnel automatic configuration

The MPLS tunnel among the ERs(Edge Routers) could be automatically configured and established according to the clients' requirements and information. The procedure is as following: The controller (I2RS clients) receives the VPN information from Edge Router through the programmable interface of I2RS Agent. The VPN information includes VPN Table ID, and table item. The table item is composed of the following parameters: item key value, exit interface, VPN identifies, VPN forwarding identifies, Master/Slave flag, load balance flag, keep alive time, etc.

The item key value is the packet destination address. For example, if the packet is encapsulated as L2VPN, the item key value is MAC address, while if the packet is encapsulated as L3VPN,the item key value is IP address.

Exit interface is the VPN binding interface or local device identifier when it is the VPN information sent from I2RS Agent to I2RS Client. If the VPN information is sent from I2RS Client to SR/CR through I2RS agent interface, the exit interface is the remote SR/CR identifier or the local tunnel ID, which indicates the end to end connection from network management (I2RS Client) to CR/ER(I2RS Agent).

VPN identifier is used to identify the unique global VPN in the area.

VPN Table ID is the index of VPN user information item.

VPN forwarding identifier is used to identify the forwarding data plane packet. Generally, it is the MPLS label.

Master/salve flag indicates the optimal and backup path, which could be used as path protection or traffic engineering.

Load balance flag indicates multiple next hop for the forwarding identifier, which is used for load balance.

Keep alive time indicates the alive time for the item.

Network management collects all of the VPN user information, and computes the forwarding path and Unified policy based on it. Then it downloads the forwarding information to each ER/SR through I2RS Agent interface.

4. Security Alliance among ER

In the overlay network structure, the ER are full mesh. This session provides a solution to setup SA(security Alliance) among ERs. The security parameter negotiation could be finished through I2RS Client.

As an example, let us consider the following figure(Figure 2).

 
			
                       +--------------+
                       |              |
                     . | Controller   |.
                    /  |              | \  
                   .   +--------------+  .
     =============/=======================\==================
                 .     ...........         . 
                /      .         .          \
        +------+       . Overlay .        +------+
        |      +-------.         .--------|      |
        | ER1  |       . Tunnel  .        | ER2  |
        +------+       ...........        +------+
		
Figure 2: Controlled Security Alliance among Edge Routers in a Virtualized  Network Environment.
           

As shown in Figure 2, ER1 and ER2 need to establish SA(security Alliance), and adopt IPSec as the security transport channel.

(1)

ER1 and ER2 connect to the controller(I2RS Client) via logical tunnels, and the controller download the IPSec SA parameters to them. The parameters include: VPN Type(for example IPSec, L2VPN etc.), direction of AS(export or import), address family(IPv4 or IPv6), encapsulation mode, encapsulation protocol(AH or ESP), authentication algorithm (MD5 or SHA), ESP algorithm mode(Encryption or compression algorithm), Encryption mode, SA lifetime type, SA index, destination IP address of IPSec, Source IP address of IPSec, Secret key, Security parameter index information(SPI), and Access control list(ACL) configuration.

(2)

ER1 and ER2 then establish IPSec security channel respectively. They negotiate the IPSec parameter with controller through IKE protocol. By this way, the ERs and controller establish a security and reliable connection link.

(3)

The controller downloads the necessary parameters to the ERs through network routing protocol(such as BGP) or Netconf protocol.

(4)

ERs receives the packets with required parameters from the controller(I2RS Client), and decryption the packets, then write the IPSec parameters to SD table.

(5)

The Security alliance between ER1 and ER2 is thereby established.

(6)

When the Security alliance is expired, controller re-computes the secret key, and restarts the above steps in order to re-establish the security alliance.

5. Network Virtualization(NV)

5.1. Benefits of Network Virtualization

(1)

NV reduces ER complexity and equipment costs.

(2)

NV allows flexibility and rapid deployment of new services; services can also be quickly scaled up/down based on demands.

(3)

NV offers seamless support of scalability and reliability

(4)

NV allows flexibility and simplicity of function combination, for co-existence with hardware based network platform. An ER could be utilized both as BRAS, Firewall, or NAT equipment on the same hardware platform.

5.2. Applications and Requirements

(1)

Tunnel gateway elements: IPSec/SSL VPN gateway.

(2)

Traffic analytics: DPI, QoS measurement, SLA agent.

(3)

Converged and network-wide functions: AAA Server, policy control and charging platform.

(4)

Security function: Firewalls, virus scanners, instruction detection and prevention systems.

5.3. Network Virtualization

Edge routers can support network virtualization. An ER can be a hardware based platform, and the other necessary adjunct functions can be supported via separate servers. A programmable interface between functional server and edge router can be used to support this paradigm. When there is new service, it is required to add a new server to support that service, and there may only be minimal or no changes required to the edge routers, as shown in Figure 3.

+--------------------+                        +-------------------+
| +------+  +------+ |                        | +------+ +------+ |
| |DPI   |  |NAT   | |                        | |DPI   | |NAT   | |
| |Server|  |Server| |                        | |Server| |Server| |
| +------+  +------+ |                        | +------+ +------+ |
|       +------+     |                        |      +------+     |
|       | QOS  |     |                        |      | QOS  |     |
|       |Server|     |                        |      |Server|     |
|       +------+     |                        |      +------+     |
+-----+--------------+    virtualization      +---------------+---+
======|=======================================================|====
      .                                                       .
      |  +------------------------------------------------+   . 
      .  |   +--------+                       +-------+   |   |
      |- +-->| Edge   |                       | Edge  |<--+---. 
      .  |   | Router |                       | Router|   |   |
      |  |   +--------+                       +-------+   |   .
      .  |               Overlay Network                  |   |
      |  |            +-------+     +-------+             |   . 
      .  |            | Core  |-----| Core  |             |   |
      |  |            | Router|     | Router|             |   .
      .  |            +-------+     +-------+             |   | 
      |  |                                                |   .
      .  |  +--------+                        +-------+   |   |
      +--+->| Edge   +                        | Edge  |<--+---+
         |  | Router |                        | Router|   |      
         |  +--------+                        +-------+   |       
         +------------------------------------------------+
		 
		       Figure 3: Network Virtualization Example. 
      

6. Security Considerations

TBD

7. IANA Considerations

TBD

8. Normative References

Authors' Addresses