Internet DRAFT - draft-carpenter-nvo3-addressing
draft-carpenter-nvo3-addressing
NVO3 B. Carpenter
Internet-Draft Univ. of Auckland
Intended status: Informational S. Jiang
Expires: January 5, 2013 Huawei Technologies Co., Ltd
July 4, 2012
Layer 3 Addressing Considerations for Network Virtualization Overlays
draft-carpenter-nvo3-addressing-00
Abstract
This document discusses network layer addressing issues for virtual
network overlays in large scale data centres hosting many virtual
servers for multiple customers.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 5, 2013.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Carpenter & Jiang Expires January 5, 2013 [Page 1]
�
Internet-Draft NVO3 Addresssing July 2012
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Aspects of addressing in virtual overlay networks . . . . . . . 3
2.1. Address Independence and Isolation . . . . . . . . . . . . 3
2.2. Multiple Data Centres . . . . . . . . . . . . . . . . . . . 4
2.3. Address mapping . . . . . . . . . . . . . . . . . . . . . . 4
2.4. Address migration . . . . . . . . . . . . . . . . . . . . . 5
2.5. DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.6. Dual Stack Operation . . . . . . . . . . . . . . . . . . . 6
3. Consequences for IPv4 address management . . . . . . . . . . . 6
4. Consequences for IPv6 address management . . . . . . . . . . . 7
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8
8. Change log [RFC Editor: Please remove] . . . . . . . . . . . . 8
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
9.1. Normative References . . . . . . . . . . . . . . . . . . . 8
9.2. Informative References . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9
Carpenter & Jiang Expires January 5, 2013 [Page 2]
�
Internet-Draft NVO3 Addresssing July 2012
1. Introduction
A common technique in large data centres hosting servers and services
for many customers is to use virtual layer 3 network overlays (NVO3)
to organise, manage and separate the virtual servers used by
individual customers. The related problems are discussed in
[I-D.narten-nvo3-overlay-problem-statement], and a framework for the
main components of a solution is described in
[I-D.lasserre-nvo3-framework].
[Note: In this draft we do not yet give detailed references to the
various NVO3 drafts, none of which discuss addressing issues in
detail.]
When emulating a large number of virtual hosts on whatever physical
network topology is used, probably involving multiple LAN segments,
virtual LANs at layer2, and both routers and switches, the question
of the IP addressing scheme for the virtual hosts is not trivial.
The intention of the present document is to describe the resulting
consequences for IP address management in such an environment.
Firstly the general aspects are discussed, and then the consequences
for both IPv4 and IPv6 addressing schemes are described.
2. Aspects of addressing in virtual overlay networks
2.1. Address Independence and Isolation
In a typical hosting centre, there will be a number of customers, who
are quite possibly mutual competitors who happen to use the same
hosting centre. It is essential that virtual hosts assigned to one
customer cannot communicate directly with, or even be aware of,
virtual hosts assigned to any other customer. It is also essential
that virtual networks are operationally independent to the maximum
possible extent.
Therefore, to simplify operations by clearly separating independent
virtual networks (VNs) from one another, and to enhance both real and
perceived confidentiality of each network, it is desirable for the
addresses used by each virtual layer 3 network to be allocated and
managed independently of all the others. A consequence of this is
that it becomes reasonably straightforward to configure layer 3
routing such that traffic from one VN can never unintentionally enter
another one, because each network has its own well defined range of
addresses. Similarly, it is also reasonably straightforward to
configure firewalls or filters to detect and block any unwanted
traffic between VNs, even if there is a routing misconfiguration.
Carpenter & Jiang Expires January 5, 2013 [Page 3]
�
Internet-Draft NVO3 Addresssing July 2012
For these reasons alone, it is necessary for each VN to have its own
well-defined layer 3 address space that is managed independently of
all other VNs. This requirement is independent of whether the
physical hosts that contain the virtual hosts are on one or more
physical or bridged LANs or VLANs. In other words, once the layer 3
topology is virtualised, layer 2 address independence and isolation
is neither necessary nor sufficient to guarantee layer 3 address
independence and isolation.
It should be understood that independent address allocation does not
imply unique addresses. In the IPv4 context, as further discussed
below, it is very likely that multiple VNs will use the same
ambiguous address space, running over the same physical network
infrastructure.
2.2. Multiple Data Centres
A given customer might have virtual hosts spread across multiple data
centres (DCs). Furthermore, those data centres might be owned and
operated by competing enterprises. The only safe assumption is that
a single address range cannot span multiple DCs, and that a virtual
host being relocated to another DC might need to be renumbered. The
addressing scheme for virtual hosts must be compatible with such a
situation. Most likely this means extending the requirement for
address independence and isolation to cover separate parts of a given
customer's total set of virtual servers. In other words the usage
scenario for any given customer must be able to deal with virtual
hosts in multiple independent and mutually isolated layer 3 address
spaces, and with the risk of occasional virtual host renumbering.
This complicates the issues of routing configuration and address
filtering. If a VN extends over multiple DCs, VN routing across DC
borders must be supported for the address ranges concerned, and
address filtering must also be applied in a consistent way at each DC
hosting part of a given VN.
2.3. Address mapping
Several of the NVO3 documents state the need for an address mapping
scheme. Some aspects of this are discussed in
[I-D.kreeger-nvo3-overlay-cp]. It is generally assumed that an NVO3
system will be built using tunnels, and the required mapping is
between virtual host addresses and tunnel end points. The addressing
scheme for virtual hosts needs to be consistent with the mapping
system adopted and whatever dynamic update protocol is used for that
mapping.
In the case of a VN that covers multiple DCs, the mapping scheme must
Carpenter & Jiang Expires January 5, 2013 [Page 4]
�
Internet-Draft NVO3 Addresssing July 2012
also support multiple DCs. The mapping update protocol will need to
exchange mapping information between tunnel endpoints at all DCs
involved. This information needs to be specified in some detail, and
it must be decided whether this protocol needs to be run per VN or
per DC, how this protocol decides which DCs it should talk with, etc.
2.4. Address migration
As discussed in [I-D.narten-nvo3-overlay-problem-statement], current
virtual host mechanisms assume that a host's IP address is fixed. If
a workload is migrated from one physical host to another, the
migration mechanisms assume that existing transport layer
associations such as TCP sessions stay alive, and the succesful
migration of a job in progress relies on this.
As workload conditions change in a large data centre, virtual hosts
may need to be migrated from one physical host to another, and quite
possibly this will mean moving to a different physical LAN. However,
the virtual host address itself should remain constant as just
mentioned. The addressing scheme adopted needs to be consistent with
this requirement. Another way to view this is as an inverted form of
renumbering - instead of the address of a given host changing, a
given address is reassigned to a different physical host, thereby
representing the move of a given virtual host.
When such a move occurs, there will normally be changes in both the
layer 2/layer 3 mapping (given by ARP, Neighbour Discovery, etc.) and
the virtual host address to tunnel mapping mentioned above. However,
an address which is moved in this way should still remain part of the
same aggregate for routing purposes. Otherwise, an immediate change
to the routing configuration will be needed as well.
As mentioned above, if a virtual host needs to be migrated between
DCs, it might be unavoidable for its virtual address to change. In
this case an application layer mechanism will be needed to recover
from the resulting loss of transport layer sessions.
2.5. DNS
A Domain Name Service, which resolves queries for hostnames into IP
addresses, can reduce the direct dependence of customer applications
on IP addresses. If a virtual host is always connected using its
hostname, the renumbering issue during inter-DC migrations, mentioned
in previous section, would be significantly mitigated. However, this
would imply a need for rapid DNS updates.
Carpenter & Jiang Expires January 5, 2013 [Page 5]
�
Internet-Draft NVO3 Addresssing July 2012
2.6. Dual Stack Operation
In the case of a dual stack deployment, where each virtual host has
both an IPv4 and an IPv6 address, there will presumably be some sort
of interdependency of the two addressing schemes. At least, the
virtual subnet topologies would usually be the same for the two
addressing schemes, and virtual hosts would need to migrate
simultaneously for IPv4 and IPv6 purposes. If this was not the case,
scenarios requiring IPv4/IPv6 interworking might arise unexpectedly,
which would be inconvenient and inefficient. A particular case would
be the migration of a virtual host between two DCs, one of which
supports dual stack and the other of which supports only a single
stack.
In general, these situations would require a layer 3 IPv4/IPv6
translator within a VN. This solution should be avoided if possible.
3. Consequences for IPv4 address management
In IPv4, it must be assumed that in many if not most cases, the
virtual hosts will be numbered out of ambiguous private address space
[RFC1918]. The only safe assumption for a general model is that any
individual VN may use the same address space as any other. This
increases the importance of the requirements for address isolation,
independence and mapping. In fact, without address mapping (and in
some scenarios network address translation) a large scale IPv4 NVO3
system could not be made to work.
Since the IPv4 addresses in use will be ambiguous, management tools
must be carefully designed so that operators will never need to rely
on addresses alone to identify individual servers. For example, when
an address is presented to an operator for any reason, it should
always be tagged with some sort of VN identifier. The same goes for
any place that an address is logged or stored for any other reason.
Legacy software and tools that do not do this should be avoided as
much as possible.
An interesting aspect of using, say, Net 10 for every VN instance is
that the number of virtual hosts can be quite large, up to 2**24 (in
excess of 16 million). This frees the designer from traditional
limits on the size of an IPv4 subnet.
An unavoidable consequence of using RFC1918 addresses is that the
virtual hosts, if accessed by outside users, will be hidden behind
either an application layer proxy or a NAT. In both cases these
might be part of a load balancing system.
Carpenter & Jiang Expires January 5, 2013 [Page 6]
�
Internet-Draft NVO3 Addresssing July 2012
4. Consequences for IPv6 address management
In IPv6, there is no concept of ambiguous private space. Each VN can
have its own global-scope address prefix. This removes the
operational problems casued by ambiguous addresses in IPv4.
Even a basic /64 prefix would allow for more virtual host addresses
than would ever be possible in IPv4, so again the designer is not
restricted by any absolute limit on subnet size. Nevertheless, it is
advisable to use a shorter prefix such as /48 or /56 for each VN, so
that a VN can span more than one LAN using standard IPv6 routing
without difficulty. It is unclear that tunnels and address mapping
are needed for IPv6-based VNs, due to the absence of ambiguous
addresses.
A choice can be made between a regular IPv6 prefix from the
customer's own IPv6 space or from ISP-assigned space, and a Unique
Local Address prefix [RFC4193], [I-D.liu-v6ops-ula-usage-analysis].
The latter has the advantage of needing no administrative procedure
before assigning it, and it is also routinely blocked by site and ISP
border routers, like an RFC1918 prefix. However, apart from that the
choice of IPv6 prefix has little external importance and is mainly a
matter of convenience.
There is no requirement for IPv6 prefix translation [RFC6296] between
the virtual hosts and any outside users. However, the presence of
such translation, or of some form of load balancing, cannot be
excluded.
5. Security Considerations
Routing configurations and filters in firewalls and routers should be
constructed such that, by default, packets from virtual hosts in one
VN cannot be forwarded into another VN. Traffic to and from a given
VN should only be allowed for the designated users of that VN, and
for the VN management and operations tools.
An independent and isolated addressing scheme is not by itself a
security solution. While it might avoid the most trivial and
straightforward penetration attempts, it is in no way a substitute
for a security solution that responds to specific threat models in
the NVO3 situation.
6. IANA Considerations
This document requests no action by IANA.
Carpenter & Jiang Expires January 5, 2013 [Page 7]
�
Internet-Draft NVO3 Addresssing July 2012
7. Acknowledgements
Valuable comments and contributions were made by ... and others.
This document was produced using the xml2rfc tool [RFC2629].
8. Change log [RFC Editor: Please remove]
draft-carpenter-nvo3-addressing-00: original version, 2012-07-04.
9. References
9.1. Normative References
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, February 1996.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998.
[RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
Addresses", RFC 4193, October 2005.
9.2. Informative References
[I-D.kreeger-nvo3-overlay-cp]
Black, D., Dutt, D., Kreeger, L., Sridhavan, M., and T.
Narten, "Network Virtualization Overlay Control Protocol
Requirements", draft-kreeger-nvo3-overlay-cp-00 (work in
progress), January 2012.
[I-D.lasserre-nvo3-framework]
Lasserre, M., Balus, F., Morin, T., Bitar, N., and Y.
Rekhter, "Framework for DC Network Virtualization",
draft-lasserre-nvo3-framework-02 (work in progress),
June 2012.
[I-D.liu-v6ops-ula-usage-analysis]
Liu, B., Jiang, S., and C. Byrne, "Analysis and
recommendation for the ULA usage",
draft-liu-v6ops-ula-usage-analysis-02 (work in progress),
March 2012.
[I-D.narten-nvo3-overlay-problem-statement]
Narten, T., Sridhavan, M., Dutt, D., Black, D., and L.
Carpenter & Jiang Expires January 5, 2013 [Page 8]
�
Internet-Draft NVO3 Addresssing July 2012
Kreeger, "Problem Statement: Overlays for Network
Virtualization",
draft-narten-nvo3-overlay-problem-statement-02 (work in
progress), June 2012.
[RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
June 1999.
[RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
Translation", RFC 6296, June 2011.
Authors' Addresses
Brian Carpenter
Department of Computer Science
University of Auckland
PB 92019
Auckland, 1142
New Zealand
Email: brian.e.carpenter@gmail.com
Sheng Jiang
Huawei Technologies Co., Ltd
Q14, Huawei Campus
No.156 Beiqing Road
Hai-Dian District, Beijing 100095
P.R. China
Email: jiangsheng@huawei.com
Carpenter & Jiang Expires January 5, 2013 [Page 9]
�
