VPN Extension Requirements for Private Clouds
draft-so-vepc-00.txt

Description of Today's Cloud Infrastructure
• Three components make up the Cloud infrastructure
  – Data center, network (LAN/MAN/WAN), and the end user
• Multiple Cloud-based products and services are being offered across multiple data centers globally
  – Data centers are multi-tenant in nature and can be operated by a single Cloud Service Provider or by an independent 3rd party
  – The application (VM) can be mobile
• The networks can be layer 2 and layer 3 IP/MPLS (VPN and non-VPN) networks, and layer 1 private line/OTN/MPLS-TP based networks
  – Selection of the network of choice is possible
• The users can be wireline and wireless with various access technologies
  – Users are mobile, and switching between wireless and wireline is possible

Problem Areas
The problem areas that this situation can cause Cloud Service Providers, especially for existing VPN customers
  – Private Cloud Customer End to End Separation
  – Private Cloud Resource Virtualization
  – Private Cloud Services Restoration
Other Non-VPN Specific Areas
  – Cloud Traffic Load-Balancing and Congestion Avoidance
  – QoS Synchronization
  – Cross Layer Optimization
  – Automation of end-to-end Configuration
  – End-to-End Quality of Experience
  – OAM Considerations
  – Cloud Security

Private Cloud Customer End to End Separation
• Today the data center segregates customer traffic at layer 7 (application), and there is no standard for extending the VPN into the data center.
  – The success of VPN services in the enterprise and government world is largely due to their ability to virtually segregate customer traffic at layer 2 and layer 3
  – The lower the layer at which segregation can be maintained, the safer it is for customers from a security and privacy perspective
• The Cloud application (or the virtualization function) should have the ability to get access to the VPN (including Layer 2/3 VPN), to segregate the traffic of different Cloud services through the network.
• Very high level example solutions are provided to illustrate solution-specific requirements

Private Cloud Resource Virtualization
• Today data center virtualization is handled entirely by data center servers and hypervisors.
  – Application server and VM allocation and assignment
  – Disk and memory space allocation
  – Traffic loading and balancing
  – QoS assignments, etc.
• The entire process is invisible to the underlying networks and the users
• There shall be a way for the network to influence some virtualization functions that are important to the concept and spirit of the VPN.
  – The Private Cloud provisioning and management system SHALL have the ability to dedicate a specific block of disk space per service per VPN.
  – Each VPN SHALL have exclusive access to the dedicated block of disk space.
  – Each VPN SHALL have the ability to indicate the mechanism used to prevent unwanted data retrieval from the block of disk space after it is no longer used by the VPN, before it can be re-used by other parties
  – Each VPN SHALL have the ability to request a dedicated VM with certain CPU capability, amount of memory and disk space.
  – Each VPN SHALL have the ability to request dedicated L2/3 network resources within the data center, such as bandwidth, priorities, and so on
  – Each VPN SHALL have the ability to hold the requested resources without sharing them with any other parties
  – Each VPN SHALL have the ability to confine the mobility of stored data to a certain geographic region (country/state).
  – The TCP/IP stack SHOULD support multiple routing instances. Each virtualization function SHOULD connect to the network through its own virtual routing instance.

Private Cloud Services Restoration
• Today the data center restoration and diversity design are not linked to the network restoration and diversity design.
  – May cause redundant diversity design
  – May cause traffic oscillation and service/performance degradation
• Highly performance-sensitive VPN traffic is most at risk
• The solution SHOULD be able to indicate how restoration is handled across layers
  – Allows end-to-end diversity design and optimization
• Restoration capability awareness needs to be scalable
  – Problems occurring in one area of the Cloud SHALL NOT affect all other areas of the Cloud
  – Each component of the Cloud can scale independently

Next Step
• Which WG does this draft belong to?
• Should the draft be split into a Requirements and Framework draft, and a Solution draft?
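As an added illustration (not part of the draft or its presentation), the following Python model shows how a provisioning system could enforce three of the disk-space requirements above: exclusive per-VPN allocation, a VPN-indicated sanitization mechanism that must run before a released block is re-used by another party, and geographic confinement. Block ids, region codes and mechanism names are constructed assumptions.

```python
# Constructed model of the draft's per-VPN disk-block requirements: exclusivity,
# VPN-chosen sanitization before re-use, and geographic confinement.
# Block ids, regions and mechanism names below are assumptions, not from the draft.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class DiskBlock:
    block_id: str
    region: str                        # where the storage physically sits, e.g. "US-CA"
    owner: Optional[str] = None        # VPN holding the block exclusively, or None
    last_owner: Optional[str] = None   # VPN whose data may still be on the block
    sanitized: bool = True             # False from release until the wipe mechanism ran


class PrivateCloudStorage:
    """Provisioning/management model enforcing the draft's disk-space rules."""

    def __init__(self, blocks):
        self.blocks: Dict[str, DiskBlock] = {b.block_id: b for b in blocks}
        self.wipe_mechanism: Dict[str, str] = {}   # vpn -> mechanism it requires

    def set_wipe_mechanism(self, vpn, mechanism):
        # The VPN indicates how its data is made unrecoverable (e.g. "crypto-erase").
        self.wipe_mechanism[vpn] = mechanism

    def allocate(self, vpn, allowed_regions):
        """Hand a free, sanitized block inside the VPN's allowed regions to the VPN."""
        for b in self.blocks.values():
            if b.owner is None and b.sanitized and b.region in allowed_regions:
                b.owner = vpn          # exclusive: nobody else is handed this block
                return b.block_id
        raise LookupError(f"no clean block for {vpn} in {sorted(allowed_regions)}")

    def release(self, vpn, block_id):
        """Release a block; it stays quarantined until the owner's mechanism runs."""
        b = self.blocks[block_id]
        if b.owner != vpn:
            raise PermissionError(f"{vpn} does not own {block_id}")
        b.owner, b.last_owner, b.sanitized = None, vpn, False
        return self.wipe_mechanism.get(vpn, "overwrite")   # mechanism to apply now

    def sanitize(self, block_id, mechanism_applied):
        """Mark the block re-usable only if the previous owner's mechanism was used."""
        b = self.blocks[block_id]
        required = self.wipe_mechanism.get(b.last_owner, "overwrite")
        if mechanism_applied != required:
            raise ValueError(f"{block_id} requires {required}, got {mechanism_applied}")
        b.sanitized = True
        return b.block_id
```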