VPN Extension Requirements
for Private Clouds
draft-so-vepc-00.txt
Description of Today’s Cloud Infrastructure
• Three components that make up the Cloud infrastructure
– Data center, network (LAN/MAN/WAN), and the end user
• Multiple Cloud-based products and services are being
offered across multiple data centers globally
– Data centers are multi-tenant in nature, can be single Cloud
Service Provider or independent 3rd party operated
– The application (VM) can be mobile
• The networks can be layer 2 and layer 3 IP/MPLS (VPN
and non-VPN) networks, and layer 1 private
line/OTN/MPLS-TP based networks
– The selection of the network of choice is possible
• The users can be wireline and wireless with various
access technologies
– Users are mobile, and exchange of wireless/wireline is possible
Problem Areas
• Problem areas that this situation causes for Cloud Service
Providers, especially for existing VPN customers:
– Private Cloud Customer End to End Separation
– Private Cloud Resource Virtualization
– Private Cloud Services Restoration
• Other Non-VPN Specific Areas
– Cloud Traffic Load-Balancing and Congestion Avoidance
– QoS Synchronization
– Cross Layer Optimization
– End-to-End Configuration Automation
– End-to-End Quality of Experience
– OAM Considerations
– Cloud Security
Private Cloud Customer End to End Separation
• Today the data center segregates customer traffic at layer 7
(application), and there is no standard for extending the VPN into
the data center.
– The success of VPN services in the enterprise and government
world is largely due to their ability to virtually segregate customer
traffic at layer 2 and layer 3
– The lower the layer at which segregation can be maintained, the
safer it is for customers from a security and privacy perspective
• The Cloud application (or the virtualization function) should have
the ability to access the VPN (including Layer 2/3 VPN) so that
different Cloud-Services traffic is segregated through the network.
• Very high-level example solutions are provided to illustrate
solution-specific requirements
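The layer 2/3 separation this slide argues for is what a virtual routing instance (VRF) gives: each attachment circuit belongs to exactly one instance, and a packet is only ever looked up in the table of the instance it arrived on, so two VPN customers can even reuse the same private address space without seeing each other. The following is an added illustration written for this page, not code from draft-so-vepc-00 or its authors; tenant names, prefixes and interface names are constructed sample values, and the flat "global table" case is included only to show what segregation above layer 3 leaves unsolved.

```python
"""Per-VPN routing instances with overlapping tenant address space.

Added illustration (not from draft-so-vepc-00): every attachment circuit is
bound to one VRF, and forwarding never consults another VRF's table.
All tenant names, prefixes and interface names are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Vrf:
    """One virtual routing instance: its own table and its own interfaces."""
    name: str
    routes: Dict[ipaddress.IPv4Network, str] = field(default_factory=dict)
    interfaces: Set[str] = field(default_factory=set)

    def add_route(self, prefix: str, via: str) -> None:
        self.routes[ipaddress.ip_network(prefix)] = via

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match confined to this VRF's table; None means drop."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, via in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best[1] if best else None


class Router:
    """PE-style device: interfaces are bound to VRFs, lookups never cross them."""

    def __init__(self) -> None:
        self.vrfs: Dict[str, Vrf] = {}
        self.iface_to_vrf: Dict[str, str] = {}

    def add_vrf(self, name: str) -> Vrf:
        self.vrfs[name] = Vrf(name)
        return self.vrfs[name]

    def bind(self, iface: str, vrf_name: str) -> None:
        self.iface_to_vrf[iface] = vrf_name
        self.vrfs[vrf_name].interfaces.add(iface)

    def forward(self, in_iface: str, dst: str) -> Optional[str]:
        """Select the table by ingress interface, then look the destination up."""
        vrf = self.vrfs[self.iface_to_vrf[in_iface]]
        return vrf.lookup(dst)


def build_demo_router() -> Router:
    r = Router()
    vpn_a = r.add_vrf("vpn-a")
    vpn_b = r.add_vrf("vpn-b")
    r.bind("eth1", "vpn-a")   # constructed: tenant A's attachment circuit
    r.bind("eth2", "vpn-b")   # constructed: tenant B's attachment circuit
    # Both tenants use 10.1.0.0/16 internally (usual with RFC 1918 space);
    # each VRF carries its own copy of the prefix with a different next hop.
    vpn_a.add_route("10.1.0.0/16", "vm-a-rack1")
    vpn_b.add_route("10.1.0.0/16", "vm-b-rack3")
    vpn_b.add_route("192.168.50.0/24", "vm-b-db")   # exists only in tenant B
    return r


def flat_table_collision() -> Optional[str]:
    """Contrast: one shared table cannot hold both tenants' 10.1.0.0/16."""
    shared = Vrf("global")
    shared.add_route("10.1.0.0/16", "vm-a-rack1")
    shared.add_route("10.1.0.0/16", "vm-b-rack3")   # silently replaces A's route
    return shared.lookup("10.1.2.3")


def demo() -> Dict[str, Optional[str]]:
    r = build_demo_router()
    return {
        "a_same_dst": r.forward("eth1", "10.1.2.3"),       # tenant A's own VM
        "b_same_dst": r.forward("eth2", "10.1.2.3"),       # tenant B's own VM
        "a_to_b_only": r.forward("eth1", "192.168.50.1"),  # None: unreachable from A
        "flat": flat_table_collision(),                    # B's route won; A misrouted
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same model also covers the later requirement that each virtualization function connect through its own routing instance: binding a VM's virtual interface to a VRF is the `bind()` step, and a function that is not bound to a tenant's VRF has no table in which that tenant's prefixes resolve.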
Private Cloud Resource Virtualization
• Today data center virtualization is handled entirely by data
center servers and hypervisors.
– Application server and VM allocation and assignment
– Disk and memory space allocation
– Traffic loading and balancing
– QoS assignments, etc.
• The entire process is invisible to the underlying networks and
the users
Private Cloud Resource Virtualization
• There shall be a way for the network to influence those
virtualization functions that are important to the concept and spirit of
the VPN.
– The Private Cloud provisioning and management system SHALL have the ability
to dedicate a specific block of disk space per service per VPN.
– Each VPN SHALL have exclusive access to its dedicated block of disk
space.
– Each VPN SHALL have the ability to indicate the mechanism used to prevent
unwanted data retrieval from the block of disk space after it is no longer used by
the VPN and before it can be re-used by other parties
– Each VPN SHALL have the ability to request a dedicated VM with a certain CPU
capability, amount of memory and disk space.
– Each VPN SHALL have the ability to request dedicated L2/3 network resources
within the data center such as bandwidth, priorities, and so on
– Each VPN SHALL have the ability to hold the requested resources without
sharing them with any other parties
– Each VPN SHALL have the ability to limit the mobility of its stored data to a certain
geographic region (country/state).
– The TCP/IP stack SHOULD support multiple routing instances. Each virtualization
function SHOULD connect to the network through its own virtual routing instance.
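The storage-related SHALL statements above describe a contract the provisioning system has to enforce: one owner per dedicated block, no reuse until the wipe the previous VPN asked for has actually been performed, and no placement or migration outside the regions the VPN allows. The following is an added illustration of that contract written for this page, not code from draft-so-vepc-00 or its authors; block ids, regions, VPN names and sanitization method names are constructed sample values.

```python
"""Per-VPN dedicated storage: exclusive access, sanitize-before-reuse,
geographic confinement.

Added illustration (not from draft-so-vepc-00) of the provisioning system's
side of the slide's SHALL requirements. Block ids, regions, VPN names and
sanitize method names are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


class PolicyViolation(Exception):
    """Raised when a request would break one of the per-VPN guarantees."""


@dataclass
class VpnProfile:
    name: str
    allowed_regions: Set[str]   # data-mobility confinement (country/state)
    sanitize_method: str        # wipe the VPN requires before its space is reused


@dataclass
class Block:
    block_id: str
    region: str
    owner: Optional[str] = None
    pending_sanitize: Optional[str] = None   # wipe still owed before any reuse


class StorageAllocator:
    def __init__(self, blocks: List[Block]) -> None:
        self.blocks = {b.block_id: b for b in blocks}

    def allocate(self, vpn: VpnProfile, block_id: str) -> Block:
        b = self.blocks[block_id]
        if b.owner is not None:
            raise PolicyViolation(f"{block_id} is dedicated to {b.owner}")
        if b.pending_sanitize is not None:
            raise PolicyViolation(f"{block_id} awaits {b.pending_sanitize} before reuse")
        if b.region not in vpn.allowed_regions:
            raise PolicyViolation(f"{b.region} is outside {vpn.name}'s allowed regions")
        b.owner = vpn.name
        return b

    def access(self, vpn_name: str, block_id: str) -> bool:
        """Exclusive access: only the owning VPN may touch the block."""
        if self.blocks[block_id].owner != vpn_name:
            raise PolicyViolation(f"{vpn_name} has no access to {block_id}")
        return True

    def release(self, vpn: VpnProfile, block_id: str) -> str:
        """Free the block and record the wipe the VPN indicated for reuse."""
        b = self.blocks[block_id]
        if b.owner != vpn.name:
            raise PolicyViolation(f"{vpn.name} does not own {block_id}")
        b.owner = None
        b.pending_sanitize = vpn.sanitize_method
        return vpn.sanitize_method

    def sanitize(self, block_id: str, method_run: str) -> Block:
        """Storage reports the wipe it ran; only the owed method clears the hold."""
        b = self.blocks[block_id]
        if method_run != b.pending_sanitize:
            raise PolicyViolation(f"{block_id} requires {b.pending_sanitize}, got {method_run}")
        b.pending_sanitize = None
        return b

    def migrate(self, vpn: VpnProfile, block_id: str, new_region: str) -> Block:
        """Stored data may only move within the VPN's allowed regions."""
        b = self.blocks[block_id]
        if b.owner != vpn.name:
            raise PolicyViolation(f"{vpn.name} does not own {block_id}")
        if new_region not in vpn.allowed_regions:
            raise PolicyViolation(f"{vpn.name} data may not move to {new_region}")
        b.region = new_region
        return b


def refused(fn, *args) -> bool:
    """True if the allocator rejected the request as a policy violation."""
    try:
        fn(*args)
    except PolicyViolation:
        return True
    return False


def demo() -> Dict[str, object]:
    alloc = StorageAllocator([Block("blk-1", "US-east"), Block("blk-2", "EU-west")])
    gov = VpnProfile("gov-vpn", {"US-east", "US-west"}, "crypto-erase")
    bank = VpnProfile("bank-vpn", {"US-east", "EU-west"}, "zero-fill")
    out: Dict[str, object] = {}
    alloc.allocate(gov, "blk-1")
    out["exclusive"] = refused(alloc.allocate, bank, "blk-1")
    out["no_cross_access"] = refused(alloc.access, "bank-vpn", "blk-1")
    out["geo_confined"] = refused(alloc.allocate, gov, "blk-2")
    out["no_migrate_out"] = refused(alloc.migrate, gov, "blk-1", "EU-west")
    owed = alloc.release(gov, "blk-1")
    out["reuse_before_wipe"] = refused(alloc.allocate, bank, "blk-1")
    out["wrong_wipe"] = refused(alloc.sanitize, "blk-1", "zero-fill")
    alloc.sanitize("blk-1", owed)
    out["reuse_after_wipe"] = alloc.allocate(bank, "blk-1").owner
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of tracking the owed method on the block rather than trusting the release call is that the "prevent unwanted data retrieval" requirement is only met once the wipe has been confirmed, and a zero-fill does not discharge a VPN that asked for a cryptographic erase.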
Private Cloud Services Restoration
• Today the data center restoration and diversity design
are not linked to the network restoration and diversity
design.
– May cause redundant diversity design
– May cause traffic oscillation and service/performance
degradation
• Highly performance-sensitive VPN traffic is most at risk
• The solution SHOULD be able to indicate how the
restoration is handled across layers
– Allows end-to-end diversity design and optimization
• The restoration capability awareness needs to be
scalable
– Problems occurring in one area of the Cloud SHALL NOT affect all
other areas of the Cloud
– Each component of the Cloud can scale independently
Next Step
• Which WG does this draft belong to?
• Should the draft be split into a Requirements and
Framework draft and a Solution draft?