Hi, A couple of questions of some substance below. > Support for multi-tenancy has become a core requirement of data centers > (DCs), especially in the context of data centers supporting virtualized > hosts known as virtual machines (VMs). Two key requirements needed > to support multi-tenancy are traffic isolation, so that a tenant's > traffic is not visible to any other tenant, and address independence, > so that one tenant's addressing does not collide with other tenants > addressing schemes or with addresses used within the data center itself. > Another key requirement is to support the placement and migration of > VMs anywhere within the data center, without being limited by DC > network constraints such as the IP subnet boundaries of the > underlying DC network. > > An NVO3 solution (known here as a Data Center Virtual Private > Network (DCVPN)) is a VPN that is viable across a scaling range of > a few thousand VMs to several million VMs running on greater > than 100K physical servers. It thus has good scaling properties > from relatively small networks to networks with several million > DCVPN endpoints and hundreds of thousands of DCVPNs within a > single administrative domain. > > Note that although this charter uses the term VM throughout, NVO3 must > also support connectivity to traditional hosts e.g. hosts that do not > have hypervisors. > > NVO3 will consider approaches to multi-tenancy that reside at the > network layer rather than using traditional isolation mechanisms I know we have been dancing around this and there is a lot of paranoia. It is clear that we mean that no IETF technology will be excluded from consideration a priori. This may be sensitive because the PWE3 charter (which had to handle a similar question) explicitly called out IP and MPLS. I can't think of a better way of saying what the text says other than "network layer" but perhaps, for the avoidance of doubt, Stewart could put an email in the archive that says "I confirm that the phrase 'network layer' in the context of the NVO3 charter does not exclude MPLS." Then (hopefully) we can all move along and do the real work :-) > that rely on the underlying layer 2 technology (e.g., VLANs). > The NVO3 WG will determine which types of service are needed by typical > DC deployments (for example, IP and/or Ethernet). > > NVO3 will document the problem statement, the applicability, and an > architectural framework for DCVPNs within a data center > environment. Within this framework, functional blocks will be defined to > allow the dynamic attachment / detachment of VMs to their DCVPN, > and the interconnection of elements of the DCVPNs over > the underlying physical network. This will support the delivery > of packets to the destination VM, and provide the network functions > required for the migration of VMs within the network in a > sub-second timeframe. This has been discussed a bit, but I still can't believe that it won't cause contention down the line. The term "migration" will mean different things to different people and some will expect it to mean the picking up of one active operational environment and its transportation to run in a different place. We need to be clear whether we mean simply that the "re-registration" of a VM at a different location and the associated "convergence" of the network is intended to be sub-second, or whether it is the whole transportation of the VM. I don't have an immediate suggestion for wording around this other than to say that the bald word "migration" is not enough. > Based on this framework, the NVO3 WG will develop requirements for both > control plane protocol(s) and data plane encapsulation format(s), I find this rather clumsy and suggest: Based on this framework, the NVO3 WG will develop requirements for control plane protocols and data plane encapsulation formats, > and > perform a gap analysis of existing candidate mechanisms. In addition > to functional and architectural requirements, the NVO3 WG will develop > management, operational, maintenance, troubleshooting, security and > OAM protocol requirements. > > The NVO3 WG will investigate the interconnection of the DCVPNs > and their tenants with non-NVO3 IP network(s) to determine if > any specific work is needed. I can see how this might give rise to requirements and architectural work. I am not clear what "determine if any specific work is needed" because that may substantially depend on which solutions have been selected. Perhaps replacement text... The NVO3 WG will investigate the interconnection of the DCVPNs and their tenants with non-NVO3 IP networks, and will document any additional requirements and architectural functions. > The NVO3 WG will write the following informational RFCs, which > must be substantially complete before rechartering can be > considered: "substantially complete" is sufficiently subjective to risk a riot at some point in the future! Can we be more precise with some well-known process step such as WG last call or publication request. I do not believe that rechartering at that point would take more than a couple of weeks, so it is not as though the WG will grind to a halt for a season. > Problem Statement > Framework document > Control plane requirements document > Data plane requirements document > Operational Requirements > Gap Analysis I see how the three requirements documents have been arrived at from the text in the previous paragraphs. Where does Security fit in? Is it distributed amongst the three documents? If so, why were operational requirements not similarly distributed? > Driven by the requirements and consistent with the gap analysis, > the NVO3 WG may request being rechartered to document solutions > consisting of one or more data plane encapsulations and > control plane protocols as applicable. Any documented solutions > will use existing IETF protocols if suitable. Otherwise, > the NVO3 WG may propose the development of new IETF protocols, > or the writing of an applicability statement for a non-IETF > protocol. s/a non-IETF protocol/non-IETF protocols/ [snip] Thanks, Adrian