Page 1: Next Steps Towards Virtualization - JMUze…

Copyright © 2007 Juniper Networks, Inc. www.juniper.net 1

Next Steps Towards Virtualization Paradigm

Jean-Marc Uzé, [email protected]

Nov 6th, 2007

Page 2

Goal of this Presentation

Look at virtualization paradigm trends and their impact on end-to-end Research & Education network infrastructure

Generate discussion, and explore potential areas of research and service activities

Apologies: this presentation provides more questions than answers

Page 3

Agenda

Concepts of Virtualization for an NREN

Adoption of Virtualization Services by Campuses

Existing Virtualization Building Blocks

Service Plane for End-to-end Virtualization Paradigm

Page 4

Concepts of Virtualization for an NREN

One physical infrastructure providing:
• Connectivity/circuits (pt-to-pt)
• Switching capability (pt-to-pt, mpt-to-mpt)
• Routing capability (any-to-any)
• Computing/storage resources

Virtualization technique to offer a dedicated slice of the physical infrastructure to a group of users
• Community- or project-based
• On-demand, controlled by the end-user
  • Activation/deactivation of the virtual slice
  • Management of the virtual slice

End-to-end service across multiple stakeholders
Coordination of the resources and end-users via a “service layer” (or “business layer”)
• Trend to leverage SOA/Web services technology

Is the virtualized paradigm for a very limited set of users only, or should it prefigure a service that could be extended to a larger set of users?

Page 5

Virtualization in NRENs Augmented by Regional Networks and MANs: Towards a Diet Virtualization Service?

[Figure: the NREN and the Regional REN each run an IP network plus Virtual Network 1 and Virtual Network 2 over L2 VPN / VPLS / lambda; a Service Layer (Web Service / SOA) spans the NRENs / GEANT and Regional REN / MAN domains]

Questions regarding Regional RENs and MANs:
Should they align their development with NRENs? At the same speed?
Or should NRENs ask MANs/RRENs to offer a light virtualization service, e.g.:
• Virtualized connectivity only?
• No service plane?

Page 6

Requirements for a Campus to Adopt Virtualization Services

Campuses/sites have particular characteristics:
• First and last mile
• Unique role of connecting the endpoint (and so the end-user, if any) to the network
• Deal with more traditional “enterprise” issues (e.g. security), which makes R&E-specific services more challenging to adopt => probably a need to adapt!

More diversified traffic processing building blocks
• Routing, Ethernet switching, firewall, NAT, IPsec VPN, VPN SSL, IDS/IDP, application acceleration, etc.
• What does virtualization mean for a campus? It may require integrating other components

Seamless integration of NREN services
• Integration with their existing processes and tools (e.g. NAC and other security policies and enforcers)

Avoid bottlenecks in performance and services
• No matter what elements are in the chain between the endpoint and the first Research & Education backbone infrastructure

Page 7

Handling Endpoint Access Projection

[Figure: a campus attached over VLAN / MPLS to the IP network, Virtual Network 1 and Virtual Network 2; the endpoint's attachment to Virtual Network 2 is marked with a question mark]

The end-user has to move between virtual networks. Two questions:

Service plane:
• Should the campus deploy the NREN tool and integrate it with the campus infrastructure,
• or should we leverage current campus network access control technology,
• or “connect” them together?

Data plane:
• VLAN would be the easiest/most flexible solution
• Is it a good enough solution?

Page 8

Service Plane: Use Network Access Control?

[Figure: a campus endpoint authenticated with 802.1x, connected to the IP network, Virtual Network 1 or Virtual Network 2]

Use standard NAC technologies to connect the endpoint to the virtualized slice
• 802.1x to authenticate/authorize the host and end-user
• VLAN makes the connection
• VLAN choice?
  • End-user control (click)?
  • Or automatic, based on the detection of a particular process on the host?
• Allow/deny dual connection?
  • E.g. wireless + FE

Page 9

Data Plane: Is a VLAN Good Enough?

[Figure: a campus endpoint authenticated with 802.1x, connected to the IP network, Virtual Network 1 or Virtual Network 2]

Does a VLAN conform to campus security policies?
Is the end-user willing to connect to an unprotected network?
Is a virtual network a safer or a riskier environment compared to the IP/Internet network?
Should the virtualized slice in the campus contain other traffic processing capabilities?
This problem is not new, as it started with the Lightpath paradigm, but virtualization can dramatically increase this issue.

Page 10

End-to-End Virtualization in R&E Networks

[Figure: end-to-end view across three domains, NRENs / GEANT, Regional REN / MAN and University / Campus; each domain carries an IP network plus Virtual Network 1 and Virtual Network 2, over L2 VPN / VPLS / lambda in the NREN and Regional REN and over VLAN / MPLS in the campus; a Service Layer (Web Service / SOA) spans the backbone domains and Network Access Control covers the campus]

Page 11

Existing Virtualization Building Blocks

• Endpoint: Virtual nodes (e.g. VMware, Xen…)
• Connectivity: L1/L2 circuits (Lambdas / SDH / OTN), Ethernet VLANs, MPLS VPNs
• Traffic Processing: Logical Routers, Firewall Virtual Systems, VPN SSL Virtual Systems
• Service Plane: Network Access Control (e.g. UAC), SOA/webservice tool (e.g. UCLP)

Page 12

Benefits of MPLS Network Backbones

[Figure: a branch router connected to a backbone router over one physical connection carrying MPLS VPN A and MPLS VPN B]

#1 Redundant MPLS connections (LSPs); failover in less than 50 msec
#2 Many VPNs (IP-VPN, VPLS, L2 VPN) to transparently support many different groups and protocols
#3 Converged network with Classes-of-Service supporting many different applications

Page 13

Logical Routers - Introduction

Logical Routers (LR) is a feature that segments a physical router so that it can be configured and operated as multiple independent routers within one platform
LR virtualizes the configuration and operation of a physical router into subsets for increased manageability
Enables the use of large routers in small router roles
Provides flexible segmentation of routing by service type
Multi-service capabilities bring improved asset optimization

Page 14

Logical Router Portfolio: Software vs. Hardware Logical Routers

[Table comparing Software Logical Routers (SLR) and Hardware Logical Routers (HLR) feature by feature; the per-column values were not recovered from the slide]

Features compared:
• Scaling per LR
• Operational flexibility by allowing each LR to run a different software version
• CAPEX benefit by sharing interfaces
• Same capabilities as a physical router
• Separate control and administration plane

Page 15

Benefits of Firewall Virtual Systems (VSYS)

[Figure: one physical firewall hosting Vsys #1, Vsys #2 and Vsys #3, facing the IP network, Virtual Network 1 and Virtual Network 2]

#1 Simplifies management
#2 Improves security by segmenting the network
#3 Lowers TCO by eliminating the need for additional hardware

Establishes virtual firewalls with their own address book, policies, and management
• Including a separate routing table via a virtual router

Route traffic to a VSYS by IP address, physical interface, or VLAN tag
VSYS can support multiple user communities or domains without sharing policy
• Can be managed separately for division of labor
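To make the VSYS properties on this slide concrete, here is an added example (not ScreenOS or any other Juniper code) that models one physical firewall dispatching traffic to virtual systems. All VSYS names, interfaces, addresses and VLAN ids are constructed for illustration. It classifies each packet by VLAN tag first, then by ingress interface, then by source IP, and the selected VSYS applies only its own address book, policy list and routing table, so a permit in one VSYS never leaks into another.

```python
"""Toy model of firewall virtual systems (VSYS) on one physical firewall.

Added example, not Juniper code; every name, address and VLAN id is
constructed. Each VSYS owns its address book, ordered policies (first
match wins, implicit deny) and routing table (longest prefix wins).
"""
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network
ANY_PORT = 0  # wildcard destination port in a policy


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    vlan: Optional[int] = None
    ingress_if: Optional[str] = None


@dataclass
class Vsys:
    name: str
    address_book: Dict[str, IPNet]               # private to this VSYS
    policies: List[Tuple[str, str, int, str]]    # (src, dst, dport, action)
    routes: List[Tuple[IPNet, str]]              # (prefix, next hop)

    def policy_verdict(self, pkt: Packet) -> str:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for src_name, dst_name, dport, action in self.policies:
            if (src in self.address_book[src_name]
                    and dst in self.address_book[dst_name]
                    and dport in (ANY_PORT, pkt.dport)):
                return action
        return "deny"  # implicit default deny, per VSYS

    def next_hop(self, pkt: Packet) -> Optional[str]:
        dst = ipaddress.ip_address(pkt.dst)
        best: Optional[Tuple[IPNet, str]] = None
        for prefix, hop in self.routes:  # longest prefix match
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, hop)
        return best[1] if best else None


class VirtualFirewall:
    def __init__(self) -> None:
        self.vsys: Dict[str, Vsys] = {}
        self.by_vlan: Dict[int, str] = {}
        self.by_interface: Dict[str, str] = {}
        self.by_source: List[Tuple[IPNet, str]] = []

    def add_vsys(self, v: Vsys, vlans=(), interfaces=(), sources=()) -> None:
        self.vsys[v.name] = v
        self.by_vlan.update({tag: v.name for tag in vlans})
        self.by_interface.update({ifname: v.name for ifname in interfaces})
        self.by_source.extend((net, v.name) for net in sources)

    def classify(self, pkt: Packet) -> Optional[str]:
        # Precedence: VLAN tag, then physical interface, then source IP.
        if pkt.vlan is not None and pkt.vlan in self.by_vlan:
            return self.by_vlan[pkt.vlan]
        if pkt.ingress_if in self.by_interface:
            return self.by_interface[pkt.ingress_if]
        src = ipaddress.ip_address(pkt.src)
        return next((name for net, name in self.by_source if src in net), None)

    def process(self, pkt: Packet) -> Tuple[Optional[str], str, Optional[str]]:
        """Return (vsys name, verdict, next hop)."""
        name = self.classify(pkt)
        if name is None:
            return (None, "drop: no vsys", None)
        v = self.vsys[name]
        if v.policy_verdict(pkt) != "permit":
            return (name, "deny", None)
        hop = v.next_hop(pkt)
        return (name, "permit", hop) if hop else (name, "drop: no route", None)


def build_demo_firewall() -> VirtualFirewall:
    """Constructed two-VSYS setup: project-a on VLAN 201, project-b on VLAN 202."""
    net = ipaddress.ip_network
    fw = VirtualFirewall()
    fw.add_vsys(Vsys("project-a",
                     {"any": net("0.0.0.0/0"), "users": net("10.201.0.0/16"), "webfarm": net("10.1.0.0/24")},
                     [("users", "webfarm", 443, "permit"), ("users", "any", 80, "permit"),
                      ("any", "any", ANY_PORT, "deny")],
                     [(net("10.1.0.0/24"), "10.1.0.1"), (net("0.0.0.0/0"), "192.0.2.1")]),
                vlans=(201,), sources=(net("10.201.0.0/16"),))
    fw.add_vsys(Vsys("project-b",
                     {"any": net("0.0.0.0/0"), "users": net("10.202.0.0/16"), "filesrv": net("10.2.0.0/24")},
                     [("users", "filesrv", 445, "permit"), ("users", "any", 22, "permit")],
                     [(net("10.2.0.0/24"), "10.2.0.1")]),   # no default route on purpose
                vlans=(202,), interfaces=("eth1",))
    return fw
```

The VLAN tag deliberately takes precedence over the source address: a packet from a project-a address arriving tagged 202 lands in project-b, whose policy knows nothing about project-a users and denies it. The missing default route in project-b shows that a permitted flow still drops when that VSYS's own routing table has no path, which is the separate-virtual-router behaviour the slide lists.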

Page 16

VPN SSL with Instant Virtual Systems

[Figure: one SSL VPN appliance hosting Virtual System A, Virtual System B and Virtual System C, each attached to its own VLAN (VLAN A, VLAN B, VLAN C) and serving a different domain: VirtualNet1.edu (webmail.VirtualNet1.edu, filesrv.VirtualNet1.edu), VirtualNet2.edu (webmail.VirtualNet2.edu) and MyUniv.edu (Authsrv.MyUniv.edu, filesrv.MyUniv.edu); the appliance reaches the IP network, Virtual Network 1 and Virtual Network 2]

Maximize productivity
Enforce strict security
Assure business continuity

Page 17

Considerations for Traffic Processing Elements

Should not bring more issues than advantages:

Virtualization capability with service transparency…
• IPv4 / IPv6
• Unicast / Multicast
• QoS

With reliability
• Robustness (hardware and software architecture)
• High availability features

Without performance compromise!
• Throughput
• Small packet size
• Jumbo frames

EARNEST Technical Study:
“Middleboxes frequently interfere with higher-layer protocols in unexpected ways”

Page 18

UAC Components

[Figure: OAC on the endpoint, AAA servers / identity stores, the Infranet Controller, Phase 1 enforcers and Phase 2.0 802.1x enforcement; flows labelled L3 (IP): user auth, endpoint check, dynamic role provisioning, user access to L3 resources in VLANs; 802.1x (EAPoR): user auth, endpoint check, VLAN enforcement; 802.1x (EAPoL): user auth, endpoint check; user access to L3 protected resources]

Unified policy enforcement based on user identity, network identity, and endpoint assessment

Endpoint (OAC):
• Users get their machine profiled
• Authenticates to the Infranet Controller
  • L3 direct (over IP)
  • 802.1x via switch or AP

Phase 1 Enforcers:
• Enforce access policies defined by the Infranet Controller for endpoints
• Allow user connectivity as determined by the Infranet Controller

Infranet Controller (IC):
• Authenticates users (using existing AAA infrastructure)
• Determines users' access rights to network resources
• Provisions access for the endpoint on the enforcers and 802.1x devices
• Central policy manager that pushes policy to endpoints and enforcement points

Phase 2.0 Enforcement:
• Enforces access policies defined by the Infranet Controller at Layer 2 using 802.1x and VLANs
• Any 802.1x-enabled device
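The NAC flow from the “Service Plane: Use Network Access Control?” slide and the Infranet Controller role listed above, as an added example that is not Juniper UAC code: a toy policy decision point that authenticates the user against an identity store, checks the endpoint assessment, maps role plus health to a VLAN (the virtual slice), honours an end-user “click” choice only when the role permits that slice, and denies a second simultaneous connection of the same endpoint over another medium (wireless + wired). Every user, role, VLAN id and health threshold is constructed for illustration.

```python
"""Toy NAC policy decision point (PDP) admitting an endpoint to a slice.

Added example, not Juniper UAC / Infranet Controller code. The enforcer
(802.1x switch or AP) is assumed to relay credentials and the endpoint
assessment to decide(); the returned VLAN is what it would enforce.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
import hashlib
import hmac


def _pw_hash(password: str) -> str:
    # Constructed salt; a real deployment defers to the AAA server.
    return hashlib.sha256(b"toy-salt:" + password.encode()).hexdigest()


# Constructed identity store: username -> (password hash, role).
IDENTITY_STORE: Dict[str, Tuple[str, str]] = {
    "alice": (_pw_hash("alice-pass"), "project-a"),
    "bob": (_pw_hash("bob-pass"), "staff"),
}

# Constructed role -> VLANs (virtual slices) the role may be placed in.
# The lowest id is the default when the user makes no choice.
ROLE_SLICES: Dict[str, Set[int]] = {
    "project-a": {201, 202},  # Virtual Network 1 and 2
    "staff": {100},           # campus IP network only
}
QUARANTINE_VLAN = 999         # remediation VLAN for failed endpoint checks
MIN_AGENT_VERSION = (2, 0)


@dataclass
class EndpointAssessment:
    agent_version: Tuple[int, int]
    antivirus_running: bool
    patches_current: bool


@dataclass
class AccessRequest:
    user: str
    password: str
    endpoint_id: str                       # supplicant identity, e.g. a MAC address
    medium: str                            # "wired" or "wireless"
    assessment: EndpointAssessment
    requested_vlan: Optional[int] = None   # end-user "click" choice, if any


@dataclass
class Decision:
    allowed: bool
    vlan: Optional[int]
    reason: str


@dataclass
class PolicyDecisionPoint:
    # endpoint_id -> medium of the live session; used to deny dual connections
    sessions: Dict[str, str] = field(default_factory=dict)

    @staticmethod
    def authenticate(user: str, password: str) -> Optional[str]:
        entry = IDENTITY_STORE.get(user)
        if entry is None:
            return None
        stored_hash, role = entry
        if not hmac.compare_digest(stored_hash, _pw_hash(password)):
            return None
        return role

    @staticmethod
    def endpoint_healthy(a: EndpointAssessment) -> bool:
        return (a.agent_version >= MIN_AGENT_VERSION
                and a.antivirus_running and a.patches_current)

    def decide(self, req: AccessRequest) -> Decision:
        role = self.authenticate(req.user, req.password)
        if role is None:
            return Decision(False, None, "authentication failed")
        live = self.sessions.get(req.endpoint_id)
        if live is not None and live != req.medium:
            return Decision(False, None, f"dual connection denied (already on {live})")
        if not self.endpoint_healthy(req.assessment):
            # Still admitted, but only to the remediation VLAN.
            self.sessions[req.endpoint_id] = req.medium
            return Decision(True, QUARANTINE_VLAN, "endpoint check failed, quarantined")
        permitted = ROLE_SLICES[role]
        vlan = req.requested_vlan if req.requested_vlan is not None else min(permitted)
        if vlan not in permitted:
            return Decision(False, None, f"VLAN {vlan} not permitted for role {role}")
        self.sessions[req.endpoint_id] = req.medium
        return Decision(True, vlan, f"role {role}")

    def disconnect(self, endpoint_id: str) -> None:
        self.sessions.pop(endpoint_id, None)
```

The order of checks matters: identity first, then the dual-connection test, then endpoint health, then the slice choice, so an unhealthy machine is never placed in a project slice and a user cannot pick a VLAN outside the set their role grants. The session table is the piece the slide's enforcers would have to report back to, since the PDP cannot see a second physical port on its own.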

Page 19

Network Access Control Example with UAC 2.0 - Interoperability

[Figure: TNC architecture: an Access Requestor (AR) authenticates over 802.1X to a Policy Enforcement Point (PEP), which consults a Policy Decision Point (PDP) backed by AAA servers / identity stores before granting access to protected resources; Security Event Managers (SEMs) receive events]

Page 20

UAC: Access Control to a Virtualized Slice

Page 21

Additional Questions on Service Plane and Control Plane for End-to-End Virtualization in R&E Networks

[Figure: end-to-end view across NRENs / GEANT, Regional REN / MAN and University / Campus; each domain carries an IP network plus Virtual Network 1 and Virtual Network 2, over L2 VPN / VPLS / lambda in the backbone and VLAN / MPLS in the campus, with a Service Layer (Web Service / SOA) over the backbone domains and Network Access Control in the campus]

1. Interoperability between service plane tools? Towards a standard?
2. Stitching NRENs and RRENs/MANs? Will they adopt the NREN service plane?
3. Stitching backbone tools with campus network access control?
4. Routing between virtual slices? Impact on BGP?

Page 22

Conclusion

The virtualization paradigm is being adopted as a major trend
Several projects are going on, including in Europe
• E.g. Manticore, Federica…

The end-to-end will probably be a challenge, again…
Opportunity to study further the complete virtualization paradigm
• Work on the full picture