Copyright © 2007 Juniper Networks, Inc. www.juniper.net 1
Next Steps Towards Virtualization Paradigm
Jean-Marc Uzé, Juniper Networks
Nov 6th, 2007
Goal of this Presentation
Look at the Virtualization paradigm trends and impact on end-to-end Research & Education network infrastructure
Generate discussion, and explore potential areas of research and service activities
Apologies: this presentation raises more questions than it answers
Agenda
Concepts of Virtualization for a NREN
Adoption of Virtualization Services by Campuses
Existing Virtualization Building Blocks
Service Plane for End-to-end Virtualization Paradigm
Concepts of Virtualization for a NREN
One physical infrastructure providing:
• Connectivity/Circuits (pt-to-pt)
• Switching Capability (pt-to-pt, mpt-to-mpt)
• Routing Capability (any-to-any)
• Computing/Storage resources
Virtualization technique to offer a dedicated slice of the physical infrastructure to a group of users
• Community or project based
• On-demand, controlled by the end-user
• Activation/deactivation of the virtual slice
• Management of the virtual slice
End-to-end service across multiple stakeholders
Coordination of the resources and end-users via a “service layer” (or “business layer”)
• Trend to leverage SOA/Web services technology
Is the virtualized paradigm for a very limited set of users only, or should it prefigure a service that could be extended to a larger set of users?
Virtualization in NRENs augmented by Regional Networks and MANs
Towards a Diet Virtualization Service?
[Diagram: NREN backbone (L2 VPN / VPLS / λ) and Regional REN / MAN (IP network), each carrying Virtual Network 1 and Virtual Network 2, stitched together under a common Service Layer (Web Service / SOA); NRENs / GEANT on one side, Regional REN / MAN on the other]
Questions regarding Regional RENs and MANs:
Should they align their development with NRENs? At the same speed?
Or should NRENs request that MANs/RRENs offer a Light Virtualization service, e.g.:
• Virtualized connectivity only?
• No Service Plane?
Requirements for a Campus to Adopt Virtualization Services
Campuses/sites have particular characteristics:
• First and last mile
• Unique role of connecting the endpoint (and so the end-user, if any) to the network
• Deal with more traditional “enterprise” issues (e.g. security), which makes R&E-specific services more challenging to adopt => probably a need to adapt!
More diversified traffic processing building blocks
• Routing, Ethernet switching, Firewall, NAT, IPSec VPN, VPN SSL, IDS/IDP, Application Acceleration, etc.
• What does virtualization mean for a campus? It may require integrating other components
Seamless integration of NREN services
• Integration with their existing processes and tools (e.g. NAC and other security policies and enforcers)
Avoid bottlenecks in performance and services
• No matter what elements are in the chain between the endpoint and the first Research & Education backbone infrastructure
Handling Endpoint Access Projection
[Diagram: Campus (VLAN / MPLS) attached to the IP network, with Virtual Network 1 and Virtual Network 2 reachable from the campus; the endpoint has to be able to move between them]
The end-user has to move between virtual networks. Two questions:
Service Plane:
• Should the campus deploy the NREN tool and integrate it with the campus infrastructure,
• or should we leverage current campus network access control technology,
• or “connect” them together?
Data plane:
• VLAN would be the easiest/most flexible solution
• Is it a good enough solution?
Service Plane: Use Network Access Control?
[Diagram: Campus endpoint authenticating with 802.1x, then placed onto Virtual Network 1 or Virtual Network 2 across the IP network]
Use standard NAC technologies to connect the endpoint to the virtualized slice
• 802.1x to authenticate/authorize the host and end-user
• VLAN makes the connection
• VLAN choice?
• End-user control (click)?
• Or automatic, based on the detection of a particular process on the host
• Allow/Deny dual connection? E.g. wireless + FE
Data Plane: Is a VLAN good enough?
[Diagram: Campus endpoint authenticated with 802.1x and placed on a VLAN that leads across the IP network to Virtual Network 1 or Virtual Network 2]
Does a VLAN conform to campus security policies?
Is the end-user willing to connect to an unprotected network?
Is a virtual network a safer or a riskier environment compared to the IP/Internet network?
Should the virtualized slice in the campus contain other traffic processing capabilities?
This problem is not new, as it started with the Lightpath paradigm, but virtualization can dramatically increase this issue
End-to-End Virtualization in R&E networks
[Diagram: three stitched domains, NRENs / GEANT (L2 VPN / VPLS / λ), Regional REN / MAN (IP network) and University / Campus (VLAN / MPLS), each carrying Virtual Network 1 and Virtual Network 2; the Service Layer (Web Service / SOA) spans the backbone domains and Network Access Control covers the campus]
Existing Virtualization Building Blocks
Endpoint: Virtual Nodes (e.g. VMWare, Xen…)
Connectivity: L1/L2 circuits (Lambdas / SDH / OTN); Ethernet VLANs; MPLS VPNs
Traffic Processing: Logical Routers; Firewall Virtual Systems; VPN SSL Virtual Systems
Service Plane: Network Access Control (e.g. UAC); SOA/web service tool (e.g. UCLP)
Benefits of MPLS Network Backbones
[Diagram: Branch Router connected to Backbone Router, with MPLS VPN A and MPLS VPN B carried over one physical connection]
• Redundant MPLS connections (LSPs); failover in less than 50 msec
• Many VPNs (IP-VPN, VPLS, L2 VPN) to transparently support many different groups and protocols
• Converged network with Classes-of-Service supporting many different applications
Logical Routers - Introduction
Logical Routers (LR) is a feature that segments a physical router so that it can be configured and operated as multiple independent routers within one platform
LR virtualizes the configuration and operation of a physical router into subsets for increased manageability
Enables the use of large routers in small router roles
Provides flexible segmentation of routing by service type
Multi-service capabilities bring improved asset optimization
Logical Router Portfolio
Software vs. Hardware Logical Routers
[Table: feature comparison of SLR (Software Logical Router) and HLR (Hardware Logical Router) across the rows below]
• Scaling per LR
• Operational flexibility by allowing each LR to run a different software version
• CAPEX benefit by sharing interfaces
• Same capabilities as a physical router
• Separate control and administration plane
Benefits of Firewall Virtual Systems (VSYS)
[Diagram: one physical firewall hosting Vsys #1, Vsys #2 and Vsys #3, fronting Virtual Network 1 and Virtual Network 2 across the IP network]
#1 Simplifies management
#2 Improves security by segmenting the network
#3 Lowers TCO by eliminating the need for additional hardware
Establishes virtual firewalls, each with its own address book, policies, and management
• Including a separate routing table via a virtual router
Route traffic to a VSYS by IP address, physical interface, or VLAN tag
A VSYS can support multiple user communities or domains without sharing policy
• Can be managed separately for division of labor
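The classification and isolation behaviour described on this slide, shown as an added Python model (not code from the presentation or from any Juniper product): traffic is steered to a virtual system by VLAN tag, ingress interface or source IP, and each VSYS then evaluates only its own address book, policy set and routing table, so a flow that lands in the wrong VSYS hits default deny rather than a neighbour's policy. Interface names, VLAN IDs, prefixes and policies are constructed assumptions.

```python
"""Toy model of firewall virtual systems (VSYS).

Added illustration, not code from the presentation or any product. Interface
names, VLAN IDs, prefixes and policies below are constructed assumptions."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    ingress_if: str
    vlan: Optional[int]   # 802.1Q tag, None if untagged
    src: str
    dst: str
    dport: int


@dataclass
class VirtualSystem:
    """One VSYS: private address book, policies and routing table (virtual router)."""
    name: str
    address_book: Dict[str, IPv4Network] = field(default_factory=dict)
    # (src_name, dst_name, dport or None for any, "permit"|"deny"), first match wins
    policies: List[Tuple[str, str, Optional[int], str]] = field(default_factory=list)
    routes: Dict[IPv4Network, str] = field(default_factory=dict)  # prefix -> next hop / interface

    def _match(self, name: str, addr) -> bool:
        if name == "any":
            return True
        net = self.address_book.get(name)   # unknown names never match (no shared book)
        return net is not None and addr in net

    def lookup_route(self, dst: str) -> Optional[str]:
        """Longest-prefix match in this VSYS's own table only."""
        addr = ip_address(dst)
        best = None
        for prefix, nh in self.routes.items():
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best[1] if best else None

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """First-match policy with default deny; permitted traffic still needs a route."""
        s, d = ip_address(pkt.src), ip_address(pkt.dst)
        for src_name, dst_name, port, action in self.policies:
            if self._match(src_name, s) and self._match(dst_name, d) and port in (None, pkt.dport):
                if action == "deny":
                    return ("deny", None)
                nh = self.lookup_route(pkt.dst)
                return ("permit", nh) if nh else ("deny", None)   # no route in this VSYS: drop
        return ("deny", None)


@dataclass
class Firewall:
    """Physical box: classifies ingress traffic into a VSYS, then hands it over."""
    vsys: Dict[str, VirtualSystem] = field(default_factory=dict)
    by_vlan: Dict[int, str] = field(default_factory=dict)
    by_interface: Dict[str, str] = field(default_factory=dict)
    by_src_prefix: Dict[IPv4Network, str] = field(default_factory=dict)

    def classify(self, pkt: Packet) -> Optional[str]:
        # Order modelled here (an assumption): VLAN tag, then interface, then source IP.
        if pkt.vlan is not None and pkt.vlan in self.by_vlan:
            return self.by_vlan[pkt.vlan]
        if pkt.ingress_if in self.by_interface:
            return self.by_interface[pkt.ingress_if]
        src = ip_address(pkt.src)
        for prefix, name in self.by_src_prefix.items():
            if src in prefix:
                return name
        return None

    def process(self, pkt: Packet) -> Tuple[str, str, Optional[str]]:
        name = self.classify(pkt)
        if name is None:
            return ("unclassified", "deny", None)
        action, nh = self.vsys[name].evaluate(pkt)
        return (name, action, nh)


def build_demo() -> Firewall:
    """Two VSYS, one per virtual network, with no shared policy or routes (constructed)."""
    v1 = VirtualSystem("virtualnet1",
                       address_book={"research_lan": ip_network("10.1.0.0/16"),
                                     "cluster": ip_network("192.0.2.0/24")},
                       policies=[("research_lan", "cluster", 22, "permit"),
                                 ("research_lan", "any", 53, "permit")],
                       routes={ip_network("192.0.2.0/24"): "ge-0/0/1.101"})
    v2 = VirtualSystem("virtualnet2",
                       address_book={"lab": ip_network("10.2.0.0/16"),
                                     "storage": ip_network("198.51.100.0/24")},
                       policies=[("lab", "storage", 2049, "permit")],
                       routes={ip_network("198.51.100.0/24"): "ge-0/0/1.102"})
    return Firewall(vsys={v1.name: v1, v2.name: v2},
                    by_vlan={101: "virtualnet1", 102: "virtualnet2"},
                    by_interface={"ge-0/0/2": "virtualnet2"},
                    by_src_prefix={ip_network("10.1.0.0/16"): "virtualnet1"})


if __name__ == "__main__":
    fw = build_demo()
    print(fw.process(Packet("ge-0/0/0", 101, "10.1.5.5", "192.0.2.10", 22)))
    print(fw.process(Packet("ge-0/0/0", 102, "10.1.5.5", "192.0.2.10", 22)))
```

The second call in the usage shows the point of the slide: the same SSH flow tagged with the other community's VLAN is evaluated by virtualnet2, whose address book has no entry for the research LAN, so it is dropped; likewise a permitted flow whose destination is only routable in the other VSYS is dropped because routing tables are not shared either.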
VPN SSL with Instant Virtual Systems
[Diagram: one VPN SSL appliance hosting Virtual System A, Virtual System B and Virtual System C, each mapped to its own VLAN (VLAN A, VLAN B, VLAN C) and serving one community: VirtualNet1.edu (webmail.VirtualNet1.edu, filesrv.VirtualNet1.edu) on Virtual Network 1, VirtualNet2.edu (webmail.VirtualNet2.edu) on Virtual Network 2, and MyUniv.edu (Authsrv.MyUniv.edu, filesrv.MyUniv.edu) on the IP network]
Maximize Productivity
Enforce Strict Security
Assure Business Continuity
Considerations for Traffic Processing Elements
Should not bring more issues than advantages:
Virtualization capability with service transparency…
• IPv4 / IPv6
• Unicast / Multicast
• QoS
With reliability
• Robustness (hardware and software architecture)
• High Availability features
Without performance compromise!
• Throughput
• Small packet size
• Jumbo Frames
EARNEST Technical Study: “Middleboxes frequently interfere with higher-layer protocols in unexpected ways”
UAC Components
Unified policy enforcement based on User Identity, Network Identity, and Endpoint Assessment
[Diagram: endpoint running the OAC agent, AAA servers / identity stores, the Infranet Controller, Phase 1 Enforcers and 802.1x switches/APs, with these flows: L3 (IP): user auth, endpoint check, dynamic role provisioning, user access to L3 resources in VLANs; 802.1x (EAPoR): user auth, endpoint check, VLAN enforcement; 802.1x (EAPoL): user auth, endpoint check]
Endpoint (OAC):
• Users get their machine profiled
• Authenticates to the Infranet Controller
• L3 direct (over IP)
• 802.1x via switch or AP
Phase 1 Enforcers:
• Enforce access policies defined by the Infranet Controller for endpoints
• Allow user connectivity as determined by the Infranet Controller
Infranet Controller (IC):
• Authenticates users (using existing AAA infrastructure)
• Determines users' access rights to network resources
• Provisions access for the endpoint on the Enforcers & 802.1x devices
• Central policy manager that pushes policy to Endpoints and Enforcement points
Phase 2.0 Enforcement:
• Enforces access policies defined by the Infranet Controller at Layer 2 using 802.1x and VLANs
• Any 802.1x-enabled device
• User access to L3 protected resources
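The decision flow of the two NAC slides (authenticate the user and host with 802.1x, assess the endpoint, choose the VLAN that stitches the port to a slice, and the open question of dual wireless + FE connections), written out as an added Python example. This is not code from the presentation or from the UAC product; it is a toy policy decision point in the Infranet Controller role. The users, passwords, VLAN numbers, posture rules and the default of denying a second medium are constructed assumptions; the RADIUS attribute numbers for dynamic VLAN assignment (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID = VLAN ID) are the standard ones from RFC 2868 / RFC 3580.

```python
"""Toy policy decision point modelling the UAC flow on the slide: authenticate
the user against an identity store, assess the endpoint, pick a role and
provision a VLAN on the 802.1x enforcer via RADIUS attributes.

Added example, not code from the presentation or from any Juniper product.
Users, passwords, VLAN numbers, posture rules and the dual-connection default
are constructed assumptions for illustration only."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# RADIUS attributes used for dynamic VLAN assignment (RFC 2868 / RFC 3580):
# Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6),
# Tunnel-Private-Group-ID = the VLAN ID as a string.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

# Constructed slice table: role -> VLAN that stitches the campus port to that slice.
ROLE_TO_VLAN = {
    "virtualnet1": 101,  # assumption: VLAN 101 leads to Virtual Network 1
    "virtualnet2": 102,  # assumption: VLAN 102 leads to Virtual Network 2
    "campus": 10,        # assumption: ordinary campus IP network
    "remediation": 999,  # assumption: quarantine VLAN for endpoints failing the check
}

# Constructed identity store: user -> (password, roles the user may request).
# Clear-text passwords only for the toy; a real IC uses the existing AAA servers.
IDENTITY_STORE = {
    "alice": ("correct-horse", {"virtualnet1", "campus"}),
    "bob": ("battery-staple", {"campus"}),
}


@dataclass
class Posture:
    """Endpoint assessment reported by the agent (OAC on the slide)."""
    av_running: bool
    patched: bool


@dataclass
class Session:
    user: str
    mac: str
    vlan: int
    medium: str  # "wired" (FE) or "wireless"


@dataclass
class PolicyDecisionPoint:
    """Plays the Infranet Controller: authenticate, assess, provision."""
    allow_dual_connection: bool = False
    sessions: Dict[str, Session] = field(default_factory=dict)  # keyed by MAC

    def authenticate(self, user: str, password: str) -> Optional[Set[str]]:
        rec = IDENTITY_STORE.get(user)
        if rec is None or rec[0] != password:
            return None
        return rec[1]

    def decide(self, user, password, mac, medium, posture, requested_slice):
        """Return (role, radius_attrs); attrs None means Access-Reject.

        requested_slice comes either from the user's click or from the agent
        detecting a particular process, the two options the slide lists."""
        allowed = self.authenticate(user, password)
        if allowed is None:
            return ("reject", None)
        # Dual-connection question from the slide (wireless + FE): deny a second
        # medium for the same user unless policy explicitly allows it.
        if not self.allow_dual_connection:
            for s in self.sessions.values():
                if s.user == user and s.medium != medium:
                    return ("reject", None)
        if not (posture.av_running and posture.patched):
            role = "remediation"        # failed endpoint check: quarantine VLAN
        elif requested_slice in allowed:
            role = requested_slice      # authorized for the requested slice
        else:
            role = "campus"             # authenticated, but not a member of that slice
        vlan = ROLE_TO_VLAN[role]
        self.sessions[mac] = Session(user, mac, vlan, medium)
        attrs = {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-ID": str(vlan),
        }
        return (role, attrs)


if __name__ == "__main__":
    pdp = PolicyDecisionPoint()
    ok = Posture(av_running=True, patched=True)
    print(pdp.decide("alice", "correct-horse", "00:11:22:33:44:55", "wired", ok, "virtualnet1"))
    print(pdp.decide("alice", "correct-horse", "00:11:22:33:44:66", "wireless", ok, "virtualnet1"))
```

Two design choices are worth noting for the slide's questions: an endpoint that fails the check is steered to a remediation VLAN rather than rejected outright, so the user can still reach patching resources, and a user who is authenticated but not a member of the requested slice falls back to the plain campus VLAN instead of being granted the slice. Both are policy defaults that a campus would set deliberately.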
Network Access Control example with UAC 2.0 - Interoperability
[Diagram: the TNC roles Access Requestor (AR), Policy Enforcement Point (PEP) and Policy Decision Point (PDP), with 802.1X, AAA servers / identity stores, Protected Resources and Security Event Managers (SEMs)]
UAC: Access Control to a Virtualized Slice
Additional questions on Service Plane and Control Plane for End-to-End Virtualization in R&E networks
[Diagram: the same end-to-end picture: NRENs / GEANT (L2 VPN / VPLS / λ), Regional REN / MAN (IP network) and University / Campus (VLAN / MPLS), each carrying Virtual Network 1 and Virtual Network 2, with the Service Layer (Web Service / SOA) and campus Network Access Control]
1. Interoperability between Service Plane tools? Towards a standard?
2. Stitching NRENs and RRENs/MANs? Will they adopt the NREN Service Plane?
3. Stitching backbone tools with campus network access control?
4. Routing between virtual slices? Impact on BGP?
Conclusion
The Virtualization Paradigm is being adopted as a major trend
Several projects are going on, including in Europe
• E.g. Manticore, Federica…
The end-to-end will probably be a challenge, again…
Opportunity to study further the complete Virtualization Paradigm
• Work on the full picture