rfc9732.original   rfc9732.txt 
TEAS Working Group J. Dong Internet Engineering Task Force (IETF) J. Dong
Internet-Draft Huawei Request for Comments: 9732 Huawei
Intended status: Informational S. Bryant Category: Informational S. Bryant
Expires: 16 December 2024 University of Surrey ISSN: 2070-1721 University of Surrey
Z. Li Z. Li
China Mobile China Mobile
T. Miyasaka T. Miyasaka
KDDI Corporation KDDI Corporation
Y. Lee Y. Lee
Samsung Samsung
14 June 2024 January 2025
A Framework for Network Resource Partition (NRP) based Enhanced Virtual A Framework for Network Resource Partition Based Enhanced Virtual
Private Networks Private Networks
draft-ietf-teas-enhanced-vpn-20
Abstract Abstract
This document describes the framework for Network Resource Partition This document describes the framework for enhanced Virtual Private
(NRP) based Enhanced Virtual Private Networks (VPNs) to support the Networks (VPNs) that are Network Resource Partition (NRP) based in
needs of applications with specific traffic performance requirements order to support the needs of applications with specific traffic
(e.g., low latency, bounded jitter). An NRP represents a subset of performance requirements (e.g., low latency, bounded jitter). An NRP
network resources and associated policies in the underlay network. represents a subset of network resources and associated policies in
NRP-based Enhanced VPNs leverage the VPN and Traffic Engineering (TE) the underlay network. NRP-based enhanced VPNs leverage the VPN and
technologies and add characteristics that specific services require Traffic Engineering (TE) technologies and add characteristics that
beyond those provided by conventional VPNs. Typically, an NRP-based specific services require beyond those provided by conventional VPNs.
enhanced VPN will be used to underpin network slicing, but could also Typically, an NRP-based enhanced VPN will be used to underpin network
be of use in its own right providing enhanced connectivity services slicing, but it could also be of use in its own right providing
between customer sites. This document also provides an overview of enhanced connectivity services between customer sites. This document
relevant technologies in different network layers, and identifies also provides an overview of relevant technologies in different
some areas for potential new work. network layers and identifies some areas for potential new work.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering This document is a product of the Internet Engineering Task Force
Task Force (IETF). Note that other groups may also distribute (IETF). It represents the consensus of the IETF community. It has
working documents as Internet-Drafts. The list of current Internet- received public review and has been approved for publication by the
Drafts is at https://datatracker.ietf.org/drafts/current/. Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are candidates for any level of Internet
Standard; see Section 2 of RFC 7841.
Internet-Drafts are draft documents valid for a maximum of six months Information about the current status of this document, any errata,
and may be updated, replaced, or obsoleted by other documents at any and how to provide feedback on it may be obtained at
time. It is inappropriate to use Internet-Drafts as reference https://www.rfc-editor.org/info/rfc9732.
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 16 December 2024.
Copyright Notice Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 2. Terminology
3. Overview of the Requirements . . . . . . . . . . . . . . . . 7 3. Overview of the Requirements
3.1. Performance Guarantees . . . . . . . . . . . . . . . . . 7 3.1. Performance Guarantees
3.2. Interaction between Enhanced VPN Services . . . . . . . . 9 3.2. Interaction Between Enhanced VPN Services
3.2.1. Requirements on Traffic Isolation . . . . . . . . . . 9 3.2.1. Requirements on Traffic Isolation
3.2.2. Limited Interaction with Other Services . . . . . . . 10 3.2.2. Limited Interaction with Other Services
3.2.3. Realization of Limited Interaction with Enhanced VPN 3.2.3. Realization of Limited Interaction with Enhanced VPN
Services . . . . . . . . . . . . . . . . . . . . . . 11 Services
3.3. Integration with Network Resources and Service 3.3. Integration with Network Resources and Service Functions
Functions . . . . . . . . . . . . . . . . . . . . . . . . 12 3.3.1. Abstraction
3.3.1. Abstraction . . . . . . . . . . . . . . . . . . . . . 12 3.4. Dynamic Changes
3.4. Dynamic Changes . . . . . . . . . . . . . . . . . . . . . 12 3.5. Customized Control
3.5. Customized Control . . . . . . . . . . . . . . . . . . . 13 3.6. Applicability to Overlay Technologies
3.6. Applicability to Overlay Technologies . . . . . . . . . . 14 3.7. Inter-Domain and Inter-Layer Network
3.7. Inter-Domain and Inter-Layer Network . . . . . . . . . . 14 4. The Architecture of NRP-Based Enhanced VPNs
4. The Architecture of NRP-based Enhanced VPNs . . . . . . . . . 14 4.1. Layered Architecture
4.1. Layered Architecture . . . . . . . . . . . . . . . . . . 16 4.2. Connectivity Types
4.2. Connectivity Types . . . . . . . . . . . . . . . . . . . 19 4.3. Application-Specific Data Types
4.3. Application-Specific Data Types . . . . . . . . . . . . . 19 4.4. Scalable Service Mapping
4.4. Scalable Service Mapping . . . . . . . . . . . . . . . . 19 5. Candidate Technologies
5. Candidate Technologies . . . . . . . . . . . . . . . . . . . 20 5.1. Underlay Forwarding Resource Partitioning
5.1. Underlay Forwarding Resource Partitioning . . . . . . . . 21 5.1.1. Flexible Ethernet
5.1.1. Flexible Ethernet . . . . . . . . . . . . . . . . . . 21 5.1.2. Dedicated Queues
5.1.2. Dedicated Queues . . . . . . . . . . . . . . . . . . 21 5.1.3. Time-Sensitive Networking
5.1.3. Time Sensitive Networking . . . . . . . . . . . . . . 22 5.2. Network Layer Encapsulation and Forwarding
5.2. Network Layer Encapsulation and Forwarding . . . . . . . 22 5.2.1. Deterministic Networking (DetNet)
5.2.1. Deterministic Networking . . . . . . . . . . . . . . 22 5.2.2. MPLS Traffic Engineering (MPLS-TE)
5.2.2. MPLS Traffic Engineering (MPLS-TE) . . . . . . . . . 23 5.2.3. Segment Routing
5.2.3. Segment Routing . . . . . . . . . . . . . . . . . . . 23 5.2.4. New Encapsulation Extensions
5.2.4. New Encapsulation Extensions . . . . . . . . . . . . 24 5.3. Non-Packet Data Plane
5.3. Non-Packet Data Plane . . . . . . . . . . . . . . . . . . 24 5.4. Control Plane
5.4. Control Plane . . . . . . . . . . . . . . . . . . . . . . 24 5.5. Management Plane
5.5. Management Plane . . . . . . . . . . . . . . . . . . . . 26 5.6. Applicability of Service Data Models to Enhanced VPNs
5.6. Applicability of Service Data Models to Enhanced VPNs . . 27 6. Applicability in Network Slice Realization
6. Applicability in Network Slice Realization . . . . . . . . . 28 6.1. NRP Planning
6.1. NRP Planning . . . . . . . . . . . . . . . . . . . . . . 28 6.2. NRP Creation
6.2. NRP Creation . . . . . . . . . . . . . . . . . . . . . . 29 6.3. Network Slice Service Provisioning
6.3. Network Slice Service Provisioning . . . . . . . . . . . 29 6.4. Network Slice Traffic Steering and Forwarding
6.4. Network Slice Traffic Steering and Forwarding . . . . . . 29 7. Scalability Considerations
7. Scalability Considerations . . . . . . . . . . . . . . . . . 30 7.1. Maximum Stack Depth of SR
7.1. Maximum Stack Depth of SR . . . . . . . . . . . . . . . . 31 7.2. RSVP-TE Scalability
7.2. RSVP-TE Scalability . . . . . . . . . . . . . . . . . . . 31 7.3. SDN Scaling
7.3. SDN Scaling . . . . . . . . . . . . . . . . . . . . . . . 31 8. Enhanced Resiliency
8. Enhanced Resiliency . . . . . . . . . . . . . . . . . . . . . 32 9. Manageability Considerations
9. Manageability Considerations . . . . . . . . . . . . . . . . 33 9.1. OAM Considerations
9.1. OAM Considerations . . . . . . . . . . . . . . . . . . . 33 9.2. Telemetry Considerations
9.2. Telemetry Considerations . . . . . . . . . . . . . . . . 34 10. Operational Considerations
10. Operational Considerations . . . . . . . . . . . . . . . . . 34 11. Security Considerations
11. Security Considerations . . . . . . . . . . . . . . . . . . . 34 12. IANA Considerations
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35 13. References
13. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 35 13.1. Normative References
14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 36 13.2. Informative References
15. References . . . . . . . . . . . . . . . . . . . . . . . . . 36 Acknowledgements
15.1. Normative References . . . . . . . . . . . . . . . . . . 36 Contributors
15.2. Informative References . . . . . . . . . . . . . . . . . 37 Authors' Addresses
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44
1. Introduction 1. Introduction
Virtual Private Networks (VPNs) have served the industry well as a Virtual Private Networks (VPNs) have served the industry well as a
means of providing different groups of users with logically isolated means of providing different groups of users with logically isolated
connectivity over a common network. The common (base) network that connectivity over a common network. The common (base) network that
is used to provide the VPNs is often referred to as the underlay, and is used to provide the VPNs is often referred to as the "underlay",
the VPN is often called an overlay. and the VPN is often called an "overlay".
Customers of a network operator may request connectivity services Customers of a network operator may request connectivity services
with advanced characteristics, such as low latency guarantees, with advanced characteristics, such as low-latency guarantees,
bounded jitter, or isolation from other services or customers so that bounded jitter, or isolation from other services or customers, so
changes in other services (e.g., changes in network load, or events that changes in other services (e.g., changes in network load, or
such as congestion or outages) have no effect or only acceptable events such as congestion or outages) have no effect or only
effects on the observed throughput or latency of the services acceptable effects on the observed throughput or latency of the
delivered to the customer. These services are referred to as services delivered to the customer. These services are referred to
"enhanced VPNs", as they are similar to VPN services providing the as "enhanced VPNs", as they are similar to VPN services, providing
customer with the required connectivity, but in addition, they also the customer with the required connectivity, but they also provide
provide enhanced characteristics. enhanced characteristics.
This document describes a framework for delivering VPN services with This document describes a framework for delivering VPN services with
enhanced characteristics, such as guaranteed resources, latency, enhanced characteristics, such as guaranteed resources, latency,
jitter, etc. This list is not exhaustive. It is expected that other jitter, etc. This list is not exhaustive. It is expected that other
enhanced features may be added to VPN over time, and it is expected enhanced features may be added to VPN over time and that this
this framework will support these additions with necessary changes or framework will support these additions with necessary changes or
enhancements in some network layers and network planes (data plane, enhancements in some network layers and network planes (data plane,
control plane, and management plane). control plane, and management plane).
The concept of network slicing has gained traction driven largely by The concept of network slicing has gained traction, driven largely by
needs surfacing from 5G [NGMN-NS-Concept] [TS23501] [TS28530]. needs surfacing from 5G (see [NGMN-NS-Concept], [TS23501], and
According to [TS28530], a 5G end-to-end network slice consists of [TS28530]). According to [TS28530], a 5G end-to-end network slice
three major types of network segments: Radio Access Network (RAN), consists of three major types of network segments: Radio Access
Transport Network (TN), and Mobile Core Network (CN). The transport Network (RAN), Transport Network (TN), and mobile Core Network (CN).
network provides the connectivity between different entities in RAN The transport network provides the connectivity between different
and CN segments of a 5G end-to-end network slice, with specific entities in RAN and CN segments of a 5G end-to-end network slice,
performance commitments. with specific performance commitments.
[RFC9543] discusses the general framework, components, and interfaces [RFC9543] discusses the general framework, components, and interfaces
for requesting and operating network slices using IETF technologies. for requesting and operating network slices using IETF technologies.
These network slices may be referred to as RFC 9543 Network Slices, These network slices may be referred to as "RFC 9543 Network Slices",
but in this document (which is solely about IETF technologies) we but in this document (which is solely about IETF technologies), we
simply use the term "network slice" to refer to this concept. A simply use the term "network slice" to refer to this concept. A
network slice service enables connectivity between a set of Service network slice service enables connectivity between a set of Service
Demarcation Points (SDPs) with specific Service Level Objectives Demarcation Points (SDPs) with specific Service Level Objectives
(SLOs) and Service Level Expectations (SLEs) over a common underlay (SLOs) and Service Level Expectations (SLEs) over a common underlay
network. A network slice can be realized as a logical network network. A network slice can be realized as a logical network
connecting a number of endpoints and is associated with a set of connecting a number of endpoints and is associated with a set of
shared or dedicated network resources that are used to satisfy the shared or dedicated network resources that are used to satisfy the
SLOs and SLEs requirements. A network slice is considered as one SLO and SLE requirements. A network slice is considered to be one
target use case of enhanced VPNs. target use case of enhanced VPNs.
[RFC9543] also introduces the concept of Network Resource Partition [RFC9543] also introduces the concept of Network Resource Partition
(NRP), which is a subset of the buffer/queuing/scheduling resources (NRP), which is a subset of the buffer/queuing/scheduling resources
and associated policies on each of a connected set of links in the and associated policies on each of a connected set of links in the
underlay network. An NRP can be associated with a dedicated or underlay network. An NRP can be associated with a dedicated or
shared network topology to select or specify the set of links and shared network topology to select or specify the set of links and
nodes involved. nodes involved.
The requirements of enhanced VPN services cannot simply be met by The requirements of enhanced VPN services cannot simply be met by
overlay networks, as enhanced VPN services require tighter overlay networks: enhanced VPN services require tighter coordination
coordination and integration between the overlay and the underlay and integration between the overlay and the underlay networks.
networks.
In the overlay network, the VPN has been defined as the network In the overlay network, the VPN has been defined as the network
construct to provide the required connectivity for different services construct to provide the required connectivity for different services
or customers. Multiple VPN flavors can be considered to create that or customers. Multiple VPN flavors can be considered to create that
construct [RFC4026]. In the underlay network, the NRP is used to construct [RFC4026]. In the underlay network, the NRP is used to
represent a subset of the network resources and associated policies represent a subset of the network resources and associated policies
in the underlay network. An NRP can be associated with a dedicated in the underlay network. An NRP can be associated with a dedicated
or shared network topology to select or specify the set of links and or shared network topology to select or specify the set of links and
nodes involved. nodes involved.
An enhanced VPN service can be realized by integrating a VPN in the An enhanced VPN service can be realized by integrating a VPN in the
overlay and an NRP in the underlay. This is called an NRP-based overlay and an NRP in the underlay. This is called an "NRP-based
enhanced VPN. In doing so, an enhanced VPN service can provide enhanced VPN". In doing so, an enhanced VPN service can provide
enhanced properties, such as guaranteed resources and assured or enhanced properties, such as guaranteed resources and assured or
predictable performance. An enhanced VPN service may also involve a predictable performance. An enhanced VPN service may also involve a
set of service functions (see Section 1.4 of [RFC7665] for the set of service functions (see Section 1.4 of [RFC7665] for the
definition of service function). The techniques for delivering an definition of service function). The techniques for delivering an
NRP-based enhanced VPN can be used to instantiate a network slice NRP-based enhanced VPN can be used to instantiate a network slice
service (as described in Section 6), and they can also be of use in service (as described in Section 6), and they can also be of use in
general cases to provide enhanced connectivity services between general cases to provide enhanced connectivity services between
customer sites or service endpoints. customer sites or service endpoints.
This document describes a framework for using existing, modified, and This document describes a framework for using existing, modified, and
skipping to change at page 5, line 38 skipping to change at line 223
* The necessary control and management protocols in both the * The necessary control and management protocols in both the
underlay and the overlay of enhanced VPNs. underlay and the overlay of enhanced VPNs.
* The mechanisms to achieve integration between the overlay network * The mechanisms to achieve integration between the overlay network
and the underlay network. and the underlay network.
* The necessary Operation, Administration, and Management (OAM) * The necessary Operation, Administration, and Management (OAM)
methods to instrument an enhanced VPN to make sure that the methods to instrument an enhanced VPN to make sure that the
required Service Level Agreement (SLA) between the customer and required Service Level Agreement (SLA) between the customer and
the network operator is met, and to take any corrective action the network operator is met and to take any corrective action
(such as switching traffic to an alternate path) to avoid SLA (such as switching traffic to an alternate path) to avoid SLA
violation. violation.
One possible layered network structure to achieve these objectives is One possible layered network structure to achieve these objectives is
shown in Section 4.1. shown in Section 4.1.
It is not envisaged that enhanced VPN services will replace It is not envisaged that enhanced VPN services will replace
conventional VPN services. VPN services will continue to be conventional VPN services. VPN services will continue to be
delivered using existing mechanisms and can co-exist with enhanced delivered using existing mechanisms and can coexist with enhanced VPN
VPN services. Whether enhanced VPN features are added to an active services. Whether enhanced VPN features are added to an active VPN
VPN service is deployment-specific. service is deployment specific.
2. Terminology 2. Terminology
In this document, the relationship of the four terms "VPN", "enhanced In this document, the relationship of the four terms "VPN", "enhanced
VPN", "NRP", and "Network Slice" are as follows: VPN", "NRP", and "Network Slice" are as follows:
* A Virtual Private Network (VPN) refers to the overlay network * A Virtual Private Network (VPN) refers to the overlay network
service that provides connectivity between different customer service that provides connectivity between different customer
sites, and that maintains traffic separation between different sites and that maintains traffic separation between different
customers. Examples of technologies to provide VPN services are: customers. Examples of technologies to provide VPN services are
IPVPN [RFC2764], L2VPN [RFC4664], L3VPN [RFC4364], and EVPN as follows: IPVPN [RFC2764], L2VPN [RFC4664], L3VPN [RFC4364], and
[RFC7432]. EVPN [RFC7432].
* An enhanced VPN service is an evolution of the VPN service that * An enhanced VPN service is an evolution of the VPN service that
makes additional service-specific commitments. An NRP-based makes additional service-specific commitments. An NRP-based
enhanced VPN is made by integrating a VPN with a set of network enhanced VPN is made by integrating a VPN with a set of network
resources allocated in the underlay network (i.e. an NRP). resources allocated in the underlay network (i.e., an NRP).
* A Network Resource Partition (NRP) as defined in [RFC9543] is a * A Network Resource Partition (NRP), as defined in [RFC9543], is a
subset of the buffer/queuing/scheduling resources and associated subset of the buffer/queuing/scheduling resources and associated
policies on each of a connected set of links in the underlay policies on each of a connected set of links in the underlay
network. An NRP can be associated with a dedicated or shared network. An NRP can be associated with a dedicated or shared
network topology to select or specify the set of links and nodes network topology to select or specify the set of links and nodes
involved. An NRP is designed to meet the network resources and involved. An NRP is designed to meet the network resources and
performance characteristics required by the enhanced VPN services. performance characteristics required by the enhanced VPN services.
* A network slice service could be delivered by provisioning one or * A network slice service could be delivered by provisioning one or
more NRP-based enhanced VPNs in the network. Other mechanisms for more NRP-based enhanced VPNs in the network. Other mechanisms for
realizing network slices may exist but are not in the scope of realizing network slices may exist but are not in the scope of
this document. this document.
The term "tenant" is used in this document to refer to a customer of The term "tenant" is used in this document to refer to a customer of
the enhanced VPN services. the enhanced VPN services.
The following terms, defined in other documents, are also used in The following terms, defined in other documents, are also used in
this document. this document.
SLA: Service Level Agreement. See [RFC9543]. SLA: Service Level Agreement (see [RFC9543])
SLO: Service Level Objective. See [RFC9543]. SLO: Service Level Objective (see [RFC9543])
SLE: Service Level Expectation. See [RFC9543]. SLE: Service Level Expectation (see [RFC9543])
ACTN: Abstraction and Control of Traffic Engineered Networks ACTN: Abstraction and Control of TE Networks (see [RFC8453])
[RFC8453].
DetNet: Deterministic Networking. See [RFC8655]. DetNet: Deterministic Networking (see [RFC8655])
FlexE: Flexible Ethernet [FLEXE]. FlexE: Flexible Ethernet (see [FLEXE])
TSN: Time Sensitive Networking [TSN]. TSN: Time-Sensitive Networking (see [TSN])
VN: Virtual Network. See [RFC8453]. VN: Virtual Network (see [RFC8453])
3. Overview of the Requirements 3. Overview of the Requirements
This section provides an overview of the requirements of an enhanced This section provides an overview of the requirements of an enhanced
VPN service. VPN service.
3.1. Performance Guarantees 3.1. Performance Guarantees
Performance guarantees are committed by network operators to their Performance guarantees are committed by network operators to their
customers in relation to the services delivered to the customers. customers in relation to the services delivered to the customers.
skipping to change at page 7, line 41 skipping to change at line 320
the goal of Deterministic Networking (DetNet) [RFC8655] and Time- the goal of Deterministic Networking (DetNet) [RFC8655] and Time-
Sensitive Networking (TSN) [TSN]. In modern optical networks, loss Sensitive Networking (TSN) [TSN]. In modern optical networks, loss
due to transmission errors already approaches zero, but there is the due to transmission errors already approaches zero, but there is the
possibility of failure of the interface or the fiber itself. This possibility of failure of the interface or the fiber itself. This
type of fault can be addressed by some form of signal duplication and type of fault can be addressed by some form of signal duplication and
transmission over diverse paths. transmission over diverse paths.
Guaranteed maximum latency is required by a number of applications, Guaranteed maximum latency is required by a number of applications,
particularly real-time control applications and some types of particularly real-time control applications and some types of
augmented reality and virtual reality (AR/VR) applications. DetNet augmented reality and virtual reality (AR/VR) applications. DetNet
techniques may be considered [RFC8655], however additional methods of techniques may be considered [RFC8655]; however, additional methods
enhancing the underlay to better support the delay guarantees may be of enhancing the underlay to better support the delay guarantees may
needed, and these methods will need to be integrated with the overall be needed. These methods will need to be integrated with the overall
service provisioning mechanisms. service provisioning mechanisms.
Guaranteed maximum delay variation is a performance guarantee that Guaranteed maximum delay variation is a performance guarantee that
may also be needed. [RFC8578] calls up a number of cases that need may also be needed. [RFC8578] calls up a number of cases that need
this guarantee, for example in electrical utilities. Time transfer this guarantee, for example, in electrical utilities. Time transfer
is an example service that needs a performance guarantee, although it is an example service that needs a performance guarantee, although it
is in the nature of time that the service might be delivered by the is in the nature of time that the service might be delivered by the
underlay as a shared service and not provided through different underlay as a shared service and not provided through different
enhanced VPNs. Alternatively, a dedicated enhanced VPN might be used enhanced VPNs. Alternatively, a dedicated enhanced VPN might be used
to provide time transfer as a shared service. to provide time transfer as a shared service.
This suggests that a spectrum of service guarantees needs to be This suggests that a spectrum of service guarantees needs to be
considered when designing and deploying an enhanced VPN. For considered when designing and deploying an enhanced VPN. For
illustration purposes and without claiming to be exhaustive, four illustration purposes and without claiming to be exhaustive, four
types of services are considered: types of services are considered:
skipping to change at page 8, line 31 skipping to change at line 351
* Assured bandwidth * Assured bandwidth
* Guaranteed latency * Guaranteed latency
* Enhanced delivery * Enhanced delivery
It is noted that some services may have mixed requirements from this It is noted that some services may have mixed requirements from this
list, e.g., both assured bandwidth and guaranteed latency can be list, e.g., both assured bandwidth and guaranteed latency can be
required. required.
The best effort service is the basic connectivity service that can be The best-effort service is the basic connectivity service that can be
provided by current VPNs. provided by current VPNs.
An assured bandwidth service is a connectivity service in which the An assured bandwidth service is a connectivity service in which the
bandwidth over some period of time is assured. This could be bandwidth over some period of time is assured. This could be
achieved either simply based on a best effort service with over- achieved either simply based on a best-effort service with over-
capacity provisioning, or it can be based on MPLS traffic engineered capacity provisioning or based on MPLS TE Label Switching Paths (TE-
label switching paths (TE-LSPs) with bandwidth reservations. LSPs) with bandwidth reservations. Depending on the technique used,
Depending on the technique used, however, the bandwidth is not however, the bandwidth is not necessarily assured at any instant.
necessarily assured at any instant. Providing assured bandwidth to Providing assured bandwidth to VPNs, for example, by using per-VPN
VPNs, for example by using per-VPN TE-LSPs, is not widely deployed at TE-LSPs, is not widely deployed at least partially due to scalability
least partially due to scalability concerns. The more common concerns. The more common approach of aggregating multiple VPNs onto
approach of aggregating multiple VPNs onto common TE-LSPs results in common TE-LSPs results in shared bandwidth and so may reduce the
shared bandwidth and so may reduce the assurance of bandwidth to any assurance of bandwidth to any one service. Enhanced VPNs aim to
one service. Enhanced VPNs aim to provide a more scalable approach provide a more scalable approach for such services.
for such services.
A guaranteed latency service has an upper bound to edge-to-edge A guaranteed latency service has an upper bound to edge-to-edge
latency. Assuring the upper bound is sometimes more important than latency. Assuring the upper bound is sometimes more important than
minimizing latency. There are several new technologies that provide minimizing latency. There are several new technologies that provide
some assistance with this performance guarantee. Firstly, the IEEE some assistance with this performance guarantee:
TSN project [TSN] introduces the concept of scheduling of delay- and
loss-sensitive packets. FlexE [FLEXE] is also useful to help provide * the IEEE TSN project [TSN] introduces the concept of scheduling of
a guaranteed upper bound to latency. DetNet is also of relevance in delay-sensitive and loss-sensitive packets.
assuring an upper bound of end-to-end packet latency in the network
layer. The use of these technologies to deliver enhanced VPN * FlexE [FLEXE] is useful to help provide a guaranteed upper bound
services needs to be considered when a guaranteed latency service is to latency.
required.
* DetNet is of relevance in assuring an upper bound of end-to-end
packet latency in the network layer.
The use of these technologies to deliver enhanced VPN services needs
to be considered when a guaranteed latency service is required.
An enhanced delivery service is a connectivity service in which the An enhanced delivery service is a connectivity service in which the
underlay network (at Layer 3) needs to ensure to eliminate or underlay network (at Layer 3) needs to ensure to eliminate or
minimize packet loss in the event of equipment or media failures. minimize packet loss in the event of equipment or media failures.
This may be achieved by delivering a copy of the packet through This may be achieved by delivering a copy of the packet through
multiple paths. Such a mechanism may need to be used for enhanced multiple paths. Such a mechanism may need to be used for enhanced
VPN services. VPN services.
3.2. Interaction between Enhanced VPN Services 3.2. Interaction Between Enhanced VPN Services
There is a fine distinction between how a customer requests limits on There is a fine distinction between how a customer requests limits on
interaction between an enhanced VPN service and other services interaction between an enhanced VPN service and other services
(whether they are other enhanced VPN services or any other network (whether they are other enhanced VPN services or any other network
service), and how that is delivered by the service provider. This service) and how that is delivered by the service provider. This
section examines the requirements and realization of limited section examines the requirements and realization of limited
interaction between an enhanced VPN service and other services. interaction between an enhanced VPN service and other services.
3.2.1. Requirements on Traffic Isolation 3.2.1. Requirements on Traffic Isolation
Traffic isolation is a generic term that can be used to describe the "Traffic isolation" is a generic term that can be used to describe
requirements for separating the services of different customers or the requirements for separating the services of different customers
different service types in the network. In the context of network or different service types in the network. In the context of network
slicing, traffic isolation is defined as an SLE of the network slice slicing, traffic isolation is defined as an SLE of the network slice
service (Section 8.1 of [RFC9543]), which is one element of the SLA. service (Section 8.1 of [RFC9543]), which is one element of the SLA.
A customer may care about disruption caused by other services, A customer may care about disruption caused by other services,
contamination by other traffic, or delivery of their traffic to the contamination by other traffic, or delivery of their traffic to the
wrong destinations. wrong destinations.
A customer may want to specify (and thus pay for) the traffic A customer may want to specify (and thus pay for) the traffic
isolation provided by the service provider. Some customers (banking, isolation provided by the service provider. Some customers (banking,
for example) may have strict requirements on how their flows are for example) may have strict requirements on how their flows are
handled when delivered over a shared network. Some professional handled when delivered over a shared network. Some professional
services are used to relying on specific certifications and audits to services are used to relying on specific certifications and audits to
ensure the compliancy of a network with traffic isolation ensure the compliancy of a network with traffic-isolation
requirements, and specifically to prevent data leaks. requirements and, specifically, to prevent data leaks.
With traffic isolation, a customer expects that the service traffic With traffic isolation, a customer expects that the service traffic
cannot be received by other customers in the same network. In cannot be received by other customers in the same network. In
[RFC4176], traffic isolation is mentioned as one of the requirements [RFC4176], traffic isolation is mentioned as one of the requirements
of VPN customers. Traffic isolation is also described in Section 3.8 of VPN customers. Traffic isolation is also described in Section 3.8
of [RFC7297]. of [RFC7297].
There can be different expectations of traffic isolation. For There can be different expectations of traffic isolation. For
example, a customer may further request the protection of their example, a customer may further request the protection of their
traffic by requesting specific encryption schemes at the enhanced VPN traffic by requesting specific encryption schemes at the enhanced VPN
network access and also when transported between Provider Edge (PE) access and also when transported between Provider Edge (PE) nodes.
Nodes.
An enhanced VPN service customer may request traffic isolation An enhanced VPN service customer may request traffic isolation
together with other operator defined service characteristics. The together with other operator-defined service characteristics. The
exact details about the expected behavior need to be specified in the exact details about the expected behavior need to be specified in the
service request, so that meaningful service assurance and fulfillment service request so that meaningful service assurance and fulfillment
feedback can be exposed to the customers. It is out of the scope of feedback can be exposed to the customers. It is out of the scope of
this document to elaborate the service modeling considerations. this document to elaborate the service-modeling considerations.
3.2.2. Limited Interaction with Other Services 3.2.2. Limited Interaction with Other Services
[RFC2211] describes the Controlled Load Service. In that document, [RFC2211] describes the controlled-load service. In that document,
the end-to-end behavior provided to an application by a series of the end-to-end behavior provided to an application by a series of
network elements providing controlled-load service is described as network elements providing controlled-load service is described as
closely approximating to the behavior visible to applications closely approximating to the behavior visible to applications
receiving best-effort service when those network elements are not receiving best-effort service when those network elements are not
carrying substantial traffic from other services. carrying substantial traffic from other services.
Thus, a consumer of a Controlled Load Service may assume that: Thus, a consumer of a controlled-load service may assume that:
* A very high percentage of transmitted packets will be successfully * A very high percentage of transmitted packets will be successfully
delivered by the network to the receiving end-nodes. delivered by the network to the receiving end nodes.
* The transit delay experienced by a very high percentage of the * The transit delay experienced by a very high percentage of the
delivered packets will not greatly exceed the minimum transmit delivered packets will not greatly exceed the minimum transmit
delay experienced by any successfully delivered packet. delay experienced by any successfully delivered packet.
An enhanced VPN customer may request a Controlled Load Service in one An enhanced VPN customer may request a controlled-load service in one
of two ways: of two ways:
1. It may configure a set of SLOs (for example, for delay and loss) 1. It may configure a set of SLOs (for example, for delay and loss)
such that the delivered enhanced VPN meets the behavioral such that the delivered enhanced VPN meets the behavioral
objectives of the customer. objectives of the customer.
2. As described in [RFC2211], a customer may request the Controlled 2. As described in [RFC2211], a customer may request the controlled-
Load Service without reference to or specification of specific load service without reference to or specification of specific
target values for control parameters such as delay or loss. target values for control parameters such as delay or loss.
Instead, acceptance of a request for Controlled Load Service is Instead, acceptance of a request for controlled-load service is
defined to imply a commitment by the network element to provide defined to imply a commitment by the network element to provide
the requestor with service closely equivalent to that provided to the requestor with service closely equivalent to that provided to
uncontrolled (best-effort) traffic under lightly loaded uncontrolled (best-effort) traffic under lightly loaded
conditions. This way of requesting the service is an SLE. conditions. This way of requesting the service is an SLE.
Limited interaction between enhanced VPN services does not cover Limited interaction between enhanced VPN services does not cover
service degradation due to non-interaction-related causes, such as service degradation due to non-interaction-related causes, such as
link errors. link errors.
3.2.3. Realization of Limited Interaction with Enhanced VPN Services 3.2.3. Realization of Limited Interaction with Enhanced VPN Services
A service provider may translate the requirements related to limited A service provider may translate the requirements related to limited
interaction into distinct engineering rules in its network. Honoring interaction into distinct engineering rules in its network. Honoring
the service requirement may involve tweaking a set of QoS, TE, the service requirement may involve tweaking a set of QoS, TE,
security, and planning tools, while traffic isolation will involve security, and planning tools, while traffic isolation will involve
adequately configuring routing and authorization capabilities. adequately configuring routing and authorization capabilities.
Concretely, there are many existing techniques which can be used to Concretely, there are many existing techniques that can be used to
provide traffic isolation, such as IP and MPLS VPNs or other multi- provide traffic isolation, such as IP and MPLS VPNs or other multi-
tenant virtual network techniques. Controlled Load Services may be tenant virtual network techniques. Controlled-load services may be
realized as described in [RFC2211]. Other tools may include various realized as described in [RFC2211]. Other tools may include various
forms of resource management and reservation techniques, such as forms of resource management and reservation techniques, such as
network capacity planning, allocating dedicated network resources, network capacity planning, allocating dedicated network resources,
traffic policing or shaping, prioritizing in using shared network traffic policing or shaping, prioritizing in using shared network
resources etc., so that a subset of bandwidth, buffers, and queueing resources, etc., so that a subset of bandwidth, buffers, and queueing
resources can be available in the underlay network to support the resources can be available in the underlay network to support the
enhanced VPN services. enhanced VPN services.
To provide the required traffic isolation, or to reduce the To provide the required traffic isolation, or to reduce the
interaction with other enhanced VPN services, network resources may interaction with other enhanced VPN services, network resources may
need to be reserved in the data plane of the underlay network and need to be reserved in the data plane of the underlay network and
dedicated to traffic from a specific enhanced VPN service or a dedicated to traffic from a specific enhanced VPN service or a
specific group of enhanced VPN services. This may introduce specific group of enhanced VPN services. This may introduce
scalability concerns both in the implementation (as each enhanced VPN scalability concerns both in the implementation (as each enhanced VPN
may need to be tracked in the network) and in how many resources need may need to be tracked in the network) and in how many resources need
to be reserved and how the services are mapped to the resources to be reserved and how the services are mapped to the resources
(Section 4.4). Thus, some trade-off needs to be considered to (Section 4.4). Thus, some trade-off needs to be considered to
provide the traffic isolation and limited interaction between an provide the traffic isolation and limited interaction between an
enhanced VPN services and other services. enhanced VPN service and other services.
A dedicated physical network can be used to meet stricter SLO and SLE A dedicated physical network can be used to meet stricter SLO and SLE
requests, at the cost of allocating resources on a long-term and end- requests, at the cost of allocating resources on a long-term and end-
to-end basis. On the other hand, where adequate traffic isolation to-end basis. On the other hand, where adequate traffic isolation
and limited interaction can be achieved at the packet layer, this and limited interaction can be achieved at the packet layer, this
permits the resources to be shared amongst a group of services and permits the resources to be shared amongst a group of services and
only dedicated to a service on a temporary basis. By combining only dedicated to a service on a temporary basis. By combining
conventional VPNs with TE/QoS/security techniques, an enhanced VPN conventional VPNs with TE/QoS/security techniques, an enhanced VPN
offers a variety of means to honor customer's requirements. offers a variety of means to honor customer's requirements.
3.3. Integration with Network Resources and Service Functions 3.3. Integration with Network Resources and Service Functions
The way to achieve the characteristics demand of an enhanced VPN The way to achieve the characteristics demand of an enhanced VPN
service (such as guaranteed or predictable performance) is by service (such as guaranteed or predictable performance) is by
integrating the overlay VPN with a particular set of resources in the integrating the overlay VPN with a particular set of resources in the
underlay network which are allocated to meet the service underlay network that are allocated to meet the service requirements.
requirements. This needs to be done in a flexible and scalable way This needs to be done in a flexible and scalable way so that it can
so that it can be widely deployed in operators' networks to support a be widely deployed in operators' networks to support a good number of
good number of enhanced VPN services. enhanced VPN services.
Taking mobile networks and in particular 5G into consideration, the Taking mobile networks and, in particular, 5G into consideration, the
integration of the network with service functions is likely a integration of the network with service functions is likely a
requirement. The IETF's work on service function chaining (SFC) requirement. The IETF's work on Service Function Chaining (SFC)
[RFC7665] provides a foundation for this. Service functions in the [RFC7665] provides a foundation for this. Service functions in the
underlay network can be considered as part of the enhanced VPN underlay network can be considered to be part of the enhanced VPN
services, which means the service functions may need to be an services, which means the service functions may need to be an
integral part of the corresponding NRP. The details of the integral part of the corresponding NRP. The details of the
integration between service functions and enhanced VPNs are out of integration between service functions and enhanced VPNs are out of
the scope of this document. the scope of this document.
3.3.1. Abstraction 3.3.1. Abstraction
Integration of the overlay VPN and the underlay network resources and Integration of the overlay VPN and the underlay network resources and
service functions does not always need to be a direct mapping. As service functions does not always need to be a direct mapping. As
described in [RFC7926], abstraction is the process of applying policy described in [RFC7926], abstraction is the process of applying policy
to a set of information about a traffic engineered (TE) network to to a set of information about a traffic engineered (TE) network to
produce selective information that represents the potential ability produce selective information that represents the potential ability
to connect across the network. The process of abstraction presents to connect across the network. The process of abstraction presents
the connectivity graph in a way that is independent of the underlying the connectivity graph in a way that is independent of the underlying
network technologies, capabilities, and topology so that the graph network technologies, capabilities, and topology so that the graph
can be used to plan and deliver network services in a uniform way. can be used to plan and deliver network services in a uniform way.
With the approach of abstraction, an enhanced VPN may be built on top With the approach of abstraction, an enhanced VPN may be built on top
of an abstracted topology that represents the connectivity of an abstracted topology that represents the connectivity
capabilities of the underlay TE based network as described in the capabilities of the underlay TE-based network as described in the
framework for Abstraction and Control of TE Networks (ACTN) [RFC8453] framework for Abstraction and Control of TE Networks (ACTN) [RFC8453]
as discussed further in Section 5.5. as discussed further in Section 5.5.
3.4. Dynamic Changes 3.4. Dynamic Changes
Enhanced VPNs need to be created, modified, and removed from the Enhanced VPNs need to be created, modified, and removed from the
network according to service demands (including scheduled requests). network according to service demands (including scheduled requests).
An enhanced VPN that requires limited interaction with other services An enhanced VPN that requires limited interaction with other services
(Section 3.2.2) must not be disrupted by the instantiation or (Section 3.2.2) must not be disrupted by the instantiation or
modification of another enhanced VPN service. As discussed in modification of another enhanced VPN service. As discussed in
Section 3.1 of [RFC4176], the assessment of traffic isolation is part Section 3.1 of [RFC4176], the assessment of traffic isolation is part
of the management of a VPN service. Determining whether modification of the management of a VPN service. Determining whether modification
of an enhanced VPN can be disruptive to that enhanced VPN and whether of an enhanced VPN can be disruptive to that enhanced VPN and whether
the traffic in flight will be disrupted can be a difficult problem. the traffic in flight will be disrupted can be a difficult problem.
Dynamic changes both to the enhanced VPN and to the underlay network Dynamic changes both to the enhanced VPN and to the underlay network
need to be managed to avoid disruption to services that are sensitive need to be managed to avoid disruption to services that are sensitive
to changes in network performance. to changes in network performance.
In addition to non-disruptively managing the network during changes In addition to managing the network without disruption during changes
such as the inclusion of a new enhanced VPN service endpoint or a such as the inclusion of a new enhanced VPN service endpoint or a
change to a link, enhanced VPN traffic might need to be moved because change to a link, enhanced VPN traffic might need to be moved because
of changes to traffic patterns and volumes. This means that during of changes to traffic patterns and volume. This means that during
the lifetime of an enhanced VPN service, closed-loop optimization is the lifetime of an enhanced VPN service, closed-loop optimization is
needed so that the delivered service always matches the ordered needed so that the delivered service always matches the ordered
service SLA. service SLA.
The data plane aspects of this problem are discussed further in The data plane aspects of this problem are discussed further in
Section 5.1, Section 5.2, and Section 5.3. Sections 5.1, 5.2, and 5.3.
The control plane aspects of this problem are discussed further in The control plane aspects of this problem are discussed further in
Section 5.4. Section 5.4.
The management plane aspects of this problem are discussed further in The management plane aspects of this problem are discussed further in
Section 5.5. Section 5.5.
3.5. Customized Control 3.5. Customized Control
In many cases enhanced VPN services are delivered to customers In many cases enhanced VPN services are delivered to customers
without information about the underlying NRPs. However, depending on without information about the underlying NRPs. However, in some
the agreement between the operator and the customer, in some cases cases, depending on the agreement between the operator and the
the customer may also be provided with some information about the customer, the customer may also be provided with some information
underlying NRPs. Such information can be filtered or aggregated about the underlying NRPs. Such information can be filtered or
according to the operator's policy. This allows the customer of an aggregated according to the operator's policy. This allows the
enhanced VPN service to have some visibility and even control over customer of an enhanced VPN service to have some visibility and even
how the underlying topology and resources of the NRP are used. For control over how the underlying topology and resources of the NRP are
example, the customers may be able to specify the path or path used. For example, the customer may be able to specify the path or
constraints within the NRP for specific traffic flows of their path constraints within the NRP for specific traffic flows of their
enhanced VPN service. Depending on the requirements, an enhanced VPN enhanced VPN service. Depending on the requirements, an enhanced VPN
customer may have their own network controller, which may be provided customer may have their own network controller, which may be provided
with an interface to the control or management system run by the with an interface to the control or management system run by the
network operator. Note that such a control is within the scope of network operator. Note that such a control is within the scope of
the customer's enhanced VPN service; any additional changes beyond the customer's enhanced VPN service; any additional changes beyond
this would require some intervention by the network operator. this would require some intervention by the network operator.
A description of the control plane aspects of this problem are A description of the control plane aspects of this problem are
discussed further in Section 5.4. A description of the management discussed further in Section 5.4. A description of the management
plane aspects of this feature can be found in Section 5.5. plane aspects of this feature can be found in Section 5.5.
3.6. Applicability to Overlay Technologies 3.6. Applicability to Overlay Technologies
The concept of an enhanced VPN can be applied to any existing and The concept of an enhanced VPN can be applied to any existing and
future multi-tenancy overlay technologies including but not limited future multi-tenancy overlay technologies including but not limited
to: to:
* Layer-2 point-to-point services, such as pseudowires [RFC3985] * Layer 2 point-to-point (P2P) services, such as pseudowires (see
[RFC3985])
* Layer-2 VPNs [RFC4664] * Layer 2 VPNs (see [RFC4664])
* Ethernet VPNs [RFC7209], [RFC7432] * Ethernet VPNs (see [RFC7209] and [RFC7432])
* Layer-3 VPNs [RFC4364], [RFC2764] * Layer 3 VPNs (see [RFC4364] and [RFC2764])
Where such VPN service types need enhanced isolation and delivery Where such VPN service types need enhanced isolation and delivery
characteristics, the technologies described in Section 5 can be used characteristics, the technologies described in Section 5 can be used
to tweak the underlay to provide the required enhanced performance. to tweak the underlay to provide the required enhanced performance.
3.7. Inter-Domain and Inter-Layer Network 3.7. Inter-Domain and Inter-Layer Network
In some scenarios, an enhanced VPN service may span multiple network In some scenarios, an enhanced VPN service may span multiple network
domains. A domain is considered to be any collection of network domains. A domain is considered to be any collection of network
elements under the responsibility of the same administrative entity, elements under the responsibility of the same administrative entity,
for example, an Autonomous System (AS). In some domains, the network for example, an Autonomous System (AS). In some domains, the network
operator may manage a multi-layered network, for example, a packet operator may manage a multi-layered network, for example, a packet
network over an optical network. When enhanced VPN services are network over an optical network. When enhanced VPN services are
provisioned in such network scenarios, the technologies used in provisioned in such network scenarios, the technologies used in
different network planes (data plane, control plane, and management different network planes (the data plane, control plane, and
plane) need to provide mechanisms to support multi-domain and multi- management plane) need to provide mechanisms to support multi-domain
layer coordination and integration, so as to provide the required and multi-layer coordination and integration; this is to provide the
service characteristics for different enhanced VPN services, and required service characteristics for different enhanced VPN services
improve network efficiency and operational simplicity. The and improve network efficiency and operational simplicity. The
mechanisms for multi-domain VPNs [RFC4364] may be reused, and some mechanisms for multi-domain VPNs (see [RFC4364]) may be reused, and
enhancement may be needed to meet the additional requirements of some enhancement may be needed to meet the additional requirements of
enhanced VPN services. enhanced VPN services.
4. The Architecture of NRP-based Enhanced VPNs 4. The Architecture of NRP-Based Enhanced VPNs
Multiple NRP-based enhanced VPN services can be provided by a common Multiple NRP-based enhanced VPN services can be provided by a common
network infrastructure. Each NRP-based enhanced VPN service is network infrastructure. Each NRP-based enhanced VPN service is
provisioned with an overlay VPN and mapped to a corresponding NRP, provisioned with an overlay VPN and mapped to a corresponding NRP,
which has a specific set of network resources and service functions which has a specific set of network resources and service functions
allocated in the underlay to satisfy the needs of the customer. One allocated in the underlay to satisfy the needs of the customer. One
NRP may support one or more NRP-based enhanced VPN services. The NRP may support one or more NRP-based enhanced VPN services. The
integration between the overlay connectivity and the underlay integration between the overlay connectivity and the underlay
resources ensures the required isolation between different enhanced resources ensures the required isolation between different enhanced
VPN services, and achieves the guaranteed performance for different VPN services and achieves the guaranteed performance for different
customers. customers.
The NRP-based enhanced VPN architecture needs to be designed with The NRP-based enhanced VPN architecture needs to be designed with
consideration given to: consideration given to:
* An enhanced data plane. * An enhanced data plane.
* A control plane to create enhanced VPNs and NRPs, making use of * A control plane to create enhanced VPNs and NRPs, making use of
the data plane isolation and performance guarantee techniques. the data plane isolation and performance guarantee techniques.
* A management plane for enhanced VPN service life-cycle management. * A management plane to manage enhanced VPN service life cycles.
* The OAM mechanisms for enhanced VPNs and the underlying NRPs. * The OAM mechanisms for enhanced VPNs and the underlying NRPs.
* Telemetry mechanisms for enhanced VPNs and the underlying NRPs. * Telemetry mechanisms for enhanced VPNs and the underlying NRPs.
These topics are expanded below. These topics are expanded below.
* The enhanced data plane provides: * The enhanced data plane provides:
- The required packet latency and jitter characteristics. - The required packet-latency and jitter characteristics.
- The required packet loss characteristics. - The required packet-loss characteristics.
- The required resource isolation capability, e.g., bandwidth - The required resource-isolation capability, e.g., bandwidth
guarantee. guarantee.
- The mechanism to associate a packet with the set of resources - The mechanism to associate a packet with the set of resources
allocated to an NRP which the enhanced VPN service packet is allocated to an NRP to which the enhanced VPN service packet is
mapped to. mapped.
* The control plane: * The control plane:
- Collects information about the underlying network topology and - Collects information about the underlying network topology and
network resources, and exports this to network nodes and/or a network resources and exports this to network nodes and/or a
centralized controller as required. centralized controller as required.
- Creates NRPs with the network resource and topology properties - Creates NRPs with the network resource and topology properties
needed by the enhanced VPN services. needed by the enhanced VPN services.
- Distributes the attributes of NRPs to network nodes which - Distributes the attributes of NRPs to network nodes that
participate in the NRPs and/or a centralized controller. participate in the NRPs and/or a centralized controller.
- Computes and sets up network paths in each NRP. - Computes and sets up network paths in each NRP.
- Maps enhanced VPN services to an appropriate NRP. - Maps enhanced VPN services to an appropriate NRP.
- Determines the risk of SLA violation and takes appropriate - Determines the risk of SLA violation and takes appropriate
avoiding/correction actions. avoidance/correction actions.
- Considers the right balance of per-packet and per-node state - Considers the right balance of per-packet and per-node state
according to the needs of the enhanced VPN services to scale to according to the needs of the enhanced VPN services to scale to
the required size. the required size.
* The management plane includes management interfaces, the * The management plane includes management interfaces, the
Operations, Administration, and Maintenance (OAM) and Telemetry Operations, Administration, and Maintenance (OAM) and telemetry
mechanisms. More specifically, it provides: mechanisms. More specifically, it provides:
- An interface between the enhanced VPN service provider (e.g., - An interface between the enhanced VPN service provider (e.g.,
operator's network management system) and the enhanced VPN the operator's network management system) and the enhanced VPN
customer (e.g., an organization or a service with enhanced VPN customer (e.g., an organization or service with an enhanced VPN
requirement) such that the operation requests and the related requirement) such that the operation requests and the related
parameters can be exchanged without the awareness of other parameters can be exchanged without the awareness of other
enhanced VPN customers. enhanced VPN customers.
- An interface between the enhanced VPN service provider and the - An interface between the enhanced VPN service provider and the
enhanced VPN customers to expose the network capability enhanced VPN customers to expose the network capability
information toward the customer. information toward the customer.
- The service life-cycle management and operation of enhanced VPN - The service life-cycle management and operation of enhanced VPN
services (e.g., creation, modification, assurance/monitoring, services (e.g., creation, modification, assurance/monitoring,
and decommissioning). and decommissioning).
- The OAM tools to verify whether the underlay network resources - The OAM tools to verify whether the underlay network resources
(i.e. NRPs) are correctly allocated and operating properly. (i.e., NRPs) are correctly allocated and operating properly.
- The OAM tools to verify the connectivity and monitor the - The OAM tools to verify the connectivity and monitor the
performance of the enhanced VPN service. performance of the enhanced VPN service.
- Telemetry of information in the underlay network for overall - Telemetry of information in the underlay network for overall
performance evaluation and the planning of the enhanced VPN performance evaluation and the planning of the enhanced VPN
services. services.
- Telemetry of information of enhanced VPN services for - Telemetry of information of enhanced VPN services for
monitoring and analytics of the characteristics and SLA monitoring and analytics of the characteristics and SLA
fulfillment of the enhanced VPN services. fulfillment of the enhanced VPN services.
4.1. Layered Architecture 4.1. Layered Architecture
The layered architecture of NRP-based enhanced VPNs is shown in The layered architecture of NRP-based enhanced VPNs is shown in
Figure 1. Figure 1.
Underpinning everything is the physical network infrastructure layer Underpinning everything is the physical network infrastructure layer,
which provides the underlying resources used to provision the which provides the underlying resources used to provision the
separate NRPs. This layer is responsible for the partitioning of separate NRPs. This layer is responsible for the partitioning of
link and/or node resources for different NRPs. Each subset of link link and/or node resources for different NRPs. Each subset of a link
or node resource can be considered as a virtual link or virtual node or node resource can be considered to be a virtual link or virtual
used to build the NRPs. node used to build the NRPs.
/\ /\
|| ||
+-------------------+ Centralized +-------------------+ Centralized
| Network Controller| Control & Management | Network Controller| Control & Management
+-------------------+ +-------------------+
|| ||
\/ \/
o---------------------------o Enhanced VPN #1 o---------------------------o Enhanced VPN #1
/-------------o /-------------o
skipping to change at page 18, line 18 skipping to change at line 817
Figure 1: The Layered Architecture of Enhanced VPNs Figure 1: The Layered Architecture of Enhanced VPNs
Various components and techniques discussed in Section 5 can be used Various components and techniques discussed in Section 5 can be used
to enable resource partitioning of the physical network to enable resource partitioning of the physical network
infrastructure, such as FlexE, TSN, dedicated queues, etc. These infrastructure, such as FlexE, TSN, dedicated queues, etc. These
partitions may be physical or virtual so long as the SLA required by partitions may be physical or virtual so long as the SLA required by
the higher layers is met. the higher layers is met.
Based on the set of network resource partitions provided by the Based on the set of network resource partitions provided by the
physical network infrastructure, multiple NRPs can be created, each physical network infrastructure, multiple NRPs can be created. Each
with a set of dedicated or shared network resources allocated from of these NRPs:
the physical underlay network, and each can be associated with a
customized logical network topology, so as to meet the requirements
of different enhanced VPN services or different groups of enhanced
VPN services. According to the associated logical network topology,
each NRP needs to be instantiated on a set of network nodes and links
which are involved in the logical topology. And on each node or
link, each NRP is associated with a set of local resources which are
allocated for the processing of traffic in the NRP. The NRP provides
the integration between the logical network topology and the required
underlying network resources.
According to the service requirements of connectivity, performance * has a set of dedicated or shared network resources allocated from
and isolation, etc., enhanced VPN services can be mapped to the the physical underlay network, and
* can be associated with a customized logical network topology so as
to meet the requirements of different enhanced VPN services or
different groups of enhanced VPN services.
According to the associated logical network topology, each NRP needs
to be instantiated on a set of network nodes and links that are
involved in the logical topology. On each node or link, each NRP is
associated with a set of local resources that are allocated for the
processing of traffic in the NRP. The NRP provides the integration
between the logical network topology and the required underlying
network resources.
According to the service requirements of connectivity, performance,
isolation, etc., enhanced VPN services can be mapped to the
appropriate NRPs in the network. Different enhanced VPN services can appropriate NRPs in the network. Different enhanced VPN services can
be mapped to different NRPs, while it is also possible that multiple be mapped to different NRPs; it is also possible that multiple
enhanced VPN services are mapped to the same NRP. Thus, the NRP is enhanced VPN services are mapped to the same NRP. Thus, the NRP is
an essential scaling technique, as it has the potential of an essential scaling technique as it has the potential of eliminating
eliminating per-service per-path state from the network. In per-service per-path state from the network. In addition, when a
addition, when a group of enhanced VPN services are mapped to a group of enhanced VPN services is mapped to a single NRP, only the
single NRP, only the network state of the single NRP needs to be network state of the single NRP needs to be maintained in the network
maintained in the network (see Section 4.4 for more information). (see Section 4.4 for more information).
The network controller is responsible for creating an NRP, The network controller is responsible for creating an NRP,
instructing the involved network nodes to allocate network resources instructing the involved network nodes to allocate network resources
to the NRP, and provisioning the enhanced VPN services on the NRP. A to the NRP, and provisioning the enhanced VPN services on the NRP. A
distributed control plane may be used for distributing the NRP distributed control plane may be used for distributing the NRP
resource and topology attributes among nodes in the NRP. Extensions resource and topology attributes among nodes in the NRP. Extensions
to distributed control protocols (if any) are out of the scope of to distributed control protocols (if any) are out of the scope of
this document. this document.
The process used to create NRPs and to allocate network resources for The process used to create NRPs and to allocate network resources for
use by the NRPs needs to take a holistic view of the needs of all of use by the NRPs needs to take a holistic view of the needs of all of
the service provider's customers and to partition the resources the service provider's customers and to partition the resources
accordingly. However, within an NRP these resources can, if accordingly. However, within an NRP, these resources can be managed
required, be managed via a dynamic control plane. This provides the via a dynamic control plane if required. This provides the required
required scalability and isolation with some flexibility. scalability and isolation with some flexibility.
4.2. Connectivity Types 4.2. Connectivity Types
At the VPN service level, the required connectivity for an MP2MP VPN At the VPN service level, the required connectivity for a Multipoint-
service is usually full or partial mesh. To support such VPN to-Multipoint (MP2MP) VPN service is usually full or partial mesh.
services, the corresponding NRP also needs to provide MP2MP To support such VPN services, the corresponding NRP also needs to
connectivity among the end points. provide MP2MP connectivity among the endpoints.
Other service requirements may be expressed at different Other service requirements may be expressed at different
granularities, some of which can be applicable to the whole service, granularities, some of which can be applicable to the whole service
while some others may only be applicable to some pairs of end points. while others may only be applicable to some pairs of endpoints. For
For example, when a particular level of performance guarantee is example, when a particular level of performance guarantee is
required, the point-to-point path through the underlying NRP of the required, the point-to-point path through the underlying NRP of the
enhanced VPN service may need to be specifically engineered to meet enhanced VPN service may need to be specifically engineered to meet
the required performance guarantee. the required performance guarantee.
4.3. Application-Specific Data Types 4.3. Application-Specific Data Types
Although a lot of the traffic that will be carried over enhanced VPN Although a lot of the traffic that will be carried over enhanced VPN
will likely be IP-based, the design must be capable of carrying other will likely be IP based, the design must be capable of carrying other
traffic types, in particular Ethernet traffic. This is easily traffic types, in particular Ethernet traffic. This is easily
accomplished through the various pseudowire (PW) techniques accomplished through various pseudowire (PW) techniques [RFC3985].
[RFC3985].
Where the underlay is MPLS, Ethernet traffic can be carried over an Where the underlay is MPLS, Ethernet traffic can be carried over an
enhanced VPN encapsulated according to the method specified in enhanced VPN encapsulated according to the method specified in
[RFC4448]. Where the underlay is IP, Layer Two Tunneling Protocol - [RFC4448]. Where the underlay is IP, L2 Tunneling Protocol - Version
Version 3 (L2TPv3) [RFC3931] can be used with Ethernet traffic 3 (L2TPv3) [RFC3931] can be used with Ethernet traffic carried
carried according to [RFC4719]. Encapsulations have been defined for according to [RFC4719]. Encapsulations have been defined for most of
most of the common layer-2 types for both PW over MPLS and for the common L2 types for both PW over MPLS and for L2TPv3.
L2TPv3.
4.4. Scalable Service Mapping 4.4. Scalable Service Mapping
VPNs are instantiated as overlays on top of an operator's network and VPNs are instantiated as overlays on top of an operator's network and
offered as services to the operator's customers. An important offered as services to the operator's customers. An important
feature of overlays is that they can deliver services without placing feature of overlays is that they can deliver services without placing
per-service state in the core of the underlay network. per-service state in the core of the underlay network.
An enhanced VPN may need to install some additional state within the An enhanced VPN may need to install some additional state within the
network to achieve the features that they require. Solutions need to network to achieve the features that they require. Solutions need to
take the scale of such state into consideration, and deployment take the scale of such state into consideration, and deployment
architectures should constrain the number of enhanced VPN services so architectures should constrain the number of enhanced VPN services so
that the additional state introduced to the network is acceptable and that the additional state introduced to the network is acceptable and
under control. It is expected that the number of enhanced VPN under control. It is expected that the number of enhanced VPN
services will be small at the beginning, and even in the future the services will be small at the beginning: even in the future, the
number of enhanced VPN services will be fewer than conventional VPNs number of enhanced VPN services will be fewer than conventional VPNs
because existing VPN techniques are good enough to meet the needs of because existing VPN techniques are good enough to meet the needs of
most existing VPN-type services. most existing VPN-type services.
In general, it is not required that the state in the network be In general, it is not required that the state in the network be
maintained in a 1:1 relationship with the enhanced VPN services. It maintained in a 1:1 relationship with the enhanced VPN services. It
will usually be possible to aggregate a set or group of enhanced VPN will usually be possible to aggregate a set or group of enhanced VPN
services so that they share the same NRP and the same set of network services so that they share the same NRP and the same set of network
resources (much in the same way that current VPNs are aggregated over resources (much in the same way that current VPNs are aggregated over
transport tunnels) so that collections of enhanced VPN services that transport tunnels) so that collections of enhanced VPN services that
require the same behavior from the network in terms of resource require the same behavior from the network in terms of resource
reservation, latency bounds, resiliency, etc. can be grouped reservation, latency bounds, resiliency, etc. can be grouped
together. This is an important feature to assist with the scaling together. This is an important feature to assist with the scaling
characteristics of NRP-based enhanced VPN deployments. characteristics of NRP-based enhanced VPN deployments.
[I-D.ietf-teas-nrp-scalability] provides more details of scalability [NRP-SCALABILITY] provides more details of scalability considerations
considerations for the NRPs used to instantiate NRPs, and Section 7 for the NRPs used to instantiate NRPs, and Section 7 includes a
includes a greater discussion of scalability considerations. greater discussion of scalability considerations.
5. Candidate Technologies 5. Candidate Technologies
A VPN is a virtual network created by applying a demultiplexing A VPN is created by applying a demultiplexing technique to the
technique to the underlying network (the underlay) to distinguish the underlying network (the underlay) to distinguish the traffic of one
traffic of one VPN from that of another. The connections of a VPN VPN from that of another. The connections of a VPN are supported by
are supported by a set of underlay paths. A path that travels by a set of underlay paths. A path that travels by other than the
other than the shortest path through the underlay normally requires shortest path through the underlay normally requires state to specify
state to specify that path. The state of the paths could be applied that path. The state of the paths could be applied to the underlay
to the underlay through the use of the RSVP-TE signaling protocol, or through the use of the RSVP-TE signaling protocol or directly through
directly through the use of an SDN controller. Based on Segment the use of a Software-Defined Networking (SDN) controller. Based on
Routing, state could be maintained at the ingress node of the path, Segment Routing (SR), state could be maintained at the ingress node
and carried in the data packet. Other techniques may emerge as this of the path and carried in the data packet. Other techniques may
problem is studied. This state gets harder to manage as the number emerge as this problem is studied. This state gets harder to manage
of paths increases. Furthermore, as we increase the coupling between as the number of paths increases. Furthermore, as we increase the
the underlay and the overlay to support the enhanced VPN service, coupling between the underlay and the overlay to support the enhanced
this state is likely to increase further. Through the use of NRP, a VPN service, this state is likely to increase further. Through the
subset of underlay network resource can be either dedicated for a use of NRP, a subset of underlay network resources can be either
particular enhanced VPN service or shared among a group of enhanced dedicated for a particular enhanced VPN service or shared among a
VPN services. A group of underlay paths can be established using the group of enhanced VPN services. A group of underlay paths can be
common set of network resources of the NRP. established using the common set of network resources of the NRP.
This section describes the candidate technologies, and examines them This section describes the candidate technologies and examines them
in the context of the different network planes that may be used in the context of the different network planes that may be used
together to build NRPs. Section 5.1 discusses the layer-2 packet- together to build NRPs. Section 5.1 discusses the L2 packet-based or
based or frame-based forwarding plane mechanisms for resource frame-based forwarding-plane mechanisms for resource partitioning.
partitioning. Section 5.2 discusses the corresponding encapsulation Section 5.2 discusses the corresponding encapsulation and forwarding
and forwarding mechanisms in the network layer. Non-packet data mechanisms in the network layer. Non-packet data plane mechanisms
plane mechanisms are briefly discussed in Section 5.3. The control are briefly discussed in Section 5.3. The control plane and
plane and management plane mechanisms are discussed in Section 5.4 management plane mechanisms are discussed in Sections 5.4 and 5.5,
and Section 5.5 respectively. respectively.
5.1. Underlay Forwarding Resource Partitioning 5.1. Underlay Forwarding Resource Partitioning
Several candidate layer-2 packet-based or frame-based forwarding Several candidate L2 packet-based or frame-based forwarding-plane
plane mechanisms which can provide the required traffic isolation and mechanisms that can provide the required traffic isolation and
performance guarantees are described in the following sections. performance guarantees are described in the following sections.
5.1.1. Flexible Ethernet 5.1.1. Flexible Ethernet
FlexE [FLEXE] provides the ability to multiplex channels over an FlexE [FLEXE] provides the ability to multiplex channels over an
Ethernet link to create point-to-point fixed-bandwidth connections in Ethernet link to create point-to-point fixed-bandwidth connections in
a way that provides separation between enhanced VPN services. FlexE a way that provides separation between enhanced VPN services. FlexE
also supports bonding links to create larger links out of multiple also supports bonding links to create larger links out of multiple
low-capacity links. low-capacity links.
However, FlexE is only a link-level technology. When packets are However, FlexE is only a link-level technology. When packets are
received by the downstream node, they need to be processed in a way received by the downstream node, they need to be processed in a way
that preserves that traffic isolation in the downstream node. This that preserves that traffic isolation in the downstream node. In
in turn requires a queuing and forwarding implementation that turn, this requires a queuing and forwarding implementation that
preserves the end-to-end separation of enhanced VPNs. preserves the end-to-end separation of enhanced VPNs.
If different FlexE channels are used for different services, then no If different FlexE channels are used for different services, then no
sharing is possible between the FlexE channels. This means that it sharing is possible between the FlexE channels. Thus, it may be
may be difficult to dynamically redistribute unused bandwidth to difficult to dynamically redistribute unused bandwidth to lower
lower priority services in another FlexE channel. If one FlexE priority services in another FlexE channel. If one FlexE channel is
channel is used by one customer, the customer can use some methods to used by one customer, the customer can use some methods to manage the
manage the relative priority of their own traffic in the FlexE relative priority of their own traffic in the FlexE channel.
channel.
5.1.2. Dedicated Queues 5.1.2. Dedicated Queues
DiffServ-based queuing systems are described in [RFC2475] and Diffserv-based queuing systems are described in [RFC2475] and
[RFC4594]. This approach is not sufficient to provide separation of [RFC4594]. This approach is not sufficient to provide separation of
enhanced VPN services because DiffServ does not provide enough enhanced VPN services because Diffserv does not provide enough
markers to differentiate between traffic of a large number of markers to differentiate between traffic of a large number of
enhanced VPN services. Additionally, DiffServ does not offer the enhanced VPN services. Additionally, Diffserv does not offer the
range of service classes that each enhanced VPN service needs to range of service classes that each enhanced VPN service needs to
provide to its tenants. This problem is particularly acute with an provide to its tenants. This problem is particularly acute with an
MPLS underlay, because MPLS only provides eight traffic classes. MPLS underlay because MPLS only provides eight traffic classes.
In addition, DiffServ, as currently implemented, mainly provides per- In addition, Diffserv, as currently implemented, mainly provides per-
hop priority-based scheduling, and it is difficult to use it to hop priority-based scheduling, and it is difficult to use it to
achieve quantitative resource reservation for different enhanced VPN achieve quantitative resource reservation for different enhanced VPN
services. services.
To address these problems and to reduce the potential interactions To address these problems and to reduce the potential interactions
between enhanced VPN services, it would be necessary to steer traffic between enhanced VPN services, it would be necessary to steer traffic
to dedicated input and output queues per enhanced VPN service or per to dedicated input and output queues per enhanced VPN service or per
group of enhanced VPN services: some routers have a large number of group of enhanced VPN services: some routers have a large number of
queues and sophisticated queuing systems which could support this, queues and sophisticated queuing systems that could support this
while some routers may struggle to provide the granularity and level while some routers may struggle to provide the granularity and level
of separation required by the applications of an enhanced VPN. of separation required by the applications of an enhanced VPN.
5.1.3. Time Sensitive Networking 5.1.3. Time-Sensitive Networking
Time-Sensitive Networking (TSN) [TSN] is an IEEE project to provide a [TSN] is an IEEE project to provide a method of carrying time-
method of carrying time-sensitive information over Ethernet. It sensitive information over Ethernet. It introduces the concept of
introduces the concept of packet scheduling where a packet stream may packet scheduling where a packet stream may be given a time slot
be given a time slot guaranteeing that it experiences no queuing guaranteeing that it will experience no queuing delay or increase in
delay or increase in latency beyond the very small scheduling delay. latency beyond a very small scheduling delay. The mechanisms defined
The mechanisms defined in TSN can be used to meet the requirements of in TSN can be used to meet the requirements of time-sensitive traffic
time-sensitive traffic flows of enhanced VPN service. flows of enhanced VPN service.
Ethernet can be emulated over a layer-3 network using an IP or MPLS Ethernet can be emulated over a L3 network using an IP or MPLS
pseudowire. However, a TSN Ethernet payload would be opaque to the pseudowire. However, a TSN Ethernet payload would be opaque to the
underlay and thus not treated specifically as time-sensitive data. underlay; thus, it would not be treated specifically as time-
The preferred method of carrying TSN over a layer-3 network is sensitive data. The preferred method of carrying TSN over a L3
through the use of deterministic networking as explained in network is through the use of deterministic networking as explained
Section 5.2.1. in Section 5.2.1.
5.2. Network Layer Encapsulation and Forwarding 5.2. Network Layer Encapsulation and Forwarding
This section considers the problem of enhanced VPN service This section considers the problem of enhanced VPN service
differentiation and the representation of underlying network differentiation and the representation of underlying network
resources in the network layer. More specifically, it describes the resources in the network layer. More specifically, it describes the
possible data plane mechanisms to determine the network resources and possible data plane mechanisms to determine the network resources and
the logical network topology or paths associated with an NRP. the logical network topology or paths associated with an NRP.
5.2.1. Deterministic Networking 5.2.1. Deterministic Networking (DetNet)
Deterministic Networking (DetNet) [RFC8655] is a technique being DetNet [RFC8655] is a technique being developed in the IETF to
developed in the IETF to enhance the ability of layer-3 networks to enhance the ability of L3 networks to deliver packets more reliably
deliver packets more reliably and with greater control over the and with greater control over the delay. The design cannot use
delay. The design cannot use re-transmission techniques such as TCP retransmission techniques such as TCP because that can exceed the
since that can exceed the delay tolerated by the applications. delay tolerated by the applications. DetNet preemptively sends
DetNet preemptively sends copies of the packet over various paths to copies of the packet over various paths to minimize the chance of all
minimize the chance of all copies of a packet being lost. It also copies of a packet being lost. It also seeks to set an upper bound
seeks to set an upper bound on latency, but the goal is not to on latency, but the goal is not to minimize latency. DetNet can be
minimize latency. DetNet can be realized over IP data plane realized over the IP data plane [RFC8939] or the MPLS data plane
[RFC8939] or MPLS data plane [RFC8964], and may be used to provide [RFC8964], and it may be used to provide deterministic paths for
deterministic paths for enhanced VPN services. enhanced VPN services.
5.2.2. MPLS Traffic Engineering (MPLS-TE) 5.2.2. MPLS Traffic Engineering (MPLS-TE)
MPLS-TE [RFC2702][RFC3209] introduces the concept of reserving end- MPLS-TE (see [RFC2702] and [RFC3209]) introduces the concept of
to-end bandwidth for a TE-LSP, which can be used to provide a set of reserving end-to-end bandwidth for a TE-LSP, which can be used to
point-to-point resource reserved paths across the underlay network to provide a set of point-to-point resource-reserved paths across the
support VPN services. VPN traffic can be carried over dedicated TE- underlay network to support VPN services. VPN traffic can be carried
LSPs to provide guaranteed bandwidth for each specific connection in over dedicated TE-LSPs to provide guaranteed bandwidth for each
a VPN, and VPNs with similar behavior requirements may be multiplexed specific connection in a VPN, and VPNs with similar behavior
onto the same TE-LSPs. Some network operators have concerns about requirements may be multiplexed onto the same TE-LSPs. Some network
the scalability and management overhead of MPLS-TE system, especially operators have concerns about the scalability and management overhead
with regard to those systems that use an active control plane, and of MPLS-TE system, especially with regard to those systems that use
this has lead them to consider other solutions for traffic an active control plane, and this has lead them to consider other
engineering in their networks. solutions for traffic engineering in their networks.
5.2.3. Segment Routing 5.2.3. Segment Routing
Segment Routing (SR) [RFC8402] is a method that prepends instructions Segment Routing (SR) [RFC8402] is a method that prepends instructions
to packets at the head-end of a path. These instructions are used to to packets at the headend of a path. These instructions are used to
specify the nodes and links to be traversed, and allow the packets to specify the nodes and links to be traversed, and they allow the
be routed on paths other than the shortest path. By encoding the packets to be routed on paths other than the shortest path. By
state in the packet, per-path state is transitioned out of the encoding the state in the packet, per-path state is transitioned out
network. SR can be instantiated using MPLS data plane (SR-MPLS) of the network. SR can be instantiated using the MPLS data plane
[RFC8660] or IPv6 data plane (SRv6) [RFC8986]. (SR-MPLS) (see [RFC8660]) or the IPv6 data plane (SRv6) (see
[RFC8986]).
An SR traffic engineered path operates with a granularity of a link. An SR traffic engineered path operates with the granularity of a
Hints about priority are provided using the Traffic Class (TC) field link. Hints about priority are provided using the Traffic Class (TC)
in the packet header. However, to achieve the performance and field in the packet header. However, to achieve the performance and
isolation characteristics that are sought by enhanced VPN customers, isolation characteristics that are sought by enhanced VPN customers,
it will be necessary to steer packets through specific virtual links it will be necessary to steer packets through specific virtual links
and/or queues on the same link and direct them to use specific and/or queues on the same link and direct them to use specific
resources. With SR, it is possible to introduce such fine-grained resources. With SR, it is possible to introduce such fine-grained
packet steering by specifying the queues and the associated resources packet steering by specifying the queues and the associated resources
through an SR instruction list. One approach to do this is described through an SR instruction list. One approach to do this is described
in [I-D.ietf-spring-resource-aware-segments]. in [RESOURCE-AWARE-SEGMENTS].
Note that the concept of a queue is a useful abstraction for Note that the concept of a queue is a useful abstraction for
different types of underlay mechanism that may be used to provide different types of underlay mechanisms that may be used to provide
enhanced isolation and performance support. How the queue satisfies enhanced isolation and performance support. How the queue satisfies
the requirement is implementation specific and is transparent to the the requirement is implementation specific and is transparent to the
layer-3 data plane and control plane mechanisms used. L3 data plane and control plane mechanisms used.
With Segment Routing, the SR instruction list could be used to build With Segment Routing, the SR instruction list could be used to build
a P2P SR path. In addition, a group of SR Segment Identifiers (SIDs) a P2P SR path. In addition, a group of SR Segment Identifiers (SIDs)
could also be used to represent an MP2MP network. Thus, the SR based could also be used to represent an MP2MP network. Thus, the SR-based
mechanism could be used to provide both resource reserved paths and mechanism could be used to provide both resource-reserved paths and
NRPs for enhanced VPN services. NRPs for enhanced VPN services.
5.2.4. New Encapsulation Extensions 5.2.4. New Encapsulation Extensions
In contrast to reusing existing data plane for enhanced VPN, another In contrast to reusing an existing data plane for enhanced VPN,
possible approach is to introduce new encapsulations or extensions to another possible approach is to introduce new encapsulations or
existing data plane to allow dedicated identifiers for the underlay extensions to an existing data plane to allow dedicated identifiers
network resources of an enhanced VPN, and the logical network for the underlay network resources of an enhanced VPN and the logical
topology or paths associated with an enhanced VPN. This may require network topology or paths associated with an enhanced VPN. This may
more protocol work, while the potential benefit is it can reduce the require more protocol work; however, the potential benefits are that
impact to existing network operation and improve the scalability of it can reduce the impact to existing network operation and improve
enhanced VPN. More details about the encapsulation extensions and the scalability of enhanced VPN. More details about the
the scalability concerns are described in encapsulation extensions and the scalability concerns are described
[I-D.ietf-teas-nrp-scalability]. in [NRP-SCALABILITY].
5.3. Non-Packet Data Plane 5.3. Non-Packet Data Plane
Non-packet underlay data plane technologies, such as optical based Non-packet underlay data plane technologies, such as optical-based
data planes often have TE properties and behaviors, and meet many of data planes, often have TE properties and behaviors. They meet many
the key requirements in particular for bandwidth guarantees, traffic of the key requirements, particularly those for:
isolation (with physical isolation often being an integral part of
the technology), highly predictable latency and jitter * bandwidth guarantees,
characteristics, measurable loss characteristics, and ease of
identification of flows. The cost is that the resources are * traffic isolation (with physical isolation often being an integral
allocated on a long-term and end-to-end basis. Such an arrangement part of the technology),
means that the full cost of the resources has to be borne by the
client to which the resources are allocated. When an NRP built with * highly predictable latency and jitter characteristics,
this data plane is used to support multiple enhanced VPN services,
the cost could be distributed among such a group of services. * measurable loss characteristics, and
* ease of identification of flows.
The cost is that the resources are allocated on a long-term and end-
to-end basis. Such an arrangement means that the full cost of the
resources has to be borne by the client to which the resources are
allocated. When an NRP built with this data plane is used to support
multiple enhanced VPN services, the cost could be distributed among
such a group of services.
5.4. Control Plane 5.4. Control Plane
The control plane of NRP-based enhanced VPNs is likely be based on a The control plane of NRP-based enhanced VPNs is likely to be based on
hybrid control mechanism that takes advantage of a logically a hybrid control mechanism that takes advantage of a logically
centralized controller for on-demand provisioning and global centralized controller for on-demand provisioning and Global
optimization, whilst still relying on a distributed control plane to Concurrent Optimization (GCO) while still relying on a distributed
provide scalability, high reliability, fast reaction, automatic control plane to provide scalability, high reliability, fast
failure recovery, etc. Extension to and optimization of the reaction, automatic failure recovery, etc. Extension to and
centralized and distributed control plane is needed to support the optimization of the centralized and distributed control plane is
enhanced properties of an NRP-based enhanced VPN. needed to support the enhanced properties of an NRP-based enhanced
VPN.
As described in Section 4, the enhanced VPN control plane needs to As described in Section 4, the enhanced VPN control plane needs to
provide the following functions: provide the following functions:
* Collect information about the underlying network topology and * Collection of information about the underlying network topology
network resources, and exports this to network nodes and/or a and network resources and exportation of this to network nodes
centralized controller as required. and/or a centralized controller as required.
* Create NRPs with the network resource and topology properties * Creation of NRPs with the network resource and topology properties
needed by NRP-based enhanced VPN services. needed by NRP-based enhanced VPN services.
* Distribute the attributes of NRPs to network nodes which * Distribution of the attributes of NRPs to network nodes that
participate in the NRPs and/or the centralized controller. participate in the NRPs and/or the centralized controller.
* Map enhanced VPN services to an appropriate NRP. * Mapping of enhanced VPN services to an appropriate NRP.
* Compute and set up service paths in each NRP to meet enhanced VPN * Computation and set up of service paths in each NRP to meet
service requirements. enhanced VPN service requirements.
The collection of underlying network topology and resource Underlying network topology and resource information can be collected
information can be done using the existing IGP and Border Gateway using mechanisms based on the existing IGP and Border Gateway
Protocol - Link State (BGP-LS) [RFC9552] based mechanisms. The Protocol - Link State (BGP-LS) [RFC9552]. The creation of NRPs and
creation of NRPs and the distribution of NRP attributes may need the distribution of NRP attributes may need further control protocol
further control protocol extensions. The computation of service extensions. The computation of service paths based on the attributes
paths based on the attributes and constraints of the NRP can be and constraints of the NRP can be performed either by the headend
performed either by the headend node of the path or a centralized node of the path or by a centralized Path Computation Element (PCE)
Path Computation Element (PCE) [RFC4655]. [RFC4655].
Two candidate control plane mechanisms for path setup in the NRP are: Two candidate control plane mechanisms for path setup in the NRP are
RSVP-TE and Segment Routing (SR). RSVP-TE and Segment Routing (SR).
* RSVP-TE [RFC3209] provides the signaling mechanism for * RSVP-TE, as described in [RFC3209], provides the signaling
establishing a TE-LSP in an MPLS network with end-to-end resource mechanism for establishing a TE-LSP in an MPLS network with end-
reservation. This can be seen as an approach of providing to-end resource reservation. This can be seen as an approach of
resource-reserved paths which could be used to bind the VPN to providing resource-reserved paths that could be used to bind the
specific set of network resources allocated within the underlay, VPN to a specific set of network resources allocated within the
but there remain scalability concerns as mentioned in underlay; however, there remain scalability concerns, as mentioned
Section 5.2.2. in Section 5.2.2.
* The SR control plane [RFC8665] [RFC8667] [RFC9085] does not have * The SR control plane, as described in [RFC8665], [RFC8667], and
the capability of signaling resource reservations along the path. [RFC9085], does not have the capability of signaling resource
On the other hand, the SR approach provides a potential way of reservations along the path. On the other hand, the SR approach
binding the underlay network resource and the NRPs without provides a potential way of binding the underlay network resource
requiring per-path state to be maintained in the network. A and the NRPs without requiring per-path state to be maintained in
centralized controller can perform resource planning and the network. A centralized controller can perform resource
reservation for NRPs, and it needs to instruct the network nodes planning and reservation for NRPs, and it needs to instruct the
to ensure that resources are correctly allocated for the NRP. The network nodes to ensure that resources are correctly allocated for
controller could provision the SR paths based on the mechanism in the NRP. The controller could provision the SR paths based on the
[RFC9256] to the headend nodes of the paths. mechanism in [RFC9256] to the headend nodes of the paths.
According to the service requirements for connectivity, performance According to the service requirements for connectivity, performance,
and isolation, one enhanced VPN service may be mapped to a dedicated and isolation, one enhanced VPN service may be mapped to a dedicated
NRP, or a group of enhanced VPN services may be mapped to the same NRP or a group of enhanced VPN services may be mapped to the same
NRP. The mapping of enhanced VPN services to NRP can be achieved NRP. The mapping of enhanced VPN services to an NRP can be achieved
using existing control mechanisms with possible extensions, and it using existing control mechanisms with possible extensions; it can be
can be based on either the characteristics of the data packet or the based on either the characteristics of the data packet or the
attributes of the VPN service routes. attributes of the VPN service routes.
5.5. Management Plane 5.5. Management Plane
The management plane provides the interface between the enhanced VPN The management plane provides the interface between the enhanced VPN
service provider and the customers for life-cycle management of the service provider and the customers for life-cycle management of the
enhanced VPN service (i.e., creation, modification, assurance/ enhanced VPN service (i.e., creation, modification, assurance/
monitoring, and decommissioning). It relies on a set of service data monitoring, and decommissioning). It relies on a set of service data
models for the description of the information and operations needed models for the description of the information and operations needed
on the interface. on the interface.
As an example, in the context of 5G end-to-end network slicing As an example, in the context of 5G end-to-end network slicing
[TS28530], the management of the transport network segment of the 5G [TS28530], the management of the transport network segment of the 5G
end-to-end network slice can be realized with the management plane of end-to-end network slice can be realized with the management plane of
enhanced VPN. The 3GPP management system may provide the the enhanced VPN. The 3GPP management system may provide the
connectivity and performance-related parameters as requirements to connectivity and performance-related parameters as requirements to
the management plane of the transport network. It may also require the management plane of the transport network. It may also require
the transport network to expose the capabilities and status of the the transport network to expose the capabilities and status of the
network slice. Thus, an interface between the enhanced VPN network slice. Thus, an interface between the enhanced VPN
management plane and the 5G network slice management system, and management plane and the 5G network slice management system, and
relevant service data models are needed for the coordination of 5G relevant service data models are needed for the coordination of 5G
end-to-end network slice management. end-to-end network slice management.
The management plane interface and data models for enhanced VPN The management plane interface and data models for enhanced VPN
services can be based on the service models described in Section 5.6. services can be based on the service models described in Section 5.6.
It is important that the management life-cycle supports in-place It is important that the life-cycle management support in-place
modification of enhanced VPN services. That is, it should be modification of enhanced VPN services. That is, it should be
possible to add and remove end points, as well as to change the possible to add and remove endpoints, as well as to change the
requested characteristics of the service that is delivered. The requested characteristics of the service that is delivered. The
management system needs to be able to assess the revised enhanced VPN management system needs to be able to assess the revised enhanced VPN
requests and determine whether they can be provided by the existing requests and determine whether they can be provided by the existing
NRPs or whether changes must be made, and it will additionally need NRPs or whether changes must be made. It will also need to determine
to determine whether those changes to the NRP are possible. If not, whether those changes to the NRP are possible. If not, then the
then the customer's modification request may be rejected. customer's modification request may be rejected.
When the modification of an enhanced VPN service is possible, the When the modification of an enhanced VPN service is possible, the
management system must make every effort to make the changes in a management system must make every effort to make the changes in a
non-disruptive way. That is, the modification of the enhanced VPN non-disruptive way. That is, the modification of the enhanced VPN
service or the underlying NRP must not perturb traffic on the service or the underlying NRP must not perturb traffic on the
enhanced VPN service in a way that causes the service level to drop enhanced VPN service in a way that causes the service level to drop
below the agreed levels. Furthermore, changes to one enhanced VPN below the agreed levels. Furthermore, changes to one enhanced VPN
service should not cause disruption to other enhanced VPN services. service should not cause disruption to other enhanced VPN services.
The network operator for the underlay network (i.e., the provider of The network operator for the underlay network (i.e., the provider of
the enhanced VPN service) may delegate some operational aspects of the enhanced VPN service) may delegate some operational aspects of
the overlay VPN and the underlying NRP to the customer. In this way, the overlay VPN and the underlying NRP to the customer. In this way,
the enhanced VPN is presented to the customer as a virtual network, the enhanced VPN is presented to the customer as a virtual network,
and the customer can choose how to use that network. Some mechanisms and the customer can choose how to use that network. Some mechanisms
in the operator's network are needed, so that a customer cannot in the operator's network are needed so that:
exceed the capabilities of the virtual links and nodes, but can
decide how to load traffic onto the network, for example, by * a customer cannot exceed the capabilities of the virtual links and
assigning different metrics to the virtual links so that the customer nodes, but
can control how traffic is routed through the virtual network. This
approach requires a management system for the virtual network, but * it can decide how to load traffic onto the network, for example,
does not necessarily require any coordination between the management by assigning different metrics to the virtual links so that the
systems of the virtual network and the physical network, except that customer can control how traffic is routed through the virtual
the virtual network management system might notice when the NRP is network.
close to capacity or considerably under-used and automatically
request changes in the service provided by the underlay network. This approach requires a management system for the virtual network
but does not necessarily require any coordination between the
management systems of the virtual network and the physical network,
except that the virtual network management system might notice when
the NRP is close to capacity or considerably under-used and
automatically request changes in the service provided by the underlay
network.
5.6. Applicability of Service Data Models to Enhanced VPNs 5.6. Applicability of Service Data Models to Enhanced VPNs
This section describes the applicability of the existing and in- This section describes the applicability of the existing and in-
progress service data models to enhanced VPNs. [RFC8309] describes progress service data models to enhanced VPNs. [RFC8309] describes
the scope and purpose of service models and shows where a service the scope and purpose of service models and shows where a service
model might fit into an SDN-based network management architecture. model might fit into an SDN-based network management architecture.
New service models may also be introduced for some of the required New service models may also be introduced for some of the required
management functions. management functions.
Service data models are used to represent, monitor, and manage the Service data models are used to represent, monitor, and manage the
virtual networks and services enabled by enhanced VPNs. The VPN virtual networks and services enabled by enhanced VPNs. The VPN
customer service models (e.g., the Layer 3 VPN Service Model (L3SM) customer service models (e.g., the L3VPN Service Model (L3SM) in
[RFC8299], the Layer 2 VPN Service Model (L2SM) [RFC8466]), or the [RFC8299], the L2VPN Service Model (L2SM) in [RFC8466]), or the ACTN
ACTN Virtual Network (VN) model [I-D.ietf-teas-actn-vn-yang]) are Virtual Network (VN) model in [RFC9731]) are service models that can
service models which can provide the customer's view of the enhanced provide the customer's view of the enhanced VPN service. The L3VPN
VPN service. The Layer-3 VPN Network Model (L3NM) [RFC9182], the Network Model (L3NM) from [RFC9182] and the L2VPN Network Model
Layer-2 VPN network model (L2NM) [RFC9291] provide the operator's (L2NM) from [RFC9291] provide the operator's view of the managed
view of the managed infrastructure as a set of virtual networks and infrastructure as a set of virtual networks and the associated
the associated resources. The Service Attachment Points (SAPs) model resources. The Service Attachment Points (SAPs) model in [RFC9408]
[RFC9408] provides an abstract view of the service attachment points provides an abstract view of the Service Attachment Points (SAPs) to
(SAPs) to various network services in the provider network, where various network services in the provider network, where enhanced VPN
enhanced VPN could be one of the service types. [RFC9375] provides could be one of the service types. [RFC9375] provides the data model
the data model for performance monitoring of network and VPN for performance monitoring of network and VPN services. Augmentation
services. Augmentation to these service models may be needed to to these service models may be needed to provide the enhanced VPN
provide the enhanced VPN services. The NRP model services. The NRP model in [NRP-YANG] further provides the
[I-D.ietf-teas-nrp-yang] further provides the management of the NRP management of the NRP topology and resources both in the controller
topology and resources both in the controller and in the network and in the network devices to instantiate the NRPs needed for the
devices to instantiate the NRPs needed for the enhanced VPN services. enhanced VPN services.
6. Applicability in Network Slice Realization 6. Applicability in Network Slice Realization
This section describes the applicability of NRP-based enhanced VPN This section describes the applicability of NRP-based enhanced VPN
for network slice realization. for network slice realization.
In order to provide network slice services to customers, a In order to provide network slice services to customers, a
technology-agnostic network slice service model technology-agnostic network slice service model [NETWORK-SLICE-YANG]
[I-D.ietf-teas-ietf-network-slice-nbi-yang] is needed for the is needed for the customers to communicate the requirements of
customers to communicate the requirements of network slices (SDPs, network slices (SDPs, connectivity, SLOs, and SLEs). These
connectivity, SLOs, and SLEs). These requirements may be realized requirements may be realized using technology specified in this
using technology specified in this document to instruct the network document to instruct the network to deliver an enhanced VPN service
to deliver an enhanced VPN service so as to meet the requirements of so as to meet the requirements of the network slice customers.
the network slice customers. According to the location of SDPs used According to the location of SDPs used for the network slice service
for the network slice service (see Section 5.2 of [RFC9543]), an SDP (see Section 5.2 of [RFC9543]), an SDP can be mapped to a Customer
can be mapped to a CE, a PE, a port on a CE, or a customer-facing Edge (CE), a PE, a port on a CE, or a customer-facing port on a PE,
port on a PE, any of which can be correlated to the end point of any of which can be correlated to the endpoint of the enhanced VPN
enhanced VPN service. The detailed approach for SDP mapping is service. The detailed approach for SDP mapping is described in
described in [I-D.ietf-teas-ietf-network-slice-nbi-yang]. [NETWORK-SLICE-YANG].
6.1. NRP Planning 6.1. NRP Planning
An NRP is used to support the SLOs and SLEs required by the network An NRP is used to support the SLOs and SLEs required by the network
slice services. According to the network operators' network resource slice services. According to the network operators' network resource
planning policy, or based on the requirements of one or a group of planning policy, or based on the requirements of one or a group of
customers or services, an NRP may need to be created to meet the customers or services, an NRP may need to be created to meet the
requirements of network slice services. One of the basic requirements of network slice services. One of the basic
requirements for the NRP is to provide a set of dedicated network requirements for the NRP is to provide a set of dedicated network
resources to avoid unexpected interference from other services in the resources to avoid unexpected interference from other services in the
same network. Other possible requirements may include the required same network. Other possible requirements may include the required
topology and connectivity, bandwidth, latency, reliability, etc. topology and connectivity, bandwidth, latency, reliability, etc.
A centralized network controller can be responsible for calculating a A centralized network controller can be responsible for calculating a
subset of the underlay network topology (which is called a logical subset of the underlay network topology (which is called a logical
topology) to support the NRP requirement. On the network nodes and topology) to support the NRP requirement. On the network nodes and
links within the logical topology, the set of network resources to be links within the logical topology, the set of network resources to be
allocated to the NRP can also be determined by the controller. allocated to the NRP can also be determined by the controller.
Normally such calculation needs to take the underlay network Normally, such calculation needs to take the underlay network
connectivity information and the available network resource connectivity information and the available network resource
information of the underlay network into consideration. The network information of the underlay network into consideration. The network
controller may also take the status of the existing NRPs into controller may also take the status of the existing NRPs into
consideration in the planning and calculation of a new NRP. consideration in the planning and calculation of a new NRP.
6.2. NRP Creation 6.2. NRP Creation
According to the result of the NRP planning, the network nodes and According to the result of the NRP planning, the network nodes and
links involved in the logical topology of the NRP are instructed to links involved in the logical topology of the NRP are instructed to
allocate the required set of network resources for the NRP. One or allocate the required set of network resources for the NRP. One or
multiple mechanisms as specified in section 5.1 can be used to multiple mechanisms as specified in Section 5.1 can be used to
partition the forwarding plane network resources and allocate partition the forwarding-plane network resources and allocate
different subsets of resources to different NRPs. In addition, the different subsets of resources to different NRPs. In addition, the
data plane identifiers which are used to identify the set of network data plane identifiers that are used to identify the set of network
resources allocated to the NRP are also provisioned on the network resources allocated to the NRP are also provisioned on the network
nodes. Depending on the data plane technologies used, the set of nodes. Depending on the data plane technologies used, the set of
network resources of an NRP can be identified using e.g. either network resources of an NRP can be identified using, e.g., resource-
resource-aware SR segments as specified in aware SR segments as specified in [RESOURCE-AWARE-SEGMENTS] and
[I-D.ietf-spring-resource-aware-segments] [SR-ENHANCED-VPN] or a dedicated Resource ID as specified in
[I-D.ietf-spring-sr-for-enhanced-vpn], or a dedicated Resource ID as [IPv6-NRP-OPTION] can be introduced. The network nodes involved in
specified in [I-D.ietf-6man-enhanced-vpn-vtn-id] can be introduced. an NRP may distribute the logical topology information, the NRP-
The network nodes involved in an NRP may distribute the logical specific network resource information, and the Resource ID of the NRP
topology information, the NRP-specific network resource information using the control plane. Such information could be used by the
and the Resource Identifier of the NRP using the control plane. Such controller and the network nodes to compute the TE or shortest paths
information could be used by the controller and the network nodes to within the NRP and to install the NRP-specific forwarding entries to
compute the TE or shortest paths within the NRP, and install the NRP network nodes.
specific forwarding entries to network nodes.
6.3. Network Slice Service Provisioning 6.3. Network Slice Service Provisioning
According to the connectivity requirements of an network slice According to the connectivity requirements of a network slice
service, an overlay VPN can be created using the existing or future service, an overlay VPN can be created using the existing or future
multi-tenancy overlay technologies as described in Section 3.6. multi-tenancy overlay technologies as described in Section 3.6.
Then according to the SLO and SLE requirements of a network slice Then, according to the SLO and SLE requirements of a network slice
service, the network slice service is mapped to an appropriate NRP as service, the network slice service is mapped to an appropriate NRP as
the virtual underlay. The integration of the overlay VPN and the the virtual underlay. The integration of the overlay VPN and the
underlay NRP together provide a network slice service. underlay NRP provides a network slice service.
6.4. Network Slice Traffic Steering and Forwarding 6.4. Network Slice Traffic Steering and Forwarding
At the edge of the operator's network, traffic of network slices can At the edge of the operator's network, network slice traffic can be
be classified based on the rules defined by the operator's policy, so classified based on the rules defined by the operator's policy; this
that the traffic which matches the rules for specific network slice is so that the traffic that matches the rules for specific network
services can be mapped to the corresponding NRP. This way, packets slice services can be mapped to the corresponding NRP. Thus, packets
belonging to specific network slice service will be processed and belonging to a specific network slice service will be processed and
forwarded by network nodes based either the traffic-engineered paths forwarded by network nodes based on either:
or the shortest paths in the associated network topology, using the
set of network resources of the corresponding NRP. * the traffic-engineered paths or
* the shortest paths in the associated network topology
using the set of network resources of the corresponding NRP.
7. Scalability Considerations 7. Scalability Considerations
NRP-based enhanced VPNs provide performance guaranteed services in NRP-based enhanced VPNs provide performance guaranteed services in
packet networks, but with the potential cost of introducing packet networks; however, this comes with the potential cost of
additional state into the network. There are at least three ways introducing additional state into the network. There are at least
that this additional state might be brought into the network: three ways that this additional state might be added:
* Introduce the complete state into the packet, as is done in SR. * by introducing the complete state into the packet, as is done in
This allows the controller to specify the detailed series of SR. This allows the controller to specify the detailed series of
forwarding and processing instructions for the packet as it forwarding and processing instructions for the packet as it
transits the network. The cost of this is an increase in the transits the network. The cost of this is an increase in the
packet header size. The cost is also that systems will have to packet header size. A further cost is that systems will have to
provide NRP specific segments in case they are called upon by a provide NRP-specific segments in case they are called upon by a
service. This is a type of latent state, and increases as the service. This is a type of latent state, and it increases as the
segments and resources that need to be exclusively available to segments and resources that need to be exclusively available to
enhanced VPN service are specified more precisely. enhanced VPN service are specified more precisely.
* Introduce the state to the network. This is normally done by * by introducing the state to the network. This is normally done by
creating a path using signaling such as RSVP-TE. This could be creating a path using signaling such as RSVP-TE. This could be
extended to include any element that needs to be specified along extended to include any element that needs to be specified along
the path, for example explicitly specifying queuing policy. It is the path, for example, explicitly specifying queuing policy. It
also possible to use other methods to introduce path state, such is also possible to use other methods to introduce path state,
as via an SDN controller, or possibly by modifying a routing such as via an SDN controller or possibly by modifying a routing
protocol. With this approach there is state per path: per-path protocol. With this approach, there is state per path: a per-path
characteristic that needs to be maintained over the life of the characteristic that needs to be maintained over the life of the
path. This is more network state than is needed using SR, but the path. This is more network state than is needed using SR, but the
packets are usually shorter. packets are usually shorter.
* Provide a hybrid approach. One example is based on using binding * by providing a hybrid approach. One example is based on using
SIDs [RFC8402] to represent path fragments, and bind them together binding SIDs (see [RFC8402]) to represent path fragments and
with SR. Dynamic creation of a VPN service path using SR requires binding them together with SR. Dynamic creation of a VPN service
less state maintenance in the network core at the expense of path using SR requires less state maintenance in the network core
larger packet headers. The packet size can be lower if a form of at the expense of larger packet headers. The packet size can be
loose source routing is used (using a few nodal SIDs), and it will lower if a form of loose source routing is used (using a few nodal
be lower if no specific functions or resources on the routers are SIDs), and it will be lower if no specific functions or resources
specified. For SRv6, the packet size may also be reduced by on the routers are specified. For SRv6, the packet size may also
utilizing the compression techniques as specified in be reduced by utilizing the compression techniques specified in
[I-D.ietf-spring-srv6-srh-compression]. [SRv6-SRH-COMPRESSION].
Reducing the state in the network is important to enhanced VPNs, as Reducing state in the network is important to enhanced VPNs, as it
it requires the overlay to be more closely integrated with the requires the overlay to be more closely integrated with the underlay
underlay than with conventional VPNs. This tighter coupling would than with conventional VPNs. This tighter coupling would normally
normally mean that more state needs to be created and maintained in mean that more state needs to be created and maintained in the
the network, as the state about fine granularity processing would network, as state about fine-granularity processing would need to be
need to be loaded and maintained in the routers. Aggregation is a loaded and maintained in the routers. Aggregation is a well-
well-established approach to reduce the amount of state and improve established approach to reduce the amount of state and improve
scaling, and NRP is considered as the network construct to aggregate scaling, and NRP is considered to be the network construct to
the states of enhanced VPN services. In addition, an SR approach aggregate the states of enhanced VPN services. In addition, an SR
allows much of the state to be spread amongst the network ingress approach allows much of the state to be spread amongst the network
nodes, and transiently carried in the packets as SIDs. ingress nodes and transiently carried in the packets as SIDs.
The following subsections describe some of the scalability concerns The following subsections describe some of the scalability concerns
that need to be considered. Further discussion of the scalability that need to be considered. Further discussion of the scalability
considerations of the underlaying network constructs of NRP-based considerations of the underlaying network constructs of NRP-based
enhanced VPNs can be found in [I-D.ietf-teas-nrp-scalability]. enhanced VPNs can be found in [NRP-SCALABILITY].
7.1. Maximum Stack Depth of SR 7.1. Maximum Stack Depth of SR
One of the challenges with SR is the stack depth that nodes are able One of the challenges with SR is the stack depth that nodes are able
to impose on packets [RFC8491]. This leads to a difficult balance to impose on packets [RFC8491]. This leads to a difficult balance
between adding state to the network and minimizing stack depth, or between:
minimizing state and increasing the stack depth.
* adding state to the network and minimizing stack depth and
* minimizing state and increasing the stack depth.
7.2. RSVP-TE Scalability 7.2. RSVP-TE Scalability
The established method of creating a resource-reserved path through The established method of creating a resource-reserved path through
an MPLS network is to use the RSVP-TE protocol. However, there have an MPLS network is to use the RSVP-TE protocol. However, there have
been concerns that this requires significant continuous state been concerns that this requires significant continuous state
maintenance in the network. Work to improve the scalability of RSVP- maintenance in the network. Work to improve the scalability of RSVP-
TE LSPs in the control plane can be found in [RFC8370]. TE LSPs in the control plane can be found in [RFC8370].
There is also concern at the scalability of the forwarder footprint There is also concern at the scalability of the forwarder footprint
of RSVP-TE as the number of paths through a label switching router of RSVP-TE as the number of paths through a Label Switching Router
(LSR) grows. [RFC8577] addresses this by employing SR within a (LSR) grows. [RFC8577] addresses this by employing SR within a
tunnel established by RSVP-TE. tunnel established by RSVP-TE.
7.3. SDN Scaling 7.3. SDN Scaling
The centralized approach of SDN requires control plane state to be The centralized approach of SDN requires control plane state to be
stored in the network, but can reduce the overhead of control stored in the network, but can reduce the overhead of control
channels to be maintained. Each individual network node may need to channels to be maintained. Each individual network node may need to
maintain a control channel with an SDN controller, which is maintain a control channel with an SDN controller, which is
considered more scalable comparing to the need of maintaining control considered more scalable compared to the need of maintaining control
channels with a set of neighbor nodes. channels with a set of neighbor nodes.
However, SDN may transfer some of the scalability concerns from the However, SDN may transfer some of the scalability concerns from the
network to a centralized controller. In particular, there may be a network to a centralized controller. In particular, there may be a
heavy processing burden at the controller, and a heavy load in the heavy processing burden at the controller and a heavy load in the
network surrounding the controller. A centralized controller may network surrounding the controller. A centralized controller may
also present a single point of failure within the network. also present a single point of failure within the network.
8. Enhanced Resiliency 8. Enhanced Resiliency
Each enhanced VPN service has a life cycle, and may need modification Each enhanced VPN service has a life cycle and may need modification
during deployment as the needs of its tenant change. This is during deployment as the needs of its tenant change (see
discussed in Section 5.5. Additionally, as the network evolves, Section 5.5). Additionally, as the network evolves, garbage
there may need to perform garbage collection to consolidate resources collection may need to be performed to consolidate resources into
into usable quanta. usable quanta.
Systems in which the path is imposed, such as SR or some form of Systems in which the path is imposed, such as SR or some form of
explicit routing, tend to do well in these applications, because it explicit routing, tend to do well in these applications because it is
is possible to perform an atomic transition from one path to another. possible to perform an atomic transition from one path to another.
That is, a single action by the head-end that changes the path That is, a single action by the headend that changes the path without
without the need for coordinated action by the routers along the the need for coordinated action by the routers along the path.
path. However, implementations and the monitoring protocols need to However, implementations and the monitoring protocols need to make
make sure that the new path is operational and meets the required SLA sure that the new path is operational and meets the required SLA
before traffic is transitioned to it. It is possible for deadlocks before traffic is transitioned to it. It is possible for deadlocks
to arise as a result of the network becoming fragmented over time, to arise as a result of the network becoming fragmented over time,
such that it is impossible to create a new path or to modify an such that it is impossible to create a new path or to modify an
existing path without impacting the SLA of other paths. The global existing path without impacting the SLA of other paths. The GCO
concurrent optimization mechanisms as described in [RFC5557] and mechanisms as described in [RFC5557] and discussed in [RFC7399] may
discussed in [RFC7399] may be helpful, while complete resolution of be helpful, while complete resolution of this situation is as much a
this situation is as much a commercial issue as it is a technical commercial issue as it is a technical issue.
issue.
There are, however, two manifestations of the latency problem that However, there are two manifestations of the latency problem that are
are for further study in any of these approaches: for further study in any of these approaches:
* The problem of packets overtaking one another if a path latency * Packets overtaking one another if path latency reduces during a
reduces during a transition. transition.
* The problem of transient variation in latency in either direction * Transient variation in latency in either direction as a path
as a path migrates. migrates.
There is also the matter of what happens during failure in the There is also the matter of what happens during failure in the
underlay infrastructure. Fast reroute is one approach, but that underlay infrastructure. Fast reroute is one approach, but that
still produces a transient loss with a normal goal of rectifying this still produces a transient loss with a normal goal of rectifying this
within 50ms [RFC5654]. An alternative is some form of N+1 delivery within 50 ms [RFC5654]. An alternative is some form of N+1 delivery
such as has been used for many years to support protection from such as has been used for many years to support protection from
service disruption. This may be taken to a different level using the service disruption. This may be taken to a different level using the
techniques of DetNet with multiple in-network replication and the techniques of DetNet with multiple in-network replications and the
culling of later packets [RFC8655]. culling of later packets [RFC8655].
In addition to the approach used to protect high priority packets, In addition to the approach used to protect high-priority packets,
consideration should be given to the impact of best effort traffic on consideration should be given to the impact of best-effort traffic on
the high priority packets during a transition. Specifically, if a the high-priority packets during a transition. Specifically, if a
conventional re-convergence process is used there will inevitably be conventional re-convergence process is used, there will inevitably be
micro-loops and whilst some form of explicit routing will protect the micro-loops and, while some form of explicit routing will protect the
high priority traffic, lower priority traffic on best effort shortest high-priority traffic, lower-priority traffic on best-effort shortest
paths will micro-loop without the use of a loop prevention paths will micro-loop without the use of a loop-prevention
technology. To provide the highest quality of service to high technology. To provide the highest quality of service to high-
priority traffic, either this traffic must be shielded from the priority traffic, either this traffic must be shielded from the
micro-loops, or micro-loops must be prevented completely. micro-loops or micro-loops must be prevented completely.
9. Manageability Considerations 9. Manageability Considerations
This section describes the considerations about the OAM and Telemetry This section describes the considerations about the OAM and telemetry
mechanisms used to support the verification, monitoring and mechanisms used to support the verification, monitoring, and
optimization of the characteristics and SLA fulfillment of NRP-based optimization of the characteristics and SLA fulfillment of NRP-based
enhanced VPN services. It should be read along with Section 5.5 that enhanced VPN services. It should be read along with Section 5.5,
gives consideration of the management plane techniques that can be which gives consideration to the management plane techniques that can
used to build NRPs. be used to build NRPs.
9.1. OAM Considerations 9.1. OAM Considerations
The design of OAM for enhanced VPN services needs to consider the The design of OAM for enhanced VPN services needs to consider the
following requirements: following requirements:
* Instrumentation of the NRP (the virtual underlay) so that the * Instrumentation of the NRP (the virtual underlay) so that the
network operator can be sure that the resources committed to a network operator can be sure that the resources committed to a
customer are operating correctly and delivering the required customer are operating correctly and delivering the required
performance. It is important that the OAM packets follow the same performance. It is important that the OAM packets follow the same
path and the set of resources as the service packets mapped to the path and set of resources as the service packets mapped to the
NRP. NRP.
* Instrumentation of the overlay by the customer. This is likely to * Instrumentation of the overlay by the customer. This is likely to
be transparent to the network operator and to use existing be transparent to the network operator and to use existing
methods. Particular consideration needs to be given to the need methods. Particular consideration needs to be given to the need
to verify the various committed performance characteristics. to verify the various committed performance characteristics.
* Instrumentation of the overlay by the service provider to * Instrumentation of the overlay by the service provider to
proactively demonstrate that the committed performance is being proactively demonstrate that the committed performance is being
delivered. This needs to be done in a non-intrusive manner, delivered. This needs to be done in a non-intrusive manner,
particularly when the tenant is deploying a performance-sensitive particularly when the tenant is deploying a performance-sensitive
application. application.
A study of OAM in SR networks is documented in [RFC8403]. A study of OAM in SR networks is documented in [RFC8403].
9.2. Telemetry Considerations 9.2. Telemetry Considerations
Network visibility is essential for network operation. Network Network visibility is essential for network operation. Network
telemetry has been considered as an ideal means to gain sufficient telemetry has been considered to be an ideal means to gain sufficient
network visibility with better flexibility, scalability, accuracy, network visibility with better flexibility, scalability, accuracy,
coverage, and performance than conventional OAM technologies. coverage, and performance than conventional OAM technologies.
As defined in [RFC9232], the objective of Network Telemetry is to As defined in [RFC9232], the objective of network telemetry is to
acquire network data remotely for network monitoring and operation. acquire network data remotely for network monitoring and operation.
It is a general term for a large set of network visibility techniques It is a general term for a large set of network visibility techniques
and protocols. Network telemetry addresses the current network and protocols. Network telemetry addresses the current network
operation issues and enables smooth evolution toward intent-driven operation issues and enables smooth evolution toward intent-driven
autonomous networks. Telemetry can be applied on the forwarding autonomous networks. Telemetry can be applied on the forwarding
plane, the control plane, and the management plane in a network. plane, the control plane, and the management plane in a network.
Telemetry for enhanced VPN service needs to consider the following Telemetry for enhanced VPN service needs to consider the following
requirements: requirements:
* Collecting data of NRPs for overall performance evaluation and the * Collecting data of NRPs for overall performance evaluation and the
skipping to change at page 34, line 34 skipping to change at line 1589
* Collecting data of each enhanced VPN service for monitoring and * Collecting data of each enhanced VPN service for monitoring and
analytics of the service characteristics and SLA fulfillment. analytics of the service characteristics and SLA fulfillment.
How the telemetry mechanisms could be used or extended for enhanced How the telemetry mechanisms could be used or extended for enhanced
VPN services is out of the scope of this document. VPN services is out of the scope of this document.
10. Operational Considerations 10. Operational Considerations
It is expected that NRP-based enhanced VPN services will be It is expected that NRP-based enhanced VPN services will be
introduced in networks which already have conventional VPN services introduced in networks that already have conventional VPN services
deployed. Depending on service requirements, the tenants or the deployed. Depending on service requirements, the tenants or the
operator may choose to use a VPN or an enhanced VPN to fulfill a operator may choose to use a VPN or an enhanced VPN to fulfill a
service requirement. The information and parameters to assist such a service requirement. The information and parameters to assist such a
decision needs to be supplied on the management interface between the decision needs to be supplied on the management interface between the
tenant and the operator. The management interface and data models as tenant and the operator. The management interface and data models
described in Section 5.6 can be used for the life-cycle management of (as described in Section 5.6) can be used for the life-cycle
enhanced VPN services, such as service creation, modification, management of enhanced VPN services, such as service creation,
performance monitoring and decommissioning. modification, performance monitoring, and decommissioning.
11. Security Considerations 11. Security Considerations
All types of virtual network require special consideration to be All types of virtual networks require special consideration to be
given to the isolation of traffic belonging to different tenants. given to the isolation of traffic belonging to different tenants.
That is, traffic belonging to one VPN must not be delivered to end That is, traffic belonging to one VPN must not be delivered to
points outside that VPN. In this regard the enhanced VPN neither endpoints outside that VPN. In this regard, the enhanced VPN neither
introduces, nor experiences greater security risks than other VPNs. introduces nor experiences greater security risks than other VPNs.
However, in an enhanced VPN service the additional service However, in an enhanced VPN service, the additional service
requirements need to be considered. For example, if a service requirements need to be considered. For example, if a service
requires a specific upper bound to latency then it can be damaged by requires a specific upper bound to latency, then it can be damaged by
simply delaying the packets through the activities of another tenant, simply delaying the packets through the activities of another tenant,
i.e., by introducing bursts of traffic for other services. In some i.e., by introducing bursts of traffic for other services. In some
respects this makes the enhanced VPN more susceptible to attacks respects, this makes the enhanced VPN more susceptible to attacks
since the SLA may be broken. But another view is that the operator since the SLA may be broken. Another view is that the operator must,
must, in any case, preform monitoring of the enhanced VPN to ensure in any case, preform monitoring of the enhanced VPN to ensure that
that the SLA is met, and this means that the operator may be more the SLA is met; thus, the operator may be more likely to spot the
likely to spot the early onset of a security attack and be able to early onset of a security attack and be able to take preemptive
take preemptive protective action. protective action.
The measures to address these dynamic security risks must be The measures to address these dynamic security risks must be
specified as part of the specific solution to the isolation specified as part of the specific solution to the isolation
requirements of an enhanced VPN service. requirements of an enhanced VPN service.
While an enhanced VPN service may be sold as offering encryption and While an enhanced VPN service may be sold as offering encryption and
other security features as part of the service, customers would be other security features as part of the service, customers would be
well advised to take responsibility for their own security well advised to take responsibility for their security requirements
requirements themselves possibly by encrypting traffic before handing themselves, possibly by encrypting traffic before handing it off to
it off to the service provider. the service provider.
The privacy of enhanced VPN service customers must be preserved. It The privacy of enhanced VPN service customers must be preserved. It
should not be possible for one customer to discover the existence of should not be possible for one customer to discover the existence of
another customer, nor should the sites that are members of an another customer nor should the sites that are members of an enhanced
enhanced VPN be externally visible. VPN be externally visible.
An enhanced VPN service (even one with traffic isolation requirements An enhanced VPN service (even one with traffic isolation requirements
or with limited interaction with other enhanced VPNs) does not or with limited interaction with other enhanced VPNs) does not
provide any additional guarantees of privacy for customer traffic provide any additional guarantees of privacy for customer traffic
compared to regular VPNs: the traffic within the network may be compared to regular VPNs: the traffic within the network may be
intercepted and errors may lead to mis-delivery. Users who wish to intercepted and errors may lead to mis-delivery. Users who wish to
ensure the privacy of their traffic must take their own precautions ensure the privacy of their traffic must take their own precautions
including end-to-end encryption. including end-to-end encryption.
12. IANA Considerations 12. IANA Considerations
There are no requested IANA actions. This document has no IANA actions.
13. Contributors
Daniel King
Email: daniel@olddog.co.uk
Adrian Farrel
Email: adrian@olddog.co.uk
Jeff Tantsura
Email: jefftant.ietf@gmail.com
Zhenbin Li
Email: lizhenbin@huawei.com
Qin Wu
Email: bill.wu@huawei.com
Bo Wu
Email: lana.wubo@huawei.com
Daniele Ceccarelli
Email: daniele.ietf@gmail.com
Mohamed Boucadair
Email: mohamed.boucadair@orange.com
Sergio Belotti
Email: sergio.belotti@nokia.com
Haomian Zheng
Email: zhenghaomian@huawei.com
14. Acknowledgements
The authors would like to thank Charlie Perkins, James N Guichard,
John E Drake, Shunsuke Homma, Luis M. Contreras, and Joel Halpern
for their review and valuable comments.
This work was supported in part by the European Commission funded
H2020-ICT-2016-2 METRO-HAUL project (G.A. 761727).
15. References 13. References
15.1. Normative References 13.1. Normative References
[RFC9543] Farrel, A., Ed., Drake, J., Ed., Rokui, R., Homma, S., [RFC9543] Farrel, A., Ed., Drake, J., Ed., Rokui, R., Homma, S.,
Makhijani, K., Contreras, L., and J. Tantsura, "A Makhijani, K., Contreras, L., and J. Tantsura, "A
Framework for Network Slices in Networks Built from IETF Framework for Network Slices in Networks Built from IETF
Technologies", RFC 9543, DOI 10.17487/RFC9543, March 2024, Technologies", RFC 9543, DOI 10.17487/RFC9543, March 2024,
<https://www.rfc-editor.org/info/rfc9543>. <https://www.rfc-editor.org/info/rfc9543>.
15.2. Informative References 13.2. Informative References
[FLEXE] "Flex Ethernet Implementation Agreement", March 2016, [FLEXE] Optical Internetworking Forum, "Flex Ethernet
<https://www.oiforum.com/wp-content/uploads/2019/01/OIF- Implementation Agreement", IA # OIF-FLEXE-01.0, March
FLEXE-01.0.pdf>. 2016, <https://www.oiforum.com/wp-content/uploads/2019/01/
OIF-FLEXE-01.0.pdf>.
[I-D.ietf-6man-enhanced-vpn-vtn-id] [IPv6-NRP-OPTION]
Dong, J., Li, Z., Xie, C., Ma, C., and G. S. Mishra, Dong, J., Li, Z., Xie, C., Ma, C., and G. S. Mishra,
"Carrying Network Resource Partition (NRP) Information in "Carrying Network Resource (NR) related Information in
IPv6 Extension Header", Work in Progress, Internet-Draft, IPv6 Extension Header", Work in Progress, Internet-Draft,
draft-ietf-6man-enhanced-vpn-vtn-id-06, 20 February 2024, draft-ietf-6man-enhanced-vpn-vtn-id-09, 3 November 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-6man- <https://datatracker.ietf.org/doc/html/draft-ietf-6man-
enhanced-vpn-vtn-id-06>. enhanced-vpn-vtn-id-09>.
[I-D.ietf-spring-resource-aware-segments]
Dong, J., Miyasaka, T., Zhu, Y., Qin, F., and Z. Li,
"Introducing Resource Awareness to SR Segments", Work in
Progress, Internet-Draft, draft-ietf-spring-resource-
aware-segments-09, 6 May 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-spring-
resource-aware-segments-09>.
[I-D.ietf-spring-sr-for-enhanced-vpn]
Dong, J., Miyasaka, T., Zhu, Y., Qin, F., and Z. Li,
"Segment Routing based Network Resource Partition (NRP)
for Enhanced VPN", Work in Progress, Internet-Draft,
draft-ietf-spring-sr-for-enhanced-vpn-07, 3 March 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-spring-
sr-for-enhanced-vpn-07>.
[I-D.ietf-spring-srv6-srh-compression]
Cheng, W., Filsfils, C., Li, Z., Decraene, B., and F.
Clad, "Compressed SRv6 Segment List Encoding", Work in
Progress, Internet-Draft, draft-ietf-spring-srv6-srh-
compression-17, 16 May 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-spring-
srv6-srh-compression-17>.
[I-D.ietf-teas-actn-vn-yang]
Lee, Y., Dhody, D., Ceccarelli, D., Bryskin, I., and B. Y.
Yoon, "A YANG Data Model for Virtual Network (VN)
Operations", Work in Progress, Internet-Draft, draft-ietf-
teas-actn-vn-yang-28, 8 June 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-teas-
actn-vn-yang-28>.
[I-D.ietf-teas-ietf-network-slice-nbi-yang] [NETWORK-SLICE-YANG]
Wu, B., Dhody, D., Rokui, R., Saad, T., and J. Mullooly, Wu, B., Dhody, D., Rokui, R., Saad, T., and J. Mullooly,
"A YANG Data Model for the RFC 9543 Network Slice "A YANG Data Model for the RFC 9543 Network Slice
Service", Work in Progress, Internet-Draft, draft-ietf- Service", Work in Progress, Internet-Draft, draft-ietf-
teas-ietf-network-slice-nbi-yang-13, 9 May 2024, teas-ietf-network-slice-nbi-yang-20, 27 January 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-teas- <https://datatracker.ietf.org/doc/html/draft-ietf-teas-
ietf-network-slice-nbi-yang-13>. ietf-network-slice-nbi-yang-20>.
[I-D.ietf-teas-nrp-scalability] [NGMN-NS-Concept]
hao ,, "NGMN NS Concept", <https://www.ngmn.org/fileadmin/
user_upload/161010_NGMN_Network_Slicing_framework_v1.0.8.p
df>.
[NRP-SCALABILITY]
Dong, J., Li, Z., Gong, L., Yang, G., and G. S. Mishra, Dong, J., Li, Z., Gong, L., Yang, G., and G. S. Mishra,
"Scalability Considerations for Network Resource "Scalability Considerations for Network Resource
Partition", Work in Progress, Internet-Draft, draft-ietf- Partition", Work in Progress, Internet-Draft, draft-ietf-
teas-nrp-scalability-04, 4 March 2024, teas-nrp-scalability-06, 21 October 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-teas- <https://datatracker.ietf.org/doc/html/draft-ietf-teas-
nrp-scalability-04>. nrp-scalability-06>.
[I-D.ietf-teas-nrp-yang] [NRP-YANG] Wu, B., Dhody, D., Beeram, V. P., Saad, T., and S. Peng,
Wu, B., Dhody, D., Beeram, V. P., Saad, T., and S. Peng,
"YANG Data Models for Network Resource Partitions (NRPs)", "YANG Data Models for Network Resource Partitions (NRPs)",
Work in Progress, Internet-Draft, draft-ietf-teas-nrp- Work in Progress, Internet-Draft, draft-ietf-teas-nrp-
yang-01, 16 March 2024, yang-02, 5 July 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-teas- <https://datatracker.ietf.org/doc/html/draft-ietf-teas-
nrp-yang-01>. nrp-yang-02>.
[NGMN-NS-Concept] [RESOURCE-AWARE-SEGMENTS]
hao ,, "NGMN NS Concept", <https://www.ngmn.org/fileadmin/ Dong, J., Miyasaka, T., Zhu, Y., Qin, F., and Z. Li,
user_upload/161010_NGMN_Network_Slicing_framework_v1.0.8.p "Introducing Resource Awareness to SR Segments", Work in
df>. Progress, Internet-Draft, draft-ietf-spring-resource-
aware-segments-10, 12 October 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-spring-
resource-aware-segments-10>.
[RFC2211] Wroclawski, J., "Specification of the Controlled-Load [RFC2211] Wroclawski, J., "Specification of the Controlled-Load
Network Element Service", RFC 2211, DOI 10.17487/RFC2211, Network Element Service", RFC 2211, DOI 10.17487/RFC2211,
September 1997, <https://www.rfc-editor.org/info/rfc2211>. September 1997, <https://www.rfc-editor.org/info/rfc2211>.
[RFC2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z., [RFC2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z.,
and W. Weiss, "An Architecture for Differentiated and W. Weiss, "An Architecture for Differentiated
Services", RFC 2475, DOI 10.17487/RFC2475, December 1998, Services", RFC 2475, DOI 10.17487/RFC2475, December 1998,
<https://www.rfc-editor.org/info/rfc2475>. <https://www.rfc-editor.org/info/rfc2475>.
skipping to change at page 43, line 47 skipping to change at line 1954
[RFC9408] Boucadair, M., Ed., Gonzalez de Dios, O., Barguil, S., Wu, [RFC9408] Boucadair, M., Ed., Gonzalez de Dios, O., Barguil, S., Wu,
Q., and V. Lopez, "A YANG Network Data Model for Service Q., and V. Lopez, "A YANG Network Data Model for Service
Attachment Points (SAPs)", RFC 9408, DOI 10.17487/RFC9408, Attachment Points (SAPs)", RFC 9408, DOI 10.17487/RFC9408,
June 2023, <https://www.rfc-editor.org/info/rfc9408>. June 2023, <https://www.rfc-editor.org/info/rfc9408>.
[RFC9552] Talaulikar, K., Ed., "Distribution of Link-State and [RFC9552] Talaulikar, K., Ed., "Distribution of Link-State and
Traffic Engineering Information Using BGP", RFC 9552, Traffic Engineering Information Using BGP", RFC 9552,
DOI 10.17487/RFC9552, December 2023, DOI 10.17487/RFC9552, December 2023,
<https://www.rfc-editor.org/info/rfc9552>. <https://www.rfc-editor.org/info/rfc9552>.
[TS23501] "3GPP TS23.501", [RFC9731] Lee, Y., Ed., Dhody, D., Ed., Ceccarelli, D., Bryskin, I.,
and B. Y. Yoon, "A YANG Data Model for Virtual Network
(VN) Operations", RFC 9731, DOI 10.17487/RFC9731, January
2025, <https://www.rfc-editor.org/info/rfc9731>.
[SR-ENHANCED-VPN]
Dong, J., Miyasaka, T., Zhu, Y., Qin, F., and Z. Li,
"Segment Routing based Network Resource Partition (NRP)
for Enhanced VPN", Work in Progress, Internet-Draft,
draft-ietf-spring-sr-for-enhanced-vpn-08, 12 October 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-spring-
sr-for-enhanced-vpn-08>.
[SRv6-SRH-COMPRESSION]
Cheng, W., Ed., Filsfils, C., Li, Z., Decraene, B., and F.
Clad, Ed., "Compressed SRv6 Segment List Encoding", Work
in Progress, Internet-Draft, draft-ietf-spring-srv6-srh-
compression-18, 22 July 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-spring-
srv6-srh-compression-18>.
[TS23501] 3GPP, "System architecture for the 5G system (5GS)", 3GPP
TS 23.501,
<https://portal.3gpp.org/desktopmodules/Specifications/ <https://portal.3gpp.org/desktopmodules/Specifications/
SpecificationDetails.aspx?specificationId=3144>. SpecificationDetails.aspx?specificationId=3144>.
[TS28530] "3GPP TS28.530", [TS28530] 3GPP, "Management and orchestration; Concepts, use cases
and requirements", 3GPP TS 28.530,
<https://portal.3gpp.org/desktopmodules/Specifications/ <https://portal.3gpp.org/desktopmodules/Specifications/
SpecificationDetails.aspx?specificationId=3273>. SpecificationDetails.aspx?specificationId=3273>.
[TSN] ""Time-Sensitive Networking", IEEE 802.1 Time-Sensitive [TSN] IEEE 802.1 Working Group, "Time-Sensitive Networking (TSN)
Networking (TSN) Task Group", Task Group", <https://1.ieee802.org/tsn/>.
<https://1.ieee802.org/tsn/>.
Acknowledgements
The authors would like to thank Charlie Perkins, James N. Guichard,
John E. Drake, Shunsuke Homma, Luis M. Contreras, and Joel Halpern
for their review and valuable comments.
This work was supported in part by the European Commission funded
H2020-ICT-2016-2 METRO-HAUL project (G.A. 761727).
Contributors
Daniel King
Email: daniel@olddog.co.uk
Adrian Farrel
Email: adrian@olddog.co.uk
Jeff Tantsura
Email: jefftant.ietf@gmail.com
Zhenbin Li
Email: lizhenbin@huawei.com
Qin Wu
Email: bill.wu@huawei.com
Bo Wu
Email: lana.wubo@huawei.com
Daniele Ceccarelli
Email: daniele.ietf@gmail.com
Mohamed Boucadair
Email: mohamed.boucadair@orange.com
Sergio Belotti
Email: sergio.belotti@nokia.com
Haomian Zheng
Email: zhenghaomian@huawei.com
Authors' Addresses Authors' Addresses
Jie Dong Jie Dong
Huawei Huawei
Email: jie.dong@huawei.com Email: jie.dong@huawei.com
Stewart Bryant Stewart Bryant
University of Surrey University of Surrey
Email: stewart.bryant@gmail.com Email: stewart.bryant@gmail.com
 End of changes. 209 change blocks. 
720 lines changed or deleted 742 lines changed or added

This html diff was produced by rfcdiff 1.48.