Network Working Group
Internet Engineering Task Force (IETF)                           L. Yong
Internet Draft
Request for Comments: 8151                                     L. Dunbar
Category: Informational                                           Huawei
ISSN: 2070-1721                                                   M. Toy
                                                                 Verizon
                                                                A. Isaac
                                                        Juniper Networks
                                                               V. Manral
                                                         Ionos Networks

Expires: July 2017                                 February 20,
                                                             Nano Sec Co
                                                                May 2017

   Use Cases for Data Center Network Virtualization Overlay Networks

                       draft-ietf-nvo3-use-case-17

Abstract

   This document describes data center network virtualization overlay Network Virtualization over Layer 3 (NVO3) network
   use cases that can be deployed in various data centers and serve
   different data center data-center applications.

Status of this This Memo

   This Internet-Draft document is submitted to IETF in full conformance with
   the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum
   (IETF).  It represents the consensus of six
   months the IETF community.  It has
   received public review and may be updated, replaced, or obsoleted has been approved for publication by other the
   Internet Engineering Steering Group (IESG).  Not all documents
   at
   approved by the IESG are a candidate for any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list level of Internet
   Standard; see Section 2 of RFC 7841.

   Information about the current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list status of Internet-Draft Shadow Directories can this document, any errata,
   and how to provide feedback on it may be accessed obtained at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on July 21, 2017.
   http://www.rfc-editor.org/info/rfc8151.

Copyright Notice

   Copyright (c) 2016 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction...................................................3 Introduction ....................................................3
      1.1. Terminology...............................................4 Terminology ................................................4
      1.2. NVO3 Background...........................................5 Background ............................................5
   2. DC with a Large Number of Virtual Networks.......................6 Networks ......................6
   3. DC NVO3 virtual network Virtual Network and External Network Interconnection...6 Interconnection ....6
      3.1. DC NVO3 virtual network Virtual Network Access via the Internet...........7 Internet ............7
      3.2. DC NVO3 virtual network Virtual Network and SP WAN VPN Interconnection....8 Interconnection .....8
   4. DC Applications Using NVO3.....................................9 NVO3 ......................................9
      4.1. Supporting Multiple Technologies..........................9 Technologies ...........................9
      4.2. DC Applications Spanning Multiple Physical Zones.........10 Zones ..........10
      4.3. Virtual Data Center (vDC)................................10 (vDC) .................................10
   5. Summary.......................................................12 Summary ........................................................12
   6. Security Considerations.......................................12 Considerations ........................................12
   7. IANA Considerations...........................................13 Considerations ............................................12
   8. Informative References........................................13
   Contributors.....................................................14
   Acknowledgements.................................................14 References .........................................13
   Acknowledgements...................................................14
   Contributors ......................................................15
   Authors' Addresses...............................................15 Addresses.................................................16

1.  Introduction

   Server virtualization has changed the Information Technology (IT)
   industry in terms of the efficiency, cost, and speed of providing new
   applications and/or services such as cloud applications. However  However,
   traditional data center (DC) networks have limits in supporting cloud
   applications and multi tenant multi-tenant networks [RFC7364].  The goals goal of data
   center network virtualization overlay Network Virtualization over Layer 3 (NVO3) networks are is to
   decouple the communication among tenant systems from DC physical
   infrastructure networks and to allow one physical network
   infrastructure to:

   o  Carry  carry many NVO3 virtual networks and isolate the traffic of
      different NVO3 virtual networks on a physical network.

   o  Provide  provide independent address space in individual NVO3 virtual
      network such as MAC Media Access Control (MAC) and IP.

   o  Support flexible Virtual Machines (VM) (VMs) and/or workload placement
      including the ability to move them from one server to another
      without requiring VM address changes and physical infrastructure
      network configuration changes, and the ability to perform a "hot
      move" with no disruption to the live application running on those
      VMs.

   These characteristics of NVO3 virtual networks (VNs) help address the
   issues that cloud applications face in data centers [RFC7364].

   Hosts in one NVO3 virtual network VN may communicate with hosts in another NVO3 virtual network VN
   that is carried by the same physical network, or different physical
   network, via a gateway.  The use case use-case examples for the latter are: are as
   follows:

   1) DCs that migrate toward an NVO3 solution will be done in steps,
      where a portion of tenant systems in a VN are on virtualized
      servers while others exist on a LAN.

   2) many DC applications serve to Internet users who are on different
      physical networks;

   3) some applications are CPU bound, such as Big Data analytics, and
      may not run on virtualized resources.

   The inter-
   VN inter-VN policies are usually enforced by the gateway.

   This document describes general NVO3 virtual network VN use cases that apply to
   various data centers.  The use cases described here represent the DC
   provider's interests and vision for their cloud services.  The
   document groups the use cases into three categories from simple to sophiscated
   sophisticated in terms of implementation. However  However, the
   implementation details of these use cases are outside the scope of
   this document.  These three categories are highlighted described below:

   o  Basic NVO3 virtual networks VNs (Section 2).  All Tenant Systems (TS) (TSs) in the
      network are located within the same DC.  The individual networks
      can be either Layer 2 (L2) or Layer 3 (L3).  The number of NVO3 virtual networks
      VNs in a DC is much larger than the number that traditional VLAN VLAN-
      based virtual networks [IEEE 802.1Q] [IEEE802.1Q] can support.

   o  A virtual network that spans across multiple Data Centers DCs and/or to
      customer premises where NVO3 virtual networks are constructed and
      interconnect other virtual or physical networks outside the
      data center. DC.
      An enterprise customer may use a traditional carrier-grade VPN or
      an IPsec tunnel over the Internet to communicate with its systems
      in the DC.  This is described in Section 3.

   o  DC applications or services require an advanced network that
      contains several NVO3 virtual networks that are interconnected by
      gateways.  Three scenarios are described in Section 4. 4:
      (1) supporting multiple technologies;
      (2) constructing several virtual networks as a tenant network; and
      (3) applying NVO3 to a virtual Data Center (vDC).

   The document uses the architecture reference model defined in
   [RFC7365] to describe the use cases.

1.1.  Terminology

   This document uses the terminology defined in [RFC7365] and
   [RFC4364].  Some additional terms used in the document are listed
   here.

   ASBR:        Autonomous System Border Routers (ASBR) Router.

   DC:          Data Center.

   DMZ:         Demilitarized Zone.  A computer or small sub-network that sits subnetwork
                between a more trusted more-trusted internal network, such as a
                corporate private LAN, and an un-trusted untrusted or less trusted less-trusted
                external network, such as the public Internet.

   DNS:         Domain Name Service [RFC1035] [RFC1035].

   DC Operator: An entity that is responsible for constructing and
                managing all resources in data centers, DCs, including, but not
                limited to, compute, computing, storage, networking, etc.

   DC Provider: An entity that uses its DC infrastructure to offer
                services to its customers.

   NAT:         Network Address Translation [RFC3022] [RFC3022].

   vGW:         virtual Gateway; a GateWay.  A gateway component used for an NVO3
                virtual network to interconnect with another
                virtual/physical network.

   NVO3 virtual network: a

   NVO3:        Network Virtualization over Layer 3.  A virtual network
                that is implemented based on the NVO3 architecture [NVO3-ARCH]. architecture.

   PE:          Provider Edge Edge.

   SP:          Service Provider Provider.

   TS:          A TS Tenant System, which can be instantiated on a physical server/device
                server or a virtual machine (VM)
   on a server, i.e., end-device [RFC7365]. (VM).

   VRF-LITE:    Virtual Routing and Forwarding - LITE [VRF-LITE] [VRF-LITE].

   VN: NVO3 virtual network.          Virtual Network

   VoIP:        Voice over IP

   WAN VPN:     Wide Area Network Virtual Private Network [RFC4364]
   [RFC7432]
                [RFC7432].

1.2.  NVO3 Background

   An NVO3 virtual network is a virtual network in a DC that is implemented based on the NV03
   NVO3 architecture [RFC8014].  This architecture is often referred to
   as an overlay architecture.  The traffic carried by an NVO3 virtual
   network is encapsulated at a Network Virtual Virtualization Edge (NVE)
   [RFC8014] and carried by a tunnel to another NVE where the traffic is
   decapsulated and sent to a destination Tenant System (TS).  The NVO3
   architecture decouples NVO3 virtual networks from the DC physical
   network configuration.  The architecture uses common tunnels to carry
   NVO3 traffic that belongs to multiple NVO3 virtual networks.

   An NVO3 virtual network may be an L2 or L3 domain.  The network
   provides switching (L2) or routing (L3) capability to support host
   (i.e., tenant systems) TS) communications.  An NVO3 virtual network may be required
   to carry unicast traffic and/or multicast,
   broadcast/unknown-unicast multicast or broadcast/unknown-
   unicast (for L2 only) traffic from/to tenant
   systems. to/from TSs.  There are several ways to
   transport NVO3 virtual network
   BUM (Broadcast, Unknown-unicast, Multicast) Broadcast, Unknown Unicast, and
   Multicast (BUM) traffic [NVO3MCAST].

   An NVO3 virtual network provides communications among Tenant Systems
   (TS) TSs in a DC.  A
   TS can be a physical server/device or a virtual
   machine (VM) VM on a server end-device
   [RFC7365].

2.  DC with a Large Number of Virtual Networks

   A DC provider often uses NVO3 virtual networks for internal
   applications where each application runs on many VMs or physical
   servers and the provider requires applications to be segregated from
   each other.  A DC may run a larger number of NVO3 virtual networks to
   support many applications concurrently, where a traditional IEEE802.1Q
   based VLAN
   solution based on IEEE 802.1Q is limited to 4094 VLANs.

   Applications running on VMs may require a different quantity of
   computing resource, resources, which may result in computing resource a computing-resource
   shortage on some servers and other servers being nearly idle. Shortage  A
   shortage of computing resource resources may impact application performance.
   DC operators desire VM or workload movement for resource usage resource-usage
   optimization.  VM dynamic placement and mobility results in frequent
   changes of the binding between a TS and an NVE.  The TS reachability
   update mechanisms should take significantly less time than the
   typical re-
   transmission Time-out retransmission Timeout window of a reliable transport
   protocol such as TCP and SCTP, Stream Control Transmission Protocol (SCTP),
   so that end points' endpoints' transport connections won't be impacted by a TS
   becoming bound to a different NVE.  The capability of supporting many
   TSs in a virtual network and many virtual networks in a DC is
   critical for an NVO3 solution.

   When NVO3 virtual networks segregate VMs belonging to different
   applications, DC operators can independently assign MAC and/or IP
   address space to each virtual network.  This addressing is more
   flexible than requiring all hosts in all NVO3 virtual networks to
   share one address space.  In contrast, typical use of IEEE 802.1Q
   VLANs requires a single common MAC address space.

3.  DC NVO3 virtual network Virtual Network and External Network Interconnection

   Many customers (enterprises or individuals) who utilize a DC
   provider's compute and storage resources to run their applications
   need to access their systems hosted in a DC through Internet or
   Service Providers' Wide Area Networks (WAN).  A DC provider can
   construct a NVO3 virtual network that provides connectivity to all
   the resources designated for a customer customer, and it allows the customer
   to access the resources via a virtual gateway GateWay (vGW).  WAN
   connectivity to the virtual gateway vGW can be provided by VPN technologies such as
   IPsec VPNs [RFC4301] and BGP/MPLS IP VPNs [RFC 4364]. [RFC4364].

   If a virtual network spans multiple DC sites, one design using NVO3
   is to allow the network to seamlessly span the sites without DC
   gateway routers' termination.  In this case, the tunnel between a
   pair of NVEs can be carried within other intermediate tunnels over
   the Internet or other WANs, or an intra-DC tunnel and inter DC inter-DC
   tunnel(s) can be stitched together to form an end-to-end tunnel
   between the pair of NVEs that are in different DC sites.  Both cases
   will form one NVO3 virtual network across multiple DC sites.

   Two use cases are described in the following sections.

3.1.  DC NVO3 virtual network Virtual Network Access via the Internet

   A customer can connect to an NVO3 virtual network via the Internet in
   a secure way.  Figure 1 illustrates an example of this case.  The
   NVO3 virtual network has an instance at NVE1 and NVE2 NVE2, and the two
   NVEs are connected via an IP tunnel in the Data Center. DC.  A set of
   tenant systems TSs are
   attached to NVE1 on a server.  NVE2 resides on a DC Gateway device.
   NVE2 terminates the tunnel and uses the VNID VN Identifier (VNID) on the
   packet to pass the packet to the corresponding vGW entity on the DC
   GW (the vGW is the default gateway for the virtual network).  A
   customer can access their systems, i.e., TS1 or TSn, in the DC via
   the Internet by using an IPsec tunnel [RFC4301].  The IPsec tunnel is
   configured between the vGW and the customer gateway at the customer
   site.  Either a static route or Interior Internal Border Gateway Protocol
   (iBGP)
   (IBGP) may be used for prefix advertisement.  The vGW provides IPsec
   functionality such as authentication scheme and encryption; iBGP
   protocol IBGP
   traffic is carried within the IPsec tunnel.  Some vGW features are
   listed below:

   o  The vGW maintains the TS/NVE mappings and advertises the TS prefix
      to the customer via static route or iBGP. IBGP.

   o  Some vGW functions such as the firewall and load balancer load-balancer (LB) can
      be performed by locally attached network appliance devices.

   o  If the NVO3 virtual network uses different address space than
      external users, then the vGW needs to provide the NAT function.

   o  More than one IPsec tunnel can be configured for redundancy.

   o  The vGW can be implemented on a server or VM.  In this case, IP
      tunnels or IPsec tunnels can be used over the DC infrastructure.

   o  DC operators need to construct a vGW for each customer.

   Server+---------------+
         |   TS1 TSn     |
         |    |...|      |
         |  +-+---+-+    |             Customer Site
         |  |  NVE1 |    |               +-----+
         |  +---+---+    |               | GW  |
         +------+--------+               +--+--+
                |                           *
            L3 Tunnel                       *
                |                           *
   DC GW +------+---------+            .--.  .--.
         |  +---+---+     |           (    '*   '.--.
         |  |  NVE2 |     |        .-.'   *          )
         |  +---+---+     |       (    *  Internet    )
         |  +---+---+.    |        ( *               /
         |  |  vGW  | * * * * * * * * '-'          '-'
         |  +-------+ |   | IPsec       \../ \.--/'
         |   +--------+   | Tunnel
         +----------------+

           DC Provider Site

           Figure 1 - 1: DC Virtual Network Access via the Internet

3.2.  DC NVO3 virtual network Virtual Network and SP WAN VPN Interconnection

   In this case, an Enterprise enterprise customer wants to use a Service Provider
   (SP) WAN VPN [RFC4364] [RFC7432] to interconnect its sites with an
   NVO3 virtual network in a DC site.  The Service Provider SP constructs a VPN for the
   enterprise customer.  Each enterprise site peers with an SP PE.  The
   DC Provider provider and VPN Service Provider SP can build an NVO3 virtual network and a WAN
   VPN independently, and then interconnect them via a local link, link or a
   tunnel between the DC GW and WAN
   Provider Edge (PE) PE devices.  The control plane
   interconnection options between the DC and WAN are described in
   [RFC4364].  Using the option A "a" specified in [RFC4364] with VRF-LITE
   [VRF-LITE], both
   Autonomous System Border Routers (ASBR), ASBRs, i.e., DC GW and SP PE, maintain a
   routing/forwarding table (VRF).  Using the option B "b" specified in
   [RFC4364], the DC ASBR and SP ASBR do not maintain the VRF table;
   they only maintain the NVO3 virtual network and VPN identifier
   mappings, i.e., label mapping, and swap the label on the packets in
   the forwarding process.  Both option A "a" and B option "b" allow the se
   of NVO3 virtual network VNs and VPN VPNs using their own identifiers identifiers, and two identifiers
   are mapped at the DC GW.  With the option C "c" in [RFC4364], the VN
   and VPN use the same identifier and both ASBRs perform the tunnel
   stitching, i.e., tunnel segment mapping.  Each option has pros/cons pros and
   cons [RFC4364] and has been deployed in SP networks depending on the
   application requirements.  BGP is used in these options for route
   distribution between DCs and SP WANs.  Note that if the DC is the
   SP's Data Center, DC, the DC GW and SP PE in this case can be merged into one device that
   performs the interworking of the VN and VPN within an AS. Autonomous
   System.

   These solutions allow the enterprise networks to communicate with the
   tenant systems attached to the NVO3 virtual network in the DC without
   interfering with the DC provider's underlying physical networks and
   other NVO3 virtual networks in the DC.  The enterprise can use its
   own address space in the NVO3 virtual network.  The DC provider can
   manage which VM and storage elements attach to the NVO3 virtual
   network.  The enterprise customer manages which applications run on
   the VMs without knowing the location of the VMs in the DC.  (See
   Section 4 for more) more information.)

   Furthermore, in this use case, the DC operator can move the VMs
   assigned to the enterprise from one sever to another in the DC
   without the enterprise customer being aware, i.e., with no impact on
   the enterprise's 'live' "live" applications.  Such advanced technologies
   bring DC providers great benefits in offering cloud services, but add
   some requirements for NVO3 [RFC7364] as well.

4.  DC Applications Using NVO3

   NVO3 technology provides DC operators with the flexibility in
   designing and deploying different applications in an end-to-end
   virtualization overlay environment.  The operators no longer need to
   worry about the constraints of the DC physical network configuration
   when creating VMs and configuring a network to connect them.  A DC
   provider may use NVO3 in various ways, in conjunction with other
   physical networks and/or virtual networks in the DC.  This section
   highlights some use cases for this goal.

4.1.  Supporting Multiple Technologies

   Servers deployed in a large data center DC are often installed at different
   times, and they may have different capabilities/features.  Some
   servers may be virtualized, while others may not; some may be
   equipped with virtual switches, while others may not.  For the
   servers equipped with Hypervisor-based virtual switches, some may
   support a standardized NVO3 encapsulation, some may not support any
   encapsulation, and some may support a documented encapsulation
   protocol (e.g. VxLAN [RFC7348], NVGRE (e.g., Virtual eXtensible Local Area Network (VXLAN)
   [RFC7348] and Network Virtualization using Generic Routing
   Encapsulation (NVGRE) [RFC7637]) or proprietary encapsulations.  To
   construct a tenant network among these servers and the ToR Top-of-Rack
   (ToR) switches, operators can construct one traditional VLAN network
   and two virtual networks where one uses VxLAN VXLAN encapsulation and the
   other uses NVGRE, and interconnect these three networks via a gateway
   or virtual GW.  The GW performs packet encapsulation/decapsulation
   translation between the networks.

   Another case is that some software of a tenant has high CPU and
   memory consumption, which only makes a sense to run on standalone
   servers; other software of the tenant may be good to run on VMs.
   However
   However, provider DC infrastructure is configured to use NVO3 to
   connect VMs and VLAN VLANs [IEEE802.1Q] to physical servers.  The tenant
   network requires interworking between NVO3 and traditional VLAN.

4.2.  DC Applications Spanning Multiple Physical Zones

   A DC can be partitioned into multiple physical zones, with each zone
   having different access permissions and runs running different
   applications.  For example, a three-tier zone design has a front zone
   (Web tier) with Web applications, a mid zone (application tier) where
   service applications such as credit payment or ticket booking run,
   and a back zone (database tier) with Data.  External users are only
   able to communicate with the Web application in the front zone; the
   back zone can only receive traffic from the application zone.  In
   this case, communications between the zones must pass through one or
   more security functions in a physical DMZ zone.  Each zone can be
   implemented by one NVO3 virtual network and the security functions in
   DMZ zone can be used to between two NVO3 virtual networks, i.e., two
   zones.  If network functions (NF), (NFs), especially the security functions
   in the physical DMZ DMZ, can't process encapsulated NVO3 traffic, the
   NVO3 tunnels have to be terminated for the NF to perform its
   processing on the application traffic.

4.3.  Virtual Data Center (vDC)

   An enterprise data center today DC may deploy routers, switches, and network appliance
   devices to construct its internal network, DMZ, and external network
   access; it may have many servers and storage running various
   applications.  With NVO3 technology, a DC Provider provider can construct a virtual Data Center (vDC)
   vDC over its physical DC infrastructure and offer a virtual Data Center vDC service to
   enterprise customers.  A vDC at the DC Provider provider site provides the
   same capability as the physical DC at a customer site.  A customer
   manages its own applications running in its vDC.  A DC Provider provider can
   further offer different network service functions to the customer.
   The network service functions may include a firewall, DNS, load balancer, LB,
   gateway, etc.

   Figure 2 below illustrates one such scenario at the service
   abstraction service-abstraction
   level.  In this example, the vDC contains several L2 VNs (L2VNx,
   L2VNy, L2VNz) to group the tenant systems together on a per-
   application basis, and one L3 VN (L3VNa) for the internal routing.  A
   network firewall and gateway runs on a VM or server that connects to
   L3VNa and is used for inbound and outbound traffic processing. A
   load balancer (LB)  An LB
   is used in L2VNx.  A VPN is also built between the gateway and
   enterprise router.  An Enterprise customer runs Web/Mail/Voice
   applications on VMs within the vDC.  The users at the Enterprise site
   access the applications running in the vDC via the VPN; Internet
   users access these applications via the gateway/firewall at the provider DC
   provider site.

                Internet                    ^ Internet
                                            |
                   ^                     +--+---+
                   |                     |  GW  |
                   |                     +--+---+
                   |                        |
           +-------+--------+            +--+---+
           |Firewall/Gateway+--- VPN-----+router|
           +-------+--------+            +-+--+-+
                   |                       |  |
                ...+....                   |..|
       +-------: L3 VNa :---------+        LANs
     +-+-+      ........          |
     |LB |          |             |     Enterprise Site
     +-+-+          |             |
    ...+...      ...+...       ...+...
   : L2VNx :    : L2VNy :     : L2VNz :
    .......      .......       .......
      |..|         |..|          |..|
      |  |         |  |          |  |
    Web App.     Mail App.      VoIP App.

                        Provider

             DC Provider Site

              Figure 2 - 2: Virtual Data Center Abstraction View

   The enterprise customer decides which applications should be
   accessible only via the intranet and which should be assessable via
   both the intranet and Internet, and it configures the proper security
   policy and gateway function at the firewall/gateway.  Furthermore, an
   enterprise customer may want multi-zones in a vDC (See section (see Section 4.2)
   for the security and/or the ability to set different QoS levels for
   the different applications.

   The vDC use case requires an NVO3 solution to provide DC operators
   with an easy and quick way to create an NVO3 virtual network and NVEs
   for any vDC design, to allocate TSs and assign TSs to the
   corresponding NVO3 virtual network, network and to illustrate vDC topology and
   manage/configure individual elements in the vDC in a secure way.

5.  Summary

   This document describes some general NVO3 use cases in DCs.  The
   combination of these cases will give operators the flexibility and
   capability to design more sophisticated support for various cloud
   applications.

   DC services may vary, NVO3 virtual networks make it possible to scale
   a large number of virtual networks in a DC and ensure the network
   infrastructure not impacted by the number of VMs and dynamic workload
   changes in a DC.

   NVO3 uses tunnel techniques to deliver NVO3 traffic over DC physical
   infrastructure network.  A tunnel encapsulation protocol is
   necessary.  An NVO3 tunnel may may, in turn turn, be tunneled over other
   intermediate tunnels over the Internet or other WANs.

   An NVO3 virtual network in a DC may be accessed by external users in
   a secure way.  Many existing technologies can help achieve this.

6.  Security Considerations

   Security is a concern.  DC operators need to provide a tenant with a
   secured virtual network, which means one tenant's traffic is isolated
   from other tenants' traffic and is not leaked to the underlay
   networks.  Tenants are vulnerable to observation and data
   modification/injection by the operator of the underlay and should
   only use operators they trust.  DC operators also need to prevent a
   tenant application attacking their underlay DC network; networks; further,
   they need to protect a tenant application attacking another tenant
   application via the DC infrastructure network.  For example, a tenant
   application attempts to generate a large volume of traffic to
   overload the DC's underlying network.  This can be done by limiting
   the bandwidth of such communications.

7.  IANA Considerations

   This document does not request require any action from IANA. IANA actions.

8.  Informative References

   [IEEE802.1Q]   IEEE, "IEEE Standard for Local and metropolitan area
                  networks -- Media Access Control (MAC) Bridges and
                  Virtual Bridged Local Area", Area Networks", IEEE Std 802.1Q, 2011.

   [NIST]    National Institute of Standards and Technology, "The NIST
             Definition of Cloud Computing", SP 880-145, September,
             2011.
                  802.1Q-2011, DOI 10.1109/IEEESTD.2011.6009146.

   [NVO3MCAST]    Ghanwani, A., Dunbar, L., et al, McBride, M., Bannai, V., and
                  R. Krishnan, "A Framework for Multicast in Network
                  Virtualization Overlays", draft-ietf-
             nvo3-mcast-framework-05, work Work in progress. Progress,
                  draft-ietf-nvo3-mcast-framework-07, May 2016.

   [RFC1035]      Mockapetris, P., "DOMAIN NAMES "Domain names - Implementation implementation and
             Specification", RFC1035,
                  specification", STD 13, RFC 1035,
                  DOI 10.17487/RFC1035, November 1987. 1987,
                  <http://www.rfc-editor.org/info/rfc1035>.

   [RFC3022]      Srisuresh, P. and K. Egevang, K., "Traditional IP Network
                  Address Translator (Traditional NAT)", RFC3022, RFC 3022,
                  DOI 10.17487/RFC3022, January
             2001. 2001,
                  <http://www.rfc-editor.org/info/rfc3022>.

   [RFC4301]      Kent, S., S. and K. Seo, "Security Architecture for the
                  Internet Protocol", rfc4301, RFC 4301, DOI 10.17487/RFC4301,
                  December 2005 2005,
                  <http://www.rfc-editor.org/info/rfc4301>.

   [RFC4364]      Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
                  Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364,
                  February 2006. 2006,
                  <http://www.rfc-editor.org/info/rfc4364>.

   [RFC7348]      Mahalingam, M., Dutt, D., et al, Duda, K., Agarwal, P.,
                  Kreeger, L., Sridhar, T., Bursell, M., and C. Wright,
                  "Virtual eXtensible Local Area Network (VXLAN): A
                  Framework for Overlaying Virtualized Layer 2 Networks
                  over Layer 3 Networks",
             RFC7348 RFC 7348,
                  DOI 10.17487/RFC7348, August 2014. 2014,
                  <http://www.rfc-editor.org/info/rfc7348>.

   [RFC7364]      Narten, T., et al Ed., Gray, E., Ed., Black, D., Fang, L.,
                  Kreeger, L., and M. Napierala, "Problem Statement:
                  Overlays for Network Virtualization", RFC7364, RFC 7364,
                  DOI 10.17487/RFC7364, October 2014. 2014,
                  <http://www.rfc-editor.org/info/rfc7364>.

   [RFC7365]      Lasserre, M., Motin, Balus, F., Morin, T., et al, Bitar, N., and Y.
                  Rekhter, "Framework for DC Data Center (DC) Network
                  Virtualization", RFC7365, RFC 7365, DOI 10.17487/RFC7365,
                  October 2014. 2014,
                  <http://www.rfc-editor.org/info/rfc7365>.

   [RFC7432]      Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A. and
             J. A.,
                  Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS MPLS-
                  Based Ethernet VPN", RFC7432, RFC 7432, DOI 10.17487/RFC7432,
                  February 2015 2015,
                  <http://www.rfc-editor.org/info/rfc7432>.

   [RFC7637]      Garg, P., Ed., and Y. Wang, Y., Ed., "NVGRE: Network
                  Virtualization
             using Using Generic Routing Encapsulation", RFC7637, Sept. 2015.
                  RFC 7637, DOI 10.17487/RFC7637, September 2015,
                  <http://www.rfc-editor.org/info/rfc7637>.

   [RFC8014]      Black, D., et al, Hudson, J., Kreeger, L., Lasserre, M., and
                  T. Narten, "An Architecture for Overlay Networks Data-Center Network
                  Virtualization over Layer 3 (NVO3)", rfc8014, January 2017. RFC 8014,
                  DOI 10.17487/RFC8014, December 2016,
                  <http://www.rfc-editor.org/info/rfc8014>.

   [VRF-LITE]     Cisco, "Configuring VRF-lite", http://www.cisco.com
                  <http://www.cisco.com/c/en/us/td/docs/switches/lan/
                  catalyst4500/12-2/31sg/configuration/guide/conf/
                  vrf.pdf>.

Acknowledgements

   The authors would like to thank Sue Hares, Young Lee, David Black,
   Pedro Marques, Mike McBride, David McDysan, Randy Bush, Uma Chunduri,
   Eric Gray, David Allan, Joe Touch, Olufemi Komolafe, Matthew Bocci,
   and Alia Atlas for the reviews, comments, and suggestions.

Contributors

   David Black
   Dell EMC
   176 South Street
   Hopkinton, MA 01748
   United States of America
   Email: David.Black@dell.com

   Vinay Bannai
   PayPal
   2211 N. First St, Street
   San Jose, CA 95131
   United States of America
   Phone: +1-408-967-7784
   Email: vbannai@paypal.com

   Ram Krishnan
   Brocade Communications
   San Jose, CA 95134
   United States of America
   Phone: +1-408-406-7890
   Email: ramk@brocade.com

   Kieran Milne
   Juniper Networks
   1133 Innovation Way
   Sunnyvale, CA 94089
   United States of America
   Phone: +1-408-745-2000
   Email: kmilne@juniper.net

Acknowledgements

   Authors like to thank Sue Hares, Young Lee, David Black, Pedro
   Marques, Mike McBride, David McDysan, Randy Bush, Uma Chunduri, Eric
   Gray, David Allan, Joe Touch, Olufemi Komolafe, Matthew Bocci, and
   Alia Atlas for the review, comments, and suggestions.

Authors' Addresses

   Lucy Yong
   Huawei Technologies
   Phone: +1-918-808-1918
   Email: lucy.yong@huawei.com

   Linda Dunbar
   Huawei Technologies,
   5340 Legacy Dr. Drive
   Plano, TX 75025 US
   United States of America
   Phone: +1-469-277-5840
   Email: linda.dunbar@huawei.com

   Mehmet Toy
   Verizon

   E-mail : mtoy054@yahoo.com
   Email: mehmet.toy@verizon.com

   Aldrin Isaac
   Juniper Networks
   E-mail:
   1133 Innovation Way
   Sunnyvale, CA 94089
   United States of America
   Email: aldrin.isaac@gmail.com

   Vishwas Manral
   Nano Sec Co
   3350 Thomas Rd.
   Santa Clara, CA
   United States of America
   Email: vishwas@ionosnetworks.com vishwas@nanosec.io