NVO3 Working GroupInternet Engineering Task Force (IETF) Y. LiINTERNET-DRAFTRequest for Comments: 8394 D. EastlakeIntended Status:3rd Category: Informational Huawei Technologies ISSN: 2070-1721 L. Kreeger Arrcus,IncInc. T. Narten IBM D. Black Dell EMCExpires: September 14, 2018 March 13,May 2018 Split Network Virtualization Edge (Split-NVE)Control PlaneControl-Plane Requirementsdraft-ietf-nvo3-hpvr2nve-cp-req-17Abstract Inathe Split Network Virtualization Edge (Split-NVE) architecture, the functions of the NVE(Network Virtualization Edge)are split across a server andana piece of external network equipmentwhichthat is called anexternal NVE."External NVE". The server-residentcontrol planecontrol-plane functionality resides in control software, which may be part of hypervisor orcontainer managementcontainer-management software; for simplicity, this document refers to the hypervisor as thelocation"location" of this software.Control plane protocol(s)One or more control-plane protocols between a hypervisor and its associatedexternalExternal NVE(s) are used by the hypervisor to distribute itsvirtual machinevirtual-machine networking state to theexternalExternal NVE(s) for further handling. This document illustrates the functionality required by this type ofcontrol planecontrol-plane signaling protocol and outlines thehigh levelhigh-level requirements.Virtual machineVirtual-machine states as well as state transitioning are summarized to help clarify the protocol requirements. Status ofthisThis Memo ThisInternet-Draftdocument issubmitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsnot an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force(IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum(IETF). It represents the consensus ofsix monthsthe IETF community. It has received public review andmay be updated, replaced, or obsoletedhas been approved for publication byotherthe Internet Engineering Steering Group (IESG). Not all documentsatapproved by the IESG are candidates for anytime. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The listlevel of Internet Standard; see Section 2 of RFC 7841. Information about the currentInternet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The liststatus ofInternet-Draft Shadow Directories canthis document, any errata, and how to provide feedback on it may beaccessedobtained athttp://www.ietf.org/shadow.htmlhttps://www.rfc-editor.org/info/rfc8394. Copyrightand LicenseNotice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents(http://trustee.ietf.org/license-info)(https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . .. 4 1.12 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . .. 5 1.24 1.2. Target Scenarios . . . . . . . . . . . . . . . . . . . .. 65 2. VM Lifecycle . . . . . . . . . . . . . . . . . . . . . . . .. 8 2.17 2.1. VM Creation Event . . . . . . . . . . . . . . . . . . . .. 8 2.27 2.2. VM Live Migration Event . . . . . . . . . . . . . . . . .. 9 2.38 2.3. VM Termination Event . . . . . . . . . . . . . . . . . .. . 10 2.49 2.4. VM Pause,SuspensionSuspension, and Resumption Events . . . . . . .. . 109 3. Hypervisor-to-NVEControl PlaneControl-Plane Protocol Functionality . . .. 11 3.1 VN Connect10 3.1. VN_Connect andDisconnect . .VN_Disconnect . . . . . . . . . . . . . .. 11 3.210 3.2. TSI Associate and Activate . . . . . . . . . . . . . . .. . 13 3.312 3.3. TSIDisassociateDe-Associate and Deactivate . . . . . . . . . . . . .. 1514 4. Hypervisor-to-NVEControl PlaneControl-Plane Protocol Requirements . . . .. 1615 5. VDP Applicability and Enhancement Needs . . . . . . . . . . .. 1716 6. Security Considerations . . . . . . . . . . . . . . . . . . .. 1918 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . .. 2019 8.AcknowledgementsReferences . . . . . . . . . . . . . . . . . . . . . . . . . 208.8.1. Normative References . . . . . . . . . . . . . . . . . . 20 8.2. Informative References . . . . . . . . . . . . . . . . . 208.1 Normative ReferencesAppendix A. VDP Illustrations (per IEEE 802.1Q) (for Information Only) . . . . . . . . . . . . . . . . . . .20 8.2 Informative References. . . . 21 Acknowledgements . . . . . . . . . . . . . .21 Appendix A. IEEE 802.1Q VDP Illustration (For information only).21. . . . . . . . . 24 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . ..24 1. Introduction In theSplit-NVESplit Network Virtualization Edge (Split-NVE) architecture shown in Figure 1, the functionality of the NVE(Network Virtualization Edge)is split across an end device supporting virtualization and an external network devicewhichthat is called anexternal NVE."External NVE". The portion of the NVE functionality located on the end device is called thetNVE"tNVE" (terminal-sideNVE)NVE), and the portion located on theexternalExternal NVE is called thenNVE"nNVE" (network-side NVE) in this document. Overlay encapsulation/decapsulation functions are normallyoff-loadedoffloaded to the nNVE on theexternalExternal NVE. +------------ Split-NVE ---------+ | | | | +-----------------|-----+ | | +---------------|----+| | | | +--+ \|/ || | | | |V |TSI +-------+ || +------|-------------+ | | |M |-----+ | || | \|/ | | | +--+ | | || |+--------+ | | | +--+ | tNVE | ||-------------------|| | | | | |V |TSI | | || || nNVE | | | | |M |-----| | || || | | | | +--+ +-------+ || |+--------+ | | | || +--------------------+ | +-----Hypervisor-----+| +-----------------------+ End Device External NVE Figure11: Split-NVEstructureStructure The tNVE is normally implemented as a part of a hypervisor or container and/or a virtual switch inana virtualized end device. This document uses the term "hypervisor" throughout when describing the Split-NVE scenario where part of the NVE functionality isoff-loadedoffloaded to a separate device from the "hypervisor" that contains a VM (Virtual Machine) connected to a VN(Virutal(Virtual Network). In this context, the term "hypervisor" is meant to cover any device type where part of the NVE functionality isoff-loadedoffloaded in this fashion,e.g.,ae.g., a Network Service Appliance or Linux Container. TheNVO3Network Virtualization over Layer 3 (NVO3) problem statement[RFC7364],[RFC7364] discusses theneedsneed for acontrol planecontrol-plane protocol (or protocols) to populate each NVE with the state needed to perform the required functions. In one scenario, an NVE provides overlay encapsulation/decapsulationpacket forwardingpacket-forwarding services to Tenant Systems(TSs)that are co-resident within the NVE on the sameEnd Device (e.g.end device (e.g., when the NVE is embedded within a hypervisor or a Network Service Appliance). In such cases, there is no need for a standardized protocol between the hypervisor and the NVE, as the interaction is implemented via software on a single device.WhileHowever, in the Split-NVE architecturescenarios, asscenarios shown infigureFigures 2to figure 4, control plane protocol(s)through 4 (see Section 1.2), one or more control-plane protocols between a hypervisor and its associatedexternalExternal NVE(s) are required for the hypervisor to distribute thevirtual machinesVM's networking states to the NVE(s) for further handling. The protocol is an NVE-internal protocol and runs between tNVE and nNVE logical entities. This protocol is mentioned in the "third work area" text in Section 4.5 of the NVO3 problem statement[RFC7364] and appears as the third work item. Virtual machine[RFC7364]. VM states and state transitioning are summarized in thisdocumentdocument, showing events where the NVE needs to take specific actions. Such events might correspond to actions that thecontrol planecontrol-plane signalingprotocol(s)protocol or protocols need to take between the tNVE and the nNVE in the Split-NVE scenario. Thehigh levelhigh-level requirements to be fulfilled arestated. Thislisted in Section 4. To describe the requirements, this document uses VMs as an example of TenantSystems (TSs) in order to describe the requirements,Systems, even though a VM is just one type of Tenant System that may connect to a VN. For example, a service instance within a Network Service Appliance is another type ofTS,Tenant System, as are systems running onanOS-level virtualization technologies like containers. The fact that VMs have lifecycles (e.g., can be created and destroyed, can be moved, and can be started or stopped) results in a general set of protocol requirements, most of which are applicable to other forms ofTSsTenant Systems, although not all of the requirements are applicable to all forms ofTSs.Tenant Systems. Section 2 describes VM states and state transitioning in the VM's lifecycle. Section 3 introducesHypervisor-to-NVE control planehypervisor-to-NVE control-plane protocol functionality derived from VM operations and network events. Section 4 outlines the requirements of thecontrol planecontrol-plane protocol to achieve the required functionality.1.11.1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. This document uses the same terminology as the terminology found in [RFC7365]. This section defines additional terminology used by this document. Split-NVE:aA type of NVE (Network Virtualization Edge) where the functionalities are split across an end device supporting virtualization and an external network device. tNVE:theTerminal-side NVE. The portion of Split-NVE functionalities located on the end device supporting virtualization.ItThe tNVE interacts with atenant systemTenant System through an internal interface in the end device. nNVE:theNetwork-side NVE. The portion of Split-NVE functionalities located on the network device that is directly or indirectly connected to the end deviceholdingthat contains the corresponding tNVE. The nNVE normally performs encapsulation to and decapsulation from the overlay network. External NVE:theThe physical network deviceholdingthat contains thenNVEnNVE. Hypervisor:theThe logical collection of software,firmwarefirmware, and/or hardware that allows the creation and running of server or service appliance virtualization. The tNVE is located under aHypervisor. Hypervisorhypervisor. The term "hypervisor" is loosely used in this document to refer to the end device supporting the virtualization. For simplicity, we also useHypervisor to represent both hypervisor and container. Container: Please refer to Hypervisor. For simplicity this document usethe termhypervisor"hypervisor" to represent both the hypervisor and the container. Container: Please see "Hypervisor:" above. VN Profile:Meta dataMetadata that is associated with a VN(Virtual Network) that isand applied to any attachment point to theVN. That is,VN (i.e., VAP (Virtual Access Point) properties that are applied to all VAPs associated with a given VN and used by an NVE when ingressing/egressing packets to/from a specificVN. Meta dataVN). Metadata could include such information asACLs,Access Control Lists (ACLs) and QoSsettings, etc.settings. The VN Profile contains parameters that apply to the VN as a whole. Control protocols between the NVE and the NVA (Network Virtualization Authority) could use the VN ID or VN Name to obtain the VN Profile. VSI: Virtual Station Interface.[IEEE 802.1Q]See [IEEE802.1Q]. VDP: VSI Discovery and ConfigurationProtocol [IEEE 802.1Q] 1.2Protocol. See [IEEE802.1Q]. 1.2. Target Scenarios In the Split-NVE architecture, anexternalExternal NVE can providean offloadoffloading of theencapsulation / decapsulationencapsulation/decapsulation functions and network policy enforcement as well as offloading of overhead from the VNOverlay protocol overhead.overlay protocol. This offloading may improve performance and/or save resources in theEnd Device (e.g.end device (e.g., hypervisor) using theexternalExternal NVE.The following figuresFigures 2 through 4 give example scenariosof afor the Split-NVE architecture. Hypervisor Access Switch +------------------+ +-----+-------+ | +--+ +-------+ | | | | | |VM|---| | | VLAN | | | | +--+ | tNVE |---------+ nNVE| +--- Underlying | +--+ | | | Trunk | | | Network | |VM|---| | | | | | | +--+ +-------+ | | | | +------------------+ +-----+-------+ Figure22: Hypervisor with an External NVE Hypervisor L2 Switch +---------------+ +-----+ +----+---+ | +--+ +----+ | | | | | | | |VM|---| | |VLAN | |VLAN | | | | +--+ |tNVE|-------+ +-----+nNVE| +--- Underlying | +--+ | | |Trunk| |Trunk| | | Network | |VM|---| | | | | | | | | +--+ +----+ | | | | | | +---------------+ +-----+ +----+---+ Figure33: Hypervisor with an External NVEconnectedConnected through an Ethernet Access Switch Network Service Appliance Access Switch+--------------------------++-----------------------------+ +-----+-------+ |+------------++---------------+ | \ | | | | ||Net Service |----||Network Service|----| \ | | | | | |Instance | | \ | VLAN | | | |+------------++---------------+ |tNVE| |------+nNVE | +--- Underlying |+------------++---------------+ | | | Trunk| | | Network ||Net Service |----||Network Service|----| / | | | | | |Instance | | / | | | | |+------------++---------------+ | / | | | |+--------------------------++-----------------------------+ +-----+-------+ Figure44: Physical Network Service Appliance with an External NVE Tenant Systems connect toexternalExternal NVEs via a Tenant System Interface (TSI). The TSI logically connects to theexternalExternal NVE via aVirtual Access Point (VAP)VAP [RFC8014]. TheexternalExternal NVE may provide Layer 2 or Layer 3 forwarding. In the Split-NVE architecture, theexternalExternal NVE may be able to reach multipleMACMedia Access Control (MAC) addresses and IP addresses via a TSI. An IP address can be in either IPv4 or IPv6 format. For example, Tenant Systems that are providing network services (such as a transparent firewall, load balancer, or VPN gateway) are likely to have a complex address hierarchy. This implies that if a given TSIdisassociatesde-associates from one VN, all the MAC and/or IP addresses are alsodisassociated.de-associated. There is no need to signal the deletion of every MAC or IP address when the TSI is brought down or deleted. In the majority of cases, a VM will be acting as a simple host that will have a single TSIandas well as a single MAC and IP address visible to theexternalExternal NVE. Figures 2 through 4 show the use of VLANs to separate traffic for multiple VNs between the tNVE and the nNVE; VLANs are not strictly necessary if only one VN is involved, but multiple VNs are expected in most cases.HenceHence, thisdraftdocument assumes the presence of VLANs. 2. VM Lifecycle Figure 2 of [RFC7666] shows thestate transitionstates and transitions of a VM. Some of the VM states are of interest to theexternalExternal NVE. This section illustrates the relevant phases and events in the VM lifecycle. Note that the following subsections do not giveanexhaustivetraversaldescriptions of VM lifecyclestate. Theystates. Rather, they are intended astheillustrative exampleswhichthat are relevant to the Split-NVEarchitecture,architecture and not as prescriptive text; the goal is to capture sufficient detail to set a context for thesignaling protocolsignaling-protocol functionality and requirements described in the following sections.2.12.1. VM Creation Event The VM creation event causes the VM state to transition fromPreparingthe "preparing" state toShutdownthe "shutdown" state and then toRunningthe "running" state [RFC7666]. The end device allocates and initializes local virtual resources like storage in theVM PreparingVM's preparing state. In theShutdownshutdown state, the VM has everythingreadyready, except that CPU execution is not scheduled by the hypervisor and the VM's memory is not resident in the hypervisor. The transition from theShutdownshutdown state to theRunningrunning state normally requires human action or asystem triggeredsystem-triggered event.RunningThe running state indicates that the VM is in the normal execution state. As part of transitioning the VM to theRunningrunning state, the hypervisor must also provision network connectivity for the VM's TSI(s) so that Ethernet frames can be sent and received correctly. Initially, whenRunning,in the running state, no ongoing migration,suspensionsuspension, or shutdown is in process. In the VM creation phase, the VM's TSI has to be associated with theexternalExternal NVE.Association"Association" here indicates that the hypervisor and theexternalExternal NVE have signaled each other and reached some form of agreement. Relevant networking parameters or information have been provisioned properly. The External NVE should be informed of the VM's TSI MAC address and/or IP address. In addition to external network connectivity, the hypervisor may provide local network connectivity between the VM's TSI and TSIs for otherVM's TSIVMs that are co-resident on the same hypervisor. When the intra- or inter-hypervisor connectivity is extended to theexternalExternal NVE, a locally significant tag,e.g.e.g., VLAN ID, should be used between the hypervisor and theexternalExternal NVE to differentiate each VN's traffic. Both the hypervisor andexternalExternal NVE sides must agree on that tag value for traffic identification, isolation, and forwarding. TheexternalExternal NVE may need to do some preparation before it signals successful association with the TSI. Such preparation may include locally saving the states and binding information of thetenant system interfaceTSI and itsVN,VN or communicating with the NVA for networkprovisioning, etc. Tenant System interfaceprovisioning. A TSI association should be performed before the VM enters theRunningrunning state, preferably in theShutdownshutdown state. If the association with anexternalExternal NVE fails, the VM should not go into theRunningrunning state.2.22.2. VM Live Migration Event Live migration is sometimes referred to as "hot" migration in that, from an external viewpoint, the VM appears to continue to run while being migrated to another server (e.g., TCP connections generally survive this class of migration). In contrast, "cold" migration consists of shutting down VM execution on one server and restarting it on another. For simplicity, the following abstract summary of live migration assumes shared storage, so that the VM's storage is accessible to the source and destination servers. Assume that the VMlive migrates"live migrates" from hypervisor 1 to hypervisor 2. Such a migration event involves state transitions on both source hypervisor 1 and destination hypervisor 2. The VM state on source hypervisor 1transitstransitions fromRunningthe running state toMigratingthe "migrating" state and then toShutdownthe shutdown state [RFC7666]. The VM state on destination hypervisor 2transitstransitions fromShutdownthe shutdown state toMigratingthe migrating state and thenRunning.to the running state. TheexternalExternal NVE connected to destination hypervisor 2 has to associate the migrating VM's TSI withititself (i.e., the External NVE) by discovering the TSI's MAC and/or IP addresses, discovering its VN, discovering its locally significant VLAN IDif any,(if any), and provisioning othernetwork relatednetwork-related parameters of the TSI. TheexternalExternal NVE may be informed about the VM's peer VMs, storagedevicesdevices, and other network appliances with which the VM needs to communicate or is communicating. The migrated VM on destination hypervisor 2 should not go toRunningthe running state until all the network provisioning and bindinghashave been done. Thestates ofVM state on both the source hypervisor and the destinationhypervisors both are Migratinghypervisor will be the migrating state during the transfer ofmigrationVM execution. The migrating VM should not be inRunningthe running state at the same time on the source hypervisor and destination hypervisor during migration. The VM on the source hypervisor does not transitioninto Shutdownto the shutdown state until the VM successfully enters theRunningrunning state on the destination hypervisor. It is possible that the VM on the source hypervisor stays inMigratingthe migrating state for a while after the VM on the destination hypervisor entersRunningthe running state.2.32.3. VM Termination Event A VM termination event is also referred to as "powering off" a VM. A VM termination event leads toits state becoming Shutdown. Therethe VM's transition to the shutdown state. Per [RFC7666], there are two possible causes of VMtermination [RFC7666]. One is the normal "power off" of atermination: 1. A runningVM; the other is that theVM has undergone a normal "power-off". 2. The VM has been migrated to anotherhypervisorhypervisor, and the VM image on the source hypervisor has to stop executing and beshutdown.shut down. In VM termination, theexternalExternal NVE connecting to that VM needs to deprovision the VM,i.e.i.e., delete the network parameters associated with that VM. In other words, theexternalExternal NVE has to de-associate the VM's TSI.2.42.4. VM Pause,SuspensionSuspension, and Resumption Events A VM pause event leads to the VMtransitingtransitioning fromRunningthe running state toPausedthe "paused" state. ThePausedpaused state indicates that the VM is resident in memory butno longerthat CPU execution is not scheduledto executeby the hypervisor [RFC7666]. The VM can be easilyre-activatedreactivated fromPausedthe paused state toRunningthe running state. A VM suspension event leads to the VMtransitingtransitioning fromRunningthe running state toSuspendedthe "suspended" state. A VM resumption event leads to the VMtransiting statetransitioning fromSuspendedthe suspended state toRunningthe running state.Suspended state meansIn the suspended state, the memory and CPU execution state of thevirtual machineVM are saved to persistentstore.storage. During this state, CPU execution for thevirtual machineVM is not scheduledto executeby the hypervisor [RFC7666]. In the Split-NVE architecture, theexternalExternal NVE should notdisassociatede-associate the paused or suspendedVMVM, as the VM can return toRunningthe running state at any time. 3. Hypervisor-to-NVEControl PlaneControl-Plane Protocol Functionality The following subsections show illustrative examples of the state transitions of anexternalExternal NVEwhichthat are relevant toHypervisor-to- NVE Signaling protocolhypervisor-to-NVE signaling-protocol functionality.It should be noted thisNote: This is not prescriptive text for the full state machine.3.1 VN Connect3.1. VN_Connect andDisconnectVN_Disconnect In the Split-NVE scenario, a protocol is needed between theEnd Device (e.g. Hypervisor)end device (e.g., hypervisor) and theexternalExternal NVE it isusingusing, in order to make theexternalExternal NVE aware of the changing VN membership requirements of the Tenant Systems within theEnd Device.end device. A key driver for using a protocol rather than using static configuration of theexternalExternal NVE isbecausethat the VN connectivity requirements can change frequently as VMs are brought up, moved, and brought down on various hypervisors throughout the data center or external cloud. Figure 5 shows the state transition for a VAP on theexternalExternal NVE. An NVE that supports thehypervisor to NVE control planehypervisor-to-NVE control-plane protocol should support one instance of the state machine for each active VN. The state transition on theexternalExternal NVE is normally triggered bythe hypervisor-facing sideevents andbehaviors.behaviors on the hypervisor-facing side. Some of the interleavedinteractioninteractions between the NVE and the NVA will be illustrated to better explain the wholeprocedure;procedure, whileothers of them mayother interactions will not be shown.+---------------++----------------+ ReceiveVN_connect; +-------------------+ |VN_Disconnected|VN_Connect; +----------------------+ |VN_Disconnected | return Local_Tag value |VN_Connected |+---------------++----------------+ for VN if successful;+-------------------++----------------------+ |VN_ID; |-------------------------->|VN_ID; | |VN_State= ||VN_State=connected;| |disconnected;|VN_State=VN_Connected;| |VN_Disconnected;| |Num_TSI_Associated; ||Num_TSI_Associated;|| |<--ReceiveVN_disconnect---|Local_Tag;VN_Disconnect---|Local_Tag; |+---------------++----------------+ |VN_Context; |+-------------------++----------------------+ Figure5.5: State Transition Example of a VAP Instance on an External NVE TheexternalExternal NVE must be notified when anEnd Deviceend device requires a connection to a particular VN and when it no longer requires a connection. Connectionclean upcleanup for the failed devices should beemployed whichemployed. Note that this topic is out ofthescopeoffor the protocol specified in this document. In addition, theexternalExternal NVE should provide a local tag value for each connected VN to theEnd Deviceend device to use for exchanging packets between theEnd Deviceend device and theexternalExternal NVE(e.g.(e.g., a locally significant[IEEE 802.1Q]tagvalue).value per [IEEE802.1Q]). How "local" the significance is depends on whether 1. theHypervisorhypervisor has a direct physical connection to theexternalExternal NVE (in which case the significance is local to the physicallink),link) orwhether2. there is an Ethernet switch(e.g.(e.g., a blade switch) connecting theHypervisorhypervisor to the NVE (in which case the significance is local to the intervening switch and all the links connected to it). These VLAN tags are used to differentiate between different VNs as packets cross theshared accessshared-access network to theexternalExternal NVE. When theexternalExternal NVE receives packets, it uses the VLAN tag to identify their VN coming from a given TSI, strips the tag, adds the appropriate overlay encapsulation for that VN, and sends it towards the corresponding remote NVE across the underlying IP network. The Identification of the VN in this protocol couldeitherbe through either a VN Name or a VN ID. A globally unique VN Name facilitates portability of aTenant's Virtual Data Center.tenant's virtual data center. Once anexternalExternal NVE receives aVN connect indication,VN_Connect message, the NVE needs a way to get aVN ContextVN_Context allocated (or to receive thealready allocated VN Context)already-allocated VN_Context) for a given VN Name or VN ID (as well as any other information needed to transmit encapsulated packets). How this is done is the subject of the NVE-to-NVAprotocol which are partprotocol; see the "first two areas ofwork items 1 and 2work" text in Section 4.5 of [RFC7364]. TheexternalExternal NVE needs to synchronize the mapping information of the local tag and VN Name or VN ID with the NVA. TheVN_connectVN_Connect message can be explicit or implicit.Explicit"Explicit" means that the hypervisor sends a request message explicitly for the connection to a VN.Implicit"Implicit" means that theexternalExternal NVE receives other messages,e.g.e.g., the very first TSIassociateAssociate message (see the next subsection) for a given VN, that implicitly indicate its interest in connecting to a VN. AVN_disconnectVN_Disconnect message indicates that the NVE can release all the resources for that disconnected VN andtransittransition toVN_disconnectedthe VN_Disconnected state. The local tag assigned for that VN can possibly be reclaimed for use by another VN.3.23.2. TSI Associate and Activate Typically, a TSI is assigned a single MACaddressaddress, and all frames transmitted and received on that TSI use that single MAC address. As mentioned earlier, it is also possible for a Tenant System to exchange frames using multiple MAC addresses or packets with multiple IP addresses. Particularly in the case of aTSTenant System that is forwarding frames or packets from otherTSs,Tenant Systems, theexternalExternal NVE will need to communicate the mapping between the NVE's IP address on the underlying network and ALL the addresses theTSTenant System is forwarding on behalf of the corresponding VN to the NVA. The NVE has two ways it can discover the tenant addresses for which frames are to be forwarded to a givenEnd Deviceend device (and ultimately to theTSTenant System within thatEnd Device).end device). 1. It can glean the addresses by inspecting the source addresses in packets it receives from theEnd Device.end device. 2. The hypervisor can explicitly signal the address associations of a TSI to theexternalExternal NVE. An address association includes all the MAC and/or IP addresses possibly used as source addresses in a packet sent from the hypervisor toexternalthe External NVE. TheexternalExternal NVE may further use this information to filter the future traffic from the hypervisor. To use the second approach above, the"hypervisor-to-NVE"control-plane protocol running between the hypervisor and the NVE must supportEnd Devicesend devices communicating newtenant addressestenant-address associations for a given TSI within a given VN. Figure 6 showsthean example of a state transition for a TSI connecting to a VAP on theexternalExternal NVE. An NVE that supports thehypervisor to NVE control planehypervisor- to-NVE control-plane protocol may support one instance of the state machine for each TSI connecting to a given VN.disassociateDe-Associate +--------+disassociateDe-Associate +--------------->| Init |<--------------------+ | +--------+ | | | | | | | | | | +--------+ | | | | | |associateAssociate | |activateActivate | | +-----------+ +-----------+ | | | | | | | | | | \|/ \|/ | +--------------------+ +---------------------+ | Associated | | Activated | +--------------------+ +---------------------+ |TSI_ID; | |TSI_ID; | |Port;|-----activate---->|Port;|-----Activate---->|Port; | |VN_ID; | |VN_ID; ||State=associated;|State=Associated; ||State=activated ;|State=Activated; |-+ +-|Num_Of_Addr;|<---deactivate|<---Deactivate ---|Num_Of_Addr; | | | |List_Of_Addr; | |List_Of_Addr; | | | +--------------------+ +---------------------+ | | /|\ /|\ | | | | | +---------------------+ +-------------------+ add/remove/updt addr; add/remove/updt addr; or update port; or update port; Figure66: State Transition Example of a TSI Instance on an External NVE The Associated state of a TSI instance on anexternalExternal NVE indicates that all the addresses for that TSI have already associated with the VAP of theexternalExternal NVE on a givenport e.g.port, e.g., on port p for a givenVNVN, but no real traffic to and from the TSI is expected and allowed to pass through. An NVE has reserved all the necessary resources for that TSI. AnexternalExternal NVE may report the mappings of its underlay IP address and the associated TSI addresses toNVAthe NVA, and relevant network nodes may save such information to their mapping tables but not their forwarding tables. An NVE may createACLACLs or filter rules based on the associated TSI addresses on that attached port p but not enable them yet. The local tag for the VN corresponding to the TSI instance should be provisioned on port p to receive packets. The VM migration event (discussedsectionin Section 2) may cause the hypervisor to send anassociateAssociate message to the NVE connected to the destination hypervisor of the migration. A VM creation event may alsocause totrigger the samepractice.scenario. The Activated state of a TSI instance on anexternalExternal NVE indicates that all the addresses for that TSI are functioning correctly on a given port, e.g., porte.g. port pp, and traffic can be received from and sent to that TSI via the NVE. The mappings of the NVE's underlay IP address and the associated TSI addresses should beput intoadded to the forwarding table rather than the mapping table on relevant network nodes.ACLACLs or filter rules based on the associated TSI addresses on the attached port pinon the NVE are enabled. The local tag for the VN corresponding to the TSI instance must be provisioned on port p to receive packets. The Activate message makes the statetransittransition from Init or Associated to Activated. VM creation, VM migration, and VM resumption eventsdiscussed(discussed in Section42) may trigger sending the Activate message from the hypervisor to theexternalExternal NVE. TSI information may get updated in either the Associated state or the Activated state. The following are considered updates to the TSI information: add or remove the associated addresses, update the current associated addresses (forexample updatingexample, update the IP address for a givenMAC),MAC address), and update the NVE port information based on where the NVE receives messages. Such updates do not change the state of the TSI. When any address associated with a given TSI changes, the NVE should inform the NVA to update the mapping information for the NVE's underlying address and the associated TSI addresses. The NVE should also change its localACLACLs or filter settings accordingly for the relevant addresses. Port information updates will cause the provisioning of the local tag for the VN corresponding to the TSI instance on the new port and removal from the old port.3.33.3. TSIDisassociateDe-Associate and DeactivateDisassociateDe-Associate anddeactivateDeactivate behaviors are conceptually the reverse ofassociateAssociate andactivate.Activate. From the Activated state to the Associated state, theexternalExternal NVE needs to make sure the resources are still reserved but the addresses associatedtowith the TSI are not functioning. No traffic to or from the TSI is expected or allowed to pass through. For example, the NVE needs to tell the NVA to remove the relevantaddresses mappinginformation regarding address mapping from the forwarding and routing tables.ACLACLs andfilteringfilter rules regarding the relevant addresses should be disabled. From the Associated or Activated state to the Init state, the NVE releases all the resources relevant to TSI instances. The NVE should also inform the NVA to remove the relevant entries from the mapping table.ACLACLs orfilteringfilter rules regarding the relevant addresses should be removed. Local tag provisioning on the connecting port on the NVE should be cleared. A VM suspension event (discussed insectionSection 2) may cause the relevant TSI instance(s) on the NVE totransittransition from the Activated state to the Associated state. A VM pause event normally does not affect the state of the relevant TSI instance(s) on theNVENVE, as the VM is expected to run again soon. A VM shutdown event will normally cause the relevant TSI instance(s) on the NVE to transition to the Init state from the Activated state. All resources should be released. A VM migration will cause the TSI instance on the source NVE to leave the Activated state. When a VM migrates to another hypervisor connecting to the same NVE,i.e.i.e., the source and destination NVE are the same, the NVE should use the TSI_ID and the incoming port to differentiate two TSI instances. Although the triggering messages for the state transition shown in Figure 6doesdo not indicate the difference between a VM creation/shutdown event and a VM migration arrival/departure event, theexternalExternal NVE can make optimizations if it is given such information. For example, if the NVE knows that the incomingactivateActivate message is caused by migration rather than VM creation, some mechanisms may be employed or triggered to make sure the dynamic configurations or provisionings on the destination NVE are the same as those on the source NVE for the migrated VM. Forexampleexample, an IGMP query [RFC2236] can be triggered by the destinationexternalExternal NVE to the migrated VM so that the VM is forced to send an IGMP report to the multicast router.Then aThe multicast router can then correctly route the multicast traffic to the newexternalExternal NVE for those multicast groups the VM joined before the migration. 4. Hypervisor-to-NVEControl PlaneControl-Plane Protocol Requirements Req-1: The protocol MUST support a bridged network connectingEnd Devicesend devices to the External NVE. Req-2: The protocol MUST support multipleEnd Devicesend devices sharing the same External NVE via the same physical port across a bridged network. Req-3: The protocol MAY support anEnd Deviceend device using multipleexternalExternal NVEs simultaneously, but only oneexternalExternal NVE for eachVN.VN (active-standby External NVE case for a VN). Req-4: The protocol MAY support anEnd Deviceend device using multipleexternalExternal NVEs simultaneously for the sameVN.VN (active-active External NVE case for a VN). Req-5: The protocol MUST allow theEnd Deviceend device to initiate a request to its associated External NVE to be connected/disconnected to a given VN. Req-6: The protocol MUST allow an External NVE initiating a request to its connectedEnd Devicesend devices to be disconnected from a given VN. Req-7: When aTSTenant System attaches to a VN, the protocol MUST allow for anEnd Deviceend device and itsexternalExternal NVE to negotiate one or morelocally-locally significanttag(s)tags for carrying traffic associated with a specific VN (e.g.,[IEEE 802.1Q] tags).tags per [IEEE802.1Q]). Req-8: The protocol MUST allow anEnd Deviceend device initiating a request toassociate/disassociateassociate/de-associate and/oractivate/deactiveactivate/deactivate some or alladdress(es)addresses of a TSI instance to a VN on an NVE port. Req-9: The protocol MUST allow the External NVE initiating a request todisassociatede-associate and/or deactivate some or alladdress(es)addresses of a TSI instance to a VN on an NVE port. Req-10: The protocol MUST allow anEnd Deviceend device initiating a request to add,removeremove, or update address(es) associated with a TSI instance on theexternalExternal NVE. Addresses can be expressed in differentformats,formats -- for example, MAC,IPIP, orpair of IP and MAC.IP-MAC pair. Req-11: The protocol MUST allow the External NVE and the connectedEnd Deviceend device to authenticate each other. Req-12: The protocol MUST be able to run overL2Layer 2 links between theEnd Deviceend device and its External NVE. Req-13: The protocol SHOULD supportthe End Device indicating ifanassociateend device that indicates that an Associate oractivateActivate request fromitthe end device is the result of a VM hot migration event. 5. VDP Applicability and Enhancement Needs The Virtual Station Interface (VSI) Discovery and Configuration Protocol (VDP)[IEEE 802.1Q][IEEE802.1Q] can be thecontrol planecontrol-plane protocol running between the hypervisor and theexternalExternal NVE. Appendix Aillustratesprovides informative VDP illustrations for thereader's information.reader. VDP facilitates the automatic discovery and configuration of Edge Virtual Bridging (EVB) stations andEdge Virtual Bridging (EVB)EVB bridges. An EVB station is normally an end station running multiple VMs.ItIn this document, it is considered conceptually equivalent to ahypervisor in this document.hypervisor. An EVB bridge is conceptually equivalent to theexternalExternal NVE. VDP is able to pre-associate/associate/de-associate a VSI on an EVB station with a port on the EVB bridge.A VSI is approximatelyIn theconceptcontext of this document, a VSI is conceptually approximate to a virtual port by which a VM connects to thehypervisor in this document's context.hypervisor. The EVB station and the EVB bridge can reach agreement on VLAN ID(s) assigned to a VSI via a VDP message exchange. Other configuration parameters can be exchanged via VDP as well. VDP is carried over the Edge ControlProtocol(ECP) [IEEE 802.1Q]Protocol (ECP) [IEEE802.1Q], which providesareliable transportation over alayerLayer 2 network. VDPprotocolneeds some extensions to fulfill the requirements listed in Section 4 of this document. Table 1 shows the needed extensions and/or clarifications in the NVO3 context. +------+-----------+-----------------------------------------------+ | Req | Supported |remarksRemarks | | | by VDP? | | +------+-----------+-----------------------------------------------+ | Req-1| | | +------+ |Needs extension. Must be able to send to a | | Req-2| |specific unicastMACMAC, and should be able tosend|| +------+ Partially|to|send to a non-reservedwell knownwell-known multicastaddress| | Req-3||other|address other than the nearest customer bridgeaddress.| +------+| +------+ |address. | | Req-4| | | +------+-----------+-----------------------------------------------+ | Req-5| Yes|VN|The VN is indicated byGroupIDGroupID. | +------+-----------+-----------------------------------------------+ | Req-6| Yes|Bridge|The bridge sendsDe-Associatea De-Associate. | +------+-----------+------------------------+----------------------+ | | |VID==NULL inrequest andthe request. The bridge returnsthe| |Req-7| Yes |assigned| |the assigned VLAN ID (VID) value inresponse or specify GroupIDthe | | Req-7| Yes |response. GroupID, which is optionally present| | | |inrequest and get VID assignedthe request, is equivalent to the VN ID inreturning| | ||response.|the context of NVO3. Multiple VLANs per groupare allowed.| +------+-----------+------------------------+----------------------+| | |requirements|are allowed. |VDP equivalence+------+-----------+------------------------+----------------------+ | | |+------------------------+----------------------+Requirements | VDP Equivalent | |associate/disassociate|pre-asso/de-associate| +------------------------+----------------------+ | Req-8| Partially |activate/deactivate |associate/de-associate|Associate/De-Associate |Pre-Assoc/De-Associate| | | | Activate/Deactivate |Associate/De-Associate| | | +------------------------+----------------------| | | |Needs extension to allowassociate->pre-assocAssociate->Pre-Assoc. | +------+-----------+------------------------+----------------------+ | Req-9| Yes||The VDP bridge initiatesde-associatea De-Associate. | +------+-----------+-----------------------------------------------+ |Req-10| Partially |Needs extension for an IPv4/IPv6 address.Add a| | ||new|Add a new "filterinfoinformation format" type. | +------+-----------+-----------------------------------------------+|Req-11| No |Out-of-band| | |An out-of-band mechanism is preferred,e.g. MACSec|e.g., | ||or| |MACsec or 802.1X. Implicit authenticationbased on ||| |control|Req-11| No |based on control of physical connectivityexists in VDP| | ||when|exists in VDP when the External NVE connectsto the Endto| | || |Device|the end device directly and is reachable withthe| | ||nearest|the nearest customer bridge address. | +------+-----------+-----------------------------------------------+ |Req-12| Yes|L2 protocol|VDP naturally runs on the Layer 2 protocol. | +------+-----------+-----------------------------------------------+ | ||M bit for migrated VM on destination hypervisor||A migration event may cause the M-bit to be set| | ||and S bit for that on source hypervisor.|to 1 in the VDP request to the migration | | | |destination hypervisor and the S-bit to be set | | | |to 1 in the VDP request to the migration source| | | |hypervisor. However, a setting of M-bit = 0 or| |Req-13| Partially|It is indistinguishable when M/S is|S-bit = 0betweencan indicate that no information is | | ||no guidance and events|available regarding migration or that the | | | |events in question are not caused bymigration |migration.| | ||where NVE may act differently. Needs new|To fully meet the requirement, this ambiguity | | ||New bits for|would need to be fixed so that migrationindication in newor no | | ||"filter info format" type.|migration could be safely inferred from the | | | |M-bit or S-bit settings. | +------+-----------+-----------------------------------------------+ Table1 Compare1: Comparison of Split-NVE Requirements and VDPwith the requirements SimplyCapabilities By simply adding the ability to carrylayerLayer 3addresses,addresses as per Req-10, VDP canserve the Hypervisor-to-NVE control plane functions pretty well. Other extensions are the improvementprovide most of theprotocol capabilities for better fit in an NVO3 network.hypervisor-to-NVE control-plane functionality required. 6. Security Considerations External NVEs must ensure that only properly authorized Tenant Systems are allowed to join and become a part of any particularVirtual Network.VN. In some cases, the tNVE may want to connect to the nNVE for provisioning purposes. This may require that the tNVE authenticate the nNVE in addition to the nNVE authenticating the tNVE. If a secure channel is required between the tNVE and the nNVE to carry the encryptedsplit-NVE control planeSplit-NVE control-plane protocol, then existing mechanisms such as MACsec[IEEE 802.1AE][IEEE802.1AE] can be used. In some deployments, authentication may beimplicitimplicit, based on control of physical connectivity, e.g., if the nNVE is located in the bridge that is directly connected to the server that contains the tNVE.UseThe use of the "nearest customer bridge address" in VDP[IEEE 802.1Q][IEEE802.1Q] is an example of where this sort of implicit authentication is possible, although explicit authentication also applies in that case. As thecontrol planecontrol-plane protocol results in configuration changes for both the tNVE and the nNVE, tNVE and nNVE implementations should log all state changes, including those described in Section 3. Implementations should also log significant protocol events, such as the establishment or loss ofcontrol planecontrol-plane protocol connectivity between the tNVE andnNVE andthe nNVE, as well as authentication results. In addition,externalExternal NVEs will need appropriate mechanisms to ensure that any hypervisor wishing to use the services of an NVE is properly authorized to do so. One design point is whether the hypervisor should 1. supply theexternalExternal NVE with necessary information (e.g., VM addresses, VN information, or other parameters) that theexternalExternal NVE usesdirectly,directly orwhether the hypervisor should2. only supply a VN ID and an identifier for the associated VM (e.g., its MAC address), with theexternalExternal NVE using that information to obtain the information needed to validate the hypervisor-provided parameters or obtain related parameters in a secure manner. The former approach can be used in a trusted environment so that theexternalExternal NVE can directly use all the information retrieved from the hypervisor for local configuration. Itsavesrelieves theeffort on the externalExternal NVE sidefromof effort related to information retrieval and/or validation. The latter approach gives more reliableinformationinformation, as theexternalExternal NVE needs to retrievethemit fromsome management systema management-system database.EspeciallyIn particular, somenetwork related parameters likenetwork-related parameters, such as VLANIDsIDs, can be passed back to the hypervisor to be used as a form of provisioning that is moreauthoritative provisioning. Howeverauthoritative. However, in certaincases,cases it is difficult or inefficient for anexternalExternal NVE tohavebe granted rights to access or queryon someinformationtoon those management systems.Then the externalThe External NVE then has to obtainthosethe information from the hypervisor. 7. IANA ConsiderationsNoThis document has no IANAaction is required.actions. 8. References8.18.1. Normative References [IEEE802.1Q] IEEE, "IEEE Standard for Local and metropolitan area networks--Bridges and Bridged Networks", IEEE Standard 802.1Q-2014, DOI 10.1109/IEEESTD.2014.6991462. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March1997.1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC7365] Lasserre, M., Balus, F., Morin, T., Bitar, N., and Y. Rekhter, "Framework forDCData Center (DC) Network Virtualization", RFC 7365, DOI 10.17487/RFC7365, October2014.2014, <https://www.rfc-editor.org/info/rfc7365>. [RFC7666]AsaiAsai, H.,MacFadenMacFaden, M.,SchoenwaelderSchoenwaelder, J.,ShimaShima, K.,Tsou T.,and T. Tsou, "Management Information Base for Virtual Machines Controlled by a Hypervisor", RFC 7666, DOI 10.17487/RFC7666, October2015.2015, <https://www.rfc-editor.org/info/rfc7666>. [RFC8014] Black, D., Hudson, J., Kreeger, L., Lasserre, M., and T. Narten,T.,"An Architecture for Data-Center Network Virtualization over Layer 3 (NVO3)", RFC 8014, DOI 10.17487/RFC8014, December2016.2016, <https://www.rfc-editor.org/info/rfc8014>. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 KeyWords ",Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May2017. [IEEE 802.1Q]2017, <https://www.rfc-editor.org/info/rfc8174>. 8.2. Informative References [IEEE802.1AE] IEEE,"Media"IEEE Standard for Local and Metropolitan Area Networks: Media Access Control (MAC)BridgesSecurity", IEEE Standard 802.1AE-2006, DOI 10.1109/IEEESTD.2006.245590. [NVO3-HYPERVISOR-NVE-CP] Kreeger, L., Narten, T., and D. Black, "Network Virtualization Hypervisor-to-NVE Overlay Control Protocol Requirements", Work in Progress, draft-kreeger-nvo3- hypervisor-nve-cp-01, February 2013. [NVO3-TES-NVE] Yingjie, G. and L. Yizhou, "The mechanism and signalling between TES and NVE", Work in Progress, draft-gu-nvo3-tes- nve-mechanism-01, October 2012. [NVO3-VM-NVE] Kompella, K., Rekhter, Y., Morin, T., and D. Black, "Signaling VirtualBridged Local Area Networks", IEEE Std 802.1Q-2014, November 2014. 8.2 Informative ReferencesMachine Activity to the Network Virtualization Edge", Work in Progress, draft-kompella- nvo3-server2nve-02, April 2013. [RFC2236] Fenner, W., "Internet Group Management Protocol, Version 2", RFC 2236, DOI 10.17487/RFC2236, November1997.1997, <https://www.rfc-editor.org/info/rfc2236>. [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, DOI 10.17487/RFC4122, July2005.2005, <https://www.rfc-editor.org/info/rfc4122>. [RFC7364] Narten, T., Ed., Gray, E., Ed., Black, D., Fang, L., Kreeger, L., and M. Napierala, "Problem Statement: Overlays for Network Virtualization", RFC 7364, DOI 10.17487/RFC7364, October2014. [IEEE 802.1AE] IEEE, "MAC Security (MACsec)", IEEE Std 802.1AE-2006, August 2006.2014, <https://www.rfc-editor.org/info/rfc7364>. Appendix A.IEEE 802.1QVDPIllustration (For information only) TheIllustrations (per IEEE 802.1Q) (for Information Only) VDP(VSI(the VSI Discovery and Discovery and ConfigurationProtocol, clauseProtocol; see Clause 41 of[IEEE 802.1Q])[IEEE802.1Q]) can be considered as a controlling protocol running between the hypervisor and the external bridge. The VDP association TLV structureareis formatted as shown in FigureA.1.7. +--------+--------+------+-----+--------+------+------+------+------+ |TLVtype|TLV info|Status|VSIType|TLV Info|Status|VSI |VSI Type|VSI ID|VSI ID|Filter|Filter| ||string|String | |Type |Version |Format| |Info |Info | ||length|Length | |ID | | ||format||Format| | +--------+--------+------+-----+--------+------+------+------+------+ | ||<----VSI type&instance----->|<--Filter--->||<--VSI Type and instance--->|<--Filter--->| | | |<-------------VSI attributes------------->| |<--TLV header--->|<-----------TLV information string ------------->| FigureA.1:7: VDPassociationAssociation TLV There are basically four TLV types. 1.Pre-associate: Pre-associatePre-Associate: The Pre-Associate is used topre-associatePre-Associate a VSI instance with a bridge port. The bridge validates the request and returns a failureStatusstatus in the case of errors.Successful pre-associateA successful Pre-Associate does not imply that the indicated VSI Type or provisioning will be applied to any traffic flowing through the VSI.The pre-associate enables faster response to an associate, byBy allowing the bridge to obtain the VSI Type prior to anassociation.association, the Pre-Associate enables faster response to an Associate. 2.Pre-associatePre-Associate withresource reservation: Pre-associateResource Reservation: The Pre-Associate with Resource Reservation involves the same steps asPre-associate,those for the Pre-Associate, but on success it also reserves resources in the bridge to prepare for a subsequent Associate request. 3. Associate: The Associate request creates and activates an association between a VSI instance and a bridge port.AnA bridge allocates any required bridge resources for the referenced VSI. The bridge activates the configuration for the VSI Type ID. This association is then applied to the traffic flow to/from the VSI instance. 4.De-associate:De-Associate: Thede-associateDe-Associate is used to remove an association between a VSI instance and a bridge port. Pre-associated and associated VSIs can be de-associated.De-associateThe De-Associate releases any resources that were reserved as a result of priorassociate or pre-Associate or Pre-Associate operations for that VSI instance.De-associateThe De-Associate can be initiated by eithersideside, and the other types can only be initiated by the server side. Some important flag values in the VDP Statusfield:field are as follows: 1. M-bit (Bit 5):IndicatesM-bit = 1: indicates that the user of the VSI (e.g., the VM) ismigrating (M-bitmigrating. M-bit =1) or provides0: noguidance on the migration of the userindication of whether the VSI(M-bit = 0).user is migrating. The M-bit is used as an indicator relative to the VSIthatto which the user ismigrating to.migrating. 2. S-bit (Bit 6):IndicatesS-bit = 1: indicates that the VSI user (e.g., the VM) issuspended (S-bitsuspended. S-bit =1) or provides0: noguidance as to whether the userindication of whether the VSI user issuspended (S-bit = 0).suspended. A keep-alive Associate request with S-bit = 1 can be sent when the VSI user is suspended. The S-bit is used as an indicator relative to the VSIthatfrom which the user ismigrating from.migrating. The filter information format currently defines4four types.EachInformation for each ofthe filter informationthese types is shown indetailsdetail in Figures 8 through 11. "PCP" stands for Priority Code Point [IEEE802.1Q]. The PCP value, if specified, is used by the EVB station asfollows. 1. VID Filter Info format +---------+------+-------+--------+the default PCP value associated with the VSI and VID. The filter information contains a PCP Significant (PS) bit associated with each PCP field, indicating whether the PCP field carries a PCP value (binary 1) or does not carry a PCP value (binary 0). +----------+-------+--------+--0------+ |#of# of | PS | PCP | VID | |entries|(1bit)|(3bits)|(12bits)| |(2octets)||(1 bit)|(3 bits)|(12 bits)| |(2 octets)| | | |+---------+------+-------+--------+ |<--Repeated+----------+-------+--------+---------+ |<---Repeated perentry->|entry--->| FigureA.28: VID FilterInfo format 2. MAC/VID Filter Info format +---------+--------------+------+-------+--------+Information Format +----------+--------------+-------+--------+---------+ |#of# of | MAC address | PS | PCP | VID | |entries | (6 octets)|(1bit)|(3bits)|(12bits)| |(2octets)||(1 bit)|(3 bits)|(12 bits)| |(2 octets)| | | | |+---------+--------------+------+-------+--------+ |<--------Repeated+----------+--------------+-------+--------+---------+ |<----------Repeated perentry---------->|entry----------->| FigureA.39: MAC/VIDfilter format 3. GroupID/VIDFilterInfo format +---------+--------------+------+-------+--------+Information Format +----------+--------------+-------+--------+---------+ |#of# of | GroupID | PS | PCP | VID | |entries | (4 octets)|(1bit)|(3bits)|(12bits)| |(2octets)||(1 bit)|(3 bits)|(12 bits)| |(2 octets)| | | | |+---------+--------------+------+-------+--------+ |<--------Repeated+----------+--------------+-------+--------+---------+ |<----------Repeated perentry---------->|entry----------->| FigureA.410: GroupID/VIDfilter format 4. GroupID/MAC/VIDFilterInfo format +---------+----------+-------------+------+-----+--------+Information Format +----------+----------+-------------+-------+--------+---------+ |#of# of | GroupID | MAC address | PS | PCP | VID | |entries |(4 octets)| (6 octets)|(1bit)|(3b )|(12bits)| |(2octets)||(1 bit)|(3 bits)|(12 bits)| |(2 octets)| | | | | |+---------+----------+-------------+------+-----+--------+ |<-------------Repeated+----------+----------+-------------+-------+--------+---------+ |<---------------Repeated perentry------------->|entry---------------->| FigureA.511: GroupID/MAC/VIDfilter formatFilter Information Format The null VID can be used in the VDP Request sent from the station to the external bridge.Use of theThe null VID indicates that the set of VID values associated with the VSI is expected to be supplied by the bridge. The set of VID values is returned to the station via the VDP Response. The returned VIDvaluevalues can bealocally significantvalue.values. When GroupID is used, it is equivalent to the VN ID in NVO3. GroupID will be provided by the station to the bridge. The bridge maps GroupID to a locally significant VLAN ID. The VSI ID in the VDP association TLV thatidentifyidentifies a VM can be in one of the followingformat: IPV4formats: IPv4 address,IPV6IPv6 address, MAC address,UUIDUniversally Unique Identifier (UUID) [RFC4122], or locally defined.8.Acknowledgements This document was initiated based on the merger of thedrafts draft- kreeger-nvo3-hypervisor-nve-cp, draft-gu-nvo3-tes-nve-mechanism,following documents: [NVO3-HYPERVISOR-NVE-CP], [NVO3-TES-NVE], anddraft-kompella-nvo3-server2nve.[NVO3-VM-NVE]. Thanks to all theco-authorscoauthors and contributing members of thosedrafts.documents. The authors would like to specially thank Lucy Yong and Jon Hudson for their generous help in improving this document. Authors' Addresses Yizhou Li Huawei Technologies 101 SoftwareAvenue,Avenue Nanjing 210012 China Phone: +86-25-56625409EMail:Email: liyizhou@huawei.com Donald Eastlake 3rd Huawei R&D USA 155 Beaver Street Milford, MA 01757USAUnited States of America Phone: +1-508-333-2270EMail:Email: d3e3e3@gmail.com Lawrence Kreeger Arrcus,IncInc. Email: lkreeger@gmail.com Thomas Narten IBM Email: narten@us.ibm.com David Black Dell EMC 176 SouthStreet,Street Hopkinton, MA 01748USAUnited States of America Email: david.black@dell.com