<?xmlversion='1.0' encoding='utf-8'?>version="1.0" encoding="UTF-8"?> <!DOCTYPE rfc [ <!ENTITYRFC3290 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3290.xml">nbsp " "> <!ENTITYRFC3393 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3393.xml">zwsp "​"> <!ENTITYRFC4208 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4208.xml">nbhy "‑"> <!ENTITYRFC4303 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4303.xml"> <!ENTITY RFC4364 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4364.xml"> <!ENTITY RFC4397 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4397.xml"> <!ENTITY RFC5212 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5212.xml"> <!ENTITY RFC5440 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5440.xml"> <!ENTITY RFC6020 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6020.xml"> <!ENTITY RFC6241 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6241.xml"> <!ENTITY RFC7239 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7239.xml"> <!ENTITY RFC7665 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7665.xml"> <!ENTITY RFC7679 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7679.xml"> <!ENTITY RFC7680 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7680.xml"> <!ENTITY RFC7926 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7926.xml"> <!ENTITY RFC7950 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7950.xml"> <!ENTITY RFC8040 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8040.xml"> <!ENTITY RFC8300 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8300.xml"> <!ENTITY RFC8309 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8309.xml"> <!ENTITY RFC8453 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8453.xml"> <!ENTITY RFC8454 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8454.xml"> <!ENTITY RFC8596 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8596.xml"> <!ENTITY RFC9408 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.9408.xml"> <!ENTITY I-D.ietf-spring-nsh-sr SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-spring-nsh-sr.xml"> <!ENTITY I-D.ietf-spring-resource-aware-segments SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-spring-resource-aware-segments.xml"> <!ENTITY I-D.ietf-teas-applicability-actn-slicing SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-teas-applicability-actn-slicing.xml"> <!ENTITY I-D.ietf-teas-enhanced-vpn SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-teas-enhanced-vpn.xml"> <!ENTITY I-D.ietf-teas-ietf-network-slice-use-cases SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-teas-ietf-network-slice-use-cases.xml"> <!ENTITY I-D.openconfig-rtgwg-gnmi-spec SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.openconfig-rtgwg-gnmi-spec.xml">wj "⁠"> ]><?rfc toc="yes"?> <?rfc tocompact="yes"?> <?rfc tocdepth="3"?> <?rfc tocindent="yes"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes"?> <?rfc comments="yes"?> <?rfc inline="yes"?> <?rfc compact="yes"?> <?rfc subcompact="no"?><rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-teas-ietf-network-slices-25" number="9543" submissionType="IETF" category="info" consensus="true" obsoletes="" updates=""submissionType="IETF"xml:lang="en" tocInclude="true" tocDepth="3" symRefs="true" sortRefs="true" version="3"> <front> <title abbrev="IETF Network Slices">A Framework for Network Slices in Networks Built from IETF Technologies</title> <seriesInfoname="Internet-Draft" value="draft-ietf-teas-ietf-network-slices-25"/>name="RFC" value="9543"/> <author initials="A." surname="Farrel" fullname="Adrian Farrel" role="editor"> <organization>Old Dog Consulting</organization> <address> <postal><street/> <city/><country>United Kingdom</country> </postal> <email>adrian@olddog.co.uk</email> </address> </author> <author initials="J." surname="Drake" fullname="John Drake" role="editor"><organization>Juniper Networks</organization><organization>Individual</organization> <address> <postal><street/> <city/><country>United States of America</country> </postal><email>jdrake@juniper.net</email><email>je_drake@yahoo.com</email> </address> </author> <author fullname="Reza Rokui" initials="R." surname="Rokui"> <organization>Ciena</organization> <address> <email>rrokui@ciena.com</email> </address> </author> <author fullname="Shunsuke Homma" initials="S." surname="Homma"> <organization abbrev="NTT">NTT</organization> <address> <postal><street/> <city/><country>Japan</country> </postal> <email>shunsuke.homma.ietf@gmail.com</email> </address> </author> <author fullname="Kiran Makhijani" initials="K." surname="Makhijani"> <organization abbrev="Futurewei">Futurewei</organization> <address> <postal><street/> <city/><country>United States of America</country> </postal><email>kiranm@futurewei.com</email><email>kiran.ietf@gmail.com</email> </address> </author> <author fullname="Luis M. Contreras"initials="L.M."initials="L." surname="Contreras"> <organization abbrev="Telefonica">Telefonica</organization> <address> <postal><street/> <city/><country>Spain</country> </postal> <email>luismiguel.contrerasmurillo@telefonica.com</email> </address> </author> <author fullname="Jeff Tantsura" initials="J." surname="Tantsura"> <organization abbrev="Nvidia">Nvidia</organization> <address> <email>jefftant.ietf@gmail.com</email> </address> </author> <dateyear="2023"/>year="2024" month="March"/> <area>rtg</area> <workgroup>teas</workgroup> <keyword>Network Slicing</keyword> <abstract> <t>This document describes network slicing in the context of networks built from IETF technologies. It defines the term "IETF Network Slice" to describe this type of networkslice,slice and establishes the general principles of network slicing in the IETF context.</t> <t>The document discusses the general framework for requesting and operating IETF Network Slices, the characteristics of an IETF Network Slice, the necessary system components and interfaces, andhowthe mapping of abstract requestscan be mappedto more specific technologies. The document also discusses related considerations with monitoring and security.</t> <t>This document also provides definitions of related terms to enable consistent usage in other IETF documents that describe or use aspects of IETF Network Slices.</t> </abstract> </front> <middle> <section anchor="introduction" numbered="true" toc="default"> <name>Introduction</name> <t>A number of use cases would benefit from a network service that supplements connectivity, such as that offered by a VPN service, with an assurance of meeting a set of specific network performance objectives. This connectivity and resource commitment is referred to as anetwork slice"network slice" and is expressed in terms of connectivity constructs (see <xref target="objectives" format="default"/>) and service objectives (see <xref target="NS-Char" format="default"/>). Since the termnetwork slice"network slice" is rather generic and has wider or different interpretations within other standards bodies, the qualifying term "IETF" is used in this document to limit the scope of the network slices described to network technologiesdescribeddefined and standardized by the IETF. This document defines the concept of "IETF Network Slices" that provide connectivity coupled with a set of specific commitments of network resources between a number of endpoints (known as Service Demarcation Points(SDPs) -(SDPs); see Sections <xref target="Terms"format="default"/>format="counter"/> and <xref target="sdp"format="default"/>)format="counter"/>) over a shared underlay network that utilizes IETF technology. The term "IETF Network Slice Service" is also introduced to describe the service requested by and provided to the service provider's customer.</t><t>RFC EDITOR NOTE: Please replace both occurrences of XXXX in the paragraph that follows with the RFC number assigned to this document, and remove this note.</t><t>It is intended that the terms "IETF Network Slice" and "IETF Network Slice Service"arebe used only in this document. Other documents that need to indicate the type of network slice or network slice service described in this document can use the terms "RFCXXXX9543 Network Slice" and "RFCXXXX9543 Network Slice Service".</t> <t>This document also provides a general framework for requesting and operating IETF Network Slices. The framework is intended as a structure for discussing interfaces and technologies.</t> <t>Services that might benefit from IETF Network Slicesinclude,include but are not limited to:</t> <ul spacing="normal"> <li>5G services (e.g.,eMBB, URLLC, mMTC -enhanced Mobile Broadband (eMBB), Ultra-Reliable and Low Latency Communications (URLLC), and massive Machine Type Communications (mMTC) -- see <xreftarget="TS23501"target="TS23.501" format="default"/>)</li> <li>Network wholesale services</li> <li>Network infrastructure sharing among operators</li> <li>NetworkFunctionsFunction Virtualization (NFV) <xref target="NFVArch" /> connectivity and Data Center Interconnect</li> </ul> <t>Further analysis of the needs of IETF Network Slice Service customers is provided in <xref target="I-D.ietf-teas-ietf-network-slice-use-cases" format="default" />.</t> <t>IETF Network Slices are created and managed within the scope of one or more network technologies (e.g., IP, MPLS, and optical) that use an IETF-specified data plane and/or management/control plane. They are intended to enable a diverse set of applications with different requirements to coexist over a shared underlay network. A request for an IETF Network Slice Service is agnostic to the technology in the underlay network so as to allow customers to describe their network connectivity objectives in a common format, independent of the underlay technologies used.</t> <t>Manypre-existingpreexisting approaches to service delivery and traffic engineering already use mechanisms that can be considered as network slicing. For example,virtual private networksVirtual Private Networks (VPNs) have served the industry well as a means of providing different groups of users with logically isolated access to a common network. The common or base network that is used to support the VPNs is often referred to as anunderlay network,"underlay network", and the VPN is often called anoverlay network."overlay network". An overlay network may, in turn, serve as an underlay network to support another overlay network.</t> <t>Note that it is conceivable that extensions to IETF technologies are needed in order to fully support all the capabilities that can be implemented with network slices. Evaluation of existing technologies, proposed extensions to existing protocols and interfaces, andthecreation of new protocols or interfaces are outside the scope of this document.</t> </section> <section anchor="bg" numbered="true" toc="default"> <name>Background</name> <t>The concept of network slicing has gainedtractiontraction, driven largely by needs surfacing from 5G(<xref(see <xref target="NGMN-NS-Concept" format="default"/>, <xreftarget="TS23501"target="TS23.501" format="default"/>, and <xreftarget="TS28530"target="TS28.530" format="default"/>). In <xreftarget="TS23501"target="TS23.501" format="default"/>, a Network Slice is defined as"a logicala "logical network that provides specific network capabilities and network characteristics", and a Network Slice Instance is defined as"A seta "set of Network Function instances and the required resources(e.g.,(e.g. compute, storage and networking resources) which form a deployed NetworkSlice."Slice". According to <xreftarget="TS28530"target="TS28.530" format="default"/>, an end-to-end (E2E) network slice consists of three major types of network segments: Radio Access Network (RAN), Transport Network(TN)(TN), and Core Network (CN). An IETF Network Slice provides the required connectivity between different entities in RAN and CN segments of an end-to-end network slice, with a specific performance commitment (for example, serving as a TN slice). For each end-to-end network slice, the topology and performance requirement on a customer's use of an IETF Network Slice can be very different, which requires the underlay network to have the capability of supporting multiple different IETF Network Slices.</t> <t>While network slices are commonly discussed in the context of 5G, it is important to note that IETF Network Slices are a narrower concept with a broader usageprofile,profile and focus primarily on particular network connectivity aspects. Other systems, including 5G deployments, may use IETF Network Slices as a component to create entire systems and concatenated constructs that match their needs, including end-to-end connectivity.</t> <t>An IETF Network Slice could span multiple technologies and multiple administrative domains. Depending on the IETF Network Slice Service customer's requirements, an IETF Network Slice could be isolated from other, oftenconcurrentconcurrent, IETF Network Slices in terms of data, control, and management planes.</t> <t>The customer expresses requirements for a particular IETF Network Slice Service by specifying what is required rather than how the requirement is to be fulfilled. That is, the IETF Network Slice Service customer's view of an IETF Network Slice Service is an abstract one.</t> <t>Thus, there is a need to create logical network structures with required characteristics. The customer of such a logical network can require a level of isolation and performance that previously might not have been satisfied by overlay VPNs. Additionally, the IETF Network Slice Service customer might ask for some level of control to, e.g., customize the service paths in a network slice.</t> <t>This document specifies definitions and a framework for the provision of an IETF Network Slice Service. <xref target="realize" format="default"/> briefly indicates some candidate technologies for realizing IETF Network Slices.</t> </section> <section numbered="true" toc="default"> <name>Terms and Abbreviations</name> <section numbered="true" toc="default"> <name>Abbreviations</name> <t>The following abbreviations are used in this document.</t><ul spacing="normal"> <li>NSC: Network Slice Controller</li> <li>SDP: Service<dl spacing="normal" newline="false" indent="7"> <dt>NSC:</dt> <dd>Network Slice Controller</dd> <dt>SDP:</dt> <dd>Service DemarcationPoint</li> <li>SLA: ServicePoint</dd> <dt>SLA:</dt> <dd>Service LevelAgreement</li> <li>SLE: ServiceAgreement</dd> <dt>SLE:</dt> <dd>Service LevelExpectation</li> <li>SLI: ServiceExpectation</dd> <dt>SLI:</dt> <dd>Service LevelIndicator</li> <li>SLO: ServiceIndicator</dd> <dt>SLO:</dt> <dd>Service LevelObjective</li> </ul>Objective</dd> </dl> <t>The meaning of these abbreviations is defined in greater detail in the remainder of this document.</t> </section> <section anchor="Terms" numbered="true" toc="default"> <name>Core Terminology</name> <t>The following terms are presented here to give context. Other terminology is defined in the remainder of this document.</t> <dl newline="false" spacing="normal"> <dt>Customer:</dt><dd>A customer is the<dd>The requester of an IETF Network Slice Service. Customers may request monitoring of SLOs. A customer may be an entity such as an enterprise network or a network operator, an individual working at such an entity, a private individual contracting for a service, or an application or software component. A customer may be an external party(classically(classically, a paying customer) or a division of a network operator that uses the service provided by another division of the same operator. Other terms that have been applied to the customer role are "client" and "consumer".</dd> <dt>Provider:</dt><dd>A provider is the<dd>The organization that delivers an IETF Network Slice Service. A provider is the network operator that controls the network resources used to construct the network slice (that is, the network that is sliced). The provider's network may be a physicalnetwork,network ormay bea virtual network created within the operator's network or supplied by another service provider.</dd> <dt>Customer Edge (CE):</dt> <dd>The customer device that provides connectivity to a service provider. Examples include routers, Ethernet switches, firewalls, 4G/5G RAN or Core nodes, application accelerators, server load balancers, HTTP header enrichment functions (such as proxy components adding the Forwarded HTTP Extension Header <xref target="RFC7239" />), andPEPs (PerformancePerformance EnhancingProxy).Proxies (PEPs). In somecircumstancescircumstances, CEs are provided to the customer and managed by the provider.</dd> <dt>Provider Edge (PE):</dt> <dd>The device within the provider network to which a CE is attached. A CE may be attached to multiple PEs, and multiple CEs may be attached to a given PE.</dd> <dt>Attachment Circuit (AC):</dt> <dd>A channel connecting a CE and a PE over which packets that belong to an IETF Network Slice Service are exchanged. An AC is, by definition, technology specific: that is, the AC defines how customer traffic is presented to the provider network. The customer and provider agree (for example, through configuration) on which values in which combination oflayerLayer 2 (L2) andlayerLayer 3 (L3) header and payload fields within a packet identify to which {IETF Network Slice Service, connectivity construct, and SLOs/SLEs} that packet is assigned. The customer and provider may agree to police or shape traffic, based ona per {IETFthe specific IETF Network SliceService,Service including connectivityconstruct,construct andSLOs/SLEs} basis to police or shape trafficSLOs/SLEs, on the AC in both the ingress (CE to PE) direction and egress (PE to CE) direction. This ensures that the traffic is within the capacity profile that is agreed upon in an IETF Network Slice Service. Excess traffic is dropped by default, unless specific out-of-profile policies are agreed upon between the customer and the provider. As described in <xref target="sdp"format="default"/>format="default"/>, the AC may be part of the IETF Network Slice Service or may be external to it. Because SLOs and SLEs characterize the performance of the underlay network between a sending SDP and a set of receiving SDPs, the traffic policers and traffic shapers apply to a specific connectivity construct on an AC.</dd> <dt>Service Demarcation Point (SDP):</dt> <dd> <t>The point at which an IETF Network Slice Service is delivered by a service provider to a customer. Depending on the service delivery model (see <xref target="sdp"format="default"/>)format="default"/>), this may be a CE or aPE,PE and could be a device, a software component, or an abstract virtual function supported within the provider's network. Each SDP must have a unique identifier (e.g., an IP address orMACMedia Access Control (MAC) address) within a given IETF Network Slice Service and may use the same identifier in multiple IETF Network Slice Services.</t> <t>An SDP may be abstracted as a Service Attachment Point (SAP) <xref target="RFC9408" format="default"/> for the purpose of generalizing the concept across multiple service types and representing it in management and configuration systems.</t> </dd> <dt>Connectivity Construct:</dt> <dd>A set of SDPs together with a communication type that defines how traffic flows between the SDPs. An IETF Network Slice Service is specified in terms of a set of SDPs, the associated connectivityconstructsconstructs, and the service objectives that the customer wishes to see fulfilled. Connectivity constructs may be grouped for administrative purposes.</dd> </dl> </section> </section> <section anchor="objectives" numbered="true" toc="default"> <name>IETF Network Slice</name> <t>IETF Network Slices are created to meet specific requirements, typically expressed as bandwidth, latency, latency variation, and other desired or required characteristics. Creation of an IETF Network Slice is initiated by a management system or other application used to specify network-related conditions for particular traffic flows in response to an actual or logical IETF Network Slice Service request.</t> <t>Once created, these slices can be monitored, modified, deleted, and otherwise managed.</t> <t>Applications and components will be able to use these IETF Network Slices to move packets between the specified endpoints of the service in accordance with specified characteristics.</t> <t>A clear distinction should be made between the "IETF Network Slice Service"which isand the IETF Network Slice:</t> <dl newline="false" spacing="normal"> <dt>IETF Network Slice Service:</dt> <dd>The function delivered to the customer (see <xref target="NS-Service" format="default"/>) and which/>). It is agnostic to the technologies and mechanisms used by the serviceprovider, and the "IETFprovider. </dd> <dt>IETF NetworkSlice" which is theSlice:</dt> <dd>The realization of the service in the provider's network achieved by partitioning network resources and by applying certain tools and techniques within the network (see Sections <xref target="defns"format="default"format="counter" /> and <xref target="realize"format="default" />).</t>format="counter"/>). </dd> </dl> <section anchor="defns" numbered="true" toc="default"> <name>Definition and Scope of IETF Network Slice</name> <t>The term "Slice" refers to a set of characteristics and behaviors that differentiate one type ofuser-trafficuser traffic from another within a network. An IETF Network Slice is a logical partition of a network that uses IETF technology. An IETF Network Slice assumes that an underlay network is capable of changing the configurations of the network devices on demand, through in-band signaling, or via controllers.</t> <t>An IETF Network Slice enables connectivity between a set of SDPs with specific Service Level Objectives (SLOs) and Service Level Expectations (SLEs) (see <xref target="NS-Char" format="default"/>) over a common underlay network. The SLOs and SLEs characterize the performance of the underlay network between a sending SDP and a set of receiving SDPs. Thus, an IETF Network Slice delivers a service to a customer by meeting connectivity resource requirements and associated network capabilities such as bandwidth, latency, jitter, and network functions with other resource behaviors such as compute and storage availability.</t> <t>IETF Network Slices may be combinedhierarchically,hierarchically so that a network slice may itself be sliced. They may also be combined sequentially so that various different networks can each be sliced and the network slices placed into a sequence to provide an end-to-end service. This form of sequential combination is utilized in some services such as in 3GPP's 5G network <xreftarget="TS23501"target="TS23.501" format="default"/>.</t><t>RFC EDITOR NOTE: Please replace XXXX in the paragraph that follows with the RFC number assigned to this document, and remove this note.</t><t>It is intended that the term "IETF Network Slice"isbe used only in this document. Other documents that need to indicate the type of network slice described in this document can use the term "RFCXXXX9543 Network Slice".</t> </section> <section anchor="NS-Service" numbered="true" toc="default"> <name>IETF Network Slice Service</name> <t>A service provider delivers an IETF Network Slice Service for a customer by realizing an IETF Network Slice in the underlay network. The IETF Network Slice Service is agnostic to the technology of the underlay network, and its realization may be selected based upon multipleconsiderationsconsiderations, including its service requirements and the capabilities of the underlay network. This allows an IETF Network Slice Service customer to describe their network connectivity and relevant objectives in a common format, independent of the underlay technologies used.</t> <t>The IETF Network Slice Service is specified in terms of a set of SDPs, a set of one or more connectivity constructs between subsets of these SDPs, and a set of SLOs and SLEs (see <xref target="NS-Char" format="default"/>) for each SDP sending to each connectivity construct. A communication type(point-to-point(Point-to-Point (P2P),point-to-multipointPoint-to-Multipoint (P2MP), orany-to-anyAny-to-Any (A2A)) is specified for each connectivity construct. That is, in a given IETF Network SliceService thereService:</t> <ul spacing="normal"> <li> There may be one or more connectivity constructs of the same or differenttype, eachtype. </li> <li> Each connectivity construct may be between a different subset ofSDPs, for a given connectivity construct eachSDPs. </li> <li> Each sending SDP has its own set of SLOs andSLEs,SLEs for a given connectivity construct, and the SLOs and SLEs in each set may be different.Note</li> </ul> <t>Note that different connectivity constructs can be specified in the service request, but the service provider may decide how many connectivity constructs per IETF Network Slice Service it wishes to support such that an IETF Network Slice Service may be limited to one connectivity construct or may support many.</t> <t>An IETF Network Slice Service customer may provide IETF Network Slice Services to other customers in a mode sometimes referred to as "carrier's carrier" (seeSection 9 of<xref target="RFC4364"format="default"/>).sectionFormat="of" section="9"/>). In this case, the relationship between IETF Network Slice Service providers may be internal to a commercialorganization,organization or may be external through service provision contracts. As noted in <xref target="ExtConcept" format="default"/>, network slices may be composed hierarchically or serially.</t> <t><xref target="sdp" format="default"/> provides a description of SDPs as endpoints in the context of IETF network slicing. For a given IETF Network Slice Service, the customer and provider agree, on a per-SDPbasisbasis, which end of the attachment circuit provides the SDP (i.e., whether the attachment circuit is inside or outside the IETF Network Slice Service). This determines whether the attachment circuit is subject to the set of SLOs and SLEs at the specific SDP.</t><t>RFC EDITOR NOTE: Please replace XXXX in the paragraph that follows with the RFC number assigned to this document, and remove this note.</t><t>It is intended that the term "IETF Network Slice Service"isbe used only in this document. Other documents that need to indicate the type of network slice service described in this document can use the term "RFCXXXX9543 Network Slice Service".</t> <section anchor="ConCon" numbered="true" toc="default"> <name>Connectivity Constructs</name> <t>The approach of specifying a Network Slice Service as a set of SDPs with connectivityconstructs,constructs results in the following possible connectivity constructs:</t> <ul spacing="normal"> <li>For a P2P connectivity construct, there is one sending SDP and one receiving SDP. This construct is like a private wire or a tunnel. All traffic injected at the sending SDP is intended to be received by the receiving SDP. The SLOs and SLEs apply at the sender (andimplicitlyimplicitly, at the receiver).</li> <li>For a P2MP connectivity construct, there is only one sending SDP and more than one receiving SDP. This is like a P2MP tunnel or multi-access VLAN segment. All traffic from the sending SDP is intended to be received by all the receiving SDPs. There is one set of SLOs and SLEs that applies at the sending SDP (andimplicitlyimplicitly, at all receiving SDPs).</li> <li> <t>With an A2A connectivity construct, any sending SDP may send to any one receiving SDP or any set of receiving SDPs in the construct. There is an implicit level of routing in this connectivity construct that is not present in the other connectivity constructs because the provider's network must determine to which receiving SDPs to deliver each packet. This construct may be used to support P2P traffic between any pair ofSDPs,SDPs or to support multicast or broadcast traffic from one SDP to a set of other SDPs. In the latter case, whether the service is delivered using multicast within the provider's network or using "ingress replication" or some other means is out of scope of the specification of the service. A service provider may choose to support A2Aconstructs,constructs but to limit the traffic to unicast.</t> <t>The SLOs/SLEs in an A2A connectivity construct apply to individual sending SDPs regardless of the receiving SDPs, and there is no linkage between sender and receiver in the specification of the connectivity construct. A sending SDP may be "disappointed" if the receiver is over-subscribed. If a customer wants to be more specific about different behaviors from one SDP to another SDP, they should use P2P connectivity constructs.</t> </li> </ul> <t>A given sending SDP may be part of multiple connectivity constructs within a single IETF Network Slice Service, and the SDP may have different SLOs and SLEs for each connectivity construct to which it is sending. Note that a given sending SDP's SLOs and SLEs for a given connectivity construct apply between it and each of the receiving SDPs for that connectivity construct.</t> <t>An IETF Network Slice Service provider may freely make a deployment choice as to whether to offer a 1:1 relationship between an IETF Network Slice Service and connectivityconstruct,construct or to support multiple connectivity constructs in a single IETF Network Slice Service. In the former case, the provider might need to deliver multiple IETF Network Slice Services to achieve the function of the second case.</t> </section> <section anchor="Traflow" numbered="true" toc="default"> <name>Mapping Traffic Flows to Network Realizations</name> <t>A customer traffic flow may be unicast or multicast, and various network realizations are possible:</t> <ul spacing="normal"> <li>Unicast traffic may be mapped to a P2P connectivity construct for directdelivery,delivery or to an A2A connectivity construct for the service provider to perform routing to the destination SDP. It would be unusual to use a P2MP connectivity construct to deliver unicast traffic because all receiving SDPs would get a copy, but this can still be done if the receivers are capable of dropping the unwanted traffic.</li> <li>A bidirectional unicast service can be constructed by specifying two P2P connectivity constructs. An additional SLE may specify fate-sharing in this case.</li> <li>Multicast traffic may be mapped to a set of P2P connectivity constructs, a single P2MP connectivity construct, or a mixture of P2P and P2MP connectivity constructs. Multicast may also be supported by an A2A connectivity construct. The choice clearly influences how and where traffic is replicated in the network. With a P2MP or A2A connectivity construct, it is the operator's choice whether to realize the construct with ingress replication, multicast in the core, P2MP tunnels, or hub-and-spoke. This choice should not change how the customer perceives the service.</li> <li>The concept of amultipoint-to-pointMultipoint-to-Point (MP2P) service can be realized with multiple P2P connectivity constructs. Note that, in this case, the egress may simultaneously receive traffic from all ingresses. The SLOs at the sending SDPs must be set with this in mind because the provider's network is not capable of coordinating the policing of traffic across multiple distinct source SDPs. It is assumed that the customer, requesting SLOs for the various P2P connectivity constructs, is aware of the capabilities of the receiving SDP. If the receiver receives more traffic than it can handle, it may drop some and introduce queuing delays.</li> <li>The concept of amultipoint-to-multipointMultipoint-to-Multipoint (MP2MP) service can best be realized using a set of P2MP connectivityconstructs,constructs but could be delivered over an A2A connectivity construct if each sender is using multicast. As with MP2P, the customer is assumed to be familiar with the capabilities of all receivers. A customer may wish to achieve an MP2MP service using a hub-and-spoke architecture where they control thehub:hub; that is, the hub may be an SDP or an ancillary CE (see <xref target="ancillary"format="default"/>)format="default"/>), and the service may be achieved by using a set of P2P connectivity constructs to thehub,hub and a single P2MP connectivity construct from the hub.</li> </ul> <t>From the above, it can be seen that the SLOs of the senders define the SLOs for the receivers on any connectivity construct.That is, and inIn particular, the network may be expected to handle the traffic volume from a sender to all destinations. This extends to all connectivity constructs in an IETF Network Slice Service.</t> <t>Note that the realization of an IETF Network Slice Service does not need to map the connectivity constructs one-to-one onto underlying network constructs (such as tunnels). The service provided to the customer is distinct from how the provider decides to deliver that service.</t> <t>If a CE has multiple attachment circuits to PEs within a given IETF Network Slice Service and they are operating in single-active mode, then all traffic between the CE and its attached PEs transits a single attachment circuit; if they are operating in all-active mode, then traffic between the CE and its attached PEs is distributed across all of the active attachment circuits.</t> </section> <section anchor="ancillary" numbered="true" toc="default"> <name>Ancillary CEs</name> <t>It may be the case that the set of SDPs that delimits an IETF Network Slice Service needs to be supplemented with additional senders or receivers within the network that are not customer sites. An additional sender could be, for example, an IPTV or DNS server either within the provider's network or attached to it, while an extra receiver could be, for example, a node reachable via the Internet. This ismodelledmodeled in the Network Slicing architecture as a set of ancillary CEswhichthat supplement the other SDPs in one or more connectivityconstructs,constructs orwhichthat are linked by their own connectivity constructs. Note that an ancillary CE can either have a resolvable address (e.g., an IP address or MACaddress)address), or it may be a placeholder (e.g., a named IPTV or DNS service or server)whichthat is resolved within the provider's network when the IETF Network Slice Service is instantiated.</t> <t>Thus, an ancillary CE may be a node within the provider network (i.e., not a node at the edge of the customer's network). An example is a node that provides a service function. Another example is a node that acts as a hub. There will be times when the customer wishes to explicitly select one of these. Alternatively, an ancillary CE may be a service function at an unknown point in the provider's network. In this case, the function may be a placeholder that has its addresses resolved as part of the realization of the slice service.</t><t><xref<t>Appendices <xref target="APPA3"/>format="counter"/> and <xref target="APPA4"/>format="counter"/> give simple worked examples of the use of ancillary CEs that may aid understanding the concept.</t> </section> </section> </section> <section anchor="NS-Char" numbered="true" toc="default"> <name>IETF Network Slice System Characteristics</name> <t>The following subsections describe the characteristics of IETF Network Slices in addition to the list of SDPs, the connectivity constructs, and the technology of the ACs.</t> <section numbered="true" toc="default"> <name>Objectives for IETF Network Slices</name> <t>An IETF Network Slice Service is defined in terms of quantifiable characteristics known as Service Level Objectives (SLOs) and unquantifiable characteristics known as Service Level Expectations (SLEs). SLOs are expressed in terms Service Level Indicators(SLIs),(SLIs) and together with the SLEs form the contractual agreement between service customer and service provider known as a Service Level Agreement (SLA).</t> <t>The terms are defined as follows:</t><ul spacing="normal"> <li>A Service<dl spacing="normal" newline="false"> <dt>Service Level Indicator(SLI) is a(SLI):</dt> <dd>A quantifiable measure of an aspect of the performance of a network. For example, it may be a measure of throughput in bits per second, or it may be a measure of latency inmilliseconds.</li> <li>A Servicemilliseconds.</dd> <dt>Service Level Objective(SLO) is a(SLO):</dt> <dd>A target value or range for the measurements returned by observation of an SLI. For example, an SLO may be expressed as "SLI <=target",target" or "lower bound <= SLI <= upper bound". A customer can determine whether the provider is meeting the SLOs by performing measurements on thetraffic.</li> <li>A Servicetraffic.</dd> <dt>Service Level Expectation(SLE) is an(SLE):</dt> <dd>An expression of an unmeasurable service-related request that a customer of an IETF Network Slice Service makes of the provider. An SLE is distinct from an SLO because the customer may have little or no way of determining whether the SLE is being met, but they still contract with the provider for a service that meets theexpectation.</li> <li>A Serviceexpectation.</dd> <dt>Service Level Agreement(SLA) is an(SLA):</dt> <dd>An explicit or implicit contract between the customer of an IETF Network Slice Service and the provider of the slice. The SLA is expressed in terms of a set of SLOs and SLEs that are to be applied for a given connectivity construct between a sending SDP and the set of receivingSDPs, andSDPs. The SLA may describe the extent to which divergence from individual SLOs and SLEs can be tolerated, and commercial terms as well as any consequences for violating these SLOs andSLEs.</li> </ul>SLEs.</dd> </dl> <section anchor="SLO" numbered="true" toc="default"> <name>Service Level Objectives</name> <t>SLOs define a set of measurable network attributes and characteristics that describe an IETF Network Slice Service. SLOs do not describe how an IETF Network Slice Service is implemented or realized in the underlying network layers. Instead, they are defined in terms of dimensions of operation (time, capacity, etc.), availability, and other attributes.</t> <t>An IETF Network Slice Service may include multiple connectivity constructs that associate sets of endpoints (SDPs). SLOs apply to a given connectivity construct and apply to a specific direction of traffic flow. That is, they apply to a specific sending SDP and the set of receiving SDPs.</t> <section anchor="cmnSLOs" numbered="true" toc="default"> <name>Some Common SLOs</name> <t>SLOs can be described as'Directly"Directly MeasurableObjectives':Objectives"; they are always measurable. See <xref target="SLE" format="default"/> for the description of Service LevelExpectationsExpectations, which are unmeasurable service-related requests sometimes known as'Indirectly"Indirectly MeasurableObjectives'.</t>Objectives".</t> <t>Objectives such as guaranteed minimum bandwidth, guaranteed maximum latency, maximum permissible delay variation, maximum permissible packet loss ratio, and availability are'Directly"Directly MeasurableObjectives'.Objectives". Future specifications (such as IETF Network Slice Service YANG models) may precisely define these SLOs, and other SLOs may be introduced as described in <xref target="otherSLO" format="default"/>.</t> <t>The definition of these objectives are as follows:</t> <dl newline="false" spacing="normal"> <dt>Guaranteed Minimum Bandwidth:</dt> <dd>Minimum guaranteed bandwidth between two endpoints at any time. The bandwidth is measured in data rate units of bits per second and is measured unidirectionally.</dd> <dt>Guaranteed Maximum Latency:</dt> <dd>Upper bound of network latency when transmitting between two endpoints. The latency is measured in terms of network characteristics (excluding application-level latency). <xref target="RFC7679" format="default"/> discusses one-way metrics.</dd> <dt>Maximum Permissible Delay Variation:</dt> <dd>Packetdelay variationDelay Variation (PDV) as defined by <xref target="RFC3393"format="default"/>,format="default"/> is the difference in the one-way delay between sequential packets in a flow. This SLO sets a maximum value PDV for packets between two endpoints.</dd> <dt>Maximum Permissible Packet Loss Ratio:</dt> <dd>The ratio of packets dropped to packets transmitted between two endpoints over a period of time. See <xref target="RFC7680" format="default"/>.</dd> <dt>Availability:</dt> <dd>The ratio of uptime to the sum of uptime and downtime, where uptime is the time the connectivity construct is available in accordance with all of the SLOs associated with it. Availability will often be expressed along with the time period over which the availability ismeasured,measured andspecifyingthe maximum allowed single period of downtime.</dd> </dl> </section> <section anchor="otherSLO" numbered="true" toc="default"> <name>Other Service Level Objectives</name> <t>Additional SLOs may be defined to provide additional description of the IETF Network Slice Service that a customer requests. These would be specified in further documents.</t> <t>If the IETF Network Slice Service is traffic-aware, othertraffic specifictraffic-specific characteristics may be valuable including MTU, traffic type (e.g., IPv4, IPv6, Ethernet, or unstructured), or a higher-level behavior to process traffic according to user application (which may be realized using network functions).</t> </section> </section> <section anchor="SLE" numbered="true" toc="default"> <name>Service Level Expectations</name> <t>SLEs define a set of network attributes and characteristics that describe an IETF Network SliceService,Service butwhichare not directly measurable by the customer (e.g., diversity, isolation, and geographical restrictions). Even though the delivery of an SLE cannot usually be determined by the customer, the SLEs form an important part of the contract between customer and provider.</t> <t>Quite often, an SLE will imply some details of how an IETF Network Slice Service is realized by the provider, although most aspects of the implementation in the underlying network layers remain a free choice for the provider. For example, activating unicast or multicast capabilities to deliver an IETF Network Slice Service could be explicitly requested by a customer or could be left as an engineering decision for the service provider based on capabilities of the network and operational choices.</t> <t>SLEs may be seen as aspirational on the part of the customer, and they are expressed as behaviors that the provider is expected to apply to the network resources used to deliver the IETF Network Slice Service. Of course, over time, it is possible that mechanisms will be developed that enable a customer to verify the provision of an SLE, at which point it effectively becomes an SLO.</t> <t>An IETF Network Slice Service may include multiple connectivity constructs that associate sets of endpoints (SDPs). SLEs apply to a given connectivity construct and apply to specific directions of traffic flow. That is, they apply to a specific sending SDP and the set of receiving SDPs. However, being more general in nature than SLOs, SLEs may commonly be applied to all connectivity constructs in an IETF Network Slice Service.</t> <section anchor="cmnSLEs" numbered="true" toc="default"> <name>Some Common SLEs</name> <t>SLEs can be described as'Indirectly"Indirectly MeasurableObjectives':Objectives"; they are not generally directly measurable by the customer.</t> <t>Security, geographic restrictions, maximum occupancy level, and isolation are example SLEs as follows.</t> <dl newline="false" spacing="normal"> <dt>Security:</dt> <dd> <t>A customer may request that the provider applies encryption or other security techniques to traffic flowing between SDPs of a connectivity construct within an IETF Network Slice Service. For example, the customer could request that only network links that haveMACsecMedia Access Control Security (MACsec) <xref target="MACsec" format="default"/> enabled are used to realize the connectivity construct.</t> <t>This SLE may include a request for encryption (e.g., <xref target="RFC4303" format="default"/>) between the two SDPs explicitly to meet the architectural recommendations in <xref target="TS33.210" format="default"/> or for compliance with the HIPAA Security Rule <xref target="HIPAA" format="default"/> or the PCI Data Security Standard <xref target="PCI" format="default"/>.</t> <t>Whether or not the provider has met this SLE is generally not directly observable by the customer and cannot be measured as a quantifiable metric.</t> <t>Please see further discussion on security in <xref target="security-considerations" format="default"/>.</t> </dd> <dt>Geographic Restrictions:</dt> <dd> <t>A customer may request that certain geographic limits are applied to how the provider routes traffic for the IETF Network Slice Service. For example, the customer may have a preference that its traffic does not pass through a particular country for political or security reasons.</t> <t>Whether or not the provider has met this SLE is generally not directly observable by the customer and cannot be measured as a quantifiable metric.</t> </dd> <dt>Maximal Occupancy Level:</dt> <dd> <t>The maximal occupancy level specifies the number of flows to be admitted and optionally a maximum number of countable resource units (e.g., IP or MAC addresses) an IETF Network Slice Service can consume. Because an IETF Network Slice Service may include multiple connectivity constructs, this SLE should state whether it applies to all connectivity constructs, a specified subset of them, or an individual connectivity construct.</t> <t>Again, a customer may not be able to fully determine whether this SLE is being met by the provider.</t> </dd> <dt>Isolation:</dt> <dd> <t>As described in <xref target="isolation" format="default"/>, a customer may request that its traffic within its IETF Network Slice Service is isolated from the effects of other network services supported by the same provider. That is, if another service exceeds capacity or has a burst of traffic, the customer's IETF Network Slice Service should remainunaffectedunaffected, and there should be no noticeable change to the quality of traffic delivered.</t> <t>In general, a customer cannot tell whether a service provider is meeting this SLE. They cannot tell whether the variation of an SLI is because of changes in the underlay network or because of interference from other services carried by the network. If the service varies within the allowed bounds of the SLOs, there may be no noticeable indication that this SLE has been violated.</t> </dd> <dt>Diversity:</dt> <dd> <t>A customer may request that different connectivity constructs use different underlay network resources. This might be done to enhance the availability of the connectivity constructs within an IETF Network Slice Service.</t> <t>While availability is a measurable objective (see <xref target="cmnSLOs"format="default"/>)format="default"/>), this SLE requests a finer grade of control and is not directly measurable (although the customer might become suspicious if two connectivity constructs fail at the same time).</t> </dd> </dl> </section> </section> </section> <section anchor="sdp" numbered="true" toc="default"> <name>IETF Network Slice Service Demarcation Points</name> <t>As noted in <xref target="defns" format="default"/>, an IETF Network Slice provides connectivity between sets of SDPs with specific SLOs and SLEs. <xref target="NS-Service" format="default"/> goes on to describe how the IETF Network Slice Service is composed of a set of one or more connectivity constructs that describe connectivity between the Service Demarcation Points (SDPs) across the underlay network.</t> <t>The characteristics of IETF Network Slice SDPs are as follows.</t> <ul spacing="normal"> <li>An SDP is the point of attachment to an IETF Network Slice Service. As such, SDPs serve as the IETF Network Slice ingress/egress points.</li> <li>An SDP is identified by a unique identifier in the context of an IETF Network Slice Service customer.</li> <li>The provider associates each SDP with a set of provider-scope identifiers such as IP addresses, encapsulation-specific identifiers (e.g., VLANtag,tag and MPLS Label), interface/port numbers, node ID, etc.</li> <li> <t>SDPs are mapped to endpoints of services/tunnels/paths within the IETF Network Slice during its initialization and realization.</t> <ul spacing="normal"> <li>A combination of the SDP identifier and SDP provider-network-scope identifiers define an SDP in the context of the Network Slice Controller (NSC) (see <xref target="nsc" format="default"/>).</li> <li>The NSC will use the SDP provider-network-scope identifiers as part of the process of realizing the IETF Network Slice.</li> </ul> </li> </ul> <t>Note that an ancillary CE (see <xref target="ancillary" format="default"/>) is the endpoint of a connectivity construct and so is an SDP in this discussion.</t> <t>For a given IETF Network Slice Service, the customer and provider agree where the SDP is located. This determines what resources at the edge of the network form part of the IETF Network Slice and are subject to the set of SLOs and SLEs for a specific SDP.</t> <t><xref target="fig_ep" format="default"/> shows different potential scopes of an IETF Network Slice that are consistent with the different SDP locations. For the purpose of this discussion and without loss of generality, the figure showscustomer edgeCustomer Edge (CE) andprovider edgeProvider Edge (PE) nodes connected byattachment circuitsAttachment Circuits (ACs). Notes after the figure give some explanations.</t> <figure anchor="fig_ep"> <name>Positioning IETF Service Demarcation Points</name> <artwork align="center" name="" type=""alt=""> <![CDATA[alt=""><![CDATA[ |<---------------------- (1) ---------------------->| | | | |<-------------------- (2) -------------------->| | | | | | | | |<----------- (3) ----------->| | | | | | | | | | | | |<-------- (4) -------->| | | | | | | | | | | | V V AC V V V V AC V V +-----+ | +-----+ +-----+ | +-----+ | |--------| | | |--------| | | CE1 | | | PE1 |. . . . . . . . .| PE2 | | | CE2 | | |--------| | | |--------| | +-----+ | +-----+ +-----+ | +-----+ ^ ^ ^ ^ | | | | | | | | Customer Provider Provider Customer Edge 1 Edge 1 Edge 2 Edge2 ]]> </artwork>2]]></artwork> </figure> <t>Explanatory notes for <xref target="fig_ep" format="default"/> are as follows:</t> <ol spacing="normal" type="1"> <li>If the CE is operated by the IETF Network Slice Service provider, then the edge of the IETF Network Slice may be within the CE. In thiscasecase, the IETF Network Slicing process may utilize resources from within the CE such as buffers and queues on the outgoing interfaces.</li> <li>The IETF Network Slice may be extended as far as theCE,CE to include theAC,AC but not to include any part of the CE. In this case, the CE may be operated by the customer or the provider. Slicing the resources on the AC may require the use of traffic tagging (such as through Ethernet VLAN tags) or may require traffic policing at the AC link ends.</li> <li>The SDPs of the IETF Network Slice are the customer-facing ports on the PEs. This case can be managed in a way that is similar to a port-based VPN: each port (AC) or virtual port (e.g., VLAN tag) identifies the IETF Network Slice and maps to an IETF Network Slice SDP.</li> <li>Finally, the SDP may be within the PE. In this mode, the PE classifies the traffic coming from the AC according to information (such as the source and destination IP addresses, payload protocol and port numbers, etc.) in order to place it onto an IETF Network Slice.</li> </ol> <t>The choice of which of these options to apply is entirely up to the network operator. It may limit or enable the provisioning of particular managedservicesservices, and the operator will want to consider how they want to manage CEs and what control they wish to offer the customer over AC resources.</t> <t>Note that <xref target="fig_ep" format="default"/> shows a symmetrical positioning of SDPs, but this decision can be taken on a per-SDP basis through agreement between the customer and provider.</t> <t>In practice, it may be necessary to map traffic not only onto an IETF NetworkSlice,Slice but also onto a specific connectivity construct if the IETF Network Slice supports more than one with a source at the specific SDP. The mechanism used will be one of the mechanisms described above, dependent on how the SDP is realized.</t> <t>Finally, note (as described in <xref target="Terms" format="default"/>) that an SDP is an abstract endpoint of an IETF Network Slice Service and as such may be a device, interface, or software component. An ancillary CE (<xref target="ancillary" format="default"/>) should also be thought of as an SDP.</t> </section> <section anchor="ExtConcept" numbered="true" toc="default"> <name>IETF Network Slice Composition</name> <t>Operationally, an IETF Network Slice may be composed of two or more IETF Network Slices as specified below. Decomposed network slices are independently realized and managed.</t><ul spacing="normal"> <li>Hierarchical<dl spacing="normal" newline="false"> <dt>Hierarchical (i.e., recursive)composition: Ancomposition:</dt> <dd>An IETF Network Slice can be further sliced into other network slices. Recursive composition allows an IETF Network Slice at one layer to be used by the other layers. This type of multi-layer vertical IETF Network Slice associates resources at differentlayers.</li> <li>Sequential composition: Differentlayers.</dd> <dt>Sequential composition:</dt> <dd>Different IETF Network Slices can be placed into a sequence to provide an end-to-end service. In sequential composition, each IETF Network Slice would potentially support differentdataplanesdata planes that need to be stitchedtogether.</li> </ul>together.</dd> </dl> </section> </section> <section anchor="framework" numbered="true" toc="default"> <name>Framework</name> <t>A number of IETF Network Slice Services will typically be provided over a shared underlay network infrastructure. Each IETF Network Slice consists of both the overlay connectivity and a specific set of dedicated network resources and/or functions allocated in a shared underlay network to satisfy the needs of the IETF Network Slice Service customer. In at least some examples of underlay network technologies, integration between the overlay and various underlay resources is needed to ensure the guaranteed performance requested for different IETF Network Slices.</t> <t>This section sets out thetheprincipal stakeholders in an IETF Network Slice and describes how thetheIETF Network Slice Service customer requests connectivity. It then introduces the IETF Network Slice Controller (the functional component responsible for receiving requests from customers and converting them into network configuration commands) and describes its interfaces.</t> <section anchor="actors" numbered="true" toc="default"> <name>IETF Network Slice Stakeholders</name> <t>An IETF Network Slice and its realization involve the following stakeholders.</t> <dl newline="false" spacing="normal"> <dt>Orchestrator:</dt> <dd>An orchestrator is an entity that composes different services, resource, and network requirements. It interfaces with the IETF NSC when composing a complex service such as an end-to-end network slice.</dd> <dt>IETF Network Slice Controller (NSC):</dt> <dd>The NSC realizes an IETF Network Slice in the underlaynetwork,network and maintains and monitors the run-time state of resources and topologies associated with it. A well-defined interface is needed to support interworking between different NSC implementations and different orchestrator implementations.</dd> <dt>Network Controller:</dt> <dd>The Network Controller is a form of network infrastructure controller that offers network resources to the NSC to realize a particular network slice. This may be an existing network controller associated with one or more specific technologies that may be adapted to the function of realizing IETF Network Slices in a network.</dd> </dl> <t>The IETF Network Slice Service customer and IETF Network Slice Service provider (see <xref target="Terms" format="default"/>) are also stakeholders.ClearlyClearly, the service provider operates the network that is sliced to provide the IETF Network Slice Service to the customer. The Network Controller and NSC are management components used by the service provider to operate their networks and deliver IETF Network Slice Services. As indicated in Figures <xref target="fig_interfaces"format="default"format="counter" /> and <xref target="fig_mgmt"format="default"format="counter" />, the Orchestrator may be a component in the customer environment that requests and coordinates IETF Network Slice Services from one or more service providers. In other circumstances, however, the Orchestrator may be a component used by the service provider to request and administer IETF Network Slices to deliver them to customers or to construct an infrastructure to deliver other services to the customer.</t> </section> <section anchor="intents" numbered="true" toc="default"> <name>Expressing Connectivity Intents</name> <t>An IETF Network Slice Service customer communicates with the NSC using the IETF Network Slice Service Interface.</t> <t>An IETF Network Slice Service customer may be a network operator who, in turn, uses the IETF Network Slice to provide a service for another IETF Network Slice Service customer.</t> <t>Using the IETF Network Slice Service Interface, a customer expresses requirements for a particular slice by specifying what is required rather than how that is to be achieved. That is, the customer's view of a slice is an abstract one. Customers normally have limited (or no) visibility into the provider network's actual topology and resource availability information.</t> <t>This should be true even if both the customer and provider are associated with a single administrative domain, in order to reduce the potential for adverse interactions between IETF Network Slice Service customers and other users of the underlay network infrastructure.</t> <t>The benefits of this model can include the following.</t><ul spacing="normal"> <li>Security: The<dl spacing="normal" newline="false"> <dt>Security:</dt> <dd>The underlay network components are less exposed to attack because the underlay network (or network operator) does not need to expose network details (topology, capacity, etc.) to the IETF Network Slice Servicecustomers.</li> <li>Layered Implementation: Thecustomers.</dd> <dt>Layered Implementation:</dt> <dd>The underlay network comprises network elements that belong to a different layer network than customer applications. Network information(advertizements,(advertisements, protocols, etc.) that a customer cannot interpret or respond to is not exposed to the customer. (Note-that a customer should not rely on network information not exposed directlybyto the customer by the network operator, such as via the IETF Network Slice ServiceInterface.)</li> <li>Scalability: CustomersInterface.)</dd> <dt>Scalability:</dt> <dd>Customers do not need to know any information concerning network topology, capabilities, or state beyond that which is exposed via the IETF Network Slice Service Interface. This protects the customer site from having to hold and process extrainformation,information and from receiving frequent updates about the status of thenetwork.</li> </ul>network.</dd> </dl> <t>The general issues of abstraction in a Traffic Engineered (TE) network are described more fully in <xref target="RFC7926" format="default"/>.</t> <t>This framework document does not assume any particular technology layer at which IETF Network Slices operate. A number of layers (including virtual L2, Ethernet, or IP connectivity) could be employed.</t> <t>Data models and interfaces are needed to set up IETF Network Slices, and specific interfaces may have capabilities that allow creation of slices within specific technology layers.</t> <t>Layered virtual connections are comprehensively discussed in other IETF documents.See, forFor instance, GMPLS-based networks are discussed in <xref target="RFC5212" format="default"/> and <xref target="RFC4397" format="default"/>,orand Abstraction and Control of TE Networks (ACTN) is discussed in <xref target="RFC8453" format="default"/> and <xref target="RFC8454" format="default"/>. The principles and mechanisms associated with layered networking are applicable to IETF Network Slices.</t> <t>There are several IETF-defined mechanisms for expressing the need for a desired logical network. The IETF Network Slice Service Interface carries data either in a protocol-definedformat,format or in a formalism associated with a modeling language.</t> <t>For instance:</t> <ul spacing="normal"> <li>The Path Computation Element (PCE) Communication Protocol (PCEP) <xref target="RFC5440" format="default"/> and GMPLS User-Network Interface (UNI) using RSVP-TE <xref target="RFC4208" format="default"/> use a TLV-based binary encoding to transmit data.</li> <li>The Network Configuration Protocol (NETCONF) <xref target="RFC6241" format="default"/> and RESTCONF Protocol <xref target="RFC8040" format="default"/> use XML and JSON encoding.</li><li>gRPC/GNMI<li>gRPC and gRPC Network Management Interface (gNMI) <xref target="I-D.openconfig-rtgwg-gnmi-spec" format="default"/>usesuse a binary encoded programmable interface. ProtoBufs can be used to model gRPC andGNMIgNMI data.</li> <li>For data modeling, YANG(<xref<xref target="RFC6020" format="default"/>and<xref target="RFC7950"format="default"/>)format="default"/> may be used to model configuration and other data for NETCONF, RESTCONF, andGNMI,gNMI, amongothers. </li>others.</li> </ul> <t>While several generic formats and data models for specific purposes exist, it is expected that IETF Network Slice management may require enhancement or augmentation of existing data models. Further, it is possible that mechanisms will be needed to determine the feasibility of service requests before they are actually made.</t> </section> <section anchor="nsc" numbered="true" toc="default"> <name>IETF Network Slice Controller (NSC)</name> <t>An IETF NSC takes requests for IETF Network Slice Services and implements them using a suitable underlay technology. An IETF NSC is the key component for control and management of the IETF Network Slice. It provides the creation/modification/deletion, monitoring, and optimization of IETF Network Slices in a multi-domain, multi-technology, and multi-vendor environment.</t> <t>The main task of an IETF NSC is to map abstract IETF Network Slice Service requirements to concrete technologies and establish requiredconnectivityconnectivity, ensuring that resources are allocated to the IETF Network Slice as necessary.</t> <t>The IETF Network Slice Service Interface is used for communicating details of an IETF Network Slice Service (configuration, selected policies, operational state,etc.),etc.) as well as information about status and performance of the IETF Network Slice. The details for this IETF Network Slice Service Interface are not in scope for this document, but further considerations of the requirements are discussed in <xref target="I-D.ietf-teas-ietf-network-slice-use-cases" format="default" />.</t> <t>The controller provides the following functions.</t> <ul spacing="normal"> <li>Exposes an IETF Network Slice Service Interface for creation/modification/deletion of the IETF Network Slices thatisare agnostic to the technology of the underlay network. This API communicates the Service Demarcation Points of the IETF Network Slice, SLO parameters (and possibly monitoring thresholds), applicable input selection(filtering)(filtering), and various policies. If SLEs have been agreed between the customer and the network operator, and if they are supported for the IETF Network Slice Service, the API will also allow SLEs to be selected for the IETF NetworkSlice,Slice and will allow any associated parameters to be set. The API also provides a way to monitor the slice.</li> <li>Determines an abstract topology connecting the SDPs of the IETF Network Slice that meets criteria specified via the IETF Network Slice Service Interface. The NSC also retains information about the mapping of this abstract topology to underlay components of the IETF Network Slice as necessary to monitor IETF Network Slice status and performance.</li> <li><t>Supports "Mapping Functions" for the realization of IETF Network Slices. In other words, it will use the mapping functions that:</t> <ul spacing="normal"> <li>Map IETF Network Slice Service Interface requests that are agnostic to the technology of the underlay network to technology-specific network configuration interfaces.</li> <li>Map filtering/selection information to entities in the underlay network so that those entities are able to identifywhatwhich traffic is associated with which connectivity construct and IETFnetwork slice.</li>Network Slice.</li> <li>Depending on the realization solution, map to entities in the underlay network according to how traffic should be treated to meet the SLOs and SLEs of the connectivity construct.</li> </ul> </li> <li>Collects telemetry data (e.g.,OAMOperations, Administration, and Maintenance (OAM) results, statistics, states, etc.) via a network configuration interface for all elements in the abstract topology used to realize the IETF Network Slice.</li> <li>Evaluates the current performance against IETF Network Slice SLO parameters using telemetry data from the underlying realization of an IETF Network Slice (e.g.,services/paths/tunnels).services, paths, and tunnels). Exposes this performance to the IETF Network Slice Service customer via the IETF Network Slice Service Interface. The IETF Network Slice Service Interface may also include the capability to provide notifications if the IETF Network Slice performance reaches threshold values defined by the IETF Network Slice Service customer.</li> </ul> <section anchor="interfaces" numbered="true" toc="default"> <name>IETF Network Slice Controller Interfaces</name> <t>The interworking and interoperability among the different stakeholders to provide common means of provisioning,operatingoperating, and monitoring the IETF Network Slices is enabled by the following communication interfaces (see <xref target="fig_interfaces" format="default"/>).</t> <dl newline="false" spacing="normal"> <dt>IETF Network Slice Service Interface:</dt><dd>The IETF Network Slice Service Interface is an<dd>An interface between a customer'shigher levelhigher-level operation system (e.g., a network slice orchestrator or a customer network management system) and an NSC. It is agnostic to the technology of the underlay network. The customer can use this interface to communicate the requested characteristics and other requirements for the IETF Network Slice Service, and an NSC can use the interface to report the operational state of an IETF Network Slice Service to the customer. More discussion of the functionalities for the IETF Network Slice Service Interface can be found in <xref target="I-D.ietf-teas-ietf-network-slice-use-cases" format="default" />.</dd> <dt>Network Configuration Interface:</dt><dd>The Network Configuration Interface is an<dd>An interface between an NSC and network controllers. It istechnology-specifictechnology specific and may be built around the many network models already defined within the IETF.</dd> </dl> <t>These interfaces can be considered in the context of the Service Model and Network Service Model described in <xref target="RFC8309" format="default"/> and, together with the Device Configuration Interface used by the Network Controllers, provides a consistent view of service delivery and realization.</t> <figure anchor="fig_interfaces"> <name>Interfaces of the IETF Network Slice Controller</name> <artwork align="center" name="" type=""alt=""> <![CDATA[alt=""><![CDATA[ +------------------------------------------+ | Customerhigher levelhigher-level operation system | | (e.g., E2E network slice orchestrator, | | customer network management system) | +------------------------------------------+ A | IETF Network Slice Service Interface V +------------------------------------------+ | IETF Network Slice Controller (NSC) | +------------------------------------------+ A | Network Configuration Interface V +------------------------------------------+ | Network Controllers |+------------------------------------------+ ]]> </artwork>+------------------------------------------+]]></artwork> </figure> <section anchor="nbi" numbered="true" toc="default"> <name>IETF Network Slice Service Interface</name> <t>The IETF Network Slice Controller provides an IETF Network Slice Service Interface that allows customers to manage IETF Network Slice Services. Customers operate on abstract IETF Network Slice Services, with details related to their realization hidden.</t> <t>The IETF Network Slice Service Interface is also independent of the type of network functions or services that need to be connected, i.e., it is independent of any specific storage, software, protocol, or platform used to realize physical or virtual network connectivity or functions in support of IETF Network Slices.</t> <t>The IETF Network Slice Service Interface uses protocol mechanisms and information passed over those mechanisms to convey desired attributes for IETF Network Slices and their status. The information is expected to be represented as a well-defined datamodel,model and should include at least SDP and connectivity information, SLO/SLE specification, and status information.</t> </section> </section> <section anchor="mgmt_arch" numbered="true" toc="default"> <name>Management Architecture</name> <t>The management architecture described in <xref target="fig_interfaces" format="default"/> may be further decomposed as shown in <xref target="fig_mgmt" format="default"/>. This should also be seen in the context of the component architecture shown in <xref target="archfig" format="default"/> and corresponds to the architecture in <xref target="RFC8309" format="default"/>.</t> <t>Note that the customerhigher levelhigher-level operation system of <xref target="fig_interfaces" format="default"/> and the Network Slice Orchestrator of <xref target="fig_mgmt" format="default"/> may be considered equivalent to the Service Management & Orchestration (SMO) of <xref target="ORAN" format="default" />.</t> <figure anchor="fig_mgmt"> <name>Interface of IETF Network Slice Management Architecture</name> <artwork align="center" name="" type=""alt=""> <![CDATA[alt=""><![CDATA[ -------------- | Network | | Slice | | Orchestrator | -------------- | IETF Network Slice | Service Request | Customer view ....|................................ -v------------------- Operator view |Controller | | ------------ | | | IETF | | | | Network | |--> Virtual Network | | Slice | | | | Controller | | | | (NSC) | | | ------------ | ..| | Network |............ | | Configuration | Underlay Network | v | | ------------ | | | Network | | | | Controller | | | | (NC) | | | ------------ | --------------------- | Device Configurationv ]]> </artwork>v]]></artwork> </figure> </section> </section> </section> <section anchor="realize" numbered="true" toc="default"> <name>Realizing IETF Network Slices</name> <t>Realization of IETF Network Slices is a mapping of the definition of the IETF Network Slice to the underlying infrastructure and is necessarilytechnology-specifictechnology specific and achieved by an NSC over the Network Configuration Interface. Details of how realizations may be achieved is out of scope of thisdocument,document; however, this section provides an overview of the components and processes involved in realizing an IETF Network Slice.</t> <section anchor="arch" numbered="true" toc="default"> <name>An Architecture to Realize IETF Network Slices</name> <t>The architecture described in this section is deliberately at a high level. It is not intended to be prescriptive: implementations and technical solutions may vary freely. However, this approach provides a common framework that other documents may reference in order to facilitate a shared understanding of the work.</t> <t><xref target="archfig" format="default"/> shows the architectural components of a network managed to provide IETF Network Slices. The customer's view is of individual IETF Network Slice Services with theirSDPs,SDPs and connectivity constructs. Requests for IETF Network Slice Services are delivered to an NSC.</t><t>The figure<t><xref target="archfig" format="default"/> shows, without loss of generality, the CEs, ACs, andPEs,PEs that exist in the network. The SDPs are not shown and can be placed in any of the ways described in <xref target="sdp" format="default"/>.</t> <figure anchor="archfig"> <name>Architecture of an IETF Network Slice</name> <artwork align="center" name="" type=""alt=""> <![CDATA[alt=""><![CDATA[ -- -- -- |CE| |CE| |CE| -- -- -- AC : AC : AC : ---------------------- ------- ( |PE|....|PE|....|PE| ) ( IETF ) IETF Network ( --: -- :-- ) ( Network ) Slice Service ( :............: ) ( Slice ) Request ( IETF Network Slice ) ( ) Customer v ---------------------- ------- View v ............................\........./............... v \ / Provider v >>>>>>>>>>>>>>> Grouping/Mapping v v View v ^ ----------------------------------------- v ^ ( |PE|.......|PE|........|PE|.......|PE| ) --------- ( --: -- :-- -- ) | | ( :...................: ) | NSC | ( Network Resource Partition ) | | ----------------------------------------- | | ^ | |>>>>> Resource Partitioning | --------- of Filtered Topology | v v | v v ----------------------------- -------- v v (|PE|..-..|PE|... ..|PE|..|PE|) ( ) v v ( :-- |P| -- :-: -- :-- ) ( Filter ) v v ( :.- -:.......|P| :- ) ( Topology ) v v ( |P|...........:-:.......|P| ) ( ) v v ( - Filtered Topology ) -------- v v ----------------------------- ^ v >>>>>>>>>>>> Topology Filter ^ / v ...........................\............../........... v \ / Underlay ---------- \ / (Physical) | | \ / Network | Network | ---------------------------------------------- |Controller| ( |PE|.....-.....|PE|...... |PE|.......|PE| ) | | ( -- |P| -- :-...:-- -..:-- ) ---------- ( : -:.............|P|.........|P| ) v ( -......................:-:..- - ) >>>>>>> ( |P|.........................|P|......: ) Program the ( - - ) Network---------------------------------------------- ]]> </artwork>----------------------------------------------]]></artwork> </figure> <t>The network itself (at the bottom ofthe figure)<xref target="archfig" format="default"/>) comprises an underlay network. This could be a physicalnetwork,network but may be a virtual network. The underlay network is provisioned through network controllers <xref target="RFC8309" format="default"/> that may, themselves, utilize device controllers.</t> <t>The underlay network may optionally be filtered or customized by the network operator to produce a number of network topologies that we callFiltered Topologies."Filtered Topologies". Customization is just a way of selecting specific resources (e.g., nodes and links) from the underlay network according to their capabilities and connectivity in the underlay network. Filtering and customization are configuration options or operator policies that preselect links and nodes with certain performance characteristics to enable easier construction of Network ResourcePartition (NRPs,Partitions (NRPs; see below) that can reliably support specific IETF Network SliceSLAs:SLAs, for example, preselection of links with certain security characteristics, preselection of links with specific geographic properties, or mapping to colored topologies. The resulting topologies can be used as candidates to host IETF Network Slices and provide a useful way for the network operator to know in advance that all of the resources they are using to plan an IETF Network Slice would be able to meet specific SLOs and SLEs. The creation of a Filtered Topology could be an offline planning activity or could be performed dynamically as new demands arise. The use of Filtered Topologies is entirely optional in the architecture, and IETF Network Slices could be hosted directly on the underlay network.</t> <t>Recall that an IETF Network Slice is a service requested by/and/or provided for the customer. The IETF Network Slice Service is expressed in terms of one or more connectivity constructs. An implementation or operator is free to limit the number of connectivity constructs in an IETF Network Slice to exactly one. Each connectivity construct is associated within the IETF Network Slice Service request with a set of SLOs and SLEs. The set of SLOs and SLEs does not need to be the same for every connectivity construct in the IETF Network Slice, but an implementation or operator is free to require that all connectivity constructs in an IETF Network Slice have the same set of SLOs and SLEs.</t> <t>An NRP is a subset of the buffer/queuing/scheduling resources and associated policies on each of a connected set of links in the underlay network (for example, as achieved in <xref target="I-D.ietf-spring-resource-aware-segments" format="default"/>). The connected set of links could be the entire set of links with all of their buffer/queuing/scheduling resources and behaviors in the underlaynetworknetwork, and in thiscasecase, there would be just one NRP supported in the underlay network. The amount and granularity of resources allocated in an NRP is flexible and depends on the operator's policy. Some NRP realizations may build NRPs with dedicated topologies, while other realizations may use a shared topology for multiple NRPs. Realizations of an NRP may be built on a range of existing or new technologies, and this document does not constrain solution technologies.</t> <t>One or more connectivity constructs from one or more IETF Network Slices are mapped to an NRP. A single connectivity construct is mapped to only one NRP (that is, the relationship is many to one). Thus, all traffic flows in a connectivity construct assigned to an NRP are assigned to that NRP. Further, all PEs connected by a connectivity construct must be present in the NRP to which that connectivity construct is assigned.</t> <t>An NRP may be chosen to support a specific connectivity construct because of its ability to support a specific set of SLOs and SLEs,orits ability to support particular connectivity constructs, orforany administrative or operational reason. An implementation or operator is free to map each connectivity construct to a separate NRP, although there may be scaling implications depending on the solution implemented. Thus, the connectivity constructs from one slice may be mapped to one or more NRPs. By implication from the above, an implementation or operator is free to map all the connectivity constructs in a slice to a singleNRP,NRP and to not share that NRP with connectivity constructs from another slice.</t> <t>An NRP may use work-conserving schedulers,non-work conservingnon-work-conserving schedulers, or both (seeSection 2 of<xref target="RFC3290"format="default" />)sectionFormat="of" section="2"/>) according to the function that it needs to deliver. The choice of how network resources are allocated and managed for an NRP, and whether a work-conserving scheduling approach or anon-work conservingnon-work-conserving scheduling approach is adopted, is technology specific: an implementation or operator is free to choose the set of techniques for NRP realization.</t> <t>The process of determining the NRP may be made easier if the underlay network topology is first filtered into a Filtered Topology in order to be aware of the subset of network resources that are suitable for specific NRPs. In this case, each Filtered Topology is treated as an underlay network on which NRPs can be constructed. The stage of generating Filtered Topologies is optional within this framework.</t> <t>The steps described here can be applied in a variety of orders according to implementation and deployment preferences. Furthermore, the steps may be iterative so that the components are continually refined and modified as network conditions change and as service requests are received or relinquished, and even the underlay network could be extended if necessary to meet the customers' demands.</t> </section> <section anchor="reality" numbered="true" toc="default"> <name>Procedures to Realize IETF Network Slices</name> <t>There are a number of different technologies that can be used in the underlay, including physical connections, MPLS,time-sensitive networkingTime-Sensitive Networking (TSN), Flex-E, etc.</t> <t>An IETF Network Slice can be realized in a network, using specific underlay technology or technologies. The creation of a new IETF Network Slice will be realized with the following steps:</t><ul spacing="normal"><ol spacing="normal" type="1"> <li>An NSC exposes the network slicing capabilities that it offers for the network it manages so that the customer can determine whether to request services and what features are in scope.</li> <li>The customer may issue a request to determine whether a specific IETF Network Slice Service could be supported by the network. An NSC may respond indicating a simple yes orno,no and may supplement a negative response with information about what it could support were the customer to change some requirements.</li> <li>The customer requests an IETF Network Slice Service. An NSC may respond that the slice has or has not beencreated,created and may supplement a negative response with information about what it could support were the customer to change some requirements.</li> <li>When processing a customer request for an IETF Network Slice Service, an NSC maps the request to the network capabilities and applies provider policies before creating or supplementing the NRP.</li></ul></ol> <t>Regardless of how an IETF Network Slice is realized in the network (e.g., using tunnels of different types), the definition of the IETF Network Slice Service does not change at all. The only difference is how the slice is realized. The following sections briefly introduce how some existing architectural approaches can be applied to realize IETF Network Slices.</t> </section> <section anchor="actn" numbered="true" toc="default"> <name>Applicability of ACTN to IETF Network Slices</name> <t>Abstraction and Control of TE Networks(ACTN -(ACTN) <xref target="RFC8453"format="default"/>)format="default"/> is a management architecture and toolkit used to create virtual networks (VNs) on top of a TE underlay network. The VNs can be presented to customers for them to operate as private networks.</t> <t>In many ways, the function of ACTN is similar to IETF network slicing. Customer requests for connectivity-based overlay services are mapped to dedicated or shared resources in the underlay network in a way that meets customer guarantees forservice level objectivesSLOs and for separation from other customers' traffic. <xref target="RFC8453" format="default"/> describes the function of ACTN as collecting resources to establish a logically dedicated virtual network over one or more TE networks. Thus, in the case of a TE-enabled underlay network, the ACTN VN can be used as a basis to realize IETF network slicing.</t> <t>While the ACTN framework is a generic VN framework that can be used for VN services beyond the IETF Network Slice, it is also a suitable basis for delivering and realizing IETF Network Slices.</t> <t>Further discussion of the applicability of ACTN to IETF NetworkSlicesSlices, including a discussion of the relevant YANGmodelsmodels, can be found in <xref target="I-D.ietf-teas-applicability-actn-slicing" format="default"/>.</t> </section> <section anchor="eVPN" numbered="true" toc="default"> <name>Applicability of Enhanced VPNs to IETF Network Slices</name> <t>An enhanced VPN(VPN+)is designed to support the needs of new applications, particularly applications that are associated with 5G services. The approach is based on existing VPN and TEtechnologies,technologies but adds characteristics that specific services require over and above those previously associated with VPN services.</t> <t>An enhanced VPN can be used to provide enhanced connectivity services between customer sites and can be used to create the infrastructure to underpin an IETF Network Slice Service.</t> <t>It is envisaged that enhanced VPNs will be delivered using a combination of existing, modified, and new networking technologies.</t> <t><xref target="I-D.ietf-teas-enhanced-vpn" format="default"/> describes the framework forEnhanced Virtual Private Network (VPN+)enhanced VPN services.</t> </section> <section anchor="aggie" numbered="true" toc="default"> <name>Network Slicing and Aggregation in IP/MPLS Networks</name> <t>Network slicing provides the ability to partition a physical network into multiple logical networks of varying sizes, structures, and functions so that each slice can be dedicated to specific services or customers. The support of resource preemption between IETFnetwork slicesNetwork Slices is deployment specific.</t> <t>Many approaches are currently being worked on to support IETF Network Slices in IP and MPLS networks with or without the use of Segment Routing. Most of these approaches utilize a way of marking packets so that network nodes can apply specific routing and forwarding behaviors to packets that belong to different IETF Network Slices. Different mechanisms for marking packets have been proposed (including using MPLS labels and Segment Routing segmentIDs)IDs), and those mechanisms are agnostic to the path control technology used within the underlay network.</t> <t>These approaches are also sensitive to the scaling concerns of supporting a large number of IETF Network Slices within a single IP or MPLSnetwork,network and so offer ways to aggregate the connectivity constructs of slices (or whole slices) so that the packet markings indicate an aggregate or grouping where all of the packets are subject to the same routing and forwarding behavior.</t> <t>At this stage, it is inappropriate to cite any of these proposed solutions that are currently work in progress and not yet adopted as IETF work.</t> </section> <section anchor="sfc" numbered="true" toc="default"> <name>Network Slicing and Service Function Chaining (SFC)</name> <t>A customer may request an IETF Network Slice Service that involves a set of service functions (SFs) together with the order in which these SFs are invoked. Also, the customer can specify the service objectives to be met by the underlay network (e.g., one-way delay to cross a service function path, one-way delay to reach a specific SF). These SFs are considered as ancillary CEs and are possibly placeholders (i.e., the SFs are identified, but not their locators).</t> <t>Service Function Chaining (SFC) <xref target="RFC7665" format="default"/> techniques can be used by a provider to instantiate such an IETF Network Slice Service. An NSC may proceed as follows.</t> <ul spacing="normal"> <li>Expose a set of ancillary CEs that are hosted in the underlay network.</li> <li>Capture the SFC requirements(including,(including traffic performance metrics) from the customer. One or more service chains may be associated with the same IETF Network Slice Service as connectivity constructs.</li> <li>Execute an SF placement algorithm to decide where to locate the ancillary CEs in order to fulfill the service objectives.</li> <li> <t>Generate SFC classification rules to identify(part of)part of the slice traffic that will be bound to an SFC. These classification rules may be the same as or distinct from the identification rules used to bind incoming traffic to the associated IETF Network Slice.</t> <t>An NSC also generates a set of SFC forwarding policies that govern how the traffic will be forwarded along aservice function pathService Function Path (SFP).</t> </li> <li>Identify the appropriate Classifiers in the underlay network and provision them with the classification rules. Likewise, an NSC communicates the SFC forwardingpolicespolicies to the appropriate Service Function Forwarders(SFF).</li>(SFFs).</li> </ul> <t>The provider can enable an SFC data plane mechanism, such as those described in <xref target="RFC8300" format="default"/>, <xref target="RFC8596" format="default"/>, or <xreftarget="I-D.ietf-spring-nsh-sr"target="RFC9491" format="default"/>.</t> </section> </section> <section anchor="isolation" numbered="true" toc="default"> <name>Isolation in IETF Network Slices</name> <section anchor="isoslo" numbered="true" toc="default"> <name>Isolation as a Service Requirement</name> <t>An IETF Network Slice Service customer may request that the IETF Network Slice delivered to them is such that changes to other IETF Network Slices or to other services do not have any negative impact on the delivery of the IETF Network Slice. The IETF Network Slice Service customer may specify the extent to which their IETF Network Slice Service is unaffected by changes in the provider network or by the behavior of other IETF Network Slice Service customers. The customer may express this via an SLE it agrees with the provider. This concept is termed'isolation'.</t>"isolation".</t> <t>In general, a customer cannot tell whether a service provider is meeting an isolation SLE. If the service varies such that an SLO isbreachedbreached, then the customer will become aware of the problem, and if the service varies within the allowed bounds of the SLOs, there may be no noticeable indication that this SLE has been violated.</t> </section> <section anchor="isoreal" numbered="true" toc="default"> <name>Isolation in IETF Network Slice Realization</name> <t>Isolation may be achieved in the underlay network by various forms of resourcepartitioningpartitioning, ranging from dedicated allocation of resources for a specific IETF NetworkSlice,Slice to sharing of resources with safeguards. For example, traffic separation between different IETF Network Slices may be achieved using VPN technologies, such as L3VPN, L2VPN, EVPN, etc. Interference avoidance may be achieved by network capacity planning, allocating dedicated network resources, traffic policing or shaping, prioritizing in using shared network resources, etc. Finally, service continuity may be ensured by reserving backup paths for critical traffic and dedicating specific network resources for a selected number of IETF Network Slices.</t> </section> </section> <section anchor="monitoring" numbered="true" toc="default"> <name>Management Considerations</name> <t>IETF Network Slice realization needs to be instrumented in order to track how it is working, and it might be necessary to modify the IETF Network Slice as requirements change. Dynamic reconfiguration might be needed.</t> <t>The various management interfaces and components are discussed in <xref target="framework" format="default"/>.</t> </section> <section anchor="security-considerations" numbered="true" toc="default"> <name>Security Considerations</name> <t>This document specifies terminology and has no direct effect on the security of implementations or deployments. In this section, a few of the security aspects are identified.</t> <dl newline="false" spacing="normal"> <dt>Conformance to security constraints:</dt> <dd>Specific security requests from customer-defined IETF Network Slice Services will be mapped to their realization in the underlay networks. Underlay networks will require capabilities to conform to customer's requests as some aspects of security may be expressed in SLEs.</dd> <dt>IETF NSC authentication:</dt> <dd>Underlay networks need to be protected against attacks from an adversary NSC as this could destabilize overall network operations. An IETF Network Slice may span differentnetworks,networks; therefore, an NSC should have strong authentication with each of these networks. Furthermore, both the IETF Network Slice Service Interface and the Network Configuration Interface need to be secured with a robust authentication andauthorization;authorization mechanism and associated auditing mechanism.</dd> <dt>Specific isolation criteria:</dt> <dd>The nature of conformance to isolation requests means that it should not be possible to attack an IETF Network Slice Service by varying the traffic on other services or slices carried by the same underlay network. In general, isolation is expected to strengthen the IETF Network Slice security.</dd> <dt>DataConfidentialityconfidentiality andIntegrityintegrity of an IETF Network Slice:</dt> <dd>An IETF Network Slice might include encryption and other security features as part of the service (for example, as SLEs). However, a customer wanting to guarantee that their data is secure from inspection or modification as it passes through the network of the operator that provides the IETF Network Slice Service will need to provision their own security solutions (e.g., with IPsec) or send only already otherwise-encrypted traffic through the slice.</dd> </dl><t>Note: See<t>See <xreftarget="NGMN_SEC"target="NGMN-SEC" format="default"/> on 5G network slice security for discussion relevant to this section.</t> <t>IETF Network Slices might use underlying virtualized networking. All types of virtual networking require special consideration to be given to the separation of traffic between distinct virtual networks, as well as some amount of protection from effects of traffic use of underlay network (and other) resources from other virtual networks sharing those resources.</t> <t>For example, if a service requires a specific upper bound on latency, then that service could be degraded with added delay caused by the processing of packets from another service or application that shares the same network resources. Thus, without careful planning or traffic policing, it may be possible to attack an IETF Network Slice Service simply by increasing the traffic on another service in the network.</t> <t>Similarly, in a network with virtual functions, noticeably impeding access to a function used by another IETF Network Slice (for instance, compute resources) can be just as service-degrading as delaying physical transmission of associated packet in the network. Again, careful planning and policing of service demands may mitigate such attacks.</t> <t>Both of these forms of attack may also be mitigated by reducing the access to information about how IETF Network Slice Services are supported in a network.</t> </section> <section anchor="privacy-considerations" numbered="true" toc="default"> <name>Privacy Considerations</name> <t>Privacy of IETF Network Slice Service customers must be preserved. It should not be possible for one IETF Network Slice Service customer to discover the presence of other customers, nor should sites that are members of one IETF Network Slice be visible outside the context of that IETF Network Slice.</t> <t>In this sense, it is of paramount importance that the system uses the privacy protection mechanism defined for the specific underlay technologies that support the slice, including in particular those mechanisms designed to preclude acquiring identifying information associated with any IETF Network Slice Service customer.</t> </section> <section anchor="iana-considerations" numbered="true" toc="default"> <name>IANA Considerations</name> <t>This documentmakeshas norequests forIANAaction.</t> </section> <section anchor="acknowledgments" numbered="false" toc="default"> <name>Acknowledgments</name> <t>The entire TEAS Network Slicing design team and everyone participating in related discussions has contributed to this document. Some text fragments in the document have been copied from the <xref target="I-D.ietf-teas-enhanced-vpn" format="default"/>, for which we are grateful.</t> <t>Significant contributions to this document were gratefully received from the contributing authors listed in the "Contributors" section. In addition we would like to also thank those others who have attended one or more of the design team meetings, including the following people not listed elsewhere:</t> <ul spacing="normal"> <li>Aihua Guo</li> <li>Bo Wu</li> <li>Greg Mirsky</li> <li>Lou Berger</li> <li>Rakesh Gandhi</li> <li>Ran Chen</li> <li>Sergio Belotti</li> <li>Stewart Bryant</li> <li>Tomonobu Niwa</li> <li>Xuesong Geng</li> </ul> <t>Further useful comments were received from Daniele Ceccarelli, Uma Chunduri, Pavan Beeram, Tarek Saad, Kenichi Ogaki, Oscar Gonzalez de Dios, Xiaobing Niu, Dan Voyer, Igor Bryskin, Luay Jalil, Joel Halpern, John Scudder, John Mullooly, Krzysztof Szarkowicz, Jingrong Xie, Jia He, Reese Enghardt, Dirk Von Hugo, Erik Kline, and Eric Vyncke.</t> <t>This work is partially supported by the European Commission under Horizon 2020 grant agreement number 101015857 Secured autonomic traffic management for a Tera of SDN flows (Teraflow).</t> </section> <section anchor="contributors" numbered="false" toc="default"> <name>Contributors</name> <t>The following authors contributed significantly to this document:</t> <artwork name="" type="" align="left" alt=""> <![CDATA[ Eric Gray (The original editor of the foundation documents) Retired Jari Arkko Ericsson Email: jari.arkko@piuha.net Mohamed Boucadair Orange Email: mohamed.boucadair@orange.com Dhruv Dhody Huawei, India Email: dhruv.ietf@gmail.com Jie Dong Huawei Email: jie.dong@huawei.com Xufeng Liu Volta Networks Email: xufeng.liu.ietf@gmail.com ]]> </artwork>actions.</t> </section> </middle> <back> <displayreference target="I-D.ietf-spring-resource-aware-segments" to="RESOURCE-AWARE-SEGMENTS"/> <displayreference target="I-D.ietf-teas-applicability-actn-slicing" to="ACTN-NS"/> <displayreference target="I-D.ietf-teas-enhanced-vpn" to="ENHANCED-VPN"/> <displayreference target="I-D.ietf-teas-ietf-network-slice-use-cases" to="USE-CASES"/> <displayreference target="I-D.openconfig-rtgwg-gnmi-spec" to="GNMI"/> <references> <name>Informative References</name>&RFC3290; &RFC3393; &RFC4208; &RFC4303; &RFC4364; &RFC4397; &RFC5212; &RFC5440; &RFC6020; &RFC6241; &RFC7239; &RFC7665; &RFC7679; &RFC7680; &RFC7926; &RFC7950; &RFC8040; &RFC8300; &RFC8309; &RFC8453; &RFC8454; &RFC8596; &RFC9408; &I-D.ietf-spring-nsh-sr; &I-D.ietf-spring-resource-aware-segments; &I-D.ietf-teas-applicability-actn-slicing; &I-D.ietf-teas-enhanced-vpn; &I-D.ietf-teas-ietf-network-slice-use-cases; &I-D.openconfig-rtgwg-gnmi-spec;<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3290.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3393.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4208.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4303.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4364.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4397.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5212.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5440.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6020.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6241.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7239.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7665.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7679.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7680.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7926.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7950.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8040.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8300.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8309.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8453.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8454.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8596.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9408.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9491.xml"/> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-spring-resource-aware-segments.xml"/> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-teas-applicability-actn-slicing.xml"/> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-teas-enhanced-vpn.xml"/> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-teas-ietf-network-slice-use-cases.xml"/> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.openconfig-rtgwg-gnmi-spec.xml"/> <reference anchor="NFVArch" target="http://www.etsi.org/deliver/etsi_gs/nfv/001_099/002/01.01.01_60/gs_nfv002v010101p.pdf"> <front> <title>Network Functions Virtualisation(NFV):(NFV); Architectural Framework</title> <author> <organization>ETSI</organization> </author> <date month="October" year="2013"/> </front> <seriesInfoname="ETSI" value="GS NFVname="ETSI GS" value="NFV 002"/> <refcontent>V1.1.1</refcontent> </reference> <referenceanchor="NGMN-NS-Concept">anchor="NGMN-NS-Concept" target="https://ngmn.org/wp-content/uploads/160113_NGMN_Network_Slicing_v1_0.pdf"> <front> <title>Description of Network Slicing Concept</title> <author> <organization>NGMN Alliance</organization> </author> <date month="January" year="2016"/> </front><seriesInfo name="https://www.ngmn.org/uploads/media/161010_NGMN_Network_Slicing_framework_v1.0.8.pdf" value=""/></reference> <referenceanchor="TS23501">anchor="TS23.501"> <front> <title>System architecture for the 5G System (5GS)</title> <author> <organization>3GPP</organization> </author> <date year="2019"/> </front> <seriesInfoname="3GPP" value="TS 23.501"/>name="3GPP TS" value="23.501"/> </reference> <referenceanchor="TS28530">anchor="TS28.530"> <front> <title>Management and orchestration; Concepts, use cases and requirements</title> <author> <organization>3GPP</organization> </author> <date year="2019"/> </front> <seriesInfoname="3GPP" value="TS 28.530"/>name="3GPP TS" value="28.530"/> </reference> <reference anchor="TS33.210" target="https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2279"> <front><title>3G security; Network<title>Network Domain Security (NDS); IP network layersecurity (Release 14).</title>security</title> <author> <organization>3GPP</organization> </author> <date month="December" year="2016"/> </front> <refcontent>Release 14</refcontent> </reference> <reference anchor="HIPAA" target="https://www.hhs.gov/hipaa/for-professionals/security/index.html"> <front><title>Health Insurance Portability and Accountability Act - The<title>The Security Rule</title> <author> <organization>HHS</organization> </author><date month="February" year="2003"/></front> </reference> <reference anchor="PCI"target="https://www.pcisecuritystandards.org">target="https://www.pcisecuritystandards.org/document_library"> <front> <title>PCI DSS</title> <author> <organization>PCI Security Standards Council</organization> </author> <datemonth="May" year="2018"/>month="March" year="2022"/> </front> </reference> <referenceanchor="NGMN_SEC"anchor="NGMN-SEC" target="https://www.ngmn.org/wp-content/uploads/Publications/2016/160429_NGMN_5G_Security_Network_Slicing_v1_0.pdf"> <front><title>NGMN 5G Security<title>5G security recommendations Package #2 - Network Slicing</title> <author><organization>NGMN Alliance</organization><organization>NGMN</organization> </author> <date month="April" year="2016"/> </front> </reference> <reference anchor="MACsec"target="https://1.ieee802.org/security/802-1ae">target="https://ieeexplore.ieee.org/document/8585421"> <front> <title>IEEE Standard for Local and metropolitan area networks - Media Access Control (MAC) Security</title> <author> <organization>IEEE</organization> </author> <date month="December" year="2018"/> </front> <seriesInfo name="IEEE Std" value="802.1AE-2018"/> <seriesInfo name="DOI" value="10.1109/IEEESTD.2018.8585421"/> </reference> <reference anchor="ORAN" target="https://orandownloadsweb.azurewebsites.net/specifications"> <front> <title>O-RAN Working Group 1 Slicing Architecture</title> <author> <organization>O-RAN</organization> </author> <date year="2022"/> </front><seriesInfo name="O-RAN.WG1" value="v06.00"/><refcontent>O-RAN.WG1 v06.00</refcontent> </reference> </references> <section anchor="APPA" title="Examples"> <t>This appendix containsrealisationrealization examples. This is not intended to be a complete set of possible deployments, nor does it provide definitive ways to realize these deployments.</t> <t>The examples shown here must not be considered to be normative. The descriptions of terms and concepts in the body of the document take precedence.</t> <section anchor="APPA2" title="Multi-Point to Point Service"> <t>As described in <xref target="NS-Service"format="default" />format="default"/>, an MP2P service can be realized with multiple P2P connectivity constructs. <xref target="mp2pfig" format="default" /> shows a simple MP2P service where traffic is sent from any of CE1, CE2, andCE3,CE3 to thereceiverreceiver, which is CE4. The service comprises three P2P connectivityconstructsconstructs: CE1-CE4, CE2-CE4, and CE3-CE4.</t> <figure anchor="mp2pfig"> <name>Example MP2P Service with P2P Connections</name> <artwork align="center" name="" type=""alt=""> <![CDATA[alt=""><![CDATA[ CE1 ___|________ / \ \ ( \______ ) ( \) CE2---(--------------)---CE4 ( _______/) ( / ) \___|________/ |CE3 ]]> </artwork>CE3]]></artwork> </figure> </section> <section anchor="APPA3" title="Service Function Chaining and Ancillary CEs"> <t><xref target="ancillary" format="default" /> introduces the concept of ancillary CEs. <xref target="ancfig" format="default" /> shows a simple example of IETF Network Slices with connectivity constructs that are used to deliver traffic from CE1 toCE3CE3, taking in a service function along the path.</t> <figure anchor="ancfig"> <name>ExampleWithwith Ancillary CEs</name> <artwork align="center" name="" type=""alt=""> <![CDATA[alt=""><![CDATA[ CE1 CE2 CE3 xo* * * *ox ____xo*_________*_*_________*ox____ _/ xo* * * *ox \_ / xo*********** ***********ox \ ( xo ox ) ( xooooooooo(ACE1)oooooooooox ) ( x x ) ( x ------------------ x ) ( x | Service Function | x ) ( x | ....(ACE2).... | x ) ( x | : : | x ) ( xxxx.:....(ACE3)....:.xxxxx ) ( | : : | ) ( | ....(ACE4).... | ) ( | | ) ( ------------------ ) ( ) \_ Operator Network _/\___________________________________/ ]]> </artwork>\___________________________________/]]></artwork> </figure> <t>A customer may want to utilize a service where traffic is delivered from CE1 toCE3CE3, including a service function sited within the customer's network at CE2. To achieve this, the customer may request an IETF Network Slice Service comprising two P2P connectivityconstructs (CE1-CE2constructs: CE1-CE2 and CE2-CE3represented as ***(represented with "*" inthe figure).</t><xref target="ancfig" format="default" />).</t> <t>Alternatively, the service function for the same CE1 to CE3 flow may be hosted at a node within the network operator's infrastructure. This is an ancillary CE in the IETF Network Slice Service that the customer requests. This service contains two P2P connectivityconstructs (CE1-ACE1constructs: CE1-ACE1 and ACE1-CE3represented as ooo(represented with "o" inthe figure).<xref target="ancfig" format="default" />). How the customer knows of the existence of the ancillaryCE,CE and the service functions itoffers,offers is a matter for agreement between the customer and the network operator.</t> <t>Finally, it may be that the customer knows that the network operator is able to provide the servicefunction,function but does not know the location of the ancillary CE at which the service function is hosted. Indeed, it may be that the service function is hosted at a number of ancillary CEs (ACE2, ACE3, and ACE4 inthe figure):<xref target="ancfig" format="default" />); the customer may know the identities of the ancillaryCEs,CEs but be unwilling or unable to chooseone;one, or the customer may not know about the ancillary CEs. In this case, the IETF Network Slice Service request contains two P2P connectivityconstructs (CE1-ServiceFunctionconstructs: CE1-ServiceFunction and ServiceFunction-CE3represented as xxx(represented with "x" inthe figure).<xref target="ancfig" format="default" />). It is left as a choice for the network operator as to which ancillary CE to use and how to realize the connectivity constructs.</t> </section> <section anchor="APPA4" title="Hub and Spoke"> <t>Hub and spoke is a popular way to realizeany-to-anyA2A connectivity in support of multiple P2P traffic flows (where the hub performsrouting),routing) orofP2MP flows (where the hub is responsible for replication). In many cases, it is the network operator's choice whether to use hub and spoke to realize a mesh of P2P connectivity constructs or P2MP connectivityconstructs:constructs; this is entirely their business as the customer is not aware of how the connectivity constructs are supported within the network.</t> <t>However, it may be the case that the customer wants to control the behavior and location of the hub. In this case, the hub appears as an ancillary CE as shown in <xref target="hns1fig"format="default" />.</t>format="default"/>.</t> <t>For the P2P mesh case, the customer does not specify a mesh of P2P connectivity constructs (such as CE1-CE2, CE1-CE3,CE2-CE3CE2-CE3, and the equivalent reverse directionconnectivity),connectivity) but connects each CE to the hub with P2P connectivity constructs (as CE1-Hub, CE2-Hub,CE3-HubCE3-Hub, and the equivalent reverse direction connectivity). This scales better in terms of provisioning compared to a fullmesh,mesh butdoes requirerequires that the hub is capable of routing traffic between connectivity constructs.</t> <t>For the P2MP case, the customer does not specify a single P2MP connectivity construct (in this case,CE3-{CE1+CE2}),CE3-{CE1+CE2}) but requests three P2P connectivity constructs (as CE3-Hub, Hub-CE1, and Hub-CE2). It is the hub's responsibility to replicate the traffic from CE3 and send it to both CE1 and CE2.</t> <figure anchor="hns1fig"> <name>Example Hub and SpokeUnderunder Customer Control</name> <artwork align="center" name="" type=""alt=""> <![CDATA[alt=""><![CDATA[ ------------ CE1 | Hub | CE2 || ------------ || ___||_____||__||__||_____||___ / || || || || || \ ( ====== || ====== ) ( || ) ( || ) \______________||______________/ ||CE3 ]]> </artwork>CE3]]></artwork> </figure> </section> <section anchor="APPA5" title="Layer 3 VPN"> <t>Layer 3 VPNs are a common service offered by network operators to their customers. They may bemodelledmodeled as anany-to-any service,A2A service but are often realized as a mesh of P2P connections, or if multicast is supported, they may be realized as a mesh of P2MP connections.</t> <t><xref target="vpnfig" format="default" /> shows an IETF Network Slice Service with a single A2A connectivity construct between the SDPs CE1, CE2, CE3, and CE4. It is a free choice how the network operator realizes this service. They may use a full mesh of P2P connections, ahub and spokehub-and-spoke configuration, or some combination of these approaches.</t> <figure anchor="vpnfig"> <name>Example L3VPN Service</name> <artwork align="center" name="" type=""alt=""> <![CDATA[alt=""><![CDATA[ CE1 CE2 ____|_______________|____ / :...............: \ ( :. . : ) ( : ...... . : ) ( : ..... : ) ( : .... . : ) ( : . .... : ) ( : . . : ) ( :...............: ) \____:_______________:____/ | | CE3CE4 ]]> </artwork>CE4]]></artwork> </figure> </section> <section anchor="APPA6" title="Hierarchical Composition of Network Slices"> <t>As mentioned in <xref target="ExtConcept" format="default" />, IETF Network Slices may be arranged hierarchically. There is nothing special or novel about such an arrangement, and it models the hierarchical arrangement of services of virtual networks in many other environments.</t> <t>As shown in <xref target="hierfig" format="default" />, an Operator's Controller (NSC) that is requested to provide an IETF Network Slice Service for a customer may, in turn, request an IETF Network Slice Service from another carrier. The Operator's NSC may manage and control the underlay IETF Network Slice by modifying the requested connectivity constructs and changing the SLAs. The customer is entirely unaware of the hierarchy of slices, and the underlay carrier is entirely unaware of how its slice is being used.</t> <t>This"stacking"stacking of IETF Network Slice constructs is not different to the way virtual networks may be arranged.</t> <figure anchor="hierfig"> <name>Example Hierarchical Arrangement of IETF Network Slices</name> <artwork align="center" name="" type=""alt=""> <![CDATA[alt=""><![CDATA[ -------------- | Network | | Slice | | Orchestrator | -------------- | IETF Network Slice | Service Request | Customer view ....|................................ -v---------------- Operator view |Controller | | ------------ | | | IETF | | | | Network |---|--- | | Slice | | | | | Controller | | | | | (NSC) | | | | ------------ | | ------------------ | | IETF Network Slice | Service Request | .........................|..................... ----------v------- Carrier view |Controller | | ------------ | | | IETF | | | | Network | | | | Slice | | | | Controller | | | | (NSC) | | | ------------ | ....| | Network |............ | | Configuration | Underlay Network | v | | ------------ | | | Network | | | | Controller | | | | (NC) | | | ------------ | ------------------ | Device Configurationv ]]> </artwork>v]]></artwork> </figure> <t>In this case, the network hierarchy may also be used to provide connectivity between points in thehigher layer networkhigher-layer network, as shown in <xref target="bridgefig" format="default" />. Here, an IETF Network Slice may be requested of thelower layerlower-layer network to provide the desired connectivity constructs to supplement the connectivity in thehigher layerhigher-layer network where this connectivity might be presented as a virtual link.</t> <figure anchor="bridgefig"> <name>Example Hierarchical Arrangement of IETF Network Slices to Bridge Connectivity</name> <artwork align="center" name="" type=""alt=""> <![CDATA[alt=""><![CDATA[ CE1 CE2 | | | | _|_________________________________________|_ ( : : ) ( :.............. ..............: ) (_______________:_____________:_______________) __|_____________|__ ( : : ) ( :.............: )(___________________) ]]> </artwork>(___________________)]]></artwork> </figure> </section> <section anchor="APPA7" title="Horizontal Composition of Network Slices"> <t>It may be that end-to-end connectivity is achieved using a set of cooperating networks as described in <xref target="ExtConcept" format="default" />. For example, there may be multiple interconnected networks that provide the required connectivity as shown in <xref target="peerfig" format="default" />. The networks may utilize different technologies and may be under separate administrative control.</t> <figure anchor="peerfig"> <name>Example Customer View of Interconnected Networks Providing End-to-End Connectivity</name> <artwork align="center" name="" type=""alt=""> <![CDATA[alt=""><![CDATA[ CE1 CE2 | | SDP1 SDP2 | | _|____ ______ ______ ____|_ ( ) ( ) ( ) ( ) ( )---( )---( )---( ) (______) (______) (______)(______) ]]> </artwork>(______)]]></artwork> </figure> <t>In this scenario, the customer (represented by CE1 and CE2) may request an IETF Network Slice Service connecting the CEs. The customer considers the SDPs at the edge (shown as SDP1 and SDP2 in <xref target="peerfig" format="default" />) and might not be aware of how the end-to-end connectivity is composed.</t> <t>However, because the various networks may be of different technologies and under separate administrative control, the networks are slicedindividuallyindividually, and coordination is necessary to deliver the desired connectivity. Thenetwork to network interfacesNetwork-to-Network Interfaces (NNIs) are present as SDPs for the IETF Network Slices in eachnetworknetwork, so that each network is individually sliced. In the example in <xref target="peerdlvrfig" format="default" />, this is illustrated as network 1 (N/w1) being sliced between SDP1 and SDPX, N/w2 being sliced between SDPY and SDPU, etc. The coordination activity involves binding the SDPs, and hence the connectivity constructs, to achieve end-to-end connectivity with the required SLOs and SLEs. In this way, simple and complex end-to-end connectivity can be achieved with a variety of connectivity constructs in the IETF Network Slices of different networks "stitched" together.</t> <figure anchor="peerdlvrfig"> <name>Example Delivery ofAnan End-to-End IETF Network Slice with Interconnected Networks</name> <artwork align="center" name="" type=""alt=""> <![CDATA[alt=""><![CDATA[ CE1 CE2 | | SDP1 SDP2 | | _|____ ______ ______ ____|_ ( ) SDPX ( ) SDPU ( ) SDPS ( ) ( N/w1 )------( N/w2 )------( N/w3 )------( N/w4 ) (______) SDPY (______) SDPV (______) SDPT(______) ]]> </artwork>(______)]]></artwork> </figure> <t>The controller/coordinator relationship is shown in <xref target="coordfig" format="default" />.</t> <figure anchor="coordfig"> <name>Example Relationship of IETF Network Slice Coordination</name> <artwork align="center" name="" type=""alt=""> <![CDATA[alt=""><![CDATA[ -------------- | Network | | Slice | | Orchestrator | -------------- | IETF Network Slice | Service Request | Customer view ....|................................ -v---------------- Coordinator view |Coordinator | | | ------------------ | |_________________ | | | | ....|....................... ....|..................... -v-------------- -v-------------- |Controller1 | Operator1 |Controller2 | Operator2 | ------------ | | ------------ | | | IETF | | | | IETF | | | | Network | | | | Network | | | | Slice | | | | Slice | | | | Controller | | | | Controller | | | | (NSC) | | | | (NSC) | | | ------------ | | ------------ | ....| | Network |............ | | Network |............ | | Config | Underlay1 | | Config | Underlay2 | v | | v | | ------------ | | ------------ | | | Network | | | | Network | | | | Controller | | | | Controller | | | | (NC) | | | | (NC) | | | ------------ | | ------------ | ---------------- ---------------- | Device Configurationv ]]> </artwork>v]]></artwork> </figure> </section> </section> <section anchor="acknowledgments" numbered="false" toc="default"> <name>Acknowledgments</name> <t>The entire TEAS Network Slicing design team and everyone participating in related discussions has contributed to this document. Some text fragments in the document have been copied from the <xref target="I-D.ietf-teas-enhanced-vpn" format="default"/>, for which we are grateful.</t> <t>Significant contributions to this document were gratefully received from the contributing authors listed in the "<xref target="contributors" format="title"/>" section. In addition, we would like to also thank those others who have attended one or more of the design team meetings, including the following people not listed elsewhere:</t> <ul spacing="compact"> <li><t><contact fullname="Aihua Guo"/></t></li> <li><t><contact fullname="Bo Wu"/></t></li> <li><t><contact fullname="Greg Mirsky"/></t></li> <li><t><contact fullname="Lou Berger"/></t></li> <li><t><contact fullname="Rakesh Gandhi"/></t></li> <li><t><contact fullname="Ran Chen"/></t></li> <li><t><contact fullname="Sergio Belotti"/></t></li> <li><t><contact fullname="Stewart Bryant"/></t></li> <li><t><contact fullname="Tomonobu Niwa"/></t></li> <li><t><contact fullname="Xuesong Geng"/></t></li> </ul> <t>Further useful comments were received from <contact fullname="Daniele Ceccarelli"/>, <contact fullname="Uma Chunduri"/>, <contact fullname="Pavan Beeram"/>, <contact fullname="Tarek Saad"/>, <contact fullname="Kenichi Ogaki"/>, <contact fullname="Oscar Gonzalez de Dios"/>, <contact fullname="Xiaobing Niu"/>, <contact fullname="Dan Voyer"/>, <contact fullname="Igor Bryskin"/>, <contact fullname="Luay Jalil"/>, <contact fullname="Joel Halpern"/>, <contact fullname="John Scudder"/>, <contact fullname="John Mullooly"/>, <contact fullname="Krzysztof Szarkowicz"/>, <contact fullname="Jingrong Xie"/>, <contact fullname="Jia He"/>, <contact fullname="Reese Enghardt"/>, <contact fullname="Dirk Von Hugo"/>, <contact fullname="Erik Kline"/>, and <contact fullname="Éric Vyncke"/>.</t> <t>This work is partially supported by the European Commission under Horizon 2020 grant agreement number 101015857 Secured autonomic traffic management for a Tera of SDN flows (Teraflow).</t> </section> <section anchor="contributors" numbered="false" toc="default"> <name>Contributors</name> <t>The following people contributed substantially to the content of this document and should be considered coauthors. <contact fullname="Eric Gray"/> was the original editor of the fundation documents.</t> <contact fullname="Eric Gray" > <organization>Retired</organization> </contact> <contact fullname="Jari Arkko" > <organization>Ericsson</organization> <address> <email>jari.arkko@piuha.net</email> </address> </contact> <contact fullname="Mohamed Boucadair" > <organization>Orange</organization> <address> <email>mohamed.boucadair@orange.com</email> </address> </contact> <contact fullname="Dhruv Dhody" > <organization>Huawei</organization> <address> <postal> <country>India</country> </postal> <email>dhruv.ietf@gmail.com</email> </address> </contact> <contact fullname="Jie Dong" > <organization>Huawei</organization> <address> <email>jie.dong@huawei.com</email> </address> </contact> <contact fullname="Xufeng Liu" > <organization>Volta Networks</organization> <address> <email>xufeng.liu.ietf@gmail.com</email> </address> </contact> </section> </back> </rfc>