Internet-Draft | IETF Network Slices | October 2021 |
Farrel, et al. | Expires 28 April 2022 | [Page] |
This document describes network slicing in the context of networks built from IETF technologies. It defines the term "IETF Network Slice" and establishes the general principles of network slicing in the IETF context.¶
The document discusses the general framework for requesting and operating IETF Network Slices, the characteristics of an IETF Network Slice, the necessary system components and interfaces, and how abstract requests can be mapped to more specific technologies. The document also discusses related considerations with monitoring and security.¶
This document also provides definitions of related terms to enable consistent usage in other IETF documents that describe or use aspects of IETF Network Slices.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 28 April 2022.¶
Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
A number of use cases benefit from network connections that along with the connectivity provide assurance of meeting a specific set of objectives with respect to network resources use. This connectivity and resource commitment is referred to as a network slice. Since the term network slice is rather generic, the qualifying term "IETF" is used in this document to limit the scope of network slice to network technologies described and standardized by the IETF. This document defines the concept of IETF Network Slices that provide connectivity coupled with a set of specific commitments of network resources between a number of endpoints (known as customer edge (CE) devices - see Section 2.1) over a shared underlay network. Services that might benefit from IETF Network Slices include, but are not limited to:¶
IETF Network Slices are created and managed within the scope of one or more network technologies (e.g., IP, MPLS, optical). They are intended to enable a diverse set of applications that have different requirements to coexist on the shared underlay network. A request for an IETF Network Slice is technology-agnostic so as to allow a customer to describe their network connectivity objectives in a common format, independent of the underlying technologies used.¶
This document also provides a framework for discussing IETF Network Slices. This framework is intended as a structure for discussing interfaces and technologies. It is not intended to specify a new set of concrete interfaces or technologies. Rather, the idea is that existing or under-development IETF technologies (plural) can be used to realize the concepts expressed herein.¶
For example, virtual private networks (VPNs) have served the industry well as a means of providing different groups of users with logically isolated access to a common network. The common or base network that is used to support the VPNs is often referred to as an underlay network, and the VPN is often called an overlay network. An overlay network may, in turn, serve as an underlay network to support another overlay network.¶
Note that it is conceivable that extensions to these IETF technologies are needed in order to fully support all the ideas that can be implemented with slices. Evaluation of existing technologies, proposed extensions to existing protocols and interfaces, and the creation of new protocols or interfaces is outside the scope of this document.¶
Driven largely by needs surfacing from 5G, the concept of network slicing has gained traction ([NGMN-NS-Concept], [TS23501], [TS28530], and [BBF-SD406]). In [TS23501], a Network Slice is defined as "a logical network that provides specific network capabilities and network characteristics", and a Network Slice Instance is defined as "A set of Network Function instances and the required resources (e.g. compute, storage and networking resources) which form a deployed Network Slice." According to [TS28530], an end-to-end network slice consists of three major types of network segments: Radio Access Network (RAN), Transport Network (TN) and Core Network (CN). An IETF Network Slice provides the required connectivity between different entities in RAN and CN segments of an end-to-end network slice, with a specific performance commitment. For each end-to-end network slice, the topology and performance requirement on a customer's use of IETF Network Slice can be very different, which requires the underlay network to have the capability of supporting multiple different IETF Network Slices.¶
While network slices are commonly discussed in the context of 5G, it is important to note that IETF Network Slices are a narrower concept, and focus primarily on particular network connectivity aspects. Other systems, including 5G deployments, may use IETF Network Slices as a component to create entire systems and concatenated constructs that match their needs, including end-to-end connectivity.¶
A IETF Network Slice could span multiple technologies and multiple administrative domains. Depending on the IETF Network Slice customer's requirements, an IETF Network Slice could be isolated from other, often concurrent IETF Network Slices in terms of data, control and management planes.¶
The customer expresses requirements for a particular IETF Network Slice by specifying what is required rather than how the requirement is to be fulfilled. That is, the IETF Network Slice customer's view of an IETF Network Slice is an abstract one.¶
Thus, there is a need to create logical network structures with required characteristics. The customer of such a logical network can require a degree of isolation and performance that previously might not have been satisfied by traditional overlay VPNs. Additionally, the IETF Network Slice customer might ask for some level of control of their virtual networks, e.g., to customize the service paths in a network slice.¶
This document specifies definitions and a framework for the provision of an IETF Network Slice service. Section 6 briefly indicates some candidate technologies for realizing IETF Network Slices.¶
The following abbreviations are used in this document.¶
The meaning of these abbreviations is defined in greater details in the remainder of this document.¶
The following terms are presented here to give context. Other terminology is defined in the remainder of this document.¶
It is intended that IETF Network Slices can be created to meet specific requirements, typically expressed as bandwidth, latency, latency variation, and other desired or required characteristics. Creation is initiated by a management system or other application used to specify network-related conditions for particular traffic flows.¶
It is also intended that, once created, these slices can be monitored, modified, deleted, and otherwise managed.¶
It is also intended that applications and components will be able to use these IETF Network Slices to move packets between the specified end-points in accordance with specified characteristics.¶
An IETF Network Slice Service enables connectivity between a set of CEs with specific Service Level Objectives (SLOs) and Service Level Expectations (SLEs) over a common underlay network.¶
An IETF Network Slice combines the connectivity resource requirements and associated network behaviors such as bandwidth, latency, jitter, and network functions with other resource behaviors such as compute and storage availability. The definition of an IETF Network Slice Service is independent of the connectivity and technologies used in the underlay network. This allows an IETF Network Slice Service customer to describe their network connectivity and relevant objectives in a common format, independent of the underlying technologies used.¶
IETF Network Slices may be combined hierarchically, so that a network slice may itself be sliced. They may also be combined sequentially so that various different networks can each be sliced and the network slices placed into a sequence to provide an end-to-end service. This form of sequential combination is utilized in some services such as in 3GPP's 5G network [TS23501].¶
An IETF Network Slice Service is technology-agnostic, and its realization may be selected based upon multiple considerations including its service requirements and the capabilities of the underlay network.¶
The term "Slice" refers to a set of characteristics and behaviours that separate one type of user-traffic from another. An IETF Network Slice assumes that an underlay network is capable of changing the configurations of the network devices on demand, through in-band signaling or via controller(s) and fulfilling all or some of SLOs/SLEs to all of the traffic in the slice or to specific flows.¶
A service provider instantiates an IETF Network Slice service for a customer. The IETF Network Slice service is specified in terms of a set of CEs, a set of one or more connectivity matrices (point-to-point (P2P), point-to-multipoint (P2MP), multipoint-to-point (MP2P), multipoint-to-multipoint (MP2MP), or any-to-any (A2A)) between subsets of these CEs, and a set of SLOs and SLEs for each CE sending to each connectivity matrix. That is, in a given IETF Network Slice service there may be one or more connectivity matrices of the same or different type, each connectivity matrix may be between a different subset of CEs, and for a given connectivity matrix each sending CE has its own set of SLOs and SLEs, and the SLOs and SLEs in each set may be different. Note that it is a service provider's prerogative to decide how many connectivity matrices per IETF Network Slice Service it wishes to offer.¶
This approach results in the following possible connectivity matrices:¶
If a CE has multiple attachment circuits to a given IETF Network Slice Service and they are operating in single-active mode, then all traffic between the CE and its attached PEs transits a single attachment circuit; if they are operating in in all-active mode, then traffic between the CE and its attached PEs is distributed across all of the active attachment circuits.¶
A given sending CE may be part of multiple connectivity matrices within a single IETF Network Slice service, and the CE may have different SLOs and SLEs for each connectivity matrix to which it is sending. Note that a given sending CE's SLOs and SLEs for a given connectivity matrix apply between it and each of the receiving CEs for that connectivity matrix.¶
An IETF Network Slice service provider may freely make a deployment choice as to whether to offer a 1:1 relationship between IETF Network Slice service and connectivity matrix, or to support multiple connectivity matrices in a single IETF Network Slice service. In the former case, the provider might need to deliver multiple IETF Network Slice services to achive the function of the second case.¶
It should be noted that per Section 9 of [RFC4364] an IETF Network Slice service customer may actually provide IETF Network Slice services to other customers in a mode sometimes refered to as "carrier's carrier". In this case, the underlying IETF Network Slice service provider may be owned and operated by the same or a different provider network. As noted in Section 3.1, network slices may be composed hierarchically or serially.¶
Section 4.2 provides a description of endpoints in the context of IETF network slicing. For a given IETF Network Slice service, the IETF Network Slice customer and provider agree, on a per-CE basis which end of the attachment circuit provides the service demarcation point (i.e., whether the attachment circuit is inside or outside the IETF Network Slice service). This determines whether the attachment circuit is subject to the set of SLOs and SLEs for the specific CE.¶
Section 4.2 provides a description of service demarcation endpoints. For a given IETF Network Slice Service, the customer and provider agree, on a per-CE basis, which end of the attachment circuit provides the service demarcation endpoint (i.e., whether the attachment circuit is inside or outside the IETF Network Slice Service). This determines whether the attachment circuit is subject to the set of SLOs and SLEs for the specific CE. This point is illustrated further in Section 4.2.¶
It may be the case that a customer's set of CEs needs to be supplemented with additional senders or receivers. An additional sender could be, for example, an IPTV or DNS server either within the provider's network or attached to it, while an extra receiver could be, for example, a node reachable via the Internet. This will be modelled as a set of ancillary CEs which supplement the customer's set of CEs in one or more connectivity matrices, or which have their own connectivity matrices. Note that an ancillary CE can either have a resolvable address, e.g., an IP address or MAC address, or it may be a placeholder, e.g., IPTV or DNS server, which is resolved within the provider's network when the IETF Network Slice Service is instantiated.¶
The following subsections describe the characteristics of IETF Network Slices.¶
An IETF Network Slice service is defined in terms of quantifiable characteristics known as Service Level Objectives (SLOs) and unquantifiable characteristics known as Service Level Expectations (SLEs). SLOs are expressed in terms Service Level Indicators (SLIs), and together with the SLEs form the contractual agreement between service customer and service provider known as a Service Level Agreement (SLA).¶
The terms are defined as follows:¶
SLOs define a set of measurable network attributes and characteristics that describe an IETF Network Slice Service. SLOs do not describe how an IETF Network Slice Service is realized in the underlay network. Instead, they define the dimensions of operation (time, capacity, etc.), availability, and other attributes. An SLO is applied to a given connectivity matrix between a sending CE and the set of receiving CEs.¶
An IETF Network Slice service may include multiple connection constructs that associate sets of endpoints. SLOs apply to sets of two or more CEs and apply to specific directions of traffic flow. That is, they apply to a specific source CE and the connection to specific destination CEs.¶
The SLOs are combined with Service Level Expectations in an SLA.¶
SLOs can be described as 'Directly Measurable Objectives': they are always measurable. See Section 4.1.2 for the description of Service Level Expectations which are unmeasurable service-related requests sometimes known as 'Indirectly Measurable Objectives'.¶
Objectives such as guaranteed minimum bandwidth, guaranteed maximum latency, maximum permissible delay variation, maximum permissible packet loss rate, and availability are 'Directly Measurable Objectives'. Future specifications (such as IETF Network Slice service YANG models) may precisely define these SLOs, and other SLOs may be introduced as described in Section 4.1.1.2.¶
The definition of these objectives are as follows:¶
Guaranteed Minimum Bandwidth¶
Guaranteed Maximum Latency¶
Maximum Permissible Delay Variation¶
Maximum Permissible Packet Loss Rate¶
Availability¶
Additional SLOs may be defined to provide additional description of the IETF Network Slice service that a customer requests. These would be specified in further documents.¶
If the IETF Network Slice service is traffic aware, other traffic specific characteristics may be valuable including MTU, traffic-type (e.g., IPv4, IPv6, Ethernet or unstructured), or a higher-level behavior to process traffic according to user-application (which may be realized using network functions).¶
SLEs define a set of network attributes and characteristics that describe an IETF Network Slice service, but which are not directly measurable by the customer. Even though the delivery of an SLE cannot usually be determined by the customer, the SLEs form an important part of the contract between customer and provider.¶
Quite often, an SLE will imply some details of how an IETF Network Slice service is realized by the provider, although most aspects of the implementation in the underlying network layers remain a free choice for the provider.¶
SLEs may be seen as aspirational on the part of the customer, and they are expressed as behaviors that the provider is expected to apply to the network resources used to deliver the IETF Network Slice service. An IETF Network Slice service can have one or more SLEs associated with it. The SLEs are combined with SLOs in an SLA.¶
An IETF Network Slice service may include multiple connection constructs that associate sets of endpoints. SLEs apply to sets of two or more endpoints and apply to specific directions of traffic flow. That is, they apply to a specific source endpoint and the connection to specific destination endpoints. However, being more general in nature, SLEs may commonly be applied to all connection constructs in an IETF Network Slice service.¶
SLEs can be described as 'Indirectly Measurable Objectives': they are not generally directly measurable by the customer.¶
Security, geographic restrictions, maximum occupancy level, and isolation are example SLEs as follows.¶
Security¶
Geographic Restrictions¶
Maximal Occupancy Level¶
Isolation¶
Diversity¶
As noted in Section 3.1, an IETF Network Slice is a logical network topology connecting a number of endpoints. Section 3.2 goes on to describe how the IETF Network Slice service is composed of a set of one or more connectivity matrices that describe connectivity between the endoints across the underlying network.¶
The characteristics of IETF Network Slice Endpoints (NSEs) are as follows:¶
IETF NSEs are mapped to endpoints of services/tunnels/paths within the IETF Network Slice during its initialization and realization.¶
For a given IETF network slice service, the IETF Network Slice customer and provider agree where the endpoint (i.e., the service demarcation point) is located. This determines what resrouces at the edge of the network form part of the IETF Network Slice and are subject to the set of SLOs and SLEs for a specific endpoint.¶
Figure 1 shows different potential scopes of an IETF Network Slice that are consistent with the different endpoint positions. For the purpose of example and without loss of generality, the figure shows customer edge (CE) and provider edge (PE) nodes connected by access circuits (ACs). Notes after the figure give some explanations.¶
Explanatory notes for Figure 1 are as follows:¶
The choice of which of these options to apply is entirely up to the network operator. It may limit or enable the provision of particular managed services and the operator will want to consider how they want to manage CE equipment and what control they wish to offer the customer or AC resources.¶
Note that Figure 1 shows a symmetrical positioning of endpoints, but this decision can be taken on a per-endpoint basis through agreement between the customer and provider.¶
In practice, it may be necessary to map traffic not only onto an IETF Network Slice, but also onto a specific connectivity matrix if the IETF Network Slice supports more than one connectivity matrix with a source at the specific endpoint. The mechanism used will be one of the mechanisms described above, dependent on how the endpoint is realized.¶
Finally, note (as described in Section 2.1) that a CE is an abstract endpoint of an IETF Network Slice Service and as such may be a device or software component and may, in the case of netork functions virtualization (for example), be an abstract function supported within the provider's network.¶
Operationally, an IETF Network Slice may be decomposed in two or more IETF Network Slices as specified below. Decomposed network slices are then independently realized and managed.¶
A number of IETF Network Slice services will typically be provided over a shared underlying network infrastructure. Each IETF Network Slice consists of both the overlay connectivity and a specific set of dedicated network resources and/or functions allocated in a shared underlay network to satisfy the needs of the IETF Network Slice customer. In at least some examples of underlying network technologies, the integration between the overlay and various underlay resources is needed to ensure the guaranteed performance requested for different IETF Network Slices.¶
An IETF Network Slice and its realization involves the following stakeholders and it is relevant to define them for consistent terminology. The IETF Network Slice customer and IETF Network Slice provider (see Section 2.1) are also stakeholders.¶
The NSC northbound interface (NBI) can be used to communicate between IETF Network Slice customers and the NSC.¶
An IETF Network Slice customer may be a network operator who, in turn, provides the IETF Network Slice to another IETF Network Slice customer.¶
Using the NBI, a customer expresses requirements for a particular slice by specifying what is required rather than how that is to be achieved. That is, the customer's view of a slice is an abstract one. Customers normally have limited (or no) visibility into the provider network's actual topology and resource availability information.¶
This should be true even if both the customer and provider are associated with a single administrative domain, in order to reduce the potential for adverse interactions between IETF Network Slice customers and other users of the underlay network infrastructure.¶
The benefits of this model can include:¶
The general issues of abstraction in a TE network is described more fully in [RFC7926].¶
This framework document does not assume any particular layer at which IETF Network Slices operate as a number of layers (including virtual L2, Ethernet or IP connectivity) could be employed.¶
Data models and interfaces are of course needed to set up IETF Network Slices, and specific interfaces may have capabilities that allow creation of specific layers.¶
Layered virtual connections are comprehensively discussed in IETF documents and are widely supported. See, for instance, GMPLS-based networks [RFC5212] and [RFC4397], or Abstraction and Control of TE Networks (ACTN) [RFC8453] and [RFC8454]. The principles and mechanisms associated with layered networking are applicable to IETF Network Slices.¶
There are several IETF-defined mechanisms for expressing the need for a desired logical network. The NBI carries data either in a protocol-defined format, or in a formalism associated with a modeling language.¶
For instance:¶
While several generic formats and data models for specific purposes exist, it is expected that IETF Network Slice management may require enhancement or augmentation of existing data models.¶
The IETF NSC takes abstract requests for IETF Network Slices and implements them using a suitable underlying technology. An IETF NSC is the key building block for control and management of the IETF Network Slice. It provides the creation/modification/deletion, monitoring and optimization of IETF Network Slices in a multi-domain, a multi-technology and multi-vendor environment.¶
The main task of the IETF NSC is to map abstract IETF Network Slice requirements to concrete technologies and establish required connectivity, and ensuring that required resources are allocated to the IETF Network Slice.¶
An NSC northbound interface (NBI) is needed for communicating details of a IETF Network Slice (configuration, selected policies, operational state, etc.), as well as providing information to a slice requester/customer about IETF Network Slice status and performance. The details for this NBI are not in scope for this document.¶
The controller provides the following functions:¶
Provides "Mapping Functions" for the realization of IETF Network Slices. In other words, it will use the mapping functions that:¶
An IETF Network Slice customer is served by the IETF Network Slice Controller (NSC), as follows:¶
The interworking and interoperability among the different stakeholders to provide common means of provisioning, operating and monitoring the IETF Network Slices is enabled by the following communication interfaces (see Figure 2).¶
The IETF Network Slice Controller provides a Northbound Interface (NBI) that allows customers of network slices to request and monitor IETF Network Slices. Customers operate on abstract IETF Network Slices, with details related to their realization hidden.¶
The NBI complements various IETF services, tunnels, path models by providing an abstract layer on top of these models.¶
The NBI is independent of type of network functions or services that need to be connected, i.e., it is independent of any specific storage, software, protocol, or platform used to realize physical or virtual network connectivity or functions in support of IETF Network Slices.¶
The NBI uses protocol mechanisms and information passed over those mechanisms to convey desired attributes for IETF Network Slices and their status. The information is expected to be represented as a well-defined data model, and should include at least endpoint and connectivity information, SLO specification, and status information.¶
To accomplish this, the NBI needs to convey information needed to support communication across the NBI, in terms of identifying the IETF Network Slices, as well providing the above model information.¶
An IETF Network Slice is a set of connections among various endpoints to form a logical network that meets the SLOs agreed upon.¶
Figure 4 illustrates a case where an IETF Network Slice provides connectivity between a set of IETF Network Slice endpoints (NSE) pairs with specific SLOs (e.g., guaranteed minimum bandwidth of x bps and guaranteed delay of no more than y ms). The IETF Network Slice endpoints are mapped to the service/tunnel/path Endpoints (EPs) in the underlay network. Also, the IETF NSEs in the same IETF Network Slice may belong to the same or different address spaces.¶
IETF Network Slice structure fits into a broader concept of end-to-end network slices. A network operator may be responsible for delivering services over a number of technologies (such as radio networks) and for providing specific and fine-grained services (such as CCTV feed or High definition realtime traffic data). That operator may need to combine slices of various networks to produce an end-to-end network service. Each of these networks may include multiple physical or virtual nodes and may also provide network functions beyond simply carrying of technology-specific protocol data units. An end-to-end network slice is defined by the 3GPP as a complete logical network that provides a service in its entirety with a specific assurance to the customer [TS23501].¶
An end-to-end network slice may be composed from other network slices that include IETF Network Slices. This composition may include the hierarchical (or recursive) use of underlying network slices and the sequential (or stitched) combination of slices of different networks.¶
Realization of IETF Network Slices is out of scope of this document. It is a mapping of the definition of the IETF Network Slice to the underlying infrastructure and is necessarily technology-specific and achieved by the NSC over the SBI. However, this section provides an overview of the components and processes involved in realizing an IETF Network Slice.¶
The realization can be achieved in a form of either physical or logical connectivity using VPNs, virtual networks (VNs), or a variety of tunneling technologies such as Segment Routing, MPLS, etc. Accordingly, endpoints (NSEs) may be realized as physical or logical service or network functions.¶
The architecture described in this section is deliberately at a high level. It is not intended to be prescriptive: implementations and technical solutions may vary freely. However, this approach provides a common framework that other documents may reference in order to facilitate a shared understanding of the work.¶
Figure 5 shows the architectural components of a network managed to provide IETF Network Slices. The customer's view is of individual IETF Network Slices with their endpoint CEs and connectivity matrices. Requests for IETF Network Slices are delivered to the NSC.¶
The network itself (at the bottom of the figure) comprises an underlay network. This could be a physical network, but may be a virtual network. The underlay network is provisioned through network controllers.¶
The underlay network may be filtered by the network operator into a number of Filter Topologies. Filter actions may include selection of specific resources (e.g., nodes and links) according to their capabilities, and are based on network-wide policies. The resulting topologies can be used as candidates to host IETF Network Slices and provide a useful way for the network operator to know in advance that all of the resources they are using to plan an IETF Network Slice would be able to meet specific SLOs and SLEs. The filtering procedure could be an offline planning activity or could be performed dynamically as new demands arise. The use of Filter Topologies is entirely optional in the architecture, and IETF Network Slices could be hosted directly on the underlay network.¶
For scalability reasons, IETF Network Slices may be grouped together according to characteristics (including SLOs and SLEs). This grouping allows an operator to host a number of slices on a particular set of resources and so reduce the amount of state information needed in the network. The NSC is responsible for grouping the IETF Network Slice requests.¶
Each group of IETF Network Slices is mapped onto a set of network resources that are available to carry traffic and meet the SLOs and SLEs. These resources are known as a Network Resource Partition and are selected from the Filter Topology (or direct from the underlay network): they may be reserved and dedicated for use by the group of IETF Network Slices, or may be shared between groups depending on the details of the SLOs and SLEs.¶
The steps described here can be applied in a variety of orders according to implementation and deployment preferences. Furthermore, the steps may be iterative so that the components are continually refined and modified as network conditions change and as service requests are received or relinquished, and even the underlay network could be extended if necessary to meet the customers' demands.¶
There are a number of different technologies that can be used in the underlay, including physical connections, MPLS, time-sensitive networking (TSN), Flex-E, etc.¶
An IETF Network Slice can be realized in a network, using specific underlying technology or technologies. The creation of a new IETF Network Slice will be realized with following steps:¶
Regardless of how IETF Network Slice is realized in the network (i.e., using tunnels of different types), the definition of the IETF Network Slice does not change at all. The only difference is how the slice is realized. The following sections briefly introduce how some existing architectural approaches can be applied to realize IETF Network Slices.¶
Abstraction and Control of TE Networks (ACTN - [RFC8453]) is a management architecture and toolkit used to create virtual networks (VNs) on top of a TE underlay network. The VNs can be presented to customers for them to operate as private networks.¶
In many ways, the function of ACTN is similar to IETF network slicing. Customer requests for connectivity-based overlay services are mapped to dedicated or shared resources in the underlay network in a way that meets customer guarantees for service level objectives and for separation from other customers' traffic. [RFC8453] the function of ACTN as collecting resources to establish a logically dedicated virtual network over one or more TE networks. Thus, in the case of a TE-enabled underlying network, the ACTN VN can be used as a basis to realize an IETF network slicing.¶
While the ACTN framework is a generic VN framework that can be used for VN services beyond the IETF Network Slice, it also a suitable basis for delivering and realizing IETF Network Slices.¶
Further discussion of the applicability of ACTN to IETF Network Slices including a discussion of the relevant YANG models can be found in [I-D.king-teas-applicability-actn-slicing].¶
An enhanced VPN (VPN+) is designed to support the needs of new applications, particularly applications that are associated with 5G services, by utilizing an approach that is based on existing VPN and TE technologies and adds characteristics that specific services require over and above traditional VPNs.¶
An enhanced VPN can be used to provide enhanced connectivity services between customer sites (a concept similar to an IETF Network Slice) and can be used to create the infrastructure to underpin network slicing.¶
It is envisaged that enhanced VPNs will be delivered using a combination of existing, modified, and new networking technologies.¶
[I-D.ietf-teas-enhanced-vpn] describes the framework for Enhanced Virtual Private Network (VPN+) services.¶
Network slicing provides the ability to partition a physical network into multiple isolated logical networks of varying sizes, structures, and functions so that each slice can be dedicated to specific services or customers.¶
Many approaches are currently being worked on to support IETF Network Slices in IP and MPLS networks with or without the use of Segment Routing. Most of these approaches utilize a way of marking packets so that network nodes can apply specific routing and forwarding behaviors to packets that belong to different IETF Network Slices. Different mechanisms for marking packets have been proposed (including using MPLS labels and Segment Rouing segment IDs) and those mechanisms are agnostic to the path control technology used within the underlay network.¶
These approaches are also sensitive to the scaling concerns of supporting a large number of IETF Network Slices within a single IP or MPLS network, and so offer ways to aggregate the slices so that the packet markings indicate an aggregate or grouping of IETF Network Slices where all of the packets are subject to the same routing and forwarding behavior.¶
At this stage, it is inappropriate to mention any of these proposed solutions that are currently work in progress and not yet adopted as IETF work.¶
An IETF Network Slice customer may request that the IETF Network Slice delivered to them is delivered such that changes to other IETF Network Slices or services do not have any negative impact on the delivery of the IETF Network Slice. The IETF Network Slice customer may specify the degree to which their IETF Network Slice is unaffected by changes in the provider network or by the behavior of other IETF Network Slice customers. The customer may express this via an SLE it agrees with the provider. This concept is termed 'isolation'¶
Isolation may be achieved in the underlying network by various forms of resource partitioning ranging from dedicated allocation of resources for a specific IETF Network Slice, to sharing of resources with safeguards. For example, traffic separation between different IETF Network Slices may be achieved using VPN technologies, such as L3VPN, L2VPN, EVPN, etc. Interference avoidance may be achieved by network capacity planning, allocating dedicated network resources, traffic policing or shaping, prioritizing in using shared network resources, etc. Finally, service continuity may be ensured by reserving backup paths for critical traffic, dedicating specific network resources for a selected number of IETF Network Slices.¶
IETF Network Slice realization needs to be instrumented in order to track how it is working, and it might be necessary to modify the IETF Network Slice as requirements change. Dynamic reconfiguration might be needed.¶
This document specifies terminology and has no direct effect on the security of implementations or deployments. In this section, a few of the security aspects are identified.¶
Note: see NGMN document[NGMN_SEC] on 5G network slice security for discussion relevant to this section.¶
IETF Network Slices might use underlying virtualized networking. All types of virtual networking require special consideration to be given to the separation of traffic between distinct virtual networks, as well as some degree of protection from effects of traffic use of underlying network (and other) resources from other virtual networks sharing those resources.¶
For example, if a service requires a specific upper bound of latency, then that service can be degraded by added delay in transmission of service packets through the activities of another service or application using the same resources.¶
Similarly, in a network with virtual functions, noticeably impeding access to a function used by another IETF Network Slice (for instance, compute resources) can be just as service degrading as delaying physical transmission of associated packet in the network.¶
While a IETF Network Slice might include encryption and other security features as part of the service, customers might be well advised to take responsibility for their own security needs, possibly by encrypting traffic before hand-off to a service provider.¶
Privacy of IETF Network Slice service customers must be preserved. It should not be possible for one IETF Network Slice customer to discover the presence of other customers, nor should sites that are members of one IETF Network Slice be visible outside the context of that IETF Network Slice.¶
In this sense, it is of paramount importance that the system use the privacy protection mechanism defined for the specific underlying technologies used, including in particular those mechanisms designed to preclude acquiring identifying information associated with any IETF Network Slice customer.¶
This document makes no requests for IANA action.¶
The entire TEAS Network Slicing design team and everyone participating in related discussions has contributed to this document. Some text fragments in the document have been copied from the [I-D.ietf-teas-enhanced-vpn], for which we are grateful.¶
Significant contributions to this document were gratefully received from the contributing authors listed in the "Contributors" section. In addition we would like to also thank those others who have attended one or more of the design team meetings, including the following people not listed elsewhere:¶
Further useful comments were received from Daniele Ceccarelli, Uma Chunduri, Pavan Beeram, Tarek Saad, Med Boucadair, Kenichi Okagi, Oscar Gonzalez de Dios, and Xiaobing Niu.¶
This work is partially supported by the European Commission under Horizon 2020 grant agreement number 101015857 Secured autonomic traffic management for a Tera of SDN flows (Teraflow).¶
The following authors contributed significantly to this document:¶
Jari Arkko Ericsson Email: jari.arkko@piuha.net Dhruv Dhody Huawei, India Email: dhruv.ietf@gmail.com Jie Dong Huawei Email: jie.dong@huawei.com Xufeng Liu Volta Networks Email: xufeng.liu.ietf@gmail.com¶