idnits 2.17.00 (12 Aug 2021) /tmp/idnits5198/draft-ietf-teas-ietf-network-slices-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- -- The document date (2 March 2022) is 80 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'EP1' is mentioned on line 1174, but not defined == Missing Reference: 'EP2' is mentioned on line 1174, but not defined == Missing Reference: 'EPm' is mentioned on line 1178, but not defined == Missing Reference: 'EPn' is mentioned on line 1178, but not defined == Outdated reference: A later version (-10) exists of draft-ietf-teas-enhanced-vpn-09 Summary: 0 errors (**), 0 flaws (~~), 5 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group A. Farrel, Ed. 3 Internet-Draft Old Dog Consulting 4 Intended status: Informational E. Gray 5 Expires: 3 September 2022 Independent 6 J. Drake, Ed. 7 Juniper Networks 8 R. Rokui 9 Ciena 10 S. Homma 11 NTT 12 K. Makhijani 13 Futurewei 14 LM. Contreras 15 Telefonica 16 J. Tantsura 17 Microsoft 18 2 March 2022 20 Framework for IETF Network Slices 21 draft-ietf-teas-ietf-network-slices-06 23 Abstract 25 This document describes network slicing in the context of networks 26 built from IETF technologies. It defines the term "IETF Network 27 Slice" and establishes the general principles of network slicing in 28 the IETF context. 30 The document discusses the general framework for requesting and 31 operating IETF Network Slices, the characteristics of an IETF Network 32 Slice, the necessary system components and interfaces, and how 33 abstract requests can be mapped to more specific technologies. The 34 document also discusses related considerations with monitoring and 35 security. 37 This document also provides definitions of related terms to enable 38 consistent usage in other IETF documents that describe or use aspects 39 of IETF Network Slices. 41 Status of This Memo 43 This Internet-Draft is submitted in full conformance with the 44 provisions of BCP 78 and BCP 79. 46 Internet-Drafts are working documents of the Internet Engineering 47 Task Force (IETF). Note that other groups may also distribute 48 working documents as Internet-Drafts. The list of current Internet- 49 Drafts is at https://datatracker.ietf.org/drafts/current/. 51 Internet-Drafts are draft documents valid for a maximum of six months 52 and may be updated, replaced, or obsoleted by other documents at any 53 time. It is inappropriate to use Internet-Drafts as reference 54 material or to cite them other than as "work in progress." 56 This Internet-Draft will expire on 3 September 2022. 58 Copyright Notice 60 Copyright (c) 2022 IETF Trust and the persons identified as the 61 document authors. All rights reserved. 63 This document is subject to BCP 78 and the IETF Trust's Legal 64 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 65 license-info) in effect on the date of publication of this document. 66 Please review these documents carefully, as they describe your rights 67 and restrictions with respect to this document. Code Components 68 extracted from this document must include Revised BSD License text as 69 described in Section 4.e of the Trust Legal Provisions and are 70 provided without warranty as described in the Revised BSD License. 72 Table of Contents 74 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 75 1.1. Background . . . . . . . . . . . . . . . . . . . . . . . 4 76 2. Terms and Abbreviations . . . . . . . . . . . . . . . . . . . 5 77 2.1. Core Terminology . . . . . . . . . . . . . . . . . . . . 6 78 3. IETF Network Slice Objectives . . . . . . . . . . . . . . . . 7 79 3.1. Definition and Scope of IETF Network Slice . . . . . . . 7 80 3.2. IETF Network Slice Service . . . . . . . . . . . . . . . 8 81 3.2.1. Ancillary SDPs . . . . . . . . . . . . . . . . . . . 10 82 4. IETF Network Slice System Characteristics . . . . . . . . . . 11 83 4.1. Objectives for IETF Network Slices . . . . . . . . . . . 11 84 4.1.1. Service Level Objectives . . . . . . . . . . . . . . 12 85 4.1.2. Service Level Expectations . . . . . . . . . . . . . 13 86 4.2. IETF Network Slice Service Demarcation Points . . . . . . 15 87 4.3. IETF Network Slice Decomposition . . . . . . . . . . . . 18 88 5. Framework . . . . . . . . . . . . . . . . . . . . . . . . . . 18 89 5.1. IETF Network Slice Stakeholders . . . . . . . . . . . . . 19 90 5.2. Expressing Connectivity Intents . . . . . . . . . . . . . 19 91 5.3. IETF Network Slice Controller (NSC) . . . . . . . . . . . 21 92 5.3.1. IETF Network Slice Controller Interfaces . . . . . . 23 93 5.3.2. Management Architecture . . . . . . . . . . . . . . . 25 95 5.4. IETF Network Slice Structure . . . . . . . . . . . . . . 25 96 6. Realizing IETF Network Slices . . . . . . . . . . . . . . . . 27 97 6.1. Architecture to Realize IETF Network Slices . . . . . . . 27 98 6.2. Procedures to Realize IETF Network Slices . . . . . . . . 30 99 6.3. Applicability of ACTN to IETF Network Slices . . . . . . 31 100 6.4. Applicability of Enhanced VPNs to IETF Network Slices . . 31 101 6.5. Network Slicing and Aggregation in IP/MPLS Networks . . . 32 102 7. Isolation in IETF Network Slices . . . . . . . . . . . . . . 32 103 7.1. Isolation as a Service Requirement . . . . . . . . . . . 32 104 7.2. Isolation in IETF Network Slice Realization . . . . . . . 33 105 8. Management Considerations . . . . . . . . . . . . . . . . . . 33 106 9. Security Considerations . . . . . . . . . . . . . . . . . . . 33 107 10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 34 108 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35 109 12. Informative References . . . . . . . . . . . . . . . . . . . 35 110 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 38 111 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 39 112 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39 114 1. Introduction 116 A number of use cases benefit from network connections that along 117 with the connectivity provide assurance of meeting a specific set of 118 objectives with respect to network resources use. This connectivity 119 and resource commitment is referred to as a network slice. Since the 120 term network slice is rather generic, the qualifying term "IETF" is 121 used in this document to limit the scope of network slice to network 122 technologies described and standardized by the IETF. This document 123 defines the concept of IETF Network Slices that provide connectivity 124 coupled with a set of specific commitments of network resources 125 between a number of endpoints (known as Service Demarcation Points 126 (SDPs) - see Section 2.1) over a shared underlay network. Services 127 that might benefit from IETF Network Slices include, but are not 128 limited to: 130 * 5G services (e.g. eMBB, URLLC, mMTC)(See [TS23501]) 132 * Network wholesale services 134 * Network infrastructure sharing among operators 136 * NFV connectivity and Data Center Interconnect 138 IETF Network Slices are created and managed within the scope of one 139 or more network technologies (e.g., IP, MPLS, optical). They are 140 intended to enable a diverse set of applications that have different 141 requirements to coexist on the shared underlay network. A request 142 for an IETF Network Slice is agnostic to the technology in the 143 underlying network so as to allow a customer to describe their 144 network connectivity objectives in a common format, independent of 145 the underlying technologies used. 147 This document also provides a framework for discussing IETF Network 148 Slices. This framework is intended as a structure for discussing 149 interfaces and technologies. It is not intended to specify a new set 150 of concrete interfaces or technologies. Rather, the idea is that 151 existing or under-development IETF technologies (plural) can be used 152 to realize the concepts expressed herein. 154 For example, virtual private networks (VPNs) have served the industry 155 well as a means of providing different groups of users with logically 156 isolated access to a common network. The common or base network that 157 is used to support the VPNs is often referred to as an underlay 158 network, and the VPN is often called an overlay network. An overlay 159 network may, in turn, serve as an underlay network to support another 160 overlay network. 162 Note that it is conceivable that extensions to these IETF 163 technologies are needed in order to fully support all the ideas that 164 can be implemented with slices. Evaluation of existing technologies, 165 proposed extensions to existing protocols and interfaces, and the 166 creation of new protocols or interfaces is outside the scope of this 167 document. 169 1.1. Background 171 Driven largely by needs surfacing from 5G, the concept of network 172 slicing has gained traction ([NGMN-NS-Concept], [TS23501], [TS28530], 173 and [BBF-SD406]). In [TS23501], a Network Slice is defined as "a 174 logical network that provides specific network capabilities and 175 network characteristics", and a Network Slice Instance is defined as 176 "A set of Network Function instances and the required resources (e.g. 177 compute, storage and networking resources) which form a deployed 178 Network Slice." According to [TS28530], an end-to-end network slice 179 consists of three major types of network segments: Radio Access 180 Network (RAN), Transport Network (TN) and Core Network (CN). An IETF 181 Network Slice provides the required connectivity between different 182 entities in RAN and CN segments of an end-to-end network slice, with 183 a specific performance commitment. For each end-to-end network 184 slice, the topology and performance requirement on a customer's use 185 of IETF Network Slice can be very different, which requires the 186 underlay network to have the capability of supporting multiple 187 different IETF Network Slices. 189 While network slices are commonly discussed in the context of 5G, it 190 is important to note that IETF Network Slices are a narrower concept, 191 and focus primarily on particular network connectivity aspects. 192 Other systems, including 5G deployments, may use IETF Network Slices 193 as a component to create entire systems and concatenated constructs 194 that match their needs, including end-to-end connectivity. 196 A IETF Network Slice could span multiple technologies and multiple 197 administrative domains. Depending on the IETF Network Slice 198 customer's requirements, an IETF Network Slice could be isolated from 199 other, often concurrent IETF Network Slices in terms of data, control 200 and management planes. 202 The customer expresses requirements for a particular IETF Network 203 Slice by specifying what is required rather than how the requirement 204 is to be fulfilled. That is, the IETF Network Slice customer's view 205 of an IETF Network Slice is an abstract one. 207 Thus, there is a need to create logical network structures with 208 required characteristics. The customer of such a logical network can 209 require a degree of isolation and performance that previously might 210 not have been satisfied by traditional overlay VPNs. Additionally, 211 the IETF Network Slice customer might ask for some level of control 212 of their virtual networks, e.g., to customize the service paths in a 213 network slice. 215 This document specifies definitions and a framework for the provision 216 of an IETF Network Slice service. Section 6 briefly indicates some 217 candidate technologies for realizing IETF Network Slices. 219 2. Terms and Abbreviations 221 The following abbreviations are used in this document. 223 * NSC: Network Slice Controller 225 * SLA: Service Level Agreement 227 * SLI: Service Level Indicator 229 * SLO: Service Level Objective 231 The meaning of these abbreviations is defined in greater details in 232 the remainder of this document. 234 2.1. Core Terminology 236 The following terms are presented here to give context. Other 237 terminology is defined in the remainder of this document. 239 Customer: A customer is the requester of an IETF Network Slice 240 service. Customers may request monitoring of SLOs. A customer 241 may be an entity such as an enterprise network or a network 242 operator, an individual working at such an entity, a private 243 individual contracting for a service, or an application or 244 software component. A customer may be an external party 245 (classically a paying customer) or a division of a network 246 operator that uses the service provided by another division of the 247 same operator. Other terms that have been applied to the customer 248 role are "client" and "consumer". 250 Provider: A provider is the organization that delivers an IETF 251 Network Slice service. A provider is the network operator that 252 controls the network resources used to construct the network slice 253 (that is, the network that is sliced). The provider's network 254 maybe a physical network or may be a virtual network supplied by 255 another service provider. 257 Customer Edge (CE): The customer device that provides connectivity 258 to a service provider. Examples include routers, Ethernet 259 switches, firewalls, 4G/5G RAN or Core nodes, application 260 accelerators, server load balancers, HTTP header enrichment 261 functions, and PEPs (Performance Enhancing Proxy). In some 262 circumstances CEs are provided to the customer and managed by the 263 provider. 265 Provider Edge: The device within the provider network to which a CE 266 is attached. A CE may be attached to multiple PEs, and multiple 267 CEs may be attached to a given PE. 269 Attachment Circuit (AC): A channel connecting a CE and a PE over 270 which packets are exchanged. The customer and provider agree 271 (through configuration) on which values in which combination of 272 layer 2 and layer 3 fields within a packet identify to which {IETF 273 Network Slice service, connectivity construct, and SLOs/SLEs} that 274 packet is assigned. The customer and provider may agree on a per 275 {IETF Network Slice service, connectivity construct, and SLOs/ 276 SLEs} basis to police or shape traffic in both the ingress (CE to 277 PE) direction and egress (PE to CE) direction: this ensures that 278 the traffic is within the capacity profile that is agreed in an 279 IETF Network Slice service. Excess traffic is dropped by default, 280 unless specific out-of-profile policies are agreed between the 281 customer and the provider. As described in Section 4.2 the AC may 282 be part of the IETF Network Slice service or may be external to 283 it. 285 Service Demarcation Point (SDP): The point at which an IETF Network 286 Slice service is delivered by a service provider to a customer. 287 Depending on the service delivery model (see Section 4.2 this may 288 be a CE or a PE, and could be a device, a software component, or 289 in the case of network functions virtualization (for example), be 290 an abstract function supported within the provider's network. 291 Each SDP must have a unique identifier (e.g., an IP address or MAC 292 address) within a given IETF Network Slice Service and may use the 293 same identifier in multiple IETF Network Slice Services. 295 3. IETF Network Slice Objectives 297 It is intended that IETF Network Slices can be created to meet 298 specific requirements, typically expressed as bandwidth, latency, 299 latency variation, and other desired or required characteristics. 300 Creation is initiated by a management system or other application 301 used to specify network-related conditions for particular traffic 302 flows. 304 It is also intended that, once created, these slices can be 305 monitored, modified, deleted, and otherwise managed. 307 It is also intended that applications and components will be able to 308 use these IETF Network Slices to move packets between the specified 309 end-points of the service in accordance with specified 310 characteristics. 312 3.1. Definition and Scope of IETF Network Slice 314 An IETF Network Slice Service enables connectivity between a set of 315 Service Demarcation Points (SDPs) with specific Service Level 316 Objectives (SLOs) and Service Level Expectations (SLEs) over a common 317 underlay network. 319 An IETF Network Slice combines the connectivity resource requirements 320 and associated network behaviors such as bandwidth, latency, jitter, 321 and network functions with other resource behaviors such as compute 322 and storage availability. The definition of an IETF Network Slice 323 Service is independent of the connectivity and technologies used in 324 the underlay network. This allows an IETF Network Slice Service 325 customer to describe their network connectivity and relevant 326 objectives in a common format, independent of the underlying 327 technologies used. 329 IETF Network Slices may be combined hierarchically, so that a network 330 slice may itself be sliced. They may also be combined sequentially 331 so that various different networks can each be sliced and the network 332 slices placed into a sequence to provide an end-to-end service. This 333 form of sequential combination is utilized in some services such as 334 in 3GPP's 5G network [TS23501]. 336 An IETF Network Slice Service is agnostic to the technology of the 337 underlying network, and its realization may be selected based upon 338 multiple considerations including its service requirements and the 339 capabilities of the underlay network. 341 The term "Slice" refers to a set of characteristics and behaviours 342 that separate one type of user-traffic from another. An IETF Network 343 Slice assumes that an underlay network is capable of changing the 344 configurations of the network devices on demand, through in-band 345 signaling or via controller(s) and fulfilling all or some of SLOs/ 346 SLEs to all of the traffic in the slice or to specific flows. 348 3.2. IETF Network Slice Service 350 A service provider instantiates an IETF Network Slice service for a 351 customer. The IETF Network Slice service is specified in terms of a 352 set of SDPs, a set of one or more connectivity constructs (point-to- 353 point (P2P) both unidirectional and bidirectional, point-to- 354 multipoint (P2MP), multipoint-to-point (MP2P), multipoint-to- 355 multipoint (MP2MP), or any-to-any (A2A)) between subsets of these 356 SDPs, and a set of SLOs and SLEs for each SDP sending to each 357 connectivity construct. That is, in a given IETF Network Slice 358 service there may be one or more connectivity constructs of the same 359 or different type, each connectivity construct may be between a 360 different subset of SDPs, and for a given connectivity construct each 361 sending SDP has its own set of SLOs and SLEs, and the SLOs and SLEs 362 in each set may be different. Note that it is a service provider's 363 prerogative to decide how many connectivity constructs per IETF 364 Network Slice Service it wishes to offer. 366 This approach results in the following possible connectivity 367 constructs: 369 * For a P2P connectivity construct, there is one sending SDP and one 370 receiving SDP. This construct is like a private wire or a tunnel. 371 All traffic injected at the sending SDP is intended to be received 372 by the receiving SDP. The SLOs and SLEs apply at the sender (and 373 implicitly at the receiver). 375 * A bidirectional P2P connectivity construct may also be defined, 376 with two SDPs each of which may send to the other. There are two 377 sets of SLOs and SLEs which may be different and each of which 378 applies to one of the SDPs as a sender. 380 * For a P2MP connectivity construct, there is only one sending SDP 381 and more than one receiving SDP. This is like a P2MP tunnel or 382 multi-access VLAN segment. All traffic from the sending SDP is 383 intended to be received by all the receiving SDPs. There is one 384 set of SLOs and SLEs that apply at the sending SDP (and implicitly 385 at all receiving SDPs). 387 * An MP2P connectivity construct has N SDPs: there is one receiving 388 SDP and (N - 1) sending SDPs. This is like a set of P2P 389 connections all with a common receiver. All traffic injected at 390 any sending SDP is received by the single receiving SDP. Each 391 sending SDP has its own set of SLOs and SLEs, and they may all be 392 different (the combination of those SLOs and SLEs gives the 393 implicit SLOs and SLEs for the receiving SDP - that is, the 394 receiving SDP is expected to receive all traffic from all 395 senders). 397 * In an MP2MP connectivity construct each of the N SDPs can be a 398 sending SDP such that its traffic is delivered to all of the other 399 SDPs. Each sending SDP has its own set of SLOs and SLEs and they 400 may all be different. The combination of those SLOs/SLEs gives 401 the implicit SLOs/SLEs for each/all of the receiving SDPs since 402 each receiving SDP is expect to receive all traffic from all/any 403 sender. 405 * With an A2A construct, any sending SDP may send to any one 406 receiving SDP or any set of receiving SDPs. There is an implicit 407 level of routing in this connectivity construct that is not 408 present in the other connectivity constructs as the construct must 409 determine to which receiving SDPs to deliver each packet. The 410 SLOs/SLEs apply to individual sending SDPs and individual 411 receiving SDPs, but there is no implicit linkage and a sending SDP 412 may be "disappointed" if the receiver is over-subscribed. 414 If an SDP has multiple attachment circuits to a given IETF Network 415 Slice Service and they are operating in single-active mode, then all 416 traffic between the SDP and its attached PEs transits a single 417 attachment circuit; if they are operating in in all-active mode, then 418 traffic between the SDP and its attached PEs is distributed across 419 all of the active attachment circuits. 421 A given sending SDP may be part of multiple connectivity constructs 422 within a single IETF Network Slice service, and the SDP may have 423 different SLOs and SLEs for each connectivity construct to which it 424 is sending. Note that a given sending SDP's SLOs and SLEs for a 425 given connectivity construct apply between it and each of the 426 receiving SDPs for that connectivity construct. 428 An IETF Network Slice service provider may freely make a deployment 429 choice as to whether to offer a 1:1 relationship between IETF Network 430 Slice service and connectivity construct, or to support multiple 431 connectivity constructs in a single IETF Network Slice service. In 432 the former case, the provider might need to deliver multiple IETF 433 Network Slice services to achieve the function of the second case. 435 It should be noted that per Section 9 of [RFC4364] an IETF Network 436 Slice service customer may actually provide IETF Network Slice 437 services to other customers in a mode sometimes referred to as 438 "carrier's carrier". In this case, the underlying IETF Network Slice 439 service provider may be owned and operated by the same or a different 440 provider network. As noted in Section 3.1, network slices may be 441 composed hierarchically or serially. 443 Section 4.2 provides a description of endpoints in the context of 444 IETF network slicing. These are known as Service Demarcation Points 445 (SDPs). For a given IETF Network Slice service, the customer and 446 provider agree, on a per-SDP basis which end of the attachment 447 circuit provides the service demarcation point (i.e., whether the 448 attachment circuit is inside or outside the IETF Network Slice 449 service). This determines whether the attachment circuit is subject 450 to the set of SLOs and SLEs at the specific SDP. 452 3.2.1. Ancillary SDPs 454 It may be the case that the set of SDPs needs to be supplemented with 455 additional senders or receivers. An additional sender could be, for 456 example, an IPTV or DNS server either within the provider's network 457 or attached to it, while an extra receiver could be, for example, a 458 node reachable via the Internet. This will be modelled as a set of 459 ancillary SDPs which supplement the other SDPs in one or more 460 connectivity constructs, or which have their own connectivity 461 constructs. Note that an ancillary SDP can either have a resolvable 462 address, e.g., an IP address or MAC address, or it may be a 463 placeholder, e.g., IPTV or DNS server, which is resolved within the 464 provider's network when the IETF Network Slice service is 465 instantiated. 467 4. IETF Network Slice System Characteristics 469 The following subsections describe the characteristics of IETF 470 Network Slices. 472 4.1. Objectives for IETF Network Slices 474 An IETF Network Slice service is defined in terms of quantifiable 475 characteristics known as Service Level Objectives (SLOs) and 476 unquantifiable characteristics known as Service Level Expectations 477 (SLEs). SLOs are expressed in terms Service Level Indicators (SLIs), 478 and together with the SLEs form the contractual agreement between 479 service customer and service provider known as a Service Level 480 Agreement (SLA). 482 The terms are defined as follows: 484 * A Service Level Indicator (SLI) is a quantifiable measure of an 485 aspect of the performance of a network. For example, it may be a 486 measure of throughput in bits per second, or it may be a measure 487 of latency in milliseconds. 489 * A Service Level Objective (SLO) is a target value or range for the 490 measurements returned by observation of an SLI. For example, an 491 SLO may be expressed as "SLI <= target", or "lower bound <= SLI <= 492 upper bound". A customer can determine whether the provider is 493 meeting the SLOs by performing measurements on the traffic. 495 * A Service Level Expectation (SLE) is an expression of an 496 unmeasurable service-related request that a customer of an IETF 497 Network Slice makes of the provider. An SLE is distinct from an 498 SLO because the customer may have little or no way of determining 499 whether the SLE is being met, but they still contract with the 500 provider for a service that meets the expectation. 502 * A Service Level Agreement (SLA) is an explicit or implicit 503 contract between the customer of an IETF Network Slice service and 504 the provider of the slice. The SLA is expressed in terms of a set 505 of SLOs and SLEs that are to be applied for a given connectivity 506 construct between a sending SDP and the set of receiving SDPs, and 507 may include commercial terms as well as any consequences for 508 violating these SLOs and SLEs. 510 4.1.1. Service Level Objectives 512 SLOs define a set of measurable network attributes and 513 characteristics that describe an IETF Network Slice Service. SLOs do 514 not describe how an IETF Network Slice Service is realized in the 515 underlay network. Instead, they define the dimensions of operation 516 (time, capacity, etc.), availability, and other attributes. An SLO 517 is applied to a given connectivity construct between a sending SDP 518 and the set of receiving SDPs. 520 An IETF Network Slice service may include multiple connection 521 constructs that associate sets of endpoints (SDPs). SLOs apply to 522 sets of two or more SDPs and apply to specific directions of traffic 523 flow. That is, they apply to a specific source SDP and the 524 connection to specific destination SDPs. 526 The SLOs are combined with Service Level Expectations in an SLA. 528 4.1.1.1. Some Common SLOs 530 SLOs can be described as 'Directly Measurable Objectives': they are 531 always measurable. See Section 4.1.2 for the description of Service 532 Level Expectations which are unmeasurable service-related requests 533 sometimes known as 'Indirectly Measurable Objectives'. 535 Objectives such as guaranteed minimum bandwidth, guaranteed maximum 536 latency, maximum permissible delay variation, maximum permissible 537 packet loss rate, and availability are 'Directly Measurable 538 Objectives'. Future specifications (such as IETF Network Slice 539 service YANG models) may precisely define these SLOs, and other SLOs 540 may be introduced as described in Section 4.1.1.2. 542 The definition of these objectives are as follows: 544 Guaranteed Minimum Bandwidth 546 Minimum guaranteed bandwidth between two endpoints at any time. 547 The bandwidth is measured in data rate units of bits per second 548 and is measured unidirectionally. 550 Guaranteed Maximum Latency 552 Upper bound of network latency when transmitting between two 553 endpoints. The latency is measured in terms of network 554 characteristics (excluding application-level latency). 555 [RFC2681] and [RFC7679] discuss round trip times and one-way 556 metrics, respectively. 558 Maximum Permissible Delay Variation 560 Packet delay variation (PDV) as defined by [RFC3393], is the 561 difference in the one-way delay between sequential packets in a 562 flow. This SLO sets a maximum value PDV for packets between 563 two endpoints. 565 Maximum Permissible Packet Loss Rate 567 The ratio of packets dropped to packets transmitted between two 568 endpoints over a period of time. See [RFC7680]. 570 Availability 572 The ratio of uptime to the sum of uptime and downtime, where 573 uptime is the time the IETF Network Slice is available in 574 accordance with the SLOs associated with it. 576 4.1.1.2. Other Service Level Objectives 578 Additional SLOs may be defined to provide additional description of 579 the IETF Network Slice service that a customer requests. These would 580 be specified in further documents. 582 If the IETF Network Slice service is traffic aware, other traffic 583 specific characteristics may be valuable including MTU, traffic-type 584 (e.g., IPv4, IPv6, Ethernet or unstructured), or a higher-level 585 behavior to process traffic according to user-application (which may 586 be realized using network functions). 588 4.1.2. Service Level Expectations 590 SLEs define a set of network attributes and characteristics that 591 describe an IETF Network Slice service, but which are not directly 592 measurable by the customer. Even though the delivery of an SLE 593 cannot usually be determined by the customer, the SLEs form an 594 important part of the contract between customer and provider. 596 Quite often, an SLE will imply some details of how an IETF Network 597 Slice service is realized by the provider, although most aspects of 598 the implementation in the underlying network layers remain a free 599 choice for the provider. 601 SLEs may be seen as aspirational on the part of the customer, and 602 they are expressed as behaviors that the provider is expected to 603 apply to the network resources used to deliver the IETF Network Slice 604 service. An IETF Network Slice service can have one or more SLEs 605 associated with it. The SLEs are combined with SLOs in an SLA. 607 An IETF Network Slice service may include multiple connection 608 constructs that associate sets of endpoints (SDPs). SLEs apply to 609 sets of two or more SDPs and apply to specific directions of traffic 610 flow. That is, they apply to a specific source and the connection to 611 specific destinations. However, being more general in nature, SLEs 612 may commonly be applied to all connection constructs in an IETF 613 Network Slice service. 615 4.1.2.1. Some Common SLEs 617 SLEs can be described as 'Indirectly Measurable Objectives': they are 618 not generally directly measurable by the customer. 620 Security, geographic restrictions, maximum occupancy level, and 621 isolation are example SLEs as follows. 623 Security 625 A customer may request that the provider applies encryption or 626 other security techniques to traffic flowing between SDPs of an 627 IETF Network Slice service. For example, the customer could 628 request that only network links that have MACsec [MACsec] 629 enabled are used to realize the IETF Network Slice service. 631 This SLE may include the request for encryption (e.g., 632 [RFC4303]) between the two SDPs explicitly to meet architecture 633 recommendations as in [TS33.210] or for compliance with [HIPAA] 634 or [PCI]. 636 Whether or not the provider has met this SLE is generally not 637 directly observable by the customer and cannot be measured as a 638 quantifiable metric. 640 Please see further discussion on security in Section 9. 642 Geographic Restrictions 644 A customer may request that certain geographic limits are 645 applied to how the provider routes traffic for the IETF Network 646 Slice service. For example, the customer may have a preference 647 that its traffic does not pass through a particular country for 648 political or security reasons. 650 Whether or not the provider has met this SLE is generally not 651 directly observable by the customer and cannot be measured as a 652 quantifiable metric. 654 Maximal Occupancy Level 655 The maximal occupancy level specifies the number of flows to be 656 admitted and optionally a maximum number of countable resource 657 units (e.g., IP or MAC addresses) an IETF Network Slice service 658 can consume. Since an IETF Network Slice service may include 659 multiple connection constructs, this SLE should also say 660 whether it applies for the entire IETF Network Service slice, 661 for group of connections, or on a per connection basis. 663 Again, a customer may not be able to fully determine whether 664 this SLE is being met by the provider. 666 Isolation 668 As described in Section 7, a customer may request that its 669 traffic within its IETF Network Slice service is isolated from 670 the effects of other network services supported by the same 671 provider. That is, if another service exceeds capacity or has 672 a burst of traffic, the customer's IETF Network Slice service 673 should remain unaffected and there should be no noticeable 674 change to the quality of traffic delivered. 676 In general, a customer cannot tell whether a service provider 677 is meeting this SLE. They cannot tell whether the variation of 678 an SLI is because of changes in the underlying network or 679 because of interference from other services carried by the 680 network. And if the service varies within the allowed bounds 681 of the SLOs, there may be no noticeable indication that this 682 SLE has been violated. 684 Diversity 686 A customer may request that traffic on the connection between 687 one set of SDPs should use different network resources from the 688 traffic between another set of SDPs. This might be done to 689 enhance the availability of the IETF Network Slice service. 691 While availability is a measurable objective (see 692 Section 4.1.1.1) this SLE requests a finer grade of control and 693 is not directly measurable (although the customer might become 694 suspicious if two connections fail at the same time). 696 4.2. IETF Network Slice Service Demarcation Points 698 As noted in Section 3.1, an IETF Network Slice is a logical network 699 topology connecting a number of endpoints. Section 3.2 goes on to 700 describe how the IETF Network Slice service is composed of a set of 701 one or more connectivity constructs that describe connectivity 702 between the service demarcation points across the underlying network. 704 The characteristics of IETF Network Slice Service Demarcation Points 705 (SDPs) are as follows: 707 * SDPs are conceptual points of connection to an IETF Network Slice. 708 As such, they serve as the IETF Network Slice ingress/ egress 709 points. 711 * Each SDP maps to a device, application, or a network function, 712 such as (but not limited to) routers, switches, firewalls, WAN, 713 4G/5G RAN nodes, 4G/5G Core nodes, application accelerators, Deep 714 Packet Inspection (DPI) engines, server load balancers, NAT44 715 [RFC3022], NAT64 [RFC6146], HTTP header enrichment functions, and 716 TCP optimizers. 718 * An SDP is identified by a unique identifier in the context of an 719 IETF Network Slice customer. 721 * Each SDP is associated with a set of provider-scope identifiers 722 such as IP addresses, encapsulation-specific identifiers (e.g., 723 VLAN tag, MPLS Label), interface/port numbers, node ID, etc. 725 * SDPs are mapped to endpoints of services/tunnels/paths within the 726 IETF Network Slice during its initialization and realization. 728 - A combination of the SDP identifier and SDP network-scope 729 identifiers define an SDP in the context of the Network Slice 730 Controller (NSC). 732 - The NSC will use the SDP network-scope identifiers as part of 733 the process of realizing the IETF Network Slice. 735 For a given IETF Network Slice service, the IETF Network Slice 736 customer and provider agree where the endpoint (i.e., the service 737 demarcation point) is located. This determines what resources at the 738 edge of the network form part of the IETF Network Slice and are 739 subject to the set of SLOs and SLEs for a specific endpoint. 741 Figure 1 shows different potential scopes of an IETF Network Slice 742 that are consistent with the different SDP positions. For the 743 purpose of example and without loss of generality, the figure shows 744 customer edge (CE) and provider edge (PE) nodes connected by 745 attachment circuits (ACs). Notes after the figure give some 746 explanations. 748 |<---------------------- (1) ---------------------->| 749 | | 750 | |<-------------------- (2) -------------------->| | 751 | | | | 752 | | |<----------- (3) ----------->| | | 753 | | | | | | 754 | | | |<-------- (4) -------->| | | | 755 | | | | | | | | 756 V V AC V V V V AC V V 757 +-----+ | +-----+ +-----+ | +-----+ 758 | |--------| | | |--------| | 759 | CE1 | | | PE1 |. . . . . . . . .| PE2 | | | CE2 | 760 | |--------| | | |--------| | 761 +-----+ | +-----+ +-----+ | +-----+ 762 ^ ^ ^ ^ 763 | | | | 764 | | | | 765 Customer Provider Provider Customer 766 Edge 1 Edge 1 Edge 2 Edge 2 768 Figure 1: Positioning IETF Service Demarcation Points 770 Explanatory notes for Figure 1 are as follows: 772 1. If the CE is operated by the IETF Network Slice service provider, 773 then the edge of the IETF Network Slice may be within the CE. In 774 this case the slicing process may utilize resources from within 775 the CE such as buffers and queues on the outgoing interfaces. 777 2. The IETF Network Slice may be extended as far as the CE, to 778 include the AC, but not to include any part of the CE. In this 779 case, the CE may be operated by the customer or the provider. 780 Slicing the resources on the AC may require the use of traffic 781 tagging (such as through Ethernet VLAN tags) or may require 782 traffic policing at the AC link ends. 784 3. In another model, the SDPs of the IETF Network Slice are the 785 customer-facing ports on the PEs. This case can be managed in a 786 way that is similar to a port-based VPN: each port (AC) or 787 virtual port (e.g., VLAN tag) identifies the IETF Network Slice 788 and maps to an IETF Network Slice SDP. 790 4. Finally, the SDP may be within the PE. In this mode, the PE 791 classifies the traffic coming from the AC according to 792 information (such as the source and destination IP addresses, 793 payload protocol and port numbers, etc.) in order to place it 794 onto an IETF Network Slice. 796 The choice of which of these options to apply is entirely up to the 797 network operator. It may limit or enable the provisioning of 798 particular managed services and the operator will want to consider 799 how they want to manage CEs and what control they wish to offer the 800 customer over AC resources. 802 Note that Figure 1 shows a symmetrical positioning of SDP, but this 803 decision can be taken on a per-SDP basis through agreement between 804 the customer and provider. 806 In practice, it may be necessary to map traffic not only onto an IETF 807 Network Slice, but also onto a specific connectivity construct if the 808 IETF Network Slice supports more than one connectivity construct with 809 a source at the specific SDP. The mechanism used will be one of the 810 mechanisms described above, dependent on how the SDP is realized. 812 Finally, note (as described in Section 2.1) that an SDP is an 813 abstract endpoint of an IETF Network Slice Service and as such may be 814 a device or software component and may, in the case of netork 815 functions virtualization (for example), be an abstract function 816 supported within the provider's network. 818 4.3. IETF Network Slice Decomposition 820 Operationally, an IETF Network Slice may be composed of two or more 821 IETF Network Slices as specified below. Decomposed network slices 822 are independently realized and managed. 824 * Hierarchical (i.e., recursive) composition: An IETF Network Slice 825 can be further sliced into other network slices. Recursive 826 composition allows an IETF Network Slice at one layer to be used 827 by the other layers. This type of multi-layer vertical IETF 828 Network Slice associates resources at different layers. 830 * Sequential composition: Different IETF Network Slices can be 831 placed into a sequence to provide an end-to-end service. In 832 sequential composition, each IETF Network Slice would potentially 833 support different dataplanes that need to be stitched together. 835 5. Framework 837 A number of IETF Network Slice services will typically be provided 838 over a shared underlying network infrastructure. Each IETF Network 839 Slice consists of both the overlay connectivity and a specific set of 840 dedicated network resources and/or functions allocated in a shared 841 underlay network to satisfy the needs of the IETF Network Slice 842 customer. In at least some examples of underlying network 843 technologies, the integration between the overlay and various 844 underlay resources is needed to ensure the guaranteed performance 845 requested for different IETF Network Slices. 847 5.1. IETF Network Slice Stakeholders 849 An IETF Network Slice and its realization involves the following 850 stakeholders and it is relevant to define them for consistent 851 terminology. The IETF Network Slice customer and IETF Network Slice 852 provider (see Section 2.1) are also stakeholders. 854 Orchestrator: An orchestrator is an entity that composes different 855 services, resource and network requirements. It interfaces with 856 the IETF NSC. 858 IETF Network Slice Controller (NSC): It realizes an IETF Network 859 Slice in the underlying network, maintains and monitors the run- 860 time state of resources and topologies associated with it. A 861 well-defined interface is needed between different types of IETF 862 NSCs and different types of orchestrators. An IETF Network Slice 863 operator (or slice operator for short) manages one or more IETF 864 Network Slices using the IETF NSCs. 866 Network Controller: is a form of network infrastructure controller 867 that offers network resources to the NSC to realize a particular 868 network slice. These may be existing network controllers 869 associated with one or more specific technologies that may be 870 adapted to the function of realizing IETF Network Slices in a 871 network. 873 5.2. Expressing Connectivity Intents 875 An IETF Network Slice customer communicates with the NSC using the 876 IETF Network Slice Service Interface. 878 An IETF Network Slice customer may be a network operator who, in 879 turn, provides the IETF Network Slice to another IETF Network Slice 880 customer. 882 Using the IETF Network Slice Service Interface, a customer expresses 883 requirements for a particular slice by specifying what is required 884 rather than how that is to be achieved. That is, the customer's view 885 of a slice is an abstract one. Customers normally have limited (or 886 no) visibility into the provider network's actual topology and 887 resource availability information. 889 This should be true even if both the customer and provider are 890 associated with a single administrative domain, in order to reduce 891 the potential for adverse interactions between IETF Network Slice 892 customers and other users of the underlay network infrastructure. 894 The benefits of this model can include: 896 * Security: because the underlay network (or network operator) does 897 not need to expose network details (topology, capacity, etc.) to 898 IETF Network Slice customers the underlay network components are 899 less exposed to attack; 901 * Layered Implementation: the underlay network comprises network 902 elements that belong to a different layer network than customer 903 applications, and network information (advertisements, protocols, 904 etc.) that a customer cannot interpret or respond to (note - a 905 customer should not use network information not exposed via the 906 IETF Network Slice Service Interface, even if that information is 907 available); 909 * Scalability: customers do not need to know any information beyond 910 that which is exposed via the IETF Network Slice Service 911 Interface. 913 The general issues of abstraction in a TE network is described more 914 fully in [RFC7926]. 916 This framework document does not assume any particular layer at which 917 IETF Network Slices operate as a number of layers (including virtual 918 L2, Ethernet or IP connectivity) could be employed. 920 Data models and interfaces are of course needed to set up IETF 921 Network Slices, and specific interfaces may have capabilities that 922 allow creation of specific layers. 924 Layered virtual connections are comprehensively discussed in IETF 925 documents and are widely supported. See, for instance, GMPLS-based 926 networks [RFC5212] and [RFC4397], or Abstraction and Control of TE 927 Networks (ACTN) [RFC8453] and [RFC8454]. The principles and 928 mechanisms associated with layered networking are applicable to IETF 929 Network Slices. 931 There are several IETF-defined mechanisms for expressing the need for 932 a desired logical network. The IETF Network Slice Service Interface 933 carries data either in a protocol-defined format, or in a formalism 934 associated with a modeling language. 936 For instance: 938 * Path Computation Element (PCE) Communication Protocol (PCEP) 939 [RFC5440] and GMPLS User-Network Interface (UNI) using RSVP-TE 940 [RFC4208] use a TLV-based binary encoding to transmit data. 942 * Network Configuration Protocol (NETCONF) [RFC6241] and RESTCONF 943 Protocol [RFC8040] use XML and JSON encoding. 945 * gRPC/GNMI [I-D.openconfig-rtgwg-gnmi-spec] uses a binary encoded 946 programmable interface; 948 * For data modeling, YANG ([RFC6020] and [RFC7950]) may be used to 949 model configuration and other data for NETCONF, RESTCONF, and GNMI 950 - among others; ProtoBufs can be used to model gRPC and GNMI data. 952 While several generic formats and data models for specific purposes 953 exist, it is expected that IETF Network Slice management may require 954 enhancement or augmentation of existing data models. 956 5.3. IETF Network Slice Controller (NSC) 958 The IETF NSC takes abstract requests for IETF Network Slices and 959 implements them using a suitable underlying technology. An IETF NSC 960 is the key building block for control and management of the IETF 961 Network Slice. It provides the creation/modification/deletion, 962 monitoring and optimization of IETF Network Slices in a multi-domain, 963 a multi-technology and multi-vendor environment. 965 The main task of the IETF NSC is to map abstract IETF Network Slice 966 requirements to concrete technologies and establish required 967 connectivity, and ensuring that required resources are allocated to 968 the IETF Network Slice. 970 The IETF Network Slice Service Interface is needed for communicating 971 details of a IETF Network Slice (configuration, selected policies, 972 operational state, etc.), as well as providing information to a slice 973 requester/customer about IETF Network Slice status and performance. 974 The details for this IETF Network Slice Service Interface are not in 975 scope for this document. 977 The controller provides the following functions: 979 * Provides an IETF Network Slice Service Interface for 980 creation/modification/deletion of the IETF Network Slices tht is 981 agnostic to the technology of the underlying network. The API 982 exposed by this interface communicates the Service Demarcation 983 Points of the IETF Network Slice, IETF Network Slice SLO 984 parameters (and possibly monitoring thresholds), applicable input 985 selection (filtering) and various policies, and provides a way to 986 monitor the slice. 988 * Determines an abstract topology connecting the SDPs of the IETF 989 Network Slice that meets criteria specified via the IETF Network 990 Slice Service Interface. The NSC also retains information about 991 the mapping of this abstract topology to underlying components of 992 the IETF Network Slice as necessary to monitor IETF Network Slice 993 status and performance. 995 * Provides "Mapping Functions" for the realization of IETF Network 996 Slices. In other words, it will use the mapping functions that: 998 - map technology-agnostic IETF Network Slice Service Interface 999 request to technology-specific network configuration interfaces 1001 - map filtering/selection information as necessary to entities in 1002 the underlay network. 1004 * Via a network configuration interface, the controller collects 1005 telemetry data (e.g., OAM results, statistics, states, etc.) for 1006 all elements in the abstract topology used to realize the IETF 1007 Network Slice. 1009 * Using the telemetry data from the underlying realization of a IETF 1010 Network Slice (i.e., services/paths/tunnels), evaluates the 1011 current performance against IETF Network Slice SLO parameters and 1012 exposes them to the IETF Network Slice customer via the IETF 1013 Network Slice Service Interface. The IETF Network Slice Service 1014 Interface may also include a capability to provide notification in 1015 case the IETF Network Slice performance reaches threshold values 1016 defined by the IETF Network Slice customer. 1018 An IETF Network Slice customer is served by the IETF Network Slice 1019 Controller (NSC), as follows: 1021 * The NSC takes requests from a management system or other 1022 application, which are then communicated via the IETF Network 1023 Slice Service Interface. This interface carries data objects the 1024 IETF Network Slice customer provides, describing the needed IETF 1025 Network Slices in terms of topology, applicable service level 1026 objectives (SLO), and any monitoring and reporting requirements 1027 that may apply. Note that - in this context - "topology" means 1028 what the IETF Network Slice connectivity is meant to look like 1029 from the customer's perspective; it may be as simple as a list of 1030 mutually (and symmetrically) connected SDPs, or it may be 1031 complicated by details of connection asymmetry, per-connection SLO 1032 requirements, etc. 1034 * These requests are assumed to be translated by one or more 1035 underlying systems, which are used to establish specific IETF 1036 Network Slice instances on top of an underlying network 1037 infrastructure. 1039 * The NSC maintains a record of the mapping from customer requests 1040 to slice instantiations, as needed to allow for subsequent control 1041 functions (such as modification or deletion of the requested 1042 slices), and as needed for any requested monitoring and reporting 1043 functions. 1045 5.3.1. IETF Network Slice Controller Interfaces 1047 The interworking and interoperability among the different 1048 stakeholders to provide common means of provisioning, operating and 1049 monitoring the IETF Network Slices is enabled by the following 1050 communication interfaces (see Figure 2). 1052 IETF Network Slice Service Interface: The IETF Network Slice Service 1053 Interface is an interface between a customer's higher level 1054 operation system (e.g., a network slice orchestrator) and the NSC. 1055 It agnostic to the technology of the underlying network. The 1056 customer can use this interface to communicate the requested 1057 characteristics and other requirements (i.e., the SLOs) for the 1058 IETF Network Slice, and the NSC can use the interface to report 1059 the operational state of an IETF Network Slice to the customer. 1061 Network Configuration Interface: The Network Configuration Interface 1062 is an interface between the NSC and network controllers. It is 1063 technology-specific and may be built around the many network 1064 models defined within the IETF. 1066 These interfaces can be considered in the context of the Service 1067 Model and Network Model described in [RFC8309] and, together with the 1068 Device Configuration Interface used by the Network Controllers, 1069 provides a consistent view of service delivery and realization. 1071 +------------------------------------------+ 1072 | Customer higher level operation system | 1073 | (e.g E2E network slice orchestrator) | 1074 +------------------------------------------+ 1075 A 1076 | IETF Network Slice Service Interface 1077 V 1078 +------------------------------------------+ 1079 | IETF Network Slice Controller (NSC) | 1080 +------------------------------------------+ 1081 A 1082 | Network Configuration Interface 1083 V 1084 +------------------------------------------+ 1085 | Network Controllers | 1086 +------------------------------------------+ 1088 Figure 2: Interface of IETF Network Slice Controller 1090 5.3.1.1. IETF Network Slice Service Interface 1092 The IETF Network Slice Controller provides an IETF Network Slice 1093 Service Interface that allows customers of network slices to request 1094 and monitor IETF Network Slices. Customers operate on abstract IETF 1095 Network Slices, with details related to their realization hidden. 1097 The IETF Network Slice Service Interface complements various IETF 1098 services, tunnels, path models by providing an abstract layer on top 1099 of these models. 1101 The IETF Network Slice Service Interface is independent of type of 1102 network functions or services that need to be connected, i.e., it is 1103 independent of any specific storage, software, protocol, or platform 1104 used to realize physical or virtual network connectivity or functions 1105 in support of IETF Network Slices. 1107 The IETF Network Slice Service Interface uses protocol mechanisms and 1108 information passed over those mechanisms to convey desired attributes 1109 for IETF Network Slices and their status. The information is 1110 expected to be represented as a well-defined data model, and should 1111 include at least SDP and connectivity information, SLO specification, 1112 and status information. 1114 To accomplish this, the IETF Network Slice Service Interface needs to 1115 convey information needed to support communication across the 1116 interface, in terms of identifying the IETF Network Slices, as well 1117 providing the above model information. 1119 5.3.2. Management Architecture 1121 The management architecture described in Figure 2 may be further 1122 decomposed as shown in Figure 3. This should also be seen in the 1123 context of the component architecture shown in Figure 5. 1125 -------------- 1126 | Network | 1127 | Slice | 1128 | Orchestrator | 1129 -------------- 1130 | IETF Network Slice 1131 | Service Request 1132 | Customer view 1133 ..|................................ 1134 -v------------------- Operator view 1135 |Controller | 1136 | ------------ | 1137 | | IETF | | 1138 | | Network | | 1139 | | Slice | | 1140 | | Controller | | 1141 | | (NSC) | | 1142 | ------------ |--> Virtual Network 1143 | | Network | 1144 | | Configuration | 1145 | v | 1146 | ------------ | 1147 | | Network | | 1148 | | Controller | | 1149 | | (NC) | | 1150 | ------------ | 1151 --------------------- 1152 | Device Configuration 1153 ..|................................ 1154 v Underlay Network 1156 Figure 3: Interface of IETF Network Slice Management Architecture 1158 5.4. IETF Network Slice Structure 1160 An IETF Network Slice is a set of connections among various SDPs to 1161 form a logical network that meets the SLOs agreed upon. 1163 |------------------------------------------| 1164 SDP1 O....| |....O SDP2 1165 . | | . 1166 . | IETF Network Slice | . 1167 . | (SLOs e.g. B/W > x bps, Delay < y ms) | . 1168 SDPm O....| |....O SDPn 1169 |------------------------------------------| 1171 == == == == == == == == == == == == == == == == == == == == == == 1173 .--. .--. 1174 [EP1] ( )- . ( )- . [EP2] 1175 . .' IETF ' SLO .' IETF ' . 1176 . ( Network-1 ) ... ( Network-p ) . 1177 `-----------' `-----------' 1178 [EPm] [EPn] 1180 Legend 1181 SDP: IETF Network Slice Service Demarcation Point 1182 EP: Serivce/tunnel/path Endpoint used to realize the 1183 IETF Network Slice 1185 Figure 4: IETF Network Slice 1187 Figure 4 illustrates a case where an IETF Network Slice provides 1188 connectivity between a set of IETF Network Slice service Demarcation 1189 Point (SDP) pairs with specific SLOs (e.g., guaranteed minimum 1190 bandwidth of x bps and guaranteed delay of no more than y ms). The 1191 IETF Network Slice endpoints are mapped to the service/tunnel/path 1192 Endpoints (EPs) in the underlay network. Also, the SDPs in the same 1193 IETF Network Slice may belong to the same or different address 1194 spaces. 1196 IETF Network Slice structure fits into a broader concept of end-to- 1197 end network slices. A network operator may be responsible for 1198 delivering services over a number of technologies (such as radio 1199 networks) and for providing specific and fine-grained services (such 1200 as CCTV feed or High definition realtime traffic data). That 1201 operator may need to combine slices of various networks to produce an 1202 end-to-end network service. Each of these networks may include 1203 multiple physical or virtual nodes and may also provide network 1204 functions beyond simply carrying of technology-specific protocol data 1205 units. An end-to-end network slice is defined by the 3GPP as a 1206 complete logical network that provides a service in its entirety with 1207 a specific assurance to the customer [TS23501]. 1209 An end-to-end network slice may be composed from other network slices 1210 that include IETF Network Slices. This composition may include the 1211 hierarchical (or recursive) use of underlying network slices and the 1212 sequential (or stitched) combination of slices of different networks. 1214 6. Realizing IETF Network Slices 1216 Realization of IETF Network Slices is out of scope of this document. 1217 It is a mapping of the definition of the IETF Network Slice to the 1218 underlying infrastructure and is necessarily technology-specific and 1219 achieved by the NSC over the Network Configuration Interface. 1220 However, this section provides an overview of the components and 1221 processes involved in realizing an IETF Network Slice. 1223 The realization can be achieved in a form of either physical or 1224 logical connectivity using VPNs, virtual networks (VNs), or a variety 1225 of tunneling technologies such as Segment Routing, MPLS, etc. 1226 Accordingly, SDPs may be realized as physical or logical service or 1227 network functions. 1229 6.1. Architecture to Realize IETF Network Slices 1231 The architecture described in this section is deliberately at a high 1232 level. It is not intended to be prescriptive: implementations and 1233 technical solutions may vary freely. However, this approach provides 1234 a common framework that other documents may reference in order to 1235 facilitate a shared understanding of the work. 1237 Figure 5 shows the architectural components of a network managed to 1238 provide IETF Network Slices. The customer's view is of individual 1239 IETF Network Slices with their CEs, PEs, and connectivity constructs. 1240 Requests for IETF Network Slices are delivered to the NSC. 1242 The figure shows, without loss of generality, the CEs, ACs, and PEs, 1243 that exist in the network. The SDPs are not shown and can be placed 1244 in any of the ways described in Section 4.2. 1246 -- -- -- 1247 |CE| |CE| |CE| 1248 -- -- -- 1249 AC : AC : AC : 1250 ---------------------- ------- 1251 ( |PE|....|PE|....|PE| ) ( IETF ) 1252 IETF Network ( --: -- :-- ) ( Network ) 1253 Slice Service ( :............: ) ( Slice ) 1254 Request ( IETF Network Slice ) ( ) Customer 1255 v ---------------------- ------- View 1256 v ............................\........./............... 1257 v \ / Provider 1258 v >>>>>>>>>>>>>>> Grouping/Mapping v v View 1259 v ^ ----------------------------------------- 1260 v ^ ( |PE|.......|PE|........|PE|.......|PE| ) 1261 --------- ( --: -- :-- -- ) 1262 | | ( :...................: ) 1263 | NSC | ( Network Resource Partition ) 1264 | | ----------------------------------------- 1265 | | ^ 1266 | |>>>>> Resource Partitioning | 1267 --------- of Filter Topology | 1268 v v | 1269 v v ----------------------------- -------- 1270 v v (|PE|..-..|PE|... ..|PE|..|PE|) ( ) 1271 v v ( :-- |P| -- :-: -- :-- ) ( Filter ) 1272 v v ( :.- -:.......|P| :- ) ( Topology ) 1273 v v ( |P|...........:-:.......|P| ) ( ) 1274 v v ( - Filter Topology ) -------- 1275 v v ----------------------------- ^ 1276 v >>>>>>>>>>>> Topology Filter ^ / 1277 v ...........................\............../........... 1278 v \ / Underlay 1279 ---------- \ / (Physical) 1280 | | \ / Network 1281 | Network | ---------------------------------------------- 1282 |Controller| ( |PE|.....-.....|PE|...... |PE|.......|PE| ) 1283 | | ( -- |P| -- :-...:-- -..:-- ) 1284 ---------- ( : -:.............|P|.........|P| ) 1285 v ( -......................:-:..- - ) 1286 >>>>>>> ( |P|.........................|P|......: ) 1287 Program the ( - - ) 1288 Network ---------------------------------------------- 1290 Figure 5: Architecture of an IETF Network Slice 1292 The network itself (at the bottom of the figure) comprises an 1293 underlay network. This could be a physical network, but may be a 1294 virtual network. The underlay network is provisioned through network 1295 controllers. 1297 The underlay network may optionally be filtered by the network 1298 operator into a number of Filter Topologies. Filter actions may 1299 include selection of specific resources (e.g., nodes and links) 1300 according to their capabilities, and are based on network-wide 1301 policies. The resulting topologies can be used as candidates to host 1302 IETF Network Slices and provide a useful way for the network operator 1303 to know in advance that all of the resources they are using to plan 1304 an IETF Network Slice would be able to meet specific SLOs and SLEs. 1305 The filtering procedure could be an offline planning activity or 1306 could be performed dynamically as new demands arise. The use of 1307 Filter Topologies is entirely optional in the architecture, and IETF 1308 Network Slices could be hosted directly on the underlay network. 1310 Recall that an IETF Network Slice is a service requested by / 1311 provided for the customer. The IETF Network Slice service is 1312 expressed in terms of one or more connectivity constructs. An 1313 implementation or operator is free to limit the number of 1314 connectivity constructs in a slice to exactly one. Each connectivity 1315 construct is associated within the IETF Network Slice service request 1316 with a set of SLOs and SLEs. The set of SLOs and SLEs does not need 1317 to be the same for every connectivity construct in the slice, but an 1318 implementation or operator is free to require that all connectivity 1319 constructs in a slice have the same set of SLOs and SLEs. 1321 One or more connectivity constructs from one or more slices are 1322 mapped to a set of network resources called a Network Resource 1323 Partition (NRP). A single connectivity construct is mapped to only 1324 one NRP (that is, the relationship is many to one). An NRP may be 1325 chosen to support a specific connectivity construct because of its 1326 ability to support a specific set of SLOs and SLEs, or its ability to 1327 support particular connectivity types, or for any administrative or 1328 operational reason. An implementation or operator is free to map 1329 each connectivity construct to a separate NRP, although there may be 1330 scaling implications depending on the solution implemented. Thus, 1331 the connectivity constructs in one slice may be mapped to one or more 1332 NRPs. By implication from the above, an implementation or operator 1333 is free to map all the connectivity constructs in a slice to a single 1334 NRP, and to not share that NRP with connectivity constructs from 1335 another slice. 1337 An NRP is simply a collection of resources identified in the underlay 1338 network. The process of determining the NRP may be made easier if 1339 the underlay network topology is first filtered into a Filter 1340 Topology in order to be aware of the subset of network resources that 1341 are suitable for specific NRPs, but this is optional. 1343 The steps described here can be applied in a variety of orders 1344 according to implementation and deployment preferences. Furthermore, 1345 the steps may be iterative so that the components are continually 1346 refined and modified as network conditions change and as service 1347 requests are received or relinquished, and even the underlay network 1348 could be extended if necessary to meet the customers' demands. 1350 6.2. Procedures to Realize IETF Network Slices 1352 There are a number of different technologies that can be used in the 1353 underlay, including physical connections, MPLS, time-sensitive 1354 networking (TSN), Flex-E, etc. 1356 An IETF Network Slice can be realized in a network, using specific 1357 underlying technology or technologies. The creation of a new IETF 1358 Network Slice will be realized with following steps: 1360 * The NSC exposes the network slicing capabilities that it offers 1361 for the network it manages. 1363 * The customer may issue a request to determine whether a specific 1364 IETF Network Slice could be supported by the network. The NSC may 1365 respond indicating a simple yes or no, and may supplement a 1366 negative response with information about what it could support 1367 were the customer to change some requirements. 1369 * The customer requests an IETF Network Slice. The NSC may respond 1370 that the slice has or has not been created, and may supplement a 1371 negative response with information about what it could support 1372 were the customer to change some requirements. 1374 * When processing a customer request for an IETF Network Slice, the 1375 NSC maps the request to the network capabilities and applies 1376 provider policies before creating or supplementing the resource 1377 partition. 1379 Regardless of how IETF Network Slice is realized in the network 1380 (i.e., using tunnels of different types), the definition of the IETF 1381 Network Slice does not change at all. The only difference is how the 1382 slice is realized. The following sections briefly introduce how some 1383 existing architectural approaches can be applied to realize IETF 1384 Network Slices. 1386 6.3. Applicability of ACTN to IETF Network Slices 1388 Abstraction and Control of TE Networks (ACTN - [RFC8453]) is a 1389 management architecture and toolkit used to create virtual networks 1390 (VNs) on top of a TE underlay network. The VNs can be presented to 1391 customers for them to operate as private networks. 1393 In many ways, the function of ACTN is similar to IETF network 1394 slicing. Customer requests for connectivity-based overlay services 1395 are mapped to dedicated or shared resources in the underlay network 1396 in a way that meets customer guarantees for service level objectives 1397 and for separation from other customers' traffic. [RFC8453] the 1398 function of ACTN as collecting resources to establish a logically 1399 dedicated virtual network over one or more TE networks. Thus, in the 1400 case of a TE-enabled underlying network, the ACTN VN can be used as a 1401 basis to realize an IETF network slicing. 1403 While the ACTN framework is a generic VN framework that can be used 1404 for VN services beyond the IETF Network Slice, it also a suitable 1405 basis for delivering and realizing IETF Network Slices. 1407 Further discussion of the applicability of ACTN to IETF Network 1408 Slices including a discussion of the relevant YANG models can be 1409 found in [I-D.king-teas-applicability-actn-slicing]. 1411 6.4. Applicability of Enhanced VPNs to IETF Network Slices 1413 An enhanced VPN (VPN+) is designed to support the needs of new 1414 applications, particularly applications that are associated with 5G 1415 services, by utilizing an approach that is based on existing VPN and 1416 TE technologies and adds characteristics that specific services 1417 require over and above traditional VPNs. 1419 An enhanced VPN can be used to provide enhanced connectivity services 1420 between customer sites (a concept similar to an IETF Network Slice) 1421 and can be used to create the infrastructure to underpin network 1422 slicing. 1424 It is envisaged that enhanced VPNs will be delivered using a 1425 combination of existing, modified, and new networking technologies. 1427 [I-D.ietf-teas-enhanced-vpn] describes the framework for Enhanced 1428 Virtual Private Network (VPN+) services. 1430 6.5. Network Slicing and Aggregation in IP/MPLS Networks 1432 Network slicing provides the ability to partition a physical network 1433 into multiple isolated logical networks of varying sizes, structures, 1434 and functions so that each slice can be dedicated to specific 1435 services or customers. 1437 Many approaches are currently being worked on to support IETF Network 1438 Slices in IP and MPLS networks with or without the use of Segment 1439 Routing. Most of these approaches utilize a way of marking packets 1440 so that network nodes can apply specific routing and forwarding 1441 behaviors to packets that belong to different IETF Network Slices. 1442 Different mechanisms for marking packets have been proposed 1443 (including using MPLS labels and Segment Routing segment IDs) and 1444 those mechanisms are agnostic to the path control technology used 1445 within the underlay network. 1447 These approaches are also sensitive to the scaling concerns of 1448 supporting a large number of IETF Network Slices within a single IP 1449 or MPLS network, and so offer ways to aggregate the connectivity 1450 constructs of slices (or whole slices) so that the packet markings 1451 indicate an aggregate or grouping where all of the packets are 1452 subject to the same routing and forwarding behavior. 1454 At this stage, it is inappropriate to mention any of these proposed 1455 solutions that are currently work in progress and not yet adopted as 1456 IETF work. 1458 7. Isolation in IETF Network Slices 1460 7.1. Isolation as a Service Requirement 1462 An IETF Network Slice customer may request that the IETF Network 1463 Slice delivered to them is delivered such that changes to other IETF 1464 Network Slices or services do not have any negative impact on the 1465 delivery of the IETF Network Slice. The IETF Network Slice customer 1466 may specify the degree to which their IETF Network Slice is 1467 unaffected by changes in the provider network or by the behavior of 1468 other IETF Network Slice customers. The customer may express this 1469 via an SLE it agrees with the provider. This concept is termed 1470 'isolation' 1472 7.2. Isolation in IETF Network Slice Realization 1474 Isolation may be achieved in the underlying network by various forms 1475 of resource partitioning ranging from dedicated allocation of 1476 resources for a specific IETF Network Slice, to sharing of resources 1477 with safeguards. For example, traffic separation between different 1478 IETF Network Slices may be achieved using VPN technologies, such as 1479 L3VPN, L2VPN, EVPN, etc. Interference avoidance may be achieved by 1480 network capacity planning, allocating dedicated network resources, 1481 traffic policing or shaping, prioritizing in using shared network 1482 resources, etc. Finally, service continuity may be ensured by 1483 reserving backup paths for critical traffic, dedicating specific 1484 network resources for a selected number of IETF Network Slices. 1486 8. Management Considerations 1488 IETF Network Slice realization needs to be instrumented in order to 1489 track how it is working, and it might be necessary to modify the IETF 1490 Network Slice as requirements change. Dynamic reconfiguration might 1491 be needed. 1493 9. Security Considerations 1495 This document specifies terminology and has no direct effect on the 1496 security of implementations or deployments. In this section, a few 1497 of the security aspects are identified. 1499 * Conformance to security constraints: Specific security requests 1500 from customer defined IETF Network Slices will be mapped to their 1501 realization in the underlay networks. It will be required by 1502 underlay networks to have capabilities to conform to customer's 1503 requests as some aspects of security may be expressed in SLEs. 1505 * IETF NSC authentication: Underlying networks need to be protected 1506 against the attacks from an adversary NSC as they can destabilize 1507 overall network operations. It is particularly critical since an 1508 IETF Network Slice may span across different networks, therefore, 1509 IETF NSC should have strong authentication with each those 1510 networks. Furthermore, both the IETF Network Slice Service 1511 Interface and the Network Configuration Interface need to be 1512 secured. 1514 * Specific isolation criteria: The nature of conformance to 1515 isolation requests means that it should not be possible to attack 1516 an IETF Network Slice service by varying the traffic on other 1517 services or slices carried by the same underlay network. In 1518 general, isolation is expected to strengthen the IETF Network 1519 Slice security. 1521 * Data Integrity of an IETF Network Slice: A customer wanting to 1522 secure their data and keep it private will be responsible for 1523 applying appropriate security measures to their traffic and not 1524 depending on the network operator that provides the IETF Network 1525 Slice. It is expected that for data integrity, a customer is 1526 responsible for end-to-end encryption of its own traffic. 1528 Note: see NGMN document[NGMN_SEC] on 5G network slice security for 1529 discussion relevant to this section. 1531 IETF Network Slices might use underlying virtualized networking. All 1532 types of virtual networking require special consideration to be given 1533 to the separation of traffic between distinct virtual networks, as 1534 well as some degree of protection from effects of traffic use of 1535 underlying network (and other) resources from other virtual networks 1536 sharing those resources. 1538 For example, if a service requires a specific upper bound of latency, 1539 then that service can be degraded by added delay in transmission of 1540 service packets through the activities of another service or 1541 application using the same resources. 1543 Similarly, in a network with virtual functions, noticeably impeding 1544 access to a function used by another IETF Network Slice (for 1545 instance, compute resources) can be just as service degrading as 1546 delaying physical transmission of associated packet in the network. 1548 While a IETF Network Slice might include encryption and other 1549 security features as part of the service, customers might be well 1550 advised to take responsibility for their own security needs, possibly 1551 by encrypting traffic before hand-off to a service provider. 1553 10. Privacy Considerations 1555 Privacy of IETF Network Slice service customers must be preserved. 1556 It should not be possible for one IETF Network Slice customer to 1557 discover the presence of other customers, nor should sites that are 1558 members of one IETF Network Slice be visible outside the context of 1559 that IETF Network Slice. 1561 In this sense, it is of paramount importance that the system use the 1562 privacy protection mechanism defined for the specific underlying 1563 technologies used, including in particular those mechanisms designed 1564 to preclude acquiring identifying information associated with any 1565 IETF Network Slice customer. 1567 11. IANA Considerations 1569 This document makes no requests for IANA action. 1571 12. Informative References 1573 [BBF-SD406] 1574 Broadband Forum, "End-to-end network slicing", BBF SD-406, 1575 . 1578 [HIPAA] HHS, "Health Insurance Portability and Accountability Act 1579 - The Security Rule", February 2003, 1580 . 1583 [I-D.ietf-teas-enhanced-vpn] 1584 Dong, J., Bryant, S., Li, Z., Miyasaka, T., and Y. Lee, "A 1585 Framework for Enhanced Virtual Private Network (VPN+) 1586 Services", Work in Progress, Internet-Draft, draft-ietf- 1587 teas-enhanced-vpn-09, 25 October 2021, 1588 . 1591 [I-D.king-teas-applicability-actn-slicing] 1592 King, D., Drake, J., Zheng, H., and A. Farrel, 1593 "Applicability of Abstraction and Control of Traffic 1594 Engineered Networks (ACTN) to Network Slicing", Work in 1595 Progress, Internet-Draft, draft-king-teas-applicability- 1596 actn-slicing-10, 31 March 2021, 1597 . 1600 [I-D.openconfig-rtgwg-gnmi-spec] 1601 Shakir, R., Shaikh, A., Borman, P., Hines, M., Lebsack, 1602 C., and C. Morrow, "gRPC Network Management Interface 1603 (gNMI)", Work in Progress, Internet-Draft, draft- 1604 openconfig-rtgwg-gnmi-spec-01, 5 March 2018, 1605 . 1608 [MACsec] IEEE, "IEEE Standard for Local and metropolitan area 1609 networks - Media Access Control (MAC) Security", 2018, 1610 . 1612 [NGMN-NS-Concept] 1613 NGMN Alliance, "Description of Network Slicing Concept", 1614 https://www.ngmn.org/uploads/ 1615 media/161010_NGMN_Network_Slicing_framework_v1.0.8.pdf , 1616 2016. 1618 [NGMN_SEC] NGMN Alliance, "NGMN 5G Security - Network Slicing", April 1619 2016, . 1622 [PCI] PCI Security Standards Council, "PCI DSS", May 2018, 1623 . 1625 [RFC2681] Almes, G., Kalidindi, S., and M. Zekauskas, "A Round-trip 1626 Delay Metric for IPPM", RFC 2681, DOI 10.17487/RFC2681, 1627 September 1999, . 1629 [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network 1630 Address Translator (Traditional NAT)", RFC 3022, 1631 DOI 10.17487/RFC3022, January 2001, 1632 . 1634 [RFC3393] Demichelis, C. and P. Chimento, "IP Packet Delay Variation 1635 Metric for IP Performance Metrics (IPPM)", RFC 3393, 1636 DOI 10.17487/RFC3393, November 2002, 1637 . 1639 [RFC4208] Swallow, G., Drake, J., Ishimatsu, H., and Y. Rekhter, 1640 "Generalized Multiprotocol Label Switching (GMPLS) User- 1641 Network Interface (UNI): Resource ReserVation Protocol- 1642 Traffic Engineering (RSVP-TE) Support for the Overlay 1643 Model", RFC 4208, DOI 10.17487/RFC4208, October 2005, 1644 . 1646 [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", 1647 RFC 4303, DOI 10.17487/RFC4303, December 2005, 1648 . 1650 [RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private 1651 Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February 1652 2006, . 1654 [RFC4397] Bryskin, I. and A. Farrel, "A Lexicography for the 1655 Interpretation of Generalized Multiprotocol Label 1656 Switching (GMPLS) Terminology within the Context of the 1657 ITU-T's Automatically Switched Optical Network (ASON) 1658 Architecture", RFC 4397, DOI 10.17487/RFC4397, February 1659 2006, . 1661 [RFC5212] Shiomoto, K., Papadimitriou, D., Le Roux, JL., Vigoureux, 1662 M., and D. Brungard, "Requirements for GMPLS-Based Multi- 1663 Region and Multi-Layer Networks (MRN/MLN)", RFC 5212, 1664 DOI 10.17487/RFC5212, July 2008, 1665 . 1667 [RFC5440] Vasseur, JP., Ed. and JL. Le Roux, Ed., "Path Computation 1668 Element (PCE) Communication Protocol (PCEP)", RFC 5440, 1669 DOI 10.17487/RFC5440, March 2009, 1670 . 1672 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for 1673 the Network Configuration Protocol (NETCONF)", RFC 6020, 1674 DOI 10.17487/RFC6020, October 2010, 1675 . 1677 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful 1678 NAT64: Network Address and Protocol Translation from IPv6 1679 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, 1680 April 2011, . 1682 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 1683 and A. Bierman, Ed., "Network Configuration Protocol 1684 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, 1685 . 1687 [RFC7679] Almes, G., Kalidindi, S., Zekauskas, M., and A. Morton, 1688 Ed., "A One-Way Delay Metric for IP Performance Metrics 1689 (IPPM)", STD 81, RFC 7679, DOI 10.17487/RFC7679, January 1690 2016, . 1692 [RFC7680] Almes, G., Kalidindi, S., Zekauskas, M., and A. Morton, 1693 Ed., "A One-Way Loss Metric for IP Performance Metrics 1694 (IPPM)", STD 82, RFC 7680, DOI 10.17487/RFC7680, January 1695 2016, . 1697 [RFC7926] Farrel, A., Ed., Drake, J., Bitar, N., Swallow, G., 1698 Ceccarelli, D., and X. Zhang, "Problem Statement and 1699 Architecture for Information Exchange between 1700 Interconnected Traffic-Engineered Networks", BCP 206, 1701 RFC 7926, DOI 10.17487/RFC7926, July 2016, 1702 . 1704 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", 1705 RFC 7950, DOI 10.17487/RFC7950, August 2016, 1706 . 1708 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF 1709 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, 1710 . 1712 [RFC8309] Wu, Q., Liu, W., and A. Farrel, "Service Models 1713 Explained", RFC 8309, DOI 10.17487/RFC8309, January 2018, 1714 . 1716 [RFC8453] Ceccarelli, D., Ed. and Y. Lee, Ed., "Framework for 1717 Abstraction and Control of TE Networks (ACTN)", RFC 8453, 1718 DOI 10.17487/RFC8453, August 2018, 1719 . 1721 [RFC8454] Lee, Y., Belotti, S., Dhody, D., Ceccarelli, D., and B. 1722 Yoon, "Information Model for Abstraction and Control of TE 1723 Networks (ACTN)", RFC 8454, DOI 10.17487/RFC8454, 1724 September 2018, . 1726 [TS23501] 3GPP, "System architecture for the 5G System (5GS)", 1727 3GPP TS 23.501, 2019. 1729 [TS28530] 3GPP, "Management and orchestration; Concepts, use cases 1730 and requirements", 3GPP TS 28.530, 2019. 1732 [TS33.210] 3GPP, "3G security; Network Domain Security (NDS); IP 1733 network layer security (Release 14).", December 2016, 1734 . 1737 Acknowledgments 1739 The entire TEAS Network Slicing design team and everyone 1740 participating in related discussions has contributed to this 1741 document. Some text fragments in the document have been copied from 1742 the [I-D.ietf-teas-enhanced-vpn], for which we are grateful. 1744 Significant contributions to this document were gratefully received 1745 from the contributing authors listed in the "Contributors" section. 1746 In addition we would like to also thank those others who have 1747 attended one or more of the design team meetings, including the 1748 following people not listed elsewhere: 1750 * Aihua Guo 1752 * Bo Wu 1754 * Greg Mirsky 1755 * Lou Berger 1757 * Rakesh Gandhi 1759 * Ran Chen 1761 * Sergio Belotti 1763 * Stewart Bryant 1765 * Tomonobu Niwa 1767 * Xuesong Geng 1769 Further useful comments were received from Daniele Ceccarelli, Uma 1770 Chunduri, Pavan Beeram, Tarek Saad, Med Boucadair, Kenichi Ogaki, 1771 Oscar Gonzalez de Dios, Xiaobing Niu, Dan Voyer. 1773 The editor of this document would like to express particular thanks 1774 to John Drake who has consistently provided expert advice, opinons, 1775 and editorial suggestions for this document. 1777 This work is partially supported by the European Commission under 1778 Horizon 2020 grant agreement number 101015857 Secured autonomic 1779 traffic management for a Tera of SDN flows (Teraflow). 1781 Contributors 1783 The following authors contributed significantly to this document: 1785 Jari Arkko 1786 Ericsson 1787 Email: jari.arkko@piuha.net 1789 Dhruv Dhody 1790 Huawei, India 1791 Email: dhruv.ietf@gmail.com 1793 Jie Dong 1794 Huawei 1795 Email: jie.dong@huawei.com 1797 Xufeng Liu 1798 Volta Networks 1799 Email: xufeng.liu.ietf@gmail.com 1801 Authors' Addresses 1802 Adrian Farrel (editor) 1803 Old Dog Consulting 1804 United Kingdom 1805 Email: adrian@olddog.co.uk 1807 Eric Gray 1808 Independent 1809 United States of America 1810 Email: ewgray@graiymage.com 1812 John Drake (editor) 1813 Juniper Networks 1814 United States of America 1815 Email: jdrake@juniper.net 1817 Reza Rokui 1818 Ciena 1819 Email: rrokui@ciena.com 1821 Shunsuke Homma 1822 NTT 1823 Japan 1824 Email: shunsuke.homma.ietf@gmail.com 1826 Kiran Makhijani 1827 Futurewei 1828 United States of America 1829 Email: kiranm@futurewei.com 1831 Luis M. Contreras 1832 Telefonica 1833 Spain 1834 Email: luismiguel.contrerasmurillo@telefonica.com 1836 Jeff Tantsura 1837 Microsoft Inc. 1838 Email: jefftant.ietf@gmail.com