idnits 2.17.00 (12 Aug 2021) /tmp/idnits65241/draft-ietf-teas-ietf-network-slices-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- -- The document date (4 March 2022) is 78 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'EP1' is mentioned on line 1173, but not defined == Missing Reference: 'EP2' is mentioned on line 1173, but not defined == Missing Reference: 'EPm' is mentioned on line 1177, but not defined == Missing Reference: 'EPn' is mentioned on line 1177, but not defined == Outdated reference: A later version (-07) exists of draft-ietf-opsawg-sap-02 == Outdated reference: A later version (-10) exists of draft-ietf-teas-enhanced-vpn-09 Summary: 0 errors (**), 0 flaws (~~), 6 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group A. Farrel, Ed. 3 Internet-Draft Old Dog Consulting 4 Intended status: Informational J. Drake 5 Expires: 5 September 2022 Juniper Networks 6 R. Rokui 7 Ciena 8 S. Homma 9 NTT 10 K. Makhijani 11 Futurewei 12 L.M. Contreras 13 Telefonica 14 J. Tantsura 15 Microsoft 16 4 March 2022 18 Framework for IETF Network Slices 19 draft-ietf-teas-ietf-network-slices-07 21 Abstract 23 This document describes network slicing in the context of networks 24 built from IETF technologies. It defines the term "IETF Network 25 Slice" and establishes the general principles of network slicing in 26 the IETF context. 28 The document discusses the general framework for requesting and 29 operating IETF Network Slices, the characteristics of an IETF Network 30 Slice, the necessary system components and interfaces, and how 31 abstract requests can be mapped to more specific technologies. The 32 document also discusses related considerations with monitoring and 33 security. 35 This document also provides definitions of related terms to enable 36 consistent usage in other IETF documents that describe or use aspects 37 of IETF Network Slices. 39 Status of This Memo 41 This Internet-Draft is submitted in full conformance with the 42 provisions of BCP 78 and BCP 79. 44 Internet-Drafts are working documents of the Internet Engineering 45 Task Force (IETF). Note that other groups may also distribute 46 working documents as Internet-Drafts. The list of current Internet- 47 Drafts is at https://datatracker.ietf.org/drafts/current/. 49 Internet-Drafts are draft documents valid for a maximum of six months 50 and may be updated, replaced, or obsoleted by other documents at any 51 time. It is inappropriate to use Internet-Drafts as reference 52 material or to cite them other than as "work in progress." 54 This Internet-Draft will expire on 5 September 2022. 56 Copyright Notice 58 Copyright (c) 2022 IETF Trust and the persons identified as the 59 document authors. All rights reserved. 61 This document is subject to BCP 78 and the IETF Trust's Legal 62 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 63 license-info) in effect on the date of publication of this document. 64 Please review these documents carefully, as they describe your rights 65 and restrictions with respect to this document. Code Components 66 extracted from this document must include Revised BSD License text as 67 described in Section 4.e of the Trust Legal Provisions and are 68 provided without warranty as described in the Revised BSD License. 70 Table of Contents 72 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 73 1.1. Background . . . . . . . . . . . . . . . . . . . . . . . 4 74 2. Terms and Abbreviations . . . . . . . . . . . . . . . . . . . 5 75 2.1. Core Terminology . . . . . . . . . . . . . . . . . . . . 5 76 3. IETF Network Slice Objectives . . . . . . . . . . . . . . . . 7 77 3.1. Definition and Scope of IETF Network Slice . . . . . . . 7 78 3.2. IETF Network Slice Service . . . . . . . . . . . . . . . 8 79 3.2.1. Ancillary SDPs . . . . . . . . . . . . . . . . . . . 11 80 4. IETF Network Slice System Characteristics . . . . . . . . . . 11 81 4.1. Objectives for IETF Network Slices . . . . . . . . . . . 11 82 4.1.1. Service Level Objectives . . . . . . . . . . . . . . 12 83 4.1.2. Service Level Expectations . . . . . . . . . . . . . 14 84 4.2. IETF Network Slice Service Demarcation Points . . . . . . 16 85 4.3. IETF Network Slice Decomposition . . . . . . . . . . . . 18 86 5. Framework . . . . . . . . . . . . . . . . . . . . . . . . . . 19 87 5.1. IETF Network Slice Stakeholders . . . . . . . . . . . . . 19 88 5.2. Expressing Connectivity Intents . . . . . . . . . . . . . 19 89 5.3. IETF Network Slice Controller (NSC) . . . . . . . . . . . 21 90 5.3.1. IETF Network Slice Controller Interfaces . . . . . . 23 91 5.3.2. Management Architecture . . . . . . . . . . . . . . . 25 92 5.4. IETF Network Slice Structure . . . . . . . . . . . . . . 25 93 6. Realizing IETF Network Slices . . . . . . . . . . . . . . . . 27 94 6.1. Architecture to Realize IETF Network Slices . . . . . . . 27 95 6.2. Procedures to Realize IETF Network Slices . . . . . . . . 30 96 6.3. Applicability of ACTN to IETF Network Slices . . . . . . 31 97 6.4. Applicability of Enhanced VPNs to IETF Network Slices . . 31 98 6.5. Network Slicing and Aggregation in IP/MPLS Networks . . . 32 99 7. Isolation in IETF Network Slices . . . . . . . . . . . . . . 32 100 7.1. Isolation as a Service Requirement . . . . . . . . . . . 32 101 7.2. Isolation in IETF Network Slice Realization . . . . . . . 33 102 8. Management Considerations . . . . . . . . . . . . . . . . . . 33 103 9. Security Considerations . . . . . . . . . . . . . . . . . . . 33 104 10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 34 105 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35 106 12. Informative References . . . . . . . . . . . . . . . . . . . 35 107 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 38 108 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 39 109 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 40 111 1. Introduction 113 A number of use cases benefit from network connections that along 114 with the connectivity provide assurance of meeting a specific set of 115 objectives with respect to network resources use. This connectivity 116 and resource commitment is referred to as a network slice. Since the 117 term network slice is rather generic, the qualifying term "IETF" is 118 used in this document to limit the scope of network slice to network 119 technologies described and standardized by the IETF. This document 120 defines the concept of IETF Network Slices that provide connectivity 121 coupled with a set of specific commitments of network resources 122 between a number of endpoints (known as Service Demarcation Points 123 (SDPs) - see Section 2.1) over a shared underlay network. Services 124 that might benefit from IETF Network Slices include, but are not 125 limited to: 127 * 5G services (e.g. eMBB, URLLC, mMTC)(See [TS23501]) 129 * Network wholesale services 131 * Network infrastructure sharing among operators 133 * NFV connectivity and Data Center Interconnect 135 IETF Network Slices are created and managed within the scope of one 136 or more network technologies (e.g., IP, MPLS, optical). They are 137 intended to enable a diverse set of applications that have different 138 requirements to coexist on the shared underlay network. A request 139 for an IETF Network Slice is agnostic to the technology in the 140 underlying network so as to allow a customer to describe their 141 network connectivity objectives in a common format, independent of 142 the underlying technologies used. 144 This document also provides a framework for discussing IETF Network 145 Slices. This framework is intended as a structure for discussing 146 interfaces and technologies. It is not intended to specify a new set 147 of concrete interfaces or technologies. Rather, the idea is that 148 existing or under-development IETF technologies (plural) can be used 149 to realize the concepts expressed herein. 151 For example, virtual private networks (VPNs) have served the industry 152 well as a means of providing different groups of users with logically 153 isolated access to a common network. The common or base network that 154 is used to support the VPNs is often referred to as an underlay 155 network, and the VPN is often called an overlay network. An overlay 156 network may, in turn, serve as an underlay network to support another 157 overlay network. 159 Note that it is conceivable that extensions to these IETF 160 technologies are needed in order to fully support all the ideas that 161 can be implemented with slices. Evaluation of existing technologies, 162 proposed extensions to existing protocols and interfaces, and the 163 creation of new protocols or interfaces is outside the scope of this 164 document. 166 1.1. Background 168 Driven largely by needs surfacing from 5G, the concept of network 169 slicing has gained traction ([NGMN-NS-Concept], [TS23501], and 170 [TS28530]). In [TS23501], a Network Slice is defined as "a logical 171 network that provides specific network capabilities and network 172 characteristics", and a Network Slice Instance is defined as "A set 173 of Network Function instances and the required resources (e.g. 174 compute, storage and networking resources) which form a deployed 175 Network Slice." According to [TS28530], an end-to-end network slice 176 consists of three major types of network segments: Radio Access 177 Network (RAN), Transport Network (TN) and Core Network (CN). An IETF 178 Network Slice provides the required connectivity between different 179 entities in RAN and CN segments of an end-to-end network slice, with 180 a specific performance commitment. For each end-to-end network 181 slice, the topology and performance requirement on a customer's use 182 of IETF Network Slice can be very different, which requires the 183 underlay network to have the capability of supporting multiple 184 different IETF Network Slices. 186 While network slices are commonly discussed in the context of 5G, it 187 is important to note that IETF Network Slices are a narrower concept, 188 and focus primarily on particular network connectivity aspects. 189 Other systems, including 5G deployments, may use IETF Network Slices 190 as a component to create entire systems and concatenated constructs 191 that match their needs, including end-to-end connectivity. 193 A IETF Network Slice could span multiple technologies and multiple 194 administrative domains. Depending on the IETF Network Slice 195 customer's requirements, an IETF Network Slice could be isolated from 196 other, often concurrent IETF Network Slices in terms of data, control 197 and management planes. 199 The customer expresses requirements for a particular IETF Network 200 Slice by specifying what is required rather than how the requirement 201 is to be fulfilled. That is, the IETF Network Slice customer's view 202 of an IETF Network Slice is an abstract one. 204 Thus, there is a need to create logical network structures with 205 required characteristics. The customer of such a logical network can 206 require a degree of isolation and performance that previously might 207 not have been satisfied by overlay VPNs. Additionally, the IETF 208 Network Slice customer might ask for some level of control of their 209 virtual networks, e.g., to customize the service paths in a network 210 slice. 212 This document specifies definitions and a framework for the provision 213 of an IETF Network Slice service. Section 6 briefly indicates some 214 candidate technologies for realizing IETF Network Slices. 216 2. Terms and Abbreviations 218 The following abbreviations are used in this document. 220 * NSC: Network Slice Controller 222 * SLA: Service Level Agreement 224 * SLI: Service Level Indicator 226 * SLO: Service Level Objective 228 The meaning of these abbreviations is defined in greater details in 229 the remainder of this document. 231 2.1. Core Terminology 233 The following terms are presented here to give context. Other 234 terminology is defined in the remainder of this document. 236 Customer: A customer is the requester of an IETF Network Slice 237 service. Customers may request monitoring of SLOs. A customer 238 may be an entity such as an enterprise network or a network 239 operator, an individual working at such an entity, a private 240 individual contracting for a service, or an application or 241 software component. A customer may be an external party 242 (classically a paying customer) or a division of a network 243 operator that uses the service provided by another division of the 244 same operator. Other terms that have been applied to the customer 245 role are "client" and "consumer". 247 Provider: A provider is the organization that delivers an IETF 248 Network Slice service. A provider is the network operator that 249 controls the network resources used to construct the network slice 250 (that is, the network that is sliced). The provider's network 251 maybe a physical network or may be a virtual network supplied by 252 another service provider. 254 Customer Edge (CE): The customer device that provides connectivity 255 to a service provider. Examples include routers, Ethernet 256 switches, firewalls, 4G/5G RAN or Core nodes, application 257 accelerators, server load balancers, HTTP header enrichment 258 functions, and PEPs (Performance Enhancing Proxy). In some 259 circumstances CEs are provided to the customer and managed by the 260 provider. 262 Provider Edge: The device within the provider network to which a CE 263 is attached. A CE may be attached to multiple PEs, and multiple 264 CEs may be attached to a given PE. 266 Attachment Circuit (AC): A channel connecting a CE and a PE over 267 which packets that belong to an IETF Network Slice service are 268 exchanged. The customer and provider agree (through 269 configuration) on which values in which combination of layer 2 and 270 layer 3 header and payload fields within a packet identify to 271 which {IETF Network Slice service, connectivity construct, and 272 SLOs/SLEs} that packet is assigned. The customer and provider may 273 agree on a per {IETF Network Slice service, connectivity 274 construct, and SLOs/SLEs} basis to police or shape traffic on the 275 AC in both the ingress (CE to PE) direction and egress (PE to CE) 276 direction, This ensures that the traffic is within the capacity 277 profile that is agreed in an IETF Network Slice service. Excess 278 traffic is dropped by default, unless specific out-of-profile 279 policies are agreed between the customer and the provider. As 280 described in Section 4.2 the AC may be part of the IETF Network 281 Slice service or may be external to it. 283 Service Demarcation Point (SDP): The point at which an IETF Network 284 Slice service is delivered by a service provider to a customer. 285 Depending on the service delivery model (see Section 4.2 this may 286 be a CE or a PE, and could be a device, a software component, or 287 in the case of network functions virtualization (for example), be 288 an abstract function supported within the provider's network. 290 Each SDP must have a unique identifier (e.g., an IP address or MAC 291 address) within a given IETF Network Slice service and may use the 292 same identifier in multiple IETF Network Slice services. 294 An SDP may be abstracted as a Service Attachment Point (SAP) 295 [I-D.ietf-opsawg-sap] for the purpose generalizing the concept 296 across multiple service types and representing it in management 297 and configuration systems. 299 3. IETF Network Slice Objectives 301 It is intended that IETF Network Slices can be created to meet 302 specific requirements, typically expressed as bandwidth, latency, 303 latency variation, and other desired or required characteristics. 304 Creation is initiated by a management system or other application 305 used to specify network-related conditions for particular traffic 306 flows. 308 It is also intended that, once created, these slices can be 309 monitored, modified, deleted, and otherwise managed. 311 It is also intended that applications and components will be able to 312 use these IETF Network Slices to move packets between the specified 313 end-points of the service in accordance with specified 314 characteristics. 316 3.1. Definition and Scope of IETF Network Slice 318 An IETF Network Slice service enables connectivity between a set of 319 Service Demarcation Points (SDPs) with specific Service Level 320 Objectives (SLOs) and Service Level Expectations (SLEs) over a common 321 underlay network. 323 An IETF Network Slice combines the connectivity resource requirements 324 and associated network behaviors such as bandwidth, latency, jitter, 325 and network functions with other resource behaviors such as compute 326 and storage availability. The definition of an IETF Network Slice 327 service is independent of the connectivity and technologies used in 328 the underlay network. This allows an IETF Network Slice service 329 customer to describe their network connectivity and relevant 330 objectives in a common format, independent of the underlying 331 technologies used. 333 IETF Network Slices may be combined hierarchically, so that a network 334 slice may itself be sliced. They may also be combined sequentially 335 so that various different networks can each be sliced and the network 336 slices placed into a sequence to provide an end-to-end service. This 337 form of sequential combination is utilized in some services such as 338 in 3GPP's 5G network [TS23501]. 340 An IETF Network Slice service is agnostic to the technology of the 341 underlying network, and its realization may be selected based upon 342 multiple considerations including its service requirements and the 343 capabilities of the underlay network. 345 The term "Slice" refers to a set of characteristics and behaviours 346 that separate one type of user-traffic from another. An IETF Network 347 Slice assumes that an underlay network is capable of changing the 348 configurations of the network devices on demand, through in-band 349 signaling or via controller(s) and fulfilling all or some of SLOs/ 350 SLEs to all of the traffic in the slice or to specific flows. 352 3.2. IETF Network Slice Service 354 A service provider delivers an IETF Network Slice service for a 355 customer. The IETF Network Slice service is specified in terms of a 356 set of SDPs, a set of one or more connectivity constructs between 357 subsets of these SDPs, and a set of SLOs and SLEs for each SDP 358 sending to each connectivity construct. A communication type (point- 359 to-point (P2P) both unidirectional and bidirectional, point-to- 360 multipoint (P2MP), multipoint-to-point (MP2P), multipoint-to- 361 multipoint (MP2MP), or any-to-any (A2A)) is specified for each 362 connectivity construct. That is, in a given IETF Network Slice 363 service there may be one or more connectivity constructs of the same 364 or different type, each connectivity construct may be between a 365 different subset of SDPs, and for a given connectivity construct each 366 sending SDP has its own set of SLOs and SLEs, and the SLOs and SLEs 367 in each set may be different. Note that a service provider may 368 decide how many connectivity constructs per IETF Network Slice 369 service it wishes to support. 371 This approach results in the following possible connectivity 372 constructs: 374 * For a P2P connectivity construct, there is one sending SDP and one 375 receiving SDP. This construct is like a private wire or a tunnel. 376 All traffic injected at the sending SDP is intended to be received 377 by the receiving SDP. The SLOs and SLEs apply at the sender (and 378 implicitly at the receiver). 380 * A bidirectional P2P connectivity construct may also be defined, 381 with two SDPs each of which may send to the other. There are two 382 sets of SLOs and SLEs which may be different and each of which 383 applies to one of the SDPs as a sender. 385 * For a P2MP connectivity construct, there is only one sending SDP 386 and more than one receiving SDP. This is like a P2MP tunnel or 387 multi-access VLAN segment. All traffic from the sending SDP is 388 intended to be received by all the receiving SDPs. There is one 389 set of SLOs and SLEs that apply at the sending SDP (and implicitly 390 at all receiving SDPs). Activating unicast or multicast 391 capabilities to deliver an IETF Slice service can be explicitly 392 requested by a customer or can be an engineering decision of a 393 service provider based on capabilities of the network and 394 operational choices. 396 * An MP2P connectivity construct has N SDPs: there is one receiving 397 SDP and (N - 1) sending SDPs. This is like a set of P2P 398 connections all with a common receiver. All traffic injected at 399 any sending SDP is received by the single receiving SDP. Each 400 sending SDP has its own set of SLOs and SLEs, and they may all be 401 different (the combination of those SLOs and SLEs gives the 402 implicit SLOs and SLEs for the receiving SDP - that is, the 403 receiving SDP is expected to receive all traffic from all 404 senders). 406 * In an MP2MP connectivity construct each of the N SDPs can be a 407 sending SDP such that its traffic is delivered to all of the other 408 SDPs. Each sending SDP has its own set of SLOs and SLEs and they 409 may all be different. The combination of those SLOs/SLEs gives 410 the implicit SLOs/SLEs for each/all of the receiving SDPs since 411 each receiving SDP is expect to receive all traffic from all/any 412 sender. 414 * With an A2A construct, any sending SDP may send to any one 415 receiving SDP or any set of receiving SDPs in the construct. 416 There is an implicit level of routing in this connectivity 417 construct that is not present in the other connectivity constructs 418 as the construct must determine to which receiving SDPs to deliver 419 each packet. The SLOs/SLEs apply to individual sending SDPs and 420 individual receiving SDPs, but there is no implicit linkage and a 421 sending SDP may be "disappointed" if the receiver is over- 422 subscribed. This construct may be used to support P2P traffic 423 between any pair of SDPs or to support multicast or broadcast 424 traffic from one SDP to a set of other SDPs. In the latter case, 425 whether the service is delivered using multicast within the 426 provider's network or using "ingress replication" or some other 427 means is out of scope of the specification of the service. A 428 service provider may choose to support A2A constructs but limit 429 the traffic to P2P. 431 If an SDP has multiple attachment circuits to a given IETF Network 432 Slice service and they are operating in single-active mode, then all 433 traffic between the SDP and its attached PEs transits a single 434 attachment circuit; if they are operating in in all-active mode, then 435 traffic between the SDP and its attached PEs is distributed across 436 all of the active attachment circuits. 438 A given sending SDP may be part of multiple connectivity constructs 439 within a single IETF Network Slice service, and the SDP may have 440 different SLOs and SLEs for each connectivity construct to which it 441 is sending. Note that a given sending SDP's SLOs and SLEs for a 442 given connectivity construct apply between it and each of the 443 receiving SDPs for that connectivity construct. 445 An IETF Network Slice service provider may freely make a deployment 446 choice as to whether to offer a 1:1 relationship between IETF Network 447 Slice service and connectivity construct, or to support multiple 448 connectivity constructs in a single IETF Network Slice service. In 449 the former case, the provider might need to deliver multiple IETF 450 Network Slice services to achieve the function of the second case. 452 It should be noted that per Section 9 of [RFC4364] an IETF Network 453 Slice service customer may actually provide IETF Network Slice 454 services to other customers in a mode sometimes referred to as 455 "carrier's carrier". In this case, the underlying IETF Network Slice 456 service provider may be owned and operated by the same or a different 457 provider network. As noted in Section 3.1, network slices may be 458 composed hierarchically or serially. 460 Section 4.2 provides a description of endpoints in the context of 461 IETF network slicing. These are known as Service Demarcation Points 462 (SDPs). For a given IETF Network Slice service, the customer and 463 provider agree, on a per-SDP basis which end of the attachment 464 circuit provides the service demarcation point (i.e., whether the 465 attachment circuit is inside or outside the IETF Network Slice 466 service). This determines whether the attachment circuit is subject 467 to the set of SLOs and SLEs at the specific SDP. 469 3.2.1. Ancillary SDPs 471 It may be the case that the set of SDPs needs to be supplemented with 472 additional senders or receivers. An additional sender could be, for 473 example, an IPTV or DNS server either within the provider's network 474 or attached to it, while an extra receiver could be, for example, a 475 node reachable via the Internet. This will be modelled as a set of 476 ancillary SDPs which supplement the other SDPs in one or more 477 connectivity constructs, or which have their own connectivity 478 constructs. Note that an ancillary SDP can either have a resolvable 479 address, e.g., an IP address or MAC address, or it may be a 480 placeholder, e.g., IPTV or DNS server, which is resolved within the 481 provider's network when the IETF Network Slice service is 482 instantiated. 484 4. IETF Network Slice System Characteristics 486 The following subsections describe the characteristics of IETF 487 Network Slices. 489 4.1. Objectives for IETF Network Slices 491 An IETF Network Slice service is defined in terms of quantifiable 492 characteristics known as Service Level Objectives (SLOs) and 493 unquantifiable characteristics known as Service Level Expectations 494 (SLEs). SLOs are expressed in terms Service Level Indicators (SLIs), 495 and together with the SLEs form the contractual agreement between 496 service customer and service provider known as a Service Level 497 Agreement (SLA). 499 The terms are defined as follows: 501 * A Service Level Indicator (SLI) is a quantifiable measure of an 502 aspect of the performance of a network. For example, it may be a 503 measure of throughput in bits per second, or it may be a measure 504 of latency in milliseconds. 506 * A Service Level Objective (SLO) is a target value or range for the 507 measurements returned by observation of an SLI. For example, an 508 SLO may be expressed as "SLI <= target", or "lower bound <= SLI <= 509 upper bound". A customer can determine whether the provider is 510 meeting the SLOs by performing measurements on the traffic. 512 * A Service Level Expectation (SLE) is an expression of an 513 unmeasurable service-related request that a customer of an IETF 514 Network Slice makes of the provider. An SLE is distinct from an 515 SLO because the customer may have little or no way of determining 516 whether the SLE is being met, but they still contract with the 517 provider for a service that meets the expectation. 519 * A Service Level Agreement (SLA) is an explicit or implicit 520 contract between the customer of an IETF Network Slice service and 521 the provider of the slice. The SLA is expressed in terms of a set 522 of SLOs and SLEs that are to be applied for a given connectivity 523 construct between a sending SDP and the set of receiving SDPs, and 524 may describe the extent to which divergence from individual SLOs 525 and SLEs can be tolerated, and commercial terms as well as any 526 consequences for violating these SLOs and SLEs. 528 4.1.1. Service Level Objectives 530 SLOs define a set of measurable network attributes and 531 characteristics that describe an IETF Network Slice service. SLOs do 532 not describe how an IETF Network Slice service is implemented or 533 realized in the underlying network layers. Instead, they are defined 534 in terms of dimensions of operation (time, capacity, etc.), 535 availability, and other attributes. 537 An IETF Network Slice service may include multiple connection 538 constructs that associate sets of endpoints (SDPs). SLOs apply to a 539 given connectivity construct and apply to specific directions of 540 traffic flow. That is, they apply to a specific sending SDP and the 541 connection to specific receiving SDPs. 543 The SLOs are combined with Service Level Expectations in an SLA. 545 4.1.1.1. Some Common SLOs 547 SLOs can be described as 'Directly Measurable Objectives': they are 548 always measurable. See Section 4.1.2 for the description of Service 549 Level Expectations which are unmeasurable service-related requests 550 sometimes known as 'Indirectly Measurable Objectives'. 552 Objectives such as guaranteed minimum bandwidth, guaranteed maximum 553 latency, maximum permissible delay variation, maximum permissible 554 packet loss rate, and availability are 'Directly Measurable 555 Objectives'. Future specifications (such as IETF Network Slice 556 service YANG models) may precisely define these SLOs, and other SLOs 557 may be introduced as described in Section 4.1.1.2. 559 The definition of these objectives are as follows: 561 Guaranteed Minimum Bandwidth: Minimum guaranteed bandwidth between 562 two endpoints at any time. The bandwidth is measured in data rate 563 units of bits per second and is measured unidirectionally. 565 Guaranteed Maximum Latency: Upper bound of network latency when 566 transmitting between two endpoints. The latency is measured in 567 terms of network characteristics (excluding application-level 568 latency). [RFC2681] and [RFC7679] discuss round trip times and 569 one-way metrics, respectively. 571 Maximum Permissible Delay Variation: Packet delay variation (PDV) as 572 defined by [RFC3393], is the difference in the one-way delay 573 between sequential packets in a flow. This SLO sets a maximum 574 value PDV for packets between two endpoints. 576 Maximum Permissible Packet Loss Rate: The ratio of packets dropped 577 to packets transmitted between two endpoints over a period of 578 time. See [RFC7680]. 580 Availability: The ratio of uptime to the sum of uptime and downtime, 581 where uptime is the time the IETF Network Slice is available in 582 accordance with the SLOs associated with it. 584 4.1.1.2. Other Service Level Objectives 586 Additional SLOs may be defined to provide additional description of 587 the IETF Network Slice service that a customer requests. These would 588 be specified in further documents. 590 If the IETF Network Slice service is traffic aware, other traffic 591 specific characteristics may be valuable including MTU, traffic-type 592 (e.g., IPv4, IPv6, Ethernet or unstructured), or a higher-level 593 behavior to process traffic according to user-application (which may 594 be realized using network functions). 596 4.1.2. Service Level Expectations 598 SLEs define a set of network attributes and characteristics that 599 describe an IETF Network Slice service, but which are not directly 600 measurable by the customer. Even though the delivery of an SLE 601 cannot usually be determined by the customer, the SLEs form an 602 important part of the contract between customer and provider. 604 Quite often, an SLE will imply some details of how an IETF Network 605 Slice service is realized by the provider, although most aspects of 606 the implementation in the underlying network layers remain a free 607 choice for the provider. 609 SLEs may be seen as aspirational on the part of the customer, and 610 they are expressed as behaviors that the provider is expected to 611 apply to the network resources used to deliver the IETF Network Slice 612 service. The SLEs are combined with SLOs in an SLA. 614 An IETF Network Slice service may include multiple connection 615 constructs that associate sets of endpoints (SDPs). SLEs apply to a 616 given connectivity construct and apply to specific directions of 617 traffic flow. That is, they apply to a specific sending SDP and the 618 connection to specific receiving SDPs. However, being more general 619 in nature that SLOs, SLEs may commonly be applied to all connection 620 constructs in an IETF Network Slice service. 622 4.1.2.1. Some Common SLEs 624 SLEs can be described as 'Indirectly Measurable Objectives': they are 625 not generally directly measurable by the customer. 627 Security, geographic restrictions, maximum occupancy level, and 628 isolation are example SLEs as follows. 630 Security: A customer may request that the provider applies 631 encryption or other security techniques to traffic flowing between 632 SDPs of an IETF Network Slice service. For example, the customer 633 could request that only network links that have MACsec [MACsec] 634 enabled are used to realize the IETF Network Slice service. 636 This SLE may include the request for encryption (e.g., [RFC4303]) 637 between the two SDPs explicitly to meet architecture 638 recommendations as in [TS33.210] or for compliance with [HIPAA] or 639 [PCI]. 641 Whether or not the provider has met this SLE is generally not 642 directly observable by the customer and cannot be measured as a 643 quantifiable metric. 645 Please see further discussion on security in Section 9. 647 Geographic Restrictions: A customer may request that certain 648 geographic limits are applied to how the provider routes traffic 649 for the IETF Network Slice service. For example, the customer may 650 have a preference that its traffic does not pass through a 651 particular country for political or security reasons. 653 Whether or not the provider has met this SLE is generally not 654 directly observable by the customer and cannot be measured as a 655 quantifiable metric. 657 Maximal Occupancy Level: The maximal occupancy level specifies the 658 number of flows to be admitted and optionally a maximum number of 659 countable resource units (e.g., IP or MAC addresses) an IETF 660 Network Slice service can consume. Since an IETF Network Slice 661 service may include multiple connection constructs, this SLE 662 should also say whether it applies for the entire IETF Network 663 Slice service, for group of connections, or on a per connection 664 basis. 666 Again, a customer may not be able to fully determine whether this 667 SLE is being met by the provider. 669 Isolation: As described in Section 7, a customer may request that 670 its traffic within its IETF Network Slice service is isolated from 671 the effects of other network services supported by the same 672 provider. That is, if another service exceeds capacity or has a 673 burst of traffic, the customer's IETF Network Slice service should 674 remain unaffected and there should be no noticeable change to the 675 quality of traffic delivered. 677 In general, a customer cannot tell whether a service provider is 678 meeting this SLE. They cannot tell whether the variation of an 679 SLI is because of changes in the underlying network or because of 680 interference from other services carried by the network. And if 681 the service varies within the allowed bounds of the SLOs, there 682 may be no noticeable indication that this SLE has been violated. 684 Diversity: A customer may request that traffic on the connection 685 between one set of SDPs should use different network resources 686 from the traffic between another set of SDPs. This might be done 687 to enhance the availability of the IETF Network Slice service. 689 While availability is a measurable objective (see Section 4.1.1.1) 690 this SLE requests a finer grade of control and is not directly 691 measurable (although the customer might become suspicious if two 692 connections fail at the same time). 694 4.2. IETF Network Slice Service Demarcation Points 696 As noted in Section 3.1, an IETF Network Slice is a logical network 697 topology connecting a number of endpoints. Section 3.2 goes on to 698 describe how the IETF Network Slice service is composed of a set of 699 one or more connectivity constructs that describe connectivity 700 between the service demarcation points across the underlying network. 702 The characteristics of IETF Network Slice Service Demarcation Points 703 (SDPs) are as follows: 705 * SDPs are conceptual points of connection to an IETF Network Slice. 706 As such, they serve as the IETF Network Slice ingress/ egress 707 points. 709 * Each SDP maps to a device, application, or a network function, 710 such as (but not limited to) routers, switches, firewalls, WAN, 711 4G/5G RAN nodes, 4G/5G Core nodes, application accelerators, 712 server load balancers, NAT44 [RFC3022], NAT64 [RFC6146], HTTP 713 header enrichment functions, and Performance Enhancing Proxies 714 (PEPs) [RFC3135]. 716 * An SDP is identified by a unique identifier in the context of an 717 IETF Network Slice customer. 719 * Each SDP is associated with a set of provider-scope identifiers 720 such as IP addresses, encapsulation-specific identifiers (e.g., 721 VLAN tag, MPLS Label), interface/port numbers, node ID, etc. 723 * SDPs are mapped to endpoints of services/tunnels/paths within the 724 IETF Network Slice during its initialization and realization. 726 - A combination of the SDP identifier and SDP provider-network- 727 scope identifiers define an SDP in the context of the Network 728 Slice Controller (NSC). 730 - The NSC will use the SDP provider-network-scope identifiers as 731 part of the process of realizing the IETF Network Slice. 733 For a given IETF Network Slice service, the IETF Network Slice 734 customer and provider agree where the endpoint (i.e., the service 735 demarcation point) is located. This determines what resources at the 736 edge of the network form part of the IETF Network Slice and are 737 subject to the set of SLOs and SLEs for a specific endpoint. 739 Figure 1 shows different potential scopes of an IETF Network Slice 740 that are consistent with the different SDP positions. For the 741 purpose of example and without loss of generality, the figure shows 742 customer edge (CE) and provider edge (PE) nodes connected by 743 attachment circuits (ACs). Notes after the figure give some 744 explanations. 746 |<---------------------- (1) ---------------------->| 747 | | 748 | |<-------------------- (2) -------------------->| | 749 | | | | 750 | | |<----------- (3) ----------->| | | 751 | | | | | | 752 | | | |<-------- (4) -------->| | | | 753 | | | | | | | | 754 V V AC V V V V AC V V 755 +-----+ | +-----+ +-----+ | +-----+ 756 | |--------| | | |--------| | 757 | CE1 | | | PE1 |. . . . . . . . .| PE2 | | | CE2 | 758 | |--------| | | |--------| | 759 +-----+ | +-----+ +-----+ | +-----+ 760 ^ ^ ^ ^ 761 | | | | 762 | | | | 763 Customer Provider Provider Customer 764 Edge 1 Edge 1 Edge 2 Edge 2 766 Figure 1: Positioning IETF Service Demarcation Points 768 Explanatory notes for Figure 1 are as follows: 770 1. If the CE is operated by the IETF Network Slice service provider, 771 then the edge of the IETF Network Slice may be within the CE. In 772 this case the slicing process may utilize resources from within 773 the CE such as buffers and queues on the outgoing interfaces. 775 2. The IETF Network Slice may be extended as far as the CE, to 776 include the AC, but not to include any part of the CE. In this 777 case, the CE may be operated by the customer or the provider. 778 Slicing the resources on the AC may require the use of traffic 779 tagging (such as through Ethernet VLAN tags) or may require 780 traffic policing at the AC link ends. 782 3. In another model, the SDPs of the IETF Network Slice are the 783 customer-facing ports on the PEs. This case can be managed in a 784 way that is similar to a port-based VPN: each port (AC) or 785 virtual port (e.g., VLAN tag) identifies the IETF Network Slice 786 and maps to an IETF Network Slice SDP. 788 4. Finally, the SDP may be within the PE. In this mode, the PE 789 classifies the traffic coming from the AC according to 790 information (such as the source and destination IP addresses, 791 payload protocol and port numbers, etc.) in order to place it 792 onto an IETF Network Slice. 794 The choice of which of these options to apply is entirely up to the 795 network operator. It may limit or enable the provisioning of 796 particular managed services and the operator will want to consider 797 how they want to manage CEs and what control they wish to offer the 798 customer over AC resources. 800 Note that Figure 1 shows a symmetrical positioning of SDP, but this 801 decision can be taken on a per-SDP basis through agreement between 802 the customer and provider. 804 In practice, it may be necessary to map traffic not only onto an IETF 805 Network Slice, but also onto a specific connectivity construct if the 806 IETF Network Slice supports more than one connectivity construct with 807 a source at the specific SDP. The mechanism used will be one of the 808 mechanisms described above, dependent on how the SDP is realized. 810 Finally, note (as described in Section 2.1) that an SDP is an 811 abstract endpoint of an IETF Network Slice service and as such may be 812 a device or software component and may, in the case of netork 813 functions virtualization (for example), be an abstract function 814 supported within the provider's network. 816 4.3. IETF Network Slice Decomposition 818 Operationally, an IETF Network Slice may be composed of two or more 819 IETF Network Slices as specified below. Decomposed network slices 820 are independently realized and managed. 822 * Hierarchical (i.e., recursive) composition: An IETF Network Slice 823 can be further sliced into other network slices. Recursive 824 composition allows an IETF Network Slice at one layer to be used 825 by the other layers. This type of multi-layer vertical IETF 826 Network Slice associates resources at different layers. 828 * Sequential composition: Different IETF Network Slices can be 829 placed into a sequence to provide an end-to-end service. In 830 sequential composition, each IETF Network Slice would potentially 831 support different dataplanes that need to be stitched together. 833 5. Framework 835 A number of IETF Network Slice services will typically be provided 836 over a shared underlying network infrastructure. Each IETF Network 837 Slice consists of both the overlay connectivity and a specific set of 838 dedicated network resources and/or functions allocated in a shared 839 underlay network to satisfy the needs of the IETF Network Slice 840 customer. In at least some examples of underlying network 841 technologies, the integration between the overlay and various 842 underlay resources is needed to ensure the guaranteed performance 843 requested for different IETF Network Slices. 845 5.1. IETF Network Slice Stakeholders 847 An IETF Network Slice and its realization involves the following 848 stakeholders and it is relevant to define them for consistent 849 terminology. The IETF Network Slice customer and IETF Network Slice 850 provider (see Section 2.1) are also stakeholders. 852 Orchestrator: An orchestrator is an entity that composes different 853 services, resource and network requirements. It interfaces with 854 the IETF NSC. 856 IETF Network Slice Controller (NSC): The NSC realizes an IETF 857 Network Slice in the underlying network, and maintains and 858 monitors the run-time state of resources and topologies associated 859 with it. A well-defined interface is needed to support 860 interworking between different NSC implementations and different 861 orchestrator implementations. 863 Network Controller: The Network Controller is a form of network 864 infrastructure controller that offers network resources to the NSC 865 to realize a particular network slice. These may be existing 866 network controllers associated with one or more specific 867 technologies that may be adapted to the function of realizing IETF 868 Network Slices in a network. 870 5.2. Expressing Connectivity Intents 872 An IETF Network Slice customer communicates with the NSC using the 873 IETF Network Slice Service Interface. 875 An IETF Network Slice customer may be a network operator who, in 876 turn, provides the IETF Network Slice to another IETF Network Slice 877 customer. 879 Using the IETF Network Slice Service Interface, a customer expresses 880 requirements for a particular slice by specifying what is required 881 rather than how that is to be achieved. That is, the customer's view 882 of a slice is an abstract one. Customers normally have limited (or 883 no) visibility into the provider network's actual topology and 884 resource availability information. 886 This should be true even if both the customer and provider are 887 associated with a single administrative domain, in order to reduce 888 the potential for adverse interactions between IETF Network Slice 889 customers and other users of the underlay network infrastructure. 891 The benefits of this model can include: 893 * Security: because the underlay network (or network operator) does 894 not need to expose network details (topology, capacity, etc.) to 895 IETF Network Slice customers the underlay network components are 896 less exposed to attack; 898 * Layered Implementation: the underlay network comprises network 899 elements that belong to a different layer network than customer 900 applications, and network information (advertisements, protocols, 901 etc.) that a customer cannot interpret or respond to (note - a 902 customer should not use network information not exposed via the 903 IETF Network Slice Service Interface, even if that information is 904 available); 906 * Scalability: customers do not need to know any information beyond 907 that which is exposed via the IETF Network Slice Service 908 Interface. 910 The general issues of abstraction in a TE network is described more 911 fully in [RFC7926]. 913 This framework document does not assume any particular layer at which 914 IETF Network Slices operate as a number of layers (including virtual 915 L2, Ethernet or, IP connectivity) could be employed. 917 Data models and interfaces are of course needed to set up IETF 918 Network Slices, and specific interfaces may have capabilities that 919 allow creation of specific layers. 921 Layered virtual connections are comprehensively discussed in other 922 IETF documents. See, for instance, GMPLS-based networks [RFC5212] 923 and [RFC4397], or Abstraction and Control of TE Networks (ACTN) 924 [RFC8453] and [RFC8454]. The principles and mechanisms associated 925 with layered networking are applicable to IETF Network Slices. 927 There are several IETF-defined mechanisms for expressing the need for 928 a desired logical network. The IETF Network Slice Service Interface 929 carries data either in a protocol-defined format, or in a formalism 930 associated with a modeling language. 932 For instance: 934 * Path Computation Element (PCE) Communication Protocol (PCEP) 935 [RFC5440] and GMPLS User-Network Interface (UNI) using RSVP-TE 936 [RFC4208] use a TLV-based binary encoding to transmit data. 938 * Network Configuration Protocol (NETCONF) [RFC6241] and RESTCONF 939 Protocol [RFC8040] use XML and JSON encoding. 941 * gRPC/GNMI [I-D.openconfig-rtgwg-gnmi-spec] uses a binary encoded 942 programmable interface; 944 * For data modeling, YANG ([RFC6020] and [RFC7950]) may be used to 945 model configuration and other data for NETCONF, RESTCONF, and GNMI 946 - among others; ProtoBufs can be used to model gRPC and GNMI data. 948 While several generic formats and data models for specific purposes 949 exist, it is expected that IETF Network Slice management may require 950 enhancement or augmentation of existing data models. Further, it is 951 possible that mechanisms will be needed to determine the feasibility 952 of service requests before they are actually made. 954 5.3. IETF Network Slice Controller (NSC) 956 The IETF NSC takes abstract requests for IETF Network Slices and 957 implements them using a suitable underlying technology. An IETF NSC 958 is the key building block for control and management of the IETF 959 Network Slice. It provides the creation/modification/deletion, 960 monitoring and optimization of IETF Network Slices in a multi-domain, 961 a multi-technology and multi-vendor environment. 963 The main task of the IETF NSC is to map abstract IETF Network Slice 964 requirements to concrete technologies and establish required 965 connectivity, and ensuring that required resources are allocated to 966 the IETF Network Slice. 968 The IETF Network Slice Service Interface is needed for communicating 969 details of a IETF Network Slice (configuration, selected policies, 970 operational state, etc.), as well as providing information to a slice 971 requester/customer about IETF Network Slice status and performance. 972 The details for this IETF Network Slice Service Interface are not in 973 scope for this document. 975 The controller provides the following functions: 977 * Provides an IETF Network Slice Service Interface for 978 creation/modification/deletion of the IETF Network Slices tht is 979 agnostic to the technology of the underlying network. The API 980 exposed by this interface communicates the Service Demarcation 981 Points of the IETF Network Slice, IETF Network Slice SLO 982 parameters (and possibly monitoring thresholds), applicable input 983 selection (filtering) and various policies, and provides a way to 984 monitor the slice. 986 * Determines an abstract topology connecting the SDPs of the IETF 987 Network Slice that meets criteria specified via the IETF Network 988 Slice Service Interface. The NSC also retains information about 989 the mapping of this abstract topology to underlying components of 990 the IETF Network Slice as necessary to monitor IETF Network Slice 991 status and performance. 993 * Provides "Mapping Functions" for the realization of IETF Network 994 Slices. In other words, it will use the mapping functions that: 996 - map IETF Network Slice Service Interface requests that are 997 agnostic to the technology of the underlying network to 998 technology-specific network configuration interfaces 1000 - map filtering/selection information as necessary to entities in 1001 the underlay network. 1003 * Via a network configuration interface, the controller collects 1004 telemetry data (e.g., OAM results, statistics, states, etc.) for 1005 all elements in the abstract topology used to realize the IETF 1006 Network Slice. 1008 * Using the telemetry data from the underlying realization of a IETF 1009 Network Slice (i.e., services/paths/tunnels), evaluates the 1010 current performance against IETF Network Slice SLO parameters and 1011 exposes them to the IETF Network Slice customer via the IETF 1012 Network Slice Service Interface. The IETF Network Slice Service 1013 Interface may also include a capability to provide notification in 1014 case the IETF Network Slice performance reaches threshold values 1015 defined by the IETF Network Slice customer. 1017 An IETF Network Slice customer is served by the IETF Network Slice 1018 Controller (NSC), as follows: 1020 * The NSC takes requests from a management system or other 1021 application, which are then communicated via the IETF Network 1022 Slice Service Interface. This interface carries data objects the 1023 IETF Network Slice customer provides, describing the needed IETF 1024 Network Slices in terms of topology, applicable service level 1025 objectives (SLO), and any monitoring and reporting requirements 1026 that may apply. Note that - in this context - "topology" means 1027 what the IETF Network Slice connectivity is meant to look like 1028 from the customer's perspective; it may be as simple as a list of 1029 mutually (and symmetrically) connected SDPs, or it may be 1030 complicated by details of connection asymmetry, per-connection SLO 1031 requirements, etc. 1033 * These requests are assumed to be translated by one or more 1034 underlying systems, which are used to establish specific IETF 1035 Network Slice instances on top of an underlying network 1036 infrastructure. 1038 * The NSC maintains a record of the mapping from customer requests 1039 to slice instantiations, as needed to allow for subsequent control 1040 functions (such as modification or deletion of the requested 1041 slices), and as needed for any requested monitoring and reporting 1042 functions. 1044 5.3.1. IETF Network Slice Controller Interfaces 1046 The interworking and interoperability among the different 1047 stakeholders to provide common means of provisioning, operating and 1048 monitoring the IETF Network Slices is enabled by the following 1049 communication interfaces (see Figure 2). 1051 IETF Network Slice Service Interface: The IETF Network Slice Service 1052 Interface is an interface between a customer's higher level 1053 operation system (e.g., a network slice orchestrator) and the NSC. 1054 It is agnostic to the technology of the underlying network. The 1055 customer can use this interface to communicate the requested 1056 characteristics and other requirements (i.e., the SLOs) for the 1057 IETF Network Slice, and the NSC can use the interface to report 1058 the operational state of an IETF Network Slice to the customer. 1060 Network Configuration Interface: The Network Configuration Interface 1061 is an interface between the NSC and network controllers. It is 1062 technology-specific and may be built around the many network 1063 models defined within the IETF. 1065 These interfaces can be considered in the context of the Service 1066 Model and Network Model described in [RFC8309] and, together with the 1067 Device Configuration Interface used by the Network Controllers, 1068 provides a consistent view of service delivery and realization. 1070 +------------------------------------------+ 1071 | Customer higher level operation system | 1072 | (e.g E2E network slice orchestrator) | 1073 +------------------------------------------+ 1074 A 1075 | IETF Network Slice Service Interface 1076 V 1077 +------------------------------------------+ 1078 | IETF Network Slice Controller (NSC) | 1079 +------------------------------------------+ 1080 A 1081 | Network Configuration Interface 1082 V 1083 +------------------------------------------+ 1084 | Network Controllers | 1085 +------------------------------------------+ 1087 Figure 2: Interface of IETF Network Slice Controller 1089 5.3.1.1. IETF Network Slice Service Interface 1091 The IETF Network Slice Controller provides an IETF Network Slice 1092 Service Interface that allows customers of network slices to request 1093 and monitor IETF Network Slices. Customers operate on abstract IETF 1094 Network Slices, with details related to their realization hidden. 1096 The IETF Network Slice Service Interface complements various IETF 1097 services, tunnels, path models by providing an abstract layer on top 1098 of these models. 1100 The IETF Network Slice Service Interface is independent of type of 1101 network functions or services that need to be connected, i.e., it is 1102 independent of any specific storage, software, protocol, or platform 1103 used to realize physical or virtual network connectivity or functions 1104 in support of IETF Network Slices. 1106 The IETF Network Slice Service Interface uses protocol mechanisms and 1107 information passed over those mechanisms to convey desired attributes 1108 for IETF Network Slices and their status. The information is 1109 expected to be represented as a well-defined data model, and should 1110 include at least SDP and connectivity information, SLO specification, 1111 and status information. 1113 To accomplish this, the IETF Network Slice Service Interface needs to 1114 convey information needed to support communication across the 1115 interface, in terms of identifying the IETF Network Slices, as well 1116 providing the above model information. 1118 5.3.2. Management Architecture 1120 The management architecture described in Figure 2 may be further 1121 decomposed as shown in Figure 3. This should also be seen in the 1122 context of the component architecture shown in Figure 5. 1124 -------------- 1125 | Network | 1126 | Slice | 1127 | Orchestrator | 1128 -------------- 1129 | IETF Network Slice 1130 | Service Request 1131 | Customer view 1132 ..|................................ 1133 -v------------------- Operator view 1134 |Controller | 1135 | ------------ | 1136 | | IETF | | 1137 | | Network | | 1138 | | Slice | | 1139 | | Controller | | 1140 | | (NSC) | | 1141 | ------------ |--> Virtual Network 1142 | | Network | 1143 | | Configuration | 1144 | v | 1145 | ------------ | 1146 | | Network | | 1147 | | Controller | | 1148 | | (NC) | | 1149 | ------------ | 1150 --------------------- 1151 | Device Configuration 1152 ..|................................ 1153 v Underlay Network 1155 Figure 3: Interface of IETF Network Slice Management Architecture 1157 5.4. IETF Network Slice Structure 1159 An IETF Network Slice is a set of connections among various SDPs to 1160 form a logical network that meets the SLOs agreed upon. 1162 |------------------------------------------| 1163 SDP1 O....| |....O SDP2 1164 . | | . 1165 . | IETF Network Slice | . 1166 . | (SLOs e.g. B/W > x bps, Delay < y ms) | . 1167 SDPm O....| |....O SDPn 1168 |------------------------------------------| 1170 == == == == == == == == == == == == == == == == == == == == == == 1172 .--. .--. 1173 [EP1] ( )- . ( )- . [EP2] 1174 . .' IETF ' SLO .' IETF ' . 1175 . ( Network-1 ) ... ( Network-p ) . 1176 `-----------' `-----------' 1177 [EPm] [EPn] 1179 Legend 1180 SDP: IETF Network Slice Service Demarcation Point 1181 EP: Serivce/tunnel/path Endpoint used to realize the 1182 IETF Network Slice 1184 Figure 4: IETF Network Slice 1186 Figure 4 illustrates a case where an IETF Network Slice provides 1187 connectivity between a set of IETF Network Slice Service Demarcation 1188 Point (SDP) pairs with specific SLOs (e.g., guaranteed minimum 1189 bandwidth of x bps and guaranteed delay of no more than y ms). The 1190 IETF Network Slice endpoints are mapped to the service/tunnel/path 1191 Endpoints (EPs) in the underlay network. Also, the SDPs in the same 1192 IETF Network Slice may belong to the same or different address 1193 spaces. 1195 IETF Network Slice structure fits into a broader concept of end-to- 1196 end network slices. A network operator may be responsible for 1197 delivering services over a number of technologies (such as radio 1198 networks) and for providing specific and fine-grained services (such 1199 as CCTV feed or High definition realtime traffic data). That 1200 operator may need to combine slices of various networks to produce an 1201 end-to-end network service. Each of these networks may include 1202 multiple physical or virtual nodes and may also provide network 1203 functions beyond simply carrying of technology-specific protocol data 1204 units. An end-to-end network slice is defined by the 3GPP as a 1205 complete logical network that provides a service in its entirety with 1206 a specific assurance to the customer [TS23501]. 1208 An end-to-end network slice may be composed from other network slices 1209 that include IETF Network Slices. This composition may include the 1210 hierarchical (or recursive) use of underlying network slices and the 1211 sequential (or stitched) combination of slices of different networks. 1213 6. Realizing IETF Network Slices 1215 Realization of IETF Network Slices is out of scope of this document. 1216 It is a mapping of the definition of the IETF Network Slice to the 1217 underlying infrastructure and is necessarily technology-specific and 1218 achieved by the NSC over the Network Configuration Interface. 1219 However, this section provides an overview of the components and 1220 processes involved in realizing an IETF Network Slice. 1222 The realization can be achieved in a form of either physical or 1223 logical connectivity using VPNs, virtual networks (VNs), or a variety 1224 of tunneling technologies such as Segment Routing, MPLS, etc. 1225 Accordingly, SDPs may be realized as physical or logical service or 1226 network functions. 1228 6.1. Architecture to Realize IETF Network Slices 1230 The architecture described in this section is deliberately at a high 1231 level. It is not intended to be prescriptive: implementations and 1232 technical solutions may vary freely. However, this approach provides 1233 a common framework that other documents may reference in order to 1234 facilitate a shared understanding of the work. 1236 Figure 5 shows the architectural components of a network managed to 1237 provide IETF Network Slices. The customer's view is of individual 1238 IETF Network Slices with their CEs, PEs, and connectivity constructs. 1239 Requests for IETF Network Slices are delivered to the NSC. 1241 The figure shows, without loss of generality, the CEs, ACs, and PEs, 1242 that exist in the network. The SDPs are not shown and can be placed 1243 in any of the ways described in Section 4.2. 1245 -- -- -- 1246 |CE| |CE| |CE| 1247 -- -- -- 1248 AC : AC : AC : 1249 ---------------------- ------- 1250 ( |PE|....|PE|....|PE| ) ( IETF ) 1251 IETF Network ( --: -- :-- ) ( Network ) 1252 Slice Service ( :............: ) ( Slice ) 1253 Request ( IETF Network Slice ) ( ) Customer 1254 v ---------------------- ------- View 1255 v ............................\........./............... 1256 v \ / Provider 1257 v >>>>>>>>>>>>>>> Grouping/Mapping v v View 1258 v ^ ----------------------------------------- 1259 v ^ ( |PE|.......|PE|........|PE|.......|PE| ) 1260 --------- ( --: -- :-- -- ) 1261 | | ( :...................: ) 1262 | NSC | ( Network Resource Partition ) 1263 | | ----------------------------------------- 1264 | | ^ 1265 | |>>>>> Resource Partitioning | 1266 --------- of Filter Topology | 1267 v v | 1268 v v ----------------------------- -------- 1269 v v (|PE|..-..|PE|... ..|PE|..|PE|) ( ) 1270 v v ( :-- |P| -- :-: -- :-- ) ( Filter ) 1271 v v ( :.- -:.......|P| :- ) ( Topology ) 1272 v v ( |P|...........:-:.......|P| ) ( ) 1273 v v ( - Filter Topology ) -------- 1274 v v ----------------------------- ^ 1275 v >>>>>>>>>>>> Topology Filter ^ / 1276 v ...........................\............../........... 1277 v \ / Underlay 1278 ---------- \ / (Physical) 1279 | | \ / Network 1280 | Network | ---------------------------------------------- 1281 |Controller| ( |PE|.....-.....|PE|...... |PE|.......|PE| ) 1282 | | ( -- |P| -- :-...:-- -..:-- ) 1283 ---------- ( : -:.............|P|.........|P| ) 1284 v ( -......................:-:..- - ) 1285 >>>>>>> ( |P|.........................|P|......: ) 1286 Program the ( - - ) 1287 Network ---------------------------------------------- 1289 Figure 5: Architecture of an IETF Network Slice 1291 The network itself (at the bottom of the figure) comprises an 1292 underlay network. This could be a physical network, but may be a 1293 virtual network. The underlay network is provisioned through network 1294 controllers. 1296 The underlay network may optionally be filtered or customized by the 1297 network operator to produce a number of network topologies that we 1298 call Filter Topologies. Customization is just a way of selecting 1299 specific resources (e.g., nodes and links) from the underlay network 1300 according to their capabilities and connectivity in the underlay 1301 network. These actions are configuration options or operator 1302 policies. The resulting topologies can be used as candidates to host 1303 IETF Network Slices and provide a useful way for the network operator 1304 to know in advance that all of the resources they are using to plan 1305 an IETF Network Slice would be able to meet specific SLOs and SLEs. 1306 The creation of a Filter Topology could be an offline planning 1307 activity or could be performed dynamically as new demands arise. The 1308 use of Filter Topologies is entirely optional in the architecture, 1309 and IETF Network Slices could be hosted directly on the underlay 1310 network. 1312 Recall that an IETF Network Slice is a service requested by / 1313 provided for the customer. The IETF Network Slice service is 1314 expressed in terms of one or more connectivity constructs. An 1315 implementation or operator is free to limit the number of 1316 connectivity constructs in a slice to exactly one. Each connectivity 1317 construct is associated within the IETF Network Slice service request 1318 with a set of SLOs and SLEs. The set of SLOs and SLEs does not need 1319 to be the same for every connectivity construct in the slice, but an 1320 implementation or operator is free to require that all connectivity 1321 constructs in a slice have the same set of SLOs and SLEs. 1323 One or more connectivity constructs from one or more slices are 1324 mapped to a set of network resources called a Network Resource 1325 Partition (NRP). A single connectivity construct is mapped to only 1326 one NRP (that is, the relationship is many to one). An NRP may be 1327 chosen to support a specific connectivity construct because of its 1328 ability to support a specific set of SLOs and SLEs, or its ability to 1329 support particular connectivity types, or for any administrative or 1330 operational reason. An implementation or operator is free to map 1331 each connectivity construct to a separate NRP, although there may be 1332 scaling implications depending on the solution implemented. Thus, 1333 the connectivity constructs in one slice may be mapped to one or more 1334 NRPs. By implication from the above, an implementation or operator 1335 is free to map all the connectivity constructs in a slice to a single 1336 NRP, and to not share that NRP with connectivity constructs from 1337 another slice. 1339 An NRP is simply a collection of resources identified in the underlay 1340 network. The process of determining the NRP may be made easier if 1341 the underlay network topology is first filtered into a Filter 1342 Topology in order to be aware of the subset of network resources that 1343 are suitable for specific NRPs, but this is optional. 1345 The steps described here can be applied in a variety of orders 1346 according to implementation and deployment preferences. Furthermore, 1347 the steps may be iterative so that the components are continually 1348 refined and modified as network conditions change and as service 1349 requests are received or relinquished, and even the underlay network 1350 could be extended if necessary to meet the customers' demands. 1352 6.2. Procedures to Realize IETF Network Slices 1354 There are a number of different technologies that can be used in the 1355 underlay, including physical connections, MPLS, time-sensitive 1356 networking (TSN), Flex-E, etc. 1358 An IETF Network Slice can be realized in a network, using specific 1359 underlying technology or technologies. The creation of a new IETF 1360 Network Slice will be realized with following steps: 1362 * The NSC exposes the network slicing capabilities that it offers 1363 for the network it manages. 1365 * The customer may issue a request to determine whether a specific 1366 IETF Network Slice could be supported by the network. The NSC may 1367 respond indicating a simple yes or no, and may supplement a 1368 negative response with information about what it could support 1369 were the customer to change some requirements. 1371 * The customer requests an IETF Network Slice. The NSC may respond 1372 that the slice has or has not been created, and may supplement a 1373 negative response with information about what it could support 1374 were the customer to change some requirements. 1376 * When processing a customer request for an IETF Network Slice, the 1377 NSC maps the request to the network capabilities and applies 1378 provider policies before creating or supplementing the resource 1379 partition. 1381 Regardless of how IETF Network Slice is realized in the network 1382 (i.e., using tunnels of different types), the definition of the IETF 1383 Network Slice does not change at all. The only difference is how the 1384 slice is realized. The following sections briefly introduce how some 1385 existing architectural approaches can be applied to realize IETF 1386 Network Slices. 1388 6.3. Applicability of ACTN to IETF Network Slices 1390 Abstraction and Control of TE Networks (ACTN - [RFC8453]) is a 1391 management architecture and toolkit used to create virtual networks 1392 (VNs) on top of a TE underlay network. The VNs can be presented to 1393 customers for them to operate as private networks. 1395 In many ways, the function of ACTN is similar to IETF network 1396 slicing. Customer requests for connectivity-based overlay services 1397 are mapped to dedicated or shared resources in the underlay network 1398 in a way that meets customer guarantees for service level objectives 1399 and for separation from other customers' traffic. [RFC8453] the 1400 function of ACTN as collecting resources to establish a logically 1401 dedicated virtual network over one or more TE networks. Thus, in the 1402 case of a TE-enabled underlying network, the ACTN VN can be used as a 1403 basis to realize an IETF network slicing. 1405 While the ACTN framework is a generic VN framework that can be used 1406 for VN services beyond the IETF Network Slice, it also a suitable 1407 basis for delivering and realizing IETF Network Slices. 1409 Further discussion of the applicability of ACTN to IETF Network 1410 Slices including a discussion of the relevant YANG models can be 1411 found in [I-D.king-teas-applicability-actn-slicing]. 1413 6.4. Applicability of Enhanced VPNs to IETF Network Slices 1415 An enhanced VPN (VPN+) is designed to support the needs of new 1416 applications, particularly applications that are associated with 5G 1417 services, by utilizing an approach that is based on existing VPN and 1418 TE technologies and adds characteristics that specific services 1419 require over and above VPNs as they have previously been specified. 1421 An enhanced VPN can be used to provide enhanced connectivity services 1422 between customer sites and can be used to create the infrastructure 1423 to underpin a network slicing service. 1425 It is envisaged that enhanced VPNs will be delivered using a 1426 combination of existing, modified, and new networking technologies. 1428 [I-D.ietf-teas-enhanced-vpn] describes the framework for Enhanced 1429 Virtual Private Network (VPN+) services. 1431 6.5. Network Slicing and Aggregation in IP/MPLS Networks 1433 Network slicing provides the ability to partition a physical network 1434 into multiple isolated logical networks of varying sizes, structures, 1435 and functions so that each slice can be dedicated to specific 1436 services or customers. 1438 Many approaches are currently being worked on to support IETF Network 1439 Slices in IP and MPLS networks with or without the use of Segment 1440 Routing. Most of these approaches utilize a way of marking packets 1441 so that network nodes can apply specific routing and forwarding 1442 behaviors to packets that belong to different IETF Network Slices. 1443 Different mechanisms for marking packets have been proposed 1444 (including using MPLS labels and Segment Routing segment IDs) and 1445 those mechanisms are agnostic to the path control technology used 1446 within the underlay network. 1448 These approaches are also sensitive to the scaling concerns of 1449 supporting a large number of IETF Network Slices within a single IP 1450 or MPLS network, and so offer ways to aggregate the connectivity 1451 constructs of slices (or whole slices) so that the packet markings 1452 indicate an aggregate or grouping where all of the packets are 1453 subject to the same routing and forwarding behavior. 1455 At this stage, it is inappropriate to mention any of these proposed 1456 solutions that are currently work in progress and not yet adopted as 1457 IETF work. 1459 7. Isolation in IETF Network Slices 1461 7.1. Isolation as a Service Requirement 1463 An IETF Network Slice customer may request that the IETF Network 1464 Slice delivered to them is delivered such that changes to other IETF 1465 Network Slices or services do not have any negative impact on the 1466 delivery of the IETF Network Slice. The IETF Network Slice customer 1467 may specify the degree to which their IETF Network Slice is 1468 unaffected by changes in the provider network or by the behavior of 1469 other IETF Network Slice customers. The customer may express this 1470 via an SLE it agrees with the provider. This concept is termed 1471 'isolation' 1473 7.2. Isolation in IETF Network Slice Realization 1475 Isolation may be achieved in the underlying network by various forms 1476 of resource partitioning ranging from dedicated allocation of 1477 resources for a specific IETF Network Slice, to sharing of resources 1478 with safeguards. For example, traffic separation between different 1479 IETF Network Slices may be achieved using VPN technologies, such as 1480 L3VPN, L2VPN, EVPN, etc. Interference avoidance may be achieved by 1481 network capacity planning, allocating dedicated network resources, 1482 traffic policing or shaping, prioritizing in using shared network 1483 resources, etc. Finally, service continuity may be ensured by 1484 reserving backup paths for critical traffic, dedicating specific 1485 network resources for a selected number of IETF Network Slices. 1487 8. Management Considerations 1489 IETF Network Slice realization needs to be instrumented in order to 1490 track how it is working, and it might be necessary to modify the IETF 1491 Network Slice as requirements change. Dynamic reconfiguration might 1492 be needed. 1494 9. Security Considerations 1496 This document specifies terminology and has no direct effect on the 1497 security of implementations or deployments. In this section, a few 1498 of the security aspects are identified. 1500 * Conformance to security constraints: Specific security requests 1501 from customer defined IETF Network Slices will be mapped to their 1502 realization in the underlay networks. It will be required by 1503 underlay networks to have capabilities to conform to customer's 1504 requests as some aspects of security may be expressed in SLEs. 1506 * IETF NSC authentication: Underlying networks need to be protected 1507 against the attacks from an adversary NSC as they can destabilize 1508 overall network operations. It is particularly critical since an 1509 IETF Network Slice may span across different networks, therefore, 1510 IETF NSC should have strong authentication with each those 1511 networks. Furthermore, both the IETF Network Slice Service 1512 Interface and the Network Configuration Interface need to be 1513 secured. 1515 * Specific isolation criteria: The nature of conformance to 1516 isolation requests means that it should not be possible to attack 1517 an IETF Network Slice service by varying the traffic on other 1518 services or slices carried by the same underlay network. In 1519 general, isolation is expected to strengthen the IETF Network 1520 Slice security. 1522 * Data Integrity of an IETF Network Slice: A customer wanting to 1523 secure their data and keep it private will be responsible for 1524 applying appropriate security measures to their traffic and not 1525 depending on the network operator that provides the IETF Network 1526 Slice. It is expected that for data integrity, a customer is 1527 responsible for end-to-end encryption of its own traffic. 1529 Note: see NGMN document [NGMN_SEC] on 5G network slice security for 1530 discussion relevant to this section. 1532 IETF Network Slices might use underlying virtualized networking. All 1533 types of virtual networking require special consideration to be given 1534 to the separation of traffic between distinct virtual networks, as 1535 well as some degree of protection from effects of traffic use of 1536 underlying network (and other) resources from other virtual networks 1537 sharing those resources. 1539 For example, if a service requires a specific upper bound of latency, 1540 then that service can be degraded by added delay in transmission of 1541 service packets through the activities of another service or 1542 application using the same resources. 1544 Similarly, in a network with virtual functions, noticeably impeding 1545 access to a function used by another IETF Network Slice (for 1546 instance, compute resources) can be just as service degrading as 1547 delaying physical transmission of associated packet in the network. 1549 While a IETF Network Slice might include encryption and other 1550 security features as part of the service, customers might be well 1551 advised to take responsibility for their own security needs, possibly 1552 by encrypting traffic before hand-off to a service provider. 1554 10. Privacy Considerations 1556 Privacy of IETF Network Slice service customers must be preserved. 1557 It should not be possible for one IETF Network Slice customer to 1558 discover the presence of other customers, nor should sites that are 1559 members of one IETF Network Slice be visible outside the context of 1560 that IETF Network Slice. 1562 In this sense, it is of paramount importance that the system use the 1563 privacy protection mechanism defined for the specific underlying 1564 technologies used, including in particular those mechanisms designed 1565 to preclude acquiring identifying information associated with any 1566 IETF Network Slice customer. 1568 11. IANA Considerations 1570 This document makes no requests for IANA action. 1572 12. Informative References 1574 [HIPAA] HHS, "Health Insurance Portability and Accountability Act 1575 - The Security Rule", February 2003, 1576 . 1579 [I-D.ietf-opsawg-sap] 1580 Boucadair, M., Dios, O. G. D., Barguil, S., Wu, Q., and V. 1581 Lopez, "A Network YANG Model for Service Attachment Points 1582 (SAPs)", Work in Progress, Internet-Draft, draft-ietf- 1583 opsawg-sap-02, 22 February 2022, 1584 . 1587 [I-D.ietf-teas-enhanced-vpn] 1588 Dong, J., Bryant, S., Li, Z., Miyasaka, T., and Y. Lee, "A 1589 Framework for Enhanced Virtual Private Network (VPN+) 1590 Services", Work in Progress, Internet-Draft, draft-ietf- 1591 teas-enhanced-vpn-09, 25 October 2021, 1592 . 1595 [I-D.king-teas-applicability-actn-slicing] 1596 King, D., Drake, J., Zheng, H., and A. Farrel, 1597 "Applicability of Abstraction and Control of Traffic 1598 Engineered Networks (ACTN) to Network Slicing", Work in 1599 Progress, Internet-Draft, draft-king-teas-applicability- 1600 actn-slicing-10, 31 March 2021, 1601 . 1604 [I-D.openconfig-rtgwg-gnmi-spec] 1605 Shakir, R., Shaikh, A., Borman, P., Hines, M., Lebsack, 1606 C., and C. Morrow, "gRPC Network Management Interface 1607 (gNMI)", Work in Progress, Internet-Draft, draft- 1608 openconfig-rtgwg-gnmi-spec-01, 5 March 2018, 1609 . 1612 [MACsec] IEEE, "IEEE Standard for Local and metropolitan area 1613 networks - Media Access Control (MAC) Security", 2018, 1614 . 1616 [NGMN-NS-Concept] 1617 NGMN Alliance, "Description of Network Slicing Concept", 1618 https://www.ngmn.org/uploads/ 1619 media/161010_NGMN_Network_Slicing_framework_v1.0.8.pdf , 1620 2016. 1622 [NGMN_SEC] NGMN Alliance, "NGMN 5G Security - Network Slicing", April 1623 2016, . 1626 [PCI] PCI Security Standards Council, "PCI DSS", May 2018, 1627 . 1629 [RFC2681] Almes, G., Kalidindi, S., and M. Zekauskas, "A Round-trip 1630 Delay Metric for IPPM", RFC 2681, DOI 10.17487/RFC2681, 1631 September 1999, . 1633 [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network 1634 Address Translator (Traditional NAT)", RFC 3022, 1635 DOI 10.17487/RFC3022, January 2001, 1636 . 1638 [RFC3135] Border, J., Kojo, M., Griner, J., Montenegro, G., and Z. 1639 Shelby, "Performance Enhancing Proxies Intended to 1640 Mitigate Link-Related Degradations", RFC 3135, 1641 DOI 10.17487/RFC3135, June 2001, 1642 . 1644 [RFC3393] Demichelis, C. and P. Chimento, "IP Packet Delay Variation 1645 Metric for IP Performance Metrics (IPPM)", RFC 3393, 1646 DOI 10.17487/RFC3393, November 2002, 1647 . 1649 [RFC4208] Swallow, G., Drake, J., Ishimatsu, H., and Y. Rekhter, 1650 "Generalized Multiprotocol Label Switching (GMPLS) User- 1651 Network Interface (UNI): Resource ReserVation Protocol- 1652 Traffic Engineering (RSVP-TE) Support for the Overlay 1653 Model", RFC 4208, DOI 10.17487/RFC4208, October 2005, 1654 . 1656 [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", 1657 RFC 4303, DOI 10.17487/RFC4303, December 2005, 1658 . 1660 [RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private 1661 Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February 1662 2006, . 1664 [RFC4397] Bryskin, I. and A. Farrel, "A Lexicography for the 1665 Interpretation of Generalized Multiprotocol Label 1666 Switching (GMPLS) Terminology within the Context of the 1667 ITU-T's Automatically Switched Optical Network (ASON) 1668 Architecture", RFC 4397, DOI 10.17487/RFC4397, February 1669 2006, . 1671 [RFC5212] Shiomoto, K., Papadimitriou, D., Le Roux, JL., Vigoureux, 1672 M., and D. Brungard, "Requirements for GMPLS-Based Multi- 1673 Region and Multi-Layer Networks (MRN/MLN)", RFC 5212, 1674 DOI 10.17487/RFC5212, July 2008, 1675 . 1677 [RFC5440] Vasseur, JP., Ed. and JL. Le Roux, Ed., "Path Computation 1678 Element (PCE) Communication Protocol (PCEP)", RFC 5440, 1679 DOI 10.17487/RFC5440, March 2009, 1680 . 1682 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for 1683 the Network Configuration Protocol (NETCONF)", RFC 6020, 1684 DOI 10.17487/RFC6020, October 2010, 1685 . 1687 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful 1688 NAT64: Network Address and Protocol Translation from IPv6 1689 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, 1690 April 2011, . 1692 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 1693 and A. Bierman, Ed., "Network Configuration Protocol 1694 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, 1695 . 1697 [RFC7679] Almes, G., Kalidindi, S., Zekauskas, M., and A. Morton, 1698 Ed., "A One-Way Delay Metric for IP Performance Metrics 1699 (IPPM)", STD 81, RFC 7679, DOI 10.17487/RFC7679, January 1700 2016, . 1702 [RFC7680] Almes, G., Kalidindi, S., Zekauskas, M., and A. Morton, 1703 Ed., "A One-Way Loss Metric for IP Performance Metrics 1704 (IPPM)", STD 82, RFC 7680, DOI 10.17487/RFC7680, January 1705 2016, . 1707 [RFC7926] Farrel, A., Ed., Drake, J., Bitar, N., Swallow, G., 1708 Ceccarelli, D., and X. Zhang, "Problem Statement and 1709 Architecture for Information Exchange between 1710 Interconnected Traffic-Engineered Networks", BCP 206, 1711 RFC 7926, DOI 10.17487/RFC7926, July 2016, 1712 . 1714 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", 1715 RFC 7950, DOI 10.17487/RFC7950, August 2016, 1716 . 1718 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF 1719 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, 1720 . 1722 [RFC8309] Wu, Q., Liu, W., and A. Farrel, "Service Models 1723 Explained", RFC 8309, DOI 10.17487/RFC8309, January 2018, 1724 . 1726 [RFC8453] Ceccarelli, D., Ed. and Y. Lee, Ed., "Framework for 1727 Abstraction and Control of TE Networks (ACTN)", RFC 8453, 1728 DOI 10.17487/RFC8453, August 2018, 1729 . 1731 [RFC8454] Lee, Y., Belotti, S., Dhody, D., Ceccarelli, D., and B. 1732 Yoon, "Information Model for Abstraction and Control of TE 1733 Networks (ACTN)", RFC 8454, DOI 10.17487/RFC8454, 1734 September 2018, . 1736 [TS23501] 3GPP, "System architecture for the 5G System (5GS)", 1737 3GPP TS 23.501, 2019. 1739 [TS28530] 3GPP, "Management and orchestration; Concepts, use cases 1740 and requirements", 3GPP TS 28.530, 2019. 1742 [TS33.210] 3GPP, "3G security; Network Domain Security (NDS); IP 1743 network layer security (Release 14).", December 2016, 1744 . 1747 Acknowledgments 1749 The entire TEAS Network Slicing design team and everyone 1750 participating in related discussions has contributed to this 1751 document. Some text fragments in the document have been copied from 1752 the [I-D.ietf-teas-enhanced-vpn], for which we are grateful. 1754 Significant contributions to this document were gratefully received 1755 from the contributing authors listed in the "Contributors" section. 1756 In addition we would like to also thank those others who have 1757 attended one or more of the design team meetings, including the 1758 following people not listed elsewhere: 1760 * Aihua Guo 1762 * Bo Wu 1764 * Greg Mirsky 1766 * Lou Berger 1768 * Rakesh Gandhi 1770 * Ran Chen 1772 * Sergio Belotti 1774 * Stewart Bryant 1776 * Tomonobu Niwa 1778 * Xuesong Geng 1780 Further useful comments were received from Daniele Ceccarelli, Uma 1781 Chunduri, Pavan Beeram, Tarek Saad, Kenichi Ogaki, Oscar Gonzalez de 1782 Dios, Xiaobing Niu, Dan Voyer, Igor Bryskin, Luay Jalil, Joel 1783 Halpern, and John Scudder. 1785 This work is partially supported by the European Commission under 1786 Horizon 2020 grant agreement number 101015857 Secured autonomic 1787 traffic management for a Tera of SDN flows (Teraflow). 1789 Contributors 1791 The following authors contributed significantly to this document: 1793 Eric Gray (The original editor of the foundation documents) 1794 Independent 1795 Email: ewgray@graiymage.com 1797 Jari Arkko 1798 Ericsson 1799 Email: jari.arkko@piuha.net 1801 Mohamed Boucadair 1802 Orange 1803 Email: mohamed.boucadair@orange.com 1805 Dhruv Dhody 1806 Huawei, India 1807 Email: dhruv.ietf@gmail.com 1809 Jie Dong 1810 Huawei 1811 Email: jie.dong@huawei.com 1813 Xufeng Liu 1814 Volta Networks 1815 Email: xufeng.liu.ietf@gmail.com 1817 Authors' Addresses 1819 Adrian Farrel (editor) 1820 Old Dog Consulting 1821 United Kingdom 1822 Email: adrian@olddog.co.uk 1824 John Drake 1825 Juniper Networks 1826 United States of America 1827 Email: jdrake@juniper.net 1829 Reza Rokui 1830 Ciena 1831 Email: rrokui@ciena.com 1833 Shunsuke Homma 1834 NTT 1835 Japan 1836 Email: shunsuke.homma.ietf@gmail.com 1837 Kiran Makhijani 1838 Futurewei 1839 United States of America 1840 Email: kiranm@futurewei.com 1842 Luis M. Contreras 1843 Telefonica 1844 Spain 1845 Email: luismiguel.contrerasmurillo@telefonica.com 1847 Jeff Tantsura 1848 Microsoft Inc. 1849 Email: jefftant.ietf@gmail.com