Network Working Group                                          V. Moreno
Internet-Draft                                                  F. Maino
Intended status: Experimental                                   D. Lewis
Expires: August 18, 2014                                        M. Smith
                                                                S. Sinha
                                                           Cisco Systems
                                                       February 14, 2014


         LISP Deployment Considerations in Data Center Networks
              draft-moreno-lisp-datacenter-deployment-00

Abstract

This document discusses scenarios and implications of LISP-based overlay deployment in the Data Center. The alternatives for topological location of the different LISP functions are analyzed in the context of the most prevalent Data Center topologies. The role and deployment of LISP in the Wide Area Network and Data Center Interconnection are also discussed.

Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on August 18, 2014.

Copyright Notice

Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  LISP in the Data Center
   2.  Definition of Terms
   3.  Data Center Network Reference Topologies
   4.  LISP Deployment in Data Center Fabric Topologies
     4.1.  xTR Topological Placement
       4.1.1.  vLeaf nodes as xTRs
       4.1.2.  Disjoint xTR function: vLeaf to Leaf-proxy function separation
       4.1.3.  Full LISP xTR function at Leaf node
     4.2.  Mapping System topological placement
       4.2.1.  Map-Server/Resolver out of band
       4.2.2.  Map-Server/Resolver in-line
   5.  LISP deployment in the DC WAN and Data Center Interconnect
     5.1.  Fabric-WAN handoff: topology, peering and administrative delineation
       5.1.1.  Two-tier Fabric-WAN normalized handoff
       5.1.2.  Single-tier Fabric-WAN handoff
     5.2.  Fabric to WAN interoperability scenarios
       5.2.1.  LISP Fabric to LISP WAN interoperability with common RLOC space
       5.2.2.  LISP Fabric to LISP WAN interoperability with disjoint RLOC spaces
       5.2.3.  Non-LISP Fabric to LISP WAN interoperability
       5.2.4.  LISP Fabric to Non-LISP WAN interoperability
   6.  Security Considerations
   7.  IANA Considerations
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses
1.  LISP in the Data Center

Data Center Networks require support for segmentation, mobility and scale as described in [I-D.ietf-nvo3-overlay-problem-statement]. These requirements can be addressed with the use of overlay networks. The LISP [RFC6830] control plane can be used for the creation of network overlays that support mobility and segmentation at large scale in Layer 2, Layer 3 and combined Layer 2/Layer 3 overlays, as described in [I-D.maino-nvo3-lisp-cp] and [I-D.hertoghs-nvo3-lisp-controlplane-unified].

The needs for overlay-provided services within and across Data Centers are typically different from the needs for Data Center Wide Area Network connectivity. LISP is relevant in both of these areas. The use of LISP as a control protocol for the creation of overlays can be optimized for the specific topologies that are relevant in the context of Data Center Networks within and across Data Centers. This document discusses different deployment options for LISP in the context of different data center topologies; the implications of using the different deployment options are part of the discussion.

Data Center Networks include an intra-Data-Center fabric topology as well as inter-Data-Center and Wide Area Network components. The topologies found inside the Data Center Network fabric are designed in a deterministic manner with a very high degree of symmetry. This high degree of symmetry ensures that a multitude of paths exist between any two end-points in the data center and that these paths are of equal cost and deterministic latency. As a result of such designs, traffic patterns within or across the data center are guaranteed to traverse specific tiers of the network. A reference Data Center Network, inclusive of an intra-Data-Center fabric topology as well as inter-Data-Center and Wide Area Network components, is described in Section 3.

The predictability of the different possible data paths in the Data Center Network opens opportunities for optimizations in the deployment of demand-based control plane models such as LISP. In the specific case of LISP, some of the interesting deployment options are centered around the topological location of the mapping system and the xTRs; equally interesting is the option of separating the LISP control plane from the encapsulation/decapsulation functions in an xTR. Different deployment scenarios are discussed in Section 4 and Section 5.
2.  Definition of Terms

Proxy Reply Mode:  Map-Servers may reply to a map-request directly, rather than forwarding the map-request to the registering ETR.

Fabric Manager:  Orchestration tool in charge of provisioning and monitoring Fabric Network nodes.

WAN Manager:  Orchestration tool in charge of provisioning and monitoring WAN/DCI Network nodes.

For definitions of NVO3 related terms, notably Virtual Network (VN), Virtual Network Identifier (VNI), Network Virtualization Edge (NVE) and Data Center (DC), please consult [I-D.ietf-nvo3-framework].

For definitions of LISP related terms, notably Map-Request, Map-Reply, Ingress Tunnel Router (ITR), Egress Tunnel Router (ETR), Map-Server (MS) and Map-Resolver (MR), please consult the LISP specification [RFC6830].

3.  Data Center Network Reference Topologies

The reference topology that will be used for our discussion is a folded Clos topology. The folded Clos is considered to be the prevalent topology in large-scale data centers requiring the use of overlays. Although other topologies may be utilized within the data center, most such topologies can be modeled as a folded Clos or as a collection of Clos topologies.

The reference Clos topology is illustrated in Figure 1. The connectivity depicted in the diagram is not exhaustive; every Leaf node has at least one connection to every Spine node, effectively providing at least N equal cost paths between any two Leaf nodes, where N is the number of Spine nodes.

   [Figure 1 depicts the folded Clos reference topology: a row of Spine
   nodes, each connected to every Leaf node; a row of Leaf nodes, one of
   which is marked as the bLeaf(s); vLeaf nodes and end-points (V and P)
   attached below the Leaf nodes; and WAN/DCI router(s) attached to the
   bLeaf(s).]

              Figure 1: Folded Clos Data Center Topology

The Clos topology is a multi-stage topology. In the folded Clos instantiation, there is an ingress stage, a middle stage and an egress stage. The elements of the topology are described as:

o  Spine Nodes: Nodes that make up the middle stage of the Clos. In the absence of failures, each Spine Node is connected to every Leaf Node.

o  Leaf Nodes: Nodes that make up the ingress and egress stages of the Clos. Each Leaf Node is connected to every Spine Node. In the case of a link or Spine Node failure, a Leaf Node will remain connected to the surviving Spine Nodes over the remaining healthy links. The fabric will continue to operate under such a condition of partial connectivity.

o  vLeaf Nodes: Virtual Leaf Nodes are network nodes that connect to the Leaf Nodes. vLeaf Nodes are usually in the form of virtual switches/routers running on the physical compute end-point hosts. Many vLeaf nodes may connect to a single Leaf node. Likewise, a vLeaf node may connect to multiple Leaf nodes for redundancy purposes.

o  WAN Routers: Routers attached to Leaf nodes in the Clos topology to provide connectivity outside the Clos over a WAN or Data Center Interconnect (DCI). WAN Routers are usually deployed in pairs for resiliency, and they are also usually attached to at least two Leaf nodes in a redundant topology. WAN routers participate in a Wide Area Network (WAN) or Data Center Interconnect (DCI).

o  bLeaf: Border Leaf nodes are Leaf nodes that attach to the WAN routers.

o  WAN: The Wide Area Network is the network over which client sites as well as Disaster Recovery sites connect to the data center.

o  DCI: The Data Center Interconnect is a Metropolitan Area Network over which multiple Data Centers connect to each other. There is an assumption of bounded latency over the DCI.

o  end-points: Hosts that connect to the Data Center Fabric. End-points can be physical (P) or virtual (V).

o  V: Virtual end-points such as Virtual Machines.

o  P: Physical end-points such as non-virtualized servers.
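The deterministic structure described above can be captured in a very small model. The following Python sketch is illustrative only; the class and attribute names are hypothetical and not part of any LISP or NVO3 specification. It shows the property that any two Leaf nodes are joined by N equal-cost two-hop paths, where N is the number of Spine nodes.

    # Illustrative model of the folded Clos reference topology.
    from dataclasses import dataclass, field
    from typing import Dict, List

    @dataclass
    class FoldedClos:
        spines: List[str]                                   # middle stage
        leaves: List[str]                                   # ingress/egress stage
        bleaves: List[str] = field(default_factory=list)    # subset of leaves
        vleaves: Dict[str, List[str]] = field(default_factory=dict)

        def equal_cost_paths(self, leaf_a: str, leaf_b: str) -> int:
            # Every Leaf connects to every Spine, so two distinct Leaf
            # nodes are joined by one two-hop path per Spine node.
            return len(self.spines) if leaf_a != leaf_b else 0

    fabric = FoldedClos(
        spines=["spine1", "spine2", "spine3"],
        leaves=["leaf1", "leaf2", "leaf3", "leaf4", "bleaf1"],
        bleaves=["bleaf1"],
        vleaves={"leaf1": ["vleaf1", "vleaf2"]},
    )
    assert fabric.equal_cost_paths("leaf1", "leaf3") == 3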
4.  LISP Deployment in Data Center Fabric Topologies

The main LISP functions to be deployed in the Data Center fabric topology are:

o  xTRs

o  Map-Servers

o  Map-Resolvers

The Map-Server and Map-Resolver functions will generally be co-located on the same network nodes; we will refer to the co-located function as Map-Server/Resolver.

4.1.  xTR Topological Placement

LISP xTRs perform both Data Plane and Control Plane tasks. From the Data Plane perspective, the xTRs are tasked with encapsulating (ITRs) or decapsulating (ETRs) traffic. From the Control Plane perspective, the tasks of registering mappings and requesting/caching mappings are handled by the ETRs and ITRs respectively.

It is possible to split the roles of ETR and ITR across different network nodes. The most prevalent deployment model combines the roles of ETR and ITR on a single device. We will focus our discussion on the combined ETR/ITR model. A device that serves as both ETR and ITR is generally referred to as an xTR.

It is also possible to split the Data Plane and Control Plane responsibilities and distribute them across different network nodes. Some of the deployment options enabled by this separation are discussed in the following sections.

4.1.1.  vLeaf nodes as xTRs

The full xTR function, including both Control and Data Plane, can be deployed at the vLeaf nodes. The entire Clos, including Leaf nodes and Spine nodes, simply serves as an underlay transport to the LISP overlay.

The advantage of distributing the xTR role to the vLeaf is mainly that the map-cache state at each xTR is minimized by virtue of it being distributed to a larger number of nodes. Amongst the challenges are:

o  Operational implications of managing a larger number of overlay end-points.

o  A large number of xTRs sending requests and registrations to the mapping system has implications on the scale requirements and limits of the mapping system (servers and resolvers).

o  vLeaves do not service non-virtualized Physical end-points.

4.1.2.  Disjoint xTR function: vLeaf to Leaf-proxy function separation

The control and data plane tasks can be separated and distributed amongst Leaf and vLeaf. In this approach the vLeaf can retain the Data Plane encap/decap function while the LISP signaling is done by the Leaf. Thus, the Leaf will proxy the signaling for the vLeaf nodes connected to it as follows:

o  Map-register messages will be issued by the Leaf with the corresponding RLOC addresses of the vLeaf nodes.

o  Map-request messages will be sent by the ITR vLeaf to its upstream Leaf and then relayed by the Leaf to the Map-resolver on behalf of the vLeaf.

o  The mapping system, when not in proxy reply mode, will forward the map-request directly to the RLOC of the vLeaf node with which the EID being requested was registered.

o  Map-reply messages will be sent to the requesting Leaf and then relayed to the corresponding vLeaf, where the mapping is cached.

This scheme allows the caching of state to remain fully distributed and also enables more granular distribution of the mappings amongst a larger number of ETRs. The scheme also allows the consolidation of the signaling at the Leaf nodes, where map-registers and map-requests can be batched.

The scheme does, however, present the challenge of maintaining mappings in the mapping system for an increased number of xTRs, since the mapping system will track the larger number of xTRs at the vLeaf level rather than the smaller number of xTRs at the Leaf level. This can be alleviated by fully proxying the vLeaf LISP functions at the Leaf, as discussed in Section 4.1.3.
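The Leaf-proxy signaling relay described above can be sketched as follows. This Python fragment is a minimal, hypothetical illustration: the message dictionaries, the "send" callback and the class name do not correspond to any particular LISP implementation or message encoding.

    # Hypothetical sketch of the Leaf proxying LISP signaling for its
    # attached vLeaf nodes (Section 4.1.2).
    class LeafProxy:
        def __init__(self, map_server, map_resolver):
            self.map_server = map_server      # address of the Map-Server
            self.map_resolver = map_resolver  # address of the Map-Resolver
            self.pending = {}                 # (iid, eid) -> requesting vLeaf RLOC

        def register_vleaf_eids(self, vleaf_rloc, eids, instance_id, send):
            # The Leaf issues the map-register, but the RLOC it registers
            # is the vLeaf's, so data plane traffic remains vLeaf-to-vLeaf.
            for eid in eids:
                send(self.map_server, {"type": "map-register",
                                       "iid": instance_id,
                                       "eid": eid,
                                       "rloc": vleaf_rloc})

        def relay_map_request(self, vleaf_rloc, eid, instance_id, send):
            # Map-requests from the vLeaf are relayed (and can be batched)
            # by the Leaf towards the Map-resolver.
            self.pending[(instance_id, eid)] = vleaf_rloc
            send(self.map_resolver, {"type": "map-request",
                                     "iid": instance_id, "eid": eid})

        def relay_map_reply(self, reply, send):
            # Map-replies return to the Leaf and are relayed to the vLeaf,
            # where the mapping is cached.
            vleaf_rloc = self.pending.pop((reply["iid"], reply["eid"]), None)
            if vleaf_rloc is not None:
                send(vleaf_rloc, reply)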
4.1.3.  Full LISP xTR function at Leaf node

Both the data plane and control plane xTR functions may reside on the Leaf nodes. This deployment model leverages the LISP control plane without any changes and enables interworking of different hypervisor overlays across a normalized LISP fabric.

vLeaf nodes may encapsulate traffic into the Fabric in different ways (802.1Q, VXLAN, NVGRE, etc.), depending on the hypervisor they may use. It is the role of the Leaf node, in this model, to terminate any encapsulation being used by the vLeaf nodes, extract any metadata information, such as the VNID [I-D.ietf-nvo3-framework], from the headers imposed at the vLeaf nodes, and normalize the different encapsulations received from different vLeaf nodes to a common LISP encapsulation amongst Leaf nodes. The LISP encapsulation at the Leaf nodes will encode the VNIDs extracted from the encapsulated vLeaf traffic as instance-ids in the LISP overlay.

The mapping of the VNIDs imposed by the vLeaf nodes to LISP instance-ids is provisioned at each Leaf/xTR node either manually or by an automated provisioning system linked to an orchestration system with visibility into the different hypervisor overlays and the LISP overlay.

The ability to normalize different hypervisor overlays is predicated on the use and exchange of Universally Unique Identifiers (UUIDs) as the constant parameter identifying a common segment across different overlay administrative domains that may use a variety of VNIDs to encapsulate traffic for the same segment. The assignment and administration of tenant UUIDs is an important orchestration task and is outside the scope of this document.
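The normalization performed at the Leaf can be thought of as a simple provisioned table lookup. The sketch below is illustrative only: the table contents, the UUID value and the function name are hypothetical examples and do not define a provisioning schema.

    # Illustrative VNID-to-instance-id normalization at a Leaf acting as
    # a full xTR (Section 4.1.3).  One tenant segment, identified by a
    # UUID, may be carried with different VNIDs by different hypervisor
    # overlays; the Leaf maps whatever it receives to one instance-id.
    SEGMENT_UUID = "6fa0e2c4-0d1e-4c1c-9a56-0d7cbb6a0001"   # example value

    vnid_to_instance_id = {
        # (encapsulation seen from the vLeaf, VNID/VLAN value) -> LISP iid
        ("vxlan", 5001): 10001,
        ("nvgre", 6001): 10001,
        ("802.1q", 120): 10001,
    }

    def normalize(encap: str, vnid: int) -> int:
        """Return the LISP instance-id to use on the fabric-facing side."""
        try:
            return vnid_to_instance_id[(encap, vnid)]
        except KeyError:
            raise ValueError(f"no instance-id provisioned for {encap}/{vnid}")

    # Traffic arriving from two different hypervisor overlays for the same
    # tenant segment is re-encapsulated with the same instance-id.
    assert normalize("vxlan", 5001) == normalize("nvgre", 6001) == 10001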
4.2.  Mapping System topological placement

Within the data center, we will assume that the functions of map-server and map-resolver are co-located on the same nodes. We will refer to such nodes as Map-Server/Resolvers.

Resiliency is important in the deployment of Map-Server/Resolvers for the Data Center. Multiple Map-Server/Resolvers must be deployed for redundancy. Depending on the topological location of the Map-Server/Resolver nodes, there may be different deployment requirements to achieve appropriate reachability to the multiple Map-Server/Resolvers involved.

4.2.1.  Map-Server/Resolver out of band

The Map-Server/Resolver function can be deployed out of band on one or more network nodes that are either reachable in the WAN or attached to a Leaf as end-points but are not part of the Clos topology. Out of band Map-Server/Resolvers will only be exposed to control plane traffic.

Clusters of Map-Server/Resolver nodes can be deployed by having ETRs register to multiple Map-Server addresses and ITRs issue map-requests to an anycast address that is shared by the map-resolver function of the Map-Server/Resolver nodes in the cluster. Thus, the map-resolver function can use a common anycast IP address across all Map-Server/Resolver nodes, while separate unicast IP addresses are assigned to the map-server component in each node. ETRs registering to the map-servers should be configured to send map-registers to all map-server IP addresses. ITRs should issue map-requests to the shared anycast IP address of the map-resolver component of the cluster.

Alternatively, clusters of Map-Server/Resolver nodes can be deployed by having ETRs register to one Map-Server and using an alternate mechanism to synchronize this registration across all Map-Servers in the cluster. In this case ETRs will be configured to register to a single IP address; this would likely be a shared anycast IP address amongst the Map-Servers in order to ensure resiliency. ITRs will continue to issue requests to a Map-Resolver shared anycast IP address.

The creation of Map-Server/Resolver resiliency clusters based on IP addressing is a topologically agnostic deployment model, which fits the out of band model well and gives a high degree of flexibility for the deployment of the necessary mapping system nodes.
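The first clustering model (register to all map-servers, resolve via a shared anycast address) can be summarized by the following sketch. It is illustrative only: the addresses are documentation prefixes chosen for the example, and the "send" callback stands in for whatever transport an implementation uses.

    # Hypothetical addressing sketch for an out-of-band Map-Server/Resolver
    # cluster (Section 4.2.1).
    MAP_SERVER_UNICAST = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]  # one per node
    MAP_RESOLVER_ANYCAST = "192.0.2.100"   # shared by the map-resolver function

    def etr_send_registrations(eid_records, send):
        # Each ETR registers every EID record with every map-server unicast
        # address so that all cluster members hold the same registrations.
        for ms in MAP_SERVER_UNICAST:
            for record in eid_records:
                send(ms, {"type": "map-register", **record})

    def itr_resolve(eid, instance_id, send):
        # ITRs always query the shared anycast address; the topologically
        # closest map-resolver in the cluster answers.
        send(MAP_RESOLVER_ANYCAST, {"type": "map-request",
                                    "iid": instance_id, "eid": eid})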
4.2.2.  Map-Server/Resolver in-line

The Map-Server/Resolver function can be deployed in-line on one or more network nodes that participate in the Clos topology, either as Spine nodes or Leaf nodes. In-line Map-Server/Resolvers will receive both Control Plane and Data Plane traffic.

4.2.2.1.  Map-Server/Resolver at the Spine

The Map-Server/Resolver function can be deployed on Spine nodes. In order to guarantee resiliency, Map-Server/Resolvers are deployed on at least two Spine nodes, but preferably on all Spine nodes.

Any map-register messages must be sent to all Map-Server/Resolver enabled Spine nodes in order to ensure synchronization of the mapping system. Therefore, in a system where all Spine nodes host the Map-Server/Resolver functionality, all Spine nodes will have complete mapping state for all EIDs in the fabric. Alternatively, map-register messages can be sent to a single Map-Server and the state may be relayed by other methods to the other Map-Servers in the Spine.

When all Spine nodes host the Map-Server/Resolver functionality, all data plane traffic that cuts across different Leaf nodes will traverse a Spine node that has the full LISP mapping state for the fabric. In this deterministic topology it is possible to avoid the transient drops that may occur when looking up destinations that have not been previously cached at the ITRs.

In order to avoid transient drops during Mapping System lookups, ITRs (Leaf or vLeaf nodes) without a pre-existing cache entry for a particular destination must encapsulate and forward the traffic with the unknown destination to the Spine. Since the Spine has full location information, it knows which ETR to send the traffic to, so it encapsulates and forwards the traffic accordingly. Simultaneously, the ITR may send a map-request to the anycast address for the map-resolvers that are present across the Spine. The ITR will continue to send the traffic for the unknown destination towards the Spine until a mapping for the destination is received in a map-reply and cached at the ITR, at which point the ITR will start encapsulating traffic directly to the appropriate ETR.

In order to forward traffic for unknown destinations to the Spine, the ITR must LISP encapsulate the unknown destination traffic towards the anycast IP address configured for the map-resolver function on the Spine nodes, or it may hash the traffic to select a discrete RLOC for a specific Spine node. It is important that traffic be LISP encapsulated in order to preserve the semantics of the instance-id and other parameters that may be encoded in the LISP header.

An alternative implementation could leverage the data plane traffic in order to reduce the amount of control plane messages that are exchanged. For instance, when traffic with unknown destinations is sent to the Spine, rather than waiting to receive a map-request for the unknown destination, the Spine could react to the reception of the unknown destination data plane traffic by sending a map-reply to the source ITR with the mappings for the corresponding unknown destination. This effectively replaces the map-request messaging with data plane events. Either way this is implemented, the main benefit of the deployment model is the ability to avoid packet drops while mapping system lookups are completed.

4.2.2.2.  Map-Server/Resolver at Leaf nodes

The Map-Server/Resolver function could be deployed at Leaf nodes. In this scenario it may be beneficial to make the different Leaf hosted Map-Server/Resolvers authoritative for specific prefixes or instance-ids (VNIs) and allow the distribution of the mapping state across the different Leaf nodes.

One mechanism to achieve the distribution of the mapping state across the different Leaf nodes is to have different Leaf nodes be the authority for a particular prefix or instance-id in a Delegated Database Tree (DDT) [I-D.ietf-lisp-ddt]. The Leaf nodes can be arranged in pairs for redundancy, and the association of a particular prefix or instance-id with specific Leaf nodes is achieved by configuration of the Leaf nodes and the DDT.

This type of in-line deployment of the Map-Server/Resolver could, in theory, also provide a no-drop LISP lookup service at the expense of maintaining all LISP mapping state at all Leaf nodes. In the case of a no-drop LISP lookup service, the Map-Server/Resolver function would be deployed in the same way as explained for deployment in the Spine, and the system would therefore not benefit from the distribution of state at the Leaf nodes.
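The ITR forwarding behavior that yields the no-drop property of Section 4.2.2.1 can be sketched as follows. This is a minimal illustration under stated assumptions: the cache structure, the anycast RLOC value and the helper callbacks are hypothetical and are not implementation guidance.

    # Illustrative ITR behavior for unknown destinations (Section 4.2.2.1).
    SPINE_ANYCAST_RLOC = "192.0.2.100"   # anycast map-resolver address on the Spine

    map_cache = {}   # (instance_id, eid) -> RLOC of the owning ETR

    def itr_forward(packet, instance_id, encapsulate, send_map_request):
        """Forward a packet without dropping it while a lookup is in flight."""
        key = (instance_id, packet["dst"])
        rloc = map_cache.get(key)
        if rloc is not None:
            # Known destination: encapsulate straight to the ETR.
            encapsulate(packet, instance_id, rloc)
            return
        # Unknown destination: LISP-encapsulate towards the Spine, which
        # holds full mapping state and re-forwards to the correct ETR,
        # and resolve the mapping in parallel.
        encapsulate(packet, instance_id, SPINE_ANYCAST_RLOC)
        send_map_request(instance_id, packet["dst"])

    def on_map_reply(instance_id, eid, rloc):
        # Once the map-reply is cached, subsequent packets go direct.
        map_cache[(instance_id, eid)] = rloc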
5.  LISP deployment in the DC WAN and Data Center Interconnect

The placement of IP workloads within and across Data Centers has a high degree of entropy, which renders existing topology-congruent routing summarization methods ineffective in containing the explosion of routing state in the Data Center WAN and Data Center Interconnect. The problem of entropy in the placement of workloads across Data Centers is analogous to the challenge of prefix disaggregation found on the Internet. The seminal motivation behind the development of LISP was the mitigation of the scale issues caused by the disaggregation of user prefixes in the Internet. The multi-Data-Center problem is of a similar nature; hence, LISP is a very good fit to address this scaling problem.

In the WAN, LISP will be in charge of handling reachability information between Branch sites and IP workloads that are distributed across different Data Centers. The use of LISP allows the scalable handling of very granular location information as IP workloads are deployed in diverse Data Centers. The LISP WAN environment is usually a single management domain, while the diverse Data Centers involved may be managed independently. This diversity of management domains is a key deployment consideration in the WAN and DCI connectivity scenarios and requires a certain level of federation between the different domains, as will be discussed in the next few sections.

In the Data Center Interconnect (DCI), LISP provides reachability and policies (such as inbound load-balancing) between Data Centers for those cases in which IP workloads must communicate with each other across Data Centers. The communication may happen between Data Centers in independent administrative domains, with a single administrative domain being a more specific instantiation of the general case.

In the WAN and DCI, as inside the Data Center, the main LISP functions to deploy are:

o  xTRs

o  Map-Servers

o  Map-Resolvers

o  PxTRs

Map-Servers/Map-Resolvers will be distributed across Data Centers and over the WAN following the DDT model. DDT prefix delegation provides a way to partition different administrative domains, providing a very basic form of federation.

xTRs will normally be deployed at the edge of the Data Center on the WAN/DCI routers.

PxTR location may vary, but in general PxTRs will be placed as close as possible to Internet gateways or other non-LISP-speaking sources. See [RFC6832] for considerations on interworking with non-LISP sites.

Particularly interesting in the deployment of LISP is the type of handoff between the Data Center Fabric and the devices providing the WAN/DCI services. Different handoff options are discussed in Section 5.1. Of further relevance is the careful evaluation of the different interoperability scenarios between the Data Center Fabric and the WAN/DCI that are discussed in Section 5.2.

5.1.  Fabric-WAN handoff: topology, peering and administrative delineation

There are two approaches to realizing the handoff between the Fabric and the WAN:

o  Two-tier: Border-Leaf to WAN-router peering

o  Single-tier: Consolidated border-Leaf/WAN-router function

5.1.1.  Two-tier Fabric-WAN normalized handoff

In the two-tier approach the border-Leaf and WAN-router peer over a normalized handoff. There is clear administrative delineation at the handoff between Fabric and WAN: the Fabric Manager is authoritative solely over the border-Leaf, and the WAN Manager is authoritative solely over the WAN-router.

The border-Leaf and WAN-router may enter a peering relationship and exchange routes and other attributes of their respective overlay services.

Segments (VNs) in the Fabric overlay will map at the border-Leaf to a normalized segment over the handoff, which can be realized by use of VRFs or VLANs interconnected over an 802.1Q trunked set of links, or over an overlay encapsulation such as VXLAN, GRE, NVGRE, MPLS, LISP or other. These segments will in turn be mapped at the WAN-router to their corresponding segments in the WAN service (for example, a VRF in an IP MPLS VPN or a VRF/instance-id segment in LISP).

Reachability and other information can be exchanged between the border-Leaf nodes and the WAN routers over the normalized handoff using an extensible routing protocol such as MP-BGP or IS-IS.
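The two-stage segment mapping across the normalized handoff can be pictured with the following sketch. The table values, VLAN numbers, VRF names and service labels are hypothetical examples, not a recommended numbering plan.

    # Hypothetical sketch of segment normalization across a two-tier
    # Fabric-WAN handoff (Section 5.1.1).

    # At the border-Leaf: fabric segment -> normalized handoff segment.
    fabric_to_handoff = {
        # LISP instance-id in the fabric -> 802.1Q VLAN and handoff VRF
        10001: {"vlan": 2001, "vrf": "tenant-green"},
        10002: {"vlan": 2002, "vrf": "tenant-blue"},
    }

    # At the WAN-router: normalized handoff segment -> WAN service segment.
    handoff_to_wan = {
        2001: {"service": "mpls-vpn", "rd": "65000:2001"},
        2002: {"service": "lisp-wan", "instance_id": 20002},
    }

    def wan_segment_for_fabric_iid(iid: int) -> dict:
        """Resolve the end-to-end mapping: fabric segment -> WAN segment."""
        handoff = fabric_to_handoff[iid]
        return handoff_to_wan[handoff["vlan"]]

    # A fabric tenant carried as instance-id 10001 ends up in the
    # corresponding IP MPLS VPN on the WAN side of the handoff.
    assert wan_segment_for_fabric_iid(10001)["service"] == "mpls-vpn"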
5.1.2.  Single-tier Fabric-WAN handoff

In the single-tier approach, the border-Leaf and the WAN-router are the same device. Mapping of segments (VNs) in one domain to segments in the other domain is achieved by sharing certain components between the two domains. One good example is a VRF that routes traffic between the Fabric overlay domain and the WAN overlay domain at the consolidated border-Leaf/WAN-router device.

The device that consolidates the border-Leaf and WAN-router roles is managed by two entities: the Fabric Manager and the WAN Manager. Delineation of management authority must be established carefully and precisely to separate WAN relevant elements within the device from Fabric relevant elements and their corresponding administration. There will be a series of common components where the mapping between the domains happens (e.g. VRFs). Policy to resolve any conflicts related to the administration of common components in the handoff must be in place.

5.2.  Fabric to WAN interoperability scenarios

5.2.1.  LISP Fabric to LISP WAN interoperability with common RLOC space

To integrate a LISP based Fabric with the LISP WAN it is possible to merge the Fabric LISP domain with the WAN LISP domain. To achieve this, the Map-Server/Resolvers for the Fabric can join the DDT structure in the WAN. The merging of the domains assumes that the Fabric ITR/Leaf nodes are reachable in the underlay (RLOC space) from the WAN.

In this model the xTRs are the Fabric Leaf nodes as well as the Branch Routers at the different WAN sites, and an end-to-end overlay is realized between xTRs cutting across WAN and Fabric.

Although the domains are merged into one, the hierarchical structure of the DDT provides some isolation of the control plane as well as failure isolation. The granular state for the Fabric is maintained solely on the Fabric Map-Server/Resolvers, and LISP signaling for the Fabric xTRs will be scoped to and serviced by the Fabric Map-Server/Resolvers.

Where the domain isolation achieved with this model is not sufficient for specific deployments, it is possible to follow the model described for a disjoint RLOC space in Section 5.2.2, even if the RLOC space is contiguous.
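How DDT delegation scopes the Fabric's state inside a merged domain can be sketched as a single level of prefix delegation. The prefixes, instance-ids and node addresses below are hypothetical examples; the actual DDT referral machinery is specified in [I-D.ietf-lisp-ddt].

    # Illustrative delegation of the data center's EID space (per
    # instance-id) to the Fabric Map-Server/Resolvers (Section 5.2.1).
    import ipaddress

    ddt_delegations = [
        # instance-id and EID prefix -> authoritative Map-Server/Resolvers
        {"iid": 10001, "prefix": "10.1.0.0/16", "ms": ["192.0.2.11", "192.0.2.12"]},
        {"iid": 10002, "prefix": "10.2.0.0/16", "ms": ["192.0.2.21", "192.0.2.22"]},
    ]

    def find_authoritative_ms(iid: int, eid: str):
        """Longest-match walk over one level of the delegation hierarchy."""
        best = None
        for entry in ddt_delegations:
            net = ipaddress.ip_network(entry["prefix"])
            if entry["iid"] == iid and ipaddress.ip_address(eid) in net:
                if best is None or net.prefixlen > ipaddress.ip_network(best["prefix"]).prefixlen:
                    best = entry
        return best["ms"] if best else None

    # A map-request for an EID in the delegated space is referred to the
    # Fabric's own Map-Server/Resolvers; WAN DDT nodes keep no host state.
    assert find_authoritative_ms(10001, "10.1.20.5") == ["192.0.2.11", "192.0.2.12"]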
5.2.2.  LISP Fabric to LISP WAN interoperability with disjoint RLOC spaces

There are scenarios in which the RLOC space in the Fabric is not part of the WAN routing space. In these scenarios the LISP overlay realized inside the Fabric must terminate at the border of the Fabric and should be mapped to a WAN overlay that terminates at the border of the WAN.

The handoff between the two domains may be a single-tier handoff. In this case, the WAN/DCI device and the bLeaf are the same device. The WAN/DCI device will be an xTR in two domains: Fabric and WAN/DCI. In one deployment model the xTR may receive Map-Notifications from the WAN Mapping System and these may trigger registrations into the Fabric Mapping System, and vice versa. This model basically uses the xTR as an exchange point between the two LISP control plane instances. From the data plane perspective the xTR acts as an RTR (Re-encapsulating Tunnel Router).

A different deployment model may rely heavily on Mapping System intelligence and may assume that the mapping systems are federated and that the location of the requesting ITR gives the mapping system enough context to provide map-replies that will steer traffic to the appropriate RTRs as packets progress through the different Data Center edges.

In the disjoint RLOC scenario, the handoff between the two domains may alternatively be a two-tier handoff with separate border-Leaf and WAN-router devices. The exchange of routing information between the bLeaf and WAN-router may be achieved by dynamic routing protocols such as MP-BGP or IS-IS. The routes received by either device must be registered into the respective mapping system. Similarly, any mappings in one domain must be advertised as routes on the handoff to the other domain. When the LISP implementation does not support redistribution of routes into LISP and the converse redistribution of mappings into routing protocols, the use of static routes and static mappings can help the interoperability of the two domains.
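The single-tier "exchange point" model can be sketched as follows. This is an illustrative assumption-laden fragment: the RLOC values, the "register" callback and the triggering of cross-registration by Map-Notify messages follow the deployment model described above rather than any specific product behavior.

    # Hypothetical sketch of a single-tier bLeaf/WAN xTR acting as an
    # exchange point between two LISP control plane instances
    # (Section 5.2.2).
    FABRIC_RLOC = "198.51.100.1"   # this xTR's RLOC inside the Fabric
    WAN_RLOC = "203.0.113.1"       # this xTR's RLOC in the WAN/DCI

    def on_map_notify(notify, source_domain, register):
        """Relay a registration learned in one domain into the other."""
        if source_domain == "wan":
            # EID reachable via the WAN: make it resolvable inside the
            # Fabric, pointing at this device so it can re-encapsulate.
            register("fabric", eid=notify["eid"], iid=notify["iid"],
                     rloc=FABRIC_RLOC)
        else:
            # EID registered in the Fabric: expose it to the WAN domain.
            register("wan", eid=notify["eid"], iid=notify["iid"],
                     rloc=WAN_RLOC)

    # In the data plane the same device behaves as an RTR: traffic
    # arriving encapsulated to FABRIC_RLOC is decapsulated, looked up in
    # the WAN domain and re-encapsulated towards the WAN-side locator,
    # and the reverse for traffic arriving on WAN_RLOC.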
5.2.3.  Non-LISP Fabric to LISP WAN interoperability

In order to support mobility, Data Center Fabrics are either built as pure Layer 2 Fabrics or, when built as Layer 3 networks, they rely on host routing to achieve mobility in the routed Fabric. The implication of the use of Layer 3 in the Fabric is that every Leaf will advertise host routes for the devices that are directly connected to the Leaf, and all Leaf nodes will hold complete state for all end-points that attach to the fabric.

When multiple Fabrics are interconnected with a DCI/WAN service, end-points that are reachable outside the fabric can be represented inside the fabric by a default route advertised by the bLeaves into the Fabric. The routing is thus made up of specific host routes for end-points attached to the local Fabric; any end-points attached to other Fabrics will not be known specifically, but are assumed to be reachable via the default route that points to the bLeaf. Another way of describing this model is to simply state that all local end-points are explicitly known and that traffic destined to any unknown destinations will be forwarded by default to the bLeaf.

The bLeaf can be a LISP xTR (in the single-tier model), in which case it receives the default-routed traffic, issues map-requests for it, and encapsulates it to the appropriate destination as the traffic is received. Alternatively, the bLeaf may hand off the traffic to a WAN/DCI router that provides the required xTR functionality.

The advantages of this model are several:

o  Remote state is kept out of the local fabric by using default routing.

o  xTRs in the LISP WAN/DCI only resolve and cache mappings for active flows, as expected of an on-demand control plane.

o  Host routes terminate at the bLeaf and are kept outside of the routing tables in the WAN/DCI, as they are handled by LISP instead.

5.2.4.  LISP Fabric to Non-LISP WAN interoperability

In this scenario, the prefixes handled by LISP inside the Fabric must be advertised to the non-LISP WAN/DCI. In order to do so, the bLeaf must be able to pull all EIDs that are registered with the Fabric's mapping system and advertise these EIDs in a routing protocol.

If the EIDs are easily summarizable, it may be sufficient to simply add a static route at the bLeaf. More generally, the EIDs may not be easily summarizable and may even change dynamically. When the EIDs are not summarizable or static, a mechanism for the bLeaf to subscribe to the mapping system and download all EIDs dynamically is required. Since LISP does not provide such a subscription service, one option is to run a push protocol such as BGP between the mapping system and the bLeaf: since all registered EIDs are known at the Map-Server/Resolver, the Map-Server/Resolver may redistribute these EIDs into BGP, and the required information may be advertised over BGP to the xTRs on the bLeaves. Another option is for the Map-Server/Resolver to be located at the bLeaves and have the EIDs redistributed from LISP into a routing protocol on the same device.
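The push of registered EIDs towards the non-LISP WAN can be sketched as follows. The "advertise" and "withdraw" hooks stand in for whatever BGP (or other routing protocol) integration a platform actually provides; the EID values are hypothetical examples.

    # Illustrative redistribution of registered EIDs towards a non-LISP
    # WAN (Section 5.2.4).
    import ipaddress

    registered_eids = {
        # EIDs currently registered with the Fabric mapping system
        "10.1.20.5/32", "10.1.20.6/32", "10.1.40.7/32",
    }

    def redistribute_into_bgp(advertise):
        """Originate one route per registered EID (host routes in general,
        since workload placement is not summarizable)."""
        for eid in sorted(registered_eids):
            advertise(ipaddress.ip_network(eid))

    def on_register(eid, advertise):
        # New registrations are pushed towards the bLeaf/WAN as they appear.
        registered_eids.add(eid)
        advertise(ipaddress.ip_network(eid))

    def on_deregister(eid, withdraw):
        registered_eids.discard(eid)
        withdraw(ipaddress.ip_network(eid))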
6.  Security Considerations

[I-D.ietf-lisp-sec] defines a set of security mechanisms that provide origin authentication, integrity and anti-replay protection to LISP's EID-to-RLOC mapping data conveyed via the mapping lookup process. LISP-SEC also enables verification of authorization on EID-prefix claims in Map-Reply messages.

Additional security mechanisms to protect the LISP Map-Register messages are defined in [RFC6833].

The security of the Mapping System Infrastructure depends on the particular mapping database used. The [I-D.ietf-lisp-ddt] specification, as an example, defines a public-key based mechanism that provides origin authentication and integrity protection to the LISP DDT protocol.

7.  IANA Considerations

This document has no IANA implications.

8.  Acknowledgements

The authors want to thank Yves Hertoghs for the early review, insightful comments and suggestions.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

9.2.  Informative References

   [I-D.farinacci-lisp-mr-signaling]  Farinacci, D. and M. Napierala, "LISP Control-Plane Multicast Signaling", draft-farinacci-lisp-mr-signaling-03 (work in progress), September 2013.

   [I-D.hertoghs-nvo3-lisp-controlplane-unified]  Hertoghs, Y., Maino, F., Moreno, V., Smith, M., Farinacci, D., and L. Iannone, "A Unified LISP Mapping Database for L2 and L3 Network Virtualization Overlays", draft-hertoghs-nvo3-lisp-controlplane-unified-01 (work in progress), February 2014.

   [I-D.ietf-lisp-ddt]  Fuller, V., Lewis, D., Ermagan, V., and A. Jain, "LISP Delegated Database Tree", draft-ietf-lisp-ddt-01 (work in progress), March 2013.

   [I-D.ietf-lisp-lcaf]  Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical Address Format (LCAF)", draft-ietf-lisp-lcaf-04 (work in progress), January 2014.

   [I-D.ietf-lisp-sec]  Maino, F., Ermagan, V., Cabellos-Aparicio, A., Saucez, D., and O. Bonaventure, "LISP-Security (LISP-SEC)", draft-ietf-lisp-sec-05 (work in progress), October 2013.

   [I-D.ietf-nvo3-dataplane-requirements]  Bitar, N., Lasserre, M., Balus, F., Morin, T., Jin, L., and B. Khasnabish, "NVO3 Data Plane Requirements", draft-ietf-nvo3-dataplane-requirements-02 (work in progress), November 2013.

   [I-D.ietf-nvo3-framework]  Lasserre, M., Balus, F., Morin, T., Bitar, N., and Y. Rekhter, "Framework for DC Network Virtualization", draft-ietf-nvo3-framework-05 (work in progress), January 2014.

   [I-D.ietf-nvo3-nve-nva-cp-req]  Kreeger, L., Dutt, D., Narten, T., and D. Black, "Network Virtualization NVE to NVA Control Protocol Requirements", draft-ietf-nvo3-nve-nva-cp-req-01 (work in progress), October 2013.

   [I-D.ietf-nvo3-overlay-problem-statement]  Narten, T., Gray, E., Black, D., Fang, L., Kreeger, L., and M. Napierala, "Problem Statement: Overlays for Network Virtualization", draft-ietf-nvo3-overlay-problem-statement-04 (work in progress), July 2013.

   [I-D.maino-nvo3-lisp-cp]  Maino, F., Ermagan, V., Hertoghs, Y., Farinacci, D., and M. Smith, "LISP Control Plane for Network Virtualization Overlays", draft-maino-nvo3-lisp-cp-03 (work in progress), October 2013.

   [I-D.smith-lisp-layer2]  Smith, M., Dutt, D., Farinacci, D., and F. Maino, "Layer 2 (L2) LISP Encapsulation Format", draft-smith-lisp-layer2-03 (work in progress), September 2013.

   [RFC6830]  Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The Locator/ID Separation Protocol (LISP)", RFC 6830, January 2013.

   [RFC6831]  Farinacci, D., Meyer, D., Zwiebel, J., and S. Venaas, "The Locator/ID Separation Protocol (LISP) for Multicast Environments", RFC 6831, January 2013.

   [RFC6832]  Lewis, D., Meyer, D., Farinacci, D., and V. Fuller, "Interworking between Locator/ID Separation Protocol (LISP) and Non-LISP Sites", RFC 6832, January 2013.

   [RFC6833]  Fuller, V. and D. Farinacci, "Locator/ID Separation Protocol (LISP) Map-Server Interface", RFC 6833, January 2013.

   [RFC6836]  Fuller, V., Farinacci, D., Meyer, D., and D. Lewis, "Locator/ID Separation Protocol Alternative Logical Topology (LISP+ALT)", RFC 6836, January 2013.

Authors' Addresses

   Victor Moreno
   Cisco Systems
   170 Tasman Drive
   San Jose, California  95134
   USA

   Email: vimoreno@cisco.com


   Fabio Maino
   Cisco Systems
   170 Tasman Drive
   San Jose, California  95134
   USA

   Email: fmaino@cisco.com


   Darrel Lewis
   Cisco Systems
   170 West Tasman Dr.
   San Jose, California  95134
   USA

   Email: darlewis@cisco.com


   Michael Smith
   Cisco Systems
   170 West Tasman Dr.
   San Jose, California  95134
   USA

   Email: michsmit@cisco.com


   Satyam Sinha
   Cisco Systems
   170 West Tasman Dr.
   San Jose, California  95134
   USA

   Email: satysinh@cisco.com