HI Lucy: If I am offering a tenant a combined L2/L3 service that includes multicast then I am not sure what multicast specific policies I would be enforcing, other than perhaps saving the tenant from themselves.
If the VN connects to the internet, not sure I'd offer multicast as part of the service, nor for tenant extranets .... My initial reaction was that there was a lot of other things that needed to work to implement L3 multicast before we started considering policy....and use cases for policy did not leap out at me.... I hope this helps Dave -----Original Message----- From: Lucy yong [mailto:[email protected]] Sent: Wednesday, November 20, 2013 1:18 PM To: David Allan I; Erik Nordmark; Thomas Narten Cc: [email protected]; Linda Dunbar Subject: RE: [nvo3] Fwd: Arch: proposed text for Combined L2/L3 Service See inline. -----Original Message----- From: David Allan I [mailto:[email protected]] Sent: Wednesday, November 20, 2013 1:40 AM To: Lucy yong; Erik Nordmark; Thomas Narten Cc: [email protected]; Linda Dunbar Subject: RE: [nvo3] Fwd: Arch: proposed text for Combined L2/L3 Service I believe you are over complicating this. There are L2 multicast frames that have no L3 significance and are confined to the L2 broadcast domain. And there are L3 multicast frames that are also multicast or broadcast in the L2 domain (depending on if L2 filtering prunes the L2 topology or not). Any IP multicast frame has L2 terminated and is processed at L3. From an L2 POV the NVE is a bud node. It may simply go no further or mapped to one or more other subnets....(which may require the equivalent of additional edge replication if that is how mcast Is implemented).... I see this as a well understood behavior. Pulling policy into it is conflating the concept significantly....There is significant NVE/NVA interactions required to offer L3 multicast long before considering policy that should be in or out of scope. [Lucy] Yes, handling multicast traffic across VNs is more complex network function regardless using distributed gateway function or a gateway. IMO, NVO3 has to able to handle the networking policy. The policy can be simple or very complex. Excluding the policy completely in NVO3, IMO, is it a virtualized network? Lucy My 2 cents Dave -----Original Message----- From: nvo3 [mailto:[email protected]] On Behalf Of Lucy yong Sent: Wednesday, November 20, 2013 4:42 AM To: Erik Nordmark; Thomas Narten Cc: [email protected]; Linda Dunbar Subject: Re: [nvo3] Fwd: Arch: proposed text for Combined L2/L3 Service Erik, Good point. L2 service provides a broadcast domain. Whether the broadcast/multicast packet should be sent to another VN is depend on inter VN policy. It is possible. When the broadcast/multicast packet deliver to the L3 router too. If the policy allows the broadcast/multicast to broadcast to another VN, L3 router will forward the packet to another VN with the same DMAC. If the policy does not allow, L3 router will drop the packet. You are right, if dMAC is broadcast/multicast address, it should send to L3 router for the further process. I change the text to following. A tenant network may require both L2 and L3 services, i.e. the packets from a tenant may get L2 and/or L3 treatment. An NVE receiving packets from a TS determines the type of service to be applied to the packet on a per-packet basis and as indicated by the destination MAC address on the packet. If the MAC address corresponds to that of an L3 router (as determined by the NVE) traffic is given L3 semantics with inter-VN policy. When an NVE receives a broadcast/multicast packet, it should be processed by the L3 router. Depending on the inter-VN policy, the broadcast/multicast may be allowed or prohibited. Otherwise, the packet is given L2 semantics. Thus the packet from a tenant must contain IP header (as well as Ethernet header) . A combined L2/L3 service presents no special considerations for NVO3, other than packets received from a tenant must be classified as to what type of service they are to be given before they can be processed. Thanks, Lucy -----Original Message----- From: Erik Nordmark [mailto:[email protected]] Sent: Tuesday, November 19, 2013 6:56 PM To: Lucy yong; Thomas Narten Cc: [email protected]; Linda Dunbar Subject: Re: [nvo3] Fwd: Arch: proposed text for Combined L2/L3 Service Lucy, What would the rules be for multicast packets? Such packets are not addressed to a router's MAC address but instead the router receives all of them and processes them based on the L3 multicast FIB. (For products which implement both L2 and L3 the processing of multicast depends on whether the input port is L2 or L3, and in some cases that will result in both bridging the packet out other L2 ports, and forwarding the packet out other L3 (virtual) ports.) Thus AFAICT the multicast rules can't depend on the destination MAC address to determine whether L2 or L3 service should be applied. Erik On 11/19/13 4:20 PM, Lucy yong wrote: > Hi Thomas, > > How about the following text: > > A tenant network may require both L2 and L3 > services, i.e. the packets from a tenant may get L2 and/or > L3 treatment. > > An NVE receiving packets from a TS determines the type of > service to be applied to > the packet on a per-packet basis and as indicated by the > destination MAC address on the packet. If > the MAC address corresponds to that of an L3 router (as > determined by the NVE), traffic is given L3 > semantics. Otherwise, the packet is given L2 > semantics. Thus the packet from a tenant must contain IP > header (as well > > as Ethernet header) . A combined L2/L3 service presents no > special > considerations for NVO3, other than packets received from a > tenant must be classified as to what type of service they > are to be given before they can be processed. > > Comment: should we use a tenant system (TS) or a tenant in the text to > make consistency? > > Regards, > > Lucy > > ---------- Forwarded message ---------- > From: *Thomas Narten* <[email protected] <mailto:[email protected]>> > Date: Mon, Nov 18, 2013 at 3:25 PM > Subject: [nvo3] Arch: proposed text for Combined L2/L3 Service > To: [email protected] <mailto:[email protected]> > > > There has been some discussion on the list about whether or not to > have a combined L2/L3 service. Here is proposed text for the > architecture document: > > <t> > A virtual network can also provide a combined L2 and L3 > service to tenants. In such cases, a tenant sends and > receives both L2 and L3 packets. An NVE recieving packets > from a TS determines the type of service to be applied to > the packet on a per-packet basis as indicated by the > packet's destination MAC address as provided by the TS. If > the MAC address corresponds to that of an L3 router (as > determined by the NVE), traffic is given L3 > semantics. Otherwise, the packet is given L2 service > semantics. A combined L2/L3 service presents no special > considerations for NVO3, other than packets received from a > tenant must be classified as to what type of service they > are to be given before they can be processed. > </t> > > This text would go at the end of Section 3.1 "VN Service (L2 and L3)". > > Make sense? > > Additional thinking behind this (taken from mail within the DT): > > > FWIW, I think that there are separate issues here. One is simply > > describing what we mean by a combined L2/L3 service. That is what my > > text was trying to do. The thinking is if the service definition is > > clear and simple, supporting it in NVO3 is not a problem. I.e., it's > > not really much different to provide a combined service than if you > > offer an L2 or L3 service. And the service semantics for combined > > L2/L3 are easy to understand and explain. That is goodness. :-) > > > Whether and how it makes sense to have distributed gateways in a > > combined service is a separate matter. What I'd like to be able to do > > here (if we need to say anything at all) is be able to say that if a > > distributed GW makes sense for L2 service, then having an L2 > > distributed GW for the L2 traffic would make sense in the combined > > service case too. Ditto for L3 service. > > > > A key point is that having a combined service is pretty much the > same > as taking the two separate L2 and L3 services and combining > them into > one implementation. There is nothing really "special" > about this that > would complicate the overall architecture. Where > we can easily get > into trouble is if we start defining a combined > service as has special > cases that have to be dealt with that don't > appear when you have only > L2 or only L3 service semantics. > > Thomas > > _______________________________________________ > nvo3 mailing list > [email protected] <mailto:[email protected]> > https://www.ietf.org/mailman/listinfo/nvo3 > > > > _______________________________________________ > nvo3 mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/nvo3 > _______________________________________________ nvo3 mailing list [email protected] https://www.ietf.org/mailman/listinfo/nvo3 _______________________________________________ nvo3 mailing list [email protected] https://www.ietf.org/mailman/listinfo/nvo3
