Empower your NFV Services through Service Function Chaining and SFC Graphs

Cathy Zhang (Huawei) | Igor Duarte Cardoso (Intel)

27th October 2016

Upload: igor-duarte-cardoso

Post on 14-Feb-2017


Service Chain Logical Model and API

[Figure: OpenStack Service Chain API. Labels: Traffic Source, Flow Classifier, Port Chain, Traffic Destination.]

Port pair groups in the Port Chain:
• FW Port Pair Group - Neutron ports for FW1 and FW2.
• IPS Port Pair Group - Neutron ports for IPS1, IPS2 and IPS3.
• Video Optimizer Port Pair Group - Neutron ports for Video Optimizer1 and Video Optimizer2.

Flow Classifier:
• Ethertype
• Protocol
• Source Logical Port
• Source IP prefix
• Source TCP/UDP port
• Destination Logical port
• Destination IP prefix
• Destination TCP/UDP port
• L7 parameters

Logical Model of networking-sfc

Port Chain
• name - Readable name.
• description - Readable description.
• port_pair_groups - List of port-pair-group IDs.
• flow_classifiers - List of flow-classifier IDs.
• chain_parameters - Dict. of chain parameters.
• chain_id - Data-plane chain path ID.

Port Pair Group
• name - Readable name.
• description - Readable description.
• port_pairs - List of service function port-pairs.
• port_pair_group_parameters - Dict. of port pair group parameters.

Port Pair
• name - Readable name.
• description - Readable description.
• ingress - Ingress port.
• egress - Egress port.
• service_function_parameters - Dict. of service function parameters.

Flow Classifier
• name - Readable name.
• description - Readable description.
• ethertype - Ethertype (‘IPv4’/‘IPv6’).
• protocol - IP protocol.
• source_port_range_min - Minimum source protocol port.
• source_port_range_max - Maximum source protocol port.
• destination_port_range_min - Minimum destination protocol port.
• destination_port_range_max - Maximum destination protocol port.
• source_ip_prefix - Source IP address or prefix.
• destination_ip_prefix - Destination IP address or prefix.
• logical_source_port - Neutron source port.
• logical_destination_port - Neutron destination port.
• l7_parameters - Dictionary of L7 parameters.

Chain Graph (Classification Rules change)
• An SF (for example, NAT) could modify the N-tuple, after which the original SFC classification does not work
• Orchestrator creates two Port Chains:
  • PC1 before NAT, PC2 after NAT

Chain Graph (Classification Rules do not change)

Why SFC Graphs – In Essence
• SFs may change the classification attributes of traffic;
• SFs may include advanced classification features (in which case they are logically classifiers as well);
• Certain chains may have a dependency on other chains (regardless of classification criteria).

Why SFC Graphs – A Use Case
• Encrypted Tunnel Termination:

PC1: FC(srcPort=IPSec_src) {SF}
PC2: FC(ChainPathID=PC1, protocol=TCP) {TO, LB}
PC3: FC(ChainPathID=PC1) {LB}

Why SFC Graphs – Another Use Case
• Video Optimizer SFC [6]:

Why SFC Graphs – Another Use Case
• Video Optimizer SFC (focus):

PC1: FC(srcPort=PGW) {LB}
PC2: FC(ChainPathID=PC1, protocol=TCP, port=80) {DPI}
PC3: FC(ChainPathID=PC1) {LB’}
PC4: FC(ChainPathID=PC2, l7_type=video) {VO, LB’}
PC5: FC(ChainPathID=PC2) {LB’}


How to achieve SFC Graphs?

• How can the dependencies for reaching a port-chain be guaranteed?

• How to guarantee traffic segregation when Service Functions are reused by different chains?

• How to attach different classifiers right before branching points?

SFC Encapsulation (How to achieve SFC Graphs?)

• “The SFC encapsulation provides, at a minimum, SFP identification, and is used by the SFC-aware functions, such as the SFF and SFC-aware SFs.” [3];

• “It also enables the sharing of metadata/context information” [3];

• “One of the key architecture principles of SFC is that the SFC encapsulation remain transport independent.” [3];

• “NSH is the SFC encapsulation referenced in RFC7665.” [4, referring to 3];

• “NSH contains a Service Path Identifier (SPI) and a Service Index (SI)” [4].

Abbreviations: SFP - Service Function Path; NSH - Network Service Header; SFF - Service Function Forwarder.

SFC – Reclassification and Branching (How to achieve SFC Graphs?)

• “The SFC architecture supports reclassification (or non-initial classification)” [3];

• “Reclassification may result in the selection of a new SFP, an update of the associated metadata, or both.” [3];

• “The implied order may not be a linear progression as the architecture allows for SFCs that copy to more than one branch” [3].

SFC – Network Service Header (NSH) (How to achieve SFC Graphs?)

• NSH [4] is not only a protocol, but a (proposed) standard;
• It is specifically designed for Service Function Chaining;
• It materializes the concept of SFC Encapsulation from RFC 7498 [2] and RFC 7665 [3];
• It defines the fields necessary to segregate and identify traffic from different SFPs;
• It is able to carry TLV metadata;
• It is transport independent, so you can use any other protocol to forward packets;
• NSH will be used as input to decide what transport/overlay to use.

     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Ver|O|C|R|R|R|R|R|R|   Length  |    MD Type    | Next Protocol |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Service Path Identifier (SPI)        | Service Index |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           Metadata                            |
    |               (total length depends on MD Type)               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
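A parser for the header layout shown above, followed by the SPI/SI lookup an SFF performs. This is an added example, not code from the presentation or from networking-sfc. It assumes the rules of the NSH draft [4] that Length counts 4-byte words and that MD Type 1 has a fixed Length of 6; the sample packet, the next-hop name and the drop-on-unknown-path policy are constructed for illustration.

```python
import struct
from typing import NamedTuple

class NSH(NamedTuple):
    version: int
    oam: bool
    critical: bool
    length_words: int   # total NSH length in 4-byte words
    md_type: int
    next_protocol: int
    spi: int            # Service Path Identifier, 24 bits
    si: int             # Service Index, 8 bits
    metadata: bytes

def parse_nsh(buf: bytes) -> NSH:
    """Decode the two fixed 32-bit words from the diagram, then the metadata."""
    if len(buf) < 8:
        raise ValueError("truncated NSH: the fixed headers need 8 bytes")
    word0, word1 = struct.unpack("!II", buf[:8])
    hdr = NSH(
        version=word0 >> 30,
        oam=bool((word0 >> 29) & 1),
        critical=bool((word0 >> 28) & 1),
        length_words=(word0 >> 16) & 0x3F,   # the six R bits are skipped
        md_type=(word0 >> 8) & 0xFF,
        next_protocol=word0 & 0xFF,
        spi=word1 >> 8,
        si=word1 & 0xFF,
        metadata=b"",
    )
    total = hdr.length_words * 4
    if hdr.version != 0:
        raise ValueError(f"unsupported NSH version {hdr.version}")
    if hdr.length_words < 2 or total > len(buf):
        raise ValueError("Length field disagrees with the bytes received")
    if hdr.md_type == 1 and hdr.length_words != 6:
        raise ValueError("MD Type 1 requires Length == 6")
    return hdr._replace(metadata=buf[8:total])

def sff_next_hop(hdr: NSH, table: dict) -> str:
    """Select the next hop by (SPI, SI); paths not in the table are dropped
    (policy chosen for this example so unknown paths never share a hop)."""
    return table.get((hdr.spi, hdr.si), "drop")

# Constructed sample: version 0, Length 6, MD Type 1, Next Protocol 0x01,
# SPI 42, SI 255, followed by 16 zero bytes of MD Type 1 context.
SAMPLE = struct.pack("!II", (6 << 16) | (1 << 8) | 0x01, (42 << 8) | 255) + bytes(16)
SAMPLE_TABLE = {(42, 255): "port-pair-dpi"}   # hypothetical next-hop name

if __name__ == "__main__":
    h = parse_nsh(SAMPLE)
    print(h.spi, h.si, sff_next_hop(h, SAMPLE_TABLE))
```

Because the forwarding key is the (SPI, SI) pair rather than the inner packet's addresses, two chains that reuse the same Service Function stay distinguishable at every hop.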

Bringing SFC Graphs to networking-sfc
• The first change (merged) was to expose the SPI (chain_id) in networking-sfc’s API [7 - https://review.openstack.org/#/c/355336];
• It is useful to integrate with an NFV Orchestrator [5], but not required to achieve SFC Graphs;
• Then, if wanted, any SF can act as a Classifier (other than the Neutron backend itself).


Shared SFP information across SFs/VNFs and Neutron

Bringing SFC Graphs to networking-sfc
• The second change is to enable NSH support [8 - https://review.openstack.org/#/c/373465];
• Includes API additions (to choose whether to use NSH or not) and respective changes in the Open vSwitch driver (control NSH flows);
• This requires a modified version of Open vSwitch that supports NSH [10];

Bringing SFC Graphs to networking-sfc

Flow Classifier

• name - Readable name.

• description - Readable description.

• ethertype - Ethertype (‘IPv4’/‘IPv6’).

• protocol - IP protocol.

• source_port_range_min - Minimum source protocol port.

• source_port_range_max - Maximum source protocol port.

• destination_port_range_min - Minimum destination protocol port.

• destination_port_range_max - Maximum destination protocol port.

• source_ip_prefix - Source IP address or prefix.

• destination_ip_prefix - Destination IP address or prefix.

• logical_source_port - Neutron source port.

• logical_destination_port - Neutron destination port.

• l7_parameters - Dictionary of L7 parameters.

Port Chain
• name - Readable name.
• description - Readable description.
• port_pair_groups - List of port-pair-group IDs.
• flow_classifiers - List of flow-classifier IDs.
• chain_parameters - Dict. of chain parameters: new value for the correlation parameter: nsh (instead of mpls) – this means the NSH SFC protocol will be used for SFC Encapsulation.
• chain_id - Data-plane chain path ID.

Port Pair Group
• name - Readable name.
• description - Readable description.
• port_pairs - List of service function port-pairs.
• port_pair_group_parameters - Dict. of port pair group parameters.

Port Pair
• name - Readable name.
• description - Readable description.
• ingress - Ingress port.
• egress - Egress port.
• service_function_parameters - Dict. of service function parameters: new value for the correlation parameter: nsh (instead of None) – this means the VMs will get NSH traffic instead of SFC-proxied traffic.

Bringing SFC Graphs to networking-sfc
• The final change is to add the new SFC Graph API resource [9 - https://review.openstack.org/#/c/388802] and future implementation patches;
• The OVS driver will be slightly modified to guarantee that traffic from an SFC is handed over to the next correct SFC.

Bringing SFC Graphs to networking-sfc

Flow Classifier
• name - Readable name.
• description - Readable description.
• ethertype - Ethertype (‘IPv4’/‘IPv6’).
• protocol - IP protocol.
• source_port_range_min - Minimum source protocol port.
• source_port_range_max - Maximum source protocol port.
• destination_port_range_min - Minimum destination protocol port.
• destination_port_range_max - Maximum destination protocol port.
• source_ip_prefix - Source IP address or prefix.
• destination_ip_prefix - Destination IP address or prefix.
• logical_source_port - Neutron source port.
• logical_destination_port - Neutron destination port.
• l7_parameters - Dictionary of L7 parameters.

SFC Graph
• name - Readable name.
• description - Readable description.
• port_chains - Dictionary of Service Function Path (port-chain) dependencies (i.e. how one port-chain can branch into other port chains, depending on classification criteria, while still keeping every flow isolated), example:

    { port-chain-1: [port-chain-2, port-chain-3],
      port-chain-2: [port-chain-4, port-chain-5],
      (…) }

Port Chain
• name - Readable name.
• description - Readable description.
• port_pair_groups - List of port-pair-group IDs.
• flow_classifiers - List of flow-classifier IDs.
• chain_parameters - Dict. of chain parameters: new value for the correlation parameter: nsh (instead of mpls) – this means the NSH SFC protocol will be used for SFC Encapsulation.
• chain_id - Data-plane chain path ID.

Port Pair Group
• name - Readable name.
• description - Readable description.
• port_pairs - List of service function port-pairs.
• port_pair_group_parameters - Dict. of port pair group parameters.

Port Pair
• name - Readable name.
• description - Readable description.
• ingress - Ingress port.
• egress - Egress port.
• service_function_parameters - Dict. of service function parameters: new value for the correlation parameter: nsh (instead of None) – this means the VMs will get NSH traffic instead of SFC-proxied traffic.
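The port_chains dictionary above, filled in with the Video Optimizer chains PC1 to PC5 from the earlier slide and checked before use. This is an added example, not networking-sfc code: the function names, the representation of a flow as a dict, and the rule that the first matching branch in list order wins are assumptions of this sketch.

```python
# Graph and classifiers transcribed from the Video Optimizer slide (PC1..PC5).
PORT_CHAINS = {"PC1": ["PC2", "PC3"], "PC2": ["PC4", "PC5"]}
# Criteria each classifier adds on top of ChainPathID=<parent>; {} is the
# catch-all branch. First match in list order wins (assumption of this sketch).
BRANCH_MATCH = {
    "PC2": {"protocol": "TCP", "port": 80},
    "PC3": {},
    "PC4": {"l7_type": "video"},
    "PC5": {},
}

def find_cycle(port_chains):
    """Return one looping sequence of chains, or None if the graph is acyclic."""
    state = {}  # chain -> "visiting" | "done"
    def visit(pc, trail):
        if state.get(pc) == "visiting":
            return trail[trail.index(pc):] + [pc]
        if state.get(pc) == "done":
            return None
        state[pc] = "visiting"
        for nxt in port_chains.get(pc, []):
            loop = visit(nxt, trail + [pc])
            if loop:
                return loop
        state[pc] = "done"
        return None
    for pc in port_chains:
        loop = visit(pc, [])
        if loop:
            return loop
    return None

def shadowed_branches(port_chains, branch_match):
    """Find branches hidden behind an earlier, broader sibling classifier."""
    found = []
    for parent, branches in port_chains.items():
        for i, later in enumerate(branches):
            for earlier in branches[:i]:
                if branch_match[earlier].items() <= branch_match[later].items():
                    found.append((parent, later, earlier))
    return found

def resolve_path(flow, port_chains, branch_match, root):
    """Follow a flow (dict of attributes) from the root chain to a leaf chain."""
    if find_cycle(port_chains):
        raise ValueError("graph loops; traffic would never leave it")
    path, current = [root], root
    while current in port_chains:
        for nxt in port_chains[current]:
            if all(flow.get(k) == v for k, v in branch_match[nxt].items()):
                path.append(nxt)
                current = nxt
                break
        else:
            raise LookupError(f"no branch out of {current} matches this flow")
    return path

if __name__ == "__main__":
    video = {"protocol": "TCP", "port": 80, "l7_type": "video"}
    print(resolve_path(video, PORT_CHAINS, BRANCH_MATCH, "PC1"))
```

A shadowed branch is the case to catch before deployment: if the catch-all PC3 were listed ahead of PC2, port-80 traffic would never reach the DPI function.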

Bringing SFC Graphs to networking-sfc
• Video Optimizer SFC:

Bringing SFC Graphs to networking-sfc
• Video Optimizer SFC – dataplane elements illustration:

Figure callouts:
• CL1 sets SFP (SPI/SI) based on whether TCP port 80 or not
• SFF looks up SPI/SI to select branch

Project Status Update Since Austin Summit
• Two Official Releases: Liberty and Mitaka
• New Feature For Mitaka: Add chain-id to port-chain parameters, Add weight to service function parameter, Add port-pair-group parameters, Insert/remove service function to/from a port-chain, Add tempest tests, etc.
• New Feature for Newton and Release Plan: Symmetric Chain, Exact Match Based Flow Rule Creation/Deletion, Release in December 2016.
• Information Links
  • http://docs.openstack.org/developer/networking-sfc/
  • https://github.com/openstack/networking-sfc
  • https://wiki.openstack.org/wiki/Neutron/ServiceInsertionAndChaining
  • https://wiki.openstack.org/wiki/Meetings/ServiceFunctionChainingMeeting
  • https://pypi.python.org/pypi/networking-sfc

References
• [1] GitHub mirror of the networking-sfc project’s source code, https://github.com/openstack/networking-sfc
• [2] Problem Statement for Service Function Chaining, IETF SFC Working Group, https://tools.ietf.org/rfc/rfc7498.txt
• [3] Service Function Chaining (SFC) Architecture, IETF SFC Working Group, https://tools.ietf.org/rfc/rfc7665.txt
• [4] Network Service Header (Draft 10), IETF SFC Working Group, https://www.ietf.org/id/draft-ietf-sfc-nsh-10.txt
• [5] ETSI GS NFV 003 v1.2.1 - Terminology for Main Concepts in NFV, ETSI, https://www.etsi.org/deliver/etsi_gs/NFV/001_099/003/01.02.01_60/gs_NFV003v010201p.pdf
• [6] Service Function Chaining in Mobile Networks, http://www.ietf.org/proceedings/89/slides/slides-89-sfc-7.pptx
• [7] Add chain_id support in port chain and group_id support in port pair group, https://review.openstack.org/#/c/355336
• [8] Support NSH dataplane protocol, https://review.openstack.org/#/c/373465
• [9] Introduce the SFC Graph API resource, https://review.openstack.org/#/c/388802
• [10] OVS NSH patches (latest), https://github.com/yyang13/ovs_nsh_patches
• [11] OVS NSH patches (ovs-dev), http://openvswitch.org/pipermail/dev/2016-July/074922.html

Thank you, let us know your questions!

Legal notices and disclaimers

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Learn more at intel.com, or from the OEM or retailer.

No computer system can be absolutely secure. Tests document performance of components on a particular test, in specific systems. Differences in hardware, software, or configuration will affect actual performance. Consult other sources of information to evaluate performance as you consider your purchase. For more complete information about performance and benchmark results, visit http://www.intel.com/performance.

Intel, the Intel logo and others are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others. © 2016 Intel Corporation.

Backup Slides

Assumptions
• Service Functions will refer to the abstract resource, not the actual instance/VM/machine – in networking-sfc this is known as a Port Pair Group;
• Service Function Chain will refer to a “linear” list of functions – in networking-sfc this is known as a Port Chain;
• SFC Graph relates to the broader definition of an SFC as described in IETF SFC’s Architecture [3] and the NSH draft [4], due to reclassification and branching – not to be confused with VNF Forwarding Graph (VNFFG), which presents the different VNFs and how they are interconnected by different, independent chains;
• Unless stated otherwise, any figure showing Service Functions is scoped to a particular SFC or SFC Graph (not VNFFG).

Defining SFC Graph
• Natural extension to Service Function Chain when we consider that branching or reclassification can occur [3];
• Not to be confused with VNF Forwarding Graph [5]:
  • Which shows how different SFs are connected by independent chains;
  • No particular scope or use case.
• Networking-sfc is a base to build both.

Bringing SFC Graphs to networking-sfc
• Chains can be created today in networking-sfc, but what if we want to branch out of a (linear) chain depending on classification criteria?
• How to guarantee traffic segregation when Service Functions are reused by different chains (providing different services)?
• How to achieve both, keeping traffic from one set of chains segregated from another set of chains, when branching has occurred?

Complex SFCs Illustration
• The diagram on the right is not scoped to any particular SFC or SFC Graph;
• Instead, it illustrates many functions and the many traffic flows (from different chains/contexts) that they can receive.