OPNFV Service Function Chaining
TRANSCRIPT
Service Function Chaining Overview
What is Service Function Chaining
• Service Chaining Downstreamed from OpenDaylight
– OpenDaylight Service Function Chaining (ODL SFC)
– ODL SFC implements the NSH and SFC IETF specification drafts
• Integrates SFC into NFV Cloud Data Center environments
• Use Cases solved with SFC
– Service Function scaling
– Any sort of Dynamic Service Insertion
11/3/2015 Footer Lorem Ipsum Dolor Sit 3
Service Function Chaining Use Case: Parental Control
• 1. Update/create chains (Operator, ODL SFC GUI, ODL SFC)
• 2. Subscriber classification rules (Classifier)
• Subscribers
– Parental control, block certain URLs
– No control for parents
• Service Functions
– SF HTTP: HTTP Content Filtering (Block URLs)
– SF NAT
• Rendered Service Paths: RSP1, RSP2
• Network: SDN network, SFF, Internet
Legend:
SFF: Service Function Forwarder
SF: Service Function
RSP: Rendered Service Path, a Service Chain
Service Chaining Encapsulation: Network Service Headers (NSH) in detail
• Classify once: encapsulate chain info with every packet
• Switch on NSH fields:
– NSP – NSH Path (Chain ID)
– NSI – NSH Index (Hop in chain)
• Diagram elements: Classifier (ACL), Service Function Forwarders, Service Functions, NSH Tunnel, SDN network
Service Function Chaining with NSH
• Network Service Headers (NSH)
– Reusable classification for pre-programmed paths
Example: NSH encapsulated in VXLAN
• Packet layout: Outer Eth hdr | Outer IP hdr | Outer UDP hdr | VxLAN | NSH | Inner Eth hdr | Inner IP hdr | Payload
• Network Services Header
– NSH Base Header
– Service Path (24 bit) / Index
– Optional Metadata
• Service Path: The Service Chain ID
• Index: The hop in the Service Chain
Advantages
• Forwarding complexity is much simpler
• Optional Metadata can be sent with packets
• Supports flexible encapsulation (Ethernet, MPLS, VXLAN, etc)
Challenges
• Limited support in switches, kernels, and applications
• Service Function needs to become NSH-aware
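The NSP/NSI switching described in the NSH slides above, as an added Python example that is not part of the original deck or of ODL SFC code. The 4-byte base header and 8-bit index follow the NSH specification; the table contents, the starting index of 255 and all function names are assumptions made for illustration.

```python
import struct

BASE_HDR_LEN = 4  # assumption: a 4-byte NSH base header precedes the service path word

def pack_service_path(nsp, nsi):
    """Encode the 32-bit service path word: 24-bit NSP, 8-bit NSI."""
    if not (0 <= nsp < 1 << 24 and 0 <= nsi <= 0xFF):
        raise ValueError("NSP must fit in 24 bits and NSI in 8 bits")
    return struct.pack("!I", (nsp << 8) | nsi)

def parse_service_path(nsh):
    """Return (NSP, NSI) from raw NSH bytes (base header + service path word)."""
    if len(nsh) < BASE_HDR_LEN + 4:
        raise ValueError("truncated NSH header")
    (word,) = struct.unpack_from("!I", nsh, BASE_HDR_LEN)
    return word >> 8, word & 0xFF

# Constructed SFF table, (NSP, NSI) -> next hop. Path 1 filters HTTP and then
# NATs, path 2 only NATs; the chain contents and start index 255 are assumptions.
SFF_TABLE = {
    (1, 255): "SF HTTP", (1, 254): "SF NAT", (1, 253): "egress",
    (2, 255): "SF NAT", (2, 254): "egress",
}

def sff_forward(nsh):
    """Switch on NSP/NSI. Returns (next_hop, NSH bytes after that hop or None)."""
    try:
        nsp, nsi = parse_service_path(nsh)
    except ValueError:
        return "drop", None
    hop = SFF_TABLE.get((nsp, nsi))
    if hop is None:
        return "drop", None          # unknown path or index: fail closed
    if hop == "egress":
        return hop, None             # chain complete, NSH is removed
    # The index drops by one once the service function has handled the packet
    # (modelled here inside the SFF to keep the example short).
    updated = nsh[:BASE_HDR_LEN] + pack_service_path(nsp, nsi - 1) + nsh[BASE_HDR_LEN + 4:]
    return hop, updated

def walk_chain(nsh):
    """Follow a packet through the SFF until it egresses or is dropped."""
    hops = []
    while nsh is not None:
        hop, nsh = sff_forward(nsh)
        hops.append(hop)
    return hops

def sample_nsh(nsp, nsi=255):
    """Constructed header: zeroed base header (not interpreted) + service path word."""
    return bytes(BASE_HDR_LEN) + pack_service_path(nsp, nsi)
```

A packet whose path or index has no table entry is dropped rather than forwarded unfiltered, so a malformed or unexpected NSH cannot skip the service functions on its chain.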
Service Chaining Classification: Mapping Subscriber traffic to Service Chains with Group Based Policy
Group Based Policy made easy
• EPG: Hosts
• EPG: Web Servers
• Endpoints: EP:1, EP:2, EP:3, EP:4
• Contracts shown between the groups: "web, ssh" and "any"
Copied from Ed Warnicke’s GBP slides: https://docs.google.com/presentation/d/1vsYddlHFRnVG9cDwWxyldT2BNSfYUTPcR1lYtUrFA8U/edit?usp=sharing
Concepts:
• Group Endpoints (EPs) into Endpoint Groups (EPGs)
• Apply Policy (Contracts) to traffic between groups
• Contracts apply directionally
Contracts
• web – Match: dstport:80 Action: Allow
• ssh – Match: dstport:22 Action: Allow
• any – Match: * Action: Allow
Group Based Policy with SFC
• EPG: Web Servers
• EPG: Hosts
• Endpoints: EP:1, EP:2, EP:3, EP:4
• Add Contracts for “chain-in” and “chain-out” with the name of the SFC chain.
Contracts
• chain-in – Match: * Action: chain:foo
• chain-out – Match: * Action: chain:bar
• SFC network: Service Function Forwarder, Service Function, Service Function
OPNFV SFC The Current Status
OPNFV SFC Current Network Topology
• Nodes: Compute Node, Control Node, Top Of Rack Switch
• VMs: SF1, SF2, Clients, Servers
• Other components: SFF, OVS, OVS, ODL SFC, Open Stack, VNF Mgr
• GBP EPG1, GBP EPG2
• GBP EPG: Group Based Policy, End Point Group; used as Classifier in OPNFV
Legend:
VxLAN tunnel SF/SFF
GBP creates VxLAN tunnel
OpenFlow 1.3/OVSDB
Original packets, no encap
OPNFV SFC Brahmaputra Target Use Case
• 1. Update/create chains (ODL SFC)
• 2. Subscriber classification rules (Classifier)
• 1) Can NOT do HTTP 2) Can do SSH
• 1) Can do HTTP 2) Can NOT do SSH
• Service Functions: SF Firewall, SF Firewall
• Rendered Service Paths: RSP1, RSP2
• Network: SDN network, SFF, Simple HTTP Server
• Test Cases: Block HTTP, Block SSH
Legend:
SFF: Service Function Forwarder
SF: Service Function
RSP: Rendered Service Path, a Service Chain
The VNF Manager
• The technical definition of a VNF Manager
– Lifecycle management of VNF instances
– Overall coordination and adaptation role for configuration and event reporting between NFV-Infrastructure and Network management system (NMS)
• What do we need a VNF Manager for in OPNFV SFC?
– Coordinating Service Function VM Lifecycle management
– We decided to use the OpenStack Tacker VNF Mgr
• Technically MANO (management and orchestration) is out of scope for Brahmaputra
– We’ll install Tacker post-installation for testing
Additional Information
• OPNFV SFC wiki
– https://wiki.opnfv.org/service_function_chaining
• OPNFV SFC Brahmaputra Release Planning
– https://docs.google.com/presentation/d/1GEt8Vi6hQL9kOknowxr3o9aE_VYoe5zljz8MyQtdgw/edit?usp=sharing
• OPNFV SFC discussion slides
– https://docs.google.com/presentation/d/1gbhAnrTYbLCrNMhMXin0lxjyg7IHNPjrlBTIjwAzys/edit?usp=sharing
• OPNFV JIRA
– https://jira.opnfv.org/browse/SFC/?selectedTab=com.atlassian.jira.jira-projectsplugin:summary-panel
What’s next in OPNFV SFC? Brahmaputra and beyond
On the Roadmap…
• Multiple compute nodes
– OpenDaylight clustering
– Enhanced SF VM placement (load balancing, fault tolerance)
• Hybrid Service Chains
– Multi-protocol SFFs (OpenFlow, Netconf)
• Enhanced VnfMgr functionality in Tacker
• Scale SF VMs in/out based on CPU/Network load
• SF network readiness detection
– Block RSP creation until all SFs “ready”
Demo: Group Based Policy and Service Function Chaining