fut1643bu an introduction to service function chaining for ......an introduction to service function...

Dharma RajanPhilip Kippen

FUT1643BU

#VMworld #FUT1643BU

An Introduction to Service Function Chaining for Network Function Virtualization

VMworld 2017 Content: Not fo

r publication or distri

bution

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Disclaimer

2#FUT1634BU CONFIDENTIAL



bution

Agenda

#FUT1634BU CONFIDENTIAL 3

1 Introduction to Service Function Chaining (SFC)

2 SFC Architectural Models

3 SFC In vCloud NFV Today Using NSX

4 Future Direction

5 Q&A



bution

What is Service Function Chaining?


Deep Packet Inspection

Access Control

NAT

L2 Switching

L3 Routing

QOS

Should every

packet have

every service

applied to it

inline?

Instantiation of an ordered set of service functions and subsequent "steering" of traffic through them.

Service Function Chaining (SFC)

Physical Firewall Physical Router

::

vFW vFWvFW

X86 HW

Virtualization Layer

vRoutervNATvDPI



bution

Traditional Network – Inefficiency in Service Functions


Fixed service chains

Complex scale-out architecture

Limited visibility for troubleshooting

Policy enforcement challenges

Rules

SLAs

Actions QoS

Security

L4-L7

Policy-based routing and box-to-box cabling using



bution

vCPE – Virtual Customer Premises Equipment

SD-WAN – Software Defined Wide Area Network

vEPC – Virtual Evolved Packet Core

VNF – Virtual Network Function

Why is SFC Important for Enterprise and Service Providers?

6

Network Functions Virtualization (NFV) is driving SFC use cases

Customer Need: Speed / Agility / Security / Multitenant / Topology and Location Independence

Expectation:

• SFC based on metadata information for L2 to L7 services

• Dynamic SFC modification based on changes to metadata

• Orchestration and Automation

WAN OPTIMIZER

TRAFFIC SHAPING

PROTOCOL

PROXY

SD-WAN

TCP OPTIMIZATION

LAWFUL INTERCEPT

HTTP HEADER ENRICHMENT

CACHING

vEPC - Gi-LAN

DHCP

NGFW

POLICY

CGNAT

DDOS

PARENTAL CONTROL

CONTENT FILTERING

ROUTER

AD INSERTION

vCPE - VNFs

IDS

IPS

VPN

LB

AV

DPI

#FUT1634BU CONFIDENTIAL



bution

Agenda


1 Introduction To Service Function Chaining (SFC)



4 Future Direction

5 Q&A



bution

Dynamic SFC Architecture


Enterprise A Enterprise B

Management Plane

Control Plane

Data Plane

Classifier

NAT

SFC Controller

Topology Server

Service Function

Forwarder Classifier

FW LB Public Cloud

Access

Orchestration / Automation

DPI Dynamic

Redirection



bution

VNF

5

Simple and Nested SFC

9

Classifier VNF

1

ClassifierVNF

4

VNF

3

VNF

2

Metadata Redirect

Dropped Packet

Simple VNF SFC

Nested VNF SFC

Efficient SFC Design and Orchestration is Paramount for Success




bution

SFC Implementation Model – Network Service Header (NSH)


NSH Base Header 64-Bit

Network Platform

Service Platform

Network Shared

Services Shared

Four 32-bit context headers

Carrying opaque metadata

User Payload Service Chain Header Original Header

Layer 2 (e.g. Ethernet)

Network Service Header

Layer 3

Further Reading:

RFC – 7665 – SFC Arch.

Requirements:

• Need NSH-aware network switches

• VNFs need to understand NSH

• NSH protocol support and additional new header

– Adds 24 bytes per packet that will use SFC

Challenges:

• Additional packet processing overhead

• No state management, Security

• Need Services Topology layer built



bution

SFC Implementation Model – VLAN-Based Q-in-Q Encoding

• A simpler alternative, and an efficient method to do SFC without NSH

• Meets all known use cases

– Uses two VLAN-IDs. One for service chain ID and the other for metadata encapsulation

– Creates services plane using 802.1Q and 802.1ad Q-in-Q encoding


Ether Type – 32 bits

Tag

Protocol

ID 16 bits

TCI

PCP

3 bits

DEI

1 bit

VID

12 bits

0x000, 0x001

Reserved 0xFFF (4095) Reserved0x002

0xFFE

(4094)…………………….

Ether Type – 32 bits

Tag

Protocol

ID 16 bits

TCI

PCP

3 bitsDEI

1 bit

VID

12 bits

Service Chain ID 12 bits Traffic Class 3 bits Application / User Classification 9 bits

(511 applications)

PCP – Priority Code Point

DEI – Drop Eligibility Indicator

VID – VLAN Identifier

TCI – Tag Control Information



bution

SFC Using VLAN-Based Q-in-Q Encoding


Advantages:

• Use of virtual network topology for SFC

• Uses IEEE 802.1ad standard

• No Ethernet frame overhead

• Ability to change the forwarding route on the service chain ID

• Supports dynamic SFC

• Works for any SDN overlay solution

– OpenContrail

– Nuage Networks

– VMware NSX®, and so forth . . .

100 – Direct traffic

101 – Referral traffic

102 – Organic traffic

103 – HTTP

104 – HTTPS

:

:

200 – Unknown

Traffic TypeVLAN-ID

Start

VLAN-ID

End

100Web Traffic 200

201Video 300

301SSH 400

401SSL 500

801 – Sensitive traffic

802 – Best-effort traffic

803 – Undesired traffic

804 – Social traffic

805 – Parental control

:

:

900 – Unknown

501Voice 600

601Signaling 700

701Routing 800

801QoS 900

1901Application 2000

2001Future Use 4094



bution

Agenda





4 Future Direction

5 Q&A



bution

Some Terminology

NSH - Network Service Header : Protocol

NFV - Network Function Virtualization : A Industry Terminology

NSX - Network Virtualization : A VMware Product

14#FUT1634BU CONFIDENTIAL



bution

VMware vCloud NFV Platform

15

Multi-vendor VNF support

Ecosystem of partners

vSAN NSXvSphere

NFVI NFVI Operations

vCloud Director

VMware Integrated OpenStack

vRealize Operations

vRealize Log Insight

vRealize Network Insight

Storage NetworkingCompute VIM Analytics

VNF VNFVNF

EMS EMSEMS

OSS/BSS Orchestrator

NFVO

VNF-MSome Vendor-specific SFC today at VNF level

Target :SFC at infrastructure levels to support multi-vendor VNFsfor all services

vCloud NFV – A Modular NFVI Platform To Support SFC




bution

Support Today in NSX


VDS

Guest VMPartner

Service 1 VM

DFWSlot 2

Slot 4

Traffic Redirection

Module

Slot 5Filtering Module

Partner

Service 2 VM

• “Semi-dynamic” service chaining

• Policy rule based

• Selective steering

Guest

Introspection

Services

Network

Introspection

Services

Security

Service

IDS / IPS

Security Policy

Inserted into traffic flow and

chained together

Antivirus or vulnerability

management

IPS and Forensics

• Supports integrated third-party VNFs with NetX

• Number of VNFs limited to 8

• Assign unique service chain for different VMs



bution

An Innovative New Approach for SFC

17

• Build general topologies at L2 and L3

• Extend DvFilter and NetX functionality of NSX

• Dynamic policy-based routing and classification

Benefits:

• Leverage existing NSX overlay network

• No new service topology

• No new network header

• Will work with VXLAN, SST, GENEVE

• Support for orchestration

• NetX API and REST API

Distributed Logical Router

VNF1 VNF2 VNF3 VNF4

LS1 LS2 LS3 LS4

NSX-M

1.1.1.2

1.1.1.1 3.3.3.12.2.2.1 4.4.4.1

2.2.2.2 3.3.3.2 4.4.4.2

Policy Passed

Next hop 2.2.2.2 3.3.3.2 4.4.4.2 NULL

Previous hop NULL 1.1.1.2 2.2.2.2 3.3.3.2

4.4.4.2Next Hop

Egress Port

Policy installed on

ingress port

Next hop 2.2.2.2 3.3.3.2 4.4.4.2 NULL

Previous hop NULL 1.1.1.2 2.2.2.2 3.3.3.2

Install




bution

Agenda





4 Future Direction

5 Q&A



bution

Future Direction

19

HOST SYSTEM

VM-1 VM-2 VM-3 VM-4

HYPERVISOR-1

PHYSICAL COMPUTING RESOURCE

DLR-1

HOST SYSTEM

VM-5 VM-6 VM-7Control

VM

HYPERVISOR-2

PHYSICAL COMPUTING RESOURCE

DLR-1

Source

Network

Destination

Network

✦ Provision

✦ Configure

✦ Monitor

✦ Manage

Service

Orchestration

Virtual

Infrastructure

Manager

Private Micro

Datacenter

Mobile Edge

Computing Node




bution

Industry Direction on SFC

• Demand for SFC is increasing

– Cable, Enterprises, Mobile Core, Edge and Wireline

• Implementations to date are vendor specific at VNF level

– NSH implementation has challenges.

– VLAN-ID based technique – a step in the right direction


HOME CLOUD POINT

• Future use cases, such as cross-cloud, micro data center, IOT, and 5G networks, will depend on SFC



bution

Summary

21

vCPE SD-WAN

vEPC

Classifier

NA

T

SFC Controller

Topology Server

Service Function

Forwarder Classifier

FW L

BPublic Cloud

Acces

s

Orchestration / Automation

DPI

Dynamic Redirection

NFV Orchestrator

VNF-M

VNF

5

VNF

1

VNF

4

VNF

3

VNF

2

vSAN NSXvSphere

NFVI NFVI Operations

vCloud Director

VMware Integrated OpenStack

vRealize Operations

vRealize Log Insight

vRealize Network Insight

Storage NetworkingComputeVIM Analytics




bution

@ VMworld

22

NFV HOL Labs 1886-01-EMT

1886-02-EMT

Tuesday Aug 29 1:30 p.m. - 3:00 p.m.

[ELW188601U] vCloud NFV - Getting Started

Workshop

Wednesday, Aug 30

1:15 p.m. - 2:00 p.m. [MTE4855U] NFV – Meet the

Expert Session – Dharma Rajan

2:00 p.m. - 3:00 p.m [FUT1744BU] The Benefits of

VMware Integrated OpenStack for

Your NFV Platform Hassan Hamade and Mauricio

Valdueza




bution



bution

www.vmware.com/go/nfv

# vmworld2017

# vmwaretelco

[email protected] 2017 Content: N

ot for publicatio

n or distribution

http://www.vmware.com/go/nfv

fut1643bu an introduction to service function chaining for ......an introduction to service function...

Documents