Service Function Chaining

Brady Johnson brady.allen.johnson@ericsson.com

Keith Burns krb@cisco.com

Service Function Chaining Overview

What is Service Function Chaining

• Service Chaining Downstreamed from OpenDaylight

– Open Daylight Service Function Chaining (ODL SFC)

– ODL SFC implements the NSH and SFC IETF specification drafts

• Integrates SFC into NFV Cloud Data Center environments

• Use Cases solved with SFC

– Service Function scaling

– Any sort of Dynamic Service Insertion

11/3/2015 Footer Lorem Ipsum Dolor Sit 3

Service Function Chaining Use Case: Parental Control

1. Update/create chains

ODL SFC GUI

ODL SFC

Operator

2. Subscriber

classification

rules

HTTP Content Filtering

(Block URLs) SF HTTP

SF NAT

Legend:

SFF: Service Function Forwarder

SF: Service Function

RSP: Rendered Service Path, a Service Chain

RSP1

RSP2

Parental control,

block certain URLs

No control for parents

SDN network

SFF Internet

Classifier

Service Chaining Encapsulation Network Service Headers (NSH) in detail

Service Function

Forwarder

NSH

Classify once:

Encapsulate Chain

info with every packet

SDN network

Service Function

Service Function

Forwarder

NSH

Service Function

NSH

Tunnel

Switch on NSH fields:

NSP – NSH Path (Chain ID)

NSI – NSH index (Hop in chain)

ACL

Classifier

Service Function Chaining with NSH

• Network Service Headers (NSH)

– Reusable classification for pre-programmed paths

Service Function Chaining with NSH

Outer Eth hdr

Outer IP hdr

VxLAN NSH

NSH Base Header

Service Path (24 bit) / Index

Optional Metadata

Network Services Header

Example: NSH encapsulated in VXLAN

Inner Eth hdr

Inner IP hdr

Payload Outer

UDP hdr

Service Path: The Service Chain ID

Index: The hop in the Service Chain

Advantages Challenges

• Forwarding complexity is much simpler

• Optional Metadata can be sent with packets

• Supports flexible encapsulation (Ethernet, MPLS, VXLAN, etc)

• Limited support in switches, kernels, and applications

• Service Function needs to become NSH-aware

Service Chaining Classification Mapping Subscriber traffic to Service Chains

with Group Based Policy

Group Based Policy made easy

11/3/2015 Footer Lorem Ipsum Dolor Sit 9

EPG: Hosts

EPG: Web Servers

web, ssh

any

EP:1

EP:2

EP:3

EP:4

Copied from Ed Warnicke’s GBP slides: https://docs.google.com/presentation/d/1vsYddlHFRnVG9cDwWxyldT2BNSfYUTPcR1lYtUrFA8U/edit?usp=sharing

Concepts: • Group Endpoints (Eps) into

Endpoint Groups (EPGs) • Apply Policy (Contracts) to

traffic between groups • Contracts apply directionally

Contracts

Match: dstport:80 Action: Allow

Match: dstport:22 Action: Allow

Match: * Action: Allow

web

ssh

any

Group Based Policy with SFC

11/3/2015 Footer Lorem Ipsum Dolor Sit 10

EPG: Web Servers

chain-in chain-out

EPG: Hosts EP:1

EP:2

EP:3

EP:4

Add Contracts for “chain-in” and “chain-out” with the name of the SFC chain.

Contracts

Match: * Action: chain:foo

Match: * Action: chain:bar

chain-in

chain-out Service

Function Forwarder

Service Function

Service Function

SFC network

OPNFV SFC The Current Status

OPNFV SFC Current Network Topology

11/3/2015 Footer Lorem Ipsum Dolor Sit 12

OPNFV SFC Current Network Topology

Compute Node

VM

SF1

VM

SF2

SFF

VM

Clients

VM

Servers

Legend VxLAN tunnel SF/SFF

GBP creates VxLAN tunnel OpenFlow 1.3/OVSDB

Original packets, no encap

OVS OVS GBP EPG2

GBP EPG1

Control Node

Top Of Rack Switch

ODL SFC

Open Stack

GBP EPG: Group Based Policy, End Point Group

Used as Classifier in OPNFV

VNF Mgr

OPNFV SFC Brahmaputra Target Use Case

1. Update/create chains

SDN network

ODL SFC

1) Can NOT do HTTP

2) Can do SSH

1) Can do HTTP

2) Can NOT do SSH

2. Subscriber

classification

rules SFF

Legend:

SFF: Service Function Forwarder

SF: Service Function

RSP: Rendered Service Path, a Service Chain

SF Firewall

SF Firewall

Classifier

RSP1

RSP2

Simple

HTTP

Server Test Cases

Block

HTTP Block

SSH

The VNF Manager

• The technical definition of a VNF Manager

– Lifecycle management of VNF instances

– Overall coordination and adaption role for configuration and event reporting between NFV-Infrastructure and Network management system (NMS)

• What do we need a VNF Manager for in OPNFV SFC?

– Coordinating Service Function VM Lifecycle management

– We decided to use the OpenStack Tacker VNF Mgr

• Technically MANO (management and orchestration) is out of scope for Brahmaputra

– We’ll install Tacker post-installation for testing

11/3/2015 Footer Lorem Ipsum Dolor Sit 15

Additional Information

• OPNFV SFC wiki

– https://wiki.opnfv.org/service_function_chaining

• OPNFV SFC Brahmaputra Release Planning

– https://docs.google.com/presentation/d/1GEt8Vi6hQL9kOknowxr3o9aE_VYoe5zljz8MyQtdgw/edit?usp=sharing

• OPNFV SFC discussion slides

– https://docs.google.com/presentation/d/1gbhAnrTYbLCrNMhMXin0lxjyg7IHNPjrlBTIjwAzys/edit?usp=sharing

• OPNFV JIRA

– https://jira.opnfv.org/browse/SFC/?selectedTab=com.atlassian.jira.jira-projectsplugin:summary-panel

11/3/2015 Footer Lorem Ipsum Dolor Sit 16

What’s next in OPNFV SFC? Brahmaputra and beyond

On the Roadmap…

• Multiple compute nodes

– OpenDaylight clustering

– Enhanced SF VM placement (load balancing, fault tolerance)

• Hybrid Service Chains

– Multi-protocol SFFs (OpenFlow, Netconf)

• Enhanced VnfMgr functionality in Tacker

• Scale SF VMs in/out based on CPU/Network load

• SF network readiness detection

– Block RSP creation until all SFs “ready”

11/3/2015 Footer Lorem Ipsum Dolor Sit 18

Demo Group Based Policy and

Service Function Chaining