Network Working Group P. Quinn
Internet-Draft J. Guichard
Intended status: Informational S. Kumar
Expires: March 27, 2014 C. Pignataro
Cisco Systems, Inc.
September 23, 2013
Service Function Chaining (SFC) Architecture
draft-quinn-nsc-arch-00.txt
Abstract
This document describes a standard architecture for the creation of
Service Function Chains. It includes architectural concepts,
principles, and components used for the application of services in a
network. This document does not propose solutions or protocols.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 27, 2014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
Quinn, et al. Expires March 27, 2014 [Page 1]
Internet-Draft NSC Arch September 2013
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Definition of Terms . . . . . . . . . . . . . . . . . . . 3
1.3. Service Function Chaining . . . . . . . . . . . . . . . . 4
2. Architectural Concepts . . . . . . . . . . . . . . . . . . . . 5
2.1. Service Function Chains . . . . . . . . . . . . . . . . . 5
2.2. Service Function Chain Symmetry . . . . . . . . . . . . . 7
2.3. Service Function Paths . . . . . . . . . . . . . . . . . . 7
3. Service Function Chaining Architecture . . . . . . . . . . . . 8
3.1. Architecture Principles . . . . . . . . . . . . . . . . . 8
3.2. Fundamental Components . . . . . . . . . . . . . . . . . . 8
4. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
5. Security Considerations . . . . . . . . . . . . . . . . . . . 12
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
7.1. Normative References . . . . . . . . . . . . . . . . . . . 14
7.2. Informative References . . . . . . . . . . . . . . . . . . 14
Appendix A. Existing Service Deployments . . . . . . . . . . . . 15
Appendix B. Issues with Existing Deployments . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17
Quinn, et al. Expires March 27, 2014 [Page 2]
Internet-Draft NSC Arch September 2013
1. Introduction
This document describes a standard architecture for the creation of
Service Function Chains. It includes architectural concepts,
principles, and components used for the application of services in a
network. This document does not propose solutions or protocols.
1.1. Scope
The architecture described herein is assumed to be applicable to a
single network administrative domain. While it is possible for the
principals and architectural components to be applied to inter-domain
service function chains, these are left for future study.
1.2. Definition of Terms
Service Function (SF): A network or application based packet
treatment, application, compute or storage resource, used
singularly or in concert with other service functions within a
service chain to enable a service offered by a network operator.
A non-exhaustive list of Service Functions includes: firewalls,
WAN and application acceleration, Deep Packet Inspection (DPI),
server load balancers, NAT44 [RFC3022], NAT64 [RFC6146], HOST_ID
injection, HTTP Header Enrichment functions, TCP optimizer, etc.
The generic term "L4-L7 services" is often used to describe many
service functions.
Service: An offering provided by a network operator that is
delivered using one or more service functions. This may also be
referred to as a composite service.
Note: The term "service" is overloaded with varying definitions.
For example, to some a service is an offering composed of several
elements within the operators network whereas for others a
service, or more specifically a network service, is a discrete
element such as a firewall. Traditionally, these network services
host a set of service functions and have a network location where
the service is delivered.
Service Node (SN): Physical or virtual element that hosts one or
more service functions and has one or more network locaters
associated with it for reachability and service delivery.
Quinn, et al. Expires March 27, 2014 [Page 3]
Internet-Draft NSC Arch September 2013
Service Function Chain (SFC): The combination of a set of service
functions that are to be applied to selected traffic in a specific
order.
Service Chain (SC): A short form of Service Function Chain.
1.3. Service Function Chaining
Service Function Chaining is a concept that implies more than just an
ordered set of service functions, rather it describes a method for
deploying service functions that enables not only ordering but
topological independence of those service functions as well as value
addition. A basic service function chain might simply utilize an
existing overlay technology along with service specific forwarding in
the network to steer traffic through the necessary service functions.
However, additional information that is shared across a subset of
service functions enables value added service functions and a richer
service function chain. For example, shared information, such as the
results of a classification function, may be passed to downstream
service functions to enable the offloading of service function
processing. As another example, sharing the information derived at
one service function to the rest in the service chain would not only
obviate the need to re-derive the same information but also
simplifies the service as re-deriving may be impractical.
Quinn, et al. Expires March 27, 2014 [Page 4]
Internet-Draft NSC Arch September 2013
2. Architectural Concepts
The following sections describe the core principles of a service
function chaining infrastructure.
2.1. Service Function Chains
In most networks services are constructed as a sequence of service
functions that represent a Service Function Chain. The collection of
available service functions within an administrative domain forms a
directed graph where the vertices represent an individual service
function and the edges form the overlay connecting those vertices as
partially represented in figure 1.
,---.
/ \
+------->( 5 )
| \ /
| `---'
|
|
,---.+ ,---. ,---.
/ \ / \ / \
+---->( 2 +------->( 6 )+--------->( 8 )
| \ / \ / \ /
| `-+-' `---' `---'
| |
| |
| ,-v-.
| / \ ,---.
,-+-. ( 3 + / \
/ \ \ /+------------> 7 +
( 1 ) `---'<--------------+ /|
\ / `---' |
`---' |
|
,---. +------->---.
/ \ / \
( 4 +---------------------------> 9 )
\ / \ /
+--^' `---'
| |
+--+
Figure 1: Service Function Chain Directed Graph
Quinn, et al. Expires March 27, 2014 [Page 5]
Internet-Draft NSC Arch September 2013
At a high level, service function chaining creates an abstracted view
of a service and specifies the set of required service functions as
well as the order in which they must be executed. Sub-graphs, from
the overall directed graph, define each Service Function Chain.
Service functions can be part of none, one, or many service function
chains.
,-+-. ,---. ,---. ,---.
/ \ / \ / \ / \
( 1 )+----->( 2 )+------>( 6 )+------> ( 8 )
\ / \ / \ / \ /
`---' `---' `---' `---'
,---.
/ \
+----->( 2 )
| \ /
| `---'
| +
,-+-. |
/ \ v
( 1 ) ,---. ,---. ,---.
\ / / \ / \ / \
`---' ( 3 )+---->( 7 )+----->( 9 )
\ / \ / \ /
`---' `---' `---'
+---+
| |
| |
| v
+---.
/ \
+-----> 4 )
| \ /+
| `---' |
| |
,-+-. |
/ \ |
( 1 ) | ,---.
\ / | / \
`---' +------>( 9 )
\ /
`---'
Quinn, et al. Expires March 27, 2014 [Page 6]
Internet-Draft NSC Arch September 2013
Figure 2: Service Function Chain Sub-Graphs
2.2. Service Function Chain Symmetry
Service Function Chains may be unidirectional or bidirectional. A
unidirectional service function chain requires traffic to be
forwarded through the ordered service functions in one direction (SF1
-> SF2 -> SF3), whereas a bidirectional service function chain
requires a symmetric path (SF1 -> SF2 -> SF3 and SF3 -> SF2 -> SF1).
A hybrid service function chain has attributes of both bidirectional
and unidirectional service function chains: some service functions
require symmetric traffic, other service functions do not process
reverse traffic.
2.3. Service Function Paths
Service function chains, when instantiated in the network, leads to
the selection of specific instances of service functions at various
SNs as well as the creation of the service topology using the network
locator of each individual SN. Thus, instantiation of the service
function chain results in the creation of a Service Function Path and
is used for forwarding packets through the service function chain.
In other words, Service Function Path is the instantiation of the
defined service function chain.
This abstraction enables the binding of service function chains to
specific service function instances based on a range of policy
attributes defined by the operator. For example, a service function
chain definition might specify that one of the service function
elements of the chain is a firewall. However, on the network, there
might exist a number of firewall service function elements (each
providing the same policy enforcement) and only when the service
function path is created is one of those firewall instances selected.
The selection can be based on a range of policy attributes, ranging
from simple to more elaborate criteria.
Quinn, et al. Expires March 27, 2014 [Page 7]
Internet-Draft NSC Arch September 2013
3. Service Function Chaining Architecture
3.1. Architecture Principles
Service function chaining is predicated on several key architectural
principles:
1. Topological independence: no changes to the underlying forwarding
topology - implicit, or explicit - are needed to deploy service
functions.
2. Consistent policy identifiers: per-service policy leverages
policy identifier(s) that are consistent for the service function
chain.
3. Classification: the start of a service function chain is defined
by classification and only required traffic is forwarded through
the service function chain.
4. Sharing of metadata/context: the network and service functions no
longer exist in separate silos. Metadata/context data can be
shared amongst all participating nodes - network or service
functions.
3.2. Fundamental Components
Service function chaining can be divided into several components that
together form the basis of the architecture:
1. Service Functions as Resources: The concept of a service function
evolves: rather than being viewed as a bump in the wire, a
service function becomes a resource within a specified
administrative domain that is available for consumption. As
such, service functions have a network locator and a variable set
of attributes that describe the function offered. The
combination of locator and attributes are used to construct a
service function chain.
2. Classifier: A component that performs traffic classification.
Classification is the precursor to the start of a service
function path: traffic that matches classification criteria is
forwarded along a given service function path to realize the
requirements of a service function chain. The granularity of
classification varies based on operator requirements and device
capabilities. While initial classification at a network node
starts a service function path, subsequent classifications may
occur along the service function chain and further alter the
service function path. This re-classification may also update
Quinn, et al. Expires March 27, 2014 [Page 8]
Internet-Draft NSC Arch September 2013
the context information (see below).
3. Overlay Service Topology: A service topology is created to
interconnect the elements used to form the service function path.
The overlay topology is specific to the service function path: it
is created for the express purpose of steering the service
packets through the service functions and optionally passing
context data. The overlay topology can be constructed using any
existing transport, for example IP, MPLS, etc.
4. Control plane: The service function chaining control plane is
responsible for constructing the service function paths:
translating the service function chains to the forwarding paths
and propagating path information to participating nodes - network
and service - to achieve requisite forwarding behavior to
construct the service overlay. For instance, a service function
chain construction may be static - using specific service
function instances, or dynamic - choosing service function
instances at the time of delivering traffic to the service
function. In service function chaining, service functions are
resources; the control plane advertises their capabilities,
availability and location. The control plane is also responsible
for the creation of the context (see below).
5. Shared context data: Sharing context data allows the network to
provide network-derived information to the service functions, as
well as enabling service function to service function information
passing. This component is optional. Service function chaining
infrastructure enables the exchange of this shared context along
the service function path. The shared context serves several key
functions within the architecture:
* Allows elements that typically operate as ships-in-the-night
to exchange information
* Encodes information about the network for post-service
forwarding
* Creates an identifier used for policy binding by service
functions
Context information can be derived in several ways:
* External sources
Quinn, et al. Expires March 27, 2014 [Page 9]
Internet-Draft NSC Arch September 2013
* Network node classification
* Service function classification
The figure below provides a high level view of the components:
+-------+
+----------+|control|+----------+
| |plane | |
| +---+---+ |
| | |
v v v
+----------+ ,---. ,---. ,---. +----------+
|classifier|+---> / \+------->/ \+-------->/ \+-------->|classifier|
| | ( 1 )<-----+( 2 )<------+( 3 )<-------+| |
+----------+ \ / \ / \ / +----------+
`---' `---' `---'
Figure 3: Service Function Chaining Architecture
Quinn, et al. Expires March 27, 2014 [Page 10]
Internet-Draft NSC Arch September 2013
4. Summary
Service function chains enable composite services that are
constructed from one or more service functions. This document
provides a standard architecture, including architectural concepts,
principles, and components, for the creation of Service function
chains.
Quinn, et al. Expires March 27, 2014 [Page 11]
Internet-Draft NSC Arch September 2013
5. Security Considerations
This document does not define a new protocol and therefore creates no
new security issues.
Quinn, et al. Expires March 27, 2014 [Page 12]
Internet-Draft NSC Arch September 2013
6. Acknowledgments
The authors would like to thank David Ward, Abhijit Patra and Nagaraj
Bagepalli for their contributions.
Quinn, et al. Expires March 27, 2014 [Page 13]
Internet-Draft NSC Arch September 2013
7. References
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
7.2. Informative References
[NSCprob] "Network Service Chaining Problem Statement", <http://
datatracker.ietf.org/doc/
draft-quinn-nsc-problem-statement/>.
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
Address Translator (Traditional NAT)", RFC 3022,
January 2001.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
NAT64: Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers", RFC 6146, April 2011.
Quinn, et al. Expires March 27, 2014 [Page 14]
Internet-Draft NSC Arch September 2013
Appendix A. Existing Service Deployments
Existing service insertion and deployment techniques fail to address
new challenging requirements raised by modern network architectures
and evolving technologies such as multi-tenancy, virtualization,
elasticity, and orchestration. Networks, servers, storage
technologies, and applications, have all undergone significant change
in recent years: virtualization, network overlays, and orchestration
have increasingly become adopted techniques. All of these have
profound effects on network and services design.
As network service functions evolve, operators are faced with an
array of form factors - virtual and physical - as well as with a
range of insertion methods that often vary by vendor and type of
service.
Such existing services are deployed using a range of techniques, most
often associated with topology or forwarding modifications. For
example, firewalls often rely on layer-2 network changes for
deployment: a VLAN is created for the "inside" interface, and another
for the "outside" interface. In other words, a new L2 segment was
created simply to add a service function. In the case of server load
balancers, policy routing is often used to ensure traffic from
server's returns to the load balancer. As with the firewall example,
the policy routing serves only to ensure that the network traffic
ultimately flows to the service function(s).
The network-centric information (e.g. VLAN) is not limited to
insertion; this information is often used as a policy identifier on
the service itself. So, on a firewall, the layer-2 segment
identifies the local policy to be selected. If more granular policy
discrimination is required, more network identifiers must be created
either per-hop, or communicated consistently to all services.
Quinn, et al. Expires March 27, 2014 [Page 15]
Internet-Draft NSC Arch September 2013
Appendix B. Issues with Existing Deployments
Due to the tight coupling of network and service function resources
in existing networks, adding or removing service functions is a
complex task that is fraught with risk and is tied to
operationalizing topological changes leading to massively static
configuration procedures for network service delivery or update
purposes. The inflexibility of such deployments limits (and in many
cases precludes) dynamic service scaling (both horizontal and
vertical) and requires hop-by-hop configuration to ensure that the
correct service functions, and sequence of service functions are
traversed.
A non-exhaustive list of existing service deployment and insertion
techniques as well as the issues associated with each may be found in
[NSCprob].
Quinn, et al. Expires March 27, 2014 [Page 16]
Internet-Draft NSC Arch September 2013
Authors' Addresses
Paul Quinn
Cisco Systems, Inc.
Email: paulq@cisco.com
Jim Guichard
Cisco Systems, Inc.
Email: jguichar@cisco.com
Surendra Kumar
Cisco Systems, Inc.
Email: smkumar@cisco.com
Carlos Pignataro
Cisco Systems, Inc.
Email: cpignata@cisco.com
Quinn, et al. Expires March 27, 2014 [Page 17]