SFC                                                          R. Gu, Ed.
Internet-Draft                                                     C. Li
Intended status: Informational                              China Mobile
Expires: January 6, 2016                                    July 5, 2015


       Usecase and hierarchical models of service function chaining
                          in cloud datacenters
             draft-gu-sfc-usecase-and-hierarchical-models-00

Abstract

   This draft introduces a use case and hierarchical models for
   providing service functions such as VPN, FW, LB and DPI in cloud
   datacenters.  To guide practical deployment, the cascade and hang-on
   network architectures are compared.  By adopting the hang-on network
   architecture and the hierarchical models, services to the tenants
   become more flexible and elastic, while services become more
   convenient for the operators to manage.

Status of This Memo

   This Internet-Draft is submitted to the IETF in full conformance with
   the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 6, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Gu & Li                 Expires January 6, 2016                 [Page 1]

Internet-Draft    sfc-usecase-and-hierarchical-models-00       July 2015

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Definition of terms
   4.  Cloud datacenters network architecture
   5.  Usecase and hierarchical models
   6.  Conclusion
   7.  Security Considerations
   8.  IANA Considerations
   9.  Normative References
   Authors' Addresses

1.  Introduction

   Network service functions including NAT, firewall, load balancing,
   DPI, and many others are provided in cloud datacenters as value-added
   services (VAS).  Service function chaining is a traffic steering
   technology that directs traffic flows through these network service
   functions.

   This draft describes a typical use case of service function chaining
   in cloud datacenters based on the recommended network architecture.
   In addition, three typical models are introduced: the service model,
   the network model and the device model.  By adopting this
   hierarchical model, standardized services become more convenient for
   both the tenants and the operators.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Definition of terms

   VPN:  virtual private network

   NAT:  network address translation

   FW:   firewall

   LB:   load balancer

   DPI:  deep packet inspection

   VM:   virtual machine

   VAS:  value-added services

4.  Cloud datacenters network architecture

   In order to provide service functions better, we compare the two
   physical network architectures in current use: the cascade
   architecture and the hang-on architecture.
   In the cascade network architecture, all the physical devices are
   directly connected one after another.  Take traffic entering the
   datacenter from the Internet as an example: from top to bottom, the
   traffic passes from the Internet through the firewall devices, the
   DPI devices, the load balancers and any other devices before reaching
   the virtual machines.

   In the hang-on architecture, all the devices such as firewalls, DPIs
   and load balancers hang on the switch.  Traffic goes to the switch
   and is then forwarded only to the service nodes that are needed.

   Compared with the hang-on architecture, the cascade architecture has
   disadvantages such as inflexibility and inefficiency.  Traffic has to
   pass through every node cascaded in the link, so when one of the
   nodes is congested all the links are affected.  In the hang-on
   architecture, by contrast, the traffic flow can be improved with
   service function chaining.

   In practice, the hang-on architecture is recommended for providing
   service functions in datacenters.  In the cascade architecture,
   traffic would have to be engineered in other ways to satisfy a
   service function chain, which needs to be taken into consideration.
   [Figure 1: cascade and hang-on network architecture.  ASCII diagram
   not recoverable from extraction.  Both panels contain the boxes
   Internet, VPN, FW, DPI, SW, LB and VM; the "cascade network
   architecture" panel connects them in series, while the "hang-on
   network architecture" panel attaches the service devices to the
   switch (SW).]

5.  Usecase and hierarchical models

   Services such as NAT, VPN, FW, VLB and DPI are provided to the public
   in datacenters.  In the datacenter, the NAT, VPN, FW, VLB and DPI
   devices form several resource pools hanging on the switch.  When one
   of the services is needed, traffic is redirected to the corresponding
   resource pool.

   Based on our actual practice, we divide the practical deployment into
   three hierarchical models: service models, network models and device
   models.

   (1)  Service models

   Service models face the tenants directly.  So far, five typical
   service models have been summarized according to the typical services
   provided in cloud datacenters.

   Service Model A: FW+VM

   [Figure 2: Service Model A.  Diagram not recoverable from
   extraction; boxes: Internet, FW pool hanging on SW, VM.]

   For customers who need the firewall service, the template of a
   firewall plus a virtual machine is suitable.
   When applying for service, tenants can subscribe to their own
   service with firewalls by choosing service model A.

   Service Model B: FW+LB+VM

   [Figure 3: Service Model B.  Diagram not recoverable from
   extraction; boxes: Internet, FW pool and LB pool hanging on SW, VM.]

   Service model B is designed for customers who require both firewall
   and load balancing services.  When service model B is chosen, traffic
   goes through the firewall and then the load balancer before arriving
   at the virtual machines.

   Service Model C: VPN+FW+LB+VM

   [Figure 4: Service Model C.  Diagram not recoverable from
   extraction; boxes: Internet, VPN, FW pool and LB pool hanging on SW,
   VM.]

   Service model C is service model B plus the VPN service, for
   customers who require a private line, a firewall and a load balancer.

   Service Model D: VPN+FW+VM

   [Figure 5: Service Model D.  Diagram not recoverable from
   extraction; boxes: Internet, VPN, FW pool hanging on SW, VM.]

   Service model D is for the service chain of VPN and firewall.
   Service Model E: VPN+LB+VM

   [Figure 6: Service Model E.  Diagram not recoverable from
   extraction; boxes: Internet, VPN, LB pool hanging on SW, VM.]

   Service model E is for the service chain of VPN and load balancer.

   Every typical service belongs to a service model.  A customer can
   request a service by choosing one of these service models.  To
   provide more services, the set of service models needs to be
   updated.

   (2)  Network models

   Network models include the network architecture, the traffic flow,
   and the policy and routing protocol of the practical network.
   Service models are realized by network models: when a tenant selects
   a service model, the corresponding network model is set up at the
   same time.

   Network Model A: FW+VM

   Traffic is steered by policy through the firewall to the virtual
   machines.

   Network Model B: FW+LB+VM

   Combining the firewall and load balancing services, traffic goes
   through the firewall and the load balancer in turn.

   Network Model C: VPN+FW+LB+VM

   Corresponding to service model C, traffic is steered through the
   VPN, firewall and load balancer devices hanging on the switch, with
   the help of network policy.

   Network Model D: VPN+FW+VM

   Network model D is established to provide the VPN and firewall
   services.

   Network Model E: VPN+LB+VM

   Network model E is established to provide the VPN and load balancer
   services.

   (3)  Device models

   The physical or virtual devices belong to the device models.  In
   practical deployment, devices are deployed as resource pools, such
   as the VPN device pool, the firewall pool and the load balancer pool,
   each of which may be contributed by different vendors.
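   The three layers above, and the cascade/hang-on comparison of
   Section 4, can be expressed as a small resolver.  The following is an
   added example, not code from the draft or its authors: the service
   model catalogue is the draft's (A to E), while the pool contents,
   vendor names and the in-line device order of the cascade architecture
   are constructed assumptions.

```python
# Added example, not from the draft: the hierarchical models as a resolver.
# Pool contents/vendor names are constructed; CASCADE_ORDER is assumed.

# Service models exactly as the draft lists them, ordered towards the VM.
SERVICE_MODELS = {
    "A": ["FW"],
    "B": ["FW", "LB"],
    "C": ["VPN", "FW", "LB"],
    "D": ["VPN", "FW"],
    "E": ["VPN", "LB"],
}

# Device model: per-function resource pools hanging on the core switch.
DEVICE_POOLS = {
    "VPN": ["vpn-vendorX-1"],
    "FW": ["fw-vendorX-1", "fw-vendorY-1"],
    "LB": ["lb-vendorY-1"],
    "DPI": ["dpi-vendorZ-1"],
}

# Assumed in-line device order for the cascade architecture (Section 4).
CASCADE_ORDER = ["VPN", "FW", "DPI", "LB"]
TRANSIT = {"Internet", "SW", "VM"}


def cascade_path(model):
    """Cascade: every in-line device is traversed whatever the model says."""
    SERVICE_MODELS[model]  # KeyError for an unknown service model
    return ["Internet"] + CASCADE_ORDER + ["VM"]


def hang_on_path(model, pools=DEVICE_POOLS, rr=None):
    """Hang-on network model: the switch steers the flow to one instance of
    each function in the chain and back, in chain order, then to the VM.
    `rr` holds per-pool round-robin counters across calls (pass a dict)."""
    rr = {} if rr is None else rr
    path = ["Internet", "SW"]
    for sf in SERVICE_MODELS[model]:
        instances = pools.get(sf)
        if not instances:  # the network model cannot realise the service model
            raise LookupError(f"service model {model} needs a {sf} pool")
        n = rr.get(sf, 0)
        path += [instances[n % len(instances)], "SW"]
        rr[sf] = n + 1
    return path + ["VM"]


def device_hops(path):
    """Number of service devices a flow actually traverses."""
    return sum(1 for hop in path if hop not in TRANSIT)
```

   Comparing device_hops(cascade_path("A")) with
   device_hops(hang_on_path("A")) shows the inefficiency the draft
   attributes to the cascade architecture: four devices traversed
   against one.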
   All of these devices are interconnected by the core switch.

6.  Conclusion

   A use case and hierarchical models of service functions in cloud
   datacenters have been introduced for providing services such as VPN,
   FW, LB and DPI.  The cascade and hang-on network architectures have
   been compared to guide the deployment of service functions in
   datacenters.  By adopting the hang-on network architecture and the
   hierarchical models, services become more flexible, convenient and
   elastic.  Improvement of the cascade network architecture needs to be
   studied further.

7.  Security Considerations

   None.

8.  IANA Considerations

   None.

9.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", RFC 2234, November 1997.

Authors' Addresses

   Rong Gu (editor)
   China Mobile
   32 Xuanwumen West Ave, Xicheng District
   Beijing  100053
   China

   Email: gurong_cmcc@outlook.com


   Chen Li
   China Mobile
   32 Xuanwumen West Ave, Xicheng District
   Beijing  100053
   China

   Email: lichenyj@chinamobile.com