INTERNET-DRAFT                                              David Dolson
Intended Status: Informational                                  Sandvine
Expires: August 18, 2014                               February 14, 2014


                    VLAN Service Function Chaining
                        draft-dolson-sfc-vlan-00

Abstract

   This document describes an implementation of Service Function Chains
   (SFC) utilizing standard VLAN switching, appropriate for
   bump-in-the-wire Service Function nodes.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Copyright and License Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

David Dolson             Expires August 18, 2014                [Page 1]

INTERNET DRAFT           draft-dolson-sfc-vlan-00      February 14, 2014

Table of Contents

   1  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  3
   2. Network Architecture . . . . . . . . . . . . . . . . . . . . .  4
     2.1  Assumptions about Service Functions  . . . . . . . . . . .  5
     2.2  Configuration of the Switch  . . . . . . . . . . . . . . .  5
   3  Configuration at the Classifier  . . . . . . . . . . . . . . .  7
     3.1  Sequence . . . . . . . . . . . . . . . . . . . . . . . . .  7
     3.2  Group  . . . . . . . . . . . . . . . . . . . . . . . . . .  8
     3.3  Rule and Action  . . . . . . . . . . . . . . . . . . . . .  8
   4  Security Considerations  . . . . . . . . . . . . . . . . . . .  9
   5  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  9
   6  References . . . . . . . . . . . . . . . . . . . . . . . . . .  9
     6.1  Normative References . . . . . . . . . . . . . . . . . . .  9
     6.2  Informative References . . . . . . . . . . . . . . . . . .  9
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . .  9

1 Introduction

   In the interest of sharing what we have learned, this document
   describes an approach to service chaining that Sandvine has been
   using for several years.  The approach utilizes Ethernet VLAN tags to
   identify individual service chain instances.  We find VLAN technology
   to be sufficient for some use cases, with simple requirements on the
   Service Function.

1.1 Terminology

   Although Sandvine products use different nomenclature, this document
   uses Service Function Chaining Architecture terminology [SFCarch],
   including "Classifier", "Service Function", "Service Function Chain".

2. Network Architecture

   Network diagram:

                      +---------------+
   Subscriber------| Classifier1   |------Internet
   network         +---------------+
                    MAC1, MAC2 |
                               |
                               |       +---------------+
   Subscriber------------------|-------| Classifier2   |------Internet
   network                     |       +---------------+
                               |        MAC3, MAC4 |
                               |                   |
                101,102,201,202|                   |101,102,201,202
     +----------------------------------------------------+
     |                         1                   8      |
     |                                                    |
     |                       Switch                       |
     |                                                    |
     |  2        3        4        5        6        7    |
     +----------------------------------------------------+
        |        |        |        |        |        |
     101|        |101     |        | 101,102|        |101,102
        |        | 101,102|        |101,102 |        |
        |        |        |        |        |        |
        +--------+        +--------+        +--------+
        |  SF A  |        |  SF B  |        |  SF C  |
        +--------+        +--------+        +--------+

   Figure 1: System involving 3 Service Functions.  All switch
   interfaces are trunks.  VLANs required for the examples in the tables
   below are indicated.

   For bidirectional traffic between a Subscriber network and the
   Internet, an operator may want various combinations of symmetric
   chains.  E.g.,

      A<-->B<-->C
      A<-->B
      B<-->C
      C<-->A

   In the notation above, traffic from a subscriber enters the left SF
   first, passing to the right; traffic from the Internet enters the
   right SF first, passing to the left.

   Each Classifier has an interface into the SFC switching domain.  This
   is a VLAN trunk interface having two Ethernet MAC addresses, allowing
   packet direction to be specified.

   It should be noted that when referring to a bidirectional sequence,
   describing an ordered sequence of functions must always be qualified
   with a direction.

   After traffic exits a chain, it returns to the initiating Classifier.
   This is very useful for reasons of accounting and performing other
   actions after the service chain.
2.1 Assumptions about Service Functions

   Each service function node is assumed to be a bump-in-the-wire
   Ethernet device with the following properties:

   - the device has two interfaces, logically subscriber-side and
     Internet-side;

   - the device forwards Ethernet packets between the interfaces without
     modifying any aspect of the Ethernet header;

   - if the device needs to inject packets that it has created for a
     particular connection, it uses the Ethernet MAC addresses and VLANs
     previously observed for the connection;

   - the device may be capable of intersecting an Ethernet 802.1q trunk,
     in which case it can reside on more than one service chain.

2.2 Configuration of the Switch

   The solution requires the switch to be configured with a number of
   forwarding rules that consider the input interface and VLAN number to
   select the next output interface and new VLAN number.

   For example, the following rules implement a bidirectional path
   A<-->B<-->C through the 3 hosts from either Classifier in Figure 1:

   +---------+---------+------++---------+---------+
   | Rx Port | Rx VLAN | MAC  || Tx Port | Tx VLAN |
   +---------+---------+------++---------+---------+
   |    1    |   101   |  *   ||    2    |   101   |
   |    8    |   101   |  *   ||    2    |   101   |
   |    3    |   101   |  *   ||    4    |   101   |
   |    5    |   101   |  *   ||    6    |   101   |
   |    7    |   101   | MAC2 ||    1    |   201   |
   |    7    |   101   | MAC4 ||    8    |   201   |
   |    1    |   201   |  *   ||    7    |   101   |
   |    8    |   201   |  *   ||    7    |   101   |
   |    6    |   101   |  *   ||    5    |   101   |
   |    4    |   101   |  *   ||    3    |   101   |
   |    2    |   101   | MAC1 ||    1    |   101   |
   |    2    |   101   | MAC3 ||    8    |   101   |
   +---------+---------+------++---------+---------+

   Classifier1 sends a packet from the subscriber into this chain by
   inserting it on VLAN 101 from MAC1 to MAC2; it later receives the
   packet (or a modified packet) on VLAN 201.  Classifier1 sends a
   packet from the Internet into this chain by inserting it on VLAN 201
   from MAC2 to MAC1; it later receives the packet (or a modified
   packet) on VLAN 101.
   Similarly, Classifier2 makes use of MAC3 and MAC4 with VLANs 101 and
   201.

   It is important to note the symmetry of the paths taken.  Packets
   sent to switch port 1 on VLAN 101 traverse each SF with the same VLAN
   number as packets sent to switch port 1 on VLAN 201.

   And these compatible rules implement a bidirectional path C<-->B
   through hosts C and B from either Classifier in Figure 1:

   +---------+---------+------++---------+---------+
   | Rx Port | Rx VLAN | MAC  || Tx Port | Tx VLAN |
   +---------+---------+------++---------+---------+
   |    1    |   102   |  *   ||    6    |   102   |
   |    8    |   102   |  *   ||    6    |   102   |
   |    7    |   102   |  *   ||    4    |   102   |
   |    5    |   102   | MAC2 ||    1    |   202   |
   |    5    |   102   | MAC4 ||    8    |   202   |
   |    1    |   202   |  *   ||    5    |   102   |
   |    4    |   102   |  *   ||    7    |   102   |
   |    6    |   102   | MAC1 ||    1    |   102   |
   |    6    |   102   | MAC3 ||    8    |   102   |
   +---------+---------+------++---------+---------+

   There are many vendor-specific methods of achieving the
   configuration, ranging from manual CLI methods to methods that
   involve a Service Chaining Controller utilizing SDN.

3 Configuration at the Classifier

   Service Function Chains must be explicitly configured before they can
   be used in classifier rules at the SFC boundary.  A classifier rule
   then names a chain in a "divert" action.  ("Divert" is Sandvine
   terminology for sending a transport connection to a service chain.)

   Rules act on transport connections, affecting both directions of
   traffic in a transport-layer 5-tuple.  When the divert action is
   activated for a transport connection, all packets from the subscriber
   are forced to enter the subscriber end of the service chain and all
   packets from the Internet are forced to enter the Internet end of the
   service chain.

   A Classifier has two MAC addresses.  It sends traffic to itself using
   two different VLANs.
   For example, in Figure 1, Classifier1 sends traffic from subscribers
   via hosts A, B and C by sending a packet from MAC1 to MAC2 on VLAN
   101 into switch port 1.  It sends traffic from the Internet into the
   same chain by sending a packet from MAC2 to MAC1 on VLAN 201 into
   switch port 1.

3.1 Sequence

   A "Sequence" must be configured for each distinct service chain
   instance.  In the following, Service Functions A, B and C are used,
   and new Service Functions D, E and F are introduced but not shown in
   Figure 1.

      # Identify a new sequence named "sequence1"
      # This sequence has SF nodes SF_A, SF_B and SF_C, and is
      # accessed with VLANs 101 and 201
      destination "sequence1" divert_sequence \
         destinations "SF_A" "SF_B" "SF_C" \
         interface "left" vlan 101 interface "right" vlan 201

      # Identify a new sequence named "sequence2"
      # This sequence has SF nodes SF_D, SF_E and SF_F, and is
      # accessed with VLANs 104 and 204
      destination "sequence2" divert_sequence \
         destinations "SF_D" "SF_E" "SF_F" \
         interface "left" vlan 104 interface "right" vlan 204

3.2 Group

   A "Group" definition specifies that multiple sequences are
   functionally equivalent, and that the Classifier may load-balance
   traffic across all of the healthy members of the group.

      # Define a group of equivalent sequences.
      destination "group1" group \
         destinations "sequence1" "sequence2" \
         healthchecks "ping" "inline"

   In a group definition, all of the destinations must have the same
   properties, including interface names.

   The health-checks identify chains that are failing; a failing chain
   is removed from group selection.  The "ping" health-check tests the
   control plane of each of the devices, whereas the "inline"
   health-check tests the data plane of the entire chain by sending
   packets in each end and expecting them to be received at the other
   end.
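   An added Python model (not from the draft and not Sandvine's code) of
   the switch forwarding tables in Section 2.2 and of the end-to-end
   property that the "inline" health-check verifies: a frame is traced
   port by port, with each SF treated as the bump-in-the-wire device of
   Section 2.1, and check_chain confirms that both directions return to
   the originating Classifier on the other VLAN and cross the same SFs
   in reverse order with identical VLAN numbers.  It assumes the MAC
   column of the tables is the destination MAC (as "from MAC1 to MAC2"
   implies); the second table as printed has no row for port 8, VLAN
   202, so the check reports Classifier2's Internet direction of the
   C<-->B chain as incomplete.

```python
# Switch rules for the A<-->B<-->C chain, transcribed from the first table in Section 2.2:
# (rx_port, rx_vlan, dst_mac, tx_port, tx_vlan); "*" matches any destination MAC.
RULES_ABC = [
    (1, 101, "*", 2, 101), (8, 101, "*", 2, 101),
    (3, 101, "*", 4, 101), (5, 101, "*", 6, 101),
    (7, 101, "MAC2", 1, 201), (7, 101, "MAC4", 8, 201),
    (1, 201, "*", 7, 101), (8, 201, "*", 7, 101),
    (6, 101, "*", 5, 101), (4, 101, "*", 3, 101),
    (2, 101, "MAC1", 1, 101), (2, 101, "MAC3", 8, 101),
]
# Rules for the C<-->B chain from the second table (as printed, it has no row for port 8, VLAN 202).
RULES_CB = [
    (1, 102, "*", 6, 102), (8, 102, "*", 6, 102), (7, 102, "*", 4, 102),
    (5, 102, "MAC2", 1, 202), (5, 102, "MAC4", 8, 202), (1, 202, "*", 5, 102),
    (4, 102, "*", 7, 102), (6, 102, "MAC1", 1, 102), (6, 102, "MAC3", 8, 102),
]
# Figure 1 wiring: SFs are bump-in-the-wire (Section 2.1), so a frame sent out one port of a
# pair re-enters on the other port with its Ethernet header untouched.
SF_NAME = {2: "A", 3: "A", 4: "B", 5: "B", 6: "C", 7: "C"}
SF_PEER = {2: 3, 3: 2, 4: 5, 5: 4, 6: 7, 7: 6}
CLASSIFIER_PORTS = {1, 8}   # Classifier1 on port 1, Classifier2 on port 8

def lookup(rules, rx_port, rx_vlan, dst_mac):
    """First matching rule wins; returns (tx_port, tx_vlan) or None."""
    for rp, rv, mac, tp, tv in rules:
        if (rp, rv) == (rx_port, rx_vlan) and mac in ("*", dst_mac):
            return tp, tv
    return None

def trace(rules, in_port, vlan, dst_mac, max_hops=16):
    """Follow one frame through the switch: returns (exit_port, exit_vlan, [(SF, vlan), ...]),
    with exit_port None when no rule matches, i.e. the chain configuration is incomplete."""
    hops, port = [], in_port
    for _ in range(max_hops):
        hit = lookup(rules, port, vlan, dst_mac)
        if hit is None:
            return None, None, hops
        port, vlan = hit
        if port in CLASSIFIER_PORTS:
            return port, vlan, hops
        hops.append((SF_NAME[port], vlan))
        port = SF_PEER[port]            # the SF forwards the frame out its other interface
    raise RuntimeError("forwarding loop: frame never returned to a classifier")

def check_chain(rules, cport, sub_vlan, inet_vlan, sub_dst, inet_dst):
    """Property the 'inline' health-check and the symmetry note in Section 2.2 rely on: both
    directions return to the originating classifier on the other VLAN and cross the same SFs
    in reverse order with identical VLANs (sub_dst/inet_dst: destination MACs per direction)."""
    out_s, v_s, path_s = trace(rules, cport, sub_vlan, sub_dst)    # subscriber -> Internet
    out_i, v_i, path_i = trace(rules, cport, inet_vlan, inet_dst)  # Internet -> subscriber
    return ((out_s, v_s) == (cport, inet_vlan) and (out_i, v_i) == (cport, sub_vlan)
            and bool(path_s) and path_s == list(reversed(path_i)))
```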
3.3 Rule and Action

   A particular transport connection can be sent to a chain with the
   divert action naming a sequence or group and the interfaces to use
   for each direction.

      if Flow.Server.Port = 80 then \
         divert destination "group1" \
         from subscriber interface "left" \
         from internet interface "right"

   For TCP connections with a server TCP port number of 80, the above
   rule will select one of the chains "sequence1" or "sequence2"
   (assuming both are healthy) and bind the connection to it for the
   duration.  Supposing sequence1 is selected, it will cause the traffic
   from the subscriber to enter the service chain on VLAN 101 and
   traffic from the internet to enter the service chain on VLAN 201.
   Traffic returning from a service chain is forwarded to the original
   Classifier.

4 Security Considerations

   The layer-2 network running the Service Function Chain should be
   isolated.  Otherwise there may be methods for an attacker to flood
   the network or otherwise mount a denial of service attack on the
   switching.

5 IANA Considerations

   This memo makes no request to IANA.

6 References

6.1 Normative References

6.2 Informative References

   [SFCarch]  "SFC Architecture",

Authors' Addresses

   David Dolson
   Sandvine

   EMail: ddolson@sandvine.com