Network Working Group S. Lee Internet-Draft M. Shin Intended status: Informational Y. Choi Expires: January 16, 2014 ETRI July 15, 2013 Problem statement for Verification of Network Service Chains draft-lee-nsc-verification-problem-statement-01 Abstract This document addresses the possible conflicts between service overlays in the network service chaining. These conflicts are due to overlapping in classification rules and resource sharing of service overlays. The verification of service chains provides a method for network administrators to detect such conflicts and correct a problematic service chain before applying it on the real network. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 16, 2014. Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of Lee, et al. Expires January 16, 2014 [Page 1] Internet-Draft Problem Statement for NSC Verification July 2013 the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Problem Areas . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Verification of Service Chains . . . . . . . . . . . . . . . 3 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 6.1. Normative References . . . . . . . . . . . . . . . . . . 4 6.2. Informative References . . . . . . . . . . . . . . . . . 4 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction The current network service model is bound to static topologies and manually configured resources. This has motivated a more flexible deployment model which orchestrates the service delivery separated from the network. Network service chaining (NSC) [I-D.quinn-nsc-problem-statement] [I-D.boucadair-network-function-chaining] provides a new network service model that delivers the traffic along the predefined logical paths of network services (i.e., service overlays or service chains). The service overlay provides a specific order of network services with no regard of network topologies. The traffic is classified with a set of rules in different granularity to select a target service overlay. The service overlays are configured to be isolated from each other with virtualization of the network resources and different traffic classification rules. However, the service overlays can share the physical network resources (i.e., network services); and the traffic classification rules can overlap each other. This may cause unexpected QoS degradation in a composite network service due to network service overload; and service failure due to loops or interventions of the service overlays. In order to these conflicts of service overlays over network resources and classification rules, it is required to verify the newly added service overlays before applying them on the real network. This document formulates the problems in network service chaining for the verification of service overlays to avoid any conflicts between them. Lee, et al. Expires January 16, 2014 [Page 2] Internet-Draft Problem Statement for NSC Verification July 2013 2. Problem Areas The main reasons why service chains may bring conflicts between each other are as follows: 1. Sharing of network services: The service overlay provides the identifiers of network services; and invocation orders and logical links between them. The network service is instantiated with the identifier so that one or more physical network service nodes are located for it. While the network service instantiation can be orchestrated by NSC functions in a load balanced manner, the computing resource for the network service is limited and dynamic so that it is not avoidable for different service chains to share the same network service instances. This brings uncertainty in QoS of the network service chains because they cannot see which service chains share the same network services. Thus, the network administrator should carefully check the conflict over the network resources before adding a new service chain to the real network for its stability. 2. Overlapping of classification rules: An incoming packet (or traffic) is classified according to the classification rules to determine which service overlay will handle it. The classification is based on the contents of one or more packet header fields so that the classification rule may vary in different granularity. This may bring a problematic case that an incoming packet matches two or more classification rules with different service chains, which can result in a service chain loop or intervention. Different priorities of the rules can help the problem but it is not easy to predict which rules may be in a conflict. Moreover, the service chains of low priorities may be unreachable but not intended to. Thus, the network administrator should carefully check the conflict of the classification rules between service chains before adding a new one to the real network for its consistency. 3. Verification of Service Chains The service chain verification function provides an ability to check whether there is any conflict between a new service chain and the existing ones in the network before applying the new service chain in the network. The aforementioned problems arise from the rule or resource conflicts between service chains. Thus, the verification targets are the classification rules and network resources used for a new service chain. Lee, et al. Expires January 16, 2014 [Page 3] Internet-Draft Problem Statement for NSC Verification July 2013 As a result of the rule verification, the classification rules whose target packets are a subset or a superset of the ones of the new rule are presented out of the existing rules in the network. In the similar way, the shared network services between the new service chain and the existing ones are listed with their frequencies of being shared as a result of resource verification. The verification results are provided to network administrators so that they can easily anticipate the possible problematic cases and determine if the service chain is required to be corrected or not. The verification procedure above is performed in an off-line manner. In other words, it is a formal verification method which checks the conflicts of configurations at design time. This method is relatively simple and can test a set of service chains in an exhaustive manner. However, dynamic state of network resources and topologies cannot be considered at the verification. 4. Security Considerations TBD. 5. IANA Considerations TBD. 6. References 6.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. 6.2. Informative References [I-D.boucadair-network-function-chaining] Boucadair, M., Jacquenet, C., Parker, R., Lopez, D., Yegani, P., Guichard, J., and P. Quinn, "Differentiated Network-Located Function Chaining Framework", draft- boucadair-network-function-chaining-02, July 2013. [I-D.quinn-nsc-problem-statement] Quinn, P., Guichard, J., Kumar, S., Chauhan, A., Leymann, N., Boucadair, M., Jacquenet, C., Smith, M., Yadav, N., Nadeau, T., Gray, K., and B. McConnell, "Network Service Chaining Problem Statement", draft-quinn-nsc-problem- statement-01, July 2013. Lee, et al. Expires January 16, 2014 [Page 4] Internet-Draft Problem Statement for NSC Verification July 2013 Authors' Addresses Seung-Ik Lee ETRI 218 Gajeong-ro Yuseung-Gu Daejeon 305-700 Korea Phone: +82 42 860 1483 Email: seungiklee@etri.re.kr Myung-Ki Shin ETRI 218 Gajeong-ro Yuseung-Gu Daejeon 305-700 Korea Phone: +82 42 860 4847 Email: mkshin@etri.re.kr Yoon-Chul Choi ETRI 218 Gajeong-ro Yuseung-Gu Daejeon 305-700 Korea Phone: +82 42 860 5978 Email: cyc79@etri.re.kr Lee, et al. Expires January 16, 2014 [Page 5]