Network Working Group W. Liu Internet-Draft H. Li Intended status: Informational O. Huang Expires: December 29, 2013 Huawei Technologies June 27, 2013 Service Chaining Use Cases draft-liu-service-chaining-use-cases-00 Abstract For some network services, traffic is forwarded through a sequence of network functions, which usually have dedicated capabilities other than forwarding, e.g. firewall. Forwarding of traffic along a sequence of service processing functions is usually based on service characteristics, but not destination addresses. We call such way of forwarding as service chaining. This memo describes use cases of service chaining. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on December 29, 2013. Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must Liu, et al. Expires December 29, 2013 [Page 1] Internet-Draft Service Chaining Use Cases June 2013 include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Use Cases of Service Chaining . . . . . . . . . . . . . . . . 3 3.1. Use case for service chain with NAT function . . . . . . 3 3.2. Use Case For Multiple Underlay Networks . . . . . . . . . 4 3.3. Use case of service path forking . . . . . . . . . . . . 5 3.4. Use case of multiple service paths share one network service function . . . . . . . . . . . . . . . . . . . . 5 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 6. Normative References . . . . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 1. Introduction Service flow traffic is fowarded through some network middle boxes for specific purposes, for example: a) Direct some kinds of traffic to a domain border gateway for monitoring and charging. b) Before sending traffic to DC servers, steer the traffic to go through a load balancer to distribute performance pressure. c) Mobile network operators split mobile broadband traffic and steer them along an offloading path. d) Use firewall for filtering traffic for IDS(Intrusion Detection System)/IPS(Intrusion Protection System). e) Use security gateway to encrypt/decrypt traffic. f) When traffic has to traverse different network technology segements, for example IPv4/IPv6, direct the traffic to CGNAT. Cloud computing technology has been more mature in recent years and triggers an idea that moves above service processing functions from purpose-designed hardware box into general computing servers. This idea can greatly save operators' cost for buying/maintaining the network middle boxes and give a big chance to operators on value added services. Liu, et al. Expires December 29, 2013 [Page 2] Internet-Draft Service Chaining Use Cases June 2013 We call the mechanism of steering traffic to service processing functions/service nodes before the traffic arrive their destination as Service chaining. This document describes some use cases of service chaining. 2. Terminology The following terms are used in this document: Service Processing Function: a logical entity which can provide one or more service processing functions for packets/frames such as firewall, DPI (Deep Packet Inspection), LI (Lawful Intercept) and etc. Usually these processing functions are computation intensive. Service Chain: one or more service processing functions in a specific order which are chained to provide a composite service, and packets/frames from one or more service flow should follow. Service Chaining: a mechanism of building service chains and forwarding packets/frames of service flows through them. Service Path: a path that traffic flows are forwarded through in a service chain. There might be multiple paths in a service chain. Service Flow: packets/frames with specific service characteristics (e.g., packets matching a specific tuple of fields in Ethernet, IP, TCP, HTTP headers and etc.) or determined by some service policies (such as access port and etc.) 3. Use Cases of Service Chaining 3.1. Use case for service chain with NAT function Due to IPv4 address exhaustion, more and more operators have deployed or are about to deploy IPv6 transition technologies such as NAT. The traffic traversing a NAT function may go through different types of IP address domain. One key feature of this scenario is that characteristics of packets before and after processed by the service processing function are different, e.g., from IPv4 to IPv6. The unpredictability of processed packets, due to the algorithm in the service processing function, brings difficulties in steering the traffic. Liu, et al. Expires December 29, 2013 [Page 3] Internet-Draft Service Chaining Use Cases June 2013 +---------+ +----------+ +----------+ | | | | | | ---->+ SPF C +------->+ SPF NAT +------->+ SPF E +--> | | | | | | +---------+ +----------+ +----------+ Figure 1: service chain with NAT function Figure 1 shows a specific example of service chain with NAT function. Service flow1 is processed by service processing function C, (NAT) and E sequentially. In this example, the service processing function(NAT) performs a NAT46 operation onto the flow. As a result, packets after processing by the service processing function(NAT) are in IPv6, which is a different version of IP header from the packets before processing. Service chaining in this scenario should be able to identify the flow even if it is changed after processed by service processing functions. 3.2. Use Case For Multiple Underlay Networks Operators may need to deploy their networks with various types of underlay technologies. Therefore, service chaining needs to support different types of underlay networks. +---------+ +----------+ +----------+ | | | | | | -->+ SPF A | | SPF B | | SPF C +--> | | | | | | +----+----+ +---+-+----+ +-----+----+ | ^ | ^ | ------ | | ------ | | // \\ | | // \\ | | | Ethernet | | v | | | +->+ network +->+ +->+ IP network +->+ | | | | \\ // \\ // ------ ------ Figure 2: multiple underlay networks: Ethernet and IP Figure 2 illustrates an example of Ethernet and IP network, very common and easy for deployment based on existing network status, as underlay networks. Service processing functions A, B and C locate in Ethernet and IP networks respectively. To build a service chain of SPF A, B and C, service chaining needs to support steering traffic across Ethernet and IP underlay networks. Liu, et al. Expires December 29, 2013 [Page 4] Internet-Draft Service Chaining Use Cases June 2013 3.3. Use case of service path forking To enable service or content awareness, operators need DPI functions to look into packets. When a DPI function is part of a service chain, packets processed by the DPI function may be directed to different paths according to result of DPI processing. That means a forking service path. +---------+ +----------+ +----------+ | | | | | | ---->| Firewall+------->+ DPI +------->+anti-virus|---> | | | | | | +---------+ +-----+----+ +----------+ | | V +-----+----+ | | | Parental | | control | +-----+----+ | | V Figure 3: a forking service path Figure 3 shows the use case of a forking service path. Traffic first goes through a firewall and then arrives at DPI function which discerns virus risk. If a certain preconfigured pattern is matched, the traffic is directed to an anti-virus function. Such DPI function may fork out more than one path. 3.4. Use case of multiple service paths share one network service function Some carrier grade hardware box or service processing functions runing on high performance servers can be shared to support multiple service chains. Following is an example. Liu, et al. Expires December 29, 2013 [Page 5] Internet-Draft Service Chaining Use Cases June 2013 SC1 +---------+ +--------+ ------->+---------+------->+--------+---> SC2 |Firewall | |Video | ------->+-->+ | |Optimise| +---|-----+ +--------+ | v +---+-----+ | | | |Parental | |Control | +---+-----+ | v Figure 4: two service chains share one service processing function In Figure 4, there are three service processing functions, firewall, VideoOpt and Parental Control, and two service chains SC1 and SC2. SC1 serves broadband user group1 which subscribes to secure web surfing and internet video optimization, while SC2 serves broadband user group2 which subscribes to secure web surfing with parental control. SFP Firewall is shared by both service chains. 4. Security Considerations N/A. 5. Acknowledgements N/A. 6. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. Authors' Addresses Will(Shucheng) Liu Huawei Technologies Bantian, Longgang District Shenzhen 518129 P.R. China Email: liushucheng@huawei.com Liu, et al. Expires December 29, 2013 [Page 6] Internet-Draft Service Chaining Use Cases June 2013 Hongyu Li Huawei Technologies Bantian, Longgang District Shenzhen 518129 P.R. China Email: hongyu.li@huawei.com Oliver Huang Huawei Technologies Bantian, Longgang District Shenzhen 518129 P.R. China Email: oliver.huang@huawei.com Liu, et al. Expires December 29, 2013 [Page 7]