Network Working Group W. Liu Internet-Draft H. Li Intended status: Informational O. Huang Expires: January 16, 2014 Huawei Technologies N. Leymann Deutsche Telekom AG Z. Cao China Mobile July 15, 2013 Service Chaining Use Cases draft-liu-service-chaining-use-cases-01 Abstract For some network services, traffic is forwarded through a sequence of network functions, which usually have dedicated capabilities other than forwarding, e.g. firewall. Forwarding of traffic along a sequence of service processing functions is usually based on service characteristics, but not destination addresses. We call such way of forwarding as service chaining. This memo describes use cases of service chaining. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 16, 2014. Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents Liu, et al. Expires January 16, 2014 [Page 1] Internet-Draft Service Chaining Use Cases July 2013 (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Use Cases of Service Chaining . . . . . . . . . . . . . . . . 3 3.1. General use case for service chain . . . . . . . . . . . 3 3.2. Use case for service chain with NAT function . . . . . . 4 3.3. Use case for multiple underlay networks . . . . . . . . . 5 3.4. Use case of service path forking . . . . . . . . . . . . 5 3.5. Use case of multiple service paths share one network service function . . . . . . . . . . . . . . . . . . . . 6 3.6. Use case for distributed service chain . . . . . . . . . 7 3.7. Use case of service layer traffic optimization . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 6. Normative References . . . . . . . . . . . . . . . . . . . . 7 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 1. Introduction Service flow traffic is forwarded through some network middle boxes for specific purposes, for example: a) Direct some kinds of traffic to a domain border gateway for monitoring and charging. b) Before sending traffic to DC servers, steer the traffic to go through a load balancer to distribute performance pressure. c) Mobile network operators split mobile broadband traffic and steer them along an offloading path. d) Use firewall for filtering traffic for IDS(Intrusion Detection System)/IPS(Intrusion Protection System). e) Use security gateway to encrypt/decrypt traffic. f) When traffic has to traverse different network technology segments, for example IPv4/IPv6, direct the traffic to CGNAT. Liu, et al. Expires January 16, 2014 [Page 2] Internet-Draft Service Chaining Use Cases July 2013 Cloud computing technology has been more mature in recent years and triggers an idea that moves above service processing functions from purpose-designed hardware box into general computing servers. This idea can greatly save operators' cost for buying/maintaining the network middle boxes and give a big chance to operators on value added services. We call the mechanism of steering traffic to service processing functions/service nodes before the traffic arrive their destination as Service chaining. This document describes some use cases of service chaining. 2. Terminology The following terms are used in this document: Service Classifier: functionality inside the network which identifies and classifies traffic into different service flows based on their service characteristics or some policies, in order to send it through the corresponding service chain. Service Processing Function: a logical entity which can provide one or more service processing functions for packets/frames such as firewall, DPI (Deep Packet Inspection), LI (Lawful Intercept) and etc. Usually these processing functions are computation intensive. Service Chain: one or more service processing functions in a specific order which are chained to provide a composite service, and packets/ frames from one or more service flow should follow. Service Path: a path that traffic flows are forwarded through in a service chain. There might be multiple paths in a service chain. Service Flow: packets/frames with specific service characteristics (e.g., packets matching a specific tuple of fields in Ethernet, IP, TCP, HTTP headers and etc.) or determined by some service policies (such as access port and etc.) 3. Use Cases of Service Chaining 3.1. General use case for service chain Traffic in a network is usually forwarded based on destination IP or MAC addresses. In an operator's network, some service processing functions or middle boxes are implemented, where traffic is steered through these service processing functions in a certain sequence according to service characters of traffic. Liu, et al. Expires January 16, 2014 [Page 3] Internet-Draft Service Chaining Use Cases July 2013 +-------------------------+ |Service Chain A | ------------>| | | +-------------------------+ +------------+ | |Service | | ------->|Classifier |--->| +------------+ | | +-------------------------+ | |Service Chain B | ------------>| | +-------------------------+ General Service Chain Traffic comes to a service classifier, which identifies traffic and classifies it into service flows. Service flows are forwarded to service chains respectively per service chain forwarding rules. 3.2. Use case for service chain with NAT function Due to IPv4 address exhaustion, more and more operators have deployed or are about to deploy IPv6 transition technologies such as NAT. The traffic traversing a NAT function may go through different types of IP address domain. One key feature of this scenario is that characteristics of packets before and after processed by the service processing function are different, e.g., from IPv4 to IPv6. The unpredictability of processed packets, due to the algorithm in the service processing function, brings difficulties in steering the traffic. +---------+ +----------+ +----------+ | | | | | | ---->+ SPF C +------->+ SPF NAT +------->+ SPF E +--> | | | | | | +---------+ +----------+ +----------+ Figure 1: service chain with NAT function Figure 1 shows a specific example of service chain with NAT function. Service flow1 is processed by service processing function C, (NAT) and E sequentially. In this example, the service processing function(NAT) performs a NAT46 operation onto the flow. As a result, packets after processing by the service processing function(NAT) are in IPv6, which is a different version of IP header from the packets before processing. Service chaining in this scenario should be able to identify the flow even if it is changed after processed by service processing functions. Liu, et al. Expires January 16, 2014 [Page 4] Internet-Draft Service Chaining Use Cases July 2013 3.3. Use case for multiple underlay networks Operators may need to deploy their networks with various types of underlay technologies. Therefore, service chaining needs to support different types of underlay networks. +---------+ +----------+ +----------+ | | | | | | -->+ SPF A | | SPF B | | SPF C +--> | | | | | | +----+----+ +---+-+----+ +-----+----+ | ^ | ^ | ------ | | ------ | | // \\ | | // \\ | | | Ethernet | | v | | | +->+ network +->+ +->+ IP network +->+ | | | | \\ // \\ // ------ ------ Figure 2: multiple underlay networks: Ethernet and IP Figure 2 illustrates an example of Ethernet and IP network, very common and easy for deployment based on existing network status, as underlay networks. Service processing functions A, B and C locate in Ethernet and IP networks respectively. To build a service chain of SPF A, B and C, service chaining needs to support steering traffic across Ethernet and IP underlay networks. 3.4. Use case of service path forking To enable service or content awareness, operators need DPI functions to look into packets. When a DPI function is part of a service chain, packets processed by the DPI function may be directed to different paths according to result of DPI processing. That means a forking service path. +---------+ +----------+ +----------+ | | | | | | ---->| Firewall+------->+ DPI +------->+anti-virus|---> | | | | | | +---------+ +-----+----+ +----------+ | | V +-----+----+ | | | Parental | Liu, et al. Expires January 16, 2014 [Page 5] Internet-Draft Service Chaining Use Cases July 2013 | control | +-----+----+ | | V Figure 3: a forking service path Figure 3 shows the use case of a forking service path. Traffic first goes through a firewall and then arrives at DPI function which discerns virus risk. If a certain preconfigured pattern is matched, the traffic is directed to an anti-virus function. Such DPI function may fork out more than one path. 3.5. Use case of multiple service paths share one network service function Some carrier grade hardware box or service processing functions running on high performance servers can be shared to support multiple service chains. Following is an example. SC1 +---------+ +--------+ ------->+---------+------->+--------+---> SC2 |Firewall | |Video | ------->+-->+ | |Optimise| +---|-----+ +--------+ | v +---+-----+ | | | |Parental | |Control | +---+-----+ | v Figure 4: Two service chains share one service processing function In Figure 4, there are three service processing functions, firewall, VideoOpt and Parental Control, and two service chains SC1 and SC2. SC1 serves broadband user group1 which subscribes to secure web surfing and Internet video optimization, while SC2 serves broadband user group2 which subscribes to secure web surfing with parental control. SPF Firewall is shared by both service chains. Liu, et al. Expires January 16, 2014 [Page 6] Internet-Draft Service Chaining Use Cases July 2013 3.6. Use case for distributed service chain A service chain is not necessarily implemented in a single location (e.g. data center) but can also be distributed crossing several data centers or even a using a service processing functions which is located at an network element close to the customer (e.g. certain security functions). 3.7. Use case of service layer traffic optimization +----------+ | | +-----+ SPF_A1 +---------+ / | | \ +-------+ / +----------+ \ | SPF0 |____/ \______ | | \ / +-------+ \ +----------+ / \ | | / +-----+ SPF_A2 +---------+ | | +----------+ service layer traffic optimization In Figure.5, one SPF has two instances SPF_A1 and SPF_A2 on different networking paths. When data traffic hits the first SPF_0, it will be forwarded to SPF_A1 or SPF_A2 depending on the traffic load on different paths. Such service layer traffic optimization is the essential requirement for many computing-intensive service process functions. 4. Security Considerations N/A. 5. Acknowledgements N/A. 6. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. Authors' Addresses Liu, et al. Expires January 16, 2014 [Page 7] Internet-Draft Service Chaining Use Cases July 2013 Will(Shucheng) Liu Huawei Technologies Bantian, Longgang District Shenzhen 518129 P.R. China Email: liushucheng@huawei.com Hongyu Li Huawei Technologies Bantian, Longgang District Shenzhen 518129 P.R. China Email: hongyu.li@huawei.com Oliver Huang Huawei Technologies Bantian, Longgang District Shenzhen 518129 P.R. China Email: oliver.huang@huawei.com Nicolai Leymann, Deutsche Telekom AG Email: n.leymann@telekom.de Zhen Cao China Mobile Email: caozhen@chinamobile.com Liu, et al. Expires January 16, 2014 [Page 8]