Internet DRAFT - draft-dolson-sfc-nfv-patterns
draft-dolson-sfc-nfv-patterns
Service Function Chaining D. Dolson
Internet-Draft M. Marchetti
Intended status: Informational K. Larose
Expires: September 22, 2016 Sandvine
March 21, 2016
Efficient Patterns for Service Function Chaining within Network Function
Virtualization Infrastructure
draft-dolson-sfc-nfv-patterns-00
Abstract
The document presents some considerations for efficiently deploying
Service Function Chaining (SFC) within a Network Function
Virtualization Infrastructure (NFVI).
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 22, 2016.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Dolson, et al. Expires September 22, 2016 [Page 1]
Internet-Draft Efficient Patterns for SFC within NFVI March 2016
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2
2. Objectives . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . 3
4.1. Use MAC-NSH to address functions . . . . . . . . . . . . 3
4.2. Locate SFF with the SF . . . . . . . . . . . . . . . . . 4
4.3. Prefer NSH MD Type 2 . . . . . . . . . . . . . . . . . . 6
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . 7
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
7.1. Normative References . . . . . . . . . . . . . . . . . . 7
7.2. Informative References . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
Service Function Chaining (SFC) is a technique for prescribing
differentiated traffic forwarding policies. SFC is described in
detail in the SFC architecture document [RFC7665], and is not
repeated here.
Network Function Virtualization (NFV) is technology for deploying
network forwarding software functions on an infrastructure providing
generic compute and network resources. Such an infrastructure is
termed NFVI [ETSI_NFV].
This document presents some efficient patterns for deploying SFC
within an NFVI, in the hope of sharing good practices.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. Objectives
The patterns described in this document are designed to satisfy:
o Minimize latency by minimizing both the number of physical hops
and number of queues each packet traversing a service chain must
undergo.
o Minimize CPU processing by avoiding unnecessary software
switching.
Dolson, et al. Expires September 22, 2016 [Page 2]
Internet-Draft Efficient Patterns for SFC within NFVI March 2016
These objectives serve both to increase network performance that
would be measured by end users and increase efficiency of NFVI by
minimizing switching and CPU resources required to implement each
chain.
3. Assumptions
We wish to discuss solutions that are available with current
technology. In particular:
o the NFVI is to be built using only currently available commercial
off-the-shelf (COTS) hardware;
o the infrastructure is to be built using currently available NFVI
technology and hosting, in particular the ability of the NFV
infrastructure to provide virtual compute resources with
interfaces to virtual Ethernet LAN segments.
4. Patterns
The following sections describe design patterns for using SFC that we
consider to be appropriate under the above NFV assumptions.
4.1. Use MAC-NSH to address functions
A common infrastructure model (e.g., OpenStack/Neutron) allows
provisioning of virtual machines with interfaces on specified
Ethernet segments. Although the physical implementation of an
Ethernet segment is opaque to the tenants, all machines on a segment
can send packets to one another by addressing the destination MAC
address.
Single-Root I/O Virtualization (SR-IOV) is a technology that allows a
single physical interface on a compute host to be split into multiple
virtual interfaces such that each guest has a hardware interface to
the network. When so configured, the physical interface hardware
sorts incoming packets into queues for the distinct emulated
interfaces according to destination MAC addresses. This technology
removes any need for a software module to sort packets received from
the physical interfaces into virtual interfaces of the guests. Thus,
an extra queuing stage is avoided and no CPU switching resources are
required.
The NVFI operator may choose to deploy simple switching, with
hardware backplane and top-of-rack Ethernet/VLAN switches providing
minimum latency. The operator may also deploy Ethernet-over-IP
(e.g., VXLAN) when functions are remote. In any case, the virtual
host is agnostic to the implementation.
Dolson, et al. Expires September 22, 2016 [Page 3]
Internet-Draft Efficient Patterns for SFC within NFVI March 2016
Thus, by using SR-IOV and efficient zero-copy drivers, functions
naturally address one another by MAC address on the layer-2 segment.
In the optimal NFV scenario, software in one function queues packets
to an outbound SR-IOV queue, hardware sends the packet on the
physical interface, backplane or top-of-rack switches deliver the
packet to the physical destination and SR-IOV destination queue.
There need not be any software between functions, only Ethernet
switches.
Note that to capture the benefit of using SR-IOV to avoid software
switching, any L2-over-L3 (e.g., VXLAN) should be arranged for in
hardware. The functions themselves can then behave the same whether
virtual or physical network segments are used.
We conclude that carrying NSH packets directly within Ethernet frames
is an efficient and natural way to implement Service Function
Chaining. The Ethernet encapsulation of NSH is documented in
[I-D.ietf-sfc-nsh].
4.2. Locate SFF with the SF
Service function chains are often drawn like this two-SF example in
which a packet goes from ingress to Classifier, to SFF1, to SF1, back
to SFF1, to SFF2, to SF2, back to SF2 and finally to egress:
ingress --> Classifier --> SFF1 --> SFF2 --> Egress
^ ^
| |
| |
V V
SF1 SF2
Figure 1: A conceptual service function chain
But in NFV infrastructure, if SFFs are considered distinct processing
elements, the common reality is that each of the components are
separated by Ethernet switching:
Dolson, et al. Expires September 22, 2016 [Page 4]
Internet-Draft Efficient Patterns for SFC within NFVI March 2016
ingress-->Classifier-->switch-->SFF1-->switch-->SFF2-->switch-->Egress
^ ^
| |
| |
V V
switch switch
^ ^
| |
| |
V V
SF1 SF2
Figure 2: A service function chain showing switches
In an NFV environment, the "switch" blocks in Figure 2 can be
implemented by Ethernet backplane, top-of-rack switching or (for
remotely separated virtual machines) VXLAN virtual layer-2 network.
There is an optimization that can be made when all of the "switch"
modules are the same Ethernet switching domain. In other words, when
this is the logical topology of Figure 3:
SFF1 SFF2
| |
| |
ingress ---Classifier----- switch ---------- egress
| |
| |
SF1 SF2
Figure 3: Service chain components attached to a layer-2 network
Notice that to implement the path of Figure 1 and Figure 2, a packet
must pass through the switch seven times. It must also pass through
each SFF twice, limiting the capacity of an SFF.
We can reduce the number of transits through the switch by placing
SFF forwarding tables in the SF software module itself, like this:
ingress ---Classifier----- switch ---------- egress
| |
| |
SFF1 SFF2
SF1 SF2
Figure 4: SFFs embedded in SF machines
Dolson, et al. Expires September 22, 2016 [Page 5]
Internet-Draft Efficient Patterns for SFC within NFVI March 2016
In this case, a packet taking the path of Figure 1 only transits the
switch three times. For minimal latency, an implementation can avoid
queuing between the SF and attached SFF.
Although keeping the SFFs distinct from the SFs has an architectural
purity, the purity has a big cost in switching throughput and
corresponding cost in money and latency. Since each packet enters
and exits each SFF twice, there could also be contention on the SFF
interfaces.
There is additional control-plane burden to achieve this data-plane
efficiency gain:
o SF software must implement SFF lookup functions. We feel this
computation of next-hop and packet formatting can be done
efficienty in software, but it does require support of the SFF
feature in the software.
o There will be as many SFFs as SFs, each of which much have correct
forwarding entries populated by the control plane during the
orchestration of bringing an SF on line.
There are many ways to physically realize the logical switch entities
in Figure 3 and Figure 4. The best case is a hardware Ethernet
switch; considerations about how to optimally deploy functions are
discussed elsewhere, e.g., in Network Function Virtualization
Research Group (NFVRG). In any of these cases, reducing the number
of passages though the switch will reduce latency and reduce
operational cost.
4.3. Prefer NSH MD Type 2
The NSH draft [I-D.ietf-sfc-nsh] defines two options for metadata,
types 1 and 2. Type 2 is more efficient when there is no metadata,
and is the only choice supporting more than 128 bits of metadata.
Using the approaches described in Section 4.1 and Section 4.2, NSH
packets are transported from one MAC endpoint to another via standard
Ethernet switches, so there are no requirements on the NFV
Infrastructure to support NSH.
Given that parsing the variable-length header poses no concerns for
software, we feel these considerations make MD Type 2 the preferred
choice for service chaining with NFV.
Dolson, et al. Expires September 22, 2016 [Page 6]
Internet-Draft Efficient Patterns for SFC within NFVI March 2016
5. IANA Considerations
This memo includes no request to IANA.
6. Security Considerations
We are not aware of any additional security concerns raised by
employing the methods discussed in this memo.
The MAC-NSH approach assumes security of (virtual) LAN segments.
Employing SFF functionality within Service Function software puts
trust in that software, but SF functions must in any case be trusted
to return packets to the correct path.
7. References
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
7.2. Informative References
[ETSI_NFV]
ETSI, "Network Functions Virtualization (NFV);
Architectural Framework", October 2013,
<http://www.etsi.org/deliver/etsi_gs/
NFV/001_099/002/01.01.01_60/gs_NFV002v010101p.pdf>.
[I-D.ietf-sfc-nsh]
Quinn, P. and U. Elzur, "Network Service Header", draft-
ietf-sfc-nsh-02 (work in progress), January 2016.
[RFC7665] Halpern, J., Ed. and C. Pignataro, Ed., "Service Function
Chaining (SFC) Architecture", RFC 7665,
DOI 10.17487/RFC7665, October 2015,
<http://www.rfc-editor.org/info/rfc7665>.
Authors' Addresses
Dolson, et al. Expires September 22, 2016 [Page 7]
Internet-Draft Efficient Patterns for SFC within NFVI March 2016
David Dolson
Sandvine
408 Albert Street
Waterloo, ON N2L 3V3
Canada
Phone: +1 519 880 2400
Email: ddolson@sandvine.com
Michael Marchetti
Sandvine
408 Albert Street
Waterloo, ON N2L 3V3
Canada
Phone: +1 519 880 2400
Email: mmarchetti@sandvine.com
Kyle Larose
Sandvine
408 Albert Street
Waterloo, ON N2L 3V3
Canada
Phone: +1 519 880 2400
Email: klarose@sandvine.com
Dolson, et al. Expires September 22, 2016 [Page 8]