Internet DRAFT - draft-lee-sfc-verification
draft-lee-sfc-verification
Network Working Group S. Lee
Internet-Draft M. Shin
Intended status: Informational ETRI
Expires: August 18, 2014 February 14, 2014
Service Function Chaining Verification
draft-lee-sfc-verification-00
Abstract
This document addresses the possible conflicts among different
service function chains. These conflicts may occur when 1) a traffic
flow satisfies two or more classification rules of different service
function chains; and 2) a service function cannot provide enough
resource for a service function chain due to load of other service
function chains. These conflicts need to be detected and resolved at
deploying a new service chain.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 18, 2014.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Lee & Shin Expires August 18, 2014 [Page 1]
Internet-Draft SFC Verification February 2014
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Problem Areas . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Verification of Service Function Chains . . . . . . . . . . . 3
4. Security Considerations . . . . . . . . . . . . . . . . . . . 4
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
6.1. Normative References . . . . . . . . . . . . . . . . . . 4
6.2. Informative References . . . . . . . . . . . . . . . . . 4
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 4
1. Introduction
The current service delivery model is bound to static topologies and
manually configured resources. This has motivated a more flexible
deployment model which orchestrates the service delivery separated
from the network. Service Function Chaining (SFC)
[I-D.ietf-sfc-problem-statement] provides a new service deployment
model that delivers the traffic along the predefined logical paths of
service functions (i.e., service overlays or service chains). The
service overlay provides a specific order of network services with no
regard of network topologies. The traffic is classified with a set
of rules in different granularity to select a target service overlay.
The service overlays are configured to be isolated from each other
with virtualization of the network resources and different traffic
classification rules. However, the service overlays can share the
physical network resources (such as network links, service nodes, and
service functions); and the traffic classification rules can overlap
each other. This may cause unexpected QoS degradation in a composite
network service due to network service overload; and service failure
due to loops or interventions of the service overlays. It is
required to detect and resolve these conflicts when deploying a new
service function chain.
This document formulates these problems as two conflicts at deploying
service function chains: rule conflict and resource conflict.
2. Problem Areas
The problem areas of the conflicts can be specified as follows:
1. Rule conflict:
Lee & Shin Expires August 18, 2014 [Page 2]
Internet-Draft SFC Verification February 2014
An incoming traffic flow (i.e., a series of packets) is
classified according to a classification rules to determine which
service function chain will handle it. The classification is
based on the contents of one or more packet header fields so that
the classification rule may vary in different granularity. This
may bring a problematic case that an incoming packet matches two
or more classification rules of different service function
chains, which can result in a service chain loop or intervention.
For example, let's assume that there are two service function
chains: SFC_A which handles the video traffics; and SFC_B which
handles the packets sent by host H. Video traffic from host H
satisfies both of SFC_A and SFC_B and this brings a rule conflict
at service classification.
2. Resource conflict:
A service function chain constitutes a service-specific overlay
that utilizes network resources such as service nodes, network
links between service functions, and service function instances.
These network resources may be shared by different service
function chains. This brings an uncertainty in QoS of service
function chains if there is no coordination for the use of
network resources. For example, let's assume that a service
function instance F is shared by the service function paths of
SFC_A and SFC_B. If the service function instance F is fully
loaded by the traffic over SFC_A, SFC_B cannot provide an
expected service quality due to resource shortage.
3. Verification of Service Function Chains
The aforementioned problems arise from the conflicts between two or
more service function chains. Thus, it is required to have a
verification function to detect and avoid those conflicts.
The rule conflict can be detected by examining if there is any
overlapping in a new classification rule with the existing
classification rules when deploying a new service function chain. A
bitwise comparison of target packet headers can be used for the
examination. However, if the rules classify the packets with the
header filed values in different layers (e.g., IP address and TCP
port), then inclusive relationship between different classification
rules should be also considered.
When a new classification rule is detected to have a conflict with
the existing ones, then the new service function chain should be
rejected to remove an uncertainty. While different priorities of the
classification rules in a conflict can be used instead, it may bring
higher complexity in rule matching and priority decisions.
Lee & Shin Expires August 18, 2014 [Page 3]
Internet-Draft SFC Verification February 2014
The resource conflict can be detected by checking if the resource of
the network and service functions is available enough for the new
service function chain. An explicit request for the resources can be
made beforehand by the service function chain or the resource usage
can be dynamically determined by classified traffic over the service
function path. When the resource is not available enough for a
request, the new service function chain can be rejected to be
deployed. An alternative service function path can be dynamically
initiated instead to utilize different network resources or service
function instances for the chain.
4. Security Considerations
TBD.
5. IANA Considerations
TBD.
6. References
6.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
6.2. Informative References
[I-D.ietf-sfc-problem-statement]
Quinn, P. and T. Nadeau, "Service Function Chaining
Problem Statement", draft-ietf-sfc-problem-statement-00,
January 2014.
Authors' Addresses
Seung-Ik Lee
ETRI
218 Gajeong-ro Yuseung-Gu
Daejeon 305-700
Korea
Phone: +82 42 860 1483
Email: seungiklee@etri.re.kr
Lee & Shin Expires August 18, 2014 [Page 4]
Internet-Draft SFC Verification February 2014
Myung-Ki Shin
ETRI
218 Gajeong-ro Yuseung-Gu
Daejeon 305-700
Korea
Phone: +82 42 860 4847
Email: mkshin@etri.re.kr
Lee & Shin Expires August 18, 2014 [Page 5]