Internet DRAFT - draft-nh-sr-hsfc-usecases-requirements

draft-nh-sr-hsfc-usecases-requirements







SPRING                                                        K. Ni, Ed.
Internet-Draft                                              China Mobile
Intended status: Standards Track                           H. Huang, Ed.
Expires: 3 September 2024                                         Huawei
                                                                Y. Zhang
                                                              J. Ye, Ed.
                                                            China Mobile
                                                            2 March 2024


Problem Statement, Use Cases, and Requirements of Hierarchical SFC with
                            Segment Routing
               draft-nh-sr-hsfc-usecases-requirements-01

Abstract

   Hierarchical Service Function Chaining (hSFC) is a network service
   chaining method that utilizes a hierarchical structure to efficiently
   organize and manage service function chains, enhancing network
   performance and scalability.  This document primarily describes the
   use case of hSFC, which is the security resource pool.  It outlines
   the associated problem statement and requirements for the security
   resource pool.  The document aims to assist in identifying candidate
   solution architectures and solutions.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 3 September 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.





Ni, et al.              Expires 3 September 2024                [Page 1]

Internet-Draft              SR hSFC Usecases                  March 2024


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
     1.2.  Requirements Language . . . . . . . . . . . . . . . . . .   4
   2.  Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . .   4
     2.1.  Problem Statement . . . . . . . . . . . . . . . . . . . .   5
       2.1.1.  Dispersion Of Service Resources . . . . . . . . . . .   5
       2.1.2.  Multi-tenant  . . . . . . . . . . . . . . . . . . . .   5
       2.1.3.  Multi-vendor  . . . . . . . . . . . . . . . . . . . .   6
       2.1.4.  Dynamic Orchestration . . . . . . . . . . . . . . . .   6
   3.  Requirements  . . . . . . . . . . . . . . . . . . . . . . . .   6
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     6.2.  Informative References  . . . . . . . . . . . . . . . . .   7
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .   8
   Contributors  . . . . . . . . . . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   Service Function Chaining (SFC) [RFC7665] is a network service
   delivery and traffic processing technique that allows for the
   definition and execution of specific service chain routing policies,
   ensuring that data flows through a sequence of service functions in a
   predetermined order as it traverses the network.  As network scales
   have grown, such as the decentralization of service resources and the
   diversification of tenants and vendors, it is difficult to
   administrate such a large network.  A new network architecture known
   as Hierarchical Service Function Chaining (hSFC) [RFC8459] has
   emerged. hSFC enables an organization to decompose large-scale
   networks into multiple administrative domains.  This means that it
   can provide better network design, simplified control, and support
   for different functional groups within the network, thereby enhancing
   overall efficiency and management.





Ni, et al.              Expires 3 September 2024                [Page 2]

Internet-Draft              SR hSFC Usecases                  March 2024


   To enhance network service security and offer a wide range of
   protective services to users, network operators have centrally
   constructed numerous security resource pools.  Within these pools,
   various security network devices, such as firewalls, Web Application
   Firewalls (WAFs), Intrusion Prevention Systems (IPS), and more, are
   deployed to deliver diverse value-added services (i.e Service
   Function).  According to tenants' business requirements or their
   geographical location the user traffic is steered into the
   corresponding security resource pool, after arriving which a series
   of services in a certain order are provided based on security
   protection needs, network topology, and resource usage.  The packets
   need to continue the remaining original forwardness when finishing
   the processes inside the resource pool.  As per [RFC8459], the
   original path information before entering security resource pool is
   expected to be stored somewhere, within the packets or in the gateway
   of resource pools, so that it can be restored later.  Therefore, it
   is suitable to orchestrate with hSFC architecture. hSFC introduces a
   solution based on NSH (Network Service Header).  This approach
   involves network configurations of each type of traffic and
   additional NSH header in packet headers, which is complicated and not
   conducive to expansive.  However, in cases where SR (Segment Routing)
   networks are deployed, it only needs to issue the SR policy to define
   transmission path and update a new one to alter the path when
   physical topology or business requirements change.  By contrast, the
   NSH solution may not be the preferred choice.

   This document describes a use case involving the deployment of
   multiple resource pools by network service provider.  Every resource
   pool is designed to offer tenants a wide range of security protection
   services.  The document also analyzes the challenges and issues
   associated with this use case, discussing the requirements, seeking
   an SR-based hSFC solution.

1.1.  Terminology

   hSFC: Hierarchical Service Function Chaining

   NSH: Network Service Header

   PBR: Policy Based Routing

   SR: Segment Routing

   SFC: Service Function Chaining







Ni, et al.              Expires 3 September 2024                [Page 3]

Internet-Draft              SR hSFC Usecases                  March 2024


1.2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Use Cases

   To defend against network attacks, ensure the security of enterprise
   tenants' business applications against viruses, malware, and other
   security threats, and meet their customized security protection
   needs, network operators have established security resource pools in
   multiple regions.  Typically, these security resource pools host
   various security network devices, including firewalls, Web
   Application Firewalls (WAF), Intrusion Prevention Systems (IPS), and
   more, to provide a variety of security-focused value-added services.
   In practical applications, the first step involves routing user
   traffic to the appropriate security resource pool based on user
   location, which typically utilizing SR in the existing Internet
   environment.  Then, customized security protection services are
   provided to customers according to their specific requirements.  For
   example, some tenants may require the use of a firewall followed by
   IPS services, while others may need to use IPS first and then utilize
   firewall services.  After traversing through all SFs in a SFC,
   packets are returned to the gateway (i.e., security resource pool)
   and continue to be forwarded to devices outside of IDC.  This
   necessitates hierarchical service chains to orchestrate SFs within
   security resource pool (lower-level sub-domain)and service nodes
   outside the IDC (upper-level domain) respectively and independently.

   SR is a novel network orchestration technology that guides packet
   paths by adding Segment Identifiers (Segment Routing) in the packet
   header.  Each Segment Identifier corresponds to a node or service
   function within the network, creating an ordered path from source to
   destination, defining the packet's transmission route.  SR service
   chain orchestration offers several advantages, including the
   flexibility to define and customize service chain paths based on
   specific application and business requirements, support for dynamic
   adjustment of service chain paths based on real-time application
   needs, and the ability to guide packets directly to the desired
   service functions, reducing unnecessary delays within the service
   chain.  Furthermore, SR enables network administrators to manage
   service chains without altering the underlying network topology,
   simplifying network configuration.





Ni, et al.              Expires 3 September 2024                [Page 4]

Internet-Draft              SR hSFC Usecases                  March 2024


   As a result, SR represents a user-friendly service chain
   orchestration method suitable for complex network environments that
   need to meet diverse application requirements.  Given the complexity
   of internet architecture, the widespread deployment of SR, and the
   dynamic updates of security devices within a security resource pool,
   it is recommended to use SR-based service chaining for traffic
   steering within the security resource pool.  This enables dynamic
   adjustment of service chains and reduces traffic bypass.

2.1.  Problem Statement

   Due to the growth of network scales and the constraints of the
   existing orchestration method, security resource pools is facing some
   challenges of delivering value-added security protection services for
   different users.  This section provides an overview of these
   challenges.

2.1.1.  Dispersion Of Service Resources

   Due to varying geographical locations of different tenants and for
   the purpose of minimizing latency, facilitating network management,
   and maintenance, the security resource pool is physically deployed in
   a distributed manner.

2.1.2.  Multi-tenant

   In the existing Internet environment, tenants' network service
   requirements have become diverse, with different tenants facing
   various threats and demands.  In the security resource pool, On one
   hand, some tenants may only require basic access control
   functionality, in which case, tenants would only need firewall
   services.  On the other hand, other tenants may necessitate more
   complex and comprehensive security services.  For instance, certain
   tenants may require initial use of Web Application Firewall services
   to isolate potential malicious websites and code, followed by
   additional security checks using firewall services.  Different
   tenants have different needs, and the security resource pool needs to
   provide tenant-level customized security protection capabilities.
   Additionally, the network security device needs to be differentiated
   between different tenants to provide them with distinct
   configuration.










Ni, et al.              Expires 3 September 2024                [Page 5]

Internet-Draft              SR hSFC Usecases                  March 2024


2.1.3.  Multi-vendor

   In a security resource pool, security network devices are usually
   provided by different vendors, they need to be orchestrated by
   unified external network communication.  For example, in the security
   resource pool, firewalls are provided by Vendor A, and WAF is
   provided by Vendor B.  If a customer subscribes to both firewall and
   WAF security value-added services, the traffic needs to pass through
   Vendor A's firewall first and then through Vendor B's WAF device.
   This implies that Vendor A's firewall needs to be aware of the next
   hop being Vendor B's WAF device, and there is an expectation for the
   traffic to flow directly from Vendor A's firewall device to Vendor
   B's WAF.

2.1.4.  Dynamic Orchestration

   In a security resource pool, security network devices may encounter
   dynamic adjustments.  For example, adding new security network
   devices to the pool may require existing service chains, such as NSH,
   to undergo state updates across multiple devices.  The main issue in
   this situation is the presence of state (SPI, SI index tables) within
   the network devices.  Therefore, when there are changes in business
   deployments, all network devices need to undergo state updates.  This
   is unfavorable for flexible and agile deployments.  In contrast, SR
   is friendly as it does not require the presence of specific states in
   the network.

3.  Requirements

   [REQ-1] Tenant-level Service Orchestration

   Different tenants have varying security protection needs.
   specifically, the types and order of security protection they require
   are differently.  Therefore, it is imperative to cater to multiple
   tenants and support tenant-level service chain orchestration.

   [REQ-2] Tenant Information Carriage

   As the security resource pool needs to meet service chaining at the
   tenant level, it is essential for the packets to support carrying
   tenant information.

   [REQ-3] Dynamic Allocation Of Service Resources (Scalability)








Ni, et al.              Expires 3 September 2024                [Page 6]

Internet-Draft              SR hSFC Usecases                  March 2024


   The security resource pool is in a constant state of dynamic
   adjustment, and with the evolution of business needs, there may be
   additions or removals of certain security network devices.  When
   there are updates to the security network devices within the resource
   pool, it is essential to support their dynamic orchestration into the
   service chain.

   [REQ-4] Independent Resource Pool Orchestration

   Service functions in different security resource pools support
   different protocols (i.e., some security network devices within
   certain resource pools do not support SR), and their suitable methods
   for service chaining may also vary.  Achieving unified orchestration
   is challenging.  Therefore, it is necessary for security resource
   pools to support independent orchestration, without interfering with
   each other.

   [REQ-5] Reliability Of Service Function

   During service chain orchestration, it is necessary to support the
   retrieval of device information, including device operational status,
   identification details, etc.  In the event of network equipment
   issues, bypassing the problematic equipment to avoid traffic
   disruption should be enabled.

4.  Security Considerations

   TBD.

5.  IANA Considerations

   This document has no IANA actions.

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

6.2.  Informative References




Ni, et al.              Expires 3 September 2024                [Page 7]

Internet-Draft              SR hSFC Usecases                  March 2024


   [RFC7665]  Halpern, J., Ed. and C. Pignataro, Ed., "Service Function
              Chaining (SFC) Architecture", RFC 7665,
              DOI 10.17487/RFC7665, October 2015,
              <https://www.rfc-editor.org/rfc/rfc7665>.

   [RFC8459]  Dolson, D., Homma, S., Lopez, D., and M. Boucadair,
              "Hierarchical Service Function Chaining (hSFC)", RFC 8459,
              DOI 10.17487/RFC8459, September 2018,
              <https://www.rfc-editor.org/rfc/rfc8459>.

Acknowledgments

Contributors

Authors' Addresses

   Kangkang Ni (editor)
   China Mobile
   Email: nikangkang@chinamobile.com


   Hongyi Huang (editor)
   Huawei
   Email: hongyi.huang@huawei.com


   Yige Zhang
   China Mobile
   Email: zhangyige@chinamobile.com


   Jiaming Ye (editor)
   China Mobile
   Email: yejiaming@chinamobile.com

















Ni, et al.              Expires 3 September 2024                [Page 8]