idnits 2.17.1 draft-ietf-sfc-nsh-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([SFC-arch]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 3 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. == There are 15 instances of lines with private range IPv4 addresses in the document. If these are generic example addresses, they should be changed to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x, 198.51.100.x or 203.0.113.x. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 19, 2016) is 3013 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC3022' is mentioned on line 172, but not defined == Missing Reference: 'RFC6146' is mentioned on line 172, but not defined == Missing Reference: 'RFC6296' is mentioned on line 172, but not defined == Unused Reference: 'RFC0791' is defined on line 1349, but no explicit reference was found in the text == Unused Reference: 'RFC2784' is defined on line 1360, but no explicit reference was found in the text == Unused Reference: 'VXLAN-gpe' is defined on line 1385, but no explicit reference was found in the text -- Obsolete informational reference (is this intentional?): RFC 5226 (Obsoleted by RFC 8126) Summary: 1 error (**), 0 flaws (~~), 9 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Quinn, Ed. 3 Internet-Draft Cisco Systems, Inc. 4 Intended status: Standards Track U. Elzur, Ed. 5 Expires: July 22, 2016 Intel 6 January 19, 2016 8 Network Service Header 9 draft-ietf-sfc-nsh-02.txt 11 Abstract 13 This draft describes a Network Service Header (NSH) inserted onto 14 encapsulated packets or frames to realize service function paths. 15 NSH also provides a mechanism for metadata exchange along the 16 instantiated service path. NSH is the SFC encapsulation as per SFC 17 Architecture [SFC-arch] 19 1. Requirements Language 21 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 22 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 23 document are to be interpreted as described in RFC 2119 [RFC2119]. 25 Status of this Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on July 22, 2016. 42 Copyright Notice 44 Copyright (c) 2016 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Requirements Language . . . . . . . . . . . . . . . . . . . . 2 60 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 61 2.1. Definition of Terms . . . . . . . . . . . . . . . . . . . 4 62 2.2. Problem Space . . . . . . . . . . . . . . . . . . . . . . 7 63 2.3. NSH-based Service Chaining . . . . . . . . . . . . . . . . 8 64 3. Network Service Header . . . . . . . . . . . . . . . . . . . . 10 65 3.1. Network Service Header Format . . . . . . . . . . . . . . 10 66 3.2. NSH Base Header . . . . . . . . . . . . . . . . . . . . . 10 67 3.3. Service Path Header . . . . . . . . . . . . . . . . . . . 12 68 3.4. NSH MD-type 1 . . . . . . . . . . . . . . . . . . . . . . 13 69 3.5. NSH MD-type 2 . . . . . . . . . . . . . . . . . . . . . . 13 70 3.5.1. Optional Variable Length Metadata . . . . . . . . . . 14 71 4. NSH Actions . . . . . . . . . . . . . . . . . . . . . . . . . 16 72 5. NSH Encapsulation . . . . . . . . . . . . . . . . . . . . . . 18 73 6. Fragmentation Considerations . . . . . . . . . . . . . . . . . 19 74 7. Service Path Forwarding with NSH . . . . . . . . . . . . . . . 20 75 7.1. SFFs and Overlay Selection . . . . . . . . . . . . . . . . 20 76 7.2. Mapping NSH to Network Overlay . . . . . . . . . . . . . . 22 77 7.3. Service Plane Visibility . . . . . . . . . . . . . . . . . 23 78 7.4. Service Graphs . . . . . . . . . . . . . . . . . . . . . . 23 79 8. Policy Enforcement with NSH . . . . . . . . . . . . . . . . . 26 80 8.1. NSH Metadata and Policy Enforcement . . . . . . . . . . . 26 81 8.2. Updating/Augmenting Metadata . . . . . . . . . . . . . . . 27 82 8.3. Service Path ID and Metadata . . . . . . . . . . . . . . . 29 83 9. NSH Encapsulation Examples . . . . . . . . . . . . . . . . . . 31 84 9.1. GRE + NSH . . . . . . . . . . . . . . . . . . . . . . . . 31 85 9.2. VXLAN-gpe + NSH . . . . . . . . . . . . . . . . . . . . . 31 86 9.3. Ethernet + NSH . . . . . . . . . . . . . . . . . . . . . . 32 87 10. Security Considerations . . . . . . . . . . . . . . . . . . . 33 88 11. Open Items for WG Discussion . . . . . . . . . . . . . . . . . 34 89 12. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 35 90 13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 38 91 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39 92 14.1. NSH EtherType . . . . . . . . . . . . . . . . . . . . . . 39 93 14.2. Network Service Header (NSH) Parameters . . . . . . . . . 39 94 14.2.1. NSH Base Header Reserved Bits . . . . . . . . . . . . 39 95 14.2.2. MD Type Registry . . . . . . . . . . . . . . . . . . . 39 96 14.2.3. TLV Class Registry . . . . . . . . . . . . . . . . . . 40 97 14.2.4. NSH Base Header Next Protocol . . . . . . . . . . . . 40 98 15. References . . . . . . . . . . . . . . . . . . . . . . . . . . 41 99 15.1. Normative References . . . . . . . . . . . . . . . . . . . 41 100 15.2. Informative References . . . . . . . . . . . . . . . . . . 41 101 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 43 103 2. Introduction 105 Service functions are widely deployed and essential in many networks. 106 These service functions provide a range of features such as security, 107 WAN acceleration, and server load balancing. Service functions may 108 be instantiated at different points in the network infrastructure 109 such as the wide area network, data center, campus, and so forth. 111 The current service function deployment models are relatively static, 112 and bound to topology for insertion and policy selection. 113 Furthermore, they do not adapt well to elastic service environments 114 enabled by virtualization. 116 New data center network and cloud architectures require more flexible 117 service function deployment models. Additionally, the transition to 118 virtual platforms requires an agile service insertion model that 119 supports dynamic and elastic service delivery; the movement of 120 service functions and application workloads in the network and the 121 ability to easily bind service policy to granular information such as 122 per-subscriber state and steer traffic to the requisite service 123 function(s) are necessary. 125 NSH defines a new dataplane protocol specifically for the creation of 126 dynamic service chains and is composed of the following elements: 128 1. Service Function Path identification 130 2. Transport independent service function chain 132 3. Per-packet network and service metadata or optional variable TLV 133 metadata. 135 NSH is designed to be easy to implement across a range of devices, 136 both physical and virtual, including hardware platforms. 138 An NSH aware control plane is outside the scope of this document. 140 The SFC Architecture document [SFC-arch] provides an overview of a 141 service chaining architecture that clearly defines the roles of the 142 various elements and the scope of a service function chaining 143 encapsulation. NSH is the SFC encapsulation defined in that draft. 145 2.1. Definition of Terms 146 Classification: Locally instantiated matching of traffic flows 147 against policy for subsequent application of the required set of 148 network service functions. The policy may be customer/network/ 149 service specific. 151 Service Function Forwarder (SFF): A service function forwarder is 152 responsible for forwarding traffic to one or more connected 153 service functions according to information carried in the NSH, as 154 well as handling traffic coming back from the SF. Additionally, a 155 service function forwarder is responsible for transporting traffic 156 to another SFF (in the same or different type of overlay), and 157 terminating the SFP. 159 Service Function (SF): A function that is responsible for specific 160 treatment of received packets. A Service Function can act at 161 various layers of a protocol stack (e.g., at the network layer or 162 other OSI layers). As a logical component, a Service Function can 163 be realized as a virtual element or be embedded in a physical 164 network element. One or more Service Functions can be embedded in 165 the same network element. Multiple occurrences of the Service 166 Function can exist in the same administrative domain. 168 One or more Service Functions can be involved in the delivery of 169 added-value services. A non-exhaustive list of abstract Service 170 Functions includes: firewalls, WAN and application acceleration, 171 Deep Packet Inspection (DPI), LI (Lawful Intercept), server load 172 balancing, NAT44 [RFC3022], NAT64 [RFC6146], NPTv6 [RFC6296], 173 HOST_ID injection, HTTP Header Enrichment functions, TCP 174 optimizer. 176 An SF may be NSH-aware, that is it receives and acts on 177 information in the NSH. The SF may also be NSH-unaware in which 178 case data forwarded to the SF does not contain NSH. 180 Service Function Chain (SFC): A service function chain defines an 181 ordered set of abstract service functions (SFs) and ordering 182 constraints that must be applied to packets and/or frames and/or 183 flows selected as a result of classification. An example of an 184 abstract service function is "a firewall". The implied order may 185 not be a linear progression as the architecture allows for SFCs 186 that copy to more than one branch, and also allows for cases where 187 there is flexibility in the order in which service functions need 188 to be applied. The term service chain is often used as shorthand 189 for service function chain. 191 Service Function Path (SFP): The Service Function Path is a 192 constrained specification of where packets assigned to a certain 193 service function path must go. While it may be so constrained as 194 to identify the exact locations, it can also be less specific. 195 The SFP provides a level of indirection between the fully abstract 196 notion of service chain as a sequence of abstract service 197 functions to be delivered, and the fully specified notion of 198 exactly which SFF/SFs the packet will visit when it actually 199 traverses the network. By allowing the control components to 200 specify this level of indirection, the operator may control the 201 degree of SFF/SF selection authority that is delegated to the 202 network. 204 Network Node/Element: Device that forwards packets or frames based 205 on outer header information. 207 Network Overlay: Logical network built on top of existing network 208 (the underlay). Packets are encapsulated or tunneled to create 209 the overlay network topology. 211 Network Service Header: provides SFP identification, and is used by 212 the NSH-aware functions, such as the Classifier, SFF and NSH-aware 213 SFs. In addition to SFP identification, the NSH may carry data 214 plane metadata. 216 Service Classifier: Logical entity providing classification 217 function. Since they are logical, classifiers may be co-resident 218 with SFC elements such as SFs or SFFs. Service classifiers 219 perform classification and impose NSH. The initial classifier 220 imposes the initial NSH and sends the NSH packet to the first SFF 221 in the path. Non-initial (i.e. subsequent) classification can 222 occur as needed and can alter, or create a new service path. 224 Network Locator: dataplane address, typically IPv4 or IPv6, used to 225 send and receive network traffic. 227 NSH Proxy: Removes and inserts NSH on behalf of an NSH-unaware 228 service function. The proxy node removes the NSH header and 229 delivers the original packet/frame via a local attachment circuit 230 to the service function. Examples of a local attachment circuit 231 include, but are not limited to: VLANs, IP in IP, GRE, VXLAN. 232 When complete, the Service Function returns the packet to the NSH 233 proxy via the same or different attachment circuit. The NSH 234 Proxy, in turn, re-imposes NSH on the returned packets. Often, an 235 SFF will act as an NSH-proxy when required. 237 2.2. Problem Space 239 Network Service Header (NSH) addresses several limitations associated 240 with service function deployments today (i.e. prior to use of NSH). 241 A short reference is included below, RFC 7498 [RFC7498], provides a 242 more comprehensive review of the SFC Problem Statement. 244 1. Topological Dependencies: Network service deployments are often 245 coupled to network topology. Such a dependency imposes 246 constraints on the service delivery, potentially inhibiting the 247 network operator from optimally utilizing service resources, and 248 reduces the flexibility. This limits scale, capacity, and 249 redundancy across network resources. 251 2. Service Chain Construction: Service function chains today are 252 most typically built through manual configuration processes. 253 These are slow and error prone. With the advent of newer dynamic 254 service deployment models, the control/management planes provide 255 not only connectivity state, but will also be increasingly 256 utilized for the creation of network services. Such a control/ 257 management planes could be centralized, or be distributed. 259 3. Application of Service Policy: Service functions rely on topology 260 information such as VLANs or packet (re) classification to 261 determine service policy selection, i.e. the service function 262 specific action taken. Topology information is increasingly less 263 viable due to scaling, tenancy and complexity reasons. The 264 topological information is often stale, providing the operator 265 with inaccurate service Function (SF) placement that can result 266 in suboptimal resource utilization. Furthermore topology-centric 267 information often does not convey adequate information to the 268 service functions, forcing functions to individually perform more 269 granular classification. 271 4. Per-Service (re)Classification: Classification occurs at each 272 service function independent from previously applied service 273 functions. More importantly, the classification functionality 274 often differs per service function and service functions may not 275 leverage the results from other service functions. 277 5. Common Header Format: Various proprietary methods are used to 278 share metadata and create service paths. A standardized protocol 279 provides a common format for all network and service devices. 281 6. Limited End-to-End Service Visibility: Troubleshooting service 282 related issues is a complex process that involve both network- 283 specific and service-specific expertise. This is especially the 284 case, when service function chains span multiple DCs, or across 285 administrative boundaries. Furthermore, physical and virtual 286 environments (network and service) can be highly divergent in 287 terms of topology and that topological variance adds to these 288 challenges. 290 7. Transport Dependence: Service functions can and will be deployed 291 in networks with a range of transports requiring service 292 functions to support and participate in many transports (and 293 associated control planes) or for a transport gateway function to 294 be present. 296 2.3. NSH-based Service Chaining 298 The NSH creates a dedicated service plane, that addresses many of the 299 limitations highlighted in Section 2.2. More specifically, NSH 300 enables: 302 1. Topological Independence: Service forwarding occurs within the 303 service plane, via a network overlay, the underlying network 304 topology does not require modification. NSH provides an 305 identifier used to select the network overlay for network 306 forwarding. 308 2. Service Chaining: NSH contains path identification information 309 needed to realize a service path. Furthermore, NSH provides the 310 ability to monitor and troubleshoot a service chain, end-to-end 311 via service-specific OAM messages. The NSH fields can be used by 312 administrators (via, for example a traffic analyzer) to verify 313 (account, ensure correct chaining, provide reports, etc.) the 314 path specifics of packets being forwarded along a service path. 316 3. NSH provides a mechanism to carry shared metadata between network 317 devices and service function, and between service functions. The 318 semantics of the shared metadata is communicated via a control 319 plane to participating nodes. Examples of metadata include 320 classification information used for policy enforcement and 321 network context for forwarding post service delivery. 323 4. Classification and re-classification: sharing the metadata allows 324 service functions to share initial and intermediate 325 classification results with downstream service functions saving 326 re-classification, where enough information was enclosed. 328 5. NSH offers a common and standards based header for service 329 chaining to all network and service nodes. 331 6. Transport Agnostic: NSH is transport independent and is carried 332 in an overlay, over existing underlays. If an existing overlay 333 topology provides the required service path connectivity, that 334 existing overlay may be used. 336 3. Network Service Header 338 A Network Service Header (NSH) contains service path information and 339 optionally metadata that are added to a packet or frame and used to 340 create a service plane. The original packets preceded by NSH, are 341 then encapsulated in an outer header for transport. 343 NSH is added by a Service Classifier. The NSH header is removed by 344 the last SFF in the chain or by a SF that consumes the packet. 346 3.1. Network Service Header Format 348 A NSH is composed of a 4-byte Base Header, a 4-byte Service Path 349 Header and Context Headers, as shown in Figure 1 below. 351 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 352 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 353 | Base Header | 354 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 355 | Service Path Header | 356 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 357 | | 358 ~ Context Headers ~ 359 | | 360 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 362 Figure 1: Network Service Header 364 Base header: provides information about the service header and the 365 payload protocol. 367 Service Path Header: provide path identification and location within 368 a path. 370 Context headers: carry opaque metadata and variable length encoded 371 information. 373 3.2. NSH Base Header 375 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 376 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 377 |Ver|O|C|R|R|R|R|R|R| Length | MD Type | Next Protocol | 378 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 379 Figure 2: NSH Base Header 381 Base Header Field Descriptions: 383 Version: The version field is used to ensure backward compatibility 384 going forward with future NSH updates. It MUST be set to 0x0 by the 385 sender, in this first revision of NSH. 387 O bit: when set to 0x1 indicates that this packet is an operations 388 and management (OAM) packet. The receiving SFF and SFs nodes MUST 389 examine the payload and take appropriate action (e.g. return status 390 information). 392 OAM message specifics and handling details are outside the scope of 393 this document. 395 C bit: Indicates that a critical metadata TLV is present (see Section 396 3.4.2). This bit acts as an indication for hardware implementers to 397 decide how to handle the presence of a critical TLV without 398 necessarily needing to parse all TLVs present. The C bit MUST be set 399 to 0x0 when MD Type= 0x1 and MAY be used with MD Type = 0x2 and MUST 400 be set to 0x1 if one or more critical TLVs are present. 402 All other flag fields are reserved for future use. Reserved bits 403 MUST be set to zero and MUST be ignored upon receipt. 405 Length: total length, in 4-byte words, of NSH including the Base 406 Header, the Service Path Header and the optional variable TLVs. The 407 Length MUST be of value 0x6 for MD Type = 0x1 and MUST be of value 408 0x2 or higher for MD Type = 0x2. The NSH header length MUST be an 409 integer number of 4 bytes. 411 MD Type: indicates the format of NSH beyond the mandatory Base Header 412 and the Service Path Header. MD Type defines the format of the 413 metadata being carried. A new registry will be requested from IANA 414 for the MD Type. 416 NSH defines two MD types: 418 0x1 - which indicates that the format of the header includes fixed 419 length context headers (see Figure 4 below). 421 0x2 - which does not mandate any headers beyond the Base Header and 422 Service Path Header, and may contain optional variable length context 423 information. 425 The format of the base header and the service path header is 426 invariant, and not affected by MD Type. 428 NSH implementations MUST support MD-Type = 0x1, and SHOULD support 429 MD- Type = 0x2. 431 Next Protocol: indicates the protocol type of the original packet. A 432 new IANA registry will be created for protocol type. 434 This draft defines the following Next Protocol values: 436 0x1 : IPv4 437 0x2 : IPv6 438 0x3 : Ethernet 439 0xFE-0xFF: Experimental 441 3.3. Service Path Header 443 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 444 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 445 | Service Path ID | Service Index | 446 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 448 Service path ID (SPI): 24 bits 449 Service index (SI): 8 bits 451 Figure 3: NSH Service Path Header 453 Service Path Identifier (SPI): identifies a service path. 454 Participating nodes MUST use this identifier for Service Function 455 Path selection. 457 Service Index (SI): provides location within the SFP. The first 458 Classifier (i.e. at the boundary of the NSH domain)in the NSH Service 459 Function Path, SHOULD set the SI to 255, however the control plane 460 MAY configure the initial value of SI as appropriate (i.e. taking 461 into account the length of the service function path). A Classifier 462 MUST send the packet to the first SFF in the chain. Service index 463 MUST be decremented by service functions or proxy nodes after 464 performing required services and the new decremented SI value MUST be 465 reflected in the egress NSH packet. SI MAY be used in conjunction 466 with Service Path ID for Service Function Path selection. Service 467 Index (SI) is also valuable when troubleshooting/reporting service 468 paths. In addition to indicating the location within a Service 469 Function Path, SI can be used for loop detection. 471 3.4. NSH MD-type 1 473 When the Base Header specifies MD Type = 0x1, four Context Header, 474 4-byte each, MUST be added immediately following the Service Path 475 Header, as per Figure 4. Context Headers that carry no metadata MUST 476 be set to zero. 478 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 479 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 480 |Ver|O|C|R|R|R|R|R|R| Length | MD-type=0x1 | Next Protocol | 481 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 482 | Service Path ID | Service Index | 483 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 484 | Mandatory Context Header | 485 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 486 | Mandatory Context Header | 487 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 488 | Mandatory Context Header | 489 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 490 | Mandatory Context Header | 491 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 493 Figure 4: NSH MD-type=0x1 495 Draft-dc [dcalloc] and draft-mobility [moballoc] provide specific 496 examples of how metadata can be allocated. 498 3.5. NSH MD-type 2 500 When the base header specifies MD Type= 0x2, zero or more Variable 501 Length Context Headers MAY be added, immediately following the 502 Service Path Header. Therefore, Length = 0x2, indicates that only 503 the Base Header followed by the Service Path Header are present. The 504 optional Variable Length Context Headers MUST be of an integer number 505 of 4-bytes. 507 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 508 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 509 |Ver|O|C|R|R|R|R|R|R| Length | MD-type=0x2 | Next Protocol | 510 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 511 | Service Path ID | Service Index | 512 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 513 | | 514 ~ Variable Length Context Headers (opt.) ~ 515 | | 516 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 518 Figure 5: NSH MD-type=0x2 520 3.5.1. Optional Variable Length Metadata 522 The format of the optional variable length context headers, is as 523 described below. 525 0 1 2 3 526 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 527 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 528 | TLV Class |C| Type |R|R|R| Len | 529 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 530 | Variable Metadata | 531 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 533 Figure 6: Variable Context Headers 535 TLV Class: describes the scope of the "Type" field. In some cases, 536 the TLV Class will identify a specific vendor, in others, the TLV 537 Class will identify specific standards body allocated types. A new 538 IANA registry will be created for TLV Class type. 540 Type: the specific type of information being carried, within the 541 scope of a given TLV Class. Value allocation is the responsibility 542 of the TLV Class owner. 544 Encoding the criticality of the TLV within the Type field is 545 consistent with IPv6 option types: the most significant bit of the 546 Type field indicates whether the TLV is mandatory for the receiver to 547 understand/process. This effectively allocates Type values 0 to 127 548 for non-critical options and Type values 128 to 255 for critical 549 options. Figure 7 below illustrates the placement of the Critical 550 bit within the Type field. 552 +-+-+-+-+-+-+-+-+ 553 |C| Type | 554 +-+-+-+-+-+-+-+-+ 556 Figure 7: Critical Bit Placement Within the TLV Type Field 558 If a receiver receives an encapsulated packet containing a TLV with 559 the Critical bit set to 0x1 in the Type field and it does not 560 understand how to process the Type, it MUST drop the packet. Transit 561 devices MUST NOT drop packets based on the setting of this bit. 563 Reserved bits: three reserved bit are present for future use. The 564 reserved bits MUST be set to 0x0. 566 Length: Length of the variable metadata, in 4-byte words. A value of 567 0x0 or higher can be used. A value of 0x0 denotes a TLV header 568 without a Variable Metadata field. 570 4. NSH Actions 572 NSH-aware nodes are the only nodes that MAY alter the content of the 573 NSH headers. NSH-aware nodes include: service classifiers, SFF, SF 574 and NSH proxies. These nodes have several possible header related 575 actions: 577 1. Insert or remove NSH: These actions can occur at the start and 578 end respectively of a service path. Packets are classified, and 579 if determined to require servicing, NSH will be imposed. A 580 service classifier MUST insert NSH at the start of an SFP. An 581 imposed NSH MUST contain valid Base Header and Service Path 582 Header. At the end of a service function path, a SFF, MUST be 583 the last node operating on the service header and MUST remove it. 585 Multiple logical classifiers may exist within a given service 586 path. Non-initial classifiers may re-classify data and that re- 587 classification MAY result in a new Service Function Path. When 588 the logical classifier performs re-classification that results in 589 a change of service path, it MUST remove the existing NSH and 590 MUST impose a new NSH with the Base Header and Service Path 591 Header reflecting the new service path information and set the 592 initial SI. Metadata MAY be preserved in the new NSH. 594 2. Select service path: The Service Path Header provides service 595 chain information and is used by SFFs to determine correct 596 service path selection. SFFs MUST use the Service Path Header 597 for selecting the next SF or SFF in the service path. 599 3. Update a Service Path Header: NSH aware service functions (SF) 600 MUST decrement the service index. A service index = 0x0 601 indicates that a packet MUST be dropped by the SFF. 603 Classifier(s) MAY update Context Headers if new/updated context 604 is available. 606 If an NSH proxy (see Section 7) is in use (acting on behalf of a 607 non-NSH-aware service function for NSH actions), then the proxy 608 MUST update Service Index and MAY update contexts. When an NSH 609 proxy receives an NSH-encapsulated packet, it MUST remove the NSH 610 headers before forwarding it to an NSH unaware SF. When the NSH 611 Proxy receives a packet back from an NSH unaware SF, it MUST re- 612 encapsulate it with the correct NSH, and MUST also decrement the 613 Service Index. 615 4. Service policy selection: Service Function instances derive 616 policy (i.e. service actions such as permit or deny) selection 617 and enforcement from the service header. Metadata shared in the 618 service header can provide a range of service-relevant 619 information such as traffic classification. Service functions 620 SHOULD use NSH to select local service policy. 622 Figure 8 maps each of the four actions above to the components in the 623 SFC architecture that can perform it. 625 +---------------+------------------+-------+----------------+---------+ 626 | | Insert |Select | Update |Service | 627 | | or remove NSH |Service| NSH |policy | 628 | | |Function| |selection| 629 | Component +--------+--------+Path +----------------+ | 630 | | | | | Dec. |Update | | 631 | | Insert | Remove | |Service |Context| | 632 | | | | | Index |Header | | 633 +----------------+--------+--------+-------+--------+-------+---------+ 634 | | + | + | | | + | | 635 |Classifier | | | | | | | 636 +--------------- +--------+--------+-------+--------+-------+---------+ 637 |Service Function| | + | + | | | | 638 |Forwarder(SFF) | | | | | | | 639 +--------------- +--------+--------+-------+--------+-------+---------+ 640 |Service | | | | + | | + | 641 |Function (SF) | | | | | | | 642 +--------------- +--------+--------+-------+--------+-------+---------+ 643 |NSH Proxy | + | + | | + | | | 644 +----------------+--------+--------+-------+--------+-------+---------+ 646 Figure 8: NSH Action and Role Mapping 648 5. NSH Encapsulation 650 Once NSH is added to a packet, an outer encapsulation is used to 651 forward the original packet and the associated metadata to the start 652 of a service chain. The encapsulation serves two purposes: 654 1. Creates a topologically independent services plane. Packets are 655 forwarded to the required services without changing the 656 underlying network topology 658 2. Transit network nodes simply forward the encapsulated packets as 659 is. 661 The service header is independent of the encapsulation used and is 662 encapsulated in existing transports. The presence of NSH is 663 indicated via protocol type or other indicator in the outer 664 encapsulation. 666 See Section 9 for NSH encapsulation examples. 668 6. Fragmentation Considerations 670 Work in progress: discussion of jumbo frames and PMTUD implications. 672 7. Service Path Forwarding with NSH 674 7.1. SFFs and Overlay Selection 676 As described above, NSH contains a Service Path Identifier (SPI) and 677 a Service Index (SI). The SPI is, as per its name, an identifier. 678 The SPI alone cannot be used to forward packets along a service path. 679 Rather the SPI provide a level of indirection between the service 680 path/topology and the network transport. Furthermore, there is no 681 requirement, or expectation of an SPI being bound to a pre-determined 682 or static network path. 684 The Service Index provides an indication of location within a service 685 path. The combination of SPI and SI provides the identification of a 686 logical SF and its order within the service plane, and is used to 687 select the appropriate network locator(s) for overlay forwarding. 688 The logical SF may be a single SF, or a set of eligible SFs that are 689 equivalent. In the latter case, the SFF provides load distribution 690 amongst the collection of SFs as needed. SI may also serve as a 691 mechanism for loop detection within a service path since each SF in 692 the path decrements the index; an Service Index of 0 indicates that a 693 loop occurred and packet must be discarded. 695 This indirection -- path ID to overlay -- creates a true service 696 plane. That is the SFF/SF topology is constructed without impacting 697 the network topology but more importantly service plane only 698 participants (i.e. most SFs) need not be part of the network overlay 699 topology and its associated infrastructure (e.g. control plane, 700 routing tables, etc.). As mentioned above, an existing overlay 701 topology may be used provided it offers the requisite connectivity. 703 The mapping of SPI to transport occurs on an SFF (as discussed above, 704 the first SFF in the path gets a NSH encapsulated packet from the 705 Classifier). The SFF consults the SPI/ID values to determine the 706 appropriate overlay transport protocol (several may be used within a 707 given network) and next hop for the requisite SF. Figure 9 below 708 depicts a simple, single next-hop SPI/SI to network overlay network 709 locator mapping. 711 +-------------------------------------------------------+ 712 | SPI | SI | NH | Transport | 713 +-------------------------------------------------------+ 714 | 10 | 255 | 1.1.1.1 | VXLAN-gpe | 715 | 10 | 254 | 2.2.2.2 | nvGRE | 716 | 10 | 251 | 10.1.2.3 | GRE | 717 | 40 | 251 | 10.1.2.3 | GRE | 718 | 50 | 200 | 01:23:45:67:89:ab | Ethernet | 719 | 15 | 212 | Null (end of path) | None | 720 +-------------------------------------------------------+ 722 Figure 9: SFF NSH Mapping Example 724 Additionally, further indirection is possible: the resolution of the 725 required SF network locator may be a localized resolution on an SFF, 726 rather than a service function chain control plane responsibility, as 727 per figures 10 and 11 below. 729 +-------------------+ 730 | SPI | SI | NH | 731 +-------------------+ 732 | 10 | 3 | SF2 | 733 | 245 | 12 | SF34 | 734 | 40 | 9 | SF9 | 735 +-------------------+ 737 Figure 10: NSH to SF Mapping Example 739 +-----------------------------------+ 740 | SF | NH | Transport | 741 +-----------------------------------| 742 | SF2 | 10.1.1.1 | VXLAN-gpe | 743 | SF34| 192.168.1.1 | UDP | 744 | SF9 | 1.1.1.1 | GRE | 745 +-----------------------------------+ 747 Figure 11: SF Locator Mapping Example 749 Since the SPI is a representation of the service path, the lookup may 750 return more than one possible next-hop within a service path for a 751 given SF, essentially a series of weighted (equally or otherwise) 752 overlay links to be used (for load distribution, redundancy or 753 policy), see Figure 12. The metric depicted in Figure 12 is an 754 example to help illustrated weighing SFs. In a real network, the 755 metric will range from a simple preference (similar to routing next- 756 hop), to a true dynamic composite metric based on some service 757 function-centric state (including load, sessions state, capacity, 758 etc.) 760 +----------------------------------+ 761 | SPI | SI | NH | Metric | 762 +----------------------------------+ 763 | 10 | 3 | 10.1.1.1 | 1 | 764 | | | 10.1.1.2 | 1 | 765 | | | | | 766 | 20 | 12 | 192.168.1.1 | 1 | 767 | | | 10.2.2.2 | 1 | 768 | | | | | 769 | 30 | 7 | 10.2.2.3 | 10 | 770 | | | 10.3.3.3 | 5 | 771 +----------------------------------+ 772 (encap type omitted for formatting) 774 Figure 12: NSH Weighted Service Path 776 7.2. Mapping NSH to Network Overlay 778 As described above, the mapping of SPI to network topology may result 779 in a single overlay path, or it might result in a more complex 780 topology. Furthermore, the SPI to overlay mapping occurs at each SFF 781 independently. Any combination of topology selection is possible. 782 Please note, there is no requirement to create a new overlay topology 783 if a suitable one already existing. NSH packets can use any (new or 784 existing) overlay provided the requisite connectivity requirements 785 are satisfied. 787 Examples of mapping for a topology: 789 1. Next SF is located at SFFb with locator 10.1.1.1 790 SFFa mapping: SPI=10 --> VXLAN-gpe, dst-ip: 10.1.1.1 792 2. Next SF is located at SFFc with multiple network locators for 793 load distribution purposes: 794 SFFb mapping: SPI=10 --> VXLAN-gpe, dst_ip:10.2.2.1, 10.2.2.2, 795 10.2.2.3, equal cost 797 3. Next SF is located at SFFd with two paths to SFFc, one for 798 redundancy: 799 SFFc mapping: SPI=10 --> VXLAN-gpe, dst_ip:10.1.1.1 cost=10, 800 10.1.1.2, cost=20 802 In the above example, each SFF makes an independent decision about 803 the network overlay path and policy for that path. In other words, 804 there is no a priori mandate about how to forward packets in the 805 network (only the order of services that must be traversed). 807 The network operator retains the ability to engineer the overlay 808 paths as required. For example, the overlay path between service 809 functions forwarders may utilize traffic engineering, QoS marking, or 810 ECMP, without requiring complex configuration and network protocol 811 support to be extended to the service path explicitly. In other 812 words, the network operates as expected, and evolves as required, as 813 does the service function plane. 815 7.3. Service Plane Visibility 817 The SPI and SI serve an important function for visibility into the 818 service topology. An operator can determine what service path a 819 packet is "on", and its location within that path simply by viewing 820 the NSH information (packet capture, IPFIX, etc.). The information 821 can be used for service scheduling and placement decisions, 822 troubleshooting and compliance verification. 824 7.4. Service Graphs 826 In some cases, a service path is exactly that -- a linear list of 827 service functions that must be traversed. However, the "path" is 828 actually a directed graph. Furthermore, within a given service 829 topology several directed graphs may exist with packets moving 830 between graphs based on non-initial classification (in Figure 13, co- 831 located with the SFs). 833 ,---. ,---. ,---. 834 / \ / \ / \ 835 ( SF2 +------+ SF7 +--------+ SF3 ) 836 ,------\ / \ / /-+ / 837 ; |---' `---'\ / `-+-' 838 | : \ / 839 | \ /---:--- 840 ,-+-. `. ,---. / : 841 / \ '---+ \/ \ 842 ( SF1 ) ( SF6 ) \ 843 \ / \ +--. : 844 `---' `---' `-. ,-+-. 845 `+ \ 846 ( SF4 ) 847 \ / 848 `---' 850 Figure 13: Service Graph Example 852 The SPI/SI combination provides a simple representation of a directed 853 graph, the SPI represents a graph ID; and the SI a node ID. The 854 service topology formed by SPI/SI support cycles, weighting, and 855 alternate topology selection, all within the service plane. The 856 realization of the network topology occurs as described above: SPI/ID 857 mapping to an appropriate transport and associated next network hops. 859 NSH-aware services receive the entire header, including the SPI/SI. 860 An non-initial logical classifier (in many deployment, this 861 classifier will be co-resident with a SF) can now, based on local 862 policy, alter the SPI, which in turn effects both the service graph, 863 and in turn the selection of overlay at the SFF. The figure below 864 depicts the policy associated with the graph in Figure 13 above. 865 Note: this illustrates multiple graphs and their representation; it 866 does not depict the use of metadata within a single service function 867 graph. 869 SF1: 870 SPI: 10 871 NH: SF2 872 SF2: 873 Class: Bad 874 SPI: 20 875 NH: SF6 876 Class: Good 877 SPI: 30 878 NH: SF7 879 SF6: 880 Class: Employee 881 SPI: 21 882 NH: SF4 883 Class: Guest 884 SPI: 22 885 NH: SF3 886 SF7: 887 Class: Employee 888 SPI: 31 889 NH: SF4 890 Class: Guest 891 SPI: 32 892 NH: SF3 894 Figure 14: Service Graphs Using SPI 896 This example above does not show the mapping of the service topology 897 to the network overlay topology. As discussed in the sections above, 898 the overlay selection occurs as per network policy. 900 8. Policy Enforcement with NSH 902 8.1. NSH Metadata and Policy Enforcement 904 As described in Section 3, NSH provides the ability to carry metadata 905 along a service path. This metadata may be derived from several 906 sources, common examples include: 908 Network nodes/devices: Information provided by network nodes can 909 indicate network-centric information (such as VRF or tenant) that 910 may be used by service functions, or conveyed to another network 911 node post service path egress. 913 External (to the network) systems: External systems, such as 914 orchestration systems, often contain information that is valuable 915 for service function policy decisions. In most cases, this 916 information cannot be deduced by network nodes. For example, a 917 cloud orchestration platform placing workloads "knows" what 918 application is being instantiated and can communicate this 919 information to all NSH nodes via metadata carried in the context 920 header(s). 922 Service Functions: A classifier co-resident with Service Functions 923 often perform very detailed and valuable classification. In some 924 cases they may terminate, and be able to inspect encrypted 925 traffic. 927 Regardless of the source, metadata reflects the "result" of 928 classification. The granularity of classification may vary. For 929 example, a network switch, acting as a classifier, might only be able 930 to classify based on a 5-tuple, whereas, a service function may be 931 able to inspect application information. Regardless of granularity, 932 the classification information can be represented in NSH. 934 Once the data is added to NSH, it is carried along the service path, 935 NSH-aware SFs receive the metadata, and can use that metadata for 936 local decisions and policy enforcement. The following two examples 937 highlight the relationship between metadata and policy: 939 +-------+ +-------+ +-------+ 940 | SFF )------->( SFF |------->| SFF | 941 +---^---+ +---|---+ +---|---+ 942 ,-|-. ,-|-. ,-|-. 943 / \ / \ / \ 944 ( Class ) SF1 ) ( SF2 ) 945 \ ify / \ / \ / 946 `---' `---' `---' 947 5-tuple: Permit Inspect 948 Tenant A Tenant A AppY 949 AppY 951 Figure 15: Metadata and Policy 953 +-----+ +-----+ +-----+ 954 | SFF |---------> | SFF |----------> | SFF | 955 +--+--+ +--+--+ +--+--+ 956 ^ | | 957 ,-+-. ,-+-. ,-+-. 958 / \ / \ / \ 959 ( Class ) ( SF1 ) ( SF2 ) 960 \ ify / \ / \ / 961 `-+-' `---' `---' 962 | Permit Deny AppZ 963 +---+---+ employees 964 | | 965 +-------+ 966 external 967 system: 968 Employee 969 AppZ 971 Figure 16: External Metadata and Policy 973 In both of the examples above, the service functions perform policy 974 decisions based on the result of the initial classification: the SFs 975 did not need to perform re-classification, rather they rely on a 976 antecedent classification for local policy enforcement. 978 8.2. Updating/Augmenting Metadata 980 Post-initial metadata imposition (typically performed during initial 981 service path determination), metadata may be augmented or updated: 983 1. Metadata Augmentation: Information may be added to NSH's existing 984 metadata, as depicted in Figure 17. For example, if the initial 985 classification returns the tenant information, a secondary 986 classification (perhaps co-resident with DPI or SLB) may augment 987 the tenant classification with application information, and 988 impose that new information in the NSH metadata. The tenant 989 classification is still valid and present, but additional 990 information has been added to it. 992 2. Metadata Update: Subsequent classifiers may update the initial 993 classification if it is determined to be incorrect or not 994 descriptive enough. For example, the initial classifier adds 995 metadata that describes the traffic as "internet" but a security 996 service function determines that the traffic is really "attack". 997 Figure 18 illustrates an example of updating metadata. 999 +-----+ +-----+ +-----+ 1000 | SFF |---------> | SFF |----------> | SFF | 1001 +--+--+ +--+--+ +--+--+ 1002 ^ | | 1003 ,---. ,---. ,---. 1004 / \ / \ / \ 1005 ( Class ) ( SF1 ) ( SF2 ) 1006 \ / \ / \ / 1007 `-+-' `---' `---' 1008 | Inspect Deny 1009 +---+---+ employees employee+ 1010 | | Class=AppZ appZ 1011 +-------+ 1012 external 1013 system: 1014 Employee 1016 Figure 17: Metadata Augmentation 1018 +-----+ +-----+ +-----+ 1019 | SFF |---------> | SFF |----------> | SFF | 1020 +--+--+ +--+--+ +--+--+ 1021 ^ | | 1022 ,---. ,---. ,---. 1023 / \ / \ / \ 1024 ( Class ) ( SF1 ) ( SF2 ) 1025 \ / \ / \ / 1026 `---' `---' `---' 1027 5-tuple: Inspect Deny 1028 Tenant A Tenant A attack 1029 --> attack 1031 Figure 18: Metadata Update 1033 8.3. Service Path ID and Metadata 1035 Metadata information may influence the service path selection since 1036 the Service Path Identifier can represent the result of 1037 classification. A given SPI can represent all or some of the 1038 metadata, and be updated based on metadata classification results. 1039 This relationship provides the ability to create a dynamic services 1040 plane based on complex classification without requiring each node to 1041 be capable of such classification, or requiring a coupling to the 1042 network topology. This yields service graph functionality as 1043 described in Section 7.4. Figure 19 illustrates an example of this 1044 behavior. 1046 +-----+ +-----+ +-----+ 1047 | SFF |---------> | SFF |------+---> | SFF | 1048 +--+--+ +--+--+ | +--+--+ 1049 | | | | 1050 ,---. ,---. | ,---. 1051 / \ / \ | / \ 1052 ( SCL ) ( SF1 ) | ( SF2 ) 1053 \ / \ / | \ / 1054 `---' `---' +-----+ `---' 1055 5-tuple: Inspect | SFF | Original 1056 Tenant A Tenant A +--+--+ next SF 1057 --> DoS | 1058 V 1059 ,-+-. 1060 / \ 1061 ( SF10 ) 1062 \ / 1063 `---' 1064 DoS 1065 "Scrubber" 1067 Figure 19: Path ID and Metadata 1069 Specific algorithms for mapping metadata to an SPI are outside the 1070 scope of this draft. 1072 9. NSH Encapsulation Examples 1074 9.1. GRE + NSH 1076 IPv4 Packet: 1077 +----------+--------------------+--------------------+ 1078 |L2 header | L3 header, proto=47|GRE header,PT=0x894F| 1079 +----------+--------------------+--------------------+ 1080 --------------+----------------+ 1081 NSH, NP=0x1 |original packet | 1082 --------------+----------------+ 1084 L2 Frame: 1085 +----------+--------------------+--------------------+ 1086 |L2 header | L3 header, proto=47|GRE header,PT=0x894F| 1087 +----------+--------------------+--------------------+ 1088 ---------------+---------------+ 1089 NSH, NP=0x3 |original frame | 1090 ---------------+---------------+ 1092 Figure 20: GRE + NSH 1094 9.2. VXLAN-gpe + NSH 1096 IPv4 Packet: 1097 +----------+------------------------+---------------------+ 1098 |L2 header | IP + UDP dst port=4790 |VXLAN-gpe NP=0x4(NSH)| 1099 +----------+------------------------+---------------------+ 1100 --------------+----------------+ 1101 NSH, NP=0x1 |original packet | 1102 --------------+----------------+ 1104 L2 Frame: 1105 +----------+------------------------+---------------------+ 1106 |L2 header | IP + UDP dst port=4790 |VXLAN-gpe NP=0x4(NSH)| 1107 +----------+------------------------+---------------------+ 1108 ---------------+---------------+ 1109 NSH,NP=0x3 |original frame | 1110 ---------------+---------------+ 1112 Figure 21: VXLAN-gpe + NSH 1114 9.3. Ethernet + NSH 1116 IPv4 Packet: 1117 +-------------------------------+---------------+--------------------+ 1118 |Outer Ethernet, ET=0x894F | NSH, NP = 0x1 | original IP Packet | 1119 +-------------------------------+---------------+--------------------+ 1121 L2 Frame: 1122 +-------------------------------+---------------+----------------+ 1123 |Outer Ethernet, ET=0x894F | NSH, NP = 0x3 | original frame | 1124 +-------------------------------+---------------+----------------+ 1126 Figure 22: Ethernet + NSH 1128 10. Security Considerations 1130 As with many other protocols, NSH data can be spoofed or otherwise 1131 modified. In many deployments, NSH will be used in a controlled 1132 environment, with trusted devices (e.g. a data center) thus 1133 mitigating the risk of unauthorized header manipulation. 1135 NSH is always encapsulated in a transport protocol and therefore, 1136 when required, existing security protocols that provide authenticity 1137 (e.g. RFC 2119 [RFC6071]) can be used. 1139 Similarly if confidentiality is required, existing encryption 1140 protocols can be used in conjunction with encapsulated NSH. 1142 11. Open Items for WG Discussion 1144 1. MD type 1 metadata semantics specifics 1146 2. Bypass bit in NSH. 1148 3. Rendered Service Path ID (RSPID). 1150 12. Contributors 1152 This WG document originated as draft-quinn-sfc-nsh and had the 1153 following co-authors and contributors. The editors of this document 1154 would like to thank and recognize them and their contributions. 1155 These co-authors and contributors provided invaluable concepts and 1156 content for this document's creation. 1158 Surendra Kumar 1159 Cisco Systems 1160 smkumar@cisco.com 1162 Michael Smith 1163 Cisco Systems 1164 michsmit@cisco.com 1166 Jim Guichard 1167 Cisco Systems 1168 jguichar@cisco.com 1170 Rex Fernando 1171 Cisco Systems 1172 Email: rex@cisco.com 1174 Navindra Yadav 1175 Cisco Systems 1176 Email: nyadav@cisco.com 1178 Wim Henderickx 1179 Alcatel-Lucent 1180 wim.henderickx@alcatel-lucent.com 1182 Andrew Dolganow 1183 Alcaltel-Lucent 1184 Email: andrew.dolganow@alcatel-lucent.com 1186 Praveen Muley 1187 Alcaltel-Lucent 1188 Email: praveen.muley@alcatel-lucent.com 1190 Tom Nadeau 1191 Brocade 1192 tnadeau@lucidvision.com 1194 Puneet Agarwal 1195 puneet@acm.org 1197 Rajeev Manur 1198 Broadcom 1199 rmanur@broadcom.com 1201 Abhishek Chauhan 1202 Citrix 1203 Abhishek.Chauhan@citrix.com 1205 Joel Halpern 1206 Ericsson 1207 joel.halpern@ericsson.com 1209 Sumandra Majee 1210 F5 1211 S.Majee@f5.com 1213 David Melman 1214 Marvell 1215 davidme@marvell.com 1217 Pankaj Garg 1218 Microsoft 1219 Garg.Pankaj@microsoft.com 1221 Brad McConnell 1222 Rackspace 1223 bmcconne@rackspace.com 1225 Chris Wright 1226 Red Hat Inc. 1227 chrisw@redhat.com 1229 Kevin Glavin 1230 Riverbed 1231 kevin.glavin@riverbed.com 1233 Hong (Cathy) Zhang 1234 Huawei US R&D 1235 cathy.h.zhang@huawei.com 1237 Louis Fourie 1238 Huawei US R&D 1239 louis.fourie@huawei.com 1241 Ron Parker 1242 Affirmed Networks 1243 ron_parker@affirmednetworks.com 1245 Myo Zarny 1246 Goldman Sachs 1247 myo.zarny@gs.com 1249 13. Acknowledgments 1251 The authors would like to thank Nagaraj Bagepalli, Abhijit Patra, 1252 Peter Bosch, Darrel Lewis, Pritesh Kothari, Tal Mizrahi and Ken Gray 1253 for their detailed review, comments and contributions. 1255 A special thank you goes to David Ward and Tom Edsall for their 1256 guidance and feedback. 1258 Additionally the authors would like to thank Carlos Pignataro and 1259 Larry Kreeger for their invaluable ideas and contributions which are 1260 reflected throughout this draft. 1262 Lastly, Reinaldo Penno deserves a particular thank you for his 1263 architecture and implementation work that helped guide the protocol 1264 concepts and design. 1266 14. IANA Considerations 1268 14.1. NSH EtherType 1270 An IEEE EtherType, 0x894F, has been allocated for NSH. 1272 14.2. Network Service Header (NSH) Parameters 1274 IANA is requested to create a new "Network Service Header (NSH) 1275 Parameters" registry. The following sub-sections request new 1276 registries within the "Network Service Header (NSH) Parameters " 1277 registry. 1279 14.2.1. NSH Base Header Reserved Bits 1281 There are ten bits at the beginning of the NSH Base Header. New bits 1282 are assigned via Standards Action [RFC5226]. 1284 Bits 0-1 - Version 1285 Bit 2 - OAM (O bit) 1286 Bits 2-9 - Reserved 1288 14.2.2. MD Type Registry 1290 IANA is requested to set up a registry of "MD Types". These are 1291 8-bit values. MD Type values 0, 1, 2, 254, and 255 are specified in 1292 this document. Registry entries are assigned by using the "IETF 1293 Review" policy defined in RFC 5226 [RFC5226]. 1295 +---------+--------------+---------------+ 1296 | MD Type | Description | Reference | 1297 +---------+--------------+---------------+ 1298 | 0 | Reserved | This document | 1299 | | | | 1300 | 1 | NSH | This document | 1301 | | | | 1302 | 2 | NSH | This document | 1303 | | | | 1304 | 3..253 | Unassigned | | 1305 | | | | 1306 | 254 | Experiment 1 | This document | 1307 | | | | 1308 | 255 | Experiment 2 | This document | 1309 +---------+--------------+---------------+ 1311 Table 1 1313 14.2.3. TLV Class Registry 1315 IANA is requested to set up a registry of "TLV Types". These are 16- 1316 bit values. Registry entries are assigned by using the "IETF Review" 1317 policy defined in RFC 5226 [RFC5226]. 1319 14.2.4. NSH Base Header Next Protocol 1321 IANA is requested to set up a registry of "Next Protocol". These are 1322 8-bit values. Next Protocol values 0, 1, 2 and 3 are defined in this 1323 draft. New values are assigned via Standards Action [RFC5226]. 1325 +---------------+--------------+---------------+ 1326 | Next Protocol | Description | Reference | 1327 +---------------+--------------+---------------+ 1328 | 0 | Reserved | This document | 1329 | | | | 1330 | 1 | IPv4 | This document | 1331 | | | | 1332 | 2 | IPv6 | This document | 1333 | | | | 1334 | 3 | Ethernet | This document | 1335 | | | | 1336 | 4..253 | Unassigned | | 1337 | | | | 1338 | 254 | Experiment 1 | This document | 1339 | | | | 1340 | 255 | Experiment 2 | This document | 1341 +---------------+--------------+---------------+ 1343 Table 2 1345 15. References 1347 15.1. Normative References 1349 [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, 1350 DOI 10.17487/RFC0791, September 1981, 1351 . 1353 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1354 Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ 1355 RFC2119, March 1997, 1356 . 1358 15.2. Informative References 1360 [RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P. 1361 Traina, "Generic Routing Encapsulation (GRE)", RFC 2784, 1362 DOI 10.17487/RFC2784, March 2000, 1363 . 1365 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 1366 IANA Considerations Section in RFCs", BCP 26, RFC 5226, 1367 DOI 10.17487/RFC5226, May 2008, 1368 . 1370 [RFC6071] Frankel, S. and S. Krishnan, "IP Security (IPsec) and 1371 Internet Key Exchange (IKE) Document Roadmap", RFC 6071, 1372 DOI 10.17487/RFC6071, February 2011, 1373 . 1375 [RFC7498] Quinn, P., Ed. and T. Nadeau, Ed., "Problem Statement for 1376 Service Function Chaining", RFC 7498, DOI 10.17487/ 1377 RFC7498, April 2015, 1378 . 1380 [SFC-arch] 1381 Quinn, P., Ed. and J. Halpern, Ed., "Service Function 1382 Chaining (SFC) Architecture", 2014, 1383 . 1385 [VXLAN-gpe] 1386 Quinn, P., Manur, R., Agarwal, P., Kreeger, L., Lewis, D., 1387 Maino, F., Smith, M., Yong, L., Xu, X., Elzur, U., Garg, 1388 P., and D. Melman, "Generic Protocol Extension for VXLAN", 1389 . 1392 [dcalloc] Guichard, J., Smith, M., and S. Kumar, "Network Service 1393 Header (NSH) Context Header Allocation (Data Center)", 1394 2014, . 1397 [moballoc] 1398 Napper, J. and S. Kumar, "NSH Context Header Allocation -- 1399 Mobility", 2014, . 1402 Authors' Addresses 1404 Paul Quinn (editor) 1405 Cisco Systems, Inc. 1407 Email: paulq@cisco.com 1409 Uri Elzur (editor) 1410 Intel 1412 Email: uri.elzur@intel.com