idnits 2.17.1 draft-song-sfc-legacy-sf-mapping-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** There are 44 instances of too long lines in the document, the longest one being 2 characters in excess of 72. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 226: '... SFF MUST relay the metadata to the ...' Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (August 19, 2015) is 3171 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- No issues found here. Summary: 3 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 SFC working group H. Song 3 Internet-Draft J. You 4 Intended status: Informational L. Yong 5 Expires: February 20, 2016 Y. Jiang 6 L. Dunbar 7 Huawei 8 N. Bouthors 9 Qosmos 10 D. Dolson 11 Sandvine 12 August 19, 2015 14 SFC Header Mapping for Legacy SF 15 draft-song-sfc-legacy-sf-mapping-06 17 Abstract 19 A Service Function Chain (SFC) defines a set of abstract Service 20 Functions (SF) and ordering constraints that must be applied to 21 packets and/or frames selected as a result of classification. One 22 assumption of this document is that legacy service functions can 23 participate in service function chains without having support for the 24 SFC header, or even being aware of it. This document provides a 25 mechanism between an SFC proxy and an SFC-unaware service function 26 (herein termed "legacy SF"), to identify the SFC header associated 27 with a packet that is returned from a legacy SF, without an SFC 28 header being explicitly carried in the wired protocol between SFC 29 proxy and legacy SF. 31 Status of This Memo 33 This Internet-Draft is submitted in full conformance with the 34 provisions of BCP 78 and BCP 79. 36 Internet-Drafts are working documents of the Internet Engineering 37 Task Force (IETF). Note that other groups may also distribute 38 working documents as Internet-Drafts. The list of current Internet- 39 Drafts is at http://datatracker.ietf.org/drafts/current/. 41 Internet-Drafts are draft documents valid for a maximum of six months 42 and may be updated, replaced, or obsoleted by other documents at any 43 time. It is inappropriate to use Internet-Drafts as reference 44 material or to cite them other than as "work in progress." 46 This Internet-Draft will expire on February 20, 2016. 48 Copyright Notice 50 Copyright (c) 2015 IETF Trust and the persons identified as the 51 document authors. All rights reserved. 53 This document is subject to BCP 78 and the IETF Trust's Legal 54 Provisions Relating to IETF Documents 55 (http://trustee.ietf.org/license-info) in effect on the date of 56 publication of this document. Please review these documents 57 carefully, as they describe your rights and restrictions with respect 58 to this document. Code Components extracted from this document must 59 include Simplified BSD License text as described in Section 4.e of 60 the Trust Legal Provisions and are provided without warranty as 61 described in the Simplified BSD License. 63 Table of Contents 65 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 66 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 67 3. Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . 6 68 3.1. For Transparent Service Functions . . . . . . . . . . . . 6 69 3.1.1. Layer 2 MAC Address . . . . . . . . . . . . . . . . . 6 70 3.1.2. VLAN . . . . . . . . . . . . . . . . . . . . . . . . 8 71 3.1.3. QinQ . . . . . . . . . . . . . . . . . . . . . . . . 9 72 3.1.4. VXLAN . . . . . . . . . . . . . . . . . . . . . . . . 10 73 3.1.5. 5-tuple . . . . . . . . . . . . . . . . . . . . . . . 12 74 3.2. For Non-transparent Service Functions . . . . . . . . . . 12 75 4. Operation Considerations . . . . . . . . . . . . . . . . . . 13 76 4.1. Metadata Consideration . . . . . . . . . . . . . . . . . 15 77 5. Security Considerations . . . . . . . . . . . . . . . . . . . 15 78 6. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 15 79 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 80 7.1. Normative References . . . . . . . . . . . . . . . . . . 15 81 7.2. Informative References . . . . . . . . . . . . . . . . . 16 82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 84 1. Introduction 86 A Service Function Chain (SFC) [I-D.ietf-sfc-architecture] defines a 87 set of abstract service functions and ordering constraints that must 88 be applied to packets and/or frames selected as a result of 89 classification. One assumption of this document is that some service 90 functions may remain as legacy implementations, and they neither have 91 to be aware of the SFC header, nor interpret it. It is a 92 straightforward function for an SFC proxy to remove an SFC header to 93 send a packet to a legacy SF, but it is not obvious what SFC header 94 should be added to packets arriving at the SFC proxy from the legacy 95 SF. 97 This document provides a mechanism between an SFC proxy and a legacy 98 SF, to identify the SFC header associated with a packet that is 99 returned from a legacy SF, without anything in the SFC header being 100 explicitly carried in the wired protocol between SFC proxy and legacy 101 SF. The motivation for supporting legacy SF is that existing service 102 functions don't need to be upgraded to support SFC, removing one 103 barrier to wide adoption of SFC. 105 +----------------+ 106 |SFC-unaware | 107 |Service Function| 108 | (Legacy SF) | 109 +----+----+------+ 110 ^ | 111 | | 112 +----+----+------+ 113 | Switch | 114 +----+----+------+ 115 | | 116 (2)| |(3) 117 | | 118 +----+----V--------+ 119 (1) | SFC | (4) 120 -------->| Proxy +-------> 121 +------------------+ 123 Figure 1: Procedure of a packet processed by a legacy SF 125 The legacy service function (i.e., "SFC-unaware Service Function" in 126 the Figure 1) only handles packets without SFC header, because it 127 does not understand the SFC header. Note that different classes of 128 legacy SF may have varying support for different types of packets 129 with respect to parsing and semantics (e.g., some classes of legacy 130 SF may accept VLAN-tagged traffic; others may not.). 132 This document focuses heavily on legacy SFs that are transparent at 133 layer 2. In particular, we assume the following about layer- 134 2-transparent legacy SFs: 136 1. Traffic is forwarded between pairs of interfaces, such that 137 packets received on the "left" are forwarded on the "right" and 138 vice versa. 140 2. A packet is forwarded between interfaces without modifying the 141 layer 2 header; i.e., neither source MAC nor destination MAC is 142 modified. 144 3. When supported, VLAN-tagged or Q-in-Q packets are forwarded 145 with the original VLAN tag(s) intact (S-tags and C-tags). 147 4. Traffic may be discarded by some functions (e.g., by a 148 firewall). 150 5. Traffic may be injected in either direction by some functions 151 (e.g., extra data coming from a cache, or simply TCP 152 retransmissions). We assume injected traffic relates to a layer 3 153 or layer 4 flow, and the SF clones layer 2 headers from exemplar 154 packets of the same flow. 156 6. Traffic may be modified by some functions at layer 3 (e.g., 157 DSCP marking) or higher layers (e.g., HTTP header enrichment or 158 anonymization). Note that modification can be considered a 159 special case of discarding following by injection. 161 7. Traffic may be reordered by some functions (e.g., due to 162 queuing/scheduling). 164 We leave the legacy SFs which modify the original layer 2 packet 165 headers as an open issue for further study. 167 To support this class of legacy SF, if the payload in the SFC 168 encapsulation is layer 3 traffic, the SFC proxy will extract the 169 layer 3 payload from SFC encapsulation and prepend a new layer 2 170 header before sending the packet to the SF. However if the payload 171 in the SFC encapsulation is layer 2 traffic, the SFC proxy may 172 extract the layer 2 packet from SFC encapsulation, modify the 173 original source MAC address and use the new source MAC address for 174 mapping to the stored SFC and layer 2 headers when the packets are 175 returned to the SFC proxy. This will not impact the SF processing. 176 The SF will send the traffic back after processing. 178 As shown in Figure 1, there are four steps. The SFC proxy receives a 179 packet, and removes its SFC header, which may optionally contain 180 metadata, and store the SFC header locally, and then sends the de- 181 encapsulated packet to the SF. After the SF processes the packet, 182 the packet will be sent back to the SFC proxy. The SFC proxy 183 retrieves the pre-stored SFC header accordingly, determines the SFC 184 header for the next stage of the path and encapsulates the packet 185 with the next SFC header. 187 The key problem contemplated in this document is: what layer 2 header 188 should be put on the packets sent to a legacy SF such that packets 189 returned from the legacy SF can be mapped to the original SFC header? 190 We need to consider the relationship between an SFC path and flows 191 within the path. Should the path act as a qualifier to the flow, or 192 should a flow be allowed to change paths? Below, we assume flows can 193 change path; this means that a given legacy SF cannot handle traffic 194 from more than one routing domain. (Private IP addresses cannot be 195 qualified by the SFC header; different VPNs must use different legacy 196 SFs.) 198 Because we've assumed that a flow can be on multiple paths, or change 199 paths, or if metadata can vary during the life of a flow, we need to 200 ask to what extent packet accuracy matters. If the SFC header used 201 with a flow is changed from one path to another by the classifier, 202 does it matter if packets retain exactly the original SFC header? If 203 the change is to handle routing updates or fail-over then it would be 204 acceptable to put all packets returning from the legacy SF onto the 205 most recently updated header. If metadata is changed, can that 206 update be applied to all packets of a flow, or does it apply to a 207 specific packet? 209 In the case that changes to paths and metadata are considered updates 210 to the flow vs. packet properties, the SFC proxy can find the SFC 211 header based on flow (e.g., the 5-tuple of the returning IP packet). 213 If, in contrast, packet accuracy of SFC headers does matter, (e.g., 214 the metadata says something about the specific packet associated with 215 it), then some form of per-packet bookkeeping must be done by the SFC 216 proxy and the 5-tuple cannot be used for the mapping to retrieve the 217 original SFC header. 219 When packet accuracy does matter, packets injected by the legacy SF 220 pose a fundamental problem. Is there any correct SFC header that can 221 be added? Observation: the same problem exists for a normal (not 222 legacy) SF that wishes to modify or inject a packet. 224 When metadata is sent without any associated payload (congruent 225 metadata) and the associated service function is a legacy one, then 226 SFF MUST relay the metadata to the next hop SFF, without sending the 227 metadata to SFC proxy. For some types of metadata, the metadata 228 should be saved in case it needs to be added to packets injected by 229 the legacy SF. 231 Because the SFC proxy needs to keep dynamic state by storing packet 232 headers, an expiration time should be used for each mapping entry in 233 the SFC proxy. If the SFC header in that entry has not been 234 witnessed or retrieved after the expiration time, the entry will be 235 deleted from the entry table. 237 Observation: if metadata is not used, the number distinct SFC headers 238 is known at configuration time, equivalent to the number of paths 239 configured to pass through the SF. The mappings between SFC headers 240 and layer 2 encodings could be configured at this time vs. at run 241 time. However, if metadata is used, a combinatorial explosion of 242 distinct SFC headers may result, which is a problem for any device 243 attempting to store them for later retrieval. 245 2. Terminology 247 The terminology used in this document is defined below: 249 Legacy SF: A conventional service function that does not support 250 SFC header, i.e. SFC-unaware SF. 252 Transparent SF: A service function that does not change any bit of 253 the original service packet header (Layer 2, layer 3, and layer 4) 254 sent to it, but it may drop packets. 256 Non-transparent SF: A service function that changes some part of 257 the original service packet header sent to it. 259 Original Service Packet: The payload in an SFC encapsulation 260 packet or a packet constructed based on the original payload. 262 SFC Proxy: A network function that operates as an SF node within 263 the SFC architecture while delegating application functions to one 264 or more attached Legacy SFs by acting as an adapter or bridge 265 between the SFC protocol and SF wire protocols understood by the 266 legacy SF. 268 3. Mechanisms 270 The mechanisms used in this document require that each forwarding 271 entity and its connected service functions in the same layer 2 272 network. The following are considerations mainly for transparent 273 SFs. If the original payload packet is a layer 2 packet, and the 274 mapping method used is layer 2 MAC address, then the assumption is 275 that the SF does not need to look into the layer 2 header. If it 276 does, other mechanisms should be used. 278 3.1. For Transparent Service Functions 280 If the service function is transparent to packet headers, the 281 following methods can be used for SFC header mapping. 283 3.1.1. Layer 2 MAC Address 285 The layer 2 MAC address is used to associate a SFC header between SFC 286 proxy and SF; i.e., each SFC header will be assigned a source MAC 287 address on the SFC proxy. If SFC header can be changed per packet, 288 then SFC proxy assigns a new source MAC address for each packet it 289 received, otherwise, it assigns a new MAC address for each unique SFC 290 header that must be applied to returning packets. (It is not 291 necessary to have a unique MAC address for each flow received.) 293 When SFC proxy received the returned packet from the SF, it retrieves 294 the packet's original SFC header by using the source MAC address as a 295 key. And then it encapsulates the packet with that SFC header and 296 sends to the next hop. 298 Open issue: usually the MAC address table size in a switch is no more 299 than 16K. When there is a requirement that per packet metadata needs 300 to be restored to each packet after the packet returns from the SF 301 instance, it may require more MAC addresses than the MAC table size 302 in the switch. This may overflow the MAC table, thus the packet 303 cannot route back to the SFC proxy correctly. 305 An issue with the source-MAC address approach is that there is not 306 symmetry between packets going left-to-right with packets going 307 right-to-left. Such symmetry might be assumed by some legacy SFs. 308 For example, if a layer-2-transparent SF responds to a TCP SYN with a 309 TCP RST, it might do so by reversing the source and destination of 310 the layer 2 header. Such a packet received by the SFC proxy would 311 not result in finding of the correct SFC header. A variation that is 312 symmetric assigns a unique source/destination pair for each unique 313 SFC header. 315 0 1 2 3 316 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 318 Outer Ethernet Header: 320 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 321 | SF Destination MAC Address | 322 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 323 | SF Destination MAC Address | SFC Proxy Source MAC Address | 324 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 325 | SFC Proxy Source MAC Address | 326 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 327 | Ethertype = 0x0800 | 328 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 330 Original IP Payload: 332 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 333 | Original Payload | 334 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 336 3.1.2. VLAN 338 If the network between the SFC proxy and SF is a layer 2 network, and 339 in the case that an SF needs to look into the MAC address of the 340 packet, then VLAN can be used for the mapping between them. The SFC 341 proxy removes the SFC header and sends the packet to the SF, with 342 encapsulating a certain VLAN ID. It is a new encapsulation, 343 supposing that the legacy App can be configured to accept VLAN-tagged 344 packets and to send them back on the same VLAN. It is assumed that 345 the receiving service function host/VM can support multiple VLANs. 346 The SFC proxy locally maintains the mapping between VLAN ID/direction 347 and the SFC header. 349 When it gets the returned packet from the SF, the SFC proxy removes 350 the VLAN part from the packet and retrieves the corresponding SFC 351 header according to the VLAN ID and the direction of packet travel, 352 and then encapsulates SFC header into that packet before sending to 353 the next service function. Packet direction is required because the 354 SFC header for left-to-right packets is different than the SFC header 355 for right-to-left packets. 357 If metadata is not used, the number of VLAN tags required is exactly 358 the number of SFC paths that pass through the SF, and it can be known 359 at configuration time how many are required. 361 [I-D.dolson-sfc-vlan] describes an approach for service function 362 chaining by using the input interface and VLAN number to select the 363 next output interface and new VLAN number. SF devices that work with 364 the dolson-sfc-vlan scheme will work with the VLAN scheme described 365 here. 367 One open issue with VLAN tag is that if the use case requires per 368 packet metadata, then the address space of VLAN digits cannot be 369 enough. 371 0 1 2 3 372 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 374 Outer Ethernet Header: 376 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 377 | SFI Destination MAC Address | 378 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 379 | SF Destination MAC Address | SFC Proxy Source MAC Address | 380 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 381 | SFC Proxy Source MAC Address | 382 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 383 |OptnlEthtype = C-Tag 802.1Q |Outer.VLAN Tag Information | 384 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 385 | Ethertype = 0x0800 | 386 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 388 Original IP Payload: 390 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 391 | Original Payload | 392 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 394 3.1.3. QinQ 396 If the network between the SFC proxy and SF is already a VLAN 397 network, and the SF needs to look into the MAC address, then QinQ is 398 used for the communication between SFC proxy and SF. The SFC proxy 399 removes the SFC header and sends the original traffic to legacy SF 400 with a certain outer VLAN ID. It locally maintains the mapping 401 between outer VLAN ID and the SFC header. 403 If the network between SFC proxy and SF is not a VLAN network, then 404 QinQ can be used for either per flow mapping or per packet mapping, 405 using two layer VLAN fields. Because of the increase in address 406 space, QinQ can be used in two-layer VLAN: outer VLAN-id per flow, 407 and inner VLAN-id per packet. If the network between SFC proxy and 408 SF is a VLAN network, then QinQ can only be used for per flow 409 mapping, using one VLAN field. 411 It is assumed that the receiving service function host/VM can support 412 multiple service VLAN IDs with multiple inner VLAN IDs. 414 0 1 2 3 415 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 417 Outer Ethernet Header: 419 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 420 | SF Destination MAC Address | 421 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 422 | SF Destination MAC Address | SFC Proxy Source MAC Address | 423 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 424 | SFC Proxy Source MAC Address | 425 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 426 |OptnlEthtype = S-Tag 802.1Q |Outer.VLAN Tag Information | 427 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 428 |Ethertype = C-Tag 802.1Q |Inner.VLAN Tag Information | 429 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 430 | Ethertype = 0x0800 | 431 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 433 Original IP Payload: 435 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 436 | Original Payload | 437 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 439 3.1.4. VXLAN 441 If the SFC proxy and SF are already deployed in a QinQ network, then 442 VXLAN [RFC7348] can be used for the mapping, i.e. VNI can be used for 443 the mapping between them. This tunneling technology is only used 444 when the original packet type is at layer 2 and the SF has to look 445 into the layer 2 MAC header. 447 The drawback of this mechanism is that it requires both SFC proxy and 448 SF to support VXLAN. 450 This approach has similar features and drawbacks of the VLAN scheme, 451 but the number of possible VLANs is larger. 453 0 1 2 3 454 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 456 Outer Ethernet Header: 458 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 459 | SF Destination MAC Address | 460 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 461 |SFI Destination MAC Address | SFC Proxy Source MAC Address | 462 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 463 | SFC Proxy Source MAC Address | 464 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 465 |OptnlEthtype = C-Tag 802.1Q |Outer.VLAN Tag Information | 466 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 467 | Ethertype = 0x0800 | 468 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 470 Outer IP Header: 472 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 473 |Version| IHL |Type of Service| Total Length | 474 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 475 | Identification |Flags| Fragment Offset | 476 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 477 |Time to Live |Protocol=17(UDP) | Header Checksum | 478 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 479 | Outer Source IPv4 Address | 480 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 481 | Outer Destination IPv4 Address | 482 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 484 Outer UDP Header: 486 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 487 | Source Port = xxxx | Dest Port = VXLAN Port | 488 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 489 | UDP Length | UDP Checksum | 490 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 492 VXLAN Header: 494 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 495 |R|R|R|R|I|R|R|R| Reserved | 496 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 497 | VXLAN Network Identifier (VNI) | Reserved | 498 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 500 3.1.5. 5-tuple 502 The 5-tuple of an SFC packet can be used as a key to associate an SFC 503 header in the SFC proxy when the 5-tuple is not modified by the 504 legacy SF. The SFC proxy maintains a mapping table for the 5-tuple 505 and the SFC header. When the packet returns from the SF instance, 506 the original SFC header for this packet can be retrieved by inquiring 507 the mapping table using 5-tuple as the key. However, this method may 508 not work in multi-tenant organizations, as such unicity could be 509 Valid only within the scope of a single tenant. So if the SFC is 510 provided as a multi-tenant service, this method would fail. 512 Another similar use case could be that a client and a server use http 513 80 port for transporting different types of data, and if each type 514 has its specific SFC header with metadata, then 5-tuple does not work 515 either. 517 This method cannot support per-packet metadata. 519 3.2. For Non-transparent Service Functions 521 Non transparent service functions including NAT (Network Address 522 Translation), WOC (WAN Optimization Controller) and etc, are more 523 complicated, as they may change any part of the original packet sent 524 to them. It is better to analyze case by case, to utilize a specific 525 field that the SF does not change for the mapping and retrieving the 526 SFC header. We would like to leave it for open discussion. 528 The Figure below shows an example that SFC proxy can learn the 529 behavior of the SF changing the packet. In this example, the 530 following method is used for SFC header mapping. The SF needs to 531 report its mapping rules (e.g. 5-tuple mapping rules) to the control 532 plane (e.g. by static configuration), and then the control plane can 533 notify the SFC proxy the mapping information (step 1) via interface 534 C4 [I-D.ww-sfc-control-plane]. According to the mapping information, 535 the SFC proxy can establish a mapping table for the SFC header, the 536 original header, and the processed header of the packet. After 537 receiving the packet from the SF (step 4), the SFC proxy retrieves 538 the SFC header from the mapping table by using the processed header 539 as a key. 541 +-------------+ 542 |Control Plane| 543 +--+----------+ 544 ^ 545 | 546 | +----------------+ 547 | |SFC-unaware | 548 (1)| |Service Function| 549 | +-----+---+------+ 550 | (3)^ |(4) 551 +---------------+ | | 552 | | | 553 +--V---+---V-------+ 554 (2) | SFC | (5) 555 --------->+ Proxy +-------> 556 +------------------+ 558 4. Operation Considerations 560 The following table shows all the methods and the conditions to use. 562 Table 1: Operation Consideration 564 +-----------+--------+-------------------------------+-------------------+ 565 | |Methods | Stored Key-Value |Application | 566 | | | |Scenario | 567 +-----------+--------+-------------------------------+-------------------+ 568 | |MAC | (Source MAC Address, SFC |L2 header won't | 569 |For Trans- |Address | header) |be modified by the | 570 |parent SF | | |SF. | 571 | | |e.g. assign a source MAC | | 572 | | |address per packet or path ID | | 573 | +--------+-------------------------------+-------------------+ 574 | |VLAN | (Direction, VLAN ID, |L2 header won't | 575 | | | SFC header) |be modified by the | 576 | | |e.g. assign a VLAN ID per |SF. | 577 | | |bidirectional path-pair | | 578 | +--------+-------------------------------+-------------------+ 579 | |QinQ | (Direction, Outer VLAN ID, |The SF is required | 580 | | | SFC header) |to support QinQ. | 581 | | |e.g. assign an outer VLAN ID |L2 header won't | 582 | | |per bidirectional path-pair |be modified by | 583 | | | |the SF. | 584 | +--------+-------------------------------+-------------------+ 585 | |VXLAN | (Direction, VNI, SFC header) |The SF is required | 586 | | |e.g. assign a VNI per |to support VXLAN. | 587 | | |bidirectional path-pair |VNI is not modified| 588 | | | |by the SF. | 589 | +--------+-------------------------------+-------------------+ 590 | |5-tuple |(5-tuple, SFC header) |5-tuple is not | 591 | | | |modified by the | 592 | | |The SFC proxy maintains the |SF. | 593 | | |mapping table for 5-tuple and | | 594 | | |the SFC header. | | 595 | | |Note: an SFC header for each | | 596 | | |direction of a TCP flow. | | 597 +-----------+--------+----------------- -------------+-------------------+ 598 | |TBD |Mapping rules: |The SFC proxy is | 599 |For | |e.g. 5-tuple -> 5-tuple' |configured or is | 600 |Non-trans- | | |able to obtain the | 601 |parent SF | |SFC Proxy: |mapping rules of | 602 | | |5-tuple -> 5-tuple' |the SF. The SF | 603 | | |5-tuple'-> SFC header |modifies the | 604 | | | |5-tuple based on | 605 | | | |the mapping | 606 | | | |rules. | 607 +-----------+--------+---------------------------------------------------+ 608 4.1. Metadata Consideration 610 Some classes of SF may need to inject new packets, for example a 611 transparent cache sending content from its disk. The legacy SF 612 usually encapsulates the new packets with the same encapsulation with 613 the related received packets, e.g. with the same 5-tuple, or V-LAN 614 ID. The SFC proxy would associate the new packet with the 615 corresponding SFC header based on the mechanisms discussed in 616 Section 3. However, per-packet metadata should be prohibited for 617 this case. 619 Some classes of SF may need to inject a packet in the opposite 620 direction of a received packet, for example a firewall responding to 621 a TCP SYN with a RST. If the RST generator is VLAN-type legacy, it 622 may know what VLAN to use; then the SFC proxy would translate VLAN 623 into a reverse SFP and attach a corresponding SFC header insetad of 624 the original SFC header. In this case, the SFC proxy should be 625 configured with the bidirectional SFP, i.e. SFC proxy needs to be 626 designed according to the properties of the SF. Similarly, packet- 627 specific metadata is not recommended to be used. 629 We leave the metadata model as an open issue that will be documented 630 in other documents. In some cases this information will also assist 631 normal (non-legacy) SFs that wish to modify or inject packets. 633 5. Security Considerations 635 When the layer 2 header of the original packet is modified and sent 636 to the SF, if the SF needs to look into the layer 2 header, it may 637 cause security threats. It also provides diagrams of the main 638 entities that the information model is comprised of. 640 6. Acknowledgement 642 The authors would like to thank Ron Parker and Joel Halpern for their 643 comments. 645 7. References 647 7.1. Normative References 649 [RFC7348] Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger, 650 L., Sridhar, T., Bursell, M., and C. Wright, "Virtual 651 eXtensible Local Area Network (VXLAN): A Framework for 652 Overlaying Virtualized Layer 2 Networks over Layer 3 653 Networks", RFC 7348, DOI 10.17487/RFC7348, August 2014, 654 . 656 7.2. Informative References 658 [I-D.dolson-sfc-vlan] 659 Dolson, D., "VLAN Service Function Chaining", draft- 660 dolson-sfc-vlan-00 (work in progress), February 2014. 662 [I-D.ietf-sfc-architecture] 663 Halpern, J. and C. Pignataro, "Service Function Chaining 664 (SFC) Architecture", draft-ietf-sfc-architecture-11 (work 665 in progress), July 2015. 667 [I-D.ww-sfc-control-plane] 668 Li, H., Wu, Q., Boucadair, M., Jacquenet, C., Haeffner, 669 W., Lee, S., Parker, R., Dunbar, L., Malis, A., Halpern, 670 J., Reddy, T., and P. Patil, "Service Function Chaining 671 (SFC) Control Plane Components & Requirements", draft-ww- 672 sfc-control-plane-06 (work in progress), June 2015. 674 Authors' Addresses 676 Haibin Song 677 Huawei 678 101 Software Avenue, Yuhuatai District 679 Nanjing, Jiangsu 210012 680 China 682 Email: haibin.song@huawei.com 684 Jianjie You 685 Huawei 686 101 Software Avenue, Yuhuatai District 687 Nanjing, 210012 688 China 690 Email: youjianjie@huawei.com 692 Lucy Yong 693 Huawei 694 5340 Legacy Drive 695 Plano, TX 75025 696 U.S.A. 698 Email: lucy.yong@huawei.com 699 Yuanlong Jiang 700 Huawei 701 Bantian, Longgang district 702 Shenzhen 518129 703 China 705 Email: jiangyuanlong@huawei.com 707 Linda Dunbar 708 Huawei 709 1700 Alma Drive, Suite 500 710 Plano, TX 75075 711 U.S.A. 713 Email: ldunbar@huawei.com 715 Nicolas Bouthors 716 Qosmos 718 Email: nicolas.bouthors@qosmos.com 720 David Dolson 721 Sandvine 722 408 Albert Street 723 Waterloo, ON N2L 3V3 724 Canada 726 Email: ddolson@sandvine.com