ODL SFC, Implementing IETF SFC November 14, 2016 Seoul, South Korea ODL SFC, Implementing IETF SFC November 14, 2016 Brady Johnson ODL SFC Project Technical Lead brady.allen.johnson@ericsson.com

OpenDaylight SFC Data Model Service Function Chain (SFC) Abstract, ordered list of Service Function Types ex: [DPI, FW, NAT, QoS] Service Function Path (SFP) Concrete, directional details about an SFC Specific transport details (VxLAN-GPE+NSH, Eth+NSH, etc) Optionally specify concrete Service Functions and Service Function Forwarders Rendered Service Path (RSP) The actual service chain, combining info from the SFC and SFP Includes dynamic runtime representation of SFP resulting from load balancing and/or failover Service Chaining Classification Map subscriber/tenant traffic flows to Service Chains Applies Service Chain Encapsulation (NSH) Uses IETF ACL matching for traffic flow matching SFP SFC SF-Type1 SF-Type2 SF-Type3 Concrete SF1 Concrete SF2 Concrete SF3 Classifier RSP Concrete SFF1 Concrete SFF2

OpenDaylight SFC Use Case: SF Reclassification and branching P2P/BitTorrent ⇒ Blue HTTP ⇒ Red HTTP Header Enrichment P2P Rate Limiting SF-DPI SF-QoS SF-HTTP Re-Classify Feedback ODL-SFC Update/Create Service Chains SFF br-int Classifier Classifier Internet Classification Rules SDN Network

Service Chaining Encapsulation: Network Service Headers (NSH) NSH-Aware Service Functions (decrement NSI on pkt egress) NSH encapsulated packets: NSP: NSH Path, Chain ID NSI: NSH index, Hop in chain The shown NSI is after being decremented by the SF SF-NAT NSH-UnAware Service Function SF-HTTP SF-NAT Original packets NSH Proxy Classify once: Encapsulate Chain info with every packet 1,253 7,254 1,254 7,253 SFF br-int SFF br-int Classifier Classifier 1,255 7,254 7,253 Host 2 Host 2 7,255 Host 1 1,253 Original packets SDN Network Original packets

NSH Header and transport details As supported in ODL SFC Outer Eth hdr Outer IP hdr Outer UDP hdr VxLAN GPE Inner Eth hdr Inner IP hdr Payload Example 1: NSH encapsulated in VXLAN-GPE Network Services Header Service Path: The Service Chain ID NSH Base Header Index: The hop in the Service Chain Service Path (24 bit) / Index Optional Metadata Example 2: NSH encapsulated in Ethernet NSH Outer Eth hdr Inner Eth hdr Inner IP hdr Payload

OpenDaylight: Just 1 piece of the puzzle ODL NFV OpenStack OVS fd.io Linux OPNFV: Integrating it all together https://www.opnfv.org/ https://wiki.opnfv.org/display/sfc/Service+Function+Chaining+Home

OPNFV SFC Compute Node Control Node OVS (br-int) OVS VM VM VM VM Tacker Clients Servers SF1 SF2 ODL SFC Open Stack OVS (br-int) Ingress Classifier SFF Egress Classifier OVS Top Of Rack Switch Legend VxLAN tunnel SF/SFF OpenFlow 1.3/OVSDB Classifier encaps VxLAN-GPE NSH Original packets, no encap

IETF SFC RFC improvements Terminating SFPs and how to handle SFP egress rfc7665 - Section 4.3, point 2 The specification mentions that the last SFF should remove the SFC encapsulation and send the packet back to the network. This can be done by any SFC egress boundary node, and shouldnt be required by the last SFF. Its not always feasible for the SFF to know what to do with the original packet. When using GBP and Netvirt classifiers, the egress classifier removes the SFC encapsulation, thus acting as an SFC egress boundary node If the packet is sent back to the network (OpenStack br-int bridge) without SFC encapsulation, and it enters the classifier again, then there will be a loop Reclassification Several use cases that can be problematic TCP proxy How to handle when the SF generates traffic, which SFP to use Symmetric classifier Should be more explicitly specified