Service Function Chaining Use Cases draft-liu-service-chaining-use-cases IETF 89 London, March 3, 2014 Will Liu, Hongyu Li, Oliver Huang, Huawei Technologies.

Slides:

Advertisements

Similar presentations

Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview

Advertisements

Deployment Considerations for Dual-stack Lite IETF 80 Prague Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed Boucadair.

Network Based Services in Mobile Networks Context, Typical Use Cases, Problem Area, Requirements IETF 87 Berlin, 29 July 2013 BoF Meeting on Network Service.

Brief Background Service functions are used in almost every network

Use Cases for I2RS I2RS Interim Meeting Nicolai Leymann, Deutsche Telekom AG

Module 5 - Switches CCNA 3 version 3.0 Cabrillo College.

1 © NOKIA NSIS MIPv6 FW/ November 8 th 2004 Mobile IPv6 - NSIS Interaction for Firewall traversal draft-thiruvengadam-nsis-mip6-fw-01 S. Thiruvengadam.

Report of Interconnectivity Testing of Service Function Chaining by Six Companies NTT Alaxala Networks Cisco Systems Hitachi Alcatel-Lucent Japan et al.

Ch.6 - Switches CCNA 3 version 3.0.

Management Information Base for Load Balancer Lianyuan Li, Chen Li China Mobile tina.tsou Huawei draft-li-opsawg-loadbalance-mib nd Taipei.

(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,

A Survey on Interfaces to Network Security

Norman SecureSurf Protect your users when surfing the Internet.

Introducing Kerio Control Unified Threat Management Solution Release date: June 1, 2010 Kerio Technologies, Inc.

1 Content Distribution Networks. 2 Replication Issues Request distribution: how to transparently distribute requests for content among replication servers.

Service Function Chaining in Mobile Networks Status draft-haeffner-sfc-use-case-mobility IETF 89 London, 3 March 2014 Service Function Chaining WG Walter.

Analysis of Existing Work for I2NSF draft-zhang-gap-analysis-00 H.Rafiee Dacheng Zhang Huawei IETF 91 I2NSF BoF.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

Barracuda Load Balancer Server Availability and Scalability.

By : Himanshu Mishra Nimish Agarwal CPSC 624.  A system designed to prevent unauthorized access to or from a private network.  It must have at least.

Chapter 13 – Network Security

Common Devices Used In Computer Networks

CAPWAP related draft-shao-opsawg-capwap-hybridmac-00 draft-chen-opsawg-capwap-extension-00 draft-zhang-opsawg-capwap-eap-00.

ACM 511 Chapter 2. Communication Communicating the Messages The best approach is to divide the data into smaller, more manageable pieces to send over.

SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.

SDN based Network Security Monitoring in Dynamic Cloud Networks Xiuzhen CHEN School of Information Security Engineering Shanghai Jiao Tong University,

Module 4: Configuring ISA Server as a Firewall. Overview Using ISA Server as a Firewall Examining Perimeter Networks and Templates Configuring System.

Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.

Overview of Microsoft ISA Server. Introducing ISA Server New Product—Proxy Server In 1996, Netscape had begun to sell a web proxy product, which optimized.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.

Security Requirements for Software Defined Networks Internet Area WG IETF 85: Atlanta November 4, 2012 Margaret Wasserman

© 2009 Wipro Ltd - Confidential 1 Security Challenges and Opportunities -Indian ISP Scenario.

Vic Liu Liang Xia Zu Qiang Speaker: Vic Liu China Mobile Network as a Service Architecture draft-liu-nvo3-naas-arch-01.

NAT64 Operational Experiences draft-chen-v6ops-nat64-experience-01 IETF 83- Paris, Mar 2012 Gang Chen, China Mobile Zhen Cao, China Mobile Cameron Byrne,

Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.

Guidance for Running Multiple IPv6 Prefixes (draft-liu-v6ops-running-multiple-prefixes-02) Bing Liu, Sheng Jiang (Speaker), Yang Bo IETF91

NETWORKING FUNDAMENTALS. Network+ Guide to Networks, 4e2.

1 Firewall Rules. 2 Firewall Configuration l Firewalls can generally be configured in one of two fundamental ways. –Permit all that is not expressly denied.

SOFTWARE DEFINED NETWORKING/OPENFLOW: A PATH TO PROGRAMMABLE NETWORKS April 23, 2012 © Brocade Communications Systems, Inc.

BBF Liaison on Service Chaining Hongyu Li Co-editor of SD-326 Flexible Service Chaining

Draft-carpenter-v6ops-label-balance-02 Brian Carpenter Sheng Jiang (Speaker) Willy Tarreau March 2012 IPv6 Flow Label for Server Load Balancing - update.

Chapter 11 – Cloud Application Development. Contents Motivation. Connecting clients to instances through firewalls. Cloud Computing: Theory and Practice.

NT1210 Introduction to Networking

I2RS Overlay usecase 1 Fangwei hu Bhumip Khasnabish.

J. Halpern (Ericsson), C. Pignataro (Cisco)

Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.

IETF SFC active drafts PRESENTER: VU ANH VU

IETF 85 Use cases for MAP-T draft-maglione-softwire-map-t-scenarios-01 R. Maglione.

CompTIA Security+ Study Guide (SY0-401)

Connecting MPLS-SPRING Islands over IP Networks

Barracuda Firewall The Next-Generation Firewall for Everyone

User-group-based Security Policy for Service Layer

CONNECTING TO THE INTERNET

Protecting your mobile devices away from virus by a cloud-based approach Wei Wu.

Enterprise vCPE use case requirement

Enterprise vCPE use case requirement

CompTIA Security+ Study Guide (SY0-401)

Module 5 - Switches CCNA 3 version 3.0.

Zhenbin Li, Shunwan Zhuang Huawei Technologies

Service Function Chaining-Enabled

Carlos J. Bernardos, Alain Mourad, Akbar Rahman

Firewalls Jiang Long Spring 2002.

دیواره ی آتش.

Comparing draft-ietf-mpls-sfc and draft-malis-mpls-sfc-encapsulation

draft-guichard-sfc-nsh-sr-02

Implementing Firewalls

Tokyo OpenStack® Summit

Presentation transcript:

Service Function Chaining Use Cases draft-liu-service-chaining-use-cases IETF 89 London, March 3, 2014 Will Liu, Hongyu Li, Oliver Huang, Huawei Technologies Mohamed Boucadair, France Telecom Nicolai Leymann, Deutsche Telekom AG Zhen Cao, China Mobile Jie Hu, China Telecom Chuong Pham, Telstra Corporation 1

Overall Context & Objective The delivery of value-added services relies on the invocation of advanced Service Functions (SFs) in a given order The traffic is forwarded through a set of SFs for specific purposes, such as: – Direct a portion of the traffic to a Network Element for monitoring or charging – Steer the traffic to cross a load balancer before DC servers – Split mobile broadband traffic and steer them along an offloading path – Filter the traffic for Intrusion Detection System /Intrusion Protection System – Parental Control, Malware Protection services, Video Optimization … This draft introduces a set of SFC Use Cases IETF 892

General Observations (1) Instantiated chains are driven by business and engineering needs The amount of instantiated SFCs can vary in time, depending on the service engineering objectives and service engineering choices The amount of instantiated SFCs are policy-driven and are local to each administrative entity The technical characterization of each Service Function is not frozen in time – A Service Function can be upgraded to support new features or disable an existing feature, etc. IETF July 20133

General Observations (2) Some stateful SFs (e.g., NAT or firewall) may need to treat both outgoing and incoming packets – The design of SF Maps must take into account such constraints, otherwise, the service may be disturbed. The set of SFs that need to be invoked for direction is up to the responsibility of each administrative entity operating an SFC-enabled domain For subscription-based traffic steering, subscriber- awareness capability is required Some Service Functions may be in the same subnet; while others may not Service Functions are deployed directly on physical hardware, as one or more Virtual Machines, or any combination thereof IETF July 20134

Rationale of the Document Identify a set of SFC use cases For each use case, provide description with a focus on specific considerations to be considered during the SFC design phase It is not the purpose of this document to be exhaustive..but instead – Draw the set of deployments context that are likely to see SFC solutions deployed IETF July 20135

Typical SFC Use Cases This draft describes a set of scenarios for SFC deployment – Use Case of Service Function Chain in Broadband Network – Use Case of Service Function Chain in Mobile Networks: The Gi/SGi Interface – Use Case for Distributed Service Function – Use Case of Service Function Chain in Data Center – Use Cases of Service Function Chaining Technical Scenario This draft also describes SFC use cases from technical view – Use Case for Service Function Chain with NAT Function – Use Case for Multiple Underlay Networks – Use Case of Service Path Forking – Use Case of Multiple Service Paths Share one Service Function – Use Case of Service Layer Traffic Optimization IETF 896

Typical SFC Use Case: Broadband Network In broadband networks, an operator may deploy value-added service nodes on POP (Point of Presence) site. The figure illustrates a possible deployment position for Service Function Chaining: between BNG and CR (Core Router). The Service Function Chain may include several Service Functions to perform services such as DPI, NAT44, DS-Lite, NPTv6, Parental control, Firewall, load balancer, Cache, etc. IETF 897

Typical SFC Use Case: Mobile Networks The traffic from GGSN/PGW to Internet can be categorized and directed into the following SFCs by DPI: – Chain 1: WAP GW. DPI performs traffic classification function, recognizes WAP protocol traffic, and directs these traffic to the WAP GW through Service Function Chain 1. – Chain 2: Optimizer + cache + Firewall + NAT. DPI recognizes and directs the HTTP traffic to the Optimizer, Cache, Firewall and NAT in order, to perform HTTP video optimization, HTTP content cache, firewall and NAT function, respectively. – Chain 3: Firewall +NAT. For other traffic to the Internet, DPI directs these traffic by Service Function Chain 3, the traffic would travel the firewall and NAT in order. IETF 898

Next Step The draft has benefited from a large review – Many thanks to the reviewers We have addressed comments from the reviewers – Several iterations of the draft so far We do think the document is ready for WG adoption – Positive feedback from the mailing list to adopt this draft as starting point: – Adopt as a WG item? Any question? IETF 899

SFC Deployment Use Case: Data Center The figure illustrates a possible scenario for Service Function Chain in Data Center: SFs are located between the DC Router (access router) and the Servers. From Servers to Internet, there are multiple Service Functions such as IDS/IPS, FW, NAT lined up and a monolithic SFC created for all incoming traffic. IETF 8910

SFC Traffic Steering Use Case: In an operator's network, some Service Functions are implemented, where traffic is steered through these Service Functions in a certain sequence according to service characteristics and objectives. Traffic enters a SFC-enabled domain in a service classifier, which identifies traffic and classifies it into service flows. Service flows are forwarded on a per SF Map basis. IETF 8911

SFC Traffic Steering Use Case: When a DPI function is part of a Service Function Chain, packets processed by the DPI function may be directed to different paths according to result of DPI processing, often leading to a forking service path. In the figure, traffic first goes through a firewall and then arrives at DPI function which discerns virus risk. If a certain pre-configured pattern is matched, the traffic is directed to an anti-virus function. IETF 8912

SFC Traffic Steering Use Case: Some carrier grade hardware box or Service Functions running on high performance servers can be shared to support multiple Service Function Chains. In the figure, there are three Service Functions, firewall, VideoOpt and Parental Control, and two Service Functions Chains SFC1 and SFC2. – SFC1 serves broadband user group1 which subscribes to secure web surfing and Internet video optimization – SFC2 serves broadband user group2 which subscribes to secure web surfing with parental control. SF Firewall is shared by both Service Function Chains IETF 8913