The present disclosure relates to networking for service chains.
Service chains define a set of service functions (e.g., firewalls, Deep Packet Inspection, etc.), and their order (service1→service2) to be applied to selective packets as they are forwarded through a network. The order in which services are applied is predetermined through an orchestration function and that order is mapped into each network node that is involved in the forwarding of packets through a given service chain. The mapping of forwarding state to service chain structure is referred to as a service path.
The service path for a given service chain may be unidirectional or bidirectional dependent upon whether one or more of the service functions in the chain hold state information that needs to be maintained in the forward and reverse packet forwarding paths.
Presented herein are techniques to decouple service chain structure from the underlying network forwarding state and allow for data plane learning of service chain forwarding requirements and any association between services function state requirements and the forward and reverse forwarding paths for a service chain. In a network comprising a plurality of network nodes each configured to apply a service function to traffic that passes through the respective network node, a packet is received at a network node, the packet having a network service header that includes service path identifier information that identifies a service chain comprised of one or more service functions and order of service functions to be applied to a forward path of traffic matching classification criteria, and context information indicating whether a service function applied at a corresponding network node is stateful and thus a reverse path of traffic matching the classification criteria needs to be directed to the network node at which the stateful service function is applied. The network node applies a service function to a packet that is forwarded to it in the forward path, and determines whether the service function that it applies is stateful. When the network node determines that the service function it applies is stateful, it updates the context information in the network service header to indicate that the service function applied at the network node is stateful and that traffic for a reverse path matching the classification criteria is to be returned to the network node.
A service chain is a data structure comprised of an ordered list of service functions to be applied to packets that are forwarded along the chain. The specific instances of traversed service functions form a service path. Each individual service function referenced by the service chain may be deployed at multiple locations and therefore each chain may be executable through one or more independent service paths.
Stateful Internet Protocol (IP) services (firewall, network address translation (NAT), Deep Packet Inspection (DPI), etc.) require that flow state information be maintained and forward/reverse traffic flows be forwarded through the same service functions at the same locations. A service location is also referred to herein as a service node or network node.
In current state of the art systems, service chains are constructed using a centralized controller function and pushed out to each network node before traffic is allowed to flow through the service chain. The information pushed by the controller includes not only the details of the service chain data structures but also the state information necessary for successful packet forwarding. In this sense service chain structure and forwarding state are tightly coupled and controlled by a central orchestrator. A controller needs to have knowledge of the state requirements (stateful vs. not stateful) of every service function in a chain (or it is assumed that all services are stateful) to determine forward and reverse service path forwarding.
Each individual service function is represented using a unique service-id, e.g. FW1 located at service-node1 and service-node2 share a common “service-id”, and each service chain is represented using a unique service-path-id. The correlation/mapping of the service-id's and service-path-id forms the service chain. For example:
Service chains are constructed via a central controller that determines the order of service functions that should be applied for the chain and allocates a globally unique service-path-id for each service chain it creates. To perform this function the controller needs only to keep “service-id” data structure information. However, as traffic passes through a service chain the physical location of the next service function to be applied must be known. This requires a ([service-id]-to-[location]) mapping where “location” is the infrastructure address (Internet Protocol or other address) of the service node hosting the service function. Such mappings may be held by the central controller (increasing the amount of state it must maintain) or may be distributed independently to network nodes thereby relieving the controller from having to hold the location of each individual instance of the service function.
For the purposes of the techniques presented herein, the ([service-id]-to-[location]) mappings are distributed independently, for example, through a routing protocol such as Border Gateway Protocol (BGP), Intermediate System to Intermediate System (IS-IS)/Open Shortest Path First (OSPF) or via a central controller update message.
For each service chain created at the central controller, the controller needs to push the following to the head-end of the service chain:
Each network node will already hold the following information that will allow for successful building of the service chain:
Packet forwarding through a service chain is unidirectional and driven by information contained within network service headers carried in the data plane. The head-end network node acts as a packet classifier into the service chain and determines which traffic flows require redirection through the service chain, imposing the necessary data plane network service headers and transport encapsulation to force the traffic into the service chain.
Each service function is aware of its own service-id and the location of the next service in a chain. Service functions are also aware of their state requirements: stateful (i.e., need to see bi-directional traffic) or non-stateful (unidirectional traffic is sufficient). Stateful and non-stateful are not mutually exclusive. A service function might elect to be stateful for some flows and non-stateful for other flows. Ideally, a controller would also have enough information to determine state requirements of the service functions, however, in practice the service function detail might be largely unknown to the controller. In that case, data plane state learning is required to optimize the service forwarding.
Presented herein are techniques to use a network service header (NSH), that is a service chaining specific header, added to the packets to be directed through a service chain. The NSH provides path information (i.e. service-path), location information (i.e. where the packet is in the service path) and opaque metadata, and is described in more detail hereinafter in connection with
Referring to
Consider the following example service chain definition.
The [service-id] to [service-location] mappings are:
For this example, the controller 10 pushes state/control plane information to the head-end node 20 as shown at reference numerals 100 and 110. Specifically, at 100, the controller 10 sends/pushes Service-path-id[10]: [service-id1, service-id22, service-id44] to the head-end node 20 (classifier1) and at 110, the controller 10 configures the Action: Forward trafficY on to service-path-id[10] on the head-end node 20 (classifier1).
The NSH is imposed at the start of the service path by the head-end node 20 which performs service classification operations. The head-end node 20 performs several functions. First, it receives from the controller 10 service-path-id and service-id information via a control plane as well as policy and classification rules into the service chain. Next, it determines if traffic requires servicing and therefore needs to be forwarded through the service chain. Then, it imposes the network service header: service-path-id, and metadata. The head-end node performs a lookup based on service-path-id and service-id to determine the location for the first service-id to be applied in the service chain, and forwards the data based on the lookup and mapping of service-path-id+service-id→location.
The NSH shown at reference numeral 120 includes a base service header 122, a service path header 124, and a context header 126. The base service header 122 provides information about the service header, including service chain information, and is used by participating nodes to determine correct service path selection and forwarding as well as loop detection. The service path header 124 identifies a service path and participating nodes use this identifier for path selection. The context header 126 is used to provide data plane state information, and in particular to signal per-service function state requirements.
To summarize, the NSH includes a string of bits whose length corresponds to a number of service functions to be performed in the forward path for a service chain and each bit in the string of bits indicates whether a service function at a location in the service chain represented by a corresponding position in the first string of bits is stateful.
Any service node in the service chain, upon receipt of a packet containing a NSH, applies local policy based on its location within the service chain. If the service is stateful, the service also sets an S bit that corresponds to its L bit. Having executed its service function, the service node determines which is the next service node in the service chain through consultation of the ([service-id]-to-[location]) mapping table and then pushes (i.e., updates) the fields of the NSH header.
The last service node in the chain determines it is the exit point for the service chain by receipt of a NSH header indicating that the previous node executed the last service-id. Again, the last service node uses the context header to identify a stateful service (based on the S bit or bits that have been set) and records the flow information for return service path forwarding. To create the reverse chain, the context header created on the forward flow path is copied to a new NSH and service functions (based on service-id) that have S=1 receive the reverse traffic.
A more detailed example of this operation is now described in connection with
Turning now to
Turning now to
As explained above, each network node receives from a central controller and stores information mapping service function identifiers to network nodes. Each network node will determine a next network node in the service chain at which a next service function is to be applied to the packet based on the network service header and the stored information, update the location information in the network service header to indicate an updated location of the packet along the service chain, and forward the packet to the next network node at which the next service function is to be applied to the packet.
Furthermore, each network node in the service chain determines whether it is an exit point for a packet for the service chain based on location information in the network service header indicating that a previous network node executed a last service function for the service chain, identifies a stateful service function, if any, applied in the forward path of the service chain based on the context information in the network service header and records classification criteria for forwarding traffic into the reverse path, and generates information defining a reverse service chain for the reverse path by copying, from the context information of the network service header of the forward path, information indicating which one or more service functions are stateful and to which the reverse path of traffic needs to be directed. Updating the context information is performed when the network node determines that the service function it applies is stateful and involves setting a particular bit of the second string of bits at a position of the second string of bits that corresponds to its location in the service chain.
To restate the techniques presented herein, methods are provided to decouple service chain structure from underlying network forwarding state. This allows for data plane learning of service chain forwarding requirements and association between service function state requirements and the forward/reverse forwarding paths. Advantages of these techniques include enabling dynamic bidirectional service chain construction through data plane metadata, and in-network service chain redundancy and packet forwarding. Service function locality information is pushed into the network, relieving a central controller from having to store all of the service function state. These techniques also facilitate multi-tenancy applicability to service chaining.
The operations of a service function associated with network node 400 are implemented by service function software 450 running on a processor core or server blade 460 that is in communication with a port, e.g., port 410(m), of the network node.
The memory 430 may comprise read only memory (ROM), random access memory (RAM), magnetic disk storage media devices, optical storage media devices, flash memory devices, electrical, optical, or other physical/tangible memory storage devices. In general, the memory 430 may comprise one or more tangible (non-transitory) computer readable storage media (e.g., a memory device) encoded with software comprising computer executable instructions and when the software is executed (by the processor 420) it is operable to perform the operations described herein.
Turning now to
The memory 520 may comprise read only memory (ROM), random access memory (RAM), magnetic disk storage media devices, optical storage media devices, flash memory devices, electrical, optical, or other physical/tangible memory storage devices. In general, the memory 520 may comprise one or more tangible (non-transitory) computer readable storage media (e.g., a memory device) encoded with software comprising computer executable instructions and when the software is executed (by the processor 510) it is operable to perform the operations described herein.
Thus, in apparatus form, an apparatus is provided comprising a network interface unit configured to enable communications over a network including a plurality of network nodes each configured to apply a service function to traffic that passes through the respective network node; memory; and a processor coupled to the network interface unit and the memory, wherein the processor is configured to: receive at a network node a packet that has a network service header including service path identifier information that identifies a service chain comprised of one or more service functions and order of service functions to be applied to a forward path of traffic matching classification criteria, and context information indicating whether a service function applied at a corresponding network node is stateful and thus a reverse path of traffic matching the classification criteria needs to be directed to the network node at which the stateful service function is applied; apply a service function to a packet that is forwarded to it in the forward path; determine whether the service function that it applies is stateful; and when it determined that the service function it applies is stateful, update the context information in the network service header to indicate that the service function applied at the network node is stateful and that traffic for a reverse path matching the classification criteria is to be returned to the network node.
Similarly, one or more computer readable storage media are provided encoded with software comprising computer executable instructions and when the software is executed operable to: in a network comprising a plurality of network nodes each configured to apply a service function to traffic that passes through the respective network node, receive a packet at a network node, the packet having a network service header that includes service path identifier information that identifies a service chain comprised of one or more service functions and order of service functions to be applied to a forward path of traffic matching classification criteria, and context information indicating whether a service function applied at a corresponding network node is stateful and thus a reverse path of traffic matching the classification criteria needs to be directed to the network node at which the stateful service function is applied; apply a service function to a packet that is forwarded to it in the forward path; determine whether the service function that it applies is stateful; and when it determined that the service function it applies is stateful, update the context information in the network service header to indicate that the service function applied at the network node is stateful and that traffic for a reverse path matching the classification criteria is to be returned to the network node.
Described above are examples. The concepts described herein may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The foregoing examples are therefore to be considered in all respects illustrative and not meant to be limiting. Accordingly, it is intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of any claims filed in applications claiming priority hereto interpreted in accordance with the breadth to which they are fairly, legally and equitably entitled.
This application is a continuation of U.S. patent application Ser. No. 13/891,245 filed on May 10, 2013, which issued as U.S. Pat. No. 9,246,799 on Jan. 26, 2016, which are incorporated herein by reference in their entirety.
Number | Name | Date | Kind |
---|---|---|---|
6985488 | Pan | Jan 2006 | B2 |
7480283 | Sylvain | Jan 2009 | B1 |
7558261 | Arregoces et al. | Jul 2009 | B2 |
7571470 | Arregoces et al. | Aug 2009 | B2 |
7610375 | Portolani et al. | Oct 2009 | B2 |
7643468 | Arregoces et al. | Jan 2010 | B1 |
7657940 | Portolani et al. | Feb 2010 | B2 |
7895425 | Khalid | Feb 2011 | B2 |
8150963 | Baek et al. | Apr 2012 | B2 |
8166205 | Farinacci | Apr 2012 | B2 |
8311045 | Quinn et al. | Nov 2012 | B2 |
8369330 | Allan et al. | Feb 2013 | B2 |
8442043 | Sharma et al. | May 2013 | B2 |
8532087 | Kojima et al. | Sep 2013 | B2 |
8645576 | Farinacci | Feb 2014 | B2 |
8948055 | Bragg | Feb 2015 | B2 |
8953590 | Aggarwal | Feb 2015 | B1 |
9240975 | Roberson | Jan 2016 | B2 |
9258243 | Guichard | Feb 2016 | B2 |
9258742 | Pianigiani | Feb 2016 | B1 |
9455901 | Davie | Sep 2016 | B2 |
9485147 | Gu | Nov 2016 | B2 |
9699070 | Davie | Jul 2017 | B2 |
20060092950 | Arregoces et al. | May 2006 | A1 |
20060095960 | Arregoces et al. | May 2006 | A1 |
20070286204 | Ould-Brahim | Dec 2007 | A1 |
20080049621 | McGuire | Feb 2008 | A1 |
20080120394 | Yokoyama et al. | May 2008 | A1 |
20080177896 | Quinn et al. | Jul 2008 | A1 |
20090037713 | Khalid et al. | Feb 2009 | A1 |
20090292824 | Marashi | Nov 2009 | A1 |
20090304010 | Kurebayashi et al. | Dec 2009 | A1 |
20100077063 | Amit et al. | Mar 2010 | A1 |
20100165985 | Sharma et al. | Jul 2010 | A1 |
20110054644 | Baek et al. | Mar 2011 | A1 |
20120324091 | Raleigh et al. | Dec 2012 | A9 |
20130065551 | Raleigh et al. | Mar 2013 | A1 |
20130322444 | Ossipov | Dec 2013 | A1 |
20140050223 | Foo et al. | Feb 2014 | A1 |
20140307744 | Dunbar | Oct 2014 | A1 |
20140334488 | Guichard et al. | Nov 2014 | A1 |
20150281173 | Quinn | Oct 2015 | A1 |
20150326473 | Dunbar | Nov 2015 | A1 |
20160285736 | Gu | Sep 2016 | A1 |
Number | Date | Country |
---|---|---|
101772918 | Jul 2010 | CN |
Entry |
---|
International Search Report and Written Opinion in counterpart International Application No. PCT/US2014/036789, dated Aug. 21, 2014, 14 pages. |
Rosen et al., “BGP/MPLS IP Virtual Private Networks (VPNs),” Network Working Group, RFC 4364, Feb. 2006, pp. 1-47. |
English translation of First Office Action and Search Report in corresponding Chinese Application No. 201480026180.9, dated Jan. 30, 2018, 6 pgs. |
Number | Date | Country | |
---|---|---|---|
20160099867 A1 | Apr 2016 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 13891245 | May 2013 | US |
Child | 14966737 | US |