SERVICE FUNCTION CHAINING BASED ON MAC ADDRESSES

Description

BACKGROUND

A computing device may transmit packets via a network. The network packet may comprise source and destination machine access control (MAC) addresses.

BRIEF DESCRIPTION OF THE DRAWINGS

Certain examples are described in the following detailed description and in reference to the drawings, in which:

FIG. 1 is a conceptual diagram of an example computing device that may perform service function chaining;

FIG. 2 is another conceptual diagram of an example computing system that may perform service function chaining;

FIG. 3 is a flowchart of an example method for performing service function chaining;

FIG. 4 is a flowchart an example method for performing service function chaining; and

FIG. 5 is a block diagram of an example for performing service function chaining.

FIG. 6 is a block diagram of an example for performing service function chaining.

DETAILED DESCRIPTION

Service function chaining (SFC) is an increasingly popular method of providing network services. Service function chaining routes packets through multiple service functions. As an example, a service function chain may comprise a firewall service and an intrusion protection service (IPS). In this example, a packet that is part of the service function chain may be routed first to the firewall and then to the IPS.

One way of enabling service function chaining is using MAC (media access control) chaining. In MAC address chaining, a MAC-chaining compatible network device (e.g. a switch, router, or network appliance) determines that a packet is part of a service function chain. The network device then modifies the source and destination MAC addresses of the packet such that the packet is transmitted to a particular service function, the destination address of which is specified by the modified destination address. After a service function is performed on the packet, a switch or router modifies the destination MAC address of the packet such that the packet is transmitted to a subsequent function in the service function chain. MAC chaining-compatible network devices repeatedly modify the MAC addresses of the packet until the packet has traversed each service function of the chain. The packet is then transmitted to a source network device that originated the packet.

For campus environments (i.e. network environments in which heterogeneous network devices are present, a level 3 (L3) gateway may be restore the destination MAC address of the packet once the packet has traversed each service of the chain. Requiring an L3 gateway is unsuitable for such campus environments. Additionally, MAC chaining may utilize significant memory overhead from network switching/routing devices.

The techniques of this disclosure enable MAC chaining while also preserving the destination MAC address. The techniques of this disclosure store SFC information in a portion of the source MAC address. Additionally, a compatible network device that implements the techniques of this disclosure stores a tunnel ID (identifier), an SFC ID, an index of a next service function to which the packet pill be transmitted, and an action for the packet, in the source MAC address of the packet.

FIG. 1 is a conceptual diagram of an example computing system that may perform service function chaining. Computing system 100 is illustrated in FIG. 1. Computing system 100 comprises a device 102, which may comprise a switch, router, bridge router (BRouter), software defined network device, networking appliance, or the like. Device 102 comprises a processor 104 and a non-transitory medium containing instructions stored thereon that, when executed, cause the processor to perform certain functionality.

Processor 104 may comprise a central processing unit (CPU), graphics processing unit (GPU), application specific integrated circuit (ASIC), digital signal processor (DSP), field programmable gate array (FPGA) or the like. Processor 104 may comprise any combination of the aforementioned. Processor 104 may also comprise one or more virtual devices, such as virtual processors of one or more virtual machines. Medium 106 may comprise software, firmware, non-volatile memory, or the like. Medium 106 may also be any combination of the aforementioned types of media. Processor 104 executes the instructions on medium 106.

Processor 104 receives a packet 108 e.g. via a network interface of device 102. In some examples, the network interface may comprise one or more virtual network interfaces. Packet 108 comprises source MAC address 110. Source MAC address 110 may comprise a MAC address in accordance with the Institute of Electrical and Electronics Engineers (IEEE) 802 format. In various examples, source MAC address 110 may be a 48 bit field of packet 108.

In the example of FIG. 1, source MAC address 110 may comprise an action value 112, an SFC identifier (ID) 114, service function index (“SF Index”) 116, and a tunnel identifier 118. Action value 112 may indicate an action for packet 108. As examples, action value 112 may indicate that packet 108 should stop being processed by the service function chain. In some examples, action value 112 may indicate a block flow, block device, a rate limit, or another action that should be performed on packet 108.

SFC ID 114 identifies a particular service function chain that is associated with packet 108. An SFC comprises one or more service functions that network device(s) apply to packet 108. As an example, a service function chain may comprise a firewall service function followed by an intrusion prevention system service function.

SF index 116 corresponds to an index of a particular service function of the service function chain indicated by the value of SFC ID 116. For example, SF index 116 may indicate that a particular service that is to be performed, or has been performed on packet 108.

Tunnel ID 114 indicates a particular tunnel that is associated with packet 108. The tunnel ID indicates a particular tunnel through which packet 108 entered the SFC. Responsive to packet 108 completing the associated SFC, a device, such as device 102 may use tunnel ID 114 to determine a source network device. Device 102 may transmit packet 108 to the determined source network device. In various examples, Action Value 112, Tunnel ID 114, SFC ID 116, and SF index 118 may comprise fields of bits of source MAC address 110. The sizes of the bit fields of Action Value 112, Tunnel ID 114, SFC ID 116, and SF index 118 may be variable to accommodate different SFC configurations.

Device 102 stores Action Value 112, Tunnel ID 114, SFC ID 116, and SF index 118 in source. MAC address 110 to perform service function chaining. By storing the aforementioned fields in source MAC address 110, device 102 may be able to determine the service function chain associated with packet 108, the current service function in the service function chain, and an action (if any) to perform on packet 108. Responsive to traversing the service functions of the service function chain, device 102 may also be able to determine and transmit packet 108 to a source network device associated with packet 108.

By storing SFC data in the source MAC address as described herein, the techniques of this disclosure allow enable compatibility with campus environments, L3 gateway traversal, and transparency with legacy appliance middleboxes, which do not support MAC address chaining. Additionally, the variable numbers of bits that may be assigned to the various SFC-related fields in the source MAC address allow the SFC techniques of this disclosure to scale to hundreds or thousands of Service Chains on a single SFF, and to support hundreds of service functions per chain. Additionally, the action field supports out of band signaling from service functions, such as block flow and/or device signaling.

Thus, in accordance with examples of this disclosure, device 102 comprises a medium 106 storing instructions thereon. The instructions, when executed, cause processor 106 to: receive packet 108 comprising source MAC address 110, determine based on a first field of bits of source MAC address 110, a service function chain identifier 116 corresponding to a service function chain for packet 108.

The instructions further cause processor 106 to: determine, based on a second field of bits of source MAC address 110, a service function index (e.g. service function index 118) corresponding to a service function for the packet, determine, based on a third field of bits of the source MAC address, a tunnel identifier (e.g. tunnel identifier 114) corresponding to a tunnel for the packet, and determine, based on a fourth field of bits of the source MAC address, an action value (e.g. action value 112) for packet 108.

FIG. 2 is another conceptual diagram of an example computing system that may perform service function chaining. FIG. 2 illustrates a computing system 200. Computing system 200 comprises a device 102, and packet 108 as in FIG. 1. Additionally, computing system 200 comprises service function controller 202, rules 204, service function chain 210, service functions 212, and source device 214.

Service function controller 202 may comprise a software-defined networking (SDN) controller in various examples. Service function controller 202 may define service function chains and corresponding identifiers, service functions of service function chains, and tunnel identifiers of service function chains. Service function controller 202 may also define possible action values within a service function chain. In various examples, service function controller 202 may support various communication protocols, such as OpenFlow. Service function controller 202 may generate rules 204. Based on rules 204, device 102 may determine action value 112, service function chain ID 114, service function index 116, and tunnel ID 118.

In the example of FIG. 2, device 102 transmits packet 108 through SFC 210 comprising service functions 212. As described above, an example SFC may comprise a firewall service function and an IPS service functions. Each of service functions 212 may comprise a different service that one or more network devices may perform. For example, a network device or network devices may perform the firewall service function. The same or different network device or devices may perform the IPS service function.

In various examples, device 102 may transmit packet 108 to one of service functions 212 based on SF index 116. In various examples, device 102 may modify fields of source MAC address 110 responsive to packet 108 completing one of service functions 212 of SFC 210. As an example, device 102 may modify the value of SF index 116 to indicate that packet 108 is to perform a subsequent one of service functions 212. In some examples, device 102 may increment the value of SF index 116 responsive to packet 106 completing one of service functions 212. Responsive to modifying the value of SF index 116, device 102 may transmit packet 108.

Responsive to packet 108 traversing service functions 212 of SFC 210, device 102 may receive packet 108, and perform additional operations on packet 108. In some examples, device 102 may transmit packet 108 to a source network device indicated by tunnel ID 118, e.g. source device 206. Source device 206 may comprise a switch, router, or any other network device as described herein, which originated packet 108.

In various examples, device 102 may also store a client ID 214 in packet 108. Client ID 214 may identify a device that originally sent packet 218. Responsive to receiving packet 108, device 102 may store source MAC address 110, e.g. in a lockup table based on client ID 214 that device 102 associates with each stored MAC address. In this manner, when packet 108 completes traversal of services of a service function chain (e.g., service functions 212 of SFC 210), device 102 may restore the original source MAC address based on the association between client ID 214 stored in packet 108 and the corresponding source MAC address.

FIG. 3 is a flowchart of an example method for performing service function chaining. FIG. 3 comprises method 300. Method 300 may be described below as being executed or performed by a system, for example, computing system 100 (FIG. 1), or computing system 200 (FIG. 2). In various examples, method 300 may be performed by hardware, software, firmware, or any combination thereof. Other suitable systems and/or computing devices may be used as well. Method 308 may be implemented in the form of executable instructions stored on at least one machine-readable storage medium of the system and executed by at least one processor of the system. In various examples, the machine-readable storage medium is non-transitory. Alternatively or in addition, method 300 may be implemented in the form of electronic circuitry (e.g., hardware). In alternate examples of the present disclosure, one or more blocks of method 300 may be executed substantially concurrently or in a different order than shown in FIG. 3. In alternate examples of the present disclosure, method 300 may include more or fewer blocks than are shown in FIG. 3. In some examples, one or more of the blocks of method 300 may, at certain times, be ongoing and/or may repeat.

Method 300 may start at block 302 at which point a computing device, such as device 102 may receive a packet, e.g. packet 108. At block 304, device 102 may store, in a source MAC address of the packet (e.g. source MAC address 110), a value indicating a tunnel identifier of the packet, e.g. tunnel ID 114. In some examples, the tunnel identifier may indicate source device associated with the packet, e.g. source device 206.

At block 306, device 102 may store, in the source MAC address, a value indicating a service function chain of the packet, e.g. SFC ID 116, which may indicate that packet 108 is associated with SFC 210. At block 308, device 102 may store in the source MAC address, an index value (e.g. SF IDX 118) indicating a service function of the service function chain of the packet. SF IDX 118 may indicate one of service functions 212 in various examples. At block 310, device 102 may transmit the packet, i.e. packet 108.

FIG. 4 is a flowchart of an example method for performing service function chaining. FIG. 4 comprises method 400. Method 400 may begin at block 402. At block 402, a computing device, device 102, may receive a packet, e.g. packet 108. At block 404, device 102 may store, in a source MAC address of the packet (e.g. source MAC address 110), a value indicating a tunnel identifier of the packet, e.g. tunnel ID 114. In some examples, the tunnel identifier may indicate a source device associated with the packet, e.g. source device 206.

At block 406, device 102 may store, in the source MAC address, a value indicating a service function chain of the packet, e.g. SFC ID 116, which may indicate that packet 108 is associated with SFC 210 (illustrated in FIG. 2). At block 408, device 102 may store in the source MAC address, an index value (e.g. SF IDX 118) indicating a service function of the service function chain of the packet. SF IDX 118 may indicate one of service functions 212 in various examples. In some examples, storing the index value indicating the service function may comprise incrementing the value indicating the service function. In various examples, the value indicating the service function chain and the index value indicating the service function may be based on rules received from a service function controller (SFC).

At block 410, device 102 may store, in the source MAC address, a value (e.g. action value 112) indicating an action for the packet. In various examples, the value indicating the tunnel identifier may comprise a first field of bits of the source MAC address, the value indicating source function chain comprises a second field of bits of the source MAC address, the index value indicating the service function may comprise a third set of bits, and the value indicating the action for the packet may comprise a fourth set of bits.

At block 412, device 102 may transmit the packet, i.e. packet 108. In some examples packet 108 may traverse service functions 212 of SFC 210. At block 414, responsive to responsive to the packet completing the service function chain, device 102 may transmit the packet (e.g. packet 108) to the source network device indicated by the tunnel identifier, e.g. source device 206.

FIG. 5 is a block diagram of an example for performing service function chaining. In the example of FIG. 5, system 500 includes a processor 510 and a machine-readable storage medium 520. Although the following descriptions refer to a single processor and a single machine-readable storage medium, the descriptions may also apply to a system with multiple processors and multiple machine-readable storage mediums. In such examples, the instructions may be distributed (e.g., stored) across multiple machine-readable storage mediums and the instructions may be distributed (e.g., executed by) across multiple processors.

Processor 510 may be one or more central processing units (CPUs), microprocessors, and/or other hardware devices suitable for retrieval and execution of instructions stored in machine-readable storage medium 520. In the particular example shown in FIG. 5, processor 510 may fetch, decode, and execute instructions 522, 524, 525, 528, 530 to perform service function chaining.

As an alternative or in addition to retrieving and executing instructions, processor 510 may include one or more electronic circuits comprising a number of electronic components for performing the functionality of one or more of the instructions in machine-readable storage medium 520. With respect to the executable instruction representations (e.g., boxes) described and shown herein, it should be understood that part or all of the executable instructions and/or electronic circuits included within one box may, in alternate examples, be included in a different box shown in the figures or in a different box not shown.

Machine-readable storage medium 520 may be any electronic, magnetic, optical, or other physical storage device that stores executable instructions. Thus, machine-readable storage medium 520 may be, for example, Random Access Memory (RAM), an Electrically-Erasable Programmable Read-Only Memory (EEPROM), non-volatile memory, a storage drive, an optical disc, and the like. Machine-readable storage medium 520 may be disposed within system 500, as shown in FIG. 5. Machine-readable medium 520 is non-transitory in venous examples. In this situation, the executable instructions may be “installed” on the system 500. Alternatively, machine-readable storage medium 520 may be a portable, external or remote storage medium, for example, that allows system 500 to download the instructions from the portable/external/remote storage medium.

Referring to FIG. 5, packet receiving instructions 522, when executed by a processor, e.g. processor 510, may cause processor 510 to receive a packet. Service function chain storage instructions 524, when executed, may cause processor 510 to store, in a first bit field of the source MAC address, a service function chain identifier corresponding to the service function chain of the packet.

Service function index storage instructions 526, when executed, may cause processor 510 to store, in a second bit field of the source MAC address, a service function index that corresponds to a service function of the service function chain. Tunnel identifier storage instructions 528, when executed, may cause processor 510 to store, in a third bit field of the source MAC address, a tunnel identifier, wherein the tunnel identifier corresponds to a source network device associated with the packet. Action value storage instructions 530, when executed, may cause processor 510 to store, in a fourth bit field of the source MAC address, an action value (e.g. action value 112), wherein the action value indicates an action for the packet.

FIG. 6 is a block diagram of an example for performing service function chaining. In the example of FIG. 6, system 600 includes a processor 610 and a machine-readable storage medium 620. Although the following descriptions refer to a single processor and a single machine-readable storage medium, the descriptions may also apply to a system with multiple processors and multiple machine-readable storage mediums. In such examples, the instructions may be distributed (e.g., stored) across multiple machine-readable storage mediums and the instructions may be distributed (e.g., executed by) across multiple processors.

Processor 610 may be one or more central processing units (CPUs), microprocessors, and/or other hardware devices suitable for retrieval and execution of instructions stored in machine-readable storage medium 620. In the particular example shown in FIG. 6, processor 610 may fetch, decode, and execute instructions 622, 624, 626, 628, 630, 632, 634 to perform service function chaining.

As an alternative or in addition to retrieving and executing instructions, processor 610 may include one or more electronic circuits comprising a number of electronic components for performing the functionality of one or more of the instructions in machine-readable storage medium 620. With respect to the executable instruction representations (e.g., boxes) described and shown herein, it should be understood that part or all of the executable instructions and/or electronic circuits included within one box may, in alternate examples, be included in a different box shown in the figures or in a different box not shown.

Machine-readable storage medium 620 may be any electronic, magnetic, optical, or other physical storage device that stores executable instructions. Thus, machine-readable storage medium 620 may be, for example, Random Access Memory (RAM), an Electrically-Erasable Programmable Read-Only Memory (EEPROM), non-volatile memory, a storage drive, an optical disc, and the like. Machine-readable storage medium 620 may be disposed within system 600, as shown in FIG. 6. Machine-readable medium 620 is non-transitory in various examples. In this situation, the executable instructions may be “installed” on the system 600. Alternatively, machine-readable storage medium 620 may be a portable, external or remote storage medium, for example, that allows system 600 to download the instructions from the portable/external/remote storage medium.

Referring to FIG. 6, packet receiving instructions 622, when executed by a processor, e.g. processor 610, may cause processor 610 to receive a packet. Rule receiving instructions 624, when executed, may cause processor 610 to receive rules for determining a tunnel identifier, a service function chain, a service function, and an action of the packet (e.g. packet 108 of FIG. 1). Value determination instructions 626, when executed, may cause processor 610 to determine the action value, the service function chain identifier, the service function index, and the tunnel identifier based on the received rules.

Service function chain storage instructions 628, when executed, may cause processor 610 to store, in a first bit field of the source MAC address, a service function chain identifier corresponding to the service function chain of the packet. Service function index storage instructions 630, when executed, may cause processor 610 to store, in a second bit field of the source MAC address, a service function index that corresponds to a service function of the service function chain. Tunnel identifier storage instructions 632, when executed, may cause processor 610 to store, in a third bit field of the source MAC address, a tunnel identifier, wherein the tunnel identifier corresponds to a source network device associated with the packet. Action value storage instructions 634, when executed, may cause processor 610 to store, in a fourth bit field of the source MAC address, an action value (e.g. action value 112), wherein the action value indicates an action for the packet.

Claims

1. A method comprising: receiving a packet;storing, in a source machine access control (MAC) address of the packet, a value indicating a tunnel identifier of the packet, wherein the tunnel identifier indicates a source device associated with the packet;storing, in the source MAC address, a value indicating a service function chain of the packet;storing, in the source MAC address, an index value indicating a service function of the service function chain of the packet; andtransmitting the packet.
2. The method of claim 1, further comprising: storing, in the source MAC address, a value indicating an action for the packet.
3. The method of claim 2, wherein the value indicating the tunnel identifier comprises a first field of bits of the source MAC address,wherein the value indicating source function chain comprises a second field of bits of the source MAC address,wherein the index value indicating the service function comprises a third set of bits, andwherein the value indicating the action for the packet comprises a fourth set of bits.
4. The method of claim 1, wherein the value indicating the service function chain and the index value indicating the service function are based on rules received from a service function controller (SFC).
5. The method of claim 1, further comprising: responsive to the packet completing the service function chain, transmitting the packet to the source network device indicated by the tunnel identifier.
6. The method of claim 1, wherein storing the index value indicating the service function comprises incrementing the value indicating the service function.
7. A device comprising: a processor; anda non-transitory medium storing instructions thereon that, when executed, cause the processor to:receive a packet, wherein the packet comprises a machine access control (MAC) source address;determine, based on a first field of bits of the source MAC address, a service function chain identifier corresponding to a service function chain for the packet;determine, based o a second field of bits of the source MAC address, a service function index corresponding to a service function for the packet;determine, based on a third field of bits of the source MAC address, a tunnel identifier corresponding to a tunnel for the packet; anddetermine, based on a fourth field of bits of the source MAC address, an action value for the packet.
8. The device of claim 7, wherein the medium comprises instructions that, when executed, cause the processor to: transmit the packet to the corresponding service function.
9. The device of claim 8, wherein the medium comprises instructions that, when executed, cause the processor to: receive the packet from the service function;modify the service function index of the second bit field to indicate a subsequent service function of the service function chain; andtransmit the packet to the subsequent service function.
10. The device of claim 7, wherein the medium comprises instructions that, when executed, cause the processor to: responsive to performing all functions of the service function chain, receive a packet from a function of the service function chain; andtransmit the packet to a source address based on the tunnel identifier.
11. The device of claim 7, wherein a size of the first field, a size of the second field, a size of the third field of bits, and a size of the fourth field of bits are variable.
12. The device of claim 7, wherein the medium further comprises instructions that, when executed, cause the processor to: receive rules from a service function controller; anddetermine the service function chain, the service function index, the tunnel identifier, and the action value based on rules received from the service function controller.
13. The medium of claim 7, wherein the medium further comprises instructions that, when executed, cause the processor to: store, in the source MAC address, a client identifier based on an original value of the source MAC address; andresponsive to the packet completing the service function chain, restore the original value of the source MAC address based on the client identifier.
14. A non-transitory machine-readable storage medium encoded with instructions, the instructions that, when executed, cause a processor to: receive a packet;store, in a first bit field of the source MAC address, a service function chain identifier corresponding to the service function chain of the packet;store, in a second bit field of the source MAC address, a service function index that corresponds to a service function of the service function chain;store, in a third bit field of the source MAC address, a tunnel identifier, wherein the tunnel identifier corresponds to a source network device associated with the packet; andstore, in a fourth bit field of the source MAC address, an action value, wherein the action value indicates an action for the packet.
15. The non-transitory machine-readable storage medium of claim 14, wherein the processor to: receive rules for determining the tunnel identifier, the service function chain, the service function, and the action; anddetermine the action value, the service function chain identifier, the service function index, and the tunnel identifier based on the received rules.

PCT Information

Filing Document	Filing Date	Country	Kind
PCT/US2016/027047	4/12/2016	WO	00

SERVICE FUNCTION CHAINING BASED ON MAC ADDRESSES

Information

Publication Number

Date Filed

Date Published

Inventors

Original Assignees

CPC

International Classifications

Abstract

Description

Claims

PCT Information