Internet-Draft | SR based SFC Control Plane | March 2024 |
Yin, et al. | Expires 2 September 2024 | [Page] |
Segment Routing (SR) introduces a versatile methodology for defining end-to-end network paths by encoding sequences of topological sub-paths, known as "segments". This architecture can be deployed over both MPLS and IPv6 data planes, offering a flexible routing solution.¶
Service Function Chaining (SFC) supports the establishment of composite services through an ordered sequence of Service Functions (SFs) that are applied to packets or frames based on initial classification. SFC's implementation can utilize various underlying technologies, including the Network Service Header (NSH) and SR, to facilitate the creation and management of service chains.¶
This document presents a comprehensive control framework for developing SFC architectures using Segment Routing. It explores control plane solutions for the distribution of service function instance routes and service function paths, as well as techniques for directing packets into specific service function chains. The discussion encompasses both theoretical foundations and practical considerations for integrating SR into SFC deployments.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 2 September 2024.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Segment Routing (SR), as defined in [RFC8402], introduces a source routing paradigm that assigns a specific forwarding path for packets at the ingress node via an ordered list of directives, known as segments. SR's implementation varies with the underlying data plane: SR-MPLS [RFC8660] for MPLS and SRv6 [RFC8754] for IPv6.¶
Service Function Chaining (SFC), outlined in [RFC7665], facilitates the assembly of composite services through a sequenced application of Service Functions (SF) on packets or frames, triggered by classification processes.¶
Network Service Header (NSH) [RFC8300] provides a basis for SFC, enabling a "stateful SFC" by necessitating nodes along the Service Function Path (SFP) to maintain specific SFC states, such as mappings between the Service Path Identifier (SPI) and Service Index (SI) for subsequent forwarding actions. [RFC9015] introduces the use of BGP as a control plane mechanism for SFC architectures utilizing NSH and MPLS. It proposes a new BGP address family, the SFC AFI/SAFI, comprising two route types: Service Function Instance Route (SFIR) and Service Function Path Route (SFPR), facilitating the construction of NSH or MPLS-based SFCs with SFIR and SFPR data.¶
Alternatively, SFC can leverage SR for instantiation, where the SR source node explicitly embeds the forwarding path into packets. In SR-based SFC, an SFC is denoted by a SID list from the source SR node, potentially linked with service details (e.g., Deep Packet Inspection, DPI), obviating the need for maintaining per-SFC state along the SFP, hence termed "stateless SFC."¶
To deploy SR-based SFC, this document explores several mechanisms, including the distribution of SFIR and SFPR, as well as packet steering into an SFP. The review aims to establish a comprehensive framework for constructing an SFC system utilizing Segment Routing.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
MPLS: Multiprotocol Label Switching.¶
SID: Segment Identifier.¶
SR: Segment Routing.¶
SR-MPLS: Segment Routing with MPLS data plane.¶
SRH: Segment Routing Header.¶
SFIR: Service Function Instance Route¶
SFPR: Service Function Path Route¶
Further, this document makes use of the terms defined in [RFC7665] and [I-D.ietf-spring-sr-service-programming].¶
As per [RFC7665], the architecture of SFC consists of classifiers, Service Function Forwarders (SFFs), Service Functions (SFs) and SFC Proxies. This is illustrated in Figure 1.¶
+-----+ +-----+ +-----+ | | | SFC | | | | SF1 | |Proxy|---| SF2 | +-----+ +-----+ +-----+ | | +--------------+ | | | Service | SFC +------+ +------+ |Classification| Encapsulation | SFF1 | | SFF2 | --->| Function |+---------------->| |--------| |-------> | | | | | | +--------------+ +------+ +------+ SFC-enabled Domain Figure 1. SFC Architecture¶
In order to construct an SFC, SFIR and SFPR should be distributed to classifiers and SFFs. Also, the rules of steering packets into specific SFPs should be configured at the classifier. [RFC9015].¶
In SR, a source node can explicitly indicate the forwarding path for packets by inserting an ordered list of instructions. These packet steering policies, known as SR policy, can be installed by a central controller via BGP [I-D.ietf-idr-sr-policy-safi] or other mechanisms.¶
When SFC is constructed based on SR, SFPR and packet steering rules can be installed by SR policy at the ingress node, which plays the role of classifier in the SFC architecture. In other words, SFPR does not need to be distributed to all the nodes along the SFP. The architecture of SR based SFC is illustrated in Figure 2.¶
+-----+ +-----+ +-----+ +-----+ | | | | | SR | | | |SR-C | | SF1 | |Proxy|---| SF2 | +-----+ +-----+ +-----+ +-----+ | | | | | | +--------------+ +------+ +------+ | | SFC Encap/SR | SFF1/| | SFF2/| --->|CF/SR ingress |+---------------->| SR |--------| SR |-------> | | | | | | +--------------+ +------+ +------+ SFC-enabled Domain Figure 2. SR based SFC architecture.¶
CF/SR ingress: an SR ingress node plays the role of Classifier in the SFC architecture, and it connects to an SR controller, where the SR policies originate.¶
SR-C: SR Controller (SR-C) is connected to the SR ingress node, and may be attached to any node in the network. SR-C is capable of discovering topology, and calculating constrained paths for SFCs.¶
SFF/SR nodes: the SFF component in SFC architecture, which enables SR to steer packets to SFs.¶
SFn: Service Functions, can be SR-aware or SR-unaware. If an SF is SR-unaware then SR proxy is needed.¶
SR proxy: A proxy between SFF/SR nodes and SR-unaware SF.¶
There are two solutions to encode SFC in the SR data plane. [I-D.ietf-spring-sr-service-programming] defines data plane functionality required to implement service segments and achieve service programming in SR-enabled MPLS and IP networks. It can be termed "Stateless SFC" since no per-SFC state is maintained on the SR nodes along the SFP.¶
The second solution can be termed "Stateful SFC" [RFC9491], since it still maintains per-SFC state on nodes. [RFC9491]describes two modes of operation:¶
NSH-based SFC with SR-based transport tunnel: SR is used as the transport tunnel to route packets between classifier and SFF or SFFs. Service plane routing relies on NSH.¶
SR-based SFC with Integrated NSH Service Plane: The SFP is encoded within the SR segment-list, while the NSH only maintains the service plane context information, which will be used at NSH-aware SFs, and at SFFs as a pointer to cache SR segment-lists.¶
In order to support these data plane encodings, control plane mechanisms are required. The existing control plane mechanisms are shown in Table 1.¶
SR based SFC | SFIR | SFPR | Steering policy |
---|---|---|---|
Stateless | BGP BGP-LS IGP |
BGP PCEP |
BGP PCEP |
NSH-based SFC with SR-based transport tunnel | BGP | BGP PCEP |
BGP |
SR-based SFC with Integrated NSH Service Plane | BGP BGP-LS IGP |
BGP PCEP |
BGP PCEP |
As describe in [I-D.ietf-spring-sr-service-programming], service instances are associated with a segment, called a service SID. These service SIDs are leveraged as part of a SID-list to steer packets through the corresponding services¶
To associate a segment with a service, service information, such as Service Function Type (SFT), should be included in segment distribution. [I-D.dawra-idr-bgp-ls-sr-service-segments] specifies the extensions to BGP-LS for discovery and advertisement of service segments to enable setup of service programming paths using Segment Routing. [I-D.dawra-idr-bgp-ls-sr-service-segments] extends SRv6 Node SID TLV [RFC9514] and SR-MPLS SID/ Label TLV [RFC9085] to associate the Service SID Value with Service-related Information using Service Chaining Sub-TLV. The Service Chaining Sub-TLV contains information of Service SID value, Function Identifier (Static Proxy, Dynamic Proxy, Shared Memory Proxy, Masquerading Proxy, SR Aware Service Etc.), Service Type (DPI, Firewall, Classifier, LB etc.), Traffic Type (IPv4 OR IPv6 OR Ethernet) and Opaque Data (such as brand and version, other extra information). This extension works for both SR- MPLS and SRv6.¶
[RFC9015] proposes a BGP-based SFC control plane solution, and it works for SR-MPLS as well. Service function instance route distribution can use SFIR in SFC AFI/SAFI. SFPR and steering rules for the classifier can be distributed by SR policy, which is defined in [I-D.ietf-idr-sr-policy-safi]. BGP control plane of SRv6-based SFC still needs to be defined.¶
IGP extensions are proposed by [I-D.xu-lsr-isis-service-function-adv] and [I-D.xu-lsr-ospf-service-function-adv]. In IS-IS solution, SFFs within the SFC domain need to advertise each SF they are offering by using a new sub-TLV of the IS-IS Router CAPABILITY TLV [RFC7981]. This new sub-TLV is called Service Function sub-TLV, and it can appear multiple times within a given IS-IS Router CAPABILITY TLV or when more than one SF needs to be advertised. OSPF extensions are similar, and use the OSPF Router Information (RI) Opaque LSA [RFC7770] to carry Service Function sub-TLV.¶
However, due to IGP flooding issues, IGP extensions are not very appropriate, and the drafts have expired for a long time.¶
With SR, the SFPR does not need to be distributed to nodes along the SFP but only to the ingress node. SFPR and steering rules for the classifier can be distributed by SR policy. The BGP extension is defined in [I-D.ietf-idr-sr-policy-safi]. The PCEP extension is defined in [I-D.ietf-pce-segment-routing-policy-cp].¶
In SR, packet steering rules are learned through SR policy. Thus, there is no need to install other rules in the classifier, which is the SR source node.¶
"Stateful SFC" [RFC9491] proposes two modes of SR based SFC:¶
For NSH-based SFC with SR-based transport tunnel, service information is maintained by NSH while SR is only used for transport between SFFs, so [RFC9015] can be used for this mode.¶
To indicate NSH, an SFF label [RFC8596] should be inserted as the last label in the label stack in SR-MPLS. The control plane of SFF is also described in [RFC9015]. For choosing/configuring SR as the transport tunnel, BGP route of SFF's BGP Tunnel Encapsulation Attribute Type should be "SR TE Policy Type" [I-D.ietf-idr-sr-policy-safi]. For SR-based SFC with Integrated NSH Service Plane, there is no control plane solution as yet defined.¶
Same as SFIR distribution, SFPR BGP distribution in NSH-based SFC with SR-based transport tunnel is identical to the mechanism defined in [RFC9015]. PCEP extension for SFPR distribution can reuse the NSH based SFC extension defined in [I-D.wu-pce-traffic-steering-sfc]. For SR-based SFC with Integrated NSH Service Plane, control plane solution is to be added in other documents.¶
For NSH-based SFC with SR-based transport tunnel, it is the same with the NSH based SFC. The Classifier is responsible for determining to which packet flow a packet belongs (usually by inspecting the packet header), imposing an NSH, and initializing the NSH with the SPI of the selected SFP and the SI of its first hop [RFC9015]. For SR-based SFC with Integrated NSH Service Plane, control plane solution is to be added in other document.¶
This document does not require any IANA actions.¶
This document does not introduce additional security requirements and mechanisms.¶
Many thanks for Ruizhao Hu's valuable comments and help.¶