
Neutron/ServiceChainUseCases

Revision as of 17:12, 11 November 2016 by Igordcard (SFC Encapsulation / SFC Graphs)

Service Chain Use Cases

Security Micro-Segmentation

  • Environment: Datacenter/Enterprise/Private/Public Cloud
  • Problem Statement: Many successful attacks do not begin with a direct attack on the system that holds sensitive information; they start at a weak point in the organization, and the attackers then move laterally through the organization (east-west) to reach the sensitive system(s). To detect and prevent this type of attack it is necessary to apply a zero trust policy throughout the organization. This requires inserting security between most applications to restrict access and detect anomalous behavior.
  • Solution Requirements: Ability to seamlessly insert security virtual network functions into the traffic flow. Because workloads change dynamically, the security VNFs must be able to be inserted and removed in an arbitrary order, together with the applications as they are deployed and removed.
  • Performance Requirements: <=10G
  • VNFs Used: L7-Firewall, L7-IPS, L7-IDS
  • Flow Classification Required: For security it is typical to inspect all traffic, so the classification is simply the host port that is to be protected.
  • Primary Flow Direction: BI-Directional
  • References: 1,3

vCPE [Mini Private Cloud]

  • Environment: Enterprise/Customer Edge
  • User Problem Statement: Service providers are replacing dedicated hardware (routers, wireless gateways, firewalls) with VNFs running on standard x86 hardware. The virtual CPE is a small cloud of VNFs that can be re-configured by the service provider to deliver updated or new services without the need for on-site visits, which are very expensive.
  • Solution Requirements: Ability to service chain a collection of VNFs, automatic updates, automated scaling and deployment of new VNFs
  • Performance Requirements: < 1G
  • VNFs Used: L7-Firewall, L7-IPS, L7-IDS, Router, WAN Optimizer, IPSec Gateway
  • Flow Classification Required: This is a gateway use case, so all traffic should go through the security VNF; however, if there are function-specific VNFs in the vCPE, some additional flow classification could be required.
  • Primary Flow Direction: Bi-Directional
  • References: 10,11

vPE [Large Private Cloud]

  • Environment: Private Cloud/Service Provider Edge
  • User Problem Statement: Service providers are replacing dedicated hardware (routers, wireless gateways, firewalls) with VNFs running on standard x86 hardware. The virtual PE is a large cloud of VNFs that can be re-configured by the service provider to deliver updated or new services from their data centers. The footprint on the customer premises is significantly reduced. The challenge for the service provider is providing scale and flexibility with a high SLA.
  • Solution Requirements: Ability to service chain a collection of VNFs, automatic updates and automated scaling. Large-scale hosting of multi-tenant services.
  • Performance Requirements: <1G per link; aggregate may go to 100G.
  • VNFs Used: L7-Firewall, L7-IPS, L7-IDS, WAN Optimizer, CGNAT, IPSec Gateway, LI
  • Flow Classification Required: Depending on the services offered, there can be a set of chains with minimal classification leading into function-specific VNF chains.
  • Flow Direction: Bi-Directional for ingress/egress.
  • References: 12

VNF as a Service [Public or Private Cloud Service]

  • Environment: Cloud private and public
  • Problem Statement: Cloud providers want to offer specific VNFs as a service. To optimize use of the VNFs, they are clustered together on a set of racks that are provisioned and managed by the cloud provider. They are allocated on demand to customers, and traffic is steered through the VNFs according to customer needs.
  • Solution Requirements: Very flexible traffic steering for multiple tenants, ability to scale VNF or load balance VNFs.
  • Performance Requirements: <=10 G
  • VNFs Used: L7-Firewall, L7-IPS, L7-IDS, Load Balancer, Video Optimizer
  • Flow Classification Required: Depending on the VNF provided there can be a variety of classification. Security services will use very coarse-grained classification, while a video service will be defined by at minimum port-based classification.
  • Primary Flow Direction: Bi-Directional
  • References: 4

Security VNF Gateway

  • Environment: Datacenter/Enterprise/Private and Public Cloud
  • Problem Statement: When a new “cloud” network is created it is necessary to deploy security to protect the network. The security may be a VPN termination and a firewall. As the “cloud” scales, a load balancer needs to be deployed. As the application hosted in the cloud is built out it needs to be secured and scaled. In classic three-tier architectures, having a security device as a gateway between tiers is standard practice. When a tier is deployed, a security VNF must be deployed with the tier to inspect traffic entering and leaving the tier; as the load increases the security service needs to be scaled, typically through a load balancer. The tier segmentation can be either L2 or L3.
  • Solution Requirements: Capable of scaling with system load
  • Performance Requirements: < 1G per link, aggregate >10G
  • VNFs Used: L7 Firewall, L7 IPS, L7 IDS, Load Balancer, VNF
  • Flow Classification Required: Typically coarse grained, inspect all traffic.
  • Primary Flow Direction: Bi-Directional
  • References: 6

Traffic Enhancement Service Chain

  • Environment: Evolved Packet Core/Cloud [Public or Private]
  • Problem Statement: In classic three-tier architectures, having a security device as a gateway between tiers is standard practice. As these workloads are moved to private and public clouds running on virtualized infrastructure, a virtual solution is needed. When a tier is deployed, a security VNF must be deployed with the tier to inspect traffic entering and leaving the tier. The tier segmentation can be either L2 or L3.
  • Solution Requirements: Capable of scaling with system load
  • Performance Requirements: <=10G per link; depending on the deployment, aggregate can reach 100G
  • VNFs Used: L7-IPS, L7-Firewall, Video-Optimizer, CGNAT
  • Flow Classification Required: Could be very varied and flexible.
  • Primary Flow Direction: Uni-Directional
  • References: 2

Potential VNFs

Monitoring VNFs

  • Monitoring
  • L7 IDS
  • Billing and Charging Functions

In-Line VNFs

  • L7 Firewall
  • L7 IPS
  • Load Balancer
  • CGNAT (Carrier Grade NAT)
  • Video Optimizer
  • Deep Packet Inspection
  • LI (Lawful Intercept)
  • IPSEC Gateway
  • WAN Optimizer
  • Session Border Controller
  • Router
  • HTTP Insertion

SFC Encapsulation / SFC Graphs

Use case status: not yet supported.

SFC Encapsulation is an architectural principle of Service Function Chaining, as described in the respective published RFCs so far [5, 13]. The concept decouples the forwarding plane from the service plane and, besides being able to carry metadata, enables truly dynamic service chains by composing them of multiple SFPs (Service Function Paths) that can be selected throughout the chain based on classification criteria (instead of being pre-selected based on classification criteria, somewhat like pre-defining an RSP [Rendered Service Path]). The only approved, but not yet released, SFC Encapsulation protocol is NSH [14].

The networking-sfc team has stated its intent to support NSH, consequently embracing SFC Encapsulation. To fully leverage this concept, however, a few more changes to the project are necessary. The following links contain discussion and information relevant to understanding and achieving this use case (or use case enabler): [15, 16].

If the networking-sfc team welcomes this proposal, a Proof of Concept based on networking-sfc will be developed to show this feature, based on the latest OVS NSH patches: [17].

A few examples of more concrete use cases that can be achieved with SFC Encapsulation and SFC Graphs:

  • Encrypted tunnel termination, where the classification of the encrypted traffic is not yet known but the chain will need to branch depending on that classification once it is known.
  • Video optimization chain with L7 classifications detected by a DPI classifier, where the chain will need to branch depending on whether video traffic is detected (but not by an initial classifier) - IETF SFC Mobility use case presented in [18].

More information regarding these use cases can be obtained by watching the respective presentation at the OpenStack Summit Barcelona: Empower your NFV Services through Service Function Chaining and SFC Graphs.

Assignee: Igor Duarte Cardoso.

References

1. NSX Use cases for Micro Segmentation

2. Intel Paper for GI-LAN

3. Arista Micro-segmentation

4. Arista Security as a Service

5. Problem Statement for Service Function Chaining

6. Service Function Chaining Use Cases for Network Security

7. Service Function Chaining Use Cases In Data Centers

8. Service Chaining using Virtual Networks with BGP VPNs

9. ETSI Network Function Virtualization Use Cases (2013)

10. Why Operators Will Deploy Virtualized CPE

11. Layer 7 Visibility for Virtual CPE

12. BGP/MPLS VPN Virtual PE

13. Service Function Chaining (SFC) Architecture

14. Network Service Header

15. Supporting SFC Encapsulation in networking-sfc

16. Neutron IETF Service Function Chaining API

17. OVS NSH patches

18. Service Function Chaining in Mobile Networks