
Analysis of Tungsten Fabric Architecture: service chain of TF

2025-02-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Hi! This is the fourth article in the Tungsten Fabric architecture analysis series, and it introduces the service chain of Tungsten Fabric in detail.

The series of Tungsten Fabric architecture analysis articles, presented to you by the TF Chinese community, is intended to answer the questions of newcomers to the TF community. We will systematically introduce the features of TF, how it works, how to collect/analyze/deploy, how to orchestrate, how to connect to physical networks, and so on.

A service chain is formed when a network policy specifies that traffic between two networks must flow through one or more network services (such as firewalls, TCP proxies, load balancers, etc.), which are also known as virtual network functions (VNFs).

Network services are implemented in virtual machines (VMs), which are identified as services in Tungsten Fabric and then included in the policy.

Tungsten Fabric supports service chains in OpenStack and VMware vCenter environments.

The following shows a simplified view of implementing a service chain between two VMs (in the actual Tungsten Fabric implementation, a special "service" VRF is included in the routing of the service chain).

When a VM is configured as a service instance (VNF) in the controller and that service instance is applied in a network policy, the controller installs routes in the VRFs where the "Left" and "Right" ports are located to steer traffic through the VNF.

When the encapsulated routes are published back to the controller by the vRouter hosting the VNF, the routes are distributed to the other vRouters that hold the Red and Green VRFs. The end result is a set of routes that causes traffic between the Red and Green networks to pass through the service instance.

When the VNF starts, its interfaces are activated in order and identified by the tags "Left" and "Right".

The VNF must have a configuration that processes packets correctly based on the interface on which they arrive.

There are three types of services (VNFs):

Layer 2 (Transparent): the Ethernet frame is sent to the service with the destination MAC address still set to the MAC address of the original destination. This is most commonly used for deep packet inspection services.

Layer 3 (In Network): the Ethernet frame is sent to the service with its destination MAC set to the MAC of the service's ingress interface; the L2 connection is terminated there, and the egress MAC is used as the source MAC of the frame sent on to the destination, establishing a new connection. This is used for firewalls, load balancers, and TCP proxies.

Layer 3 (NAT): similar to In Network, except that the service changes the source IP address to an address that is routable from the destination (network address translation).

The following describes several service chain scenarios, each of them briefly.

Basic service chain

In the first panel, a simple service chain consisting of the services FW and DPI is created by editing the network policy between the Red and Green networks. These virtual machines were previously started in OpenStack or vCenter and then configured in Tungsten Fabric as service instances with interfaces in the Red and Green networks.

After the policy is saved and applied to both networks, all routes in the vRouters that have Red or Green VMs attached are modified to send traffic over the service chain.

For example, before the policy is modified, each VRF in the Red network has a route to each VM in the Green network whose next hop is the host running that VM, with the label specified by the controller for that host's vRouter.

After the policy is applied, the route is modified so that its next hop is the host of the FW service instance, with the label specified for the FW Left interface. The VRF holding the Right interface of the FW has routes to all Green destinations pointing at the DPI Left interface, and the VRF holding the Right interface of the DPI contains routes for all Green destinations with the next hops and original labels of the hosts on which those VMs run.

The routing of reverse traffic is similarly handled.
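To make the route rewriting above concrete, here is an added Python model (not Tungsten Fabric code) of the entries a controller would install for a Red-to-Green chain of FW followed by DPI, with the reverse direction derived the same way. The hosts, prefixes and labels are constructed sample values, and VRF names such as FW-right are a naming convention of this model, not of Tungsten Fabric.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    """One VRF entry: prefix -> (vRouter host, label of the target interface)."""
    vrf: str
    prefix: str
    next_hop: str
    label: int

@dataclass
class ServiceInstance:
    """A VNF VM with a 'left' and a 'right' interface, each reachable via its own label."""
    name: str
    host: str
    labels: dict  # {"left": int, "right": int}

def chain_routes(src_vrf, dst_vms, chain, ingress="left", egress="right"):
    """Routes needed so that traffic from src_vrf to each VM in dst_vms traverses the
    services in `chain` in order, entering each on its `ingress` interface and leaving
    on its `egress` interface. dst_vms is a list of (prefix, host, label).
    With an empty chain this yields the plain routes present before the policy."""
    # VRF that holds the route at each step: the source VRF, then each service's egress-side VRF
    vrfs = [src_vrf] + [f"{s.name}-{egress}" for s in chain]
    routes = []
    for prefix, host, label in dst_vms:
        # next hop at each step: each service's ingress interface, then the real VM
        hops = [(s.host, s.labels[ingress]) for s in chain] + [(host, label)]
        for vrf, (nh, lbl) in zip(vrfs, hops):
            routes.append(Route(vrf, prefix, nh, lbl))
    return routes

def trace(routes, chain, vrf, prefix):
    """Follow a packet from `vrf` towards `prefix`, returning the hosts it visits."""
    interface_of = {s.labels[side]: (s, side) for s in chain for side in ("left", "right")}
    table = {(r.vrf, r.prefix): r for r in routes}
    path = []
    while True:
        r = table[(vrf, prefix)]
        path.append(r.next_hop)
        if r.label not in interface_of:
            return path  # the label belongs to the destination VM itself
        svc, side = interface_of[r.label]
        # the packet enters on `side` and is looked up again in the opposite-side VRF
        vrf = f"{svc.name}-{'right' if side == 'left' else 'left'}"

# constructed sample topology (hypothetical hosts and labels)
RED_VMS = [("10.1.0.2/32", "host-a", 16)]
GREEN_VMS = [("10.2.0.2/32", "host-b", 17), ("10.2.0.3/32", "host-c", 18)]
FW = ServiceInstance("FW", "host-d", {"left": 20, "right": 21})
DPI = ServiceInstance("DPI", "host-e", {"left": 22, "right": 23})
CHAIN = [FW, DPI]

def before_policy():
    """Routes with no service chain: next hop is the destination VM's own host."""
    return chain_routes("Red", GREEN_VMS, []) + chain_routes("Green", RED_VMS, [])

def after_policy():
    """Forward routes through FW then DPI, reverse routes through DPI then FW."""
    fwd = chain_routes("Red", GREEN_VMS, CHAIN)
    rev = chain_routes("Green", RED_VMS, list(reversed(CHAIN)), ingress="right", egress="left")
    return fwd + rev

if __name__ == "__main__":
    for r in after_policy():
        print(r)
    print(trace(after_policy(), CHAIN, "Red", "10.2.0.2/32"))    # host-d, host-e, host-b
    print(trace(after_policy(), CHAIN, "Green", "10.1.0.2/32"))  # host-e, host-d, host-a
```

Running the script lists the rewritten entries and traces one packet in each direction; the reverse path is the same chain walked with the Left and Right labels swapped, which is exactly what the text means by reverse traffic being handled similarly.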

Scaled-out services

When a single VM cannot handle the traffic the service chain requires, multiple VMs of the same type can be included in the service, as shown in the second panel. When this is done, ECMP is used at the ingress of the service chain at both ends to load-balance traffic among the different service instances.

New service instances can be added to Tungsten Fabric as needed. Traditional ECMP hash implementations typically move most sessions to other paths when the number of targets changes; in Tungsten Fabric this affects only new flows, because traffic on existing paths is forwarded according to the flow table described in the previous article (on the vRouter architecture).

This behaviour is critical for stateful services, which must see every packet of a flow; otherwise the flow is blocked and the user session is interrupted.

The flow table is also populated in the reverse direction, so that the return traffic of a flow passes through the same service instance.
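The following added Python simulation (not vRouter code) contrasts a plain hash-modulo ECMP with a flow table that pins both directions of a flow to the instance chosen for its first packet, and counts how many existing flows each approach moves when a third instance is added. The 5-tuples are constructed at random with a fixed seed; instance names are placeholders.

```python
import hashlib
import random

def stateless_ecmp(flow, instances):
    """Plain ECMP: hash the 5-tuple and take it modulo the number of instances."""
    digest = hashlib.sha256(repr(flow).encode()).digest()
    return instances[int.from_bytes(digest[:4], "big") % len(instances)]

def reverse_flow(flow):
    """Swap source and destination of a (proto, src, sport, dst, dport) tuple."""
    proto, src, sport, dst, dport = flow
    return (proto, dst, dport, src, sport)

class VRouterFlowTable:
    """Flow table at the chain ingress: the first packet of a flow is hashed with ECMP,
    then both directions of that flow are pinned to the chosen instance."""
    def __init__(self, instances):
        self.instances = list(instances)
        self.flows = {}  # 5-tuple -> instance

    def forward(self, flow):
        inst = self.flows.get(flow)
        if inst is None:
            inst = stateless_ecmp(flow, self.instances)
            self.flows[flow] = inst
            self.flows[reverse_flow(flow)] = inst  # return traffic uses the same instance
        return inst

    def add_instance(self, inst):
        """Scale out; existing flow entries are untouched, only new flows hash over all."""
        self.instances.append(inst)

def make_flows(n, seed=1):
    """Constructed sample flows: random clients in 10.1.0.0/24 to one server on port 80."""
    rng = random.Random(seed)
    flows = {("tcp", f"10.1.0.{rng.randrange(2, 250)}", rng.randrange(1024, 65535),
              "10.2.0.10", 80) for _ in range(n)}
    return sorted(flows)

def flows_moved_without_table(flows, old_instances, new_instances):
    """Flows a stateless hash would send elsewhere after the instance set changes."""
    return sum(1 for f in flows
               if stateless_ecmp(f, old_instances) != stateless_ecmp(f, new_instances))

def flows_moved_with_table(flows, table, new_instance):
    """Flows that change instance when one is added to a pinned flow table."""
    before = {f: table.forward(f) for f in flows}
    table.add_instance(new_instance)
    return sum(1 for f in flows if table.forward(f) != before[f])

if __name__ == "__main__":
    flows = make_flows(500)
    print("stateless ECMP moved:",
          flows_moved_without_table(flows, ["FW-1", "FW-2"], ["FW-1", "FW-2", "FW-3"]))
    table = VRouterFlowTable(["FW-1", "FW-2"])
    print("flow table moved:", flows_moved_with_table(flows, table, "FW-3"))
```

With a modulo hash, going from two to three targets remaps roughly two thirds of the existing flows, which is precisely what would break a stateful firewall mid-session; the pinned table moves none of them, and a reverse 5-tuple looked up in the same table lands on the same instance.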

The Internet draft https://datatracker.ietf.org/doc/draft-ietf-bess-service-chaining contains more details about scaling service chains that include stateful services.

Policy-based steering

In some cases, different types of traffic need to be passed through different service chains. This can be implemented in Tungsten Fabric by including multiple sub-policies in the network or security policy. In the example in the figure, traffic on ports 80 and 8080 must pass through the firewall (FW-1) and DPI, while all other traffic passes only through the firewall FW-2, which may have a different configuration from FW-1.

Active-standby service chain

In some cases, traffic should normally pass through a specific service chain, but if a problem is detected in that chain, traffic should be switched to a backup. This may be the case when the alternate service chain is in a less favourable geographical location.

In Tungsten Fabric, the configuration of the active-standby mechanism is completed in two steps.

First, a routing policy is applied at the entry of each service chain, specifying a higher local preference value for the entry of the preferred (active) chain.

Second, a health check is attached to each chain to test whether the service instance is reachable, or whether the destination on the other side of the chain can be reached through it. If the health check fails, the route for the normally active service chain is withdrawn and traffic flows through the standby service chain.
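The two-step mechanism above, as an added Python model that is not Tungsten Fabric code: each chain entry carries the local preference set by the routing policy and a list of health checks; an entry is only advertised while every check passes, and among advertised entries the highest local preference wins. The reachability state and chain names are constructed, and the assumption that the preferred chain is selected again once its checks recover is this model's, not a statement from the article.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class ChainEntry:
    """Entry route of one service chain: the local preference assigned by routing
    policy and the health checks attached to the chain (each returns True if healthy)."""
    name: str
    local_pref: int
    checks: List[Callable[[], bool]]

    def healthy(self) -> bool:
        return all(check() for check in self.checks)

def advertised_entries(entries: List[ChainEntry]) -> List[ChainEntry]:
    """Entries whose route is still advertised, i.e. whose health checks all pass.
    A failed check withdraws the route, so the entry disappears from this list."""
    return [e for e in entries if e.healthy()]

def select_chain(entries: List[ChainEntry]) -> Optional[str]:
    """Route selection: of the advertised entries, the highest local preference wins;
    None means no chain is usable at all."""
    candidates = advertised_entries(entries)
    if not candidates:
        return None
    return max(candidates, key=lambda e: e.local_pref).name

# constructed reachability state standing in for real health-check probes
STATE = {
    "fw-primary": True,        # service instance of the primary chain reachable
    "primary-far-side": True,  # destination on the other side reachable via primary
    "fw-standby": True,
    "standby-far-side": True,
}

def reachable(key: str) -> Callable[[], bool]:
    """Build a health check that consults the constructed STATE table."""
    return lambda: STATE[key]

PRIMARY = ChainEntry("chain-primary", 200, [reachable("fw-primary"), reachable("primary-far-side")])
STANDBY = ChainEntry("chain-standby", 100, [reachable("fw-standby"), reachable("standby-far-side")])

def run_scenario() -> List[Optional[str]]:
    """Chain in use at each step of a failure and recovery sequence."""
    entries = [PRIMARY, STANDBY]
    steps = []
    steps.append(select_chain(entries))        # all healthy: primary wins on local pref
    STATE["primary-far-side"] = False          # end-to-end check through primary fails
    steps.append(select_chain(entries))        # primary route withdrawn: standby carries traffic
    STATE["primary-far-side"] = True           # check recovers
    steps.append(select_chain(entries))        # primary advertised again and preferred
    STATE["fw-primary"] = STATE["fw-standby"] = False
    steps.append(select_chain(entries))        # both withdrawn: no usable chain
    STATE["fw-primary"] = STATE["fw-standby"] = True
    return steps

if __name__ == "__main__":
    print(run_scenario())  # ['chain-primary', 'chain-standby', 'chain-primary', None]
```

The point worth noticing from a defender's side is the last step: if both chains fail their checks there is no route at all, so the health checks should be monitored as signals in their own right rather than relied on only for silent failover.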

More Tungsten Fabric analysis articles

Part 1: main features and use cases of TF

Part 2: how TF works

Part 3: detailed explanation of the vRouter architecture

Follow Wechat: TF Chinese Community
