Shulou(Shulou.com)05/31 Report--

This article mainly introduces the example analysis of OpenStack SFC, has a certain reference value, interested friends can refer to, I hope you can learn a lot after reading this article, the following let the editor take you to understand it.

Introduction to SFC

Traditional networks are all physical devices, and network advanced services are strongly related to network topology, and special processing methods such as complex routing policies or ARP fraud must be configured to guide traffic through these advanced service functional units. All special processing requests are aimed at the layer 2 and layer 3 headers of the message, and there is another problem that is difficult to scale horizontally.

After computing virtualization, the requirements of network virtualization are also put forward. Virtual network cards, virtual machine switches, virtual routers, overlay network topology customization, virtual machines drift everywhere, the traditional network to add network advanced services has been unable to cope with this complex and changeable situation.

SFC full name Service Function Chain,RFC 7665 Service Function Chaining (SFC) Architecture gives a detailed introduction to the system of SFC. End to end traffic should pass through network function units such as FW,NAT,IDS in an orderly manner. The definition and management of these network functions, and how to guide traffic through these network function units in an orderly manner is SFC. Why we need SFC now is because in the past, network functional units such as FW,NAT,IDS are physical devices, and its deployment location is strongly related to the network topology. All traffic shares these devices, and the sequence of traffic passing through these devices is fixed, so the summary is not flexible enough. SFC can customize network functional units and customize traffic paths, which provides a good support for the SDN network.

SFC first identifies the traffic to pass through this chain by classifier, and then continuously passes through the service function on this chain, from classifier to the first service function and from the next service function to the next service function, the message needs to be encapsulated. At present, the main push is RFC 8300 Network Service Header (NSH). The encapsulation header generally contains the position on chain id and chain, that is, which chain is the message, and now it has taken several steps on chain. In this way, you can rely on this header to ensure that the message goes to the correct chain, and one by one on the chain to go service function, will not repeat the service function, will not skip some service function. The NSH header can contain more fields to carry data so that information can be shared between service function.

From the previous service function to the next service function is forwarded by sf forwarder, and service function is divided into service function aware and service function unaware,service function aware, which can correctly parse the NSH header carried by the message. On the contrary, service function unaware cannot recognize headers such as NSH, and proxy needs to remove the header such as NSH and send it to service function.

two

Network-sfc

Networking-sfc is a project to achieve sfc function in openstack, and port in openstack neutron is a very important concept, so networking-sfc connects port together to form a chain, that is, service function chain. In opnestack, it is called port chain,RFC and does not say how to transmit messages between SFF and SF. Port chain clearly points out that port is used and is divided into ingress port and egress port. Networking-sfc implements neutron extension, provides api,service plugin for real work, and plugin contains a variety of driver, among which ovs driver,ovs driver communicates with sfc extension in opensvswitch agent on computing nodes through rpc.

There are several important concepts in networking-sfc:

Port pair

Port pair is a pair of ports on a service function node, one port is ingress in service function, the other is egress out service function,ingress and egress can be the same port, this port can be in and out, and whether proxy is required is specified by the parameter service-function-parameters correlation=xxxx, which is the parameter when creating port pair.

Port pair group

Port pair group contains one or more port pair, mainly for traffic load balancing. If there are two firewall service function in a firewall, traffic can go to any firewall. Port pair group is used to guide traffic load balancing on these two firewall. Specify parameters when creating a port pair group, such as-- load.

Port chain

Port chain assigns some port pair group in order, and then adds a classifier to identify the first service function on the traffic to form a port chain. How to install the traffic is specified by the parameter-chain-parameters correlation=,symmetric=].

Service graph

Service graph combines several chain together to form a complex traffic multipath, the traffic passes through a chain and then bifurcates, and the two branches go through different chain. Theoretically, this graph can not form a loop.

three

Networking-sfc mode

Chain

There is only one path for traffic, and there is an ingress port and an egress port,ingress and egress port that can be the same port from the src through the service function node to the dst,service function.

Tap

This mode is suitable for modes where traffic can only enter and exit, such as IDS, where a copy of the traffic is copied to the IDS and continues to flow to the next node.

LB

The traffic is load balanced between the two service function nodes, which is realized by openflow's group table and hash according to the message information (eth_src,eth_dst,ip_src,ip_dst,tcp_src,tcp_dst,udp_src,udp_dst).

Service graph

This mode consists of several chain, one of which is split into several, and the bifurcation point is controlled by the re-classifier. This mode is suitable for messages that will be modified by service function. For example, service function is a NAT function. After the IP of the message is modified, the original classifier may not match, so a new port chain is created and a new classifier is associated.

four

Application

This is an example of a networking-sfc service graph that is divided into four port chain, each of which is a separate chain,service graph that forks and merges. Traffic comes out of src to sf1, forks to sf2 and sf3,sf4, merges traffic from sf2 and sf3, and finally sends it to dst. The ovs driver,src,sf1,sf2,sf3,sf4,dst using networking-sfc is a virtual machine, distributed in two different physics, and the physical machines communicate with each other by vxlan tunnel. Traffic forwarding is blocked due to the bug of NSH implemented by ovs. Here, MPLS is used for SFC encapsulation.

The biggest feature of the flow table is the introduction of reg0 at the bifurcation or merge point, the original flow tables match in_port=xxx and flowclassifier, and then to group table. Now it becomes the egress port of the last service function of the previous port chain of in_port, temporarily stores the label in the reg0, resubmit (, 0), and then match reg0 and flowclassifier send it to group table, turning the original flow table into multiple. When the group table is the same, it merges, but when the group table is different, it forks.

Thank you for reading this article carefully. I hope the article "sample Analysis of OpenStack SFC" shared by the editor will be helpful to you. At the same time, I also hope that you will support us and pay attention to the industry information channel. More related knowledge is waiting for you to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.