
SDN Practice Group Sharing (12): Service Function Chain

SDNLAB
Published 2018-04-03 11:00:26

Today I will mainly introduce SFC. The main content is in English and I will explain it in Chinese. I will briefly cover some SFC concepts and spend most of the time on the demo.

What's SFC

Service Function Chaining provides the ability to define an ordered list of network services (e.g. firewalls, load balancers). These services are then "stitched" together in the network to create a service chain. This project provides the infrastructure (chaining logic, APIs) needed for ODL to provision a service chain in the network and an end-user application for defining such chains.

SFC DC Usage

SFC Mobility Usage

SFC Project

This OpenDaylight project provides an SFC function that resides within the controller platform and presents service chaining functionality to external user-centric applications via the ODL Northbound REST APIs. Using this ODL service, network operators may create, update, and delete service chains, as well as specify the exchange of opaque metadata with network and service nodes in a service path. When applicable, APIs will allow specification of the selection criteria to be used by the SFC function to determine the service path for traffic incident upon the chain.

Service chain: defines “intent” and is, in essence, a list of required service functions (e.g. FW → SLB → IPS)

Service path: instantiation of a service chain. Specific instances of a service type are selected and connectivity established between instances. (e.g. FW1@1.1.1.1 → SLB3@2.2.2.2 → IPS34@3.3.3.3)

NSH encapsulation

SFC Demo 103

1. source code is in sfc/sfc-demo/sfc103
2. demo topology


Q&A

Q1: Are there flow tables in OVS? If so, please post them; I am rather confused about how OVS implements SFC.

A1:

vagrant@classifier1:~$ sudo ovs-ofctl dump-flows  -OOpenflow13 br-sfc
OFPST_FLOW reply (OF1.3) (xid=0x2):
 cookie=0x0, duration=126598.327s, table=0, n_packets=25, n_bytes=2130, priority=1000,tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=80 actions=load:0xc0a80114->NXM_NX_TUN_IPV4_DST[],set_nsp:0x14,set_nsi:255,set_nshc1:0x1,set_nshc2:0x2,set_nshc3:0x3,set_nshc4:0x4,output:2
 cookie=0x0, duration=126598.587s, table=0, n_packets=25, n_bytes=8352, priority=1000,nsp=8388628,nsi=253 actions=output:1
 cookie=0x14, duration=126599.520s, table=0, n_packets=0, n_bytes=0, priority=5 actions=goto_table:1
vagrant@sff1:~$ sudo ovs-ofctl dump-flows -OOpenflow13 br-sfc
OFPST_FLOW reply (OF1.3) (xid=0x2):
 cookie=0x14, duration=126636.987s, table=0, n_packets=75, n_bytes=12612, priority=5 actions=goto_table:1
 cookie=0x0, duration=126635.524s, table=0, n_packets=25, n_bytes=8352, priority=1000,nsp=8388628,nsi=253 actions=load:0xc0a8010a->NXM_NX_TUN_IPV4_DST[],move:NXM_NX_NSP[]->NXM_NX_NSP[],move:NXM_NX_NSI[]->NXM_NX_NSI[],move:NXM_NX_NSH_C1[]->NXM_NX_NSH_C1[],move:NXM_NX_NSH_C2[]->NXM_NX_NSH_C2[],IN_PORT
 cookie=0x14, duration=126636.987s, table=1, n_packets=0, n_bytes=0, priority=5 actions=drop
 cookie=0x14, duration=126636.240s, table=1, n_packets=50, n_bytes=4260, priority=250,nsp=20 actions=goto_table:4
 cookie=0x14, duration=126635.392s, table=1, n_packets=25, n_bytes=8352, priority=250,nsp=8388628 actions=goto_table:4
 cookie=0x14, duration=126636.987s, table=2, n_packets=0, n_bytes=0, priority=5 actions=goto_table:3
 cookie=0x14, duration=126636.987s, table=3, n_packets=0, n_bytes=0, priority=5 actions=goto_table:4
 cookie=0x14, duration=126636.987s, table=4, n_packets=0, n_bytes=0, priority=5 actions=goto_table:10
 cookie=0x14, duration=126636.133s, table=4, n_packets=25, n_bytes=2130, priority=550,nsp=20,nsi=255 actions=load:0xc0a8011e->NXM_NX_TUN_IPV4_DST[],goto_table:10
 cookie=0x14, duration=126635.655s, table=4, n_packets=25, n_bytes=2130, priority=550,nsp=20,nsi=254 actions=load:0xc0a80132->NXM_NX_TUN_IPV4_DST[],goto_table:10
 cookie=0x14, duration=126635.369s, table=4, n_packets=25, n_bytes=8352, priority=550,nsp=8388628,nsi=254 actions=load:0xc0a8011e->NXM_NX_TUN_IPV4_DST[],goto_table:10
 cookie=0x14, duration=126636.987s, table=10, n_packets=0, n_bytes=0, priority=5 actions=drop
 cookie=0xba5eba11ba5eba11, duration=126635.869s, table=10, n_packets=25, n_bytes=2130, priority=650,nsp=20,nsi=255 actions=move:NXM_NX_NSH_C1[]->NXM_NX_NSH_C1[],move:NXM_NX_NSH_C2[]->NXM_NX_NSH_C2[],move:NXM_NX_TUN_ID[0..31]->NXM_NX_TUN_ID[0..31],IN_PORT
 cookie=0xba5eba11ba5eba11, duration=126635.619s, table=10, n_packets=25, n_bytes=2130, priority=650,nsp=20,nsi=254 actions=move:NXM_NX_NSH_C1[]->NXM_NX_NSH_C1[],move:NXM_NX_NSH_C2[]->NXM_NX_NSH_C2[],move:NXM_NX_TUN_ID[0..31]->NXM_NX_TUN_ID[0..31],IN_PORT
 cookie=0xba5eba11ba5eba11, duration=126635.294s, table=10, n_packets=25, n_bytes=8352, priority=650,nsp=8388628,nsi=254 actions=move:NXM_NX_NSH_C1[]->NXM_NX_NSH_C1[],move:NXM_NX_NSH_C2[]->NXM_NX_NSH_C2[],move:NXM_NX_TUN_ID[0..31]->NXM_NX_TUN_ID[0..31],IN_PORT
 cookie=0xba5eba11ba5eba11, duration=126635.245s, table=10, n_packets=0, n_bytes=0, priority=650,nsp=8388628,nsi=253 actions=move:NXM_NX_NSI[]->NXM_NX_NSI[],move:NXM_NX_NSP[]->NXM_NX_NSP[],move:NXM_NX_NSH_C1[]->NXM_NX_TUN_IPV4_DST[],move:NXM_NX_NSH_C2[]->NXM_NX_TUN_ID[0..31],IN_PORT
 cookie=0xba5eba11ba5eba11, duration=126635.259s, table=10, n_packets=0, n_bytes=0, priority=660,nsp=8388628,nsi=253,nshc1=0 actions=IN_PORT
vagrant@sff1:~$

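Q2: Is this figure taken from a draft or an RFC?

A2: Yes. NSH encapsulation is the most important part.

Q3: I would like to ask: I saw that you used ODL to set up two SFCs and showed which middleboxes each one passes through, but how are these middleboxes brought into ODL at the physical layer? In other words, how do you import these middleboxes, that is, functions such as fw, dpi and firewall, into ODL?

A3: They are configured by the user. I can excerpt some of the configuration: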

"service-nodes": {
        "service-node": [
            {
                "name": "node0",
                "service-function": [
                ],
                "ip-mgmt-address": "192.168.1.10"
            },
            {
                "name": "node1",
                "service-function": [
                ],
                "ip-mgmt-address": "192.168.1.20"
            },
            {
                "name": "node2",
                "service-function": [
                    "dpi-1"
                ],
                "ip-mgmt-address": "192.168.1.30"
            },
{
                "name": "dpi-1",
                "ip-mgmt-address": "192.168.1.30",
                "rest-uri": "http://192.168.1.30:5000",
                "type": "dpi",
                "nsh-aware": "true",
                "sf-data-plane-locator": [
                    {
                        "name": "sf1-dpl",
                        "port": 6633,
                        "ip": "192.168.1.30",
                        "transport": "service-locator:vxlan-gpe",
                        "service-function-forwarder": "SFF1"
                    }
                ]
            },

I have committed all the scripts under sfc/sfc-demo.

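Q4: Is the OVS used by the current ODL implementation a private version? The mainline version does not support NSH yet, does it?

A4: Right. There are currently two kinds of SFC: one based on NSH and one not based on NSH. OpenStack's SFC does not support NSH; ODL SFC supports NSH. NSH has not yet been merged into OVS, so it is a private patch. Under sfc-demo there is a script that installs OVS + NSH:

curl https://raw.githubusercontent.com/priteshk/ovs/nsh-v8/third-party/start-ovs-deb.sh | bash

Without NSH, the functions can only be connected section by section, like a pipe; with NSH, forwarding can be decided per packet.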

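Q5: The script sets the dp port to 6633. This port seems to be ODL's tunnel port; was it set to 6633 on purpose? Can it be changed to something else?

A5: Port 6633 can be changed. The original vxlan-gpe has a default port; I need to confirm whether it is this one.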

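Q6: Are there any resources for building an SF image? I have been playing with this recently too and cannot find a suitable image. How far along is ODL's SFC now: is it still being iterated on, or can it already be demoed?

A6: For an NSH-based SF image, there is none yet. We have recently been developing this: an NSH-aware + DPDK SF image.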

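Q7: By image, do you mean a vagrant box file?

A7: This image is not a vagrant box. It should be an image that OpenStack Glance can manage. Tacker + OpenStack + ODL (netvirt + SFC) is the whole solution; the SF image needs to be managed by OpenStack Glance, and this SF should be NSH-aware.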

Q8: If it is based on NSH, does the SF image also have to support NSH?

A8: Yes. A legacy SF needs an NSH-aware proxy.

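Q9: Can the demo network not be on the same subnet as my host network? When I run vagrant up, the message says that 192.168.1.x cannot be the same network as mine; my Wi-Fi is on the 192.168.1 subnet.

A9: You can replace every 192.168.1 with 192.168.2.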

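Q10: With the NSH approach, is the NSH header added at the classifier and then removed in the SFF?

A10: With the NSH approach, the ingress classifier adds the header, the egress classifier removes it, and the SFF leaves the header unchanged. The SF does service index --, so the SFF then knows how to forward the packet. A traditional DPI is not able to understand the NSH header, so a proxy is needed. NSH can be thought of as MPLS with metadata.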
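The steering shown in A1's flow dump and described in A10, as an added example (not part of the original talk or of the ODL SFC code): the sketch reads the table 4 flows copied from the sff1 dump, decodes each tunnel destination into an IPv4 address, and walks a service path by decrementing the service index as A10 describes. The function names are hypothetical, and treating table 4 as the next-hop table is an assumption drawn from the dump.

```python
import ipaddress
import re

# Table 4 entries copied from the sff1 dump in A1, shortened to match + actions.
SFF1_TABLE4 = """\
 table=4, priority=550,nsp=20,nsi=255 actions=load:0xc0a8011e->NXM_NX_TUN_IPV4_DST[],goto_table:10
 table=4, priority=550,nsp=20,nsi=254 actions=load:0xc0a80132->NXM_NX_TUN_IPV4_DST[],goto_table:10
 table=4, priority=550,nsp=8388628,nsi=254 actions=load:0xc0a8011e->NXM_NX_TUN_IPV4_DST[],goto_table:10
 table=4, priority=5 actions=goto_table:10
"""

# A next-hop flow matches on (nsp, nsi) and loads a tunnel destination.
FLOW_RE = re.compile(
    r"nsp=(?P<nsp>\d+),nsi=(?P<nsi>\d+)\s+actions=.*?"
    r"load:(?P<dst>0x[0-9a-fA-F]+)->NXM_NX_TUN_IPV4_DST\[\]"
)

def next_hops(dump):
    """Map (nsp, nsi) -> tunnel destination IP for each next-hop flow."""
    hops = {}
    for line in dump.splitlines():
        m = FLOW_RE.search(line)
        if m:  # default/goto-only flows carry no tunnel load and are skipped
            ip = ipaddress.IPv4Address(int(m["dst"], 16))
            hops[(int(m["nsp"]), int(m["nsi"]))] = str(ip)
    return hops

def walk_path(hops, nsp, start_nsi=255):
    """Follow one service path; each SF visit decrements the service index."""
    path, nsi = [], start_nsi
    while (nsp, nsi) in hops:
        path.append((nsi, hops[(nsp, nsi)]))
        nsi -= 1
    return path

if __name__ == "__main__":
    hops = next_hops(SFF1_TABLE4)
    for nsp in sorted({p for p, _ in hops}):
        start = max(n for p, n in hops if p == nsp)
        # nsp 8388628 is 0x800014, i.e. path id 20 with bit 23 set
        print(f"nsp={nsp} (0x{nsp:x}):", walk_path(hops, nsp, start))
```

Run against a full `ovs-ofctl dump-flows` capture, the same decoding lets you compare the next hops an SFF will actually use with the data plane locators configured for the chain.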

Originally published: 2016-01-12. Shared from the SDNLAB WeChat official account.
