draft-ietf-sfc-nsh-00.txt   draft-ietf-sfc-nsh-01.txt 
Network Working Group P. Quinn, Ed. Network Working Group P. Quinn, Ed.
Internet-Draft Cisco Systems, Inc. Internet-Draft Cisco Systems, Inc.
Intended status: Standards Track U. Elzur, Ed. Intended status: Standards Track U. Elzur, Ed.
Expires: September 25, 2015 Intel Expires: January 24, 2016 Intel
March 24, 2015 July 23, 2015
Network Service Header Network Service Header
draft-ietf-sfc-nsh-00.txt draft-ietf-sfc-nsh-01.txt
Abstract Abstract
This draft describes a Network Service Header (NSH) inserted onto This draft describes a Network Service Header (NSH) inserted onto
encapsulated packets or frames to realize service function paths. encapsulated packets or frames to realize service function paths.
NSH also provides a mechanism for metadata exchange along the NSH also provides a mechanism for metadata exchange along the
instantiated service path. instantiated service path. NSH is the SFC encapsulation as per SFC
Architecture [SFC-arch]
1. Requirements Language 1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 2, line 26 skipping to change at page 2, line 26
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 25, 2015. This Internet-Draft will expire on January 24, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 10 skipping to change at page 3, line 10
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Requirements Language . . . . . . . . . . . . . . . . . . . . 2 1. Requirements Language . . . . . . . . . . . . . . . . . . . . 2
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Definition of Terms . . . . . . . . . . . . . . . . . . . 4 2.1. Definition of Terms . . . . . . . . . . . . . . . . . . . 4
2.2. Problem Space . . . . . . . . . . . . . . . . . . . . . . 6 2.2. Problem Space . . . . . . . . . . . . . . . . . . . . . . 7
3. Network Service Header . . . . . . . . . . . . . . . . . . . . 8 2.3. NSH-based Service Chaining . . . . . . . . . . . . . . . . 8
3.1. Network Service Header Format . . . . . . . . . . . . . . 8 3. Network Service Header . . . . . . . . . . . . . . . . . . . . 10
3.2. NSH Base Header . . . . . . . . . . . . . . . . . . . . . 8 3.1. Network Service Header Format . . . . . . . . . . . . . . 10
3.3. Service Path Header . . . . . . . . . . . . . . . . . . . 10 3.2. NSH Base Header . . . . . . . . . . . . . . . . . . . . . 10
3.4. NSH MD-type 1 . . . . . . . . . . . . . . . . . . . . . . 10 3.3. Service Path Header . . . . . . . . . . . . . . . . . . . 12
3.4.1. Mandatory Context Header Allocation Guidelines . . . . 11 3.4. NSH MD-type 1 . . . . . . . . . . . . . . . . . . . . . . 13
3.5. NSH MD-type 2 . . . . . . . . . . . . . . . . . . . . . . 12 3.5. NSH MD-type 2 . . . . . . . . . . . . . . . . . . . . . . 13
3.5.1. Optional Variable Length Metadata . . . . . . . . . . 13 3.5.1. Optional Variable Length Metadata . . . . . . . . . . 14
4. NSH Actions . . . . . . . . . . . . . . . . . . . . . . . . . 15 4. NSH Actions . . . . . . . . . . . . . . . . . . . . . . . . . 16
5. NSH Encapsulation . . . . . . . . . . . . . . . . . . . . . . 17 5. NSH Encapsulation . . . . . . . . . . . . . . . . . . . . . . 18
6. NSH Usage . . . . . . . . . . . . . . . . . . . . . . . . . . 18 6. Fragmentation Considerations . . . . . . . . . . . . . . . . . 19
7. NSH Proxy Nodes . . . . . . . . . . . . . . . . . . . . . . . 19 7. Service Path Forwarding with NSH . . . . . . . . . . . . . . . 20
8. Fragmentation Considerations . . . . . . . . . . . . . . . . . 20 7.1. SFFs and Overlay Selection . . . . . . . . . . . . . . . . 20
9. Service Path Forwarding with NSH . . . . . . . . . . . . . . . 21 7.2. Mapping NSH to Network Overlay . . . . . . . . . . . . . . 22
9.1. SFFs and Overlay Selection . . . . . . . . . . . . . . . . 21 7.3. Service Plane Visibility . . . . . . . . . . . . . . . . . 23
9.2. Mapping NSH to Network Overlay . . . . . . . . . . . . . . 23 7.4. Service Graphs . . . . . . . . . . . . . . . . . . . . . . 23
9.3. Service Plane Visibility . . . . . . . . . . . . . . . . . 24 8. Policy Enforcement with NSH . . . . . . . . . . . . . . . . . 26
9.4. Service Graphs . . . . . . . . . . . . . . . . . . . . . . 24 8.1. NSH Metadata and Policy Enforcement . . . . . . . . . . . 26
10. Policy Enforcement with NSH . . . . . . . . . . . . . . . . . 26 8.2. Updating/Augmenting Metadata . . . . . . . . . . . . . . . 27
10.1. NSH Metadata and Policy Enforcement . . . . . . . . . . . 26 8.3. Service Path ID and Metadata . . . . . . . . . . . . . . . 29
10.2. Updating/Augmenting Metadata . . . . . . . . . . . . . . . 27 9. NSH Encapsulation Examples . . . . . . . . . . . . . . . . . . 31
10.3. Service Path ID and Metadata . . . . . . . . . . . . . . . 29 9.1. GRE + NSH . . . . . . . . . . . . . . . . . . . . . . . . 31
11. NSH Encapsulation Examples . . . . . . . . . . . . . . . . . . 30 9.2. VXLAN-gpe + NSH . . . . . . . . . . . . . . . . . . . . . 31
11.1. GRE + NSH . . . . . . . . . . . . . . . . . . . . . . . . 30 9.3. Ethernet + NSH . . . . . . . . . . . . . . . . . . . . . . 32
11.2. VXLAN-gpe + NSH . . . . . . . . . . . . . . . . . . . . . 30 10. Security Considerations . . . . . . . . . . . . . . . . . . . 33
11.3. Ethernet + NSH . . . . . . . . . . . . . . . . . . . . . . 31 11. Open Items for WG Discussion . . . . . . . . . . . . . . . . . 34
12. Security Considerations . . . . . . . . . . . . . . . . . . . 32 12. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 35
13. Open Items for WG Discussion . . . . . . . . . . . . . . . . . 33 13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 38
14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 34 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39
15. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 37 14.1. NSH EtherType . . . . . . . . . . . . . . . . . . . . . . 39
16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 14.2. Network Service Header (NSH) Parameters . . . . . . . . . 39
16.1. NSH EtherType . . . . . . . . . . . . . . . . . . . . . . 38 14.2.1. NSH Base Header Reserved Bits . . . . . . . . . . . . 39
16.2. Network Service Header (NSH) Parameters . . . . . . . . . 38 14.2.2. MD Type Registry . . . . . . . . . . . . . . . . . . . 39
16.2.1. NSH Base Header Reserved Bits . . . . . . . . . . . . 38 14.2.3. TLV Class Registry . . . . . . . . . . . . . . . . . . 40
16.2.2. MD Type Registry . . . . . . . . . . . . . . . . . . . 38 14.2.4. NSH Base Header Next Protocol . . . . . . . . . . . . 40
16.2.3. TLV Class Registry . . . . . . . . . . . . . . . . . . 39 15. References . . . . . . . . . . . . . . . . . . . . . . . . . . 41
16.2.4. NSH Base Header Next Protocol . . . . . . . . . . . . 39 15.1. Normative References . . . . . . . . . . . . . . . . . . . 41
17. References . . . . . . . . . . . . . . . . . . . . . . . . . . 40 15.2. Informative References . . . . . . . . . . . . . . . . . . 41
17.1. Normative References . . . . . . . . . . . . . . . . . . . 40 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 43
17.2. Informative References . . . . . . . . . . . . . . . . . . 40
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 42
2. Introduction 2. Introduction
Service functions are widely deployed and essential in many networks. Service functions are widely deployed and essential in many networks.
These service functions provide a range of features such as security, These service functions provide a range of features such as security,
WAN acceleration, and server load balancing. Service functions may WAN acceleration, and server load balancing. Service functions may
be instantiated at different points in the network infrastructure be instantiated at different points in the network infrastructure
such as the wide area network, data center, campus, and so forth. such as the wide area network, data center, campus, and so forth.
The current service function deployment models are relatively static, The current service function deployment models are relatively static,
and bound to topology for insertion and policy selection. and bound to topology for insertion and policy selection.
Furthermore, they do not adapt well to elastic service environments Furthermore, they do not adapt well to elastic service environments
enabled by virtualization. enabled by virtualization.
New data center network and cloud architectures require more flexible New data center network and cloud architectures require more flexible
service function deployment models. Additionally, the transition to service function deployment models. Additionally, the transition to
virtual platforms requires an agile service insertion model that virtual platforms requires an agile service insertion model that
supports elastic service delivery; the movement of service functions supports dynamic and elastic service delivery; the movement of
and application workloads in the network and the ability to easily service functions and application workloads in the network and the
bind service policy to granular information such as per-subscriber ability to easily bind service policy to granular information such as
state are necessary. per-subscriber state and steer traffic to the requisite service
function(s) are necessary.
The approach taken by NSH is composed of the following elements: NSH defines a new dataplane protocol specifically for the creation of
dynamic service chains and is composed of the following elements:
1. Service path identification 1. Service Function Path identification
2. Transport independent per-packet/frame service metadata. 2. Transport independent service function chain
3. Optional variable TLV metadata. 3. Per-packet network and service metadata or optional variable TLV
metadata.
NSH is designed to be easy to implement across a range of devices, NSH is designed to be easy to implement across a range of devices,
both physical and virtual, including hardware platforms. both physical and virtual, including hardware platforms.
An NSH aware control plane is outside the scope of this document. An NSH aware control plane is outside the scope of this document.
The SFC Architecture document [SFC-arch] provides an overview of a The SFC Architecture document [SFC-arch] provides an overview of a
service chaining architecture that clearly defines the roles of the service chaining architecture that clearly defines the roles of the
various elements and the scope of a service function chaining various elements and the scope of a service function chaining
encapsulation. encapsulation. NSH is the SFC encapsulation defined in that draft.
2.1. Definition of Terms 2.1. Definition of Terms
Classification: Locally instantiated matching of traffic flows
Classification: Locally instantiated policy and customer/network/ against policy for subsequent application of the required set of
service profile matching of traffic flows for identification of network service functions. The policy may be customer/network/
appropriate outbound forwarding actions. service specific.
SFC Network Forwarder (NF): SFC network forwarders provide network
connectivity for service functions forwarders and service
functions. SFC network forwarders participate in the network
overlay used for service function chaining as well as in the SFC
encapsulation.
Service Function Forwarder (SFF): A service function forwarder is Service Function Forwarder (SFF): A service function forwarder is
responsible for delivering traffic received from the NF to one or responsible for forwarding traffic to one or more connected
more connected service functions, and from service functions to service functions according to information carried in the NSH, as
the NF. well as handling traffic coming back from the SF. Additionally, a
service function forwarder is responsible for transporting traffic
to another SFF (in the same or different type of overlay), and
terminating the SFP.
Service Function (SF): A function that is responsible for specific Service Function (SF): A function that is responsible for specific
treatment of received packets. A service function can act at the treatment of received packets. A Service Function can act at
network layer or other OSI layers. A service function can be a various layers of a protocol stack (e.g., at the network layer or
virtual instance or be embedded in a physical network element. other OSI layers). As a logical component, a Service Function can
One of multiple service functions can be embedded in the same be realized as a virtual element or be embedded in a physical
network element. Multiple instances of the service function can network element. One or more Service Functions can be embedded in
be enabled in the same administrative domain. the same network element. Multiple occurrences of the Service
Function can exist in the same administrative domain.
Service Node (SN): Physical or virtual element that hosts one or One or more Service Functions can be involved in the delivery of
more service functions and has one or more network locators added-value services. A non-exhaustive list of abstract Service
associated with it for reachability and service delivery. Functions includes: firewalls, WAN and application acceleration,
Deep Packet Inspection (DPI), LI (Lawful Intercept), server load
balancing, NAT44 [RFC3022], NAT64 [RFC6146], NPTv6 [RFC6296],
HOST_ID injection, HTTP Header Enrichment functions, TCP
optimizer.
An SF may be NSH-aware, that is it receives and acts on
information in the NSH. The SF may also be NSH-unaware in which
case data forwarded to the SF does not contain NSH.
Service Function Chain (SFC): A service function chain defines an Service Function Chain (SFC): A service function chain defines an
ordered set of service functions that must be applied to packets ordered set of abstract service functions (SFs) and ordering
and/or frames selected as a result of classification. The implied constraints that must be applied to packets and/or frames and/or
order may not be a linear progression as the architecture allows flows selected as a result of classification. An example of an
for nodes that copy to more than one branch. The term service abstract service function is "a firewall". The implied order may
chain is often used as shorthand for service function chain. not be a linear progression as the architecture allows for SFCs
that copy to more than one branch, and also allows for cases where
there is flexibility in the order in which service functions need
to be applied. The term service chain is often used as shorthand
for service function chain.
Service Function Path (SFP): The instantiation of a SFC in the Service Function Path (SFP): The Service Function Path is a
network. Packets follow a service function path from a classifier constrained specification of where packets assigned to a certain
through the requisite service functions service function path must go. While it may be so constrained as
to identify the exact locations, it can also be less specific.
The SFP provides a level of indirection between the fully abstract
notion of service chain as a sequence of abstract service
functions to be delivered, and the fully specified notion of
exactly which SFF/SFs the packet will visit when it actually
traverses the network. By allowing the control components to
specify this level of indirection, the operator may control the
degree of SFF/SF selection authority that is delegated to the
network.
Network Node/Element: Device that forwards packets or frames based Network Node/Element: Device that forwards packets or frames based
on outer header information. In most cases is not aware of the on outer header information.
presence of NSH.
Network Overlay: Logical network built on top of existing network Network Overlay: Logical network built on top of existing network
(the underlay). Packets are encapsulated or tunneled to create (the underlay). Packets are encapsulated or tunneled to create
the overlay network topology. the overlay network topology.
Network Service Header: Data plane header added to frames/packets. Network Service Header: provides SFP identification, and is used by
The header contains information required for service chaining, as the NSH-aware functions, such as the Classifier, SFF and NSH-aware
well as metadata added and consumed by network nodes and service SFs. In addition to SFP identification, the NSH may carry data
elements. plane metadata.
Service Classifier: Function that performs classification and
imposes an NSH. Creates a service path. Non-initial (i.e.
subsequent) classification can occur as needed and can alter, or
create a new service path.
Service Hop: NSH aware node, akin to an IP hop but in the service Service Classifier: Logical function that performs classification
overlay. and imposes an NSH. The initial classifier imposes the initial
NSH and sends the NSH packet to the first SFF in the path. Non-
initial (i.e. subsequent) classification can occur as needed and
can alter, or create a new service path.
Service Path Segment: A segment of a service path overlay. Network Locator: dataplane address, typically IPv4 or IPv6, used to
send and receive network traffic.
NSH Proxy: Acts as a gateway: removes and inserts NSH on behalf of a NSH Proxy: Removes and inserts NSH on behalf of an NSH-unaware
service function that is not NSH aware. service function. The proxy node removes the NSH header and
delivers the original packet/frame via a local attachment circuit
to the service function. Examples of a local attachment circuit
include, but are not limited to: VLANs, IP in IP, GRE, VXLAN.
When complete, the Service Function returns the packet to the NSH
proxy via the same or different attachment circuit. The NSH
Proxy, in turn, re-imposes NSH on the returned packets. Often, an
SFF will act as an NSH-proxy when required.
2.2. Problem Space 2.2. Problem Space
Network Service Header (NSH) addresses several limitations associated Network Service Header (NSH) addresses several limitations associated
with service function deployments today. with service function deployments today (i.e. prior to use of NSH).
A short reference is included below, RFC 7498 [RFC7498], provides a
more comprehensive review of the SFC Problem Statement.
1. Topological Dependencies: Network service deployments are often 1. Topological Dependencies: Network service deployments are often
coupled to network topology. Such dependency imposes constraints coupled to network topology. Such a dependency imposes
on the service delivery, potentially inhibiting the network constraints on the service delivery, potentially inhibiting the
operator from optimally utilizing service resources, and reduces network operator from optimally utilizing service resources, and
the flexibility. This limits scale, capacity, and redundancy reduces the flexibility. This limits scale, capacity, and
across network resources. redundancy across network resources.
2. Service Chain Construction: Service function chains today are 2. Service Chain Construction: Service function chains today are
most typically built through manual configuration processes. most typically built through manual configuration processes.
These are slow and error prone. With the advent of newer service These are slow and error prone. With the advent of newer dynamic
deployment models the control/management planes provide not only service deployment models, the control/management planes provide
connectivity state, but will also be increasingly utilized for not only connectivity state, but will also be increasingly
the creation of network services. Such a control/management utilized for the creation of network services. Such a control/
planes could be centralized, or be distributed. management planes could be centralized, or be distributed.
3. Application of Service Policy: Service functions rely on topology 3. Application of Service Policy: Service functions rely on topology
information such as VLANs or packet (re) classification to information such as VLANs or packet (re) classification to
determine service policy selection, i.e. the service function determine service policy selection, i.e. the service function
specific action taken. Topology information is increasingly less specific action taken. Topology information is increasingly less
viable due to scaling, tenancy and complexity reasons. The viable due to scaling, tenancy and complexity reasons. The
topological information is often stale, providing the operator topological information is often stale, providing the operator
with inaccurate placement that can result in suboptimal resource with inaccurate service Function (SF) placement that can result
utilization. Furthermore topology-centric information often does in suboptimal resource utilization. Furthermore topology-centric
not convey adequate information to the service functions, forcing information often does not convey adequate information to the
functions to individually perform more granular classification. service functions, forcing functions to individually perform more
granular classification.
4. Per-Service (re)Classification: Classification occurs at each 4. Per-Service (re)Classification: Classification occurs at each
service function independent from previously applied service service function independent from previously applied service
functions. More importantly, the classification functionality functions. More importantly, the classification functionality
often differs per service function and service functions may not often differs per service function and service functions may not
leverage the results from other service functions. leverage the results from other service functions.
5. Common Header Format: Various proprietary methods are used to 5. Common Header Format: Various proprietary methods are used to
share metadata and create service paths. An open header provides share metadata and create service paths. A standardized protocol
a common format for all network and service devices. provides a common format for all network and service devices.
6. Limited End-to-End Service Visibility: Troubleshooting service 6. Limited End-to-End Service Visibility: Troubleshooting service
related issues is a complex process that involve both network- related issues is a complex process that involve both network-
specific and service-specific expertise. This is especially the specific and service-specific expertise. This is especially the
case when service function chains span multiple DCs, or across case, when service function chains span multiple DCs, or across
administrative boundaries. Furthermore, the physical and virtual administrative boundaries. Furthermore, physical and virtual
environments (network and service) can be highly divergent in environments (network and service) can be highly divergent in
terms of topology and that topological variance adds to these terms of topology and that topological variance adds to these
challenges. challenges.
7. Transport Dependence: Service functions can and will be deployed 7. Transport Dependence: Service functions can and will be deployed
in networks with a range of transports requiring service in networks with a range of transports requiring service
functions to support and participate in many transports (and functions to support and participate in many transports (and
associated control planes) or for a transport gateway function to associated control planes) or for a transport gateway function to
be present. be present.
Please see the Service Function Chaining Problem Statement [SFC-PS] 2.3. NSH-based Service Chaining
for a more detailed analysis of service function deployment problem
areas. The NSH creates a dedicated service plane, that addresses many of the
limitations highlighted in Section 2.2. More specifically, NSH
enables:
1. Topological Independence: Service forwarding occurs within the
service plane, via a network overlay, the underlying network
topology does not require modification. NSH provides an
identifier used to select the network overlay for network
forwarding.
2. Service Chaining: NSH contains path identification information
needed to realize a service path. Furthermore, NSH provides the
ability to monitor and troubleshoot a service chain, end-to-end
via service-specific OAM messages. The NSH fields can be used by
administrators (via, for example a traffic analyzer) to verify
(account, ensure correct chaining, provide reports, etc.) the
path specifics of packets being forwarded along a service path.
3. NSH provides a mechanism to carry shared metadata between network
devices and service function, and between service functions. The
semantics of the shared metadata is communicated via a control
plane to participating nodes. Examples of metadata include
classification information used for policy enforcement and
network context for forwarding post service delivery.
4. Classification and re-classification: sharing the metadata allows
service functions to share initial and intermediate
classification results with downstream service functions saving
re-classification, where enough information was enclosed.
5. NSH offers a common and standards based header for service
chaining to all network and service nodes.
6. Transport Agnostic: NSH is transport independent and is carried
in an overlay, over existing underlays. If an existing overlay
topology provides the required service path connectivity, that
existing overlay may be used.
3. Network Service Header 3. Network Service Header
A Network Service Header (NSH) contains metadata and service path A Network Service Header (NSH) contains service path information and
information that are added to a packet or frame and used to create a optionally metadata that are added to a packet or frame and used to
service plane. The packets and the NSH are then encapsulated in an create a service plane. The original packets preceded by NSH, are
outer header for transport. then encapsulated in an outer header for transport.
The service header is added by a service classification function - a NSH is added by a Service Classifier. The NSH header is removed by
device or application - that determines which packets require the last SFF in the chain or by a SF that consumes the packet.
servicing, and correspondingly which service path to follow to apply
the appropriate service.
3.1. Network Service Header Format 3.1. Network Service Header Format
An NSH is composed of a 4-byte base header, a 4-byte service path A NSH is composed of a 4-byte Base Header, a 4-byte Service Path
header and context headers, as shown in Figure 1 below. Header and Context Headers, as shown in Figure 1 below.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Base Header | | Base Header |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Service Path Header | | Service Path Header |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ Context Headers ~ ~ Context Headers ~
| | | |
skipping to change at page 9, line 6 skipping to change at page 11, line 6
information. information.
3.2. NSH Base Header 3.2. NSH Base Header
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Ver|O|C|R|R|R|R|R|R| Length | MD Type | Next Protocol | |Ver|O|C|R|R|R|R|R|R| Length | MD Type | Next Protocol |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: NSH Base Header Figure 2: NSH Base Header
Base Header Field Descriptions Base Header Field Descriptions:
Version: The version field is used to ensure backward compatibility Version: The version field is used to ensure backward compatibility
going forward with future NSH updates. going forward with future NSH updates. It MUST be set to 0x0 by the
sender, in this first revision of NSH.
O bit: Indicates that this packet is an operations and management O bit: when set to 0x1 indicates that this packet is an operations
(OAM) packet. SFF and SFs nodes MUST examine the payload and take and management (OAM) packet. The receiving SFF and SFs nodes MUST
appropriate action (e.g. return status information). examine the payload and take appropriate action (e.g. return status
information).
OAM message specifics and handling details are outside the scope of OAM message specifics and handling details are outside the scope of
this document. this document.
C bit: Indicates that a critical metadata TLV is present (see Section C bit: Indicates that a critical metadata TLV is present (see Section
3.4.2). This bit acts as an indication for hardware implementers to 3.4.2). This bit acts as an indication for hardware implementers to
decide how to handle the presence of a critical TLV without decide how to handle the presence of a critical TLV without
necessarily needing to parse all TLVs present. The C bit MUST be set necessarily needing to parse all TLVs present. The C bit MUST be set
to 1 if one or more critical TLVs are present. to 0x0 when MD Type= 0x01 and MAY be used with MD Type = 0x2 and MUST
be set to 0x1 if one or more critical TLVs are present.
All other flag fields are reserved. All other flag fields are reserved.
Length: total length, in 4-byte words, of the NSH header, including Length: total length, in 4-byte words, of NSH including the Base
optional variable TLVs. Header, the Service Path Header and the optional variable TLVs. The
Length MUST be of value 0x6 for MD Type = 0x1 and MUST be of value
0x2 or higher for MD Type = 0x2. The NSH header length MUST be an
integer number of 4 bytes.
MD Type: indicates the format of NSH beyond the base header and the MD Type: indicates the format of NSH beyond the mandatory Base Header
type of metadata being carried. This typing is used to describe the and the Service Path Header. MD Type defines the format of the
use for the metadata. A new registry will be requested from IANA for metadata being carried. A new registry will be requested from IANA
the MD Type. for the MD Type.
NSH defines two MD types: NSH defines two MD types:
0x1 which indicates that the format of the header includes fixed 0x1 - which indicates that the format of the header includes fixed
length context headers. length context headers (see Figure 4 below).
0x2 which does not mandate any headers beyond the base header and 0x2 - which does not mandate any headers beyond the Base Header and
service path header, and may contain optional variable length context Service Path Header, and may contain optional variable length context
information. information.
The format of the base header is invariant, and not described by MD The format of the base header and the service path header is
Type. invariant, and not affected by MD Type.
NSH implementations MUST support MD-Type 0x1, and SHOULD support MD- NSH implementations MUST support MD-Type = 0x1, and SHOULD support
Type 0x2. MD- Type = 0x2.
Next Protocol: indicates the protocol type of the original packet. A Next Protocol: indicates the protocol type of the original packet. A
new IANA registry will be created for protocol type. new IANA registry will be created for protocol type.
This draft defines the following Next Protocol values: This draft defines the following Next Protocol values:
0x1 : IPv4 0x1 : IPv4
0x2 : IPv6 0x2 : IPv6
0x3 : Ethernet 0x3 : Ethernet
0x253: Experimental
3.3. Service Path Header 3.3. Service Path Header
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Service Path ID | Service Index | | Service Path ID | Service Index |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Service path ID (SPI): 24 bits Service path ID (SPI): 24 bits
Service index (SI): 8 bits Service index (SI): 8 bits
Figure 3: NSH Service Path Header Figure 3: NSH Service Path Header
Service Path Identifier (SPI): identifies a service path. Service Path Identifier (SPI): identifies a service path.
Participating nodes MUST use this identifier for path selection. An Participating nodes MUST use this identifier for Service Function
administrator can use the service path value for reporting and Path selection.
troubleshooting packets along a specific path.
Service Index (SI): provides location within the service path. Service Index (SI): provides location within the SFP. The first
Service index MUST be decremented by service functions or proxy nodes Classifier (i.e. at the boundary of the NSH domain)in the NSH Service
after performing required services. MAY be used in conjunction with Function Path, SHOULD set the SI to 255, however the control plane
service path for path selection. Service Index is also valuable when MAY configure the initial value of SI as appropriate (i.e. taking
troubleshooting/reporting service paths. In addition to location into account the length of the service function path). A Classifier
within a path, SI can be used for loop detection. MUST send the packet to the first SFF in the chain. Service index
MUST be decremented by service functions or proxy nodes after
performing required services and the new decremented SI value MUST be
reflected in the egress NSH packet. SI MAY be used in conjunction
with Service Path ID for Service Function Path selection. Service
Index (SI) is also valuable when troubleshooting/reporting service
paths. In addition to indicating the location within a Service
Function Path, SI can be used for loop detection.
3.4. NSH MD-type 1 3.4. NSH MD-type 1
When the base header specifies MD Type 1, NSH defines four 4-byte When the Base Header specifies MD Type = 0x1, four Context Header,
mandatory context headers, as per Figure 4. These headers must be 4-byte each, MUST be added immediately following the Service Path
present and the format is opaque as depicted in Figure 5. Header, as per Figure 4. Context Headers that carry no metadata MUST
be set to zero.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Ver|O|C|R|R|R|R|R|R| Length | MD-type=0x1 | Next Protocol | |Ver|O|C|R|R|R|R|R|R| Length | MD-type=0x1 | Next Protocol |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Service Path ID | Service Index | | Service Path ID | Service Index |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mandatory Context Header | | Mandatory Context Header |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mandatory Context Header | | Mandatory Context Header |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mandatory Context Header | | Mandatory Context Header |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mandatory Context Header | | Mandatory Context Header |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: NSH MD-type=0x1 Figure 4: NSH MD-type=0x1
0 1 2 3 Draft-dc [dcalloc] and draft-mobility [moballoc] provide specific
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 examples of how metadata can be allocated.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Context data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: Context Header
3.4.1. Mandatory Context Header Allocation Guidelines
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Network Platform Context |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Network Shared Context |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Service Platform Context |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Service Shared Context |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 6: Context Data Significance
Figure 6, above, and the following examples of context header
allocation are guidelines that illustrate how various forms of
information can be carried and exchanged via NSH.
Network platform context: provides platform-specific metadata shared
between network nodes. Examples include (but are not limited to)
ingress port information, forwarding context and encapsulation type.
Network shared context: metadata relevant to any network node such as
the result of edge classification. For example, application
information, identity information or tenancy information can be
shared using this context header.
Service platform context: provides service platform specific metadata
shared between service functions. This context header is analogous
to the network platform context, enabling service platforms to
exchange platform-centric information such as an identifier used for
load balancing decisions.
Service shared context: metadata relevant to, and shared, between
service functions. As with the shared network context,
classification information such as application type can be conveyed
using this context.
The data center[dcalloc] and mobility[moballoc] context header
allocation drafts provide guidelines for the semantics of NSH fixed
context headers in each respective environment.
3.5. NSH MD-type 2 3.5. NSH MD-type 2
When the base header specifies MD Type 2, NSH defines variable length When the base header specifies MD Type= 0x2, zero or more Variable
only context headers. There may be zero or more of these headers as Length Context Headers MAY be added, immediately following the
per the length field. Service Path Header. Therefore, Length = 0x2, indicates that only
the Base Header followed by the Service Path Header are present. The
optional Variable Length Context Headers MUST be of an integer number
of 4-bytes.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Ver|O|C|R|R|R|R|R|R| Length | MD-type=0x2 | Next Protocol | |Ver|O|C|R|R|R|R|R|R| Length | MD-type=0x2 | Next Protocol |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Service Path ID | Service Index | | Service Path ID | Service Index |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ Optional Variable Length Context Headers ~ ~ Variable Length Context Headers (opt.) ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 7: NSH MD-type=0x2
Figure 5: NSH MD-type=0x2
3.5.1. Optional Variable Length Metadata 3.5.1. Optional Variable Length Metadata
NSH MD Type 2 MAY contain optional variable length context headers. The format of the optional variable length context headers, is as
The format of these headers is as described below. described below.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV Class | Type |R|R|R| Len | | TLV Class |C| Type |R|R|R| Len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Variable Metadata | | Variable Metadata |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 8: Variable Context Headers Figure 6: Variable Context Headers
TLV Class: describes the scope of the "Type" field. In some cases, TLV Class: describes the scope of the "Type" field. In some cases,
the TLV Class will identify a specific vendor, in others, the TLV the TLV Class will identify a specific vendor, in others, the TLV
Class will identify specific standards body allocated types. Class will identify specific standards body allocated types. A new
IANA registry will be created for TLV Class type.
Type: the specific type of information being carried, within the Type: the specific type of information being carried, within the
scope of a given TLV Class. Value allocation is the responsibility scope of a given TLV Class. Value allocation is the responsibility
of the TLV Class owner. of the TLV Class owner.
The most significant bit of the Type field indicates whether the TLV Encoding the criticality of the TLV within the Type field is
is mandatory for the receiver to understand/process. This consistent with IPv6 option types: the most significant bit of the
effectively allocates Type values 0 to 127 for non-critical options Type field indicates whether the TLV is mandatory for the receiver to
and Type values 128 to 255 for critical options. Figure 7 below understand/process. This effectively allocates Type values 0 to 127
illustrates the placement of the Critical bit within the Type field. for non-critical options and Type values 128 to 255 for critical
options. Figure 7 below illustrates the placement of the Critical
bit within the Type field.
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
|C| Type | |C| Type |
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
Figure 9: Critical Bit Placement Within the TLV Type Field Figure 7: Critical Bit Placement Within the TLV Type Field
Encoding the criticality of the TLV within the Type field is
consistent with IPv6 option types.
If a receiver receives an encapsulated packet containing a TLV with If a receiver receives an encapsulated packet containing a TLV with
the Critical bit set in the Type field and it does not understand how the Critical bit set to 0x1 in the Type field and it does not
to process the Type, it MUST drop the packet. Transit devices MUST understand how to process the Type, it MUST drop the packet. Transit
NOT drop packets based on the setting of this bit. devices MUST NOT drop packets based on the setting of this bit.
Reserved bits: three reserved bit are present for future use. The Reserved bits: three reserved bit are present for future use. The
reserved bits MUST be zero. reserved bits MUST be set to 0x0.
Length: Length of the variable metadata, in 4-byte words. Length: Length of the variable metadata, in 4-byte words. A value of
0x0 or higher can be used. A value of 0x0 denotes a TLV header
without a Variable Metadata field.
4. NSH Actions 4. NSH Actions
Service header aware nodes - service classifiers, SFF, SF and NSH NSH-aware nodes are the only nodes that MAY alter the content of the
proxies, have several possible header related actions: NSH headers. NSH-aware nodes include: service classifiers, SFF, SF
and NSH proxies. These nodes have several possible header related
actions:
1. Insert or remove service header: These actions can occur at the 1. Insert or remove NSH: These actions can occur at the start and
start and end respectively of a service path. Packets are end respectively of a service path. Packets are classified, and
classified, and if determined to require servicing, a service if determined to require servicing, NSH will be imposed. A
header imposed. The last node in a service path, an SFF, removes service classifier MUST insert NSH at the start of an SFP. An
the NSH. A service classifier MUST insert an NSH. At the end of imposed NSH MUST contain valid Base Header and Service Path
a service function chain, the last node operating on the service Header. At the end of a service function path, a SFF, MUST be
header MUST remove it. the last node operating on the service header and MUST remove it.
A service function can re-classify data as required and that re- Multiple logical classifiers may exist within a given service
classification might result in a new service path. In this case, path. Non-initial classifiers may re-classify data and that re-
the SF acts as a logical classifier as well. When the logical classification MAY result in a new Service Function Path. When
classifier performs re-classification that results in a change of the logical classifier performs re-classification that results in
service path, it MUST remove the existing NSH and MUST impose a a change of service path, it MUST remove the existing NSH and
new NSH with the base header reflecting the new path. MUST impose a new NSH with the Base Header and Service Path
Header reflecting the new service path information and set the SI
to 255. Metadata MAY be preserved in the new NSH.
2. Select service path: The base header provides service chain 2. Select service path: The Service Path Header provides service
information and is used by SFFs to determine correct service path chain information and is used by SFFs to determine correct
selection. SFFs MUST use the base header for selecting the next service path selection. SFFs MUST use the Service Path Header
service in the service path. for selecting the next SF or SFF in the service path.
3. Update a service header: NSH aware service functions MUST 3. Update a Service Path Header: NSH aware service functions (SF)
decrement the service index. A service index = 0 indicates that MUST decrement the service index. A service index = 0x0
a packet MUST be dropped by the SFF performing NSH-based indicates that a packet MUST be dropped by the SFF.
forwarding.
Service functions MAY update context headers if new/updated Classifier(s) MAY update Context Headers if new/updated context
context is available. is available.
If an NSH proxy (see Section 7) is in use (acting on behalf of a If an NSH proxy (see Section 7) is in use (acting on behalf of a
non-NSH-aware service function for NSH actions), then the proxy non-NSH-aware service function for NSH actions), then the proxy
MUST update service index and MAY update contexts. When an NSH MUST update Service Index and MAY update contexts. When an NSH
proxy receives an NSH-encapsulated packet, it removes the NSH proxy receives an NSH-encapsulated packet, it MUST remove the NSH
before forwarding it to an NSH unaware SF. When it receives a headers before forwarding it to an NSH unaware SF. When the NSH
packet back from an NSH unaware SF, it re-encapsulates it with Proxy receives a packet back from an NSH unaware SF, it MUST re-
the NSH, decrementing the service index. encapsulate it with the correct NSH, and MUST also decrement the
Service Index.
4. Service policy selection: Service function instances derive 4. Service policy selection: Service Function instances derive
policy selection from the service header. Context shared in the policy (i.e. service actions such as permit or deny) selection
and enforcement from the service header. Metadata shared in the
service header can provide a range of service-relevant service header can provide a range of service-relevant
information such as traffic classification. Service functions information such as traffic classification. Service functions
SHOULD use NSH to select local service policy. SHOULD use NSH to select local service policy.
Figure 10 maps each of the four actions above to the components in Figure 8 maps each of the four actions above to the components in the
the SFC architecture that can perform it. SFC architecture that can perform it.
+----------------+--------------------+-------+---------------+-------+ +---------------+------------------+-------+----------------+---------+
| | Insert or remove |Select | Update a |Service| | | Insert |Select | Update |Service |
| | service header |service|service header |Policy | | | or remove NSH |Service| NSH |policy |
| +------+------+------+ path +---------------+Select-| | | |Function| |selection|
| |Insert|Remove|Remove| | Dec. |Update |ion | | Component +--------+--------+Path +----------------+ |
| | | | and | |Service|Context| | | | | | | Dec. |Update | |
| Component | | |Insert| | Index |Header | | | | Insert | Remove | |Service |Context| |
+----------------+------+------+------+-------+-------+-------+-------+ | | | | | Index |Header | |
|Service Classif-| + | | | | | + | | +----------------+--------+--------+-------+--------+-------+---------+
|ication Function| | | | | | | | | | + | + | | | + | |
+ -------------- + ---- + ---- + ---- + ----- + ----- + ----- + ----- + |Classifier | | | | | | |
|Service Function| | + | | + | | + | | +--------------- +--------+--------+-------+--------+-------+---------+
|Forwarder(SFF) | | | | | | | | |Service Function| | + | + | | | |
+ -------------- + ---- + ---- + ---- + ----- + ----- + ----- + ----- + |Forwarder(SFF) | | | | | | |
|Service | | | | | + | + | + | +--------------- +--------+--------+-------+--------+-------+---------+
|Function (SF) | | | | | | | | |Service | | | | + | | + |
+ -------------- + ---- + ---- + ---- + ----- + ----- + ----- + ----- + |Function (SF) | | | | | | |
|NSH Proxy | + | + | | | + | + | | +--------------- +--------+--------+-------+--------+-------+---------+
+----------------+------+------+------+-------+-------+-------+-------+ |NSH Proxy | + | + | | + | | |
+----------------+--------+--------+-------+--------+-------+---------+
Figure 10: NSH Action and Role Mapping Figure 8: NSH Action and Role Mapping
5. NSH Encapsulation 5. NSH Encapsulation
Once NSH is added to a packet, an outer encapsulation is used to Once NSH is added to a packet, an outer encapsulation is used to
forward the original packet and the associated metadata to the start forward the original packet and the associated metadata to the start
of a service chain. The encapsulation serves two purposes: of a service chain. The encapsulation serves two purposes:
1. Creates a topologically independent services plane. Packets are 1. Creates a topologically independent services plane. Packets are
forwarded to the required services without changing the forwarded to the required services without changing the
underlying network topology. underlying network topology
2. Transit network nodes simply forward the encapsulated packets as 2. Transit network nodes simply forward the encapsulated packets as
is. is.
The service header is independent of the encapsulation used and is The service header is independent of the encapsulation used and is
encapsulated in existing transports. The presence of NSH is encapsulated in existing transports. The presence of NSH is
indicated via protocol type or other indicator in the outer indicated via protocol type or other indicator in the outer
encapsulation. encapsulation.
See Section 11 for NSH encapsulation examples. See Section 9 for NSH encapsulation examples.
6. NSH Usage
The NSH creates a dedicated service plane, that addresses many of the
limitations highlighted in Section 2.2. More specifically, NSH
enables:
1. Topological Independence: Service forwarding occurs within the
service plane, via a network overlay, the underlying network
topology does not require modification. Service functions have
one or more network locators (e.g. IP address) to receive/send
data within the service plane, the NSH contains an identifier
that is used to uniquely identify a service path and the services
within that path.
2. Service Chaining: NSH contains path identification information
needed to realize a service path. Furthermore, NSH provides the
ability to monitor and troubleshoot a service chain, end-to-end
via service-specific OAM messages. The NSH fields can be used by
administrators (via, for example a traffic analyzer) to verify
(account, ensure correct chaining, provide reports, etc.) the
path specifics of packets being forwarded along a service path.
3. Metadata Sharing: NSH provides a mechanism to carry shared
metadata between network devices and service function, and
between service functions. The semantics of the shared metadata
is communicated via a control plane to participating nodes.
Examples of metadata include classification information used for
policy enforcement and network context for forwarding post
service delivery.
4. Transport Agnostic: NSH is transport independent and is carried
in an overlay, over existing underlays. If an existing overlay
topology provides the required service path connectivity, that
existing overlay may be used.
7. NSH Proxy Nodes
In order to support NSH-unaware service functions, an NSH proxy is
used. The proxy node removes the NSH header and delivers the
original packet/frame via a local attachment circuit to the service
function. Examples of a local attachment circuit include, but are
not limited to: VLANs, IP in IP, GRE, VXLAN. When complete, the
service function returns the packet to the NSH proxy via the same or
different attachment circuit.
NSH is re-imposed on packets returned to the proxy from the non-NSH-
aware service.
Typically, an SFF will act as an NSH-proxy when required.
An NSH proxy MUST perform NSH actions as described in Section 4.
8. Fragmentation Considerations 6. Fragmentation Considerations
Work in progress Work in progress: discussion of jumbo frames and PMTUD implications.
9. Service Path Forwarding with NSH 7. Service Path Forwarding with NSH
9.1. SFFs and Overlay Selection 7.1. SFFs and Overlay Selection
As described above, NSH contains a service path identifier (SPI) and As described above, NSH contains a Service Path Identifier (SPI) and
a service index (SI). The SPI is, as per its name, an identifier. a Service Index (SI). The SPI is, as per its name, an identifier.
The SPI alone cannot be used to forward packets along a service path. The SPI alone cannot be used to forward packets along a service path.
Rather the SPI provide a level of indirection between the service Rather the SPI provide a level of indirection between the service
path/topology and the network transport. Furthermore, there is no path/topology and the network transport. Furthermore, there is no
requirement, or expectation of an SPI being bound to a pre-determined requirement, or expectation of an SPI being bound to a pre-determined
or static network path. or static network path.
The service index provides an indication of location within a service The Service Index provides an indication of location within a service
path. The combination of SPI and SI provides the identification and path. The combination of SPI and SI provides the identification of a
location of a logical SF (locator and order). The logical SF may be logical SF and its order within the service plane, and is used to
a single SF, or a set of SFs that are equivalent. In the latter select the appropriate network locator(s) for overlay forwarding.
case, the SFF provides load distribution amongst the collection of The logical SF may be a single SF, or a set of SFs that are
SFs as needed. SI may also serve as a mechanism for loop detection equivalent. In the latter case, the SFF provides load distribution
with in a service path since each SF in the path decrements the amongst the collection of SFs as needed. SI may also serve as a
index; an index of 0 indicates that a loop occurred and packet must mechanism for loop detection within a service path since each SF in
be discarded. the path decrements the index; an Service Index of 0 indicates that a
loop occurred and packet must be discarded.
This indirection -- path ID to overlay -- creates a true service This indirection -- path ID to overlay -- creates a true service
plane. That is the SFF/SF topology is constructed without impacting plane. That is the SFF/SF topology is constructed without impacting
the network topology but more importantly service plane only the network topology but more importantly service plane only
participants (i.e. most SFs) need not be part of the network overlay participants (i.e. most SFs) need not be part of the network overlay
topology and its associated infrastructure (e.g. control plane, topology and its associated infrastructure (e.g. control plane,
routing tables, etc.). As mentioned above, an existing overlay routing tables, etc.). As mentioned above, an existing overlay
topology may be used provided it offers the requisite connectivity. topology may be used provided it offers the requisite connectivity.
The mapping of SPI to transport occurs on an SFF. The SFF consults The mapping of SPI to transport occurs on an SFF (as discussed above,
the SPI/ID values to determine the appropriate overlay transport the first SFF in the path gets a NSH encapsulated packet from the
protocol (several may be used within a given network) and next hop Classifier). The SFF consults the SPI/ID values to determine the
for the requisite SF. Figure 10 below depicts an SPI/SI to network appropriate overlay transport protocol (several may be used within a
overlay mapping. given network) and next hop for the requisite SF. Figure 9 below
depicts a simple, single next-hop SPI/SI to network overlay network
locator mapping.
+-------------------------------------------------------+ +-------------------------------------------------------+
| SPI | SI | NH | Transport | | SPI | SI | NH | Transport |
+-------------------------------------------------------+ +-------------------------------------------------------+
| 10 | 3 | 1.1.1.1 | VXLAN-gpe | | 10 | 255 | 1.1.1.1 | VXLAN-gpe |
| 10 | 2 | 2.2.2.2 | nvGRE | | 10 | 254 | 2.2.2.2 | nvGRE |
| 245 | 12 | 192.168.45.3 | VXLAN-gpe | | 10 | 251 | 10.1.2.3 | GRE |
| 10 | 9 | 10.1.2.3 | GRE | | 40 | 251 | 10.1.2.3 | GRE |
| 40 | 9 | 10.1.2.3 | GRE | | 50 | 200 | 01:23:45:67:89:ab | Ethernet |
| 50 | 7 | 01:23:45:67:89:ab | Ethernet | | 15 | 212 | Null (end of path) | None |
| 15 | 1 | Null (end of path) | None | +-------------------------------------------------------+
+-------------------------------------------------------+
Figure 11: SFF NSH Mapping Example Figure 9: SFF NSH Mapping Example
Additionally, further indirection is possible: the resolution of the Additionally, further indirection is possible: the resolution of the
required SF function locator may be a localized resolution on an required SF network locator may be a localized resolution on an SFF,
SFF,rather than a service function chain control plane rather than a service function chain control plane responsibility, as
responsibility, as per figures 11 and 12 below. per figures 10 and 11 below.
+-------------------+ +-------------------+
| SPI | SI | NH | | SPI | SI | NH |
+-------------------+ +-------------------+
| 10 | 3 | SF2 | | 10 | 3 | SF2 |
| 245 | 12 | SF34 | | 245 | 12 | SF34 |
| 40 | 9 | SF9 | | 40 | 9 | SF9 |
+-------------------+ +-------------------+
Figure 12: NSH to SF Mapping Example Figure 10: NSH to SF Mapping Example
+-----------------------------------+ +-----------------------------------+
| SF | NH | Transport | | SF | NH | Transport |
+-----------------------------------| +-----------------------------------|
| SF2 | 10.1.1.1 | VXLAN-gpe | | SF2 | 10.1.1.1 | VXLAN-gpe |
| SF34| 192.168.1.1 | UDP | | SF34| 192.168.1.1 | UDP |
| SF9 | 1.1.1.1 | GRE | | SF9 | 1.1.1.1 | GRE |
+-----------------------------------+ +-----------------------------------+
Figure 13: SF Locator Mapping Example Figure 11: SF Locator Mapping Example
Since the SPI is a representation of the service path, the lookup may Since the SPI is a representation of the service path, the lookup may
return more than one possible next-hop within a service path for a return more than one possible next-hop within a service path for a
given SF, essentially a series of weighted (equally or otherwise) given SF, essentially a series of weighted (equally or otherwise)
overlay links to be used (for load distribution, redundancy or overlay links to be used (for load distribution, redundancy or
policy), see Figure 13. The metric depicted in Figure 13 is an policy), see Figure 12. The metric depicted in Figure 12 is an
example to help illustrated weighing SFs. In a real network, the example to help illustrated weighing SFs. In a real network, the
metric will range from a simple preference (similar to routing next- metric will range from a simple preference (similar to routing next-
hop), to a true dynamic composite metric based on some service hop), to a true dynamic composite metric based on some service
function-centric state (including load, sessions sate, capacity, function-centric state (including load, sessions state, capacity,
etc.) etc.)
+----------------------------------+
| SPI | SI | NH | Metric | +----------------------------------+
+----------------------------------+ | SPI | SI | NH | Metric |
| 10 | 3 | 10.1.1.1 | 1 | +----------------------------------+
| | | 10.1.1.2 | 1 | | 10 | 3 | 10.1.1.1 | 1 |
| | | | | | | | 10.1.1.2 | 1 |
| 20 | 12 | 192.168.1.1 | 1 | | | | | |
| | | 10.2.2.2 | 1 | | 20 | 12 | 192.168.1.1 | 1 |
| | | | | | | | 10.2.2.2 | 1 |
| 30 | 7 | 10.2.2.3 | 10 | | | | | |
| | | 10.3.3.3 | 5 | | 30 | 7 | 10.2.2.3 | 10 |
+----------------------------------+ | | | 10.3.3.3 | 5 |
+----------------------------------+
(encap type omitted for formatting) (encap type omitted for formatting)
Figure 14: NSH Weighted Service Path Figure 12: NSH Weighted Service Path
9.2. Mapping NSH to Network Overlay 7.2. Mapping NSH to Network Overlay
As described above, the mapping of SPI to network topology may result As described above, the mapping of SPI to network topology may result
in a single overlay path, or it might result in a more complex in a single overlay path, or it might result in a more complex
topology. Furthermore, the SPIx to overlay mapping occurs at each topology. Furthermore, the SPIx to overlay mapping occurs at each
SFF independently. Any combination of topology selection is SFF independently. Any combination of topology selection is
possible. possible. Please note, there is no requirement to create a new
overlay topology if a suitable one already existing. NSH packets can
use any (new or existing) overlay provided the requisite connectivity
requirements are satisfied.
Examples of mapping for a topology: Examples of mapping for a topology:
1. Next SF is located at SFFb with locator 10.1.1.1 1. Next SF is located at SFFb with locator 10.1.1.1
SFFa mapping: SPI=10 --> VXLAN-gpe, dst-ip: 10.1.1.1 SFFa mapping: SPI=10 --> VXLAN-gpe, dst-ip: 10.1.1.1
2. Next SF is located at SFFc with multiple locator for load 2. Next SF is located at SFFc with multiple network locators for
distribution purposes: load distribution purposes:
SFFb mapping: SPI=10 --> VXLAN-gpe, dst_ip:10.2.2.1, 10.2.2.2, SFFb mapping: SPI=10 --> VXLAN-gpe, dst_ip:10.2.2.1, 10.2.2.2,
10.2.2.3, equal cost 10.2.2.3, equal cost
3. Next SF is located at SFFd with two path to SFFc, one for 3. Next SF is located at SFFd with two paths to SFFc, one for
redundancy: redundancy:
SFFc mapping: SPI=10 --> VXLAN-gpe, dst_ip:10.1.1.1 cost=10, SFFc mapping: SPI=10 --> VXLAN-gpe, dst_ip:10.1.1.1 cost=10,
10.1.1.2, cost=20 10.1.1.2, cost=20
In the above example, each SFF makes an independent decision about In the above example, each SFF makes an independent decision about
the network overlay path and policy for that path. In other words, the network overlay path and policy for that path. In other words,
there is no a priori mandate about how to forward packets in the there is no a priori mandate about how to forward packets in the
network (only the order of services that must be traversed). network (only the order of services that must be traversed).
The network operator retains the ability to engineer the overlay The network operator retains the ability to engineer the overlay
paths as required. For example, the overlay path between service paths as required. For example, the overlay path between service
functions forwarders may utilize traffic engineering, QoS marking, or functions forwarders may utilize traffic engineering, QoS marking, or
ECMP, without requiring complex configuration and network protocol ECMP, without requiring complex configuration and network protocol
support to be extended to the service path explicitly. In other support to be extended to the service path explicitly. In other
words, the network operates as expected, and evolves as required, as words, the network operates as expected, and evolves as required, as
does the service function plane. does the service function plane.
9.3. Service Plane Visibility 7.3. Service Plane Visibility
The SPI and SI serve an important function for visibility into the The SPI and SI serve an important function for visibility into the
service topology. An operator can determine what service path a service topology. An operator can determine what service path a
packet is "on", and its location within that path simply by viewing packet is "on", and its location within that path simply by viewing
the NSH information (packet capture, IPFIX, etc.). The information the NSH information (packet capture, IPFIX, etc.). The information
can be used for service scheduling and placement decisions, can be used for service scheduling and placement decisions,
troubleshooting and compliance verification. troubleshooting and compliance verification.
9.4. Service Graphs 7.4. Service Graphs
In some cases, a service path is exactly that -- a linear list of In some cases, a service path is exactly that -- a linear list of
service functions that must be traversed. However, increasingly, the service functions that must be traversed. However, the "path" is
"path" is actually a true directed graph. Furthermore, within a actually a directed graph. Furthermore, within a given service
given service topology several directed graphs may exist with packets topology several directed graphs may exist with packets moving
moving between graphs based on non-initial classification (usually between graphs based on non-initial classification (in Figure 13, co-
performed by a service function). Note: strictly speaking a path is located with the SFs).
a form of graph; the intent is to distinguish between a directed
graph and a path.
,---. ,---. ,---. ,---. ,---. ,---.
/ \ / \ / \ / \ / \ / \
( SF2 ) ( SF7 ) ( SF3 ) ( SF2 +------+ SF7 +--------+ SF3 )
,------\ +. \ / \ / ,------\ / \ / /-+ /
; |---' `-. `---'\ `-+-' ; |---' `---'\ / `-+-'
| : : \ ; | : \ /
| \ | : ; | \ /---:---
,-+-. `. ,+--. : | ,-+-. `. ,---. / :
/ \ '---+ \ \ ; / \ '---+ \/ \
( SF1 ) ( SF6 ) \ / ( SF1 ) ( SF6 ) \
\ / \ +--. : / \ / \ +--. :
`---' `---' `-. ,-+-. / `---' `---' `-. ,-+-.
`+ +' `+ \
( SF4 ) ( SF4 )
\ / \ /
`---' `---'
Figure 15: Service Graph Example Figure 13: Service Graph Example
The SPI/SI combination provides a simple representation of a directed The SPI/SI combination provides a simple representation of a directed
graph, the SPI represents a graph ID; and the SI a node ID. The graph, the SPI represents a graph ID; and the SI a node ID. The
service topology formed by SPI/SI support cycles, weighting, and service topology formed by SPI/SI support cycles, weighting, and
alternate topology selection, all within the service plane. The alternate topology selection, all within the service plane. The
realization of the network topology occurs as described above: SPI/ID realization of the network topology occurs as described above: SPI/ID
mapping to an appropriate transport and associated next network hops. mapping to an appropriate transport and associated next network hops.
NSH-aware services receive the entire header, including the SPI/SI. NSH-aware services receive the entire header, including the SPI/SI.
An SF can now, based on local policy, alter the SPI, which in turn An non-initial logical classifier (in many deployment, this
effects both the service graph, and in turn the selection of overlay classifier will be co-resident with a SF) can now, based on local
at the SFF. The figure below depicts the policy associated with the policy, alter the SPI, which in turn effects both the service graph,
graph in Figure 14 above. Note: this illustrates multiple graphs and and in turn the selection of overlay at the SFF. The figure below
their representation; it does not depict the use of metadata within a depicts the policy associated with the graph in Figure 13 above.
single service function graph. Note: this illustrates multiple graphs and their representation; it
does not depict the use of metadata within a single service function
graph.
+---------------------------------------------------------------------+ SF1:
| SPI: 21 Bob: SF7 | SPI: 10
| SPI: 20 Bad : SF2 --> SF6 --> SF4 | NH: SF2
|SPI: 10 SF1 --> SF2 --> SF6 SPI: 22 Alice: SF3 | SF2:
| SPI: 30 Good: SF4 | Class: Bad
| SPI:31 Bob: SF7 | SPI: 20
| SPI:32 Alice: SF3 | NH: SF6
+---------------------------------------------------------------------+ Class: Good
SPI: 30
NH: SF7
SF6:
Class: Employee
SPI: 21
NH: SF4
Class: Guest
SPI: 22
NH: SF3
SF7:
Class: Employee
SPI: 31
NH: SF4
Class: Guest
SPI: 32
NH: SF3
Figure 16: Service Graphs Using SPI Figure 14: Service Graphs Using SPI
This example above does not show the mapping of the service topology This example above does not show the mapping of the service topology
to the network overlay topology. As discussed in the sections above, to the network overlay topology. As discussed in the sections above,
the overlay selection occurs as per network policy. the overlay selection occurs as per network policy.
10. Policy Enforcement with NSH 8. Policy Enforcement with NSH
10.1. NSH Metadata and Policy Enforcement 8.1. NSH Metadata and Policy Enforcement
As described in Section 3, NSH provides the ability to carry metadata As described in Section 3, NSH provides the ability to carry metadata
along a service path. This metadata may be derived from several along a service path. This metadata may be derived from several
sources, common examples include: sources, common examples include:
Network nodes: Information provided by network nodes can indicate Network nodes/devices: Information provided by network nodes can
network-centric information (such as VRF or tenant) that may be indicate network-centric information (such as VRF or tenant) that
used by service functions, or conveyed to another network node may be used by service functions, or conveyed to another network
post-service pathing. node post service path egress.
External (to the network) systems: External systems, such as External (to the network) systems: External systems, such as
orchestration systems, often contain information that is valuable orchestration systems, often contain information that is valuable
for service function policy decisions. In most cases, this for service function policy decisions. In most cases, this
information cannot be deduced by network nodes. For example, a information cannot be deduced by network nodes. For example, a
cloud orchestration platform placing workloads "knows" what cloud orchestration platform placing workloads "knows" what
application is being instantiated and can communicate this application is being instantiated and can communicate this
information to all NSH nodes via metadata. information to all NSH nodes via metadata carried in the context
header(s).
Service functions: Service functions often perform very detailed Service Functions: A classifier co-resident with Service Functions
and valuable classification. In some cases they may terminate, often perform very detailed and valuable classification. In some
and be able to inspect encrypted traffic. SFs may update, alter cases they may terminate, and be able to inspect encrypted
or impose metadata information. traffic.
Regardless of the source, metadata reflects the "result" of Regardless of the source, metadata reflects the "result" of
classification. The granularity of classification may vary. For classification. The granularity of classification may vary. For
example, a network switch might only be able to classify based on a example, a network switch, acting as a classifier, might only be able
5-tuple, whereas, a service function may be able to inspect to classify based on a 5-tuple, whereas, a service function may be
application information. Regardless of granularity, the able to inspect application information. Regardless of granularity,
classification information can be represented in NSH. the classification information can be represented in NSH.
Once the data is added to NSH, it is carried along the service path, Once the data is added to NSH, it is carried along the service path,
NSH-aware SFs receive the metadata, and can use that metadata for NSH-aware SFs receive the metadata, and can use that metadata for
local decisions and policy enforcement. The following two examples local decisions and policy enforcement. The following two examples
highlight the relationship between metadata and policy: highlight the relationship between metadata and policy:
+-------------------------------------------------+ +-------+ +-------+ +-------+
| ,---. ,---. ,---. | | SFF )------->( SFF |------->| SFF |
| / \ / \ / \ | +---^---+ +---|---+ +---|---+
| ( SCL )-------->( SF1 )--------->( SF2 ) | ,-|-. ,-|-. ,-|-.
| \ / \ / \ / | / \ / \ / \
| `---' `---' `---' | ( Class ) SF1 ) ( SF2 )
|5-tuple: Permit Inspect | \ ify / \ / \ /
|Tenant A Tenant A AppY | `---' `---' `---'
|AppY | 5-tuple: Permit Inspect
+-------------------------------------------------+ Tenant A Tenant A AppY
AppY
Figure 17: Metadata and Policy Figure 15: Metadata and Policy
+-------------------------------------------------+ +-----+ +-----+ +-----+
| ,---. ,---. ,---. | | SFF |---------> | SFF |----------> | SFF |
| / \ / \ / \ | +--+--+ +--+--+ +--+--+
| ( SCL )-------->( SF1 )--------->( SF2 ) | ^ | |
| \ / \ / \ / | ,-+-. ,-+-. ,-+-.
| `-+-' `---' `---' | / \ / \ / \
| | Permit Deny AppZ | ( Class ) ( SF1 ) ( SF2 )
| +---+---+ employees | \ ify / \ / \ /
| | | | `-+-' `---' `---'
| +-------+ | | Permit Deny AppZ
| external | +---+---+ employees
| system: | | |
| Employee | +-------+
| App Z | external
+-------------------------------------------------+ system:
Employee
AppZ
Figure 18: External Metadata and Policy Figure 16: External Metadata and Policy
In both of the examples above, the service functions perform policy In both of the examples above, the service functions perform policy
decisions based on the result of the initial classification: the SFs decisions based on the result of the initial classification: the SFs
did not need to perform re-classification, rather they relied on a did not need to perform re-classification, rather they rely on a
antecedent classification for local policy enforcement. antecedent classification for local policy enforcement.
10.2. Updating/Augmenting Metadata 8.2. Updating/Augmenting Metadata
Post-initial metadata imposition (typically performed during initial Post-initial metadata imposition (typically performed during initial
service path determination), metadata may be augmented or updated: service path determination), metadata may be augmented or updated:
1. Metadata Augmentation: Information may be added to NSH's existing 1. Metadata Augmentation: Information may be added to NSH's existing
metadata, as depicted in Figure 18. For example, if the initial metadata, as depicted in Figure 17. For example, if the initial
classification returns the tenant information, a secondary classification returns the tenant information, a secondary
classification (perhaps a DPI or SLB) may augment the tenant classification (perhaps co-resident with DPI or SLB) may augment
classification with application information. The tenant the tenant classification with application information, and
impose that new information in the NSH metadata. The tenant
classification is still valid and present, but additional classification is still valid and present, but additional
information has been added to it. information has been added to it.
2. Metadata Update: Subsequent classifiers may update the initial 2. Metadata Update: Subsequent classifiers may update the initial
classification if it is determined to be incorrect or not classification if it is determined to be incorrect or not
descriptive enough. For example, the initial classifier adds descriptive enough. For example, the initial classifier adds
metadata that describes the trafic as "internet" but a security metadata that describes the traffic as "internet" but a security
service function determines that the traffic is really "attack". service function determines that the traffic is really "attack".
Figure 19 illustrates an example of updating metadata. Figure 18 illustrates an example of updating metadata.
+-------------------------------------------------+ +-----+ +-----+ +-----+
| ,---. ,---. ,---. | | SFF |---------> | SFF |----------> | SFF |
| / \ / \ / \ | +--+--+ +--+--+ +--+--+
| ( SCL )-------->( SF1 )--------->( SF2 ) | ^ | |
| \ / \ / \ / | ,---. ,---. ,---.
| `-+-' `---' `---' | / \ / \ / \
| | Inspect Deny | ( Class ) ( SF1 ) ( SF2 )
| +---+---+ employees employee+ | \ / \ / \ /
| | | Class=AppZ appZ | `-+-' `---' `---'
| +-------+ | | Inspect Deny
| external | +---+---+ employees employee+
| system: | | | Class=AppZ appZ
| Employee | +-------+
| | external
+-------------------------------------------------+ system:
Employee
Figure 19: Metadata Augmentation Figure 17: Metadata Augmentation
+-------------------------------------------------+ +-----+ +-----+ +-----+
| ,---. ,---. ,---. | | SFF |---------> | SFF |----------> | SFF |
| / \ / \ / \ | +--+--+ +--+--+ +--+--+
| ( SCL )-------->( SF1 )--------->( SF2 ) | ^ | |
| \ / \ / \ / | ,---. ,---. ,---.
| `---' `---' `---' | / \ / \ / \
|5-tuple: Inspect Deny | ( Class ) ( SF1 ) ( SF2 )
|Tenant A Tenant A attack | \ / \ / \ /
| --> attack | `---' `---' `---'
+-------------------------------------------------+ 5-tuple: Inspect Deny
Tenant A Tenant A attack
--> attack
Figure 20: Metadata Update Figure 18: Metadata Update
10.3. Service Path ID and Metadata 8.3. Service Path ID and Metadata
Metadata information may influence the service path selection since Metadata information may influence the service path selection since
the service path identifier can represent the result of the Service Path Identifier can represent the result of
classification. A given SPI can represent all or some of the classification. A given SPI can represent all or some of the
metadata, and be updated based on metadata classification results. metadata, and be updated based on metadata classification results.
This relationship provides the ability to create a dynamic services This relationship provides the ability to create a dynamic services
plane based on complex classification without requiring each node to plane based on complex classification without requiring each node to
be capable of such classification, or requiring a coupling to the be capable of such classification, or requiring a coupling to the
network topology. This yields service graph functionality as network topology. This yields service graph functionality as
described in Section 9.4. Figure 20 illustrates an example of this described in Section 7.4. Figure 19 illustrates an example of this
behavior. behavior.
+----------------------------------------------------+ +-----+ +-----+ +-----+
| ,---. ,---. ,---. | | SFF |---------> | SFF |------+---> | SFF |
| / \ / \ / \ | +--+--+ +--+--+ | +--+--+
| ( SCL )-------->( SF1 )--------->( SF2 ) | | | | |
| \ / \ / \ / | ,---. ,---. | ,---.
| `---' `---' \ `---' | / \ / \ | / \
|5-tuple: Inspect \ Original | ( SCL ) ( SF1 ) | ( SF2 )
|Tenant A Tenant A \ next SF | \ / \ / | \ /
| --> DoS \ | `---' `---' +-----+ `---'
| \ | 5-tuple: Inspect | SFF | Original
| ,---. | Tenant A Tenant A +--+--+ next SF
| / \ | --> DoS |
| ( SF10 ) | V
| \ / | ,-+-.
| `---' | / \
| DoS | ( SF10 )
| "Scrubber" | \ /
+----------------------------------------------------+ `---'
DoS
"Scrubber"
Figure 21: Path ID and Metadata Figure 19: Path ID and Metadata
Specific algorithms for mapping metadata to an SPI are outside the Specific algorithms for mapping metadata to an SPI are outside the
scope of this draft. scope of this draft.
11. NSH Encapsulation Examples 9. NSH Encapsulation Examples
11.1. GRE + NSH 9.1. GRE + NSH
IPv4 Packet: IPv4 Packet:
+----------+--------------------+--------------------+ +----------+--------------------+--------------------+
|L2 header | L3 header, proto=47|GRE header,PT=0x894F| |L2 header | L3 header, proto=47|GRE header,PT=0x894F|
+----------+--------------------+--------------------+ +----------+--------------------+--------------------+
--------------+----------------+ --------------+----------------+
NSH, NP=0x1 |original packet | NSH, NP=0x1 |original packet |
--------------+----------------+ --------------+----------------+
L2 Frame: L2 Frame:
+----------+--------------------+--------------------+ +----------+--------------------+--------------------+
|L2 header | L3 header, proto=47|GRE header,PT=0x894F| |L2 header | L3 header, proto=47|GRE header,PT=0x894F|
+----------+--------------------+--------------------+ +----------+--------------------+--------------------+
---------------+---------------+ ---------------+---------------+
NSH, NP=0x3 |original frame | NSH, NP=0x3 |original frame |
---------------+---------------+ ---------------+---------------+
Figure 22: GRE + NSH Figure 20: GRE + NSH
11.2. VXLAN-gpe + NSH 9.2. VXLAN-gpe + NSH
IPv4 Packet: IPv4 Packet:
+----------+------------------------+---------------------+ +----------+------------------------+---------------------+
|L2 header | IP + UDP dst port=4790 |VXLAN-gpe NP=0x4(NSH)| |L2 header | IP + UDP dst port=4790 |VXLAN-gpe NP=0x4(NSH)|
+----------+------------------------+---------------------+ +----------+------------------------+---------------------+
--------------+----------------+ --------------+----------------+
NSH, NP=0x1 |original packet | NSH, NP=0x1 |original packet |
--------------+----------------+ --------------+----------------+
L2 Frame: L2 Frame:
+----------+------------------------+---------------------+ +----------+------------------------+---------------------+
|L2 header | IP + UDP dst port=4790 |VXLAN-gpe NP=0x4(NSH)| |L2 header | IP + UDP dst port=4790 |VXLAN-gpe NP=0x4(NSH)|
+----------+------------------------+---------------------+ +----------+------------------------+---------------------+
---------------+---------------+ ---------------+---------------+
NSH,NP=0x3 |original frame | NSH,NP=0x3 |original frame |
---------------+---------------+ ---------------+---------------+
Figure 23: VXLAN-gpe + NSH Figure 21: VXLAN-gpe + NSH
11.3. Ethernet + NSH 9.3. Ethernet + NSH
IPv4 Packet: IPv4 Packet:
+-------------------------------+---------------+--------------------+ +-------------------------------+---------------+--------------------+
|Outer Ethernet, ET=0x894F | NSH, NP = 0x1 | original IP Packet | |Outer Ethernet, ET=0x894F | NSH, NP = 0x1 | original IP Packet |
+-------------------------------+---------------+--------------------+ +-------------------------------+---------------+--------------------+
L2 Frame: L2 Frame:
+-------------------------------+---------------+----------------+ +-------------------------------+---------------+----------------+
|Outer Ethernet, ET=0x894F | NSH, NP = 0x3 | original frame | |Outer Ethernet, ET=0x894F | NSH, NP = 0x3 | original frame |
+-------------------------------+---------------+----------------+ +-------------------------------+---------------+----------------+
Figure 24: Ethernet + NSH Figure 22: Ethernet + NSH
12. Security Considerations 10. Security Considerations
As with many other protocols, NSH data can be spoofed or otherwise As with many other protocols, NSH data can be spoofed or otherwise
modified. In many deployments, NSH will be used in a controlled modified. In many deployments, NSH will be used in a controlled
environment, with trusted devices (e.g. a data center) thus environment, with trusted devices (e.g. a data center) thus
mitigating the risk of unauthorized header manipulation. mitigating the risk of unauthorized header manipulation.
NSH is always encapsulated in a transport protocol and therefore, NSH is always encapsulated in a transport protocol and therefore,
when required, existing security protocols that provide authenticity when required, existing security protocols that provide authenticity
(e.g. RFC 2119 [RFC6071]) can be used. (e.g. RFC 2119 [RFC6071]) can be used.
Similarly if confidentiality is required, existing encryption Similarly if confidentiality is required, existing encryption
protocols can be used in conjunction with encapsulated NSH. protocols can be used in conjunction with encapsulated NSH.
13. Open Items for WG Discussion 11. Open Items for WG Discussion
1. MD type 1 metadata semantics specifics 1. MD type 1 metadata semantics specifics
2. Bypass bit in NSH. 2. Bypass bit in NSH.
3. Rendered Service Path ID (RSPID). 3. Rendered Service Path ID (RSPID).
14. Contributors 12. Contributors
This WG document originated as draft-quinn-sfc-nsh and had the This WG document originated as draft-quinn-sfc-nsh and had the
following co-authors and contributors. The editors of this document following co-authors and contributors. The editors of this document
would like to thank and recognize them and their contributions. would like to thank and recognize them and their contributions.
These co-authors and contributors provided invaluable concepts and These co-authors and contributors provided invaluable concepts and
content for this document's creation. content for this document's creation.
Surendra Kumar Surendra Kumar
Cisco Systems Cisco Systems
smkumar@cisco.com smkumar@cisco.com
skipping to change at page 37, line 5 skipping to change at page 38, line 5
louis.fourie@huawei.com louis.fourie@huawei.com
Ron Parker Ron Parker
Affirmed Networks Affirmed Networks
ron_parker@affirmednetworks.com ron_parker@affirmednetworks.com
Myo Zarny Myo Zarny
Goldman Sachs Goldman Sachs
myo.zarny@gs.com myo.zarny@gs.com
15. Acknowledgments 13. Acknowledgments
The authors would like to thank Nagaraj Bagepalli, Abhijit Patra, The authors would like to thank Nagaraj Bagepalli, Abhijit Patra,
Peter Bosch, Darrel Lewis, Pritesh Kothari, Tal Mizrahi and Ken Gray Peter Bosch, Darrel Lewis, Pritesh Kothari, Tal Mizrahi and Ken Gray
for their detailed review, comments and contributions. for their detailed review, comments and contributions.
A special thank you goes to David Ward and Tom Edsall for their A special thank you goes to David Ward and Tom Edsall for their
guidance and feedback. guidance and feedback.
Additionally the authors would like to thank Carlos Pignataro and Additionally the authors would like to thank Carlos Pignataro and
Larry Kreeger for their invaluable ideas and contributions which are Larry Kreeger for their invaluable ideas and contributions which are
reflected throughout this draft. reflected throughout this draft.
Lastly, Reinaldo Penno deserves a particular thank you for his Lastly, Reinaldo Penno deserves a particular thank you for his
architecture and implementation work that helped guide the protocol architecture and implementation work that helped guide the protocol
concepts and design. concepts and design.
16. IANA Considerations 14. IANA Considerations
16.1. NSH EtherType 14.1. NSH EtherType
An IEEE EtherType, 0x894F, has been allocated for NSH. An IEEE EtherType, 0x894F, has been allocated for NSH.
16.2. Network Service Header (NSH) Parameters 14.2. Network Service Header (NSH) Parameters
IANA is requested to create a new "Network Service Header (NSH) IANA is requested to create a new "Network Service Header (NSH)
Parameters" registry. The following sub-sections request new Parameters" registry. The following sub-sections request new
registries within the "Network Service Header (NSH) Parameters " registries within the "Network Service Header (NSH) Parameters "
registry. registry.
16.2.1. NSH Base Header Reserved Bits 14.2.1. NSH Base Header Reserved Bits
There are ten bits at the beginning of the NSH Base Header. New bits There are ten bits at the beginning of the NSH Base Header. New bits
are assigned via Standards Action [RFC5226]. are assigned via Standards Action [RFC5226].
Bits 0-1 - Version Bits 0-1 - Version
Bit 2 - OAM (O bit) Bit 2 - OAM (O bit)
Bits 2-9 - Reserved Bits 2-9 - Reserved
16.2.2. MD Type Registry 14.2.2. MD Type Registry
IANA is requested to set up a registry of "MD Types". These are IANA is requested to set up a registry of "MD Types". These are
8-bit values. MD Type values 0, 1, 2, 254, and 255 are specified in 8-bit values. MD Type values 0, 1, 2, 254, and 255 are specified in
this document. Registry entries are assigned by using the "IETF this document. Registry entries are assigned by using the "IETF
Review" policy defined in RFC 5226 [RFC5226]. Review" policy defined in RFC 5226 [RFC5226].
+---------+--------------+---------------+ +---------+--------------+---------------+
| MD Type | Description | Reference | | MD Type | Description | Reference |
+---------+--------------+---------------+ +---------+--------------+---------------+
| 0 | Reserved | This document | | 0 | Reserved | This document |
skipping to change at page 39, line 5 skipping to change at page 40, line 5
| | | | | | | |
| 3..253 | Unassigned | | | 3..253 | Unassigned | |
| | | | | | | |
| 254 | Experiment 1 | This document | | 254 | Experiment 1 | This document |
| | | | | | | |
| 255 | Experiment 2 | This document | | 255 | Experiment 2 | This document |
+---------+--------------+---------------+ +---------+--------------+---------------+
Table 1 Table 1
16.2.3. TLV Class Registry 14.2.3. TLV Class Registry
IANA is requested to set up a registry of "TLV Types". These are 16- IANA is requested to set up a registry of "TLV Types". These are 16-
bit values. Registry entries are assigned by using the "IETF Review" bit values. Registry entries are assigned by using the "IETF Review"
policy defined in RFC 5226 [RFC5226]. policy defined in RFC 5226 [RFC5226].
16.2.4. NSH Base Header Next Protocol 14.2.4. NSH Base Header Next Protocol
IANA is requested to set up a registry of "Next Protocol". These are IANA is requested to set up a registry of "Next Protocol". These are
8-bit values. Next Protocol values 0, 1, 2 and 3 are defined in this 8-bit values. Next Protocol values 0, 1, 2 and 3 are defined in this
draft. New values are assigned via Standards Action [RFC5226]. draft. New values are assigned via Standards Action [RFC5226].
+---------------+-------------+---------------+ +---------------+-------------+---------------+
| Next Protocol | Description | Reference | | Next Protocol | Description | Reference |
+---------------+-------------+---------------+ +---------------+-------------+---------------+
| 0 | Reserved | This document | | 0 | Reserved | This document |
| | | | | | | |
skipping to change at page 40, line 5 skipping to change at page 41, line 5
| | | | | | | |
| 2 | IPv6 | This document | | 2 | IPv6 | This document |
| | | | | | | |
| 3 | Ethernet | This document | | 3 | Ethernet | This document |
| | | | | | | |
| 4..253 | Unassigned | | | 4..253 | Unassigned | |
+---------------+-------------+---------------+ +---------------+-------------+---------------+
Table 2 Table 2
17. References 15. References
17.1. Normative References 15.1. Normative References
[RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791,
September 1981. DOI 10.17487/RFC0791, September 1981,
<http://www.rfc-editor.org/info/rfc791>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
17.2. Informative References 15.2. Informative References
[RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P. [RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P.
Traina, "Generic Routing Encapsulation (GRE)", RFC 2784, Traina, "Generic Routing Encapsulation (GRE)", RFC 2784,
March 2000. DOI 10.17487/RFC2784, March 2000,
<http://www.rfc-editor.org/info/rfc2784>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226, IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008. DOI 10.17487/RFC5226, May 2008,
<http://www.rfc-editor.org/info/rfc5226>.
[RFC6071] Frankel, S. and S. Krishnan, "IP Security (IPsec) and [RFC6071] Frankel, S. and S. Krishnan, "IP Security (IPsec) and
Internet Key Exchange (IKE) Document Roadmap", RFC 6071, Internet Key Exchange (IKE) Document Roadmap", RFC 6071,
February 2011. DOI 10.17487/RFC6071, February 2011,
<http://www.rfc-editor.org/info/rfc6071>.
[SFC-PS] Quinn, P., Ed. and T. Nadeau, Ed., "Service Function [RFC7498] Quinn, P., Ed. and T. Nadeau, Ed., "Problem Statement for
Chaining Problem Statement", 2014, <http:// Service Function Chaining", RFC 7498, DOI 10.17487/
datatracker.ietf.org/doc/ RFC7498, April 2015,
draft-ietf-sfc-problem-statement/>. <http://www.rfc-editor.org/info/rfc7498>.
[SFC-arch] [SFC-arch]
Quinn, P., Ed. and J. Halpern, Ed., "Service Function Quinn, P., Ed. and J. Halpern, Ed., "Service Function
Chaining (SFC) Architecture", 2014, Chaining (SFC) Architecture", 2014,
<http://datatracker.ietf.org/doc/draft-quinn-sfc-arch>. <http://datatracker.ietf.org/doc/draft-quinn-sfc-arch>.
[VXLAN-gpe] [VXLAN-gpe]
Quinn, P., Agarwal, P., Kreeger, L., Lewis, D., Maino, F., Quinn, P., Manur, R., Agarwal, P., Kreeger, L., Lewis, D.,
Yong, L., Xu, X., Elzur, U., and P. Garg, "Generic Maino, F., Smith, M., Yong, L., Xu, X., Elzur, U., Garg,
Protocol Extension for VXLAN", P., and D. Melman, "Generic Protocol Extension for VXLAN",
<https://datatracker.ietf.org/doc/draft-quinn-vxlan-gpe/>. <https://datatracker.ietf.org/doc/
draft-ietf-nvo3-vxlan-gpe/>.
[dcalloc] Guichard, J., Smith, M., and S. Kumar, "Network Service [dcalloc] Guichard, J., Smith, M., and S. Kumar, "Network Service
Header (NSH) Context Header Allocation (Data Center)", Header (NSH) Context Header Allocation (Data Center)",
2014, <https://datatracker.ietf.org/doc/ 2014, <https://datatracker.ietf.org/doc/
draft-guichard-sfc-nsh-dc-allocation/>. draft-guichard-sfc-nsh-dc-allocation/>.
[moballoc] [moballoc]
Napper, J. and S. Kumar, "NSH Context Header Allocation -- Napper, J. and S. Kumar, "NSH Context Header Allocation --
Mobility", 2014, <https://datatracker.ietf.org/doc/ Mobility", 2014, <https://datatracker.ietf.org/doc/
draft-napper-sfc-nsh-mobility-allocation/>. draft-napper-sfc-nsh-mobility-allocation/>.
 End of changes. 152 change blocks. 
599 lines changed or deleted 628 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/