rfcdiff: draft-ietf-sfc-nsh-17.txt vs. draft-ietf-sfc-nsh-18.txt

Service Function Chaining                                    P. Quinn, Ed.
Internet-Draft                                                       Cisco
Intended status: Standards Track                             U. Elzur, Ed.
Expires: January 26, 2018                                            Intel
                                                         C. Pignataro, Ed.
                                                                     Cisco
                                                             July 25, 2017

                       Network Service Header (NSH)
   draft-17: draft-ietf-sfc-nsh-17
   draft-18: draft-ietf-sfc-nsh-18

Abstract

   This document describes a Network Service Header (NSH) inserted onto
   packets or frames to realize service function paths.  NSH also
   provides a mechanism for metadata exchange along the instantiated
   service paths.  NSH is the SFC encapsulation required to support the
   Service Function Chaining (SFC) architecture (defined in RFC7665).

Status of This Memo
skipping to change at page 15, line 41

   or static network path.

   The Service Index provides an indication of location within a service
   path.  The combination of SPI and SI provides the identification of a
   logical SF and its order within the service plane, and is used to
   select the appropriate network locator(s) for overlay forwarding.
   The logical SF may be a single SF, or a set of eligible SFs that are
   equivalent.  In the latter case, the SFF provides load distribution
   amongst the collection of SFs as needed.

   draft-17:
   SI serves as a mechanism for detecting invalid service function path.
   In particular, an SI value of zero indicates that forwarding is
   incorrect and the packet must be discarded

   draft-18:
   SI serves as a mechanism for detecting invalid service function
   paths.  In particular, an SI value of zero indicates that forwarding
   is incorrect and the packet must be discarded.

   This indirection -- SPI to overlay -- creates a true service plane.
   That is the SFF/SF topology is constructed without impacting the
   network topology but more importantly service plane only participants
   (i.e., most SFs) need not be part of the network overlay topology and
   its associated infrastructure (e.g., control plane, routing tables,
   etc.) SFs need to be able to return a packet to an appropriate SFF
   (i.e., has the requisite NSH information) when service processing is
   complete.  This can be via the over or underlay and in some case
   require additional configuration on the SF.  As mentioned above, an
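Review bot: the discard rule in the -18 text ("an SI value of zero indicates that forwarding is incorrect and the packet must be discarded") reads as a normative requirement on the SFF but uses lowercase "must", whereas the security text later in this diff uses RFC 2119 capitals ("An operator MUST carefully select"); if the discard is mandatory, write "MUST be discarded". The unchanged context also still lacks a full stop after "etc.)" before "SFs need to be able", and "in some case" should be "in some cases".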
skipping to change at page 21, line 37

   did not need to perform re-classification, rather they rely on a
   antecedent classification for local policy enforcement.

   Depending on the information carried in the metadata, data privacy
   considerations may need to be considered.  For example, if the
   metadata conveys tenant information, that information may need to be
   authenticated and/or encrypted between the originator and the
   intended recipients (which may include intended SFs only) .  NSH
   itself does not provide privacy functions, rather it relies on the
   transport/overlay layer.

   draft-17:
   An operator can select the appropriate transport to ensure the
   confidentially (and other security) considerations are met.

   draft-18:
   An operator can select the appropriate transport to ensure
   confidentially (and other security) considerations are met.

   Metadata privacy and security considerations are a matter for the
   documents that define metadata format.

7.2.  Updating/Augmenting Metadata

   Post-initial metadata imposition (typically performed during initial
   service path determination), metadata may be augmented or updated:

   1.  Metadata Augmentation: Information may be added to NSH's existing
       metadata, as depicted in Figure 10.  For example, if the initial
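Review bot: the -18 change drops "the" but keeps the misspelling "confidentially" in "to ensure confidentially (and other security) considerations are met"; it should read "confidentiality", matching the fix this same revision makes in the Security Considerations text at page 24. Also in the unchanged context: "rely on a antecedent classification" should be "an antecedent classification", and the stray space in "intended SFs only) ." should go.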
skipping to change at page 24, line 16

   when required, existing security protocols that provide authenticity
   (e.g., [RFC6071]) can be used.  Similarly, if confidentiality is
   required, existing encryption protocols can be used in conjunction
   with encapsulated NSH.

   Further, existing best practices, such as [BCP38] should be deployed
   at the network layer to ensure that traffic entering the service path
   is indeed "valid".  [I-D.ietf-rtgwg-dt-encap] provides additional
   transport encapsulation considerations.

   draft-17:
   NSH metadata authenticity and confidentially must be considered as
   well.

   draft-18:
   NSH metadata authenticity and confidentiality must be considered as
   well.

   In order to protect the metadata, an operator can leverage the
   aforementioned mechanisms provided the transport layer, authenticity
   and/or confidentiality.  An operator MUST carefully select the
   transport/underlay services to ensure end to end security services,
   when those are sought after.  For example, if [RFC6071] is used, the
   operator MUST ensure it can be supported by the transport/underlay of
   all relevant network segments as well as SFF and SFs.  Further, as
   described in Section 8.1, operators can and should use indirect
   identification for personally identifying information, thus
   significantly mitigating the risk of privacy violation.  Means to
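Review bot: "an operator can leverage the aforementioned mechanisms provided the transport layer, authenticity and/or confidentiality" is missing a word and is ambiguous about what the transport provides; suggest "leverage the aforementioned mechanisms provided by the transport layer for authenticity and/or confidentiality". Minor: "existing best practices, such as [BCP38] should be deployed" needs a comma after "[BCP38]", and "end to end" is better hyphenated as "end-to-end" when used as a modifier.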
skipping to change at page 27, line 12

   invaluable ideas and contributions which are reflected throughout
   this document.

   Loa Andersson provided a thorough review and valuable comments, we
   thank him for that.

   Reinaldo Penno deserves a particular thank you for his architecture
   and implementation work that helped guide the protocol concepts and
   design.

   draft-17:
   The editors also acknowledge a comprehensive review and respective
   suggestions by Med Boucadair.

   draft-18:
   The editors also acknowledge comprehensive reviews and respective
   suggestions by Med Boucadair and Adrian Farrel.

   Lastly, David Dolson has provides significant review, feedback and
   suggestions throughout the evolution of this document.  His
   contributions are very much appreciated.

11.  IANA Considerations

11.1.  NSH EtherType

   An IEEE EtherType, 0x894F, has been allocated for NSH.
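Review bot: "David Dolson has provides significant review, feedback and suggestions" should read "has provided"; the typo is present in both revisions and the -18 acknowledgment edit two sentences earlier leaves it untouched.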
End of changes.  5 change blocks.  8 lines changed or deleted, 8 lines changed or added.

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/