【编者的话】本文系SDN实战团微信群组织的线上技术分享整理而成，本次由英特尔公司的郭瑞景给我们带来关于Service Function Chain的分享。

嘉宾介绍
--------------------------------------------------------------------------

郭瑞景，01年研究生毕业后 从事媒体网关开发两年 后加入intel做linux方面的 open source两年 后来加入思科做信令路由五年 后来加入emc做存储大数据研发 最近在,intel做odl opnfv 研发

分享正文
--------------------------------------------------------------------------
我今天主要介绍一下SFC，主要内容是英文的，用中文做解释，大概介绍一些SFC的概念，主要的时间会放在demo上。
What's SFC
Service Function Chaining provides the ability to define an ordered list of a network services (e.g. firewalls, load balancers). These service are then "stitched" together in the network to create a service chain. This project provides the infrastructure (chaining logic, APIs) needed for ODL to provision a service chain in the network and an end-user application for defining such chains.

SFC DC Usage

SFC Mobility Usage

SFC Project
This OpenDaylight project provides a sfc function that resides within the controller platform and presents service chaining functionality to external user-centric applications via the ODL Northbound REST APIs. Using this ODL service, network operators may create, update, and delete service chains, as well as specify the exchange of opaque metadata with network and service nodes in a service path. When applicable, APIs will allow specification of the selection criteria to be used by the sfc function to determine the service path for traffic incident upon the chain.

Service chain: defines “intent” and is, in essence, a list of required service functions (e.g. FW ? SLB ? IPS)

Service path: instantiation of a service chain. Specific instances of a service type are selected and connectivity established between instances. (e.g. FW1@1.1.1.1 ? SLB3@2.2.2.2 ? IPS34@3.3.3.3)

NSH encapsulation

SFC Demo 103

1. source code is in sfc/sfc-demo/sfc103
2. demo topology

Reference

1. https://wiki.opendaylight.org/view/Service_Function_Chaining:Main

2. https://github.com/opendaylight/sfc.git

3. https://datatracker.ietf.org/wg/sfc/documents/

Q&A

Q1：ovs里面有流表吗？如果有，贴出来看看，对ovs来实现SFC比较迷茫
A1：

Shell

vagrant@classifier1:~$ sudo ovs-ofctl dump-flows -OOpenflow13 br-sfc OFPST_FLOW reply (OF1.3) (xid=0x2): cookie=0x0, duration=126598.327s, table=0, n_packets=25, n_bytes=2130, priority=1000,tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=80 actions=load:0xc0a80114->NXM_NX_TUN_IPV4_DST[],set_nsp:0x14,set_nsi:255,set_nshc1:0x1,set_nshc2:0x2,set_nshc3:0x3,set_nshc4:0x4,output:2 cookie=0x0, duration=126598.587s, table=0, n_packets=25, n_bytes=8352, priority=1000,nsp=8388628,nsi=253 actions=output:1 cookie=0x14, duration=126599.520s, table=0, n_packets=0, n_bytes=0, priority=5 actions=goto_table:1 vagrant@sff1:~$ sudo ovs-ofctl dump-flows -OOpenflow13 br-sfc OFPST_FLOW reply (OF1.3) (xid=0x2): cookie=0x14, duration=126636.987s, table=0, n_packets=75, n_bytes=12612, priority=5 actions=goto_table:1 cookie=0x0, duration=126635.524s, table=0, n_packets=25, n_bytes=8352, priority=1000,nsp=8388628,nsi=253 actions=load:0xc0a8010a->NXM_NX_TUN_IPV4_DST[],move:NXM_NX_NSP[]->NXM_NX_NSP[],move:NXM_NX_NSI[]->NXM_NX_NSI[],move:NXM_NX_NSH_C1[]->NXM_NX_NSH_C1[],move:NXM_NX_NSH_C2[]->NXM_NX_NSH_C2[],IN_PORT cookie=0x14, duration=126636.987s, table=1, n_packets=0, n_bytes=0, priority=5 actions=drop cookie=0x14, duration=126636.240s, table=1, n_packets=50, n_bytes=4260, priority=250,nsp=20 actions=goto_table:4 cookie=0x14, duration=126635.392s, table=1, n_packets=25, n_bytes=8352, priority=250,nsp=8388628 actions=goto_table:4 cookie=0x14, duration=126636.987s, table=2, n_packets=0, n_bytes=0, priority=5 actions=goto_table:3 cookie=0x14, duration=126636.987s, table=3, n_packets=0, n_bytes=0, priority=5 actions=goto_table:4 cookie=0x14, duration=126636.987s, table=4, n_packets=0, n_bytes=0, priority=5 actions=goto_table:10 cookie=0x14, duration=126636.133s, table=4, n_packets=25, n_bytes=2130, priority=550,nsp=20,nsi=255 actions=load:0xc0a8011e->NXM_NX_TUN_IPV4_DST[],goto_table:10 cookie=0x14, duration=126635.655s, table=4, n_packets=25, n_bytes=2130, priority=550,nsp=20,nsi=254 actions=load:0xc0a80132->NXM_NX_TUN_IPV4_DST[],goto_table:10 cookie=0x14, duration=126635.369s, table=4, n_packets=25, n_bytes=8352, priority=550,nsp=8388628,nsi=254 actions=load:0xc0a8011e->NXM_NX_TUN_IPV4_DST[],goto_table:10 cookie=0x14, duration=126636.987s, table=10, n_packets=0, n_bytes=0, priority=5 actions=drop cookie=0xba5eba11ba5eba11, duration=126635.869s, table=10, n_packets=25, n_bytes=2130, priority=650,nsp=20,nsi=255 actions=move:NXM_NX_NSH_C1[]->NXM_NX_NSH_C1[],move:NXM_NX_NSH_C2[]->NXM_NX_NSH_C2[],move:NXM_NX_TUN_ID[0..31]->NXM_NX_TUN_ID[0..31],IN_PORT cookie=0xba5eba11ba5eba11, duration=126635.619s, table=10, n_packets=25, n_bytes=2130, priority=650,nsp=20,nsi=254 actions=move:NXM_NX_NSH_C1[]->NXM_NX_NSH_C1[],move:NXM_NX_NSH_C2[]->NXM_NX_NSH_C2[],move:NXM_NX_TUN_ID[0..31]->NXM_NX_TUN_ID[0..31],IN_PORT cookie=0xba5eba11ba5eba11, duration=126635.294s, table=10, n_packets=25, n_bytes=8352, priority=650,nsp=8388628,nsi=254 actions=move:NXM_NX_NSH_C1[]->NXM_NX_NSH_C1[],move:NXM_NX_NSH_C2[]->NXM_NX_NSH_C2[],move:NXM_NX_TUN_ID[0..31]->NXM_NX_TUN_ID[0..31],IN_PORT cookie=0xba5eba11ba5eba11, duration=126635.245s, table=10, n_packets=0, n_bytes=0, priority=650,nsp=8388628,nsi=253 actions=move:NXM_NX_NSI[]->NXM_NX_NSI[],move:NXM_NX_NSP[]->NXM_NX_NSP[],move:NXM_NX_NSH_C1[]->NXM_NX_TUN_IPV4_DST[],move:NXM_NX_NSH_C2[]->NXM_NX_TUN_ID[0..31],IN_PORT cookie=0xba5eba11ba5eba11, duration=126635.259s, table=10, n_packets=0, n_bytes=0, priority=660,nsp=8388628,nsi=253,nshc1=0 actions=IN_PORT vagrant@sff1:~$

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

vagrant@classifier1:~$ sudo ovs-ofctl dump-flows  -OOpenflow13 br-sfc OFPST_FLOW reply (OF1.3) (xid=0x2): cookie=0x0, duration=126598.327s, table=0, n_packets=25, n_bytes=2130, priority=1000,tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=80 actions=load:0xc0a80114->NXM_NX_TUN_IPV4_DST[],set_nsp:0x14,set_nsi:255,set_nshc1:0x1,set_nshc2:0x2,set_nshc3:0x3,set_nshc4:0x4,output:2 cookie=0x0, duration=126598.587s, table=0, n_packets=25, n_bytes=8352, priority=1000,nsp=8388628,nsi=253 actions=output:1 cookie=0x14, duration=126599.520s, table=0, n_packets=0, n_bytes=0, priority=5 actions=goto_table:1   vagrant@sff1:~$ sudo ovs-ofctl dump-flows -OOpenflow13 br-sfc OFPST_FLOW reply (OF1.3) (xid=0x2): cookie=0x14, duration=126636.987s, table=0, n_packets=75, n_bytes=12612, priority=5 actions=goto_table:1 cookie=0x0, duration=126635.524s, table=0, n_packets=25, n_bytes=8352, priority=1000,nsp=8388628,nsi=253 actions=load:0xc0a8010a->NXM_NX_TUN_IPV4_DST[],move:NXM_NX_NSP[]->NXM_NX_NSP[],move:NXM_NX_NSI[]->NXM_NX_NSI[],move:NXM_NX_NSH_C1[]->NXM_NX_NSH_C1[],move:NXM_NX_NSH_C2[]->NXM_NX_NSH_C2[],IN_PORT cookie=0x14, duration=126636.987s, table=1, n_packets=0, n_bytes=0, priority=5 actions=drop cookie=0x14, duration=126636.240s, table=1, n_packets=50, n_bytes=4260, priority=250,nsp=20 actions=goto_table:4 cookie=0x14, duration=126635.392s, table=1, n_packets=25, n_bytes=8352, priority=250,nsp=8388628 actions=goto_table:4 cookie=0x14, duration=126636.987s, table=2, n_packets=0, n_bytes=0, priority=5 actions=goto_table:3 cookie=0x14, duration=126636.987s, table=3, n_packets=0, n_bytes=0, priority=5 actions=goto_table:4 cookie=0x14, duration=126636.987s, table=4, n_packets=0, n_bytes=0, priority=5 actions=goto_table:10 cookie=0x14, duration=126636.133s, table=4, n_packets=25, n_bytes=2130, priority=550,nsp=20,nsi=255 actions=load:0xc0a8011e->NXM_NX_TUN_IPV4_DST[],goto_table:10 cookie=0x14, duration=126635.655s, table=4, n_packets=25, n_bytes=2130, priority=550,nsp=20,nsi=254 actions=load:0xc0a80132->NXM_NX_TUN_IPV4_DST[],goto_table:10 cookie=0x14, duration=126635.369s, table=4, n_packets=25, n_bytes=8352, priority=550,nsp=8388628,nsi=254 actions=load:0xc0a8011e->NXM_NX_TUN_IPV4_DST[],goto_table:10 cookie=0x14, duration=126636.987s, table=10, n_packets=0, n_bytes=0, priority=5 actions=drop cookie=0xba5eba11ba5eba11, duration=126635.869s, table=10, n_packets=25, n_bytes=2130, priority=650,nsp=20,nsi=255 actions=move:NXM_NX_NSH_C1[]->NXM_NX_NSH_C1[],move:NXM_NX_NSH_C2[]->NXM_NX_NSH_C2[],move:NXM_NX_TUN_ID[0..31]->NXM_NX_TUN_ID[0..31],IN_PORT cookie=0xba5eba11ba5eba11, duration=126635.619s, table=10, n_packets=25, n_bytes=2130, priority=650,nsp=20,nsi=254 actions=move:NXM_NX_NSH_C1[]->NXM_NX_NSH_C1[],move:NXM_NX_NSH_C2[]->NXM_NX_NSH_C2[],move:NXM_NX_TUN_ID[0..31]->NXM_NX_TUN_ID[0..31],IN_PORT cookie=0xba5eba11ba5eba11, duration=126635.294s, table=10, n_packets=25, n_bytes=8352, priority=650,nsp=8388628,nsi=254 actions=move:NXM_NX_NSH_C1[]->NXM_NX_NSH_C1[],move:NXM_NX_NSH_C2[]->NXM_NX_NSH_C2[],move:NXM_NX_TUN_ID[0..31]->NXM_NX_TUN_ID[0..31],IN_PORT cookie=0xba5eba11ba5eba11, duration=126635.245s, table=10, n_packets=0, n_bytes=0, priority=650,nsp=8388628,nsi=253 actions=move:NXM_NX_NSI[]->NXM_NX_NSI[],move:NXM_NX_NSP[]->NXM_NX_NSP[],move:NXM_NX_NSH_C1[]->NXM_NX_TUN_IPV4_DST[],move:NXM_NX_NSH_C2[]->NXM_NX_TUN_ID[0..31],IN_PORT cookie=0xba5eba11ba5eba11, duration=126635.259s, table=10, n_packets=0, n_bytes=0, priority=660,nsp=8388628,nsi=253,nshc1=0 actions=IN_PORT vagrant@sff1:~$

Q2:
请问这个图是摘自某个draft或者rfc么？
A2：是的，NSH encapsulation是最重要的

Q3：我想请问一下, 我看到了你使用ODL建立了两条sfc并分别证明了通过的middlebox, 但是这些middlebox在物理层是怎么引入ODL的呢?或者说怎么向ODL import这些middlebox呢? 就是fw, dpi, firewall这些function.
A3：用户配置的，我可以摘抄一些configuration

Shell

"service-nodes": { "service-node": [ { "name": "node0", "service-function": [ ], "ip-mgmt-address": "192.168.1.10" }, { "name": "node1", "service-function": [ ], "ip-mgmt-address": "192.168.1.20" }, { "name": "node2", "service-function": [ "dpi-1" ], "ip-mgmt-address": "192.168.1.30" }, { "name": "dpi-1", "ip-mgmt-address": "192.168.1.30", "rest-uri": "http://192.168.1.30:5000", "type": "dpi", "nsh-aware": "true", "sf-data-plane-locator": [ { "name": "sf1-dpl", "port": 6633, "ip": "192.168.1.30", "transport": "service-locator:vxlan-gpe", "service-function-forwarder": "SFF1" } ] },

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37

"service-nodes": {         "service-node": [             {                 "name": "node0",                 "service-function": [                 ],                 "ip-mgmt-address": "192.168.1.10"             },             {                 "name": "node1",                 "service-function": [                 ],                 "ip-mgmt-address": "192.168.1.20"             },             {                 "name": "node2",                 "service-function": [                     "dpi-1"                 ],                 "ip-mgmt-address": "192.168.1.30"             }, {                 "name": "dpi-1",                 "ip-mgmt-address": "192.168.1.30",                 "rest-uri": "http://192.168.1.30:5000",                 "type": "dpi",                 "nsh-aware": "true",                 "sf-data-plane-locator": [                     {                         "name": "sf1-dpl",                         "port": 6633,                         "ip": "192.168.1.30",                         "transport": "service-locator:vxlan-gpe",                         "service-function-forwarder": "SFF1"                     }                 ]             },

所有的脚本，我都commit到sfc/sfc-demo下面了

Q4：目前ODL实现用的OVS是私有版本吗？主线版本还不支持NSH吧
A4：对的，目前的SFC有两类：一个是基于NSH，一个不基于NSH的
openstack的SFC不支持NSH，ODL SFC支持NSH，NSH目前还没有进入OVS,所以属于私有patch，sfc-demo下面有安装OVS +NSH的脚本
curl https://raw.githubusercontent.com/priteshk/ovs/nsh-v8/third-party/start-ovs-deb.sh | bash 如果不基于NSH，只能象管道一样的，一节一节连起来，基于NSH，可以根据包来foward

Q5：脚本里面设置dp的端口是6633，这个端口好像是odl的隧道端口，是不是有意设置成6633的？换成其他的行吗？
A5：6633这个端口是可以改的，原来的vxlan-gpe有一个缺省的端口，我需要确认一下是不是就是这个

Q6：做SF的image ，有相关资源么？最近也在玩这个，苦于找不到合适image ，ODL的SFC现在做到什么程度了，是处在迭代中还是已经可以demo了？
A6：如果是基于NSH的SF image,目前还没有，我们最近在开发这个 NSH aware + DPDK 的 SF image

Q7：你说的这个image是指vagrant的box文件吗？
A7：这个image不是vagrant box,这个image应该是openstack glance能管理的image，Tacker + OpenStack + ODL (netvirt + SFC) 是整个解决方案，SF image需要由OpenStack glance来管理,这个SF应该属于NSH Aware

Q8：如果是基于NSH的话，SF image是不是也要支持NSH？
A8：是的，legecy的SF, 需要有一个NSH aware 的proxy

Q9：demo中的网络，是不是不能和我的宿主网络同一个网段？vagrant up 的时候，提示的意思是192.168.1.x和我的网络不能通一个网络，我的wifi是192.168.1网段的
A9：你可以全替代192.168.1 到192.168.2

Q10：如果用了nsh的方案，nsh的头是在classify上加上的然后在sff里面去掉吗
A10：NSH的方案，ingress classifier 加头，egress classifer 减头，SFF保持头不变，SF会把service index --这样SFF就只怎么forward这个包，传统的DPI没有能力理解NSH的头的，所以要proxy，NSH 可以理解成带有meta data 的MPLS

--------------------------------------------------------------------------
SDN实战团微信群由Brocade中国区CTO张宇峰领衔组织创立，携手SDN Lab以及海内外SDN/NFV/云计算产学研生态系统相关领域实战技术牛，每周都会组织定向的技术及业界动态分享，欢迎感兴趣的同学加微信：eigenswing，进群参与，您有想听的话题可以给我们留言。