Software-Defined Network (SDN) & Network Function Virtualization (NFV)
Po-Ching Lin
Dept. CSIE, National Chung Cheng University

Transition to NFV
- Cost of deploying network functions: operating expense (OPEX) and capital expense (CAPEX)
- Driven by the maturity of virtualization technology [NFV white paper, 2012]
- Benefits of using NFV:
  - flexible network function deployment
  - efficient resource allocation
  - rapid scale-up/down
  - encourages new network functions, particularly software implementations
  - fast deployment of service innovation

SDN Architecture and OpenFlow
- OpenFlow standardizes communication between the controller and the switches.
- The controller controls the switches through the OpenFlow switch protocol. [D. Kreutz et al., 2015]

Pipeline of Flow Tables
- Matching is performed through a pipeline of flow tables.
- Flow entries match packets in priority order in each table.
- If a matching entry is found, the instructions associated with that flow entry are executed.
- If no match is found, the action depends on the table-miss flow entry: the packet may be forwarded to the controller, dropped, or passed on to the next table.

Relation between SDN and NFV
- NFV does not depend on SDN, but SDN can
  - redirect traffic to the desired virtual functions
  - plan the service chain dynamically
- NFV supports SDN by
  - providing the infrastructure
  - dealing with complicated packet processing [NFV white paper, 2012]
- NFV: specified by the European Telecommunications Standards Institute (ETSI)
- SDN: specified by the Open Networking Foundation

Relation between SDN and NFV (cont.)
(Figure: traffic classifier and NFV, from http://www.neovise.com/)

NFV specification
- Specified by the European Telecommunications Standards Institute (ETSI)
- Public specifications at http://www.etsi.org/technologies-clusters/technologies/nfv :
  - Network Functions Virtualisation (NFV); Infrastructure Overview
  - Network Functions Virtualisation (NFV); Infrastructure; Hypervisor Domain
  - Network Functions Virtualisation (NFV); Resiliency Requirements
  - Network Functions Virtualisation (NFV); Architectural Framework
  - Network Functions Virtualisation (NFV); Terminology for Main Concepts in NFV
  - Network Functions Virtualisation (NFV); Infrastructure; Compute Domain
  - Network Functions Virtualisation (NFV); Infrastructure; Network Domain

NFV specification (cont.)
- Public specifications (cont.):
  - Network Functions Virtualisation (NFV); Service Quality Metrics
  - Network Functions Virtualisation (NFV); Management and Orchestration
  - Network Functions Virtualisation (NFV); Virtual Network Functions Architecture
  - Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance
  - Network Functions Virtualisation (NFV); NFV Performance & Portability Best Practises
  - Network Functions Virtualisation (NFV); Proofs of Concept; Framework
  - Network Functions Virtualisation (NFV); Infrastructure; Methodology to describe Interfaces and Abstractions
  - Network Functions Virtualisation (NFV); NFV Security; Problem Statement
  - Network Functions Virtualisation (NFV); Use Cases

SDN+NFV side by side [Szabó et al., 2015]
- NFV framework
  - VNF: virtualized network function
  - NFVI: NFV infrastructure
  - MANO: NFV management and orchestration
- SDN+NFV: the VIM talks to an SDN controller to orchestrate the virtualized network in the NFV infrastructure

Functional blocks in NFV framework
- VNF: virtualized network function
  - a virtualization instance of a network function in a legacy non-virtualized network (deployed on one or more VMs)
  - e.g., firewall, IDS, load balancer, network elements in the EPC
  - identical interfaces for physical and virtualized ones
  - deployed on one or multiple VMs
- EM: element management
  - performs the typical management functionality for one or several VNFs (e.g., configuration, fault management, accounting)

NFV infrastructure
- NFVI: all hardware and software components which build up the environment for VNFs, including hardware resources, the virtualization layer and virtualized resources
- Virtualization layer: decouples VNFs from hardware resources
  - techniques of network virtualization: VLAN, VxLAN, VPLS, NVGRE, etc.

NFV management and orchestration
- VIM: Virtualized Infrastructure Manager
  - resource management (allocate virtualization enablers, increase resources to VMs, ...)
  - operations for performance analysis and fault information collection, capacity planning, monitoring and optimization
- NFV orchestrator: orchestration and realization of network services on the NFVI
- VNF manager: VNF lifecycle management (instantiation, update, query, scaling, termination)
VNF with hardware acceleration [Bronstein et al., 2015]
(Figure; VNFC = VNF component)

L2 connectivity model
(Figure)

L3 connectivity model
(Figure)

VNFC to VNFC communications
(Figure: shared memory)

VNF load balancing models
- VNF-internal load balancer
- VNF-external load balancer
  - the VNFO launches the VNFs and the balancer
  - stateless vs. stateful VNFC?

VNF load balancing models (cont.)
- End-to-end load balancer
  - the VNFO launches only the VNFs
- Infrastructure network load balancer
  - a load balancer in the NFVI

VNF scaling model
- Auto scaling: triggered by the VNF manager
- On-demand scaling: requested from the VNF or the EM

VNF scaling model (cont.)
- Scaling based on a management request: manually triggered scaling by administrators or the OSS

VNF component reuse
- Suppose B1 and B2 provide the same function
- VNFs X and Y disappear; B becomes an independent VNF

VNF fault management
- VNF faults in the virtualized resources allocated to and consumed by a VNF:
  - whole NFVI down
  - backup virtualized resources unavailable
  - fault in the virtualization layer/hypervisor
  - VM malfunctioning
  - connectivity failure between VNFs
- Faults within the VNF itself:
  - software bugs
  - communication failures among VNFCs
  - configuration errors
NFV security
- NFV-specific threats in relation to generic virtualization threats and generic networking threats (figure)
- Key issues:
  - topology validation and enforcement
  - availability of management support infrastructure
  - secured boot
  - secure crash
  - performance isolation

NFV security (cont.)
- Key issues (cont.):
  - user/tenant authentication, authorization and accountability
  - authenticated time service
  - private keys within cloned images
  - backdoors via virtualized test & monitoring functions
  - multi-administrator isolation

VNF forwarding graphs
- Define the logical connectivity between VNFs [ETSI GS NFV 001]

Physical view of VNF forwarding graph [ETSI GS NFV 001]
(Figure)

Service chain: an example
- Setting up the service chain:
  1. Uploading network service VM images into the orchestration tool
  2. Creating the network service chain and adding network services
  3. Creating rules
     - Rule 1: for web traffic, Firewall → IPS → WAF
     - Rule 2: for non-web traffic, Firewall → DDoS → IPS → DPI
  4. Attaching the network service chain to a virtual network
  5. Instantiating network service VMs
  6. Programming the controller with the above configuration

Traffic steering for service chaining
- Step 1: ask the controller for traffic steering
- Step 2: the controller configures virtual switches with rules to redirect traffic
- Step 3: all packets in the flow are passed through the network service VMs
Network service header
- Still an IETF draft (latest update: 2015-03-24)
- The network service header (NSH) is added by a service classification function and contains metadata and service path information
- Header format:
  - base header: information about the service header and the payload protocol
  - service path header: path identification and location within a path
  - context header: opaque metadata and variable-length encoded information

Service path header
- Two fields specify the service path:
  - service path identifier (SPI): 24 bits
  - service index (SI): 8 bits
- SPI: participating nodes use the SPI for path selection
- SI: provides the location within the service path; decremented by service functions after performing the required services (marks the end of the service chain; also used for loop detection)

Example of NSH
(Header layout, one 32-bit word per row, bit 0 on the left and bit 31 on the right:)
- Base header: Ver | O | C | Reserved | NSH Length | MD-type = 1 or 2 | Next protocol
- Service path header: Service path identifier | Service index
- Mandatory context header (network platform context, e.g., ingress port)
- Mandatory context header (network shared context, e.g., tenancy info)
- Mandatory context header (service platform context, e.g., service platform id)
- Mandatory context header (service shared context, e.g., application type)
- Optional variable-length context data

NSH actions
- Insert or remove a service header
  - insert when packets need services after being classified
  - remove at the end of the service chain (exception: when packets are re-classified)
- Select a service path: determine the correct service chain
- Update a service header
  - each service function decreases the SI by one
  - update the context header if a newer one is available
- Service policy selection: the policy is derived from the service header; the context header provides the relevant information

Service function forwarding
SPI   SI   NH                  Transport
10    3    1.1.1.1             VxLAN-GPE
10    2    2.2.2.2             nvgre
245   12   192.168.45.3        VxLAN-GPE
10    9    10.1.2.3            GRE
40    9    10.1.2.3            GRE
50    7    01:23:45:67:89:ab   Ethernet
15    1    Null (end of path)  None

Service function forwarding (cont.)
- For load balancing, redundancy or policy: several next hops per (SPI, SI), each with a metric
SPI   SI   NH             Metric
10    3    10.1.1.1       1
           10.1.1.2       1
20    12   192.168.1.1    1
           10.2.2.2       1
30    7    10.2.2.3       10
           10.3.3.3       5
- Encapsulation: outer Ethernet header (type = 0x894f) | NSH | original IP packet
  - the outer transport can be VxLAN-GPE, GRE, etc.
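As an added example that is not part of the slides, the following Python models the MD-type 1 NSH described above (base header, SPI/SI service path header, four mandatory context headers) together with a service function forwarder's (SPI, SI) lookup, the per-service-function SI decrement, end-of-path decapsulation and SI-exhaustion loop detection. The base-header bit widths (Ver 2, O 1, C 1, Reserved 6, Length 6, MD-type 8, Next protocol 8) are assumed from the IETF draft rather than read off the slide, and the forwarding table is constructed, modelled on the slide's example.

```python
import struct
from dataclasses import dataclass

# MD-type 1 NSH: base (4 B) + service path (4 B) + four 32-bit context headers (16 B) = 6 words
MD1_LEN_WORDS = 6


@dataclass
class NSH:
    spi: int                # service path identifier, 24 bits
    si: int                 # service index, 8 bits
    ctx: tuple              # the four mandatory 32-bit context headers
    next_proto: int = 0x1   # payload protocol (0x1 = IPv4 in the draft)
    o_bit: int = 0          # OAM flag
    c_bit: int = 1          # critical metadata present

    def pack(self) -> bytes:
        # Base header layout assumed from the draft: Ver(2) O(1) C(1) Reserved(6) Length(6) MD-type(8) Next-proto(8)
        base = (self.o_bit << 29) | (self.c_bit << 28) | (MD1_LEN_WORDS << 16) | (1 << 8) | self.next_proto
        return struct.pack("!II4I", base, (self.spi << 8) | self.si, *self.ctx)

    @classmethod
    def unpack(cls, buf: bytes) -> "NSH":
        base, path = struct.unpack_from("!II", buf)
        if base >> 30 != 0 or (base >> 8) & 0xFF != 1 or (base >> 16) & 0x3F != MD1_LEN_WORDS:
            raise ValueError("not a version-0, MD-type 1 NSH")
        return cls(path >> 8, path & 0xFF, struct.unpack_from("!4I", buf, 8),
                   base & 0xFF, (base >> 29) & 1, (base >> 28) & 1)


# Constructed SFF table (modelled on the slide's): (SPI, SI) -> (next hop, transport); None = end of path
SFF_TABLE = {
    (10, 3): ("1.1.1.1", "VxLAN-GPE"),
    (10, 2): ("2.2.2.2", "NVGRE"),
    (10, 1): None,
    (50, 7): ("01:23:45:67:89:ab", "Ethernet"),
}


def walk_service_path(pkt: bytes):
    """Simulate SFF lookups and SF decrements along one path; returns (disposition, hops, payload)."""
    hdr = NSH.unpack(pkt)
    hops = []
    while (hdr.spi, hdr.si) in SFF_TABLE:
        entry = SFF_TABLE[(hdr.spi, hdr.si)]
        if entry is None:                   # end of chain: strip the NSH and deliver the payload
            return "delivered", hops, pkt[MD1_LEN_WORDS * 4:]
        hops.append(entry)
        hdr.si -= 1                         # the service function decrements SI after servicing
        if hdr.si == 0:                     # SI exhausted: loop or misconfigured path, drop
            return "dropped", hops, None
    return "dropped", hops, None            # no policy installed for this (SPI, SI)
```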
Path selection and forwarding
(Figure)

NSH metadata & policy
(Figure)

Conclusion
- Network function virtualization
  - an evolution shifting from proprietary devices to flexible virtual functions
  - opens up the chance for innovation
  - still full of design and research issues
- References & useful resources
  - ETSI official site: http://www.etsi.org/technologies-clusters/technologies/nfv
  - IEEE Network Magazine, May/June 2015: NFV special issue