Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sangfor Cloud Security Pool, The First-ever NSH Use Case

Published byἸωνᾶς Ρόκας Modified over 5 years ago

Similar presentations

Presentation on theme: "Sangfor Cloud Security Pool, The First-ever NSH Use Case"— Presentation transcript:

1 Sangfor Cloud Security Pool, The First-ever NSH Use Case
in Service Function Chaining Product XiaoFan Chen, Sangfor, Senior Technical Expert on SDN/NFV. Yi Yang, Inspur and Intel Make IT more simple, safe and valuable

2 Content Background Solution
Sangfor Cloud Security Pool and Traffic Steering PBR v.s. SDN based SFC Solution Deployment Framework & Workflow Flow Table Design Realization and Optimization of SFC proxy Some Patches and Test Results NSH

3 Cloud Security Pool (CSP)
CSP: clusters of VNFs (Virtual Network Function). CSSP: Cloud Security Service Platform, i.e. the Management UI for Sangfor CSP. The VNFs in Sangfor CSP are as follows: vNGAF: Firewall, vSSL: SSL/IPSec VPN, vAC: Internet Access Management, vAD: Application Delivery, vWOC: WAN Optimization, vDAS: DB audit, virtual fortress machine, virtual honeypot. vNGAF: virtual next generation firewall vSSL: virtaul SSL/IPSec VPN vAC: virtaul access control vAD: virtual application delivery vWOC: virtual WAN optimization vDAS:virtual database auditor.

4 Service Function Chaining (SFC)
Definition of SFC in Sangfor CSP: Steer the selected traffic passing through some VNFs in order. One example of SFC is show in the figure on the left: a) Traffic is generated from a VM of client; b) Traffic is steered to CSP in the PCR; c) Traffic is steered by SFC in CSP, and the traffic passes through vNGAF, vAC and vAD in order. d) Traffic is steered back to the PCR, and then is routed to the outside network.

5 Policy Based Routing (PBR)

6 PBR v.s. SDN based SFC PR: physical router
CR: core router for all tenants PS: physical switch ER: edge router for each tenant PBR a) More hops; b) Throughput and latency is not good enough; c) Flexibility is bad. SDN based SFC with OVS+DPDK a) Less hops; b) Better throughput and latency; c) More Flexible in traffic steering and flow entry management.

7 Deployment of SFC CSP deployed in transparent mode.
Traffic from outside network to inside. a) Traffic comes into CSP by WAN port, b) pass through all VNFs within the SFC, c) leaves CSP by LAN port, d) and comes into the client network. The SFC is vNGAF -> vAC -> vAD. No NSH for VNFs at the same host. E.x. vNGAF -> vAC. NSH only for VNFs at different hosts. E.x. vAC -> vAD. Flow classifier Five tuple + VLAN ID Different flow matches different SFC. Configuer: from ONOS to OVS by ovsdb Flow entry: from ONOS to OVS by openflow. CSP deployed in transparent mode. The traffic in the figure is from outside network to inside. The traffic comes into CSP by WAN port, pass through all NFVs within the SFC, leaves CSP by LAN port, and comes into the client network. The SFC is vNGAF -> vAC -> vAD. There is no NSH encap & decap if the next NFV is at the same host as the current NFV. This operation can reduce unnecessary cost of encap & decap. E.x. vNGAF -> vAC. If the next NFV is at other host, NSH will be used. E.x. vAC -> vAD. We used the five tuple, i.e. source ip, destination ip, source port, destination port and protocol, and VLAN ID as the flow classifier. It decides the SFC for each different flow. The SDN controller, ONOS, configures OVS by ovsdb and sends flow enties to OVS by openflow.

8 Sangfor SFC Framework User Management Plane UI Sangfor CSSP REST API
Sangfor SDN controller Control Plane L2/L3 network fuction and SFC SFC APP ovsdb/openflow Data Plane support the newest standard NSH Sangfor dataplane

9 SFC APP workflow

10 Flow Table Design

11 SFC Proxy vNGAF proxy dataplane port 2 port 1 Function of SFC Proxy:
Decap and Record: packet with nsh from port 1 -> NSH decap -> record the mapping of five tuple + VLAN ID and NSH (SPI, SI) in a hash table (2) Check and Encap: packet from port 2 -> hash(five tuple + VLAN ID) -> check the hash table -> find NSH (SPI, SI), and SI = SI – 1 -> NSH encap Realization of SFC Proxy: Way 1: Coding the function into OVS to maintain the hash table. Way 2: By flow entry. When controller generates flow entry, it knows the mapping of five tuple + VLAN ID + ingress port and NSH (SPI, SI) . vNGAF port 2 proxy port 1 dataplane

12 Different Ways to Realize SFC Proxy
Advantage Disadvantage By coding OVS a) Classify the flow only once. b) Dataplane is responsible of the management of NSH. c) The generation of flow entry is easier and the flow entry is more simple. a) The stability and performance of proxy function. If proxy crashes, the dataplane doesn’t work. b) The solution rely on OVS with proxy function. c) The process of packet handling has to be change and it may not be merged into the open source code of OVS. By flow entry a) No need to coding OVS. b) If SFC APP in controller crashes, the SFC path in dataplane is still working. a) SFC flow entries are more hard to generate and complex. b) The performance may not as good as proxy function. c) Packets has to re-enter flow classifier when it arrive at OVS.

13 Optimization of SFC Proxy
NSH encap & decap at the same time for local VNF vNGAF before optimization 6 5 NSH decap 1 Flow Classifier VxLan-GPE tunnel 4 2 7 Local VNF 9 3 NSH encap 8 remote VNF

14 Optimization of SFC Proxy
Cut the unnecessary NSH encap & decap for VNFs at the same host vNGAF After optimization 4 3 VxLan-GPE tunnel 1 Flow Classifier 2 local VNF 7 Remote VNF 6 NSH encap 5

15 Changes on ONOS and OVS+DPDK
ONOS 1.12 and OVS 2.8 do not work together: The change on ONOS: The match and set operation on NSH (spi, si) Make group table to support openflow 1.5 Change NSH actions from push/pop to encap/decap Fix the bug in packet_type supporting The change on OVS: Fix the bug of openflow 1.5 unsupporting on OVS Fix the bug of encaping NSH header twice The change on openflow: Code ONOS-loxi to make openflow to support the latest standard NSH, including actions and match fields Keep the OXM structure of NSH in OVS 2.8 unchange

16 Test Results ONOS 1.12, OVS 2.8 + DPDK 17.08.
3 physical hosts, > 6 NFVs, > 2 SFC chains. DPDK pktgen, iperf, netperf. Performance: ONOS + OVS + DPDK v.s. Original Item Result HA (High Availability) of VNFs It works, and the switch time is 1s~3s Dynamic change of SFC Chain The recovery time is in seconds Latency Reduced by 67%~79% Throughput 2.45 times of the original Cost of NSH (Throughput) Reduced by 28%~40%

17 Network Service Header (NSH)
RFC 8300: NSH encap & decap decrease about 20% performance. Only used for service function chains across compute nodes Overlay: VxLAN-GPE Overlay packet format UDP header Outer IP header Outer MAC header NSH VxLAN-GPE Header payload Inner Inner MAC header cloud.inspur.com

18 cloud.inspur.com Header Format VxLAN-GPE header: NSH MD type 1 header:
VXLAN header VXLAN-gpe header cloud.inspur.com

19 cloud.inspur.com SPI and SI in NSH SF1: SPI = 10, SI = 255

20 NSH match fields and actions
nsh_flags, nsh_ttl, nsh_mdtype, nsh_np, nsh_spi, nsh_si,nsh_c1, nsh_c2, nsh_c3, nsh_c4 dec_nsh_ttl encap(nsh(md_type=1)) encap(nsh(md_type=1)),set_field:0x1234->nsh_spi,set_field:0x >nsh_c1 encap(ethernet),set_field:11:22:33:44:55:66->dl_dst encap(nsh(md_type=2,tlv(0x1000,10,0x ),tlv(0x2000,20,0xfedcba ))) decap() Notes: You can’t match inner fields before decap NSH header cloud.inspur.com

21 cloud.inspur.com Known NSH issues in OVS
Encap is done twice in group table (FIXED by Jan Scheurich) Performance issue (to be improved) VNFs can’t support NSH, NSH proxy will result in more performance loss VXLAN-gpe can’t work normally in some Linux versions (in-kernel vxlan and udp tunnel modules are used per OVS autoconfig but they are old and can’t handle VXLAN-gpe, to be fixed) Packet checksum issue when inner packet size is 1500 and overlay interface MTU is 1500. NSH MD type 2 support (TBD): if more metadata is needed. networking-sfc in openstack doesn’t support NSH yet. cloud.inspur.com

22 The End Thank You!

Download ppt "Sangfor Cloud Security Pool, The First-ever NSH Use Case"

Similar presentations

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.
L3 + VXLAN Made Practical

L3 + VXLAN Made Practical
L. Alchaal & al. Page 1 2002 Offering a Multicast Delivery Service in a Programmable Secure IP VPN Environment Lina ALCHAAL Netcelo S.A., Echirolles INRIA.

L. Alchaal & al. Page Offering a Multicast Delivery Service in a Programmable Secure IP VPN Environment Lina ALCHAAL Netcelo S.A., Echirolles INRIA.
DOT – Distributed OpenFlow Testbed

DOT – Distributed OpenFlow Testbed
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Outlines Backgrounds Goals Implementation Performance Evaluation

Outlines Backgrounds Goals Implementation Performance Evaluation
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Report of Interconnectivity Testing of Service Function Chaining by Six Companies NTT Alaxala Networks Cisco Systems Hitachi Alcatel-Lucent Japan et al.

Report of Interconnectivity Testing of Service Function Chaining by Six Companies NTT Alaxala Networks Cisco Systems Hitachi Alcatel-Lucent Japan et al.
Keith Wiles Keith.Wiles@Intel.com DPACC vNF Overview and Proposed methods Keith Wiles Keith.Wiles@Intel.com 2015.04.03 – v0.5.

Keith Wiles DPACC vNF Overview and Proposed methods Keith Wiles – v0.5.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
A Survey of Network Orchestration in Cloud

A Survey of Network Orchestration in Cloud
Connecting LANs, Backbone Networks, and Virtual LANs

Connecting LANs, Backbone Networks, and Virtual LANs
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
DrayTek VPN Solution. Outline What is VPN What does VPN Do Supported VPN Protocol How Many Tunnels does Vigor Support VPN Application Special VPN Application.

DrayTek VPN Solution. Outline What is VPN What does VPN Do Supported VPN Protocol How Many Tunnels does Vigor Support VPN Application Special VPN Application.
Data Center Network Redesign using SDN

Data Center Network Redesign using SDN
Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.

Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.
Networking in the cloud: An SDN primer Ben Cherian Chief Strategy Midokura.

Networking in the cloud: An SDN primer Ben Cherian Chief Strategy Midokura.
Chapter 4: Managing LAN Traffic

Chapter 4: Managing LAN Traffic
IEEE 802.1q - VLANs Nick Poorman.

IEEE 802.1q - VLANs Nick Poorman.

Similar presentations

Ads by Google