SFC WG G. Mirsky
Internet-Draft ZTE Corp.
Intended status: Standards Track W. Meng
Expires: March 25, 2018 ZTE Corporation
B. Khasnabish
ZTE TX, Inc.
C. Wang
September 21, 2017

Multi-Layer Active OAM for Service Function Chains in Networks
draft-wang-sfc-multi-layer-oam-10

Abstract

A multi-layer approach to the task of Operation, Administration and Maintenance (OAM) of Service Function Chains (SFCs) in networks is presented. Based on the requirements towards active OAM for SFC, a multi-layer model is introduced. A mechanism to detect and localize defects using the multi-layer model is also described.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on March 25, 2018.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction

[RFC7665] defines components necessary to implement Service Function Chain (SFC). These include a classifier which performs classification of incoming packets. A Service Function Forwarder (SFF) is responsible for forwarding traffic to one or more connected Service Functions (SFs) according to the information carried in the SFC encapsulation. SFF also handles traffic coming back from the SF and transports the data packets to the next SFF. And the SFF serves as termination element of the Service Function Path (SFP). SF is responsible for specific treatment of received packets.

Resulting from that SFC is constructed by a number of these components, there are different views from different levels of the SFC. One is the SFC, fully abstract entity, that defines an ordered set of SFs that must be applied to packets selected as a result of classification. But SFC doesn't define exact mapping between SFFs and SFs. Thus there exists another semi-abstract entity referred as SFP. SFP is the instantiation of the SFC in the network and provides a level of indirection between the fully abstract SFC and a fully specified ordered list of SFFs and SFs identities that the packet will visit when it traverses the SFC. The latter entity is being referred as Rendered Service Path (RSP). The main difference between SFP and RSP is that in the former the authority to select the SFF/SF has been delegated to the network.

This document proposes the multi-layer model of SFC active Operation, Administration and Maintenance (OAM), per [RFC7799] definition of active OAM, lists requirements to improve the troubleshooting efficiency and defines SFC Echo request and Echo reply that enables on-demand Continuity Check, Connectivity Verification among other operations over SFC in networks.

2. Conventions

2.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

2.2. Terminology

Unless explicitly specified in this document, active OAM in SFC and SFC OAM are being used interchangeably.

e2e: End-to-End

FM: Fault Management

NSH: Network Service Header

OAM: Operations, Administration, and Maintenance

RDI: Remote Defect Indication

RSP: Rendered Service Path

SF: Service Function

SFC: Service Function Chain

SFF: Service Function Forwarder

SFP: Service Function Path

3. Multi-layer Model of SFC OAM

As described in [I-D.ietf-sfc-oam-framework], multiple layers come into play to realize the SFC, including the Service layer, the underlying Network layer, as well as the Link layer, which are depicted in Figure 1:

         
                   +---+  +---+   +---+  +---+     +---+
                   |SF1|  |SF2|   |SF3|  |SF4|     |SF5|
                   +---+  +---+   +---+  +---+     +---+
                      \    /          \  /           |     
   +----------+       +----+         +----+        +----+    
   |Classifier|-------|SFF1|---------|SFF2|--------|SFF3|
   +----------+       +----+         +----+        +----+         
       0---------------------------------------------0  Service layer 
       0----------------0--------------0-------------0  Network layer
       0-------------0------0-------0------0---------0  Link layer      
 
       

Figure 1: SFC OAM Multi-Layer model

4. Requirements for Multi-layer Model of Active OAM

To perform the OAM task of fault management (FM) in an SFC, that includes failure detection, defect characterization and localization, this document defines the multi-layer model of OAM, presented in Section 3, and set of requirements towards active OAM mechanisms to be used on an SFC.

In example presented in Figure 1 the service SFP1 may be realized through two RSPs, RSP1(SF1--SF3--SF5) and RSP2(SF2--SF4--SF6). To perform end-to-end (e2e) FM SFC OAM:

The egress, SFF3 in example in Figure 1, is the entity that detects the failure of the SFC. It must be able to signal the new defect state to the ingress, i.e. SFF1. Hence the following requirement:

Once the SFF1 detects the defect objective of OAM switches from failure detection to defect characterization and localization.

It is practical, as presented in Figure 1, that several SFs share the same SFF. In such case SFP1 may be realized over two RSPs, RSP1(SF1--SF3--SF5) and RSP2(SF2--SF4--SF6).

In process of localizing the SFC failure separating SFC OAM layers is very attractive and efficient approach. To achieve that continuity among SFFs that are part of the same SFP should be verified. Once SFFs reachability along the particular SFP has been confirmed task of defect localization may focus on SF reachability verification. Because reachability of SFFs has already been verified, SFF local to the SF may be used as source.

5. Active OAM Identification in SFC NSH

The multi-layer model OAM that confirms to the above listed requirements enables active OAM protocols that are capable to perform efficient defect localization on an SFC. [I-D.ietf-sfc-nsh] does not provide definition for identification of an SFC active OAM packet. This document defines that active OAM packet on SFC MUST have OAM bit set and MUST have the value on the Next Protocol field set to OAM (TBA1) according to Section 9.1.

It is very unlikely that a single protocol will address all the requirements listed in Section 4. Protocols may be identified by destination UDP port number if IP/UDP encapsulation used. But extra IP/UDP headers, especially in case of IPv6, add noticeable overhead. This document defines Active OAM Header Figure 2 to demultiplex active OAM protocols on an SFC.

    
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| V | Msg Type  |     Flags     |          Length               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~              SFC Active OAM Control Packet                    ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 2: SFC Active OAM Header

6. SFC OAM multi-layer model

Figure 3 presents a use case of applying the proposed SFC OAM multi-layer model. In this scenario operator needs to discover SFFs and SFs of the same SFC. The Layer 1 includes the SFFs that are part of the SFP. The Layer 2 - the SFs along the RSP. When trying to do SFC OAM, classifier or service nodes select and confirm which SFC OAM layering they plan to do, then encapsulate the layering information in the SFC OAM packets, and send the SFC OAM packets along the service function paths to the destination. When receiving the SFC OAM packets, service nodes analyze the layering information and then decide whether sending these packets to next SFFs directly without being processed by SFs for Layer 1 process or sending to SFs for Layer 2 process.

         
         +---+ +---+  +----+ +----+  +-----+ +-----+  +------+ +------+
         |SF1|.|SFn|  |SF1'|.|SFn'|  |SF1''|.|SFn''|  |SF1'''|.|SFn'''|
         +---+ +---+  +----+ +----+  +-----+ +-----+  +------+ +------+
             \   /        \   /  |      \     /           \    /   |   
 +------+   +----+       +----+  |      +-----+           +-----+  |      
 |Class.|---|SFF1|  ...  |SFFn|  |      |SFF1'|   ...     |SFFn'|  |       
 +------+   +----+       +----+  |      +-----+           +-----+  |      
                            |    |                            |    |              
                            |    |                            |    |         
                            |----|------Layer 1---------------|    |
                                 |                                 |   
                                 |-------------Layer 2-------------|     
                                                                                                                        
 
      

Figure 3: SFC OAM multi-layering model

7. Echo Request/Echo Reply for SFC in Networks

    
       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |         Version Number        |         Global Flags          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Message Type  |   Reply mode  |  Return Code  | Return S.code |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                        Sender's Handle                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Sequence Number                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~                              TLVs                             ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          

Figure 4: SFC Echo Request/Reply format

Echo Request/Reply is well-known active OAM mechanism that is extensively used to detect inconsistencies between states in control plane and data plane, localize defects in the data plane. The format of the Echo request/Echo reply control packet is to support ping and traceroute functionality in SFC in networks Figure 4 resembles the format of MPLS LSP Ping [RFC8029] with some exceptions.

The interpretation of the fields is as following:

7.1. SFC Echo Request Transmission

SFC echo request control packet MUST use the appropriate encapsulation of the monitored SFP. If Network Service Header (NSH) is used, echo request MUST set O bit, as defined in [I-D.ietf-sfc-nsh]. SFC NSH MUST be immediately followed by the SFC Active OAM Header defined in Section 5. Message Type field in the SFC Active OAM Header MUST be set to SFC Echo Request/Echo Reply value (TBA2) per Section 9.2.

Value of the Reply Mode field MAY be set to:

7.2. SFC Echo Request Reception

7.3. SFC Echo Reply Transmission

The Reply Mode field directs whether and how the echo reply message should be sent. The sender of the echo request MAY use TLVs to request that corresponding echo reply be sent using the specified path. Value TBA3 is referred as "Do not reply" mode and suppresses transmission of echo reply packet. Default value (TBA6) for the Reply mode field requests the responder to send the echo reply packet out-of-band as IPv4 or IPv6 UDP packet.

Responder to the SFC echo request sends the echo reply over IP network if the Reply mode is Reply via an IPv4/IPv6 UDP Packet. Because SFC NSH does not identify the ingress of the SFP the echo request MUST include this information that to be used as IP destination address for IP/UDP encapsulation of the SFC echo reply. Sender of the SFC echo request MUST include SFC Source TLV Figure 5.

    
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |   SFC OAM Source ID Type    |           Length              |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                           Value                             |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 5: SFC Source TLV

The UDP destination port for SFC Echo Reply TBA10 will be allocated by IANA Section 9.7.

7.4. Overlay Echo Reply Reception

8. Security Considerations

Overlay Echo Request/Reply operates withing the domain of the overlay network and thus inherits any security considerations that apply to the use of that overlay technology and, consequently, underlay data plane. Also, the security needs for SFC echo request/reply are similar to those of ICMP ping [RFC0792], [RFC4443] and MPLS LSP ping [RFC8029].

There are at least three approaches of attacking a node in the overlay network using the mechanisms defined in the document. One is a Denial-of-Service attack, by sending SFC ping to overload an element of the SFC. The second may use spoofing, hijacking, replying, or otherwise tampering with SFC echo requests and/or replies to misrepresent, alter operator's view of the state of the SFC. The third is an unauthorized source using an SFC echo request/reply to obtain information about the SFC and/or its elements, e.g. SFF or SF.

To mitigate potential Denial-of-Service attacks, it is RECOMMENDED that implementations throttle the SFC ping traffic going to the control plane.

Reply and spoofing attacks involving faking or replying SFC echo reply messages would have to match the Sender's Handle and Sequence Number of an outstanding SFC echo request message which is highly unlikely. Thus the non-matching reply would be discarded.

To protect against unauthorized sources trying to obtain information about the overlay and/or underlay an implementation MAY check that the source of the echo request is indeed part of the SFP.

9. IANA Considerations

9.1. SFC Active OAM Protocol

IANA is requested to assign new type from the SFC Next Protocol registry as follows:

SFC Active OAM Protocol
Value Description Reference
TBA1 SFC Active OAM This document

9.2. SFC Active OAM Message Type

IANA is requested to create new registry called "SFC Active OAM Message Type". All code points in the range 1 through 32767 in this registry shall be allocated according to the "IETF Review" procedure as specified in [RFC8126] . Remaining code points are allocated according to the table Table 2:

SFC Active OAM Message Type
Value Description Reference
0 Reserved
1 - 32767 Reserved IETF Consensus
32768 - 65530 Reserved First Come First Served
65531 - 65534 Reserved Private Use
65535 Reserved

IANA is requested to assign new type from the SFC Active OAM Message Type registry as follows:

SFC Echo Request/Echo Reply Type
Value Description Reference
TBA2 SFC Echo Request/Echo Reply This document

9.3. SFC Echo Request/Echo Reply Parameters

IANA is requested to create new SFC Echo Request/Echo Reply Parameters registry.

9.4. SFC Echo Request/Echo Reply Message Types

IANA is requested to create in the SFC Echo Request/Echo Reply Parameters registry the new sub-registry Message Types. All code points in the range 1 through 191 in this registry shall be allocated according to the "IETF Review" procedure as specified in [RFC8126] and assign values as follows:

SFC Echo Request/Echo Reply Message Types
Value Description Reference
0 Reserved
TBA3 SFC Echo Request This document
TBA4 SFC Echo Reply This document
TBA4+1-191 Unassigned IETF Review
192-251 Unassigned First Come First Served
252-254 Unassigned Private Use
255 Reserved

9.5. SFC Echo Reply Modes

IANA is requested to create in the SFC Echo Request/Echo Reply Parameters registry the new sub-registry Reply Modes All code points in the range 1 through 191 in this registry shall be allocated according to the "IETF Review" procedure as specified in [RFC8126] and assign values as follows:

SFC Echo Reply Modes
Value Description Reference
0 Reserved
TBA5 Do Not Reply This document
TBA6 Reply via an IPv4/IPv6 UDP Packet This document
TBA7 Reply via Application Level Control Channel This document
TBA8 Reply via Specified Path This document
TBA8+1-191 Unassigned IETF Review
192-251 Unassigned First Come First Served
252-254 Unassigned Private Use
255 Reserved

9.6. SFC TLV Type

IANA is requested to create SFC OAM TLV Type registry. All code points in the range 1 through 32759 in this registry shall be allocated according to the "IETF Review" procedure as specified in [RFC8126]. Code points in the range 32760 through 65279 in this registry shall be allocated according to the "First Come First Served" procedure as specified in [RFC8126]. Remaining code points are allocated according to the Table 6:

SFC TLV Type Registry
Value Description Reference
0 Reserved This document
1- 32759 Unassigned IETF Review
32760 - 65279 Unassigned First Come First Served
65280 - 65519 Experimental This document
65520 - 65534 Private Use This document
65535 Reserved This document

This document defines the following new value in SFC OAM TLV Type registry:

SFC OAM Source IP Address Type
Value Description Reference
TBA9 Source IP Address This document

9.7. SFC OAM UDP Port

IANA is requested to allocate UDP port number according to

SFC OAM Port
Service Name  Port Number  Transport Protocol  Description  Semantics Definition  Reference 
SFC OAM TBA10 UDP SFC OAM Section 7.3 This document

10. References

10.1. Normative References

[I-D.ietf-sfc-nsh] Quinn, P., Elzur, U. and C. Pignataro, "Network Service Header (NSH)", Internet-Draft draft-ietf-sfc-nsh-21, September 2017.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.

10.2. Informative References

[I-D.ietf-sfc-oam-framework] Aldrin, S., Pignataro, C., Kumar, N., Akiya, N., Krishnan, R. and A. Ghanwani, "Service Function Chaining (SFC) Operation, Administration and Maintenance (OAM) Framework", Internet-Draft draft-ietf-sfc-oam-framework-03, September 2017.
[RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, RFC 792, DOI 10.17487/RFC0792, September 1981.
[RFC4443] Conta, A., Deering, S. and M. Gupta, "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", STD 89, RFC 4443, DOI 10.17487/RFC4443, March 2006.
[RFC7665] Halpern, J. and C. Pignataro, "Service Function Chaining (SFC) Architecture", RFC 7665, DOI 10.17487/RFC7665, October 2015.
[RFC7799] Morton, A., "Active and Passive Metrics and Methods (with Hybrid Types In-Between)", RFC 7799, DOI 10.17487/RFC7799, May 2016.
[RFC8029] Kompella, K., Swallow, G., Pignataro, C., Kumar, N., Aldrin, S. and M. Chen, "Detecting Multiprotocol Label Switched (MPLS) Data-Plane Failures", RFC 8029, DOI 10.17487/RFC8029, March 2017.
[RFC8126] Cotton, M., Leiba, B. and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017.

Authors' Addresses

Greg Mirsky ZTE Corp. EMail: gregimirsky@gmail.com
Wei Meng ZTE Corporation No.50 Software Avenue, Yuhuatai District Nanjing China EMail: meng.wei2@zte.com.cn,vally.meng@gmail.com
Bhumip Khasnabish ZTE TX, Inc. 55 Madison Avenue, Suite 160 Morristown, New Jersey 07960 USA EMail: bhumip.khasnabish@ztetx.com
Cui Wang EMail: lindawangjoy@gmail.com