Network Function Virtualization (NFV) is reshaping the way in which telecommunication networks and services are designed and operated. Traditional network functions are being transformed into Virtual Network Functions (VNFs) implemented as software modules. NFV promises a big capital expenditure (CAPEX) saving by replacing dedicated physical appliances with VNFs that can run on any commodity hardware. It also promises more flexibility as VNFs can be augmented with new features via simple software updates. Service function chaining (SFC) denotes the process of forwarding packets through a sequence of network functions. It allows creating end-to-end services by composing several network functions. In traditional “pre-NFV” approaches, network functions were placed en-route, i.e. along the path of the flows. In NFV scenarios, VNFs can be arbitrarily located in the distributed virtualization infrastructure. Hence, SFC requires a steering method to force traffic to go through the chain of VNFs. Segment Routing (SR) is a new network architecture based on source routing. It allows a node to steer packets through a set of network nodes in a specific order. In SR networks, a list of instructions, called segments, is attached to the packet to define such forwarding path. The SR architecture can be implemented with MPLS and IPv6 data plane. In this thesis, we only focus on the SR implementation based on IPv6 data plane, denoted as SRv6. In this thesis, we leverage the SRv6 capabilities to design a scalable SRv6-based SFC archi- tecture. We define the design principles of the architecture and discuss the challenges. We also propose the solutions to these challenges. Moreover, we study both the functional and non-functional properties of the architecture. More specifically, the contributions of this thesis are as follows: Abstract ii • Design of a scalable SFC architecture based on SRv6. SFC is one of the most challenging use-cases in telecommunication networks. Tra- ditional SFC solutions require maintaining per-chain state information in the network fabric to forward packets to VNFs. In the first part of Chapter 3, we propose a scalable SRv6-based SFC architecture. In the proposed architecture, each VNF is assigned a segment identifier (SID) and SFC is achieved by attaching a list of SIDs to the packets. Being SRv6-based, our approach does not need to maintain per-chain state information in the network fabric. Our solution is thus more scalable than the traditional alternatives. We define both data and control planes aspects of our proposed architecture. We also explain how to implement such architecture in a Linux environment. • Design and implementation of a solution to integrate legacy network functions into the SRv6-based SFC architecture. In SRv6-based SFC, VNFs can be categorized into SRv6-aware and SRv6-unaware VNFs based on their ability to process SRv6 information in received packets. SRv6- unaware VNFs are legacy VNFs that can not process SRv6 packets. They might drop the packet or perform erroneous action. However, these SRv6-unaware VNFs have been in use since long time and network operators have spent a lot of efforts to automate their deployment and operations. In the second part of Chapter 3, we provide a solution to re-use such legacy SRv6-unaware VNFs within SRv6-based SFC architecture. To that end, we provide an SRv6-proxy that processes the SRv6 information on behalf of the SRv6-unaware VNFs. The proxy delivers plain IP packets to the VNFs with no SRv6 information. It restores the SRv6 information after the packets are processed by the VNF. The SRv6-proxy supports static, dynamic and masquerading behaviors to address the various types of VNFs. We provide an open source implementation for those proxy behaviors in Linux. We evaluate the processing overhead introduced by our SRv6-proxy implementation with respect to plain IP forwarding. The results are reported in Chap- ter 5 and show that our implementation provides a forwarding rate that can match the bandwidth requirements of VNFs. • Design and implementation of native SRv6-aware network functions. With SRv6, the SR architecture has been evolving from the simple steering of pack- ets across nodes to a general network programming approach. The idea is to encode instructions and not only locations in a segment list. In order to exploit such SRv6 “network programming” capabilities in SFC, network functions have to be SRv6-aware. Abstract iii In Chapter 4, we design and implement several SRv6-aware network functions: SERA, SR-Snort, SR-nftables and SR-tcpdump. SERA is an SRv6-aware firewall capable of ap- plying normal firewall behavior to packets with SRv6 information. It can also perform stateless SRv6-specific actions on packets. SERA is implemented as an extension to the commonly used iptables firewall. To the best of our knowledge, SERA is the first SRv6- aware network function ever realized. In SR-Snort, we extend the widely deployed open source IDS/IPS (Snort) to be SRv6-aware. SR-nftables, is another SRv6-aware network function which extends the next generation Linux firewall (nftables). SR-tcpdump is a tool that allows analyzing and debugging SRv6 traffic. It extends the tcpdump tool with a dissector for SRv6. The different SRv6-aware network functions developed for this thesis allow to build a fully automated SRv6-based SFC architecture. We contributed our implementations of SRv6-aware network functions to several open source projects to be used by network operators as well as other researchers. Several part of these im- plementations are currently integrated into the mainline of the Linux kernel, the iptables and nftables components and the tcpdump tool. • Design a performance evaluation framework for SRv6 implementations. The SRv6 data plane implementations have been supported in many different routers implementations including: open source software routers such as the Linux kernel and the Vector Packet Processing (VPP) platform, as well as hardware implementations from different network vendors. Since then, SRv6 has been deployed both in service providers networks and data centers. It is therefore critical to assess some of the non-functional properties such as scalability and fault tolerance. In Chapter 5, we present SRPerf, a performance evaluation framework for SRv6 data plane implementations. The design of such framework is a very challenging task. As packets are required to be forwarded at an extremely high rate using a limited CPU budget to process each of them. We have used SRPerf to evaluate the performance of the SRv6 implementation in the Linux kernel and VPP. The framework allows us to identify some performance issues of the SRv6 implementation which we have fixed in new revisions. Finally, we would like to highlight the tutorial on Linux kernel networking and SRv6 imple- mentations provided in Appendix A. It could help other researchers to get started with these topics. In this respect, We also would like to mention our contribution to a survey and tutorial paper on Segment Routing that has been submitted.
Service Function Chaining with Segment Routing / Abdelsalam, AHMED MOHAMED AHMED. - (2020 Sep 22).
Service Function Chaining with Segment Routing
ABDELSALAM, AHMED MOHAMED AHMED
2020-09-22
Abstract
Network Function Virtualization (NFV) is reshaping the way in which telecommunication networks and services are designed and operated. Traditional network functions are being transformed into Virtual Network Functions (VNFs) implemented as software modules. NFV promises a big capital expenditure (CAPEX) saving by replacing dedicated physical appliances with VNFs that can run on any commodity hardware. It also promises more flexibility as VNFs can be augmented with new features via simple software updates. Service function chaining (SFC) denotes the process of forwarding packets through a sequence of network functions. It allows creating end-to-end services by composing several network functions. In traditional “pre-NFV” approaches, network functions were placed en-route, i.e. along the path of the flows. In NFV scenarios, VNFs can be arbitrarily located in the distributed virtualization infrastructure. Hence, SFC requires a steering method to force traffic to go through the chain of VNFs. Segment Routing (SR) is a new network architecture based on source routing. It allows a node to steer packets through a set of network nodes in a specific order. In SR networks, a list of instructions, called segments, is attached to the packet to define such forwarding path. The SR architecture can be implemented with MPLS and IPv6 data plane. In this thesis, we only focus on the SR implementation based on IPv6 data plane, denoted as SRv6. In this thesis, we leverage the SRv6 capabilities to design a scalable SRv6-based SFC archi- tecture. We define the design principles of the architecture and discuss the challenges. We also propose the solutions to these challenges. Moreover, we study both the functional and non-functional properties of the architecture. More specifically, the contributions of this thesis are as follows: Abstract ii • Design of a scalable SFC architecture based on SRv6. SFC is one of the most challenging use-cases in telecommunication networks. Tra- ditional SFC solutions require maintaining per-chain state information in the network fabric to forward packets to VNFs. In the first part of Chapter 3, we propose a scalable SRv6-based SFC architecture. In the proposed architecture, each VNF is assigned a segment identifier (SID) and SFC is achieved by attaching a list of SIDs to the packets. Being SRv6-based, our approach does not need to maintain per-chain state information in the network fabric. Our solution is thus more scalable than the traditional alternatives. We define both data and control planes aspects of our proposed architecture. We also explain how to implement such architecture in a Linux environment. • Design and implementation of a solution to integrate legacy network functions into the SRv6-based SFC architecture. In SRv6-based SFC, VNFs can be categorized into SRv6-aware and SRv6-unaware VNFs based on their ability to process SRv6 information in received packets. SRv6- unaware VNFs are legacy VNFs that can not process SRv6 packets. They might drop the packet or perform erroneous action. However, these SRv6-unaware VNFs have been in use since long time and network operators have spent a lot of efforts to automate their deployment and operations. In the second part of Chapter 3, we provide a solution to re-use such legacy SRv6-unaware VNFs within SRv6-based SFC architecture. To that end, we provide an SRv6-proxy that processes the SRv6 information on behalf of the SRv6-unaware VNFs. The proxy delivers plain IP packets to the VNFs with no SRv6 information. It restores the SRv6 information after the packets are processed by the VNF. The SRv6-proxy supports static, dynamic and masquerading behaviors to address the various types of VNFs. We provide an open source implementation for those proxy behaviors in Linux. We evaluate the processing overhead introduced by our SRv6-proxy implementation with respect to plain IP forwarding. The results are reported in Chap- ter 5 and show that our implementation provides a forwarding rate that can match the bandwidth requirements of VNFs. • Design and implementation of native SRv6-aware network functions. With SRv6, the SR architecture has been evolving from the simple steering of pack- ets across nodes to a general network programming approach. The idea is to encode instructions and not only locations in a segment list. In order to exploit such SRv6 “network programming” capabilities in SFC, network functions have to be SRv6-aware. Abstract iii In Chapter 4, we design and implement several SRv6-aware network functions: SERA, SR-Snort, SR-nftables and SR-tcpdump. SERA is an SRv6-aware firewall capable of ap- plying normal firewall behavior to packets with SRv6 information. It can also perform stateless SRv6-specific actions on packets. SERA is implemented as an extension to the commonly used iptables firewall. To the best of our knowledge, SERA is the first SRv6- aware network function ever realized. In SR-Snort, we extend the widely deployed open source IDS/IPS (Snort) to be SRv6-aware. SR-nftables, is another SRv6-aware network function which extends the next generation Linux firewall (nftables). SR-tcpdump is a tool that allows analyzing and debugging SRv6 traffic. It extends the tcpdump tool with a dissector for SRv6. The different SRv6-aware network functions developed for this thesis allow to build a fully automated SRv6-based SFC architecture. We contributed our implementations of SRv6-aware network functions to several open source projects to be used by network operators as well as other researchers. Several part of these im- plementations are currently integrated into the mainline of the Linux kernel, the iptables and nftables components and the tcpdump tool. • Design a performance evaluation framework for SRv6 implementations. The SRv6 data plane implementations have been supported in many different routers implementations including: open source software routers such as the Linux kernel and the Vector Packet Processing (VPP) platform, as well as hardware implementations from different network vendors. Since then, SRv6 has been deployed both in service providers networks and data centers. It is therefore critical to assess some of the non-functional properties such as scalability and fault tolerance. In Chapter 5, we present SRPerf, a performance evaluation framework for SRv6 data plane implementations. The design of such framework is a very challenging task. As packets are required to be forwarded at an extremely high rate using a limited CPU budget to process each of them. We have used SRPerf to evaluate the performance of the SRv6 implementation in the Linux kernel and VPP. The framework allows us to identify some performance issues of the SRv6 implementation which we have fixed in new revisions. Finally, we would like to highlight the tutorial on Linux kernel networking and SRv6 imple- mentations provided in Appendix A. It could help other researchers to get started with these topics. In this respect, We also would like to mention our contribution to a survey and tutorial paper on Segment Routing that has been submitted.File | Dimensione | Formato | |
---|---|---|---|
2020_PhDThesis_Abdelsalam.pdf
accesso aperto
Tipologia:
Tesi di dottorato
Licenza:
Accesso gratuito
Dimensione
2.3 MB
Formato
Adobe PDF
|
2.3 MB | Adobe PDF | Visualizza/Apri |
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.