In the last post we introduced the concept of Service Function Chaining (SFC). In that post we suggested that SFC occurs at the virtual port layer, somewhere around layer 1 of the OSI model. We can debate whether it is truly layer 1 or not, in part because SFC is usually performed by a Software Defined Network (SDN) of some arbitrary design. However, regardless of the underlying technology, certainly as far as a virtual machine that is part of the chain is concerned, we are connecting a virtual port directly to another virtual port.
Many organizations will choose not to do “pure” SFC and instead deploy service chains at the layer 3 level, essentially looking like the hop-by-hop networking we are all used to, with default gateways, routers, virtual IPs, and the like.
When we build chains of devices at the layer 3 level we are doing so (usually) because:
IaaS systems like OpenStack provide the ability to create all manner of virtualized network components. When deploying virtual network functions (VNFs, which are basically virtual machines, for example a virtual firewall) into IaaS we have a great deal of control over what their networking looks like.
For example, we can use OpenStack APIs to create virtual networks and virtual routers, and inject specific static routes, add ports to virtual networks, and also alter the network configuration of the actual VNF in at least three major ways:
Using the aforementioned methods, we can build a virtual chain of devices that receive packets to forward through normal layer 3 methods.
For example, say we want to build a chain that consists of a load balancer, a web application firewall, a standard firewall, and then finally a web server, but we don’t have an SDN integrated with our OpenStack system that can provide layer 1 SFC.
We can certainly build that via standard automation using almost any provisioning and configuration management tools and IaaS APIs. We can build virtual networks and routers, provision virtual machines, and once they are running, configure them to use standard layer 3 concepts to connect in a chain. If desired we can also use concepts like “allowed address pairs” in OpenStack to configure virtual IPs between multiple VNF instances.
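To make the layer 3 chain concrete, here is an added example (not code from the original post) that plans the networks, ports and static routes for a chain such as load balancer, WAF, firewall, web server, emitting dicts shaped like Neutron API arguments without contacting a cloud. The .1/.10/.20 addressing convention, the /24 per segment and the allowed-address-pair choices are assumptions constructed for the example.

```python
"""Plan a layer-3 ("fake") service chain for OpenStack Neutron.

Given an ordered list of VNFs, compute the per-segment networks, the ports
each VNF needs, and the static routes that make packets walk the chain hop
by hop. It only emits dicts shaped like Neutron API arguments; no cloud is
contacted. The addressing conventions below are constructed for this example.
"""
import ipaddress


def plan_chain(vnfs, base="10.10.0.0/16"):
    """Return networks, ports, per-VNF static routes and the ingress router's routes."""
    subnets = list(ipaddress.ip_network(base).subnets(new_prefix=24))
    nets = subnets[:len(vnfs)]            # nets[0] is ingress, nets[i] links vnfs[i-1] and vnfs[i]
    ingress, target = nets[0], nets[-1]
    names = ["ingress"] + [f"seg-{a}-{b}" for a, b in zip(vnfs, vnfs[1:])]
    networks = [{"name": n, "cidr": str(net)} for n, net in zip(names, nets)]

    def host(net, n):                     # .1 router, .10 a hop's "in" side, .20 its "out" side
        return str(net.network_address + n)

    ports, vnf_routes = [], {}
    for i, vnf in enumerate(vnfs):
        in_net = nets[i]
        out_net = nets[i + 1] if i + 1 < len(nets) else None
        # Return traffic leaving the "in" port carries the target segment's source IPs,
        # so Neutron anti-spoofing must be told about that prefix (assumes the VNF routes, not NATs).
        ports.append({"vnf": vnf, "network": names[i], "ip": host(in_net, 10),
                      "allowed_address_pairs": [{"ip_address": str(target)}] if out_net else []})
        routes = []
        if out_net is not None:
            # Forward traffic leaving the "out" port carries arbitrary client source IPs;
            # 0.0.0.0/0 effectively disables anti-spoofing here, so narrow it to known client ranges.
            ports.append({"vnf": vnf, "network": names[i + 1], "ip": host(out_net, 20),
                          "allowed_address_pairs": [{"ip_address": "0.0.0.0/0"}]})
            if out_net != target:         # the hop before the target is directly connected to it
                routes.append({"destination": str(target), "nexthop": host(out_net, 10)})
        # Default route points back toward ingress: the Neutron router for the first hop,
        # otherwise the previous hop's "out" port.
        routes.append({"destination": "0.0.0.0/0", "nexthop": host(in_net, 1 if i == 0 else 20)})
        vnf_routes[vnf] = routes

    # Static route on the Neutron router attached to the ingress network
    # (what `openstack router set --route destination=...,gateway=...` configures).
    router_routes = [{"destination": str(target), "nexthop": host(ingress, 10)}]
    return {"networks": networks, "ports": ports,
            "vnf_routes": vnf_routes, "router_routes": router_routes}


if __name__ == "__main__":
    import json
    print(json.dumps(plan_chain(["lb", "waf", "fw", "web"]), indent=2))
```

The emitted routes and allowed address pairs are what you would feed to `openstack router set --route`, `openstack port create --allowed-address`, and each VNF's own routing table; mismatches between them are the usual reason a layer 3 chain silently drops traffic.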
The reason we use the word “fake” in this post is that a great deal of thought has already gone into how SFC proper should be done, and a layer 3 chain is not that.
In the field of Network Function Virtualization (NFV) we also have the concept of the VNF Forwarding Graph (VNFFG). VNFFGs are out of the scope of this blog post but suffice it to say most systems that can generate them are currently assuming a standard port-pair SFC model, not a layer 3 one. For example, the OpenStack Tacker VNF Manager project requires the OpenStack networking-sfc system in order to enact VNFFGs. In other words, stopping short of “pure” SFC could mean not being able to take advantage of some advanced automation tooling, though, of course, this is all relatively new technology and certainly things will change.
Ultimately the more technically interesting version of SFC is the layer 1 port-to-port model where packets magically appear on VNF interfaces to be processed and forwarded. But that adds a fair amount of complexity because it usually requires some kind of SDN (though the OpenStack networking-sfc project will reduce that requirement), and, until tools catch up, makes troubleshooting more difficult. Many organizations may simply prefer to create “fake” chains using automation, IaaS APIs, and layer 3 networking. This is completely valid, as the point of the chain is to provide some kind of automatable, customizable, and alterable product that can be sold as a service. Further, not every chain can and will be made up of only non-layer 3 functions.