SDN Practitioners Group Talk (12): Service Function Chain
Today I will mainly introduce SFC. Most of the material is in English, with explanations in Chinese; I will briefly go over some SFC concepts and spend most of the time on the demo.
What's SFC
Service Function Chaining provides the ability to define an ordered list of network services (e.g. firewalls, load balancers). These services are then "stitched" together in the network to create a service chain. This project provides the infrastructure (chaining logic, APIs) needed for ODL to provision a service chain in the network and an end-user application for defining such chains.
SFC DC Usage
SFC Mobility Usage
SFC Project
This OpenDaylight project provides an SFC function that resides within the controller platform and presents service-chaining functionality to external user-centric applications via the ODL Northbound REST APIs. Using this ODL service, network operators may create, update, and delete service chains, as well as specify the exchange of opaque metadata with network and service nodes in a service path. When applicable, APIs will allow specification of the selection criteria to be used by the SFC function to determine the service path for traffic incident upon the chain.
Service chain: defines "intent" and is, in essence, a list of required service functions (e.g. FW → SLB → IPS)
Service path: instantiation of a service chain. Specific instances of a service type are selected and connectivity is established between instances (e.g. FW1@1.1.1.1 → SLB3@2.2.2.2 → IPS34@3.3.3.3)
NSH encapsulation
SFC Demo 103
1. source code is in sfc/sfc-demo/sfc103
2. demo topology
Reference
1. https://wiki.opendaylight.org/view/Service_Function_Chaining:Main
2. https://github.com/opendaylight/sfc.git
3. https://datatracker.ietf.org/wg/sfc/documents/
Q&A
Q1: Are there flow tables in the OVS? If so, please paste them; I am rather confused about how OVS implements SFC.
A1:
vagrant@classifier1:~$ sudo ovs-ofctl dump-flows -OOpenflow13 br-sfc
OFPST_FLOW reply (OF1.3) (xid=0x2):
cookie=0x0, duration=126598.327s, table=0, n_packets=25, n_bytes=2130, priority=1000,tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=80 actions=load:0xc0a80114->NXM_NX_TUN_IPV4_DST[],set_nsp:0x14,set_nsi:255,set_nshc1:0x1,set_nshc2:0x2,set_nshc3:0x3,set_nshc4:0x4,output:2
cookie=0x0, duration=126598.587s, table=0, n_packets=25, n_bytes=8352, priority=1000,nsp=8388628,nsi=253 actions=output:1
cookie=0x14, duration=126599.520s, table=0, n_packets=0, n_bytes=0, priority=5 actions=goto_table:1
vagrant@sff1:~$ sudo ovs-ofctl dump-flows -OOpenflow13 br-sfc
OFPST_FLOW reply (OF1.3) (xid=0x2):
cookie=0x14, duration=126636.987s, table=0, n_packets=75, n_bytes=12612, priority=5 actions=goto_table:1
cookie=0x0, duration=126635.524s, table=0, n_packets=25, n_bytes=8352, priority=1000,nsp=8388628,nsi=253 actions=load:0xc0a8010a->NXM_NX_TUN_IPV4_DST[],move:NXM_NX_NSP[]->NXM_NX_NSP[],move:NXM_NX_NSI[]->NXM_NX_NSI[],move:NXM_NX_NSH_C1[]->NXM_NX_NSH_C1[],move:NXM_NX_NSH_C2[]->NXM_NX_NSH_C2[],IN_PORT
cookie=0x14, duration=126636.987s, table=1, n_packets=0, n_bytes=0, priority=5 actions=drop
cookie=0x14, duration=126636.240s, table=1, n_packets=50, n_bytes=4260, priority=250,nsp=20 actions=goto_table:4
cookie=0x14, duration=126635.392s, table=1, n_packets=25, n_bytes=8352, priority=250,nsp=8388628 actions=goto_table:4
cookie=0x14, duration=126636.987s, table=2, n_packets=0, n_bytes=0, priority=5 actions=goto_table:3
cookie=0x14, duration=126636.987s, table=3, n_packets=0, n_bytes=0, priority=5 actions=goto_table:4
cookie=0x14, duration=126636.987s, table=4, n_packets=0, n_bytes=0, priority=5 actions=goto_table:10
cookie=0x14, duration=126636.133s, table=4, n_packets=25, n_bytes=2130, priority=550,nsp=20,nsi=255 actions=load:0xc0a8011e->NXM_NX_TUN_IPV4_DST[],goto_table:10
cookie=0x14, duration=126635.655s, table=4, n_packets=25, n_bytes=2130, priority=550,nsp=20,nsi=254 actions=load:0xc0a80132->NXM_NX_TUN_IPV4_DST[],goto_table:10
cookie=0x14, duration=126635.369s, table=4, n_packets=25, n_bytes=8352, priority=550,nsp=8388628,nsi=254 actions=load:0xc0a8011e->NXM_NX_TUN_IPV4_DST[],goto_table:10
cookie=0x14, duration=126636.987s, table=10, n_packets=0, n_bytes=0, priority=5 actions=drop
cookie=0xba5eba11ba5eba11, duration=126635.869s, table=10, n_packets=25, n_bytes=2130, priority=650,nsp=20,nsi=255 actions=move:NXM_NX_NSH_C1[]->NXM_NX_NSH_C1[],move:NXM_NX_NSH_C2[]->NXM_NX_NSH_C2[],move:NXM_NX_TUN_ID[0..31]->NXM_NX_TUN_ID[0..31],IN_PORT
cookie=0xba5eba11ba5eba11, duration=126635.619s, table=10, n_packets=25, n_bytes=2130, priority=650,nsp=20,nsi=254 actions=move:NXM_NX_NSH_C1[]->NXM_NX_NSH_C1[],move:NXM_NX_NSH_C2[]->NXM_NX_NSH_C2[],move:NXM_NX_TUN_ID[0..31]->NXM_NX_TUN_ID[0..31],IN_PORT
cookie=0xba5eba11ba5eba11, duration=126635.294s, table=10, n_packets=25, n_bytes=8352, priority=650,nsp=8388628,nsi=254 actions=move:NXM_NX_NSH_C1[]->NXM_NX_NSH_C1[],move:NXM_NX_NSH_C2[]->NXM_NX_NSH_C2[],move:NXM_NX_TUN_ID[0..31]->NXM_NX_TUN_ID[0..31],IN_PORT
cookie=0xba5eba11ba5eba11, duration=126635.245s, table=10, n_packets=0, n_bytes=0, priority=650,nsp=8388628,nsi=253 actions=move:NXM_NX_NSI[]->NXM_NX_NSI[],move:NXM_NX_NSP[]->NXM_NX_NSP[],move:NXM_NX_NSH_C1[]->NXM_NX_TUN_IPV4_DST[],move:NXM_NX_NSH_C2[]->NXM_NX_TUN_ID[0..31],IN_PORT
cookie=0xba5eba11ba5eba11, duration=126635.259s, table=10, n_packets=0, n_bytes=0, priority=660,nsp=8388628,nsi=253,nshc1=0 actions=IN_PORT
vagrant@sff1:~$
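As an added example (not from the original talk or the sfc project): a small Python parser that reads OVS NSH flow lines in the shape dumped above and recovers, for each (nsp, nsi) pair, the tunnel destination the SFF loads into NXM_NX_TUN_IPV4_DST, so the path actually installed in the switch can be checked against the intended chain. The flow lines below are constructed from the sff1 dump; the hex value decodes to a dotted-quad address (0xc0a8011e is 192.168.1.30), and nsp=8388628 is 0x800014, i.e. path 20 with the high bit set.

```python
import ipaddress
import re

# Constructed sample: flow lines in the shape of the sff1 dump above.
SAMPLE_FLOWS = """\
cookie=0x14, duration=1.0s, table=4, n_packets=25, n_bytes=2130, priority=550,nsp=20,nsi=255 actions=load:0xc0a8011e->NXM_NX_TUN_IPV4_DST[],goto_table:10
cookie=0x14, duration=1.0s, table=4, n_packets=25, n_bytes=2130, priority=550,nsp=20,nsi=254 actions=load:0xc0a80132->NXM_NX_TUN_IPV4_DST[],goto_table:10
cookie=0x14, duration=1.0s, table=4, n_packets=25, n_bytes=8352, priority=550,nsp=8388628,nsi=254 actions=load:0xc0a8011e->NXM_NX_TUN_IPV4_DST[],goto_table:10
cookie=0x0, duration=1.0s, table=0, n_packets=25, n_bytes=8352, priority=1000,nsp=8388628,nsi=253 actions=load:0xc0a8010a->NXM_NX_TUN_IPV4_DST[],move:NXM_NX_NSP[]->NXM_NX_NSP[],IN_PORT
cookie=0x14, duration=1.0s, table=1, n_packets=50, n_bytes=4260, priority=250,nsp=20 actions=goto_table:4
"""

# The NSH path/index match fields, and the action that rewrites the VXLAN-GPE tunnel destination.
MATCH_RE = re.compile(r"table=(\d+),.*?nsp=(\d+),nsi=(\d+)[ ,].*?actions=(.*)$")
TUN_DST_RE = re.compile(r"load:0x([0-9a-fA-F]+)->NXM_NX_TUN_IPV4_DST\[\]")


def parse_nsh_hops(dump: str) -> dict:
    """Return {(nsp, nsi): next_hop_ip} for every flow that matches on NSH path id and
    index and loads a tunnel destination; other flows (table-miss, move-only) are not hops."""
    hops = {}
    for line in dump.splitlines():
        m = MATCH_RE.search(line)
        if not m:
            continue
        _table, nsp, nsi, actions = m.groups()
        t = TUN_DST_RE.search(actions)
        if not t:
            continue
        ip = str(ipaddress.IPv4Address(int(t.group(1), 16)))  # 0xc0a8011e -> 192.168.1.30
        hops[(int(nsp), int(nsi))] = ip
    return hops


def walk_path(hops: dict, nsp: int, start_nsi: int = 255) -> list:
    """Follow one service path: each NSH-aware SF decrements nsi by one, so the chain is
    the sequence of next hops for nsi = start, start-1, ... until no flow matches."""
    path, nsi = [], start_nsi
    while (nsp, nsi) in hops:
        path.append((nsi, hops[(nsp, nsi)]))
        nsi -= 1
    return path


if __name__ == "__main__":
    table = parse_nsh_hops(SAMPLE_FLOWS)
    for path_id in sorted({p for p, _ in table}):
        start = max(n for p, n in table if p == path_id)
        print(f"nsp={path_id} (0x{path_id:06x}):", walk_path(table, path_id, start))
```

Run against a real `ovs-ofctl dump-flows` capture, the output lists, per path id, which tunnel endpoints a packet will be sent to at each service index; a hop that points at an unexpected address is a misprogrammed or tampered chain.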
Q2: Is this diagram taken from some draft or RFC?
A2: Yes, NSH encapsulation is the most important part.
Q3: I would like to ask: I saw that you used ODL to build two SFCs and separately verified the middleboxes they pass through, but how are these middleboxes introduced into ODL at the physical layer? In other words, how do you import these middleboxes, namely functions like fw, dpi, firewall, into ODL?
A3: They are configured by the user; I can excerpt some of the configuration:
{
  "service-nodes": {
    "service-node": [
      {
        "name": "node0",
        "service-function": [],
        "ip-mgmt-address": "192.168.1.10"
      },
      {
        "name": "node1",
        "service-function": [],
        "ip-mgmt-address": "192.168.1.20"
      },
      {
        "name": "node2",
        "service-function": ["dpi-1"],
        "ip-mgmt-address": "192.168.1.30"
      }
    ]
  }
}

{
  "service-functions": {
    "service-function": [
      {
        "name": "dpi-1",
        "ip-mgmt-address": "192.168.1.30",
        "rest-uri": "http://192.168.1.30:5000",
        "type": "dpi",
        "nsh-aware": "true",
        "sf-data-plane-locator": [
          {
            "name": "sf1-dpl",
            "port": 6633,
            "ip": "192.168.1.30",
            "transport": "service-locator:vxlan-gpe",
            "service-function-forwarder": "SFF1"
          }
        ]
      }
    ]
  }
}
All the scripts have been committed under sfc/sfc-demo.
Q4: Is the OVS used by the current ODL implementation a private version? The mainline version does not support NSH yet, right?
A4: Correct. There are currently two kinds of SFC: one based on NSH and one not based on NSH. OpenStack's SFC does not support NSH; ODL SFC supports NSH. NSH has not yet been merged into OVS, so it is a private patch; there is a script under sfc-demo that installs OVS + NSH:
curl https://raw.githubusercontent.com/priteshk/ovs/nsh-v8/third-party/start-ovs-deb.sh | bash
Without NSH, you can only connect the hops one after another like a pipeline; with NSH, forwarding can be decided per packet.
Q5: The script sets the dp port to 6633, which looks like ODL's tunnel port. Was it set to 6633 on purpose? Can it be changed to something else?
A5: Port 6633 can be changed. The original vxlan-gpe has a default port; I need to confirm whether it is this one.
Q6: Are there any resources for SF images? I have been playing with this recently and am struggling to find a suitable image. How far along is ODL's SFC now, still iterating or already demo-able?
A6: If you mean NSH-based SF images, there are none yet; we have recently been developing an NSH-aware + DPDK SF image.
Q7: Is the image you mentioned the vagrant box file?
A7: This image is not a vagrant box; it should be an image that OpenStack Glance can manage. Tacker + OpenStack + ODL (netvirt + SFC) is the whole solution; the SF image needs to be managed by OpenStack Glance, and this SF should be NSH aware.
Q8: If it is NSH-based, does the SF image also need to support NSH?
A8: Yes. A legacy SF needs an NSH-aware proxy.
Q9: Can the demo network not be in the same subnet as my host network? When running vagrant up, the message seems to say that 192.168.1.x cannot be on the same network as mine; my WiFi is on the 192.168.1 subnet.
A9: You can replace 192.168.1 with 192.168.2 throughout.
Q10: With the NSH solution, is the NSH header added on the classifier and then removed in the SFF?
A10: In the NSH solution, the ingress classifier adds the header, the egress classifier removes it, and the SFF keeps the header unchanged; the SF decrements the service index, so the SFF only has to forward the packet. A traditional DPI has no ability to understand the NSH header, so a proxy is needed. NSH can be understood as MPLS with metadata.
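As an added example (not from the talk or the sfc project), the three roles described in A10 in Python: the ingress classifier builds an NSH header, an NSH-aware SF (or the proxy in front of a legacy SF) decrements the service index, and the egress strips the header. It assumes the RFC 8300 MD type 1 header layout (the demo's patched OVS implemented an earlier draft, whose bit positions differ); the four context words correspond to the nshc1..nshc4 values the classifier flow in A1 sets, and nsp=20 / nsi=255 are taken from that flow.

```python
import struct

NSH_HDR_LEN = 24      # base header (4) + service path header (4) + 4 context headers (16) bytes
NSH_LEN_WORDS = 6     # header length in 4-byte words, carried in the base header
MD_TYPE_1 = 1
NEXT_PROTO_IPV4 = 0x1


def build_nsh(nsp, nsi, ctx=(0, 0, 0, 0), ttl=63, next_proto=NEXT_PROTO_IPV4):
    """Ingress classifier: build an NSH MD type 1 header for path id nsp, index nsi, metadata ctx."""
    if not 0 <= nsp < (1 << 24) or not 0 < nsi <= 255 or len(ctx) != 4:
        raise ValueError("nsp is 24-bit, nsi is 1..255, ctx has four 32-bit words")
    # Base word: Ver(2)=0 | O(1)=0 | U(1)=0 | TTL(6) | Length(6) | U(4)=0 | MD Type(4) | Next Protocol(8)
    base = ((ttl & 0x3F) << 22) | (NSH_LEN_WORDS << 16) | (MD_TYPE_1 << 8) | (next_proto & 0xFF)
    service_path = (nsp << 8) | nsi   # Service Path Identifier(24) | Service Index(8)
    return struct.pack("!IIIIII", base, service_path, *ctx)


def parse_nsh(pkt):
    """Validate and decode the NSH header at the front of pkt; reject what we cannot interpret."""
    if len(pkt) < NSH_HDR_LEN:
        raise ValueError("packet too short for an NSH MD type 1 header")
    base, service_path, c1, c2, c3, c4 = struct.unpack("!IIIIII", pkt[:NSH_HDR_LEN])
    if (base >> 30) != 0 or ((base >> 16) & 0x3F) != NSH_LEN_WORDS or ((base >> 8) & 0xF) != MD_TYPE_1:
        raise ValueError("unsupported NSH version, length or MD type")
    return {"ttl": (base >> 22) & 0x3F, "next_proto": base & 0xFF,
            "nsp": service_path >> 8, "nsi": service_path & 0xFF, "ctx": (c1, c2, c3, c4)}


def sf_process(pkt):
    """NSH-aware SF (or NSH proxy for a legacy SF): decrement the service index and pass the packet
    back to the SFF; an index that would reach 0 means the path is exhausted, so drop (return None)."""
    h = parse_nsh(pkt)
    if h["nsi"] - 1 == 0:
        return None
    return build_nsh(h["nsp"], h["nsi"] - 1, h["ctx"], h["ttl"], h["next_proto"]) + pkt[NSH_HDR_LEN:]


def egress_strip(pkt):
    """Egress classifier: remove the NSH header and hand the inner packet back to the network."""
    parse_nsh(pkt)   # refuse to forward a truncated or malformed header
    return pkt[NSH_HDR_LEN:]


if __name__ == "__main__":
    pkt = build_nsh(20, 255, (0x1, 0x2, 0x3, 0x4)) + b"inner-ip-packet"   # constructed payload
    print(parse_nsh(pkt))
    print(parse_nsh(sf_process(pkt))["nsi"], egress_strip(sf_process(pkt)))
```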