Network Working Group L. Fourie
Internet-Draft H. Zhang
Intended Status: Proposed Standard F. Sunavala
Expires: February 19, 2017 Huawei
J. McDowall
Palo Alto Networks
August 18, 2016
NSH Encapsulation in Geneve
draft-fourie-nvo3-nsh-geneve-encap-00
Abstract
This document describes how the Network Service Header (NSH) used for
service chaining is encapsulated in Geneve tunnel TLV metadata.
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Copyright and License Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Fourie, et al Expires February 19, 2017 [Page 1]
Internet-Draft NSH Encapsulation in Geneve August 18, 2016
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions used in this document . . . . . . . . . . . . . . 3
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
5. NSH Encapsulation in Geneve. . . . . . . . . . . . . . . . . . 4
5.1 Geneve Encapsulation Headers . . . . . . . . . . . . . . . . 4
5.2 Geneve NSH Service Path TLV . . . . . . . . . . . . . . . . 5
5.3 Geneve NSH MD Type-1 Context TLV . . . . . . . . . . . . . . 5
5.4 Geneve NSH MD Type-2 Context TLV . . . . . . . . . . . . . . 6
5.5 Example Geneve Header . . . . . . . . . . . . . . . . . . . 6
6. Security Considerations . . . . . . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
8.1 Normative References . . . . . . . . . . . . . . . . . . . 7
8.2 Informative References . . . . . . . . . . . . . . . . . . 7
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
Network Service Header (NSH) [SFC-NSH] is a protocol used to create
Service Function Chains (SFC) [RFC7665]. As such, NSH provides Service
Function Path identification and the transport of metadata between
Service Functions.
NSH is independent of the underlying transport mechanism and may be
encapsulated in a number of different transports. The presence of NSH in
the outer transport is indicated by a protocol type or other indicator
in the outer encapsulation.
An example of NSH encapsulation in GRE from the NSH specification [SFC-
NSH] is shown here.
+----------+--------------------+--------------------+-------------+----------------+
|L2 header | L3 header, proto=47|GRE header,PT=0x894F| NSH, NP=0x1 |Original packet |
+----------+--------------------+--------------------+-------------+----------------+
Figure 1: NSH in GRE Encapsulation
Geneve [GENEVE] is an IP-based transport tunnel protocol between
hypervisors and other devices used in network virtualization
environments such as the modern data center. One of the primary
characteristics of Geneve is its ability to carry a large amount of
metadata within the packet header in a flexible manner through the use
of Type-Length-Value (TLV) elements.
One example of a system using Geneve is Open Virtual Networking (OVN)
[OVN]. OVN is an open source network virtualization project which uses
Geneve TLVs to carry information between hypervisors to compose a
network. Current uses of the data include logical ingress and egress
ports but this will likely continue to evolve in the future.
There is currently no mechanism defined to transport NSH over Geneve.
This document describes a scheme to encapsulate NSH in Geneve TLV
metadata.
2. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. Terminology
The terminology used in this document is from [RFC7665], [GENEVE] and
[OVN] and is summarized here for convenience:
Metadata: Provides contextual information about data packets.
Service Function (SF): A network function that provides a value-added
service to packet flows. Service functions include: firewall, DPI
(Deep Packet Inspection), NAT, HTTP Header Enrichment function,
TCP optimizer, load-balancer, etc.
Service Function (SF) Chain: An ordered list of Service Function
instances.
SFC-enabled domain: Denotes a network (or a region thereof) that
implements SFC.
TLV: Type-Length-Value data structure. This is a variable length
structure used to transport optional Geneve metadata.
VNI: Virtual Network Identifier.
5. NSH Encapsulation in Geneve
The NSH can be transported in a number of Geneve TLVs. The following
Geneve TLVs must be used to transport the NSH:
1. NSH Service Path (NSH-SP) TLV
2. NSH MD Type-1 Context (NSH-MD1) TLV
3. NSH MD Type-2 Context (NSH-MD2) TLV
The fixed length NSH MD Type-1 Context field is mapped to the Geneve MD
Type-1 TLV. Each NSH MD Type-2 TLV present in the NSH is mapped to a
separate Geneve MD Type-2 TLV. There is no need to transport the NSH
Base header as its information is already present in the Geneve header.
5.1 Geneve Encapsulation Headers
The Geneve encapsulation headers are shown below. The Geneve header is
followed by various NSH TLVs described in the following sections.
+----------+----------+----------------------+--------------+---------+----------------+----------------+
|L2 header |L3 header |UDP header dport=6081 |Geneve header |NSH TLVs |Inner L2 header |Original packet |
+----------+----------+----------------------+--------------+---------+----------------+----------------+
Figure 2: NSH in Geneve Encapsulation
5.2 Geneve NSH Service Path TLV
The Geneve NSH Service Path TLV is shown below. The Geneve NSH-SP TLV
Class is defined in the section on IANA Considerations.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Geneve NSH-SP TLV Class    |    Type=0     |R|R|R|  Len=1  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                Service Path ID                | Service Index |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: Geneve NSH Service Path TLV
The Service Path ID and the Service Index are mapped directly from the
NSH Service Path header.
5.3 Geneve NSH MD Type-1 Context TLV
The fixed length Geneve NSH MD-Type-1 Context TLV is shown below. The
Geneve NSH-MD1 TLV Class is defined in the section on IANA
Considerations.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Geneve NSH-MD1 TLV Class    |     Type      |R|R|R|  Len=4  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   Mandatory Context Header                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   Mandatory Context Header                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   Mandatory Context Header                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   Mandatory Context Header                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: Geneve NSH MD Type-1 Context TLV
The Type field is used to identify the different content allocations for
various usage scenarios described in [CTX-DC], [CTX-BB] and [CTX-NS].
These are listed below.
+----------------+--------------------------------------+
| Type           | Description                          |
+----------------+--------------------------------------+
| 0              | NSH MD Type-1 TLV - Data Center      |
| 1              | NSH MD Type-1 TLV - Broadband        |
| 2              | NSH MD Type-1 TLV - Network Security |
+----------------+--------------------------------------+
Other NSH Context header allocations may be introduced in the future and
new Type values will be assigned for them.
5.4 Geneve NSH MD Type-2 Context TLV
The variable length Geneve NSH MD Type-2 Context TLV is shown below. The
contents of this Geneve NSH MD Type-2 TLV is an NSH MD Type-2 TLV [SFC-
NSH], including the NSH TLV Class, Type, and Len fields, followed by its
variable length contents. The Geneve NSH-MD2 TLV Class is defined in the
section on IANA Considerations.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Geneve NSH-MD2 TLV Class    |    Type=0     |R|R|R|   Len   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         NSH TLV Class         |C|    Type     |R|R|R|   Len   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~                 Variable Length TLV Contents                  ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: Geneve NSH MD Type-2 Context TLV
5.5 Example Geneve Header
An example of the Geneve header with the NSH Service Path TLV and the
NSH MD Type-2 Context TLV is shown below.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Ver|  Opt Len  |O|C|   Rsvd.   |         Protocol Type         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Virtual Network Identifier (VNI)        |   Reserved    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Geneve NSH-SP TLV Class    |    Type=0     |R|R|R|  Len=1  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                Service Path ID                | Service Index |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Geneve NSH-MD2 TLV Class    |    Type=0     |R|R|R|   Len   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         NSH TLV Class         |C|    Type     |R|R|R|   Len   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~                 Variable Length TLV Contents                  ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 6: Geneve Header with NSH-SP TLV and NSH-MD2 TLV
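As an added illustration of Sections 5.2, 5.4 and 5.5 (example code, not part of this draft), the following Python builds the Geneve header of Figure 6 with an NSH-SP TLV and an NSH-MD2 TLV using the experimental Option Class values of Section 7, then parses it back with the bounds checks a receiver needs before trusting the Len fields. It assumes the inner NSH MD Type-2 Len counts 4-byte words like the Geneve Len, and the VNI, Service Path ID, Service Index and TLV values are constructed sample data.

```python
import struct
CLASS_NSH_SP, CLASS_NSH_MD1, CLASS_NSH_MD2 = 0xfffd, 0xfffe, 0xffff  # Section 7, experimental, pending IANA

def geneve_option(opt_class, opt_type, body):
    """One Geneve option: Class(16) Type(8) RRR(3) Len(5); Len counts 4-byte words of body."""
    if len(body) % 4 or not 0 < len(body) <= 31 * 4:
        raise ValueError("option body must be 1..31 four-byte words")
    return struct.pack("!HBB", opt_class, opt_type, len(body) // 4) + body

def nsh_sp_tlv(spi, si):
    """Figure 3: Service Path ID (24 bits) and Service Index (8 bits), Len=1."""
    return geneve_option(CLASS_NSH_SP, 0, struct.pack("!I", (spi << 8) | si))

def nsh_md2_tlv(nsh_class, critical, nsh_type, value):
    """Figure 5: an NSH MD Type-2 TLV (Class(16) C(1) Type(7) RRR(3) Len(5)) as body; inner Len assumed in 4-byte words."""
    padded = value + b"\x00" * (-len(value) % 4)
    inner = struct.pack("!HBB", nsh_class, (critical << 7) | (nsh_type & 0x7f), len(padded) // 4)
    return geneve_option(CLASS_NSH_MD2, 0, inner + padded)

def geneve_header(vni, proto, options):
    """Figure 6: Ver=0 | Opt Len(6) | O=C=0, Rsvd | Protocol Type | VNI(24), Reserved(8); then options."""
    opts = b"".join(options)
    if len(opts) > 63 * 4:
        raise ValueError("options exceed the 6-bit Opt Len field")
    return struct.pack("!BBHI", len(opts) // 4, 0, proto, vni << 8) + opts

def parse_nsh_options(pkt):
    """Walk the Geneve options with strict bounds checks and return the NSH fields found."""
    ver_optlen, _, _, vni_rsvd = struct.unpack("!BBHI", pkt[:8])
    if ver_optlen >> 6 != 0:
        raise ValueError("unsupported Geneve version")
    off, end, out = 8, 8 + (ver_optlen & 0x3f) * 4, {"vni": vni_rsvd >> 8, "md2": []}
    if end > len(pkt):
        raise ValueError("Opt Len runs past end of packet")
    while off < end:
        if off + 4 > end:
            raise ValueError("truncated option header")
        cls, typ, ln = struct.unpack("!HBB", pkt[off:off + 4])
        blen = (ln & 0x1f) * 4
        if off + 4 + blen > end:
            raise ValueError("option body runs past Opt Len")
        body = pkt[off + 4:off + 4 + blen]
        if cls == CLASS_NSH_SP and typ == 0 and blen == 4:
            out["sp"] = (int.from_bytes(body[:3], "big"), body[3])
        elif cls == CLASS_NSH_MD2 and blen >= 4:
            ncls, ctyp, nln = struct.unpack("!HBB", body[:4])
            out["md2"].append((ncls, ctyp >> 7, ctyp & 0x7f, body[4:4 + (nln & 0x1f) * 4]))
        off += 4 + blen
    return out
```

The Opt Len and per-option Len checks are what stop a crafted length from reading past the packet; the NSH-MD1 TLV of Figure 4 (Len=4, Type 0..2) fits the same walk once its class is matched.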
6. Security Considerations
Existing security protocols such as IPsec [RFC6071] may be used to
encrypt the content of a packet that includes the NSH. Existing security
protocols that provide authenticity and authorization can also be used.
Where possible, the NSH should be used in a controlled network with
trusted devices, for example a data center or a Gi-LAN network, which
reduces the risk of unauthorized header manipulation.
7. IANA Considerations
IANA is requested to assign additional Geneve Option Class values to
identify NSH TLVs as listed below.
Initially, the Experimental Geneve Option Class values 0xfffd-0xffff
will be used to identify NSH TLVs until the IANA assignment is granted.
+----------------+--------------------------------------+
| Option Class   | Description                          |
+----------------+--------------------------------------+
| 0xfffd         | NSH Service Path TLV                 |
| 0xfffe         | NSH MD Type-1 Context TLV            |
| 0xffff         | NSH MD Type-2 Context TLV            |
+----------------+--------------------------------------+
8. References
8.1 Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC6071] Frankel, S. and S. Krishnan, "IP Security (IPsec) and
Internet Key Exchange (IKE) Document Roadmap", RFC 6071,
February 2011.
[RFC7665] Halpern, J. and C. Pignataro, "Service Function Chaining
(SFC) Architecture", RFC 7665, October 2015.
8.2 Informative References
[GENEVE] Gross, J. and I. Ganga, "Geneve: Generic Network
Virtualization Encapsulation".
[OVN] "Open Virtual Network Architecture".
[SFC-NSH] Quinn, P. and U. Elzur, "Network Service Header".
[NSH-TLV] Quinn, P. et al., "Network Service Header TLVs".
[CTX-DC] Guichard, J. et al., "Network Service Header (NSH) Context
Header Allocation (Data Center)".
[CTX-BB] Meng, W. and C. Wang, "NSH Context Header - Broadband".
[CTX-NS] Wang, E. and K. Leung, "Network Service Header (NSH)
Context Header Allocation (Network Security)".
10. Acknowledgments
The authors would like to thank Jesse Gross and Russell Bryant for their
review, comments and contributions.
Authors' Addresses
Louis Fourie
Huawei US R&D
EMail: louis.fourie@huawei.com
Hong (Cathy) Zhang
Huawei US R&D
EMail: cathy.h.zhang@huawei.com
Farhad Sunavala
Huawei US R&D
EMail: farhad.sunavala@huawei.com
John McDowall
Palo Alto Networks
Email: jmcdowall@paloaltonetworks.com