Appreciate your response to the questions, Yi Yang. These are very helpful. Definitely going to try the ODL SFC demo as shown below (and maybe more queries around this...)

-Ashish

________________________________
From: Yang, Yi Y <[email protected]>
Sent: Tuesday, April 24, 2018 5:52:11 PM
To: Ashish Varma; [email protected]; [email protected]
Cc: Brady Johnson; Justin Pettit; Pierluigi Rolando; Raju Koganty; Kantesh Mundaragi; Niaz Khan
Subject: RE: NSH related questions

Also cc Brady Johnson, who is the Opendaylight SFC project lead; he can add more comments about your questions.

From: Yang, Yi Y
Sent: Wednesday, April 25, 2018 8:45 AM
To: 'Ashish Varma' <[email protected]>; [email protected]; [email protected]
Cc: Justin Pettit <[email protected]>; Pierluigi Rolando <[email protected]>; Raju Koganty <[email protected]>; Kantesh Mundaragi <[email protected]>; Niaz Khan <[email protected]>
Subject: RE: NSH related questions

Sorry for the late response; I have been busy with other things, so I did not check the ovs mailing list. Replies inline.

From: Ashish Varma [mailto:[email protected]]
Sent: Tuesday, April 17, 2018 3:28 AM
To: [email protected]; [email protected]; Yang, Yi Y <[email protected]>
Cc: Justin Pettit <[email protected]>; Pierluigi Rolando <[email protected]>; Raju Koganty <[email protected]>; Kantesh Mundaragi <[email protected]>; Niaz Khan <[email protected]>
Subject: NSH related questions

Hi Jan / Yi Yang,

We, at VMware, are working on integrating partner services on NSX using NSH support on OVS. It would be very helpful to understand the current NSH/SFC adaptation trend and deployment scenarios happening in the industry. Regarding this, we have a few questions and it would be very helpful to get any insight on these:

1. When the classifier classifies a packet (stream) to follow a particular Service Function Path, the path may consist of going to multiple Service Function Forwarders (e.g. to cover all the Service Functions which may be spread across the network or data center). The last SFF could be far from the classifier (assuming there is only one in this SFP) where the NSH header was added to the original packet. How do packets generally go back on their original path? Are they sent back to the original classifier, or are there cases where you see the last SFF intelligent enough to know the next hop of the packet outside the SFC overlay?

[Yi] In Opendaylight SFC, we have an ingress classifier and an egress classifier for end-to-end traffic. We have two SFPs (called RSP, rendered service path, in ODL sfc) for an end-to-end traffic, a forward RSP and a reverse RSP; usually they are symmetric, it is also if they are asymmetric. We also have some tricky way to avoid the egress classifier by openflow rules; in that case, NSH metadata (C1 to C4) will save the reverse SFP ID and the original classifier source IP. Maybe a written explanation is not enough for you; you can try the Opendaylight SFC 103 and 104 demos (https://git.opendaylight.org/gerrit/gitweb?p=sfc.git;a=tree;f=sfc-demo;h=d8ff2d575b8eedb5e42b9696d9869303bad0be95;hb=HEAD). You can dump the flow tables once you run it successfully; those tables can help you understand how the traffic is steered to the correct classifier and forwarders.

2. In your experience, have you seen SFC being deployed on an existing overlay network? E.g. SFC on top of OVN, where now there is an SFC overlay network over a tunnel-based OVN overlay network. Have you encountered any challenges with this? (e.g. increase in packet size)

[Yi] In China, Sangfor (an information security product vendor) is developing a product for a security resources pool by using sfc to go through security services in the resource pool. This is a very typical solution in a cloud environment; some other vendors are also doing similar things.

3. Are there any third party Virtual Network Functions which are NSH/SFC compliant?

[Yi] F5 has such a VNF, but I’m not sure how it handles NSH.

4. SFC proxy is supposed to de-capsulate the NSH header when sending the packet to the Service Function and encapsulate the NSH header back when sending back to the SFF. The NSH header information (SPI/SI, context headers etc.) needs to be put back on the packet when going back to the SFF. If this is to be done using OVS flows (without sending the packets to a Controller which can remember the information), we will have to come up with some kind of ‘learn’ flow to dynamically put the header back. What are your thoughts on this?

[Yi] It will be very complicated if you let OVS use openflow to do NSH proxy, because you have to maintain a map between (SPI, SI) and inner traffic. A better way is to have a special NSH proxy to handle this, or the VNF handles it by itself. Sangfor uses OVS openflow rules to handle this.

Thanks,
Ashish Varma
_______________________________________________
discuss mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
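
The state an NSH proxy has to keep, as discussed in question 4 of the thread above, shown as an added example that is not part of the original messages and is not OVS or OpenDaylight code. The hypothetical `NshProxy` strips an MD Type 1 NSH header (RFC 8300 layout), remembers (SPI, SI, C1 to C4) per inner IPv4 5-tuple, and restores it with SI decremented on return; all names and sample packets are constructed.

```python
import struct

NSH_LEN_WORDS, NSH_MD_TYPE1, NSH_NP_IPV4 = 6, 0x1, 0x01   # RFC 8300 MD Type 1

def build_nsh(spi, si, ctx, ttl=63):
    """MD Type 1 NSH header: base word, SPI(24)|SI(8), four 32-bit context words."""
    word0 = (ttl << 22) | (NSH_LEN_WORDS << 16) | (NSH_MD_TYPE1 << 8) | NSH_NP_IPV4
    return struct.pack("!II4I", word0, (spi << 8) | si, *ctx)

def parse_nsh(pkt):
    """Return (spi, si, ctx, inner_packet); reject anything but MD Type 1 over IPv4."""
    if len(pkt) < 24:
        raise ValueError("truncated NSH header")
    word0, path = struct.unpack("!II", pkt[:8])
    if ((word0 >> 16) & 0x3F, (word0 >> 8) & 0xF, word0 & 0xFF) != (
            NSH_LEN_WORDS, NSH_MD_TYPE1, NSH_NP_IPV4):
        raise ValueError("unsupported NSH header")
    return path >> 8, path & 0xFF, struct.unpack("!4I", pkt[8:24]), pkt[24:]

def flow_key(ip):
    """Inner IPv4 5-tuple: src, dst, protocol, and the first 4 L4 bytes (ports)."""
    ihl = (ip[0] & 0x0F) * 4
    return ip[12:16], ip[16:20], ip[9], ip[ihl:ihl + 4]

class NshProxy:
    """Hypothetical proxy in front of an NSH-unaware service function (SF)."""
    def __init__(self):
        self.paths = {}                      # flow_key -> (spi, si, ctx)

    def to_sf(self, pkt):
        spi, si, ctx, inner = parse_nsh(pkt)
        self.paths[flow_key(inner)] = (spi, si, ctx)
        return inner                         # what the SF sees: plain IPv4

    def from_sf(self, inner):
        entry = self.paths.get(flow_key(inner))
        if entry is None:
            return None                      # unknown flow: no path to restore, drop
        spi, si, ctx = entry
        if si <= 1:
            return None                      # decrement would give SI 0: drop
        return build_nsh(spi, si - 1, ctx) + inner   # proxy decrements SI for the SF

def sample_ipv4_udp(src, dst, sport, dport, payload=b"constructed"):
    """Constructed test packet (checksums left at 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(src), bytes(dst))
    return ip + udp
```

A service function that rewrites the inner 5-tuple makes the lookup miss, so `from_sf` returns `None` and the packet cannot be put back on its service path.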
