Dear WGs,

The applicability of Service Function Chaining with metadata in the SRv6 Network Programming model is obvious.

This document describes a scalable firewall use-case that decreases the number of rules by one to two orders of magnitude by leveraging source and destination class information carried in an SRH TLV. The TLV is populated by the head-end node, and a lookup is triggered by the firewall's service SID function. Any other intermediate SR endpoint simply ignores the TLV, so that its presence in the SRH has no impact on packet processing behavior or performance.

The draft builds on the network programmability capability of SRv6, specifically the ability of an intermediate SRv6 endpoint to determine whether to process or ignore specific SRH TLVs based on the SID function. This allows service and underlay instructions to be combined in the same segment list without restrictions on the service capabilities or performance degradation in the routers processing underlay instructions.

This document is supported by a PoC implementation in FD.io VPP and the iptables-based SERA firewall.

Thanks!

-----Original Message-----
From: I-D-Announce [mailto:[email protected]] On Behalf Of [email protected]
Sent: Monday, March 25, 2019 10:42 AM
To: [email protected]
Subject: I-D Action: draft-guichard-spring-srv6-simplified-firewall-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

        Title           : Simplifying Firewall Rules with Network Programming and SRH Metadata
        Authors         : James N Guichard
                          Clarence Filsfils
                          Daniel Bernier
                          Zhenbin Li
                          Francois Clad
                          Pablo Camarillo
                          Ahmed AbdelSalam
        Filename        : draft-guichard-spring-srv6-simplified-firewall-00.txt
        Pages           : 7
        Date            : 2019-03-25

Abstract:
   A clear application of the SRv6 Network Programming model consists in steering, in a stateless manner, packets through a Service Function Chain (SFC). Each Service Function (SF) is identified by a segment. Each SF can enrich its operation thanks to metadata present in the SRH.

   This document describes a practical use-case where the SF is a firewall and the metadata helps to drastically decrease the number of rules that need to be maintained by the operation team.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-guichard-spring-srv6-simplified-firewall/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-guichard-spring-srv6-simplified-firewall-00
https://datatracker.ietf.org/doc/html/draft-guichard-spring-srv6-simplified-firewall-00
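The mechanism described in the message above, as an added illustration that is not code from the draft, from FD.io VPP, or from the SERA PoC: a toy model in which the head-end classifies source and destination addresses, encodes the two class identifiers in an SRH TLV, a plain End SID advances the segment list without looking at the TLV, and the firewall service SID matches on the (source class, destination class) pair instead of on address pairs. The TLV type value 250, the 2+2 byte class layout, the prefix-to-class table and the addresses are all assumptions made for this example; RFC 8754 only fixes the generic Type/Length/Value shape of SRH TLVs (and the one-octet Pad1 TLV), and the draft's actual encoding is not reproduced here.

```python
"""Toy model of SRH-TLV class metadata driving a class-based firewall.

Added example only: the TLV type, value layout, class table and addresses
are constructed for illustration and are not taken from the draft.
"""
import ipaddress
import struct

CLASS_TLV_TYPE = 250   # hypothetical TLV type; not assigned by any RFC or by the draft


def encode_class_tlv(src_class: int, dst_class: int) -> bytes:
    """Type(1) Length(1) Value: source class (2 bytes) + destination class (2 bytes)."""
    return struct.pack("!BBHH", CLASS_TLV_TYPE, 4, src_class, dst_class)


def parse_srh_tlvs(raw: bytes) -> dict:
    """Walk generic Type/Length/Value TLVs; unknown types are kept, not rejected."""
    tlvs, i = {}, 0
    while i < len(raw):
        t = raw[i]
        if t == 0:                       # Pad1 TLV (RFC 8754): one octet, no length field
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TLV header")
        length = raw[i + 1]
        if i + 2 + length > len(raw):
            raise ValueError("truncated TLV value")
        tlvs[t] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return tlvs


def head_end_classify(src_ip: str, dst_ip: str, class_map: dict) -> tuple:
    """Head-end: map each address to a class by longest-prefix match over a constructed table."""
    def lookup(ip):
        addr = ipaddress.ip_address(ip)
        best = None
        for prefix, cls in class_map.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, cls)
        if best is None:
            raise LookupError(f"no class for {ip}")
        return best[1]
    return lookup(src_ip), lookup(dst_ip)


def build_packet(src_ip: str, dst_ip: str, segments: list, tlv: bytes) -> dict:
    """Minimal packet model: segment list in traversal order plus raw SRH TLV bytes."""
    return {"src": src_ip, "dst": dst_ip, "segments": list(segments),
            "segments_left": len(segments) - 1, "tlv": tlv}


def intermediate_endpoint(pkt: dict) -> dict:
    """A plain End SID: advance the segment list and leave the TLV bytes untouched."""
    if pkt["segments_left"] == 0:
        raise ValueError("End SID reached with Segments Left = 0")
    pkt["segments_left"] -= 1
    return pkt


def firewall_sid(pkt: dict, rules: dict, default: str = "deny") -> str:
    """Firewall service SID: read the class TLV and match on (src_class, dst_class).

    Missing or malformed metadata falls back to the default policy rather than
    being treated as a match; with a deny default, stripping the TLV gains nothing.
    """
    tlvs = parse_srh_tlvs(pkt["tlv"])
    value = tlvs.get(CLASS_TLV_TYPE)
    if value is None or len(value) != 4:
        return default
    src_cls, dst_cls = struct.unpack("!HH", value)
    return rules.get((src_cls, dst_cls), default)


def rule_counts(n_src_hosts: int, n_dst_hosts: int,
                n_src_classes: int, n_dst_classes: int) -> tuple:
    """Rules needed per address pair versus per class pair."""
    return n_src_hosts * n_dst_hosts, n_src_classes * n_dst_classes


def demo() -> dict:
    """Constructed scenario: finance (1) may reach db (10); guest (2) may not."""
    class_map = {"2001:db8:1::/48": 1, "2001:db8:2::/48": 2, "2001:db8:10::/64": 10}
    rules = {(1, 10): "allow"}                     # one class-pair rule instead of N x M
    path = ["2001:db8:ff::1", "2001:db8:ff::fw", "2001:db8:10::5"]
    verdicts = {}
    for src in ("2001:db8:1::42", "2001:db8:2::7"):
        s_cls, d_cls = head_end_classify(src, "2001:db8:10::5", class_map)
        pkt = build_packet(src, "2001:db8:10::5", path, encode_class_tlv(s_cls, d_cls))
        intermediate_endpoint(pkt)                # End SID ignores the TLV
        verdicts[src] = firewall_sid(pkt, rules)
    return verdicts


if __name__ == "__main__":
    print(demo())
    print(rule_counts(1000, 200, 8, 5))
```

The point the model makes concrete: the rule table at the firewall is keyed by class pairs, so its size is bounded by the number of classes rather than by the number of addresses, and the classification decision is made once at the head-end, where the operator already knows which prefix belongs to which role. The fallback to the default policy when the TLV is absent matters in practice: a firewall that treated "no metadata" as "allow" would turn TLV removal or omission into a bypass.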
