Requirements for Service Function
ChainingFrance TelecomRennes35000Francemohamed.boucadair@orange.comFrance TelecomRennes35000Francechristian.jacquenet@orange.comHuawei Technologies Co., Ltd.Bantian, Longgang districtShenzhen 518129,Chinajiangyuanlong@huawei.comAffirmed NetworksActon,MAUSARon_Parker@affirmednetworks.comCisco Systems, Inc.USAcpignata@cisco.comNTTMidori-Cho 3-9-11Musashino-shi, Tokyo 180-8585Japannaito.kengo@lab.ntt.co.jpSFCThis document identifies the requirements for the Service Function
Chaining (SFC).The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.This document identifies the requirements for the Service Function
Chaining (SFC). In particular:Generic requirements are listed in .Service Function Discovery requirements are discussed in .SFC diagnostic requirements are discussed in .Security-specific requirements are listed in .The overall problem space is described in .The reader should be familiar with the terms defined in and .The following set of functional requirements should be considered for
the design of the Service Function Chaining solution:The solution MUST NOT make any assumption on whether Service
Functions (SF) are deployed directly on physical hardware, as one or
more Virtual Machines, or any combination thereof.The solution MUST NOT make any assumption on whether Service
Functions each reside on a separate addressable Network Element, or
as a horizontal scaling of Service Functions, or are co-resident in
a single addressable Network Element, or any combination thereof.
Note: Communications between co-located Service Functions are
considered implementation-specific. These considerations are
therefore out of scope of the SFC specification effort.The solution MUST NOT require any IANA registry for Service
Functions.The solution MUST NOT assume any predefined order of Service
Functions. In particular, the solution MUST NOT require any IANA
registry to store typical Service Function Chains.The identification of instantiated Service Function Chains is
local to each administrative domain; it is policy-based and
deployment-specific.The solution MUST allow multiple instances of a given Service
Function ( i.e., a Service Function can be embedded in multiple
Network Elements).This is used for load-balancing, load-sharing, to minimize
the impact of failures (e.g., by means of a hot or cold standby
protection design), to accommodate planned maintenance
operations, etc.How these multiple devices are involved in the service
delivery is deployment-specific.The solution MUST allow for multiple Service Chains to be
simultaneously enforced within an administrative domain.The solution MUST allow the same Service Function to belong to
multiple Service Function Chains.The solution MUST support the ability to deploy multiple
SFC-enabled domains within the same administrative domain.The solution MUST be able to associate the same or distinct
Service Function Chains for each direction (inbound/outbound) of the
traffic pertaining to a specific service. In particular,
unidirectional Service Function Chains, bi-directional Service
Function Chains, or any combination thereof MUST be supported.Note, the solution must allow to involve distinct SFC
Boundary Nodes for upstream and downstream. Multiple SFC
Boundary Nodes may be deployed within an administrative
domain.The solution MUST be able to dynamically enforce Service Function
Chains. In particular, the solution MUST allow the update or the
withdrawal of existing Service Function Chains, the definition of a
new Service Function Chain, the addition of new Service Functions
without having any impact on other existing Service Functions or
other Service Function Chains.The solution MUST provide means to control the SF-inferred
information to be leaked outside an SFC-enabled domain. In
particular, an administrative entity MUST be able to prevent the
exposure of the Service Function Chaining logic and its related
policies outside the administrative domain.The solution SHOULD minimize fragmentation; in particular, a
minimal set of SFC-specific information should be conveyed in the
data packet.Traffic forwarding on a SFC basis MUST be undertaken without
relying on dedicated resources to treat fragments. In
particular, Out of order fragments MUST be forwarded on a
per-SFC basis without relying on any state.Of course, some SFs (e.g., NAT) may require dedicated
resources (e.g., resources to store fragmented packets) or they
may adopt a specific behavior (e.g, limit the time interval to
accept fragments). The solution MUST NOT interfere with such
practices.The solution MUST NOT make any assumption on how RIBs (Routing
Information Bases) and FIBs (Forwarding Information Bases) are
populated. Particularly, the solution does not make any assumption
on protocols and mechanisms used to build these tables.The solution MUST be transport independent.The Service Function Chaining should operate regardless of
the network transport used by the administrative entity. In
particular, the solution can be used whatever the switching
technologies deployed in the underlying transport
infrastructure.Techniques such as MPLS are neither required nor
excluded.The solution MUST allow for chaining logics where involved
Service Functions are not within the same layer 3 subnet.The solution MUST NOT exclude Service Functions to be within the
same IP subnet (because this is deployment-specific).The solution MUST NOT make any assumption on how the traffic is
to be bound to a given chaining policy. In other words,
classification rules are deployment-specific and policy-based. For
instance, classification can rely on a subset of the information
carried in a received packet such as 5-tuple classification.The solution MUST support traffic classification capabilities
according to the Service Function Chains supported within the SFC
domain.The solution MUST NOT require every Service Function to be
co-located with a SFC Classifier; this is a deployment-specific
decision.The solution MAY allow traffic re-classification at the level of
Service Functions (i.e., a Service Function can also be co-located
with a classifier). The configuration of classification rules in
such context are the responsibility of the administrative entity
that operates the SFC-enabled domain.The solution MUST be able to forward traffic between two Service
Functions (involved in the same Service Function Chain) without
relying upon the destination address field of the a data packet.The solution MUST allow for the association of a context with the
data packets. In particular:The solution MUST support the ability to invoke
differentiated sets of policies for a Service Function (such
sets of policies are called Profiles). A profile denotes a set
of policies configured to a local Service Function (e.g.,
content-filter-child, content-filter-adult).Few profiles should be assumed per Service Function to
accommodate the need for scalable solutions.A finer granularity of profiles may be configured
directly to each Service Function; there is indeed no need
to overload the design of Service Function Chains with
policies of low-level granularity.The solution MUST allow for Operations, Administration, and
Maintenance (OAM) features . In
particular, the solution MUST:Support means to verify the completion of the forwarding
actions until the SFC Border Node is reached (see Section 3.4.1
of ).Support means to ensure coherent classification rules are
installed in and enforced by all the Classifiers of the SFC
domain.Support means to correlate classification policies with
observed forwarding actions.Support in-band liveliness and functionality checking
mechanisms for the instantiated Service Function Chains and the
Service Functions that belong to these chains.The solution MUST prevent the same Service Function to be invoked
multiple times within the context of the same Service Function Chain
(at the risk of generating Service Function Loop).The solution MUST allow for load-balancing.Load-balancing may be provided by legacy technologies or
protocols (e.g., make use of load-balancers)Load-balancing may be part of the Service Function
itself.Load-balancer may be considered as a Service Function
element.Because of the possible complications, load balancing SHOULD
NOT be driven by the SFC Classifier.The solution MUST separate SF-specific policy
provisioning-related aspects from the actual handling of packets
(including forwarding decisions).The solution SHOULD support means to detect the liveliness of
involved Service Functions.Means to dynamically discover Service Functions SHOULD be
supported.Service Functions may be reachable using IPv4 and/or IPv6. The
administrative domain entity MUST be able to define and enforce
policies with regards to the address family to be used when invoking
a Service Function. A SF Map may be composed of IPv4 addresses, IPv6 addresses,
or a mix of both IPv4 and IPv6 addresses.Multiple Service Functions can be reachable using the same IP
address. Each of these Service Functions is unambiguously
identified with a Service Function Identifier.The solution MUST allow for gradual deployment in legacy
infrastructures, and therefore coexist with legacy technologies that
cannot support SFC-specific capabilities, such as SFC Map
interpretation and processing. The solution MUST be able to work in
a domain that may be partly composed of opaque elements, i.e.,
elements that do not support SFC-specific capabilities.The solution MUST be able to provide different SLAs (Service
Level Agreements, ).
In particular,The solution MUST allow for different levels of service to be
provided for different traffic streams (e.g., configure Classes
of Service (CoSes)).The solution MUST be able to work properly within a Diffserv
domain .The solution SHOULD support the two modes defined in .ECN re-marking, when required, MUST be performed according to
.This section lists the set of requirements for the Service Function
Discovery procedure (denoted hereafter as "the solution").The solution MUST use the Service Function Identifier as a unique
identifier that unambiguously distinguishes a Service Function among
the set of Service Functions enabled in a given SFC domain.The solution MUST NOT make any assumption on how a Service
Function Identifier is configured and associated to a given Service
Function.The solution MUST allow for the dynamic discovery of all
locations where a given Service Function may reside and be invoked
for a given SF chain. Particularly, the solution MUST allow for the
dynamic discovery of both IPv4 and IPv6 locators of a Service
Function instance.The solution SHOULD allow the dynamic discovery of additional
information characterizing a Service Function, including:The capabilities of the Service Function.The capacity of the Service Function. For example, this
information can refer to the maximum number of binding entries
that can be supported by a NAT function, the maximum number of
IP-in-IP tunnels that can be established, the maximum link
capacity, etc.The current load of the Service Function. This information
may be used for load-balancing purposes for instance. This
parameter may reflect the amount of active NAT entries, the
number of active IP-in-IP tunnel, the link capacity usage,
etc.The solution MUST support means to protect the SFC domain as a
whole against attacks that would lead to the discovery of an
illegitimate Service Function. For example, a Service Function that
cannot be invoked for a specific SF chain.The solution MUST support means to dynamically detect that a
Service Function instance is out of service and notify the relevant
elements accordingly (PDP and classifiers, for one).The solution MUST allow a Service Function instance to
dynamically announce scheduled periods of unavailability (for
maintenance purposes, for example). The support of this capability
is useful for instance to migrate traffic to another instance of the
same Service Function so as to minimize service disruption. Note
also that operational teams proceed to regular reboots of
operational devices (for major software upgrades, for example).
Dynamically advertising such events to inform the PDP that a Service
Function instance will not be available during the reboot of the
device, would be useful. Means to indicate whether the Service
Function will be available immediately after the reboot or not are
RECOMMENDED. Indeed, such information will be used as an input to
the decision-making process of the PDP to avoid any subsequent
traffic forwarding policy changes at the risk of service
disruption.The solution MAY allow for a Service Function to dynamically
discover its PDP.This section lists the set of requirements for the SFC Diagnosis
& Troubleshooting procedure (denoted hereafter as "the
solution").The solution MUST allow to assess the status of the
serviceability of a Service Function (i.e., the Service Function
that provides the service(s) it is configured for).The solution MUST NOT rely only on IP reachability to assess
whether a Service Function is up and running.The solution MUST allow to diagnose the availability of a Service
Function Chain.The solution MUST support the correlation between a Service
Function Chain and the actual forwarding path followed by a packet
matching that SFC.The solution MUST allow to diagnose the availability of a segment
of a Service Function Chain, i.e., a subset of service functions
that belong to the said chain.The solution MUST be able to analyze the outcomes of the
processing of a test packet when presented to a given Service
Function for diagnosis purposes.The solution MUST support the unsolicited notification of signals
as a means to notify the PDPs whenever some events occur (for
example, a malfunctioning service function instance).The solution MUST allow for local diagnostic procedures specific
to each Service Function.The solution MUST allow to make use of local diagnostic
procedures (e.g., regular checks using built-in diagnostic
procedures).The solution MUST allow for customized service diagnostic. For
example, the solution should be able to generate a test packet as
per a customer's request who may have observed some service
degradation.Designing the SFC solution to accommodate per-subscriber SFCs rather
than SFCs on a per group of subscribers basis, should be conditioned by
the outcomes of assessing the validity of use cases requiring such
per-subscriber SFC feature. Note, instantiating per-subscriber SFCs
would mean that millions of SFCs would need be to handled within an
SFC-enabled domain!Authors of this document do not require any action from IANA.Below are listed some security-related requirements to be taken into
account when designing the Service Function Chaining solution:The solution MUST provide means to prevent any information
leaking that would be used as a hint to guess internal engineering
practices (e.g., network topology, service infrastructure topology,
hints on the enabled mechanisms to protect internal service
infrastructures, etc.).In particular, topology hiding means MUST be supported to
avoid the exposure of the SFC-enabled domain topology (including
the set of the service function chains supported within the
domain and the corresponding Service Functions that belong to
these chains).The solution MUST support means to protect the SFC-enabled domain
against any kind of denial-of-service and theft of service (e.g.,
illegitimate access to the service) attack. For example, a user should not be granted access to
connectivity services he/she didn't subscribe to (including
direct access to some SFs), at the risk of providing
illegitimate access to network resources.The solution MUST NOT interfere with IPsec (in particular IPsec integrity checks).The following individuals contributed text to the document:Many thanks to K. Gray, N. Takaya, H. Kitada, and H. Kojima for their
comments.