SRv6 SFC Technology White Paper-6W100

  • Released At: 18-12-2024

SRv6 SFC Technology White Paper

Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

This article contains general technical information, some of which may not be applicable to the product you purchased.



Overview

Technical background

To meet service security and stability requirements, you can steer data packets to pass through various service nodes as orchestrated in the network. For example, steer data packets to pass through firewalls, IPSs, application accelerators, and NAT devices. SRv6 service function chaining (SFC) is a technology that can meet the requirements. This technology adds SRv6 path information to the original packets to steer the packets to pass through application service devices as orchestrated. The path orchestrated by SRv6 SFC is called an SRv6 service chain.

Benefits

The SRv6 SFC technology has the following advantages:

·     Flexible network orchestration

The design of SRv6 SFC is based on SDN, bridging the gap between applications and networks, thus better implementing the Application-Driven Network (AD-NET). When deploying different services or adjusting services, you only need to change the service chain order without changing the network element configuration, enabling flexible initiation and rapid deployment of network services.

·     The network is programmable, making it easy to meet new service requirements.

SRv6 SFC utilizes various types of SRv6 SIDs to indicate different forwarding actions. By operating different SIDs, it can meet the requirements of various service scenarios.

Users can also define new SID types as needed in the future, which gives the technology excellent scalability.

SRv6 service chain basic concepts

Figure 1 SRv6 service chain network diagram

 

As shown in Figure 1, service data enters the SRv6 service chain network from the customer network and is processed sequentially by the application service nodes SF 1 and SF 2. Finally, the service data is forwarded back to the customer network at the destination. The SRv6 service chain network contains the following components:

·     Service classifier (SC)—Source node of the SRv6 service chain, which is located at the edge of the SRv6 service chain network. The SC can use multiple methods to steer service data to an SRv6 TE policy tunnel.

·     Service function (SF)—Node that provides specific application services for data traffic. An application service node that cannot recognize SRv6 packets is called an SRv6-unaware SF. An application service node that can recognize SRv6 packets is called an SRv6-aware SF.

·     Service function forwarder (SFF)—Node that acts as a service chain proxy for SFs. Based on the SRv6 decapsulation information of received packets, the SFF forwards the packets to the SFs associated with the SFF. The SFs process the packets, and then return the packets back to the SFF. The SFF determines whether to continue forwarding the packets.

SRv6 SFC supports the following two proxy modes:

·     Static proxy mode

·     Masquerading mode

Static proxy mode

About static proxy mode

Use this mode if SRv6-unaware SFs are attached to SFFs. Because the SFs cannot recognize SRv6 packets, the SFFs must decapsulate SRv6 packets and deliver the original packets from the user network to the SFs. After the SFs process the original packets, they forward the packets back to the SFFs. The SFFs determine whether to continue forwarding the packets in the SRv6 service chain network. If the SFFs continue forwarding the packets in the SRv6 service chain network, they reencapsulate the packets with SRv6 headers based on the manually configured SID list.

This mode supports dualhoming protection and bypass protection.

End.AS SIDs are used by an SRv6 service chain to forward packets in static proxy mode. An End.AS SID identifies an SF. The functions of an End.AS SID are as follows:

·     For packets delivered from an SFF to an SF, the SFF performs the following operations:

a.     Decapsulates the packets.

b.     Forwards the packets out of the interface associated with the End.AS SID.

·     For packets delivered from an SF to an SFF, the SFF reencapsulates the packets according to one of the following configurations:

¡     The End.AS SID configuration associated with the input interface of the packets.

¡     The End.AS SID configuration associated with the input interface and inbound VLANs of the packets.

Traffic forwarding process

As shown in Figure 2, packets pass through an SRv6 service chain in static proxy mode as follows in an IPv4 L3VPN over SRv6-TE network:

1.     After the SC (source node) receives IPv4 packets from the user network, it steers the packets to an SRv6 TE policy. Then, the SC adds an SRH and outer IPv6 header to the packets according to the SRv6 TE policy. The destination address of the SRv6 packets is the End.AS SID of the SFF. The SRH includes path information in the SRv6 TE policy and the End.DT4 SID of the tail node.

2.     When the SFF receives the SRv6 packets, it looks up the local SID forwarding table and finds that the destination address of the packets is the local End.AS SID. Then, the SFF records the SL value in the packets and performs the following operations:

a.     Removes the outer IPv6 header and SRH from the packets.

b.     Forwards the original packets to the SF through the specified output interface.

3.     After the SF processes the packets, it forwards the packets back to the SFF.

4.     The SFF searches for SID list configuration based on the input interface of the packets or the input interface and inbound VLANs of the packets. Then, the SFF performs the following operations:

a.     Reencapsulates the packets as SRv6 packets according to the configured SID list. The SID list in the SRH must be the same as the path in the SRv6 TE policy on the source node (SC). In addition, the SL value in the SRH decreases by 1 based on the SL value recorded in step 2. The destination address of the SRv6 packets is the SID next to the local End.AS SID, which is the End SID of Device C.

b.     Looks up the IPv6 routing table for a route that can reach the destination IPv6 address in the packets and forwards the packets.

5.     When Device C receives the packets, it looks up the local SID forwarding table and finds that the destination address is the local End SID. Then, Device C processes the packets as follows:

a.     Replaces the destination address with D1 (End SID of the tail node).

b.     Decreases the SL value by 1.

c.     Looks up the IPv6 routing table to forward the packets.

6.     After the tail node receives the packets, it looks up the local SID forwarding table and finds that the destination address is D1 (the local End SID). Then, the tail node performs the following operations:

a.     Replaces the destination address with D2 (End.DT4 SID of the tail node) and decreases the SL value by 1. The SL value changes to 0.

b.     Executes the function of the End.DT4 SID, which decapsulates the SRv6 packets and forwards the original packets to the public network or the destination VPN instance.

Figure 2 SRv6 service chain traffic forwarding in static proxy mode

 

High availability

High availability for SRv6 service chains in static proxy mode

As shown in Figure 3, when the SF is unreachable, the SFF discards the packets that should be forwarded to the SF. These packets cannot bypass the SF to reach Device C.

For high availability, the SFF supports dualhoming protection and bypass protection.

·     Dualhoming protection—An SF is dualhomed to two SFFs, one SFF is the primary SFF and the other is the backup SFF. When the primary SFF cannot reach the SF, it forwards service traffic to the backup SFF.

·     Bypass protection—When an SF fails, packets can bypass the SF to reach the next hop.

Figure 3 Packet forwarding failure caused by unreachable SF

 

SRv6 service chain traffic forwarding with dualhoming protection

As shown in Figure 4, the SF is dualhomed to SFF 1 and SFF 2. Bypass protection is not configured.

For high availability, perform the following tasks on both SFF 1 and SFF 2:

·     Specify the End SID of one SFF as the backup peer SID of the other SFF.

·     Use the same locator to allocate the primary and backup End.AS SIDs.

·     Configure the same primary and backup End.AS SIDs.

As shown in Figure 4, dualhoming protection acts as follows in packet forwarding:

1.     When SFF 1 detects that it cannot reach the SF, it removes the outer IPv6 header and SRH from packets.

2.     SFF 1 searches the local configuration and reencapsulates an SRH and IPv6 header to the packets. In the SRH, the SID list includes the backup End.AS SID (X2) and the End SID of SFF 2 (C). In the IPv6 header, the destination address is C.

3.     SFF 1 looks up the routing table to forward the packets to the backup SFF, SFF 2.

4.     When the packets reach SFF 2, SFF 2 detects whether it can reach the SF.

¡     If SFF 2 can reach the SF, it forwards the packets to the SF as in a standard SRv6 service chain traffic forwarding process in static proxy mode.

¡     If SFF 2 cannot reach the SF, it discards the packets.

Figure 4 SRv6 service chain traffic forwarding with dualhoming protection in static proxy mode

 

SRv6 service chain traffic forwarding with bypass protection

As shown in Figure 5, in the SRv6 service chain network, SF 1 has a bypass protection node, which is SF 2. SF 1 is single-homed to SFF 1 and the bypass protection node SF 2 is single-homed to SFF 2.

To implement bypass protection, enable bypass protection and specify a bypass End.AS SID on SFF 1.

With a bypass End.AS SID specified, bypass protection acts as follows in packet forwarding:

1.     When SFF 1 detects that it cannot reach SF 1, it removes the outer IPv6 header and SRH from packets.

2.     SFF 1 searches the local configuration and reencapsulates an IPv6 header to the packets. In the IPv6 header, the destination address is C.

3.     SFF 1 looks up the routing table to forward the packets to SFF 2.

4.     After SFF 2 receives the packets, it forwards the packets as in a standard SRv6 service chain traffic forwarding process in static proxy mode.

Without a bypass End.AS SID specified, SFF 1 skips the End.AS SID of SF 1 when it cannot reach SF 1. The SFF uses the End SID of Device D as the next hop destination address. The packets are forwarded to the tail node according to the SRH.

Figure 5 SRv6 service chain traffic forwarding with bypass protection

 

SRv6 service chain traffic forwarding with dualhoming and bypass protection

As shown in Figure 6, in the SRv6 service chain network, SF 1 has a bypass protection node, which is SF 2. SF 1 is dualhomed to SFF 1 and SFF 2 and the bypass protection node SF 2 is single-homed to SFF 3. Dualhoming protection takes precedence over bypass protection. When dualhoming protection is not available or fails, bypass protection applies.

To implement dualhoming protection and bypass protection, perform the following tasks on the SFFs:

·     On SFF 1 and SFF 2, specify the End SID of one SFF as the backup peer SID of the other SFF.

·     On SFF 1 and SFF 2, use the same locator to allocate the primary and backup End.AS SIDs.

·     On SFF 1 and SFF 2, configure the same primary and backup End.AS SIDs.

·     On SFF 1 and SFF 2, enable bypass and specify a bypass End.AS SID.

As shown in Figure 6, dualhoming protection and bypass protection act as follows in packet forwarding:

1.     SFF 1 forwards packets according to whether it can reach SF 1.

¡     If SFF 1 can reach SF 1, it processes the packets as in a standard SRv6 service chain traffic forwarding process in static proxy mode.

¡     If SFF 1 cannot reach SF 1, it removes the outer IPv6 header and SRH from the packets. Then, SFF 1 reencapsulates an SRH and IPv6 header to the packets according to the local configuration. In the SRH, the SID list contains the backup End.AS SID (X2) and the End SID of SFF 2 (C). In the IPv6 header, the destination address is C. Finally, SFF 1 looks up the routing table to forward the packets to SFF 2.

2.     When SFF 2 receives the packets, it processes the packets according to whether it can reach SF 1.

¡     If SFF 2 can reach SF 1, it forwards the packets as in a standard SRv6 service chain traffic forwarding process in static proxy mode.

¡     If SFF 2 cannot reach SF 1, it starts the bypass protection forwarding process. SFF 2 removes the outer IPv6 header and SRH from the packets. According to the local configuration, SFF 2 reencapsulates an SRH and IPv6 header to the packets. In the SRH, the SID list only contains the bypass End.AS SID (D). In the IPv6 header, the destination address is D. Then, SFF 2 looks up the routing table to forward the packets to SFF 3.

3.     When SFF 3 receives the packets, it processes the packets according to whether it can reach the bypass protection node SF 2.

¡     If SFF 3 can reach SF 2, it processes the packets as in a standard SRv6 service chain traffic forwarding process in static proxy mode.

¡     If SFF 3 cannot reach SF 2, it discards the packets.

Figure 6 SRv6 service chain traffic forwarding with dualhoming and bypass protection
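
The protection behaviour described for Figures 3 through 6, written out as a decision function so that each configuration can be checked for states in which traffic is forwarded although no SF processed it. This is an added example, not H3C code. The class and function names are hypothetical, and combining dualhoming with bypass protection that has no bypass End.AS SID is an assumption, because the page describes that case only for a single-homed SF.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Protection:
    dualhoming: bool = False   # backup peer SID and backup End.AS SID configured
    bypass: bool = False       # bypass protection enabled
    bypass_sid: bool = False   # a bypass End.AS SID is specified

def resolve(prot, primary_ok, backup_ok=False, bypass_sf_ok=False):
    """Fate of a packet whose active SID is the End.AS SID on the primary SFF.

    primary_ok   -- the primary SFF can reach the SF
    backup_ok    -- the backup SFF can reach the same SF
    bypass_sf_ok -- the SFF owning the bypass End.AS SID can reach the bypass SF
    Returns (action, processed_by); processed_by is None when no SF saw the packet.
    """
    if primary_ok:
        return ("forwarded", "SF via primary SFF")
    if prot.dualhoming and backup_ok:            # dualhoming takes precedence
        return ("forwarded", "SF via backup SFF")
    if prot.bypass and prot.bypass_sid:          # hand over to the bypass SF
        if bypass_sf_ok:
            return ("forwarded", "bypass SF")
        return ("discarded", None)
    if prot.bypass:                              # End.AS SID skipped, SRH followed
        # Assumption: also applies when dualhoming is configured and has failed.
        return ("forwarded", None)
    return ("discarded", None)                   # Figure 3 / Figure 4 behaviour

def fails_open(prot):
    """True if some reachability state forwards traffic that no SF processed."""
    return any(resolve(prot, *state) == ("forwarded", None)
               for state in product([True, False], repeat=3))

if __name__ == "__main__":
    for prot in (Protection(), Protection(dualhoming=True),
                 Protection(bypass=True, bypass_sid=True),
                 Protection(bypass=True),
                 Protection(dualhoming=True, bypass=True, bypass_sid=True)):
        print(prot, "fails open:", fails_open(prot))
```

When the SF is a firewall or IPS, only the configuration with bypass protection enabled and no bypass End.AS SID reports that it fails open. Every other configuration either delivers the packet to an SF or discards it.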

 

Masquerading mode

About masquerading mode

Use this mode if SRv6-aware SFs are attached to SFFs. Because the SFs can recognize SRv6 packets, the SFFs directly deliver SRv6 packets to the SFs. The SFs process the SRv6 packets without modifying the SRH, and they forward the packets back to the SFFs. Then, the SFFs process the packets according to the standard SRv6 traffic forwarding process. This mode supports IPv4, IPv6, and Ethernet inner packets and does not support dualhoming protection or bypass protection.

End.AM SIDs are used by an SRv6 service chain to forward packets in masquerading mode. An End.AM SID identifies an SF. The functions of an End.AM SID are as follows:

·     For packets delivered from an SFF to an SF, the SFF performs the following operations:

a.     Replaces the destination IP address of the packets with the first SID value in the SRH (SRH[0]).

b.     Forwards the packets out of the interface associated with the End.AM SID.

·     For packets delivered from an SF to an SFF, the SFF performs the following operations:

a.     Restores the destination IP address of the packets to the SID pointed to by the SL field in the SRH.

b.     Forwards the packets according to the standard SRv6 traffic forwarding process.

Traffic forwarding process

As shown in Figure 7, packets pass through an SRv6 service chain in masquerading mode as follows in an IPv4 L3VPN over SRv6-TE network:

1.     After the SC (source node) receives IPv4 packets from the user network, it steers the packets to an SRv6 TE policy. Then, the SC adds an SRH and outer IPv6 header to the packets according to the SRv6 TE policy. The destination address of the SRv6 packets is the End.AM SID of the SFF. The SRH includes path information in the SRv6 TE policy and the End.DT4 SID of the tail node.

2.     When the SFF receives the SRv6 packets, it looks up the local SID forwarding table and finds that the destination address of the packets is the local End.AM SID. Then, the SFF performs the following operations:

a.     Replaces the destination IP address of the SRv6 packets with the last SID in the SID list of the SRH. The last SID is the End.DT4 SID of the tail node.

b.     Decreases the SL value by 1.

c.     Forwards the packets from the output interface bound to the End.AM SID to the SF.

3.     The SF processes the packets without modifying the SRv6 packet headers and forwards the packets back to the SFF.

4.     The packets return to the SFF. If an End.AM SID is bound to the input interface or both the input interface and VLAN of the packets, the SFF replaces the destination address of the SRv6 packets according to the SL value in the SRH. The SL value is 2, so the SFF replaces the destination address of the SRv6 packets with C (the next SID of the local End.AM SID, which is the End SID of Device C). The SFF looks up the IPv6 routing table to forward the packets according to the destination IPv6 address.

5.     When Device C receives the packets, it looks up the local SID forwarding table and finds that the packet destination address is the local End SID. Then, Device C forwards the packets according to the standard SRv6 traffic forwarding process as follows:

a.     Replaces the packet destination address with D1 (the End SID of the tail node).

b.     Decreases the SL value by 1.

c.     Looks up the IPv6 routing table to forward the packets.

6.     When the tail node receives the packets, it looks up the local SID forwarding table and finds that packet destination address D1 is the local End SID. Then, the tail node replaces the destination address with D2 (the End.DT4 SID of the tail node) and decreases the SL value by 1. The SL value changes to 0. Finally, the tail node executes the function of the End.DT4 SID as follows:

a.     Decapsulates the SRv6 packets.

b.     Forwards the original packets to the matching VPN instance or to the public network.

Figure 7 SRv6 service chain traffic forwarding in masquerading mode
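
The two forwarding walkthroughs (static proxy, Figure 2, and masquerading, Figure 7) traced as outer destination address and SL value per hop. This is an added example, not H3C code. The labels AS and AM are placeholders for the SFF's End.AS and End.AM SIDs, and the four-SID path is the one implied by the SL values stated in the steps.

```python
from dataclasses import dataclass

# Constructed SID labels: the page names C, D1 and D2; "AS" and "AM" are
# placeholders for the SFF's End.AS / End.AM SID.
PATH_AS = ["AS", "C", "D1", "D2"]
PATH_AM = ["AM", "C", "D1", "D2"]

@dataclass
class Pkt:
    da: str      # outer IPv6 destination address
    sl: int      # Segments Left
    srh: list    # segment list in SRH order: srh[0] is the LAST SID of the path

def sc_encap(path):
    """SC: add SRH and outer IPv6 header; DA is the first SID of the path."""
    return Pkt(da=path[0], sl=len(path) - 1, srh=path[::-1])

def end(pkt):
    """Standard End behaviour: decrement SL, copy SRH[SL] into the DA."""
    return Pkt(da=pkt.srh[pkt.sl - 1], sl=pkt.sl - 1, srh=pkt.srh)

class StaticProxySFF:
    """End.AS: strip the SRv6 headers for the SF, rebuild them from local config."""
    def __init__(self, configured_path):
        self.configured_path = configured_path   # manually configured SID list
        self.recorded_sl = None

    def to_sf(self, pkt):
        self.recorded_sl = pkt.sl                # step 2: record SL before decap
        return "original IPv4 packet"            # the SF never sees the SRH

    def from_sf(self):
        srh = self.configured_path[::-1]
        sl = self.recorded_sl - 1                # step 4a: recorded SL minus 1
        return Pkt(da=srh[sl], sl=sl, srh=srh)

def am_to_sf(pkt):
    """End.AM towards the SF: SL -= 1, masquerade the DA as SRH[0]."""
    return Pkt(da=pkt.srh[0], sl=pkt.sl - 1, srh=pkt.srh)

def am_from_sf(pkt):
    """End.AM from the SF: restore the DA to the SID that SL points to."""
    return Pkt(da=pkt.srh[pkt.sl], sl=pkt.sl, srh=pkt.srh)

def walk_static(configured_path=PATH_AS):
    """configured_path is the SFF's local SID list; it must equal the SC's path."""
    sff = StaticProxySFF(configured_path)
    hops = [sc_encap(PATH_AS)]                   # SC -> SFF
    sff.to_sf(hops[0])                           # SFF -> SF (no SRv6 header)
    hops.append(sff.from_sf())                   # SFF -> Device C
    hops.append(end(hops[-1]))                   # Device C -> tail node
    hops.append(end(hops[-1]))                   # tail node, before End.DT4
    return [(p.da, p.sl) for p in hops]

def walk_masquerading():
    hops = [sc_encap(PATH_AM)]                   # SC -> SFF
    hops.append(am_to_sf(hops[-1]))              # SFF -> SF (SRH intact)
    hops.append(am_from_sf(hops[-1]))            # SF -> SFF, DA restored
    hops.append(end(hops[-1]))                   # Device C -> tail node
    hops.append(end(hops[-1]))                   # tail node, before End.DT4
    return [(p.da, p.sl) for p in hops]
```

Passing a different configured_path to walk_static shows why the SFF's SID list must match the SC's SRv6 TE policy: in static proxy mode the SFF rebuilds the header from local configuration and the recorded SL alone, whereas in masquerading mode it restores the destination address from the SRH that the SF returns.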

 

Typical network applications

As shown in Figure 8, both enterprise and home user services in the metropolitan area network (MAN) converge to the OLTs, then to the aggregation layer devices of the MAN. The controller flexibly orchestrates traffic forwarding paths based on the service requirements, and these paths are deployed to the aggregation devices, acting as SCs. The SCs classify various services and forward the traffic according to the service requirements. In the MAN, the SFC device forwards the service traffic to the corresponding application service nodes in sequence based on the carried End.AS/End.AM SID. For example, the enterprise private line traffic needs to pass through the SFC to the FW and vBRAS for processing, before being forwarded to the backbone network CR device. The home user traffic needs to pass through the SFC to the vBRAS and CGN for processing, before being forwarded to the backbone network CR device.

Figure 8 Deploying SRv6 SFC in a MAN

 

Related documentation

Service Programming with Segment Routing: IETF Draft on SPRING-SR-Service-Programming-05.
