
SFC

Updated on Apr 12, 2024

What Is SFC?

Service Function Chaining (SFC) plays a crucial role in efficiently managing traffic flow within an NFV network. Apart from traditional network switching equipment within data center networks, supplementary Value-Added Service (VAS) devices like firewalls, load balancers, and intrusion prevention systems (IPS) are strategically positioned to bolster network security and optimize service allocation. Leveraging SFC enables tailored network path configurations to accommodate diverse service traffic needs while concurrently mitigating deployment and maintenance expenses associated with data center networks.

Origin of SFC

In traditional network setups, Value-Added Service (VAS) devices like firewalls, load balancers, and IPS devices are closely integrated with the network's topology and hardware. These devices entail dedicated and intricate deployment processes. Any expansion or alteration in network capacity necessitates a reevaluation and reconfiguration of the network's topology, resulting in escalated deployment and maintenance costs.

However, with the advent of Network Functions Virtualization (NFV) technology, network functions undergo a significant decoupling from hardware. This decoupling facilitates the separation of forwarding and control planes, thereby enhancing the adaptability and flexibility of network control, particularly within data center environments. Within an NFV network, Service Function Chaining (SFC) assumes a critical role in directing traffic to execute network services in a predetermined sequence. Should any service adjustments be necessary, updating the SFC sequence suffices, eliminating the need to modify the network configuration. Consequently, network services can be provisioned with agility.

SFC Architecture

In an SFC architecture, network devices assume distinct roles based on their functionalities. These roles within SFC encompass:

  • Service classifier (SC): Positioned at the entry point of an SFC domain, the SC undertakes the crucial task of packet classification upon ingress into the domain. It assigns service identifiers to packets and encapsulates them with service packet headers.

  • Service function (SF): SFs encompass devices that deliver value-added services, such as firewalls and load balancers. Depending on their awareness of Network Service Header (NSH) encapsulation, SFs are categorized into NSH-aware and NSH-unaware SFs. NSH-aware SFs possess the capability to identify and process NSH packets, whereas NSH-unaware SFs lack this capability and consequently discard such packets.

  • Service function forwarder (SFF): SFFs establish connections with SFs, extract service flow information, and subsequently forward packets based on the identified SF service flow information.

  • SFC Proxy: Situated between an SFF and an NSH-unaware SF linked with the SFF, the SFC proxy assumes the responsibility of modifying packet NSH encapsulation information as required. This involves either deleting or adding NSH encapsulation details to packets exchanged with the NSH-unaware SF.


SFC Implementation

Service Function Chaining (SFC) can utilize NSH encapsulation as a method of implementation. In this approach, NSH headers are appended to packets, dictating their forwarding sequence within the SFC based on the information contained within the NSH headers. This NSH encapsulation facilitates communication among nodes along the Service Function Path (SFP), thereby enabling users to dynamically and flexibly process data.


The following outlines how Service Function Chaining (SFC) is implemented within a VXLAN network. Packets traverse SF1 (firewall) and SF2 (load balancer) in a specific sequence, and SF2 cannot recognize NSH packets.

Initially, the SC classifies incoming user traffic and channels it to the Service Function Path (SFP). The SC then consults the NSH forwarding table using the Service Path Identifier (SPI) or Service Index (SI) carried in the NSH that is added to the packet. The next hop is the VTEP IP address of SFF1, and the outbound interface is a VXLAN tunnel. After stripping the Ethernet (ETH) header from the user packet, the SC encapsulates it with NSH, ETH, and VXLAN headers. The SC looks up the routing table using the destination IP address in the VXLAN header to obtain the outbound interface.

Upon reception of the encapsulated packet, SFF1 eliminates the VXLAN and ETH headers, probing the NSH forwarding table using the SPI or SI within the NSH. The following hop is the interface IP address of SF1. SFF1 then crafts a new ETH header grounded on the ARP information obtained from this IP address.

When the encapsulated packet comes back from SF1, SFF1 removes the ETH header and consults the NSH forwarding table using the SPI or SI within the NSH. The next hop is the VTEP IP address of SFF2. SFF1 then encapsulates the packet with NSH, ETH, and VXLAN headers.

Upon reception of the encapsulated packet, SFF2 eliminates the VXLAN and ETH headers, querying the NSH forwarding table using the SPI or SI within the NSH. The next hop is the interface IP address of the Proxy. SFF2 subsequently fashions a new ETH header based on the ARP information derived from this IP address.

Upon receipt of the packet, the Proxy strips the outer encapsulation, analyzes the packet, and decrements the SI by 1. The Proxy then removes the NSH from the packet and forwards it to SF2. Any packet returning from SF2 is directed to the Proxy, which encapsulates it with NSH and ETH headers before forwarding it to SFF2.

Upon reception of the encapsulated packet, SFF2 verifies whether the SI corresponds to the SI of the previous hop. If affirmative, SFF2 eliminates the NSH, encapsulates the packet with an ETH header, and forwards it out of the SFC domain. If negative, SFF2 explores the NSH forwarding table to persist in forwarding the packet within the SFC domain.
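The walkthrough above can be followed in code. This is an added example, not code from the original page or from any vendor: it builds and parses the 8-byte NSH (field layout per RFC 8300, MD Type 2 with no metadata), decrements the SI as an NSH-aware SF or the proxy would, and makes the SFF drop malformed headers and any SPI/SI pair it has no entry for. The SPI value 100, the initial SI of 255 and the table entries are constructed for illustration, and the table is keyed on SPI and SI together.

```python
import struct

NSH_NEXT_IPV4 = 0x01            # Next Protocol: inner packet is IPv4
MD_TYPE_2, HDR_WORDS = 0x2, 2   # MD Type 2, no metadata: 8-byte header

# Constructed forwarding table for this walkthrough: (SPI, SI) -> action.
NSH_TABLE = {
    (100, 255): "SFF1 -> SF1 (firewall)",
    (100, 254): "SFF2 -> Proxy -> SF2 (load balancer)",
    (100, 253): "SFF2: strip NSH, leave SFC domain",
}

def build_nsh(spi, si, inner, ttl=63):
    """SC side: prepend base header and service path header to the packet."""
    if not (0 <= spi < 1 << 24 and 0 <= si <= 255 and 0 <= ttl <= 63):
        raise ValueError("SPI is 24 bits, SI is 8 bits, TTL is 6 bits")
    base = (ttl << 22) | (HDR_WORDS << 16) | (MD_TYPE_2 << 8) | NSH_NEXT_IPV4
    return struct.pack("!II", base, (spi << 8) | si) + inner

def parse_nsh(packet):
    """Return (spi, si, inner); raise ValueError on a malformed header."""
    if len(packet) < 8:
        raise ValueError("truncated NSH")
    base, path = struct.unpack("!II", packet[:8])
    version, words = base >> 30, (base >> 16) & 0x3F
    if version != 0 or words < 2 or words * 4 > len(packet):
        raise ValueError("bad NSH version or length")
    return path >> 8, path & 0xFF, packet[words * 4:]

def sff_forward(packet, table=NSH_TABLE):
    """SFF side: look up (SPI, SI); anything unknown or malformed is dropped."""
    try:
        spi, si, _ = parse_nsh(packet)
    except ValueError as exc:
        return f"drop: {exc}"
    return table.get((spi, si), "drop: no entry for this SPI/SI")

def service_done(packet):
    """NSH-aware SF or SFC proxy after service: decrement SI (last header byte)."""
    _, si, _ = parse_nsh(packet)
    if si == 0:
        raise ValueError("SI already 0, packet must not continue")
    return packet[:7] + bytes([si - 1]) + packet[8:]
```

Dropping on a failed lookup is what keeps a packet with a forged or stale SPI/SI from skipping the firewall hop or looping inside the SFC domain.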


SFC Application

In a data center network, the server leaf nodes typically serve as Service Classifiers (SCs), while Value-Added Service (VAS) nodes operate as Service Functions (SFs). Border leaf nodes and service leaf nodes, on the other hand, act as Service Function Forwarders (SFFs).

For east-west traffic—communication between servers of varying security levels—flexible routing through SFs (such as SF1 and SF2) can be established based on security requirements. This approach ensures topology-independent, adaptable, efficient, and secure service processing within the network.

Regarding north-south traffic—the exchange of data between the data center network and external networks—ensuring security is paramount. External access traffic can be dynamically directed to an SF (e.g., SF4) as per the defined Service Function Chain (SFC). This allows for the implementation of essential functions like address translation and security filtering, safeguarding both internal and external networks.


 
