n this paper we consider the use of IPv6 Segment Routing (SRv6) for Service Function Chaining(SFC) in an NFV infrastructure. We first analyze the issues of deploying Virtual Network Functions (VNFs) based on SR-unaware applications, which require the introduction of SR proxies in the NFV infrastructure, leading to high complexity in the configuration and in the packet processing. Then we consider the advantages of SR-aware applications, focusing on a firewall application. We present the design and implementation of the SERA (SEgment Routing Aware) firewall, which extends the Linux iptables firewall. In its basic mode the SERA firewall works like the legacy iptables firewall (it can reuse an identical set of rules), but with the great advantage that it can operate on the SR encapsulated packets with no need of an SR proxy. Moreover we define an advanced mode, in which the SERA firewall can inspect all the fields of an SR encapsulated packet and can perform SR-specific actions. In the advanced mode the SERA firewall can fully exploit the features of the IPv6 Segment Routing network programming model. A performance evaluation of the SERA firewall is discussed, based on its result a further optimized prototype has been implemented and evaluated.
Abdelsalam, A., Salsano, S., Clad, F., Camarillo, P., Filsfils, C. (2018). SERA: SEgment Routing Aware Firewall for Service Function Chaining scenarios. In 2018 IFIP NETWORKING CONFERENCE (IFIP NETWORKING) AND WORKSHOPS (pp.46-54). IEEE [10.23919/IFIPNetworking.2018.8697021].
SERA: SEgment Routing Aware Firewall for Service Function Chaining scenarios
Salsano S.;
2018-01-01
Abstract
n this paper we consider the use of IPv6 Segment Routing (SRv6) for Service Function Chaining(SFC) in an NFV infrastructure. We first analyze the issues of deploying Virtual Network Functions (VNFs) based on SR-unaware applications, which require the introduction of SR proxies in the NFV infrastructure, leading to high complexity in the configuration and in the packet processing. Then we consider the advantages of SR-aware applications, focusing on a firewall application. We present the design and implementation of the SERA (SEgment Routing Aware) firewall, which extends the Linux iptables firewall. In its basic mode the SERA firewall works like the legacy iptables firewall (it can reuse an identical set of rules), but with the great advantage that it can operate on the SR encapsulated packets with no need of an SR proxy. Moreover we define an advanced mode, in which the SERA firewall can inspect all the fields of an SR encapsulated packet and can perform SR-specific actions. In the advanced mode the SERA firewall can fully exploit the features of the IPv6 Segment Routing network programming model. A performance evaluation of the SERA firewall is discussed, based on its result a further optimized prototype has been implemented and evaluated.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
