US010097452B2

(12) United States Patent
Lefebvre et al.

(10) Patent No.: US 10,097,452 B2
(45) Date of Patent: Oct. 9, 2018

(54) CHAINING OF INLINE SERVICES USING SOFTWARE DEFINED NETWORKING

(75) Inventors: Geoffrey Lefebvre, Montreal (CA); Erik Rubow, San Jose, CA (US); Ravi Manghirmalani, San Jose, CA (US)

(73) Assignee: Telefonaktiebolaget LM Ericsson (publ), Stockholm (SE)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 684 days.

(21) Appl. No.: 13/556,456

(22) Filed: Jul. 24, 2012

(65) Prior Publication Data
US 2013/0272305 A1, Oct. 17, 2013

Related U.S. Application Data
(60) Provisional application No. 61/624,823, filed on Apr. 16, 2012.

(51) Int. Cl.
H04L 12/721 (2013.01)
H04L 12/851 (2013.01)
H04L 12/725 (2013.01)

(52) U.S. Cl.
CPC: H04L 45/38 (2013.01); H04L 45/302 (2013.01); H04L 45/306 (2013.01); H04L 47/24 (2013.01)

(58) Field of Classification Search
CPC: H04L 12/56; H04L 12/5689-12/5692; H04L 12/5695-12/5696; H04L 47/24-47/2491; H04L 63/1408-63/1425; H04L 63/306
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
7,860,100 B2 12/2010 Khalid et al.
8,170,038 B2 5/2012 Belanger et al.
8,284,664 B1* 10/2012 Aybay et al. 370/235
2005/0289244 A1 12/2005 Sahu et al.
2009/0259810 A1 10/2009 Baden et al.
2010/0290485 A1 11/2010 Martini et al.
2010/0303083 A1* 12/2010 Belanger et al. 370/401
2011/0055845 A1 3/2011 Nandagopal et al.
2012/0163180 A1* 6/2012 Goel 370/238
2012/0281540 A1* 11/2012 Khan et al. 370/241

FOREIGN PATENT DOCUMENTS
EP 1387553 A1 2/2004
EP 2226970 A1 9/2010
WO 2012/047885 A1 4/2012

OTHER PUBLICATIONS
International Search Report for PCT/IB2013/053017 dated Sep. 30, 2013; 4 pages.
OpenFlow 1.1 in Hardware: "I was wrong (again)"; Apr. 29, 2011; 3 pages.
"A 100 Gig OpenFlow 1.1 Switch"; PowerPoint slide downloaded from the Internet on Apr. 16, 2013; 1 page.
Li, Erran et al.: Mosaic: Policy Homomorphic Network Extension; May 13, 2010; 15 pages.

* cited by examiner

Primary Examiner — Eric A Myers
(74) Attorney, Agent, or Firm — Ericsson Inc.

(57) ABSTRACT

A system and method for steering traffic through a set of services is provided. A service path or chain is assigned to a received packet based on a classification of the packet. A position and/or a direction of the traffic in the service path can be determined based on the previous service performed on the traffic. A next destination for the traffic can be assigned in accordance with the assigned service chain and determined position and direction information.

24 Claims, 9 Drawing Sheets

[Representative drawing: FIG. 1, the service network bounded by routers R1 and R2, with the Internet and an internal network behind R2; legend: transit port, upstream facing port, downstream facing port.]

Ex. 1005
Juniper Networks, Inc. / Page 1 of 20

[FIG. 1 (Sheet 1 of 9): block diagram of the service network. Routers R1 and R2 bound the network, user equipment sits behind R1, and the internal network and the Internet sit behind R2. Legend: transit port, upstream facing port, downstream facing port.]

[FIG. 2 (Sheet 2 of 9): flow chart of the exemplary data path. Legible steps: set direction; microflow table 212; subscriber table 216, with drop 218 on a miss and set service set 220 on a match; application table 222 with a modify service set step 228; next destination table 230; forward packet 232.]

[FIG. 3 (Sheet 3 of 9): configuration data example 300. A subscriber table (subscriber, IP address, services down, services up) with example subscribers Bob at 1.2.3.4/32 and Joe at 1.2.3.5/32; a service table (service, down-facing MAC, up-facing MAC) for S1 to S4; a router table (router, type upstream or downstream, MAC) for R1 and R2; an application table (application, IP address, protocol/port, up, down) that includes an internal network 3.2.1.0/24; a global service order per direction (up, down); and a perimeter switch table (perimeter switch, port, MAC).]

[FIG. 4a (Sheet 4 of 9): direction table 410, keyed on ingress port, whose action sets dir = up or dir = down. FIG. 4b: MAC table 420, keyed on destination MAC address, whose actions have the form "set smac = <switch port MAC>; output on port N", one entry per service interface.]

[FIG. 4c (Sheet 5 of 9): subscriber table 430 with columns direction, IP address and action; each entry sets serv_set to the subscriber's default services for that direction (for example serv_set = {S1,S3} for 1.2.3.4/32 downstream). FIG. 4d: application table 440 with columns direction, IP address, protocol, port and action; entries remove services from the set (for example serv_set -= {S3}). FIG. 4e: path status table 450 keyed on ingress port; entries remove the services already applied to the packet (for example serv_set -= {S2}, serv_set -= {S2,S3}, serv_set -= {S1,S2,S3}).]

[FIG. 4f (Sheet 6 of 9): next destination table 460 with columns direction, service set and action; each entry rewrites the destination MAC address to that of the next service or router for the given direction and remaining service set.]

[FIG. 5 (Sheet 7 of 9): flow chart: receive a packet; classify the packet and assign a service chain in accordance with the classification; determine a position of the packet on the assigned service chain; forward the packet to a next service on the service chain in accordance with the determined position.]

[FIG. 6 (Sheet 8 of 9): flow chart: receive a packet; determine a direction the packet is heading; associate the packet with a service set; determine a position of the packet on the service set (630); select a next service on the service set (640); assign a new destination to the packet in accordance with the selected next service (650); forward the packet to the new destination (660).]

[FIG. 7 (Sheet 9 of 9): block diagram of an example switch 700 comprising a processor and ports.]

CHAINING OF INLINE SERVICES USING SOFTWARE DEFINED NETWORKING

This application claims the benefit of priority to previously filed U.S. Provisional Patent Application No. 61/624,823 entitled "CHAINING OF INLINE SERVICES USING SOFTWARE DEFINED NETWORKING" and filed on Apr. 16, 2012, the contents of which are incorporated herein by reference.

TECHNICAL FIELD

This invention relates generally to systems and methods for steering traffic through a chain of inline services using Software Defined Networking.

BACKGROUND

Mobile and fixed network operators use various types of middleboxes or inline services to inspect and alter network traffic transiting through their network. These middleboxes, which will be referred to as services in this document, are transparent to the end users and provide functionality such as transparent caching, virus scanning, and deep packet inspection. These services are usually packaged and sold as dedicated appliances (either physical or virtual) and are often expensive.

Operators are facing a sharp increase in traffic demand and continue looking at new ways to monetize their network. Due to the high cost of service appliances, operators want to avoid matching the capacity of these services with this growth. Operators would rather have the ability to selectively direct traffic to a specific set of services instead of forcing all traffic through every service. This ability would allow an operator to steer video traffic, which is a source of the recent traffic explosion, away from expensive services such as deep packet inspection, thus reducing the need for investing in new service appliances.

The ability to steer particular classes of traffic through predefined sets of services can also be used to enable new streams of revenue for operators. An operator could offer services such as virus scanning or content filtering to customers who elect to pay for such services.

A service chain, or path, is an ordered set of services. Traffic steering is the action of classifying traffic and directing the different classes of traffic through specific service chains. Three broad classes of solutions are used today to implement some form of traffic steering and service chaining.

The first approach is to integrate the services as part of an extensible router or gateway. An operator can add new services by adding additional service cards to its router or gateway.

The second approach is to configure one or more static service chains where each service is configured to send traffic to the next service in its chain. A router using Policy Based Routing (PBR) classifies the incoming traffic and forwards it to services at the head of each chain based on the result of the classification.

A third approach is to use a router using PBR, and for each service to be configured, to return traffic back to the router after processing it. The router classifies traffic after each service hop and forwards it to the appropriate service based on the result of the classification.

All three classes of solutions have drawbacks. The first approach does not support the integration of existing third party service appliances. This solution is proprietary and service vendors must port their applications to the software and hardware configuration supported by the router or gateway. This solution potentially suffers from a scalability issue as the number of services and the aggregated bandwidth is limited by the router's capacity.

The second approach does not support the definition of policies in a centralized manner and instead requires that each service be configured to classify and steer traffic to the appropriate next service. This approach requires a large amount of service specific configuration and can be error prone. The second approach also lacks flexibility as it does not support the steering of traffic on a per-subscriber basis and limits the different service chains that can be configured. Getting around these limitations would require additional configuration on each service to classify and steer traffic and automated ways to push these configurations dynamically as subscribers connect to the network.

The third approach also suffers from scalability issues as traffic is forced through the router after every service. The router must be able to handle N times the incoming traffic line rate to support a chain with N-1 services.

Therefore, it would be desirable to provide a system and method that obviate or mitigate the above described problems.

SUMMARY

It is an object of the present invention to obviate or mitigate at least one disadvantage of the prior art.

In a first aspect of the present invention, there is provided a method for steering packet traffic, comprising receiving a packet and determining a direction the received packet is traveling. The received packet is associated with a service set and a position of the packet on the associated service set is determined. A next service on the associated service set is selected in accordance with the determined direction and position of the packet. A new destination is assigned to the packet in accordance with the selected next service.

In an embodiment of the first aspect of the present invention, the direction the received packet is traveling can be determined in accordance with an ingress port the packet was received on. The direction can be determined to be upstream or downstream.

In another embodiment, the step of associating the received packet with the service set can include assigning an ordered list of services to be applied to the received packet. Optionally, the received packet can be associated with the service set in accordance with the determined direction and a first header field of the packet. The first header field can be selected from a group consisting of a source address, a destination address, a source port, a destination port and a protocol.

In another embodiment, the step of associating the received packet with the service set can include assigning a default service set to the received packet in accordance with an address associated with a subscriber. The address associated with the subscriber can be selected from a source address or a destination address of the received packet, in accordance with the determined direction. Optionally, the default service set can be modified in accordance with a second header field of the received packet. The second header field can be selected from a group consisting of a source address, a destination address, a source port, a destination port and a protocol.

In another embodiment, the position of the packet on the associated service set can be determined in accordance with an ingress port the packet was received on.
`
`

`

Optionally, the method can include the step of modifying the associated service set in accordance with the determined direction and position of the packet, to remove services already applied to the received packet.

In another embodiment, the step of assigning a new destination to the packet can include rewriting a destination address of the packet. The method can optionally include the step of forwarding the packet to the assigned new destination. The step of forwarding can include selecting a port associated with the assigned new destination address, and transmitting the packet on the selected port.

In a second aspect of the present invention, there is provided a switch comprising a plurality of ports operatively connected to a processor. Each of the plurality of ports is for receiving and transmitting packets. The processor is for associating a packet received on a first port with a service set, for detecting a position of the received packet on the associated service set, for determining a next service on the associated service set in accordance with the detected position, for selecting a second port from the plurality of ports and for transmitting the packet to the determined next service on the selected second port.

In an embodiment of the second aspect of the present invention, the selected second port can be associated with the determined next service. Optionally, the plurality of ports can include an upstream-facing port for receiving packets traveling downstream from a service node and for transmitting packets travelling upstream to the service node, and a downstream-facing port for receiving packets traveling upstream from the service node and for transmitting packets travelling downstream to the service node.

In another embodiment, the processor can determine the direction the received packet is traveling in accordance with the first port. Optionally, the processor can associate the received packet with the service set in accordance with the determined direction and a first header field of the received packet.

In another embodiment, the processor can assign a default service set to the received packet in accordance with an address associated with a subscriber. The address associated with the subscriber can be one of a source address or a destination address of the received packet. Optionally, the processor can modify the default service set in accordance with a second header field of the received packet.

In another embodiment, the processor can determine the position of the received packet on the associated service set in accordance with the first port.

In another embodiment, the processor can assign a new destination to the received packet in accordance with the determined next service.

In another embodiment, the switch can further comprise a transit port for receiving a packet with no associated direction. The processor can forward the packet with no associated direction solely in accordance with its destination address.

Other aspects and features of the present invention will become apparent to those ordinarily skilled in the art upon review of the following description of specific embodiments of the invention in conjunction with the accompanying figures.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present invention will now be described, by way of example only, with reference to the attached Figures, wherein:

FIG. 1 is a block diagram of an embodiment of a Service Network;
FIG. 2 is a flow chart of an exemplary data path method;
FIG. 3 is a configuration data example;
FIG. 4a is an exemplary direction table;
FIG. 4b is an exemplary MAC table;
FIG. 4c is an exemplary subscriber table;
FIG. 4d is an exemplary application table;
FIG. 4e is an exemplary path status table;
FIG. 4f is an exemplary next destination table;
FIG. 5 is a flow chart illustrating an embodiment of the present invention;
FIG. 6 is a flow chart illustrating another embodiment of the present invention; and
FIG. 7 is a block diagram of an example switch.

DETAILED DESCRIPTION

The present invention is directed to a system and method for steering traffic through a set of services.

Reference may be made below to specific elements, numbered in accordance with the attached figures. The discussion below should be taken to be exemplary in nature, and not as limiting of the scope of the present invention. The scope of the present invention is defined in the claims, and should not be considered as limited by the implementation details described below, which as one skilled in the art will appreciate, can be modified by replacing elements with equivalent functional elements.

Some embodiments of the present disclosure will be discussed as using the OpenFlow protocol, but could be implemented with other types of Software Defined Networking (SDN). OpenFlow is a communications protocol that gives access to the forwarding plane of a network switch or router over the network. OpenFlow 1.1 supports multiple tables and a metadata field to exchange information between tables. The present disclosure takes advantage of these features to reduce the number of rules by avoiding cross-products that occur when flattening multi-step classifications.

In a service network, an operator is able to define service policies that specify traffic classes and the chain of services that each class must traverse. These policies are translated by the controller into rules that are programmed on the switches in the service network. These rules steer the network traffic through the ordered chain of services as specified by the policies.

Embodiments of the present invention provide flexibility as they support the integration of existing and third party services with no modifications. Service instances can be located and chained in an arbitrary fashion by the operator, and each service instance can be part of multiple service chains. The ability to steer traffic at the granularity of subscribers and traffic types is also provided.

The approach as discussed herein provides scalability in three distinct manners. First, it reduces the number of rules required to be stored in a switch by avoiding rule cross-product and, instead, using multiple tables combined with metadata to communicate information between tables. Second, the load is distributed across a network of switches instead of using a single, centralized router or load balancer, while still maintaining central control. Third, expensive forwarding operations such as classification and header rewriting are pushed to the perimeter of the service network, which can be beneficial in many ways. These operations need to be performed only once between services, regardless of the number of switch hops between them.
`
`

`

Additionally, the need for aggregated throughput is often less at the perimeter of the network where the traffic has been distributed onto a plurality of switches. The present invention, combined with the use of virtual appliances running on commodity servers, enables pushing all expensive operations onto the software switch running on the virtual machine monitor.

A forwarding plane can be designed that uses multiple tables to reduce the total number of rules needed to support a given set of service policies.

An encoding of the service path in a metadata field can be designed that supports a large number of service chains and supports multiple instances per service. The encoding can be flexible and allow each service to be scaled independently.

A network organization can be provided so that expensive operations such as classification and header rewriting only need to be done once between services, regardless of the number of switch hops between them.

The traffic steering mechanism as described herein makes the following assumptions about the configuration of the network and the type of traffic that traverses it. 1) Every service is connected to a switch using two ports. Similar to routers and bridges, inline services are by definition traversed by traffic so this is a natural requirement. The services need to have a clear notion of upstream and downstream traffic and require the use of two ports. 2) The Service Network is bounded by a single gateway on each end. A single router connects the access network to the Service Network and a single router connects the Service Network to the Internet. 3) All services are addressable at the Ethernet layer. Some services may behave like bridges and may violate this assumption. 4) All traffic going through the Service Network is subscriber traffic. 5) Terminating services such as Internet Protocol Security (IPSec) gateways and Content Delivery Network (CDN) servers, which are communication endpoints, are located on a separate subnet connected to one of the gateway nodes.

Referring now to FIG. 1, an example service network 100 comprises perimeter switches PS1 102, PS2 104, and PS3 106 at the perimeter of the network, and an inner switch SW1 108 at the interior of the network. Perimeter switches 102, 104, 106 can be implemented with OpenFlow switches, while the inner switch 108 can be implemented with either an OpenFlow switch or a plain Ethernet switch. Services (such as service nodes S1 109, S2 110, S3 112, S4 114) and routers (such as R1 116, R2 118) are all connected to the perimeter of the service network 100. The entire steering network is a single Layer 2 domain. There can be multiple instances of a service, and each service instance has two communication interfaces connected to the service network 100 (potentially on different switches), one for each traffic direction. Service instances with more than two interfaces are also supported by the proposed traffic steering mechanism.

Perimeter switches 102, 104, 106 can have two types of input/output ports: node ports and transit ports. Services and routers are connected to node ports. Transit ports connect to other perimeter switches or to inner switches. In the exemplary service network 100, each perimeter switch 102, 104, 106 has at least one upstream facing node port, at least one downstream facing node port and at least one transit port. Each service node S1 109, S2 110, S3 112, and S4 114 is connected to a perimeter switch. Perimeter switches 102, 104, 106 are connected via inner switch 108.

Inner switches, such as 108, solely consist of transit ports and simply forward traffic based on their destination Media Access Control (MAC) address. These switches could therefore be implemented with plain Ethernet switches. Optionally, there can be advantages to using OpenFlow switches in the inner service network 100 to enable features such as multi-path support.

Incoming traffic, either coming in from a gateway node (such as routers R1 116 and R2 118), or coming back from a service, always enters the service network 100 via a perimeter switch and through a node port. Packets arriving through node ports are processed and steered towards the next node (which can be a service or a gateway) in their assigned service paths. Packets arriving on transit ports are simply forwarded using their destination MAC address.

Router 116 can connect the service network 100 to user equipment 120 and 122. Router 118 can connect the service network 100 to an internal network 124 and/or the Internet 126.

At a high level, traffic steering can be described as a two-step process. The first step classifies incoming packets and assigns them a service path based on predefined policies. The second step forwards packets to a "next" service based on their current position along their assigned service path. This two-step traffic steering process only needs to be performed once between any two nodes (service or router), regardless of the number of switches between them, when a packet arrives on a node port.

The traffic steering process described herein supports three types of service policies: subscriber-based policies, application-based policies, and flow-based policies. These policies can be specified by the operator and pushed to the relevant switches by a centralized controller (not shown in FIG. 1).

Subscriber-based policies are policies that are defined on a per subscriber basis. These policies specify the IP address of the subscriber and the set of services that each particular subscriber's traffic should traverse.

An application represents an end-user Internet application such as Youtube™, a type of traffic such as Hypertext Transfer Protocol (HTTP), or a combination of both. These types of policies are defined either in terms of an IP address block and/or a User Datagram Protocol (UDP)/Transmission Control Protocol (TCP) port. They are specified on a per application basis and apply to all subscribers. Application-based policies refine subscriber-based policies by adding or removing services from the set of services specified in the subscriber-based policies.

Flow-based policies are policies specific to a single flow or IP 5-tuple (i.e. source IP address, destination IP address, protocol, source port, destination port). They are used to dynamically override subscriber and application policies for specific flows. The forwarding rules derived from these policies can be pushed dynamically by the controller, even mid-flow, effectively re-steering a flow towards a different set of services.

Additionally, service ordering policies can be supported. Service ordering policies are different than the three types of service policies described above. They do not specify a mapping between traffic and services but instead specify the relative ordering between services for each traffic direction (upstream and downstream). The controller can transform these relative orderings into a global ordering and can use this ordering to convert the sets of services specified in the service policies into ordered service chains.

The datapath that implements the steering mechanism of embodiments of the present invention involves a number of table lookups. Forwarding decisions can be made based on the Layer 2-Layer 4 contents of a packet, as well as the ingress port that the packet was received on.
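The controller step described two paragraphs above, as an added example in Python (not code from the patent): the operator's relative ordering policies for one direction are turned into a global order by topological sort, contradictory policies are rejected instead of being compiled into a chain that loops, the service sets produced by subscriber and application policies are converted into ordered chains, and the same order yields what a path status entry of FIG. 4e must subtract for a packet returning from each service. The (before, after) constraint format, the function names and the sample orderings and policy sets are assumptions made for the illustration.

```python
"""Controller side: relative service ordering policies -> global order -> ordered chains.
Added example, not code from the patent. The (before, after) constraint format, the
function names and the sample orderings and policy sets are assumptions made for this
illustration; the service names follow FIG. 1."""
from collections import defaultdict

def global_order(services, constraints):
    """Topologically sort `services` under `constraints`, a list of (a, b) pairs meaning
    'a is applied before b' in one traffic direction. Ties between unconstrained services
    are broken by name so every switch is programmed with the same order. Raises
    ValueError for a constraint naming an unknown service and for contradictory (cyclic)
    ordering policies, which must be rejected rather than turned into a looping chain."""
    known = set(services)
    successors, indegree = defaultdict(set), {s: 0 for s in services}
    for a, b in constraints:
        if a not in known or b not in known:
            raise ValueError(f"constraint {(a, b)} names an unknown service")
        if b not in successors[a]:
            successors[a].add(b)
            indegree[b] += 1
    ready = sorted(s for s in services if indegree[s] == 0)
    order = []
    while ready:
        s = ready.pop(0)
        order.append(s)
        for t in successors[s]:
            indegree[t] -= 1
            if indegree[t] == 0:
                ready.append(t)
        ready.sort()
    if len(order) != len(known):
        stuck = sorted(s for s in known if indegree[s] > 0)
        raise ValueError(f"ordering policies are cyclic among {stuck}")
    return order

def is_consistent(services, constraints):
    """True when the ordering policies admit a global order."""
    try:
        global_order(services, constraints)
        return True
    except ValueError:
        return False

def service_chain(order, serv_set):
    """Turn an unordered service set (the result of subscriber, application or flow
    policies) into the ordered chain for the direction that `order` belongs to."""
    missing = set(serv_set) - set(order)
    if missing:
        raise ValueError(f"no ordering policy covers {sorted(missing)}")
    return [s for s in order if s in serv_set]

def path_status_entries(order):
    """What a FIG. 4e path status entry must subtract when a packet comes back from a
    given service: that service and every service before it in the global order."""
    return {s: set(order[: i + 1]) for i, s in enumerate(order)}

def compile_direction(services, constraints, policy_sets):
    """Compile one direction: (global order, {policy name: chain}, path status entries)."""
    order = global_order(services, constraints)
    chains = {name: service_chain(order, sset) for name, sset in policy_sets.items()}
    return order, chains, path_status_entries(order)

# Constructed sample: upstream S1 < S2 < S3 < S4; the downstream order is declared
# separately and need not be the mirror image of the upstream one.
SERVICES = ["S1", "S2", "S3", "S4"]
UP_CONSTRAINTS = [("S1", "S2"), ("S2", "S3"), ("S3", "S4")]
DOWN_CONSTRAINTS = [("S2", "S3"), ("S3", "S4"), ("S4", "S1")]
POLICY_SETS = {"Bob": {"S1", "S3"}, "Joe": {"S2", "S3"}, "Bob+video": {"S1", "S2"}}

if __name__ == "__main__":
    for label, cons in (("up", UP_CONSTRAINTS), ("down", DOWN_CONSTRAINTS)):
        print(label, compile_direction(SERVICES, cons, POLICY_SETS)[:2])
    print(is_consistent(SERVICES, [("S1", "S2"), ("S2", "S1")]))
```

Breaking ties by name is a deliberate choice: the ordering policies only constrain some pairs, and two switches that resolved the unconstrained pairs differently would disagree on which service is "next", so the controller must fix one order before it programs any table.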
`
`

`

In one implementation, a single Ternary Content Addressable Memory (TCAM) like table could be used to specify the required functionality, as in policy-based routing. However, this would not be a scalable solution as it would involve the cross-product of subscribers, applications, and ports in the same table. Using packet direction and multiple tables, this can be separated into multiple steps, resulting in a linear scaling of each table. There are multiple ways to separate the functionality across tables. Some tables may be combined when it does not introduce scalability problems.

Intermediate results from one table can be communicated to other tables using metadata, which can be used as part of a subsequent lookup key or be further modified. One important piece of metadata is the direction of traffic. All packets traversing a service network are considered to be traveling either upstream or downstream. Each node port in the steering network is either facing upstream or facing downstream. Referring back to FIG. 1, an example of perimeter switches 102, 104, 106 with both downstream-facing ports

If there is no exact match in the microflow table 212, the next table to be consulted is the subscriber table 216. The subscriber table 216 is used to get a subscriber's default service set for the current direction. The key for this table is the direction bit together with the subscriber's IP address. The subscriber's IP address comes from one of either the source or destination IP address fields, depending on the direction of the packet. For example, if the direction of the packet is "upstream", the subscriber's IP address is determined to be the source IP address of the packet. This table can be a longest-prefix match (LPM) lookup table. If there is a miss in the subscriber table 216, the default action is to drop the packet in step 218. If there is a match in the subscriber table 216, the service set metadata is set with the subscriber's default services in 220.

Following the subscriber table 216 is the application table 222. In this context, "application" refers to the remote communication endpoint, as identified by the IP address and/or protocol and/or port number. It is used to modify the
`
`and upstream-facing ports are shown. All packets that arrive
`
`subscriber’s default service set according to any static Layer
`
`on a downstream-facing port are traveling upstream, and
`
`3-Layer 4 application policies. Similar to as described for
`
`vice versa. Packets arriving on transit ports may be traveling
`
`the subscriber table 216, the application IP address can be
`
`in either direction. Their directi
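The lookup sequence described above (direction bit derived from the ingress port, subscriber table 216 as an LPM lookup with drop on miss, application table 222 adjusting the service set) and the controller's conversion of relative service orderings into ordered chains, as an added Python model. This is illustration written for this page, not the patent's own code or Ericsson's implementation: the port roles, table entries, service names and addresses are constructed; the topological sort used to build the global ordering is one way to do what the text describes, not a method the patent states; and because the text on how a transit-port packet's direction is learned is cut off above, the model assumes that direction arrives as metadata.

```python
import ipaddress
from collections import deque

# Port roles on one perimeter switch (constructed); transit ports carry both directions.
PORT_ROLE = {1: "downstream-node", 2: "upstream-node", 3: "transit"}

# Subscriber table 216: (direction, subscriber prefix) -> default service set, LPM.
SUBSCRIBER_TABLE = [
    ("upstream",   ipaddress.ip_network("10.0.0.0/8"),  {"firewall"}),
    ("upstream",   ipaddress.ip_network("10.1.0.0/16"), {"firewall", "dpi"}),
    ("downstream", ipaddress.ip_network("10.0.0.0/8"),  {"firewall", "cache"}),
]

# Application table 222: (direction, remote prefix, proto, remote port, add, remove); None = wildcard.
APPLICATION_TABLE = [
    ("upstream", ipaddress.ip_network("203.0.113.0/24"), "tcp", 443, {"video-opt"}, set()),
    ("upstream", None, "udp", 53, set(), {"dpi"}),
]

# Service ordering policies: relative (before, after) pairs per direction (constructed).
ORDERING_POLICIES = {"upstream": [("firewall", "dpi"), ("dpi", "video-opt")],
                     "downstream": [("cache", "firewall")]}

MICROFLOW_TABLE = {}  # microflow table 212: exact-match cache of decisions already taken


def direction_of(ingress_port, metadata_direction=None):
    """Downstream-facing node port -> packet travels upstream, and vice versa.
    Transit-port packets are assumed to carry their direction as metadata."""
    role = PORT_ROLE[ingress_port]
    if role == "downstream-node":
        return "upstream"
    if role == "upstream-node":
        return "downstream"
    if metadata_direction not in ("upstream", "downstream"):
        raise ValueError("transit-port packet without direction metadata")
    return metadata_direction


def subscriber_lookup(direction, pkt):
    """LPM on (direction bit, subscriber IP): source IP upstream, destination IP
    downstream. Returns a copy of the default service set, or None on a miss."""
    addr = ipaddress.ip_address(pkt["src"] if direction == "upstream" else pkt["dst"])
    best = None
    for d, prefix, services in SUBSCRIBER_TABLE:
        if d == direction and addr in prefix:
            if best is None or prefix.prefixlen > best[0].prefixlen:
                best = (prefix, services)
    return set(best[1]) if best else None


def application_lookup(direction, pkt, services):
    """Modify the service set for the remote endpoint (IP and/or protocol and/or
    port); the remote side is dst/dport upstream and src/sport downstream."""
    up = direction == "upstream"
    remote = ipaddress.ip_address(pkt["dst"] if up else pkt["src"])
    rport = pkt["dport"] if up else pkt["sport"]
    for d, prefix, proto, port, add, remove in APPLICATION_TABLE:
        if d != direction or (prefix is not None and remote not in prefix):
            continue
        if (proto is not None and proto != pkt["proto"]) or (port is not None and port != rport):
            continue
        services = (services | add) - remove
    return services


def global_ordering(direction):
    """Controller side: merge the relative pairs for one direction into a global
    order with a topological sort (Kahn); a contradictory policy is rejected."""
    pairs = ORDERING_POLICIES[direction]
    nodes = {s for pair in pairs for s in pair}
    indeg = dict.fromkeys(nodes, 0)
    succ = {n: [] for n in nodes}
    for a, b in pairs:
        succ[a].append(b)
        indeg[b] += 1
    ready = deque(sorted(n for n in nodes if indeg[n] == 0))
    order = []
    while ready:
        n = ready.popleft()
        order.append(n)
        for m in succ[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
    if len(order) != len(nodes):
        raise ValueError("cyclic service ordering policy for " + direction)
    return order


def to_chain(services, order):
    """Unordered service set -> ordered chain; unconstrained services go last, alphabetically."""
    rank = {s: i for i, s in enumerate(order)}
    return sorted(services, key=lambda s: (rank.get(s, len(rank)), s))


def steer(pkt, ingress_port, metadata_direction=None):
    """Datapath: direction -> microflow -> subscriber -> application -> ordered chain.
    Returns ("drop", None) or ("forward", [service, ...])."""
    direction = direction_of(ingress_port, metadata_direction)
    key = (direction, pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])
    if key in MICROFLOW_TABLE:                  # exact match: skip the slow path
        return MICROFLOW_TABLE[key]
    services = subscriber_lookup(direction, pkt)
    if services is None:                        # unknown subscriber: drop (step 218)
        return ("drop", None)
    services = application_lookup(direction, pkt, services)
    result = ("forward", to_chain(services, global_ordering(direction)))
    MICROFLOW_TABLE[key] = result               # populate the microflow table
    return result
```

Two points worth noticing when running it: a packet whose subscriber address matches no prefix for its direction is dropped rather than forwarded with an empty chain, which is the safe default the text specifies for a steering network that fronts subscriber traffic; and the per-direction subscriber and application tables each scale with their own key space, so adding a subscriber or an application policy adds one entry to one table instead of multiplying entries in a single TCAM.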
