The previous Sangfor Cloud Security Pool (CSP) used policy-based routing to implement service function chaining (SFC), but that approach has some limitations: it cannot work without help from a router, and it is not flexible enough to do some field matches. The new CSP uses OVS DPDK and NSH to implement service function chaining, which fixes the aforementioned limitations and brings the following benefits to our solution: 1) it supports standard NSH (IETF RFC 8300) and does not need an NSH proxy, so VNFs can be NSH-unaware; 2) it reduces unnecessary NSH decap and encap to improve performance; 3) OVS DPDK improves performance; 4) flexible field matching to steer the traffic; 5) coverage of various user scenarios.
In the presentation, we will first introduce the previous CSP and policy-based routing. Next is the new CSP with SFC: we will introduce the whole solution, including how we use OVS DPDK, NSH and ONOS. Then comes our design of SFC, how we utilize NSH, and some important problems we have solved in ONOS, OVS and NSH. Finally, we will present some results showing how the new CSP is better than the previous one. We may also show a short video on how to use the new CSP if time permits.