[SFC-115] SF and SFF "dictionary" mismatch not validated or checked, misconfiguration allowed
Created: 14/Oct/15  Updated: 25/May/18  Resolved: 25/May/18

Status: Verified
Project: sfc
Component/s: General
Affects Version/s: unspecified
Fix Version/s: None

Type: Bug
Reporter: Keith Burns
Assignee: Keith Burns
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


External issue ID: 4471
Priority: Normal

 Description   

SF:
{
  "service-functions": {
    "service-function": [
      {
        "name": "firewall-72",
        "ip-mgmt-address": "192.168.50.72",
        "type": "service-function-type:firewall",
        "nsh-aware": true,
        "sf-data-plane-locator": [
          { "name": "2", "port": 6633, "ip": "192.168.50.72", "transport": "service-locator:vxlan-gpe", "service-function-forwarder": "SFF1" }
        ]
      },
      {
        "name": "dpi-74",
        "ip-mgmt-address": "192.168.50.74",
        "type": "service-function-type:dpi",
        "nsh-aware": true,
        "sf-data-plane-locator": [
          { "name": "3", "port": 6633, "ip": "192.168.50.74", "transport": "service-locator:vxlan-gpe", "service-function-forwarder": "SFF1" }
        ]
      }
    ]
  }
}

SFF:
{
  "service-function-forwarders": {
    "service-function-forwarder": [
      {
        "name": "SFF1",
        "service-node": "OVSDB2",
        "service-function-forwarder-ovs:ovs-bridge": { "bridge-name": "sw2" },
        "service-function-dictionary": [
          {
            "name": "firewall-72",
            "type": "service-function-type:firewall",
            "sff-sf-data-plane-locator": { "port": 6633, "ip": "192.168.50.71", "transport": "service-locator:vxlan-gpe" }
          }
        ],
        "sff-data-plane-locator": [
          {
            "name": "sfc-tun2",
            "data-plane-locator": { "transport": "service-locator:vxlan-gpe", "port": 6633, "ip": "192.168.50.71" },
            "service-function-forwarder-ovs:ovs-options": { "remote-ip": "flow", "dst-port": "6633", "key": "flow", "nsp": "flow", "nsi": "flow", "nshc1": "flow", "nshc2": "flow", "nshc3": "flow", "nshc4": "flow" }
          }
        ]
      },
      {
        "name": "SFF2",
        "service-node": "OVSDB2",
        "service-function-forwarder-ovs:ovs-bridge": { "bridge-name": "sw4" },
        "service-function-dictionary": [
          {
            "name": "dpi-74",
            "type": "service-function-type:dpi",
            "sff-sf-data-plane-locator": { "port": 6633, "ip": "192.168.50.73", "transport": "service-locator:vxlan-gpe" }
          }
        ],
        "sff-data-plane-locator": [
          {
            "name": "sfc-tun4",
            "data-plane-locator": { "transport": "service-locator:vxlan-gpe", "port": 6633, "ip": "192.168.50.73" },
            "service-function-forwarder-ovs:ovs-options": { "remote-ip": "flow", "dst-port": "6633", "key": "flow", "nsp": "flow", "nsi": "flow", "nshc1": "flow", "nshc2": "flow", "nshc3": "flow", "nshc4": "flow" }
          }
        ]
      }
    ]
  }
}

SFC:
{
  "service-function-chains": {
    "service-function-chain": [
      {
        "name": "SFCGBP",
        "symmetric": false,
        "sfc-service-function": [
          { "name": "firewall-abstract1", "type": "service-function-type:firewall" },
          { "name": "dpi-abstract1", "type": "service-function-type:dpi" }
        ]
      }
    ]
  }
}

SFP:
{
  "service-function-paths": {
    "service-function-path": [
      { "name": "SFCGBP-Path", "service-chain-name": "SFCGBP", "starting-index": 255, "symmetric": false }
    ]
  }
}

RSP:
{
  "input": { "name": "SFCGBP-Path-RSP", "parent-service-function-path": "SFCGBP-Path", "symmetric": false }
}

RSP goes into OPER and SFCOFL2 gets notification:
{
  "rendered-service-paths": {
    "rendered-service-path": [
      {
        "name": "SFCGBP-Path-RSP",
        "parent-service-function-path": "SFCGBP-Path",
        "rendered-service-path-hop": [
          { "hop-number": 0, "service-index": 255, "service-function-forwarder-locator": "sfc-tun2", "service-function-name": "firewall-72", "service-function-forwarder": "SFF1" },
          { "hop-number": 1, "service-index": 254, "service-function-forwarder-locator": "sfc-tun2", "service-function-name": "dpi-74", "service-function-forwarder": "SFF1" }
        ],
        "service-chain-name": "SFCGBP",
        "path-id": 36,
        "starting-index": 255,
        "transport-type": "service-locator:vxlan-gpe"
      }
    ]
  }
}

RESULT:

Partial config, SFF1 creates flows for SF1 but not SF2, SFF2 does nothing. Error in log.

Suggested fix: remove all individual references in:

  • SF model to SFF
  • SFF model to SF

SF model can have multiple DPLs as can SFF.

This should be kept in a separate map, where it can be configured as SF-DPL <-> SFF-DPL relationship or it can be discovered.

This can also be validated to ensure that transport/DPL type between SF and SFF matches. service-function-mapping.yang doesn't appear in use anywhere, so I'd like to modify it for this purpose.
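
A check of the kind this report asks for, as an added example that is not part of the original report or of the sfc code base: it cross-checks each SF locator's SFF reference against that SFF's service-function-dictionary and compares transports. The sample data is trimmed from the SF and SFF documents above; `find_mismatches` and the issue labels are hypothetical names.

```python
# Added example (not sfc project code): cross-check SF -> SFF references
# against each SFF's service-function-dictionary, pre-fix model.
# SFS/SFFS are trimmed from the report; find_mismatches is a hypothetical name.
VXLAN_GPE = "service-locator:vxlan-gpe"
SFS = [
    {"name": "firewall-72", "sf-data-plane-locator": [
        {"name": "2", "transport": VXLAN_GPE, "service-function-forwarder": "SFF1"}]},
    {"name": "dpi-74", "sf-data-plane-locator": [
        {"name": "3", "transport": VXLAN_GPE, "service-function-forwarder": "SFF1"}]},
]
SFFS = [
    {"name": "SFF1", "service-function-dictionary": [
        {"name": "firewall-72", "sff-sf-data-plane-locator": {"transport": VXLAN_GPE}}]},
    {"name": "SFF2", "service-function-dictionary": [
        {"name": "dpi-74", "sff-sf-data-plane-locator": {"transport": VXLAN_GPE}}]},
]


def find_mismatches(sfs, sffs):
    """Return sorted (kind, sf_name, sff_name) tuples, one per inconsistency."""
    # SFF name -> {SF name -> dictionary locator}
    dicts = {f["name"]: {e["name"]: e.get("sff-sf-data-plane-locator", {})
                         for e in f.get("service-function-dictionary", [])}
             for f in sffs}
    issues, referenced = set(), set()
    for sf in sfs:
        for dpl in sf.get("sf-data-plane-locator", []):
            sff = dpl.get("service-function-forwarder") or "<unset>"
            referenced.add((sf["name"], sff))
            if sff not in dicts:
                issues.add(("unknown-sff", sf["name"], sff))
            elif sf["name"] not in dicts[sff]:
                issues.add(("sf-not-in-sff-dictionary", sf["name"], sff))
            elif dicts[sff][sf["name"]].get("transport") != dpl.get("transport"):
                issues.add(("transport-mismatch", sf["name"], sff))
    # Reverse direction: dictionary entries that no SF locator points back to.
    for sff, entries in dicts.items():
        for sf_name in entries:
            if (sf_name, sff) not in referenced:
                issues.add(("sff-entry-not-referenced-by-sf", sf_name, sff))
    return sorted(issues)


if __name__ == "__main__":
    for issue in find_mismatches(SFS, SFFS):
        print(*issue)
```

On the report's data this flags dpi-74 pointing at SFF1 while only SFF2 lists it in its dictionary.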



 Comments   
Comment by Brady Johnson [ 10/Feb/16 ]

I submit this patch (merged Dec 1, 2015) to address the problem:

https://git.opendaylight.org/gerrit/#/c/29303/

Comment by Brady Johnson [ 11/Feb/16 ]

This has been improved with the patch provided, but validation is still not performed. Moving this to Boron.

Comment by Brady Johnson [ 25/May/18 ]

This was fixed in Lithium. The SFF.service-function-dictionary.sff-sf-data-plane-locator now has only 2 fields: sf-dpl-name and sff-dpl-name, as follows. As such, the SF DPL info is no longer duplicated.

{
  "service-function-forwarders": {
    "service-function-forwarder": [
      {
        "name": "sff1",
        "service-function-forwarder-ovs:ovs-bridge": {
          "bridge-name": "br-int"
        },
        "sff-data-plane-locator": [
          {
            "name": "vxgpe",
            "data-plane-locator": {
              "ip": "192.168.86.36",
              "port": 6633,
              "transport": "service-locator:vxlan-gpe"
            },
            "service-function-forwarder-ovs:ovs-options": {
              "key": "flow",
              "dst-port": "6633",
              "remote-ip": "flow",
              "exts" : "gpe"
            }
          }
        ],
        "service-function-dictionary": [
          {
            "name": "sf1",
            "sff-sf-data-plane-locator": {
              "sf-dpl-name": "sff1",
              "sff-dpl-name": "vxgpe"
            }
          }
        ]
      }
    ]
  }
}

 

Generated at Wed Feb 07 20:38:40 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.