Identification of network measurement challenges in OpenFlow-based service chaining

Software-defined networking and Network Function Virtualization (NFV) have simplified the coordination efforts for “service chaining.” Consequently, network services such as firewall, load balancing, etc. may be service chained in the forwarding (data) plane for specific applications and/or traffic. A specific case is for the firewall rules that depend on deep packet inspection for application identification. If a particular application is identified and is “safe,” would it be worthwhile to program the data plane to bypass the FW for the duration of the application session? For such a traffic-steering case, we report measurement challenges on various setups and the related cost analysis based on the network delay. Measurements of the network and processing delay have been performed with virtualized resources, on GENI testbed, and with isolated hardware units. Experiences are also reported on how a commercial firewall virtual appliance has been deployed on the GENI testbed for experimentation. The results illustrate the measurement uncertainties and challenges for DPI-based traffic steering in virtualized environments. In addition, we show that such a service chaining may increase throughput and relieve DPI-based processing overhead on firewall units.