In key security use cases for service chaining, certain traffic can be cloned (or mirrored). Examples of such use cases include:
A DDoS behavioral detector needs to perform analytics on cloned traffic to detect a DDoS attack and signal the DOTS server in the DDoS mitigation service provider network to mitigate the attack.
Snort in intrusion detection system (IDS) mode needs to process cloned traffic to detect attacks and generate alerts.
In the sandboxing technique used by Cisco AMP and FireEye to detect APT threats, traffic is cloned to multiple virtual machines (with different OS versions, browsers, etc.) to detect whether any of the VMs gets infected.
DDoS behavioral detection, Snort, sandboxing, etc. can be performed by different service functions in an SFC domain. SFC needs a mechanism to steer cloned traffic to be processed by multiple service functions in the service function path.
At the same time, SFC currently has no concept of cloned or mirrored traffic, and no mechanism to steer such cloned traffic and correlate it.