Packet-based data networks continue to grow in importance, and it is often desirable to process network traffic associated with these packet-based networks through a series of packet processing devices. Each of these packet processing devices can be configured to provide similar or different packet processing, and the series of packet processing devices is often called a service chain. One environment that uses service chain packet processing is packet-based voice networks, such as cellular telephone networks that communicate voice and data information in part through network communication systems, such as the Internet.
FIG. 1 (Prior Art) is a block diagram of an example embodiment 100 for service chain processing of network packets as they travel to and from an end point device 104 with respect to a communication network 114, such as the Internet, through a number of service chain devices 106, 108, 110, and 112. The network packets can be communicated within one or more packet flows, as indicated by packet flows 102. For the example embodiment 100, packets are processed by four different packet processing devices within a service chain including service chain devices 106, 108, 110, and 112. Each of the service chain devices 106, 108, 110, and 112 represents one or more devices configured to process the network packets. As one example, this service chain can represent packets being processed by a telephone communications network, as indicated above. Example service chain devices include network firewall devices, intrusion detection system (IDS) devices, load balancers, encryption offload processors, packet caches, and other packet processing devices.
Certain network communication systems include virtualized processing environments, such as virtual machines (VMs) operating within a virtualization layer hosted by one or more processing devices. For example, network cloud resources made available to network-connected systems are often virtualized such that processing devices associated with a server processing platform (e.g., server blade) and/or combinations of such server processing platforms are used to provide processing instances or virtual machines within cloud server processing systems. A virtual machine (VM) is an emulation of a processing system that is created within software being executed on a VM host hardware system. By creating and operating VMs within a VM host hardware system, the processing resources of that VM host hardware system can often be more efficiently utilized.
FIG. 2 (Prior Art) is a block diagram of an example embodiment 200 of service chain devices within a virtual processing environment. A virtual machine (VM) server 202 includes virtual machines (VMs) 104 and 106 that operate within a virtualization layer formed by hypervisor 204 operating on an operating system (OS) 206 which in turn is operating on computer hardware 208. The VM 104 is configured to operate as an end point device, and VM 106 is configured to operate as a first service chain device. Similarly, a virtual machine (VM) server 212 includes virtual machines (VMs) 110 and 112 that operate within a virtualization layer formed by hypervisor 214 operating on an operating system (OS) 216 which in turn is operating on computer hardware 218. The VM 110 is configured to operate as a third service chain device, and VM 112 is configured to operate as a fourth service chain device. A second service chain device 108 is configured as a stand-alone processing device separate from the VM servers 202 and 212. Further, the VM server 202, the VM server 212, and the second service chain device 108 are configured to communicate network packets through one or more network communication paths 220. The network communication paths 220 can be wired or wireless network communication paths or a combination of wired and wireless communication paths and can include one or more intervening network communication devices.
For the service chain path, packets sent or received by end point VM 104 with respect to a communication network 114, such as the Internet, are communicated through service chain devices 106, 108, 110, and 112. For example, a transmit packet from end point VM 104 is first communicated to the first service chain VM 106, as represented by dashed arrow 222. To provide this communication, however, a copy of the packet is communicated from end point VM 104 to the hypervisor 204, and a further copy is then communicated from the hypervisor 204 to the first service chain VM 106. The transmit packet is then communicated from the first service chain VM 106 to the second service chain device 108 and back, as represented by dashed arrows 224 and 226. To provide this communication, a copy of the packet is communicated from the first service chain VM 106 through the hypervisor 204, operating system 206, and computer hardware 208 to the second service chain device 108, and a copy is returned along the same path. The transmit packet is then communicated from the first service chain VM 106 to the third service chain VM 110, as represented by dashed arrow 228. To provide this communication, a copy of the packet is communicated from the first service chain VM 106 through the hypervisor 204, operating system 206, and computer hardware 208 of VM server 202, and then through the computer hardware 218, operating system 216, and hypervisor 214 of VM server 212, to the third service chain VM 110. The transmit packet is then communicated from the third service chain VM 110 to the fourth service chain VM 112, as represented by dashed arrow 230. To provide this communication, a copy of the packet is communicated from the third service chain VM 110 to the hypervisor 214, and a further copy is then communicated from the hypervisor 214 to the fourth service chain VM 112.
A copy of the transmit packet is then communicated from the fourth service chain VM 112 to the communication network 114 through the hypervisor 214, the operating system 216, and the computer hardware 218. A receive packet from communication network 114 to the end point VM 104 will travel through the service chain in the opposite direction.
Thus, a large number of packet copies to and from the hypervisors 204/214 are required to provide the service chain processing within the virtual environment shown with respect to embodiment 200. Further, this copying of packet data typically includes copying packet data into and out of hypervisor memory, into and out of memory for the VMs 104/106/110/112, and/or into and out of memory for the physical NICs of the service chain devices. These copies and communications associated with the hypervisors 204/214 and the VMs 104/106/110/112 create significant problems in service chain processing, because service chain components can apply packet modifications that leave the hypervisors 204/214 unable to determine which service chain components a packet has already visited and which it has not. These packet modifications can include, for example, changing packet data for the network packet, applying network address translation (NAT) to the packet addresses, applying modifications to the packet data based upon DPI (deep packet inspection) based QoS (quality of service) assessments, terminating packet flows, caching packet data, applying WAN (wide area network) acceleration to the packet flows, and/or modifying packets in other ways that potentially interfere with the tracking of packets for service chain processing within a virtual environment.
Because packets are not tagged in embodiment 200 of FIG. 2 (Prior Art) by the various virtual network functions (VNFs) provided by VMs 104, 106, 110, and 112 that process a packet as it traverses the service chain, the hypervisors 204/214 will have difficulty tracking, or be unable to track, the state of the packets. For example, if the same packet travels the same direction across a link between a service chain VM 104/106/110/112 and a hypervisor 204/214 two or more times and the VNFs are transparent, the hypervisor 204/214 will typically be unable to distinguish the position of the packet within the service chain. Further, if the VNFs implemented by the service chain VMs 104/106/110/112 alter the packets or terminate the packet flows, the hypervisors 204/214 will typically be unable to handle these modifications, as they lack information as to how each component alters the packet. Further, the copying of packet data into and out of hypervisor memory, into and out of memory for the VMs 104/106/110/112, and/or into and out of memory for the physical NICs of the service chain devices is time consuming and can add significant system latency. In short, service chain processing is problematic for service chain components that are incorporated as VNFs within a virtual processing environment.
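The position-tracking problem described in this and the preceding paragraph can be made concrete with a small simulation. The following Python model is an added example, not code from the patent or from any product it describes. The three VNFs (a transparent IDS, a source NAT, and a payload-modifying WAN accelerator), the addresses, and the particular untagged inference rule (the hypervisor keeps a per-flow counter keyed on the 5-tuple and treats the counter as the packet's position) are assumptions chosen to illustrate the two failure modes named above: a modifying VNF changes the key, so the packet re-enters the chain and is processed twice by the IDS and NAT; and a byte-identical second packet of the same flow is taken to be the first one returning from the last VNF, so it skips the IDS and NAT entirely. The tagged variant, in which each packet carries its own position, visits each VNF exactly once in both cases.

```python
"""Simplified model of FIG. 2: a hypervisor steers packets between VNFs.

Added example, not the patent's code. VNFs, addresses and the untagged
position-inference rule are assumptions made for illustration only.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes
    sc_pos: Optional[int] = None   # service-chain position tag; None in the untagged model

FlowKey = Tuple[str, str, int, int]
Vnf = Callable[[Packet], Packet]

def flow_key(p: Packet) -> FlowKey:
    return (p.src, p.dst, p.sport, p.dport)

# Hypothetical VNFs standing in for the service chain devices of FIG. 1/2.
def ids(p: Packet) -> Packet:
    return p                                   # transparent: inspects, never modifies

def nat(p: Packet) -> Packet:
    return replace(p, src="203.0.113.10")      # rewrites the source address (assumed NAT pool address)

def wan_accel(p: Packet) -> Packet:
    return replace(p, payload=p.payload[:16])  # modifies the payload, key unchanged

CHAIN: List[Tuple[str, Vnf]] = [("ids", ids), ("nat", nat), ("wan_accel", wan_accel)]

def steer_untagged(chain: List[Tuple[str, Vnf]], packets: List[Packet]) -> List[List[str]]:
    """Prior-art model: the hypervisor infers position from a per-flow counter.

    Returns, for each input packet, the list of VNFs it actually visited.
    """
    position: Dict[FlowKey, int] = {}          # flow key -> index of the next VNF to visit
    paths: List[List[str]] = []
    for p in packets:
        visited: List[str] = []
        for _ in range(2 * len(chain) + 1):    # hop budget so a confused hypervisor cannot loop forever
            idx = position.get(flow_key(p), 0)
            if idx >= len(chain):
                break                          # hypervisor believes the chain is complete: egress
            position[flow_key(p)] = idx + 1
            name, fn = chain[idx]
            visited.append(name)
            p = fn(p)                          # if fn rewrites the key, the flow table no longer matches
        paths.append(visited)
    return paths

def steer_tagged(chain: List[Tuple[str, Vnf]], packets: List[Packet]) -> List[List[str]]:
    """Each packet carries its own position tag, so no per-flow state is needed."""
    paths: List[List[str]] = []
    for p in packets:
        p = replace(p, sc_pos=0)
        visited: List[str] = []
        while p.sc_pos < len(chain):
            name, fn = chain[p.sc_pos]
            visited.append(name)
            p = replace(fn(p), sc_pos=p.sc_pos + 1)   # the tag survives whatever the VNF changed
        paths.append(visited)
    return paths

# Constructed sample: one packet plus a byte-identical copy of it (e.g. a retransmission).
FIRST = Packet("10.0.0.5", "198.51.100.7", 40000, 443, b"A" * 32)
SAMPLE: List[Packet] = [FIRST, FIRST]

if __name__ == "__main__":
    for label, fn in (("untagged", steer_untagged), ("tagged", steer_tagged)):
        for i, path in enumerate(fn(CHAIN, SAMPLE)):
            print(f"{label:9s} packet {i}: {' -> '.join(path)}")
```

In the untagged run the first packet's path is ids, nat, ids, nat, wan_accel, and the second packet's path is wan_accel alone; the tagged run gives ids, nat, wan_accel for both. Any inference rule that relies on packet identity rather than a carried tag fails in one of these two ways once a VNF is transparent or modifies the packet.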