Service Chaining for Hybrid Network Function

This paper has been accepted for publication in a future issue of TCC. This is an author-reserved pre-publication version. The early version is available under the “Early Access” area on IEEEXplore. Content may change prior to final publication. It may be cited as an article in a future issue by its DOI: 10.1109/TCC.2017.2721401

Service Chaining for Hybrid Network Function Huawei Huang, Song Guo, Jinsong Wu, and Jie Li

F

Abstract—In the Service-Function-Chaining (SFC) enabled networks, various sophisticated policy-aware network functions, such as intrusion detection, access control and unified threat management, can be realized in either physical middleboxes or virtualized network function (VNF) appliances. In this paper, we study the service chaining towards the hybrid SFC clouds, where both physical appliances and VNF appliances provide services collaboratively. In such hybrid SFC networks, the challenge is how to efficiently steer the service chains for traffic demands while matching their individual policy chains concurrently such that a utility associated with the total admitted traffic rate and the induced overheads can be maximized. We find such problem has not been well solved so far. To this end, we devise a Markov Approximation (MA) based algorithm. The approximation property of the proposed algorithm is also proved. Extensive evaluation results show that the proposed MA algorithm can yield near-optimal solutions and outperform other benchmark algorithms significantly.

SDN Controller FW

NAT

LB Content

Clients

A policy-chain.

… Controls all switches

Virtual appliances Physical appliances

Client1

NAT1

FW1

NAT2

LB1

0 100 Mb/s

8 2

7

3

Client2 1

6

120 Mb/s 4

Client3 150 Mb/s

200

LB2

5 DPI1

FW2 DPI2

Fig. 1. An illustrative steering in a hybrid SFC network. Index Terms—Service Function Chaining, Network Function, Middlebox, NFV, SDN, Traffic Steering, Markov Approximation. •

1

I NTRODUCTION

Service-Function-Chaining (SFC) [1], [2] provides simplified configuration and management such that the network service providers may flexibly realize a number of policies on security, traffic engineering, access control, Quality of Service (QoS), packet modification, etc. Normally, a composite service policy associates with an ordered list of network Service Functions (SFs) called policy chain in this paper. The examples of network SF could be the traditional network services such as Firewall (FW), Network Address Translator (NAT), Load Balancer (LB), Deep Packet Inspection (DPI), Intrusion Detection System (IDS), as well as the applicationcustomized functions such as HTTP header manipulation [3]. In the current steering models for service functions, the complexity of managing such policy-aware services is significantly high. Therefore, the software-defined networking (SDN) [4], [5] enabled Network Function Virtualization (NFV) techniques [6]–[8] have been introduced to SFC. Although the rapidly-developed NFV has gained much attention in recent years [9]–[13], the following facts should not be ignored: Huawei Huang is a JSPS research fellow and attached to the University of Aizu, Japan. Email: [email protected] Song Guo (corresponding author) is with the Department of Computing, The Hong Kong Polytechnic University. Email: [email protected] Jinsong Wu is with the Universidad de Chile, Chile. Email: [email protected] Jie Li is with the University of Tsukuba, Japan. Email: [email protected]

•

•

•

•

Nearly half of all network elements (including switches, routers and network function appliances) are still the dedicated hardware-based middleboxes [10]. The hardware-based dedicated middleboxes still play a critical role in today’s networks. For example, the ABI Research [14] forecasted that the global enterprise network and data security market was estimated to exceed USD $ 10 billion by 2016. It covers the secure routers, unified threat management appliances, FWs, virtual private networks (VPNs), intrusion detection/prevention systems, and network access control. During the period of 2016-2020, Technavios analysts [15] have forecast a 11.38% CAGR (compound annual growth rate) for the global security appliance market, where the network security appliances include both dedicated physical products and virtual network appliances used to prevent a computer network from cyber attacks. A latest IHS Markit’s market tracker [16] has revealed that the revenue for data center, carrier appliances and virtual security appliances was USD $2.4 billion in 2015, and it is set to increase 62% to USD $3.9 billion by 2020. The corresponding analysis [17] has shown that the emergence of SDN and NFV as dominant network trends is to stipulate enterprise and service providers to seek the virtual appliances and other software solutions. As further analyzed in a most latest ITProPortal report [18], although a number of major network

2

equipment vendors such as Cisco have already announced both support and platforms for NFV, it is unlikely for us to see a massive wholesale transition to NFV in the near future. The reasons can be partly attributed to: i) many network functions still rely on the dedicated hardware, such as particular interface cards or processors, until the Virtualized Network Function (VNF) appliances running on off-the-shelf ×86 hardware can catch up with the performance of dedicated hardware appliances; ii) currently there have been huge investments in traditional networking with a giant number of specialized hardware appliances in use, making both service providers and end users reluctant to simply leap into totally virtualized environments at all levels of business. Based on the facts shown above, as Sekar et al. mentioned in [1], the foreseeable future will witness the hybrid SFC networks, where the hardware-based physical network function appliances and the VNF appliances coexist. It is likely that it takes time as the NFV becomes dominant in market and the investment in new dedicated hardware platforms declines slowly [18]. Therefore, in this paper, we focus on the steering of service chains for hybrid SFC networks. We will also show that our proposed approach can be easily adapted to the pure NFV network scenarios. In this paper, we call the traffic flow originating from a client user a session. For example, in Fig. 1, three sessions originate from Client1 , Client2 and Client3 , demanding 100 megabits per second (Mb/s), 120 Mb/s and 150 Mb/s, respectively. Further, the flow between an Ingress/Egress switch and an SF, or between two consecutive SFs along a policy chain is called a segment. Typically, a segment transmits through a multi-hop routing path. As illustrated in Fig. 1, the segment that serves Client1 , originates from switch 0, and traverses through links (0,2), (2,3), (3,7) and (7,8), and finally reaches the content server. In the large-scale networks, since the same type of SF is usually deployed with multiple appliances at various network locations, the hardware resources such as CPU and memory cannot be amortized over all sessions easily [1], [6], [19], making the policy-aware appliance-selection and traffic engineering critical issues in the SFC networks. For example, in the context of SDN, the traffic engineering problems have attracted notable research efforts [1], [7], [8], [13], [20]–[28]. However, if the joint scheduling of appliance-decision and traffic planning towards a specified set of segments has not been carefully performed, congestions may occur in the overloaded appliances or bottleneck links, leading to the high packet processing latency and the degradation of admitted traffic rate. Take the scheduling shown in Fig. 1 as an example. According to the shortest path scheme [21], the session originated from Client3 will adopt the VNF appliances FW1 and LB1 via bottleneck link (3,7), thus resulting in congestion in this link. Therefore, in order to improve the total admitted traffic rate over all sessions, the congested bottleneck link (3,7) should be avoided by reassigning this session to the alternative VNF appliance FW2 and physical appliance LB2 via links (3,5) and (5,6) as illustrated by the dash line in Fig. 1. On the other hand, in the hybrid SFC networks, the

physical SF appliances and VNF appliances provide the network services to consumers collaboratively. Note that, in the perspective of service providers, the services provided by VNF appliances can be realized using virtual machines (VMs) either in the isolated proprietary cloud [29], or by renting from NFV market, where the service vendors who own network resources in data center are selling service chains [12]. Since the service providers of SFC networks have invested tremendously on the physical network function appliances, the expenditure to launch and maintain the VNF appliances should be reduced as much as possible. To this end, we are motivated to study a joint SFapplIance Determination and routing orchEstration (SIDE) problem for the hybrid SFC networks. The contributions of our study can be summarized as follows: •

•

•

In the hybrid SFC networks, we study the SIDE problem with the objective to maximize a weighted utility, which positively associates with the total admitted traffic rate over a specified set of target sessions, negatively relates to the penalty of both routing and NFV market budget. We then design a polynomial near-optimal approximation algorithm to solve the SIDE problem using the Markov approximation technique [30]. Simulation results show that our proposed approach yields a close-to-optimal solution in a small-scale network, and outperforms benchmark algorithms significantly in a Fattree datacenter network.

The remaining of the paper is organized as follows. Section 2 reviews related work. Section 3 states the system model and problem definition. The proposed Markov approximation based algorithm is presented in Section 4. Section 5 presents the performance evaluation results. Finally, section 6 concludes this work.

2

R ELATED W ORK

In recent years, the service function chaining has gained much research attention. We classify the related work into three categories. The first category emphasizes on the routing path scheduling with a given set of service chains, e.g., [19], [21], [31]. For instance, given a set of policy-aware traffic flows, Cao et al. [21] designed several steering algorithms mainly finding the routing paths that visit an ordered list of network functions under SDN networks. Then, Huang et al. [31] conducted the traffic scheduling for SDN networks by only considering one type of middlebox in their system model. In contrast, this paper focuses on a more practical problem, i.e., the steering for a hybrid service-functionchaining networks, where each user flow desires a unique policy-chain consisting of a sequence of service functions. The second category assumes that a set of pre-defined routing paths within the network have been determined, and the placement of SF appliances is the primary concern [32]–[36]. For example, Zhang et al. [33] proposed a scalable SDN-based framework named StEERING for dynamically routing traffic flows passing through the desired sequence of network middleboxes. An algorithm that can select the best locations for deploying services has been proposed.

3

Background of SFC

SFC is an emerging architecture under standardization considerations by the Internet Engineering Task Force (IETF). It is viewed as a very useful conceptual tool that will promote industry move toward commercial implementation. The goal of SFC is to develop a set of architectural building blocks which enable network operators to create a service topology and initialize a service function path across the network. Thus, SFC associates the placement of SFs, service chain management, diagnostics and security models [39]. As illustrated in Fig. 2, the SDN based SFC architecture [2] mainly includes three layers: a) Management and Orchestration Layer, b) Virtualization Layer and c) Physical Underlay Network Layer. In layer a), the Policy Chain Descriptor accomplishes the task of enforcing the policy chain, and the central SFC control plane is in charge of communicating with the ingress and egress nodes and locating SF nodes in the network. In layer b), a policy chain is primarily constituted with classifiers and SF nodes. Classifier is to identify and then classify traffic in order to direct flows into a policy chain. SF node provides various network functionalities. Finally, in layer c), the underlay could be any

Control Plane / SDN Controller

… Control Channels

Classifier

SF1

SF2

…

SFn

Classifier

Policy Chain

End Point E

End Point

Switch (SFF)

Any topology

Physical Underlay Network

P ROBLEM S TATEMENT

Policy Chain Descriptor

Virtualization Layer

3 3.1

Management & Orchestration

Later, given the network information and the specified policies, Liu et al. [34] investigated the middlebox placement problem, aiming to decide the optimal locations to place middleboxes such that the end-to-end service delay and bandwidth occupation can be minimized simultaneously. For minimizing the expensive optical-to-electronicto-optical (O/E/O) conversions in the packet/optical datacenter networks while conducting the NFV chaining, Xia et al. [35] proposed a heuristic algorithm that can efficiently find the placement solution for virtualized network functions such that the traversed pods by traffic flows could be reduced. As the third category, a series of most recent work [12], [37], [38] explored the joint optimization towards the deployment of network function appliances and the network resource allocation. For example, for maximizing the total admitted ratio for all user requests, Li et al. [38] implemented a system called NFV-RT, which can dynamically allocate network resources for NFV chaining. Then, a joint optimization problem associated with the appliance placement and traffic routing was studied by Kuo et al. [37] recently. To solve it, an algorithm based on dynamic programming technique was proposed, dealing with traffic demands sequentially. Finally, applying the auction mechanism, Gu et al. [12] designed a mechanism for NFV market, aiming to solve a social welfare maximization problem, where the provisioning of service chains in terms of allocating NFV resources efficiently in data center networks has been carefully studied. Via the classification of related work, we find that the existing studies have devoted efforts to the traffic steering problem on either the pure middlebox based networks or the NFV networks. The service chaining problem towards the hybrid network function clouds has not well been solved so far. To the best of our knowledge, we are the first to study this topic of interest.

Fig. 2. Architecture of SFC under the SDN-enabled cloud.

topology consisted of switch nodes, which are called service function forwarders (SFFs) under SFC architecture. 3.2

System Model

We consider an SDN-enabled SFC cloud network G = (V, E) with the set of SFFs V and the link set E. We denote F the set of all types of SFs in the network. In particular, both the hardware-based dedicated physical middleboxes and the VNF appliances are viewed as SF appliances (also called instances). Typically, we assume that service providers have already deployed multiple appliances for each SF h ∈ F. Then, the set of all appliances of the service function h is represented by Lh , in which the mth appliance of h is denoted by h(m). The set of all given sessions is denoted by D. For each session d ∈ D, network operators need to enforce the predefined service policy chain, which is represented by Yd , by finding each appropriate appliance for each hop of service function. For convenient formulation, we divide the policy chain desired by session d ∈ D into a group of consecutive segments, which is indicated by Gd . For example, if a policy chain is shown as hId , SF1 , SF2 , SF3 , Ed i, where Id and Ed are the ingress SFF and egress SFF of d, respectively, the corresponding policy-chain segment set Gd should be h(Id , SF1 ), (SF1 , SF2 ), (SF2 , SF3 ), (SF3 , Ed )i. Following [40], we assume that controller pre-computes a set of candidate paths for each pair of switches. Since each appliance is connected with a physical/virtuallized switch node in real networks, the candidate paths for a pair of switches are also essentially the candidate paths for the appliance pair connected to such the pair of switches. As Fig. 3 shows, each user flow d corresponds to a unique service policy chain. For each segment (h, k) ∈ Gd , network operator has to find a routing path for each determined SFappliance pair (h(m), k(n)), where h(m) ∈ Lh , k(n) ∈ Lk . We use Pdh(m),k(n) , (h(m)∈Lh ,k(n)∈Lk ,(h,k)∈Gd ,d∈D) to denote the candidate path set for (h(m), k(n)). The major notations used in this paper are aggregated in Table 1. With the information depicted above, we strive to steer the service chains for the specified set of sessions. 3.3

The SIDE Problem

3.3.1 Definition of Variables We first to define xdh(m) to indicate whether session d ∈ D selects the appliance h(m) (∈ Lh ) for the SF h(∈ Yd )

4 Multi-hop link in routing path

One-hop link in policy chain Policy chain for user flow d :

Id

SF1 Instance

SF2

SFn

…

Instance

Instance

Instance

Instance

Instance

SFF

SFF

SFF

Ed Multiple instances for each SF End Point 2

End Point 1

Id

3.3.2 Constraints The first constraint claims that each SF in the policy chain should select at most one SF-appliance for each session d. That is, X xdh(m) ≤ 1, ∀h ∈ Yd , ∀d ∈ D. (1) h(m)∈Lh

Ed

Service chain for flow d

Fig. 3. System model of service chaining.

According to the policy chain of session d ∈ D, if d can be satisfied with a feasible solution, we have: X X xdh(m) = ξd · |Yd |, ∀d ∈ D, (2) h∈Yd h(m)∈Lh

TABLE 1 Symbols and variables Notations (V, E) F S N Lh D Id /Ed

Description network topology with SFF set V and link set E set of all type of network service functions set of all SF appliances set of all virtualized appliances of all SFs set of (physical & VNF) appliances of SF h ∈ F a set of target sessions ingress/egress SFF of session d ∈ D the predefined policy chain for session d ∈ D, e.g., a policy chain is shown as hId , SF1 , SF2 , SF3 , Ed i set of segments in the policy chain of session d ∈ D the mth appliance of SF h ∈ Lh a set of candidate paths provided for the appliance pair (h(m), k(n)), (h, k) ∈ Gd , h(m) ∈ Lh , k(n) ∈ Lk the demanding traffic rate of session d ∈ D the traffic processing capability of appliance s ∈ S, to physical appliances, it can be the total I/O rate; to VNF appliances, it could indicate the CPU-cycles or power-budget of the cloud servers aggregated traffic rate on link e ∈ E bandwidth capability of link e ∈ E the size of a set within or the hop-number of a path binary variable indicating whether session d ∈ D selects the appliance h(m) (∈ Lh , h ∈ Yd ) binary variable indicating whether the appliance pair (h(m), k(n)) selects the candidate path

Yd Gd h(m) Pdh(m),k(n) λd µs re φe |.| xdh(m) d,p zh(m),k(n)

p ∈ Pdh(m),k(n) , ∀d ∈ D

binary variable indicating whether session d ∈ D is satisfied with a feasible configuration

ξd

where |Yd | indicates the hop-number of SFs as well as Ingress/Egress switches in the policy chain of session d. It can be seen that if the session d is satisfied, i.e., ξP 1, the total number of traversed SF-appliance d = P ( h∈Yd h(m)∈Lh xdh(m) ) should be equal to the number of desired SFs (including Id and Ed ) along the policy chain for d. Next, we shall consider the connection between any two consecutive policy-chain segments along a policy chain with the goal to find a complete end-to-end routing path for each session. We use the following quadratic constraint (3) to achieve it. X X d,p zh(m),k(n) = xdh(m) · xdk(n) , h(m)∈Lh p∈Pd h(m),k(n) k(n)∈Lk

(3)

∀(h, k) ∈ Gd , ∀d ∈ D. By (3), xdh(m) · xdk(n) = 1 indicates that the SF appliances h(m) and k(n) are determined, i.e., the SF-appliance pair (h(m), k(n)) exists. Thus, we need to choose one routing path for this pair from the given candidate path set Pdh(m),k(n) . In the physical data forwarding network, the aggregated traffic rate on each link e ∈ p(p∈Pd ) can be calculated h(m),k(n) as: X X X X d,p re = zh(m),k(n) · λd . (4) d∈D (h,k)∈Gd h(m)∈Lh p∈Pd h(m),k(n) k(n)∈Lk

according to its desired policy chain:

xdh(m) =



1, if the session d selects the appliance h(m); 0, otherwise.

Because every SF-appliance pair needs to select a routing d,p path, we then define another binary variable zh(m),k(n) to denote whether the appliance pair (h(m), k(n)) selects candidate path p ∈ Pdh(m),k(n) as its routing path:

d,p zh(m),k(n) =

  1, 

0,

ξd =

re ≤ φe , ∀e ∈ E. X

xdh(m) · λd ≤ µh(m) , ∀h(m) ∈ Lh , ∀h ∈ F.

(5) (6)

d∈D

if the appliance pair (h(m), k(n)) selects candidate path p for session d; otherwise.

Then, we define the other variable ξd to denote whether session d ∈ D is satisfied with a feasible configuration: 

Finally, the following two constraints specify that the link bandwidth capability and appliance processing capability should not be exceeded. Note that, the formulation and our solution can be extended to versions under considering the multiple dimensional resources allocation, e.g., memory and storage.

1, if a feasible configuration for d is found; 0, otherwise.

3.3.3 Two-Term Penalty We consider a two-term penalty when we conduct the SFC in hybrid NFV networks. Although the adoption of NFV techniques bring the flexible management, the cost to utilize the VNF appliances should be taken into account. Such cost can be measured with the expenditure that is charged by i) the budget for general hardware (such as CPU, memory, storage) and

5

power consumption in the proprietary could servers, or ii) the rental spending from NFV market. We refer this term of penalty to the VNF overhead, when provisioning service chains with the VNF appliances. Without loss of generality, we assume that the VNF overhead is proportional to the required rate of traffic demand. Therefore, we can compute the VNF overhead as the following: X X X ∆= xdh(m) · λd . (7) d∈D h∈Yd h(m)∈N

On the other hand, when conducting the traffic engineering in SDN networks, the forwarding table space is the critical resource due to the limited size in each high speed SDN switch. Thus, the consumption of forwarding table space, as well the configuration cost in SFFs should be also considered in our SDN-based SFC networks. And we call such term of consumption related to SFF the routing cost. Note that, when we find the routing paths for an end-to-end policy chain, the routing cost is naturally assumed proportional to the number of traversed SFFs along the selected routing paths for all segments. Therefore, the second term of penalty can be calculated as: X X X X d,p Ω= · |p|, (8) zh(m),k(n) d∈D (h,k)∈Gd h(m)∈Lh p∈Pd h(m),k(n) k(n)∈Lk

where |p| indicates the hop-number of SFFs in the candidate path p. 3.3.4 Utility Maximization Basically, the SFC network operators always prefer to improve the overall admitted traffic rate by performing traffic engineering techniques [24]. On the other hand, the aforementioned two-term penalty need to be reduced simultaneously. Finally, we formulate the SIDE problem as the following cost-efficient utility maximization problem using Integer Programming with Quadratic Constraints (IPQC), such that the joint utility U associated with admitted traffic rate and the aforementioned two-term penalty is maximized. X λd · ξd − ν · ∆ − ω · Ω SIDE : max U = (9) d∈D s.t. (1), (2), (3), (5) and (6). P Note that, the term d∈D λd · ξd calculates the total admitted traffic rate of all the satisfied sessions. The ν and ω in (9) represent the weight of the VNF overhead ∆ and routing cost Ω, respectively. The two weight parameters can be tuned freely to indicate different penalty scales. Furthermore, as we have mentioned that our formulation can be simply shifted into the version that adapts to the total pure NFV environment just by enforcing S = N.

4 4.1

M ARKOV A PPROXIMATION BASED A LGORITHM Insight of Applying Markov Approximation

Solely the traffic engineering problem with link capacity constraints in the SIDE problem is essentially the multicommodity flow problem [41], which is known as NP-complete [42], [43]. The appliance-selection makes this problem even harder.

Since there is no computationally efficient solution in a centralized manner, we attempt to design a fast polynomial approximation algorithm that solves the problem applying the framework of Markov Approximation (MA) [30], which is a very efficient approach to solve the combinatorial optimization problem. The most important characteristic of such combinatorial optimization problem is that the local individual decisions for each entity in the network compose the global solution of overall system. In our problem, the local decisions for each session include the selections of appliance and routing path, and all local decisions construct a global solution for the entire hybrid SFC network. Therefore, we find that the proposed SIDE problem is essentially a combinatorial optimization problem. In the following, we specify the two steps to design our Markov approximation based algorithm: the design of Markov-chain and its implementation. 4.2

Markov Chain Design

We let fXZ (shorten as f ) denote a feasible configurad,p tion of SIDE problem, i.e., f , {xdh(m) , zh(m),k(n) , ∀p ∈ Pdh(m),k(n) , ∀h(m) ∈ Lh , ∀k(n) ∈ Lk , ∀(h, k) ∈ Gd , ∀d ∈ D}, and let F denote the set of all feasible configurations. Further, we also denote Uf as the system utility corresponding to a given configuration f . To better understand the logsum-exp approximation, we let each configuration f ∈ F associate with a probability pf , which indicates the portion of time that the configuration f is in use. We then use p∗f ∈F to indicate the optimal probability solution for configuration f ∈ F . Then, applying the approximation framework proposed in [30], we have:

p∗f = P

f

0

exp(βUf ) , ∀f ∈ F. ∈F exp(βUf 0 )

(10)

where β is a positive constant and related to approximation performance. Now we design a Markov-Chain (shorten as MC) based approximate algorithm with a state space F of all feasible configurations and a stationary distribution shown as p∗f in (10). In the implemented MC, if the transitions among states can be tuned converging to the desired stationary distribution p∗f , system can achieve near-optimal performance [30]. 4.2.1

State-Space Structure

To construct a time-reversible MC with stationary distribution p∗f , as illustrated in Fig. 4, we first let fXZ ∈ F denote a state in MC. Particularly, when any in-use appliance of any SF is swapped, we say the system configuration transits to fX 0 Z 0 ∈ F from fXZ with the nonnegative transition rate qf f 0 . It should be noticed that, in the transition fXZ → fX 0 Z 0 , the associated two in-use segment routing paths also need to be changed. To each transition, the following two conditions must be ensured: (a) in the constructed MC, any two states are reachable from each other, and (b) the detailed balance equations [44] must be satisfied: p∗f qf f 0 = p∗f 0 qf 0 f , ∀f, f 0 ∈ F , where f denotes fXZ , and f 0 indicates fX 0 Z 0 . Based on the constructed state-space structure, we then specify the transition-matrix design.

6

f

f’

...

: Transition by swapping any SF-instance. qf f ’ ... fX’Z’ f XZ

Fig. 4. Transition between two adjacent states. If a RESET signal is received. Initialization

Sets & triggers a timer mer

Timer counts down to 0. Transits & sends sen RESET signal

Algorithm 1 Markov-Chain based Algorithm to solve SIDE 1: execute Initialization (Alg. 2) for the entire system 2: for ∀h ∈ Yd − {Id , Ed }, ∀d ∈ D do 3: SetTimer(h) by invoking Alg. 3 4: end for 5: while system is running do 6: /*Procedure Transition*/ 7: if Thd expires then d 8: xdh(m) b ← 0, xh(m0 ) ← 1 0

9:

d,p d,p zg(l),h( b ← 0, zg(l),h(m0 ) ← 1 m) 00

Jumps back Fig. 5. The state machine of each session demonstrated for understanding algorithm 1.

4.2.2 Transition-Matrix Design In our design, with respect to variable xdh(m) , i.e., the SFappliance decision, we let the transition rate qf f 0 be positively correlated to the difference of system utilities under configurations fXZ and fX 0 Z 0 . That is:

1 qf f 0 = exp( β(UfX 0 Z 0 − UfXZ ) − τ ), (11) 2 where τ is a conditional non-negative constant. We can observe that when UfX 0 Z 0 − UfXZ > 0, meaning that the performance gap between fX 0 Z 0 and fXZ increases, the transition rate qf f 0 will grow, and vice versa. Therefore, such transition rate designed in (11) is likely to lead the system to a configuration with higher system utility. 4.3

Implementation of MC Guided Algorithm

The implementation based on our designed MC is shown as Alg. 1. Before execute Alg. 1, controller initializes a dedicated computing thread for each session. Each thread follows a general state machine shown as Fig. 5. Note that, all computing threads can execute on an SDN controller or on multiple logically centralized controllers. In particular, Alg. 1 is the main frame, which invokes two other supporting algorithms, i.e., Alg. 2 and Alg. 3. The procedures of Alg. 1, and the supporting algorithms as well are explained as follows. Initialization (Algorithm 2): If never find an appliance for an SF h ∈ Yd , in line 3, computing thread randomly selects a feasible appliance h(m) that satisfies resource constraints (such as processing capability) from Lh . Then, as shown in line 8, a feasible routing path p is randomly picked up from the candidate path set Pdh(m),k(n) for the appliance pair (h(m), k(n)). b is the in-use SetTimer (Algorithm 3): Suppose that m appliance-index of SF h ∈ Yd . Firstly, thread checks the number of feasible not-in-use appliances for h, i.e., |σhd |. If there is at least one feasible not-in-use appliance for h, the computing thread randomly selects a feasible one, the index of which is denoted by m0 . Then, computing thread need to find two new paths if the appliance indicated by m0 is adopted. As shown in line 5 and line 7, two set of not-in-use candidate paths for the target appliance pair (g(l), h(m0 )) and (h(m0 ), k(n)) are found, respectively. If at

e d,p d,p zh( ← 0, zh(m 0 ),k(n) ← 1 b m),k(n) repeat SetTimer(h) invoking Alg. 3 send RESET(UfX 0 Z 0 , d, h) signal to controller end if /*Procedure RESET*/ ¯h ¯ ) signal is received then if a RESET(Uf 0 , d, UfX 0 Z 0 ← Uf 0 ¯ ∀h ∈ refresh and start other timers Thd (∀d ∈ D\{d}, ¯ Yd \{Id , Ed , h}) by invoking (12) 18: end if 19: end while

10: 11: 12: 13: 14: 15: 16: 17:

Algorithm 2 Initialization Input: Pdh(m),k(n) |∀h(m)∈Lh ,∀k(n)∈Lk ,∀d∈D d,p

Output: xdh(m) , zh(m),k(n) |∀h(m)∈Lh ,∀k(n)∈Lk ,∀(h,k)∈Gd ,∀d∈D 1: for ∀h ∈ Yd , ∀d ∈ D do 2: if never find an appliance for SF h then 3: xdh(m) ← 1, h(m) is randomly selected from Lh 4: end if 5: end for 6: for ∀(h, k) ∈ Gd , ∀d ∈ D do 7: if xdh(m) = 1 and xdk(n) = 1 then d,p zh(m),k(n) ← 1, where the feasible p is randomly chosen from Pdh(m),k(n) 9: end if 10: end for

8:

least one candidate path is available in the two path sets (%dg(l),h(m0 ) and %dh(m0 ),k(n) ) simultaneously, two new paths p0 and p00 will be randomly picked up, respectively. Next, line 12 computes the current system utility UfXZ , while line 13 calculates the “next” system utility UfX 0 Z 0 if the newly selected appliance as well as the routing paths are adopted b ← m0 , p ← p0 , pe ← p00 . After this, an exponentially as m distributed random timer is generated independently with a mean value equal to (12), and begins to count down. Transition: When the timer Thd expires, the dedicated computing thread adopts the scheduled “next” appliance and the associated two paths that connect to the new appliance, according to line 7 to line 10. Next, the computing thread sets a timer for SF h again. Then, sends RESET(UfX 0 Z 0 , d, h) signal to controller for notifying such swapping event with the updated system utility UfX 0 Z 0 . ¯h ¯ ) sigRESET: When controller receives a RESET(Uf 0 , d, ¯ ¯ nal (line 15), which indicates SF h of session d has just swapped an appliance and yielded the new system utility Uf 0 . Then, as shown from line 16 to line 17, controller ¯ ∀h ∈ Yd \{Id , Ed , h} ¯ ) refreshes the timers Thd (∀d ∈ D\{d},

7

Algorithm 3 SetTimer for an SF Input: h|h∈Yd \{Id ,Ed },d∈D b m0 , g(l), p, p0 , k(n), pe, p00 Output: Thd , m, b ← current in-use appliance-index for SF h ∈ Yd 1: m d ← feasible not-in-use appliance-indices for h 2: σh d 3: if |σh | ≥ 1 then 0 4: m ← one appliance-index randomly selected from σdh 5: %dg(l),h(m0 ) ← all feasible not-in-use candidate paths for appliance pair (g(l), h(m0 )) from Pdg(l),h(m0 ) , where d g(l) ← arg(zg(l),h( b = 1), (g, h) ∈ Gd , g(l) ∈ Lg m) b 6: p ← current in-use path for (g(l), h(m)) 7: %dh(m0 ),k(n) ← all feasible not-in-use candidate paths for appliance pair (h(m0 ), k(n)) from Pdh(m0 ),k(n) , d where k(n) ← arg(zh( = 1), (h, k) ∈ b m),k(n) Gd , k(n) ∈ Lk b k(n)) 8: pe ← current in-use path for (h(m), 9: if |%dg(l),h(m0 ) | ≥ 1 and |%dh(m0 ),k(n) | ≥ 1 then 10: randomly select p0 ∈ %dg(l),h(m0 ) 11: randomly select p00 ∈ %dh(m0 ),k(n) 12: UfXZ ← U |m,p, b e p 0 ,p←p0 ,p 13: UfX 0 Z 0 ← U |m←m b e←p00 14: generate a random exponentially distributed timer Thd for h with mean equal to

1 1 exp(τ − β(UfX 0 Z 0 − UfXZ )), 2 |σhd |

(12)

and begin to count down 15: end if 16: end if

according to (12) with the updated Uf 0 and begins counting them down. Since Algorithm 1 contains several auxiliary algorithms, we can know its overall computing complexity if that of each supporting procedure or auxiliary algorithm is given. We then have the following results on the computing complexity of Algorithm 1.

any adjacent states compose a homogeneous continuoustime Markov chain. 0 Let P rf →f 0 (f, f ∈ F ) denote the probability that 0 system will transit to the state f when any timer Thd counts down to zero. We also define Sf to represent the set of neighbouring states with one-hop transition to the state f ∈ F . In order to compute P rf →f 0 , we have to know the size of Sf , which is derived corresponding to the transition. From the timer setting in Algorithm 3, we know that the next state of the current configuration f has equal probability to 0 be any state f ∈ Sf based on the following fact: when the computing thread selects the next feasible not-in-use appliance for the SF h ∈ Yd , there are |σhd |(d∈D) choices. In consequence, we can calculate the size of state space Sf as: X X |Sf | = |σhd |. d∈D h∈Yd

Now, we can compute the probability P rf →f 0 in the way: 0 1 P rf →f 0 = , ∀f ∈ F, ∀f ∈ Sf . |Sf | In the next step, we show that the state transition rate 0 0 from f to f , i.e., qf f 0 , satisfies (11) when f denotes fX 0 Z 0 . Given a current state fXZ , according to (12), each timer Thd (∀h ∈ Yd , d ∈ D) counts down with a rate:

1 ρdh = |σhd | exp( β(UfX 0 Z 0 − UfXZ ) − τ ). (13) 2 Therefore, system leaves state fXZ then enters to state fX 0 Z 0 with the rate: X X ρfXZ ,fX 0 Z 0 = ρdh . (14) d∈D h∈Yd

With probability P rf →f 0 , system transits to a one-hop 0 connected neighbouring configuration f when leaving the current configuration f . Therefore, we compute the transi0 tion rate from f to f as follows:

qf,f 0 |(f =fXZ ,f 0 =fX 0 Z 0 ) = ρf,f 0 × P rf →f 0 X X 1 = |σhd | exp( β(UfX 0 Z 0 − UfXZ ) − τ ) 2 d∈D h∈Y

Remark 1. In Algorithm 1, the computing complexity of Initialization (Alg. 2), SetTimer P P(Alg. 3), Procedure PRESET is O( d∈D (|Yd | + |Gd |)), O( d∈D |Yd |), and O( d∈D |Yd |), respectively. Theorem 1. If there is no approximation error, Algorithm 1 realizes a time-reversible Markov chain with the stationary distribution shown in (10). Proof: By the two conditions for constructing the state space of the designed Markov chain, we see that all configurations can reach each other within a finite number of transitions in terms of swapping in-use appliances. Therefore, the constructed MC is an ergodic Markov chain. In the following proof, we show that the stationary distribution of the constructed Markov chain exactly follows equation (10). By (12), we know that the waiting time of each configuration is exponentially distributed and the transition probability between different configurations is independent of time. Therefore, the states space that is represented by the transition, and the corresponding transition rate between

d

·P

d∈D

1 P

(15)

d h∈Yd |σh |

1 = exp( β(UfX 0 Z 0 − UfXZ ) − τ ). 2 Finally, via combining (15) and (10), we can obtain that 0 p∗f qf f 0 = p∗f 0 qf 0 f , ∀f, f ∈ F , i.e., the detailed balance equations hold in our designed MC. According to [44], the constructed Markov chain is time-reversible and its stationary distribution follows (10).

5

P ERFORMANCE E VALUATION

To evaluate the performance of the proposed algorithm, this section presents the numerical simulations, which are conducted by a simulator implemented in Python. All algorithms are also realized in Python and executed on a Windows 64-bit computer with 8 Gigabytes (GB) RAM.

8

180 400

160 Routing cost

Utility

800 Optimal MA MA(z)

600 400

Optimal MA MA(z)

140 120

VNF overhead

1000

100 80 60 40

200 0

1 Logical time (seconds)

2

0

1 Logical time (seconds)

−4

x 10

(a) System utility

2 x 10

300 200

Optimal MA MA(z)

100 0 0

−4

(b) Routing cost

1 Logical time (seconds)

2 −4

x 10

(c) VNF overhead

Fig. 6. Performance comparison between the MA-based algorithms and the optimal solution under the Internet2 topology, where 6 physical and 6 VNF appliances are deployed, φe∈E =2000 Mb/s, ν =1, ω =0.2, µs∈S =1000 Mb/s, 617 candidate paths are provided, with 9 traffic demands requiring a 3-hop service policy chain each.

1

6

3

2

7

10

11

14

4

15

18

Core switches

5

19

22

23 Aggregation switches

8

9

12

13

16

17

20

21

24

25

…

…

…

…

…

…

…

…

…

…

Hosts, SF-appliances

Fig. 7. The Fat-tree topology used in the second group of simulations, where in total 900 candidate paths are provided for segment routing.

5.1 5.1.1

Simulation Settings Settings for the first group of simulations

To show how close of performance of our proposed MA algorithm to that of the optimal solution, a set of small-scale simulations are first studied under the Internet2 topology [45], which is also shown in Fig. 1. In this suite of simulations, three types of SFs, i.e., NAT, FW and LB, are deployed in such network with 2 physical and 2 virtualized appliances for each type. In particular, the virtualized-appliance pairs (NAT1 , LB1 ), (NAT4 , FW4 ) and (LB3 , FW3 ) simultaneously connect to switches 2, 3 and 5, respectively. For routing, in total 617 candidate paths are provided for connecting segments. In addition, denoted by Optimal, the optimal solutions are solved using the Gurobi 6.0 optimizer [46], which embeds in many classical solvers including linear programming solver, quadratically constrained programming solver and mixed-integer linear programming solver. The solvers in the Gurobi Optimizer are designed from the ground up to exploit modern architectures and multi-core processors, using the most advanced implementations of the latest algorithms. It is worth noting that, the optimal solutions can be only obtained in a small-scale simulation due to the high computing complexity of SIDE problem. 5.1.2

Settings for the second group of simulations

Then, another set of simulations are conducted using a Fattree topology (shown as Fig. 7), which consists of 25 nodes and 45 bidirectional links. As shown in Fig. 7, the set of aggregation switches with IDs 8, 9, 12, 13, 16, 17, 20, 21, 24 and 25, serve as the ingress/Egress switches, which

directly connect to a number of hosts and SF-appliances (in either physical or virtualized). We specify five types of SF: NAT, FW, LB, DPI and IDS, to construct the individual policy chain for each session. Without loss of generalities, the sequence of such 5 SFs in each policy chain is randomly generated. For each type of SF, 10 physical and 10 virtualized appliances are launched. Finally, 100 SF-appliances are averagely distributed in the bottom of this topology. The traffic processing capability of each appliance is set to 1000 Mb/s by default. We then generate several suites of traffic demand trace with the rate of each session normalized to 100 Mb/s. On the other hand, we provide each pair of ingress/Egress switches with 10 different candidate paths. Thus, 900 candidate paths in total are provided for the segment routing. 5.1.3

Metrics considered

To evaluate the performance of algorithms, we collect multiple system metrics including the numerical system utility, routing cost, VNF overhead, Admitted Traffic Rate (ATR), and admission ratio as well in simulations. 5.2 Representative Executions comparing with Optimal We first to study the optimality-approximation property of the proposed algorithm via demonstrating the representative executions under the aforementioned Internet2 topology. We also realize another version of MA algorithm as a benchmark, in which the transition is only triggered by the path-swapping, i.e., the change of varid,p able zh(m),k(n) (∀d, p, h(m), k(n)). We denote this version by MA(z). In the first group of simulations, the link capacity and the processing capability of appliances are set to 2000 Mb/s and 1000 Mb/s, respectively. For Alg. 1, ν , ω , β and τ are set to 1, 0.2, 10 and 0, respectively. We then execute algorithms in 200 iterations, each of which consumes 1 microsecond (1e-6 second) in logical time. Therefore, the total observation duration is 0.2 millisecond. In Fig. 6, 6(a), 6(b) and 6(c) show the performance in terms of utility, routing cost and VNF overhead, respectively. It can be observed that MA quickly converges to the Optimal at the 41 µs in terms of all metrics. Interestingly, although MA outperforms MA(z) significantly with respect to both utility and VNF overhead, its performance in terms of routing

9

1500 1000 500 0

500

0

50

100

1400 1200 1000 1000

800

0

200

400 600 800 Iteration number

1000

500 0

400 0

1200

GA, CR=0.3, MR=0.01 GA, CR=0.5, MR=0.05 GA, CR=0.8, MR=0.1 MA

1000

500

1000 500

600

0

VNF overhead

1500 1000

1500 GA, CR=0.3, MR=0.01 GA, CR=0.5, MR=0.05 GA, CR=0.8, MR=0.1 MA

1600 Routing cost

2000 Utility

1800

GA, CR=0.3, MR=0.01 GA, CR=0.5, MR=0.05 GA, CR=0.8, MR=0.1 MA

2500

(a) System utility

50

200

100

400 600 800 Iteration number

0 0

1000

0 0

1200

(b) Routing cost

50

200

100

400 600 800 Iteration number

1000

1200

(c) VNF overhead

Fig. 8. Representative execution of algorithms under the Fattree topology, where φe∈E =20000 Mb/s, ν =1, ω =0.25, µs∈S =1000 Mb/s, 900 candidate paths are provided, with 20 traffic demands requiring a 4-hop service policy chain each.

0

2000 1000 0

500

3500 3000 3500 3000 2500 2000 1500 0

2500 2000 1500

−1000 0

−5000 0

GA, CR=0.3, MR=0.01 GA, CR=0.5, MR=0.05 GA, CR=0.8, MR=0.1 MA

4000

50

50

3500

1000 1500 Iteration number

2000

0

500

(a) System utility

1000 1500 Iteration number

2500 2000 1500 1000 500

100

1000

100

GA, CR=0.3, MR=0.01 GA, CR=0.5, MR=0.05 GA, CR=0.8, MR=0.1 MA

3000 VNF overhead

4500 GA, CR=0.3, MR=0.01 GA, CR=0.5, MR=0.05 GA, CR=0.8, MR=0.1 MA

Routing cost

Utility

5000

0 0

2000

(b) Routing cost

2500 2000 1500 1000 0

500

50

100

1000 1500 Iteration number

2000

(c) VNF overhead

Fig. 9. Representative execution of algorithms under the Fattree topology, where φe∈E =20000 Mb/s, ν =1, ω =0.25, µs∈S =1000 Mb/s, 900 candidate paths are provided, with 50 traffic demands requiring a 4-hop service policy chain each.

0 2000 1000

−5000

8000 Routing cost

Utility

5000

6000 6000

4000

5000

0 −1000 0

−10000 0

GA, CR=0.3, MR=0.01 GA, CR=0.5, MR=0.05 GA, CR=0.8, MR=0.1 MA

1000

20

40

60

80

2000 3000 4000 Iteration number

2000

100

5000

(a) System utility

0

4000 0

1000

50

GA, CR=0.3, MR=0.01 GA, CR=0.5, MR=0.05 GA, CR=0.8, MR=0.1 MA

6000 4000

6000 5000

2000

4000 3000 0

100

2000 3000 4000 Iteration number

(b) Routing cost

8000

VNF overhead

10000 GA, CR=0.3, MR=0.01 GA, CR=0.5, MR=0.05 GA, CR=0.8, MR=0.1 MA

5000

0 0

1000

50

2000 3000 Iteration number

100

4000

5000

(c) VNF overhead

Fig. 10. Representative execution of algorithms under the Fattree topology, where φe∈E =20000 Mb/s, ν =1, ω =0.25, µs∈S =1000 Mb/s, 900 candidate paths are provided, with 100 traffic demands requiring a 4-hop service policy chain each.

cost shows similar to that of MA(z). Thus we can infer that during the decision of SF-appliance in Alg. 1, the candidate paths inducing lower routing cost are also preferred to be selected automatically. However, MA(z) only swaps routing path rather than SF-appliance, the VNF overhead does not change at all time. Because the traffic processing capability of physical appliances is sufficient, the VNF overhead of MA algorithm approaches to 0, same as Optimal shows. 5.3

Comparison with Genetic Algorithm

With the Fattree topology (Fig. 7), we then compare the performance of the proposed MA algorithm with Geneticbased Algorithm (shorten as GA), which has been adopt by [9], [11], [32] to deploy service chains in NFV networks. In particular, the framework of the conventional GA is expressed with Algorithm 4.

5.3.1

The framework of conventional genetic algorithm

In line 1 of Algorithm 4, we first to generate a group of initial population, which is consisted of N random chromosomes. In the while loop, as shown in lines 4-6, algorithm conducts the crossover operations on two chromosomes Ca and Cb randomly selected from the population. As a result, two new b 0 and C b 0 are generated. chromosomes C a b Then, in lines 8-10, algorithm performs mutation operb 0 and C b 0 , and yields two other new chromoations over C a b 00 00 somes Ca and Cb . In each crossover or mutation operation, algorithm will adopt the new chromosome if it indicates higher fitness value (utility). After several rounds of execution, the update towards the holistic population will produce a group of chromosomes that are with high fitness values.

10

1

1 |policy chain| =3 |policy chain| =4 |policy chain| =5

0.8

0.4 0.2 0

0.8

0.6

CDF

0.6

CDF

CDF

0.8

1 |policy chain| =3 |policy chain| =4 |policy chain| =5

0.4 0.2

3300

3600

4000 Utility

4300

0.4

|policy chain| =3 |policy chain| =4 |policy chain| =5

0.2

0 200

4600

0.6

400

600 800 Routing cost

1000

0 0

1200

50

100 150 200 VNF overhead

250

300

(a) CDF of utility in the final converged (b) CDF of routing cost in the final con- (c) CDF of VNF overhead in the final solutions verged solutions converged solutions Fig. 11. CDF of metrics in the final converged solutions of the proposed algorithm, while varying Policy-Chain Length under the Fattree topology, where φe∈E =20000 Mb/s, ν =1, ω =0.25, µs∈S =1000 Mb/s, 900 candidate paths are provided, with 100 traffic demands requiring a {3,4,5}-hop service policy chain each.

|policy chain| =3 |policy chain| =4 |policy chain| =5

0.6

CDF

CDF

0.8

0.4 0.2 0

1

1

0.8

0.8

0.6

CDF

1

|policy chain| =3 |policy chain| =4 |policy chain| =5

0.4 0.2

−1000

(a) CDF iterations

0

of

2000 Utility

utility

4000

during

0

0.6 |policy chain| =3 |policy chain| =4 |policy chain| =5

0.4 0.2

500 1000

2000 3000 Routing cost

4000

0

0

1000 2000 VNF overhead

3000

1500- (b) CDF of routing cost during 1500- (c) CDF of VNF overhead during iterations 1500-iterations

Fig. 12. CDF of metrics during the first 1500-iterations execution of the proposed algorithm while varying Policy-Chain Length under the Fattree topology.

Algorithm 4 Framework of Conventional GA Input: Φ (the maximum number of execution rounds) 1: initialize a population G = {C1 , C2 , ..., CN }, which is composed of N chromosomes; round = 0; 2: while round ≤ Φ do 3: randomly choose two chromosomes Ca and Cb ; 4: conduct crossover over Ca and Cb , and generate two new chromosomes Ca0 and Cb0 ; 5: compute the fitness of the new chromosomes; 6: replace Ca (Cb ) with Ca0 (Cb0 ), if the new one returns a larger fitness value; b0 , C b 0 ← two remaining chromosomes after perform7: C a b ing crossovers; b 0 and C b 0 , and generate other 8: conduct mutation for C a b 00 00 two new ones Ca and Cb ; 9: compute the fitness of the two new chromosomes; b 0 (C b 0 ) with C 00 (C 00 ), if the new one has a 10: replace C a a b b larger fitness value; 11: round++; 12: end while

5.3.2

Parameter settings for GA

In our implementation of such GA, each chromosome indicates the appliance selection solution for all traffic demands. Varying the combination of Crossing Rate (CR) and Mutation Rate (MR) of chromosomes in GA within the set {(CR, MR): (0.3, 0.01); (0.5, 0.05); (0.8, 0.1)}, we evaluate the

performance of GA with a population consisting of N =50 chromosomes. Similar to our proposed MA algorithm, each iteration in GA indicates a random number of applianceswapping towards any traffic demand with equal probability. The routing path for any segment is also chosen randomly from the given candidate path set, once a pair of appliances has been determined. 5.3.3 Discussion of simulation results By fixing φe∈E =20000 Mb/s, µs∈S =1000 Mb/s, ν = 1 and ω = 0.25, Figs. 8, 9 and 10 demonstrate the representative execution results of GA and MA algorithm under the number of traffic demand varying from {20, 50, 100}, respectively. We can see that the utilities of all versions of GA and MA algorithm have an improvement in the first few iterations. Correspondingly, both routing cost and VNF overhead reduce quickly during the initial stage. Although GA performs better than MA algorithm in the first 10-20 iterations, it illustrates a very slow improvement after that. On the contrary, the performance of MA outperforms that of GA in a very fast pace and achieves convergence eventually. For example, the utility of MA i) grows higher than that of the versions of GA at the 12nd , 20th and 15th iterations, and ii) converges at the 310th , 880th and 2800th iterations, in the executions with 20, 50 and 100 traffic demands, respectively. We can further observe that the execution with more traffic demands yields a longer convergence. Note that, the logical execution time of MA algorithm is still fixed to 1 µs. Therefore, even if with 100 traffic demands,

11

2500

3000 2000

MA, µs = 5000

MA, µs = 500

MA, µs = 2000

MA, µs = 400

1000

MA, µs = 300

0 0

Routing cost

Utility

4000

2000

1000 0

0

100

500 1000 Iteration number

200

1500

MA, µs = 5000

MA, µs = 500

MA, µs = 2000

MA, µs = 400

ATR

(b) Routing cost

1000

MA, µs = 300 MA, µs = 200

500

500 1000 Iteration number

1500

(c) VNF overhead

5000 4000 3000 2000

Admission ratio

VNF overhead

2000

1500

1500

1500

0

MA, µs = 200

MA, µs = 400

(a) Utility

2000

MA, µs = 300

MA, µs = 500

1000

MA, µs = 200

500 1000 Iteration number

MA, µs = 5000 MA, µs = 2000

200

300

400

200

300

400

µs

500

2000

5000

500

2000

5000

1 0.5 0

µs

(d) Average admitted traffic rate (Mb/s) and Admission ratio

Fig. 13. Representative executions of algorithms under the Fattree topology, with 50 traffic demands requiring a 3-hop policy chain each.

the logical convergence time of MA algorithm is only 2.8 ms. On the other hand, the metrics in terms of routing cost and VNF overhead show the similar-converging but converse performance comparing with utility under all algorithms. 5.4 Effect of Policy-Chain Length Under the almost same parameter settings with the suite of simulations shown in Fig. 9, we study the effect of the length of policy chain, by varying it for all traffic demands within {3, 4, 5}. Particularly, we conduct 20 execution cases, each of which lasts for 1500 iteration under each setting. With the traced final converged solutions, we let Figs. 11(a), 11(b) and 11(c) show the cumulative distribution function (CDF) of metrics in terms of utility, routing cost and VNF overhead, respectively. It can be apparently observed that the utility shows as a decreasing function versus the length of policy chain, because the two terms of cost/overhead are increasing functions versus the policy-chain length. For example, as Fig. 11 shows, only 10% of all recorded utilities are lower than 4000 when the policy-chain length is 4. However, the percentages with policy-chain length 3 and 5 are 100% and 5%, respectively. The reasons behind this are apparent: longer policy chain makes each traffic demand require more SF-appliances, and consume more bandwidth resource in the network links, thus resulting in higher VNF overheads and routing costs. As shown in 11(b) and 11(c), we observe that the CDFs of the two terms of cost/overhead illustrate the similar but converse performance comparing with utility.

Then, Fig. 12 demonstrates the CDFs of all recorded metrics over all the 1500 iterations traced, and shows the similar performance of the three metrics as Fig. 11 has shown. The explanation is also same and thus omitted here. 5.5

Effect of the Capability of SF-appliance

Note that, we do not show the performance of ATR and admission ratio of each algorithm in the previous groups of simulation, because the capacity of both appliance and network link are sufficient. In this group of simulation, we evaluate the effect of the capacity of SF-appliance by varying it within the range {200, 300, 400, 500, 2000, 5000} Mb/s. Under the almost same parameter settings with previous simulations but with 50 traffic demands, each of which desires a 3-hop policy-chain, we study all the metrics during the 1500-iteration executions. Under varying settings of appliance capability, Fig. 13(a), 13(b) and 13(c) still demonstrate the corresponding utilities, routing costs and VNF overheads, respectively. In particular, Fig. 13(d) shows the average ATR and admission ratio performance under each appliance capability. From this suite of figures, we can clearly observe that i) higher appliance capability induces higher utility, ATR and admission ratio, and lower VNF overhead; ii) the performance under the sufficient appliance capability settings shows similar; iii) the performance under the insufficient appliance capability settings is hard to converge. For example, the executions when µs is equal to or higher than 500 Mb/s

12

have the similar outstanding performance in terms of all metrics. But the other cases exhibit more severe fluctuations with respect to utility and VNF overhead, when µs varies from 400 to 200. Interestingly, as 13(b) shows, the routing costs under sufficient settings of appliance capability perform almost the same. But, the cases under µs =300 and µs =200 are exceptions. The reason can be attributed to that the admission ratio under such two cases are very low, leading to lower requirement of network link resources. As a result, the final routing cost can be quickly converged, especially when µs = 200, comparing with other cases.

6

C ONCLUSION AND F UTURE W ORK

In this paper, we have studied a service chain steering problem for hybrid SFC networks, where the traffic demands are provisioned by both physical and virtualized network function appliances. Then, a utility-maximization problem has been formulated. To solve it, we have designed an approximation algorithm using the Markov approximation technique. The approximation property of the proposed algorithm also has been proved. Extensive numerical simulation results have revealed that the proposed MA algorithm could yield close-to-optimal solutions and outperform other benchmark algorithms significantly in terms of utility. Since the hybrid SFC networks have intensive correlation with data processing [47]–[49] in the era of big data, we plan to apply the proposed approach to meaningful big data based service provisions in our future work.

R EFERENCES [1]

V. Sekar, N. Egi, S. Ratnasamy, M. K. Reiter, and G. Shi, “Design and implementation of a consolidated middlebox architecture,” in Proceedings of the 9th USENIX conference on NSDI, 2012, pp. 24–24. [2] J. Halpern and C. Pignataro, “Service function chaining (sfc) architecture,” IETF, Tech. Rep., 2015. [3] H. Hata, “A study of requirements for sdn switch platform,” in International Symposium on Intelligent Signal Processing and Communications Systems (ISPACS), 2013, pp. 79–84. [4] H. Huang, S. Guo, W. Liang, K. Li, B. Ye, and W. Zhuang, “Nearoptimal routing protection for in-band software-defined heterogeneous networks,” IEEE Journal on Selected Areas in Communications, vol. 34, no. 11, pp. 2918–2934, 2016. [5] H. Huang, S. Guo, P. Li, W. Liang, and A. Y. Zomaya, “Cost minimization for rule caching in software defined networking,” IEEE Transactions on Parallel and Distributed Systems, vol. 27, no. 4, pp. 1007–1016, 2016. [6] Z. Xu, W. Liang, H. Meitian, J. Mike, and S. Guo, “Approximation and online algorithms for nfv-enabled multicasting in sdns,” in IEEE International Conference on Distributed Computing Systems (ICDCS), June 2017. [7] M. Huang, W. Liang, Z. Xu, M. Jia, and S. Guo, “Throughput maximization in software-defined networks with consolidated middleboxes,” in IEEE 41st Conference on Local Computer Networks (LCN), 2016, pp. 298–306. [8] M. Huang, W. Liang, Z. Xu, W. Xu, S. Guo, and Y. Xu, “Dynamic routing for network throughput maximization in software-defined networks,” in 35th Annual IEEE International Conference on Computer Communications (INFOCOM), 2016. [9] M. Yoshida, W. Shen, T. Kawabata, K. Minato, and W. Imajuku, “Morsa: A multi-objective resource scheduling algorithm for nfv infrastructure,” in 16th Asia-Pacific Network Operations and Management Symposium (APNOMS), 2014, pp. 1–6. [10] M. Bari, S. R. Chowdhury, R. Ahmed, R. Boutaba et al., “On orchestrating virtual network functions in nfv,” arXiv preprint arXiv:1503.06377, 2015. [11] F. Carpio, S. Dhahri, and A. Jukan, “Vnf placement with replication for load balancing in nfv networks,” arXiv preprint arXiv:1610.08266, 2016.

[12] S. Gu, Z. Li, C. Wu, and C. Huang, “An efficient auction mechanism for service chains in the nfv market,” in Proc. IEEE International Conference on Computer Communications (INFOCOM), 2016. [13] Z. Xu, W. Liang, A. Galis, and Y. Ma, “Throughput maximization and resource optimization in nfv-enabled networks,” in IEEE International Conference on Communications (ICC), May 2017. [14] “Enterprise network and data security spending shows remarkable resilience, says abi research,” https://www.abiresearch.com. [15] T.-I. Research, “Global security appliance market 2016-2020,” https://www.bharatbook.com, Apr. 2016. [16] “Network security appliances & software market tracker - regional - q3 2016,” https://technology.ihs.com, Sep. 2016. [17] J. Wilson, “Research note - network security a $10.8 billion market in 2020,” https://technology.ihs.com, Oct. 2016. [18] I. Barker, “Network function virtualisation (nfv): What businesses need to know,” http://www.itproportal.com, Nov. 2016. [19] S. K. Fayazbakhsh, V. Sekar, M. Yu, and J. C. Mogul, “Flowtags: enforcing network-wide policies in the presence of dynamic middlebox actions,” in Proceedings of the second ACM SIGCOMM workshop on HotSDN. ACM, 2013, pp. 19–24. [20] H. Huang, P. Li, S. Guo, and B. Ye, “The joint optimization of rules allocation and traffic engineering in software defined network,” in IEEE 22nd International Symposium of Quality of Service (IWQoS), 2014, pp. 141–146. [21] Z. Cao, M. Kodialam, and T. Lakshman, “Traffic steering in software defined networks: planning and online routing,” in Proceedings of the 2014 ACM SIGCOMM workshop on Distributed cloud computing. ACM, 2014, pp. 65–70. [22] H. Huang, P. Li, S. Guo, and W. Zhuang, “Software-defined wireless mesh networks: architecture and traffic orchestration,” IEEE Network, vol. 29, no. 4, pp. 24–30, 2015. [23] M. Dong, H. Li, K. Ota, and J. Xiao, “Rule caching in sdn-enabled mobile access networks,” IEEE Network, vol. 29, no. 4, pp. 40–45, 2015. [24] H. Huang, S. Guo, P. Li, B. Ye, and I. Stojmenovic, “Joint optimization of rule placement and traffic engineering for qos provisioning in software defined network,” IEEE Transactions on Computers, vol. 64, no. 12, pp. 3488–3499, 2015. [25] H. Li, M. Dong, and K. Ota, “Radio access network virtualization for the social internet of things,” IEEE Cloud Computing, vol. 2, no. 6, pp. 42–50, 2015. [26] H. Huang, S. Guo, J. Wu, and J. Li, “Green datapath for tcambased software-defined networks,” IEEE Communications Magazine, vol. 54, no. 11, pp. 194–201, 2016. [27] H. Huang, P. Li, and S. Guo, “Traffic scheduling for deep packet inspection in software-defined networks,” Concurrency and Computation: Practice and Experience, 2016. [28] K. Wang, Y. Wang, D. Zeng, and S. Guo, “An sdn-based architecture for next-generation wireless networks,” IEEE Wireless Communications, vol. 24, no. 1, pp. 25–31, 2017. [29] M. Baldi, R. Bonafiglia, F. Risso, and A. Sapio, “Modeling native software components as virtual network functions,” in Proc. of the ACM SIGCOMM 2016 Conference. ACM, 2016, pp. 605–606. [30] M. Chen, S. C. Liew, Z. Shao, and C. Kai, “Markov approximation for combinatorial network optimization,” IEEE Transactions on Information Theory, vol. 59, no. 10, pp. 6301–6327, 2013. [31] H. Huang, S. Guo, J. Wu, and J. Li, “Joint middlebox selection and routing for software-defined networking,” in IEEE International Conference on Communications (ICC), 2016. [32] M. Bouet, J. Leguay, and V. Conan, “Cost-based placement of virtualized deep packet inspection functions in sdn,” in Proc. Military Communications Conference (MILCOM), 2013, pp. 992–997. [33] Y. Zhang, N. Beheshti, L. Beliveau, G. Lefebvre, R. Manghirmalani, R. Mishra, R. Patneyt, M. Shirazipour, R. Subrahmaniam, C. Truchan et al., “Steering: A software-defined networking for inline service chaining,” in Proc. IEEE International Conference on Network Protocols (ICNP), 2013, pp. 1–10. [34] J. Liu, Y. Li, Y. Zhang, L. Su, and D. Jin, “Improve service chaining performance with optimized middlebox placement,” IEEE Transactions on Services Computing, vol. PP, no. 99, 2015. [35] M. Xia, M. Shirazipour, Y. Zhang, H. Green, and A. Takacs, “Network function placement for nfv chaining in packet/optical datacenters,” Journal of Lightwave Technology, vol. 33, no. 8, pp. 1565–1570, 2015. [36] R. Cohen, L. Lewin-Eytan, J. S. Naor, and D. Raz, “Near optimal placement of virtual network functions,” in Proc. IEEE Conference on Computer Communications (INFOCOM), 2015, pp. 1346–1354.

13

[37] T. Kuo, B. Liou, K. C. Lin, and T. MingJer, “Deploying chains of virtual network functions on the relation between link and server usage,” in Proc. IEEE International Conference on Computer Communications (INFOCOM), 2016. [38] Y. Li, L. Phan, and B. T. Loo, “Network functions virtualization with soft real-time guarantees,” in Proc. IEEE Conference on Computer Communications (INFOCOM), 2016. [39] P. Quinn and T. Nadeau, “Problem statement for service function chaining,” IETF, Tech. Rep., 2015. [40] R. Cohen, L. Lewin-Eytan, J. S. Naor, and D. Raz, “On the effect of forwarding table size on sdn network utilization,” in Proceedings of IEEE International Conference on Computer Communications (INFOCOM), 2014, pp. 1734–1742. [41] K. A. Ravindra, T. L. Magnanti, and J. B. Orlin, “Network flows: Theory, algorithms, and applications,” 1993. [42] Z. Wang and J. Crowcroft, “Qos routing for supporting resource reservation,” IEEE JSAC, September, 1996. [43] X. Yuan, “Heuristic algorithms for multi-constrained quality-ofservice routing,” IEEE/ACM Transactions on Networking, vol. 10, no. 2, pp. 244–256, 2002. [44] F. P. Kelly, Reversibility and stochastic networks. Cambridge University Press, 2011. [45] “Network topologies,” http://www.av.it.pt/anp/on/refnet2.html. [46] G. Optimization, http://www.gurobi.com/. [47] K. Wang, Y. Shao, L. Shu, G. Han, and C. Zhu, “Ldpa: a local data processing architecture in ambient assisted living communications,” IEEE Communications Magazine, vol. 53, no. 1, pp. 56–63, 2015. [48] K. Wang, Y. Shao, L. Shu, C. Zhu, and Y. Zhang, “Mobile big data fault-tolerant processing for ehealth networks,” IEEE Network, vol. 30, no. 1, pp. 36–42, 2016. [49] J. Wu, S. Guo, J. Li, and D. Zeng, “Big data meet green challenges: Greening big data,” IEEE Systems Journal, vol. 10, no. 3, pp. 873– 887, 2016.