
PPJ-08

Eueung Mulyana
November 17, 2015


PPJ-08 OpenFlow and Switches
http://eueung.github.io/EL5244/
Software Defined Networking

Transcript

  1. This material is mainly a derivative and remix work. Most of the texts and illustrations are taken from the talks/lectures given by the referenced networking professors/gurus/ninjas (Credits at the end of the slides).
  2. OpenFlow
     • Speed, Scale, Fidelity of Vendor Hardware
     • Flexibility and Control of Software and Simulation
     • Vendors don’t need to expose implementation
     • Leverages hardware inside most switches today (ACL tables)
  3. OF Basics
     [figure: OpenFlow architecture: Control Program A and Control Program B on top of a Network OS; the OpenFlow Protocol runs between the Network OS and the switch, whose Control Path is OpenFlow and whose Data Path is hardware]
  4. [figure: a Controller PC connected to a switch with a Software Layer (OpenFlow Client) and a Hardware Layer (Flow Table). Flow table columns: MAC src, MAC dst, IP Src, IP Dst, TCP sport, TCP dport, Action; example entry: all fields wildcarded (*) except the address 5.6.7.8, Action: port 1. Switch ports 1-4 are shown, with hosts 1.2.3.4 and 5.6.7.8 attached]
  5. Flow Table Entries
     Rule: Switch Port | MAC src | MAC dst | Eth type | VLAN ID | VLAN pcp | IP Src | IP Dst | IP Prot | IP ToS | L4 sport | L4 dport (+ mask what fields to match)
     Action:
       1. Forward packet to zero or more ports
       2. Encapsulate and forward to controller
       3. Send to normal processing pipeline
       4. Modify Fields
       5. Any extensions you add!
     Stats: Packet + byte counters
  6. OF Basics
     Prioritized list of rules
     • Pattern: match packet header bits
     • Actions: drop, forward, modify, send to controller
     • Priority: disambiguate overlapping patterns
     • Counters: #bytes and #packets
     Example:
       1. src=1.2.*.*, dest=3.4.5.*  -> drop
       2. src=*.*.*.*, dest=3.4.*.*  -> forward(2)
       3. src=10.1.2.3, dest=*.*.*.* -> send to controller
  7. Primitives <Match, Action>
     Match arbitrary bits in headers:
     • Match on any header, or new header
     • Allows any flow granularity
     Action:
     • Forward to port(s), drop, send to controller
     • Overwrite header with mask, push or pop
     • Forward at specific bit-rate
     [figure: a packet (Header | Data) against the bit-level match pattern 1000x01xx0101001x, x = don’t care]
  8. OF Basics
     [figure: Control Program A and Control Program B on a Network OS controlling several Packet Forwarding elements, each with Flow Table(s); example rules: “If header = p, send to port 4”, “If header = ?, send to me”, “If header = q, overwrite header with r, add header s, and send to ports 5,6”]
  9. Flow Identification Examples
     Columns: Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action
     Switching:      * | * | 00:1f:.. | * | * | * | * | * | * | * | port6
     Flow Switching: port3 | 00:20.. | 00:1f.. | 0800 | vlan1 | 1.2.3.4 | 5.6.7.8 | 4 | 17264 | 80 | port6
     Firewall:       * | * | * | * | * | * | * | * | * | 22 | drop
  10. Flow Identification Examples
     Columns: Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action
     Routing:        * | * | * | * | * | * | 5.6.7.8 | * | * | * | port6
     VLAN Switching: * | * | 00:1f.. | * | vlan1 | * | * | * | * | * | port6, port7, port9
  11. Centralized vs. Distributed Control
     [figure: Centralized Control: one Controller managing several OpenFlow Switches; Distributed Control: each OpenFlow Switch with its own Controller]
  12. Flow-Based vs. Aggregated Routing
     Flow-Based
     • Every flow is individually set up by controller
     • Exact-match flow entries
     • Flow table contains one entry per flow
     • Good for fine grain control, e.g. campus networks
     Aggregated
     • One flow entry covers large groups of flows
     • Wildcard flow entries
     • Flow table contains one entry per category of flows
     • Good for large number of flows, e.g. backbone
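As an added example (not from the slides), here is the prioritized, masked flow table of slides 6 and 7 in Python, together with the wildcard-vs-exact-match distinction of slide 12: every field is a (value, mask) pair, the highest-priority hit wins when patterns overlap, and each hit bumps the entry’s packet and byte counters. The priority numbers and the helper names `ternary`, `ip_wildcard`, `FlowTable` and `slide6_table` are my assumptions, not anything on the slides.

```python
from dataclasses import dataclass

def ternary(pattern: str) -> tuple[int, int]:
    """Slide-7 style bit pattern ('1000x01x', x = don't care) -> (value, mask)."""
    value = int(pattern.replace("x", "0"), 2)
    mask = int("".join("0" if c == "x" else "1" for c in pattern), 2)
    return value, mask

def ip_wildcard(dotted: str) -> tuple[int, int]:
    """'1.2.*.*' -> (value, mask) over a 32-bit address; '*' octets are don't-care."""
    value = mask = 0
    for octet in dotted.split("."):
        value = (value << 8) | (0 if octet == "*" else int(octet))
        mask = (mask << 8) | (0 if octet == "*" else 0xFF)
    return value, mask  # a concrete address comes back with a full mask

@dataclass
class FlowEntry:
    priority: int
    src: tuple[int, int]   # (value, mask) for IP src
    dst: tuple[int, int]   # (value, mask) for IP dst
    action: str
    packets: int = 0       # per-entry counters (the "Stats" column of slide 5)
    bytes: int = 0
    def matches(self, src: int, dst: int) -> bool:
        # ternary match: only the bits set in the mask have to agree
        return (src & self.src[1]) == self.src[0] and (dst & self.dst[1]) == self.dst[0]

class FlowTable:
    def __init__(self) -> None:
        self.entries: list[FlowEntry] = []
    def add(self, priority: int, src: str, dst: str, action: str) -> None:
        self.entries.append(FlowEntry(priority, ip_wildcard(src), ip_wildcard(dst), action))
        self.entries.sort(key=lambda e: -e.priority)  # highest priority first
    def lookup(self, src: str, dst: str, length: int = 64):
        s, d = ip_wildcard(src)[0], ip_wildcard(dst)[0]
        for entry in self.entries:          # first hit wins, so overlapping patterns are
            if entry.matches(s, d):         # disambiguated by priority, not insertion order
                entry.packets += 1
                entry.bytes += length
                return entry.action
        return None                         # table miss

def slide6_table() -> FlowTable:
    # the three rules of slide 6; the priority values are my assumption (the slide only orders them)
    table = FlowTable()
    table.add(30, "1.2.*.*", "3.4.5.*", "drop")        # wildcard (aggregated) entry
    table.add(20, "*.*.*.*", "3.4.*.*", "forward(2)")  # overlaps rule 1: priority decides
    table.add(10, "10.1.2.3", "*.*.*.*", "controller") # exact source address (full mask)
    return table
```

A packet from 1.2.9.9 to 3.4.5.1 matches both rule 1 and rule 2; only the priority keeps the drop rule from being shadowed by the broader forwarding rule.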
  13. Reactive vs. Proactive
     Reactive
     • First packet of flow triggers controller to insert flow entries
     • Efficient use of flow table
     • Every flow incurs small additional flow setup time
     • If control connection lost, switch has limited utility
     Proactive (Pre-Populated)
     • Controller pre-populates flow table in switch
     • Zero additional flow setup time
     • Loss of control connection does not disrupt traffic
     • Essentially requires aggregated (wildcard) rules
  14. OF v1.0 – Limitations
     Non-Flow-Based (Per-Packet) Networking
     • ex. Per-packet next-hop selection (in wireless mesh)
     • Yes, this is a fundamental limitation
     • BUT OF can provide the plumbing to connect these systems
     Use all tables on switch chips
     • Yes, a major limitation (cross-product issue)
     • BUT OpenFlow 1.3 version will expose these
  15. OF v1.0 – Limitations
     New Forwarding Primitives
     • BUT provides a nice way to integrate them through extensions
     New Packet Formats/Field Definitions
     • BUT a generalized OpenFlow (2.0) is on the horizon
     Optical Circuits
     • BUT efforts underway to apply OpenFlow model to circuits
     Low-Setup-Time of Individual Flows
     • BUT can push down flows proactively to avoid delays
  16. Beyond OF v1.0
     OF v1.3
     • Multiple tables: leverage additional tables
     • Tags and tunnels
     • Multipath forwarding
     • Per flow meters
     OF v2+
     • Generalized matching and actions: protocol independent forwarding
  17. OF Building Blocks
     [figure, grouped by layer]
     Controller: POX, Floodlight, OpenDayLight, Ryu, Frenetic, ONOS
     Slicing Software: FlowVisor, FlowVisor Console
     Applications: Traffic Engineering, Firewall, Mobility, Load Balancing
     Monitoring/debugging tools: oflops, ndb
     OpenFlow Switches: software switches and experimental platforms (NetFPGA, Broadcom Ref. Switch, OpenWRT, OpenVSwitch); commercial switches (HP, NEC, Pronto, Juniper.. and many more)
  18. Current SDN Hardware
     Ciena Coredirector, NEC IP8800, Juniper MX-series, HP Procurve 5400, Pronto 3240/3290, WiMax (NEC), PC Engines, Netgear 7324, more to come ...
  19. Commercial Switch Vendors (ex.)
     Model: HP Procurve 5400zl or 6600 | Virtualize: 1 OF instance per VLAN
       - LACP, VLAN and STP processing before OpenFlow
       - Wildcard rules or non-IP pkts processed in s/w
       - Header rewriting in s/w
       - CPU protects mgmt during loop
     Model: NEC IP8800 | Virtualize: 1 OF instance per VLAN
       - OpenFlow takes precedence
       - Most actions processed in hardware
       - MAC header rewriting in h/w
     Model: Pronto 3240 or 3290 with Pica8 or Indigo firmware | Virtualize: 1 OF instance per switch
       - No legacy protocols (like VLAN and STP)
       - Most actions processed in hardware
       - MAC header rewriting in h/w
  20.–25. Today: Fixed Function Switches
     [figure, built up over six slides: a fixed pipeline Parser -> L2 Stage -> L3 Stage -> ACL Stage -> ... -> Combine -> Queues, from Data In to Data Out; each stage is a Match + Action pair operating on the packet Header while the Data passes alongside:
       Stage 1: L2 Table, 128k x 48, Exact match; Action: set L2D
       Stage 2: L3 Table, 16k x 32, Longest prefix match; Action: set L2D, dec TTL
       Stage 3: ACL Table, 4k, Ternary match; Action: permit/deny
       ... up to Stage 16, Etc.]
  26.–27. Packet Forwarding Speeds
     [plot: y-axis Gbps (per chip), log scale from 0.1 to 100000; x-axis 1990 to 2020; series: Switch Chip (reaching 3.2Tbps) and CPU, with the gap between them marked 50x]
  28. Why the Difference
     Packet processing is inherently parallel
     • Packets from different interfaces can be processed at same time
     • Deep pipelines
     Switching chips are dominated by I/O
     • 3.2Tbps = 128 x 25Gbps serial I/O
  29. Switch Chips
     • About 50% of area on serial I/O
     • 25% on memory
     • everything else is wire and logic
     [figure: die areas labelled Memory (match tables and packet buffers), Lots of Serial I/O (10Gbps or 25Gbps), Wires (pipeline busses), Logic (everything else)]
  30. Problems: Fixed Function Switching Chips
     Slow Innovation
     • Several years to add a new feature or protocol
     Inefficient
     • Match tables hard-wired to specific purpose
     Complicated
     • Switch implements superset of all features
     Leads to Bottom-Up Design
     • Frustrating for programmers
  31. Software Defined Everything
     [figure: Computers: App -> Compiler -> CPU; Graphics: App -> Compiler -> GPU; Cellular Base Stations: App -> Compiler -> DSP; Networks: App -> Compiler -> ?]
  32.–33. Top-Down Design
     [figure: “This is how the switch must process packets” (Program) -> Programmable switch, with a Switch OS and a Run-time API; slide 33 adds: The P4 Programming Language (www.p4.org)]
  34. The RMT Architecture
     [figure: Parser -> Ingress Match+Action -> Queues -> Egress Match+Action]
     Protocol independence: initially, switch chip is unprogrammed. It does not know any protocols. It does not know how to forward packets.
  35.–37. [figure, built up over three slides, on the RMT pipeline (Parser -> Ingress Match+Action -> Queues -> Egress Match+Action): 1 Protocol Authoring: dc.p4 (P4 code) describing Eth, VLAN, IPv4, IPv6, TCP and a New protocol; 2 Compile with the Compiler; 3 Configure the parser and the match+action stages; 4 Run!: the Switch OS adds/deletes table rules through the Run-time API]
  38. Switch Chips: Observations
     • Chip design dominated by: (1) I/O, (2) Memory, (3) Wire.
     • There is no power, performance or area penalty for programmability
     • The fastest switching chips will be programmable
     • In private networks, “standard protocols” will be replaced by “programs”
  39. Floodlight Architecture
     • Floodlight is a collection of modules
     • Some modules (not all) export services
     • All modules in Java
     • Rich, extensible REST API
     Modules: DeviceManager (IDeviceService), FloodlightProvider (IFloodlightProviderService), TopologyManager (ITopologyManagerService), RestServer (IRestApiService), StorageSource (IStorageSourceService), Forwarding, StaticFlowPusher (IStaticFlowPusherService), LinkDiscovery (ILinkDiscoveryService), VirtualNetworkFilter (IVirtualNetworkFilterService)
  40. Floodlight Architecture
     • StorageSource (IStorageSourceService): DB style storage (queries, etc). Modules can access all data and subscribe to changes
     • TopologyManager (ITopologyManagerService): Computes shortest path using Dijkstra. Keeps switch to cluster mappings
     • Forwarding: Installs flow mods for end-to-end routing. Handles island routing
     • DeviceManager (IDeviceService): Tracks hosts on the network. MAC -> switch,port, MAC->IP, IP->MAC
     • RestServer (IRestApiService): Implements via Restlets (restlet.org). Modules export RestletRoutable
     • StaticFlowPusher (IStaticFlowPusherService): Supports the insertion and removal of static flows. REST-based API
     • LinkDiscovery (ILinkDiscoveryService): Maintains state of links in network. Sends out LLDPs
     • VirtualNetworkFilter (IVirtualNetworkFilterService): Create layer 2 domain defined by MAC address. Used for OpenStack / Quantum
     • FloodlightProvider (IFloodlightProviderService): Translates OF messages to Floodlight events. Managing connections to switches via Netty
  41. Programming Model – NBI
     IFloodlightModule
     • Java module that runs as part of Floodlight
     • Consumes services and events exported by other modules
       – OpenFlow (i.e. Packet-in)
       – Switch add / remove
       – Device add / remove / move
       – Link discovery
     [figure: Floodlight Controller hosting an IFloodlightModule, an External Application talking to it over REST, and the controller managing several Switches and a vSwitch]
  42. Programming Model – NBI
     External Application
     • Communicates with Floodlight via REST
       – Quantum/Neutron / Virtual networks
       – Normalized network state
       – Static flows
     [figure: Floodlight Controller hosting an IFloodlightModule, an External Application talking to it over REST, and the controller managing several Switches and a vSwitch]
  43. REST API Reference
     Network State: List Hosts, List Links, List Switches, GetStats (DPID), GetCounters (OFType…)
     Static Flows: Add Flow, Delete Flow, List Flows, RemoveAll Flows
     Virtual Network: Create Network, Delete Network, Add Host, Remove Host
     User Extensions: …
     [figure: Floodlight Controller above several Switches and a vSwitch]
  44. Programming Floodlight – API
     • Fine-grained ability to push flows over REST
     • Access to normalized topology and device state
     • Extensible access to add new APIs
  45. Programming Floodlight – New Modules
     • Handle OpenFlow messages directly (i.e. PacketIn)
     • Expose services to other modules
     • Add new REST APIs
  46. OF Conf. & Management Protocol
     Bootstrap OpenFlow network
     • Switch connects to controller
     • Controller(s) to connect to must be configured at switches
     Allocate resources within switches
     • Ports
     • Queues
     • . . .
     [figure: two controllers and four switches]
  47. OF-CONFIG – Reference Model
     [figure: an OpenFlow Capable Switch with resources (ports, queues) hosting two OF Logical Switches; Configuration Points configure it via OF-CONFIG, using IETF Netconf & XML data models; each OF Logical Switch talks OpenFlow to its OpenFlow Controller]
  48. OF-CONFIG – Reference Model
     Configuration Point
     • Source of switch configuration
     OpenFlow Capable Switch
     • Hosts one or more logical switches
     OpenFlow Logical Switch
     • Instance of an OpenFlow Switch
     OpenFlow Controller
  49. OF-CONFIG – Scope & Releases
     WG established in Sep 2011
     OF-CONFIG 1.0 (Jan 2012) based on OpenFlow 1.2
     • Assigning controllers to logical switches
     • Retrieving assignment of resources to logical switches
     • Configuring some properties of ports and queues
     OF-CONFIG 1.1 (Apr 2012) based on OpenFlow 1.3
     • Added controller certificates and resource type "table"
     • Retrieving logical switch capabilities signaled to controller
     • Configuring of tunnel endpoints
  50. OF-CONFIG – Scope & Releases
     OF-CONFIG 1.1.1 (Aug 2012) based on OpenFlow 1.3.1
     • Consolidation of version 1.1, fixing small inconsistencies
     OF-CONFIG 1.2 (early 2013) based on OpenFlow 1.3.1
     • Features still under discussion, candidates include:
       • Retrieving capable switch capabilities, configuring logical switch capab.
       • Assigning resources to logical switches
       • Simple topology detection
       • Event notification
  52. Netconf & Yang
     Netconf was chosen as management protocol
     • Not necessarily accepted as ideal solution
     • Still discussing alternatives
     XML schema was chosen as modeling language
     • Yang is also used, but XML is normative
     • Normative XML schema generated from Yang code
     So far, the focus has been on configuration
     • Bootstrap of an OpenFlow network is the obvious first thing to do
  53. Credit
     • Scott Shenker, The Future of Networking and the Past of Protocols
     • Nick McKeown, Stanford University, Many Talks/Articles
     • Jennifer Rexford, COS 597E, Princeton University
     • Mike Freedman, COS 461, Princeton University
     • Nick Feamster, https://www.coursera.org/course/sdn
     • Li Erran Li, COMS 6998-10, Univ. of Columbia
     • Marco Cello, SDN Talk @ CNR, Univ. Genova
     • Guido Appenzeller, Network Virtualization in Multi-tenant Datacenters, VMware