Upgrade to Pro — share decks privately, control downloads, hide ads and more …

LINE Data Center Networking with SRv6

53850955f15249a1a9dc49df6113e400?s=47 LINE Developers
PRO
September 20, 2019
Programming
7
2.4k

LINE Data Center Networking with SRv6

53850955f15249a1a9dc49df6113e400?s=128

LINE Developers
PRO

September 20, 2019
Tweet

More Decks by LINE Developers

See All by LINE Developers
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
1
430
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
0
2.3k
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
0
210
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
0
38
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
0
280
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
0
160
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
0
12
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
0
42
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
0
28

Other Decks in Programming

See All in Programming
527c1db50811ca320e8de57c79a3e15c?s=48 shugostr
0
400
7a0892afffbcbd35fd84d46508b3a914?s=48 dropout009
2
750
0f50b010cc99988fba8a73008b21f353?s=48 e10dokup
0
230
72a2082c6a4dd79ad68befb3db911616?s=48 mraible
PRO
2
950
4ce0d60e368cef89450f1d9dfdcb493f?s=48 n8ebel
1
200
52c76fb01bb5d1908f91b0231a44a7b5?s=48 boriswilhelms
0
130
D63b0683b8fdd02c71c802691f97c04c?s=48 jogannaoki
0
1.3k
5d138ccf47c8d79aa8f0d29900f9e07b?s=48 rollbear
0
140
98df8bb11748bb59fef1aa1e474e8e02?s=48 komofr
0
120
B3b2139e4f2c0eca4efe2379fcebc1c5?s=48 afilina
PRO
1
490
F21d69109b1c03921abf7d12f0fb6654?s=48 dscs
0
110
4c0c2a5a353b06c9d0238373872822bb?s=48 jason13f
1
3.8k

Featured

See All Featured
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
224
15k
9fa239b3154a0169d99ab7bf1422dd12?s=48 marcelosomers
224
15k
9375a9529679f1b42b567a640d775e7d?s=48 schacon
152
6.9k
56c4053438af8e8b90d6f53cbb7573be?s=48 jakevdp
778
200k
7c8469ee8c9e594c65c59b919626c08d?s=48 scottboms
253
11k
3d6ace9554821d552146413bcdf874f6?s=48 trishagee
37
4.9k
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
277
17k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
298
39k
651dcfe41723207fbb0aa044a4f7c07f?s=48 dotmariusz
99
5.7k
E190023b66e2b8aa73a842b106920c93?s=48 zenorocha
302
40k
6804f1775cb4babfcc3851298566fbce?s=48 tanoku
260
24k
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
148
20k

Transcript

  1. LINE Data Center Networking with SRv6 Hirofumi Ichihara co-author: Toshiki

    Tsuchiya LINE corporation

  2. About Me • Hirofumi Ichihara • LINE Corporation ◦ Network

    Development Team • Network Software Developer ◦ SDN/NFV ◦ OpenStack Neutron ◦ Docker ◦ Kubernetes

  3. LINE Services and Networks Full L3 CLOS Network* • Single

    tenant network • LINE message service and related services running Exclusive Network for Services • Service with specific requirements running • Building specific network for each service * Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet fully redundant https://www.slideshare.net/linecorp/excitingly-simple-m ultipath-openstack- network ing- lagless- l2less-yet-fully- redundant ・ ・ ・ Other: Fintech Business Many fragment underlay networks Many works to design and build Management cost increases

  4. Multi tenant network • Sharing underlay network decrease management cost

    • Achieve policy for each service(tenant) on overly network Simple L3 underlay network Flexibly scale overlay network Security individual tenant Service Chaining

  5. VXLAN Pros • More information • Many network devices support

    Cons • Lose advances of full-L3 • Need additional protocol to achieve service IPv6 Segment Routing (SRv6) Pros • IPv6 forwarding only on underlay • Support segregation and service chaining with Segment ID Cons • No information about DC use case • No network device support + SRv6 future Adopted SRv6 Multi tenancy

  6. SRv6 Segment ID (SID) • 128bit number(IPv6 address) • Locator:

    Information for routing to SRv6 node(parent node). It must be unique whitin a SR domain • Function: Information to identify the action to be performed on the parent node Segment Routing Header (SRH) • IPv6 extension header • Including a Segment List, Segment Left points out current point of Segment List and so on Locator Function Function examples • T.Encaps(Encap): Encapsulation packet with IPv6 header and SRH • End.DX4(Decap): Remove IPv6 header and SRH from packet and then forward next hop • End.DT4(Decap): Remove IPv6 header and SRH from packet and then lookup routing table and forward (DT4 is not implemented in Linux Kernel so we used DX4 although DT4 is better) 128bit

  7. SRv6 Data Center Network Data Plane

  8. DataCenter SRv6 Domain CLOS Network Network Node- A (SRv6 Node)

    Network Node- A (SRv6 Node) Router Switch Switch Switch Switch Switch Switch Hypervisor (SRv6 Node) Hypervisor (SRv6 Node) Hypervisor (SRv6 Node) VM Tenant A VM Tenant B VM Tenant A VM Tenant B VM Tenant A VM Tenant B NFV (FW, IDS, ...) Transit Node IPv6 forwarding only without process for SRH Hypervisor (HV) • From VM → Encap • To VM → Decap Network Node (NN) • Legacy network/Internet/Tenants Data Plane - Architecture Network Node- B (SRv6 Node) SRv6 unaware device

  9. DC SRv6 Domain Router Hypervisor1 C2::/96 NFV VRF Tenant A

    SID: C2::A VM A1 C1::/96 Network Node2 C1::/96 Network Node1 VRF Tenant A SID: C1::A Data Plane - SID, Routing • Create VRF (l3master device) for each tenant on NetworkNode, Hypervisor • Assign IPv6 address /96 block (Locator) to nodes(NetworkNode, Hypervisor) • Add identifier for each tenant to the Locator as Function (LINE uses specific address from 169.254.0.0/16 each tenant) • Advertise /96 IPv6 address(Locator) via BGP VRF Tenant B SID: C2::B VM B1 Hypervisor2 C3::/96 VRF Tenant A SID: C3::A VM A2 VRF Tenant B SID: C3::B VM B2 VRF Tenant B SID: C1::B VRF Tenant A SID: C1::A VRF Tenant B SID: C1::B Route Advertise(BGP)

  10. Data Plane - Packet flow in a tenant DC SRv6

    Domain Router Hypervisor1 C2::/96 NFV VRF Tenant A SID: C2::A VM A1 C1::/96 Network Node2 C1::/96 Network Node1 VRF Tenant A SID: C1::A VRF Tenant B SID: C2::B VM B1 Hypervisor2 C3::/96 VRF Tenant A SID: C3::A VM A2 VRF Tenant B SID: C3::B VM B2 VRF Tenant B SID: C1::B VRF Tenant A SID: C1::A VRF Tenant B SID: C1::B T.Encaps dst = C3::A End.DX4 arrive VM A2 VM A1 (HV1 TenantA) → VM A2 (HV2 TenantA)

  11. DC SRv6 Domain Router Hypervisor1 C2::/96 NFV VRF Tenant A

    SID: C2::A VM A1 C1::/96 Network Node2 C1::/96 Network Node1 VRF Tenant A SID: C1::A VRF Tenant B SID: C2::B VM B1 Hypervisor2 C3::/96 VRF Tenant A SID: C3::A VM A2 VRF Tenant B SID: C3::B VM B2 VRF Tenant B SID: C1::B VRF Tenant A SID: C1::A VRF Tenant B SID: C1::B Data Plane - Packet flow between tenants VM A1 (HV1 TenantA) → VM B2 (HV2 Tenant B) T.Encaps dst = C1::A End.DX4 forward to NFV T.Encaps dst = C3::B End.DX4 arrive VM B2

  12. Data Plane - Real config on Network Node [NetworkNode]# ip

    route show table 12 10.122.12.113 encap seg6 mode encap segs 1 [ 2400:dcc0::a7a:4d8d:a9fe:108 ] dev vrf5c0594737b87 scope link 10.122.12.114 encap seg6 mode encap segs 1 [ 2400:dcc0::a7a:4d8e:a9fe:108 ] dev vrf5c0594737b87 scope link 10.122.12.115 encap seg6 mode encap segs 1 [ 2400:dcc0::a7a:4d8f:a9fe:108 ] dev vrf5c0594737b87 scope link Locator(HV Address) Function (IPv4 address to identify each tenant) Encap [NetworkNode]# ip -6 route show table local local 2400:dcc0::a7a:4d87:a9fe:102 encap seg6local action End.DX4 nh4 169.254.1.2 dev vrf01b1db9dd10f metric 1024 pref medium local 2400:dcc0::a7a:4d87:a9fe:104 encap seg6local action End.DX4 nh4 169.254.1.4 dev vrf01b1db7f5d2b metric 1024 pref medium local 2400:dcc0::a7a:4d87:a9fe:108 encap seg6local action End.DX4 nh4 169.254.1.8 dev vrf5c0594737b87 metric 1024 pref medium ... Decap Locator(HV Address) Function (Tenant identifier) IPv4 address to identify each tenant. They are assigned to VRF IF (That is magic to lookup VRF with End.DX4) Destination IPv4 address of VM Segment List They are same

  13. Data Plane - Real behavior Hypervisor1 C2::/96 VRF Tenant A

    SID: C2::A VM A1 Hypervisor2 C3::/96 VRF Tenant A SID: C3::A VM A2 IP: 10.122.12.36 IP: 10.122.12.35 CLOS NW [VM-A1]$ ping 10.122.12.35 -c 10 PING 10.122.12.35 (10.122.12.35) 56(84) bytes of data. 64 bytes from 10.122.12.35: icmp_seq=1 ttl=63 time=0.356 ms 64 bytes from 10.122.12.35: icmp_seq=2 ttl=63 time=0.461 ms ... 64 bytes from 10.122.12.35: icmp_seq=10 ttl=63 time=0.415 ms --- 10.122.12.35 ping statistics --- 10 packets transmitted, 10 received, 0% packet loss, time 9000ms HV1: Encap HV2: Decap Insert IPv6, SR header Remove IPv6, SR header

  14. SRv6 Data Center Network Control Plane

  15. SRv6 Control Plane Choices • ISIS • OSPF • BGP

    • SDN Controller LINE uses OpenStack as Private Cloud Controller so adopted SDN Controller

  16. OpenStack • Cloud Operating system • Support Multi Hypervisor •

    Support various SDN controllers and Storage appliances
  17. None

  18. Neutron SRv6 Plugin - networking-sr • ML2 mechanism/type driver and

    agent • Gateway agent on network nodes • Service plugin for new API to add SRv6 encap rule Controller (Neutron) type driver srv6 mechanism driver mech_sr Service Plugin srv6_encap_network Compute ml2 agent sr-agent Network node srgw-agent

  19. ML2 mechanism/type driver and agent SRv6 Data Center Network Control

    Plane

  20. Nova, Neutron Behavior - VM create Controller Neutron Compute nova-compute

    Nova neutron-agent 1. Create Network 2. Create VM 3. VM Info VM 4. Run VM tap 5. Create tap

  21. Nova, Neutron Behavior - Network configuration Controller Neutron Compute nova-compute

    Nova 6. Detect tap VM tap 7. Get/Update port Info neutron-agent 8. Config tap VRF 9. Create VRF 10. Set SRv6 encap/decap rules

  22. Packets for VM encap/decap on VRF Controller Neutron Compute nova-compute

    Nova VM tap neutron-agent SRv6 Packet IPv4 Packet VRF IPv4 Packet SRv6 Packet IPv4 Packet IPv4 Packet

  23. How does sr-agent get VRF info? Controller Neutron Compute nova-compute

    Nova neutron-agent Virtual Machine Configuration 1. Create network 2. Create VM 3. Notify VM info 4. Run VM 5. Create tap Network Configuration 6. Detect tap 7. Update/Get port info 8. Config tap 9. Create VRF 10. Set SRv6 encap/decap rules 7. Get/Update port Info

  24. VRF info in Port binding:profile { "port":{ "binding:profile": { "segment_node_id":

    "2400:dcc0::a7a:4d8e", # Locator(Hypervisor address) where VM with the port running "vrf": "vrf644606a29039", # VRF IF name for the port. The name is combined by "vrf" + tenant_id + network_id "vrf_cidr": "169.254.1.0/24", # IP CIDR of VRF for the port "vrf_ip": "169.254.1.44" # IP Address of VRF for the port } } }

  25. Set encap rule from Port info of each VM Compute3

    nova-compute VM5 tap neutron-agent VRF1 Set SRv6 encap/decap rule Compute2 neutron-agent VRF1 VM4 VM3 Compute1 neutron-agent VRF1 VM2 VM1 Set encap rule for packets to VM5 on VRF1 of Compute3 Set encap rule for packets to VM5 on VRF1 of Compute3 - Set encap rule for packets to VM1, VM2 on VRF1 of Compute1 - Set encap rule for packets to VM3, VM4 on VRF1 of Compute2

  26. Gateway agent on network nodes SRv6 Data Center Network Control

    Plane

  27. Network Node Requirements: Scale Compute VRF VM VM Compute VRF

    VM VM Compute VRF VM VM Network 1 Network N VRF Network 2 ・・・ VRF VRF VRF VRF VRF VRF VRF VRF

  28. Network Node Requirements: Multi clusters Network 1 Network N cluster

    1 vrf 1 Network 2 ・・・ cluster 2 vrf 1 cluster N vrf 1 OpenStack Cluster 1 OpenStack Cluster 2 OpenStack Cluster N ・・・ cluster 1 vrf 1 cluster 2 vrf 1 cluster N vrf 1 cluster 1 vrf 1 cluster 2 vrf 1 cluster N vrf 1

  29. Etcd + Agent Model Network 1 Network N cluster 1

    vrf 1 Network 2 ・・・ cluster 2 vrf 1 cluster N vrf 1 OpenStack Cluster 1 OpenStack Cluster 2 OpenStack Cluster N ・・・ cluster 1 vrf 1 cluster 2 vrf 1 cluster N vrf 1 cluster 1 vrf 1 cluster 2 vrf 1 cluster N vrf 1 agent agent agent etcd

  30. Notify New Encap/Decap Rule via Etcd Controller Neutron Nova etcd

    11. Put port info Network agent VRF 12. Get changes 13. Create VRF and Set SRv6 encap/decap rules Compute nova-compute 6. Detect tap VM tap 7. Get/Update port Info neutron-agent 8. Config tap VRF 9. Create VRF 10. Set SRv6 encap/decap rules

  31. Service plugin for new API to add SRv6 encap rule

    SRv6 Data Center Network Control Plane

  32. srv6_encap_network API

  33. srv6_encap_network resource • id: Identifier for resource • tenant_id/project_id: Identifier

    for project/tenant of resource • network_id: Identifier of network which resource is assigned • encap_rules: SRv6 encap rule list ◦ destination: IPv4 address for specific destination of packet ◦ nexthop: SID packets should be encaped

  34. NFV(LBaaS) and networking-sr with new API Controller Neutron Compute nova-compute

    VM1 tap neutron-agent VRF1 4. Set SRv6 encap rule Network agent VRF1 LBaaS 1. Create VIP Add encap rule for VIP by srv6_encap_netowrk API Notify encap rule 2. 3. tenant_id: Tenant User belongs network_id: Network VM connects encap_rules: destination is VIP, nexthop is SID of VRF1 on Network node VIP encap seg6 mode encap segs NetworkNode_VRF1_SID

  35. Summary • SRv6 network for data center use case ◦

    Multi tenant networks • Data plane architecture ◦ SRv6 Encap/Decap support on Hypervisors and Network nodes ◦ End.DX4 + Routing to VRF (Kernel doesn’t have End.DT4) • Control plane architecture ◦ OpenStack Neutron SRv6 plugin networking-sr ◦ Gateway agent with etcd for large scale ◦ New API to add SRv6 encap rule