Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Project Calico: A Pure Layer 3 Approach to Virtual Networking

Project Calico: A Pure Layer 3 Approach to Virtual Networking

Given @ FOSDEM, this talk acts as an introduction to Project Calico.


Cory Benfield

January 31, 2015


  1. A Pure Layer 3 Approach to Virtual Networking

  2. Who Am I? • Cory Benfield • Experienced open-source contributor:

    • Requests (Core) • urllib3 (Core) • Hyper (Maintainer) • Project Calico (Core) • Software Engineer @ Metaswitch Networks • IETF Participant (HTTPBis)
  3. @lukasa @lukasaoz

  4. * cory.benfield@metaswitch.com cory@lukasa.co.uk

  5. The State Of The Art •Layer 2 Virtualisation •VLAN tags

    or Encapsulation (e.g. VXLAN) •vSwitches (e.g. OVS)
  6. The Good News •This totally works!

  7. The Bad News •…sort of

  8. The Bad News •All have problems at scale •VLAN tags

    are limited •GRE has flooding problems •So does VXLAN •L2 broadcast is tricky •Trouble with geographically distributed sites
  9. What To Do? •Can we extend current solutions? •Maybe –

    but maybe not •What about an alternative?
  10. Initial Question •If data centers are going to be networks

    of thousands/millions of endpoints, why not use the Internet as a model?
  11. Project Calico •Majority of cloud workloads only need IP •Of

    those, almost all don’t care what IP address they have •Use these restrictions to build approach focused on simplicity and scale
  12. Project Calico An (Apache licensed) open source project to enable

    networking of workloads in a data center / cloud environment Objectives: Simple Scale Open Thousands of servers, 100k’s of workloads Don’t demand users to be networking experts Open source and open standards
  13. The Standard Model Virtual L2 segments, implemented in software by

    virtual switch vSwitch vSwitch vSwitch Linux Linux Linux Encap / de-encap (& flooding!) Outer MAC Outer IP Outer UDP VXLAN VM MAC VM IP VM TCP/UDP VM Data Router service required to hop between tenants NAT required for public Internet access On/off-ramp required to get to NAS, etc. Virtual L2 segments, implemented in software by virtual switch
  14. The Calico Model BGP IP App IP App IP App

    Compute Node VMs / LXCs Router Host MAC VM IP VM TCP/UDP VM Data IP App IP App IP App Compute Node VMs / LXCs Router Any capable IP transport fabric (L2, L3, RFC1149…) Router BGP BGP
  15. Core Principles •Highly efficient vRouter built on Linux kernel forwarding

    engine •Propagates reachability via BGP •Includes BGP route reflectors for internet-scale •Policy configured via ACLs
  16. Simple •Packets now accurately reflect source and destination: no encap

    •No need to flood •Routing decisions are simple •Debugging is easy •No new code on the data path •No NAT •Everything is just IP
  17. Scalable •Built like the Internet •Linux kernel handles many routes

    and ACLs quickly •Route reflectors allow BGP scale •Distributed routing is fault tolerant •All L3 fault-tolerance tools work
  18. Freebies •Easy to integrate bare metal •Easy to span DCs

    •Easy to interop (e.g. with LXCs) •Relatively easy to merge multiple orchestration systems
  19. Freebies •IPv6 just works •Even in OpenStack Icehouse(!) •Today. Right

    now •Yes, really •Works well on any IP transport backbone •Can use known L3 technologies: • ECMP • Anycast
  20. Project Status •Open source: available now •Apache 2.0 licensed •Neutron

    ML2 driver available •Open API for extension •Open source Docker PoC
  21. Roadmap •Full control-plane HA •Address-space isolation •ECMP by default •Anycast

    loadbalancing •DPDK integration •Bridging multiple orchestrators •Much more!
  22. Get involved! •http://www.projectcalico.org/ •Mailing list • http://lists.projectcalico.org/listinfo/calico •GitHub: Metaswitch/calico •Docs

    @ GitHub: • Metaswitch/calico-docs/wiki •Twitter (@projectcalico)
  23. None