A Pure Layer 3 Approach to Virtual Networking 

Who Am I? • Cory Benfield • Experienced open-source contributor: • Requests (Core) • urllib3 (Core) • Hyper (Maintainer) • Project Calico (Core) • Software Engineer @ Metaswitch Networks • IETF Participant (HTTPBis) 

@lukasa @lukasaoz 

* [email protected] [email protected] 

The State Of The Art •Layer 2 Virtualisation •VLAN tags or Encapsulation (e.g. VXLAN) •vSwitches (e.g. OVS) 

The Good News •This totally works! 

The Bad News •…sort of 

The Bad News •All have problems at scale •VLAN tags are limited •GRE has flooding problems •So does VXLAN •L2 broadcast is tricky •Trouble with geographically distributed sites 

What To Do? •Can we extend current solutions? •Maybe – but maybe not •What about an alternative? 

Initial Question •If data centers are going to be networks of thousands/millions of endpoints, why not use the Internet as a model? 

Project Calico •Majority of cloud workloads only need IP •Of those, almost all don’t care what IP address they have •Use these restrictions to build approach focused on simplicity and scale 

Project Calico An (Apache licensed) open source project to enable networking of workloads in a data center / cloud environment Objectives: Simple Scale Open Thousands of servers, 100k’s of workloads Don’t demand users to be networking experts Open source and open standards 

The Standard Model Virtual L2 segments, implemented in software by virtual switch vSwitch vSwitch vSwitch Linux Linux Linux Encap / de-encap (& flooding!) Outer MAC Outer IP Outer UDP VXLAN VM MAC VM IP VM TCP/UDP VM Data Router service required to hop between tenants NAT required for public Internet access On/off-ramp required to get to NAS, etc. Virtual L2 segments, implemented in software by virtual switch 

The Calico Model BGP IP App IP App IP App Compute Node VMs / LXCs Router Host MAC VM IP VM TCP/UDP VM Data IP App IP App IP App Compute Node VMs / LXCs Router Any capable IP transport fabric (L2, L3, RFC1149…) Router BGP BGP 

Core Principles •Highly efficient vRouter built on Linux kernel forwarding engine •Propagates reachability via BGP •Includes BGP route reflectors for internet-scale •Policy configured via ACLs 

Simple •Packets now accurately reflect source and destination: no encap •No need to flood •Routing decisions are simple •Debugging is easy •No new code on the data path •No NAT •Everything is just IP 

Scalable •Built like the Internet •Linux kernel handles many routes and ACLs quickly •Route reflectors allow BGP scale •Distributed routing is fault tolerant •All L3 fault-tolerance tools work 

Freebies •Easy to integrate bare metal •Easy to span DCs •Easy to interop (e.g. with LXCs) •Relatively easy to merge multiple orchestration systems 

Freebies •IPv6 just works •Even in OpenStack Icehouse(!) •Today. Right now •Yes, really •Works well on any IP transport backbone •Can use known L3 technologies: • ECMP • Anycast 

Project Status •Open source: available now •Apache 2.0 licensed •Neutron ML2 driver available •Open API for extension •Open source Docker PoC 

Roadmap •Full control-plane HA •Address-space isolation •ECMP by default •Anycast loadbalancing •DPDK integration •Bridging multiple orchestrators •Much more! 

Get involved! •http://www.projectcalico.org/ •Mailing list • http://lists.projectcalico.org/listinfo/calico •GitHub: Metaswitch/calico •Docs @ GitHub: • Metaswitch/calico-docs/wiki •Twitter (@projectcalico) 

No content