Introduction To OpenFlow

Transcription

Introduction to OpenFlow
Raj Jain
Washington University in Saint Louis
Saint Louis, MO 63130
Jain@cse.wustl.edu
These slides and audio/video recordings of this class lecture are at: http://www.cse.wustl.edu/~jain/cse570-18/
Washington University in St. Louis, http://www.cse.wustl.edu/~jain/cse570-18/, 15-1, 2018 Raj Jain

Overview
1. Planes of Networking
2. OpenFlow
3. OpenFlow Operation
4. OpenFlow Switches including Open vSwitch
5. OpenFlow Evolution
6. Current Limitations and Issues
Note: This is the first module of four modules on OpenFlow, OpenFlow Controllers, SDN and NFV in this course.

Planes of Networking
Data Plane: All activities involving as well as resulting from data packets sent by the end user, e.g.,
- Forwarding
- Fragmentation and reassembly
- Replication for multicasting
Control Plane: All activities that are necessary to perform data plane activities but do not involve end-user data packets
- Making routing tables
- Setting packet handling policies (e.g., security)
- Base station beacons announcing availability of services
Ref: Open Data Center Alliance, Usage Model: Software Defined Networking, Rev 1.0 (Software Defined Networking Master Usage Model Rev1.0.pdf)

Planes of Networking (Cont)
Management Plane: All activities related to provisioning and monitoring of the networks
- Fault, Configuration, Accounting, Performance and Security (FCAPS).
- Instantiate new devices and protocols (turn devices on/off)
- Optional: may be handled manually for small networks.
Services Plane: Middlebox services to improve performance or security, e.g., Load Balancers, Proxy Service, Intrusion Detection, Firewalls, SSL Off-loaders
- Optional: not required for small networks

Data vs. Control Logic
- Data plane runs at line rate, e.g., 100 Gbps for 100 Gbps Ethernet: Fast Path
  - Typically implemented using special hardware, e.g., Ternary Content Addressable Memories (TCAMs)
- Some exceptional data plane activities are handled by the CPU in the switch: Slow Path, e.g., Broadcast, Unknown, and Multicast (BUM) traffic
- All control activities are generally handled by CPU
(Figure: Control Logic above Data Logic in the switch.)

OpenFlow: Key Ideas
1. Separation of control and data planes
2. Centralization of control
3. Flow based control
Ref: N. McKeown, et al., "OpenFlow: Enabling Innovation in Campus Networks," ACM SIGCOMM CCR, Vol. 38, No. 2, April 2008, pp. 69-74.

Separation of Control and Data Planes
(Figure: Controller connected over the OpenFlow Protocol and a Secure Channel to a Forwarding Element holding a Flow Table.)
- Control logic is moved to a controller
- Switches only have forwarding elements
- One expensive controller with a lot of cheap switches
- OpenFlow is the protocol to send/receive forwarding rules from controller to switches

OpenFlow V1.0
On packet arrival, match the header fields with flow entries in a table; if any entry matches, update the counters indicated in that entry and perform the indicated actions.
Flow Table: a list of entries, each of the form
  Header Fields | Counters | Actions
Header fields matched in V1.0: Ingress Port, Ether Source, Ether Dest, VLAN ID, VLAN Priority, IP Src, IP Dst, IP Proto, IP ToS, Src L4 Port, Dst L4 Port
Ref: OpenFlow Switch Specification, V1.0.0 (c-v1.0.0.pdf)

Flow Table Example
Port | Src MAC | Dst MAC | VLAN ID | Priority | EtherType | Src IP | Dst IP      | IP Proto | IP ToS | Src L4 Port / ICMP Type | Dst L4 Port / ICMP Code | Action     | Counter
*    | *       | 0A:C8:* | *       | *        | *         | *      | *           | *        | *      | *                       | *                       | Port 1     | 102
*    | *       | *       | *       | *        | *         | *      | 192.168.*.* | *        | *      | *                       | *                       | Port 2     | 202
*    | *       | *       | *       | *        | *         | *      | *           | *        | *      | 21                      | 21                      | Drop       | 420
*    | *       | *       | *       | *        | 0x806     | *      | *           | *        | *      | *                       | *                       | Local      | 444
*    | *       | *       | *       | *        | 0x1*      | *      | *           | *        | *      | *                       | *                       | Controller | 1
- Idle timeout: Remove entry if no packets received for this time
- Hard timeout: Remove entry after this time
- If both are set, the entry is removed if either one expires.
Ref: S. Azodolmolky, "Software Defined Networking with OpenFlow," Packt Publishing, October 2013, 152 pp., ISBN: 978-1-84969-872-6 (Safari Book)

Matching (V1.0 packet parsing and lookup flowchart)
1. Set Input Port, Ether Src, Ether Dst, Ether Type; set all other header fields to zero.
2. EtherType 0x8100? Yes: set VLAN ID and VLAN Priority, and use the EtherType inside the VLAN tag for the next EtherType check.
3. EtherType 0x0806? Yes: set IP Src, IP Dst, IP Proto, IP ToS from within the ARP packet, then go to lookup.
4. EtherType 0x0800? No: the packet is not IP, go to lookup. Yes: set IP Src, IP Dst, IP Proto, IP ToS.
5. Fragment? Yes: go to lookup. No: if IP Proto is 6 or 17, set Src Port and Dst Port for the L4 fields; if IP Proto is 1, use ICMP Type and Code for the L4 fields.
6. Packet lookup using the assigned header fields: Match in Table 0? Yes: apply actions. No: Match in Table n? Yes: apply actions. No: send to controller.

Counters
Per Table: Active Entries, Packet Lookups, Packet Matches
Per Flow: Received Packets, Received Bytes, Duration (secs), Duration (nanosecs)
Per Port: Received Packets, Transmitted Packets, Received Bytes, Transmitted Bytes, Receive Drops, Transmit Drops, Receive Errors, Transmit Errors, Receive Frame Alignment Errors, Receive Overrun Errors, Receive CRC Errors, Collisions
Per Queue: Transmit Packets, Transmit Bytes, Transmit Overrun Errors

Actions
- Forward to Physical Port i or to Virtual Port:
  - All: to all interfaces except incoming interface
  - Controller: encapsulate and send to controller
  - Local: send to its local networking stack
  - Table: perform actions in the flow table
  - In port: send back to input port
  - Normal: forward using traditional Ethernet
  - Flood: send along minimum spanning tree except the incoming interface
- Enqueue: to a particular queue in the port (QoS)
- Drop
- Modify Field: e.g., add/remove VLAN tags, ToS bits, change TTL

Actions (Cont)
- Masking allows matching only selected fields, e.g., Dest. IP, Dest. MAC, etc.
- If header matches an entry, corresponding actions are performed and counters are updated
- If no header match, the packet is queued and the header is sent to the controller, which sends a new rule. Subsequent packets of the flow are handled by this rule.
- Secure Channel: between controller and the switch using TLS
- Modern switches already implement flow tables, typically using Ternary Content Addressable Memories (TCAMs)
- Controller can change the forwarding rules if a client moves, so packets for mobile clients are forwarded correctly
- Controller can send flow table entries beforehand (Proactive) or send on demand (Reactive). OpenFlow allows both models.
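As an added example that is not part of the lecture slides, the following Python model ties together the Flow Table Example slide and the miss path described above: wildcard matching (prefixes such as 0A:C8:*, 192.168.*.* and 0x1*), idle/hard timeouts with the either-expires rule, per-flow counters, and a lookup miss that queues the packet and hands its header to the controller. The priorities, the packet-header dict format and the function names are assumptions of this example; the slide's table has no priority column.

```python
import time
from fnmatch import fnmatchcase
from dataclasses import dataclass, field

# Constructed model of a V1.0 flow table; a packet header is a dict keyed by field name
# (in_port, src_mac, dst_mac, vlan_id, vlan_prio, eth_type, src_ip, dst_ip, ip_proto, ip_tos, l4_src, l4_dst)

@dataclass
class FlowEntry:
    match: dict                 # field -> pattern; fields left out are wildcards, "0A:C8:*" is a prefix
    action: str                 # "Port 1", "Port 2", "Drop", "Local", "Controller"
    priority: int = 0           # assumed for this example; the slide's table shows no priority column
    idle_timeout: float = 0.0   # seconds, 0 = never
    hard_timeout: float = 0.0
    packets: int = 0            # per-flow counters (Received Packets / Received Bytes)
    bytes: int = 0
    installed: float = field(default_factory=time.monotonic)
    last_hit: float = field(default_factory=time.monotonic)

    def matches(self, hdr):
        # Every specified field must match; glob "*" plays the role of the table's wildcards
        return all(fnmatchcase(str(hdr.get(f, "")), p) for f, p in self.match.items())

    def expired(self, now):
        # Removed when EITHER timeout fires: hard counts from install time, idle from the last hit
        if self.hard_timeout and now - self.installed >= self.hard_timeout:
            return True
        return bool(self.idle_timeout) and now - self.last_hit >= self.idle_timeout

class FlowTable:
    def __init__(self):
        self.entries = []
        self.queued_for_controller = []   # packets held while the controller decides on a rule

    def add(self, entry):
        self.entries.append(entry)
        self.entries.sort(key=lambda e: -e.priority)   # highest priority is consulted first

    def expire(self, now):
        self.entries = [e for e in self.entries if not e.expired(now)]

    def lookup(self, hdr, length=64, now=None):
        now = time.monotonic() if now is None else now
        for e in self.entries:
            if e.matches(hdr):
                e.packets, e.bytes, e.last_hit = e.packets + 1, e.bytes + length, now
                return e.action
        self.queued_for_controller.append(hdr)   # miss: queue packet, send header to controller
        return "Controller"

def build_slide_table():
    # The five rows of the slide's example table; priorities are constructed for this example
    t = FlowTable()
    t.add(FlowEntry({"dst_mac": "0A:C8:*"}, "Port 1", priority=10))
    t.add(FlowEntry({"dst_ip": "192.168.*.*"}, "Port 2", priority=5))
    t.add(FlowEntry({"l4_src": "21", "l4_dst": "21"}, "Drop", priority=20, idle_timeout=30))
    t.add(FlowEntry({"eth_type": "0x806"}, "Local", priority=5))
    t.add(FlowEntry({"eth_type": "0x1*"}, "Controller", priority=5))
    return t
```

A packet whose header matches both the 0A:C8:* and the 192.168.*.* rows is resolved by priority, and the Drop row for port 21 shows how a flow entry doubles as an access-control rule.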

Open vSwitch
- Open Source Virtual Switch
- Nicira concept
- Can run as a stand-alone hypervisor switch or as a distributed switch across multiple physical servers
- Default switch in XenServer 6.0, Xen Cloud Platform; supports Proxmox VE, VirtualBox, Xen, KVM
- Integrated into many cloud management systems including OpenStack, openQRM, OpenNebula, and oVirt
- Distributed with Ubuntu, Debian, Fedora Linux. Also FreeBSD
- Intel has an accelerated version of Open vSwitch in its own Data Plane Development Kit (DPDK)
Ref: http://openvswitch.org/

Open vSwitch Features
Inter-VM communication monitoring via:
- NetFlow: Cisco protocol for sampling and collecting traffic statistics (RFC 3954)
- sFlow: similar to NetFlow, by sflow.org (RFC 3176)
- Jflow: Juniper's version of NetFlow
- NetStream: Huawei's version of NetFlow
- IPFIX: IP Flow Information Export Protocol (RFC 7011), IETF standard for NetFlow
- SPAN, RSPAN: (Remote) Switch Port Analyzer, port mirroring by sending a copy of all packets to a monitor port
- GRE-tunneled mirrors: monitoring device is remotely connected to the switch via a GRE tunnel

Open vSwitch Features (Cont)
- Link Aggregation Control Protocol (LACP)
- IEEE 802.1Q VLAN
- IEEE 802.1ag Connectivity Fault Management (CFM)
- Bidirectional Forwarding Detection (BFD) to detect link faults (RFC 5880)
- IEEE 802.1D-1998 Spanning Tree Protocol (STP)
- Per-VM traffic policing
- OpenFlow
- Multi-table forwarding pipeline
- IPv6
- GRE, VXLAN, IPsec tunneling
- Kernel and user-space forwarding engine options

OVSDB
- Open vSwitch Database Management Protocol (OVSDB)
- Monitoring capability using publish-subscribe mechanisms
- Stores both provisioning and operational state
- JavaScript Object Notation (JSON) used for the schema format, and JSON-RPC over TCP for the wire protocol (RFC 4627)
(Figure: Control and Management Cluster talks OVSDB to the OVSDB Server and OpenFlow to ovs-vswitchd, which drives the Forwarding Path.)
database-schema:
  "name": id
  "version": version
  "tables": { id : table-schema, ... }
RPC Methods: List databases, Get Schema, Update, Lock, ...
- Open vSwitch project includes open source OVSDB client and server implementations
Ref: B. Pfaff and B. Davie, "The Open vSwitch Database Management Protocol," IETF draft, Oct, ...proto-04

OpenFlow V1.1
- V1: perform action on a match. Ethernet/IP only. Single path. Did not cover MPLS, Q-in-Q, ECMP, and efficient multicast
- V1.1 introduced table chaining, group tables, and added MPLS label and MPLS traffic class to the match fields.
- Table Chaining: on a match, the instruction may be
  - Immediate actions: modify packet, update match fields, and/or
  - Update action set, and/or
  - Send match data and action set to Table n,
  - Go to Group Table entry n
(Figure: Controller connected over OpenFlow and a Secure Channel to a switch whose Flow Table 1, Table 2, Table 3, ..., Table n feed the Group Table; the Action Set grows along the pipeline from {} to {1} to {1,3,6,...}.)

OpenFlow V1.1 (Cont)
Pipeline flowchart:
- Packet In: start at Table 0
- Match in Table n? Yes: update counters; execute instructions (update action set, update packet/match set fields, update metadata); Goto Table n? Yes: repeat the match in that table. No: execute action set.
- Match in Table n? No: Table-miss flow entry exists? Yes: execute its instructions as above. No: drop packet.
Source: OpenFlow Switch Specification, V1.4.1

OpenFlow V1.1 (Cont)
- On a miss, the instruction may be to send the packet to the controller or continue processing with the sequentially next table
- Group Tables: each entry has a variable number of buckets
  - All: execute each bucket. Used for broadcast, multicast.
  - Select: execute one switch-selected bucket. Used for port mirroring. Selection may be done by hashing some fields.
  - Indirect: execute one predefined bucket.
  - Fast Failover: execute the first live bucket (live port)
- New features supported:
  - Multipath: a flow can be sent over one of several paths
  - MPLS: multiple labels, traffic class, TTL, push/pop labels
  - Q-in-Q: multiple VLAN tags, push/pop VLAN headers
  - Tunnels: via virtual ports
Ref: OpenFlow Switch Specification, V1.1.0 (c-v1.1.0.pdf)
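The following Python model, added here as an example and not taken from the slides or the specification, walks a packet through the V1.1 pipeline of the two preceding slides: table chaining with Goto-Table, Apply-Actions run immediately versus Write-Actions merged into the action set, table-miss entries (including the miss that sends the packet to the controller and the drop when no table-miss entry exists), and All and Fast Failover group buckets. Exact-match fields, the instruction subset, the three-table layout and the port numbers are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    match: dict          # exact-match fields; {} is the table-miss entry (priority 0)
    instructions: dict   # V1.1 instruction subset: apply_actions (list), write_actions (dict), goto_table
    priority: int = 0

class Pipeline:
    # Constructed model of the V1.1 pipeline: start at table 0, run the matched entry's
    # instructions, follow Goto-Table, then execute the accumulated action set
    def __init__(self, n_tables):
        self.tables = [[] for _ in range(n_tables)]
        self.groups = {}     # group id -> (type, [(watch_port, actions), ...])

    def add(self, table, entry):
        self.tables[table].append(entry)
        self.tables[table].sort(key=lambda e: -e.priority)   # highest priority first

    def _lookup(self, table, pkt):
        matched = (e for e in self.tables[table] if all(pkt.get(k) == v for k, v in e.match.items()))
        return next(matched, None)

    def process(self, pkt, live_ports=frozenset()):
        action_set, trace, table = {}, [], 0
        while table is not None:
            e = self._lookup(table, pkt)
            if e is None:                  # no match and no table-miss entry: drop
                return ["drop"]
            trace += e.instructions.get("apply_actions", [])            # run immediately
            action_set.update(e.instructions.get("write_actions", {}))  # merged into the set
            table = e.instructions.get("goto_table")                    # None ends the pipeline
        if "group" in action_set:          # a group action takes precedence over plain output
            trace += self._run_group(action_set["group"], live_ports)
        elif "output" in action_set:
            trace.append("output:%d" % action_set["output"])
        elif not trace:
            trace.append("drop")           # empty action set, nothing applied: packet is dropped
        return trace

    def _run_group(self, gid, live_ports):
        gtype, buckets = self.groups[gid]
        if gtype == "all":                 # execute every bucket (broadcast / multicast)
            return [a for _, actions in buckets for a in actions]
        # "ff" (fast failover): the first bucket whose watch port is live, else drop
        return next((actions for port, actions in buckets if port in live_ports), ["drop"])

def build_pipeline():
    # Constructed three-table pipeline: table 0 = ACL, table 1 = forwarding, table 2 = QoS
    p = Pipeline(3)
    p.add(0, Entry({"l4_dst": 23}, {}, 100))                      # no goto, empty set: drop
    p.add(0, Entry({}, {"goto_table": 1}))                        # table-miss: go on to table 1
    p.add(1, Entry({"dst_ip": "10.0.0.2"}, {"write_actions": {"output": 2}, "goto_table": 2}, 10))
    p.add(1, Entry({"dst_ip": "10.0.0.255"}, {"write_actions": {"group": 1}}, 10))
    p.add(1, Entry({"dst_ip": "10.0.0.4"}, {"write_actions": {"group": 2}}, 10))
    p.add(1, Entry({}, {"apply_actions": ["output:controller"]}))   # table-miss: packet-in
    p.add(2, Entry({"ip_tos": 0x10}, {"apply_actions": ["set_queue:1"]}, 10))
    p.add(2, Entry({}, {}))                                       # table-miss: run the action set
    p.groups[1] = ("all", [(1, ["output:1"]), (3, ["output:3"])])
    p.groups[2] = ("ff", [(1, ["output:1"]), (4, ["output:4"])])
    return p
```

The returned trace lists the actions in the order the switch would execute them, so the same packet can be replayed with different live-port sets to see the failover bucket change.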

OpenFlow V1.2
1. IPv6 Support: matching fields include IPv6 source address, destination address, protocol number, traffic class, ICMPv6 type, ICMPv6 code, IPv6 neighbor discovery header fields, and IPv6 flow labels.
2. Extensible Matches: Type-Length-Value (TLV) structure. Previously the order and length of match fields was fixed.
3. Experimenter extensions through dedicated fields and code points assigned by ONF
Ref: OpenFlow Switch Specification, V1.2 (enflow-spec-v1.2.pdf)

OpenFlow 1.3
- IPv6 extension headers: can check whether Hop-by-hop, Router, Fragmentation, Destination options, Authentication, Encapsulating Security Payload (ESP), or unknown extension headers are present
- MPLS Bottom-of-Stack bit matching
- MAC-in-MAC encapsulation
- Tunnel ID metadata: support for tunnels (VXLAN, ...)
- Per-Connection Event Filtering: better filtering of connections to multiple controllers
- Many auxiliary connections to the controller allow to exploit parallelism
- Better capability negotiation: requests can span multiple messages
- More general experimenter capabilities allowed
- A separate flow entry for table-miss actions
Ref: OpenFlow Switch Specification, V1.3.0 (enflow-spec-v1.3.0.pdf)

OpenFlow V1.3 (Cont)
- Cookies: a cookie field with a policy identifier is added to messages containing new packets sent to the controller. This helps the controller process the messages faster than if it had to search its entire database.
- Duration: a duration field has been added to most stats. Helps compute rates.
- Per-flow counters can be disabled to improve performance
- Per-flow meters and meter bands
  - Meter: switch element that can measure and control the rate of packets/bytes.
  - Meter Band: if the packet/byte rate exceeds a pre-defined threshold, the meter has triggered the band
  - A meter may have multiple bands
(Figure: packet rate over time crossing the Band 1 threshold and then the Band 2 threshold.)

OpenFlow V1.3 (Cont)
- If on triggering a band the meter drops the packet, it is called a rate limiter.
- Other QoS and policing mechanisms can be designed using these meters
- Per-Flow QoS: meters are attached to a flow entry, not to a queue or a port.
- Multiple flow entries can all point to the same meter.
Flow entry:  Match Fields | Priority | Counters | Instructions | Timeouts | Cookie
  New instruction: Meter (Meter ID)
Meter table:  Meter ID | Meter Bands | Counters
Meter band:   Band Type | Rate (kb/s) | Burst | Counters | Type Specific Arguments
  Band types: 1. Drop  2. Remark DSCP
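As an added example (not from the slides), the Python below models a V1.3 meter with two bands, a DSCP-remark band and a Drop band, using a token bucket per band with the rate in kb/s and the burst in kb as in the tables above; when several bands are exceeded, the band with the highest configured rate is the one applied, and a Drop band makes the meter a rate limiter. The bucket arithmetic, the packet dict format and the DSCP bit layout used for remarking (AF class in the high three bits, drop precedence in bits 1-2) are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class Band:
    rate_kbps: int            # band threshold (kb/s), as in the slide's meter band table
    burst_kb: int             # burst size (kb) the band tolerates above its rate
    btype: str                # "drop" or "dscp_remark"
    prec_level: int = 0       # dscp_remark only: how far to raise the drop precedence
    packets: int = 0          # per-band counters
    bytes: int = 0
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = self.burst_kb * 1000.0    # token bucket in bits, starts full

    def exceeded(self, bits, now):
        # Refill at the band rate, capped at the burst; a packet the bucket cannot pay for exceeds the band
        self.tokens = min(self.burst_kb * 1000.0, self.tokens + (now - self.last) * self.rate_kbps * 1000.0)
        self.last = now
        if self.tokens >= bits:
            self.tokens -= bits
            return False
        return True

class Meter:
    def __init__(self, meter_id, bands):
        self.meter_id = meter_id
        self.bands = sorted(bands, key=lambda b: -b.rate_kbps)   # highest rate first
        self.packets = self.bytes = 0                            # per-meter counters

    def apply(self, pkt, now):
        # Returns the (possibly remarked) packet, or None when the applied band drops it
        bits = pkt["len"] * 8
        self.packets += 1
        self.bytes += pkt["len"]
        exceeded = [b for b in self.bands if b.exceeded(bits, now)]   # charge every band
        if not exceeded:
            return pkt
        band = exceeded[0]              # spec rule: the exceeded band with the highest rate applies
        band.packets += 1
        band.bytes += pkt["len"]
        if band.btype == "drop":
            return None
        # dscp_remark: keep the AF class (high 3 bits), raise the drop precedence (bits 1-2), max 3
        klass, prec = pkt["dscp"] >> 3, (pkt["dscp"] >> 1) & 0x3
        return dict(pkt, dscp=(klass << 3) | (min(3, prec + band.prec_level) << 1))

def build_meter():
    # Constructed meter: remark above 500 kb/s, drop above 1000 kb/s, 10 kb burst on each band.
    # Any number of flow entries may carry "Meter 1" in their instructions and share this object.
    return Meter(1, [Band(1000, 10, "drop"), Band(500, 10, "dscp_remark", prec_level=1)])
```

With 1000-byte packets the first one fits the burst, a second at the same instant exceeds both bands and is dropped, and one sent 10 ms later only exceeds the 500 kb/s band and leaves remarked from AF11 to AF12.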

OpenFlow V1.4
- Optical ports: configure and monitor transmit and receive frequencies of lasers and their power
- Improved Extensibility: Type-Length-Value (TLV) encodings at most places, making it easy to add new features in future
- Extended Experimenter Extension API: can easily add ports, tables, queues, instructions, actions, etc.
- More information when a packet is sent to controller, e.g., no match, invalid TTL, matching group bucket, matching action, ...
- Controllers can select a subset of flow tables for monitoring
- Switches can evict entries of lower importance if table full
- Switches can notify controller if table is getting full
- Atomic execution of a bundle of instructions
Ref: OpenFlow Switch Specification, V1.4.0 (enflow-spec-v1.4.0.pdf)

OpenFlow V1.4.1
1. Bundle: atomic instruction group
  - A group of instructions from the controller that are either all executed or all not executed
  - A bundle may be sent to many switches and then applied at approximately the same time on a commit request from the controller
2. Flow Table Monitoring: synchronization in a multi-controller system
  - Notify a controller if a set of flow table entries is modified by another controller
3. Bug fixes
Ref: OpenFlow Switch Specification, V 1.4.1, March 26, 2015

OpenFlow V1.5
1. Egress Tables: actions to be done when exiting through a port (encapsulate or decapsulate a packet, tunnels)
2. Packet Type: can now handle non-Ethernet packets, e.g., IP packets
3. TCP Flags Matching: SYN, ACK, and FIN may be used to detect beginning and end of a TCP connection
OpenFlow V1.5.1: bug fixes, March 2015
(Figure: Controller connected over the OF Channel to a switch with ingress Flow Tables, a Group Table, a Meter Table, and egress Flow Tables between the ports.)
Ref: OpenFlow Switch Specification, V 1.5.1, March 26, 2015

OpenFlow Evolution Summary
- Dec 2009, V1.0: single flow table, Ethernet/IPv4
- Feb 2011, V1.1: MPLS, Q-in-Q, efficient multicast, ECMP, multiple tables
- Dec 2011, V1.2: IPv6, TLV matching, multiple controllers
- Apr 2012, V1.3: MAC-in-MAC, multiple channels between switch and controller
- Jun 2012, V1.3.1: bug fix
- Sep 2012, V1.3.2: bug fix
- Sep 2013, V1.3.3: IANA TCP port 6653

OpenFlow Evolution Summary (Cont)
- Mar 2014: minor changes
- Mar 2015: bug fix
- Oct 2013, V1.4: OTN, experimenters, bundles, table full
- Mar 2015, V1.4.1: instruction bundles, flow table monitoring, multiple controllers
- Dec 2014, V1.5: egress tables, non-Ethernet packets, TCP flags matching
- Mar 2015, V1.5.1: bug fix

Bootstrapping
- Switches require initial configuration: switch IP address, controller IP address, default gateway
- Switches connect to the controller
- Switch provides configuration information about ports
- Controller installs a rule to forward LLDP packets to the controller and then sends, one by one, LLDP packets to be sent out to port i (i = 1, 2, ..., n), which are forwarded to the respective neighbors. The neighbors send the packets back to the controller.
- Controller determines the topology from the LLDP packets
- LLDP is a one-way protocol to advertise the capabilities at fixed intervals.
Ref: S. Sharma, et al., "Automatic Bootstrapping of OpenFlow Networks," 19th IEEE Workshop on LANMAN, 2013, pp. 1-6, http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6528283 (available to subscribers only)

OpenFlow Configuration Protocol (OF-Config)
- OpenFlow Control Point: entity that configures OpenFlow switches
- OF-Config: protocol used for configuration and management of OpenFlow switches.
- Assignment of OF controllers so that switches can initiate connections to them:
  - IP address of controller
  - Port number at the controller
  - Transport protocol: TLS or TCP
- Configuration of queues (min/max rates) and ports
- Enable/disable receive/forward, speed, media on ports
(Figure: the OpenFlow Configuration Point manages the OpenFlow Switch and its Operational Context over the OF-Config protocol; the OpenFlow Controller drives the same switch over the OpenFlow protocol.)
Ref: Cisco, "An Introduction to OpenFlow," Feb, ...n network environment/docs/cisco one webcast an introduction to openflow february142013.pdf

OF-Config (Cont)
- A physical switch becomes one or more logical switches, each controlled by an OF Controller
- OF-Config allows configuration of logical switches
(Figure: an OF Controller uses the OpenFlow Protocol and OF-Config towards an OF Capable Switch that contains several OF Logical Switches.)
Ref: ONF, "OpenFlow Management and Configuration Protocol (OF-Config 1.1.1)," March 23, ...

OF-Config Concepts
- OF Capable Switch: physical OF switch. Can contain one or more OF logical switches.
- OpenFlow Configuration Point: configuration service
- OF Controller: controls logical switch via OF protocol
- Operational Co
