Transcription
OpenFlow, Software DefinedNetworking (SDN) and NetworkFunction Virtualization (NFV)SDN Standard Southbound API.SDN Centralization of control planeSDN OpenFlowSDN Separation of Control andData PlanesRaj JainWashington University in Saint LouisSaint Louis, MO 63130, Jain@cse.wustl.eduTutorial at 2014 IEEE 15th International Conference on High PerformanceSwitching and Routing, Vancouver, Canada, July 1, 2014These slides and audio/video recordings of this tutorial are at:http://www.cse.wustl.edu/ jain/tutorials/sd hs14.htmWashington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm1 2014 Raj Jain
Overview1.OpenFlow and Tools2.Software Defined Networking (SDN)3.Network Function Virtualization (NFV)Washington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm2 2014 Raj Jain
Part I: OpenFlow and Tools Planes of NetworkingOpenFlowOpenFlow Switches including Open vSwitchOpenFlow EvolutionOpenFlow Configuration Protocol (OF-Config)OpenFlow Notification FrameworkOpenFlow ControllersWashington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm3 2014 Raj Jain
Part II: Software Defined Networking What is SDN?Alternative APIs: XMPP, PCE, ForCES, ALTOOpenDaylight SDN Controller Platform and ToolsWashington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm4 2014 Raj Jain
Part III: Network Function Virtualization What is NFV?NFV and SDN RelationshipETSI NFV ISG SpecificationsConcepts, Architecture, Requirements, Use casesProof-of-Concepts and TimelineWashington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm5 2014 Raj Jain
Part I: OpenFlow and Tools Planes of NetworkingOpenFlowOpenFlow OperationOpenFlow EvolutionOpenFlow Configuration Protocol (OF-Config)OpenFlow Notification FrameworkOpenFlow ControllersWashington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm6 2014 Raj Jain
Planes of Networking Data Plane: All activities involving as well asresulting from data packets sent by the end user, e.g., Forwarding Fragmentation and reassembly Replication for multicastingControl Plane: All activities that are necessary to perform dataplane activities but do not involve end-user data packets Making routing tables Setting packet handling policies (e.g., security) Base station beacons announcing availability of servicesRef: Open Data Center Alliance Usage Model: Software Defined Networking Rev Software Defined Networking Master Usage Model Rev1.0.pdfWashington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm7 2014 Raj Jain
Planes of Networking (Cont) Management Plane: All activities related toprovisioning and monitoring of the networks Fault, Configuration, Accounting, Performance and Security(FCAPS). Instantiate new devices and protocols (Turn devices on/off) Optional May be handled manually for small networks.Services Plane: Middlebox services to improve performance orsecurity, e.g., Load Balancers, Proxy Service, Intrusion Detection,Firewalls, SSL Off-loaders Optional Not required for small networksWashington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm8 2014 Raj Jain
Data vs. Control Logic Data plane runs at line rate,e.g., 100 Gbps for 100 Gbps Ethernet Fast Path Typically implemented using special hardware,e.g., Ternary Content Addressable Memories (TCAMs)Some exceptional data plane activities are handled by the CPUin the switch Slow pathe.g., Broadcast, Unknown, and Multicast (BUM) trafficAll control activities are generally handled by CPUControl LogicData LogicWashington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm9 2014 Raj Jain
OpenFlow: Key Ideas1.2.3.Separation of control and data planesCentralization of controlFlow based controlRef: N. McKeown, et al., OpenFlow: Enabling Innovation in Campus Networks," ACM SIGCOMM CCR,Vol. 38, No. 2, April 2008, pp. 69-74.Washington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm10 2014 Raj Jain
History of OpenFlow 2006: Martin Casado, a PhD student at Stanford and teampropose a clean-slate security architecture (SANE) which defines acentralized control of security (in stead of at the edge as normally done).Ethane generalizes it to all access policies.April 2008: OpenFlow paper in ACM SIGCOMM CCR2009: Stanford publishes OpenFlow V1.0.0 specsJune 2009: Martin Casado co-founds NiciraMarch 2010: Guido Appenzeller, head of clean slate lab at Stanford, cofounds Big Switch NetworksMarch 2011: Open Networking Foundation is formedOct 2011: First Open Networking Summit.Juniper, Cisco announce plans to incorporate.July 2012: VMware buys Nicira for 1.26BNov 6, 2013: Cisco buys Insieme for 838MRef: ONF, “The OpenFlow Timeline,” http://openflownetworks.com/of timeline.phphttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htmWashington University in St. Louis11 2014 Raj Jain
Separation of Control and Data ElementSecureChannelForwardingElementFlow Table Control logic is moved to a controllerSwitches only have forwarding elementsOne expensive controller with a lot of cheap switchesOpenFlow is the protocol to send/receive forwarding rulesfrom controller to switchesWashington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm12 2014 Raj Jain
Centralization of Control PlaneCentralized vs. Distributed ConsistencyFast Response to changesEasy management of lots of devicesWashington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm13 2014 Raj Jain
OpenFlow V1.0 On packet arrival, match the header fields with flow entries in atable, if any entry matches, update the counters indicated in thatentry and perform indicated actionsFlow Table: Header Fields Counters ActionsHeader Fields Counters Actions Header Fields Counters ActionsIngress Ether Ether VLAN VLAN IP IP IPIP Src L4 Dst L4PortSource Dest IDPriority Src Dst Proto ToS PortPortRef: c-v1.0.0.pdfhttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htmWashington University in St. Louis14 2014 Raj Jain
Flow Table ExampleDst L4 PortICMP CodeSrc L4 PortICMP TypeRef: S. Azodolmolky, "Software Defined Networking with OpenFlow," Packt Publishing, October 2013, 152 pp.,ISBN:978-1-84969-872-6 (Safari Book)http://www.cse.wustl.edu/ jain/tutorials/sd hs14.htmWashington University in St. Louis15CounterActionIP ToS Src IPEtherTypeIdle timeout: Remove entry if no packets received for this timeHard timeout: Remove entry after this timeIf both are set, the entry is removed if either one expires.Priority IP ProtoDst IPVLAN IDSrc MAC* 0A:C8:* * * * **** * * Port 1*** * * * 192.168.*.*** * * Port 2*** * * **** 21 21 Drop*** * * **0x806 * * * Local*** * * **0x1* * * * ControllerDst MACPort*****1022024204441 2014 Raj Jain
Set Input PortEther SrcEther DstEther TypeSet all others to zeroMatchingMatchTable 0?Set VLAN IDY Set VLAN PriorityEtherTypeN 0x8100? Tagged Use EtherType in VLAN tagfor next EtherType CheckMatchNTable n?Set IP Src, IP DstEtherType YNIP Proto, IP ToS 0x0806? ARPfrom within ARPNNot IP Y IP Proto YY Set IP Src, IP DstEtherTypeFragment? 6 or 17 0x0800?IP IP Proto, IP ToSTCP/NNNYApplyActionsYUDPSend to ControllerSet Src Port,Dst Port forL4 fieldsUse ICMP TypeIP Proto Yand code for 1?ICMP L4 FieldsPacket lookupNusing assignedheader fieldsWashington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm16 2014 Raj Jain
CountersPer TableActive EntriesPacket LookupsPacket MatchesPer FlowReceived PacketsReceived BytesDuration (Secs)Per PortReceived PacketsTransmitted PacketsReceived BytesPer QueueTransmit PacketsTransmit BytesTransmit overrunerrorsDuration (nanosecs) Transmitted BytesReceive DropsTransmit DropsReceive ErrorsTransmit ErrorsReceive FrameAlignment ErrorsReceive OverrunerorrsReceive CRCErrorsCollisionsWashington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm17 2014 Raj Jain
Actions Forward to Physical Port i or to Virtual Port: All: to all interfaces except incoming interface Controller: encapsulate and send to controller Local: send to its local networking stack Table: Perform actions in the flow table In port: Send back to input port Normal: Forward using traditional Ethernet Flood: Send along minimum spanning tree except theincoming interfaceEnqueue: To a particular queue in the port QoSDropModify Field: E.g., add/remove VLAN tags, ToS bits, ChangeTTLWashington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm18 2014 Raj Jain
Actions (Cont) Masking allows matching only selected fields,e.g., Dest. IP, Dest. MAC, etc.If header matches an entry, corresponding actions are performedand counters are updatedIf no header match, the packet is queued andthe header is sent to the controller, which sends a new rule.Subsequent packets of the flow are handled by this rule.Secure Channel: Between controller and the switch using TLSModern switches already implement flow tables, typically usingTernary Content Addressable Memories (TCAMs)Controller can change the forwarding rules if a client moves Packets for mobile clients are forwarded correctlyController can send flow table entries beforehand (Proactive) orSend on demand (Reactive). OpenFlow allows both models.Washington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm19 2014 Raj Jain
Hardware OpenFlow Switches Arista 7050Brocade MLXe, Brocade CER, Brocade CESExtreme Summit x440, x460, x670Huawei openflow-capable router platformsHP 3500, 3500yl, 5400zl, 6200yl, 6600, and 8200zl (the oldstyle L3 hardware match platform)HP V2 line cards in the 5400zl and 8200zl (the newer L2hardware match platform)IBM 8264Juniper (MX, EX)NEC IP8800, NEC PF5240, NEC PF5820NetGear 7328SO, NetGear 7352SOPronto (3290, 3295, 3780) - runs the shipping pica8 softwareSwitch Light platformWashington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm20 2014 Raj Jain
Software OpenFlow Switches Indigo: Open source implementation that runs onphysical switches and uses features of the ASICs to run OpenFlowLINC: Open source implementation that runs on Linux, Solaris,Windows, MacOS, and FreeBSDPantou: Turns a commercial wireless router/access point to anOpenFlow enabled switch. OpenFlow runs on OpenWRT. Supportsgeneric Broadcom and some models of LinkSys and TP-Link accesspoints with Broadcom and Atheros chipsets.Of13softswitch: User-space software switch based on EricssonTrafficLab 1.1 softswitchXORPlus: Open source switching software to drive high-performanceASICs. Supports STP/RSTP/MSTP, LCAP, QoS, VLAN, LLDP, ACL,OSPF/ECMP, RIP, IGMP, IPv6, PIM-SMOpen vSwitchRef: http://www.openvswitch.org/, http://www.projectfloodlight.org/indigo/, //github.com/CPqD/openflow-openwrt, http://cpqd.github.io/ofsoftswitch13/, cse.wustl.edu/ jain/tutorials/sd hs14.htmWashington University in St. Louis 2014 Raj Jain21
Open vSwitch Open Source Virtual SwitchNicira ConceptCan Run as a stand alone hypervisor switch or as a distributedswitch across multiple physical serversDefault switch in XenServer 6.0, Xen Cloud Platform andsupports Proxmox VE, VirtualBox, Xen KVMIntegrated into many cloud management systems includingOpenStack, openQRM, OpenNebula, and oVirtDistributed with Ubuntu, Debian, Fedora Linux. Also FreeBSDIntel has an accelerated version of Open vSwitch in its ownData Plane Development Kit (DPDK)Ref: http://openvswitch.org/Washington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm22 2014 Raj Jain
Open vSwitch Features Inter-VM communication monitoring via: NetFlow: Cisco protocol for sampling and collecting trafficstatistics (RFC 3954) sFlow: Similar to NetFlow by sflow.org (RFC 3176) Jflow: Juniper’s version of NetFlow NetStream: Huawei’s version of NetFlow IPFIX: IP Flow Information Export Protocol (RFC 7011) IETF standard for NetFlow SPAN, RSPAN: Remote Switch Port Analyzer – portmirroring by sending a copy of all packets to a monitor port GRE-tunneled mirrors: Monitoring device is remotelyconnected to the switch via a GRE tunnelWashington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm23 2014 Raj Jain
Open vSwitch Features (Cont) Link Aggregation Control Protocol (LACP)IEEE 802.1Q VLANIEEE 802.1ag Connectivity Fault Management (CFM)Bidirectional Forwarding Detection (BFD) to detect link faults(RFC 5880)IEEE 802.1D-1998 Spanning Tree Protocol (STP)Per-VM traffic policingOpenFlowMulti-table forwarding pipelineIPv6GRE, VXLAN, IPSec tunnelingKernel and user-space forwarding engine optionsWashington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm24 2014 Raj Jain
OVSDB Open vSwitch Database Management Protocol (OVSDB)Monitoring capability using publish-subscribe mechanismsStores both provisioning and operational stateJava Script Object Notation (JSON) used for schema formatand for JSON-RPC over TCP for wire protocol (RFC 4627)Control and Mgmt Cluster database-schema OVSDBOpenFlow“name”: id OVSDB Server ovs-vswitchd“version”: version Forwarding Path“tables”: { id : table-schema , }RPC Methods: List databases, Get Schema, Update, Lock, Open vSwitch project includes open source OVSDB client andserver implementationsRef: B. Pfaff and B. Davie, “The Open vSwitch Database Management Protocol,” IETF draft, Oct proto-04http://www.cse.wustl.edu/ jain/tutorials/sd hs14.htmWashington University in St. Louis25 2014 Raj Jain
OpenFlow V1.1 V1: Perform action on a match. Ethernet/IP only. Single PathDid not cover MPLS, Q-in-Q, ECMP, and efficient MulticastV1.1 Introduced Table chaining, Group Tables, and addedMPLS Label and MPLS traffic class to match fields.Table Chaining: On a match, instruction may be ControllerOpenFlow Immediate actions: modify packet,update match fields and/orSecureGroupChannelTable Update action set, and/orFlowFlow Send match data and action set to Table n,TableTable Go to Group Table entry nTable 1Action Set {}Washington University in St. LouisTable 2Table 3Action Set {1}Table nGroup TableAction Set {1,3,6, }http://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm26 2014 Raj Jain
OpenFlow V1.1 (Cont) On a miss, the instruction may be to send packet to controlleror continue processing with the sequentially next tableGroup Tables: each entry has a variable number of buckets All: Execute each bucket. Used for Broadcast, Multicast. Select: Execute one switch selected bucket. Used for portmirroring. Selection may be done by hashing some fields. Indirect: Execute one predefined bucket. Fast Failover: Execute the first live bucket Live portNew Features supported: Multipath: A flow can be sent over one of several paths MPLS: multiple labels, traffic class, TTL, push/pop labels Q-in-Q: Multiple VLAN tags, push/pop VLAN headers Tunnels: via virtual portsRef: c-v1.1.0.pdfhttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htmWashington University in St. Louis27 2014 Raj Jain
OpenFlow V1.21.2.3.IPv6 Support: Matching fields include IPv6 source address,destination address, protocol number, traffic class. ICMPv6type, ICMPv6 code, IPv6 neighbor discovery header fields,and IPv6 flow labels.Extensible Matches: Type-Length-Value (TLV) structure.Previously the order and length of match fields was fixed.Experimenter extensions through dedicated fields and codepoints assigned by ONFRef: enflow-spec-v1.2.pdfhttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htmWashington University in St. Louis 2014 Raj Jain28
OpenFlow 1.3 IPv6 extension headers: Can check if Hop-by-hop, Router,Fragmentation, Destination options, Authentication, EncryptedSecurity Payload (ESP), unknown extension headers arepresentMPLS Bottom-of-Stack bit matchingMAC-in-MAC encapsulationTunnel ID meta data: Support for tunnels (VxLAN, )Per-Connection Event Filtering: Better filtering ofconnections to multiple controllersMany auxiliary connections to the controller allow to exploitparallelismBetter capability negotiation: Requests can span multiplemessagesMore general experimenter capabilities allowedA separate flow entry for table miss actionsRef: enflow-spec-v1.3.0.pdfhttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htmWashington University in St. Louis 2014 Raj Jain29
OpenFlow V1.3 (Cont) Cookies: A cookie field is added to messages containing newpackets sent to the controller. This helps controller process themessages faster than if it had to search its entire database.Duration: Duration field has been added to most stats. Helpscompute rates.Per-flow counters can be disabled to improve performancePer Flow Meters and meter bandsMeter: Switch element that can measure and control the rate ofpackets/bytes. Meter Band: If the packet/byte rate exceeds a pre-definedBand 2threshold the meter has triggered the bandBand 1 A meter may have multiple bandsTimeWashington University in St. Louishttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm30 2014 Raj Jain
OpenFlow V1.3 (Cont) If on triggering a band the meter drops the packet, it iscalled rate limiter.Other QoS and policing mechanisms can be designed usingthese metersMeters are attached to a flow entry not to a queue or a port.Multiple flow entries can all point to the same meter.Match Fields Priority Counters Instructions Timeouts Timeouts CookieNew Instruction: Meter Meter IDMeter ID Meter Bands CountersBand Type Rate Counters Type Specific Arguments1. Drop2. Remark DSCPWashington University in St. Louiskb/sBursthttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm31 2014 Raj Jain
OpenFlow V1.4 Optical ports: Configure and monitor transmit and receivefrequencies of lasers and their powerImproved Extensibility: Type-Length-Value (TLV) encodingsat most places Easy to add new features in futureExtended Experimenter Extension API: Can easily addports, tables, queues, instructions, actions, etc.More information when a packet is sent to controller, e.g., nomatch, invalid TTL, matching group bucket, matching action, .Controllers can select a subset of flow tables for monitoringSwitches can evict entries of lower importance if table fullSwitches can notify controller if table is getting fullAtomic execution of a bundle of instructionsRef: enflow-spec-v1.4.0.pdfhttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htmWashington University in St. Louis 2014 Raj Jain32
OpenFlow Evolution SummaryMPLS, Q-in-QEfficient multicastECMP Multiple TablesMAC-in-MACMultiple channelsbetween switchand controllerDec 2009 Feb 2011 Dec 2011 Apr 2012 Jun 2012V1.0V1.1V1.2V1.3V1.3.1Single Flow TableEthernet/IPv4Washington University in St. LouisIPv6TLV matchingMultiple controllersBug FixSep 2012 Oct 2013V1.3.2V1.4Bug Fixhttp://www.cse.wustl.edu/ jain/tutorials/sd hs14.htm33OTNExperimentersBundlesTable full 2014 Raj Jain
Bootstrapping Switches require initial configuration: Switch IP address,Controller IP address, Default gatewaySwitches connect to the controllerSwitch provides configuration information about portsController installs a rule to forward LLDP pa
Software OpenFlow Switches Indigo: Open source implementation that runs on physical switches and uses features of the ASICs to run OpenFlow LINC: Open source implementation that runs on Linux, Solaris, Windows, MacOS, and FreeBSD Pantou: Turns a commercial wireless router/access point to an OpenFlow enabled switch. OpenFlow runs on OpenWRT .File Size: 1MBPage Count: 102
