View
3
Download
0
Category
Preview:
Citation preview
1
Chapter 4: outline4.1 Overview of Network
layer data plane
4.4 Generalized Forwarding and SDN
t h data plane control plane
4.2 What’s inside a
match action OpenFlow examples of
router4.3 IP: Internet Protocol
IP 4 d t m f m t
match-plus-action
IPv4 datagram format fragmentation v4 addressing network address
translation IPv6
4-1Network Layer: Data Plane (SSL)
11/2/2017
2
Network layer d li s s ts f delivers segments from
sending to receiving host sender encapsulates segments
applicationtransportnetworkdata linkphysicalp g
into datagrams Receiver de-encapsulates and
delivers segments to
p y
networkdata linkphysical network
data link
networkdata linkphysical
networkdata link
networkdata linkphysical
transport layer network layer in every host,
every router
physical physical
network
networkdata linkphysical
networkdata linkphysicalevery router
router examines IP header field in every passing d
applicationtransportnetworkdata linkphysical
data linkphysical
networkdata link
networkdata linkphysicalnetwork
datagram (exception: routers running MPLS)
physicalphysicaldata linkphysical
Network Layer: Data Plane (SSL)
4-211/2/2017
3
Key Network-Layer FunctionsKey Network Layer Funct ons forwarding: move a packet from router’s
input interface to an appropriate outputinput interface to an appropriate output interface
routing: determine route taken by packets f m s t d stin ti nfrom source to destination
routing protocols (intra-AS and inter-AS) h AS i f “A t S t ”where AS is acronym for “Autonomous System”
every AS runs the same inter-AS protocol
Network Layer: Data Plane (SSL)
4-311/2/2017
4
Virtual-circuit networks need 3rd function Before datagrams can flow, end hosts and
routers between them establish a virtualrouters between them establish a virtual circuit Routers maintain state info Earlier networks designed initially to compete
with IP:ATM frame relay X 25 (from old to very old)ATM, frame relay, X.25 (from old to very old)
MPLS protocol designed about 10 years ago to provide virtual circuits supported by IP routers (typically within the same AS); it borrows the idea of “labels”(typically within the same AS); it borrows the idea of labels from ATM and frame relay
Today, such virtual circuits may serve as virtual links in Internetvirtual links in Internet
Network Layer: Data Plane (SSL)
4-411/2/2017
5
Network layer service models:y m
NetworkA hit t
ServiceM d l B d idth loss Order Ti i
Congestionf db k
Guarantees?
Architecture
Internet
Model
best effort
Bandwidth
none
loss
no
Order
no
Timing
no
feedback
no (TCP infersvia loss)
ATM
ATM
CBR
VBR
constantrateguaranteed
yes
yes
yes
yes
yes
yes
via loss)nocongestionnoATM
ATM
VBR
ABR
guaranteedrateguaranteed minimum
y
no
y
yes
yes
no
nocongestionyes
ATM UBR none no yes no no
Network Layer: Data Plane (SSL)
4-511/2/2017
6
Origins of datagram and VC Internet (datagram) data exchange between
c mput rs
ATM (VC) evolved from telephony
computers “elastic” service, no strict
timing requirement l k
human conversation: strict timing, loss
requirements many link types
different characteristics uniform service difficult
q need for guaranteed
services “dumb” end systems
“smart” end systems (computers) can adapt, perform
dumb end systems telephones complexity inside
networkcan adapt, performcontrol, error recovery
simplicity inside network, complexity at “edge”
network
Network Layer: Data Plane (SSL)
4-6
mp y g
11/2/2017
7
Network layer: data plane, control plane
Data plane local, per-router
Control planenetwork-wide logic, p
function determines how
d t i i
gdetermines how datagram is
routed among routers along end-end path from sourcedatagram arriving on an
input port is forwardedto an output port
end end path from source host to destination hostmain approach: routing protocols routing protocols
implemented in routers new approach
f d fi d
values in arriving packet header
software-defined networking (SDN): implemented in logically
t li d s (s)
1
23
0111
centralized server(s)
4-7Network Layer: Data Plane (SSL)
11/2/2017
8
Per-router control plane (more in Chapter 5)
Individual routing process in every router. They interact by exchanging routing protocol messages
RoutingRoutingAlgorithm
datal
controlplane
plane
1
2
0111
values in arriving packet header
4-8Network Layer: Data Plane (SSL)
23
11/2/2017
9
Logically centralized control plane(more in Chapter 5)
A distinct (typically remote) controller interacts with local control agents (CAs). The controller computes
troutes.Remote Controller
datapl n
controlplane
plane
CA
CA CA CA CACA CA CA CA
10111
values in arriving packet header
4-9Network Layer: Data Plane (SSL)
1
2
0111
311/2/2017
10
Chapter 4: outline4.1 Overview of Network
layer data plane
4.4 Generalized Forwarding and SDN
t h data plane control plane
4.2 What’s inside a
match action OpenFlow examples of
router 4.3 IP: Internet Protocol
d t m f m t
match-plus-action
datagram format fragmentation v4 addressing network address
translation IPv6
4-10Network Layer: Data Plane (SSL)
11/2/2017
11
Router architecture overview
routing processor
routing, managementcontrol plane (software)
forwarding tables computed, then pushed to input ports p
forwarding d t l
n r p n ( f w )to input ports
input ports output portshigh-speed
switchingfabric
data plane (hardware)
fabric
Physical layer Link
layer
buffering and table lookup
queueing and packet
h d li
Link layer
Physical layer
Network Layer: Data Plane (SSL) 4-11
layer lookup scheduling
11/2/2017
12
IPv4 addressing: CIDRClassful addressing (now obsolete): fixed-length subnet portion of 8, 16 or 24 bits
CIDR: Classless InterDomain Routing
p f ,
m subnet portion of address of variable lengthm address format: a.b.c.d/x, where x is # bits in
subnet portion of addresssubnet portion of address
11001000 00010111 00010000 00000000
subnetpart
hostpart
11001000 00010111 00010000 00000000
200.23.16.0/23
Network Layer: Data Plane (SSL)
4-1211/2/2017
13
Datagram networks IP 4 IPv4 no network-level concept of “connection” or “flow” each packet forwarded independently using each packet forwarded independently using
destination host address packets between same source-dest pair may take
diff t thdifferent paths
application lapplicationtransportnetworkdata link
applicationtransportnetworkdata link
1. Send data 2. Receive dataphysical data link
physical. c ata
Network Layer: Data Plane (SSL)
4-1311/2/2017
14
Forwarding table 4 billion possible entriesp
Destination Address Range Link Interface
11001000 00010111 00010000 00000000through 0
11001000 00010111 00010111 11111111
11001000 00010111 00011000 00000000through 1
11001000 00010111 00011000 1111111111001000 00010111 00011000 11111111
11001000 00010111 00011000 00000000through 2through 2
11001000 00010111 00011111 11111111
otherwise 3
Network Layer: Data Plane (SSL)
4-1411/2/2017
15
Longest prefix matchPrefix Link Interface
11001000 00010111 00010 0
11001000 00010111 00011000 111001000 00010111 00011000 1
11001000 00010111 00011 2
otherwise 3
DA: 11001000 00010111 00010110 10100001
otherwise 3Examples
Which interface?
DA: 11001000 00010111 00011000 10101010
DA: 11001000 00010111 00010110 10100001 f
Which interface?
A forwarding table in an Internet core router has more than 400,000 IP prefixes (from 2014 data)
Fast implementation uses Ternary Content
Network Layer: Data Plane (SSL)
4-1511/2/2017
Fast implementation uses Ternary Content Addressable Memory (TCAM), prefixes sorted in decreasing order (in length)
16
Virtual circuits: signaling protocolsg g p used to set up, maintain, tear down VC not used in Internet’s network layer but may be not used in Internet s network layer, but may be
used underneath the IP layer to provide a virtual link (e.g., MPLS tunnel)
applicationt nsp t application5 D t fl b i s 6 Receive datatransportnetworkdata linkphysical
appl cat ontransportnetworkdata link
1. Initiate call 2. incoming call3. Accept call4. Call connected
5. Data flow begins 6. Receive data
physical physical
Network Layer: Data Plane (SSL)
4-1611/2/2017
17
Virtual circuit (VC) call setup, teardown for each call before data can
flowflow each packet carries a VC identifier which
is fixed length and short only needs to be unique for a link is carried in an additional header inserted between link and
network layer headers (called layer 2½)y y
every router on source-dest path maintains state information for each passing VCinformation for each passing VC incoming and outgoing VC identifiers, resources allocated to VC (bandwidth, buffers)
Network Layer: Data Plane (SSL)
4-1711/2/2017
18
VC Forwarding table12 22 32
VC number
12 22 321 2
3
Forwarding table in interfacenumber
Incoming interface Incoming VC # Outgoing interface Outgoing VC #
gnorthwest router:
1 12 3 222 63 1 18 3 7 2 173 7 2 171 97 3 87… … … …
Forwarding is fast because short fixed-length VC numbers are Forwarding is fast because short fixed length VC numbers are used vs. IP forwarding table with variable-length prefixes. (This is not forwarding in IP layer but it is considered to be in data plane.)
Network Layer: Data Plane (SSL)
4-1811/2/2017
May have additional state information about service guarantees
19
Chapter 4: outline4.1 Overview of Network
layer data plane
4.4 Generalized Forwarding and SDN
t h data plane control plane
4.2 What’s inside a
match action OpenFlow examples of
router 4.3 IP: Internet Protocol
d t m f m t
match-plus-action
datagram format fragmentation v4 addressing network address
translation IPv6
4-19Network Layer: Data Plane (SSL)
11/2/2017
20
The Internet Network layerHost, router network layer functions:
Routing protocols IP protocol
Transport layer: TCP, UDP
f di
Routing protocols•path selection•RIP, OSPF, BGP
p•addressing conventions•datagram format•packet handling conventionsNetwork
layer forwardingtable ICMP protocol
•error reporting•router “signaling”
layer
Link layer
physical layer
Network Layer: Data Plane (SSL)
4-2011/2/2017
21
IP datagram format32 bitIP protocol version
l d
ver length
32 bitspnumber
header lengthfor
total datagramlength (bytes)head.
lentype ofservice
fragment16-bit identifier
headerchecksum
time tolivemax number
remaining hops
fragmentation/reassembly
“type” of data flgsfragment
offsetupperlayer
32 bit source IP addressremaining hops
(decremented at each router) 32 bit destination IP address
E idata
(variable length,upper layer protocolto deliver payload to
Options (if any) E.g. timestamp,record routetaken, specifylist of routersg
typically a TCP or UDP segment)
p y list of routers to visit.
Network Layer: Data Plane (SSL)
4-2111/2/2017
22
IP Fragmentation & Reassembly MTU (max.transfer size)
different link types, different MTUsdifferent MTUs
Support MTU of at least 576 bytes
fragmentation: in: one large datagramout: 3 smaller datagrams
too large IP datagram “fragmented” within net
ss bl d l t fi l reassembly reassembled only at final destination host
IP header bits used to id ntif d l t didentify, order related fragments
Network Layer: Data Plane (SSL)
4-2211/2/2017
23
IP Fragmentation and Reassembly
ID=x
offset=0
fragflag=0
length=4000Ex mple
3980 bytes of data=x =0=0=4000
One large datagram becomesseveral smaller datagrams
Example 4000 byte
datagramMTU 1500 b
ID=x
offset=0
fragflag=1
length=1500
MTU = 1500 bytes
1480 bytes inID=x
offset=185
fragflag=1
length=1500
1480 bytes in data field
offset =ID=x
offset=370
fragflag=0
length=1040
1480/8
Network Layer: Data Plane (SSL)
4-2311/2/2017
24
Chapter 4: outline4.1 Overview of Network
layer data plane
4.4 Generalized Forwarding and SDN
t h data plane control plane
4.2 What’s inside a
match action OpenFlow examples of
router 4.3 IP: Internet Protocol
d t m f m t
match-plus-action
datagram format fragmentation v4 addressing network address
translation IPv6
4-24Network Layer: Data Plane (SSL)
11/2/2017
25
IP Addressing: introduction IP address: 32-bit
identifier for an f
223.1.1.1
223 1 2 1interface interface: connection
between host/router
223.1.1.2223.1.1.4 223.1.2.9
223 1 2 2
223.1.2.1
between host/router and physical link (wired or wireless)
ll h
223.1.1.3223.1.2.2
223.1.3.27
a router typically has multiple interfaces
a host typically has one f
223.1.3.2223.1.3.1
interface223.1.1.1 = 11011111 00000001 00000001 00000001Dotted decimal notation
Network Layer: Data Plane (SSL)
4-25
223 1 11
11/2/2017
26
Subnets IP address: IP address:
subnet part (high order bits)
223.1.1.1
223 1 2 1 host part (low order
bits) What’s a subnet ?
223.1.1.2223.1.1.4 223.1.2.9
223.1.2.2
223.1.2.1
What s a subnet ? device interfaces
with same subnet
223.1.1.3223.1.2.2
223.1.3.27
subnet
part of IP address can physically reach
h th ith t
223.1.3.2223.1.3.1
each other without a router network consisting of 3 subnets
A layer-2 switch is considered part of a link
Network Layer: Data Plane (SSL)
4-2611/2/2017
ay r sw tch s cons r part of a n
27
Subnets 223.1.1.0/24 223.1.2.0/24
Recipe To determine the
subnets, detach each interface from its host or routerhost or router, creating islands of isolated networks. E h i l d k
223.1.3.0/24
Each isolated network is a subnet.
Subnet mask: /24Note: There are also virtual LANs (VLANs) –see Chapter 6
Network Layer: Data Plane (SSL)
4-2711/2/2017
see Chapter 6
28
Subnets 223.1.1.2SubnetsHow many? 223.1.1.1 223.1.1.4
223.1.1.3
223.1.7.0223.1.9.0
223 1 2 6 223 1 3 27
223.1.7.1223.1.8.0223.1.8.1
223.1.9.1
223.1.2.2223.1.2.1
223.1.2.6
223.1.3.2223.1.3.1
223.1.3.27
Network Layer: Data Plane (SSL)
4-2811/2/2017
29
IP addresses: how to get one?g
Q: How does host get IP address?Q g
hard-coded by system admin in a filey y
DHCP: Dynamic Host Configuration Protocol: d i ll t dd fdynamically get address from a server “plug-and-play”
Network Layer: Data Plane (SSL)
4-2911/2/2017
30
DHCP client-server scenario
223.1.1.1 223.1.2.1A DHCPserver
223.1.1.2223.1.1.4 223.1.2.9
B223.1.1.3
223.1.2.2
223.1.3.2223.1.3.1
223.1.3.27 E arriving DHCP client needsaddress in thisaddress in thisnetwork
A router may act as a relay agent
Network Layer: Data Plane (SSL)
4-3011/2/2017
31
DHCP client-server scenarioDHCP 223 1 2 5 i iDHCP server: 223.1.2.5 arriving
clientDHCP discoversrc : 0.0.0.0, 68 dest.: 255.255.255.255,67yiaddr: 0.0.0.0transaction ID: 654DHCP offer
src: 223.1.2.5, 67 dest: 255.255.255.255, 68yiaddr: 223.1.2.4transaction ID: 654Lifetime: 3600 secsDHCP request
time
src: 0.0.0.0, 68 dest:: 255.255.255.255, 67yiaddr: 223.1.2.4transaction ID: 655Lifetime: 3600 secsLifetime: 3600 secs
DHCP acksrc: 223.1.2.5, 67 dest: 255.255.255.255, 68yiaddr: 223 1 2 4
Discover & offer messages are optional
Network Layer: Data Plane (SSL)
4-31
yiaddr: 223.1.2.4transaction ID: 655Lifetime: 3600 secs11/2/2017
messages are optional
32
DHCP: more than IP addressDHCP more than IP address
DHCP can return more than just an allocatedDHCP can return more than just an allocated IP address on subnet: address of first-hop router for clientp name and IP address of DNS server network mask (indicating subnet portion of
dd )address)
Network Layer: Data Plane (SSL)
4-3211/2/2017
33
IP addresses: how to get them? ICANN (Internet Corporation for Assigned Names
and Numbers)/IANA (Internet Assigned Numbers A th it )Authority) allocates IP address blocks (IPv4 address exhaustion on
1/31/2011, IPv6), ) oversees DNS
root name servers, top level domain name servers (domain name registries)name registries)
domain name registrars, resolves disputes
Regional, national, and local Internet registries, and ISPs End-user organization can be assigned IP address space from
Network Layer: Data Plane (SSL)
4-33
End user organization can be assigned IP address space from one of the above
11/2/2017
34
IP address prefix: how to get one?p f g
A: Typically a customer network gets allocatedA: Typically, a customer network gets allocated a portion of its provider ISP’s address space
ISP's block 11001000 00010111 00010000 00000000 200.23.16.0/20
Organization 0 11001000 00010111 00010000 00000000 200 23 16 0/23Organization 0 11001000 00010111 00010000 00000000 200.23.16.0/23 Organization 1 11001000 00010111 00010010 00000000 200.23.18.0/23 Organization 2 11001000 00010111 00010100 00000000 200.23.20.0/23
... ….. …. ….Organization 7 11001000 00010111 00011110 00000000 200.23.30.0/23
Network Layer: Data Plane (SSL)
4-3411/2/2017
35
Hierarchical addressing: route aggregationallows efficient advertisement of routing information
“Send me anythingwith address beginning
200.23.16.0/23Organization 0
Organization 1 g g200.23.16.0/20 ”200.23.18.0/23
Fly-By-Night-ISP
Organization 1
200.23.20.0/23Organization 2
..
200.23.30.0/23Organization 7
Internet
“Send me anything
.....
ISPs-R-Us Send me anythingwith address beginning 199 31 0 0/16 ”
Network Layer: Data Plane (SSL)
4-35
199.31.0.0/16
11/2/2017
36
Hierarchical addressing: more specific routesISPs-R-Us has a more specific route to Organization 1 Hole(s) in a block of addresses <- reason for longest
fi t hprefix match
“Send me anything200.23.16.0/23Organization 0
y gwith address beginning 200.23.16.0/20 ”
Fly-By-Night-ISP200 23 20 0/23Organization 2
.
200.23.30.0/23
Fly-By-Night-ISP
Organization 7Internet
200.23.20.0/23...
...
200.23.18.0/23Organization 1
ISPs-R-Us “Send me anythingwith addressbeginning 199.31.0.0/16or 200.23.18.0/23 ”
Network Layer: Data Plane (SSL)
4-3611/2/2017
37
NAT: Network Address Translation
local networkrest of
10.0.0.1
10 0 0 4
10.0.0/24Internet
10.0.0.210.0.0.4
138.76.29.7
10.0.0.3
Datagrams with source or destination within network
All datagrams leaving localnetwork have same single source destination within network
have 10.0.0/24 addresses for source, destination
network have same single source NAT IP address: 138.76.29.7,different source port numbers
Network Layer: Data Plane (SSL)
4-3711/2/2017
38
NAT: Network Address Translation
Motivation: local network uses just one IP address as f id ld i dfar as outside world is concerned
h dd f d i i l l t k can change addresses of devices in local network without notifying outside world
can change ISP without changing addresses of can change ISP without changing addresses of devices in local network
devices inside local net not explicitly dd bl / i ibl b t id ld ( it l )addressable/visible by outside world (a security plus).
Network Layer: Data Plane (SSL)
4-3811/2/2017
39
NAT: Network Address Translation
1: host 10.0.0.1 s nds d t m ith
NAT translation tableWAN side addr LAN side addr2: NAT router
sends datagram withport number 3345
WAN side addr LAN side addr138.76.29.7, 5001 10.0.0.1, 3345…… ……
changes datagram’ssource addr and portnumber
10.0.0.1
S: 10.0.0.1, 3345D: 128.119.40.186, 80
110 0 0 4
S: 138.76.29.7, 5001210.0.0.2
10.0.0.4
138.76.29.7 S: 128.119.40.186, 80 D: 10.0.0.1, 3345 4
D: 128.119.40.186, 802
S: 128 119 40 186 80 3 10.0.0.3S: 128.119.40.186, 80 D: 138.76.29.7, 5001 33: Reply arrives for138.76.29.7, 5001
4: NAT routerchanges datagram’sdest addr and port number
Network Layer: Data Plane (SSL)
4-39
to 10.0.0.1, 334511/2/2017
40
NAT: Network Address Translation
16-bit port-number field: 60 000 i lt ti ith i l 60,000+ simultaneous connections with a single IP address
NAT is controversial:NAT is controversial: routers should only process up to layer 3
o violates “end-to-end argument” NAT possibility must be taken into account by
app designers, e.g., P2P, IPsec applications, etc.dd h t h ld i t d b l d b address shortage should instead be solved by
IPv6
Network Layer: Data Plane (SSL)
4-4011/2/2017
41
NAT traversal problem client wants to connect to
server with address 10.0.0.1 only one externally visible IPonly one externally visible IP
address: 138.76.29.7
configure NAT to forward
10.0.0.1Client ?
configure NAT to forward incoming connection requests at given port to server e g (123 76 29 7 port 2500)
10.0.0.4
NAT t
138.76.29.7 e.g., (123.76.29.7, port 2500)
always forwarded to 10.0.0.1 port 2500
router
Network Layer: Data Plane (SSL)
4-4111/2/2017
42
NAT traversal problem solution used in original Skype (note:current Skype is no
longer P2P)ith h l f ( ) l with help of a super peer (server) as relay
1. connection to2. connectionClient B
Cli t A
10.0.0.1
relay initiatedby client B
2. connection to relay initiatedby client A 3. Relay provides
138.76.29.7Client A
NAT router
y 3. Relay provides A’s address to B, which can then open a direct
B h h b b hi d NAT
pconnection to A
Network Layer: Data Plane (SSL)
4-42
Both hosts may be behind NATs11/2/2017
43
Chapter 4: outline4.1 Overview of Network
layer data plane
4.4 Generalized Forwarding and SDN
t h data plane control plane
4.2 What’s inside a
match action OpenFlow examples of
router4.3 IP: Internet Protocol
d t m f m t
match-plus-action
datagram format fragmentation v4 addressing network address
translation IPv6
4-43
Network Layer: Data Plane (SSL)
11/2/2017
44
IPv6IPv6 Initial motivation: 32-bit address space soon
l l ll dto be completely allocated. Additional motivation:
simpler header format to speed up processing/forwarding
header change to facilitate QoS header change to facilitate QoS IPv6 datagram format:
fixed-length 40 byte header fixed length 40 byte header no fragmentation allowed
Network Layer: Data Plane (SSL)
4-4411/2/2017
45
IPv6 Header (Cont)P ( b ) d f f d h flPriority (8 bits): identify priority of datagrams within flow
or in different appsFlow Label (20 bits): identify datagrams in same “flow.” ( ) fy g f
(concept of “flow” not defined).Next header: identify upper layer protocol for data
Network Layer: Data Plane (SSL)
4-4511/2/2017
46
Other Changes from IPv4Other Changes from IPv4
Checksum: removed entirely to reduce Checksum: removed entirely to reduce processing time at each hop
Options: allowed, but outside of header, p , f ,indicated by “Next Header” field
ICMPv6: new version of ICMP additional message types, e.g. “Packet Too Big” including multicast group management functions
Network Layer: Data Plane (SSL)
4-4611/2/2017
47
Transition From IPv4 To IPv6Trans t on From IPv4 To IPv6
Not all routers can be upgraded simultaneouslyNot all routers can be upgraded simultaneously no “flag day” How will the network operate with mixed IPv4 and p
IPv6 routers?
T li IP 6 i d l d i IP 4 Tunneling: IPv6 carried as payload in IPv4 datagram among IPv4 routers (also vice versa)
Network Layer: Data Plane (SSL)
4-4711/2/2017
48
TunnelinggA B E F
IPv6 IPv6 IPv6 IPv6
tunnelLogical view:IPv6 IPv6 IPv6 IPv6
Physical view:A B E F
P 6 PIPv6 IPv6 IPv6 IPv6IPv4 IPv4
Network Layer: Data Plane (SSL)
4-4811/2/2017
49
TunnelingA B E FA B E F
IPv6 IPv6 IPv6 IPv6
tunnelLogical view:
Physical view:A B E F
IPv6 IPv6/v4 IPv6/v4 IPv6
C D
IPv4 IPv4
Flow: XSrc: ADest: F
Flow: XSrc: ADest: F
Flow: XS A
Src:BDest: E
Flow: XS A
Src:BDest: E
Routers B and Ehave dual stacks.
In this exampledata data
Src: ADest: F
data
Src: ADest: F
data
In this example, B encapsulates v6 packet in v4 packet.
B-to-C:IPv6 inside
D-to-E:IP 6 i id
A-to-B:IPv6
E-to-F:IPv6
p
E extracts v6 packet from v4 packet.
Network Layer: Data Plane (SSL)
4-49
IPv6 insideIPv4
IPv6 insideIPv4
11/2/2017
50
Concept – Tunnel as a virtual link
Many possibilities:
IPv6 in IPv4 tunnel (previous example)
IPv4 in IPv6 tunnel
IPv4 in IPv4 tunnel (new routing path) IPv4 in IPv4 tunnel (new routing path)
IPv4 in MPLS tunnel (virtual circuit)
…
11/2/2017Network Layer: Data Plane
(SSL)4-50
51
Chapter 4: outline4.1 Overview of Network
layer data plane
4.4 Generalized Forwarding and SDN
t h data plane control plane
4.2 What’s inside a
match action OpenFlow examples of
router4.3 IP: Internet Protocol
d t m f m t
match-plus-action
datagram format fragmentation v4 addressing network address
translation IPv6
4-51Network Layer: Data Plane (SSL)
11/2/2017
52
Generalized Forwarding and SDNEach router contains a flow table that is computed andEach router contains a flow table that is computed and distributed by a logically centralized routing controller
logically-centralized routing controller
t l lcontrol plane
data planelocal flow table headers for
link networkheaders counters actions link, network, transport layers
230100 1101
1
23
values in arrivingPacket’s header 4-52Network Layer: Data Plane
(SSL)
11/2/2017
53
OpenFlow abstractionh i ifi diff ki d f d i
Router (layer3)t h l t
Firewallt h IP dd
match+action: unifies different kinds of devices
• match: longest destination IP prefix
• action: forward to
• match: IP addresses and protocol field, TCP/UDP port
one or more ports
Switch (layer 2)
pnumbers
• action: permit or deny Switch (layer 2)
• match: destination MAC address
ti f d t
deny NAT
• match: IP address d t• action: forward to
port or floodand port
• action: rewrite address and portp
4-53Network Layer: Data Plane (SSL)
11/2/2017
54
OpenFlow data plane abstraction fl d fi d b h d fi ld (f li k k flow: defined by header fields (for link, network, transport
layers - with wildcards) generalized forwardingg g
Flow entry: match fields, priority, counters Actions: for matched packet - forward (to 1 or more
) d dif h k d iports), drop, modify the packet, or send it to controller
Flow table in a router/packet switch (computed and distributed by controller) defines router’s match+action rulesby controller) defines router s match+action rules
4-54Network Layer: Data Plane (SSL)
11/2/2017
55
OpenFlow data plane abstraction flow: defined by header fields flow: defined by header fields generalized forwarding
Flow entry: match fields, priority, counters Actions: for matched packet – forward (to 1 or more ports), drop, modify p ( p ), p, y
the packet, or send it to controller
Flow entry examples:
1. src=1.2.*.*, dest=3.4.5.* drop * : wildcard
2. src = *.*.*.*, dest=3.4.*.* forward(2)
3. src=10.1.2.3, dest=*.*.*.* send to controller
: wildcard
3. src 10.1.2.3, dest . . . send to controller
4-5511/2/2017
Network Layer: Data Plane (SSL)
56
Destination-based layer-3 forwarding:Examples
y g
*
SwitchPort
MACsrc
MACdst
Ethtype
VLANID
IPSrc
IPDst
IPProt S port D port Action
* * * * * 51.6.0.* * * * port65 .6.0. port6forward IP datagrams with destination IP address 51.6.0.* to router
output port 6 Firewall:
*
SwitchPort
MACsrc
MACdst
Ethtype
VLANID
IPSrc
IPDst
IPProt S port D port Action
* * * * * * 17 * * dropdrop all IP datagrams containing UDP segments
Switch MAC MAC Eth VLAN IP IP IP A ti
*
Port src dst type ID Src Dst Prot S port D port Action
* * * * * * * 35601 dropdrop all IP datagrams that match src 128.119.1.* and D port 35601
128.119.1.*p g p
4-5611/2/2017
Network Layer: Data Plane (SSL)
57
Examples (cont.)
Destination-based layer 2 (switch) forwarding:Switch MAC MAC Eth VLAN IP IP IP S port Action
*
Port src dst type ID Src Dst Prot S port D port Action
* * * * * * * port3
forward layer 2 frames destined for MAC address
22:A7:23:11:E1:02*
forward layer 2 frames destined for MAC address 22:A7:23:11:E1:02 to output port 3
4-57
Network Layer: Data Plane (SSL)
11/2/2017
58
OpenFlow example Example: datagrams from hosts h5 and h6should be sent to h3 or
IP Src = 10.3.*.*IP Dst 10 2 * * forward(3)
match action
Host h6
should be sent to h3 or h4, via s1 and from there to s2 (avoiding s3-s2 link)IP Dst = 10.2.*.* f ( )
s312
3 4
10.3.0.6controller
)
Allow rules that cannot be
Host h510.3.0.5
3accomplished by IP forwarding
Host h110 1 0 1
Host h410.2.0.4
s1 s212
34
12
34
ingress port = 2IP Dst = 10 2 0 3 forward(3)
match action
ingress port = 1match action
10.1.0.1Host h210.1.0.2
Host h310.2.0.3 IP Dst = 10.2.0.3
ingress port = 2IP Dst = 10.2.0.4 forward(4)
ingress port = 1IP Src = 10.3.*.*IP Dst = 10.2.*.*
forward(4). . .
4-5811/2/2017 Network Layer: Data Plane (SSL)
59
Chapter 4Chapter 44.1 Overview of Network
layer: data plane and t l l
4.4 Generalized Forward and SDN
m t h pl s ti ncontrol plane4.2 What’s inside a
router
• match plus action• OpenFlow examples
Question: how are forwarding tables (destinati n based
4.3 IP: Internet Protocol• datagram format• fragmentation tables (destination-based
forwarding) or flow tables (generalized forwarding)
fragmentation• v4 addressing• NAT
P computed?Answer: by the control plane (next chapter)
• IPv6
(next chapter)
4-59Network Layer: Data Plane (SSL)
11/2/2017
60
End of Chapter 4End of Chapter 4
Recommended