Software Defined Networks (SDN) / OpenFlow: Experience sharing. Baraki H. Abay, Nov 04, 2011


Outline
- Legacy networks
- Software defined networks: motivation, architecture, principles
- OpenFlow: principles, architecture
- OpenFlow basics: flow table, controller, protocol
- How it works
- Centralized vs distributed, aggregated vs flow-based, proactive vs reactive
- Network slicing: FlowVisor
- How to get started playing with OpenFlow
- Industry trends
- Demo screenshots

Current Networking Scheme
- Fully distributed protocols: hard to add a feature to a network
- The network is closed to research and innovation
- Network administrators and researchers can only configure devices
- Software is embedded by industry
- Data plane and control plane sit in the same device
- Routers and switches are locked
- Packet forwarding and forwarding decisions are controlled by the underlying switches and routers

[Figure: closed system. Each device is packet forwarding hardware with its own operating system and apps on top.]

Mitigation approach
- Open development environment for networking
- Isolation: the regular production network is untouched
- Virtualized and programmable networks: Software Defined Networking (SDN)

Software Defined Networking (SDN)
- A network architecture for remotely controlling network hardware with software
- Opens the closed network
- Enables innovation by researchers, operators, and application/service providers
- Managed by the Open Networking Foundation (ONF)

SDN Architecture Principles
- Separation of data and control planes, with a well-defined API/protocol between the two
- Logically centralized control plane with an open API for network applications and services
- Network slicing and virtualization to support experimentation on a production network
[Figure: the control path (software) talks to the data path (hardware) over a protocol/API; a network operating system runs the apps through an open API.]

Software Defined Networking principles
1. Open interface to hardware
2. Operating system
3. Open API

OpenFlow: What is OpenFlow?
- OpenFlow is an open standard to deploy innovative protocols in production networks (openflow.org)

OpenFlow motivation
- Network changes are sluggish: the need for programmable networks
- Goal: use a centralized controller to determine traffic forwarding
- Principle: separate the control plane from the data plane

OpenFlow
- SDN protocol (API) that modifies forwarding tables in network switches
- Added as a feature to commercial Ethernet switches, routers and wireless access points
- Developed by Stanford University
- Sits between a switch and a controller
- Allows the path of packets through the network of switches to be determined by software running on a separate server

- Vendor independent
- The protocol is open source

Version status
- OF 1.0: most widely used version
- OF 1.1: multiple tables and counters
- OF 1.2: wire protocol, IPv6, basic configuration
- OF 1.3: topology discovery, test processes
- OF 1.4: capability discovery, test labs

Classic Switch vs OpenFlow Switch
Classic switch/router:
- Data path and control path run on the same device
- Data path: the packet forwarding path
- Control path: routing decisions
- The control plane runs all the control protocols (including port aggregation, STP, TRILL, MAC address learning and routing protocols)
OpenFlow-enabled switch/router:
- Separates the data path and the control path
- The data path portion still resides on the switch
- High-level routing decisions reside in the controller
- The OpenFlow switch and the controller communicate via the OpenFlow protocol

OpenFlow Specification Basics
- Consists of at least three parts:
  - Flow table: defines how the switch will process each flow
  - Secure channel to connect to the controller
  - OpenFlow protocol (API)
[Figure: an OpenFlow switch with a flow table (hardware) and a secure channel (software), connected to a controller PC over the OpenFlow protocol (SSL).]

- Flow tables are set up on the switches
- The controller talks to the switch via the OpenFlow protocol

Flow Table Entry
- A flow table consists of a set of entries against which incoming packets are compared
- Each flow entry consists of match fields, counters and actions
- Matching starts at the first flow table
- Flow entries are matched in priority order
- Match found: apply the instructions
- Match not found: the packet is forwarded to the controller over the OpenFlow channel, dropped, or may continue to the next flow table

Table entry
Rule (match fields): Switch port | MAC src | MAC dst | Eth type | VLAN ID | IP src | IP dst | IP proto | TCP sport | TCP dport
Action:
- Forward packet to port(s)
- Encapsulate and forward to controller
- Drop packet
- Send to normal processing pipeline
Stats (packet and byte counters):
- Per table: active entries, packet lookups, packet matches
- Per flow: received packets, received bytes, duration
- Per port: received packets, transmitted packets, received bytes, transmitted bytes, receive drops, transmit drops, receive errors, transmit errors, collisions


Actions
- Switching and routing
- Firewall
- Using non-OpenFlow logic
- Send to controller

Secure channel
[Figure: the secure channel sits in the switch's software side, between the flow table and the controller PC, carrying the OpenFlow protocol over SSL.]
- SSL connection with a site-specific key
- Controller discovery protocol
- Encapsulates packets for the controller
- Sends link/port state to the controller

OpenFlow Protocol Message Types
Controller-to-switch:
- Used to directly manage or inspect the state of the switch
- May or may not require a response from the switch
- Message types: Features, Configuration, Read-State, Modify-State, Barrier
Asynchronous:
- Update the controller on network events and changes to the switch state
- Sent by the switch without the controller soliciting them
- Tell the controller about a packet arrival, a switch state change, or an error
- Message types: Packet-in, Flow-Removed, Port-status, Error
Symmetric:
- Message types: Hello, Echo, Experimenter

The OpenFlow controller
- Remotely controls and manipulates the flow tables in switches
- Available open-source controllers: NOX, Beacon, SNAC
- FlowVisor: a special type of controller that acts as a proxy between OpenFlow switches and multiple controllers; it slices the network resources and delegates a controller to each slice

How does OpenFlow work?
Switch:
- Packet in from the network
- Check for a match
- Match: apply the actions
- No match: send to the controller over the secure channel
Controller:
- Packet in from the switch
- Extract the destination address of the packet
- Define a table entry to create a path for the packet
- Send a message to each switch in the path the packet will traverse

[Figure: four OpenFlow switches (OFS) and a controller PC, with hosts 192.168.0.1, 192.168.0.2, 10.4.0.2, 10.5.0.2, 192.10.0.1 and 192.10.0.2 attached. For a packet from 192.168.0.2 to 10.4.0.2, each switch asks "Entry available?", and the controller installs a rule (Rule / Action / Statistics) in every switch on the path.]

Flow match examples
[Figure: a table of example flow rules (match fields) and their actions.]

Controller Usage Models: Centralized vs Distributed Control
[Figure: centralized control, one controller PC managing all OpenFlow switches; distributed control, several controller PCs each managing its own OpenFlow switches.]

Flow Routing vs Aggregation
Flow-based:
- Every flow is individually set up by the controller
- Exact-match flow entries
- The flow table contains one entry per flow
- Good for fine-grained control
Aggregated:
- One flow entry covers a large group of flows
- Wildcard flow entries
- The flow table contains one entry per category of flows
- Good for a large number of flows

Reactive vs Proactive
Reactive:
- The first packet of a flow triggers the controller to insert flow entries
- Efficient use of the flow table
- Every flow incurs a small additional setup time
- The switch has limited utility if the control connection is lost
Proactive:
- The controller pre-populates the flow table in the switch
- Zero additional flow setup time
- Loss of the control connection doesn't disrupt traffic
- Requires aggregated rules

Open Controllers
Controller   Language      Platform
NOX          C++, Python   Linux
Beacon       Java          Win, Mac, Linux, Android
Maestro      Java          Win, Mac, Linux
Trema        Ruby, C       Linux

Network Slicing Concept
- Divide the production network into logical slices
- Each slice/service controls its own packet forwarding
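The flow-table matching, the reactive learning-switch controller and the proactive aggregated (wildcard) entries described in the preceding slides, as one added Python model (not code from the talk or from any controller): a packet that misses the table is handed to the controller, which learns MAC-to-port mappings and installs exact-match entries, while a higher-priority wildcard entry pushed proactively still wins. MAC addresses, ports and packets are constructed sample data.

```python
# Added example, not from the slides: a small model of an OpenFlow 1.0-style flow
# table plus a reactive learning-switch controller, showing priority-ordered matching,
# exact vs wildcard (aggregated) entries, per-flow counters and the table-miss path.
# MAC addresses, ports and packets are constructed sample data.

CONTROLLER = "controller"   # pseudo-action: encapsulate and forward to the controller
FLOOD = "flood"             # forward out every port except the ingress port


class FlowTable:
    def __init__(self):
        self.entries = []   # each: match, priority, action, packets, bytes

    def add(self, match, action, priority=100):
        # A match field absent from `match` is a wildcard.
        self.entries.append({"match": dict(match), "priority": priority,
                             "action": action, "packets": 0, "bytes": 0})
        self.entries.sort(key=lambda e: -e["priority"])   # highest priority first

    def lookup(self, pkt):
        """Apply the first matching entry (updating its counters); miss -> controller."""
        for e in self.entries:
            if all(pkt.get(k) == v for k, v in e["match"].items()):
                e["packets"] += 1
                e["bytes"] += pkt.get("len", 0)
                return e["action"]
        return CONTROLLER


class LearningController:
    """Reactive model: the first packet of a flow is sent to the controller, which
    learns the source MAC's port and, once the destination is known, installs an
    exact-match entry so the rest of the flow is switched without further packet-ins."""

    def __init__(self):
        self.mac_to_port = {}

    def packet_in(self, table, pkt):
        self.mac_to_port[pkt["mac_src"]] = pkt["in_port"]
        out = self.mac_to_port.get(pkt["mac_dst"], FLOOD)
        if out != FLOOD:   # flow-based: one exact-match entry per (src, dst) pair
            table.add({"mac_src": pkt["mac_src"], "mac_dst": pkt["mac_dst"]},
                      ("output", out), priority=200)
        return ("output", out)


def forward(table, ctrl, pkt):
    """Data path: table lookup first; only a miss costs a round trip to the controller."""
    action = table.lookup(pkt)
    return ctrl.packet_in(table, pkt) if action == CONTROLLER else action
```

Pushing the `{"tcp_dport": 23}` drop entry at priority 300 before any traffic arrives is the proactive, aggregated case; the learned `("output", port)` entries at priority 200 are the reactive, flow-based case, and losing the controller connection only affects flows that have not yet been learned.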

[Figure: a slicing layer between the switch data plane and multiple controllers (network operating systems).]

FlowVisor
- A tool for slicing OpenFlow networks: creating multiple isolated and programmable logical networks on the same physical topology
- Enforces slicing policies
- The policy specifies resource limits for each slice: link bandwidth, maximum number of forwarding rules, topology, fraction of switch/router CPU

Virtual networks through FlowVisor
[Figure: three OpenFlow switches connected to FlowVisor over the OpenFlow protocol; FlowVisor in turn speaks the OpenFlow protocol to three controller PCs: the research 1 controller, the production network controller and the research 2 controller.]
- FlowSpace: maps packets to slices
- Topology discovery is per slice

OpenFlow gains
- Increased network control
- Increased network flexibility
- Shared infrastructure makes innovation easier
- The current network infrastructure, LAN and WAN, does not allow for much experimenting: in many cases it is a production network, there are firmware limitations, or both

- Building an alternative network is likely to be expensive. Sharing of resources is one of the inherent features of OpenFlow: if deployed across a production network, it is possible to delegate a slice of that network's resources to research, effectively sharing the infrastructure.

Some OpenFlow applications
- Wireless mobility/migration
- Redirecting specific application traffic to a remote site
- Network virtualization
- Power management
- Load balancing
- Traffic engineering
- Security applications: load balancing, firewall
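The FlowVisor slicing model from the slides above (FlowSpace mapping packets to slices, and per-slice resource limits such as the maximum number of forwarding rules), as an added Python model that is not FlowVisor's own code: packet-ins are delivered only to the slice whose flowspace matches, and a slice's flow_mod is accepted only if it stays inside its own flowspace and rule budget. Slice names, flowspaces and limits are constructed; this model rejects an out-of-flowspace rule rather than rewriting it.

```python
# Added example, not from the slides: a minimal FlowVisor-style slicing proxy.
# Each slice owns a flowspace (the match fields it may control) and a rule budget.
# Slice names, flowspaces, limits and packets are constructed sample data.

def covers(space, match):
    """True if every field fixed by `space` has the same value in `match`.
    Fields absent from `space` are wildcards: `match` may refine them but
    may not leave a field that `space` fixes unspecified (that would widen it)."""
    return all(match.get(k) == v for k, v in space.items())


class Slice:
    def __init__(self, name, flowspace, max_rules):
        self.name, self.flowspace, self.max_rules = name, flowspace, max_rules
        self.rules = []


class FlowVisor:
    def __init__(self, slices):
        self.slices = slices   # checked in order: a catch-all slice belongs last

    def slice_for_packet(self, pkt):
        """Packet-in from a switch: deliver it only to the owning slice's controller."""
        for s in self.slices:
            if covers(s.flowspace, pkt):
                return s.name
        return None   # no slice owns this traffic; nothing is forwarded upward

    def flow_mod(self, slice_name, match, action):
        """Flow_mod from a slice's controller, policed before it reaches the switch."""
        s = next(x for x in self.slices if x.name == slice_name)
        if not covers(s.flowspace, match):
            return "rejected: match outside slice flowspace"
        if len(s.rules) >= s.max_rules:
            return "rejected: slice rule limit reached"
        s.rules.append((match, action))
        return "installed"
```

A slice whose flowspace is `{"vlan_id": 10}` can install `{"vlan_id": 10, "tcp_dport": 80}` but not `{"tcp_dport": 80}`, since the latter wildcards the VLAN and would capture the other slices' traffic.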

Current version OpenFlow limitations
- Non-flow-based (per-packet) networking
- Using all tables on switch chips
- New forwarding primitives
- New packet formats/field definitions
- Low setup time for individual flows (but flows can be pushed proactively)
- Forcing all of a flow's packets to pass through the controller: easy to implement, poor performance; can be used to test the functionality of a new protocol

Industry support
- Many vendors have implemented OpenFlow in their devices

How to get started with OpenFlow
Switch:
- Software switches: reference Linux user-space switch, reference Linux kernel-space switch, Open vSwitch
- Hardware switches: OpenFlow-enabled commercial switches, e.g. Pronto
Controller:
- Reference learning switch controller
- NOX, Beacon, SNAC

Reference Linux user-space switch: this implementation runs on the widest variety of systems and is easy to port. It is also the slowest, as it cannot take advantage of multiple CPUs and requires kernel-to-user-space transitions. It supports as many ports as you can fit in a PC (8+), including wired and wireless ports.

Reference Linux kernel-space switch: this switch offers more control and debug options, plus more speed, than the user-space switch. It supports as many ports as you can fit in a PC (8+), including wired and wireless ports.

NetFPGA switch: this switch offers line-rate performance for 4 Gigabit ports, regardless of packet size, via hardware acceleration. It requires the purchase of a NetFPGA card, which is $500 for researchers and $1000 for industry. More NetFPGA details are available at www.netfpga.org.

Open vSwitch: a multilayer virtual switch, licensed under the open-source Apache 2 license, with OpenFlow support. Open vSwitch currently supports multiple virtualization technologies including Xen/XenServer, KVM, and VirtualBox. More details are available at openvswitch.org.

SNAC (Simple Network Access Control): an OpenFlow controller that uses a web-based policy manager to manage the network.

What can we do with OpenFlow
- Write, configure, deploy
- Experiment with our networks
- Develop network applications on top of existing controllers (e.g. NOX, Beacon)
- Customize controllers
- Extend existing controllers
- Develop our own controller

Example: Developing on NOX
- Basics: components and events
- Develop components that handle events
- Components can be developed in C++, Python, or a combination of the two
- NOX built-in components: core apps, network apps, web apps, third-party extensions
Example: a component

Events
- Events drive execution in NOX
- Core events: Datapath_join event, Packet_in event
- Application events: Host_in event, Flow_in event, etc.
- Components post events for other applications to handle
- Register for the packet_in event

OpenFlow Practice
- Using virtual machines
- Required software: virtualization software (VirtualBox); an X server (Windows: Xming; Mac: X11; Linux: X server installed)
- Development tools: Mininet, Wireshark, benchmark controller with iperf

What can we do in the tutorial
- Create a learning switch: NOX controller (Python, C++), Beacon (Java)
- Control a slice of a real network
- Create a router
- Create a firewall

Some Demos
Dynamic Flow Aggregation on an OpenFlow Network
- Dynamically define flow granularity by wildcarding arbitrary header fields
- Granularity is on the switch flow entries; no packet rewrite or encapsulation
ElasticTree: reducing energy in data centers
- Shuts off links and switches to reduce data center power
- OpenFlow provides the network routes and port statistics

Some OpenFlow Demos

Aster*x: Load-Balancing Web Traffic over Wide-Area Networks (by Stanford)
- Load-balancing system for services hosted at different sites
- Considers network congestion and server load
- Handles the dynamic adding and removing of resources

OFELIA: Pan-European Test Facility for OpenFlow Experimentation
- Test facility for network experiments based on OpenFlow
- Allows the dynamic creation of virtual machines to be used as sources, sinks and controllers for OpenFlow switches

Network Virtualization using EXOS OpenFlow
- Flexible definition of virtual networks, dynamic scaling of the virtual networks, and isolation of the virtual networks from physical network changes

Industry trend
- Increased interest in data centers, service providers (for example, to slice their networks based on bandwidth) and enterprise networks

Questions?

References
- http://www.openflow.org/
- http://opennetsummit.org/
- OpenFlow white paper
- http://noxrepo.org/wp/
- Slides from Brandon Heller (Stanford), Srini Seetharaman, Martin Casado
- Internet2 Joint Techs, Clemson
- Open Networking Summit 2011 talks and slides