Segment routing in container networks
Ben de Graaff
Supervisor: Marijke Kaat (SURFnet/UvA)
RP95
Best path (Background)
[Diagram: nodes 1-5 between hosts A and B]
Arbitrary paths (Background)
A > 1 > 4 > B
Pure IPv6 (SRv6) (Background)
[Diagram: same topology with node SIDs 2000:1:: to 2000:5::, 2000:A:: and 2000:B::; segment list 2000:1::2, 2000:1::3, 2000:1::A]
Container networks (Background)
[Diagram: containers connected to the Internet]
Platform independent (Background)
[Diagram: LXC containers connected to the Internet]
Multi-tenancy (Background)
[Diagram: tenants connected to the Internet]
Example: load balancer (Background)
[Diagram: load balancer (LB) applying a transit policy]
Research
State of segment routing in IPv6
Proof of concept: container networking, network functions
Network programming
[Diagram: nodes 1-5 between src and dst]
src > 1 > 4 > dst
[Diagram: packet carrying segment list 4, dst from src]
Segment routing header
[Diagram: Header (Segments left), Segment 0 ... Segment N, Extensions]
Proof of concept
Validate policy
Apply policy
Multi-tenancy
[Diagram: tenants connected to the Internet, each with its own segment IDs]
Segment ID
2000:A::1000:1, 2000:B::1000:2, 2000:C::1000:3
2000:B::1000:1, 2000:B::1000:2, 2000:B::1000:3
2000:C::1000:1, 2000:C::1000:3
Results
Container discovery/mobility
Routing opaque addresses
[Diagram: topology with opaque container addresses ::1:2:3:4 and ::a:b:c:d]
1: Inject SRH
2: NF
3: Deliver
Compute final hop
Implementation
Hardware/software
Results
Linux kernel 4.10+
Basic routing/policy
Limited extension support
Implementation quirks…
Results
Hardware
NCS 5500
Software
Vector Packet Processing
The Fast Data Project
SRv6 availability (Results)
Technical stuff
Technical implementation
http://www.story-stick.net/event/here-be-dragons
Virtual topology (Results)
[Diagram: VMs running VPP, containers, and a network function container]
eBPF
Latest & greatest
Process directly in kernel
Fast, powerful
Results
myprog.c + LLVM = bytecode
⇓
bpf() syscall
⇓
Kernel network stack
eBPF (Results)
[Diagram: eth0 -> tc filter bpf -> ingress eBPF (bpf_redirect) -> veth -> container; egress eBPF; control app: validate policy, apply policy; two items marked ✗]
Results
Linux do-it-yourself
Tun/tap, AF_PACKET, ip rule, iptables fwmark, PF_RING, ...
Linux do-it-yourself (Results)
[Diagram: eth0, raw socket (AF_PACKET) ingress app and egress app, tun device, ip rule, veth to container; validate policy, apply policy]
Summary (Results)
Validate policy
Apply policy
Ingress policy enforcement? (Discussion)
[Diagram: Internet -> eth0 -> ingress / egress -> veth -> container with firewall (FW)]
Future work
Ingress path control
Linux segment routing Netlink API
Develop useful extensions
Conclusion
Proof of concept: works
SDN easy, at cost of overhead
Hardware not strictly required
Related work
Cisco, Bell Canada, Comcast, et al., technical workshops @ www.segment-routing.net
NFV with SRv6, with SRH unaware hosts (NetSoft 2017, presented today)
Segment routing in container networks
Segment routing is effective at enabling SDN and network functions between containers
However, it is not yet widely supported in hardware or software
RP95
Check out the report for a full list of references
http://rp.delaat.net/2016-2017/p95/report.pdf
Backup slides
Security/RH0
Enforce policy at network edges
SIDs must be explicitly enabled
HMAC: check at ingress
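Added example, not code from the report or the slides: a Python parser for the SRv6 segment routing header (RFC 8754 layout: routing type 4, Segments Left, Last Entry, then the segment list in reverse order) that applies the edge check the slide describes, accepting a packet only when every segment still to be visited is an explicitly enabled SID and rejecting any other routing header type, RH0 included. The SID allow-list and the A > 1 > 4 > B path are constructed from the addresses used in the Background slides and are not the project's configuration.

```python
import ipaddress
import struct

SRH_ROUTING_TYPE = 4  # IPv6 Routing Header type value for the SRH (RFC 8754)
# Assumed SID allow-list for this edge node: constructed from the 2000::/16
# addresses on the slides, not the project's real configuration.
ENABLED_SIDS = {ipaddress.IPv6Address(a) for a in ("2000:1::", "2000:4::", "2000:b::")}

def parse_srh(data: bytes):
    """Parse an SRH. Returns (next_header, segments_left, segment_list, tlvs);
    segment_list is in wire order, i.e. index last_entry is the first hop."""
    if len(data) < 8:
        raise ValueError("SRH shorter than its fixed 8-byte header")
    next_hdr, ext_len, rtype, seg_left, last_entry, _flags, _tag = struct.unpack("!BBBBBBH", data[:8])
    if rtype != SRH_ROUTING_TYPE:   # type 0 would be RH0, which is rejected here
        raise ValueError("routing type %d is not an SRH" % rtype)
    total = (ext_len + 1) * 8       # Hdr Ext Len counts 8-octet units after the first 8
    if len(data) < total:
        raise ValueError("truncated SRH")
    n_segs = last_entry + 1
    if 8 + 16 * n_segs > total:
        raise ValueError("segment list does not fit in the header length")
    if seg_left > last_entry:
        raise ValueError("Segments Left points past the segment list")
    segs = [ipaddress.IPv6Address(data[8 + 16 * i:24 + 16 * i]) for i in range(n_segs)]
    return next_hdr, seg_left, segs, data[8 + 16 * n_segs:total]

def ingress_policy_ok(data: bytes, enabled=ENABLED_SIDS) -> bool:
    """Edge policy: accept only if every segment still to be visited (indexes
    Segments Left down to 0) is an explicitly enabled SID; malformed SRHs fail."""
    try:
        _, seg_left, segs, _ = parse_srh(data)
    except ValueError:
        return False
    return all(s in enabled for s in segs[:seg_left + 1])

def build_srh(path, next_header=59):
    """Build an SRH for a path given in forwarding order (first hop first);
    59 = IPv6 No Next Header, used because no payload follows in this example."""
    segs = [ipaddress.IPv6Address(p) for p in reversed(path)]   # wire order is reversed
    n = len(segs)
    fixed = struct.pack("!BBBBBBH", next_header, 2 * n, SRH_ROUTING_TYPE, n - 1, n - 1, 0, 0)
    return fixed + b"".join(s.packed for s in segs)

# The A > 1 > 4 > B path from the slides, with B as the final segment (constructed).
SLIDE_PATH = ["2000:1::", "2000:4::", "2000:b::"]
print("A>1>4>B accepted:", ingress_policy_ok(build_srh(SLIDE_PATH)))
print("via 2000:3:: accepted:", ingress_policy_ok(build_srh(["2000:1::", "2000:3::", "2000:b::"])))
```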
Simplify the network (Discussion)
Remove protocols
Remove state
https://xkcd.com/927/
MPLS (Background)
[Diagram: same topology with MPLS labels 101-105, 110, 111, 202, 203, 210]
No LDP, RSVP required
Multi-tenancy
Layer 2 and 3 cross-connects
Multi-tenancy: Segment ID or extension? (Discussion)