Slide 1
Software Defined Networks (SDN) / OpenFlow: Experience sharing
Baraki H. Abay, Nov 04, 2011

Outline
- Legacy networks
- Software defined networks: motivation, architecture, principles
- OpenFlow: principles, architecture
- OpenFlow basics: flow table, controller, protocol
- How it works
- Centralized vs distributed, aggregated vs flow based, proactive vs reactive
- Network slicing: FlowVisor
- How to get started playing with OpenFlow
- Industry trends
- Demo screenshots

Current Networking Scheme
- Fully distributed protocols: hard to add a feature to a network
- The network is closed for research and innovation
- Network administrators and researchers can only configure devices
- Software is embedded in industry
- Data plane and control plane live in the same device
- Routers and switches are locked
- Packet forwarding and forwarding decisions are controlled by the underlying switches and routers

(Figure: several devices, each a stack of packet forwarding hardware, operating system and apps; labelled "Closed System")

Mitigation approach
- Open development environment for networking
- Isolation: the regular production network stays untouched
- Virtualized and programmable networks: Software Defined Networking (SDN)

Software Defined Networking (SDN)
- Network architecture to remotely control network hardware with software
- Opens the closed network
- Enables innovation by researchers, operators, application/service providers
- Managed by the Open Networking Foundation (ONF)

SDN Architecture Principles
- Separation of data and control planes, with a well defined API/protocol between the two
- Logically centralized control plane with an open API for network applications and services
- Network slicing and virtualization to support experimentation on a production network

(Figure: control path (software) above data path (hardware), joined by a protocol; apps sit on a network operating system through an API, in contrast to the closed per-device stacks)

Software Defined Networking Principles
1. Open interface to hardware
2. Operating system
3. Open API

OpenFlow: What is OpenFlow?
- OpenFlow is an open standard to deploy innovative protocols in production networks (openflow.org)

OpenFlow Motivation
- Network changes are sluggish
- The need for programmable networks
- Goal: use a centralized controller to determine traffic forwarding
- Principle: separate the control plane from the data plane

OpenFlow
- SDN protocol (API) that modifies forwarding tables in network switches
- Added as a feature to commercial Ethernet switches, routers and wireless access points
- Developed by Stanford University
- Sits between a switch and a controller
- Allows the path of network packets through the network of switches to be determined by software running on a separate server
OpenFlow
- Vendor independent
- The protocol is open source

Version status
- OF 1.0: most widely used version
- OF 1.1: multiple tables and counters
- OF 1.2: wire protocol IPv6, basic configuration
- OF 1.3: topology discovery, test processes
- OF 1.4: capability discovery, test labs
Classic Switch vs OpenFlow Switch
Classic switch/router:
- Data path and control path occur on the same device
- Data path: the packet forwarding path
- Control path: routing decisions
OpenFlow enabled switch/router:
- Separates the data path and the control path
- The data path portion still resides on the switch
- High level routing decisions reside in the controller
- The OpenFlow switch and the controller communicate via the OpenFlow protocol
- The control plane runs all the control protocols (including port aggregation, STP, TRILL, MAC address learning and routing protocols)

OpenFlow Specification Basics
Consists of at least three parts:
- Flow table: defines how the switch will process each flow
- Secure channel to connect to the controller
- OpenFlow protocol (API)
(Figure: OpenFlow switch holding the flow table (hw) and the secure channel (sw), talking to a controller on a PC over the OpenFlow protocol (SSL))
- Flow tables are set up on the switches
- The controller talks to the switch via the OpenFlow protocol

Flow table entry
- A flow table consists of a set of entries that incoming packets are compared against
- Each flow entry consists of match fields, counters and actions
- Matching starts at the first flow table
- Flow entries are matched in priority order
- Match found: apply the instructions
- Match not found: the packet is forwarded to the controller over the OpenFlow channel, dropped, or may continue to the next flow table

Table entry
Rule (match fields): switch port, MAC src, MAC dst, Eth type, VLAN ID, IP src, IP dst, IP proto, TCP sport, TCP dport
Action:
- Forward packet to port(s)
- Encapsulate and forward to the controller
- Drop packet
- Send to the normal processing pipeline
Stats: packet + byte counters
- Per table: active entries, packet lookups, packet matches
- Per flow: received packets, received bytes, duration
- Per port: received packets, transmitted packets, received bytes, transmitted bytes, receive drops, transmit drops, receive errors, transmit errors, collisions
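The flow table entry described above, worked through in code. This is an added example written for this page, not code from the slides or from any OpenFlow implementation: a small Python model of an OF 1.0 flow table in which each entry carries match fields (a field left out is a wildcard), a priority, an action list and per-flow counters, lookups walk entries in priority order, and a table miss sends the packet to the controller. The field names follow the OF 1.0 match fields listed on the slide; the packets and the three entries (an exact-match flow, an aggregated destination rule and a higher-priority drop rule) are constructed for the example.

```python
# Added example (not from the slides): a minimal model of an OpenFlow 1.0
# flow table: entries carry match fields, a priority, actions and counters;
# lookup walks entries in priority order; a table miss goes to the controller.
# Field names follow the OF 1.0 match (in_port, dl_src, dl_dst, dl_type, dl_vlan,
# nw_src, nw_dst, nw_proto, tp_src, tp_dst); packets are plain dicts
# constructed for the example, not captured traffic.
from dataclasses import dataclass


@dataclass
class FlowEntry:
    match: dict          # field -> required value; a field left out is a wildcard
    actions: list        # e.g. [("output", 2)], [("controller",)], [("drop",)]
    priority: int = 0
    packets: int = 0     # per-flow counters kept by the switch
    bytes: int = 0

    def matches(self, pkt):
        # exact compare on every constrained field (OF 1.0 also allows IP prefix
        # masks on nw_src/nw_dst; omitted here for brevity)
        return all(pkt.get(name) == value for name, value in self.match.items())


class FlowTable:
    def __init__(self):
        self.entries = []
        self.lookups = 0     # per-table counters
        self.matched = 0

    def add(self, entry):
        self.entries.append(entry)
        # keep the highest priority first so the first hit wins
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def process(self, pkt):
        """Return the action list the switch applies to pkt."""
        self.lookups += 1
        for entry in self.entries:
            if entry.matches(pkt):
                self.matched += 1
                entry.packets += 1
                entry.bytes += pkt["len"]
                return entry.actions
        # table miss: OF 1.0 encapsulates the packet and sends it to the controller
        return [("controller",)]


def build_demo_table():
    table = FlowTable()
    # flow-based (exact match) entry: one HTTP flow pinned to port 2
    table.add(FlowEntry({"in_port": 1, "dl_type": 0x0800, "nw_src": "10.4.0.2",
                         "nw_dst": "192.168.0.2", "nw_proto": 6,
                         "tp_src": 40000, "tp_dst": 80},
                        [("output", 2)], priority=100))
    # aggregated (wildcard) entry: any IP traffic for 192.168.0.2 leaves on port 2
    table.add(FlowEntry({"dl_type": 0x0800, "nw_dst": "192.168.0.2"},
                        [("output", 2)], priority=50))
    # firewall-style entry: drop telnet regardless of source, checked first
    table.add(FlowEntry({"dl_type": 0x0800, "nw_proto": 6, "tp_dst": 23},
                        [("drop",)], priority=200))
    return table


def ip_packet(src, dst, proto, sport, dport, in_port=1, length=64):
    # constructed sample packet header, not a real capture
    return {"in_port": in_port, "dl_type": 0x0800, "nw_src": src, "nw_dst": dst,
            "nw_proto": proto, "tp_src": sport, "tp_dst": dport, "len": length}


if __name__ == "__main__":
    t = build_demo_table()
    for pkt in (ip_packet("10.4.0.2", "192.168.0.2", 6, 40000, 80),
                ip_packet("10.5.0.2", "192.168.0.2", 17, 5000, 53),
                ip_packet("10.4.0.2", "192.168.0.2", 6, 41000, 23),
                ip_packet("192.168.0.1", "10.5.0.2", 6, 42000, 22)):
        print(pkt["nw_src"], "->", pkt["nw_dst"], t.process(pkt))
    print("lookups", t.lookups, "matched", t.matched)
```

The priority ordering is what makes the drop rule effective: it is a wildcard entry, so without the higher priority the exact-match HTTP entry or the aggregated destination entry would be consulted first and the telnet packet would be forwarded. The fourth packet matches nothing and is the table-miss case handed to the controller.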
Actions
- Switching and routing
- Firewall
- Using non-OpenFlow logic
- Send to controller

Secure channel
(Figure: OpenFlow switch with flow table and secure channel, controller on a PC, OpenFlow protocol over SSL)
- SSL connection, site-specific key
- Controller discovery protocol
- Encapsulates packets for the controller
- Sends link/port state to the controller

OpenFlow Protocol Message Types
Controller-to-switch
- To directly manage or inspect the state of the switch
- May or may not require a response from the switch
- Operations/msg types: Features, Configuration, Read-State, Modify-State, Barrier
Asynchronous
- To update the controller about network events and changes to the switch state
- Sent by the switch without the controller soliciting them
- To tell the controller about a packet arrival, a switch state change, or an error
- Msg types: Packet-in, Flow-Removed, Port-status, Error
Symmetric
- Msg types: Hello, Echo, Experimenter
The OpenFlow controller
- Remotely controls and manipulates the flow tables in switches
- Available open-source controllers: NOX, Beacon, SNAC
- FlowVisor: a special type of controller
  - Acts as a proxy between OpenFlow switches and multiple controllers
  - Slices network resources and delegates a controller to each slice

How OpenFlow works
Switch:
- Packet in from the network
- Check for a matching entry
- Match: apply the actions
- No match: send to the controller over the secure channel
Controller:
- Packet in from the switch
- Extract the destination address of the packet
- Define a table entry to create a path for the packet
- Send a message to each switch in the path the packet will traverse

(Figure: four OpenFlow switches (OFS) and a controller on a PC; hosts 192.168.0.2, 192.168.0.1, 10.4.0.2, 10.5.0.2, 192.10.0.2, 192.10.0.1. Each switch asks "entry available?"; the controller installs a rule (Rule / Action / Statistics) in every switch on the path.)

Flow match examples
(Figure: table of flow rule (match) and action pairs)

Controller Usage Models: Centralized vs Distributed control
(Figure: centralized control: several OFS managed by one controller on a PC; distributed control: each OFS has its own controller)

Flow Routing vs Aggregation
Flow-based:
- Every flow is individually set up by the controller
- Exact match flow entries
- Flow table contains one entry per flow
- Good for fine grained control
Aggregated:
- One flow entry covers large groups of flows
- Wildcard flow entries
- Flow table contains one entry per category of flows
- Good for a large number of flows
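The switch/controller loop from "How OpenFlow works", the flow-based versus aggregated entries contrasted above, and the reactive versus proactive set-up modes on the next slide, put together in one runnable model. This is an added example for this page, not code from the slides, from NOX or from any controller: the switch, the two controllers, the MAC addresses and the traffic pattern are all constructed for the example. The reactive controller is a learning switch that installs one exact-match entry per flow when a Packet-In arrives; the proactive controller pre-populates aggregated entries keyed on destination MAC only. Each run reports what the switch did with each frame, how many Packet-In round trips it needed, how many entries it holds, and what happens once the control channel is lost.

```python
# Added example (not from the slides): the switch/controller loop from "How
# OpenFlow works" modelled in plain Python, with a reactive learning-switch
# controller (exact-match entries, one per flow) beside a proactive controller
# (aggregated entries keyed on destination MAC only). Switch and controller are
# toy classes written for this example; MAC addresses and frames are constructed.

FLOOD = "flood"


class Switch:
    def __init__(self, dpid):
        self.dpid = dpid
        self.table = []          # list of (match dict, out_port); first hit wins
        self.connected = True    # is the secure channel to the controller up?
        self.packet_ins = 0      # how often the switch had to ask the controller

    def install(self, match, out_port):
        self.table.append((match, out_port))   # what a Flow-Mod does

    def forward(self, pkt, controller):
        # switch side: check the flow table, fall back to the controller on a miss
        for match, out_port in self.table:
            if all(pkt.get(k) == v for k, v in match.items()):
                return out_port
        if not self.connected:
            return None          # no entry and no controller: the frame is lost
        self.packet_ins += 1
        return controller.packet_in(self, pkt)


class ReactiveController:
    """Learning switch: learn the source port, install an exact entry per flow."""
    def __init__(self):
        self.mac_to_port = {}    # (dpid, mac) -> port

    def packet_in(self, sw, pkt):
        self.mac_to_port[(sw.dpid, pkt["dl_src"])] = pkt["in_port"]
        out_port = self.mac_to_port.get((sw.dpid, pkt["dl_dst"]), FLOOD)
        if out_port != FLOOD:
            sw.install({"in_port": pkt["in_port"], "dl_src": pkt["dl_src"],
                        "dl_dst": pkt["dl_dst"]}, out_port)
        return out_port


class ProactiveController:
    """Pre-populates aggregated entries from a known host map; sees no Packet-In."""
    def __init__(self, sw, hosts):
        for mac, port in hosts.items():
            sw.install({"dl_dst": mac}, port)   # one wildcard entry per destination

    def packet_in(self, sw, pkt):
        return FLOOD             # only reached for hosts absent from the map


def frame(src, dst, in_port):
    # constructed Ethernet header, not a capture
    return {"dl_src": src, "dl_dst": dst, "in_port": in_port}


H1, H2, H3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
TRAFFIC = [frame(H1, H2, 1), frame(H2, H1, 2), frame(H1, H2, 1), frame(H1, H2, 1)]
AFTER_LOSS = [frame(H1, H2, 1), frame(H2, H1, 2), frame(H1, H3, 1)]


def run_reactive():
    sw, ctl = Switch(dpid=1), ReactiveController()
    outs = [sw.forward(p, ctl) for p in TRAFFIC]
    sw.connected = False                      # secure channel to the controller lost
    after = [sw.forward(p, ctl) for p in AFTER_LOSS]
    return outs, sw.packet_ins, len(sw.table), after


def run_proactive():
    sw = Switch(dpid=1)
    ctl = ProactiveController(sw, {H1: 1, H2: 2})
    outs = [sw.forward(p, ctl) for p in TRAFFIC]
    sw.connected = False
    after = [sw.forward(p, ctl) for p in AFTER_LOSS]
    return outs, sw.packet_ins, len(sw.table), after


if __name__ == "__main__":
    for name, run in (("reactive", run_reactive), ("proactive", run_proactive)):
        outs, packet_ins, entries, after = run()
        print(name, "outputs", outs, "packet-ins", packet_ins,
              "entries", entries, "after channel loss", after)
```

With the reactive controller the first frame is flooded (the destination is still unknown), the next two each cost a Packet-In round trip before an exact entry exists, and only the fourth is switched locally; after the control channel drops, flows already learned keep working but any new flow is lost, which is the "limited utility" the slide refers to. The proactive controller needs no Packet-In at all and keeps switching known hosts after the loss, at the price of having to know the hosts in advance and of one coarser entry per destination rather than one per flow.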
Reactive vs Proactive
Reactive:
- The first packet of a flow triggers the controller to insert flow entries
- Efficient use of the flow table
- Every flow incurs a small additional set-up time
- The switch has limited utility if the connection to the controller is lost
Proactive:
- The controller pre-populates the flow table in the switch
- Zero additional flow set-up time
- Loss of the control connection doesn't disrupt traffic
- Requires aggregated rules

Open Controllers
Controller name | Language     | Platform
NOX             | C++, Python  | Linux
Beacon          | Java         | Win, Mac, Linux, Android
Maestro         | Java         | Win, Mac, Linux
Trema           | Ruby, C      | Linux

Network Slicing concept
- Divide the production network into logical slices
- Each slice/service controls its own packet forwarding
(Figure: a slicing layer between the switch data plane and multiple controllers (NOS))

FlowVisor
- A tool for slicing OpenFlow networks: creates multiple isolated and programmable logical networks on the same physical topology
- Enforces slicing policies. The policy specifies resource limits for each slice:
  - Link bandwidth
  - Maximum number of forwarding rules
  - Topology
  - Fraction of switch/router CPU
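A toy model of the slicing proxy just described, added here as an example and not taken from the slides or from FlowVisor's code. Each slice owns a FlowSpace (the header values it is allowed to see and program; a later slide calls this "FlowSpace: maps packets to slices") and a budget of forwarding rules, one of the limits listed above. The proxy delivers each Packet-In to the slice whose FlowSpace matches and checks every Flow-Mod a slice controller sends: a match that names a value outside the slice is rejected, a match that leaves the slice's fields as wildcards is rewritten to pin them, and a slice over its rule budget gets nothing installed. Slice names, the VLAN-based FlowSpaces and the budgets are constructed for the example; bandwidth, topology and CPU limits are not modelled.

```python
# Added example (not from the slides): a toy model of a FlowVisor-style slicing
# policy. Each slice owns a FlowSpace (header values it is confined to) and a
# rule budget; the proxy routes Packet-In events to the owning slice and checks
# every Flow-Mod from a slice controller before it would reach the switch.
# Slice names, VLAN values and budgets are constructed for the example.


class Slice:
    def __init__(self, name, flowspace, max_rules):
        self.name = name
        self.flowspace = flowspace    # field -> value this slice is confined to
        self.max_rules = max_rules    # "maximum number of forwarding rules"
        self.rules = []               # Flow-Mods accepted for this slice


class FlowVisor:
    def __init__(self):
        self.slices = []

    def add_slice(self, s):
        self.slices.append(s)

    def slice_for_packet(self, pkt):
        """Packet-In from a switch: deliver it to the slice whose FlowSpace matches."""
        for s in self.slices:
            if all(pkt.get(k) == v for k, v in s.flowspace.items()):
                return s.name
        return None       # nobody owns this traffic; the event is dropped

    def flow_mod(self, slice_name, match, actions):
        """Flow-Mod from a slice controller: confine it to the slice's FlowSpace."""
        s = next(x for x in self.slices if x.name == slice_name)
        if len(s.rules) >= s.max_rules:
            return ("rejected", "rule limit reached")
        confined = dict(match)
        for k, v in s.flowspace.items():
            if k in match and match[k] != v:
                # the controller tried to program traffic that is not its own
                return ("rejected", "match %s=%r lies outside the slice" % (k, match[k]))
            confined[k] = v          # pin wildcards so the rule cannot leak out
        s.rules.append((confined, actions))
        return ("installed", confined)


def build_demo():
    fv = FlowVisor()
    fv.add_slice(Slice("production", {"dl_vlan": 10}, max_rules=1000))
    fv.add_slice(Slice("research1", {"dl_vlan": 20}, max_rules=2))
    return fv


if __name__ == "__main__":
    fv = build_demo()
    print(fv.slice_for_packet({"dl_vlan": 10, "nw_dst": "192.168.0.2"}))
    print(fv.flow_mod("research1", {"nw_dst": "10.4.0.2"}, [("output", 2)]))
    print(fv.flow_mod("research1", {"dl_vlan": 10}, [("drop",)]))
    print(fv.flow_mod("research1", {"nw_dst": "10.4.0.3"}, [("drop",)]))
    print(fv.flow_mod("research1", {}, [("drop",)]))
```

The rewrite step is the important part for isolation: a research controller that sends a Flow-Mod with the VLAN field wildcarded would otherwise install a rule that also catches production traffic. Pinning the slice's fields on the way through, and refusing matches that name another slice's values, is what lets a research slice share the switches without touching the production network.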
(Figure: three OFS connected through FlowVisor, over the OpenFlow protocol, to three controllers on PCs)

Virtual networks through FlowVisor
- Research 1 controller, production network controller, Research 2 controller
- FlowSpace: maps packets to slices
- Topology discovery is per slice

OpenFlow gains
- Increased network control
- Increased network flexibility
- Shared infrastructure makes innovation easier
- The current network infrastructure, LAN and WAN, does not allow for much experimenting. In many cases it is a production network, there are firmware limitations, or both.
- Building an alternative network is likely to be expensive. The sharing of resources is one of the inherent features of OpenFlow. If deployed across a production network, it is possible to delegate a slice of that network's resources to research, effectively sharing the infrastructure.

Some OpenFlow applications
- Wireless mobility/migration
- Redirect specific application traffic to a remote site
- Network virtualization
- Power management
- Load balancing
- Traffic engineering
- Security applications: load balancing, firewall
Current version OpenFlow limitations
- Non-flow-based (per-packet) networking
- Using all tables on switch chips
- New forwarding primitives
- New packet formats/field definitions
- Low set-up time for individual flows (but flows can be pushed proactively)
- Forcing all of a flow's packets to pass through a controller: easy to implement, poor performance, can be used to test the functionality of a new protocol

Industry support
- Many vendors have implemented OpenFlow in their devices
How to get started with OpenFlow
Switch
- Software switches: Linux user-space switch, reference Linux kernel-space switch, Open vSwitch
- Hardware switches: OpenFlow enabled commercial switches, e.g. Pronto
Controller
- Reference learning switch controller
- NOX, Beacon, SNAC

Reference Linux user-space switch. This implementation runs on the widest variety of systems and is easy to port. It is also the slowest, as it cannot take advantage of multiple CPUs and requires kernel-to-user-space transitions. It supports as many ports as you can fit in a PC (8+), including wired and wireless ports.
Reference Linux kernel-space switch. This switch offers more control and debug options, plus more speed, than the user-space switch. It supports as many ports as you can fit in a PC (8+), including wired and wireless ports.
NetFPGA switch. This switch offers line-rate performance for 4 Gigabit ports, regardless of packet size, via hardware acceleration. It requires the purchase of a NetFPGA card, which is $500 for researchers and $1000 for industry. More NetFPGA details are available at www.netfpga.org.
Open vSwitch. Open vSwitch is a multilayer virtual switch, licensed under the open source Apache 2 license, with OpenFlow support. Open vSwitch currently supports multiple virtualization technologies including Xen/XenServer, KVM, and VirtualBox. More details are available at openvswitch.org.
SNAC (Simple Network Access Control) is an OpenFlow controller which uses a web-based policy manager to manage the network.

What can we do with OpenFlow
- Write, configure, deploy: experiment with our networks
- Develop network applications on top of existing controllers (e.g. NOX, Beacon)
- Customize controllers
- Extend existing controllers
- Develop our own controller

Example: Developing on NOX
- Basics: components and events
- Develop components that handle events
- Components can be developed using C++, Python or a combination of them
- NOX built-in components: core apps, network apps, web apps, third-party extensions
- Example: a component
- Events drive execution in NOX
  - Core events: Datapath_join event, Packet_in event
  - Application events: Host_in event, Flow_in event, etc.
- Components post events for other applications to handle
- Register for the packet_in event

OpenFlow Practice
- Using virtual machines
- Required software:
  - Virtualization software (VirtualBox)
  - X server (Windows: Xming; Mac: X11; Linux: X server installed)
  - Development tools
  - Mininet
  - Wireshark
  - Benchmark controller w/ iperf

What can we do in the tutorial
- Create a learning switch: NOX controller (Python, C++), Beacon (Java)
- Control a slice of a real network
- Create a router
- Create a firewall
Some Demos
Dynamic Flow Aggregation on an OpenFlow Network
- Dynamically define flow granularity by wildcarding arbitrary header fields
- Granularity is on the switch flow entries; no packet rewrite or encapsulation
Elastic Tree: reducing energy in data centers
- Shuts off links and switches to reduce data center power
- OpenFlow provides network routes and port statistics

Some OpenFlow Demos
Aster*x: Load-Balancing Web Traffic over Wide-Area Networks (by Stanford)
- Load balancing system for services hosted in different services
- Considers network congestion and server load
- Handles the dynamic adding and removing of resources

- Test facility for network experiments based on OpenFlow
- Allows the dynamic creation of virtual machines to be used as sources, sinks, and controllers for OpenFlow switches
OFELIA: Pan-European Test Facility for OpenFlow Experimentation
- Flexible definitions of virtual networks, dynamic scaling of the virtual networks, and isolation of the virtual networks from physical network changes
Network Virtualization using EXOS OpenFlow

Industry trend
- Increased interest in data centers, service providers (for example, to slice their networks based on bandwidth) and enterprise networks

Questions?

References
- http://www.openflow.org/
- http://opennetsummit.org/
- OpenFlow white paper
- http://noxrepo.org/wp/
- Slides from Brandon Heller (Stanford), Srini Seetharaman, Martin Casado
- Internet2 Joint Techs, Clemson
- Open Networking Summit 2011 talks and slides