Embed Size (px)
DESCRIPTION
Evaluation of OpenFlow in RB750GL
Citation preview
Evaluation of OpenFlow in RB750GL
2013.11.19 @ttsubo
- RouterOS 6.6 -
Motivation
2
I want to get the OpenFlow’s lab in minimum cost . So, I am so happy what if it works under the experimental version .
http://wiki.mikrotik.com/wiki/Manual:OpenFlow
Currently RouterOS implements OpenFlow version 1.0.0 required features. Support for newer versions, optional features and switching hardware acceleration are to be added. Current implementation should be considered experimental - NOT production ready and is available for evaluation purposes. Please contact support with feature requests and bug reports. OpenFlow support is available as standalone openflow package. OpenFlow feature overrides regular packet processing functionality - packets that are received on interfaces that are OpenFlow switch ports, will not pass through the regular networking stack unless OpenFlow controller sets up flows that enable this. Due to this care must be taken to not disable access to the device when configuring OpenFlow. Currently only unencrypted TCP is available as the communications channel between RouterOS OpenFlow switch and controller.
3
Test Scenario1: “IP Routing in OpenFlow“
4
PC-A PC-B
ARP Request Packet-inPacket-outARP Reply
ICMP_Echo RequestPacket-out
Drop!!Packet-in
ARP RequestARP Reply
FlowMod
ICMP_Echo Request ICMP_Echo RequestICMP (Echo ReplyICMP (Echo Reply
- ICMP Echo Request from PC-A to PC-B - ICMP Echo Reply from PC-B to PC-A
192.168.0.1 192.168.1.1
OFS OFC
Secure Channel
Test Scenario1: “IP Routing in OpenFlow“
5
PC-B
Packet-outARP Reply
ICMP_Echo RequestPacket-out
Drop!!Packet-in
ARP RequestARP Reply
FlowMod
ICMP_Echo Request ICMP_Echo RequestICMP (Echo ReplyICMP (Echo Reply
192.168.1.1
ARP Request
OFS OFC
Secure Channel
PC-A
192.168.0.1
Test Result : No good !!The OFS doesn’t send ARP Packets to OFC using packet-in messages .
Packet-in
Investigation of the cause
6
Hello
Hello
Set Config
Echo Request
Echo Reply
Features Request
Features Reply
It looks like “Max packets buffered” sets “zero” value .
OFS OFC
Secure Channel
When the secure channel has established, I’ve checked “Features Reply” packet as below .
Reference : Max packets buffered 7
/* Switch features. */ struct ofp_switch_features { struct ofp_header header; }; uint64_t datapath_id; uint32_t n_buffers; uint8_t n_tables; uint8_t auxiliary_id; uint8_t pad[2]; /* Datapath unique ID. The lower 48-bits are for a MAC address, while the upper 16-bits are implementer-defined. */ /* Max packets buffered at once. */ /* Number of tables supported by datapath. */ /* Identify auxiliary connections */ /* Align to 64-bits. */ /* Features. */ uint32_t capabilities; /* Bitmap of support "ofp_capabilities". */ uint32_t reserved; }; OFP_ASSERT(sizeof(struct ofp_switch_features) == 32); The datapath_id field uniquely identifies a datapath. The lower 48 bits are intended for the switch MAC address, while the top 16 bits are up to the implementer. An example use of the top 16 bits would be a VLAN ID to distinguish multiple virtual switch instances on a single physical switch. This field should be treated as an opaque bit string by controllers.
The n_buffers field specifies the maximum number of packets the switch can buffer when sending packets to the controller using packet-in messages (see 6.1.2).
OpenFlow Switch Specification Version 1.3.2 7.3 Controller-to-Switch Messages
Because of “Max packets buffered: zero”, the OFS doesn’t send Packets to OFC using packt-in messages .
Investigation of the cause
8
Test Scenario2: “IP Routing in OpenFlow“ without Packet-in
9
PC-B
ARP Request Packet-inPacket-outARP Reply
ICMP_Echo RequestPacket-out
Drop!!Packet-in
ARP RequestARP Reply
ICMP_Echo Request ICMP_Echo RequestICMP (Echo ReplyICMP (Echo Reply
I’ve rebuilt Test Scenario1 without Packet-in as below .
192.168.1.1
PC-A and PC-B has already done the sequence “ARP resolve” .
Packet-outARP Reply
FlowMod
Packet-out ARP Reply
OFS OFC
Secure Channel
PC-A
192.168.0.1
Test Scenario2: “IP Routing in OpenFlow w/o Packet-in”
10
PC-A PC-B
ARP Reply
ICMP_Echo Request ICMP_Echo Request
192.168.0.1 192.168.1.1
Packet-outARP Reply
FlowMod
Packet-out
No received !!
PC-A hasn’t received ICMP_Echo_Reply .
ICMP (Echo ReplyICMP (Echo Reply
OFS OFC
Secure Channel
Test Result : No good !!
11
PC-A PC-B
ARP Reply
ICMP_Echo Request ICMP_Echo Request
192.168.0.1 192.168.1.1
Packet-outARP Reply
FlowMod
Packet-out
OFS OFC
Secure Channel
[admin@MikroTik] > openflow flow print detail Flags: I - inactive 0 switch=oflow1 version=1 match="inport:1 dlsrc:7C:C3:A1:87:8F:65 dldst:00:00:00:00:00:01 dltype:0x800 nwdst:192.168.1.1/32" actions="set_dl_src:00:00:00:00:00:02, set_dl_dst:00:1A:80:0A:9E:D4, output:2" info="priority 255, idletimeout 0, hardtimeout 0, cookie 0, removenotify 1" ! 1 switch=oflow1 version=1 match="inport:2 dlsrc:00:1A:80:0A:9E:D4 dldst:00:00:00:00:00:02 dltype:0x800 nwdst:192.168.0.1/32" actions="set_dl_src:00:00:00:00:00:01, set_dl_dst:7C:C3:A1:87:8F:65, output:1" info="priority 255, idletimeout 0, hardtimeout 0, cookie 0, removenotify 1"
OFC has set to the FlowMod in properly
Investigation of the cause
12
PC-B
ARP Reply
ICMP_Echo Request ICMP_Echo Request
192.168.1.1
Packet-outARP Reply
FlowMod
Packet-out
A Flow statistic hasn’t counted up . So, the FlowEntry doesn’t work in properly .
[admin@MikroTik] > openflow flow print stats Flags: I - inactive # SWITCH MATCH BYTES PACKETS DURATION 0 oflow1 inpor... 0 0 3m38s830ms 1 oflow1 inpor... 0 0 3m38s830ms
OFS OFC
Secure Channel
PC-A
192.168.0.1
Investigation of the cause
13
PC-B
ARP Reply
ICMP_Echo Request ICMP_Echo Request
192.168.1.1
Packet-outARP Reply
FlowMod
Packet-out
When PC-B has received ICMP_Echo_Request from PC-A, PC-B hasn’t sended ICMP_Echo_Reply
OFS OFC
Secure Channel
PC-A
192.168.0.1
Investigation of the cause
14
This packet is ICMP_Echo_Request in PC-A
PC-A
OFSPC-B
ICMP_Echo Request
192.168.0.1 (7C:C3:A1:87:8F:65)
192.168.1.1 (00:1A:80:0A:9E:D4)The OFS doesn’t
replace mac_address fields in spite of storing FlowTable .192.168.0.10
(00:00:00:00:00:01)
Investigation of the cause
15
Hello
Hello
Set Config
Echo Request
Echo Reply
Features Request
Features Reply
OFS OFCSecure Channel
OFS in RouterBOARD can’t replace L2/L3 header field .
When the secure channel has established, I’ve checked “Features Reply” packet as below, again .
Investigation of the cause
Conclusion:
16
PC-A PC-BFlow Table
FlowMod : it works
Packet-out : it works
Packet-in : it doesn’t work
Forwarding : it doesn’t work
The latest OpenFlow code under the experimental version doesn’t work in properly as below in RB750GL. I’m looking forward to releasing the product version .
SecureChannel : it works
OFS
OFC
referense : OpenFlow in Open-WRT
17
OFS OFCPC-B
ARP Request
Secure Channel
Packet-inPacket-outARP Reply
ICMP_Echo RequestPacket-out
Drop!!Packet-in
ARP RequestARP Reply
FlowMod
ICMP_Echo Request ICMP_Echo RequestICMP (Echo ReplyICMP (Echo Reply
192.168.1.1
It works in Test Scenario1: “IP Routing in OpenFlow“ !!
PC-A
192.168.0.1
