11 SDN 101 May 29 th 2013 . 22 The Problem Networks are at an Inflection Point Network Challenges: – Networks have become too complex.

11

SDN 101

May 29th 2013

www.noviflow.com

22

The ProblemNetworks are at an Inflection Point

• Network Challenges:– Networks have become too complex after 40+ years of

internet evolution: • Then: L2=Ethernet and L3=IP• Now: ACLs, VLANs, VPN, DiffServ, IPSec, IPv6, NAT, Firewall,

MPLS, middle boxes and much more…– Networks need to be more deterministic:

• Allow more efficient use of network resources– Networks are too hard to manage:

• Manual and error prone CLI based configuration of network elements

• No economies of scale– Network Operators faced with flat revenues coupled with

massive traffic growth and more complex applications:• IP traffic will quadruple by 20161

• Only 17% of Data Center traffic goes to users1

• Proliferation of virtualization, connected devices and cloud computing

• Networks cannot continue on the same path– More and more expensive to build and operate – Slower and slower to evolve– … a new protocol for every problem is NOT the solution

2Note 1: Cisco Global Cloud Index, 2012

Source: Cisco Global Cloud Index 2012

3

The SolutionSDN and OpenFlow

44

OpenFlow Protocol:Controller

Maintains comm. channelDistribute flows (rules)Maintains local state graph

Distributed switchingpSwitchesvSwitches

The OpenFlow StandardArchitecture

5

The OpenFlow StandardFlow Tables – Pipeline Processing

66

Flow Composition:Match Fields: To match against packets. These consist of the ingress port and packet headers, and optionally metadata specified by the previous table.Priority: Matching precedence of the flow entry.Counters: To update for matching packets.Instructions: To modify the action set or pipeline processingTimeouts: Maximum amount of time or idle time before flow is expired by the switch.Cookie: Opaque data value chosen by the controller. May be used by the controller to filter flow statistics, flow modification and flow deletion, not used when processing packets.

The OpenFlow StandardFlow Tables & Flows

Tablej

77

Flow Switching

Firewall

The OpenFlow StandardFlow & Packet Processing Samples

Switch Port

MAC src

MAC dst

Eth type

VLAN ID

IP src

IP dst

IPprot

TCPsport

TCPdport

Action

* * 00:1f:… * * * * * * * port6

Switching

Switch Port

MAC src

MAC dst

Eth type

VLAN ID

IP src

IP dst

IPprot

TCPsport

TCPdport

Action

Port3 00:20… 00:1f… 0800 vlan1 1.2.3.4 5.6.7.8 4 17264 80 port6

Switch Port

MAC src

MAC dst

Eth type

VLAN ID

IP src

IP dst

IPprot

TCPsport

TCPdport

Action

* * * * * * * * * 22 drop

88

VLAN Switching

The OpenFlow StandardFlow & Packet Processing Samples

Switch Port

MAC src

MAC dst

Eth type

VLAN ID

IP src

IP dst

IPprot

TCPsport

TCPdport

Action

* * * * * * 5.6.7.8 * * * port6

Routing

Switch Port

MAC src

MAC dst

Eth type

VLAN ID

IP src

IP dst

IPprot

TCPsport

TCPdport

Action

* * 00:1f… * vlan1 * * * * * Port6,Port7,Port8

9

The OpenFlow StandardMessages

• Controller-to-Switch– Feature Request: Query the switch about what

features it supports– Configuration Request: Configure the switch– Modify-State: Add/delete/modify flows and set

port properties– Read-State: Collect statistics– Send-Packet: Send enclosed packet through a

specific port– Barrier: Request/reply messages for operation

completion

• Asynchronous (Switch initiated):– Packet-In: No match or match with send to

controller action– Flow-Removed: Idle timeout or hard timeout– Port-Status: Switch port changed status– Error: Switch notifies controller of problems

• Symmetric:– Hello: Exchanged between switch and controller

upon initial connection– Echo: Initiated by either the switch or controller– Vendor: Vendor specific messages to support

vendor specific functionality

1010

The OpenFlow StandardMessages

• Controller-to-Switch– Feature Request: Query the switch

about what features it supports– Configuration Request: Configure the

switch– Modify-State: Add/delete/modify

flows and set port properties– Read-State: Collect statistics– Send-Packet: Send enclosed packet

through a specific port– Barrier: Request/reply messages for

operation completion

• Asynchronous (Switch initiated):– Packet-In: No match or match with

send to controller action– Flow-Removed: Idle timeout or hard

timeout– Port-Status: Switch port changed

status– Error: Switch notifies controller of

problems• Symmetric:

– Hello: Exchanged between switch and controller upon initial connection

– Echo: Initiated by either the switch or controller

– Vendor: Vendor specific messages to support vendor specific functionality

11

The OpenFlow StandardReleases

Features OF 1.1 OF 1.2 OF 1.3

Multiple Tables ✓

Groups ✓

Tags: MPLS & VLAN ✓

Virtual ports ✓

Extensible match support ✓

Extensible ‘set field’ packet rewriting support ✓

Extensible context expression in ‘packet-in’ ✓

Extensible Error messages via experimenter error ✓

IPv6 support added ✓

Controller role change mechanism ✓

IPv6 Extension Header handling support ✓

Per flow meters ✓

Per connection event filtering ✓

Auxiliary connections ✓

MPLS BoS matching ✓

Provider Backbone Bridging tagging ✓

Tunnel-ID metadata ✓

Cookies in packet-in ✓

Duration for stats ✓

On demand flow counters ✓

12

Sample OpenFlow ControllerFloodlight Architecture

• Floodlight Controller:– OpenFlow Controller– Apache-Licensed Open source– Java-based: 85 kLOC– Used by Big Switch Networks

• OpenFlow interface:– Currently supports OF 1.0– Plans for OF 1.2/1.3 in March

2013

• REST API:– Northbound interface towards

OpenFlow applications

• Java API:– High bandwidth interface

towards OpenFlow applications

---------------- OpenFlow Interface ----------------

13

Sample OpenFlow ControllerFloodlight Modules

FloodlightProvider: Handles connections to switches and turns OpenFlow messages into Floodlight events. Transmits messages to switches on behalf of modules. Decides the order in which specific incoming OpenFlow messages (i.e. PacketIn, FlowRemoved, PortStatus, etc.) are dispatched to the modules that listen for the messages. TopologyManager: Maintains the network topology information. Computes shortest path using Dijkstra’s algorithm – a graph search algorithm used by link-state routing protocols such as OSPF and IS-IS.LinkDiscoveryManager: Responsible for discovering and maintaining the status of links in the OpenFlow network. Sends out Link Layer Discovery Protocol (LLDP) messages.Forwarding: Installs flow mods for end to end routing. Handles island routing.DeviceManager: Tracks hosts on the network: MAC to switch port, MAC to IP, IP to MAC mapping. Defines the destination device for a new flow.MemoryStorageSource: An in-memory NoSQL data base accessible by the modules. Supports change notifications.RestApiServer: Allows modules to expose REST APIs over HTTP.ThreadPool: Schedules tasks to run at specific times or periodically.FlowCache: Maintains a record of all active flows in all switches. [Not implemented but needed.]PacketStreamer: Selectively streams OpenFlow messages exchanged between any switch and the controller to an observer.Testing Modules: Codes for validating the functionality of the various modules of the controller (14 kLOC)

14

Sample OpenFlow ControllerFloodlight Northbound REST API

• Representational State Transfer Application Protocol Interface (REST API)– Exposes resources that may be read and/or manipulated by applications– Common stateless Client-Server protocol used on the WWW:

• HTTP GET, POST, PUT, DELETE Methods• Calls consists of a “Base URI” & “JSON media type”• Sample JSON media type: {"src-ip": "10.0.0.4/32", "dl-type":"ARP"}

• Examples of Floodlight REST API calls:– List all devices tracked by the controller:

Curl http://localhost:8080/wm/device/

– Retrieve aggregate port statistics across all switches:Curl http://localhost:8080/wm/core/switch/all/port/json

– Retrieve per switch traffic counter:Curl http://localhost:8080/wm/core/counter/switchID/statType/json

– List all inter-switch links:Curl http://localhost:8080/wm/topology/links/json

15

Sample OpenFlow ApplicationStaticFlowEntryPusher Application

• Functionality:– Allows the user to manipulate flows entries in switches through an

exposed REST API– Implemented as a Java module: 1,553 LOC

• Examples of REST API calls:– List all flows for a switch:

Curl http://localhost:8080/wm/staticflowentrypusher/list/switchID/json

– Clear all flows for a switch:Curl http://localhost:8080/wm/staticflowentrypusher/clear/switchID/json

– Add a flow to a switch:Curl -X POST -d '{“switch": “00:00:00:00:00:00:00:01", “name":“flow_mod_1", “priority”:”32768”, “ingress-port”:”1”, “active”:”true”, “actions”:”output=2” }' http://localhost:8080/wm/staticflow entrypusher/json

– Delete a flow from a switch:Curl -X DELETE -d '{“name": “flow_mod_1" }' http://localhost:8080/wm/staticflowentrypusher/json

16

Sample OpenFlow Application CircuitPusher Application

• Functionality:– Creates a bi-directional circuit with two IP end points – Implemented as Python module: 200 LOC

• Examples how to use it:– List all flows for a switch:

Curl http://localhost:8080/wm/staticflowentrypusher/list/switchID/json

– Clear all flows for a switch:Curl http://localhost:8080/wm/staticflowentrypusher/clear/switchID/json

– Add a flow to a switch:Curl -X POST -d '{“switch": “00:00:00:00:00:00:00:01", “name":“flow_mod_1", “priority”:”32768”, “ingress-port”:”1”, “active”:”true”, “actions”:”output=2” }' http://localhost:8080/wm/staticflow entrypusher/json

17

Sample OpenFlow Application Firewall Application

• Functionality:– Create firewall rules: switch_id, src/dst-MAC, src/dst-IP, network protocol

(TCP, UDP, ICMP), TCP/UDP port-src/dst, dl-type (ARP, IPv4), priority, and action (ALLOW or DENY)

– Implemented as Java module: 1,576 LOC– Using REST API calls, enable/disable firewall and create/delete firewall

rules that are pushed to the identified OpenFlow switch

• Examples of Firewall REST API calls:– Check Firewall status:

Curl http://localhost:8080/wm/firewall/module/status/json

– Enable Firewall:Curl http://localhost:8080/wm/firewall/module/enable/json

– Add rule to Firewall:• Curl -X POST -d '{"src-ip": "10.0.0.4/32", "nw-proto":"UDP", "tp-src":"5010",

"action":"DENY" }' http://localhost:8080/wm/firewall/rules/json