Introduction to SDN & OpenFlow Based on Tutorials from: Srini Seetharaman, Deutsche Telekom Innovation Center FloodLight Open Flow Controller, floodlight.openflowhub.org.

Introduction to SDN & OpenFlow

Based on Tutorials from:Srini Seetharaman, Deutsche Telekom Innovation Center

FloodLight Open Flow Controller, floodlight.openflowhub.org

Million of linesof source code

6000+ RFCs Barrier to entry

Billions of gates Bloated Power Hungry

Many complex functions baked into the infrastructureOSPF, BGP, multicast, differentiated services,Traffic Engineering, NAT, firewalls, MPLS, redundant layers, …

An industry with a “mainframe-mentality”

The Ossified Network

Specialized Packet Forwarding Hardware

OperatingSystem

Feature Feature

Routing, management, mobility management, access control, VPNs, …

2

Specialized Packet Forwarding Hardware

App App App

Specialized Packet Forwarding Hardware

App App App

Specialized Packet Forwarding Hardware

App App App

Specialized Packet Forwarding Hardware

App App App

Specialized Packet Forwarding Hardware

OperatingSystem

OperatingSystem

OperatingSystem

OperatingSystem

OperatingSystem

App App App

3

Current Internet Closed to Innovations in the Infrastructure

Closed

Specialized Packet Forwarding Hardware

App App App

Specialized Packet Forwarding Hardware

App App App

Specialized Packet Forwarding Hardware

App App App

Specialized Packet Forwarding Hardware

App App App

Specialized Packet Forwarding Hardware

OperatingSystem

OperatingSystem

OperatingSystem

OperatingSystem

OperatingSystem

App App App

Network Operating System

App App App

“Software Defined Networking” approachto open it

App

Simple Packet Forwarding Hardware

Simple Packet Forwarding Hardware

Simple Packet Forwarding Hardware

App App

Simple Packet Forwarding Hardware Simple Packet

Forwarding Hardware

Network Operating System

1. Open interface to hardware

3. Well-defined open API2. At least one good operating system

Extensible, possibly open-source

The “Software-defined Network”

SDN System View

Application tier

Controller tier

Data plane tier

OF Switch

OF Switch

OF Switch

OF Switch

OF Switch

SDN Controller

App

licatio

n

App

licatio

n

App

licatio

n

App

licatio

n

App

licatio

n

Software Defined Networking decouples data, control, and application planes, creating a programmable network

OpenFlow and SDN

OpenFlow-based SDN Controller

App

licatio

n

App

licatio

n

App

licatio

n

App

licatio

n

Northbound API

Southbound API - OpenFlow

App

licatio

n

OF Switch

OF Switch

OF Switch

OF Switch

OF Switch

How does OpenFlow work?

8

Ethernet Switch

9

Data Path (Hardware)

Control PathControl Path (Software)

10

Data Path (Hardware)

Control Path OpenFlow

OpenFlow Controller

OpenFlow Protocol (SSL/TCP)

11

Controller

PC

OpenFlow usage

OpenFlow Switch

OpenFlow Switch

OpenFlow Switch

Alice’s code

Decision?OpenFlowProtocol

Alice’s Rule

Alice’s Rule

Alice’s Rule

OpenFlow offloads control intelligence to a remote software

Controller

PC

HardwareLayer

SoftwareLayer

Flow Table

MACsrc

MACdst

IPSrc

IPDst

TCPsport

TCPdport Action

OpenFlow Client

**5.6.7.8*** port 1

port 4port 3port 2port 1

1.2.3.45.6.7.8

OpenFlow Example

13

OpenFlow Basics Flow Table Entries

SwitchPort

MACsrc

MACdst

Ethtype

VLANID

IPSrc

IPDst

IPProt

L4sport

L4dport

Rule Action Stats

1. Forward packet to zero or more ports2. Encapsulate and forward to controller3. Send to normal processing pipeline4. Modify Fields5. Any extensions you add!

+ mask what fields to match

Packet + byte counters

14

VLANpcp

IPToS

OpenFlow: a pragmatic compromise

• + Speed, scale, fidelity of vendor hardware• + Flexibility and control of software and

simulation• Vendors don’t need to expose implementation• Leverages hardware inside most switches

today (ACL tables)

15

ExamplesSwitching

*

SwitchPort

MACsrc

MACdst

Ethtype

VLANID

IPSrc

IPDst

IPProt

TCPsport

TCPdport Action

* 00:1f:.. * * * * * * * port6

Flow Switching

port3

SwitchPort

MACsrc

MACdst

Ethtype

VLANID

IPSrc

IPDst

IPProt

TCPsport

TCPdport Action

00:20.. 00:1f.. 0800 vlan1 1.2.3.4 5.6.7.8 4 17264 80 port6

Firewall

*

SwitchPort

MACsrc

MACdst

Ethtype

VLANID

IPSrc

IPDst

IPProt

TCPsport

TCPdport Action

* * * * * * * * 22 drop

16

ExamplesRouting

*

SwitchPort

MACsrc

MACdst

Ethtype

VLANID

IPSrc

IPDst

IPProt

TCPsport

TCPdport Action

* * * * * 5.6.7.8 * * * port6

VLAN Switching

*

SwitchPort

MACsrc

MACdst

Ethtype

VLANID

IPSrc

IPDst

IPProt

TCPsport

TCPdport Action

* * vlan1 * * * * *

port6, port7,port9

00:1f..

17

Centralized vs Distributed ControlBoth models are possible with OpenFlow

Centralized Control

OpenFlow Switch

OpenFlow Switch

OpenFlow Switch

Controller

Distributed Control

OpenFlow Switch

OpenFlow Switch

OpenFlow Switch

Controller

Controller

Controller

18

Flow Routing vs. AggregationBoth models are possible with OpenFlow

Flow-Based

• Every flow is individually set up by controller

• Exact-match flow entries• Flow table contains one

entry per flow• Good for fine grain

control, e.g. campus networks

Aggregated

• One flow entry covers large groups of flows

• Wildcard flow entries• Flow table contains one

entry per category of flows• Good for large number of

flows, e.g. backbone

19

Reactive vs. Proactive (pre-populated)Both models are possible with OpenFlow

Reactive

• First packet of flow triggers controller to insert flow entries

• Efficient use of flow table• Every flow incurs small

additional flow setup time• If control connection lost,

switch has limited utility

Proactive

• Controller pre-populates flow table in switch

• Zero additional flow setup time

• Loss of control connection does not disrupt traffic

• Essentially requires aggregated (wildcard) rules

20

OpenFlow

• Controller to Switch Communication

x86 style instruction set

Based on Ethernet Switch with: OF software client

Hardware flow table

Control channel between switch and controller

TCP / SSL

OpenFlow-based SDN Controller

OpenFlow Client

**5.6.7.8*** port 1

Non-OF Control Path

ActionMAC src

MAC dst

IP Src

IP Dst

TCP sport

TCP dport

Flow table

22

OpenFlow Protocol (1)

SwitchPort

MACsrc

MACdst

Ethtype

VLANID

IPSrc

IPDst

IPProt

L4sport

L4dport

Match Fields Action(s) Stats

1. Forward packet to zero or more ports2. Encapsulate and forward to controller3. Modify Fields4. Vendor specific extensions

+ mask what fields to match

Packet + byte counters

VLANpcp

IPToS

©2012 – Big Switch Networks Inc.

23

OpenFlow Protocol (2)

Switch port

MAC src

MAC dst

Eth type

VLAN ID

IP Src IP Prot TCP sport

TCP dport

Action

Switching * * 00:1f:..

* * * * * * Port6

Flow switching

Port3 00:20..

00:1f..

0800 Vlan1 1.2.3.4 5.6.7.8 4 17264 Port6

Firewall * * * * * * * * 22 Drop

Routing * * * * * * 5.6.7.8 * * Port6

VLAN switching

* * 00:1f..

* Vlan1 * * * * Port6,port7, port8

©2012 – Big Switch Networks Inc.

OpenFlow in Action

SDN Controller

App

licatio

n

App

licatio

n

App

licatio

n

App

licatio

n

App

licatio

n

OF Switch

Rule Action Stats

OF Switch

OF Switch

Rule Action Stats Rule Action Stats

0101001010

Usage examples• Alice’s code:

– Simple learning switch – Per Flow switching– Network access

control/firewall– Static “VLANs”– Her own new routing protocol:

unicast, multicast, multipath– Home network manager– Packet processor (in

controller)– IPvAlice

Stanford demonstrated– VM migration– Server Load balancing– Mobility manager– Power management– Network monitoring

and visualization– Network debugging– Network slicing

… and much more you can create!

OpenFlow Implementations(Switch and Controller)

26

Ciena Coredirector

NEC IP8800

Current SDN hardwareJuniper MX-series

HP Procurve 5400

Pronto 3240/3290

WiMax (NEC)

PC EnginesNetgear 7324

27

Commercial Switch VendorsModel Virtualize Notes

HP Procurve 5400zl or 6600

1 OF instance per VLAN

-LACP, VLAN and STP processing before OpenFlow-Wildcard rules or non-IP pkts processed in s/w-Header rewriting in s/w-CPU protects mgmt during loop

NEC IP8800 1 OF instance per VLAN

-OpenFlow takes precedence-Most actions processed in hardware-MAC header rewriting in h/w

Pronto 3240 or 3290 with Pica8 or Indigo firmware

1 OF instance per switch

-No legacy protocols (like VLAN and STP)-Most actions processed in hardware-MAC header rewriting in h/w

28

Controller VendorsVendor Notes

Nicira’s NOX

•Open-source GPL•C++ and Python•Researcher friendly

Nicira’s ONIX

•Closed-source•Datacenter networks

SNAC •Open-source GPL•Code based on NOX0.4•Enterprise network•C++, Python and Javascript•Currently used by campuses

Vendor Notes

Stanford’s Beacon

•Open-source•Researcher friendly•Java-based

BigSwitch controller

•Closed source•Based on Beacon•Enterprise network

Maestro (from Rice Univ)

•Open-source•Based on Java

NEC’s Helios •Open-source•Written in C

29

Virtualizing OpenFlow

30

Windows(OS)

Windows(OS)

Linux MacOS

x86(Computer)

Windows(OS)

AppApp

LinuxLinuxMacOS

MacOS

Virtualization layer

App

Controller 1

AppApp

Controller2

Virtualization or “Slicing”

App

OpenFlow

Controller 1NOX(Network OS)

Controller2Network OS

Trend

Computer Industry Network Industry

Simple Packet Forwarding Hardware

Network Operating System 1

Open interface to hardware

Virtualization or “Slicing” Layer

Network Operating System 2

Network Operating System 3

Network Operating System 4

App App App App App App App App

Many operating systems, orMany versions

Open interface to hardware

Isolated “slices”

Simple Packet Forwarding Hardware

Simple Packet Forwarding Hardware

Simple Packet Forwarding Hardware

Simple Packet Forwarding Hardware

32

Switch Based VirtualizationExists for NEC, HP switches but not flexible enough

Normal L2/L3 Processing

Flow Table

Production VLANs

Research VLAN 1

Controller

Research VLAN 2

Flow Table

Controller

33

FlowVisor-based Virtualization

OpenFlow Switch

OpenFlowProtocol

OpenFlow FlowVisor & Policy Control

Craig’sController

Heidi’sControllerAaron’s

Controller

OpenFlowProtocol

OpenFlow Switch

OpenFlow Switch

34

Topology discovery is

per slice

OpenFlowProtocol

OpenFlowFlowVisor & Policy Control

Broadcast Multicast

OpenFlowProtocol

httpLoad-balancer

FlowVisor-based Virtualization

OpenFlow Switch

OpenFlow Switch

OpenFlow Switch

35

Separation not onlyby VLANs, but any

L1-L4 pattern

dl_dst=FFFFFFFFFFFF tp_src=80, ortp_dst=80

FlowSpace: Maps Packets to Slices

FlowVisor Message Handling

OpenFlowFirmware

Data Path

AliceController

BobController

CathyController

FlowVisor

OpenFlow

OpenFlow

Packet

Exception

Policy Check:Is this rule allowed?

Policy Check:Who controls this packet?

Full Line RateForwarding

Rule

Packet