OpenFlow: What’s it Good for? Apricot 2016
Pete Moyer, Principal Solutions Architect
Mar 11, 2018
Agenda
• SDN & OpenFlow Refresher ‒ How we got here
• SDN/OF Deployment Examples
• Other practical use cases for SDN/OF …
• Conclusion
© 2015 BROCADE COMMUNICATIONS SYSTEMS, INC. COMPANY: USE WITH PERMISSION
OpenFlow & SDN Refresher
“Data center networks are in my way” --James Hamilton
Software Defined Networking: Evolving Definition
• “A network in which the Control Plane is physically separated from the Data Plane” ‒ OpenFlow is the enabler
• SDN =? OpenFlow
• SDN > OpenFlow
• …
“Distribute what you must, centralize what you can …”
[Figure: three models side by side. Traditional: one router box holding both the Control Plane (software) and the Data Plane (hardware). SDN-OpenFlow: a Controller holds the Control Plane (software) and talks over APIs to routers that retain only the Data Plane (hardware). Hybrid: the router keeps its own Control Plane alongside the controller-driven one.]
OpenFlow Version History
• OpenFlow v1.0 (12/2009) ‒ L2 and L3 (IPv4) matching fields ‒ Many actions (including normal)
• OpenFlow v1.1 (02/2011) ‒ MPLS label/EXP matching fields ‒ Multiple flow tables, Group table ‒ Virtual ports
• OpenFlow v1.2 (12/2011) ‒ IPv6 matching fields ‒ Multiple controllers, role change
• OpenFlow v1.3 (4/2012) ‒ QOS Metering ‒ Capabilities & version negotiation
• OpenFlow v1.4 (8/2013) ‒ Improved capability discovery, extensibility
• OpenFlow v1.5 (12/2014) ‒ TCP Flag matching ‒ Egress Tables ‒ Improved metering
• OpenFlow v1.6 (2016?) ‒ Tunneling
• OF v2.0 or NG? (TBD) ‒ TTPs
• P4? ‒ http://www.sigcomm.org/sites/default/files/ccr/papers/2014/July/0000000-0000004.pdf
OF/SDN Deployment Examples
Google B4 OF/SDN Network
[Figure: Google B4 Inter-DC Backbone, as published 5/2013 and 4/2014]
Google B4 OF/SDN Network: Summarized Benefits
• Separate control plane from forwarding plane ‒ Choose HW based on necessary features ‒ Choose SW based on protocol requirements ‒ Decouple HW & SW innovation
• Logically centralize the network control plane ‒ Deterministic ‒ Efficient ‒ Global view
• Allow automation, flexibility and innovation
Achieved ~99% WAN link utilization
Internet2 SDN Backbone (7/2012)
[Figure: Internet2 Backbone Routers and the Internet2 OpenFlow flows installed on them, as shown by http://routerproxy.grnoc.iu.edu/al2s/]
A few more SDN Announcements (10/2012, 3/2014, 12/2015)
Other Deployment Examples: Where are they?
Another POV: “the demise of OpenFlow has been greatly exaggerated”
So … what (else) is OpenFlow good for?
SDN Use Cases (CONTROL, AUTOMATION, VISIBILITY)
• Volumetric Attack Mitigation
• Elephant Flow Management
• Firewall Bypass
• Policy Based Flow Forwarding
• Botnet Attack Mitigation
• SDN Based MPLS Traffic Engineering
• Bandwidth Scheduler
• Packet-Optical Integration
• WAN Network Virtualization
• Flow Metering
• SDN Based Wiretap
• VXLAN Monitoring
L2-L4 DDoS Mitigation Example Network: Volumetric Attack Mitigation
[Figure: Internet → BGP Border Router (hybrid) → Core Routers. An SDN App on Open Daylight installs a rule on the border router so the Incoming Attack Flow is discarded (Mitigation: Discard Flow).]
Flow Metering & Accounting: Improve network utilization and reliability
Flow Optimizer: Shipping, GA in May 2015; Committed for v1.1
[Figure: Campus / DC ↔ Router ↔ WAN / Internet. An sFlow Collector sends the flow parameters of interesting traffic to the SDN App (Flow Control, Analytic); the app installs an OF rule to Rate Limit on the router (OF based Metering) while the WAN or DC network keeps Normal L2/L3 Forwarding.]
Traditional REN “Science-DMZ”: Campus Firewall is a Performance Bottleneck
[Figure: WAN ↔ Enterprise Border Router/Firewall (10/40 GbE link) ↔ campus; a Science DMZ Switch on a 100 GbE link serving High performance Data Transfer Nodes with high-speed storage at 10G/40G.]
• Traditional Science-DMZ architecture connects science LAN outside FW
• Creates security exposure?
https://fasterdata.es.net/science-dmz/
SDN for Policy-Based Firewall Insertion / Bypass
[Figure: Enterprise Datacenter 1 (One-armed Firewall) and Enterprise Datacenter 2 (Inline Firewall) connected over the WAN / Internet. The Default Traffic Flow passes through the firewall; the Trusted Traffic Flow bypasses it under direction of the SDN Controller and SDN App.]
Operator driven or sFlow threshold driven policy enforcement for large trusted flows
Elephant Flow Management: Dynamic and Programmatic Action for an Efficient Network
Target for v1.2
[Figure: Campus / DC ↔ Router ↔ WAN / Cloud. The sFlow Collector reports matched flow parameters and action to the SDN App (Flow Policy Monitor); OF Matching on the router re-directs Elephants onto Dedicated paths or re-marks them Critical, while Regular Traffic uses Normal Forwarding. Programmable / Scheduled via Northbound API.]
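The Flow Metering, Firewall Bypass and Elephant Flow slides share one control loop: an sFlow collector reports sampled packets, the SDN app scales them back to an estimated rate per flow, and flows that cross a threshold get an OpenFlow action (rate-limit, or steer a trusted flow around the firewall). The following is an added Python example of that decision logic, not code from the presentation or from Brocade's Flow Optimizer; the sFlow samples, the 1-in-1000 sampling rate, the 10 s window, the 1 Gbit/s threshold and the trusted 10.100.64.0/24 prefix are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sFlow-like samples (not real collector output): each tuple is one
# sampled packet as (src, dst, proto, sport, dport, packet_bytes).
FLOW_A = ("10.100.64.10", "10.196.48.5", "tcp", 40000, 5001)   # transfer from a trusted prefix
FLOW_B = ("192.0.2.77", "10.250.64.2", "udp", 53, 53)           # heavy UDP from an untrusted source
FLOW_C = ("10.62.64.9", "10.79.213.25", "tcp", 51000, 443)     # ordinary web session
SAMPLES = [FLOW_A + (1500,)] * 900 + [FLOW_B + (1200,)] * 1200 + [FLOW_C + (600,)] * 3

SAMPLING_RATE = 1000            # assumed 1-in-1000 packet sampling on the router
WINDOW_SECONDS = 10             # assumed length of the collection window
ELEPHANT_BPS = 1_000_000_000    # assumed threshold: 1 Gbit/s
TRUSTED_PREFIXES = [ip_network("10.100.64.0/24")]   # assumed trusted (Science DMZ style) source prefix


@dataclass(frozen=True)
class FlowKey:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def estimate_bps(samples, sampling_rate, window_seconds):
    """Scale sampled byte counts back to an estimated bit rate per 5-tuple.

    With 1-in-N sampling each sampled packet stands in for N packets of the
    same size, so estimated bytes = sampled bytes * N; divide by the window
    length and multiply by 8 to get bit/s."""
    sampled_bytes = defaultdict(int)
    for src, dst, proto, sport, dport, size in samples:
        sampled_bytes[FlowKey(src, dst, proto, sport, dport)] += size
    return {k: v * sampling_rate * 8 / window_seconds for k, v in sampled_bytes.items()}


def is_trusted(flow, trusted_prefixes):
    return any(ip_address(flow.src) in prefix for prefix in trusted_prefixes)


def decide(flow, bps, threshold_bps, trusted_prefixes):
    """Policy for one flow: below the threshold nothing changes; an elephant
    from a trusted prefix is steered around the firewall; any other elephant
    gets an OpenFlow meter (rate-limit)."""
    if bps < threshold_bps:
        return "normal"
    if is_trusted(flow, trusted_prefixes):
        return "bypass-firewall"
    return "rate-limit"


def policy_decisions(samples, sampling_rate=SAMPLING_RATE, window_seconds=WINDOW_SECONDS,
                     threshold_bps=ELEPHANT_BPS, trusted_prefixes=TRUSTED_PREFIXES):
    """Map every observed flow to the action the SDN app would request."""
    rates = estimate_bps(samples, sampling_rate, window_seconds)
    return {flow: decide(flow, bps, threshold_bps, trusted_prefixes)
            for flow, bps in rates.items()}


if __name__ == "__main__":
    rates = estimate_bps(SAMPLES, SAMPLING_RATE, WINDOW_SECONDS)
    for flow, action in policy_decisions(SAMPLES).items():
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}/{flow.proto} "
              f"~{rates[flow] / 1e9:.2f} Gbit/s -> {action}")
```

Because sFlow is statistical, an estimate that sits near the threshold will flap from window to window; before installing a bypass or meter rule on the router a production app would require the threshold to hold for two consecutive windows and would give the rule an idle timeout so it withdraws itself when the flow ends.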
Or keep doing this?
route-map <name> permit 50
 match ip address 50
 set ip next-hop 172.16.10.10
route-map <name> permit 51
 match ip address 51
 set ip next-hop 172.16.11.11
route-map test permit 101
 rule-name <name>
 match ip address <ipv4-prefix-list>
 match ipv6 address <ipv6-prefix-list>
 set next-hop-flood-vlan 1013
 set interface null0
route-map <name> permit 102
 rule-name <name>
 match ip address <ipv4-prefix-list>
 match ipv6 address <ipv6-prefix-list>
 set next-hop-flood-vlan 1123
 set interface null0

ip access-list extended <name>
 permit ip any host 10.250.64.2
 permit ip any host 10.250.120.0
 permit ip any host 10.110.65.6
 permit ip any host 10.2333.120.4
 deny udp any host 10.223.98.8 eq 2152
 deny udp any host 10.223.98.5 eq 2152
 deny udp any host 10.223.98.3 eq 2152
 deny udp any eq 2152 host 10.223.98.8
 deny udp any eq 2152 host 10.223.98.5
 deny udp any eq 2152 host 10.223.98.3
 permit ip any host 10.119.65.7
 permit ip any host 10.119.65.11
access-list 10 permit any
access-list 50 permit 10.100.64.0 0.0.0.255
access-list 165 permit ip host 10.142.64.31 10.196.48.0 0.0.0.255
access-list 165 permit ip 10.62.64.0 0.0.0.255 host 10.79.213.25
access-list 165 permit ip host 10.72.64.2 host 10.79.213.11
ip access-list extended <name>
 permit vlan 1250 ip any any
 permit vlan 1251 ip any any
What about OpenFlow with MPLS?
[Figure: Data Center ↔ LER1 ↔ MPLS WAN with multiple RSVP-signaled LSPs (Gold, Silver, Bronze, etc) ↔ LER3 ↔ Data Center; an SDN App drives the ingress LER.]
• Different LSPs for application/traffic prioritization and traffic-engineering
• Classification at ingress into appropriate TE’d LSP (aka: flow-based forwarding)
• OF granularity for classification
• May also provide ingress policing/metering (eg. CAC function)
• OpenFlow rules for per-Application classification (and metering) applied at ingress LER
• Redirect action into MPLS LSP
But … there’s more! How do you get packet captures?
Current Network Visibility Mode of Operation
• Problem 1
 ‒ Obtaining data plane traffic visibility in production networks is *very* challenging
 ‒ Network probes are commonly deployed; or a dedicated out-of-band visibility network is deployed
  • Both approaches increase CAPEX
  • Both approaches limit the visibility of traffic to specific aggregation points in the network, either due to where the probes are deployed or where the network is tapped to send flows to the visibility fabric
• Problem 2
 ‒ Provisioning and operating a dynamic visibility solution is not efficient, nor in real-time
  • Hampers ability to troubleshoot real-time performance problems
• Problem 3
 ‒ Networking devices have many limitations in terms of providing specific data traffic to be monitored
 ‒ Switch/Router SPAN/RSPAN mirrors *all* traffic from one port to another port
 ‒ ACL-based port mirroring can provide traffic granularity; however …
  • At the expense of very complex CLI configurations
  • Lacks an efficient & dynamic update capability
  • Has scalability limitations
  • No central repository of these distributed, network wide ACL-based port mirroring configurations
SDN-based Inline Packet Capture Example
Committed for v1.1
• No network taps or probes
• Per-flow “in-line” visibility
• Surgical mirroring
• Centralized control
• No complex router configurations (ACL, PBR, SPAN, etc)
• No separate Visibility network required
[Figure: DC or Campus network → Router Ingress Port → Normal Forwarding Pipeline. The SDN App (SDN FlowTap) pushes Flow parameters to the router, and matching packets are copied to the Tool(s) / Analytics Network.]
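The “Discard Flow” rule of the volumetric attack slide, the ACL and route-map lines on the “Or keep doing this?” slide, and the FlowTap copy to a tool port are all the same OpenFlow primitive: a flow entry with a match and zero or more output actions, installed from one central place instead of per-box CLI. The following is an added Python example, not code from the presentation nor Brocade’s Flow Optimizer or FlowTap, that encodes OpenFlow 1.3 OFPT_FLOW_MOD messages in the wire format of the OF 1.3 specification and translates a few of the slide’s own extended access-list entries into them: deny becomes an entry with no instructions (drop, the border-router discard case), permit becomes OUTPUT to OFPP_NORMAL so the router’s normal L2/L3 pipeline still forwards the packet, and an optional second OUTPUT to an assumed tool port (7 here) gives the inline capture case. The small ACL parser, the tool port number, table 0 and priority 100 are assumptions of the example; the returned bytes are what the controller would write on its OpenFlow channel to the router, which is not shown.

```python
import socket
import struct

# OpenFlow 1.3 constants (values as defined in the OF 1.3 specification)
OFP_VERSION = 0x04
OFPT_FLOW_MOD = 14
OFPFC_ADD = 0
OFPMT_OXM = 1
OFPP_NORMAL = 0xfffffffa      # hand the packet to the router's normal L2/L3 pipeline
OFPP_ANY = 0xffffffff
OFPG_ANY = 0xffffffff
OFP_NO_BUFFER = 0xffffffff
OFPIT_APPLY_ACTIONS = 4
OFPAT_OUTPUT = 0
OFPCML_NO_BUFFER = 0xffff
OFPXMC_OPENFLOW_BASIC = 0x8000
# OXM basic match fields used here: name -> (OFPXMT_OFB_* id, value length in bytes)
OXM = {"eth_type": (5, 2), "ip_proto": (10, 1), "ipv4_src": (11, 4),
       "ipv4_dst": (12, 4), "udp_src": (15, 2), "udp_dst": (16, 2)}
TOOL_PORT = 7                 # assumed OpenFlow port number facing the analytics tool


def oxm_tlv(name, value):
    """One OXM TLV: class, (field << 1 | hasmask=0), value length, value."""
    field, length = OXM[name]
    raw = socket.inet_aton(value) if name.startswith("ipv4") else value.to_bytes(length, "big")
    return struct.pack("!HBB", OFPXMC_OPENFLOW_BASIC, field << 1, length) + raw


def ofp_match(fields):
    """ofp_match: type, length (4-byte header + TLVs, padding excluded), zero-padded to 8."""
    tlvs = b"".join(oxm_tlv(n, v) for n, v in fields.items())
    length = 4 + len(tlvs)
    return struct.pack("!HH", OFPMT_OXM, length) + tlvs + b"\x00" * ((-length) % 8)


def output_action(port):
    # ofp_action_output: type, len=16, port, max_len, 6 bytes of padding
    return struct.pack("!HHIH6x", OFPAT_OUTPUT, 16, port, OFPCML_NO_BUFFER)


def apply_actions(actions):
    body = b"".join(actions)
    return struct.pack("!HH4x", OFPIT_APPLY_ACTIONS, 8 + len(body)) + body


def flow_mod(fields, out_ports, priority=100, hard_timeout=0, xid=1):
    """OFPT_FLOW_MOD adding a table-0 entry. An empty instruction list means the
    matched packets are dropped; otherwise Apply-Actions carries one OUTPUT per port."""
    match = ofp_match(fields)
    instr = apply_actions([output_action(p) for p in out_ports]) if out_ports else b""
    body = struct.pack("!QQBBHHHIIIH2x", 0, 0, 0, OFPFC_ADD, 0, hard_timeout, priority,
                       OFP_NO_BUFFER, OFPP_ANY, OFPG_ANY, 0)
    total = 8 + len(body) + len(match) + len(instr)
    return struct.pack("!BBHI", OFP_VERSION, OFPT_FLOW_MOD, total, xid) + body + match + instr


def _endpoint(tokens, i):
    """Parse 'any' or 'host A.B.C.D', optionally followed by 'eq PORT'."""
    addr = None
    if tokens[i] == "any":
        i += 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address spec: {tokens[i]}")
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return addr, port, i


def acl_entry_to_flow_mod(line, xid=1, mirror_port=None):
    """Translate one 'permit|deny ip|udp <src> <dst>' entry into a flow mod:
    permit -> OUTPUT NORMAL (plus a copy to mirror_port when given, the FlowTap
    case); deny -> drop. Only the subset of the ACL syntax on the slide is handled."""
    t = line.split()
    verb, proto = t[0], t[1]
    src, sport, i = _endpoint(t, 2)
    dst, dport, _ = _endpoint(t, i)
    fields = {"eth_type": 0x0800}          # IPv4
    if proto == "udp":
        fields["ip_proto"] = 17
    elif proto == "ip":
        if sport is not None or dport is not None:
            raise ValueError(f"port match needs a transport protocol: {line}")
    else:
        raise ValueError(f"unsupported protocol: {proto}")
    if src is not None:
        fields["ipv4_src"] = src
    if dst is not None:
        fields["ipv4_dst"] = dst
    if sport is not None:
        fields["udp_src"] = sport
    if dport is not None:
        fields["udp_dst"] = dport
    ports = [] if verb == "deny" else [OFPP_NORMAL] + ([mirror_port] if mirror_port else [])
    return flow_mod(fields, ports, xid=xid)


if __name__ == "__main__":
    for n, entry in enumerate(["permit ip any host 10.250.64.2",
                               "deny udp any host 10.223.98.8 eq 2152",
                               "deny udp any eq 2152 host 10.223.98.8"], start=1):
        msg = acl_entry_to_flow_mod(entry, xid=n, mirror_port=TOOL_PORT)
        print(f"{entry:40s} -> {len(msg):3d}-byte FLOW_MOD {msg.hex()}")
```

Two points a defender should check before relying on this in place of the ACL: OFPP_NORMAL only works on a hybrid switch (the “BGP Border Router (hybrid)” of the DDoS slide), so verify the router advertises it, and a mirror entry copies every packet of the matched flow, so give it a hard timeout and log each installed xid so a capture rule cannot quietly outlive the troubleshooting session that needed it.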
Conclusions
• OF-based SDN is here. Deployed … ‒ A few examples provided ‒ OF-based forwarding of normal traffic; network transport ‒ Centralized control plane
• OF-based SDN can solve many other problems ‒ As a tool for programmatic control of policy ‒ Centrally managed ACL & PBR replacement ‒ OF-based exception handling of interesting traffic; network services
• Normal traffic forwarded normally ‒ Solves various operational use cases