Transcription

Introduction toOpenFlow.OverviewPlanes of Networking2. OpenFlow3. OpenFlow Operation4. OpenFlow Switches including Open vSwitch5. OpenFlow Evolution6. Current Limitations and IssuesNote: This is the first module of four modules on OpenFlow,OpenFlow Controllers, SDN and NFV in this course.1.Raj JainWashington University in Saint LouisSaint Louis, MO [email protected] slides and audio/video recordings of this class lecture are at:http://www.cse.wustl.edu/ jain/cse570-18/Washington University in St. Louishttp://www.cse.wustl.edu/ jain/cse570-18/ 2018 Raj JainWashington University in St. Louis15-1 2018 Raj Jain15-2Planes of Networking (Cont)Planes of Networking http://www.cse.wustl.edu/ jain/cse570-18/Data Plane: All activities involving as well asresulting from data packets sent by the end user, e.g.,¾ Forwarding¾ Fragmentation and reassembly¾ Replication for multicastingControl Plane: All activities that are necessary to perform dataplane activities but do not involve end-user data packets¾ Making routing tables¾ Setting packet handling policies (e.g., security)¾ Base station beacons announcing availability of services Management Plane: All activities related toprovisioning and monitoring of the networks¾ Fault, Configuration, Accounting, Performance and Security(FCAPS).¾ Instantiate new devices and protocols (Turn devices on/off)¾ Optional May be handled manually for small networks.Services Plane: Middlebox services to improve performance orsecurity, e.g.,¾ Load Balancers, Proxy Service, Intrusion Detection,Firewalls, SSL Off-loaders¾ Optional Not required for small networksRef: Open Data Center Alliance Usage Model: Software Defined Networking Rev Software Defined Networking Master Usage Model Rev1.0.pdfWashington University in St. Louishttp://www.cse.wustl.edu/ jain/cse570-18/15-3 2018 Raj JainWashington University in St. Louishttp://www.cse.wustl.edu/ jain/cse570-18/15-4 2018 Raj Jain

Data vs. Control Logic OpenFlow: Key IdeasData plane runs at line rate,e.g., 100 Gbps for 100 Gbps Ethernet Fast Path Typically implemented using special hardware,e.g., Ternary Content Addressable Memories (TCAMs)Some exceptional data plane activities are handled by the CPUin the switch Slow pathe.g., Broadcast, Unknown, and Multicast (BUM) trafficAll control activities are generally handled by CPU1.2.3.Separation of control and data planesCentralization of controlFlow based controlControl LogicData LogicWashington University in St. LouisRef: N. McKeown, et al., OpenFlow: Enabling Innovation in Campus Networks," ACM SIGCOMM CCR,Vol. 38, No. 2, April 2008, pp. 69-74.http://www.cse.wustl.edu/ jain/cse570-18/ 2018 Raj JainWashington University in St. Louis15-5ControlOpenFlow mentOpenFlowProtocolOpenFlowForwardingElement ForwardingElementhttp://www.cse.wustl.edu/ jain/cse570-18/15-7 On packet arrival, match the header fields with flow entries in atable, if any entry matches, update the counters indicated in thatentry and perform indicated actionsFlow Table:Header Fields Counters ActionsSecureChannelHeader Fields Counters Actions Flow TableHeader Fields Counters ActionsControl logic is moved to a controllerSwitches only have forwarding elementsOne expensive controller with a lot of cheap switchesOpenFlow is the protocol to send/receive forwarding rulesfrom controller to switchesWashington University in St. Louis 2018 Raj Jain15-6Separation of Control and Data PlaneDatahttp://www.cse.wustl.edu/ jain/cse570-18/ 2018 Raj JainIngress Ether Ether VLAN VLAN IP IP IPIP Src L4 Dst L4PortSource Dest IDPriority Src Dst Proto ToS PortPortRef: c-v1.0.0.pdfhttp://www.cse.wustl.edu/ jain/cse570-18/Washington University in St. Louis15-8 2018 Raj Jain

Set Input PortEther SrcEther DstEther TypeSet all others to zeroFlow Table ExampleCounterActionDst L4 PortICMP CodeSrc L4 PortICMP TypeIP ToSIP ProtoDst IPSrc IPEtherTypePriority VLAN ID Dst MAC Src MACPort*****EtherType 0x8100?N* 0A:C8:* * * * **** * * Port 1*** * * * 192.168.*.*** * * Port 2*** * * **** 21 21 Drop*** * * **0x806 * * * Local*** * * **0x1* * * * Controller1022024204441EtherType 0x0806?NEtherType 0x0800? 2018 Raj JainSet VLAN IDY Set VLAN PriorityUse EtherType in VLAN tagfor next EtherType CheckYSet IP Src, IP DstIP Proto, IP ToSfrom within ARPY Set IP Src, IP DstIP Proto, IP ToSNIdle timeout: Remove entry if no packets received for this timeHard timeout: Remove entry after this timeIf both are set, the entry is removed if either one expires.Ref: S. Azodolmolky, "Software Defined Networking with OpenFlow," Packt Publishing, October 2013, 152 pp.,ISBN:978-1-84969-872-6 (Safari Book)http://www.cse.wustl.edu/ jain/cse570-18/Washington University in St. LouisMatchingPer PortReceived PacketsTransmitted PacketsReceived Byteshttp://www.cse.wustl.edu/ jain/cse570-18/15-11Not IP Y IP ProtoFragment? 6 or 7YSend to ControllerYSet Src Port,Dst Port forL4 fieldsNWashington University in St. Louishttp://www.cse.wustl.edu/ jain/cse570-18/ 2018 Raj JainActions Per QueueTransmit PacketsTransmit BytesTransmit overrunerrorsDuration (nanosecs) Transmitted BytesReceive DropsTransmit DropsReceive ErrorsTransmit ErrorsReceive FrameAlignment ErrorsReceive OverrunerorrsReceive CRCErrorsCollisionsWashington University in St. LouisMatchTable n?ApplyActions15-10CountersPer FlowReceived PacketsReceived BytesDuration (Secs)NNNYUse ICMP TypeIP Proto Yand code for 1?L4 FieldsPacket lookupNusing assignedheader fields15-9Per TableActive EntriesPacket LookupsPacket MatchesMatchTable 0? 2018 Raj JainForward to Physical Port i or to Virtual Port:¾ All: to all interfaces except incoming interface¾ Controller: encapsulate and send to controller¾ Local: send to its local networking stack¾ Table: Perform actions in the flow table¾ In port: Send back to input port¾ Normal: Forward using traditional Ethernet¾ Flood: Send along minimum spanning tree except theincoming interfaceEnqueue: To a particular queue in the port QoSDropModify Field: E.g., add/remove VLAN tags, ToS bits, ChangeTTLWashington University in St. Louishttp://www.cse.wustl.edu/ jain/cse570-18/15-12 2018 Raj Jain

Actions (Cont) Open vSwitchMasking allows matching only selected fields,e.g., Dest. IP, Dest. MAC, etc.If header matches an entry, corresponding actions are performedand counters are updatedIf no header match, the packet is queued andthe header is sent to the controller, which sends a new rule.Subsequent packets of the flow are handled by this rule.Secure Channel: Between controller and the switch using TLSModern switches already implement flow tables, typically usingTernary Content Addressable Memories (TCAMs)Controller can change the forwarding rules if a client moves Packets for mobile clients are forwarded correctlyController can send flow table entries beforehand (Proactive) orSend on demand (Reactive). OpenFlow allows both models.Washington University in St. Louishttp://www.cse.wustl.edu/ jain/cse570-18/ 2018 Raj Jain Open Source Virtual SwitchNicira ConceptCan Run as a stand alone hypervisor switch or as a distributedswitch across multiple physical serversDefault switch in XenServer 6.0, Xen Cloud Platform andsupports Proxmox VE, VirtualBox, Xen KVMIntegrated into many cloud management systems includingOpenStack, openQRM, OpenNebula, and oVirtDistributed with Ubuntu, Debian, Fedora Linux. Also FreeBSDIntel has an accelerated version of Open vSwitch in its ownData Plane Development Kit (DPDK)Ref: http://openvswitch.org/Washington University in St. Louis15-13Open vSwitch Features (Cont)Inter-VM communication monitoring via:¾ NetFlow: Cisco protocol for sampling and collecting trafficstatistics (RFC 3954)¾ sFlow: Similar to NetFlow by sflow.org (RFC 3176)¾ Jflow: Juniper’s version of NetFlow¾ NetStream: Huawei’s version of NetFlow¾ IPFIX: IP Flow Information Export Protocol (RFC 7011) IETF standard for NetFlow¾ SPAN, RSPAN: Remote Switch Port Analyzer – portmirroring by sending a copy of all packets to a monitor port¾ GRE-tunneled mirrors: Monitoring device is remotelyconnected to the switch via a GRE tunnelWashington University in St. Louishttp://www.cse.wustl.edu/ jain/cse570-18/15-15 2018 Raj Jain15-14Open vSwitch Features http://www.cse.wustl.edu/ jain/cse570-18/ 2018 Raj Jain Link Aggregation Control Protocol (LACP)IEEE 802.1Q VLANIEEE 802.1ag Connectivity Fault Management (CFM)Bidirectional Forwarding Detection (BFD) to detect link faults(RFC 5880)IEEE 802.1D-1998 Spanning Tree Protocol (STP)Per-VM traffic policingOpenFlowMulti-table forwarding pipelineIPv6GRE, VXLAN, IPSec tunnelingKernel and user-space forwarding engine optionsWashington University in St. Louishttp://www.cse.wustl.edu/ jain/cse570-18/15-16 2018 Raj Jain

OVSDB OpenFlow V1.1Open vSwitch Database Management Protocol (OVSDB)Monitoring capability using publish-subscribe mechanismsStores both provisioning and operational stateJava Script Object Notation (JSON) used for schema formatand for JSON-RPC over TCP for wire protocol (RFC 4627)Control and Mgmt Cluster database-schema OVSDBOpenFlow“name”: id OVSDB Server ovs-vswitchd“version”: version Forwarding Path“tables”: { id : table-schema , }RPC Methods: List databases, Get Schema, Update, Lock, Open vSwitch project includes open source OVSDB client andserver implementationsRef: B. Pfaff and B. Davie, “The Open vSwitch Database Management Protocol,” IETF draft, Oct proto-04http://www.cse.wustl.edu/ jain/cse570-18/Washington University in St. Louis 2018 Raj Jain Table 1Start at Table 0 YesGotoTable n?NoExecuteAction SetYesNoDrop PacketSource: OpenFlow Switch Specification, V1.4.1Washington University in St. Louishttp://www.cse.wustl.edu/ jain/cse570-18/15-19Group TableAction Set {1,3,6, }http://www.cse.wustl.edu/ jain/cse570-18/ 2018 Raj JainOpenFlow V1.1 (Cont) Table-MissFlow EntryExists?Table n15-18Packet InNoTable 3Action Set {1}Washington University in St. LouisOpenFlow V1.1 (Cont)Match inTable n?Table 2Action Set {}15-17Update CountersYes Execute InstructionsUpdate Action setUpdate Packet/Match Set fieldsUpdate MetadataV1: Perform action on a match. Ethernet/IP only. Single PathDid not cover MPLS, Q-in-Q, ECMP, and efficient MulticastV1.1 Introduced Table chaining, Group Tables, and addedMPLS Label and MPLS traffic class to match fields.Table Chaining: On a match, instruction may be ControllerOpenFlow¾ Immediate actions: modify packet,update match fields and/orSecureGroupChannelTable¾ Update action set, and/orFlowFlow¾ Send match data and action set to Table n,TableTable¾ Go to Group Table entry n 2018 Raj Jain On a miss, the instruction may be to send packet to controlleror continue processing with the sequentially next tableGroup Tables: each entry has a variable number of buckets¾ All: Execute each bucket. Used for Broadcast, Multicast.¾ Select: Execute one switch selected bucket. Used for portmirroring. Selection may be done by hashing some fields.¾ Indirect: Execute one predefined bucket.¾ Fast Failover: Execute the first live bucket Live portNew Features supported:¾ Multipath: A flow can be sent over one of several paths¾ MPLS: multiple labels, traffic class, TTL, push/pop labels¾ Q-in-Q: Multiple VLAN tags, push/pop VLAN headers¾ Tunnels: via virtual portsRef: c-v1.1.0.pdfhttp://www.cse.wustl.edu/ jain/cse570-18/Washington University in St. Louis15-20 2018 Raj Jain

OpenFlow V1.21.2.3.OpenFlow 1.3IPv6 Support: Matching fields include IPv6 source address,destination address, protocol number, traffic class. ICMPv6type, ICMPv6 code, IPv6 neighbor discovery header fields,and IPv6 flow labels.Extensible Matches: Type-Length-Value (TLV) structure.Previously the order and length of match fields was fixed.Experimenter extensions through dedicated fields and codepoints assigned by ONF Ref: enflow-spec-v1.2.pdfhttp://www.cse.wustl.edu/ jain/cse570-18/Washington University in St. Louis 2018 Raj JainIPv6 extension headers: Can check if Hop-by-hop, Router,Fragmentation, Destination options, Authentication, EncryptedSecurity Payload (ESP), unknown extension headers arepresentMPLS Bottom-of-Stack bit matchingMAC-in-MAC encapsulationTunnel ID meta data: Support for tunnels (VxLAN, )Per-Connection Event Filtering: Better filtering ofconnections to multiple controllersMany auxiliary connections to the controller allow to exploitparallelismBetter capability negotiation: Requests can span multiplemessagesMore general experimenter capabilities allowedA separate flow entry for table miss actionsRef: enflow-spec-v1.3.0.pdfhttp://www.cse.wustl.edu/ jain/cse570-18/Washington University in St. Louis 2018 Raj Jain15-2115-22OpenFlow V1.3 (Cont)OpenFlow V1.3 (Cont) ¾Cookies: A cookie field with policy identifier is added tomessages containing new packets sent to the controller. Thishelps controller process the messages faster than if it had tosearch its entire database.Duration: Duration field has been added to most stats. Helpscompute rates.Per-flow counters can be disabled to improve performancePer Flow Meters and meter bandsMeter: Switch element that can measure and control the rate ofpackets/bytes.¾ Meter Band: If the packet/byte rate exceeds a pre-definedthreshold the meter has triggered the bandBand 2Band 1¾ A meter may have multiple bandsTimeWashington University in St. Louishttp://www.cse.wustl.edu/ jain/cse570-18/15-23 2018 Raj Jain¾¾¾If on triggering a band the meter drops the packet, it iscalled rate limiter.Other QoS and policing mechanisms can be designed usingthese metersPer-Flow QoS: Meters are attached to a flow entry not to aqueue or a port.Multiple flow entries can all point to the same meter.Match Fields Priority Counters Instructions Timeouts Timeouts CookieNew Instruction: Meter Meter IDMeter ID Meter Bands CountersBand Type Rate Counters Type Specific Arguments1. Drop2. Remark DSCPWashington University in St. Louiskb/sBursthttp://www.cse.wustl.edu/ jain/cse570-18/15-24 2018 Raj Jain

OpenFlow V1.4 OpenFlow V1.4.1Optical ports: Configure and monitor transmit and receivefrequencies of lasers and their powerImproved Extensibility: Type-Length-Value (TLV) encodingsat most places Easy to add new features in futureExtended Experimenter Extension API: Can easily addports, tables, queues, instructions, actions, etc.More information when a packet is sent to controller, e.g., nomatch, invalid TTL, matching group bucket, matching action, .Controllers can select a subset of flow tables for monitoringSwitches can evict entries of lower importance if table fullSwitches can notify controller if table is getting fullAtomic execution of a bundle of instructionsRef: enflow-spec-v1.4.0.pdfhttp://www.cse.wustl.edu/ jain/cse570-18/Washington University in St. Louis 2018 Raj Jain1.2.1.Bundle: Atomic Instruction Group¾A group of instructions from the controller that are eitherall executed or all not executed¾A bundle may be sent to many switches and then appliedat approximately same time on commit request from thecontroller2. Flow Table Monitoring: Synchronization in a multicontroller system¾ Notify a controller if a set of flow table entries is modifiedby another controller3. Bug fixesRef: OpenFlow Switch Specification, V 1.4.1, March 26, 2015http://www.cse.wustl.edu/ jain/cse570-18/Washington University in St. Louis 2018 Raj Jain15-2515-26OpenFlow V1.5OpenFlow Evolution SummaryEgress Tables: actions toControllerControllerbe done when exitingthrough a port (encapsulateOFOFGroup Meteror decapsulate a packet,Channel Channel Table Tabletunnels)PortPortFlowFlowPacket Type: Can nowTableTablePortPorthandle non-Ethernetpackets, e.g., IP packetsTCP Flags Matching: Syn, Ack, and Fin may be used to detectbeginning and end of a TCP connectionOpenFlow V1.5.1: Bug Fixes, March 2015MPLS, Q-in-QEfficient multicastECMP Multiple TablesDec 2009 Feb 2011 Dec 2011 Apr 2012 Jun 2012V1.0V1.1V1.2V1.3V1.3.13.Ref: OpenFlow Switch Specification, V 1.5.1, March 26, cse.wustl.edu/ jain/cse570-18/Washington University in St. Louis15-27 2018 Raj JainMAC-in-MACMultiple channelsbetween switchand controllerSingle Flow TableEthernet/IPv4Washington University in St. LouisIPv6TLV matchingMultiple controllersSep 2012 Sep 2013V1.3.2V1.3.3Bug Fixhttp://www.cse.wustl.edu/ jain/cse570-18/15-28Bug FixIANATCPPort6653 2018 Raj Jain

OpenFlow Evolution Summary (Cont)Bootstrapping MinorChangesOTNExperimentersBundlesTable fullEgress TablesNon-Ethernet PacketsTCP Flags Matching Mar 2014 Mar 2015 Oct 2013 Mar 2015 Dec 2014 Mar 2015V1.3.4V1.3.5V1.4V1.4.1V1.5.0V1.5.1 Instruction BundlesFlow Table MonitoringMultiple controllersMinorChangesWashington University in St. Louishttp://www.cse.wustl.edu/ jain/cse570-18/ Bug Fix 2018 Raj JainSwitches require initial configuration: Switch IP address,Controller IP address, Default gatewaySwitches connect to the controllerSwitch provides configuration information about portsController installs a rule to forward LLDP packets to controllerand then sends, one by one, LLDP packets to be sent out to porti (i 1, 2, , n) which are forwarded to respective neighbors.The neighbors send the packets back to controller.Controller determines the topology from LLDP packetsLLDP is a one-way protocol to advertise the capabilities atfixed intervals.Ref: S. Sharma, et al., “Automatic Bootstrapping of OpenFlow Networks,” 19th IEEE Workshop on LANMAN, 2013, pp. 1-6,http://ieeexplore.ieee.org/stamp/stamp.jsp?tp &arnumber 6528283 (Available to subscribers only)http://www.cse.wustl.edu/ jain/cse570-18/Washington University in St. Louis 2018 Raj Jain15-2915-31OpenFlow Configuration Protocol(OF-Config) OF-Config (Cont)OpenFlow Control Point: Entity that configures OpenFlowswitchesOF-Config: Protocol used for configuration and managementof OpenFlow Switches.Assignment of OF controllers so that switches can initiateconnections to them:¾ IP address of controllerOpenFlowOpenFlow¾ Port number at the controllerConfigurationController¾ Transport protocol:PointOpenFlowTLS or TCPOF-ConfigProtocol¾ Configuration of queues(min/max rates) and portsOpenFlow¾ Enable/disable receive/forwardSwitchOperational Contextspeed, media on portsRef: Cisco, “An Introduction to OpenFlow,” Feb n network environment/docs/cisco one webcastan introduction to openflowfebruary142013.pdfWashington University in St. Louishttp://www.cse.wustl.edu/ jain/cse570-18/15-32 2018 Raj Jain A physical switch one or more logical switcheseach controlled by an OF ControllerOF-Config allows configuration of logical lerOpenFlowProtocolOF-ConfigOF Capable SwitchOF LogicalSwitch OF LogicalSwitchRef: ONF, “OpenFlow Management and Configuration Protocol (OF-Config 1.1.1),” March 23, edu/ jain/cse570-18/Washington University in St. Louis 2018 Raj Jain15-33

OF-Config Concepts OF-Config EvolutionOF Capable Switch: Physical OF switch.Can contain one or more OF logical switches.OpenFlow Configuration Point: configuration serviceOF Controller: Controls logical switch via OF protocolOperational Context: OF logical switchOF Queue: Queues of packets waiting for forwardingOF Port: forwarding interface. May be physical or l