Control & Data Planes TELE4642: Week6


Overview

• Forwarding plane hardware / software
  - Pure versus hybrid
• Control plane software
  - Network "Operating System"; features
• Network applications
  - Network policy
  - Interfaces / APIs / REST ("north-bound")

6-2 Network Performance

Recap: SDN?

[Figure: device A and device B, each with a management plane, a control plane and a data plane; with SDN the control planes of both devices move into an SDN controller and only the data planes stay on the devices.]

The physical separation of the control plane from the forwarding plane

Recap: SDN – open networking

[Figure: the same SDN controller view, with device A built from SW & HW from vendor A on the left versus SW from vendor X & HW from vendor A on the right.]

• Segregation of SW from HW
• Choosing SW independent of HW

SDN Switches

• Hardware-based SDN-only switches (white-boxes):
  - Pica8, NoviFlow, Corsa, Allied Telesis, …
  - No legacy support for MAC learning, routing protocols, SNMP
  - Suitable for greenfield sites: data-centers
  - Have space limitations on saving flow table entries
• Software-based OpenFlow switches
  - OpenFlow-enabled software switch (runs on an x86 commodity computer)
  - Performance is relatively low
  - Store a large amount of flow entries with bound (theoretically)
  - Under active development, support the most recent OpenFlow spec

SDN Switches

• Hybrid switches (SDN + legacy):
  - HP, Cisco, Juniper, …
  - SDN is treated as an "exception":
    - Only selected packets/flows undergo SDN processing
    - Incremental deployment, based on use-cases

Hardware-based OpenFlow Switches

[Figure: vendor logos of hardware-based OpenFlow switches: Ciena CoreDirector, NEC IP8800, Juniper MX-series, HP ProCurve 5400, Pronto 3240/3290, NoviFlow, Allied Telesis, Netgear 7324, Pica8; "More coming soon...".]

Software-based OpenFlow Switches (1/2)

• Open vSwitch (OVS)
  - Overview
    - A virtual switch or Virtual Ethernet Bridge (VEB)
    - User-space: configuration, control
    - Kernel-space: datapath (included in the main Linux kernel from v3.3)
  - Features
    - Supports the OpenFlow protocol
    - Supports multiple tunneling protocols: VXLAN, Ethernet over GRE, IPsec, GRE over IPsec
    - Fine-grained QoS
  - Main components
    - ovs-vswitchd: a daemon that implements the switch
    - ovsdb-server: lightweight database server that ovs-vswitchd queries
    - ovs-vsctl: a utility for querying and updating the configuration of ovs-vswitchd
    - ovs-dpctl: a tool for configuring and monitoring the switch kernel module
    - ovs-ofctl: a tool for monitoring and administering OpenFlow switches

Software-based OpenFlow Switches (2/2)

[Figure: Open vSwitch architecture.]

  # Create an OVS bridge:
  ovs-vsctl add-br mySDNswitch

  # add controller:
  ovs-vsctl set-controller mySDNswitch tcp:10.0.0.1:6633

  # add em1 and em2 to the bridge
  ovs-vsctl add-port mySDNswitch em1
  ifconfig em1 0
  ovs-vsctl add-port mySDNswitch em2
  ifconfig em2 0

  # list flow entries of the bridge
  ovs-ofctl -O OpenFlow13 dump-flows mySDNswitch

Hybrid OpenFlow Switch (1/3)

• Problems of the software-based switch
  - Cannot fully utilize the hardware resources
    - E.g., OVS only exploits a single CPU core
  - Tightly coupled with the OS kernel
    - Increases the management complexity
  - Low performance
    - Massive RX interrupt handling for the NIC device
    - Shared data access between threads: the contention becomes the bottleneck
• Hybrid OpenFlow switch
  - Separates the roles of the virtual switch into two parties
    - Hardware: pure packet processing
    - Software: switch abstraction (e.g., flow table)
  - Data Plane Development Kit (DPDK)
    - A set of libraries and drivers for fast packet processing
    - Works together with the x86 CPU
    - Fast network I/O in user space

Hybrid OpenFlow Switch (2/3)

[Figure: two hybrid switches, each with an OF agent and its flow table next to the legacy control plane and its legacy table; the OF agents are connected to the OF controller.]

Hybrid OpenFlow Switch (3/3)

• Packet processing using multi-core CPUs
  - Exploit many-core CPUs
  - Decouple I/O processing and flow processing
  - Explicit thread assignment to CPU cores

[Figure: NIC 1-4 RX buffers feed I/O RX threads on CPU0 and CPU1; ring buffers pass packets to flow lookup / packet processing threads on CPU2-CPU5; further ring buffers feed I/O TX threads on CPU6 and CPU7, which write the NIC 1-4 TX buffers.]

OpenFlow NORMAL action

[Figure: hybrid switch with an OF agent connected to the OF controller; a flow table entry with action: NORMAL passes the packet from the OpenFlow flow table to the legacy table, which forwards it conventionally.]

Control Plane (1/2)

• Problem statement
  - New functions require new hardware
  - No support for network-wide control or high-level abstractions
  - Distributed control reduces controllability

[Figure: Switch 1 … Switch n, each with its own control and datapath and hard-wired functions F1 … Fn, supervised by a Network Management System (NMS).]
  - Distributed control: per-box control; Config/Mgmt ≠ fine-grained control
  - HW functions: inflexible, proprietary, expensive
  - Management, no controllability: monitoring collects network-wide statistics using CLI, SNMP and NetConf interfaces; there is no real control of packet/flow forwarding; not much can be done with the monitored data…

Control Plane (2/2)

• Solution
  - Need a Network Operating System (NOS) that provides a uniform and centralized programmatic interface to the entire network
  - The NOS does not manage the network itself; instead it provides a programmatic interface

[Figure: Switch 1 … Switch n keep only their datapaths with functions F1, F2, F3 … Fn; control is moved to an external controller running the Network Operating System (NOS), which exposes an Application Programming Interface (API).]
  - Controllability: fully removed to the external controller; centralized control

A basic App: Topology Discovery

[Figure: three switches S1, S2 and S3, each with ports 1 and 2, interconnected.]

• Purpose
  - To construct an entire network view
• Method
  - Use the Link Layer Discovery Protocol (LLDP)

Topology Discovery: step 1

[Figure: the controller knows the port lists S1: ports 1, 2; S2: ports 1, 2; S3: ports 1, 2. Each switch has been given the flow entry "match: LLDP, action: CTRL".]

Topology Discovery: step 2

[Figure: same network and flow entries as step 1. The controller sends a PACKET_OUT to S1 carrying an LLDP frame, with action: output P1.]

Topology Discovery: step 3

[Figure: same as step 2. S2 receives the LLDP frame, matches its "match: LLDP, action: CTRL" entry and sends a PACKET_IN from S2 with in_port: P1; the controller thereby learns that S1 port 1 connects to S2 port 1.]

Topology Discovery

[Figure: same as step 3.]

After step 3, the procedure repeats for each port of each switch.
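The three steps above, simulated in Python as an added example (not code from the slides): the controller installs the LLDP-to-controller rule, sends one LLDP PACKET_OUT per known port and learns a link from each PACKET_IN. The wiring table, the switch and port names and the shape of the LLDP payload are constructed assumptions.

```python
# Constructed wiring the controller must discover: (switch, port) -> (switch, port), both directions.
WIRING = {
    ("S1", 1): ("S2", 1), ("S2", 1): ("S1", 1),
    ("S1", 2): ("S3", 1), ("S3", 1): ("S1", 2),
    ("S2", 2): ("S3", 2), ("S3", 2): ("S2", 2),
}
# What the controller already knows from each switch's port list (slide: S1: ports 1, 2; ...).
PORTS = {"S1": [1, 2], "S2": [1, 2], "S3": [1, 2]}


def install_lldp_rules(ports):
    """Step 1: every switch gets the entry 'match: LLDP, action: CTRL'."""
    return {sw: [{"match": "LLDP", "action": "CTRL"}] for sw in ports}


def switch_receive(switch, in_port, frame, flows):
    """Data plane side: a frame hitting the LLDP rule goes up as PACKET_IN with its in_port."""
    for entry in flows[switch]:
        if entry["match"] == frame["type"] and entry["action"] == "CTRL":
            return {"PACKET_IN": switch, "in_port": in_port, "payload": frame}
    return None  # no matching entry: dropped in this model


def discover(ports, wiring):
    """Steps 2-3 for every port of every switch; returns the learned links as sorted endpoint pairs."""
    flows = install_lldp_rules(ports)
    outstanding, links = set(), set()
    for src_sw, plist in ports.items():
        for src_port in plist:
            # Step 2: PACKET_OUT to src_sw, action: output src_port, carrying (src_sw, src_port) as LLDP TLVs.
            frame = {"type": "LLDP", "src": (src_sw, src_port)}
            outstanding.add(frame["src"])
            peer = wiring.get((src_sw, src_port))
            if peer is None:
                continue  # port not cabled: no PACKET_IN will ever come back
            # Step 3: the neighbour matches the LLDP rule; the controller sees PACKET_IN with in_port.
            reply = switch_receive(peer[0], peer[1], frame, flows)
            if reply is None or reply["payload"]["src"] not in outstanding:
                continue  # only accept replies to probes this controller actually sent
            links.add(tuple(sorted([reply["payload"]["src"], (reply["PACKET_IN"], reply["in_port"])])))
    return sorted(links)
```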

Flow Entry Fields

• Match
• Action
• Counters
• Priority
• Timeouts
  - hard timeout
  - idle timeout
• Cookie
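An added example, not code from the slides, that parses the output of the `ovs-ofctl dump-flows` command shown earlier into the fields listed above (cookie, counters, priority, timeouts, match, actions) and reports which entries hand packets to the controller or to legacy NORMAL forwarding. The dump lines are constructed, not captured from a real switch.

```python
# Constructed sample of `ovs-ofctl -O OpenFlow13 dump-flows` output (not captured from a real switch).
SAMPLE_DUMP = """\
 cookie=0x1, duration=42.5s, table=0, n_packets=120, n_bytes=9600, idle_timeout=60, hard_timeout=300, priority=100,tcp,nw_dst=10.0.0.5,tp_dst=22 actions=output:2
 cookie=0x1, duration=42.5s, table=0, n_packets=7, n_bytes=588, priority=50,dl_type=0x88cc actions=CONTROLLER:65535
 cookie=0x0, duration=42.5s, table=0, n_packets=3, n_bytes=180, priority=0 actions=NORMAL
 cookie=0x2, duration=10.0s, table=1, n_packets=0, n_bytes=0, priority=750,dl_dst=e4:90:7e:0a:55:96 actions=mod_dl_dst:00:11:22:33:44:55,push_mpls:0x8847,group:30
"""
INT_FIELDS = {"table", "n_packets", "n_bytes", "idle_timeout", "hard_timeout", "priority"}


def parse_flow(line):
    """Split one dump-flows line into cookie, counters, priority, timeouts, match fields and actions."""
    head, actions = line.strip().split(" actions=", 1)
    entry = {"match": [], "actions": actions.split(","), "idle_timeout": 0, "hard_timeout": 0}  # 0: never expires
    for tok in (t.strip() for t in head.split(",")):
        if "=" not in tok:
            entry["match"].append(tok)  # bare protocol keyword such as "tcp" or "ip"
            continue
        key, val = tok.split("=", 1)
        if key == "cookie":
            entry["cookie"] = int(val, 16)
        elif key == "duration":
            entry["duration"] = float(val.rstrip("s"))
        elif key in INT_FIELDS:
            entry[key] = int(val, 0)
        else:
            entry["match"].append(tok)  # match field such as nw_dst=10.0.0.5 or dl_type=0x88cc
    return entry


def parse_dump(text):
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def lookup_order(entries, table):
    """Order in which a table is consulted: highest priority first, the priority-0 table-miss entry last."""
    return sorted((e for e in entries if e["table"] == table), key=lambda e: -e["priority"])


def punted(entries):
    """Entries that send packets to the controller or to legacy NORMAL forwarding, worth reviewing on a hybrid switch."""
    return [e for e in entries if any(a.startswith(("CONTROLLER", "NORMAL")) for a in e["actions"])]
```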

Multi tables and Pipeline

• OpenFlow 1.0
  - Packet matches flow entry -> perform action
• OpenFlow 1.1 and later (multiple flow tables)
  - Packet matches flow entry -> perform instructions
  - Instructions may be immediate actions
  - Instructions may be action(s) in the action set
  - Instructions can also change the pipeline
    - Goto table entry X
    - Goto table entry Y

Pipelining

• The flow tables of a switch are sequentially numbered, starting at 0
• A packet is processed sequentially in multiple flow tables. If a flow entry is found, the instruction set included in that flow entry is executed
  - Instructions may explicitly direct the packet to another flow table ("goto-table")
  - Pipeline processing can only go forward and not backward
• Useful to manage complicated processing
  - E.g., table 1 for VLAN processing, table 2 for multicast group processing

Pipeline example

[Figure: Flow Table 0 (entries at priority 100 with GOTO Table 1, priority 50 and priority 0) -> Flow Table 1 (entry at priority 750: change dst_MAC, push MPLS label, group entry 30; further entries at priority 500 and 50) -> … -> Flow Table N. Group table: group entry 10 with an action bucket that sends out ports 2, 4, 5, 10; group entry 30 with an action bucket that sends out port 2. The switch talks to the controller over the OpenFlow channel.]
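The pipeline on this slide, modelled in Python as an added example (not the slides' own code): table 0 sends matching packets forward to table 1, whose priority-750 entry rewrites the destination MAC, pushes an MPLS label and hands the packet to group entry 30. The packet fields, the match keys and the actions of the lower-priority entries are assumptions; the model rejects a goto that points backward.

```python
GROUP_TABLE = {10: [["output:2", "output:4", "output:5", "output:10"]], 30: [["output:2"]]}  # one bucket each

def lookup(table, pkt):
    """Highest-priority entry whose match fields all equal the packet's; {} is the table-miss entry."""
    for entry in sorted(table, key=lambda e: -e["priority"]):
        if all(pkt.get(k) == v for k, v in entry["match"].items()):
            return entry
    return None

def apply_action(pkt, act, executed):
    """Execute one action; a group action expands into the actions of the group's buckets."""
    if act.startswith("mod_dl_dst:"):
        pkt["dl_dst"] = act.split(":", 1)[1]
    elif act == "push_mpls":
        pkt["mpls"] = True
    elif act.startswith("group:"):
        for a in (x for bucket in GROUP_TABLE[int(act.split(":")[1])] for x in bucket):
            pkt, executed = apply_action(pkt, a, executed)
        return pkt, executed
    return pkt, executed + [act]

def run_pipeline(tables, pkt):
    """Walk tables from 0: 'apply' runs at once, 'write' fills the action set, 'goto' may only move forward."""
    pkt, action_set, table_id, executed = dict(pkt), [], 0, []
    while table_id is not None:
        entry = lookup(tables[table_id], pkt)
        if entry is None:
            return pkt, executed + ["drop"]  # no match and no table-miss entry: the packet is dropped
        next_table = None
        for kind, arg in entry["instructions"]:
            if kind == "apply":
                pkt, executed = apply_action(pkt, arg, executed)
            elif kind == "write":
                action_set.append(arg)
            elif kind == "goto":
                if arg <= table_id:
                    raise ValueError(f"goto table {arg} from table {table_id}: pipeline cannot go backward")
                next_table = arg
        table_id = next_table
    for act in action_set:  # end of pipeline: execute the accumulated action set
        pkt, executed = apply_action(pkt, act, executed)
    return pkt, executed

# The slide's pipeline; the match fields of each entry are assumptions made for this example.
TABLES = {
    0: [{"priority": 100, "match": {"in_port": 1}, "instructions": [("goto", 1)]},
        {"priority": 50, "match": {"dl_type": 0x0806}, "instructions": [("write", "output:CONTROLLER")]},
        {"priority": 0, "match": {}, "instructions": [("write", "drop")]}],
    1: [{"priority": 750, "match": {"dl_dst": "e4:90:7e:0a:55:96"},
         "instructions": [("apply", "mod_dl_dst:00:00:00:00:00:02"), ("apply", "push_mpls"), ("write", "group:30")]},
        {"priority": 500, "match": {"nw_dst": "10.0.0.5"}, "instructions": [("write", "output:4")]},
        {"priority": 50, "match": {}, "instructions": [("write", "drop")]}],
}
```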

Pedigree Chart of OpenFlow Controllers

[Figure: pedigree chart of OpenFlow controllers: NOX Classic (C++/Python) and NOX (C++); Trema, a full-stack OpenFlow framework in Ruby and C; and the proprietary Big Network Controller, ETRI controller and Cisco controller.]

NOX & POX

• Original OpenFlow controller, developed alongside OpenFlow
• Developed by Nicira Networks
• Introduced to the community in 2009
• 3 main variants
  - NOX Classic (older NOX)
  - NOX (C++)
  - POX (Python)
• NOX (OF 1.0 & 1.3)
• POX (OF 1.0)
• Widely used initially but no longer active

NOX/POX Overview

[Figure: layered view. NOX Controller (Network OS): provides system-wide abstractions. Network Application Services (e.g., Topology Discovery, VLAN Tagging, Scan Detection, …): new functions as software services. Northbound API: provides the interface to network applications; not yet standardized. Southbound API: the standardized OpenFlow protocol.]

NOX/POX Architecture

[Figure: NOX/POX architecture. Core: Component API, Cooperative Threading, Event Harness, OpenFlow API. Common components: Packet_dump, MAC_blocker, Authenticator, L2_learning, Host Tracking, Routing, Spanning_tree, Web Services, Topology Discovery. Applications: OpenRoads, L2_Multi, L3_learning.]

Floodlight

• An Apache-licensed OpenFlow controller
  - Developed by Big Switch Networks
  - Free and open source
  - http://www.projectfloodlight.org/floodlight/
• Easy-to-use, extensible Java development environment
• Enterprise grade
• Floodlight v1.2 (released in Feb 2016)
  - Full support for OpenFlow 1.0 and 1.3 along with experimental support for OpenFlow 1.1, 1.2, and 1.4
• Adopters:
  - University research
  - Networking vendors
  - Developers / startups

Floodlight Programming Model

• IFloodlightModule
  - Java module that runs as part of Floodlight
  - Consumes services and events exported by other modules
    - OpenFlow (e.g., Packet-in, Packet-out, …)
    - Switch add / remove
    - Device add / remove / move
    - Link discovery
• External application
  - Communicates with Floodlight via REST
    - Static Flow Pusher: add flow, delete flow, list flows, removeAll flows
    - Normalized network state: list hosts, list links, list switches, getStats, getCounters

[Figure: Floodlight Controller hosting an IFloodlightModule, an External Application reaching it over REST through the Northbound APIs, and several vSwitches below.]

Module Description

  TopologyManager     Maintains the topology information for the controller; receives information from the LinkDiscovery module
  FloodlightProvider
  LinkDiscovery       Maintains the state of links in the network; uses LLDP messages
  Forwarding          Basic reactive packet forwarding module
  DeviceManager       Manages the end-host (device) location information (MAC, IP, …)
  StorageSource       DB-style storage for Topology and LinkDiscovery data
  RestServer          Implemented via Restlets (restlet.org); REST API modules must implement RestletRoutable
  StaticFlowPusher    Supports the insertion and removal of static flows

Introduction to Ryu

[Figure: Ryu logo: an Oriental dragon, a god of water.]

• Developed by NTT
  - Free and open source
  - https://osrg.github.io/ryu/
• "Ryu" in Japanese is "flow"
• Supports OF 1.0, 1.2, 1.3, 1.4 & 1.5, OF-Config, Netconf, SNMP

Ryu Architecture

• Follows the standard SDN architecture

[Figure: application layer: SDN apps on top of a well-defined API (REST, RPC, …); control layer: the Ryu SDN framework with OpenFlow parser/serializer, event dispatcher, Ryu built-in apps (Tenant Isolation, Topology Discovery, Firewall, …), Ryu app libraries and protocol support (OVSDB, VRRP, …); network devices: OpenFlow switches reached over open protocols (OpenFlow, OF-config, NETCONF, OVSDB).]

OpenDaylight

• Open-source project under the Linux Foundation
  - https://www.opendaylight.org/
  - Initial release supported OF 1.0 and 1.3
• Members: Cisco, Juniper, IBM, Brocade, Microsoft, Redhat, NEC, VMware, …
• Aiming to build an evolvable SDN platform capable of handling diverse use-cases and implementation approaches
• Main architectural feature: service abstraction
  - Provides multi-protocol southbound support
  - Abstracts/hides southbound protocol specifics from the applications

OpenDaylight Scope and Projects

[Figure: OpenDaylight scope and projects.]

ONOS

• By ON.Lab in 2014
  - http://onosproject.org/
• Distributed OpenFlow OS for service provider networks
  - Large networks require a distributed network OS with scale-out, high performance and high availability
    - 500K ~ 1M path setups / second, 3-6M network state operations / second
    - 500GB ~ 1TB of network state data
    - 10-100ms latency
• 8-10 instances in a cluster
  - Each instance responsible for a part of the network

ONOS Scale-Out

[Figure: Distributed Network OS with Instance 1, Instance 2 and Instance 3 sharing one network graph (global network view) above the data plane.]

• An instance is responsible for maintaining a part of the network graph
• Control capacity can grow with network size or application need

Network Applications

• Add functionality to the network
• Automate existing functionality
• Examples:
  - Security: malware, DDoS, …
    - DNS inspection, DPI-based IPS
  - Performance: video calls, elephant limiting
    - Quota enforcement, prioritising/throttling flows
  - Service chaining: dynamic determination of services
    - Firewall, IPS, load-balancer, NAT, …

Network Policies

• Each application specifies network policies
  - High-level (declarative) policy language
    - E.g.: "quarantine infected hosts"
  - Policy conflicts need to be resolved
    - E.g.: a performance application wants to boost a flow while a security application wants to throttle it
  - Policies are compiled into low-level network rules
    - Pushed out to switches using e.g. OpenFlow
• Applications need to react to:
  - Network resource changes
  - Other application dynamics

REST APIs

• REST: REpresentational State Transfer
• Allows requesting systems to access and manipulate textual representations of Web resources using a uniform and predefined set of stateless operations
  - Used by Amazon, Twitter, …
• Contains verb + noun + syntax
  - Verbs: GET, POST, PUT, DELETE
  - Nouns: /network, /switch, /device
  - JSON syntax:

    {
      "switch": "00:00:f8:d1:11:39:4a:76",
      "name": "e4:90:7e:0a:55:96-dl",
      "priority": "1000",
      "eth_dst": "e4:90:7e:0a:55:96",
      "active": "true",
      "actions": "output=4"
    }

  - Header: Content-Type: Application/JSON

A quick demo!!

Current SDN Debate

• The SDN control plane is not necessarily centralized
  - Distributed solutions may be required for legacy equipment and for fail-safe operation
• Complete removal of the control plane may be harmful
  - The exact division of the control plane between the centralized controller and the distributed forwarders is yet to be worked out
• SDN may require a diversity of southbound protocols, not just OpenFlow
  - Fact of life: different people like different protocols
  - There are no standard operating systems, processors, routers, or Ethernet switches
• SDN disrupts current operational models:
  - Lack of software skills in networking