Topology Service Injection using Dragonflow & Kuryr

Topology Service Injection using Dragonflow & Kuryr Eshed Gal-Or, Huawei

Everyone wants to deploy Cloud

But it’s tough…

Especially, Network Services

Topology Service Injection What is it?

Service Function Chaining Characteristics

Compute Node 1

OVS LB FW

Compute Node 2

OVS IPS DPI NAT

classifier for entry point

static or dynamic

nsh, mpls, appports, …

vms, containers, physical devices, user-space apps

Topology Service Injection

Logical Router

Logical Switch Logical Switch

VM 1 VM 2 VM 3

VM 1 VM 2

Logical Router

DPI DSCP

Marking

VM 1 VM 2 VM 3

DSCP Marking

Logical Router

Distributed Load

Balancing

VM 3 VM 1 VM 2

Distributed Load

Balancing

DSCP Marking

Logical Router

Compute Node

Pipeline Service Injection

VM 1 VM 2

Table 0 Table 1 Table N …

External

Compute Node

Pipeline Service Injection

VM 1 VM 2

Table 0 Table 1 Table N …

External

External App

OpenFlow / Other API

Example Intrusion Prevention Service (IPS)

Deployment Challenges

In-line (data path, bandwidth, DoS)

Dynamic Topology (close to the target)

Transparent (“under the hood”)

Cloud Automation (infra vs. workload)

Out-of-line Deployment

vSwitch

Ingress is replicated by a TAP and sent to both the target and the offline IPS

appliance

Switch w/ TAP

licated

ingress FW

Some IPS will actively close malicious flows

by adding specific rules to the perimeter

firewall

In-line Deployment

vSwitch

IPS device is deployed in-line, using slow-path for classification, and a fast-path for forwarding

IPS Device ingress

Slow Path

Fast Path

If the device becomes overwhelmed with too much traffic, it switches to “allow all”, to refrain

from complete DoS

Service Function Chaining OpenStack Neutron SFC

IPS IPS service function is

deployed as a VM on the App tenant virtual network

vSwitch

vSwitch overlay network (tunnel)

Port chain is created with neutron sfc

ingress

Topology Injected SDN Application Dragonflow and Kuryr

vSwitch ingress

Docker

DF API (based on OpenFlow or P4)

The IPS App can register as a SDN Application on Dragonflow, and operate either in “Reactive” (first frame) or “Proactive” (set a private pipeline in the

vSwitch)

Distributed SDN Application Attack Flow

vSwitch

Docker

vSwitch

The IPS App can even be deployed on a different host than its protected

VM and inject itself into the datapath, and then terminate an offending

VM directly at the source

Distributed SDN Application Normal Flow

vSwitch

Docker

vSwitch

If the traffic is cleared to go through, the IPS App can create a direct flow

from the originating host to the target host.

What is it, anyway?

What is Dragonflow?

Native Distributed SDN for OpenStack Neutron

Light, Simple, Scalable, 100% Open Source

Advanced Virtual Network Services L2, L3, DHCP, Security Groups, Multicast

Active community under OpenStack “Big Tent”

Dragonflow Distributed SDN

Neutron-Server

Dragonflow Plugin

Dragonflow

DB Driver

Compute Node

Dragonflow

DB Driver

Compute Node

Dragonflow

DB Driver

Compute Node

Dragonflow

DB Driver

Compute Node

VM VM ..

VM VM .. VM VM

Dragonflow “Under The Hood”

Compute Node Compute Node Compute Node

Dragonflow

Network DB

Neutron Server

OVSDB-Server

ETCD RethinkDB RAMCloud

Kernel Datapath Module

User Space

Kernel Space

Dragonflow DB Drivers

OVSDB ETCD RethinkDB RMC

Future

Dragonflow Plugin

Route Core API

vswitchd

Container

VM Dragonflow Controller

Abstraction Layer

L2 App L3 App DHCP App

Fault Detection

IGMP App

LBaaS SG FWaaS

Pluggable DB Layer

SB DB Drivers

smartNIC OVSDB

RethinkDB

OpenFlow

Dragonflow Apps

DF Controller

OVS Bridge

Openflow Switch ingress egress

DF Plugin

Match-Action

Openflow rules

Dragonflow “Pipeline”

DF App

SDN App

w DF APIs

External App

Example Dragonflow Distributed DHCP Application

Network Node

DHCP namespace

OpenStack Neutron DHCP Implementation

DHCP namespace

dnsmasq

DHCP Agent

Neutron Server

Message Queue

Example • 100 Tenants • 3 vNet / tenant = 300 DHCP Servers

1 VM Send DHCP_DISCOVER

2 Classify Flow as DHCP, Forward to Controller

3 DHCP App sends DHCP_OFFER back to VM

4 VM Send DHCP_REQUEST

5 Classify Flow as DHCP, Forward to Controller

6 DHCP App populates DHCP_OPTIONS from DB/CFG and send DHCP_ACK

7 VM receives the DHCP_ACP and applies the configuration

Dragonflow Distributed DHCP

VM DHCP SERVER

Compute Node

Dragonflow

br-int qvoXXX qvoXXX

OpenFlow

Dragonflow Controller

Abstraction Layer

L2 App

L3 App

DHCP App

Pluggable DB Layer

Kuryr Dragonflow and Containers Network

Similar Concepts

Docker C1 Docker C2 Docker C3

libNetwork

Endpoint Endpoint Endpoint Endpoint

Frontend

Network

Backend

Network

Network Sandbox Network Sandbox Network Sandbox

192.168.1.7

192.168.5.2

Tenant A Net1

192.168.1.0/0

Tenant A Net2

192.168.5.0/0

192.168.1.5

Neutron

Compute Node

Nested Containers (Overlay)2 Problem

BR-INT

BR-TUN

Docker0

Compute Node

BR-INT

BR-TUN

Docker0

Flannel Overlay

Neutron Overlay

as the production-ready networking abstraction containers need

Kuryr Overview

Configuration Management Docker libNetwork

Remote Driver

Docker libNetwork IPAM Driver

K8S CNI Driver

Authentication

Neutron Client

Generic VIF Binding

Docker Swarm

Midonet Dragonflow

OVN Any other

Neutron

Mixed OpenStack Environments

Neutron network 1 Neutron network 2 Neutron network 3

Compute Node

Dragonflow OVS (Controller: Dragonflow)

IPVLAN / OVS

Inherited Network Features from Neutron

− Security Groups − Subnet Pools − NAT (SNAT / DNAT – Floating IP) − Port Security (ARP Spoofing) − QoS − Quota Management − Neutron pluggable IPAM − Provide well-integrated COE Load balancing through

Neutron − FWaaS for Containers − Many more as Neutron progress…

Thanks

Topology Service Injection using Dragonflow & Kuryr

Technology

Transcript of Topology Service Injection using Dragonflow & Kuryr

Physical Topology Logical Topology Authentication Licensing.

Dragonflow SDN Other cool networking stuff in …openstackgdl.org/presentations/OpenStackGDL_Meetup_October_17.pdfOther cool networking stuff in OpenStack October 17, ... Flat networking

Topology Discovery - Correlating different network topology layers

Project kuryr returns: Docker delivered, Kubernetes Next

Intuitive Chemical Topology Concepts. / In: Chemical Topology ...

Topology for Computing - Directory UMMdirectory.umm.ac.id/Networking Manual/Topology for Computing.pdf · to Computational Topology at Stanford University, ... and Topology for Computing

TOPOLOGY: NOTES AND PROBLEMS Contents 1. Topology of ...

Topology Without Tears by Sidney A. Morris. Topology book ...Topology Without Tears by Sidney A. Morris. Topology book ...

Topology in the Geodatabase – an Introduction...ArcGIS Topology defined • Validating a topology • Editing a topology • Geoprocessing tools • Ephemeral topologies • Data

OpenShift on OpenStack with Kuryr

Topology optimization of laminated composite plates … · Topology optimization of laminated composite plates ... topology optimization of the MBB-beam is ... Topology optimization

Topology - cisco.com · Topology •Topology,onpage1 Topology TheTopologywindowdisplayscolor-encodednodesandlinksthatcorrespondtovariousnetworkelements, includingswitches,links ...

Topology Topology Different types of topology Different types of topology bus topologybus topology ring topologyring topology star topologystar.

Project Kuryr - openstack.org

Dragonflow Austin Summit Talk

History of Topology - NUI Galwayhamilton.nuigalway.ie/teachingWeb/Topology/ONE/topone.pdf · History of Topology Semester I, 2009-10 ... What is Topology? Topology is the study of

Container Orchestration Integration: OpenStack Kuryr

OpenStack Dragonflow shenzhen and Hangzhou meetups

Project Kuryr

Gradient Topology: A Generalized Super-Peer Topology