Control & Data Planes - subjects.ee.unsw.edu.au
Overview
- Forwarding plane hardware / software
  - Pure versus hybrid
- Control plane software
  - Network "operating system"; features
- Network applications
  - Network policy
  - Interfaces / APIs / REST ("north-bound")
6-2 Network Performance
Recap: SDN?
[Figure: devices A and B, each with a management plane, a control plane and a data plane; with SDN the control plane is lifted out of each device into an SDN controller, leaving only the data plane (and management plane) in the box]
The physical separation of the control plane from the forwarding plane
Recap: SDN – open networking
[Figure: device A as a bundled SW + HW box from vendor A, versus device A running SW from vendor X on HW from vendor A]
- Segregation of SW from HW
- Choosing SW independent of HW
SDN Switches
- Hardware-based SDN-only switches (white-boxes):
  - Pica8, Noviflow, Corsa, AlliedTelesis, ...
  - No legacy support for MAC learning, routing protocols, SNMP
  - Suitable for greenfield sites: data-centers
  - Limited space (TCAM) for storing flow table entries
- Software-based OpenFlow switches:
  - OpenFlow-enabled software switch (runs on an x86 commodity computer)
  - Performance is relatively low
  - Can store a large number of flow entries (bounded only by host memory, in theory)
  - Under active development; support the most recent OpenFlow spec
SDN Switches
- Hybrid switches (SDN + legacy):
  - HP, Cisco, Juniper, ...
  - SDN is treated as the "exception": only selected packets/flows undergo SDN processing
  - Incremental deployment, based on use-cases
Hardware-based OpenFlow Switches
[Figure: vendor logos] Ciena CoreDirector, NEC IP8800, Juniper MX-series, HP ProCurve 5400, Pronto 3240/3290, Noviflow, Allied Telesis, Netgear 7324, Pica8, more coming soon...
Software-based OpenFlow Switches (1/2)
- Open vSwitch (OVS)
  - Overview
    - A virtual switch or Virtual Ethernet Bridge (VEB)
    - User-space: configuration, control
    - Kernel-space: datapath (included in the mainline Linux kernel from v3.3)
  - Features
    - Supports the OpenFlow protocol
    - Supports multiple tunneling protocols: VXLAN, Ethernet over GRE, IPsec, GRE over IPsec
    - Fine-grained QoS
  - Main components
    - ovs-vswitchd: the daemon that implements the switch
    - ovsdb-server: lightweight database server that ovs-vswitchd queries for its configuration
    - ovs-vsctl: utility for querying and updating the configuration of ovs-vswitchd (through ovsdb-server)
    - ovs-dpctl: tool for configuring and monitoring the switch kernel module (datapath)
    - ovs-ofctl: tool for monitoring and administering OpenFlow switches
Software-based OpenFlow Switches (2/2)
[Figure: Open vSwitch architecture]

# Create an OVS bridge:
ovs-vsctl add-br mySDNswitch
# Add the controller. 6633 is the legacy OpenFlow port (6653 is the IANA-assigned one).
# "tcp:" is a cleartext, unauthenticated channel; production deployments should use
# "ssl:" with certificates configured through ovs-vsctl set-ssl. Note also the bridge's
# fail-mode: the default, standalone, falls back to plain MAC-learning switching if the
# controller becomes unreachable, while secure drops traffic instead.
ovs-vsctl set-controller mySDNswitch tcp:10.0.0.1:6633
# Add em1 and em2 to the bridge and clear their IP configuration
# (they are now switch ports, not host interfaces)
ovs-vsctl add-port mySDNswitch em1
ifconfig em1 0
ovs-vsctl add-port mySDNswitch em2
ifconfig em2 0
# List the flow entries of the bridge (OpenFlow 1.3 wire format)
ovs-ofctl -O OpenFlow13 dump-flows mySDNswitch
Hybrid OpenFlow Switch (1/3)
- Problems of software-based switches
  - Cannot fully utilize the hardware resources
    - E.g., early OVS exploited only a single CPU core
  - Tightly coupled with the OS kernel
    - Increases management complexity
  - Low performance
    - Massive RX interrupt handling for the NIC device
    - Shared data access between threads: contention becomes the bottleneck
- Hybrid OpenFlow switch
  - Separate the roles of the virtual switch into two parties:
    - Hardware: pure packet processing
    - Software: switch abstraction (e.g., flow table)
  - Data Plane Development Kit (DPDK)
    - A set of libraries and drivers for fast packet processing
    - Built for x86 CPUs
    - Fast network I/O in user space (poll-mode drivers instead of RX interrupts)
Hybrid OpenFlow Switch (2/3)
[Figure: two hybrid switches, each with an OF agent and flow table alongside a legacy control plane and legacy table, both connected to the OF controller]
Hybrid OpenFlow Switch (3/3)
- Packet processing using multi-core CPUs
  - Exploit many-core CPUs
  - Decouple I/O processing and flow processing
  - Explicit thread assignment to CPU cores
[Figure: NIC 1-4 RX queues are served by I/O RX threads pinned to CPU0 and CPU1; packets pass through ring buffers to flow lookup / packet processing threads on CPU2-CPU5, then through ring buffers to I/O TX threads on CPU6 and CPU7 that feed the NIC TX buffers]
OpenFlow NORMAL action
[Figure: hybrid switch; a flow table entry with action NORMAL hands the packet to the legacy table, so it is forwarded by the switch's traditional (non-OpenFlow) pipeline]
Control Plane (1/2)
- Problem statement
  - New functions require new hardware
  - No support for network-wide control or high-level abstractions
  - Distributed control reduces controllability
[Figure: switches 1..n, each with its own control and datapath and hardware functions F1..Fn, monitored by a Network Management System (NMS)]
- Distributed control: per-box control; config/mgmt ≠ fine-grained control
- HW functions: inflexible, proprietary, expensive
- Management, no controllability:
  - Monitor: collect network-wide statistics using CLI, SNMP, NETCONF interfaces
  - Control: no real control of packet/flow forwarding
  - Not much can be done with the monitored data...
Control Plane (2/2)
- Solution
  - Need a Network Operating System (NOS) that provides a uniform and centralized programmatic interface to the entire network
  - The NOS does not manage the network itself; instead it provides a programmatic interface (API) on which applications F1..Fn are built
[Figure: switches 1..n keep only their datapath; control is fully removed to an external controller running the NOS, which exposes an API to applications F1, F2, F3 ... Fn]
- Controllability: fully moved to the external controller; centralized control
A basic App: Topology Discovery
[Figure: three switches S1, S2, S3 in a triangle, each with ports 1 and 2]
- Purpose: to construct an entire network view
- Method: use the Link Layer Discovery Protocol (LLDP)
Topology Discovery: steps 1-3
[Figure: same S1/S2/S3 triangle; the controller knows S1: ports 1, 2; S2: ports 1, 2; S3: ports 1, 2]
- Step 1: the controller installs in every switch a flow entry "match: LLDP, action: CTRL" (send LLDP frames to the controller) and records each switch's ports.
- Step 2: the controller builds an LLDP frame naming the sending switch and port and issues a PACKET_OUT to S1 with action: output port 1.
- Step 3: the frame arrives at the neighbour and matches the LLDP entry, so the controller receives a PACKET_IN from S2 with in_port: 1. Pairing the frame's contents (S1, port 1) with the PACKET_IN metadata (S2, port 1) yields the link S1:1 - S2:1.
- After step 3 the procedure repeats for each port of each switch until the whole topology is known.
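The three steps above, carried through in code. This is an added example, not code from the slides or from any controller: it builds the LLDP probe a controller would PACKET_OUT, decodes the PACKET_IN payload that comes back, and pairs the two to record a link. The slides do not say how the controller tells its own probes apart from LLDP frames injected by hosts; this example adds an HMAC tag in an organisation-specific TLV (the OUI, the key and the "fabric" wiring are constructed for the demo) so that only probes the controller itself sent are admitted to the topology.

```python
import hashlib
import hmac
import struct

LLDP_ETHERTYPE = 0x88CC
LLDP_MCAST = bytes.fromhex("0180c200000e")        # standard LLDP destination MAC
ORG_OUI = b"\x00\x00\x00"                            # placeholder OUI for the private TLV (assumption)
TLV_CHASSIS, TLV_PORT, TLV_TTL, TLV_ORG, TLV_END = 1, 2, 3, 127, 0
SUBTYPE_LOCAL = 7                                    # "locally assigned" chassis/port id subtype

def _tlv(tlv_type, value):
    """LLDP TLV header: 7-bit type, 9-bit length, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def _tag(dpid, port_no, key):
    """Authentication tag binding the probe to (dpid, port) under a controller-only key."""
    return hmac.new(key, struct.pack("!QI", dpid, port_no), hashlib.sha256).digest()[:16]

def build_probe(dpid, port_no, key):
    """Frame the controller sends via PACKET_OUT (action: output port_no) on switch dpid."""
    src_mac = b"\x02" + struct.pack("!Q", dpid)[3:]  # locally administered MAC derived from dpid
    eth = LLDP_MCAST + src_mac + struct.pack("!H", LLDP_ETHERTYPE)
    return (eth
            + _tlv(TLV_CHASSIS, bytes([SUBTYPE_LOCAL]) + struct.pack("!Q", dpid))
            + _tlv(TLV_PORT, bytes([SUBTYPE_LOCAL]) + struct.pack("!I", port_no))
            + _tlv(TLV_TTL, struct.pack("!H", 120))
            + _tlv(TLV_ORG, ORG_OUI + b"\x01" + _tag(dpid, port_no, key))
            + _tlv(TLV_END, b""))

def parse_probe(frame, key):
    """Decode a PACKET_IN payload; returns (dpid, port_no) only for probes this controller sent."""
    if len(frame) < 14 or frame[12:14] != struct.pack("!H", LLDP_ETHERTYPE):
        return None
    tlvs, off = {}, 14
    while off + 2 <= len(frame):
        hdr = struct.unpack_from("!H", frame, off)[0]
        t, length = hdr >> 9, hdr & 0x1FF
        value = frame[off + 2: off + 2 + length]
        if len(value) != length:
            return None                              # truncated TLV
        off += 2 + length
        if t == TLV_END:
            break
        tlvs[t] = value
    try:
        chassis, port, org = tlvs[TLV_CHASSIS], tlvs[TLV_PORT], tlvs[TLV_ORG]
        if chassis[0] != SUBTYPE_LOCAL or port[0] != SUBTYPE_LOCAL:
            return None
        dpid = struct.unpack("!Q", chassis[1:])[0]
        port_no = struct.unpack("!I", port[1:])[0]
    except (KeyError, IndexError, struct.error):
        return None
    if org[:4] != ORG_OUI + b"\x01" or not hmac.compare_digest(org[4:], _tag(dpid, port_no, key)):
        return None                                  # not our probe (or forged): ignore
    return dpid, port_no

def discover(switches, key, send_probe):
    """switches: {dpid: [port_no, ...]}. send_probe(dpid, port_no, frame) returns the list of
    (rx_dpid, rx_port, payload) PACKET_INs the probe caused. Returns directed links."""
    links = set()
    for dpid, ports in switches.items():
        for port_no in ports:                        # repeat for each port of each switch
            probe = build_probe(dpid, port_no, key)
            for rx_dpid, rx_port, payload in send_probe(dpid, port_no, probe):
                origin = parse_probe(payload, key)
                if origin is not None:
                    links.add((origin[0], origin[1], rx_dpid, rx_port))
    return links

# Constructed fabric matching the slide: S1:1-S2:1, S1:2-S3:1, S2:2-S3:2 (both directions).
WIRING = {(1, 1): (2, 1), (1, 2): (3, 1), (2, 2): (3, 2)}
WIRING.update({peer: local for local, peer in list(WIRING.items())})

def demo(key=b"constructed-demo-key"):
    def fabric(dpid, port_no, frame):
        peer = WIRING.get((dpid, port_no))
        return [(peer[0], peer[1], frame)] if peer else []
    links = discover({1: [1, 2], 2: [1, 2], 3: [1, 2]}, key, fabric)
    forged = build_probe(1, 1, b"attacker-guess")  # a host injecting LLDP without the key
    return links, parse_probe(forged, key)
```

demo() returns the six directed links of the triangle and None for the forged frame. In a real controller the key lives only in the controller process, and a rejected frame is worth logging with the switch and in_port it arrived on, since a host port should never carry controller-tagged LLDP.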
Flow Entry Fields
- Match
- Action
- Counters
- Priority
- Timeouts
  - hard timeout: entry is removed a fixed time after installation
  - idle timeout: entry is removed after it has matched no packets for that long
- Cookie (opaque identifier chosen by the controller)
Multi tables and Pipeline
- OpenFlow 1.0
  - Packet matches flow entry → perform action(s)
- OpenFlow 1.1 and later (multiple flow tables)
  - Packet matches flow entry → perform instructions
  - Instructions may be immediate actions (Apply-Actions)
  - Instructions may add action(s) to the action set (Write-Actions), which is executed when the pipeline ends
  - Instructions can also change the pipeline: Goto-Table X, Goto-Table Y
Pipelining
- The flow tables of a switch are sequentially numbered, starting at 0
- A packet is processed sequentially in multiple flow tables. If a flow entry is found, the instruction set included in that flow entry is executed.
  - Instructions may explicitly direct the packet to another flow table ("goto-table")
  - Pipeline processing can only go forward and not backward
- Useful to manage complicated processing
  - E.g., table 1 for VLAN processing, table 2 for multicast group processing
Pipeline example
[Figure: OpenFlow pipeline fed from the OpenFlow channel]
Flow Table 0:
  flow entry, priority 100: GOTO Table 1
  flow entry, priority 50
  flow entry, priority 0
Flow Table 1:
  flow entry, priority 750: change dst_MAC, push MPLS label, group entry 30
  flow entry, priority 500
  flow entry, priority 50
Flow Table N:
  flow entry ...
Group Table:
  group entry 10: action bucket - send out ports 2, 4, 5, 10
  group entry 30: action bucket - send out port 2
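The flow entry fields and the multi-table pipeline above, as a small interpreter. This is an added example, not code from the slides or from any switch: entries carry priority, match, instructions, cookie and a counter; lookup picks the highest-priority match; Apply-Actions run immediately, Write-Actions accumulate in the action set that runs when the pipeline ends, Goto-Table may only move forward, and group buckets fan out copies. build_tables() encodes the slide's example (table 0 sends IPv4 to table 1, whose priority-750 entry rewrites the destination MAC, pushes an MPLS label and sends through group 30). Field names and the ARP and table-miss entries are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class FlowEntry:
    priority: int
    match: dict                                         # field -> value; absent field = wildcard
    apply_actions: list = field(default_factory=list)   # Apply-Actions: run immediately, in order
    write_actions: list = field(default_factory=list)   # Write-Actions: merged into the action set
    goto_table: Optional[int] = None                    # Goto-Table instruction
    cookie: int = 0                                     # opaque id chosen by the controller
    packets: int = 0                                    # per-entry counter

# Order in which the action set is executed at the end of the pipeline (a subset of the
# OpenFlow 1.3 order: push before set-field, group before output).
ACTION_SET_ORDER = {"push_mpls": 0, "set_field": 1, "group": 2, "output": 3}

def lookup(table, pkt):
    """Highest-priority matching entry, or None on table miss."""
    for entry in sorted(table, key=lambda e: -e.priority):
        if all(pkt.get(k) == v for k, v in entry.match.items()):
            return entry
    return None

def run_action(action, pkt, groups, out):
    kind = action[0]
    if kind == "set_field":
        pkt[action[1]] = action[2]
    elif kind == "push_mpls":
        pkt.setdefault("mpls", []).insert(0, action[1])
    elif kind == "output":
        out.append((action[1], dict(pkt)))
    elif kind == "group":
        for bucket in groups[action[1]]:                # group type ALL: every bucket gets a copy
            copy = dict(pkt)
            for a in bucket:
                run_action(a, copy, groups, out)
    else:
        raise ValueError(f"unknown action {kind}")

def process(pkt, tables, groups):
    """Run one packet through the pipeline; returns [(port, packet_as_sent), ...]."""
    pkt, out, action_set, t = dict(pkt), [], {}, 0
    while True:
        entry = lookup(tables[t], pkt)
        if entry is None:
            return out                                  # OF 1.3 default on table miss: drop
        entry.packets += 1
        for a in entry.apply_actions:
            run_action(a, pkt, groups, out)
        for a in entry.write_actions:
            action_set[a[0]] = a                        # one action per type; later writes overwrite
        if entry.goto_table is None:
            break
        if entry.goto_table <= t:
            raise ValueError("goto-table may only move forward")
        t = entry.goto_table
    for a in sorted(action_set.values(), key=lambda a: ACTION_SET_ORDER[a[0]]):
        run_action(a, pkt, groups, out)
    return out

def build_tables():
    """The slide's example plus a constructed ARP entry and table-miss entries."""
    table0 = [
        FlowEntry(100, {"eth_type": 0x0800}, goto_table=1),
        FlowEntry(50, {"eth_type": 0x0806}, write_actions=[("group", 10)]),   # ARP -> group 10
        FlowEntry(0, {}, apply_actions=[("output", "CONTROLLER")]),          # table-miss entry
    ]
    table1 = [
        FlowEntry(750, {"ipv4_dst": "10.0.0.9"}, cookie=0x9,
                  write_actions=[("set_field", "eth_dst", "e4:90:7e:0a:55:96"),
                                 ("push_mpls", 16), ("group", 30)]),
        FlowEntry(500, {"ipv4_dst": "10.0.0.5"}, apply_actions=[("output", 7)]),
        FlowEntry(50, {}, apply_actions=[("output", "CONTROLLER")]),
    ]
    groups = {10: [[("output", 2)], [("output", 4)], [("output", 5)], [("output", 10)]],
              30: [[("output", 2)]]}
    return [table0, table1], groups
```

The priority-0 entry in table 0 is the explicit table-miss entry; without it, unmatched packets are silently dropped, which is the behaviour a controller author usually discovers the hard way when a new Ethertype appears.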
Pedigree Chart of OpenFlow Controllers
[Figure: family tree of controllers] Trema (full-stack OpenFlow framework in Ruby and C); Big Network Controller (proprietary); ETRI Controller; NOX Classic (C++/Python) → NOX (C++); Cisco Controller (proprietary)
NOX & POX
- The original OpenFlow controller, developed alongside OpenFlow
- Developed by Nicira Networks
- Introduced to the community in 2009
- 3 main variants
  - NOX Classic (older NOX)
  - NOX (C++)
  - POX (Python)
- NOX (OF 1.0 & 1.3)
- POX (OF 1.0)
- Widely used initially but no longer active
NOX/POX Overview
[Figure: layered view of the controller]
- NOX Controller - Network OS: provides system-wide abstractions
- Network application services (e.g., topology discovery, VLAN tagging, scan detection, ...): new functions as software services
- Northbound API: provides the interface to network applications; not yet standardized
- Southbound API: standardized OpenFlow protocol
NOX/POX Architecture
[Figure: Core (Component API, Cooperative Threading, Event Harness, OpenFlow API) under the Common components: Packet_dump, MAC_blocker, Authenticator, L2_learning, L2_Multi, L3_learning, Host Tracking, Routing, Spanning_tree, Topology Discovery, Web Services, OpenRoads]
Floodlight
- An Apache-licensed OpenFlow controller
  - Developed by Big Switch Networks
  - Free and open source
  - http://www.projectfloodlight.org/floodlight/
- Easy-to-use, extensible Java development environment
- Enterprise grade
- Floodlight v1.2 (released in Feb 2016)
  - Full support for OpenFlow 1.0 and 1.3, along with experimental support for OpenFlow 1.1, 1.2, and 1.4
- Adopters:
  - University research
  - Networking vendors
  - Developers / startups
Floodlight Programming Model
- IFloodlightModule
  - Java module that runs as part of Floodlight
  - Consumes services and events exported by other modules:
    - OpenFlow (e.g., Packet-in, Packet-out, ...)
    - Switch add / remove
    - Device add / remove / move
    - Link discovery
- External application
  - Communicates with Floodlight via REST
  - Static Flow Pusher: add flow, delete flow, list flows, removeAll flows
  - Normalized network state: list hosts, list links, list switches, getStats, getCounters
[Figure: Floodlight controller with IFloodlightModules inside and external applications using the northbound REST APIs; vSwitches below]
Module Description
Module             | Description
TopologyManager    | Maintains the topology information for the controller; receives information from the LinkDiscovery module
FloodlightProvider | (not described on the slide)
LinkDiscovery      | Maintains the state of links in the network; uses LLDP messages
Forwarding         | Basic reactive packet forwarding module
DeviceManager      | Manages end-host (device) location information (MAC, IP, ...)
StorageSource      | DB-style storage for Topology and LinkDiscovery data
RestServer         | Implemented via Restlets (restlet.org); REST API modules must implement RestletRoutable
StaticFlowPusher   | Supports the insertion and removal of static flows
Introduction to Ryu
[Figure: Oriental dragon; a god of water]
- Developed by NTT
  - Free and open source
  - https://osrg.github.io/ryu/
- "Ryu" in Japanese means "flow"
- Supports OF 1.0, 1.2, 1.3, 1.4 & 1.5, OF-Config, NETCONF, SNMP
Ryu Architecture
- Follows the standard SDN architecture
[Figure: application layer (SDN apps) talking to the control layer over a well-defined API (REST, RPC, ...); the Ryu SDN framework (OpenFlow parser/serializer, event dispatcher, libraries, protocol support for OVSDB, VRRP, ..., built-in apps such as tenant isolation, topology discovery and firewall, plus user Ryu apps) talking to network devices (OpenFlow switches) over open protocols (OpenFlow, OF-Config, NETCONF, OVSDB)]
OpenDaylight
- Open-source project under the Linux Foundation
  - https://www.opendaylight.org/
  - Initial release supported OF 1.0 and 1.3
- Members: Cisco, Juniper, IBM, Brocade, Microsoft, Red Hat, NEC, VMware, ...
- Aims to build an evolvable SDN platform capable of handling diverse use-cases and implementation approaches
- Main architectural feature: service abstraction
  - Provides multi-protocol southbound support
  - Abstracts/hides southbound protocol specifics from the applications
ONOS
- By ON.Lab in 2014
  - http://onosproject.org/
- Distributed OpenFlow OS for service provider networks
  - Large networks require a distributed network OS with scale-out, high performance and high availability:
    - 500K ~ 1M path setups / second, 3-6M network state operations / second
    - 500GB ~ 1TB of network state data
    - 10-100ms latency
- 8-10 instances in a cluster
  - Each instance is responsible for a part of the network
ONOS Scale-Out
[Figure: distributed network OS instances 1, 2, 3 sharing a network graph (global network view) above the data plane]
- An instance is responsible for maintaining a part of the network graph
- Control capacity can grow with network size or application need
Network Applications
- Add functionality to the network
- Automate existing functionality
- Examples:
  - Security: malware, DDoS, ...
    - DNS inspection, DPI-based IPS
  - Performance: video calls, elephant-flow limiting
    - Quota enforcement, prioritising/throttling flows
  - Service chaining: dynamic determination of services
    - Firewall, IPS, load-balancer, NAT, ...
Network Policies
- Each application specifies network policies
  - High-level (declarative) policy language
    - E.g.: "quarantine infected hosts"
  - Policy conflicts need to be resolved
    - E.g.: a performance application wants to boost a flow while a security application wants to throttle it
  - Policies are compiled into low-level network rules
    - Pushed out to switches using e.g. OpenFlow
- Applications need to react to:
  - Network resource changes
  - Other applications' dynamics
REST APIs
- REST: REpresentational State Transfer
- Allows requesting systems to access and manipulate textual representations of Web resources using a uniform and predefined set of stateless operations
  - Used by Amazon, Twitter, ...
- Contains verb + noun + syntax
  - Verbs: GET, POST, PUT, DELETE
  - Nouns (resources): /network, /switch, /device
  - Syntax (JSON body), e.g. a Static Flow Pusher entry:
    {
      "switch": "00:00:f8:d1:11:39:4a:76",
      "name": "e4:90:7e:0a:55:96-dl",
      "priority": "1000",
      "eth_dst": "e4:90:7e:0a:55:96",
      "active": "true",
      "actions": "output=4"
    }
  - Header: Content-Type: application/json
A quick demo!!
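The JSON entry above is what an external application hands to the controller, and the controller turns it straight into a switch rule, so the northbound boundary is where untrusted input has to be checked. This added example (not Floodlight's own code) validates and canonicalizes a Static Flow Pusher entry before it is sent: DPID and MAC formats, the priority range, a whitelist of match fields and actions, and the "k=v,k=v" action grammar. The endpoint path in push_static_flow and the whitelists are assumptions made for the example; the push itself is not exercised offline.

```python
import json
import re
import urllib.request

DPID_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
RESERVED_PORTS = {"controller", "normal", "flood", "all", "local"}
ALLOWED_MATCH = {"eth_dst", "eth_src", "eth_type", "ipv4_src", "ipv4_dst", "in_port"}  # assumption

class FlowError(ValueError):
    pass

def parse_actions(actions):
    """Parse the 'k=v,k=v' action string into [(kind, arg), ...], rejecting anything unknown."""
    parsed = []
    for item in actions.split(","):
        if "=" not in item:
            raise FlowError(f"malformed action {item!r}")
        kind, _, arg = item.partition("=")
        kind, arg = kind.strip(), arg.strip()
        if kind == "output":
            if not (arg.isdigit() or arg.lower() in RESERVED_PORTS):
                raise FlowError(f"bad output port {arg!r}")
        elif kind in ("set_eth_dst", "set_eth_src"):
            if not MAC_RE.match(arg.lower()):
                raise FlowError(f"bad MAC {arg!r}")
        else:
            raise FlowError(f"unsupported action {kind!r}")
        parsed.append((kind, arg))
    if not parsed:
        raise FlowError("empty action list")
    return parsed

def build_static_flow(switch, name, priority, match, actions, active=True):
    """Validate and canonicalize a Static Flow Pusher entry; returns a dict ready for JSON."""
    if not DPID_RE.match(switch.lower()):
        raise FlowError(f"bad switch DPID {switch!r}")
    if not re.fullmatch(r"[A-Za-z0-9_.:-]{1,64}", name):
        raise FlowError(f"bad flow name {name!r}")
    priority = int(priority)                      # the API accepts "1000"; normalise via int
    if not 0 <= priority <= 65535:
        raise FlowError("priority must be 0..65535")
    unknown = set(match) - ALLOWED_MATCH
    if unknown:
        raise FlowError(f"unsupported match fields {sorted(unknown)}")
    for key in ("eth_dst", "eth_src"):
        if key in match and not MAC_RE.match(match[key].lower()):
            raise FlowError(f"bad {key}")
    parse_actions(actions)                        # raises on anything not whitelisted
    entry = {"switch": switch.lower(), "name": name, "priority": str(priority),
             "active": "true" if active else "false", "actions": actions}
    entry.update(match)
    return entry

def push_static_flow(entry, base_url="http://127.0.0.1:8080", timeout=5):
    """POST the entry to the controller (endpoint path is an assumption)."""
    req = urllib.request.Request(base_url + "/wm/staticflowpusher/json",
                                 data=json.dumps(entry).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())
```

Usage: build_static_flow("00:00:f8:d1:11:39:4a:76", "e4:90:7e:0a:55:96-dl", "1000", {"eth_dst": "e4:90:7e:0a:55:96"}, "output=4") reproduces the slide's JSON body. Whatever the controller does with a malformed action string, rejecting it at the application side keeps a bug or a tampered request from becoming a rule in the data plane.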
Current SDN Debate
- The SDN control plane is not necessarily centralized
  - Distributed solutions may be required for legacy equipment and for fail-safe operation
  - Complete removal of the control plane from devices may be harmful
  - The exact division of the control plane between the centralized controller and the distributed forwarders is yet to be worked out
- SDN may require a diversity of southbound protocols, not just OpenFlow
  - Fact of life: different people like different protocols
  - There are no standard operating systems, processors, routers, or Ethernet switches
- SDN disrupts current operational models:
  - Lack of software skills in networking teams