L4-L7 services for SDN and NVF by Youcef Laribi
Transcript of L4-L7 services for SDN and NVF by Youcef Laribi
© 2015 Citrix
Developing and Deploying L4-L7 services for SDN and NFV environments
Youcef Laribi
September 2015
Typical Enterprise L4-L7 Services
• Firewall
• URL Filter
• Transparent Caching
• ADC
• IPS/IDS
• WAN Opt
• Monitoring
Typical S/Gi-LAN L4-L7 Network Services
• CGNAT
• DPI
• Parental Control
• Video Optimization
• SBC
• Firewall
• URL Filter
• WAP Gateway
• Transparent Caching
• ADC
• Lawful Intercept
• IP Reputation
• TCP Opt
Traditional Definition of SDN
[Figure: control plane and data plane boxes illustrating the traditional SDN definition]
Pragmatic Definition of SDN
Source: http://blog.ipspace.net/2015/08/sdn-onf-is-moving-to-logically.html
Pragmatic Definition of SDN
[Figure: a logically-central control plane above several control planes and data planes]
Protocols supported in OpenDaylight Lithium release
Source: http://www.slideshare.net/CiscoDevNet/devnet-1175-open-daylight-service-function-chaining
L4-L7 Services in an SDN Platform
[Figure: two deployment diagrams of an L4-L7 appliance in an SDN platform; labels: SDN Controller, Gateway, L4-L7 Appliance, VLANs, Virtual Networks, Virtual Switch, Data Plane, Control Protocol]
NFV Mission Statement
Vision:
An open ecosystem for NFV enables rapid service innovation for Network Operators
and Service Providers. Innovation in end-to-end services is enabled by software-based
deployment and operationalization of virtualized network functions on
independently deployed and operated NFV infrastructure platforms.
SDN vs NFV
Source: https://www.sdxcentral.com/articles/contributed/nfv-and-sdn-whats-the-difference/2013/03/
A VIM suitable for running Network Services
Gap between current VIM capabilities and desired VIM capabilities:
- Resource Reservation
- Fault Diagnosis
- High-Availability of VIM
- Sophisticated Placement
- Policy-driven Lifecycle
- Hardware-Accelerated IO
- Unified Security Platform
- QoS for all VIM services
- Service Function Chaining
Source: https://www.opnfv.org/software/technical-overview
VNF Managers
• Control Plane Elements that can:
– Reserve Compute/Network/Storage Resources for a VNF
– Instantiate a VNF
– Update the VNF
– (Re)Configure the VNF
– Monitor the VNF
– VNF Scale-up or Scale-out
– Terminate the VNF
• It may be specific to a VNF or responsible for managing multiple VNFs
• Often provided by the VNF Vendor, but can also be part of the NFV Orchestrator
Problem
[Figure: two VMs with vNICs attached to a Virtual Switch and a pNIC through the Linux networking stack, with overhead at each stage]
Open vSwitch Performance
[Chart: Open vSwitch Phy-Phy Throughput; y-axis Packets/second (0 to 15,000,000), x-axis Packet Size (0 to 1536); series: PPS Line Rate, PPS OVS Kernel]
Source: http://openvswitch.org/support/ovscon2014/17/1630-accelerating-with-dpdk.pptx
Adding to the Problem
Source: http://people.netfilter.org/hawk/presentations/LCA2015/net_stack_challenges_100G_LCA2015.pdf
Line rate on a 10Gbps NIC => Time to process 64-byte packet: 67.2 nanoseconds!!
(to put this in perspective: A single cache-miss on an Intel Xeon E5-2650 CPU costs 32 nanoseconds)
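Where the 67.2 ns figure comes from (added derivation, not on the slide): on Ethernet a minimum-size 64-byte frame also occupies the 8-byte preamble and the 12-byte inter-frame gap on the wire:

$$
(64 + 8 + 12)\,\text{bytes} \times 8 = 672\,\text{bits}, \qquad
\frac{672\,\text{bits}}{10\,\text{Gbit/s}} = 67.2\,\text{ns}, \qquad
\frac{1}{67.2\,\text{ns}} \approx 14.88\,\text{Mpps},
$$

which is the roughly 15 million packets per second line-rate ceiling shown for 64-byte packets on the Open vSwitch chart.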
SR-IOV
• Drawbacks
– VM dependence on Hardware (must use a specific NIC driver)
– Prevents VM Migration
– Bypasses Hypervisor security features
Various out-of-tree Linux Kernel Bypass techniques
• NETMAP
• PF_RING
• PacketShader
• OpenONLoad (SolarFlare)
• DPDK (Intel)
Intel DPDK (Data Plane Driver Kit)
• All in User Space
• Fixed-Size Buffers
• Poll-Mode NIC drivers (PMDs) for Intel NICs
• Efficient Flow Classification based on Intel SSE
• Lockless Queues
• Huge Pages (up to 1GB)
• Run to completion mode
DPDK with OVS
[Figure: OVS with DPDK architecture. User space: ovs-vswitchd, DPDK Libraries, DPDK PMD netdev, DPDK Tunnels, User Space Forwarding, socket/TAP netdev, qemu VMs attached via virtio/vHost and IVSHMEM shared memory. Kernel space: OVS kernel module and kernel packet processing. NIC at the bottom.]
Other tricks to squeeze out performance
• CPU Socket Affinity: Placing all the vCPUs of a VM on the same physical CPU socket.
• CPU Pinning: Pinning a VM vCPU to a physical core.
• NUMA-aware Scheduling: Associates the VM with the same NUMA nodes as the PCIe devices passed to the VM.
Source: https://networkbuilders.intel.com/docs/openStack_Kilo_wp_v2.pdf
Performance Numbers
Source: https://networkbuilders.intel.com/docs/Network_Builders_RA_DPDK_vSwitch_Final.pdf
[Figure: test setup with a Traffic Generator; no packet processing, just forwarding]
Extension of Intel DPDK with 6Wind
• Poll Mode Drivers (PMDs) for non-Intel NICs
• Performance acceleration for vNICs:
– Fast vNIC PMD
– vNIC VMXNET3 PMD
– vNIC virtio PMD
• Crypto-Acceleration Modules for:
– Cavium Nitro
– Intel Multi Buffer Crypto for IPSec
– Intel QuickAssist
Static Service Chaining
• Service chain ordering or addition of new services requires network topology changes
• All traffic flows through all services regardless of need
• Tied to the transport protocol
Source: http://www.flat-planet.net/blog/?p=205
NFV Forwarding Graphs
Source: http://www.etsi.org/deliver/etsi_gs/nfv/001_099/002/01.02.01_60/gs_nfv002v010201p.pdf
NSH as an emerging IETF Standard
• IETF Draft: https://datatracker.ietf.org/doc/draft-ietf-sfc-nsh/
• Goals:
– Transport Agnostic
– Carry Service Chain Information
– Ability to reclassify traffic mid-stream
– Ability to share Metadata
NSH Header Format
Source: http://www.slideshare.net/mestery/lisp-and-nsh-in-open-vswitch
NSH encapsulated in a VxLAN-GPE transport
[Figure: the Original Packet/Frame is prefixed by the NSH Header, which in turn sits inside the Transport Encap]
SFC Components
• Service Function (SF): A function that is responsible for specific treatment of
received packets (e.g. Firewall, DPI, NAT, LB, etc.)
• Service Function Forwarder (SFF): Responsible for forwarding traffic to one or
more connected service functions according to information carried in the SFC
encapsulation.
• Service Function Proxy: Removes and inserts SFC Encapsulation on behalf of
an SFC-unaware service function.
• Classifier: An element in the data plane that performs classification
Source: https://tools.ietf.org/html/draft-ietf-sfc-architecture-11
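As an added example (not code from the slides or from any of the projects they cite), the NSH encapsulation and SFF/SF roles described above, in Python: an MD Type 1 NSH header is built and parsed with the Length field checked before it is trusted, an SF decrements the Service Index, and an SFF picks the next hop from (SPI, SI) while decrementing TTL. The bit layout follows RFC 8300, the published form of the cited draft; the forwarding table, hop names and packet are constructed for the example.

```python
import struct

# NSH MD Type 1 layout (RFC 8300, the published form of the draft cited above):
#   base header: Ver(2) O(1) U(1) TTL(6) Length(6) U(4) MD Type(4) Next Protocol(8)
#   service path header: Service Path Identifier(24) Service Index(8), then 16 bytes of context
NSH_MD_TYPE1, NSH_LEN_MD1, NEXT_PROTO_IPV4 = 1, 6, 0x01   # Length is in 4-byte words

def build_nsh(spi, si, ctx=b"\x00" * 16, ttl=63, next_proto=NEXT_PROTO_IPV4):
    """Build an MD Type 1 NSH header; assumes Version 0 with the O and U bits clear."""
    if not (0 < spi < (1 << 24) and 0 <= si < 256 and len(ctx) == 16 and 0 < ttl < 64):
        raise ValueError("bad SPI/SI/TTL/context")
    word0 = (ttl << 22) | (NSH_LEN_MD1 << 16) | (NSH_MD_TYPE1 << 8) | next_proto
    return struct.pack("!II", word0, (spi << 8) | si) + ctx

def parse_nsh(buf):
    """Decode an NSH header into a dict, rejecting malformed or unsupported headers."""
    if len(buf) < 8:
        raise ValueError("truncated NSH header")
    word0, word1 = struct.unpack("!II", buf[:8])
    length, md_type = (word0 >> 16) & 0x3F, (word0 >> 8) & 0x0F
    if word0 >> 30 != 0 or md_type != NSH_MD_TYPE1 or length != NSH_LEN_MD1:
        raise ValueError("only NSH version 0, MD Type 1, Length 6 is handled here")
    if len(buf) < length * 4:
        raise ValueError("Length field exceeds packet")   # never trust the length field
    return {"ttl": (word0 >> 22) & 0x3F, "next_proto": word0 & 0xFF, "spi": word1 >> 8,
            "si": word1 & 0xFF, "ctx": buf[8:length * 4], "payload": buf[length * 4:]}

# Constructed SFF table: (SPI, SI) -> next hop. SI counts down as each SF finishes its treatment.
SFF_TABLE = {(10, 255): "firewall-vm", (10, 254): "dpi-vm", (10, 253): "egress-sff"}

def sf_done(buf):
    """An SF (or the SFC proxy of an NSH-unaware SF) decrements SI after servicing the packet."""
    h = parse_nsh(buf)   # build_nsh rejects SI going below 0, so an exhausted index raises
    return build_nsh(h["spi"], h["si"] - 1, h["ctx"], h["ttl"], h["next_proto"]) + h["payload"]

def sff_forward(buf, table=SFF_TABLE):
    """SFF step: choose the next hop from (SPI, SI) and decrement TTL; None means drop."""
    h = parse_nsh(buf)
    hop = table.get((h["spi"], h["si"]))
    if hop is None or h["si"] == 0 or h["ttl"] <= 1:
        return None   # unknown path, SI 0 or expired TTL: drop instead of looping forever
    return hop, build_nsh(h["spi"], h["si"], h["ctx"], h["ttl"] - 1, h["next_proto"]) + h["payload"]

def walk_chain(payload, spi=10, si=255):
    """Push a constructed packet through the chain and return the hops it visits, in order."""
    pkt, hops = build_nsh(spi, si) + payload, []
    while (step := sff_forward(pkt)) is not None:
        hops.append(step[0])
        pkt = sf_done(step[1])
    return hops
```

Calling `walk_chain(b"\x45" + b"\x00" * 19)` visits firewall-vm, dpi-vm and egress-sff in that order; a packet whose SPI has no table entry, or whose Length field claims more bytes than arrived, is dropped or rejected rather than forwarded.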
Example of an NSH-based service chain
[Figure: packets travel from Source to Destination across the Data Plane carrying an NSH Header inside a Transport Encap (e.g. VxLAN-GPE, MPLS, LISP)]
OpenDaylight SFC Control Plane Elements
[Figure: an ODL Controller managing OpenVSwitch instances on four Compute Hosts, which host VNF VM1 to VM4, a Client VM and a Server VM]
Summary
• Take-aways:
– Ways to accelerate the data path to your service for scale
– Work on integrating your service into SDN Fabric Control Planes
– Track and Support service chaining standards like NSH
– Provide a management layer in an NFV environment for your services