L4-L7 services for SDN and NFV by Youcef Laribi

© 2015 Citrix

Developing and Deploying L4-L7 services for SDN and NFV environments

Youcef Laribi

September 2015

Let’s start with a definition…

Typical Enterprise L4-L7 Services

• Firewall
• URL Filter
• Transparent Caching
• ADC
• IPS/IDS
• WAN Opt
• Monitoring

L4-L7 Services in Telco Networks

Typical S/Gi-LAN L4-L7 Network Services

• CGNAT
• DPI
• Parental Control
• Video Optimization
• SBC
• Firewall
• URL Filter
• WAP Gateway
• Transparent Caching
• ADC
• Lawful Intercept
• IP Reputation
• TCP Opt

Manifestations of an L4-L7 Service

Devices vs. Services

[diagram: the same Service A shown three times, once per manifestation]

Software-Defined Networking

Traditional Definition of SDN

[diagram: Control Plane and Data Plane elements; the control plane is decoupled from the data plane and moved out of the individual forwarding devices]

Pragmatic Definition of SDN

[diagram: a Logically-Central Control Plane above the data-plane elements, each of which keeps a local Control Plane]

Examples of SDN Platforms

L4-L7 Services in an SDN Platform

[diagram: two integration models; in both an SDN Controller programs a Virtual Switch over a Control Protocol, and Virtual Networks are carried on VLANs in the Data Plane. In the first the L4-L7 Appliance sits behind a Gateway; in the second there is no Gateway between the L4-L7 Appliance and the Virtual Networks]

Network Function Virtualization

NFV Mission Statement

Vision: An open ecosystem for NFV enables rapid service innovation for Network Operators and Service Providers. Innovation in end-to-end services is enabled by software-based deployment and operationalization of virtualized network functions on independently deployed and operated NFV infrastructure platforms.

NFV Architecture Framework

NFV Architecture – Simplified View

Virtualized Infrastructure Manager - VIM

A VIM suitable for running Network Services

GAP between Current VIM Capabilities and Desired VIM Capabilities:

- Resource Reservation
- Fault Diagnosis
- High-Availability of VIM
- Sophisticated Placement
- Policy-driven Lifecycle
- Hardware-Accelerated IO
- Unified Security Platform
- QoS for all VIM services
- Service Function Chaining

Examples of NFV Orchestrators

VNF Managers

• Control Plane Elements that can:
  – Reserve Compute/Network/Storage Resources for a VNF
  – Instantiate a VNF
  – Update the VNF
  – (Re)Configure the VNF
  – Monitor the VNF
  – Scale the VNF up or out
  – Terminate the VNF
• May be specific to a VNF or responsible for managing multiple VNFs
• Often provided by the VNF Vendor, but can also be part of the NFV Orchestrator

Accelerating the Data Path

Problem

[diagram: two VMs, each with a vNIC, attached to a Virtual Switch that fronts the pNIC; every hop crosses the Linux networking stack, and Overhead is marked at each crossing]

Adding to the Problem

Source: http://people.netfilter.org/hawk/presentations/LCA2015/net_stack_challenges_100G_LCA2015.pdf

Line rate on a 10Gbps NIC => Time to process a 64-byte packet: 67.2 nanoseconds!!
(A 64-byte frame occupies 84 bytes on the wire once the 8-byte preamble and the 12-byte inter-frame gap are counted; 84 bytes = 672 bits, and 672 bits at 10 Gb/s take 67.2 ns, i.e. about 14.88 million packets per second.)

(to put this in perspective: A single cache-miss on an Intel Xeon E5-2650 CPU costs 32 nanoseconds)

SR-IOV

• Drawbacks
  – VM dependence on Hardware (must use a specific NIC driver)
  – Prevents live VM Migration (the Virtual Function is a passed-through PCI device)
  – Bypasses Hypervisor security features: traffic on a VF moves directly between the NIC and the guest, so vSwitch ACLs, security groups and any other filtering the hypervisor applies never see it; isolation then rests on the NIC's own VF filtering and on the IOMMU

Various out-of-tree Linux Kernel Bypass techniques

• netmap
• PF_RING
• PacketShader
• OpenOnload (SolarFlare)
• DPDK (Intel)

Intel DPDK (Data Plane Development Kit)

• All in User Space
• Fixed-Size Buffers
• Poll-Mode NIC drivers (PMDs) for Intel NICs
• Efficient Flow Classification based on Intel SSE
• Lockless Queues
• Huge Pages (up to 1GB)
• Run-to-completion mode

DPDK with OVS

[diagram: ovs-vswitchd in User Space on top of the DPDK Libraries, with a DPDK PMD netdev driving the NIC directly, DPDK vHost (virtio) and IVSHMEM (shmem) paths into the qemu VMs, and DPDK Tunnels; for contrast, the Kernel Space path through the OVS kernel module (kernel packet processing) and a socket/TAP netdev]

Other tricks to squeeze out performance

• CPU Socket Affinity: Placing all the vCPUs of a VM on the same physical CPU socket.
• CPU Pinning: Pinning a VM vCPU to a physical core.
• NUMA-aware Scheduling: Associates the VM with the same NUMA nodes as the PCIe devices passed to the VM.

Source: https://networkbuilders.intel.com/docs/openStack_Kilo_wp_v2.pdf

Performance Numbers

Source: https://networkbuilders.intel.com/docs/Network_Builders_RA_DPDK_vSwitch_Final.pdf

[chart: throughput measured with a Traffic Generator; no packet processing, just forwarding]

Extension of Intel DPDK with 6WIND

• Poll Mode Drivers (PMDs) for non-Intel NICs
• Performance acceleration for vNICs:
  – Fast vNIC PMD
  – vNIC VMXNET3 PMD
  – vNIC virtio PMD
• Crypto-Acceleration Modules for:
  – Cavium Nitrox
  – Intel Multi-Buffer Crypto for IPsec
  – Intel QuickAssist

Scale-up and Scale-out Solutions

Stitching Network Services

Static Service Chaining

• Service chain ordering or addition of new services requires network topology changes

• All traffic flows through all services regardless of need

• Tied to the transport protocol

Source: http://www.flat-planet.net/blog/?p=205


Dynamic Service Chaining

[diagram: a Classifier between two FE nodes steers traffic into Chain 1 or Chain 2, each traversing its own subset of the network services NS1, NS2, NS3 and NS4]

NSH encapsulated in a VxLAN-GPE transport

[diagram, outermost first: Transport Encap (VxLAN-GPE) | NSH Header | Original Packet/Frame]

SFC Components

• Service Function (SF): A function that is responsible for specific treatment of received packets (e.g. Firewall, DPI, NAT, LB, etc.)
• Service Function Forwarder (SFF): Responsible for forwarding traffic to one or more connected service functions according to information carried in the SFC encapsulation.
• Service Function Proxy: Removes and inserts SFC Encapsulation on behalf of an SFC-unaware service function.
• Classifier: An element in the data plane that performs classification, i.e. matches traffic against policy and selects the service function path it should enter.

Source: https://tools.ietf.org/html/draft-ietf-sfc-architecture-11

Example of an NSH-based service chain

[diagram: Source to Destination across the Data Plane, each hop carrying the NSH Header inside a Transport Encap (e.g. VxLAN-GPE, MPLS, LISP)]
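The NSH-in-VxLAN-GPE encapsulation, the SFC component roles and the NSH-based chain above, as one added example that is not code from the talk, from OpenDaylight or from OVS: a Python builder and parser for the two headers, an SFF hop that validates the packet before forwarding it, an SFC-aware SF that decrements the Service Index, and a walk through a constructed two-chain path table. It follows the RFC 8300 NSH base header (which has a TTL field the 2015 draft lacked) and the VXLAN-GPE header from the NVO3 draft; the SPI values, node names, path table and inner IPv4 packet are all constructed for illustration.

```python
"""NSH over VXLAN-GPE: build, validate, and walk a service function path.

Added example, not code from the talk, OpenDaylight or OVS.  Layouts follow
RFC 8300 (NSH) and draft-ietf-nvo3-vxlan-gpe.  SPI values, node names, the
path table and the inner IPv4 packet are constructed for illustration.
"""
import struct

# VXLAN-GPE outer header: flags(8) | reserved(16) | next protocol(8) | VNI(24) | reserved(8)
GPE_LEN = 8
GPE_FLAG_I = 0x08            # VNI field valid
GPE_FLAG_P = 0x04            # Next Protocol field valid
GPE_NP_NSH = 0x04            # Next Protocol value: an NSH header follows

# NSH: base header (1 word) | service path header (1 word) | context headers
NSH_NP_IPV4 = 0x1            # NSH Next Protocol: inner packet is IPv4
NSH_MD_TYPE_1 = 0x1          # MD type 1: four fixed 32-bit context words
NSH_MD1_WORDS = 6            # Length field (in 32-bit words) for MD type 1
NSH_INITIAL_SI = 255         # RFC 8300: the classifier starts the SI at 255


def build_packet(vni, spi, si, inner, ttl=63, context=b"\x00" * 16):
    """Wrap an inner IPv4 packet in NSH (MD type 1) inside VXLAN-GPE."""
    assert 0 < ttl < 64 and 0 < spi < (1 << 24) and 0 < si < 256 and len(context) == 16
    gpe = struct.pack("!BHBI", GPE_FLAG_I | GPE_FLAG_P, 0, GPE_NP_NSH, vni << 8)
    # Ver(2)=0 | O(1)=0 | U(1)=0 | TTL(6) | Length(6) | U(4)=0 | MD Type(4) | Next Protocol(8)
    base = (ttl << 22) | (NSH_MD1_WORDS << 16) | (NSH_MD_TYPE_1 << 8) | NSH_NP_IPV4
    return gpe + struct.pack("!II", base, (spi << 8) | si) + context + inner


def parse_packet(pkt):
    """Return the NSH fields and inner packet; raise ValueError for anything an SFF must drop."""
    if len(pkt) < GPE_LEN + 8:
        raise ValueError("truncated: no room for VXLAN-GPE + NSH")
    flags, _, gpe_np, vni_word = struct.unpack("!BHBI", pkt[:GPE_LEN])
    if not flags & GPE_FLAG_P or gpe_np != GPE_NP_NSH:
        raise ValueError("VXLAN-GPE next protocol is not NSH")
    base, service_path = struct.unpack("!II", pkt[GPE_LEN:GPE_LEN + 8])
    ver, ttl = base >> 30, (base >> 22) & 0x3F
    length, md_type, next_proto = (base >> 16) & 0x3F, (base >> 8) & 0xF, base & 0xFF
    if ver != 0:
        raise ValueError("unsupported NSH version %d" % ver)
    if md_type == NSH_MD_TYPE_1 and length != NSH_MD1_WORDS:
        raise ValueError("MD type 1 requires Length=6, got %d" % length)
    if length < 2 or GPE_LEN + length * 4 > len(pkt):
        raise ValueError("NSH Length field inconsistent with packet size")
    spi, si = service_path >> 8, service_path & 0xFF
    if ttl == 0 or si == 0:
        raise ValueError("TTL or SI is zero")
    return {"vni": vni_word >> 8, "ttl": ttl, "md_type": md_type, "next_proto": next_proto,
            "spi": spi, "si": si, "context": pkt[GPE_LEN + 8:GPE_LEN + length * 4],
            "inner": pkt[GPE_LEN + length * 4:]}


def sff_forward(pkt, table):
    """One SFF hop: validate, look up (SPI, SI), decrement TTL; return (next hop, packet).

    RFC 8300 splits the roles: the SFF decrements TTL, the SF decrements SI.  An SFF
    with no entry for (SPI, SI) drops the packet instead of guessing a next hop.
    """
    hdr = parse_packet(pkt)
    next_hop = table.get((hdr["spi"], hdr["si"]))
    if next_hop is None:
        raise ValueError("no path entry for SPI=%d SI=%d" % (hdr["spi"], hdr["si"]))
    ttl = hdr["ttl"] - 1
    if ttl == 0:
        raise ValueError("TTL expired inside the service chain")
    base = struct.unpack("!I", pkt[GPE_LEN:GPE_LEN + 4])[0]
    base = (base & ~(0x3F << 22)) | (ttl << 22)
    return next_hop, pkt[:GPE_LEN] + struct.pack("!I", base) + pkt[GPE_LEN + 4:]


def sf_process(pkt):
    """An SFC-aware service function: after its treatment it decrements the SI."""
    hdr = parse_packet(pkt)
    off = GPE_LEN + 4
    return pkt[:off] + struct.pack("!I", (hdr["spi"] << 8) | (hdr["si"] - 1)) + pkt[off + 4:]


def walk_chain(pkt, table, egress="egress"):
    """SFF -> SF -> SFF ... until the table sends the packet to egress.
    Returns the SFs visited in order and the decapsulated inner packet."""
    visited = []
    while True:
        next_hop, pkt = sff_forward(pkt, table)
        if next_hop == egress:
            return visited, parse_packet(pkt)["inner"]
        pkt = sf_process(pkt)
        visited.append(next_hop)


def accepted(pkt, table):
    """True if every node on the path accepts the packet, False if any node drops it."""
    try:
        walk_chain(pkt, table)
        return True
    except ValueError:
        return False


# Constructed path table: SPI 10 = firewall -> dpi -> lb; SPI 20 = dpi only.  The SI
# counts down from 255, and the last entry hands the packet to the egress SFF.
PATH_TABLE = {(10, 255): "firewall", (10, 254): "dpi", (10, 253): "lb", (10, 252): "egress",
              (20, 255): "dpi", (20, 254): "egress"}
# Constructed 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2, UDP, checksum left at 0).
INNER = bytes.fromhex("4500001400010000401100000a0000010a000002")


def demo():
    """Classify into SPI 10 and walk it; returns the SFs visited and whether the payload survived."""
    visited, inner = walk_chain(build_packet(5000, 10, NSH_INITIAL_SI, INNER), PATH_TABLE)
    return visited, inner == INNER


if __name__ == "__main__":
    print(demo())
```

The checks in parse_packet and sff_forward are the ones that matter at an SFC domain boundary: NSH carries no integrity protection of its own, so an SFF that honours any (SPI, SI) it receives lets whoever can inject VxLAN-GPE frames choose which service functions a flow visits or skips. Strip or reject NSH on untrusted ingress, forward only on path entries the controller installed, and let the TTL bound the damage of a misprogrammed loop.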

OpenDaylight SFC with NSH on OpenVSwitch

OpenDaylight SFC Control Plane Elements

[diagram: an ODL Controller managing four Compute Hosts, each running OpenVSwitch; the first hosts VNF VM1 and VNF VM2, the second VNF VM3 and VNF VM4, the third the Client VM and the fourth the Server VM]

Summary

• Take-aways:
  – Ways to accelerate the data path to your service for scale
  – Work on integrating your service into SDN Fabric Control Planes
  – Track and support service chaining standards like NSH
  – Provide a management layer in an NFV environment for your services