Topology Service Injection using Dragonflow & Kuryr Eshed Gal-Or, Huawei

Everyone wants to deploy Cloud

But it’s tough…

Especially, Network Services

Topology Service Injection What is it?

Service Function Chaining Characteristics

Compute Node 1

EP 1

OVS LB FW

Compute Node 2

EP 2

OVS IPS DPI NAT

classifier for entry point

static or dynamic

nsh, mpls, appports, …

vms, containers, physical devices, user-space apps

Topology Service Injection

Logical Router

Logical Switch Logical Switch

VM 1 VM 2 VM 3

DPI

VM 1 VM 2

Topology Service Injection

Logical Router

Logical Switch Logical Switch

VM 3

DPI DSCP

Marking

VM 1 VM 2 VM 3

DSCP Marking

DPI

Topology Service Injection

Logical Router

Logical Switch Logical Switch

Distributed Load

Balancing

VM 3 VM 1 VM 2

Distributed Load

Balancing

DSCP Marking

DPI

Topology Service Injection

Logical Router

Logical Switch Logical Switch

Compute Node

OVS

Pipeline Service Injection

VM 1 VM 2

Table 0 Table 1 Table N …

External

App

Compute Node

OVS

Pipeline Service Injection

VM 1 VM 2

Table 0 Table 1 Table N …

External

App

External App

Table

OpenFlow / Other API

Example Intrusion Prevention Service (IPS)

Deployment Challenges

In-line (data path, bandwidth, DoS)

Dynamic Topology (close to the target)

Transparent (“under the hood”)

Cloud Automation (infra vs. workload)

Host

VM

Out-of-line Deployment

App

vSwitch

Ingress is replicated by a TAP and sent to both the target and the offline IPS

appliance

IPS

Switch w/ TAP

Rep

licated

ingress FW

Some IPS will actively close malicious flows

by adding specific rules to the perimeter

firewall

Host

VM

In-line Deployment

App

vSwitch

IPS device is deployed in-line, using slow-path for classification, and a fast-path for forwarding

IPS Device ingress

Slow Path

Fast Path

If the device becomes overwhelmed with too much traffic, it switches to “allow all”, to refrain

from complete DoS

Service Function Chaining OpenStack Neutron SFC

VM

App

VM

IPS IPS service function is

deployed as a VM on the App tenant virtual network

vSwitch

vSwitch overlay network (tunnel)

Port chain is created with neutron sfc

ingress

Host

VM

Topology Injected SDN Application Dragonflow and Kuryr

App

vSwitch ingress

Docker

IPS

DF

DF API (based on OpenFlow or P4)

The IPS App can register as a SDN Application on Dragonflow, and operate either in “Reactive” (first frame) or “Proactive” (set a private pipeline in the

vSwitch)

Host

Host

VM

Distributed SDN Application Attack Flow

App

vSwitch

Docker

IPS

vSwitch

Host

VM

App

vSwitch

DF

The IPS App can even be deployed on a different host than its protected

VM and inject itself into the datapath, and then terminate an offending

VM directly at the source

1

2

3

Host

Host

VM

Distributed SDN Application Normal Flow

App

vSwitch

Docker

IPS

vSwitch

Host

VM

App

vSwitch

DF

If the traffic is cleared to go through, the IPS App can create a direct flow

from the originating host to the target host.

1

2

3

What is it, anyway?

What is Dragonflow?

Native Distributed SDN for OpenStack Neutron

Light, Simple, Scalable, 100% Open Source

Advanced Virtual Network Services L2, L3, DHCP, Security Groups, Multicast

Active community under OpenStack “Big Tent”

Dragonflow Distributed SDN

Neutron-Server

Dragonflow Plugin

DB

OVS

Dragonflow

DB Driver

Compute Node

OVS

Dragonflow

DB Driver

Compute Node

OVS

Dragonflow

DB Driver

Compute Node

OVS

Dragonflow

DB Driver

Compute Node

DB

VM VM ..

VM VM ..

VM VM .. VM VM

..

Dragonflow “Under The Hood”

Compute Node Compute Node Compute Node

Dragonflow

Network DB

OVS

Neutron Server

OVSDB

OVSDB-Server

ETCD RethinkDB RAMCloud

Kernel Datapath Module

NIC

User Space

Kernel Space

Dragonflow DB Drivers

OVSDB ETCD RethinkDB RMC

Future

Dragonflow Plugin

Route Core API

SG

vswitchd

Container

VM Dragonflow Controller

Abstraction Layer

L2 App L3 App DHCP App

Fault Detection

IGMP App

LBaaS SG FWaaS

…

Pluggable DB Layer

NB

DB

Dri

vers

SB DB Drivers

smartNIC OVSDB

OVSDB

ETCD

RMC

RethinkDB

OpenFlow

Dragonflow Apps

DF Controller

OVS

OVS Bridge

Openflow Switch ingress egress

DF Plugin

Match-Action

Openflow rules

Dragonflow “Pipeline”

DF App

SDN App

Op

enFlo

w

Op

enFlo

w DF APIs

External App

Ap

p p

ort

Example Dragonflow Distributed DHCP Application

Network Node

DHCP namespace

DHCP namespace

DHCP namespace

DHCP namespace

OpenStack Neutron DHCP Implementation

DHCP namespace

dnsmasq

DHCP Agent

Neutron Server

Message Queue

Example • 100 Tenants • 3 vNet / tenant = 300 DHCP Servers

1 VM Send DHCP_DISCOVER

2 Classify Flow as DHCP, Forward to Controller

3 DHCP App sends DHCP_OFFER back to VM

4 VM Send DHCP_REQUEST

5 Classify Flow as DHCP, Forward to Controller

6 DHCP App populates DHCP_OPTIONS from DB/CFG and send DHCP_ACK

7 VM receives the DHCP_ACP and applies the configuration

Dragonflow Distributed DHCP

VM DHCP SERVER

1

3 4

6 7

Compute Node

Dragonflow

VM

OVS

VM

1 2

br-int qvoXXX qvoXXX

OpenFlow

1

4

2 5

7

Dragonflow Controller

Abstraction Layer

L2 App

L3 App

DHCP App

SG

3 6

Pluggable DB Layer

DB

Kuryr Dragonflow and Containers Network

Similar Concepts

Docker C1 Docker C2 Docker C3

libNetwork

Endpoint Endpoint Endpoint Endpoint

Frontend

Network

Backend

Network

Network Sandbox Network Sandbox Network Sandbox

VM2

192.168.1.7

192.168.5.2

VM1

Tenant A Net1

192.168.1.0/0

Tenant A Net2

192.168.5.0/0

192.168.1.5

Neutron

Compute Node

Nested Containers (Overlay)2 Problem

VM

BR-INT

BR-TUN

Docker0

Compute Node

VM

BR-INT

BR-TUN

Docker0

Flannel Overlay

Neutron Overlay

as the production-ready networking abstraction containers need

Kuryr Overview

Configuration Management Docker libNetwork

Remote Driver

Docker libNetwork IPAM Driver

K8S CNI Driver

Authentication

Neutron Client

Generic VIF Binding

Docker Swarm

Midonet Dragonflow

OVN Any other

Neutron

Mixed OpenStack Environments

Neutron network 1 Neutron network 2 Neutron network 3

Compute Node

VM

Dragonflow OVS (Controller: Dragonflow)

IPVLAN / OVS

VM

Inherited Network Features from Neutron

− Security Groups − Subnet Pools − NAT (SNAT / DNAT – Floating IP) − Port Security (ARP Spoofing) − QoS − Quota Management − Neutron pluggable IPAM − Provide well-integrated COE Load balancing through

Neutron − FWaaS for Containers − Many more as Neutron progress…

Thanks