A Business Process for Deploying an SDN Enterprise Network

Simeon Miteff, LBNL
17-October 2017


Context for SDN + the FAUCET OpenFlow controller

My narrow definition of SDN: we “define” by low-level control of forwarding plane. FAUCET = the simplest possible deployable OpenFlow controller for LANs.

https://github.com/faucetsdn/faucet/tree/master/docs/presentations


Part one

Where I convince you of the technical merit of the idea.


Wiring-closet level deployment scenario


How is this a good thing?

● Alternative route to a common network abstraction for automation:
  ○ Switch control-plane is not like a Linux box (e.g., EOS, IOS-XE, ~JunOS), it is a Linux box.
  ○ Leverage existing toolset to manage clusters of hosts running services (DevOps).
  ○ No bickering about which API is best: configuration is a YAML file!
● Hardware vendor independence (like stacking, but better).
● Consistent forwarding-plane behavior (think L2 security).
  ○ NETCONF+YANG is not a solution for this.
● Implement novel (not RFC-constrained) forwarding with FAUCET ACLs.
● Local CPU is no longer an underpowered cost-optimised MIPS/ARM SOC:
  ○ Ideal for adding virtual network functions at the edge.


Part two

Where I talk about the business mumbo-jumbo that reality imposes on us.


How did I get here?

● 2013: Work on academic problem using OpenFlow for MSc thesis (NFShunt)
● 2014: Hang out in New Zealand for a month (SDN is a thing down there!)
● 2015: Treehouse link SANReN↔ESNet (Vandervecken/Routeflow testbed)
● 2016: FAUCET pilot at SANReN (doing it the wrong way)
● 2016: Apply for job at LBNL (pitch FAUCET in the interview!)
● 2017 Spring:
  ○ Co-host FAUCET plugfest @ LBNL with ESNet and Google
  ○ Run FAUCET in home LAN (passes the “mission-critical Netflix test”)
● 2017 Fall:
  ○ Commit to doing a FAUCET pilot at LBNL in I2 techex proposal submission.
  ○ Use pilot deployment to run network for FAUCETCon 2017 @ LBNL (starts tomorrow!)


Taking a step back: business drivers at LBLNet

● Artifacts of the Federal budget cycle.
● Engineering person-hours are almost always our constraining factor.
● Desire to spend less time on:
  ○ Drudgery of manual configuration and provisioning.
  ○ Fighting vendor software bugs.
  ○ Troubleshooting fragile technology (Ethernet switching sucks).

So do we invest multiple person-years building an invented-here control plane?


The Snore Slide: change management

● Rapid retraining and forklift replacement of tools will be counter-productive.
● Idea: Concurrent Engineering/Agile development breaks serial dependencies.
● Lessons from CE in aerospace (SDN with cheap iterations).

By Mdkoch84 - Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=5802627


The proposed business process

● Choosing a good open source controller: FAUCET
● Gap analysis
  ○ Features for interoperation with L2 and L3 aggregation layer: LAGs, loop protection.
  ○ Edge “port security” and snooping features.
  ○ Minimum-viable telemetry: counters, states, environment.
● Build development/test environment, add more switches.
● Piloting approach: fishfood → dogfood → production.
● Re-architect network management to be ready for SDN.
● Hardware timeline:
  ○ Existing non-OF capable switch lifecycle 3-5 years.
  ○ Careful timing of vendor OpenFlow agent maturity and gNMI support.


The SDNMS: configuration management

● Step 1: network data model and single-source of truth DB
● Step 2: generate existing NMS config (replace hand-crafted config)
● Step 3: generate new non-SDN configuration from templates
● Step 4: generate non-SDN switch configuration changes (ACLs, etc)
● Step 5: switch to fully managed non-SDN switch configuration
● Step 6: switch to fully-managed FAUCET configuration for production network

Optional: depend on timing of SDN
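
A sketch of steps 1 and 6 joined together, added here as an illustration and not taken from the talk, LBLNet or the FAUCET project: a source-of-truth model is validated and rendered into a faucet.yaml-style configuration. The inventory layout and all names in it are hypothetical; the output keys (vlans, vid, dps, dp_id, hardware, interfaces, native_vlan, tagged_vlans) follow FAUCET's configuration format.

```python
# Constructed sample inventory (hypothetical names/values, not LBLNet data).
INVENTORY = {
    "vlans": {"office": 100, "guest": 200},
    "switches": {"closet-sw1": {
        "dp_id": 1,
        "hardware": "Open vSwitch",
        "ports": {1: {"access": "office"}, 2: {"access": "guest"},
                  24: {"trunk": ["office", "guest"]}},
    }},
}


def build_config(inv):
    """Validate the model, then return a dict laid out like faucet.yaml."""
    vids = list(inv["vlans"].values())
    if len(vids) != len(set(vids)):
        raise ValueError("duplicate VLAN id in source of truth")
    cfg = {"vlans": {n: {"vid": v} for n, v in inv["vlans"].items()}, "dps": {}}
    for sw, spec in inv["switches"].items():
        ifaces = {}
        for num, port in sorted(spec["ports"].items()):
            if len(port) != 1 or next(iter(port)) not in ("access", "trunk"):
                raise ValueError(f"{sw} port {num}: need one of access/trunk")
            used = [port["access"]] if "access" in port else port["trunk"]
            unknown = [v for v in used if v not in inv["vlans"]]
            if unknown:  # fail the build instead of shipping a dangling VLAN
                raise ValueError(f"{sw} port {num}: undefined VLAN {unknown}")
            ifaces[num] = ({"native_vlan": used[0]} if "access" in port
                           else {"tagged_vlans": used})
        cfg["dps"][sw] = {"dp_id": spec["dp_id"], "hardware": spec["hardware"],
                          "interfaces": ifaces}
    return cfg


def to_yaml(node, indent=0):
    """Minimal YAML emitter for the nested dicts and lists produced above."""
    lines = []
    for key, val in node.items():
        if isinstance(val, dict):
            lines += [f"{' ' * indent}{key}:", to_yaml(val, indent + 4)]
        elif isinstance(val, list):
            lines.append(f"{' ' * indent}{key}: [{', '.join(val)}]")
        else:
            lines.append(f"{' ' * indent}{key}: {val}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_yaml(build_config(INVENTORY)))
```

Because every port's VLAN membership is checked against the model before anything is emitted, a typo in the inventory stops the build rather than reaching a switch.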


The SDNMS: monitoring (fault, perf, security, auth)

● Evaluate and select modern tools for managing infrastructure at scale
  ○ Possible shortcut: start with tools already supported by FAUCET

Phasing new tools into production:

● Phase 1: Existing frontend → Adapter → SDNMS backend → FAUCET
● Phase 1: New front-end → SDNMS backend → FAUCET
● Phase 2: New front-end → SDNMS backend → Adapter → Legacy network


Part three

Where I talk about what we’ve done so far.


Layer 8 engineering objectives

● Have a plan to solve real problems (beware the SDN cargo cult)
● Consider the whole problem: design, hardware, software, operations.
● Incremental approach (boiling a smaller ocean).
● “Person doing this is not me” - my personal challenge.
● Inspiration versus instruction (engineers self-select the assignment).

How have we done so far?


FAUCET pilot status

● Set it up in the break room/wiring closet.
● Gained experience:
  ○ Docker on controller host for FAUCET and GAUGE.
  ○ Moving around images from dev/test system to pilot controller.
  ○ Crafting faucet.yaml to do basic VLANs and trunks.
  ○ Setting up Prometheus + Grafana for metrics.
  ○ Two switch vendors (HPE Aruba and Allied Telesis).
● Ran two workstation hosts in NOC office.
● Set up prometheus/grafana system.
● Tore it down, set it back up at conference venue.


What we’ve learned

● Prioritizing non-urgent+important work (on a 3-5 year horizon) is hard:
  ○ Desperate measure: work to externally imposed deadline.
● Invalid assumptions of our security design for network control plane:
  ○ FAUCET+Linux is not like traditional switch firmware.
● OpenFlow is not dead, agent maturity is still variable.
● Vendors are weird:
  ○ Engineering is building the cool OpenFlow product.
  ○ Sales, completely unaware, continues the OpenFlow FUD campaign.


Part four

Where I talk about the future.


Things we hope to learn

● Discover more about deployable hardware
  ○ Next stop: gNMI for switch provisioning and telemetry
● Find FAUCET deficiencies and bugs
● Gain operational experience (more hosts; features; tools).
● Change our thinking about segmentation, security, BUM traffic, etc.

(and eventually)

● Run a “Cyber RFP”:
  ○ Realistic: hardware unit tests verify functionality
  ○ My dream: the booth at the gate
● Experiment with CI/CD into our operations


Thanks!

Ben Coleman; Nat Stoddard; Ashwin Selvarajan; Josh Bailey; Stephen Stuart; Brad Cowie; Inder Monga; Craig Leres; Allied Telesis and HP Enterprise/Aruba.

If you can drop by, in Berkeley, check out the FAUCET conference (18-20 Oct):

http://conference.faucet.nz/