introduction to openflow / sdn & its effects on the future of internet mohammad moghaddas...

Introduction to OpenFlow /SDN&

its effects on the future of Internet

Mohammad [email protected] www.1cisco.com

2012, July

mailto:[email protected]

http://www.1cisco.com/

Welcome

Goals of this Seminar

By the end, everyone should know:

– Knowledge about OpenFlow/SDN • What these are • How they relate • What’s available now • Where it’s going • How it’s used – OpenFlow/SDN and You • How you can use it • How you can build on top of what’s available • How you can build something completely new

Have fun!

Original Question

How can researchers on college campuses test out new ideas in a real network, at scale?

We like to do new experiments: Mobility management New naming/address schemes Network access control New features of Cloud Computing Virtualization features ….

ProblemMany good research ideas

on college campuses…

No way to test new ideas at scale, on real networks, with real user traffic

Many good research ideas on college campuses…

No way to test new ideas at scale, on real networks, with real user traffic

Consequence: Almost no technology transfer

Consequence: Almost no technology transfer

Research problems

Well known problemsSecurity, mobility, availability

Well known problemsSecurity, mobility, availability

Incremental ideasFixing BGP, multicast, access control,

Mobile IP, data center networks.

Incremental ideasFixing BGP, multicast, access control,

Mobile IP, data center networks.

More radical changesEnergy management, VM mobility, …

More radical changesEnergy management, VM mobility, …

The only test network large enough to evaluate future Internet technologies

at scale, is the Internet itself.

Today’s Networks are Defined by the “Box”

• Hardware, Operating System, and Applications Built Into a “Box”.

• Cannot Mix and Match • Barrier to Entry

Vertically integratedClosed, proprietary

Slow innovationSmall industry

SpecializedOperatingSystem

SpecializedHardware

AppAppAppAppAppAppAppAppAppAppApp

SpecializedApplications

HorizontalOpen interfacesRapid innovation

Huge industry

Microprocessor

Open Interface

Linux MacOS

Windows(OS) or or

Open Interface

Vertically integratedClosed, proprietary

Slow innovation

AppAppAppAppAppAppAppAppAppAppApp

HorizontalOpen interfacesRapid innovation

ControlPlane

ControlPlane

ControlPlane or or

Open Interface

SpecializedControlPlane

SpecializedHardware

SpecializedFeatures

MerchantSwitching Chips

Open Interface

What is SDN?

Specialized Packet Forwarding Hardware

App

App

App


App

App

App


App

App

App


App

App

App


OperatingSystem

OperatingSystem

OperatingSystem

OperatingSystem

OperatingSystem

App

App

App

13

Current Internet Closed to Innovations in the Infrastructure

Closed


App

App

App


App

App

App


App

App

App


App

App

App


OperatingSystem

OperatingSystem

OperatingSystem

OperatingSystem

OperatingSystem

App

App

App

Network Operating System

App App App

“Software Defined Networking” approachto open it

Software Defined Network (SDN)

Global Network View

Network Virtualization

PacketForwarding

PacketForwarding

PacketForwarding

PacketForwarding

PacketForwarding

Network OS

Abstract Network View

ControlPrograms

ControlPrograms

ControlPrograms


Global Network View


PacketForwarding

PacketForwarding

PacketForwarding

PacketForwarding


ControlPrograms

ControlPrograms

ControlPrograms

firewall.c…

if( pkt->tcp->dport == 22)dropPacket(pkt);

…

firewall.c…

if( pkt->tcp->dport == 22)dropPacket(pkt);

…

PacketForwarding

Network OS1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action>6. …7. …

1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action>6. …7. …









With SDN we will:1. Formally verify that our networks are

behaving correctly.2. Identify bugs, then systematically

track down their root cause.

How do other industries do it?

Making ASICs Work

$10B tool businesssupports a

$250B chip industry


$250B chip industry

SpecificationSpecification

Functional Description (RTL)

Testbench & Vectors

Functional Verification

Logical Synthesis

Static Timing

Place & Route

Design Rule Checking (DRC)

Layout vs Schematic (LVS)

Layout Parasitic Extraction (LPE)

Manufacture& Validate

Making Software Work

Static Code Analysis

Invariant Checker

Interactive Debugger

Model Checking

Run-time Checker

SpecificationSpecification

TestbenchFunctional Description (Code)


$300B S/W industry


$300B S/W industry

Example: New Data Center

Cost200,000 serversFanout of 20 10,000 switches$5k vendor switch = $50M$1k commodity switch = $10M

Savings in 10 data centers = $400M

Making Networks Work (Today)

traceroute, ping, tcpdump, SNMP, Netflow

…. er, that’s about it.

Why debugging networks is hard

Complex interaction – Between multiple protocols on a switch/router.– Between state on different switches/routers.

Multiple uncoordinated writers of state.

Operators can’t…– Observe all state.– Control all state.

Networks are kept working by

“Masters of Complexity”

A handful of booksAlmost no papers

No classes

A handful of booksAlmost no papers

No classes

Philosophy of Making Networks Work

YoYo “You’re On Your Own”

YoYo Ma “You’re On Your Own, Mate”

With SDN we will:1. Formally verify that our networks are

behaving correctly.2. Identify bugs, then systematically

track down their root cause.

Three Methods

Static Checking“Independently checking correctness”

Automatic Testing“Is the datapath behaving correctly?”

Interactive Debugging“Finding bugs, and their root cause, in an operational network”

Static checkingIndependently checking correctness

Peyman Kazemian

Hongyi ‘James’

Zeng

GeorgeVarghese(UCSD)

Motivations

In today’s networks, simple questions are hard to answer:

– Can host A talk to host B?– What are all the packet headers from A that can

reach B?– Are there any loops in the network?– Is Group X provably isolated from Group Y?– What happens if I remove a line in the config file?

29


Global Network View


PacketForwarding

PacketForwarding

PacketForwarding

PacketForwarding


ControlPrograms

ControlPrograms

ControlPrograms

PacketForwarding

Network OS1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …

1. <Match, Action>2. <Match, Action>3. <Match, Action>4. <Match, Action>5. <Match, Action> 6. …7. …

















Static Checker











“A can talk to B”

“Guests can’t reach PatientRecords”

“A can talk to B”

“Guests can’t reach PatientRecords”

Policy

How it works

Header Space Analysis


12

3 4

1

2

3

4

Port ID

A B

Use Cases

• Can host A talk to B?

34

Box 1Box 2

Box 3Box 4

A

B

T1(X,A)

T2(T1(X,A))

T4(T1(X,A))

T3(T2(T1(X,A)) U T3(T4(T1(X,A))

T-13

T-13

T-14

T-12T-1

1

T-11

All Packets sent from A can use to communicate with B

Use Cases• Is there a loop in the network?

– Inject an all-x text packet from every switch-port– Follow the packet until it comes back to injection port

35

Box 1

Box 2

Box 3

Box 4

T1(X,P)T2(T1(X,P))

T3(T2(T1(X,P)))T4(T3(T2(T1(X,P))))

Original HS

Returned HS

T-14

T-13

T-12

T-11

Use Cases

• Is the loop infinite?

36

Finite Loop Infinite Loop ?


Consequences1. Finds all packets from A that can reach B2. Find loops, regardless of protocol or layer3. Can prove that two groups are isolated

Proves if network adheres to policyWorks on existing networks and SDNs

Stanford Backbone

Hassell tool 1. Reads Cisco IOS Configuration 2. Checks reachability, loops and isolation3. 10 mins for Stanford Backbone4. Easily made parallel: 1 sec is feasible

Hassell is available for free, for you to run

Stanford backbone network

39

~750K IP fwd rule.~1.5K ACL rules.

~100 Vlans.Vlan forwarding.

Stanford backbone network• Loop detection test – run time < 10 minutes on a

single laptop.

40

Vlan RED Spanning Tree

Vlan BLUE Spanning Tree

Performance

41

Generating TF Rules ~150 sec

Loop Detection Test (30 ports) ~560 sec

Average Per Port ~18 sec

Min Per Port ~ 8 sec

Max Per Port ~ 135 sec

Reachability Test (Avg) ~13 sec

Performance result for Stanford Backbone Network on a single machine: 4 core, 4GB RAM.

What is OpenFlow?

Short Story: OpenFlow is an API

• Control how packets are forwarded• Implementable on COTS hardware• Make deployed networks programmable

– not just configurable• Makes innovation easier• Goal (experimenter’s perspective):

– No more special purpose test-beds– Validate your experiments on deployed hardware

with real traffic at full line speed

OpenFlow: a pragmatic compromise

• + Speed, scale, fidelity of vendor hardware• + Flexibility and control• Leverages hardware inside most switches

today• Vendors don’t need to expose implementation

Put an open platform in hands of researchers/students to test new ideas at scale through production networks.

An open development environment for all researchers

Give access to flow tables in switches: - lookup tables, access control list, etc.. - Control packet forwarding in routers and switches.

How Does OpenFlow Work?

Ethernet Switch

Data Path (Hardware)

Control PathControl Path (Software)

Data Path (Hardware)

Control Path OpenFlow

OpenFlow Controller

OpenFlow Protocol (SSL/TCP)

Controller

PC

HardwareLayer

SoftwareLayer

Flow Table

MACsrc

MACdst

IPSrc

IPDst

TCPsport

TCPdport Action

OpenFlow Firmware

**5.6.7.8*** port 1

port 4port 3port 2port 1

1.2.3.45.6.7.8

OpenFlow Flow Table Abstraction

OpenFlow BasicsFlow Table Entries

SwitchPort

MACsrc

MACdst

Ethtype

VLANID

IPSrc

IPDst

IPProt

TCPsport

TCPdport

Rule Action Stats

1. Forward packet to port(s)2. Encapsulate and forward to controller3. Drop packet4. Send to normal processing pipeline5. Modify Fields

Packet + byte counters

ExamplesSwitching

*

SwitchPort

MACsrc

MACdst

Ethtype

VLANID

IPSrc

IPDst

IPProt

TCPsport

TCPdport Action

* 00:1f:.. * * * * * * * port6

Flow Switching

port3

SwitchPort

MACsrc

MACdst

Ethtype

VLANID

IPSrc

IPDst

IPProt

TCPsport

TCPdport Action

00:20.. 00:1f.. 0800 vlan1 1.2.3.4 5.6.7.8 4 17264 80 port6

Firewall

*

SwitchPort

MACsrc

MACdst

Ethtype

VLANID

IPSrc

IPDst

IPProt

TCPsport

TCPdport Forward

* * * * * * * * 22 drop

ExamplesRouting

*

SwitchPort

MACsrc

MACdst

Ethtype

VLANID

IPSrc

IPDst

IPProt

TCPsport

TCPdport Action

* * * * * 5.6.7.8 * * * port6

VLAN Switching

*

SwitchPort

MACsrc

MACdst

Ethtype

VLANID

IPSrc

IPDst

IPProt

TCPsport

TCPdport Action

* * vlan1 * * * * *

port6, port7,port9

00:1f..

http://geni.net

GENI OpenFlow deployment (2010)

83 Universities/Research centers & 2 National Backbones

http://groups.geni.net/geni/wiki/ProtoGENIFlashClient

Switches

• Linux based Software Switch

• Release concurrently with specification

• Kernel and User Space implementations

• Note: no v1.0 kernel-space implementation

• Limited by host PC, typically 4x 1Gb/s

• Not targeted for real-world deployments

• Useful for development, testing

• Starting point for other implementations

• Available under the OpenFlow License (BSD Style) at http://www.openflowswitch.org

Stanford Reference Implementation

Wireless Access Points

• Two Flavors:– OpenWRT based (Busybox Linux)

• v0.8.9 only

– Vanilla Software (Full Linux)• Only runs on PC Engines Hardware• Debian disk image

• Available from Stanford

• Both implementations are software only.

NetFPGA

• NetFPGA-based implementation – Requires PC and NetFPGA card– Hardware accelerated– 4 x 1 Gb/s throughput

• Maintained by Stanford University• $500 for academics• $1000 for industry• Available at http://www.netfpga.org

• Linux-based Software Switch

• Released after specification

• Not just an OpenFlow switch; also supports VLAN trunks, GRE tunnels, etc

• Kernel and User Space implementations

• Limited by host PC, typically 4x 1Gb/s

• Available under the Apache License (BSD Style) at http://www.openvswitch.org

Open vSwitch

OpenFlow Vendor Hardware

more to follow...

NEC IP8800

HP ProCurve 5400

Juniper MX-seriesCisco Catalyst 6kCore

EnterpriseCampus/DC

CircuitSwitch

Wireless

Pronto

Prototype Product

Ciena CoreDirector

WiMAX (NEC)

Cisco Cat3750 Arista 7100 series

(Q4 2010)

63

HP ProCurve 5400 Series

Praveen Yalagandula

Jean Tourrilhes

SujataBanerjee

Rick McGeer

CharlesClark

• Chassis switch with up to 288 ports of 1G or 48x10G (+ other interfaces available)

• Line-rate support for OpenFlow

• Deployed in 23 wiring closets at Stanford

• Limited availability for Campus Trials

• Contact HP for support details

NEC IP8800• 24x/48x 1GE + 2x 10 GE

• Line-rate support for OpenFlow

• Deployed at Stanford

• Available for Campus Trials

• Supported as a product

• Contact NEC for details:

• Don Clark ([email protected])

• Atsushi Iwata ([email protected])

HideyukiShimonishi

JunSuzuki

MasanoriTakashima

NobuyukiEnomoto

PhilavongMinaxay

ShuichiSaito

TatsuyaYabe

YoshihikoKanaumi

(NEC/NICT)

AtsushiIwata

(NEC/NICT)



Umesh Krishnaswamy

MichaelaMezo

ParagBajaria

JamesKelly

BobbyVandalore

Juniper MX Series• Up to 24-ports 10GE or 240-ports 1GE

• OpenFlow added via Junos SDK

• Hardware forwarding

• Deployed in Internet2 in NY and at Stanford

• Prototype

• Availability TBD

FlavioBonomi

SaileshKumar

PereMonclus

• Various configurations available

• Software forwarding only

• Limited deployment as part of demos

• Availability TBD

Work on other Cisco models in progress

Cisco 6500 Series

– The individual controllers and the FlowVisor are applications on commodity PCs (not shown)

Demo Infrastructure with Slicing

Flows

OpenFlow switches

WiMax

Packet processors

WiFi APs

Be sure to check out the demos in www.openflow.org

OpenFlow Demonstration Overview

Network Virtualization FlowVisor

Hardware Prototyping OpenPipes

Load Balancing PlugNServe

Energy Savings ElasticTree

Mobility MobileVMs

Traffic Engineering Aggregation

Wireless Video OpenRoads

Topic Demo

FlowVisor Creates Virtual Networks

OpenFlow Switch

OpenFlow Switch

OpenFlow Switch

OpenFlowProtocol

FlowVisor

OpenPipesDemo

OpenRoadsDemo

OpenFlowProtocol

PlugNServeLoad-balancer

OpenPipesPolicy

FlowVisor slices OpenFlow networks, creating multiple isolated and programmable

logical networks on the same physical topology.

Each demo described here runs in an isolated slice of Stanford’s production network.

•Plumbing with OpenFlow to build hardware systemsOpenPipes

Partition hardware designs

TestMix

resources

Goal: Load-balancing requests in unstructured networks

Plug-n-Serve: Load-Balancing Web Traffic using OpenFlow

OpenFlow means…

Complete control over traffic within the networkVisibility into network conditionsAbility to use existing commodity hardware

What we are showing

OpenFlow-based distributed load-balancer Smart load-balancing based on network and server

load Allows incremental deployment of additional resources

This demo runs on top of the FlowVisor, sharing the same physical network with other experiments and production traffic.

ElasticTree: Reducing Energy in Data Center Networks

• The demo:• Hardware-based 16-node

Fat Tree• Your choice of traffic

pattern, bandwidth, optimization strategy

• Graph shows live power and latency variation

• Shuts off links and switches to reduce data center power• Choice of optimizers to balance power, fault tolerance, and BW• OpenFlow provides network routes and port statistics

• Available at http://NOXrepo.org

• Open Source (GPL)

• Modular design, programmable in C++ or Python

• High-performance (usually switches are the limit)

• Deployed as main controller in Stanford

NOX Controller

MartinCasado

ScottShenker

TeemuKoponen

NatashaGude

JustinPettit

http://noxrepo.org/

• www.geni.net

• www.openflow.org

• www.openflowswitch.org

• www.noxrepo.org

• www.opennetworking.org

• www.cisco.com/go/one

• onrc.stanford.edu

• www.usenix.org

• http://www.techrepublic.com

References

http://www.geni.net/

http://www.openflow.org/

http://www.openflowswitch.org/

http://noxrepo.org/

http://www.opennetworking.org/

http://www.cisco.com/go/one

http://www.onrc.stanford.edu/

http://www.usenix.org/

http://www.techrepublic.com/

Thank you!

introduction to openflow / sdn & its effects on the future of internet mohammad moghaddas...

Documents

box hardware

entry slide

welcome slide

new ideas

chips open interface

infrastructure closed

technology transfer

real networks