Towards Truly Open And Commoditized SDN In OpenStack
Jun Park (Ph.D.), Senior Systems Architect, EIG/Bluehost
OpenStack Summit 2013, Hong Kong

Slide 2: OpenStack Meets Software-Defined-Networking
• Why Does OpenStack need SDN?
• Why Does SDN need OpenStack?

Slide 3: L2 Fabric
(Figure: VM1, VM2, VM3 on separate racks connected over one L2 fabric.)
• Keep Public IP Address, MAC Address (when a VM moves between racks)
• QoS, Isolation, ACL, Firewall
• Tenant isolated networks
This is exactly a killer app of SDN!

Slide 4: Key Points of L2 Fabric
• Simple Data Forwarding
• No L3 Agent, No NAT
• No Unknown Traffic Plane
• Avoid Performance Overhead
• Seamless & Straightforward VM Migration
• High Entropy in Packets: Desired for multipath

Slides 5–6: # neutron port-list
• For 20,000 ports
• Now 3 Seconds With Optimization

Slide 7: SDN Controller – When Something Closed…
(Figure: NOX/POX, NEC, BigSwitch, Onix, Ryu, Nicira, FloodLight, OpenDayLight.)

Slide 8: General SDN Architecture
(Figure: External Entity -> Northbound API -> SDN Controllers (SDN Application, Control Logic, Network Topology) -> Southbound API -> OpenFlow Switch.)
• Open Flow rules
– Forwarding plane
– No Src MAC learning
• Timing
– Reactive vs. Proactive
• Transition
– Traditional ports -> Open Flow ports
– Pure Open Flow vs. Hybrid port
• Max # of Open Flow rules
– 4K – 120K, more or less
– How many rules bundled up
• Distributed vs. Single

Slide 9: Current OpenStack SDN Approach
(Figure: Neutron-server, Neutron DB, SDN Controller(s) with SDN Application and Network Info Base (NIB), compute node with Open vSwitch (OVS) and Neutron agent.)
0. Agent prepares basic OVS structure
1. Request to create a virtual interface (vif)
2. Create a vif in DB
3. Call rest api to SDN controller
4. Deploy OpenFlow Rules (on the compute node)
• Intended to be minimal functionality on agent
• SDN controllers own control logic
• No RPC from Neutron server to agent
• Who creates OVS vif and externalids? Answer: Nova-compute, why?

Slide 10: Current OpenStack SDN Approach
(Figure: same steps 1–3, with the SDN controller(s) facing > 18,000 compute nodes running OpenvSwitch and hundreds of TOR physical switches.)
Doesn’t Scale!

Slide 11: OK, Questions We Got!
Q: What is a truly scalable SDN solution now? A: Not yet, but will be.
Q: When? A: Who knows!
Q: Can you use a different approach? A: Nope.
Q: Why not? A: Vendors working on it.

Slide 12: Edge vs. Fabric
§ Separation of Control: “The fabric is responsible for packet transport across the network, while the edge is responsible for providing more semantically rich services such as network security, isolation, and mobility.”
HotSDN’12, “Fabric: A Retrospective on Evolving SDN”, Martín Casado, Teemu Koponen, Scott Shenker, Amin Tootoonchian

Slide 13: Bluehost OpenStack SDN Approach
(Figure: Neutron-server, Neutron DB, compute node with Openvswitch and Neutron agent, SDN Controller(s) with SDN Application and Network Info Base (NIB), hundreds of TOR physical switches.)
1. Request to create a vif
2. Create a vif in DB
3. Agent receives RPC calls / Call rest api to SDN controller
4. Neutron agent deploys OpenFlow rules on Open vSwitch / SDN controllers deploy OpenFlow rules on physical switches.

Slide 14: Key Services Achieved Via Neutron Only
(Figure: Tenant1, Tenant2, Tenant3 isolated on a flat network; vif1, vif2, vif3 with addresses 11.22.33.4, 11.22.33.5, 11.22.33.6, 11.22.33.7, 11.22.33.8.)
• Isolated on flat network
• Firewall Rules
• QoS: Bandwidth
• Multiple IPs per vif
• Anti-IP spoofing per vif

Slide 15: Under The Hood – QoS, Anti-IP Spoofing, VM-to-VM
(Figure: VM1/vif1 at 10 Mbps and VM2/vif2 at 50 Mbps on br-int; br-int joined to br-eth0 by a pair of veth (int-br-eth0 / phy-br-eth0); br-eth0 -> eth0 -> Public Networks.)
• Deploy QoS for outgoing packets
• DMAC matching for incoming packets
• TPA matching in ARP query
• Anti-IP spoofing: SRC IP matching for outgoing packets
• For VM1, VM2, … VMn: src_mac, dst_mac -> VM vif => O(n^2)

Slide 16: Reduce OpenFlow Rules For VM-to-VM Traffic
(Figure: as slide 15, plus a second pair of veth (int-loopback / phy-loopback) between br-int and br-eth0.)
• dst_mac -> phy-loopback => O(n)
• dst_mac -> VM vif => O(n)

Slide 17: Firewall Rules ~= Security Group
(Figure: as slide 16.)
• Firewall Rules for Incoming packets
– Protocol (TCP, UDP, ICMP) & Ports
• Firewall Rules for outgoing packets
– Protocol (TCP, UDP, ICMP) & Ports

Slide 18: Tenant Networks Unicast: AMAC <-> PMAC
(Figure: External SDN Controller(s) bundle up PMAC; Core Switches and ToR Switches only see PMAC across the L2 Fabric; on each host, Neutron Agent and Open vSwitch rewrite Actual MAC -> PMAC (Positional MAC) on the way out and PMAC -> AMAC on the way in.)
• ARP Proxy or Not?
• Path Determination

Slide 19: Tenant Networks Unicast: Overlay Networks
(Figure: External SDN Controller(s); Core Switches and ToR Switches see normal UDP/TCP over an L2 or L3 Fabric; Neutron Agent and Open vSwitch on each host terminate Overlay Network Tunnels.)
• VXLAN, STT, GRE

Slide 20: Tenant Networks Multicast/Broadcast
(Figure: Core Switches, ToR Switches, VMs.)

Slide 21: Tenant Networks Multicast/Broadcast
(Figure: as slide 20.)
• Generate Multiple Unicast Packets

Slide 22: We Need Truly Open, Commoditized SDN Solutions!
Willing To Contribute!

Slide 23: Thanks!
• Design Summit for Neutron
– http://summit.openstack.org/cfp/details/311
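Slides 15 and 16 describe the per-vif anti-IP-spoofing match and the O(n^2) -> O(n) reduction of VM-to-VM rules via the loopback veth pair. The following Python model is an added example, not code from the talk or from Bluehost: it emits ovs-ofctl-style flow strings for both layouts and simulates the ingress check, so the rule counts and the drop decision can be compared. The bridge names and vif inventory are constructed here; how the slides' loopback rules are split between br-int and br-eth0 is this example's assumption.

```python
from itertools import permutations

# Constructed sample inventory (not from the slides): three vifs on one compute
# node, with the multi-IP vif of slide 14 modelled as vif1.
VMS = [
    {"vif": "vif1", "mac": "fa:16:3e:00:00:01", "ips": ["11.22.33.4", "11.22.33.5"]},
    {"vif": "vif2", "mac": "fa:16:3e:00:00:02", "ips": ["11.22.33.6"]},
    {"vif": "vif3", "mac": "fa:16:3e:00:00:03", "ips": ["11.22.33.7"]},
]

def synthetic_vms(n):
    """Build n single-IP vifs so rule growth can be compared for larger n."""
    return [{"vif": f"vif{i}", "mac": f"fa:16:3e:00:{i >> 8:02x}:{i & 0xff:02x}",
             "ips": [f"10.0.{i >> 8}.{i & 0xff}"]} for i in range(1, n + 1)]

def anti_spoof_rules(vms):
    """br-int ingress: allow only (in_port, src MAC, src IP) tuples Neutron knows,
    check ARP on the sender address, and drop anything else from that vif."""
    rules = []
    for vm in vms:
        for ip in vm["ips"]:
            rules.append(f"priority=10,in_port={vm['vif']},dl_src={vm['mac']},ip,nw_src={ip},actions=resubmit(,1)")
            rules.append(f"priority=10,in_port={vm['vif']},dl_src={vm['mac']},arp,arp_spa={ip},actions=resubmit(,1)")
        rules.append(f"priority=5,in_port={vm['vif']},actions=drop")
    return rules

def passes_anti_spoof(vms, vif, src_mac, src_ip):
    """Simulate the ingress check above for one outgoing packet."""
    return any(vm["vif"] == vif and vm["mac"] == src_mac and src_ip in vm["ips"] for vm in vms)

def pairwise_rules(vms):
    """Slide 15 layout: one br-int rule per (src_mac, dst_mac) pair, n*(n-1) rules."""
    return [f"table=1,dl_src={a['mac']},dl_dst={b['mac']},actions=output:{b['vif']}"
            for a, b in permutations(vms, 2)]

def loopback_rules(vms):
    """Slide 16 layout (assumed split): br-eth0 steers local dst MACs into
    phy-loopback (n rules); br-int maps dst MAC to vif for frames from int-loopback (n rules)."""
    br_eth0 = [f"dl_dst={vm['mac']},actions=output:phy-loopback" for vm in vms]
    br_int = [f"in_port=int-loopback,dl_dst={vm['mac']},actions=output:{vm['vif']}" for vm in vms]
    return br_eth0 + br_int

def rule_counts(n):
    """Return (pairwise, loopback) VM-to-VM rule counts for n vifs on one node."""
    vms = synthetic_vms(n)
    return len(pairwise_rules(vms)), len(loopback_rules(vms))
```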