IFIP TC6 Advanced Tutorials in Networking. Software Defined Networking! University of Kelaniya Kelaniya, Sri Lanka June 2015

Transcription

1 IFIP TC6 Advanced Tutorials in Networking Software Defined Networking! University of Kelaniya Kelaniya, Sri Lanka June 2015 Marilia Curado University of Coimbra, Portugal (Slides adapted with permission from a presentation by Prof. Torsten Braun, University of Bern, Switzerland)

2 Overview! > Software-Defined Networks (SDN)" Motivation and Introduction" Software Defined Networking Architecture" OpenFlow Protocol" SDN Applications" > Network Function Virtualization (NFV)" Use Cases" Architecture" > Information-Centric Networking (ICN)" Key Principles and Functions" Content-Centric Networking (CCN)" Publish-Subscribe Internet (PSI) Naming" 2

3 Legacy Networking Technology Limitations! > Large set of various protocols, slow standardization" > Buggy equipment software" > Huge network operation costs" > Risk of inconsistent policies and configurations" > Scalability" > Vendor dependence and closed equipment" 3

4 Network Device Architecture! Routing, management, " mobility management, access control, VPNs, " Feature" Operating System" Feature" millions of lines of source code" (based on > 6000 RFCs)" Custom Forwarding Hardware" billions of power-hungry gates" extremely complex" mainframe mentality" very expensive" 4

5 Restructuring Networks! Control Program" Control Program" Network OS" Feature" Feature" Operating" System" Custom Hardware" Feature" Feature" Operating" System" Custom Hardware" Operating System" Custom Hardware" Operating" System" Custom Hardware" Feature" Feature" Feature" Feature" Feature" Feature" Operating" System" Custom Hardware" 5

6 Mainframes! specialized applications App" open interface" specialized operating system specialized hardware Windows" or" Linux" or" open interface" microprocessor" Mac" OS" vertically integrated" closed, proprietary" slow innovation" small industry" horizontal" open interfaces" rapid innovation" huge industry" 6

7 Routers! App" open interface specialized" features" control" plane" specialized" control plane" specialized" hardware" vertically integrated closed, proprietary slow innovation or control" plane" or control" plane" open interface merchant" switching chips" horizontal open interfaces rapid innovation 7

8 Traditional Computer Networks! > Clear separation of " Data plane" Control plane" Management plane" 8

9 Traditional Computer Networks: Data Plane! data plane:" packet handling" forward, filter, buffer, mark, rate-limit, measure packets" 9

10 Traditional Computer Networks: Control Plane! control plane:" distributed algorithms" track topology changes, compute routes, reserve resources, install forwarding rules" 10

11 Traditional Computer Networks: Management Plane! management plane:" human time scale" collect measurements and configure equipment: apply policies" 11

12 Software Defined Networking (SDN)! logically-centralized control" smart," slow" API to data plane" (e.g., OpenFlow)" switches" dumb," fast" 12

13 Architecture! Application Layer" Business Applications" Control Layer" SDN" Control " Software" API" API" API" Network Services" Infrastructure Layer" Network Device" 13

14 Controller: Programmability! Controller Application" Network OS" Events from switches" topology changes" traffic statistics" arriving packets" Commands to switches" (un)install rules" query statistics" send packets" 14!

15 Distributed Controller! Controller " Application" Network OS" partition and replicate state" scalability and reliability" Controller " Application" Network OS" 15!

16 SDN Architecture! 16

17 Data Plane: Simple Packet Handling! Simple packet-handling rules! > Pattern: match packet header bits" > Actions: drop, forward, modify, send to controller! > Priority: disambiguate overlapping patterns" > Counters: #bytes and #packets (received, transmitted, dropped, erroneous, )" MAC src" MAC dst" IP src" IP dst" TCP dst port" " Action" Count" *" 10:20:." *" *" *" *" Port1" 250" *" *" *" " *" *" Port2" 300" *" *" *" *" 25" *" Drop" 892" *" *" *" 192.*" *" *" Local" 120" *" *" *" *" *" *" Controller" 11" 17

18 Network Devices Functions! > Router" Match: longest destination IP prefix" Action: forward out via a link" > Switch" Match: destination MAC address" Action: forward or flood" > Firewall" Match: IP addresses and TCP/UDP port numbers" Action: permit or deny " > Network Address Translator" Match: IP address and port" Action: rewrite address and port" 18"

19 OpenFlow! > Most Ethernet switches and routers contain flow tables based on content addressable memory running at line-rate to" support QoS" implement firewalls and NATs" collect statistics " > Switches and routers provide similar functionality, but have proprietary flow tables (data path = flow table + actions) " > OpenFlow aims to provide a standard interface to program flow tables. " > OpenFlow switch " 1. Flow / group / meter tables" 2. Secure channel for configuration " 3. OpenFlow protocol" > OpenFlow Controller " adds/changes/removes table entries." OpenFlow" Controller" (secure)" OpenFlow" Channel" Flow" Table" OpenFlow protocol" (SSL/TLS)" Group/ Meter" Table" pipeline" Flow" Table" OpenFlow switch" port" 19"

20 Operation! 20

21 Flow Table! Match Fields" Priority Counters Instructions Timeouts Cookie" Switch" port" MAC" src" MAC" dst" Eth" type" VLAN" ID" VLAN" prio" MPLS" label" MPLS" traffic cl." IP" src" IP" dst" IP" prot" IP " ToS" src" port" dst" port" > Match fields: to match against packets, consisting of ingress port and packet headers" > Priority: matching precedence of flow entry" > Counters: updated when packets are matched" > Instructions: to modify action set or pipeline processing." > Timeouts: maximum amount of time or idle time before flow is expired by switch." > Cookie: opaque data value chosen by controller" 21

22 Instructions! > Each flow table entry contains a set of instructions, which are executed when a packet matches the entry. " > Instructions change packet, action set and/or pipeline processing." > Required instructions" Write-Actions: merges specified action into current action set" Goto-Table: indicates next table in processing pipeline" > Optional instructions" Meter: direct packet to specified meter" Apply-Actions: applies specified actions immediately" Clear-Actions: clear all actions immediately" 22

23 Actions and Action Sets! > Actions" Decrementing/copying TTL values " Pop/push tags (MPLS, VLAN headers)" Set MAC/IP addresses, VLAN IDs, port numbers, IP header bits etc. " Quality-of-service support, e.g., assign queues to packet" Output of packets" > Action Sets" Are empty at the beginning" Flow entry instructions modify action set" Execution of actions at the end of pipeline " " 23

24 Packet Processing! 24

25 Packet Flow! 25

26 Group and Meter Table! > Group Table" Group: list of action buckets and some means to choose one or more buckets per packet" Group table entry" " Group Identifier Group Type Counters Action Buckets" Group Identifier: 32 bit unsigned integer uniquely identifying the group" Group Type: to determine group semantics" All: multicast or flooding" Select: multipath forwarding and load balancing" Indirect: simple indirection" Fast failover" Counters: updated when packets are processed by a group" Action Buckets: an ordered list of action buckets, where each action bucket contains a set of actions to execute and associated parameters" > Meter Table" Quality of Service operation" Rate limiting" Metering" 26"

27 OpenFlow Protocol! > Message types" Controller-to-switch to" request switch features" set and query configuration parameters" add, modify, delete flow / group / meter table entries" read switch statistics" output packets to switch" Asynchronous: Unsolicited messages from switch to controller to" receive packets" indicate flow removal after timeout" indicate port status" Symmetric" Hello messages" Echo messages" Error messages" > Connection setup" TLS/TCP connection" 27"

28 SDN Summary: Key Issues! > Separation of control plane from data plane" > Centralized controller and centralized view of the network" > Open interfaces between devices in the control plane (controllers) and those in data plane (network devices)" > Network programmability by external applications" 28"

29 SDN Summary: Benefits! > Simpler centralized network management and control " increases network reliability and " minimizes inconsistent configuration" > Improved automation and management by common APIs" > Abstraction of underlying network details from orchestration/ provisioning systems and applications" > Rapid innovation independent from network device manufacturers" > Programmability by operators and users" > More fine-granular network control" > Simpler, faster, cheaper network devices" 29"

30 SDN Applications! > Dynamic access control! > Seamless mobility/migration! > Server load balancing! > Network virtualization! > Link failure recovery" > Data center networking " > Multiple wireless access points" > Energy-efficient networking" > Adaptive traffic monitoring" > Denial-of-Service attack detection" > Network management and control" > Virtual networks" > Non-IP networks, Future Internet protocols" > Deep-packet inspection, intrusion detection" 30

31 Dynamic Access Control! > inspect first packet of a connection" > consult access control policy" > install rules to block or route traffic" 31

32 Seamless Mobility/Migration! > see host to send traffic at new location" > modify rules to reroute traffic" 32

33 Server Load Balancing! > Pre-install load-balancing policy" > Split traffic based on source IP" src=0*! src=1*! 33!

34 Load Balancing! > Dynamically allocate flows based in the current network load" > Monitoring of the bandwidth usage per link/flow/path" > Flow management during peak hours " 34

35 Low Latency Services! > Perform path calculation with QoS metrics requirements" > Requires the usage of existing monitoring protocols/tools in the managed devices" > Can be used to support multi-path decisions with SCTP or MPTCP" > Useful for low-latency applications" " VoIP, Online Gaming, Video" And also in data centers" 35

36 Network Virtualization! Controller #1" Controller #2" Controller #3" Partition space of packet headers" 36!

37 From the Classic Approach to Network Function Virtualization (NFV)! 37

38 NFV Use Cases! What can be virtualized? - Base stations - Fixed access - CDNs -. 38

39 NFV Architecture! Operations/Business Support System" Element Management System" Virtual Network Function" Management " & Operation" 39

40 > Mobilie Cloud Networking Project" 40

41 Information-Centric Networking (ICN)! > Today s network traffic is dominated by information retrieval rather than point-to-point communication between machines or humans." > Circuit communication model is not considered as appropriate any more. " > Future communication architecture should focus on information objects instead of nodes. " 41"

42 Traditional Web Retrieval / Web Services! user s end system search engine /" service registry" DNS server web server / web service 42

43 Related Work! > Peer-to-Peer Networks" Construction of overlay networks" Content / service discovery, e.g., using distributed hash tables, flooding, random walks, etc. " > Web Caching" Providing content for local users" > Content Distribution Networks" Routing and redirection of HTTP requests" Cache management" 43

44 Key Principles and Functions! > Naming of content rather than hosts/interfaces" Content independent of devices that store it" Naming is location independent (mobility support!)" > Receivers (subscribers) request content" > Senders (publishers) advertise content" > Receivers and senders do not have to be aware of each other, and are decoupled in time." > Functions needed" Name resolution (rendezvous) to match subscriptions and publications" Routing and path formation" Forwarding content from publisher to subscriber" 44

45 Content Distribution! /unibe.ch/braun/talks/2014/icis

46 Naming Approaches! > Human-readable, hierarchical names" supports aggregation" needs coordination" Example: CCN" > Flat (self-certifying) names" Often based on hashing content name and/or owner s public key" Aggregation more difficult" Example: PSI" 46

47 Name Resolution and Data Transport! > Decoupled" Name resolution and data transport are independent of each other, cf. DNS, with possibly different nodes for resolution and data transport" allows different, possibly already existing transport mechanisms, also multi-path" Example: PSI" > Coupled" Nodes for both name resolution and data transport with inverse data path compared to search path" rather disruptive technology" Local routing procedures advantageous in case of short link disruptions" Variants" 2 phases: mapping of ID to locator, routing to data source " 1 phase: direct ID-based routing to data source" Example: CCN" 47"

48 Content-Centric Networking (CCN)! > Combination of content lookup and message routing" > Idea: describe the users interests in the message header, but not where to get it. " > Messages (using XML encoding)" Interest: content name, selector" Data: content name, signature (info), data" > Hierarchical content names" Example: /unibe.ch/braun/talks/2014/icis" > Related Projects" NDN = Named Data Networking, " CCNx = Open Source Core Software Project for Content-Centric Networking, 48"

49 IP Model! FIB FIB: Forwarding Information Base 49

50 Messages! Interest Message" Data Message" 50

51 Interest Message Processing! 1. Longest prefix match on content name in Content Store (CS): returning data and discarding Interest" 2. Pending Interest Table (PIT) match: adding request to PIT and discarding Interest" 3. Forwarding Information Base (FIB) match: forwarding of Interest towards data" FIB population by announcements of content availability)" 51"

52 Match in Content Store! CS FIB Name Data PIT Name CS: Content Store FIB: Forwarding Information Base PIT: Pending Interest Table 52

53 Match in Forwarding Information Base! CS FIB PIT Name 53

54 Match in Pending Interest Table! Name CS FIB PIT x 54

55 Naming! > Any kind of names are possible flexible naming" > Examples" /unibe.ch/braun/talks/2014/icis /unibe.ch/e8/room103/projector" > Support for simple operations" %C1.org.ccnx.frobnicate~1~37" command in the namespace org.ccnx" operation is frobnicate, which takes 1 and 37 as arguments" > Naming resolution approach: coupled with 1 phase" 55"

56 Routing! > Longest Prefix Match Routing (as in IP)" > But: different FIB entry semantics" IP: IP address prefix will be reached via an outgoing interface for an existing FIB entry. " CCN: Content name prefix might be reached via an outgoing interface for an existing FIB entry. " > FIB entries should be populated proactively for known content." > Alternatively, searching for content, e.g., using broadcasting" 56"

57 Transport! > Stateless operation with receiver control" > Pipelining: multiple outstanding Interest messages" > Reliability by local retransmissions in strategy layer" > Hop-by-hop flow control" > Sequence numbers in names" 57

58 Security! > Signing of names and data in each packet" > Denial-of-Service attacks are difficult: Combination of multiple Interests and only 1 data packet per Interest" 58

59 CCN Discussion! > Advantages" Automatic content distribution" Latency < 1 round-trip-time" Minimization of latency" Minimization of bandwidth" Local congestion control" Built-in security" > Drawbacks and problems" Routing " Hierarchical naming" Source mobility" 59

60 Publish-Subscribe Internet (PSI) Naming! > Information items = files, streams, services" > Each information item has its own name. " > Names are unique (SID,RID) pairs" Rendezvous Identifier (RID)" Fixed-length, (flat) bit string" produced by application specific function, e.g., hashing" Scope Identifier (SID)" Containers for information items" Basis for access control" Sequence of RID-like strings" Each item may belong to one or more scopes." RId 5" SId 1" SId 3" SId 2" SId 4" SId 5" > Scope hierarchy with information belonging to different scopes. " SId 6" RId 6" RId 7" RId 8" RId 4" RId 1" RId 2" RId 3" 60"

61 PSI Network Primitives! > Subscribe" used to express interest in information items" Users can subscribe to information items or scopes. (SID/RID) must be known. " > Publish" used to announce information items or scopes" 61

62 PSI Operation! > Information producer publishes information item to rendezvous system consisting of rendezvous points." > Rendezvous points are responsible for certain scopes." > Information consumer subscribes to information item." > Rendezvous system " matches announcements and subscriptions" triggers delivery from information producer to information consumer, e.g. using OpenFlow " > Various caching strategies: on-path, off-path, replication" publication" Path establishment" subscription" 62

63 PSI Operation! 63

64 Summary! > SDN allows better programmability of network functions and services. " > NFV with huge potential for future (mobile communication) networks, e.g., " > ICN as hot research topic, but gradual deployment unsure" > ICN in IoT?" > Let s see tomorrow!" 64