BGP - Optimising the Foundational SDN Technology

Transcription

1 BGP - Optimising the Foundational SDN Technology Gunter Van de Velde Sr Technical Leader 11 June 2014

2 Agenda Some words about SDN BGP-Assisted SDN Use-case 1. WAN Orchestration BGP-LS 2. Flow Steering/Security Policies BGP-FS 3. Peering Diagnostics BMP 4. SLA Policies BGP SLA 2

3 Introduction to SDN Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3

4 The network paradigm as we know it 4

5 Control and Data Plane resides within Physical Device 5

6 What is SDN? (per Wikipedia definition) Software defined networking (SDN) is an approach to building computer networks that separates and abstracts elements of these systems 6

7 In other words In the SDN paradigm, not all processing happens inside the same device 7

8 A better definition SDN Definition SDN Benefits Centralization of control of the network via the Separation of control logic to off-device compute, that Enables automation and orchestration of network services via Open programmatic interfaces Efficiency: optimize existing applications, services, and infrastructure Scale: rapidly grow existing applications and services Innovation: create and deliver new types of applications and services and business models 8

9 Different customers, different pain points Research/ Academia Massively Scalable Data Center Cloud Service Providers Enterprise! Experimental OpenFlow/SDN components for production networks! Customize with Programmatic APIs to provide deep insight into network traffic! Automated provisioning and programmable overlay, OpenStack! Policy-based control and analytics to optimize and monetize service delivery! Virtual workloads, VDI, Orchestration of security profiles Network Slicing Network Flow Management Scalable Multi-Tenancy Agile Service Delivery Transport Efficiency Diverse Programmability Requirements Across Segments Most Requirements are for Automation & Programmability Private Cloud Automation 9

10 SDN Hybrid Approach 20+ Years investment in Distributed Control Planes capex, skills and expertise by both vendors and customers Distributed Control Planes designed to survive battlefield conditions with the possibility of multiple failures Leave the distributed control plane in place for normal traffic, use SDN for traffic that needs special handling (routing, bandwidth reservation etc.) In the event of an SDN Controller failure, you still have a network that works, maybe not as optimally Hybrid Control plane: Distributed control combined with central control (through Controllers) for optimized behavior (e.g. optimized performance) Network Middleware Controllers 10

11 About BGP Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11

12 Why is BGP successful? Extensible MulB- protocols, AFs Incremental NLRI, PA, Community Capability NegoBaBon Flexible Policy Many Services!! Simple and Scalable Structured (Route Reflector) Divide and Conquer (ConfederaBon) Low protocol overhead Simple FSM Simple Messages HA and Secure Run over TCP NSR PIC, Add- Path MD5 authenbcabon RPKI validabon Driven by PragmaBsm, Not perfect, but good enough - - Yakov Rekhter 12

13 Control-plane Evolution Many of services are moving towards BGP Service/transport In 200X In 201X Market Internet Peering BGP IPv4 BGP IPv4/v6 SP L3VPN BGP IPv4 BGP IPv4/v6 + FRR + Scalability MPLS transport LDP LDP + BGP+Label (Unified MPLS) SP Multicast VPN PIM IPv4 BGP IPv4/v6 Multicast VPN Multicast MPLS transport PIM / mldp BGP signaling for segmented LSM (Mc Unified MPLS) DDOS mitigation PBR, ACL BGP flowspec, BGP RTBH, urpf check SP Security Filters, ACL BGP Sec (RPKI) Network Monitoring SNMP BGP monitoring protocol, BGP YANG SDN BGP YANG/ BGP Link State /BGP SLA /BGP Flow Spec Business & CE L2VPN LDP BGP AD/Sign (VPLS) DCI NG L2VPN/L3VPN BGP AD/Sign (EVPN, PBB-EVPN ) DC / SP Massive Scale DC OSPF/ISIS BGP IPv4/v6 Multipath, BGP EPE Segment Routing SP-DC, Cloud-DC BGP Inter-AS, vpe, vce, L3VPN/EVPN o X Campus L3VPN & mvpn BGP IPv4 (IOS) BGP IPv4/v6 (NX-OS) DC Ent-DC BGP + Fabric Path (LFA), BGP + VxLAN (Future) Massive scale DMVPN NHRP / EIGRP BGP + Path Diversity FlexVPN BGP Enterprise Managed CPE BGP IPv4 BGP IPv4 & IPv6 13

14 Use case #1: WAN Orchestration Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14

15 .. not sure why folks keep talking about SDN as a datacenter technology - the value is in the WAN.. Vijay Gill Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15

16 The SP Challenge Traffic! Traffic continues to increase, while revenue declines! On top of SPs minds: Increase efficiency of existing assets Create new revenue opportunities, and be faster at it Revenue! SDN efforts in SP attempt to help with the above! 16

17 WAN BW optimization Today WAN-Ochestration SDN WAN controller WAN BW optimization: 90% - Distributed optimization - Full Mesh Auto BW RSVP-TE tunnels - HIGH OPEX (complex) - Cust A>50K tunnels - Cust B>100K tunnels - Generate Network Oscillation (instability) WAN BW, Latency, QoS optimization: 95% - Centralized optimization - SDN PCE controller driven WAN optimization - Adequate Segment Routing TE tunnel - Low OPEX (simple) - Cust A <10 tunnels - Cust B<20 tunnels 17

18 SDN WAN Orchestration End-to-End Workflow Orchestration/Apps Customer SDN APIs APPS APPS DC SDN SDN WAN Customers Viz & Analytics Collector Application Engine Programming DC/Cloud Providers BGP LS PCE-P State NGN WAN Control Multi- Layer 18

19 Gathering up-to-date WAN network state To do its job SDN WAN Controller requires up-to-date network visibility information, primarily about Load/Capacity Viz & Analytics SDN WAN Application Engine " SNMP, NetFlow, NETCONF/YANG Collector Programming Topology " IGP (OSPF/ISIS) information, direct link/passive, or better: BGP State NGN WAN Multi- Layer 19

20 High Level perspective of BGP-LinkState (BGP-LS) BGP may be used to advertise link state and link state TE database of a network (BGP-LS) PCE Provides a familiar operational model to easily aggregate topology information across domains TED New link-state address family Support for distribution of OSPF and IS-IS link state databases Topology information distributed from IGP into BGP (only if changed) Support introduced in IOS XR BGP-LS Domain 0 RR BGP-LS BGP-LS Domain 1 Domain 2 20

21 BGP Link State Configuration Cisco IOS XR router isis DEFAULT is-type level-2-only net distribute bgp-ls level 2 address-family ipv4 unicast metric-style wide mpls traffic-eng level-2-only mpls traffic-eng router-id Loopback0! [ ]!!! router bgp address-family link-state link-state! neighbor description Controller remote-as update-source Loopback0 address-family link-state link-state!!! Distribute level-2 link state database into BGP-LS Enable link-state addresses and specify BGP-LS peer 21

22 Use case #2: Controlling Flows via BGP Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22

23 Introduction BGP (like any other routing protocol) influences destination-based routing BGP routing information can be injected from a central place ( SDN controller ) Why not use it for more than just giving a destination address to route packets to? Flow Specification Rules Application aware Filtering/redirect/mirroring Dynamic and adaptive technology Simple to configure 23

24 Use case 1: Security DDoS mitigation Security Controller BGP flowspec Match: DDOS flow Action: redirect to DDOS scruber Scan Netflow data To detect DDOS signature DDOS Analyser Flexible Netflow SP Description:The goal is to push policies to match on certain flows under DDoS attacks and drop/rate limit or redirect traffic to DDoS scrubber to protect peering / enterprise customers Business:SP to sale DDoS mitigation services to enterprise customers, generating add value to IP transit services DDOS scrubber 24

25 Use case 2: Redirection to DC/NfV Description: The goal to redirect certain flows from IP NGN or Internet transit network to DC and NfV appliances BGP flowspec Match: HTTP flows Action: redirect to DC/NfV Business: SP to sale NfV appliance services to enterprise customers, generating add value to IP NGN and IP transit services ddos SBC Firewall NAT VM VM VM VM ddos SBC Firewall NAT VM VM VM VM ddos SBC Firewall NAT VM VM VM VM ddos SBC Firewall NAT VM VM VM VM default HTTP 25

26 Cisco BGP flowspec is Standard supported BGP flowspec: RFC5575 XR June 2014 IPv6 support: draft-ietf-idr-flow-spec-v6-05 IP Next Hop redirection options: draft-ietf-idr-flowspec-redirect-ip-01 Origin check relax: draft-ietf-idr-bgp-flowspec-oid-02 Optimized flow based forwarding plane. Controller, Route Reflection and Client. Tested with exabgp (IPv4 controller), Arbor (IPv4 controller), Juniper (IPv4 client) and Alcatel (IPv4 & IPv6 client) 26

27 BGP flowspec infrastructure Phase 2 Phase 1 CLI XR XML YANG BGP BGP Flowspec Manager BGP flowspec Policy Infrastructure (E-PBR) Platform hardware 27

28 Router acting as BGP flowspec client Phase 2 Phase 1 BGP Flowspec Match X Action Y CLI XR XML YANG BGP BGP Flowspec Manager BGP flowspec Policy Infrastructure (E-PBR) Platform hardware 28

29 Router acting as BGP flowspec server BGP Flowspec Match X Action Y Phase 2 Phase 1 CLI XR XML YANG BGP BGP Flowspec Manager BGP flowspec Policy Infrastructure (E-PBR) Platform hardware 29

30

31

32 Use case #3: Routing Visibility Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32

33 Optimizing Routing towards the Internet When your network is multi-homed to multiple SPs, balancing the traffic across the potential exit points can become a cumbersome task: 1. Baseline the situation 2. Tweak BGP attributes (MED, local preference, AS-path) to shift traffic to other exits 3. Watch the result 4. If not happy, go back to 2 How about letting software do this for you? It knows the topology (via BGP-LS, see earlier) It knows the traffic/matrix (via NetFlow, LSP stats, interface load) It misses information about the BGP routing table and its attributes 33

34 Achieving Routing Visibility As a routing protocol, it can also be used to update the controller with granular routing information Easy. Really? ibgp Controller Transit1 PE Internet Transit2 34

35 BGP RIBs BGP speaker maintains multiple Routing Tables: Adj-RIB-in (per neighbor) These are the updates as received by the peer Incoming route policy is applied, attributes are changed Updates which are dropped by the incoming route-policy are discarded, to save on memory soft-reconfiguration inbound keeps them, paths flagged with received-only in show bgp Loc-RIB (or Local RIB) BGP calculates best path among eligible paths in Adj-RIB in and places them into Loc-RIB provides a view of all entries kept by the BGP router to forward traffic 35

36 BGP Monitor Protocol We saw one case where we want to know exactly what the neighbor sent us (original attributes) For troubleshooting/monitoring, a record of prefixes received by neighbors (even those we configured to ignore) can be valuable tool Adj-RIB-in Loc-RIB BMP collector Loc-RIB Adj-RIB-in (before filter) ebgp Inbound filtering Inbound filtering ebgp 36

37 What is BMP? BMP is intended to be used for monitoring BGP sessions BMP is intended to provide a more convenient interface for obtaining route views Design goals Simplicity Easy to use Minimal service affecting BMP is not impacting the routing decision process and is only used to provide monitoring information BMP provides access to the Adj-RIB-In of a BGP peer on an ongoing basis and provide s a periodic dump of statistical information. A monitoring station can use this for further analysis (AKA BMPv3) (ExaBGP BMP code) 37

38 Deployment Models Deployment Model 1 Peering diagnostics and analytics Deployment Model 2 Internal diagnostics and analytics IGP 5 AS#4567 IGP 5 AS#4567 IGP 3 BMP Session IGP 2 IGP 1 IGP 4 BMP Session Analyser AS#1234 IGP 3 IGP 2 BMP Session IGP 4 IGP 1 BMP Session BMP Session Analyser AS#

39 Configuration XR November 2014 router bgp <asn> neighbor <ip-address> BMP monitor all / server 1 server 2 bmp server <1-32> activate address <ipv4/6 address> port-number <num> update-source <interface> description <string> failure-retry-delay <seconds> flapping-delay <seconds> initial-delay <seconds> set ip dscp value <1-7> stats-reporting-period <seconds> bmp buffer-size <megabytes> bmp initial-refresh {delay <seconds> skip } 39

40 Use case #4: Controlling SLA via BGP Cisco and/or its affiliates. All rights reserved. Cisco Confidential 40

41 Introduction BGP (like any other routing protocol) influences destination-based routing BGP routing information can be injected from a central place ( SDN controller ) Why not use it for more than just giving a destination address to route packets to? SLA Rules Application aware QoS Dynamic and adaptive technology Simple to configure 41

42 Controlling SLA via BGP Future Customer Portal Change SLA to - 25% Gold - 25% Silver - 50% BE 1 2 SLA SDN Controller BGP SLA - VPN Green - 25% Gold - 25% Silver - 50% BE 3 Customer Managed CPE Unmanaged CPE draft-ietf-idr-sla-exchange DEMO is available 42

43 Wrapping Up Cisco and/or its affiliates. All rights reserved. Cisco Confidential 43

44 Summary Flexibility: SDN enhances the way we re doing networking, automates tasks, introduces new possibilities through open APIs Investment Protection: SDN can co-exist with traditional networking protocols, it even leverages them. Rich implementation: BGP provides a couple of essential tools in the toolbox for topology and routing distribution and flow control / SLA control Cost Effective: We hope you will make use of them to make your network infrastructure more agile and cost-effective 44

45 Questions? Cisco and/or its affiliates. All rights reserved. Cisco Confidential 45

46 Thank you.