Using SDN-OpenFlow for High-level Services

Nabil Damouny
Sr. Director, Strategic Marketing, Netronome
Vice Chair, Marketing Education, ONF
ndamouny@netronome.com

Open Server Summit, Networking Applications
October 22, 2013 - Santa Clara, CA
October 2013

Agenda

- SDN Critical properties
- What are L4-L7 services?
- Challenges catering to L4-L7 service in SDN-OpenFlow
- Possible deployment models
- Taking advantage of L7 intelligence
- Integration with NFV
- Next steps

ONF's SDN Architecture: Opportunities for API Standards

[Figure: architecture diagram with callouts 1, 2 and 3. Recoverable labels, in the order they appear:]

- Applications; Network Controller and Network Admin
- SDN-enabled Application: App's Explicit Requirements; Network Statistics, Hints and Events
- Network Controller: Provides network stats up to Apps; Translates requirements down to Devices
- Configures Network Policy; Monitors Performance
- Opportunity to Standardize
- Network Devices: Router, Switch, Firewall, Switch
- Standardized API/Protocol: Enforced Behavior, Low-level Control, Capability Discovery, Statistics and Faults
- Host X; Server Y

Critical Properties of SDN Architecture

1. Applications are network-aware: SDN-enabled Applications
   - Communicate their requirements/policies to the network
   - Can monitor network state and adapt accordingly
2. Network is logically centralized: SDN Network Controller
   - Controller translates from app requirement to low-level rules
   - Controller summarizes the network state for applications
3. Well-understood driver-like model for devices: SDN Datapath
   - Programmatic low-level control of all forwarding and configuration
   - API for capabilities advertisement and publishing statistics
   - No resource contention with other entities
   - Controller owns this device, subject to capabilities advertisement/negotiation

What are L4-L7 Services?

Layer 2 / Layer 3
- Switching
- Routing
- Packet forwarding
- OpenFlow
- Architectures optimized to process individual packets.

Layer 4 through 7
- Security
- Load balancing
- WAN optimization
- Architectures optimized to process flows and content

Categorized by depth of Layer 4-7 inspection:
- No Flow Inspection
- Partial Flow Inspection
- Flow Monitoring
- Full Flow Inspection

Devices and functions listed under these categories (column assignment not recoverable from the slide text):
- OpenFlow switch
- Load balancer
- Next-generation firewall
- WAN optimization
- Web application firewall
- Test and measurement
- Policing and metering
- Quality of Service (QoS)
- Traffic analysis
- Anti-virus / anti-spam
- Intrusion prevention system (IPS)
- SSL inspection
- VPN

Challenges with L4-L7 Service in SDN-OpenFlow Environment

- Inefficient use of network bandwidth and compute resources, due to lack of L4-L7 visibility
- Bottlenecks and lack of coverage due to inability to rapidly respond to new networking and application requirements
- Hosting on controllers results in reduced throughput, increased latency and limited scalability of the network, due to limited compute resources
- Lack of feedback from L4-L7 services, which could potentially reprogram network paths, based on L4-L7 analysis

Many Deployment Models

1. Running as applications on the controller
   - Controller programs SDN switch on per-flow basis
2. Standalone network appliance
   - Inline OF-based appliance
   - Traffic directed to legacy appliance either based on static policy, or dynamically driven by controller
   - Or just in-line
3. Full L4-L7 network services running on intelligent switch
   - Intelligent switch becomes L2-L7 device

[Figure: layered diagram with callouts 1, 2 and 3. Recoverable labels: Application Layer (Applications, Layer 4-7 Services); Northbound APIs; Control Layer (Network Controller, SDN Control Software); Southbound API; Infrastructure Layer (Network Device, Layer 4 through 7 Appliance, Intelligent Switch with Layer 4-7)]

Use Case Example: Advanced Traffic Analysis

- Embedded DPI feeds network intelligence to services on Layer 7 network service devices.
- Application flows forwarded directly to specialized service processing.
- Requires Layer 4 through 7 intelligence embedded directly in switches

[Figure: layered diagram. Recoverable labels: Application Layer (Applications, Network Services); Northbound APIs; Control Layer (SDN Control Software); Southbound API; Infrastructure Layer (Layer 7 Network Service Device, Network Device, Layer 4-7 Network Device); Data Plane Traffic; Layer 4-7: Protocol and Application Identification (Web, Video, IM, VoIP, Email, P2P); Traffic Steering, Video Optimization, QoS / QoE, Analytics, GGSN, Content Filtering, Other]

Integrating SDN-OpenFlow in NFV Architecture Framework

Netronome Integrates SDN & NFV

Netronome SDN/NFV gateway combines the advantages of both worlds
- NFV is ideal for L4-L7 devices
- SDN is ideal for network-aware applications
- Gateway hosts VNF applications
- Under OF1.3 control

[Figure: network diagram. Recoverable labels: vlan-to-MPLS Gateway; SDN OpenFlow Controller; Multi-tenant Private DC; OF1.3; MPLS WAN; OF1.3; Public DC; OpenFlow Gateway]

Next Steps

- Define phases of OpenFlow enhancement
- Traffic steering
- Adding Stateful inspection
- Is it possible to extend OpenFlow to cater to L4-L7 without making it more complex?
- Controlling L4-L7 devices
- Integration with NFV architecture model