Anees Shaikh IBM TJ Watson Research Center SDN-enhanced Services in Enterprises and Data Centers Collaboration with Mohammad Banikazemi, Salman Baset, Jack Kouloheris, David Olshefski, John Tracey, Guohui Wang
What this talk is about State of the API / network models in SDN controllers ultimately crucial to realize the full promise of SDN Unexplored use cases for SDN in the data center is this considered SDN Research? maybe not, but it should be 2 DIMACS SDN December 2012
Does anyone care about network APIs? Network engineer view Vendors offering APIs to network engineers to help them solve their issues is akin to a an auto manufacturer handing a pile of metal and a welding torch to someone who needs a new car Some vendors believe the best approach is to hand off APIs, under the assumption that the network engineers know what they need and (apparently) have time to learn a programming language. The reality is that network engineers don t have that kind of time -- Why are network engineers sick of hearing about SDN?, Nov 2012, packetpushers.net Application developer view Application developers are primarily just users of the network Little interest or ability to understand details of network operation rely on the network guys DevOps model requires more direct ability to influence the operational network need for network APIs and tools for developers (no good blog quotes yet) 3 DIMACS SDN December 2012
A reference software-defined networking controller platform Enterprise security management Cloud provisioning IT service management multi-tenant virtualization network control applications QoS traffic control storage networking network security enforcement network integration services cloud network provisioning network DR services network control applications and integration points NETWORK ABSTRACTIONS and APIs network system calls NETWORK ORCHESTRATION global network view network runtime state logical network models and application APIs logical physical translation, arbitration, network-wide services OpenFlow controller virtual overlay controller legacy device configuration middlebox / 3 rd party mgmnt interfaces drivers for controlling network devices and capabilities 4 DIMACS SDN December 2012
Where we are multi-tenant virtualization network control applications traffic steering access control load balancing network-level applications with legacy equivalents NETWORK REPRESENTATION representation of the physical network NETWORK STATE LLDP topology counters limited network state, limited orchestration OpenFlow controller virtual overlay controller legacy device configuration middlebox / 3 rd party mgmnt interfaces OpenFlow as the primary driver (fowarding plane) 5 DIMACS SDN December 2012
Current SDN controller APIs Floodlight mostly OF protocol wrappers, with some abstractions query for switch properties, read per-switch and global flow counters insert / delete flow entries {"switch": "00:00:00:00:00:00:00:01", "name":"flow-mod-1", "cookie":"0", "priority":"32768", "ingress-port":"1","active":"true", "actions":"output=2"} ACL rules {"src-ip": "10.0.0.4/32", "nw-proto":"udp", "tp-src":"5010", "action":"deny" } Attach to virtual Quantum network {"attachment": {"id": "NetworkId1", "mac": "00:00:00:00:00:08"}} Trema, NOX/POX, Ryu similar (or fewer) abstractions Frenetic programming simplification on top of a standard OF protocol driver SQL-like queries for collecting network data simplified composition and optimization of application rules abstracted topology views (!) Need APIs that provide alternative models of the network for applications and services 6 DIMACS SDN December 2012
Example abstract network models for SDN applications Single virtual switch policy-based connectivity between physical or virtual machines use switch-level concepts to describe connectivity and policies ports, VLANs, profiles, etc. switch per tenant view or single large switch for global policies attach high-level rules or policies to logical port profiles (ACLs, in/out firewall, traffic marking/policing, etc.) VM VM attach rules to logical port profiles Annotated network graph suitable for running variety of graph algorithms b i internal nodes l i edge nodes (e.g., vnics) example edge annotations: utilization / avail bw, reserved bw, buffer occupancy stats, pkt drop stats represent full or subset of actual topology (e.g., racklevel topology) d i couple with management tooling to collect link or node metrics 7 DIMACS SDN December 2012
Example abstract network models for SDN applications Tenant connectivity model multi-tenant virtual network service service model represents tenant VMs, virtual network segments, middleboxes, connectivity policies requires labeling VMs with tenant ids, access userdefined policies, etc. insert virt middlebox in path VMs belonging to same tenant Security enforcement model provides control points for enforcing security actions model shows applications/os, VMs, hosts, and control points (not full topology) integrates varying levels of application-level visibility (e.g., from provisioning engine) host related VMs / OS types control points 8 DIMACS SDN December 2012
What this talk is about State of the API / network models in SDN controllers ultimately crucial to realize the full promise of SDN Services use cases for SDN in the enterprise data center IT service management processes application connectivity services 9 DIMACS SDN December 2012
SDN progression in the data center SDN enablers SDN applications OpenFlow and centralized control multi-tenant network virtualization network services and network integration industry standard protocol for SDN hardware and software enablement quickly becoming a standard feature on switches more OF controller options 10 DIMACS SDN December 2012 first production use case for SDN solutions with and without OpenFlow ultimately, a universal feature network-level automation application-level network services services on converged networks integration with security, provisioning, disaster recovery, etc.
Migration and workload consolidation Firewall rule: allow 7.6.*.* 7.1.3.8 DNS 7.9.3.4 7.2.3.4 7.2.3.5 Web Server Web Server LDAP 7.8.3.4 Firewall rule: allow 7.2.3.4, 7.2.3.5 7.3.3.4 network configuration capture deploy configuration onto target App Svr App Svr 7.3.2.4 7.3.2.5 7.3.5.4 Firewall rule: allow 7.3.2.4, 7.3.2.5 7.5.2.3 DB2 11 DIMACS SDN December 2012
Migration and consolidation IT process view (service transition) SDN-enhanced process application component discovery testing and cutover sandbox creation traffic mirroring access control re-integration in prod prepare / virtualize application standardize application for cloud image remediation and fixups register app components in cloud network renumbering overlap checking VLAN recreation middlebox traversal firewall rules network installation connectivity testing ext service reachability 12 DIMACS SDN December 2012
Security: Closed-loop network reconfiguration Determine optimal security policies in response to anomalies detected or workload observed abstract model shows applications/os, VMs, hosts, and control points (not full topology) Security Analytics Events from VM / host firewalls (iptables, ebtables) Events from VPN, IPS/IDS appliances Integrity management information from hosts and guests reconfiguration actions event data from network devices additional events, scan results, patch releases Network Security Manager collaboration with IBM CRL, Security Research Dept. at Watson host related VMs / app control points 13 DIMACS SDN December 2012
Security management IT process view (service operations) monitor and detect security violations SDN-enhanced process document security violation security event detected event management (qualify event) incident diagnosis / escalation incident resolution (e.g., network support) redirect flows for further analysis deploy additional analysis tools (e.g., honeypots) tighten access control quarantine to VLAN notify patch system 14 DIMACS SDN December 2012
Application connectivity patterns IPS Web FW App FW DB broadcast LB disjoint storage array cluster 15 Princeton / CS November 2012
Connectivity services for enterprises Enterprises often have organizational silos between application and network teams information / requirements exchanged through tickets, email, etc. iterative process for complex applications Traditional application teams have little understanding of connectivity, security, or network performance requirements for their applications SDN-based connectivity service should not place burden of specifying network details on application deployers contrast to self-service cloud model SDN connectivity service interface should mimic the application network team information exchange SDN controller and apps assist network team through automation and consistent operations SDN connectivity application must be populated with semantics and policy information to perform correct configurations Q: What is the interface for populating this knowledge? Who provides it? 16 DIMACS SDN December 2012
Example: enterprise connectivity service abstractions app pattern type: 3-tier webapp endpoint MAC, IP, other props inherited from group app-layer connection group properties: inet-facing, load-balanced org: cust service tier: 1 group properties: load-balanced org: cust service tier: 2 group properties: HADR org: cust service storevol: volumeid tier: 3 17 DIMACS SDN December 2012
Summary: SDN consumption models SDN promises more seamless integration of the network with IT processes but, SDN APIs and abstractions are primarily geared for low-level network control more work needed to develop the application interface of the SDN stack discussed some examples in various states of experimentation SDN use cases that matter to non-network experts maybe more important than solving problems of correctness, reliability, scalability in SDN protocols and devices needs research (this isn t a marketing problem) 18 DIMACS SDN December 2012
Thank you 19 DIMACS SDN December 2012