480 likes | 806 Views
Tutorial: OpenFlow in GENI. GENI Project Office. “The current Internet is at an impasse because new architecture cannot be deployed or even adequately evaluated” [PST04].
E N D
Tutorial: OpenFlow in GENI GENI Project Office
“The current Internet is at an impasse because new architecture cannot be deployed or even adequately evaluated” [PST04] [PST04]: Overcoming the Internet Impasse through Virtualization, Larry Peterson, Scott Shenker, Jonothan Turner Hotnets 2004 Modified slide from: http://cenic2012.cenic.org/program/slides/CenicOpenFlow-3-9-12-submit.pdf
OpenFlow… • Enables innovation in networking • Changes practice of networking Google’s SDN WAN
OpenFlow basics How OpenFlow works … (1.0) Hand’s on tutorial OpenFlow basics
OpenFlow is an API • Control how packets are forwarded • Implementable on COTS hardware • Make deployed networks programmable • not just configurable • Makes innovation easier Modified slide from : http://www.deutsche-telekom-laboratories.de/~robert/GENI-Experimenters-Workshop.ppt
Network Devices DHCP access point router DNS proxy VPN gateway firewall NAT switch software Any network device can be OpenFlow enabled
SDN and NFV Slide from: http://docbox.etsi.org/Workshop/2013/201304_FNTWORKSHOP/S07_NFV/BT_REID.pdf
OpenFlow benefits [1] • External control • Enables network Apps • General-purpose computers (Moore’s Law) • Deeper integration • Network hardware becomes a commodity • Centralized control • One place for apps to interact (authentication, auth, etc) • Simplifies algorithms • Global Optimization and planning [1]: OpenFlow: A radical New idea in Networking, Thomas A. LimoncelliCACM 08/12 (Vol 55 No. 8)
Network Types Campus Multiple buildings, heterogeneous IT, groups of users, campus backbone Enterprise Data Centers Security, various sizes, storage, WAN optimizations Data Centers – Clouds Multi-tenant, virutalization, disaster recovery, VM mobility WAN Diversity, multiple domains/carriers/users
Deployment Stories Google global private WAN [1] Connects dozens of datacenters worldwide with a long-term average of 70% utilization over all links Stanford Campus deployment Part of Stanford campus migrated to OpenFlow NTT’s BGP Free Edge Internet 2 - AL2S Can build Layer 2 circuits between any Internet 2 end-points https://www.ntt-review.jp/archive/ntttechnical.php?contents=ntr201310fa3.html [1] B4: Experience with a Globally-Deployed Software Defined WAN, SIGCOMM’13, Jain et al.
GENI and OpenFlow deployment • Key GENI concept: slices & deep programmability • Internet: open innovation in application programs • GENI: open innovation deep into the network OpenFlow switches one of the ways GENI is providing deep programmability Good old Internet Slice 0 Slice 1 Slice 1 Slice 2 Slice 3 Slice 4
GENI OpenFlow Deployment OpenFlow-enabled hardwareswitch at: • Each GENI Rack • Backbone and regional networks
GENI OpenFlow Experiments VDC: real-time load-balancing functionality deep into the network to improve QoE Prasad Calyam, Missouri MobilityFirst: A new architecture for the Internet designed for emerging mobile/wireless service requirements at scale Dipankar (Ray) Raychaudhuri, Rutgers, leads MobilityFirst ActiveCDN: Program content distribution services deep into the network Jae Woo Lee, Columbia
OpenFlow basics Hand’s on tutorial How OpenFlow works … (1.0)
OpenFlow versions (‘11) Open Networking Foundation (ONF) formed to shepherd standards (‘12/’13) OpenFlow 1.3.x Complex & support in progress (Dec ’09) OpenFlow 1.0.0 Simple & widely supported (Oct ‘13) OpenFlow 1.4 (Feb ‘11) OpenFlow 1.1.0 Not implemented by HW vendors (Oct‘13) OpenFlow 1.0.2 Under ratification (Dec ‘11) OpenFlow 1.2 First ONF standard
OpenFlow controllers • Open source controller frameworks • NoX/PoX • Open Daylight (driven by Cisco) • FloodLight (BigSwitch) • Trema (NEC) • Maestro • Ryu • Production controllers • Mostly customized solutions based on Open Source frameworks • ProgrammableFlow - NEC
OpenFlow • The controller is responsible for populating forwarding table of the switch • In a table miss the switch asks the controller Any Host OpenFlow Controller OpenFlow Protocol (SSL/TCP) Switch Control Path OpenFlow Data Path (Hardware) Modified slide from : http://www.deutsche-telekom-laboratories.de/~robert/GENI-Experimenters-Workshop.ppt
OpenFlow in action • Host1 sends a packet • If there are no rules about handling this packet • Forward packet to the controller • Controller installs a flow • Subsequent packets do not go through the controller Any Host OpenFlow Controller OpenFlow Protocol (SSL/TCP) Switch Control Path OpenFlow Data Path (Hardware) host2 host1 Modified slide from : http://www.deutsche-telekom-laboratories.de/~robert/GENI-Experimenters-Workshop.ppt
OpenFlowBasics(1.0) Rule Action Stats Packet + byte counters • Forward packet to port(s) • Encapsulate and forward to controller • Drop packet • Send to normal processing pipeline • Modify Fields Eth type VLAN PCP Switch Port IP Prot IP Src IP Dst TCP sport TCP dport IP ToS VLAN ID MAC src MAC dst + mask what fields to match slide from : http://www.deutsche-telekom-laboratories.de/~robert/GENI-Experimenters-Workshop.ppt
Use Flow Mods • Going through the controller on every packet is inefficient • Installing Flows either proactively or reactively is the right thing to do • A Flow Mod consists of : • A match on any of the 12 supported fields • A rule about what to do matched packets • Timeouts about the rules: • Hard timeouts • Idle timeouts • The packet id in reactive controllers
OpenFlow common PitFalls • Controller is responsible for all traffic, not just your application! • ARPs, DHCP, LLDP • Reactive controllers • Cause additional latency on some packets • UDP – many packets queued to your controller by time flow is set up • Performance in hardware switches • Not all actions are supported in hardware • No STP to prevent broadcast storms
Multiplexing ControllersFlowVisor Any Host Any Host Any Host • Only one controller per switch • FlowVisor is a proxy controller that can support multiple controllers FlowSpacedescribes packet flows : • Layer 1: Incoming port on switch • Layer 2: Ethernet src/dstaddr, type, vlanid, vlanpcp • Layer 3: IP src/dstaddr, protocol, ToS • Layer 4: TCP/UDP src/dst port FlowVisor OpenFlow Controller OpenFlow Controller OpenFlow Protocol (SSL/TCP) Switch OpenFlow Protocol (SSL/TCP) Control Path OpenFlow Data Path (Hardware)
OpenFlow basics How OpenFlow works … (1.0) Hand’s on tutorial Hands on tutorial
OpenFlow Experiments Debugging OpenFlow experiments is hard: • Network configuration debugging requires coordination • Many networking elements in play • No console access to the switch Before deploying your OpenFlow experiment test your controller. http://mininet.github.com/ http://openvswitch.org/
Run an OpenFlow experiment 1 host as OVS switch 3 VMs connected to OVS • Setup OVS • Write simple controllers • e.g. diverge traffic to a different server • use python controller PoX Host2 Host1 OVS Host3
To Save Time … • Slices have been created for you: • Slice name: ofNN • Resources have been added to your slice: • 1 Xen VM running OVS • 3 OpenVZ VMs that act as traffic sources & sinks • Resources are from various InstaGENI racks • Download your private SSH key https://portal.geni.net/secure/profile.php#ssh • Download key and put in a standard place: $ mv ~/Downloads/id_geni_ssh_rsa ~/.ssh/. $ chmod 0600 ~/.ssh/id_geni_ssh_rsa • Add the key to your ssh-agent: $ ssh-add ~/.ssh/id_geni_ssh_rsa
Finding your login information • Browse to this page https://portal.geni.net/secure/slices.php • Click on the slice name (there should be only one) • Scroll down to the Slice Status section • Find the row for the aggregate listed on your worksheet • Click the "Details" button for this row • keep this window open throughout the tutorial • Find your Login information for each of the four nodes used in this exercise (OVS, host1, host2, host3)
Part I: Design/Setup • Obtain Resources • What is OpenFlow, what can I do with Openflow? • Part II: Execute • Configure and Initialize Services • Execute Experiment • Part III: Finish • Teardown Experiment
Configure OVS OVS is a virtual switch running on a xen VM • The interfaces of the node are the ports of the switch • Configure an ethernet bridge • add all dataplane ports to the switch • Can be an OpenFlow switch • Need to specify the controller (for convenience run on the same host but it can be anywhere) • Userspace OVS for this exercise
Configure and Initialize OVS • Log in to OVS host and configure software switch: $ ifconfig $ sudoifconfig eth1 0 $ sudoifconfig eth2 0 $ sudoifconfig eth3 0 $ sudoovs-vsctl add-port br0 eth1 $ sudoovs-vsctl add-port br0 eth2 $ sudoovs-vsctl add-port br0 eth3 $ sudoovs-vsctl list-ports br0 $ sudoovs-vsctl set-controller br0 tcp:127.0.0.1:6633 $ sudoovs-vsctl set-fail-mode br0 secure $ sudoovs-vsctl show Host2 Host1 eth2 eth1 OVS eth3 Host3
Part I: Design/Setup • Obtain Resources • What is OpenFlow, what can I do with Openflow? • Part II: Execute • Configure and Initialize Services • Execute Experiment • Part III: Finish • Teardown Experiment
Experiments (1/4) • Use a Learning Switch Controller: • See the traffic flow changes between hosts as the controller is started or stopped. • Soft versus hard timeouts for traffic flows.
Experiments (1/4) • Login host1 and start ping host2 $ ping 10.10.1.2 • Start learning switch controller: $ cd /local/pox $ ./pox.py --verbose forwarding.l2_learning • Look at ping… now works. • Kill controller (Ctrl-c) • Look at ping… still running,
Experiments (2/4) • Write and run a Traffic Duplication Controller: • Controller will duplicate traffic to a different port on the OVS switch. • Use tcpdump to see the packet duplication.
Experiments (2/4) • Open 2 windows on OVS host • Start tcpdump for on OVS:if1and OVS:if2 • Run duplication controller on OVS:if2 $ cd /local/pox $ ./pox.py --verbose myDuplicateTraffic --duplicate_port=<data_interface_name> • Look at ping from host1 to host2. • Kill controller (Ctrl-c)
Experiments (3/4) • Write and run a port forwarding controller: • Controller will do port forwarding on your OVS Switch to port specified. • Use two netcat servers on host2 to see traffic delivery.
Experiments (3/4) • Two windows on host2 run the following: $ nc -l 5000 $ nc-l 6000 • Start learningswitchcontroller: • On host1: $ nc 10.10.1.2 5000 • Seewhathappens to traffic • Killcontroller(Ctrl-c) • Retrywith port forwardingcontroller and seewhathappens to traffic, and killwhendone.
Experiments (4/4) 4. Write and run a server proxy controller • To redirect packets to a proxy: • What fields do you need to overwrite? • Which packets needs special handling? • Use netcat to see the deflection
Experiments (4/4) • On host 3: $ nc –l 7000 • Run proxy controller: $ cd /local/pox $ ./pox.py --verbose myProxy • On host1: $ nc 10.10.1.2 5000 • Look at host3 window, shouldnowbegettingnctraffic.
Part I: Design/Setup • Obtain Resources • What is OpenFlow, what can I do with Openflow? • Demo: Using OpenFlow in GENI • Part II: Execute • Configure and Initialize Services • Execute Experiment • Part III: Finish • Teardown Experiment
Part III: Finish Experiment When your experiment is done, you should always release your resources. • Normally this is when you would archive your data • Delete your slivers at each aggregate sliver credentials sliver project RSpec resource user AM API aggregate certificate slice
Core Networks NLR committed to 2013 meso-scale expansion following reorganization Internet2 adding 10GbE paths to Advanced Layer 2 Services (AL2S) at 4 of 5 OpenFlow meso-scale/ProtoGENI Pops GENI Aggregate Manager in Internet2 AL2S and dynamic stitching with GENI coming in Spiral 5 Internet2 SDN networks
FOAM • An OpenFlow Aggregate Manager • It’s a GENI compliant reservation service • Helps experimenters reserve flowspace in the FlowVisor • Speaks AM API v1 • Rspecs GENI v3, openflow v3 extension
Racks and Campuses • GENI Rack projects are expanding available GENI infrastructure in the US. • Racks provide reservable, sliceable compute and network resources using Aggregate Managers. • GENI AM API compliance