ClosedFlow: OpenFlow-like Control over Proprietary Devices (Ryan Hand, Eric Keller)

Posted on 16-Dec-2015

1

ClosedFlow: OpenFlow-like Control over Proprietary Devices

Ryan Hand, Eric Keller

2

Introduction

• SDN provides centralized control of the network to the administrator
• Easy addition of networked services such as seamless mobility and web-server load balancing
• Services run on the centralized controller using a standard API such as OpenFlow

3

Problem

•Huge capital invested in existing network infrastructure

•Cannot simply throw away existing network devices

•Cost of transition

4

Problem: Abrupt Transition To SDN

5

Alternate Solution

• Panopticon
  ▫ SDN switches on the edge
  ▫ Legacy switch used as a tunnel
• Problem:
  ▫ Requires addition of new hardware
  ▫ Specialized configuration for the legacy switch

6

Solution: Smooth Transition To SDN

7

Contributions

• ClosedFlow for smooth transition
• Allows SDN control over existing legacy hardware
• Architecture mimics OpenFlow but on existing hardware
• Evaluate the system with 10 year old Cisco switches
• Illustration of functionalities if not limited to OpenFlow

8

Background Detail
• OpenFlow
  ▫ Decoupling of control and data plane
  ▫ Standardized interface to add & remove flow entries
  ▫ Allows running experimental protocols
• Ethane:
  ▫ The immediate predecessor to OpenFlow, introduced in 2006
  ▫ Defined a new architecture for enterprise networks
  ▫ Focus: using a centralized controller to manage policy and security in a network
  ▫ Similar to SDN, two components: a controller that decides whether a packet should be forwarded, and an Ethane switch consisting of a flow table

9

ClosedFlow
• Allow layers on top of OpenFlow
• But use network devices without OpenFlow support
• Learn about OpenFlow in the process

10

ClosedFlow
• More focus on OpenFlow: well-defined and open interface
• But how closely related to OpenFlow? Four characteristics:
  ▫ Communication channel between central controller and each switch
  ▫ Topology discovery
  ▫ Packet matching and applying actions
  ▫ Handling packet-in events


12

Controller Switch Control Channel
• Ability of the central controller to communicate with each switch
• No need for physical (direct) connectivity
• Use of Spanning Tree Protocol in Ethane: discover and calculate the path
• Challenge: switch has to operate over layer 3 interfaces
• Solution: OSPF routing protocol

13

Controller Switch Control Channel
• New switch addition?
• Minimum configuration:
  ▫ Set IP address for interface Loopback 0
  ▫ Configure ‘routed’ interfaces for switch-to-switch links
  ▫ Configure OSPF instance and set Router-ID to the Loopback 0 IP
  ▫ Advertise Loopback & point-to-point networks (OSPF)
  ▫ Set up remote access (SSH or Telnet)
  ▫ Set enable mode password


15

Topology Discovery
• Controller has a network-wide view
• ClosedFlow: two approaches
  ▫ Ethane approach: switch periodically sends link state information to the controller; remote logging from the switch
  ▫ OSPF link state advertisements


17

Packet Matching and Applying Actions
• Ability to control the flows
• Legacy switches use a combination of
  ▫ Access-control lists
  ▫ Route map
  ▫ Interface mapping to route map
• OpenFlow example:

18

Packet Matching and Applying Actions
• ClosedFlow example:
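The ACL + route-map + interface mapping described above, as an added example that is not the paper's or the prototype's code: it turns one OpenFlow-style flow rule into the three IOS pieces. The CF- naming, the drop-to-Null0 idiom and the priority-to-sequence mapping are assumptions made here.

```python
# Added example (not the paper's code). CF- names and the priority-to-sequence
# mapping are assumptions; the ACL/route-map/PBR structure is from the paper.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class FlowRule:
    priority: int                 # OpenFlow priority 0..65535; higher wins
    in_port: str                  # ingress interface, e.g. "FastEthernet0/1"
    proto: str = "ip"             # ip | tcp | udp
    nw_src: str = "any"           # CIDR such as "10.1.1.0/24", or "any"
    nw_dst: str = "any"
    tp_dst: Optional[int] = None  # L4 destination port (tcp/udp only)
    action: str = "output"        # output | drop
    out_port: Optional[str] = None

def cidr_to_acl(cidr: str) -> str:
    """IOS ACEs take 'addr wildcard' (inverse mask); a /32 becomes 'host'."""
    if cidr == "any":
        return "any"
    addr, bits = cidr.split("/")
    inv = 0xFFFFFFFF >> int(bits)           # wildcard = the host bits
    wc = ".".join(str((inv >> s) & 0xFF) for s in (24, 16, 8, 0))
    return f"host {addr}" if inv == 0 else f"{addr} {wc}"

def flow_to_ios(rule: FlowRule) -> List[str]:
    """Return IOS config lines for the rule. Route-map sequences are tried
    lowest first, so the OpenFlow priority is inverted to order them."""
    if rule.tp_dst is not None and rule.proto not in ("tcp", "udp"):
        raise ValueError("L4 port match needs proto tcp or udp")
    if rule.action == "output" and not rule.out_port:
        raise ValueError("output action needs out_port")
    if rule.action not in ("output", "drop"):
        raise ValueError(f"unsupported action {rule.action!r}")
    acl = f"CF-{rule.priority}"
    rmap = "CF-" + rule.in_port.replace("/", "-")   # keep '/' out of names
    ace = f" permit {rule.proto} {cidr_to_acl(rule.nw_src)} {cidr_to_acl(rule.nw_dst)}"
    if rule.tp_dst is not None:
        ace += f" eq {rule.tp_dst}"
    # PBR has no drop action; steering to Null0 is the usual discard idiom.
    target = "Null0" if rule.action == "drop" else rule.out_port
    return [
        f"ip access-list extended {acl}", ace,
        f"route-map {rmap} permit {65535 - rule.priority}",
        f" match ip address {acl}",
        f" set interface {target}",
        f"interface {rule.in_port}",
        f" ip policy route-map {rmap}",
    ]
```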


20

Handling Packet-In Events
• Special action “send to controller” to enable a reactive network
• OpenFlow:
  ▫ Packet arrival
  ▫ Match a flow entry & take action
  ▫ If no match found, send to controller

21

Handling Packet-In Events
• ClosedFlow:
  ▫ Remote logging on explicit deny
  ▫ Send entire packet to controller


23

Remote Logging on Explicit Deny
• Packet does not match the access control criteria in the route map
• ‘explicit deny’ access control entry (ACE)
• Keyword ‘log-input’ produces a syslog entry on an explicit deny match
• Logging discriminator using regular expression matching; suppress excessive logging with threshold limits until the flow rule is installed
• Header sent to controller, packet dropped
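The controller side of the remote-logging packet-in path, as an added example that is not the paper's code: it parses the syslog line a ‘log-input’ explicit-deny ACE emits into a packet-in event and suppresses repeats for that flow until the controller reports the rule installed. The message layout is the usual IOS %SEC-6-IPACCESSLOGP form for tcp/udp (ICMP and other protocols log in a different form and are not handled), and the sample lines are constructed.

```python
# Added example (not the paper's code): syslog -> packet-in with per-flow
# suppression. Message layout assumed to be the usual IOS IPACCESSLOGP form.
import re

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<nw_src>[\d.]+)\((?P<tp_src>\d+)\) "
    r"\((?P<in_port>\S+) (?P<dl_src>[0-9a-f.]+)\) -> "   # log-input adds these
    r"(?P<nw_dst>[\d.]+)\((?P<tp_dst>\d+)\), (?P<count>\d+) packets?"
)

def parse_packet_in(line: str):
    """Return header fields of the denied packet, or None for other syslog."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for k in ("tp_src", "tp_dst", "count"):
        ev[k] = int(ev[k])
    return ev

def flow_key(ev):
    """Ingress port plus 5-tuple: the granularity a reactive rule is pushed at."""
    return (ev["in_port"], ev["proto"], ev["nw_src"], ev["tp_src"],
            ev["nw_dst"], ev["tp_dst"])

class PacketInHandler:
    """Raise one packet-in per flow; further log hits for that flow are
    ignored until flow_installed() says the controller pushed its rule."""
    def __init__(self):
        self.pending = set()
        self.events = []

    def handle_line(self, line: str) -> bool:
        ev = parse_packet_in(line)
        if ev is None or flow_key(ev) in self.pending:
            return False      # not a packet-in, or already waiting on a rule
        self.pending.add(flow_key(ev))
        self.events.append(ev)
        return True

    def flow_installed(self, ev):
        self.pending.discard(flow_key(ev))

SAMPLE_LOGS = [  # constructed, in the log-input format described above
    "Dec 16 10:42:01.123: %SEC-6-IPACCESSLOGP: list CF-IN denied tcp "
    "10.1.1.5(49152) (FastEthernet0/1 0011.2233.4455) -> 10.2.2.9(80), 1 packet",
    "Dec 16 10:42:03.009: %SEC-6-IPACCESSLOGP: list CF-IN denied tcp "
    "10.1.1.5(49152) (FastEthernet0/1 0011.2233.4455) -> 10.2.2.9(80), 7 packets",
    "Dec 16 10:42:05.500: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up",
]
```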

24

Remote Logging on Explicit Deny


26

Send Entire Packet to Controller
• Forward-to-controller action applied
• Example:

27

Prototype
• 2 independent programs to integrate the Cisco configuration backend with the SDN controller
  ▫ Constantly running topology discovery application which uses the info received from the remote logs to display the current adjacencies
  ▫ Python program equivalent to a static flow pusher which allows flow modifications to be specified

28

Experiment Setup
• Cisco 3550 multi-layer switches; IOS 12.2(44)SE
• Cisco 3560 MLS with IOS 12.2(55)SE for Cisco Embedded Event Manager & Tool Command Line scripting features
• Configure SDM template
  ▫ Reformat TCAM table using the switch database manager
  ▫ Optimize for policy based routing and TCAM ACL entries
  ▫ Template options: Access, Default, Routing, VLAN
  ▫ Access: maximize resources for ACL functionality; ACL entries on layer 3 & 4 are the majority of the configuration
  ▫ ‘extended-match’ keyword with the SDM template used to enable policy based routing

29

Experiment Setup

• Enable IP routing and Cisco Express Forwarding
  ▫ To match layer 3 & 4 packet fields
  ▫ Interface forwarding behavior with policy based routing
  ▫ CEF uses the Forwarding Information Base and adjacency tables, performing fast IP switching with PBR route maps

30

Evaluation/Results

• Direct correlation between installed flow rules and TCAM storage
• 3 flow rule datasets used
  ▫ Realistic enterprise sampling with realistic IP ranges, port ranges, layer 3 & 4 matching
  ▫ Completely random source/destination IP and source/destination port combinations

31

Evaluation/Results

32

Evaluation/Results

33

OpenFlow Extensions

• Use of legacy switches allows going beyond OpenFlow capabilities
• OpenFlow imposes limitations in terms of security and monitoring with triggered events

34

Equipment Dependency
• Identical functionality of Cisco 3550/3560 present in other vendors
• Tested HP and Juniper
• Rich functionality in newer Cisco models
• Some models have added packet classification granularity with NBAR (Network Based Application Recognition), allowing deep packet inspection to classify traffic
• Use of Link Layer Discovery Protocol, or logging Cisco Discovery Protocol adjacency changes, aids in avoiding OSPF

35

Conclusion

• ClosedFlow is a layer providing OpenFlow-like programmability to legacy network configs
  ▫ Giving some insight into commonalities/differences
• Eliminates the barrier of transition and costly upgrades
• Provides custom control applications

36

Limitations
• Topology discovery
  ▫ Remote logging considered easy and simple over OSPF; OSPF method not tested
• Handling packet-in events
  ▫ Remote logging on explicit deny: header forwarded but packet dropped, unlike OpenFlow
  ▫ Send entire packet to controller: overhead for reactive networks
• Prototype not implemented; only functionalities, assuming they would provide full functionality as proposed

37

Questions?

38

References
• ClosedFlow: OpenFlow-like Control over Proprietary Devices
  ▫ Ryan Hand, Eric Keller
• A Survey of Software-Defined Networking: Past, Present, and Future of Programmable Networks
  ▫ Bruno Nunes Astuto, Marc Mendonça, Xuan Nam Nguyen, Katia Obraczka, Thierry Turletti