fd.iovppandcontainers

KeithBurns

fd.ioFounda2on 1

@alagalah

krb@cisco.com|alagalah@gmail.com

github.com/alagalah

fd.iointro:why,what,how

2

Programmable Data Plane

Evolu8onofProgrammableNetworking

fd.ioFounda2on 3

fd.ioprojects

fd.ioFounda2on 4

Network IO

Packet Processing

VPP

Management Agent

NSH_SFC ONE VPP Sandbox TLDK

Honeycomb

Test

ing/

Per

form

ance

/Sup

port

CS

IT

Legend: - New Projects - Core Projects

deb_

dpdk

VPPFeatureSummaryatlaunch2016-02-11

fd.ioFounda2on 5

14+MPPS,singlecoreMul2millionentryFIBsSourceRPFThousandsofVRFs

Controlledcross-VRFlookupsMul2path–ECMPandUnequalCostMul2plemillionClassifiers–

ArbitraryN-tupleVLANSupport–Single/DoubletagMandatoryInputChecks:

TTLexpira2onheaderchecksumL2length<IPlengthARPresolu2on/snoopingARPproxy

IPv4/IPv6 IPv4

GRE,MPLS-GRE,NSH-GRE,VXLANIPSECDHCPclient/proxyCGNAT

IPv6

NeighbordiscoveryRouterAdver2sementDHCPv6ProxyL2TPv3SegmentRou2ngMAP/LW46–IPv4aasiOAM

MPLS

MPLS-o-Ethernet–Deeplabelstacks

supported

L2

VLANSupportSingle/DoubletagL2forwardingwithEFP/

BridgeDomainconceptsVTR–push/pop/Translate(1:1,1:2,2:1,2:2)MacLearning–defaultlimitof50kaddressesBridging–Split-horizongroupsupport/EFPFilteringProxyArpArptermina2onIRB–BVISupportwithRouterMacassignmentFloodingInputACLsInterfacecross-connect

VPPFeatureSummaryatlaunch2016-02-11

fd.ioFounda2on 6

14+MPPS,singlecoreMul2millionentryFIBsSourceRPFThousandsofVRFs

Controlledcross-VRFlookupsMul2path–ECMPandUnequalCostMul2plemillionClassifiers–

ArbitraryN-tupleVLANSupport–Single/DoubletagMandatoryInputChecks:

TTLexpira2onheaderchecksumL2length<IPlengthARPresolu2on/snoopingARPproxy

IPv4/IPv6 IPv4

GRE,MPLS-GRE,NSH-GRE,VXLANIPSECDHCPclient/proxyCGNAT

IPv6

NeighbordiscoveryRouterAdver2sementDHCPv6ProxyL2TPv3SegmentRou2ngMAP/LW46–IPv4aasiOAM

MPLS

MPLS-o-Ethernet–Deeplabelstacks

supported

L2

VLANSupportSingle/DoubletagL2forwardingwithEFP/

BridgeDomainconceptsVTR–push/pop/Translate(1:1,1:2,2:1,2:2)MacLearning–defaultlimitof50kaddressesBridging–Split-horizongroupsupport/EFPFilteringProxyArpArptermina2onIRB–BVISupportwithRouterMacassignmentFloodingInputACLsInterfacecross-connect

Countersfor

everything!

!!

VPP16.06Release

fd.ioFounda2on 7

•  Enhanced Switching & Routing •  IPv6 Segment Routing multicast support •  LISP xTR support •  VXLAN over IPv6 underlay •  per interface whitelists •  shared adjacencies in FIB

•  Expanded Hardware and Software Support

•  Support for ARM 32 targets •  Support for Raspberry Pi •  Support for DPDK 16.04

•  New and improved interface support •  jumbo frame support for vhost-user •  Netmap interface support •  AF_Packet interface support

•  Programmability •  Python API bindings •  Enhanced JVPP Java API bindings •  Enhanced debugging cli

Released2016-06-17

VPP16.09Release

fd.ioFounda2on 8 Release:2016-09-14

•  Enhanced LISP support for •  L2 overlays •  Multi-tenancy •  Multi-homing •  Re-encapsulating Tunnel Routers (RTR)

support •  Map-Resolver failover algorithm

•  New “in-tree” plugins for •  SNAT •  MagLev-like Load Balancer •  Identifier Locator Addressing (ILA)

•  High performance port range ingress filtering

•  Dynamically ordered subgraphs •  Allows registration of node ‘before’ another node

Honeycomb16.09Release

fd.ioFounda2on 9

•  Infrastructure •  Data processing pipeline •  Extensible translation layer (SPI) •  Configuration and context persistence

•  Yang models exposing VPP features: •  Interfaces:

•  Base interface management – ieft-interface + ietf-ip models

•  vhost-user, Linux tap interface management •  Bridge domain management •  Overlays / Encapsulations

•  VLAN, VXLAN, VXLAN-GPE, GRE management •  NSH_SFC plugin support •  ACLs

•  L2/L3 ACL management – ietf-acl •  LISP – mapping server configuration •  Bit level granularity classifier interface

Release:2016-09-21

NSH_SFC16.09Release

fd.ioFounda2on 10

•  SFF functionality •  NSH Proxy for SF •  Transport:

•  VXLAN-GPE •  GRE

•  API •  Automatically generated jar for java

bindings

•  Integrated with OpenDaylight SFC

Release:2016-09-21

Implementa8onExample:VPPasavRouter/vSwitch

fd.ioFounda2on 11

•  vSwitch/vRouter

•  Including CLI •  Switching

•  Bridge Domains •  BVI interfaces •  Split-Horizon Groups •  Program ARP termination

•  Routing •  VRFs (FIBs) - thousands •  IPv4 / IPv6 routes – millions •  700K updates per second

Linux Host

Kernel

DPDK

VPP App

Switch-1

Switch-2

VRF-1

VRF-2

VPPArchitecture

•  Instruction/Data cache efficiency

•  Graph composed at runtime

•  Easy to create and incorporate new features

•  All in user space

ethernet-input

ip6-input ip4input mpls-ethernet-input

arp-input llc-input

… ip6-lookup

ip6-rewrite-transmit ip6-local

…

Packet vector

Plug-in to create new nodes

Custom-A Custom-B

Plugins•  First-class graph node citizens

•  Introduce new graph nodes •  Graph composed at runtime, nodes discovered

•  Rearrange packet processing graph •  Can be built independently of VPP source tree •  Ability to take advantage of diverse hardware when present

ethernet-input

ip6-input ip4input mpls-ethernet-input

arp-input llc-input

… ip6-lookup

ip6-rewrite-transmit ip6-local

…

Packet vector

Plug-in to create new nodes

Custom-A Custom-B

Plug-in to enable new HW input

Nodes

VPPvRouter/vSwitch:LocalProgrammability

fd.ioFounda2on 14

Linux Host

Kernel

DPDK

VPP App External App

Low Level API •  Complete •  Feature Rich •  High Performance

•  Example: 900k routes/s •  Shared memory/message queue •  Box local •  All CLI tasks can be done via API

Generated Low Level Bindings - existing today

•  C, Java and Python API bindings •  Others can be done

Containers

15

August27,2015,TVTechnology

16

Chunkycase-videoUncompresseddatarate=colordepths*ver8calresolu8on*horizontalresolu8on*refreshfrequency

“Encoding in multiple formats in parallel including raw uncompressed per camera”

-  BBC: IP Studio project

… “Destination-timed switching is probably the simplest way to switch video on commodity Ethernet switches, but it generally requires twice the bandwidth of a single video signal to be reserved.”

-  Thomas Edwards of Fox, June 10, 2015, TVTechnology.com

“Compute is going to everywhere, … ... compute will be distributed from end points and in layers of networks before data is even shipped back into the datacenter... ..there could be as much processing outside the “server” and the “datacenter” as inside of it. These terms could become somewhat meaningless.”

- Peak X86, The Next Platform, Sep 15, 2016

Deathbyathousandcutscase-distributed

Implica8onsofreality...

100GbpsNICsarereality

Usecasesexisttodayfor100Gbpsperworkload

3DXPointandMemristortechnologyisreality

Machinelearningalgorithmsbeingheldbackbylackofreal-2mestreaminginstrumenta2on

Implica8onsofcontainers

Containersaresmall

Implica8onsofcontainers

Containersaresmall

Quickertostart/stopondemand

Canaffordtohavemoreofthem

Easiertodevelopwith

Implica8onsofcontainers

Quickertostart/stopondemand

Canaffordtohavemoreofthem

Easiertodevelopwith

Newwaysofdesigningapplica2ons

Newdeploymentmodels

Implica8onsofcontainers

Newwaysofdesigningapplica2ons

Newdeploymentmodels

Implica8onsofcontainers

Newwaysofdesigningapplica2ons

Newdeploymentmodels

Microservices

Implica8onsofcontainers

Newwaysofdesigningapplica2ons

Newdeploymentmodels

Microservices

SimplerAPI-REST

Applica2oncomponentsruninownprocess

Implica8onsofcontainers

Newwaysofdesigningapplica2ons

Newdeploymentmodels

Implica8onsofcontainers

Newwaysofdesigningapplica2ons

Newdeploymentmodels

Horizontallyscaled

Describedbycontainermetadata

http://blog.kubernetes.io/2016/07/kubernetes-updates-to-performance-and-scalability-in-1.3.html

Kubernetes1.3-2,000node60,000podclusters

29

Implica8onsofcontainers

Lotsofindividuallyaddressedelementstomanage

Lotsofsessionstoscale

Predictableperformanceunderload

Instrumenta2on-Doyouknowwhoistalkingtowho?Howmuch?

IfRESTisthenewSOAP….

…TCPandIPCbecomesevenmoreimportant.

Howiscontainernetworkingdonetoday?

Howiscontainernetworkingdonetoday?

Whynotthis?

controlplane

35

ProjectCalico–keyPrinciples

IP !  Perform layer 3 forwarding at each compute node

BGP !  Distribute routes using proven Border Gateway Protocol*, with route reflectors for scale

!  Separate policy decisions from routing information !  Translate global policy into distributed firewall on each

host, enabling tenant isolation & more

HowdoIprovisionit?

HowdoIprovisionit?

calicoctl pool add 192.168.0.0/16

docker run --net=none --name workload-A -tid

busybox

sudo calicoctl container add workload-A 192.168.0.1

calicoctl profile add PROF_A

calicoctl container workload-A profile append

PROF_A

CalicoNetworkPolicy

Workload

… Endpoint Endpoint

… Profile Profile

… Tag Tag Rules

Workload

Endpoint

Profile

container, VM, bare metal

(virtual) network interface

reusable policy

Pucngitalltogether

40

NextSteps–GetInvolvedWeinviteyoutoPar2cipateinfd.io

• GettheCode,BuildtheCode,RuntheCode• Trythevppuserdemo• Installvppfrombinarypackages(yum/apt)

• Read/WatchtheTutorials

• JointheMailingLists• JointheIRCChannels• Explorethewiki• Joinfd.ioasamember

fd.ioFounda2on 43

Thanks.KeithBurns

44

@alagalah

github.com/alagalah

krb@cisco.com|alagalah@gmail.com