Investigative Research for an IP Peering Service for NetherLight
Research Project 2 #100
Arnold Buntsma
Mar Badias Simó
Assessor: Cees de Laat
Supervisors: Gerben van Malenstein, Migiel de Vos, Max Mudde
CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, and infographics & images by Freepik.
NetherLight: open lightpath exchange
● Built and operated by SURFnet
● High bandwidth P2P & multipoint connections for ~70 clients
● Their clients are research and education networks and service providers that want to connect with one another
NetherLight investigates offering a new service
● Peering Service
● Common layer 2 domain for several clients
● To allow their clients to set up BGP peering
● Similar to an Internet eXchange Point
RESEARCH QUESTION
How can NetherLight facilitate a state-of-the-art peering service which is flexible, secure, manageable and has a uniform setup?
● Requirements
● Options & Best practices
● Protocol behaviour
● On-boarding procedure
Methodology
1. Set requirements
2. Contact IXPs
3. Study literature
4. Research solutions
5. Compare solutions
6. Recommend
Requirements
● A detailed explanation of the service
● Uniform onboarding process
● Well-manageable, Secure & Scalable
○ Uniform
○ Spoofing & Hijacking
○ Hundreds of clients
● At least one of the solutions can be implemented on the current platform
Interviews & Literature
● Most IXP peering services are built on top of VPLS; some use EVPN
● Broadcast traffic is a problem: ARP storms
● Protect the peering platform: control the types of traffic going on the network
● Prevent propagation of wrong routing information
Generic Components for all solutions
Route Server
● Scaling
○ BGP sessions
● Manageability
○ Uniform peering relations
○ Ability to block prefixes
● Security
○ Filtered Routes
○ RPKI validation
Security
● MANRS²
● 1 MAC & IP per interface
● Whitelist EtherTypes
IP Space
● IPv4 /24 (x2)
● IPv6 /64
² https://www.manrs.org/ixps/
SOLUTIONS 1.1 & 1.2: MPLS-EVPN & VXLAN-EVPN
EVPN Solutions
● VXLAN-EVPN vs MPLS-EVPN
● Quarantine EVI
● Single VLAN
● Management via Orchestration and Automation tools
○ Cisco NSO
● Monitoring
○ SNMP
○ sFlow
● Also includes Generic Components
SOLUTION 2: SDN / OpenFlow
OpenFlow
Benefits of OpenFlow
● Following the directives of the Umbrella rule set
● Fine-grained control capabilities, can provide high responsiveness
● Easy network management
● We consider NetherLight an ideal place to innovate
● Offers solutions to known problems of peering services
OpenFlow Implementation
Testing Faucet on Mininet
https://github.com/Reseach-Project-2/testfaucet
Programming the service
● Programmed based on Umbrella rule set
● A VLAN can be created and retagging frames is possible
● Fine-grained traffic control. Drop anything that does not match the rules
● No quarantine VLAN/EVI needed
● MAC address known in advance: elimination of ARP storms
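An added example (not from the presentation or its testfaucet repository): a Python model of the default-drop port policy these bullets describe, with one registered MAC per port, an EtherType whitelist, and ARP requests delivered as unicast to the registered owner of the target IP. The member table, addresses and the `classify` function are hypothetical, and the ARP rewrite is an assumption about how known MACs remove ARP storms.

```python
# Added illustration: a pure-Python model of a per-port ingress policy.
# Ports, MACs and IPs are constructed sample data (documentation ranges).
ETHERTYPE_WHITELIST = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
BROADCAST = "ff:ff:ff:ff:ff:ff"
DROP = ("drop", None, None)

# Built from onboarding data: each port has exactly one MAC and one IP.
MEMBERS = {
    1: {"mac": "02:00:00:00:00:01", "ip": "192.0.2.1"},
    2: {"mac": "02:00:00:00:00:02", "ip": "192.0.2.2"},
    3: {"mac": "02:00:00:00:00:03", "ip": "192.0.2.3"},
}
MAC_TO_PORT = {m["mac"]: p for p, m in MEMBERS.items()}
IP_TO_PORT = {m["ip"]: p for p, m in MEMBERS.items()}


def classify(in_port, frame):
    """Return (action, out_port, dst_mac) for a frame arriving on in_port.

    frame keys: src, dst, ethertype, plus arp_target_ip for ARP requests.
    """
    member = MEMBERS.get(in_port)
    if member is None or frame["src"] != member["mac"]:
        return DROP                      # unknown port or spoofed source MAC
    if frame["ethertype"] not in ETHERTYPE_WHITELIST:
        return DROP                      # e.g. LLDP or STP: not whitelisted
    if frame["dst"] == BROADCAST:
        # Only ARP requests for a registered peer survive, and only as unicast.
        if frame["ethertype"] != 0x0806:
            return DROP
        out = IP_TO_PORT.get(frame.get("arp_target_ip"))
        if out is None or out == in_port:
            return DROP
        return ("forward", out, MEMBERS[out]["mac"])  # rewritten destination
    out = MAC_TO_PORT.get(frame["dst"])
    if out is None or out == in_port:
        return DROP                      # unknown unicast is never flooded
    return ("forward", out, frame["dst"])
```

Because every forwarding decision is a lookup in the onboarding table, nothing is ever flooded and no quarantine segment is needed to learn a new member's MAC.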
Peering service with OpenFlow
Monitoring: sFlow or Gauge+Faucet
Management: Adapting IXP Manager or developing a new tool
Scalability: Theoretically, highly scalable
On- and off-boarding workflow
The client provides:
● Desired bandwidth
● Location
● MAC address(es)
● AS number(s)
NL provides:
● VID
● IP addresses
● ASN of RS
● Configuration template
➔ Off-boarding procedure is simpler :)
Comparison: EVPN vs OpenFlow
EVPN vs OpenFlow results
Scalable: At least hundreds of clients. No hard limit.
Management: Clients use the service in a uniform way. Configuration errors should be eliminated and minimal management effort needed from the NL team.
Security: Clients unable to interfere with connections of other clients by, for example, MAC/IP spoofing and BGP hijacking.
Discussion & Conclusion
To date, NetherLight can best create a peering service by adopting the first solution (MPLS-EVPN).
As a more advanced solution over time, NetherLight should consider implementing the second solution proposed (OpenFlow) because of less management effort, fine-grained control of traffic, and vendor independence.
Future Work
● First (small) implementation of MPLS-EVPN solution
● PoC of OpenFlow solution
○ OpenFlow scalability research in production
● Research the ability to use the Umbrella rule set in other OpenFlow controllers
Questions?
Route Servers
● Scaling
○ BGP sessions
● Manageability
○ Uniform peering relations
○ Ability to block prefixes
● Security
○ Filtered Routes
○ RPKI validation
Fig. 1 Peering options (Richter, P et al. 2014)
Faucet multi table