OpenFlow: What’s it Good for? - APNIC, Apricot 2016

Pete Moyer

pmoyer@brocade.com

Principal Solutions Architect

Page 2: Agenda

•  SDN & OpenFlow Refresher
  ‒ How we got here
•  SDN/OF Deployment Examples
•  Other practical use cases for SDN/OF …
•  Conclusion

2 © 2015 BROCADE COMMUNICATIONS SYSTEMS, INC. COMPANY: USE WITH PERMISISION

Page 3: OpenFlow & SDN Refresher

Page 4: “Data center networks are in my way” -- James Hamilton

Page 5: Software Defined Networking, Evolving Definition

•  “A network in which the Control Plane is physically separated from the Data Plane”
  ‒ OpenFlow is the enabler
•  SDN =? OpenFlow
•  SDN > OpenFlow
•  …

“Distribute what you must, centralize what you can …”

[Diagram: three models side by side. Traditional: a router with the Control Plane (software) and Data Plane (hardware) in one box. SDN-OpenFlow: a Controller runs the Control Plane (software) and drives the router's Data Plane (hardware) through APIs. Hybrid: the router keeps its own Control Plane (software) and Data Plane (hardware) while also being reachable from the Controller via APIs.]

Page 6: OpenFlow Version History

•  OpenFlow v1.0 (12/2009)
  ‒ L2 and L3 (IPv4) matching fields
  ‒ Many actions (including normal)
•  OpenFlow v1.1 (02/2011)
  ‒ MPLS label/EXP matching fields
  ‒ Multiple flow tables, Group table
  ‒ Virtual ports
•  OpenFlow v1.2 (12/2011)
  ‒ IPv6 matching fields
  ‒ Multiple controllers, role change
•  OpenFlow v1.3 (4/2012)
  ‒ QoS Metering
  ‒ Capabilities & version negotiation
•  OpenFlow v1.4 (8/2013)
  ‒ Improved capability discovery, extensibility
•  OpenFlow v1.5 (12/2014)
  ‒ TCP Flag matching
  ‒ Egress Tables
  ‒ Improved metering
•  OpenFlow v1.6 (2016?)
  ‒ Tunneling
•  OF v2.0 or NG? (TBD)
  ‒ TTPs
•  P4?
  ‒ http://www.sigcomm.org/sites/default/files/ccr/papers/2014/July/0000000-0000004.pdf

Page 7: OF/SDN Deployment Examples

Page 8: Google B4 OF/SDN Network

[Slide shows the Google B4 Inter-DC Backbone, with references dated 5/2013 and 4/2014]

Page 9: Google B4 OF/SDN Network, Summarized Benefits

•  Separate control plane from forwarding plane
  ‒ Choose HW based on necessary features
  ‒ Choose SW based on protocol requirements
  ‒ Decouple HW & SW innovation
•  Logically centralize the network control plane
  ‒ Deterministic
  ‒ Efficient
  ‒ Global view
•  Allow automation, flexibility and innovation

Achieved ~99% WAN link utilization

Page 10: Internet2 SDN Backbone

[Slide shows the Internet2 SDN Backbone, dated 7/2012]

Page 11: Internet2 Backbone Routers

Source: http://routerproxy.grnoc.iu.edu/al2s/

Page 12: Internet2 OpenFlow flows installed …

Source: http://routerproxy.grnoc.iu.edu/al2s/

Page 13: A few more SDN Announcements

[Slide shows SDN announcements dated 3/2014, 10/2012 and 12/2015]

Page 14: Other Deployment Examples

Where are they?

Another POV: “the demise of OpenFlow has been greatly exaggerated”

Page 15: So … what (else) is OpenFlow good for?

Page 16: SDN Use Cases

The slide groups the use cases under three headings: CONTROL, AUTOMATION and VISIBILITY.

•  Volumetric Attack Mitigation
•  Elephant Flow Management
•  Firewall Bypass
•  Policy Based Flow Forwarding
•  Botnet Attack Mitigation
•  SDN Based MPLS Traffic Engineering
•  Bandwidth Scheduler
•  Packet-Optical Integration
•  WAN Network Virtualization
•  Flow Metering
•  SDN Based Wiretap
•  VXLAN Monitoring

Page 17: L2-L4 DDoS Mitigation Example Network: Volumetric Attack Mitigation

[Diagram: Internet → BGP Border Router (hybrid) → two Core Routers; an Open Daylight controller running an SDN App sees the Incoming Attack Flow and applies the mitigation “Discard Flow”]

Page 18: Flow Metering & Accounting: Improve network utilization and reliability

Flow Optimizer: shipping, GA in May 2015; Committed for v1.1

[Diagram: a Campus / DC router performs normal L2/L3 forwarding toward the WAN / Internet (WAN or DC network); an sFlow Collector feeds the flow parameters of interesting traffic to the SDN App (Flow Control Analytic), which installs an OF rule to rate limit, i.e. OF-based metering, on the router]

Page 19: Traditional REN “Science-DMZ”: Campus Firewall is a Performance Bottleneck

[Diagram: the WAN connects over a 100 GbE link to a Science DMZ switch (10G/40G ports) serving high-performance Data Transfer Nodes with high-speed storage; the Enterprise Border Router/Firewall sits on a separate 10/40 GbE link]

•  Traditional Science-DMZ architecture connects science LAN outside FW
•  Creates security exposure?

Source: https://fasterdata.es.net/science-dmz/

Page 20: SDN for Policy-Based Firewall Insertion / Bypass

[Diagram: Enterprise Datacenter 1 and Enterprise Datacenter 2 connected across the WAN / Internet; the Default Traffic Flow passes through an Inline Firewall, a One-armed Firewall is attached to the network, and the Trusted Traffic Flow is steered by the SDN Controller and SDN App]

Operator driven or sFlow threshold driven policy enforcement for large trusted flows

Page 21: Elephant Flow Management: Dynamic and Programmatic Action for an Efficient Network

Target for v1.2

[Diagram: a Campus / DC router with normal forwarding toward the WAN / Cloud; the sFlow Collector passes matched-flow parameters and an action to the SDN App (Flow Policy Monitor), which installs OF matching rules; Regular Traffic stays on its normal path while elephants are Re-directed onto Dedicated paths or Re-marked Critical, programmable / scheduled via the Northbound API]

Page 22: Or keep doing this?

route-map <name> permit 50
 match ip address 50
 set ip next-hop 172.16.10.10
route-map <name> permit 51
 match ip address 51
 set ip next-hop 172.16.11.11
route-map test permit 101
 rule-name <name>
 match ip address <ipv4-prefix-list>
 match ipv6 address <ipv6-prefix-list>
 set next-hop-flood-vlan 1013
 set interface null0
route-map <name> permit 102
 rule-name <name>
 match ip address <ipv4-prefix-list>
 match ipv6 address <ipv6-prefix-list>
 set next-hop-flood-vlan 1123
 set interface null0

ip access-list extended <name>
 permit ip any host 10.250.64.2
 permit ip any host 10.250.120.0
 permit ip any host 10.110.65.6
 permit ip any host 10.2333.120.4
 deny udp any host 10.223.98.8 eq 2152
 deny udp any host 10.223.98.5 eq 2152
 deny udp any host 10.223.98.3 eq 2152
 deny udp any eq 2152 host 10.223.98.8
 deny udp any eq 2152 host 10.223.98.5
 deny udp any eq 2152 host 10.223.98.3
 permit ip any host 10.119.65.7
 permit ip any host 10.119.65.11
access-list 10 permit any
access-list 50 permit 10.100.64.0 0.0.0.255
access-list 165 permit ip host 10.142.64.31 10.196.48.0 0.0.0.255
access-list 165 permit ip 10.62.64.0 0.0.0.255 host 10.79.213.25
access-list 165 permit ip host 10.72.64.2 host 10.79.213.11
ip access-list extended <name>
 permit vlan 1250 ip any any
 permit vlan 1251 ip any any

Page 23: What about OpenFlow with MPLS?

•  Different LSPs for application/traffic prioritization and traffic-engineering
•  Classification at ingress into appropriate TE’d LSP (aka: flow-based forwarding)
•  OF granularity for classification
•  May also provide ingress policing/metering (e.g. CAC function)

[Diagram: two Data Centers connected through LER1 and LER3 across an MPLS WAN carrying multiple RSVP-signaled LSPs (Gold, Silver, Bronze, etc.); an SDN App programs the ingress LER]

•  OpenFlow rules for per-Application classification (and metering) applied at ingress LER
•  Redirect action into MPLS LSP

Page 24: But … there’s more! How do you get packet captures?

Page 25: Current Network Visibility Mode of Operation

•  Problem 1
  ‒ Obtaining data plane traffic visibility in production networks is *very* challenging
  ‒ Network probes are commonly deployed; or a dedicated out-of-band visibility network is deployed
    •  Both approaches increase CAPEX
    •  Both approaches limit the visibility of traffic to specific aggregation points in the network, either due to where the probes are deployed or where the network is tapped to send flows to the visibility fabric
•  Problem 2
  ‒ Provisioning and operating a dynamic visibility solution is not efficient, nor in real-time
    •  Hampers ability to troubleshoot real-time performance problems

Page 26: Current Network Visibility Mode of Operation (continued)

•  Problem 3
  ‒ Networking devices have many limitations in terms of providing specific data traffic to be monitored
  ‒ Switch/Router SPAN/RSPAN mirrors *all* traffic from one port to another port
  ‒ ACL-based port mirroring can provide traffic granularity; however …
    •  At the expense of very complex CLI configurations
    •  Lacks an efficient & dynamic update capability
    •  Has scalability limitations
    •  No central repository of these distributed, network-wide ACL-based port mirroring configurations

Page 27: SDN-based Inline Packet Capture Example

•  No network taps or probes
•  Per-flow “in-line” visibility
•  Surgical mirroring
•  Centralized control
•  No complex router configurations (ACL, PBR, SPAN, etc)

No separate Visibility network required. Committed for v1.1.

[Diagram: a Router in the DC or Campus network with an SDN FlowTap ahead of the Normal Forwarding Pipeline; the SDN App supplies the Flow parameters, and matching packets arriving on the Ingress Port are copied to the Tool(s) / Analytics Network]
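Pages 17, 18 and 27 each reduce to a single OpenFlow rule pushed by the SDN app: a discard rule for the attack flow, a meter instruction for rate limiting, and a mirror-plus-normal-forward for FlowTap. The Python below is an added example, not code from the presentation or from Brocade, and encodes those three rules as OpenFlow 1.3 OFPT_FLOW_MOD messages straight from the spec's wire format; the victim address 192.0.2.10, UDP port 53, meter id 7 and tool port 48 are constructed sample values.

```python
import ipaddress
import struct

# OpenFlow 1.3 wire constants from the spec (added example, not Brocade or presentation code)
OFP_VERSION, OFPT_FLOW_MOD, OFPFC_ADD = 4, 14, 0
OFPP_NORMAL, OFPP_ANY, OFPG_ANY, OFP_NO_BUFFER = 0xFFFFFFFA, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF
OXM_CLASS_BASIC = 0x8000
OXM_ETH_TYPE, OXM_IP_PROTO, OXM_IPV4_DST, OXM_UDP_DST = 5, 10, 12, 16
OFPIT_APPLY_ACTIONS, OFPIT_METER, OFPAT_OUTPUT = 4, 6, 0


def oxm(field, value):
    """One OXM TLV: class, (field << 1 | hasmask=0), payload length, payload."""
    return struct.pack("!HBB", OXM_CLASS_BASIC, field << 1, len(value)) + value


def match_udp_to(dst_ip, dst_port):
    """ofp_match (OFPMT_OXM) for IPv4/UDP packets to one host:port, padded to 8 bytes."""
    fields = (oxm(OXM_ETH_TYPE, struct.pack("!H", 0x0800))
              + oxm(OXM_IP_PROTO, bytes([17]))
              + oxm(OXM_IPV4_DST, ipaddress.IPv4Address(dst_ip).packed)
              + oxm(OXM_UDP_DST, struct.pack("!H", dst_port)))
    length = 4 + len(fields)                      # per spec, length excludes the trailing pad
    return struct.pack("!HH", 1, length) + fields + b"\x00" * (-length % 8)


def apply_output(*ports):
    """OFPIT_APPLY_ACTIONS with one OFPAT_OUTPUT action per port (max_len=0)."""
    actions = b"".join(struct.pack("!HHIH6x", OFPAT_OUTPUT, 16, p, 0) for p in ports)
    return struct.pack("!HH4x", OFPIT_APPLY_ACTIONS, 8 + len(actions)) + actions


def meter_instruction(meter_id):
    """OFPIT_METER: send matching packets through a meter created earlier via OFPT_METER_MOD."""
    return struct.pack("!HHI", OFPIT_METER, 8, meter_id)


def flow_mod(match, instructions=b"", priority=1000, idle_timeout=300, xid=1):
    """OFPT_FLOW_MOD / OFPFC_ADD in table 0. No instructions = empty action set = drop."""
    body = struct.pack("!QQBBHHHIIIH2x", 0, 0, 0, OFPFC_ADD, idle_timeout, 0,
                       priority, OFP_NO_BUFFER, OFPP_ANY, OFPG_ANY, 0)
    length = 8 + len(body) + len(match) + len(instructions)
    return struct.pack("!BBHI", OFP_VERSION, OFPT_FLOW_MOD, length, xid) + body + match + instructions


# Constructed sample values: victim 192.0.2.10 (TEST-NET-1) UDP/53, meter id 7, tool port 48.
victim = match_udp_to("192.0.2.10", 53)
discard_rule = flow_mod(victim)                                  # page 17: discard the attack flow
rate_limit_rule = flow_mod(victim, meter_instruction(7))         # page 18: OF-based metering
mirror_rule = flow_mod(victim, apply_output(48, OFPP_NORMAL), idle_timeout=0)  # page 27: FlowTap
```

The discard rule carries an idle timeout so it ages out once the attack stops; the meter band itself has to be created on the switch with a separate OFPT_METER_MOD before the rate-limit rule is installed.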

Page 28: Conclusions

•  OF-based SDN is here. Deployed …
  ‒ A few examples provided
  ‒ OF-based forwarding of normal traffic; network transport
  ‒ Centralized control plane
•  OF-based SDN can solve many other problems
  ‒ As a tool for programmatic control of policy
  ‒ Centrally managed ACL & PBR replacement
  ‒ OF-based exception handling of interesting traffic; network services
•  Normal traffic forwarded normally
  ‒ Solves various operational use cases