topology service injection using dragonflow & kuryr
TRANSCRIPT
Topology Service Injection using Dragonflow & Kuryr Eshed Gal-Or, Huawei
Everyone wants to deploy Cloud
But it’s tough…
Especially, Network Services
Topology Service Injection: What is it?

Service Function Chaining Characteristics
[Figure: two compute nodes, each with an OVS and a service endpoint. Compute Node 1 chains EP 1 -> OVS -> LB -> FW; Compute Node 2 chains EP 2 -> OVS -> IPS -> DPI -> NAT.]
− Classifier for the entry point
− Static or dynamic chains
− Transport/encapsulation: NSH, MPLS, app ports, …
− Service functions: VMs, containers, physical devices, user-space apps
Topology Service Injection
[Figure: a Logical Router connects two Logical Switches; VM 1 and VM 2 sit on one switch, VM 3 on the other. Successive slides inject services into this topology without changing it: first DPI, then DSCP Marking, then Distributed Load Balancing, each shown alongside the previously injected services.]
Topology Service Injection / Pipeline Service Injection
[Figure: a Compute Node running OVS with VM 1 and VM 2 attached; the OVS pipeline is Table 0 -> Table 1 -> … -> Table N. An External App owns its own table in that pipeline (External App Table), which it programs over OpenFlow or another API.]
Example: Intrusion Prevention Service (IPS)
Deployment Challenges
− In-line (sits in the data path: bandwidth, DoS)
− Dynamic topology (must stay close to the target)
− Transparent ("under the hood")
− Cloud automation (infra vs. workload)
Out-of-line Deployment
[Figure: Host running a VM with the App behind a vSwitch; ingress passes a Switch w/ TAP and then a FW; the replicated ingress goes to a separate IPS appliance.]
Ingress is replicated by a TAP and sent to both the target and the offline IPS appliance.
Some IPS will actively close malicious flows by adding specific rules to the perimeter firewall.
In-line Deployment
[Figure: Host running a VM with the App behind a vSwitch; ingress enters an IPS Device with a Slow Path and a Fast Path before reaching the vSwitch.]
The IPS device is deployed in-line, using a slow path for classification and a fast path for forwarding.
If the device becomes overwhelmed with too much traffic, it switches to "allow all" (fail-open) to refrain from a complete DoS.
Service Function Chaining: OpenStack Neutron SFC
[Figure: Host with an App VM and an IPS VM, both attached to the vSwitch; ingress traffic is steered over the vSwitch overlay network (tunnel) through the IPS VM and on to the App VM.]
The IPS service function is deployed as a VM on the App tenant's virtual network.
A port chain is created with Neutron SFC.
Topology Injected SDN Application: Dragonflow and Kuryr
[Figure: Host with an App VM and a vSwitch; the IPS runs in a Docker container and talks to the Dragonflow (DF) controller over the DF API (based on OpenFlow or P4).]
The IPS App can register as an SDN application on Dragonflow, and operate either in "Reactive" mode (it sees the first frame) or "Proactive" mode (it sets a private pipeline in the vSwitch).
Distributed SDN Application: Attack Flow
[Figure: two hosts, each with an App VM and a vSwitch; the IPS container and the DF controller run on one of them. Steps 1-3 mark the path of the offending traffic.]
The IPS App can even be deployed on a different host than its protected VM, inject itself into the datapath, and then terminate an offending VM directly at the source.
Distributed SDN Application: Normal Flow
[Figure: the same two-host layout; steps 1-3 mark the path of a cleared flow.]
If the traffic is cleared to go through, the IPS App can create a direct flow from the originating host to the target host.
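The attack and normal flows above, worked through in code as an added example that is not Dragonflow, Kuryr or Huawei code: a small OpenFlow-style multi-table pipeline in Python, and an IPS app that injects its own table into every host's pipeline, runs reactively on the first frame, and then programs the fast path with either a drop at the source host or a direct forwarding flow. `Packet`, `Flow`, `Pipeline`, `IPSApp`, the host and VM names and the `EVIL` signature are all constructed for illustration.

```python
"""Reactive vs. proactive service injection, modelled on a small
multi-table OpenFlow-style pipeline (added example, not Dragonflow code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Flow:
    priority: int
    match: Dict[str, object]   # exact-match on Packet fields; {} matches everything
    action: str                # "goto:<table>", "output:<port>", "drop" or "controller"
    packets: int = 0

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, k) == v for k, v in self.match.items())


class Pipeline:
    """Per-host vSwitch: tables 0..n-1, highest-priority matching flow wins."""

    def __init__(self, n_tables: int) -> None:
        self.tables: List[List[Flow]] = [[] for _ in range(n_tables)]

    def add_flow(self, table: int, flow: Flow) -> None:
        self.tables[table].append(flow)
        self.tables[table].sort(key=lambda f: -f.priority)

    def process(self, pkt: Packet) -> Tuple[str, List[int]]:
        """Walk the pipeline from table 0; return (terminal action, tables visited)."""
        table, visited = 0, []
        while True:
            visited.append(table)
            hit: Optional[Flow] = next((f for f in self.tables[table] if f.matches(pkt)), None)
            if hit is None:                       # table-miss: drop
                return "drop", visited
            hit.packets += 1
            if hit.action.startswith("goto:"):
                table = int(hit.action.split(":", 1)[1])
                continue
            return hit.action, visited


class IPSApp:
    """SDN app that owns a private table in every host's pipeline."""
    IPS_TABLE = 1
    BAD_SIGNATURE = b"EVIL"   # constructed stand-in for a real IPS signature

    def __init__(self, hosts: Dict[str, Pipeline]) -> None:
        self.hosts = hosts
        self.packet_ins = 0
        for pipe in hosts.values():
            # table 0 (classifier) steers every frame through the IPS table
            pipe.add_flow(0, Flow(10, {}, f"goto:{self.IPS_TABLE}"))
            # reactive mode: an IPS table-miss punts the first frame to the app
            pipe.add_flow(self.IPS_TABLE, Flow(0, {}, "controller"))

    def packet_in(self, host: str, pkt: Packet) -> str:
        """Reactive path: inspect the first frame, then program the fast path."""
        self.packet_ins += 1
        pipe = self.hosts[host]
        if self.BAD_SIGNATURE in pkt.payload:
            # attack flow: terminate the offender at its source host
            pipe.add_flow(self.IPS_TABLE, Flow(100, {"src": pkt.src}, "drop"))
            return "drop"
        # normal flow: direct fast path to the target, no further packet-ins
        match = {"src": pkt.src, "dst": pkt.dst, "dport": pkt.dport}
        pipe.add_flow(self.IPS_TABLE, Flow(50, match, f"output:{pkt.dst}"))
        return f"output:{pkt.dst}"

    def proactive_block(self, host: str, src: str) -> None:
        """Proactive mode: program the private table before any frame arrives."""
        self.hosts[host].add_flow(self.IPS_TABLE, Flow(100, {"src": src}, "drop"))


def send(app: IPSApp, host: str, pkt: Packet) -> Tuple[str, bool]:
    """Inject pkt at host; return (final action, whether the app had to see it)."""
    action, _ = app.hosts[host].process(pkt)
    if action == "controller":
        return app.packet_in(host, pkt), True
    return action, False


def run_demo() -> Dict[str, object]:
    app = IPSApp({"host-a": Pipeline(3), "host-b": Pipeline(3)})
    clean = Packet("vm1", "vm3", 80, b"GET / HTTP/1.1")    # constructed
    evil = Packet("vm2", "vm3", 80, b"GET /?q=EVIL")        # constructed
    results: Dict[str, object] = {
        "clean_first": send(app, "host-a", clean),    # reactive: reaches the app
        "clean_second": send(app, "host-a", clean),   # fast path only
        "evil_first": send(app, "host-a", evil),      # app installs drop at source
        "evil_second": send(app, "host-a", evil),     # dropped in the vSwitch
    }
    app.proactive_block("host-b", "vm9")
    results["proactive"] = send(app, "host-b", Packet("vm9", "vm3", 443))
    results["packet_ins"] = app.packet_ins
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point to notice is that the app is only consulted once per flow (the two `True` results); everything after that is decided by the flow the app pushed into the source host's table, which is what lets an IPS on another host stop an offending VM before its traffic ever crosses the overlay.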
What is it, anyway?

What is Dragonflow?
− Native distributed SDN for OpenStack Neutron
− Light, simple, scalable, 100% open source
− Advanced virtual network services: L2, L3, DHCP, Security Groups, Multicast
− Active community under the OpenStack "Big Tent"
Dragonflow Distributed SDN
[Figure: the Neutron-Server with the Dragonflow Plugin writes to a shared DB; every Compute Node runs OVS plus its own local Dragonflow instance with a DB Driver that reads from that DB, and hosts the VMs.]
Dragonflow "Under The Hood"
[Figure: on each Compute Node, User Space holds Dragonflow, the OVSDB-Server and OVS, and Kernel Space holds the OVS Kernel Datapath Module above the NIC. The Neutron Server and the Network DB (OVSDB, ETCD, RethinkDB or RAMCloud) sit outside the compute nodes.]
Dragonflow DB Drivers
− OVSDB, ETCD, RethinkDB, RMC (RAMCloud); more in the future
[Figure: Dragonflow architecture. Top: the Dragonflow Plugin (Core API, Route, SG) and the Container / VM workloads. Middle: the Dragonflow Controller with an Abstraction Layer hosting the apps (L2 App, L3 App, DHCP App, IGMP App, Fault Detection, LBaaS, SG, FWaaS, …). Bottom: a Pluggable DB Layer with NB DB Drivers (OVSDB, ETCD, RMC, RethinkDB) and SB DB Drivers (OVSDB, smartNIC), plus OpenFlow down to vswitchd.]
Dragonflow Apps
[Figure: the DF Plugin feeds the DF Controller; the controller programs the OVS Bridge (an OpenFlow switch with ingress and egress) with Match-Action OpenFlow rules that form the Dragonflow "Pipeline". DF Apps speak OpenFlow through the controller; an External App / SDN App uses the DF APIs and attaches through an App port.]
Example: Dragonflow Distributed DHCP Application

OpenStack Neutron DHCP Implementation
[Figure: a Network Node running one DHCP namespace per network, each with a dnsmasq, managed by the DHCP Agent, which talks to the Neutron Server over the Message Queue.]
Example: 100 tenants • 3 vNets / tenant = 300 DHCP servers
Dragonflow Distributed DHCP
1 VM sends DHCP_DISCOVER
2 Flow is classified as DHCP and forwarded to the controller
3 DHCP App sends DHCP_OFFER back to the VM
4 VM sends DHCP_REQUEST
5 Flow is classified as DHCP and forwarded to the controller
6 DHCP App populates DHCP_OPTIONS from DB/CFG and sends DHCP_ACK
7 VM receives the DHCP_ACK and applies the configuration
[Figure: sequence diagram between the VM and the DHCP server role, and the Compute Node view: VMs attach to br-int through qvoXXX ports; an OpenFlow rule on br-int punts steps 2 and 5 to the local Dragonflow Controller, whose DHCP App (beside the L2 App, L3 App and SG in the Abstraction Layer) answers steps 3 and 6 using the Pluggable DB Layer.]
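Steps 1-7 above, carried out in code as an added example that is not Dragonflow's DHCP app: a minimal BOOTP/DHCP parser and builder, and the DHCP App logic that answers a punted DISCOVER with an OFFER and a REQUEST with an ACK, taking the options from a port database rather than from a dnsmasq. `PORT_DB`, `SERVER_IP`, the MAC and IP values and the function names are constructed. The app only leases the fixed IP bound to the requesting port's MAC, NAKs a request for any other address, and stays silent for an unknown MAC, which is the behaviour you want when the same controller also enforces port security.

```python
"""Distributed DHCP as an SDN app: the local controller answers DISCOVER and
REQUEST itself from its port database, instead of a dnsmasq per network.
Added example, not Dragonflow's DHCP app; names and addresses are constructed."""
import ipaddress
import struct
from typing import Dict, Optional, Tuple

MAGIC = b"\x63\x82\x53\x63"                    # DHCP magic cookie after the BOOTP header
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_REQUESTED_IP = 1, 3, 6, 50
OPT_LEASE, OPT_MSGTYPE, OPT_SERVER_ID = 51, 53, 54
BOOTP_FMT = "!BBBB4sHH4s4s4s4s16s64s128s"     # op .. file, 236 bytes

SERVER_IP = "10.0.0.2"                         # virtual DHCP server address (constructed)
LEASE_SECS = 86400
# Constructed stand-in for the Dragonflow NB DB: port MAC -> fixed IP and subnet config.
PORT_DB: Dict[str, Dict[str, str]] = {
    "fa:16:3e:00:00:01": {"ip": "10.0.0.5", "cidr": "10.0.0.0/24",
                          "gateway": "10.0.0.1", "dns": "10.0.0.2"},
}


def ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_dhcp(op: int, msgtype: int, xid: bytes, mac: str, yiaddr: str,
               options: Dict[int, bytes]) -> bytes:
    """Serialize a BOOTP/DHCP message; the message type is always the first option."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    siaddr = ip4(SERVER_IP) if op == BOOTREPLY else b"\0" * 4
    fixed = struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, 0, b"\0" * 4, ip4(yiaddr),
                        siaddr, b"\0" * 4, chaddr, b"\0" * 64, b"\0" * 128)
    body = bytes([OPT_MSGTYPE, 1, msgtype])
    for code, value in options.items():
        body += bytes([code, len(value)]) + value
    return fixed + MAGIC + body + b"\xff"


def parse_dhcp(data: bytes) -> Tuple[bytes, str, str, Dict[int, bytes]]:
    """Return (xid, client MAC, yiaddr, options) from a raw DHCP message."""
    if len(data) < 240 or data[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = data[2]
    mac = ":".join(f"{b:02x}" for b in data[28:28 + hlen])
    yiaddr = str(ipaddress.IPv4Address(data[16:20]))
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(data) and data[i] != 255:    # 255 = end option
        if data[i] == 0:                       # 0 = pad
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return data[4:8], mac, yiaddr, opts


def handle_packet_in(data: bytes) -> Optional[bytes]:
    """DHCP App logic for a frame punted by the 'classify as DHCP' flow."""
    xid, mac, _, opts = parse_dhcp(data)
    msgtype = opts.get(OPT_MSGTYPE, b"\0")[0]
    port = PORT_DB.get(mac)
    if port is None:          # unknown or spoofed MAC: no lease, stay silent
        return None
    net = ipaddress.IPv4Network(port["cidr"])
    opts_out = {OPT_SERVER_ID: ip4(SERVER_IP), OPT_LEASE: struct.pack("!I", LEASE_SECS),
                OPT_SUBNET: net.netmask.packed, OPT_ROUTER: ip4(port["gateway"]),
                OPT_DNS: ip4(port["dns"])}
    if msgtype == DISCOVER:   # step 3: OFFER the port's fixed IP
        return build_dhcp(BOOTREPLY, OFFER, xid, mac, port["ip"], opts_out)
    if msgtype == REQUEST:    # step 6: ACK only the address bound to this port
        wanted = opts.get(OPT_REQUESTED_IP)
        if wanted is not None and wanted != ip4(port["ip"]):
            return build_dhcp(BOOTREPLY, NAK, xid, mac, "0.0.0.0",
                              {OPT_SERVER_ID: ip4(SERVER_IP)})
        return build_dhcp(BOOTREPLY, ACK, xid, mac, port["ip"], opts_out)
    return None               # other message types are not handled here


def run_exchange() -> Dict[str, object]:
    """Walk steps 1-7 for one constructed VM port, plus two rejected cases."""
    mac, xid = "fa:16:3e:00:00:01", b"\x12\x34\x56\x78"
    offer = handle_packet_in(build_dhcp(BOOTREQUEST, DISCOVER, xid, mac, "0.0.0.0", {}))
    _, _, offered_ip, offer_opts = parse_dhcp(offer)
    ack = handle_packet_in(build_dhcp(BOOTREQUEST, REQUEST, xid, mac, "0.0.0.0",
                                      {OPT_REQUESTED_IP: ip4(offered_ip)}))
    nak = handle_packet_in(build_dhcp(BOOTREQUEST, REQUEST, xid, mac, "0.0.0.0",
                                      {OPT_REQUESTED_IP: ip4("10.0.0.99")}))
    stranger = handle_packet_in(build_dhcp(BOOTREQUEST, DISCOVER, xid,
                                           "fa:16:3e:ff:ff:ff", "0.0.0.0", {}))
    return {
        "offer_type": offer_opts[OPT_MSGTYPE][0],
        "offered_ip": offered_ip,
        "router": str(ipaddress.IPv4Address(offer_opts[OPT_ROUTER])),
        "ack_type": parse_dhcp(ack)[3][OPT_MSGTYPE][0],
        "ack_ip": parse_dhcp(ack)[2],
        "nak_type": parse_dhcp(nak)[3][OPT_MSGTYPE][0],
        "stranger": stranger,
    }


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(name, value)
```

In a real deployment the bytes handed to `handle_packet_in` would be the UDP payload of the frame punted by the DHCP classifier flow, and the reply would be sent back out through the same port; the DB lookup is the whole reason the 300-server example above collapses to one app per compute node.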
Kuryr: Dragonflow and Containers Network
Similar Concepts
[Figure: Docker side: containers C1, C2 and C3 each have a Network Sandbox with Endpoints on a Frontend Network and a Backend Network managed by libNetwork. Neutron side: Tenant A Net1 (192.168.1.0) with VM1 at 192.168.1.5 and VM2 at 192.168.1.7, and Tenant A Net2 (192.168.5.0) where VM2 also has 192.168.5.2.]
Nested Containers: (Overlay)² Problem
[Figure: a Compute Node with a VM; inside the VM, Docker0 carries a Flannel Overlay, which rides on top of the Neutron Overlay provided by BR-INT and BR-TUN on the node, so container traffic is encapsulated twice.]
… as the production-ready networking abstraction containers need
Kuryr Overview
[Figure: Kuryr components: Docker libNetwork Remote Driver, Docker libNetwork IPAM Driver, K8S CNI Driver, Configuration Management, Authentication, Neutron Client and Generic VIF Binding; Docker Swarm on the consumer side; through Neutron, any backend: Midonet, Dragonflow, OVN, any other.]
Mixed OpenStack Environments
[Figure: a Compute Node with Dragonflow OVS (Controller: Dragonflow) and IPVLAN / OVS binding; VMs and containers share Neutron network 1, Neutron network 2 and Neutron network 3.]
Inherited Network Features from Neutron
− Security Groups
− Subnet Pools
− NAT (SNAT / DNAT – Floating IP)
− Port Security (ARP spoofing protection)
− QoS
− Quota Management
− Neutron pluggable IPAM
− Well-integrated COE load balancing through Neutron
− FWaaS for Containers
− Many more as Neutron progresses…
Thanks