Slide 1
Basic network flows; OpenFlow as a datapath programming standard
http://zoo.cs.yale.edu/classes/cs434/
Geng Li, 01/23/2017
Slide 2
CS434/534: Topics in Networked (Networking) Systems
Basic Network Workflows; OpenFlow as a Datapath Programming Standard
Geng Li
Computer Science Department, Yale University
205 Watson
Email: geng.li@yale.edu
http://zoo.cs.yale.edu/classes/cs434/
Slide 3
CS434/534: Topics in Networked (Networking) Systems
High-Level Language for Programmable Networks
http://zoo.cs.yale.edu/classes/cs434/
Y. Richard Yang
01/25/2017
Slide 4
Outline
What is the data structure used in current systems?
How is the data structure programmed currently?
SDN and OpenFlow: abstraction and extension of current data structures, and a new way to program it
How can the more general OF model be implemented efficiently?
Slide 5
Background: Current Model
What happens when you visit mail.google.com?
Slide 6
DNS: Domain Name System
Translates domain names to numerical IP addresses
DNS cache in the web browser: chrome://net-internals/#dns
DNS cache in the hosts file or the operating system
hosts: %systemroot%\system32\drivers\etc (Windows)
hosts: /etc/hosts (Linux)
ipconfig /displaydns (Windows)
DNS servers
Slide 7
Domain Name Space
Query servers
Root zone
.org zone, .com zone, .cn zone
others.com zone, google.com zone
others.google.com, mail.google.com, …
Slide 8
After getting the IP address
TCP connection: transport layer (4)
HTTP access: application layer (7)
Slide 9
Datapath: Example 1 (same network): A -> B
Look up the destination address in the routing table; find that the destination is on the same network
Hand the datagram to the link layer to send inside a link-layer frame
Slide 10
Datapath: Example 2 (different networks): A -> E
Look up the destination address in the routing table; the routing table says the next-hop router toward the destination is 223.1.1.4
Hand the datagram to the link layer to send to router 223.1.1.4 inside a link-layer frame
Slide 11
Look Inside a Router
Two key router functions:
run routing algorithms/protocols (RIP, OSPF, BGP)
switch datagrams from incoming to outgoing ports
Slide 12
Input Port Functions
Slide 13
Output Ports
Buffering is required when datagrams arrive from the fabric faster than the transmission rate
Queueing (delay) and loss occur due to output port buffer overflow!
Scheduling and queue/buffer management choose among queued datagrams for transmission
Slide 14
Datapath: Example 2 (different networks): A -> E
Look up the destination address in the router's forwarding table; E is on the same network as the router's interface 223.1.2.9
The link layer sends the datagram to 223.1.2.3 inside a link-layer frame via interface 223.1.2.9
Slide 15
Link Layer Services
Framing: encapsulate the datagram into a frame, adding header, trailer and error detection/correction
Multiplexing/demultiplexing: frame headers identify src and dest
Media access control
Forwarding/switching within a link-layer (Layer 2) domain: in most link layers, each adapter has a unique link-layer address (also called a MAC address)
Reliable delivery between adjacent nodes: we learned how to do this already! Seldom used on low bit-error links (fiber, some twisted pair); common for wireless links, which have high error rates
Slide 16
Comparison of IP Address and MAC Address
IP address is a locator: the address depends on the network to which an interface is attached; this introduces features for routing scalability; an IP address needs to be globally unique (if no NAT)
MAC address is an identifier: dedicated to a device; flat; a MAC address does not need to be globally unique, but the current assignment ensures uniqueness
Slide 17
ARP: Address Resolution Protocol
ARP table: IP/MAC address mappings
ARP is "plug-and-play": nodes create their ARP tables without intervention from the network administrator
A broadcast protocol: the source broadcasts a query frame containing the queried IP address; all machines on the LAN receive the ARP query; destination D receives the ARP frame and replies; the reply frame is sent to A's MAC address (unicast)
Slide 18
Recall Earlier Routing Discussion
Starting at A, given an IP datagram addressed to E:
look up the network address of E, find C
the link layer sends the datagram to C inside a link-layer frame; the destination address should be C's MAC address
Slide 19
Router vs. Switch
Layer 3 routing: match on IP prefix
Layer 2 switching: match on MAC
Slide 20
Outline
What are the data structures used in current systems?
Slide 21
Table, Table, Table
Various kinds of tables: fast-forwarding table; 5-tuple to identify a flow (source IP address/port number, destination IP address/port number and the protocol); …
Look up: forward, switch, route, …
Slide 22
Outline
What is the data structure used in current systems?
How is the data structure programmed currently?
Slide 23
How are the tables computed?
Routing algorithms/protocols
Distance vector protocols: RIP, …
Link state protocols: OSPF, …
(Figure: example topology with link labels 1M and 5M)
Slide 24
Distributed Computing
Distributed computing is hard, e.g., FLP Impossibility Theorem, Arrow's Impossibility Theorem
Neighbors; network changes
Interact with each other; by relay; share local information
Slide 25
An Evolution View of Intradomain Routing Toward SDN
Distance Vector: Datapath; Distributed Bellman-Ford
Distributed Link State: Datapath; Distributed Link State; Dijkstra
Logically Central Link State: Datapath; Distributed Link State; Dijkstra; Link State (control)
SDN: Datapath; Control; notification/management/control protocol
Slide 26
Outline
What is the data structure used in current systems?
How is the data structure programmed currently?
SDN and OpenFlow: abstraction and extension of current data structures, and a new way to program it
Slide 27
Software-Defined Networking (SDN)
Directly programmable
Agile
Centrally managed
Programmatically configured
Open standards-based and vendor-neutral
https://www.opennetworking.org/sdn-resources/sdn-definition
Slide 28
SDN: Separation of data and control planes
Traditional: each device has its own Datapath and Control
SDN: devices keep only the Datapath; a separate Control talks to each datapath over a standard control protocol
Slide 29
SDN: Programmable Network
Easy to generate, add, modify and remove the table in hardware
Now just defining a centralized control function: Configuration = Function(view)
Source: Xinjie Chen, Pinging Lab
Slide 30
What is OpenFlow?
The first standard communications protocol defined between controller and switch.
(Figure: OpenFlow Controller (software) connected to the switch (hardware) over the OpenFlow protocol)
Slide 31
How does it work? – Matching and Action
Controller installs packet-forwarding rules
Datapath performs forwarding
Packet coming -> matching -> action
Slide 32
OpenFlow: Flow table
Contains a set of flow entries to apply to matching packets
Slide 33
OpenFlow: Flow entry/rule
match fields: to match against packets. These consist of the ingress port and packet headers, and optionally other pipeline fields such as metadata specified by a previous table.
priority: matching precedence of the flow entry.
counters: updated when packets are matched.
instructions: to modify the action set or pipeline processing.
timeouts: maximum amount of time or idle time before the flow is expired by the switch.
cookie: opaque data value chosen by the controller. May be used by the controller to filter flow entries affected by flow statistics, flow modification and flow deletion requests. Not used when processing packets.
flags: flags alter the way flow entries are managed; for example, the flag OFPFF_SEND_FLOW_REM triggers flow removed messages for that flow entry.
Slide 34
OpenFlow: Match Fields
Match Fields | Action | Stats
Match fields: Switch Port, MAC src, MAC dst, Eth type, VLAN ID, VLAN pcp, IP Src, IP Dst, IP Prot, IP ToS, L4 sport, L4 dport
+ mask what fields to match
Source: Scott Shenker, UC Berkeley
Slide 35
Examples
Columns: Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action
Switching:      * | * | 00:1f:.. | * | * | * | * | * | * | * | port6
Flow Switching: port3 | 00:20.. | 00:1f.. | 0800 | vlan1 | 1.2.3.4 | 5.6.7.8 | 4 | 17264 | 80 | port6
Firewall:       * | * | * | * | * | * | * | * | * | 22 | drop
Source: Scott Shenker, UC Berkeley
Slide 36
Examples
Columns: Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action
Routing:        * | * | * | * | * | * | 5.6.7.8 | * | * | * | port6
VLAN Switching: * | * | 00:1f.. | * | vlan1 | * | * | * | * | * | port6, port7, port9
Source: Scott Shenker, UC Berkeley
Slide 37
OpenFlow: Flow entry/rule
"Open" is real; "Flow" is fake
Flows are broadly defined, and are limited only by the capabilities of the particular implementation of the Flow Table
Slide 38
OpenFlow: Action
Match Fields | Action | Stats
Match fields: Switch Port, MAC src, MAC dst, Eth type, VLAN ID, VLAN pcp, IP Src, IP Dst, IP Prot, IP ToS, L4 sport, L4 dport (+ mask what fields to match)
Action: forward packet to zero or more ports; encapsulate and forward to controller; send to normal processing pipeline; modify fields; any extensions you add!
Stats: packet + byte counters
Source: Scott Shenker, UC Berkeley
Slide 39
OpenFlow: Table-miss
No match is found???
A table-miss flow entry processes table misses
It may send packets to the controller, drop packets or direct packets to a subsequent table.
Slide 40
OpenFlow: Flow entry/rule
Reactive:
First packet of a flow triggers the controller to insert flow entries
Efficient use of the flow table
Every flow incurs a small additional flow setup time
If the control connection is lost, the switch has limited utility
Proactive:
Controller pre-populates the flow table in the switch
Zero additional flow setup time
Loss of the control connection does not disrupt traffic
Essentially requires aggregated (wildcard) rules
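The flow entry, match-field, table-miss and reactive/proactive slides above (slides 33 to 40) can be tied together in one small model. The following is an added example written for this page, not code from the slides or from any OpenFlow switch or controller: a flow table whose entries carry wildcard match fields, a priority and counters, a priority-0 table-miss entry that sends unmatched packets to a controller, and a reactive learning controller that installs a rule on the first packet of a flow. A proactive firewall rule like the slides' "Firewall" row (drop TCP dport 22) is installed beforehand so that both styles coexist. Field names (in_port, mac_src, mac_dst, ip_prot, tcp_dport) follow the slides' match fields; the port names, MAC addresses and packets are constructed.

```python
# Added example (not from the slides or from any OpenFlow implementation):
# a toy flow table with priority-ordered wildcard matching, per-entry
# counters, a table-miss entry that sends packets to the controller, and a
# reactive controller that installs entries on the first packet of a flow.
from dataclasses import dataclass

CONTROLLER = "controller"  # pseudo-action: encapsulate and forward to controller
DROP = "drop"
FLOOD = "flood"


@dataclass
class FlowEntry:
    match: dict       # field -> required value; a field that is absent is wildcarded
    priority: int     # higher wins
    actions: list     # e.g. ["port6"], [DROP], [CONTROLLER]
    packets: int = 0  # counters: updated when packets are matched
    bytes: int = 0

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())


class FlowTable:
    def __init__(self):
        # table-miss entry: priority 0, wildcards everything, goes to the controller
        self.entries = [FlowEntry({}, 0, [CONTROLLER])]

    def add_flow(self, match, priority, actions):
        self.entries.append(FlowEntry(dict(match), priority, actions))
        # keep highest priority first so the first hit is the winner
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def lookup(self, pkt):
        for entry in self.entries:
            if entry.matches(pkt):
                entry.packets += 1
                entry.bytes += pkt.get("len", 0)
                return entry
        raise RuntimeError("unreachable: the table-miss entry matches everything")


class ReactiveSwitch:
    """Datapath plus a reactive controller: the first packet of a flow misses,
    the controller learns the source MAC and installs a rule toward that MAC."""

    def __init__(self):
        self.table = FlowTable()
        self.mac_to_port = {}  # controller-side state (learning switch)
        self.packet_ins = 0    # how many packets reached the controller

    def packet_in(self, pkt):
        self.packet_ins += 1
        self.mac_to_port[pkt["mac_src"]] = pkt["in_port"]
        out = self.mac_to_port.get(pkt["mac_dst"])
        if out is None:
            return [FLOOD]  # destination unknown: flood, install nothing
        # install a rule keyed only on the destination MAC (a wildcard rule)
        self.table.add_flow({"mac_dst": pkt["mac_dst"]}, 10, [out])
        return [out]

    def process(self, pkt):
        entry = self.table.lookup(pkt)
        if entry.actions == [CONTROLLER]:
            return self.packet_in(pkt)
        return entry.actions


def demo():
    """Returns the actions taken for four constructed packets and the packet-in count."""
    sw = ReactiveSwitch()
    # proactive rule, like the slides' Firewall row: drop TCP traffic to port 22
    sw.table.add_flow({"ip_prot": 6, "tcp_dport": 22}, 100, [DROP])
    h1_to_h2 = {"in_port": "port1", "mac_src": "00:00:00:00:00:01",
                "mac_dst": "00:00:00:00:00:02", "ip_prot": 6, "tcp_dport": 80, "len": 100}
    h2_to_h1 = {"in_port": "port2", "mac_src": "00:00:00:00:00:02",
                "mac_dst": "00:00:00:00:00:01", "ip_prot": 6, "tcp_dport": 80, "len": 60}
    first = sw.process(h1_to_h2)      # table-miss -> controller; h2 unknown -> flood
    reply = sw.process(h2_to_h1)      # table-miss -> controller; h1 known -> port1, rule installed
    cached = sw.process(h2_to_h1)     # hits the installed rule, controller not involved
    ssh = sw.process(dict(h1_to_h2, tcp_dport=22))  # priority 100 firewall rule wins
    return first, reply, cached, ssh, sw.packet_ins
```

Running demo() shows the trade-off on slide 40 directly: the two reactive packets each cost a round trip to the controller (packet_ins is 2), the third packet is served from the table, and the proactively installed firewall entry is consulted first because priority, not insertion order, decides precedence.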
Slide 41
OpenFlow: Group table
Enables additional methods of forwarding
Advanced, but required
Slide 42
OpenFlow: Group table
A group table consists of group entries
A group entry may consist of zero or more buckets
A bucket typically contains actions that modify the packet and an output action that forwards it to a port
Slides 43-46
OpenFlow: Group table
There are 4 group types:
All (Required)
Select (Optional)
Fast failover (Optional)
Indirect (Required)
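To make the four group types concrete, here is an added example (not from the slides or from any switch implementation) that models a group entry as a list of buckets, each bucket a list of actions ending in an output action, and applies the selection policy of each type: All replicates to every bucket, Indirect has exactly one bucket, Select picks one bucket per flow from a flow hash, and Fast failover takes the first bucket whose watched port is live. The port-liveness map and the CRC32 flow hash are assumptions of this example; a real switch uses its own port state and hash.

```python
# Added example (not from the slides): the four OpenFlow group types as
# bucket-selection policies over constructed buckets. Each bucket is a list
# of actions ending in ("output", port). The liveness map used by fast
# failover and the hash used by select are assumptions of this example.
import zlib

GROUP_TYPES = ("all", "select", "indirect", "ff")


class Group:
    def __init__(self, gtype, buckets, live=None):
        if gtype not in GROUP_TYPES:
            raise ValueError(gtype)
        if gtype == "indirect" and len(buckets) != 1:
            raise ValueError("an indirect group has exactly one bucket")
        self.gtype = gtype
        self.buckets = buckets
        self.live = live if live is not None else {}  # port -> bool (fast failover)

    @staticmethod
    def output_port(bucket):
        return next(p for a, p in reversed(bucket) if a == "output")

    def select_buckets(self, pkt):
        """Return the buckets whose actions apply to pkt (zero, one or all)."""
        if self.gtype == "all":
            return list(self.buckets)      # a copy of the packet per bucket
        if self.gtype == "indirect":
            return [self.buckets[0]]       # single bucket, shared by many flows
        if self.gtype == "select":
            # one bucket per flow, chosen by a flow hash (load balancing)
            key = "|".join(str(pkt.get(f)) for f in ("ip_src", "ip_dst", "l4_sport", "l4_dport"))
            return [self.buckets[zlib.crc32(key.encode()) % len(self.buckets)]]
        # fast failover: first bucket whose watched output port is live
        for bucket in self.buckets:
            if self.live.get(self.output_port(bucket), True):
                return [bucket]
        return []                          # no live bucket: packet is dropped

    def apply(self, pkt):
        return [self.output_port(b) for b in self.select_buckets(pkt)]


def demo():
    pkt = {"ip_src": "1.2.3.4", "ip_dst": "5.6.7.8", "l4_sport": 17264, "l4_dport": 80}
    # "all": replicate to port6, port7 and port9, like the VLAN Switching example row
    g_all = Group("all", [[("output", "port6")], [("output", "port7")], [("output", "port9")]])
    # fast failover: primary port1 is down, so backup port2 carries traffic
    live = {"port1": False, "port2": True}
    g_ff = Group("ff", [[("output", "port1")], [("output", "port2")]], live=live)
    before = g_ff.apply(pkt)
    live["port1"] = True        # port comes back: failover reverts to the primary
    after = g_ff.apply(pkt)
    g_sel = Group("select", [[("output", "port1")], [("output", "port2")]])
    stable = g_sel.apply(pkt) == g_sel.apply(pkt)   # same flow -> same bucket
    g_ind = Group("indirect", [[("set_vlan", 10), ("output", "port3")]])
    return g_all.apply(pkt), before, after, stable, g_ind.apply(pkt)
```

The fast failover case is the one worth studying: the switch changes the output port on its own when the watched port goes down, without a round trip to the controller, which is exactly what a proactive design needs when the control connection may be lost.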
Slide 47
OpenFlow: Meter Table
Enables OpenFlow to implement rate limiting
Each meter may have one or more meter bands. The bands define the behavior of the meter on packets in various rate ranges.
Slide 48
OpenFlow: Multiple Flow Tables
Pipeline: matching starts at the first flow table and may continue to additional flow tables
Why?
Slide 49
OpenFlow: Multiple Flow Tables
Example: Cross product (One Table Design)
ethSrc | ethDst | Action
a1 | a1 | p1
a1 | a2 | p2
… | … | …
an | an | p(n²)
n² entries
Slide 50
OpenFlow: Multiple Flow Tables
Example: Cross product (Two Table Design)
Table 1: ethSrc | Action
a1 | reg srcCond = y1; jump 2
a2 | reg srcCond = y2; jump 2
… | …
an | reg srcCond = yk; jump 2
otherwise | drop
Table 2: reg srcCond | ethDst | Action
y1 | a1 | p1,1
y1 | a2 | p1,2
… | … | …
yk | an | pk,n
otherwise | drop
n + kn entries
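The entry-count argument of slides 49 and 50 is easy to check mechanically. The following added example (not from the slides) builds the same cross-product policy twice: once as a flat table keyed on (ethSrc, ethDst), and once as the two-table pipeline in which table 1 writes the per-source register srcCond and jumps to table 2, which matches on (srcCond, ethDst). It then compares the entry counts (n² versus n + kn) and verifies that both designs forward every packet identically, including the "otherwise: drop" rows. The host names, the register name, the number of source classes k and the policy function are constructed for the example; the reduction holds only because the policy depends on the source through its class y, which is the assumption the slide's design rests on.

```python
# Added example (not from the slides): the cross-product policy of slides 49-50
# built both as a single flat table (n*n entries) and as the two-table pipeline
# (n + k*n entries) in which table 1 writes a per-source register and jumps to
# table 2. Host names, the register name and the policy function are constructed.


def build_one_table(hosts, src_class, policy):
    """Flat design: one entry per (ethSrc, ethDst) pair."""
    return {(s, d): policy(src_class[s], d) for s in hosts for d in hosts}


def build_pipeline(hosts, src_class, policy):
    """Two-table design: table 1 maps ethSrc -> srcCond register value,
    table 2 matches (srcCond, ethDst). Unmatched packets drop in either table."""
    table1 = {s: src_class[s] for s in hosts}                        # n entries
    classes = sorted(set(src_class.values()))
    table2 = {(y, d): policy(y, d) for y in classes for d in hosts}  # k*n entries
    return table1, table2


def forward_one_table(table, pkt):
    return table.get((pkt["ethSrc"], pkt["ethDst"]), "drop")


def forward_pipeline(tables, pkt):
    table1, table2 = tables
    src_cond = table1.get(pkt["ethSrc"])   # table 1: set register, jump to table 2
    if src_cond is None:
        return "drop"                      # "otherwise: drop"
    return table2.get((src_cond, pkt["ethDst"]), "drop")


def demo(n=8, k=2):
    hosts = [f"a{i}" for i in range(1, n + 1)]
    # constructed: sources fall into k classes y1..yk; the policy depends only on the class
    src_class = {s: f"y{i % k + 1}" for i, s in enumerate(hosts)}

    def policy(y, dst):
        # constructed policy: class y2 may not reach a1; everything else forwards
        return "drop" if (y == "y2" and dst == "a1") else f"p_{dst}"

    flat = build_one_table(hosts, src_class, policy)
    pipeline = build_pipeline(hosts, src_class, policy)
    sizes = (len(flat), len(pipeline[0]) + len(pipeline[1]))
    packets = [{"ethSrc": s, "ethDst": d} for s in hosts for d in hosts]
    equivalent = all(forward_one_table(flat, p) == forward_pipeline(pipeline, p) for p in packets)
    return sizes, equivalent
```

With n = 8 and k = 2, demo() reports 64 entries for the flat table against 24 for the pipeline, and equivalent forwarding for all 64 source/destination pairs. Raising n while keeping k fixed shows the quadratic-versus-linear gap the slide is pointing at.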
Slide 51
OpenFlow: Protocol
OpenFlow channel: the interface that connects the switch to the controller
The OpenFlow protocol supports three message types: controller-to-switch, asynchronous, symmetric
Slides 52-53
OpenFlow in the Real World
Commercial OpenFlow switch – physical
Open vSwitch – virtual
Slide 54
Open vSwitch
Overview: follows the same thought and idea as OpenFlow
Slide 55
Linux Bridge Design
Simple forwarding: matches the destination MAC address and forwards
Packet never leaves the kernel
Source: Dean Pemberton, University of Oregon
Slide 56
Open vSwitch Design
Decisions about how to process a packet are made in userspace
The first packet of a new flow goes to ovs-vswitchd; following packets hit the cached entry in the kernel
Source: Dean Pemberton, University of Oregon
Slide 57
ovs-vswitchd in Userspace
Core component in the system:
Communicates with the outside world using OpenFlow
Communicates with ovsdb-server using the OVSDB protocol
Communicates with the kernel module over netlink
Communicates with the system through the netdev abstract interface
Supports multiple independent datapaths (bridges)
Packet classifier supports efficient flow lookup with wildcards and "explodes" these (possibly) wildcard rules for fast processing by the datapath
Implements mirroring, bonding, and VLANs through modifications of the same flow table exposed through OpenFlow
Checks datapath flow counters to handle flow expiration and stats requests
Tools: ovs-ofctl, ovs-appctl
Slide 58
OVS Kernel Module
Kernel module that handles switching and tunneling
Fast cache of non-overlapping flows
Designed to be fast and simple
Packet comes in; if found, the associated actions are executed and counters updated; otherwise it is sent to userspace
Does no flow expiration
Knows nothing of OpenFlow
Implements tunnels
Tools: ovs-dpctl
Slide 59
Userspace Processing
Packet received from the kernel
Given to the classifier to look for matching flows; accumulates actions
If the "normal" action is included, accumulates actions from "normal" processing, such as L2 forwarding and bonding
Actions accumulated from configured modules, such as mirroring
Prior to 1.11, an exact-match flow is generated with the accumulated actions and pushed down to the kernel module (along with the packet)
Slide 60
Kernel Processing
Packet arrives and header fields are extracted
Header fields are hashed and used as an index into a set of large hash tables
If an entry is found, actions are applied to the packet and counters are updated
If no entry is found, the packet is sent to userspace and the miss counter is incremented
Slide 61
Mininet
Machine-local virtual network: a great dev/testing tool
Uses Linux virtual network features
Cheaper than VMs
Arbitrary topologies, nodes
Slide 62
Mininet
Rapidly prototype, develop and test
Interestingly-sized networks (16-100 nodes) start up in seconds
No lengthy lab reconfiguration or rebooting required
Always-accessible network resources, in any topology, at essentially no cost
Designs that work on Mininet transfer seamlessly to hardware for full-speed operation
Slide 63
Mininet
Repeatably test, analyze, and predict network behavior
Easy replication of experimental and test results
Examine effects of code or network changes before testing/deploying on hardware
Allows automated system-level tests and experiments
Recreate real-world networks and test cases for a variety of topologies and configurations
Slide 64
Mininet
Quickly get up and running
Free and permissively licensed (BSD)
Minimal hardware requirements
Accessible to novices thanks to a simple CLI
Smooth learning curve thanks to walkthrough, tutorial, examples and API documentation
Strong user and support community
Slide 65
Mininet
Download: http://mininet.org/download/
Tutorial: https://github.com/mininet/openflow-tutorial/wiki
Slide 66
Some Commands
sudo mn --topo single,3 --mac --switch ovsk --controller remote
sh ovs-ofctl dump-flows s1
sh ovs-ofctl add-flow s1 in_port=1,actions=output:2
sh ovs-ofctl add-flow s1 in_port=2,actions=output:1
sh ovs-ofctl del-flows s1
sh ovs-ofctl add-flow s1 "priority=0,action=normal"
sh ovs-ofctl add-flow s1 "priority=100,eth_type=0x800,ip_dst=10.0.0.1,action=drop"
sh ovs-ofctl add-flow s1 "priority=100,eth_type=0x806,dl_dst=00:00:00:00:00:02,action=drop"
Slide 67
Mininet
Basic commands:
Display an xterm for switch s1: mininet> xterm s1
Inspect flow tables at the switch xterm: dpctl dump-flows tcp:127.0.0.1:6634
To view OpenFlow protocol messages, at the mininet-VM xterm: sudo wireshark &
Capture the interface to the controller; in the Wireshark filter box, enter the filter of to show only OpenFlow messages
Slide 68
Mininet
Basic commands:
Create a network consisting of one Open vSwitch and three hosts, controlled by a remote controller with IP address 192.168.56.1:
sudo mn --topo single,3 --controller remote,ip=192.168.56.1 --switch ovsk
mininet> help
mininet> dump nodes
mininet> h1 ping h2
Slide 69
Outline
What is the data structure used in current systems?
How is the data structure programmed currently?
SDN and OpenFlow: abstraction and extension of current data structures, and a new way to program it
How can the more general OF model be implemented efficiently?
Slide 70
Pipeline Specialization
Divide a single table into a pipeline, with specialization of types
Exact match >> LPM >> ternary
Molnár L, Pongrácz G, Enyedi G, et al. Dataplane Specialization for High-performance OpenFlow Software Switching. Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016: 539-552.
Slide 71
OpenFlow building blocks
Controllers: POX, ONOS, Floodlight, OpenDayLight, Ryu, Frenetic
Applications: Traffic Engineering, Firewall, Mobility, Load Balancing
OpenFlow Switches:
Commercial Switches: HP, NEC, Pronto, Juniper.. and many more
Software switches and experimental platforms: NetFPGA, Broadcom Ref. Switch, OpenWRT, OpenVSwitch
Monitoring/debugging tools: oflops, ndb
OpenFlow: the protocol between controllers and switches