Slide 1: Software Defined Network and Network Virtualization
Sándor Laki
(Slides by Yeh-Ching Chung)
Slide 2: Software defined network
Introduction
Motivation
Concept
OpenFlow
Virtual Switch
Slide 3: Millions of lines of source code
5400 RFCs
Barrier to entry
500M gates
10 Gbytes RAM
Bloated
Power hungry
Many complex functions baked into the infrastructure
OSPF, BGP, multicast, differentiated services, traffic engineering, NAT, firewalls, MPLS, redundant layers, …
An industry with a "mainframe-mentality"
We have lost our way
[Figure: specialized packet forwarding hardware, the vendor's operating system on top of it, and the apps (routing, management, mobility management, access control, VPNs, …) bundled with it]
Slide 4: Reality
[Figure: the same closed stack (specialized packet forwarding hardware, operating system, apps) replicated in every vendor's box]
Lack of competition means glacial innovation
Closed architecture means blurry, closed interfaces
Vertically integrated, complex, closed, proprietary
Not suitable for experimental ideas
Not good for network owners & users
Not good for researchers
Slide 5: Glacial process of innovation made worse by captive standards process
Idea → Standardize → Wait 10 years → Deployment
Driven by vendors
Consumers largely locked out
Lowest common denominator features
Glacial innovation
Slide 6: Software defined network
Introduction
Motivation
Concept
OpenFlow
Virtual Switch
Slide 7: Trend
Computer industry: the x86 instruction set (computer) gave a common target for operating systems (Windows, Linux, Mac OS) and their apps; a virtualization layer later let several of those operating systems share one machine.
Network industry: OpenFlow plays the role of x86, a network OS (e.g. NOX) the role of the operating system, and controller apps run on top; a virtualization or "slicing" layer lets controller 1 and controller 2 share the same switches.
Slide 8: The "Software-defined Network"
[Figure: today every box of specialized packet forwarding hardware runs its own operating system and apps; in the software-defined network one network operating system runs the apps and drives all the forwarding hardware]
Slide 9: The "Software-defined Network"
[Figure: apps on top of a network operating system, which drives several boxes of simple packet forwarding hardware]
1. Open interface to hardware
2. At least one good operating system (extensible, possibly open-source)
3. Well-defined open API
Slide 10: Virtualization or "Slicing" layer
[Figure: simple packet forwarding hardware, the open interface to hardware, a virtualization or "slicing" layer, and above it network operating systems 1 to 4, each running its own apps]
Many operating systems, or many versions
Open interface to hardware
Isolated "slices"
Slide 11: Consequences
More innovation in network services
Owners, operators, 3rd party developers, researchers can improve the network
E.g. energy management, data center management, policy routing, access control, denial of service, mobility
Lower barrier to entry for competition
Healthier market place, new players
Slide 12: Software defined network
Introduction
Motivation
Concept
OpenFlow
Virtual Switch
Slide 13: Traditional network node: Router
A router can be partitioned into control and data plane:
Management/policy plane: configuration via CLI / GUI, static routes
Control plane / decision: OSPF (Open Shortest Path First) builds the neighbor table, the link state database and the IP routing table
Data plane / forwarding: the forwarding table derived from the routing table; routing and switching of packets
[Figure: the control planes of adjacent routers exchange OSPF with each other; the data planes forward the traffic]
Slide 14: Traditional network node: Switch
Typical networking software:
Management plane
Control plane – the brain/decision maker
Data plane – packet forwarder
Slide 15: SDN Concept
Separate control plane and data plane entities
Network intelligence and state are logically centralized
The underlying network infrastructure is abstracted from the applications
Execute or run control plane software on general purpose hardware
Decouple from specific networking hardware
Use commodity servers
Have programmable data planes
Maintain, control and program data plane state from a central entity
An architecture to control not just a networking device but an entire network
Slide 16: Control Program
The control program operates on a view of the network
Input: global network view (graph/database)
Output: configuration of each network device
The control program is not a distributed system
The abstraction hides details of distributed state
Slide 17: Software-Defined Network with key abstractions in the control plane
[Figure: routing, traffic engineering and other applications use a well-defined API to the network operating system; the network operating system presents a network map (the abstraction) built over the forwarding elements. Three abstractions are marked: separation of data and control plane, network virtualization, and the network map]
Slide 18: Forwarding Abstraction
Purpose: abstract away forwarding hardware
Flexible
Behavior specified by control plane
Built from basic set of forwarding primitives
Minimal
Streamlined for speed and low power
Control program not vendor-specific
OpenFlow is an example of such an abstraction
Slide 19: OpenFlow Basics
[Figure: control programs A and B run on the network OS; the network OS speaks the OpenFlow protocol (the control path) to an OpenFlow Ethernet switch, whose data path is in hardware]
Slide 20: OpenFlow Basics
[Figure: control programs A and B on the network OS program the flow table(s) of each packet forwarding element with rules such as:]
"If header = p, send to port 4"
"If header = ?, send to me"
"If header = q, overwrite header with r, add header s, and send to ports 5,6"
Slide 21: Plumbing Primitives <Match, Action>
Match arbitrary bits in headers:
Match on any header, or new header
Allows any flow granularity
Action:
Forward to port(s), drop, send to controller
Overwrite header with mask, push or pop
Forward at specific bit-rate
[Figure: a packet's header is matched bit by bit against a pattern with don't-care bits, e.g. 1000x01xx0101001x; the data is untouched]
Slide 22: General Forwarding Abstraction
Small set of primitives
"Forwarding instruction set"
Protocol independent
Backward compatible
Switches, routers, WiFi APs, basestations, TDM/WDM
Slide 23: Software defined network
Introduction
Motivation
Concept
OpenFlow
Virtual Switch
Slide 24: What is OpenFlow
OpenFlow is similar to an x86 instruction set for the network
Provides an open interface to the "black box" networking node (i.e. routers, L2/L3 switches) to enable visibility and openness in the network
Separation of control plane and data plane
The datapath of an OpenFlow switch consists of a flow table, and an action associated with each flow entry
The control path consists of a controller which programs the flow entries in the flow table
OpenFlow is based on an Ethernet switch, with an internal flow table, and a standardized interface to add and remove flow entries
Slide 25: OpenFlow Consortium
http://OpenFlowSwitch.org
Goal: evangelize OpenFlow to vendors
Free membership for all researchers
Whitepaper, OpenFlow Switch Specification, reference designs
Licensing: free for research and commercial use
Slide 26: OpenFlow building blocks
Controllers: NOX, ONIX, Beacon, Trema, Maestro
Slicing software: FlowVisor, FlowVisor console
Applications: LAVI, ENVI (GUI), Expedient, n-Casting
Monitoring/debugging tools (Stanford provided): oflops, oftrace, openseer
OpenFlow switches (Stanford provided): NetFPGA, software ref. switch, Broadcom ref. switch, OpenWRT, PCEngine WiFi AP, Open vSwitch
Commercial switches: HP, NEC, Pronto, Juniper... and many more
Slide 27: Components of an OpenFlow Network
Controller
OpenFlow protocol messages over the control channel
OpenFlow switch: secure channel (SC), flow table, flow entries
Processing: pipeline processing, packet matching, instructions & action set
Slide 28: OpenFlow Controllers
Name | Lang | Platform(s) | License | Original Author | Notes
OpenFlow Reference | C | Linux | OpenFlow License | Stanford/Nicira | not designed for extensibility
NOX | Python, C++ | Linux | GPL | Nicira | actively developed
Beacon | Java | Win, Mac, Linux, Android | GPL (core), FOSS licenses for your code | David Erickson (Stanford) | runtime modular, web UI framework, regression test framework
Maestro | Java | Win, Mac, Linux | LGPL | Zheng Cai (Rice) |
Trema | Ruby, C | Linux | GPL | NEC | includes emulator, regression test framework
OpenDaylight | Java | Linux | ? | OpenDaylight Community (Linux Foundation) | effort is supported by large vendors
Slide 29: Secure Channel (SC)
The SC is the interface that connects each OpenFlow switch to the controller
A controller configures and manages the switch via this interface, receives events from the switch and sends packets out of the switch
The SC establishes and terminates the connection between the OpenFlow switch and the controller using the procedures Connection Setup and Connection Interrupt
The SC connection is a TLS connection. Switch and controller mutually authenticate by exchanging certificates signed by a site-specific private key.
Caveat: that is how the OpenFlow 1.0 specification describes the channel; from version 1.3 the specification also allows the channel to run over plain TCP (IANA port 6653, 6633 in older deployments), and many deployments do. Without TLS and certificate checks, anything that can reach the control port can install flow entries, so treat reachability of that port as equivalent to administrative access to the switch.
Slide 30: Flow Table
[Figure: a flow table in switches, routers and chipsets, one row per flow (Flow 1 … Flow N), each row holding a rule (exact & wildcard), an action and statistics; the last row carries the default action]
Slide 31: Flow Entry
A flow entry consists of:
Match fields: matched against packets
Action: modify the action set or pipeline processing
Stats: counters updated for the matching packets
Match fields (Layer 2 / Layer 3 / Layer 4): In Port, Src MAC, Dst MAC, Eth Type, VLAN Id, IP ToS, IP Proto, IP Src, IP Dst, TCP Src Port, TCP Dst Port
Actions:
Forward packet to port(s)
Encapsulate and forward to controller
Drop packet
Send to normal processing pipeline
Stats:
1. Packet counters
2. Byte counters
Slide 32: Examples
Fields: Switch Port, MAC src, MAC dst, Eth type, VLAN ID, IP Src, IP Dst, IP Prot, TCP sport, TCP dport → Action
Switching:
  Switch Port *, MAC src *, MAC dst 00:1f:.., Eth type *, VLAN ID *, IP Src *, IP Dst *, IP Prot *, TCP sport *, TCP dport * → port6
Flow Switching:
  Switch Port port3, MAC src 00:20.., MAC dst 00:1f.., Eth type 0800, VLAN ID vlan1, IP Src 1.2.3.4, IP Dst 5.6.7.8, IP Prot 6 (TCP), TCP sport 17264, TCP dport 80 → port6
Firewall:
  Switch Port *, MAC src *, MAC dst *, Eth type *, VLAN ID *, IP Src *, IP Dst *, IP Prot *, TCP sport *, TCP dport 22 → drop
Slide 33: Examples
Routing:
  Switch Port *, MAC src *, MAC dst *, Eth type *, VLAN ID *, IP Src *, IP Dst 5.6.7.8, IP Prot *, TCP sport *, TCP dport * → port6
VLAN Switching:
  Switch Port *, MAC src *, MAC dst 00:1f.., Eth type *, VLAN ID vlan1, IP Src *, IP Dst *, IP Prot *, TCP sport *, TCP dport * → port6, port7, port9
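The five match/action rules on the two Examples slides, together with the lookup order an OpenFlow 1.0 switch applies (an exact-match entry always wins, wildcard entries compete by priority, a table miss goes to the controller), as an added Python model written for this page. It is not code from the slides or from any OpenFlow implementation. The MAC addresses and the sample packets are constructed (the slides show the MACs truncated), and the firewall rule is pinned to IPv4/TCP so that a tp_dst=22 match cannot also drop UDP port 22, which is how a practitioner should write it in a real table.

```python
"""OpenFlow 1.0-style flow table: wildcard match, priorities, actions, counters.

Added example written for this page; not code from the slides or from any
OpenFlow implementation.  Field names follow the 10-tuple on the "Flow Entry"
slide and are also the keywords ovs-ofctl uses.
"""
from dataclasses import dataclass

FIELDS = ("in_port", "dl_src", "dl_dst", "dl_type", "dl_vlan",
          "nw_src", "nw_dst", "nw_proto", "tp_src", "tp_dst")


@dataclass
class FlowEntry:
    name: str
    match: dict            # field -> required value; a field left out is a wildcard (*)
    actions: list          # e.g. ["output:6"], ["drop"], ["controller"]
    priority: int = 0      # OF 1.0: only meaningful for wildcard entries
    n_packets: int = 0     # per-entry statistics, as on the Flow Table slide
    n_bytes: int = 0

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())

    def is_exact(self):
        return len(self.match) == len(FIELDS)

    def ovs_syntax(self):
        """Render in ovs-ofctl add-flow syntax, to compare with a real switch."""
        parts = [f"priority={self.priority}"]
        for k in FIELDS:
            if k in self.match:
                v = self.match[k]
                parts.append(f"{k}={v:#06x}" if k == "dl_type" else f"{k}={v}")
        return ",".join(parts) + ",actions=" + ",".join(self.actions)


class FlowTable:
    def __init__(self, table_miss=("controller",)):
        self.entries = []
        self.table_miss = list(table_miss)   # OF 1.0: a table miss goes to the controller

    def add(self, entry):
        self.entries.append(entry)
        # OF 1.0 lookup order: an exact-match entry always wins; among wildcard
        # entries the higher priority wins.  Keep the list sorted so lookup is a scan.
        self.entries.sort(key=lambda e: (e.is_exact(), e.priority), reverse=True)

    def lookup(self, pkt, length=64):
        """Return (entry name, actions) of the first matching entry and update
        its counters; ("table-miss", ...) when nothing matches."""
        for e in self.entries:
            if e.matches(pkt):
                e.n_packets += 1
                e.n_bytes += length
                return e.name, e.actions
        return "table-miss", self.table_miss


# Constructed addresses; the slides only show them truncated ("00:1f..", "00:20..").
DST_MAC = "00:1f:00:00:00:01"
SRC_MAC = "00:20:00:00:00:02"


def example_table():
    """The five rules from the two Examples slides."""
    t = FlowTable()
    # Switching: destination MAC -> port 6
    t.add(FlowEntry("switching", {"dl_dst": DST_MAC}, ["output:6"], priority=10))
    # Flow switching: all ten fields given, so this is an exact-match entry
    t.add(FlowEntry("flow-switching", {
        "in_port": 3, "dl_src": SRC_MAC, "dl_dst": DST_MAC, "dl_type": 0x0800,
        "dl_vlan": 1, "nw_src": "1.2.3.4", "nw_dst": "5.6.7.8", "nw_proto": 6,
        "tp_src": 17264, "tp_dst": 80}, ["output:6"]))
    # Firewall: drop SSH.  Pinned to IPv4/TCP so the rule cannot also hit UDP/22.
    t.add(FlowEntry("firewall", {"dl_type": 0x0800, "nw_proto": 6, "tp_dst": 22},
                    ["drop"], priority=100))
    # Routing: destination IP -> port 6
    t.add(FlowEntry("routing", {"dl_type": 0x0800, "nw_dst": "5.6.7.8"},
                    ["output:6"], priority=20))
    # VLAN switching: VLAN 1 + destination MAC -> ports 6, 7 and 9
    t.add(FlowEntry("vlan-switching", {"dl_vlan": 1, "dl_dst": DST_MAC},
                    ["output:6", "output:7", "output:9"], priority=30))
    return t


def sample_packet(**overrides):
    """A constructed TCP/IPv4 header as the switch's parser would present it."""
    pkt = {"in_port": 3, "dl_src": SRC_MAC, "dl_dst": DST_MAC, "dl_type": 0x0800,
           "dl_vlan": 0, "nw_src": "1.2.3.4", "nw_dst": "5.6.7.8", "nw_proto": 6,
           "tp_src": 17264, "tp_dst": 80}
    pkt.update(overrides)
    return pkt


if __name__ == "__main__":
    table = example_table()
    for entry in table.entries:
        print(entry.ovs_syntax())
    print(table.lookup(sample_packet(tp_dst=22)))   # firewall beats routing/switching
    print(table.lookup(sample_packet(dl_vlan=1)))   # exact entry beats vlan-switching
```

Two things worth noticing when running it: the SSH packet is dropped even though three forwarding rules also match it, purely because the firewall entry has the highest priority, so a forwarding rule added later with priority above 100 would silently reopen port 22; and the fully specified flow-switching entry is chosen over the VLAN rule without any priority at all, which is the exact-match precedence rule of the 1.0 specification. The ovs_syntax() lines can be pasted after ovs-ofctl add-flow to compare against a real Open vSwitch.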
Slide 34: OpenFlow Usage (OpenFlowSwitch.org)
[Figure: Peter's code runs on a controller PC and speaks the OpenFlow protocol to several OpenFlow switches, each holding a table of rule / action / statistics rows]
Slide 35: Usage examples
Peter's code:
Static "VLANs"
His own new routing protocol: unicast, multicast, multipath, load-balancing
Network access control
Home network manager
Mobility manager
Energy manager
Packet processor (in controller)
IPvPeter
Network measurement and visualization
…
Slide 36: Separate VLANs for Production and Research Traffic
[Figure: in one switch, production VLANs go through normal L2/L3 processing while research VLANs go through the flow table, which is programmed by the controller]
Slide 37: Dynamic Flow Aggregation on an OpenFlow Network
Scope:
Different networks want different flow granularity (ISP, backbone, …)
Switch resources are limited (flow entries, memory)
Network management is hard
Current solutions: MPLS, IP aggregation
Slide 38: Dynamic Flow Aggregation on an OpenFlow Network
How does OpenFlow help?
Dynamically define flow granularity by wildcarding arbitrary header fields
Granularity is on the switch flow entries, no packet rewrite or encapsulation
Create meaningful bundles and manage them using your own software (reroute, monitor)
Slide 39: Virtualizing OpenFlow
Network operators "delegate" control of subsets of network hardware and/or traffic to other network operators or users
Multiple controllers can talk to the same set of switches
Imagine a hypervisor for network equipment
Allows experiments to be run on the network in isolation from each other and from production traffic
Slide 40: Switch Based Virtualization
Exists for NEC, HP switches but not flexible enough
[Figure: one switch with normal L2/L3 processing for the production VLANs and a separate flow table, each with its own controller, for research VLAN 1 and research VLAN 2]
Slide 41: FlowVisor
A network hypervisor developed by Stanford
A software proxy between the forwarding and control planes of network devices
Slide 42: FlowVisor-based Virtualization
[Figure: Craig's, Heidi's and Aaron's controllers each speak the OpenFlow protocol to FlowVisor (OpenFlow FlowVisor & policy control), which speaks OpenFlow to the OpenFlow switches on their behalf]
Topology discovery is per slice
Slide 43: FlowVisor-based Virtualization
[Figure: a broadcast/multicast controller, an http load-balancer controller and the FlowVisor & policy control in front of the OpenFlow switches]
Separation not only by VLANs, but by any L1–L4 pattern, e.g.
dl_dst=FFFFFFFFFFFF
tp_src=80, or tp_dst=80
Slide 44: FlowVisor Slicing
Slices are defined using a slice definition policy
The policy language specifies the slice's resource limits, flowspace, and controller's location in terms of IP and TCP port-pair
FlowVisor enforces transparency and isolation between slices by inspecting, rewriting, and policing OpenFlow messages as they pass
Slide 45: FlowVisor Resource Limits
FV assigns hardware resources to "slices":
Topology: network device or OpenFlow instance (DPID), physical ports
Bandwidth: each slice can be assigned a per-port queue with a fraction of the total bandwidth
CPU: employs coarse rate-limiting techniques to keep new-flow events from one slice from overrunning the switch CPU
Forwarding tables: each slice has a finite quota of forwarding rules per device
Slide 46: Slicing
[Figure]
Slide 47: FlowVisor FlowSpace
FlowSpace is defined by a collection of packet headers and assigned to "slices":
Source/destination MAC address
VLAN ID
Ethertype
IP protocol
Source/destination IP address
ToS/DSCP
Source/destination port number
Slide 48: FlowSpace: Maps Packets to Slices
[Figure]
Slide 49: FlowVisor Slicing Policy
FV intercepts OF messages from devices
FV only sends control plane messages to the slice controller if the source device is in the slice topology
Rewrites OF feature negotiation messages so the slice controller only sees the ports in its slice
Port up/down messages are pruned and only forwarded to affected slices
Slide 50: FlowVisor Slicing Policy
FV intercepts OF messages from controllers
Rewrites flow insertion, deletion & modification rules so they don't violate the slice definition
Flow definition – ex. limit control to HTTP traffic only
Actions – ex. limit forwarding to only ports in the slice
Expands flow rules into multiple rules to fit the policy
Flow definition – ex. if there is a policy for John's HTTP traffic and another for Uwe's HTTP traffic, FV would expand a single rule intended to control all HTTP traffic into 2 rules
Actions – ex. the rule action is "send out all ports"; FV will create one rule for each port in the slice
Returns an "action is invalid" error if the controller tries to control a port outside of the slice
Slide 51: FlowVisor Message Handling
[Figure: Alice's, Bob's and Cathy's controllers send OpenFlow rules to FlowVisor, which runs the policy check "Is this rule allowed?" before passing them to the OpenFlow firmware on the switch. Packets that miss the data path's full-line-rate forwarding rules are raised as packet exceptions to FlowVisor, which runs the policy check "Who controls this packet?" and forwards the packet to that slice's controller]
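The two policy checks on the FlowVisor slides, "Is this rule allowed?" for a controller's flow_mod and "Who controls this packet?" for a packet-in, as an added Python model written for this page; it is not FlowVisor's code. Slice names, controller addresses, hosts and port numbers are constructed. The flowspace intersection is what turns one "all HTTP" rule into one rule per host when a slice owns two hosts' HTTP traffic; a flood action is rewritten into an explicit output per slice port (here as one action list rather than one rule per port); an output to a port outside the slice is refused, as the "action is invalid" error on the slide.

```python
"""FlowVisor-style slice policy: flowspace clipping, port limits, packet-in ownership.

Added example written for this page (not FlowVisor's own code).  A match is a
dict field -> value; a field that is absent is wildcarded.
"""
from dataclasses import dataclass


class PolicyError(Exception):
    """Raised where FlowVisor would return an OpenFlow error to the slice controller."""


@dataclass
class Slice:
    name: str
    controller: tuple   # (ip, tcp_port) where the slice's controller listens
    flowspace: list     # [(priority, match), ...]: the traffic delegated to the slice
    ports: set          # physical ports of the switch delegated to the slice


def intersect(a, b):
    """Intersection of two wildcarded matches, or None if no packet can satisfy both."""
    out = dict(a)
    for k, v in b.items():
        if k in out and out[k] != v:
            return None
        out[k] = v
    return out


def covers(match, pkt):
    return all(pkt.get(k) == v for k, v in match.items())


def rewrite_actions(slc, actions):
    """Reject outputs to ports outside the slice; expand flood to the slice's ports."""
    out = []
    for act in actions:
        if act == "flood":
            out.extend(f"output:{p}" for p in sorted(slc.ports))
        elif act.startswith("output:"):
            port = int(act.split(":", 1)[1])
            if port not in slc.ports:
                raise PolicyError(f"{slc.name}: action is invalid, port {port} not in slice")
            out.append(act)
        else:
            out.append(act)          # drop, controller, header rewrites pass through
    return out


def rewrite_flow_mod(slc, match, actions):
    """'Is this rule allowed?'  Returns the rules actually sent to the switch:
    the controller's match clipped to each flowspace entry it overlaps."""
    actions = rewrite_actions(slc, actions)
    rules = []
    for _prio, fs in slc.flowspace:
        clipped = intersect(match, fs)
        if clipped is not None and clipped not in [m for m, _ in rules]:
            rules.append((clipped, list(actions)))
    if not rules:
        raise PolicyError(f"{slc.name}: match {match} lies outside the slice's flowspace")
    return rules


def owner_of_packet(slices, pkt):
    """'Who controls this packet?'  The slice whose highest-priority flowspace
    entry covers the packet gets the packet-in; None means nobody does."""
    best = None
    for slc in slices:
        for prio, fs in slc.flowspace:
            if covers(fs, pkt) and (best is None or prio > best[0]):
                best = (prio, slc.name)
    return best[1] if best else None


# Constructed slices: "http" owns two hosts' HTTP traffic, "bcast" owns broadcasts.
HTTP = Slice("http", ("10.0.0.100", 6633),
             [(100, {"dl_type": 0x0800, "nw_src": "10.0.0.11", "tp_dst": 80}),
              (100, {"dl_type": 0x0800, "nw_src": "10.0.0.22", "tp_dst": 80})],
             {1, 2, 3})
BCAST = Slice("bcast", ("10.0.0.101", 6633),
              [(50, {"dl_dst": "ff:ff:ff:ff:ff:ff"})], {1, 2, 3, 4})
SLICES = [HTTP, BCAST]


if __name__ == "__main__":
    # One "all HTTP" rule from the http controller becomes two rules, one per host.
    for m, a in rewrite_flow_mod(HTTP, {"dl_type": 0x0800, "tp_dst": 80}, ["flood"]):
        print(m, a)
    try:
        rewrite_flow_mod(HTTP, {"dl_type": 0x0800, "tp_dst": 80}, ["output:4"])
    except PolicyError as err:
        print(err)
```

The isolation argument rests on rewrite_flow_mod never letting a rule reach the switch that is wider than the slice's flowspace: a controller asking for "tp_dst=80" gets back rules that also carry its hosts' nw_src, and one asking for "tp_dst=22" gets an error rather than a rule. The packet-in side is the mirror image; without owner_of_packet, a packet exception would have to be broadcast to every controller, which would leak one slice's traffic to the others.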
Slide 52: Software defined network
Introduction
Motivation
Concept
OpenFlow
Virtual Switch
Slide 53: Introduction
With cloud computing, the number of virtual switches begins to expand dramatically
Management complexity, security issues and even performance degradation follow
Software- and hardware-based virtual switches, as well as the integration of open-source hypervisors with virtual switch technology, are presented
Slide 54: Software-Based Virtual Switch
The hypervisors implement a vSwitch
Each VM has at least one virtual network interface card (vNIC) and shares the physical network interface cards (pNICs) of the physical host through the vSwitch
Administrators don't have an effective solution to separate packets from different VM users
For VMs residing in the same physical machine, their traffic visibility is a big issue: VM-to-VM traffic never leaves the host, so physical taps, firewalls and IDS sensors do not see it
Slide 55: Issues of Traditional vSwitch
Traditional vSwitches lack advanced networking features such as VLAN, port mirroring, port channels, etc.
Some hypervisor vSwitch vendors provide technologies to fix the above problems
Open vSwitch addresses them in software, for the reasons on the following slides
Slide 56: Open vSwitch
A software-based solution
Resolves the problems of network separation and traffic visibility, so cloud users can be assigned VMs with elastic and secure network configurations
Flexible controller in user space
Fast datapath in kernel
[Figure: a server running the Open vSwitch datapath (kernel) and the Open vSwitch controller (user space)]
Slide 57: Open vSwitch Concepts
Multiple ports to physical switches
A port may have one or more interfaces
Bonding allows more than one interface per port
Packets are forwarded by flow
Visibility: NetFlow, sFlow, mirroring (SPAN/RSPAN/ERSPAN)
IEEE 802.1Q support
Enables the virtual LAN function
By attaching a VLAN ID to Linux virtual interfaces, each user gets its own LAN environment separated from other users
Slide 58: Open vSwitch Concepts
Fine-grained ACLs and QoS policies
L2–L4 matching
Actions to forward, drop, modify, and queue
HTB and HFSC queuing disciplines
Centralized control through OpenFlow
Works on Linux-based hypervisors: Xen, XenServer, KVM, VirtualBox
Slide 59: Open vSwitch Contributors (partial)
[Figure]
Slide 60: Packets are Managed as Flows
A flow may be identified by any combination of:
Input port
VLAN ID (802.1Q)
Ethernet source MAC address
Ethernet destination MAC address
IP source address
IP destination address
TCP/UDP/... source port
TCP/UDP/... destination port
Slide 61: Packets are Managed as Flows
The 1st packet of a flow is sent to the controller
The controller programs the datapath's actions for a flow
Usually one, but may be a list
Actions include:
Forward to a port or ports
Mirror
Encapsulate and forward to controller
Drop
And returns the packet to the datapath
Subsequent packets are handled directly by the datapath
Slide 62: Migration
KVM and Xen provide live migration
With bridging, IP address migration must occur within the same L2 network
Open vSwitch avoids this problem using GRE tunnels, which stretch the L2 segment across an IP network
Slide 63: Hardware-Based Virtual Switch
Why hardware-based?
Software virtual switches consume CPU and memory
Possible inconsistency between network and server configurations may cause errors and is very hard to troubleshoot and maintain
Hardware-based virtual switch solutions emerge for better resource utilization and configuration consistency
Slide 64: Virtual Ethernet Port Aggregator
A standard led by HP, Extreme, IBM, Brocade, Juniper, etc.
An emerging technology as part of the IEEE 802.1Qbg Edge Virtual Bridging (EVB) standard
The main goal of VEPA is to allow traffic of VMs to exit and re-enter the same server physical port to enable switching among VMs
Slide 65: Virtual Ethernet Port Aggregator
A VEPA software update is required for host servers in order to force packets to be transmitted to external switches
An external VEPA-enabled switch is required for communication between VMs in the same server
VEPA requires a "hairpin" (reflective relay) mode on the switch, which allows traffic to be sent back out the same port it was just received on; this requires a firmware update to existing switches
Slide 66: Pros and Cons of VEPA
Pros:
Minor software/firmware update, network configuration maintained by external switches
Cons:
VEPA still consumes server resources in order to perform the forwarding table lookup
Slide 67: References
N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner, "OpenFlow: Enabling Innovation in Campus Networks," ACM Computer Communication Review, Vol. 38, Issue 2, pp. 69-74, April 2008
OpenFlow Switch Specification V 1.1.0
Richard Wang, Dana Butnariu, and Jennifer Rexford, "OpenFlow-based server load balancing gone wild," Workshop on Hot Topics in Management of Internet, Cloud, and Enterprise Networks and Services (Hot-ICE), Boston, MA, March 2011
Saurav Das, Guru Parulkar, Preeti Singh, Daniel Getachew, Lyndon Ong, Nick McKeown, "Packet and Circuit Network Convergence with OpenFlow," Optical Fiber Conference (OFC/NFOEC'10), San Diego, March 2010
Nikhil Handigol, Srini Seetharaman, Mario Flajslik, Nick McKeown, Ramesh Johari, "Plug-n-Serve: Load-Balancing Web Traffic using OpenFlow," ACM SIGCOMM Demo, Aug 2009
NOX: Towards an Operating System for Networks
https://sites.google.com/site/routeflow/home
http://www.openflow.org/
http://www.opennetsummit.org/
https://www.opennetworking.org/
http://conferences.sigcomm.org/sigcomm/2010/papers/sigcomm/p195.pdf
http://searchnetworking.techtarget.com/
Slide 68: References
Network Virtualization with Cloud Virtual Switch
S. Horman, "An Introduction to Open vSwitch," LinuxCon Japan, Yokohama, Jun. 2, 2011
J. Pettit, J. Gross, "Open vSwitch Overview," Linux Collaboration Summit, San Francisco, Apr. 7, 2011
J. Pettit, "Open vSwitch: A Whirlwind Tour," Mar. 3, 2011
Access Layer Network Virtualization: VN-Tag and VEPA
OpenFlow Tutorial
Slide 69: Network Virtualization
Slide 70: Network Design Rules
Hierarchical approach
Traffic is aggregated hierarchically from an access layer into a layer of distribution switches and finally onto the network core.
A hierarchical approach to network design has proven to deliver the best results in terms of optimizing scalability, improving manageability, and maximizing network availability.
Slide 71: Network Virtualization
What is network virtualization?
Slide 72: Network Virtualization
What is network virtualization? In computing, network virtualization is the process of combining hardware and software network resources and network functionality into a single, software-based administrative entity, a virtual network.
Two categories:
External network virtualization: combine many networks, or parts of networks, into a virtual unit.
Internal network virtualization: provide network-like functionality to the software containers on a single system.
Slide 73: Network Virtualization
Desirable properties of network virtualization:
Scalability: easy to extend resources as needed; the administrator can dynamically create or delete virtual network connections
Resilience: recovers from failures; the virtual network automatically redirects packets over redundant links
Security: increased path isolation and user segmentation; the virtual network should work with firewall software
Availability: access network resources anytime
Slide 74: Network Virtualization
External network virtualization in different layers:
Layer 1: virtualization is seldom implemented in the physical data transmission layer.
Layer 2: tags added to Ethernet frames provide virtualization. Example: VLAN.
Layer 3: tunnel techniques form a virtual network. Example: VPN.
Layer 4 or higher: an overlay network built for an application. Example: P2P.
Slide 75: Network Virtualization
Internal network virtualization in different layers:
Layer 1: the hypervisor usually does not need to emulate the physical layer.
Layer 2: virtual L2 network devices, such as a switch, implemented in the hypervisor. Example: Linux TAP driver + Linux bridge.
Layer 3: virtual L3 network devices, such as a router, implemented in the hypervisor. Example: Linux TUN driver + Linux bridge + iptables.
Layer 4 or higher: virtualization at layer 4 or above is usually implemented in the guest OS; applications make their own choice.
Slide 76: Network virtualization
Introduction
External network virtualization
Internal network virtualization
Slide 77: Network Virtualization
Two virtualization components:
Device virtualization: virtualize the physical devices (routers, switches) in the network
Data path virtualization: virtualize the communication path between network access points
[Figure: router, switch and the data path between them]
Slide 78: Network Virtualization
Device virtualization
Layer 2 solution: divide a physical switch into multiple logical switches.
Layer 3 solution: VRF (Virtual Routing and Forwarding) emulates isolated routing tables within one physical router.
Slide 79: Network Virtualization
Data path virtualization
Hop-to-hop case: the virtualization is applied on a single-hop data path.
Hop-to-cloud case: virtualization tunnels allow a multi-hop data path.
Slide 80: Network Virtualization
Protocol approach: protocols usually used for data-path virtualization.
Three implementations:
802.1Q – implements hop-to-hop data-path virtualization
MPLS (Multiprotocol Label Switching) – implements router and switch layer virtualization
GRE (Generic Routing Encapsulation) – implements virtualization among a wide variety of networks with a tunneling technique
Slide 81: Network Virtualization
802.1Q
Standard by IEEE 802.1
Does not encapsulate the original frame
Adds a 32-bit field between the source MAC address and the EtherType field:
TPID (2B): tag protocol identifier, 0x8100, which sits where the EtherType was so that receivers recognise the tag
TCI (2B): 3-bit priority code point, 1-bit DEI, 12-bit VLAN number
CE: Customer Edge router; PE: Provider Edge router
Slide 82: Network Virtualization
[Figure: Example of 802.1Q. Two virtual networks, VN 1 and VN 2, each with a source and a destination, share one physical network; the VLAN tag keeps their frames apart]
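The 4-byte tag described on the 802.1Q slide, as an added Python frame builder and parser written for this page (not from the slides). The tag is TPID 0x8100 followed by the 16-bit TCI (3-bit priority code point, 1-bit DEI, 12-bit VLAN ID); the parser also walks stacked tags (an 802.1ad service tag, TPID 0x88a8, outside a customer tag) so that a double-tagged frame is reported as such rather than mistaken for an untagged one, which is the case a filter that only looks at the first EtherType gets wrong. The MAC addresses and payload are constructed.

```python
"""IEEE 802.1Q tagging: insert, parse and strip the 4-byte VLAN tag.

Added example written for this page.  Layout after the two MAC addresses:
  TPID (16 bits) = 0x8100            (0x88a8 for an 802.1ad service tag)
  TCI  (16 bits) = PCP:3 | DEI:1 | VID:12
followed by the original EtherType and payload; the frame is not encapsulated.
"""
import struct

TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8
TPIDS = (TPID_8021Q, TPID_8021AD)


def add_vlan_tag(frame, vid, pcp=0, dei=0, tpid=TPID_8021Q):
    """Return frame with a tag inserted between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:          # 0 = priority-only tag, 4095 reserved
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def parse_vlan_tags(frame):
    """Return (tags, ethertype, payload); tags is a list of (tpid, pcp, dei, vid)
    from outermost to innermost, empty for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags, off = [], 12
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TPIDS:
            return tags, etype, frame[off + 2:]
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4


def outer_vid(frame):
    """The VLAN a switch forwards this frame in: the outermost tag's VID
    (None for an untagged frame)."""
    tags, _, _ = parse_vlan_tags(frame)
    return tags[0][3] if tags else None


def strip_outer_tag(frame):
    """Remove one tag, as a switch does on an untagged (access) egress port."""
    tags, _, _ = parse_vlan_tags(frame)
    if not tags:
        return frame
    return frame[:12] + frame[16:]


# Constructed untagged IPv4 frame: dst MAC, src MAC, EtherType 0x0800, dummy IP header.
UNTAGGED = (bytes.fromhex("001f000000010020000000020800")
            + bytes.fromhex("4500001400010000400600000a0000010a000002"))

if __name__ == "__main__":
    tagged = add_vlan_tag(UNTAGGED, vid=100, pcp=5)
    print(parse_vlan_tags(tagged)[0])                       # [(33024, 5, 0, 100)]
    qinq = add_vlan_tag(tagged, vid=200, tpid=TPID_8021AD)  # service tag outside
    print(parse_vlan_tags(qinq)[0])
```

strip_outer_tag() is the operation an access port performs on egress, and it is why a double-tagged frame matters: after the outer tag is removed the inner tag is still there, so the next switch forwards the frame in the inner VLAN. A parser that stops after the first tag, or reports the frame as untagged when it sees 0x88a8, cannot tell the two cases apart.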
Slide 83: Network Virtualization
MPLS (Multiprotocol Label Switching)
Also classified as layer 2.5 virtualization
Adds one or more labels to the packet
Needs label switch routers (LSR) to read the MPLS header
Slide 84: Packet Traversing a Label-Switched Path
[Figure]
Slide 85: Network Virtualization
[Figure: Example of MPLS. Customer edge (CE) routers of VN 1 and VN 2 connect to label edge routers (LER); label switch routers (LSR) in the core forward each virtual network's packets by label over the same physical network]
Slide 86: Network Virtualization
GRE (Generic Routing Encapsulation)
GRE is a tunnel protocol developed by Cisco (standardized in RFC 2784)
Encapsulates a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol internetwork
Stateless property: the end-point doesn't keep information about the state of the tunnel
[Figure: built tunnel]
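The Open vSwitch migration slide and the GRE slide both rest on carrying an Ethernet frame inside GRE over IP (RFC 2784, with the key extension of RFC 2890); Open vSwitch's GRE ports use GRE protocol type 0x6558 (transparent Ethernet bridging) and the 32-bit key as the tunnel identifier. The added Python below, written for this page and not taken from Open vSwitch, builds and parses such a packet including the outer IPv4 header; the addresses and the inner frame are constructed. Note what the receiver cannot check: GRE carries no authentication, and the key is an identifier rather than a secret, so anyone who can deliver IP protocol 47 packets to the tunnel endpoint can inject frames into the stretched L2 segment unless the underlay filters them or the tunnel is wrapped in IPsec.

```python
"""Ethernet-over-GRE (RFC 2784 + RFC 2890 key) with an outer IPv4 header.

Added example written for this page; not Open vSwitch code.
GRE header: | C R K S reserved0 ver(3) | protocol type | [checksum+reserved1] [key] [sequence]
"""
import socket
import struct

IPPROTO_GRE = 47
GRE_PROTO_TEB = 0x6558        # transparent Ethernet bridging: payload is an Ethernet frame
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000


def ipv4_checksum(hdr):
    """RFC 1071 one's-complement sum; 0 when run over a header with a valid checksum."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len, proto=IPPROTO_GRE, ttl=64, ident=0):
    """Minimal 20-byte IPv4 header (no options), DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encap(frame, key=None, proto=GRE_PROTO_TEB):
    """GRE header (key present only when given) followed by the frame."""
    flags = GRE_FLAG_K if key is not None else 0
    hdr = struct.pack("!HH", flags, proto)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + frame


def gre_decap(gre, expected_key=None):
    """Return (proto, key, payload); rejects unknown versions and key mismatches."""
    flags, proto = struct.unpack_from("!HH", gre, 0)
    if flags & 0x0007:
        raise ValueError("unsupported GRE version %d" % (flags & 7))
    off, key = 4, None
    if flags & GRE_FLAG_C:
        off += 4                                    # checksum + reserved1, not verified here
    if flags & GRE_FLAG_K:
        (key,) = struct.unpack_from("!I", gre, off)
        off += 4
    if flags & GRE_FLAG_S:
        off += 4                                    # sequence number, ignored
    if expected_key is not None and key != expected_key:
        raise ValueError("GRE key mismatch: got %r" % key)
    return proto, key, gre[off:]


def tunnel_send(frame, local_ip, remote_ip, key):
    """What the sending tunnel endpoint puts on the wire (outer Ethernet omitted)."""
    gre = gre_encap(frame, key)
    return ipv4_header(local_ip, remote_ip, len(gre)) + gre


def tunnel_receive(packet, expected_key):
    """Validate the outer IPv4 header and return the inner Ethernet frame."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("not GRE")
    total_len = struct.unpack_from("!H", packet, 2)[0]
    proto, _key, frame = gre_decap(packet[ihl:total_len], expected_key)
    if proto != GRE_PROTO_TEB:
        raise ValueError("GRE payload is not an Ethernet frame")
    return frame


# Constructed inner frame: broadcast dst MAC, src MAC, EtherType 0x0806 (ARP), dummy body.
INNER = bytes.fromhex("ffffffffffff0020000000020806") + b"\x00" * 28

if __name__ == "__main__":
    wire = tunnel_send(INNER, "192.0.2.10", "192.0.2.20", key=42)
    print(len(wire), tunnel_receive(wire, 42) == INNER)
```

On a real host the equivalent Open vSwitch port is created with ovs-vsctl add-port br0 gre0 -- set interface gre0 type=gre options:remote_ip=192.0.2.20 options:key=42 (the addresses here are constructed). The receive side above checks the IP header, the GRE version and the key, which is everything the protocol offers; it cannot tell a legitimate peer from a spoofed source address, so the underlay's filtering of protocol 47 is part of the tunnel's security boundary.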
Slide 87: Network virtualization
Introduction
External network virtualization
Internal network virtualization
Slide 88: Internal Network Virtualization
Internal network virtualization: a single system is configured with containers, such as the Xen domain, combined with hypervisor control programs or pseudo-interfaces such as the VNIC, to create a "network in a box".
This solution improves the overall efficiency of a single system by isolating applications to separate containers and/or pseudo-interfaces.
Virtual machine and virtual switch:
The VMs are connected logically to each other so that they can send data to and receive data from each other.
Each virtual network is serviced by a single virtual switch.
A virtual network can be connected to a physical network by associating one or more network adapters (uplink adapters) with the virtual switch.
Slide 89: Internal Network Virtualization
Properties of a virtual switch:
A virtual switch works much like a physical Ethernet switch.
It detects which VMs are logically connected to each of its virtual ports and uses that information to forward traffic to the correct virtual machines.
Typical virtual network configuration:
Communication network: connects VMs on different hosts
Storage network: connects VMs to a remote storage system
Management network: individual links for system administration
Slide 90: Internal Network Virtualization
Network virtualization example from VMware
[Figure]
Slide 91: KVM Approach
In a KVM system, KVM focuses on CPU and memory virtualization, so the I/O virtualization framework is completed by QEMU.
In QEMU, the network interfaces of virtual machines connect to the host through the TUN/TAP driver and a Linux bridge.
Virtual machines connect to the host by a virtual network adapter, which is implemented by the TUN/TAP driver.
Virtual adapters connect to Linux bridges, which play the role of the virtual switch.
Slide 92: KVM Approach
TUN/TAP driver
TUN and TAP are virtual network kernel drivers:
TAP (as in network tap) simulates an Ethernet device and operates with layer 2 packets such as Ethernet frames.
TUN (as in network TUNnel) simulates a network layer device and operates with layer 3 packets such as IP.
Data flow of the TUN/TAP driver:
Packets sent by the operating system via a TUN/TAP device are delivered to a user-space program that attaches itself to the device.
A user-space program may pass packets into a TUN/TAP device. The TUN/TAP device delivers (or "injects") these packets to the operating system network stack, thus emulating their reception from an external source.
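The attach-and-inject data flow described on the TUN/TAP slide, as an added Python example written for this page (not from the slides or from QEMU): the user-space program opens /dev/net/tun, binds it to a named TAP interface with the TUNSETIFF ioctl, and from then on frames it writes appear to the kernel as received on that interface while frames the kernel transmits on it can be read back. Creating the device needs CAP_NET_ADMIN, so only tun_ifreq(), which packs the ifreq structure the ioctl expects, runs without privileges; the interface name and the injected frame are constructed.

```python
"""Attach a user-space program to a TAP device and inject/read Ethernet frames.

Added example written for this page.  Creating the device needs CAP_NET_ADMIN
(root); tun_ifreq() is pure and can be checked without privileges.
"""
import fcntl
import os
import struct

TUNSETIFF = 0x400454CA          # _IOW('T', 202, int) from <linux/if_tun.h>
IFF_TUN = 0x0001                # L3 device: packets start at the IP header
IFF_TAP = 0x0002                # L2 device: packets are whole Ethernet frames
IFF_NO_PI = 0x1000              # omit the 4-byte packet-information prefix
IFNAMSIZ = 16


def tun_ifreq(name, tap=True, no_pi=True):
    """Pack the struct ifreq that TUNSETIFF expects: ifr_name, then ifr_flags."""
    raw = name.encode()
    if not raw or len(raw) >= IFNAMSIZ:
        raise ValueError("interface name must be 1..15 bytes")
    flags = (IFF_TAP if tap else IFF_TUN) | (IFF_NO_PI if no_pi else 0)
    return struct.pack("16sH14x", raw, flags)


def ifreq_flags(ifreq):
    """Decode the flags back out of a packed ifreq (used for checking)."""
    return struct.unpack_from("16sH", ifreq)[1]


def open_tap(name, tap=True):
    """Open /dev/net/tun and bind it to `name`.  Frames written to the returned
    fd are delivered to the host stack as if received on that interface; frames
    the host stack transmits on the interface can be read from the fd."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    fcntl.ioctl(fd, TUNSETIFF, tun_ifreq(name, tap))
    return fd


def inject(fd, frame):
    """Hand one Ethernet frame to the kernel as if it arrived from the wire."""
    return os.write(fd, frame)


def read_frame(fd, mtu=1500):
    """Read one frame the host stack transmitted on the TAP."""
    return os.read(fd, mtu + 14)


if __name__ == "__main__":
    # Needs root.  Afterwards: ip link set tap0 up, then attach tap0 to a bridge
    # (or an Open vSwitch port) and it behaves like a cable into that switch.
    fd = open_tap("tap0")
    # Constructed broadcast ARP frame with a dummy body.
    inject(fd, bytes.fromhex("ffffffffffff0200000000010806") + b"\x00" * 28)
```

The security-relevant point of the mechanism is visible in open_tap(): whoever holds the file descriptor can put arbitrary frames, with arbitrary source MACs, onto the bridge the TAP is attached to. That is exactly what QEMU needs for a guest's vNIC, and also why the descriptor (or the ability to open /dev/net/tun) must not be handed to anything that should not be able to speak on that virtual switch.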
Slide 93: KVM Approach
[Figure]
Slide 94: KVM Approach
Linux bridge
Bridging is a forwarding technique used in packet-switched computer networks.
Unlike routing, bridging makes no assumptions about where in a network a particular address is located.
Bridging depends on flooding and examination of source addresses in received packet headers to locate unknown devices.
Bridging connects multiple network segments at the data link layer (Layer 2) of the OSI model.
Slide 95: KVM Approach
TAP/TUN driver + Linux bridge
[Figure]
Slide 96: Xen Approach
In a Xen system:
Since it is implemented by para-virtualization, the guest OS loads modified network interface drivers.
The modified network interface drivers, which act as the TAP does in the KVM approach, communicate with virtual switches in Dom0.
The virtual switch in Xen can be implemented by a Linux bridge or work with other approaches.
Slide 97: Network Virtualization Summary
Virtualization in layers: usually in Layer 2 and Layer 3
External network virtualization:
Layer 2: 802.1Q
Layer 3: MPLS, GRE
Internal network virtualization:
Traditional approach: TAP/TUN + Linux bridge
New technique: virtual switch
Slide 98: Reference
Books:
Kumar Reddy & Victor Moreno, Network Virtualization, Cisco Press 2006
Web resources:
Linux Bridge http://www.ibm.com/developerworks/cn/linux/l-tuntap/index.html
Xen networking http://wiki.xensource.com/xenwiki/XenNetworking
VMware Virtual Networking Concepts http://www.vmware.com/files/pdf/virtual_networking_concepts.pdf
TUN/TAP wiki http://en.wikipedia.org/wiki/TUN/TAP
Network Virtualization wiki http://en.wikipedia.org/wiki/Network_virtualization
Papers:
A. Menon, A. Cox, and W. Zwaenepoel. Optimizing Network Virtualization in Xen. Proc. USENIX Annual Technical Conference (USENIX 2006), pages 15–28, 2006.