3.6 Software-Defined Networks and OpenFlow 3.6.1 Software-defined Networking SDN (Software-defined networking) is a new network architecture for the Internet that makes it easier to program networks. with the core idea that software controls network hardware in a distributed system.* *) I thank Professor Dr. David Hausheer for letting me use some of his transparencies.
Increasing Number of Network Protocols and Standards These diverse requirements have led to a large number of protocols and standards in 30+ years Ref: http://www.tehowners.com/info/Internet%20&%20Communication/Network%20Protocol.gif
Problem: Limited Flexibility (1) Switches and routers are closed “black” boxes. They support standard protocols and proprietary protocols of a manufacturer. No easy changes without support of manufacturer Network protocols seem to be “hard-coded“
Problem: Limited Flexibility (2) And even if the switch/router hardware and software was open: Adding new network protocols and functions is hard. Have you ever written a Linux kernel module? Compare this to programming a user-space application Have you ever used VERILOG? Compare this to C/C++, Java, Python, … WRT54L NetFPGA
Traditional Network of Switches and/or Routers
Traditional Control Mechanisms A distributed algorithm runs between neighbors Closed Boxes
A Software-Defined Network (SDN) e.g. routing, access control Control Program Global Network View Network OS Project 2 would have been trivial: Dijkstra on a graph.
Benefits of SDN (1) Software defined-networking leverages increased flexibility. Easy modification of the network control logic From “hard-coded” logic to exchangeable software API to program the network Software (application) “defines” the network High-level programming languages For the implementation of logic Can easily benefit from powerful integrated developing environments Reduced switch complexity Remove control logic from switch and host it on dedicated servers Preserve the same forwarding performance! The packet forwarding hardware still supports efficient forwarding.
Benefits of SDN (2) Integrated system: application and network Global view onto the system Reducing the complexity of implementing the control logic Distribution transparency
Architecture of an SDN System Control Logic Control Logic Control Logic Northbound Interface Controller Southbound Interface
Control Plane and Data Plane Separation Control plane: defines routes, manages network graph Data plane: forwards packets Control Logic Control Logic Control Logic Control Plane Data Plane Data Plane Data Plane Data Plane Data Plane
A Logically Centralized Controller Control Logic Control Logic Control Logic Control Plane logically centralized physically distributed Data Plane Data Plane Data Plane Data Plane Data Plane
Network OS Network OS: a distributed system that creates a consistent, up-to-date network view. The network OS runs on all servers (controllers) in the network uses an open protocol to get state information from forwarding elements give control directives to forwarding elements.
Logically Centralized Routing Centralized optimization is easy. Faster convergence higher resource utilization Simpler routing algorithm on the global view Converges to the new optimum in one step 10 5 5 S1 10 5 5 S2
3.6.2 The OpenFlow Protocol: Overview OpenFlow is the de facto standard for the “southbound” interface. Defined by the Open Networking Foundation Major vendors (Cisco, IBM, NEC, HP, Alcatel-Lucent, VMWare, …) Interface to a single packet forwarding hardware No aspects of control plane distribution defined Basic functionality Modification of flow tables (adding, removing, modifying entries) Injecting packets Events for receiving packets (reactive routing) Querying traffic statistics (counters)
Southbound Interface: The OpenFlow Protocol Control Logic Control Logic Control Logic Northbound Interface Controller Southbound Interface OpenFlow
Control Path vs. Data Path Control Path (Software) Data Path (Hardware)
OpenFlow Controller Control Path OpenFlow Data Path (Hardware) OpenFlow Protocol OpenFlow Controller OpenFlow Protocol (SSL/TCP) Control Path OpenFlow Data Path (Hardware)
OpenFlow Protocol Example PC OpenFlow Client Software Layer Controller Flow Table MAC src dst IP Src Dst TCP sport dport Action Hardware Layer * 5.6.7.8 port 1 port 1 port 2 port 3 port 4 5.6.7.8 1.2.3.4
OpenFlow Basics: Flow Table Entries Rule Action Statistics packet + byte counters Forward packet to zero or more ports Encapsulate and forward to the controller Send to the normal processing pipeline Modify fields any extensions you may add! Now I’ll describe the API that tries to meet these goals. Switch Port VLAN ID VLAN pcp MAC src MAC dst Eth type IP Src IP Dst IP ToS IP Prot TCP sport TCP dport
Flow Tables and Flow Entries Flow tables consist of a list of flow entries. Flow entry (slightly simplified): Match field: Defines matching packets Priority: Precedence if multiple entries match Counters: Counts matching packets Instructions: Modification and forwarding of a packet Timeout: Removes the entry after a certain (idle) time
Examples (1) Switching Switch Port MAC src dst Eth type VLAN ID IP Src Prot TCP sport dport Action * * 00:1f:.. * * * * * * * port4 Flow Switching Switch Port MAC src dst Eth type VLAN ID IP Src Dst Prot TCP sport dport Action port3 00:20.. 00:1f.. 0800 vlan1 1.2.3.4 5.6.7.8 4 17264 80 port4 Firewall Switch Port MAC src dst Eth type VLAN ID IP Src Dst Prot TCP sport dport Action * * * * * * * * * 22 drop
Examples (2) Routing Switch Port MAC src dst Eth type VLAN ID IP Src Prot TCP sport dport Action * * * * * * 5.6.7.8 * * * port4
Proactive vs. Reactive Routing Routes defined by a set of flow table entries along the path of packets So far, we know what a flow table entry contains. Question now: When do we set up flow table entries? Two options: Proactively: before the flow starts Reactively: as soon as the flow starts Controller path
Proactive Routing Controller Controller proactively “pushes“ flow table entries onto the packet forwarding elements. Advantage: Reduces controller load No reactive handling of packets Disadvantage: Occupies space in the flow tables Even without traffic Size of the flow table is limited! Controller add entry Control Logic
Reactive Routing (1) Controller Switch receives a packet without a matching flow table entry Switch redirects packet to the controller packet_in event occurs at the controller Forwarded to the control logic Control logic calculates route Controller packet-in event packet Control Logic
Reactive Routing (2) Controller Controller installs flow table entries along path. Controller add entry Control Logic
Reactive Routing (3) Controller Further packets of the flow do not involve the controller again. Controller packet No packet-in events of this flow anymore until timeout of flow table entries
Reactive Routing (4) Advantage: Saves flow table space Disadvantage: Puts load on the controller and the control network Not such a big problem for TCP Sender blocked until connection setup is done Beware: Connectionless UDP can send at full rate immediately (without warning)!
Required Information for Routing Dynamic routing requires knowledge of the network status Network topology (nodes and links) Packet forwarding elements and hosts Links between packet forwarding elements Links between hosts and packet forwarding elements Bandwidth of links Traffic statistics Number of packets or bytes Number of dropped packets, receive/transmit errors, etc. Per flow (entry), link/port, group, etc.
Secure Channel and Discovery Protocol A secure channel from the switch to the controller is needed. Security is important because opening the interface to remote software opens up new possibilities for attacks! The secure channel is an SSL connection with a site-specific key. It provides encryption and authentication. A controller discovery protocol is needed: When a new packet forwarding element is installed it initially has an empty for-warding table and does not know how to forward packets. The discovery protocol broadcasts the presence of a packet forwarding element so that a controller can establish an association with it and configure its forwarding table.
OSPF Over SDN Example (1) Classic OSPF (Open Shortest Path First) described in RFC 2328: 245 pages A distributed protocol builds a consistent, up-to-date map of the network in a distributed fashion: 101 pages Dijkstra’s Algorithm operates on the network map: 4 pages
OSPF Over SDN Example (2) OSPF = Dijkstra IS-IS Network OS Packet Forwarding Distributed System OSPF IS-IS Distributed System Distributed System OS Custom Hardware
Virtual Networks Example (1) Control Program Global Network View Network OS
Virtual Networks Example (2) Control Program Abstract Network Model Network Virtualization Global Network View Network OS
Virtual Networks Example (3) Specifies behavior Control Program Abstract Network Model Compiles to topology Network Virtualization Global Network View Transmits to switches Network OS
Other SDN Use Cases Energy conservation, routing and management in large data centers Seamless use of diverse wireless networks Network-based load balancing Traffic engineering Experimentation with new approaches and protocols Run a virtual shadow network for traffic analysis and re-configuration and many more … On top of this national OPEN infrastructure, we and others demonstrated a number of new network capabilities at GENI Engineering Conference in Washington DC. The new network capabilities include these … You will see some of them later.
How Well Does SDN Work? Is it modular, i.e., does it allow new protocols? Yes! Is it incrementally deployable? Yes Is it scalable? Yes Is it more responsive than traditional routing? Yes Does it create a single point of failure? No Is it inherently less secure? Yes
Status of SDN The Open Networking Foundation standardizes SDN. SDN was now endorsed by 49 companies. Almost everyone who matters … A few products available in the market, many more coming soon.
Conclusion Software-Defined Networking is a new architecture for networks. It separates the network implementation into a distributed system of packet forwarding elements and a network OS on top of them. The switching node hardware consists of a fast but dumb packet forwarding hardware and an intelligent, slow general-purpose CPU on top of it. OpenFlow is a protocol to run on top of a network of SDN packet forwarding elements. It is based on header:action entries and spans several layers.