Sponsored by the National Science Foundation Tutorial: OpenFlow in GENI

Sponsored by the National Science Foundation 2 “The current Internet is at an impasse because new architecture cannot be deployed or even adequately evaluated” [PST04] Modified slide from: [PST04]: Overcoming the Internet Impasse through Virtualization, Larry Peterson, Scott Shenker, Jonothan Turner Hotnets 2004

Sponsored by the National Science Foundation 3 OpenFlow… Enables innovation in networking Changes practice of networking Google’s SDN WAN

Sponsored by the National Science Foundation 4 OpenFlow basics How OpenFlow works … (1.0) Hands-on tutorial OpenFlow basics

Sponsored by the National Science Foundation 5 Traditional Switch

Sponsored by the National Science Foundation 6 OpenFlow’s basic idea

Sponsored by the National Science Foundation 7 OpenFlow is an API Modified slide from : Control how packets are forwarded Implementable on COTS hardware Make deployed networks programmable –not just configurable Makes innovation easier

Sponsored by the National Science Foundation 8 Network Devices NAT firewall DHCP DNS switch VPN router gateway proxy access point Any network device can be OpenFlow enabled software

Sponsored by the National Science Foundation 9 Network Function Virtualization (NFV) Slide from:

Sponsored by the National Science Foundation 10 OpenFlow benefits [1] External control –Enables network Apps –General-purpose computers (Moore’s Law) –Deeper integration –Network hardware becomes a commodity Centralized control –One place for apps to interact (authentication, auth, etc) –Simplifies algorithms –Global Optimization and planning [1]: OpenFlow: A radical New idea in Networking, Thomas A. Limoncelli CACM 08/12 (Vol 55 No. 8)

Sponsored by the National Science Foundation 11 Network Types Campus Multiple buildings, heterogeneous IT, groups of users, campus backbone Enterprise Data Centers Security, various sizes, storage, WAN optimizations Data Centers – Clouds Multi-tenant, virtualization, disaster recovery, VM mobility WAN Diversity, multiple domains/carriers/users

Sponsored by the National Science Foundation 12 Deployment Stories Google global private WAN [1] Connects dozens of datacenters worldwide with a long-term average of 70% utilization over all links Stanford Campus deployment Part of Stanford campus migrated to OpenFlow NTT’s BGP Free Edge Internet 2 - AL2S Can build Layer 2 circuits between any Internet 2 end-points [1] B4: Experience with a Globally-Deployed Software Defined WAN, SIGCOMM’13, Jain et al.

Sponsored by the National Science Foundation 13 GENI and OpenFlow deployment Key GENI concept: slices & deep programmability –Internet: open innovation in application programs –GENI: open innovation deep into the network Good old Internet Slice 0 Slice 1 Slice 2 Slice 3 Slice 4 Slice 1 OpenFlow switches one of the ways GENI is providing deep programmability

Sponsored by the National Science Foundation 14 GENI OpenFlow Deployment OpenFlow-enabled hardware switch at: –Each GENI Rack –Backbone and regional networks

Sponsored by the National Science Foundation 15 GENI OpenFlow Experiments Prasad Calyam, Missouri Dipankar (Ray) Raychaudhuri, Rutgers, leads MobilityFirst Jae Woo Lee, Columbia VDC: real-time load-balancing functionality deep into the network to improve QoE MobilityFirst: A new architecture for the Internet designed for emerging mobile/wireless service requirements at scale Active CDN: Program content distribution services deep into the network

Sponsored by the National Science Foundation 16 OpenFlow basics Hands-on tutorial How OpenFlow works … (1.0)

Sponsored by the National Science Foundation 17 OpenFlow versions (Dec ’09) OpenFlow Simple & widely supported (Feb ‘11) OpenFlow Not implemented by HW vendors (Dec ‘11) OpenFlow 1.2 First ONF standard (‘12/’13) OpenFlow 1.3.x Complex & support in progress (Oct ‘13) OpenFlow 1.4 (‘11) Open Networking Foundation (ONF) formed to shepherd standards (Oct‘13) OpenFlow Under ratification Docs at:

Sponsored by the National Science Foundation 18 OpenFlow controllers Open source controller frameworks –NoX/PoX –Open Daylight –FloodLight (BigSwitch) –Trema (NEC) –Maestro –Ryu Production controllers –Mostly customized solutions based on Open Source frameworks –ProgrammableFlow - NEC

Sponsored by the National Science Foundation 19 OpenFlow Switch Data Path (Hardware) Control Path OpenFlow Any Host OpenFlow Controller OpenFlow Protocol (SSL/TCP) Modified slide from : The controller is responsible for populating forwarding table of the switch In a table miss the switch asks the controller

Sponsored by the National Science Foundation 20 OpenFlow in action Switch Data Path (Hardware) Control Path OpenFlow Any Host OpenFlow Controller OpenFlow Protocol (SSL/TCP) Modified slide from : Host1 sends a packet If there are no rules about handling this packet –Forward packet to the controller –Controller installs a flow Subsequent packets do not go through the controller host1 host2

Sponsored by the National Science Foundation 21 OpenFlow Basics (1.0) Switch Port MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP ToS TCP sport TCP dport RuleActionStats 1.Forward packet to port(s) 2.Encapsulate and forward to controller 3.Drop packet 4.Send to normal processing pipeline 5.Modify Fields + mask what fields to match Packet + byte counters slide from : IP Prot VLAN PCP

Sponsored by the National Science Foundation 22 Use Flow Mods Going through the controller on every packet is inefficient Installing Flows either proactively or reactively is the right thing to do A Flow Mod consists of : –A rule/match on any of the 12 supported fields –A action about what to do with matched packets –Timeouts about the rules: Hard timeouts Idle timeouts –The packet id in reactive controllers

Sponsored by the National Science Foundation 23 OpenFlow common PitFalls Controller is responsible for all traffic, not just your application! –ARPs, DHCP, LLDP Reactive controllers –Cause additional latency on some packets –UDP – many packets queued to your controller by time flow is set up Performance in hardware switches –Not all actions are supported in hardware No STP to prevent broadcast storms

Sponsored by the National Science Foundation 24 Multiplexing Controllers FlowVisor Only one controller per switch FlowVisor is a proxy controller that can support multiple controllers FlowSpace describes packet flows : –Layer 1: Incoming port on switch –Layer 2: Ethernet src/dst addr, type, vlanid, vlanpcp –Layer 3: IP src/dst addr, protocol, ToS –Layer 4: TCP/UDP src/dst port Switch Data Path (Hardware) Control Path OpenFlow Any Host FlowVisor OpenFlow Protocol (SSL/TCP) Any Host OpenFlow Controller Any Host OpenFlow Controller OpenFlow Protocol (SSL/TCP)

Sponsored by the National Science Foundation 25 OpenFlow basics How OpenFlow works … (1.0) Hand’s on tutorial Hands-on tutorial

Sponsored by the National Science Foundation 26 OpenFlow Experiments Debugging OpenFlow experiments is hard: –Network configuration debugging requires coordination –Many networking elements in play –No console access to the switch Before deploying your OpenFlow experiment test your controller.

Sponsored by the National Science Foundation 27 Run an OpenFlow experiment 1 host as OVS switch 3 VMs connected to OVS Host1 Host2 Host3 OVS Setup OVS Write simple controllers –e.g. diverge traffic to a different server –use python controller PoX

Sponsored by the National Science Foundation 28 To Save Time … Slices have been created for you: –Slice name: ofNN Resources have been added to your slice: –1 Xen VM running OVS –3 OpenVZ VMs that act as traffic sources & sinks –Resources are from various InstaGENI racks Download your private SSH key Download key and put in a standard place: $ mv ~/Downloads/id_geni_ssh_rsa ~/.ssh/. $ chmod 0600 ~/.ssh/id_geni_ssh_rsa Add the key to your ssh-agent: $ ssh-add ~/.ssh/id_geni_ssh_rsa

Sponsored by the National Science Foundation 29 Finding your login information Browse to this page Click on the slice name (there should be only one) Scroll down to the Slice Status section Find the row for the aggregate listed on your worksheet Click the "Details" button for this row –keep this window open throughout the tutorial Find your Login information for each of the four nodes used in this exercise (OVS, host1, host2, host3)

Sponsored by the National Science Foundation 30 Part I: Design/Setup –Obtain Resources –What is OpenFlow, what can I do with Openflow? Part II: Execute –Configure and Initialize Services –Execute Experiment Part III: Finish –Teardown Experiment

Sponsored by the National Science Foundation 31 Configure OVS OVS is a virtual switch running on a xen VM The interfaces of the node are the ports of the switch –Configure an ethernet bridge –add all dataplane ports to the switch Can be an OpenFlow switch –Need to specify the controller (for convenience run on the same host but it can be anywhere) Userspace OVS for this exercise

Sponsored by the National Science Foundation 32 Configure and Initialize OVS Log in to OVS host and configure software switch: $ ifconfig $ sudo ifconfig eth1 0 $ sudo ifconfig eth2 0 $ sudo ifconfig eth3 0 $ sudo ovs-vsctl add-port br0 eth1 $ sudo ovs-vsctl add-port br0 eth2 $ sudo ovs-vsctl add-port br0 eth3 $ sudo ovs-vsctl list-ports br0 $ sudo ovs-vsctl set-controller br0 tcp: :6633 $ sudo ovs-vsctl set-fail-mode br0 secure $ sudo ovs-vsctl show Host1 Host2 Host3 OVS eth1 eth3 eth2

Sponsored by the National Science Foundation 33 Part I: Design/Setup –Obtain Resources –What is OpenFlow, what can I do with Openflow? Part II: Execute –Configure and Initialize Services –Execute Experiment Part III: Finish –Teardown Experiment

Sponsored by the National Science Foundation 34 Experiments (1/4) 1.Use a Learning Switch Controller: 1.See the traffic flow changes between hosts as the controller is started or stopped. 1.Soft versus hard timeouts for traffic flows.

Sponsored by the National Science Foundation 35 Experiments (1/4) Login host1 and start ping host2 $ ping Start learning switch controller: $ cd /local/pox $./pox.py --verbose forwarding.l2_learning Look at ping… now works. Kill controller (Ctrl-c) Look at ping… still running,

Sponsored by the National Science Foundation 36 Experiments (2/4) 2.Write and run a Traffic Duplication Controller: a)Controller will duplicate traffic to a different (physical) port on the OVS switch. b)Use tcpdump to see the packet duplication.

Sponsored by the National Science Foundation 37 Experiments (2/4) Open 2 windows on OVS host Start tcpdump for on OVS:if1 and OVS:if2 Run duplication controller on OVS:if2 $ cd /local/pox $./pox.py --verbose myDuplicateTraffic -- duplicate_port= Look at ping from host1 to host2. Kill controller (Ctrl-c)

Sponsored by the National Science Foundation 38 Experiments (3/4) 3.Write and run a (TCP) port forwarding controller: a.Controller will do port forwarding on your OVS Switch to port specified. b.Use two netcat servers on host2 to see traffic delivery.

Sponsored by the National Science Foundation 39 Experiments (3/4) Two windows on host2 run the following: $ nc -l 5000 $ nc -l 6000 Start learning switch controller: On host1: $ nc See what happens to traffic Kill controller (Ctrl-c) Retry with port forwarding controller and see what happens to traffic, and kill when done.

Sponsored by the National Science Foundation 40 Experiments (4/4) 4. Write and run a server proxy controller a.To redirect packets to a proxy: What fields do you need to overwrite? Which packets needs special handling? b.Use netcat to see the deflection

Sponsored by the National Science Foundation 41 Experiments (4/4) On host 3: $ nc –l 7000 Run proxy controller: $ cd /local/pox $./pox.py --verbose myProxy On host1: $ nc Look at host3 window, should now be getting nc traffic.

Sponsored by the National Science Foundation 42 Part I: Design/Setup –Obtain Resources –What is OpenFlow, what can I do with Openflow? –Demo: Using OpenFlow in GENI Part II: Execute –Configure and Initialize Services –Execute Experiment Part III: Finish –Teardown Experiment

Sponsored by the National Science Foundation 43 Part III: Finish Experiment When your experiment is done, you should always release your resources. –Normally this is when you would archive your data –Delete your slivers at each aggregate slice project aggregate RSpec user resource sliver AM API sliver credentials certificate