OpenFlow/SDN Beginner’s Tutorial June, Srini Seetharaman Deutsche Telekom Innovation center

Why SDN? What is SDN? 2

Critical needs for cloud DC networks 1.Tenant virtualization – Traffic isolation, prioritization and rate limiting – Overlapping IP addressing, along with IPv6 support 2.Speed up configuration to allow reduced time to revenue: – Automatically create required network configs for new tenants – Transparently bridging a L2 network will help reduce time 3.Hybrid clouds with bursting – Adding computational capacity (in the form of new VMs) as needed – Lossless live migration VM A1 Hypervisor Host 1 Switch-1 Switch-2 Switch-3 Switch-1 Switch-2 Switch-3 WAN VLAN-101-x VM B1 VM B1 VM C1 VM C1

Million of lines of source code RFCsBarrier to entry Billions of gates BloatedPower Hungry Many complex functions baked into the infrastructure OSPF, BGP, multicast, differentiated services, Traffic Engineering, NAT, firewalls, MPLS, redundant layers, … An industry with a “mainframe-mentality”, reluctant to change Welcome to the Ossified Network Specialized Packet Forwarding Hardware Operating System Operating System Feature Routing, management, mobility management, access control, VPNs, … 4

5 Current Internet Closed to Innovations in the Infrastructure Specialized Packet Forwarding Hardware Service Specialized Packet Forwarding Hardware Service Specialized Packet Forwarding Hardware Service Specialized Packet Forwarding Hardware Service Specialized Packet Forwarding Hardware Operating System Operating System Operating System Operating System Operating System Operating System Operating System Operating System Operating System Operating System Service Closed

“Software Defined Networking” approach to open it Specialized Packet Forwarding Hardware Service Specialized Packet Forwarding Hardware Service Specialized Packet Forwarding Hardware Service Specialized Packet Forwarding Hardware Service Specialized Packet Forwarding Hardware Operating System Operating System Operating System Operating System Operating System Operating System Operating System Operating System Operating System Operating System Service Network Operating System LB service FW service IP routing service

Simple Packet Forwarding Hardware The “Software-defined Network” LB service FW service IP routing service Network Operating System OpenFlow API North-bound interface API Unchanged mgmt API

How does OpenFlow work? 8

Ethernet Switch 9

Data Path (Hardware) Control Path Control Path (Software) 10

Data Path (Hardware) Control Path OpenFlow OpenFlow Controller OpenFlow Protocol (SSL/TCP) 11

Controller PC OpenFlow usage OpenFlow Switch Alice’s code Decision? OpenFlow Protocol Alice’s Rule OpenFlow offloads control intelligence to a remote software

OpenFlow Example 13 Cluster of Controllers PC Hardware Layer Software Layer OpenFlow-enabled hardware Flow Table MAC src MAC dst IP Src IP Dst TCP sport TCP dport Action OpenFlow Client (e.g., OVS) ** ***port 1 port 4port 3 port 2 port PC Software Hardware OpenFlow-enabled hardware OpenFlow protocol

OpenFlow Basics Flow Table Entries Switch Port MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP Prot L4 sport L4 dport RuleActionStats 1.Forward packet to zero or more ports 2.Encapsulate and forward to controller 3.Send to normal processing pipeline 4.Modify Fields 5.Any extensions you add! + mask what fields to match + priority + timeout (idle and hard) Packet + byte counters 14 VLAN pcp IP ToS

Examples 15 Firewall service * Switch Port MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP Prot TCP sport TCP dport Action ********22drop IP Routing service * Switch Port MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP Prot TCP sport TCP dport Action ***** ***port6 VLAN multicast service * Switch Port MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP Prot TCP sport TCP dport Action ** vlan1 ***** port6, port7, port9 00:1f..

OpenFlow benefits Hardware speed, scale, and fidelity for new services – Made possible through unified API supported by hardware platforms from multiple vendors Flexibility and control of software and simulation Vendors don’t need to expose implementation Leverages hardware inside most switches today (ACL tables implemented using TCAMs) 16

Usage examples – Network Virtualization – Network access control/firewall – Load Balancing – per flow switching – New routing for unicast, multicast, multipath – Home network manager – Network monitoring and debugging … and much more you can create! More available at openflow.org/videos

OpenFlow design, architecture and protocol evolution 18

Design choice 1: Modes of SDN Deployment 1.In-network: Existing/green-field network fabrics upgraded to support OpenFlow 2.Overlay: WITHOUT changing fabric, the intelligence is added to edge-devices, – as an additional appliance (e.g., bump-in-wire managed by controller) – as enhanced server kernel bridge (e.g., OpenVSwitch in x86 hypervisors) Control PathOpenFlow Hardware switch Data path (Hardware) Figure courtesy of Martin ONS 2012

Design choice 2: Centralized vs Distributed Control Centralized Control OpenFlow Switch OpenFlow Switch OpenFlow Switch Controller Distributed Control OpenFlow Switch OpenFlow Switch OpenFlow Switch Controller 20

Design choice 3: Per-Flow Routing vs. Aggregation Flow-Based Every flow is individually set up by controller Exact-match flow entries Flow table contains one entry per flow Good for fine grain control, e.g. campus networks Aggregated One flow entry covers large groups of flows Wildcard flow entries Flow table contains one entry per category of flows Good for large number of flows, e.g. backbone 21

Design choice 4: Reactive vs. Proactive (pre-populated) Reactive First packet of flow triggers controller to insert flow entries Efficient use of flow table Every flow incurs small additional flow setup time If control connection lost, switch has limited utility Proactive Controller pre-populates flow table in switch Zero additional flow setup time Loss of control connection does not disrupt traffic Essentially requires aggregated (wildcard) rules 22

Design choice 5: End-to-end OpenFlow vs. Hybrid Based on how OpenFlow is deployed, there may be issues coexisting with legacy networks OpenFlow controller view is not always complete. For instance, what does the controller see here? Host A X Y Non-OF switch OF switch Host B Host C Internet

OpenFlow Implementations (Switch and Controller) 24

Open-source controllers ControllerNotes Ryu Apache license Python NOX/POX GPL C++ and Python Stanford’s Beacon BSD-like license Java-based Maestro (from Rice Univ) GPL Based on Java NEC’s Trema Open-source Written in C and Ruby Included test harness Big Switch’s Floodlight Apache license Java-based 25

Sample Commercial Switches ModelVirtualizeNotes HP Procurve 5400zl or OF instance per VLAN -LACP, VLAN and STP processing before OpenFlow -Wildcard rules or non-IP pkts processed in s/w -Header rewriting in s/w -CPU protects mgmt during loop NEC IP OF instance per VLAN -OpenFlow takes precedence -Most actions processed in hardware -MAC header rewriting in h/w Brocade MLX routers Multiple OF instance per switch -Hybrid OpenFlow switch with legacy protocols and OpenFlow coexisting -OpenFlow commands can override state created by legacy protocos Pronto 3290 or 3780 with Pica8 or Indigo firmware 1 OF instance per switch -No legacy protocols (like VLAN, STP) -Most actions processed in hardware -MAC header rewriting in h/w

Hands-on Tutorial 27

Bootstrap 1.Install VirtualBox or Vmware player or Vmware Fusion 2.Import the tutorial VM appliances available at: – 64-bit: (Login: ubuntu, Passwd: ubuntu) – 32-bit: (Login: ubuntu, Passwd: ubuntu) Install X-Windows if you do not already have it – Mac user: Install xquartz – Windows user: Install xming 4.Start the VM, and “ssh -X” to its host-only IP address – VirtualBox: Ensure the vboxnet0 interface is configured for “host-only” File->Preferences->Network and “Add host-only network” button with default settings. 28

Inside the Virtual Machine openvswitch: Virtual switch programmable using OpenFlow mininet: Network emulation platform – $sudo mn --topo single,3 --mac --switch ovsk --controller remote wireshark: Graphical tool for viewing packets with OF protocol plug-in – Start wireshark: $sudo wireshark – Start capture packets going through interface “lo” and Decode as OFP dpctl: Command-line utility for checking switch status and manually inserting flow entries. – Check supported commands in manual: $ man dpctl Multiple OpenFlow controllers with sample apps prepackaged – NOX, POX, Ryu, and OpenDayLight 29

Mininet-based Virtual Topology #1 Controller port6633 Controller port6633 c0 OpenFlow Switch s1 dpctl (user space process) dpctl (user space process) h h h h h h virtual hosts OpenFlow Tutorial 3hosts-1switch Topology loopback ( :6633) loopback ( :6634) s1-eth0 s1-eth1s1-eth2 h1-eth0h2-eth0h3-eth0 30 $ sudo mn --topo single,3 --mac --switch ovsk --controller remote

Mininet-based Virtual Topology #2 OpenFlow Tutorial 2hosts-2switch Topology 31 $ sudo mn --topo linear --switch ovsk --controller remote

dpctl and wireshark workflow Before controller is started, execute the following $ dpctl show tcp: :6634 $ dpctl dump-flows tcp: :6634 mininet> h1 ping h2 $ dpctl add-flow tcp: :6634 in_port=1,actions=output:2 $ dpctl add-flow tcp: :6634 in_port=2,actions=output:1 mininet> h1 ping h2 Start controller and check OF messages on wireshark (enabling OFP decode) – Openflow messages exchanged between switch and controller: openflow/include/openflow/openflow.h /* Header on all OpenFlow packets. */ struct ofp_header { uint8_t version; /* OFP_VERSION. */ uint8_t type; /* one of the OFPT_ constants.*/ uint 16_t length; /*Length including this ofp_header. */ uint32_t xid; /*Transaction id associated with this packet..*/ }; 32 All ports of switch shown, but no flows installed. Ping fails because ARP cannot go through Ping works now!

Top 3 features in most controllers A.Event-driven model – Each module registers listeners or call-back functions – Example async events include PACKET_IN, PORT_STATUS, FEATURE_REPLY, STATS_REPLY B.Packet parsing capabilities – When switch sends an OpenFlow message, module extracts relevant information using standard procedures C.switch.send(msg), where msg can be – PACKET_OUT with buffer_id or fabricated packet – FLOW_MOD with match rules and action taken – FEATURE_REQUEST, STATS_REQUEST, BARRIER_REQUEST 33

OpenDayLight controller 34

Controller Architecture 35

Java, Maven, OSGi, Interface Java allows cross-platform execution Maven allows easier building OSGi: – Allows dynamically loading bundles – Allows registering dependencies and services exported – For exchanging information across bundles Java Interfaces are used for event listening, specifications and forming patterns 36

Setup INSTALL OPENDAYLIGHT (Dependency Maven, JDK1.7) git clone mv controller opendaylight; cd opendaylight cd opendaylight/distribution/opendaylight/ mvn clean install cd target/distribution.opendaylight SNAPSHOT- osgipackage/opendaylight/./run.sh IMPORT OPENDAYLIGHT TO ECLIPSE Install Eclipse with Maven Integration Version File => Import => Maven => Existing Maven Projects Browse ~/opendaylight/opendaylight/distribution/opendaylight In distribution.opendaylight, right click on opendaylight-assembleit.launch and select “Run”. Then “Run” opendaylight-application.launch 37

OpenDayLight web interface 38

Writing a new application 39 Clone an existing module (e.g., arphandler) in Eclipse project explorer Include the new app in opendaylight/distribution/ope ndaylight/pom.xml and in the Eclipse“Run Configurations” Update dependencies and services exported in the new bundle’s pom.xml List dependencies imported and interfaces implemented in the module’s Activator.java Update set/unset bindings in the module’s class so as to access other bundle objects Implement the interface functions to handle the async events or use other bundle objects to edit state Add needed northbound REST API and associate with the web bundle Done

Interfaces Package/OSGi BundleExported InterfacesDescription arphandler IHostFinder IListenDataPacket Component responsible for learning about host location by handling ARP. forwarding.staticrouti ng IForwardingStaticRouting ICacheUpdateAware IfNewHostNotify IConfigurationContainerAware Provide the necessary hooks to inject in the area controlled by the controller, routes to reach traditional IP networks. forwardingrulesmana ger IContainerListener ISwitchManagerAware IForwardingRulesManager IInventoryListener ICacheUpdateAware IConfigurationContainerAware IFlowProgrammerListener Manager of all the Forwarding Rules, this component take care of forwarding rules and is the one that manage conflicts between them. hosttracker ISwitchManagerAware IInventoryListener IfIptoHost IfHostListener ITopologyManagerAware Track the location of the host relatively to the SDN network. 40

Interfaces 41 Package/OSGi BundleExported InterfacesDescription routing.dijkstra_imple mentation ITopologyManagerAware IRouting Implementation of Dijkstra routing algorithm over the network graph as seen by the topology manager. sal.implementation IReadService IPluginOutTopologyService ITopologyService IInventoryService IPluginOutInventoryService IFlowProgrammerService IPluginOutFlowProgrammerService IPluginOutDataPacketService IDataPacketService Implements the services that SAL export to the applications using it as well to the protocol plugins. samples.loadbalancer IListenDataPacket IConfigManager Implementation of a simple load-balancer. samples.simpleforwar ding IInventoryListener IfNewHostNotify IListenRoutingUpdates Sample implementation of an application simulating a traditional IP network.

Interfaces 42 Package/OSGi BundleExported InterfacesDescription statisticsmanager IStatisticsManager Component in charge of using the SAL ReadService to collect several statistics from the SDN network. switchmanager IListenInventoryUpdates ISwitchManager ICacheUpdateAware IConfigurationContainerAware Component holding the inventory information for all the known nodes in the controller. topologymanager IListenTopoUpdates ITopologyManager IConfigurationContainerAware Component holding the whole network graph. usermanager ICacheUpdateAware IUserManager IConfigurationAware Component taking care of user management. northbound JAXRS implementation of REST API for each module. web IDaylightWeb Component tracking the several pieces of the UI depending on bundles installed on the system.

The End 43

Summary OpenFlow/SDN is evolving to facilitate an ecosystem for innovation through programmability OpenFlow/SDN is being deployed in over 100 organizations world-wide – Many academic ones, but also includes service provider clouds SDN provides a simple solution to problems with complex solutions without vendor lock-in

Backup 45

POX controller 46

Intro to POX controller General execution: $ ~/pox/pox.py. Example: $ ~/pox/pox.py forwarding.hub Parses messages from switch and throws following events FlowRemoved FeaturesReceived ConnectionUp FeaturesReceived RawStatsReply PortStatus PacketIn BarrierIn SwitchDescReceived FlowStatsReceived AggregateFlowStatsReceived TableStatsReceived PortStatsReceived QueueStatsReceived Packets parsed by pox/lib arp dhcp dns eapol eap ethernet icmp igmp ipv4 llc lldp mpls rip tcp udp vlan Example msg sent from controller to switch ofp_packet_out header: version: 1 type: 13 length: 24 xid: 13 buffer_id: 272 in_port: actions_len: 1 actions: type: 0 len: 8 port: max_len: 65535

(A) (B) (C) Application 1: Hub (inspect file pox/pox/misc/of_tutorial.py) OF Switch POX Hub (1) (2) (3)(4) (5) (6)

Application 2: MAC-learning switch (convert pox/pox/misc/of_tutorial.py to L2 switch) Build on your own with this logic: – On init, create a dict to store MAC to switch port mapping self.mac_to_port = {} – On packet_in, Parse packet to reveal src and dst MAC addr Map src_mac to the incoming port – self.mac_to_port[dpid] = {} – self.mac_to_port[dpid][src_mac] = in_port Lookup dst_mac in mac_to_port dict to find next hop If found, create flow_mod and send Else, flood like hub. Execute: pox/pox.py misc.of_tutorial 49 msg = of.ofp_flow_mod() msg.match = of.ofp_match.from_packet(packet) msg.buffer_id = event.ofp.buffer_id action = of.ofp_action_output(port = out_port) msg.actions.append(action) self.connection.send(msg)

Ryu controller 50

Intro to RYU: OpenFlow Controller 51 RYU Controller OF Switch Topology Viewer Topology Viewer Statistics Firewall Libraries: – Functions called by components – Ex: OF-Config, Netflow, sFlow, Netconf, OVSDB Components: – Provides interface for control and state and generates events – Communicates using message passing app_manager of_parser of_header simple_ switch ofctl_ rest app base controller ofproto controller handler dpset ofp_event ofp_handler event lib quantum plugin

(A) (B) (C) Application 1: Hub ryu-manager --verbose ryu/ryu/app/tutorial_l2_hub.py OF Switch RYU Hub (1) (2) (3)(4) (5) (6)

Application 2: MAC-learning switch Build on your own with this logic: – On init, create a dict to store MAC to switch port mapping self.mac_to_port = {} – On packet_in, Parse packet to reveal src and dst MAC addr Map src_mac to the incoming port – self.mac_to_port[dpid] = {} – self.mac_to_port[dpid][src_mac] = in_port Lookup dst_mac in mac_to_port dict to find next hop If found, create flow_mod and send Else, flood like hub. 53 Pssst… solution in tutorial_l2_switch.py