Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS434/534: Topics in Network Systems High-Level Programming for Programmable Networks Yang (Richard) Yang Computer Science Department Yale University.

Published byHanna-Mari Oksanen Modified over 5 years ago

Similar presentations

Presentation on theme: "CS434/534: Topics in Network Systems High-Level Programming for Programmable Networks Yang (Richard) Yang Computer Science Department Yale University."— Presentation transcript:

1 CS434/534: Topics in Network Systems High-Level Programming for Programmable Networks Yang (Richard) Yang Computer Science Department Yale University 208A Watson

2 Outline Admin and recap SND Datapath model SDN programming
Basic datapath model: flow tables Improved datapath model: flow table pipelines SDN programming Higher-level logic driven user programming

3 L3: Example 1 (same network): A->B
Look up dest address in routing table find dest is on same net (what is the matching alg?) Hand datagram to L2 to send inside a link-layer frame

4 ARP Protocol Issue: Need to convert L3 address to L2 address
Current solution: Data structure: each host has an ARP table mapping IP to L2 arp –a IP -> MAC Protocol: a broadcast protocol Client broadcasts query frame, containing queried IP address Node with queried IP receives ARP frame, replies its MAC address

5 ARP Format and Features
Query: Layer 2 (Link layer) broadcast: destination ff:ff:ff:ff:ff:ff to be received by all hosts at the same local network Response: Host with the MAC returns its MAC if it has the query IP Gratuitous ARP: A host sends this message to update other devices if it changes MAC

6 A -> B in Layer 2 A B After A finds the link-layer (MAC) address of B, it constructs the L2 frame: A’s MAC addr B’s MAC A’s IP B’s IP IP payload datagram frame source, dest address

7 Datapath: Example 2 (Different Networks): A-> E
Look up dst address in routing table routing table: next hop router to dest is Hand datagram to link layer to send to router inside a link-layer frame

8 Datapath: Example 2 (Different Networks): A-> E
look up dest address in router’s forwarding table E on same network as router’s interface link layer sends datagram to inside link-layer frame via interface

9 Recap: Basic Network Device Data Structure and Operations
Function Data Structure How currently populated? L2 basic switch table MAC -> ports flooding +self learning +spanning tree protocol L2 VLAN MAC+VLAN -> ports Flooding +selflearning +config+spanning tree L3 lookup routing table (forwarding information base) IP -> next hop router IP; longest prefix match distributed routing protocols; command line ARP arp table IP -> MAC ARP protocol NAT/LB NAT/LB table srcIP, srcPort, dstIP, dstPort -> srcIP, srcPort, dstIP, dstPort NAT/LB controller through config

10 Exercise: Draw a Big Picture of Internet using (L2/L3) Tables

11 Exercise: Visualize a Real Network using Tables
Internet CE F2 F1 (Firewall) S2 R1 S1 LB2 LB1 (Load balancer) IPS3 IPS2 IPS1 (Intrusion prevention) S6 S5 S4 S3 tier-1 H6 H5 H3 H4 H1 H2 Logger Tier-3 Tier-2 Tier-1

12 Exercise: Visualize a Real Network using Tables
Internet CE F2 F1 (Firewall) S2 S1 R1 LB2 LB1 (Load balancer) IPS3 IPS2 IPS1 (Intrusion prevention) S6 S5 S4 S3 tier-1 H6 H5 H3 H4 H1 H2 VLAN 300 VLAN 400 Logger Tier-3 Tier-2 Tier-1

13 Recap: Software Defined Network
Basic ideas Multiple protocols Distributed protocols Vendor manual configuration Common datapath abstraction Programmable network

14 Recap: OpenFlow + mask what fields to match
Switch Port MAC src dst Eth type VLAN ID IP Src Dst Prot L4 sport dport + mask what fields to match pcp ToS Forward packet to zero or more ports Encapsulate and forward to controller Send to normal processing pipeline Modify Fields Any extensions you add!

15 Example OF Test Commands
sudo mn --topo single,3 --mac --switch ovsk --controller remote sh ovs-ofctl dump-flows s1 sh ovs-ofctl add-flow s1 in_port=1,actions=output:2 sh ovs-ofctl add-flow s1 in_port=2,actions=output:1 sh ovs-ofctl del-flows s1 sh ovs-ofctl add-flow s1 "priority=0,action=normal” sh ovs-ofctl add-flow s1 "priority=100,eth_type=0x800,ip_dst= ,action=drop” sh ovs-ofctl add-flow s1 "priority=100,eth_type=0x806,dl_dst=00:00:00:00:00:02,action=drop"

16 SDN Example: Google WAN
52 edge switches interconnecting google data centers ~143,000 OF rules

17 Exercise: What does this switch do?

18 OpenFlow: Group table A group table consists of group entries
A group entry may consist of zero or more buckets A bucket typically contains actions that modify the packet and an output action that forwards it to a port

19 OpenFlow: Group table There are 4 group types All (Required)

20 OpenFlow: Group table There are 4 group types All (Required)
Select (Optional)

21 OpenFlow: Group table There are 4 group types All (Required)
Select (Optional) Fast failover (Optional)

22 OpenFlow: Group table There are 4 group types All (Required)
Select (Optional) Fast failover (Optional) Indirect (Required)

23 OpenFlow: Meter Table ? Flow Table
Enables OpenFlow to implement rate-limiting Each meter may have one or more meter bands. The bands define the behavior of the meters on packets for various ranges rate. ? Flow Table

24 Discussion Is the flow table computation model complete?
Realize any function: (headers) -> output_ports Realize any function (mapping+transformation): (headers) -> [new headers, output_ports]

25 Flow Table Efficiency Policy:
srcType = lookup ethSrc in hostTypeTable; dstType = lookup ethDst in hostTypeTable; Compute routing according to srcType, dstType MAC hostType Mac1 Linux v1 Mac2 Linux v2 Mac3 IOS12 Mac4 IOS11 Mac5 Win10 Assume n hosts in hostTypeTable; Assume k types of hosts

26 Flow Table Efficiency p1 pn p pn2 a1 an ethSrc ethDst Action a1 p1 a2
.. an pn2 n2 entries

27 Outline Admin and recap SDN datapath model
Basic datapath model: flow tables Improved datapath model: flow table pipelines

28 Multi-Table (2 Tables) Design
ethSrc Action a1 regsrcType=y1 jump 2 a2 regsrcType=y2 jump 2 .. an regsrcType=yn jump 2 otherwise drop Table 1 Table 2 regsrcType ethDst Action y1 a1 p1,1 a2 p1,2 .. yk an pk,n otherwise drop n + kn entries

29 Multi-Table (3 Tables) Design
ethSrc Action a1 regsrcType=y1 jump 2 a2 regsrcType=y2 jump 2 .. an regsrcType=yn jump 2 otherwise drop Table 3 regsrcType regdstType Action y1 p1,1 y2 p1,2 .. yk yn pk,k otherwise drop Table 2 ethDst Action a1 regdsType=y1 jump 3 a2 regdstType=y2 jump 3 .. an regdstType=yn jump 3 otherwise drop 2n + k2 entries

30 Comparison of 3 Designs Assume n = 4000, k = 100 Design #flow rules
1 table 2 tables 3 tables 16,000,000 = 16M ,000 = 404K ,000 = 18K

31 Example Pipeline: OF-DPA

32 Outline Admin and recap SDN datapath model SDN programming
Basic datapath model: flow tables Improved datapath model: flow table pipelines SDN programming

33 Discussion Components of a programming environment to control programmable switches (switches with table pipelines)?

34 Extremely High-Level Programmable Network Arch
logically centralized data store Network View Service/ Policy NE Datapath NE Datapath

35 Two Basic Types of Programming
Reactive First packet of flow triggers controller to insert flow entries Pros Efficient use of flow table Cons Every flow incurs additional flow setup time If control connection lost, switch has limited utility Proactive Controller pre-populates flow table in switch Pro Zero additional flow setup time Loss of control connection does not disrupt traffic Con Need large flow table Many entries maybe cold

36 Outline Admin and recap Datapath model SDN programming
Basic datapath model: flow tables Improved datapath model: flow table pipelines SDN programming Reactive, higher-level logic driven user programming (i.e., user generates all the flow rules)

37 An Example Higher-Level Logic
badPort = // policy hostTbl = {A:1,B:2, C:3,D:4} // net view def onPacketIn(p): if badPort == p.tcp_dst: drop else: forward([hostTbl(p.eth_dst)]) 1 4 2 3 A B D C Logic: Assume only packets to A,B,C,D can appear Block traffic to SSH (port 22)

38 Higher-Level Logic with Datapath Generation
hostTbl = {A:1,B:2,C:3,D:4} def onPacketIn(p): if 22 == p.tcp_dst: drop installRule({‘match':{'tcp_dst':22}, ‘action’:[]}) else: forward([hostTbl(p.eth_dst)]) installRule({‘match’: {‘eth_dst’:p.eth_dst, ’tcp_dst’!=22}, ‘action’:[hostTbl(p.eth_dst)]}) match does not support logic negation

39 Higher-Level Logic with Datapath Generation
hostTbl = {A:1,B:2,C:3,D:4} def onPacketIn(p): if 22 == p.tcp_dst: drop installRule({‘priority’:1, ‘match’:{'tcp_dst':22}, ‘action’:[]}) else: forward([hostTbl(p.eth_dst)]) installRule({‘priority’:0, ‘match’: {‘eth_dst’:p.eth_dst}, ‘action’:[hostTbl(p.eth_dst)]})

40 Does the Program Work? EthDst:A, TcpDst:80
Switch {`priority`:0,’match’:{‘eth_dst’:A},'action':[1]} EthDst:A, TcpDst:22 A security bug! def onPacketIn(p): if 22 == p.tcp_dst: // drop installRule({`priority`:1,’match’:{‘tcp_dst':22},'action':[]}) else: installRule({`priority`:0,’match’:{‘eth_dst’:p.eth_dst}, 'action':[hostTbl(p.eth_dst)]}) // forward([hostTbl(p.eth_dst)]) Controller Unfortunately, this program has a bug. To see where the program goes wrong, let’s watch what happens when we connect this controller to a single switch and let two packets arrive. Both packets have destination mac A. The red packet is to TCP destination 80, while the green packet is to TCP destination 22. When the red packet arrives, the switch has an empty flow table and sends the packet to the controller. The controller determines that the packet should be forwarded to the next hop, and installs the appropriate rule. The red packet returns to the switch and moves onward. Now, the port 22 packet arrives at the switch, and instead of being dropped or sent to the controller, it matches the low priority rule for Ethernet destination A and is therefore forwarded onward. This violates the user’s intentions and may represent a security violation.

Download ppt "CS434/534: Topics in Network Systems High-Level Programming for Programmable Networks Yang (Richard) Yang Computer Science Department Yale University."

Similar presentations

Internetworking II: MPLS, Security, and Traffic Engineering

Internetworking II: MPLS, Security, and Traffic Engineering
RIP V1 W.lilakiatsakun.

RIP V1 W.lilakiatsakun.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
An Overview of Software-Defined Network Presenter: Xitao Wen.

An Overview of Software-Defined Network Presenter: Xitao Wen.
OpenFlow Costin Raiciu Using slides from Brandon Heller and Nick McKeown.

OpenFlow Costin Raiciu Using slides from Brandon Heller and Nick McKeown.
OpenFlow : Enabling Innovation in Campus Networks SIGCOMM 2008 Nick McKeown, Tom Anderson, et el. Stanford University California, USA 2011. 04. 11 Presented.

OpenFlow : Enabling Innovation in Campus Networks SIGCOMM 2008 Nick McKeown, Tom Anderson, et el. Stanford University California, USA Presented.
Flowspace revisited OpenFlow Basics Flow Table Entries Switch Port MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP Prot L4 sport L4 dport Rule Action.

Flowspace revisited OpenFlow Basics Flow Table Entries Switch Port MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP Prot L4 sport L4 dport Rule Action.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
An Overview of Software-Defined Network

An Overview of Software-Defined Network
IP Address 0 network host 10 network host 110 networkhost 1110 multicast address A B C D class 1.0.0.0 to 127.255.255.255 128.0.0.0 to 191.255.255.255.

IP Address 0 network host 10 network host 110 networkhost 1110 multicast address A B C D class to to
An Overview of Software-Defined Network Presenter: Xitao Wen.

An Overview of Software-Defined Network Presenter: Xitao Wen.
Connecting LANs, Backbone Networks, and Virtual LANs

Connecting LANs, Backbone Networks, and Virtual LANs
Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.

Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.
TCP/IP Protocol Suite 1 Chapter 6 Upon completion you will be able to: Delivery, Forwarding, and Routing of IP Packets Understand the different types of.

TCP/IP Protocol Suite 1 Chapter 6 Upon completion you will be able to: Delivery, Forwarding, and Routing of IP Packets Understand the different types of.
Network Redundancy Multiple paths may exist between systems. Redundancy is not a requirement of a packet switching network. Redundancy was part of the.

Network Redundancy Multiple paths may exist between systems. Redundancy is not a requirement of a packet switching network. Redundancy was part of the.
OpenFlow: Enabling Technology Transfer to Networking Industry Nikhil Handigol Nikhil Handigol Cisco Nerd.

OpenFlow: Enabling Technology Transfer to Networking Industry Nikhil Handigol Nikhil Handigol Cisco Nerd.
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Connecting to the Network Networking for Home and Small Businesses.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Connecting to the Network Networking for Home and Small Businesses.
OpenFlow: Enabling Innovation in Campus Networks

OpenFlow: Enabling Innovation in Campus Networks
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )

Similar presentations

Ads by Google