Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Defined Network

Published byΜνήμη Μακρή Modified over 5 years ago

Similar presentations

Presentation on theme: "Software Defined Network"— Presentation transcript:

1 Software Defined Network
Daniel Graham

2 Martin Casado & Scott Shenker. & , Nick McKeown
In July 2012, VMware acquired Nicira for $1.26 billion. -A

3 Specialized Packet Forwarding Hardware
The fixed Network Routing, management, mobility management, access control, VPNs, … Feature Feature Million of lines of source code 6000+ RFCs Barrier to entry Operating System Specialized Packet Forwarding Hardware Billions of gates Bloated Power Hungry Many complex functions baked into the infrastructure OSPF, BGP, multicast, Traffic Engineering, NAT, firewalls, … 3 3

4 Current Internet Closed to Innovations in the Infrastructure Closed
App Operating System App Specialized Packet Forwarding Hardware Operating System App Specialized Packet Forwarding Hardware The next 3 slides are a set of animation to show how we enable innovation: - Infrastructure is closed to innovation and only driven by vendors. Consumers have little say - Business model makes it hard for new features to be added Operating System App Specialized Packet Forwarding Hardware Operating System Specialized Packet Forwarding Hardware App Operating System Specialized Packet Forwarding Hardware 4

5 “Software Defined Networking” approach to open it
Network Operating System App Operating System App Specialized Packet Forwarding Hardware Operating System App Specialized Packet Forwarding Hardware How do we redefine the architecture to open up networking infrastructure and the industry! By bring to the networking industry what we did to the computing world Operating System App Specialized Packet Forwarding Hardware Operating System Specialized Packet Forwarding Hardware App Operating System Specialized Packet Forwarding Hardware

6 The “Software-defined Network”
2. At least one good operating system Extensible, possibly open-source 3. Well-defined open API App App App Network Operating System 1. Open interface to hardware Simple Packet Forwarding Hardware Simple Packet Forwarding Hardware Switches, routers and other middleboxes are dumbed down The key is to have a standardized control interface that speaks directly to hardware Simple Packet Forwarding Hardware Simple Packet Forwarding Hardware Simple Packet Forwarding Hardware

7 How does OpenFlow work? 7

8 Ethernet Switch

9 Current SDN hardware More coming soon... Juniper MX-series NEC IP8800
WiMax (NEC) HP Procurve 5400 Netgear 7324 PC Engines Pronto 3240/3290 Ciena Coredirector More coming soon... 9

10 Control Path (Software)
Data Path (Hardware)

11 OpenFlow Controller Control Path OpenFlow Data Path (Hardware)
OpenFlow Protocol (SSL/TCP) Control Path OpenFlow Data Path (Hardware)

12 OpenFlow Client Controller PC OpenFlow Example Software Layer MAC src
Flow Table MAC src dst IP Src Dst TCP sport dport Action Hardware Layer * port 1 port 1 port 2 port 3 port 4

13 OpenFlow usage Controller PC Alice’s Rule Alice’s code OpenFlow Switch Decision? OpenFlow Protocol How the actual protocol works OpenFlow Switch OpenFlow Switch OpenFlow offloads control intelligence to a remote software 13 13

14 OpenFlow Basics Flow Table Entries
Rule Action Stats Packet + byte counters Forward packet to zero or more ports Encapsulate and forward to controller Send to normal processing pipeline Modify Fields Any extensions you add! Now I’ll describe the API that tries to meet these goals. Switch Port VLAN ID VLAN pcp MAC src MAC dst Eth type IP Src IP Dst IP ToS IP Prot L4 sport L4 dport + mask what fields to match

15 Examples Switching Flow Switching Firewall Switch Port MAC src dst Eth
type VLAN ID IP Src Dst Prot TCP sport dport Action * * 00:1f:.. * * * * * * * port6 Flow Switching Switch Port MAC src dst Eth type VLAN ID IP Src Dst Prot TCP sport dport Action port3 00:20.. 00:1f.. 0800 vlan1 4 17264 80 port6 Firewall Switch Port MAC src dst Eth type VLAN ID IP Src Dst Prot TCP sport dport Action * * * * * * * * * 22 drop

16 Firewalls firewall isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others administered network public Internet trusted “good guys” untrusted “bad guys” firewall Security 8-16

17 Firewalls: why prevent denial of service attacks:
SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections prevent illegal modification/access of internal data e.g., attacker replaces CIA’s homepage with something else allow only authorized access to inside network set of authenticated users/hosts three types of firewalls: stateless packet filters stateful packet filters application gateways Security 8-17

18 Stateless packet filtering
Should arriving packet be allowed in? Departing packet let out? internal network connected to Internet via router firewall router filters packet-by-packet, decision to forward/drop packet based on: source IP address, destination IP address TCP/UDP source and destination port numbers ICMP message type TCP SYN and ACK bits Security 8-18

19 Stateless packet filtering: example
example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 result: all incoming, outgoing UDP flows and telnet connections are blocked example 2: block inbound TCP segments with ACK=0. result: prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside. Security 8-19

20 Stateless packet filtering: more examples
Policy Firewall Setting No outside Web access. Drop all outgoing packets to any IP address, port 80 No incoming TCP connections, except those for institution’s public Web server only. Drop all incoming TCP SYN packets to any IP except , port 80 Prevent Web-radios from eating up the available bandwidth. Drop all incoming UDP packets - except DNS and router broadcasts. Prevent your network from being used for a smurf DoS attack. Drop all ICMP packets going to a “broadcast” address (e.g ). Prevent your network from being tracerouted Drop all outgoing ICMP TTL expired traffic Security 8-20

21 Access Control Lists ACL: table of rules, applied top to bottom to incoming packets: (action, condition) pairs: looks like OpenFlow forwarding (Ch. 4)! action source address dest protocol port flag bit allow 222.22/16 outside of TCP > 1023 80 any ACK UDP 53 --- ---- deny all Security 8-21

22 Stateful packet filtering
stateless packet filter: heavy handed tool admits packets that “make no sense,” e.g., dest port = 80, ACK bit set, even though no TCP connection established: action source address dest protocol port flag bit allow outside of 222.22/16 TCP 80 > 1023 ACK stateful packet filter: track status of every TCP connection track connection setup (SYN), teardown (FIN): determine whether incoming, outgoing packets “makes sense” timeout inactive connections at firewall: no longer admit packets Security 8-22

23 Stateful packet filtering
ACL augmented to indicate need to check connection state table before admitting packet action source address dest proto port flag bit check conxion allow 222.22/16 outside of TCP > 1023 80 any ACK x UDP 53 --- ---- deny all Security 8-23

24 Application gateways filter packets on application data as well as on IP/TCP/UDP fields. example: allow select internal users to ssh outside application gateway host-to-gateway telnet session router and filter gateway-to-remote host telnet session 1. require all telnet users to ssh through gateway. 2. for authorized users, gateway sets up ssh connection to dest host. Gateway relays data between 2 connections 3. router filter blocks all ssh connections not originating from gateway. Security 8-24

25 Limitations of firewalls, gateways
IP spoofing: router can’t know if data “really” comes from claimed source if multiple app’s. need special treatment, each has own app. gateway client software must know how to contact gateway. e.g., must set IP address of proxy in Web browser filters often use all or nothing policy for UDP tradeoff: degree of communication with outside world, level of security many highly protected sites still suffer from attacks Security 8-25

26 Intrusion detection systems
packet filtering: operates on TCP/IP headers only no correlation check among sessions IDS: intrusion detection system deep packet inspection: look at packet contents (e.g., check character strings in packet against database of known virus, attack strings) examine correlation among multiple packets port scanning network mapping DoS attack Security 8-26

27 Examples Routing VLAN Switching Switch Port MAC src dst Eth type VLAN
ID IP Src Dst Prot TCP sport dport Action * * * * * * * * * port6 VLAN Switching Switch Port MAC src dst Eth type VLAN ID IP Src Dst Prot TCP sport dport Action port6, port7, port9 * * 00:1f.. * vlan1 * * * * *

28 VLANs: motivation consider:
CS user moves office to EE, but wants connect to CS switch? single broadcast domain: all layer-2 broadcast traffic (ARP, DHCP, unknown location of destination MAC address) must cross entire LAN security/privacy, efficiency issues Computer Science Computer Engineering Electrical Engineering Link Layer

29 VLANs port-based VLAN: switch ports grouped (by switch management software) so that single physical switch …… Virtual Local Area Network 1 7 9 15 2 8 10 16 switch(es) supporting VLAN capabilities can be configured to define multiple virtual LANS over single physical LAN infrastructure. Electrical Engineering (VLAN ports 1-8) Computer Science (VLAN ports 9-15) Electrical Engineering (VLAN ports 1-8) 1 8 2 7 9 16 10 15 Computer Science (VLAN ports 9-16) … operates as multiple virtual switches Link Layer

30 Electrical Engineering
Port-based VLAN router traffic isolation: frames to/from ports 1-8 can only reach ports 1-8 can also define VLAN based on MAC addresses of endpoints, rather than switch port forwarding between VLANS: done via routing (just as with separate switches) in practice vendors sell combined switches plus routers 1 7 9 15 2 8 10 16 dynamic membership: ports can be dynamically assigned among VLANs Electrical Engineering (VLAN ports 1-8) Computer Science (VLAN ports 9-15) Link Layer

31 802.1Q VLAN frame format 802.1 frame 802.1Q frame
type dest. address source address preamble data (payload) CRC 802.1 frame type dest. address source preamble 802.1Q frame data (payload) CRC 2-byte Tag Protocol Identifier (value: 81-00) Recomputed CRC Tag Control Information (12 bit VLAN ID field, 3 bit priority field like IP TOS) Link Layer

32 VLANS spanning multiple switches
1 7 9 15 16 1 3 5 7 2 8 10 2 4 6 8 Electrical Engineering (VLAN ports 1-8) Computer Science (VLAN ports 9-15) Ports 2,3,5 belong to EE VLAN Ports 4,6,7,8 belong to CS VLAN trunk port: carries frames between VLANS defined over multiple physical switches frames forwarded within VLAN between switches can’t be vanilla frames (must carry VLAN ID info) 802.1q protocol adds/removed additional header fields for frames forwarded between trunk ports Link Layer

33 Centralized vs Distributed Control Both models are possible with OpenFlow
Centralized Control Distributed Control Controller Controller OpenFlow Switch OpenFlow Switch Controller OpenFlow Switch OpenFlow Switch Controller OpenFlow Switch OpenFlow Switch

34 Examples Routing VLAN Switching Switch Port MAC src dst Eth type VLAN
ID IP Src Dst Prot TCP sport dport Action * * * * * * * * * port6 VLAN Switching Switch Port MAC src dst Eth type VLAN ID IP Src Dst Prot TCP sport dport Action port6, port7, port9 * * 00:1f.. * vlan1 * * * * *

35

36 Multiprotocol label switching (MPLS)
initial goal: high-speed IP forwarding using fixed length label (instead of IP address) fast lookup using fixed length identifier (rather than shortest prefix matching) borrowing ideas from Virtual Circuit (VC) approach but IP datagram still keeps IP address! PPP or Ethernet header MPLS header IP header remainder of link-layer frame label Exp S TTL 20 3 1 5 Link Layer

37 Bottom of the Stack BoS is a field that is set to 1 for the last MPLS header.

38 MPLS capable routers a.k.a. label-switched router
forward packets to outgoing interface based only on label value (don’t inspect IP address) MPLS forwarding table distinct from IP forwarding tables flexibility: MPLS forwarding decisions can differ from those of IP use destination and source addresses to route flows to same destination differently (traffic engineering) re-route flows quickly if link fails: pre-computed backup paths (useful for VoIP) Link Layer

39 MPLS versus IP paths R6 D R4 R3 R5 A R2 IP routing: path to destination determined by destination address alone IP router Link Layer

40 MPLS versus IP paths entry router (R4) can use different MPLS routes to A based, e.g., on source address R6 D R4 R3 R5 A R2 IP routing: path to destination determined by destination address alone IP-only router MPLS routing: path to destination can be based on source and dest. address fast reroute: precompute backup routes in case of link failure MPLS and IP router Link Layer

41 MPLS forwarding tables
in out out label label dest interface A in out out label label dest interface A D D A R6 D 1 1 R4 R3 R5 A R2 in out out label label dest interface A R1 in out out label label dest interface A Link Layer

42 Software Defined Networking Total virtualization

43 Mininet and Open Flow sudo dhclient eth1 sudo mn topo single,3
mininet> h1 python -m SimpleHTTPServer 80 & mininet> h2 wget -O - h1 ... mininet> h1 kill %python

44

Download ppt "Software Defined Network"

Similar presentations

Chapter 5 Link Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.

Chapter 5 Link Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.
Chapter 5 Link Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.

Chapter 5 Link Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.

OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.
OpenFlow Costin Raiciu Using slides from Brandon Heller and Nick McKeown.

OpenFlow Costin Raiciu Using slides from Brandon Heller and Nick McKeown.
Software-Defined Networking, OpenFlow, and how SPARC applies it to the telecommunications domain Pontus Sköldström - Wolfgang John – Elisa Bellagamba November.

Software-Defined Networking, OpenFlow, and how SPARC applies it to the telecommunications domain Pontus Sköldström - Wolfgang John – Elisa Bellagamba November.
OpenFlow : Enabling Innovation in Campus Networks SIGCOMM 2008 Nick McKeown, Tom Anderson, et el. Stanford University California, USA 2011. 04. 11 Presented.

OpenFlow : Enabling Innovation in Campus Networks SIGCOMM 2008 Nick McKeown, Tom Anderson, et el. Stanford University California, USA Presented.
Flowspace revisited OpenFlow Basics Flow Table Entries Switch Port MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP Prot L4 sport L4 dport Rule Action.

Flowspace revisited OpenFlow Basics Flow Table Entries Switch Port MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP Prot L4 sport L4 dport Rule Action.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
5: DataLink Layer5-1 Cerf & Kahn’s Internetwork Architecture What is virtualized? r two layers of addressing: internetwork and local network r new layer.

5: DataLink Layer5-1 Cerf & Kahn’s Internetwork Architecture What is virtualized? r two layers of addressing: internetwork and local network r new layer.
VLANs Port-based VLAN: switch ports grouped (by switch management software) so that single physical switch …… Switch(es) supporting VLAN capabilities can.

VLANs Port-based VLAN: switch ports grouped (by switch management software) so that single physical switch …… Switch(es) supporting VLAN capabilities can.
Chapter 3 Review of Protocols And Packet Formats

Chapter 3 Review of Protocols And Packet Formats
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.

8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.
OSI Model Routing Connection-oriented/Connectionless Network Services.

OSI Model Routing Connection-oriented/Connectionless Network Services.
Network Layer4-1 NAT: Network Address Translation 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 138.76.29.7 local network (e.g., home network) 10.0.0/24 rest of.

Network Layer4-1 NAT: Network Address Translation local network (e.g., home network) /24 rest of.
Chapter 5 Link Layer and LANs

Chapter 5 Link Layer and LANs
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.

8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.

Similar presentations

Ads by Google