Sherwood, R., et al., "Can the Production Network Be the Testbed?" Proc. of the 9th USENIX Symposium on OSDI, 2010.
Reference: [C+07] Casado et al., "Ethane: Taking Control of the Enterprise," ACM SIGCOMM '07, 37(4):69-74, Oct. 2007.
Advanced Computer Networks
Slicing a Network
Want to create virtual networks from slices of a physical network. Each virtual network forwards traffic at line speed: no extra overhead in packet forwarding (data plane), no extra overhead in the forwarding rule specifications (control plane). Slicing isolates bandwidth, switch CPU, and flow table entries between virtual networks.
FlowVisor
Assumes a software-defined network with separate control and data planes.
Built on OpenFlow switches: NC and switches communicate using the OpenFlow protocol.
Provides network slicing by adding a layer between the control and data planes.
Extra overhead in the communication between an OpenFlow switch and the centralized NC.
[C+07]
Software-Defined Network (SDN)
Centralized Network Control (NC)
• monitors and approves all traffic
• allows for complete policy-based control of the network
• creates and populates switches with forwarding rules
• access controls built in
• network understands users, hardware, topology, and policies
Flow Setup Process
1. User A tries to connect to User B
2. User A-to-User B "flow" isn't in Switch 1's flow table, so the packet is queued and the NC "notified"
3. NC either approves or denies the route
4. If approved, NC adds a new rule into Switch 1's and Switch 2's flow tables to establish a flow from User A to User B
[C+07]
SDN Switches and OpenFlow
Switch forwarding controlled by NC
• communicates with controller over a secure channel
• OpenFlow is an open standard NC-switch communication protocol
Assume simple, off-the-shelf switches
• minimal on-board logic
• "flow" table lookup only
• only stores active flows
• no understanding of network topology
• no NAT knowledge
• OpenFlow standard specifies lowest common denominator hardware features exposed to NC's control
Flow Table Entry (Type 0 OpenFlow Switch)
Each entry has three parts: Rule, Action, Stats.
Rule: header fields, each with a mask (wildcard)
  Switch port | MAC src | MAC dst | Eth type | VLAN ID | IP src | IP dst | IP prot | TCP sport | TCP dport
Action: one of
  1. Forward packet to port(s)
  2. Encapsulate and forward to controller
  3. Drop packet
  4. Send to normal processing pipeline
Stats: packet + byte counters
Network Slice Definition
A network slice is specified in terms of topology, bandwidth, switch CPU rate, forwarding table quota, and the set of flows that the slice controls.
Traffic handled by a slice is defined by bit patterns in packet headers (flowspace).
Each slice has its own control plane that defines how packets are forwarded and rewritten in the slice, e.g., Bob's HTTP load-balancer slice specifies:
• topology: encompassing the web servers
• flowspace: comprising flows with port 80
Slice setup is done manually in the prototype.
Network Slice Implementation
FlowVisor intercepts and rewrites OpenFlow messages between NC and switches to enforce that:
• NC → switch:
  • forwarding rules only apply to the traffic and topology of the slice and observe the resource quota
  • rules may be rewritten, e.g., "all traffic" → "port 80", "all ports" → "ports in slice"
• switch → NC:
  • only messages from switches in the slice's topology are forwarded to its NC
  • port-related messages are pruned or rewritten such that the NC only sees relevant ports
[Figure: rules may be rewritten to apply only to Bob's traffic and topology]
Flow Space Definition
Flowspace specified (manually) as an ordered list of tuples similar to firewall rules, example:
Bob's HTTP load-balancer network:
  Allow: tcp-port: 80 and ip=Doug's IP
  Allow: tcp-port: 80 and ip=Eric's IP
Implications:
• new HTTP flow notifications with Doug's or Eric's IPs (non-contiguous flowspace) are all sent to Bob's NC
• any flow table entries Bob's NC tries to add are modified to match only HTTP traffic with Doug's or Eric's IPs
Flow Space Definition
Alice's production network:
  Deny: tcp-port: 80 and ip=Doug's IP
  Deny: tcp-port: 80 and ip=Eric's IP
  Allow: all            ; lowest priority rule
Implications:
• only OpenFlow messages not intended for Bob's NC are forwarded to the production network's NC
• the production network's NC is not allowed to add any forwarding entries for HTTP traffic with Doug's or Eric's IPs
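The two slides above describe both directions of FlowVisor's enforcement: ordered flowspace tuples decide which slice's NC receives a new-flow notification, and a slice's flow-table additions are narrowed to its own flowspace. The following is an added illustration (not FlowVisor's code) of that logic on Bob's and Alice's flowspaces; the IP addresses are placeholders, only two header fields are modelled, and a rule that reaches into denied space is refused outright, a simplification of the real behaviour.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Match:
    """Subset of the OpenFlow Type-0 header tuple; None means wildcard."""
    ip_dst: Optional[str] = None
    tcp_dport: Optional[int] = None
    def covers(self, pkt: dict) -> bool:
        return all(v is None or pkt.get(k) == v for k, v in vars(self).items())
    def intersect(self, other: "Match") -> Optional["Match"]:
        """Narrowest match inside both, or None if they cannot overlap."""
        out = {}
        for k in vars(self):
            a, b = getattr(self, k), getattr(other, k)
            if a is not None and b is not None and a != b:
                return None
            out[k] = a if a is not None else b
        return Match(**out)

# Constructed flowspaces mirroring the slides; the IPs are placeholders.
DOUG, ERIC = "10.0.0.7", "10.0.0.8"
BOB_SLICE = [("allow", Match(ip_dst=DOUG, tcp_dport=80)),
             ("allow", Match(ip_dst=ERIC, tcp_dport=80))]
ALICE_SLICE = [("deny", Match(ip_dst=DOUG, tcp_dport=80)),
               ("deny", Match(ip_dst=ERIC, tcp_dport=80)),
               ("allow", Match())]          # lowest-priority catch-all

def slice_owns(flowspace, pkt: dict) -> bool:
    """Ordered list: the first matching tuple decides (firewall-rule semantics)."""
    for action, m in flowspace:
        if m.covers(pkt):
            return action == "allow"
    return False

def route_packet_in(slices: dict, pkt: dict) -> list:
    """switch -> NC: which slices' controllers receive this new-flow notification."""
    return [name for name, fs in slices.items() if slice_owns(fs, pkt)]

def rewrite_flow_mod(flowspace, requested: Match) -> list:
    """NC -> switch: narrow a slice's rule to its flowspace; refuse if it touches denied space."""
    out = []
    for action, m in flowspace:
        narrowed = requested.intersect(m)
        if narrowed is None:
            continue
        if action == "deny":
            raise ValueError("rule reaches into another slice's flowspace")
        out.append(narrowed)
    return out
```

Bob's request for "all port 80 traffic" comes back as two rules, one per allowed IP, while Alice's request for port 80 to Doug's IP is refused.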
Resource Isolation
Bandwidth isolation: relies on a hardware capability exposed to OpenFlow to assign a fraction of link bandwidth to a user-created queue.
Flow table entry isolation: limit the number of entries per slice; must take into account any automatic rule expansion, e.g., when a rule applies to multiple input ports.
Switch CPU isolation: hardware capabilities to rate limit CPU usage are usually not exposed to OpenFlow; instead relies on workarounds:
• if new flow arrivals exceed some threshold, insert a lowest priority, time-limited forwarding rule to drop all packets matching the rule (e.g., drop all HTTP packets not belonging to existing flows)
• manually rate limit the NC's OpenFlow requests to the switch
• rewrite "slow-path" forwarding rules to one-time forwarding rules
• manually tune the above rate limits to ensure sufficient CPU for internal bookkeeping
Scaling
FlowVisor scales linearly with new flow rate, number of rules per slice, and number of slices.
Performance Overhead
FlowVisor adds extra overhead only to OpenFlow messages:
• switch → NC: new flow messages; affects connection setup latency
• NC → switch: port status requests; must be rewritten to match the slice's topology
Isolation
Hardware bandwidth isolation works.
CPU isolation workaround works.
[Figure: rate limiting NC requests caps new flow setups; lowest priority packet drop rule instantiated]
Deployment Issues
Incompatibilities with hardware features, e.g., multiple physical interfaces mapped into one logical interface.
OpenFlow spanning tree does not match the underlying spanning tree used for loop detection.
Different OpenFlow messages have different costs, and other practical realities.
Limitations
Prototype requires a lot of manual setup.
OpenFlow doesn't expose many hardware capabilities.
FlowVisor doesn't allow for deep packet inspection and other arbitrary packet modification, e.g., payload processing.