1. Towards Truly Open And Commoditized SDN In OpenStack
Jun Park (Ph.D.)
Senior Systems Architect
EIG/Bluehost
OpenStack Summit 2013 at Hong Kong
2. • OpenStack Meets Software-Defined-Networking
• Why Does OpenStack need SDN?
• Why Does SDN need OpenStack?
3. L2 Fabric
[Diagram: VM1, VM2 and VM3 on different racks, all attached to one L2 fabric]
• Keep Public IP Address, MAC Address
• QoS, Isolation, ACL, Firewall
• Tenant isolated networks
This is exactly a killer app of SDN!
4. Key Points of L2 Fabric
• Simple Data Forwarding Plane
• No L3 Agent, No NAT
• No Unknown Traffic
• Avoid Performance Overhead
• Seamless & Straightforward VM Migration
• High Entropy in Packets: Desired for multipath
7. SDN Controller
When Something Closed…
[Diagram: SDN controllers: NOX/POX, NEC, BigSwitch, Onix, Ryu, Nicira, FloodLight, OpenDayLight; labels "3?" and "4?"]
8. General SDN Architecture
[Diagram: External Entity -> Northbound API -> SDN Controllers (SDN Application, Control Logic, Network Topology; Distributed vs. Single) -> Southbound API -> OpenFlow Switch]
• Open Flow rules
– Forwarding plane
– No Src MAC learning
• Timing
– Reactive vs. Proactive
• Transition
– Traditional ports -> Open Flow ports
– Pure Open Flow vs. Hybrid port
• Max # of Open Flow rules
– 4K – 120K, more or less
– How many rules bundled up
9. Current OpenStack SDN Approach
[Diagram: 0. Neutron agent prepares basic OVS structure on the compute node -> 1. Request to create a virtual interface (vif) at Neutron-server -> 2. Create a vif in Neutron DB -> 3. Call REST API to SDN controller(s) (SDN Application, Network Info Base (NIB)) -> 4. Deploy OpenFlow rules to Open vSwitch (OVS) on the compute node]
• Intended to be minimal functionality on agent
• SDN controllers own control logic
• No RPC from Neutron server to agent
• Who creates OVS vif and external ids? Answer: Nova-compute, why?
10. Current OpenStack SDN Approach
[Diagram: same flow as slide 9 (1. Request to create a vif -> Neutron-server; 2. Create a vif in Neutron DB; 3. Call REST API to SDN controller(s) with SDN Application and Network Info Base (NIB)), now facing > 18,000 Open vSwitch compute nodes and hundreds of TOR physical switches]
Doesn't Scale!
11. OK, Questions We Got!
Q: What is a truly scalable SDN solution now?
A: Not yet, but will be.
Q: When?
A: Who knows!
Q: Can you use a different approach?
A: Nope.
Q: Why not?
A: Vendors working on it.
12. Observations & Ideas
[Diagram: compute node running VM1, VM2 and VM3 on Open vSwitch, with the Neutron agent alongside]
• Observations
– Neutron agent already fully distributed on compute nodes
– OpenFlow rules on a compute node specific to its own VMs only
• Ideas
– Why not add SDN controller functionality to Neutron agent?
– Deploy necessary OpenFlow rules at the right time via Neutron agent
13. Bluehost OpenStack SDN Approach
[Diagram: 1. Request to create a vif -> Neutron-server; 2. Create a vif in Neutron DB; 3. Neutron agent on the compute node receives RPC calls; 4. Neutron agent deploys OpenFlow rules on Open vSwitch. In parallel: 3. Call REST API to SDN controller(s) (SDN Application, Network Info Base (NIB)); 4. SDN controllers deploy OpenFlow rules on the hundreds of TOR physical switches.]
14. Edge vs. Fabric
§ Separation of Control:
“The fabric is responsible for packet transport across the network, while
the edge is responsible for providing more semantically rich services such
as network security, isolation, and mobility.”
HotSDN’12, “Fabric: A Retrospective on Evolving SDN”
Martín Casado, Teemu Koponen, Scott Shenker, Amin Tootoonchian
15. Key Services Achieved Via Neutron Only
[Diagram: Tenant1, Tenant2 and Tenant3 isolated on a flat network; vif1, vif2 and vif3 carrying public IPs 11.22.33.4 through 11.22.33.8]
• Isolated on flat network
• Firewall Rules
• QoS: Bandwidth
• Multiple IPs per vif
• Anti-IP spoofing per vif
16. Under The Hood
QoS, Anti-IP Spoofing, VM-to-VM
[Diagram: VM1 (vif1, 10 Mbps) and VM2 (vif2, 50 Mbps) on br-int; a pair of veth (br-int-eth0 / phy-br-eth0) links br-int to br-eth0; eth0 faces the Public Networks]
• Deploy QoS for outgoing packets
• Anti-IP spoofing: SRC IP matching for outgoing packets
• DMAC matching for incoming packets
• TPA matching in ARP query
• For VM1, VM2, … VMn, src_mac, dst_mac -> VM vif => O(n^2)
17. Reduce OpenFlow Rules For VM-to-VM Traffic
[Diagram: same host as slide 16 (VM1/vif1 10 Mbps, VM2/vif2 50 Mbps, br-int, pair of veth br-int-eth0 / phy-br-eth0, br-eth0, eth0 to Public Networks) plus a second pair of veth, Int-loopback / phy-loopback, between br-int and br-eth0]
• dst_mac -> phy-loopback => O(n)
• dst_mac -> VM vif => O(n)
18. Firewall Rules ~= Security Group
[Diagram: same host layout as slide 17 (VM1/vif1, VM2/vif2, br-int, veth pairs br-int-eth0 / phy-br-eth0 and Int-loopback / phy-loopback, br-eth0, eth0 to Public Networks)]
• Firewall Rules for outgoing packets
– Protocol (TCP, UDP, ICMP) & Ports
• Firewall Rules for incoming packets
– Protocol (TCP, UDP, ICMP) & Ports
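As an added example (not code from the talk or from Bluehost's agent), the following Python generates the kinds of per-host OpenFlow rules slides 16 to 18 describe, in ovs-ofctl flow syntax: anti-IP-spoofing and DMAC/TPA delivery, security-group style incoming filters, and the direct versus loopback-veth VM-to-VM schemes whose rule counts differ as O(n^2) versus O(n). The port numbers, MACs, IPs and the three-table layout are assumptions of the example.

```python
# Added example, not code from the talk: ovs-ofctl style flow strings for the
# per-host edge of slides 16-18, plus the direct (O(n^2)) and loopback-veth
# (O(n)) VM-to-VM schemes. Ports, MACs, IPs and table layout are constructed.
LOOPBACK = 100   # br-int side of the int-loopback/phy-loopback pair (assumed)

def make_vms(n, base=4):
    """Constructed inventory: (ofport on br-int, MAC, allowed IPs) per vif."""
    return [(i + 1, f"fa:16:3e:00:00:{i + 1:02x}", [f"11.22.33.{base + i}"])
            for i in range(n)]

def anti_spoof_rules(vms):
    """Outgoing (table 0): SRC IP and SRC MAC matching per vif, else drop.
    Incoming (table 2): DMAC matching and TPA matching in ARP queries."""
    rules = []
    for port, mac, ips in vms:
        for ip in ips:
            rules.append(f"table=0,priority=100,in_port={port},dl_src={mac},ip,nw_src={ip},actions=resubmit(,1)")
            rules.append(f"table=0,priority=100,in_port={port},dl_src={mac},arp,arp_spa={ip},actions=resubmit(,1)")
            rules.append(f"table=2,priority=100,arp,arp_tpa={ip},actions=output:{port}")
        rules.append(f"table=0,priority=50,in_port={port},actions=drop")
        rules.append(f"table=2,priority=100,dl_dst={mac},actions=output:{port}")
    return rules

def firewall_rules(vms, allow):
    """Security-group style incoming rules: permit the listed (proto, port)
    pairs to each vif and drop any other IP traffic addressed to it."""
    rules = []
    for port, mac, _ in vms:
        for proto, dport in allow:
            match = f"{proto},dl_dst={mac}" + (f",tp_dst={dport}" if dport else "")
            rules.append(f"table=2,priority=150,{match},actions=output:{port}")
        rules.append(f"table=2,priority=120,ip,dl_dst={mac},actions=drop")
    return rules

def vm_to_vm_direct(vms):
    """Slide 16: one (src_mac, dst_mac) rule per ordered VM pair, n*(n-1)."""
    return [f"table=1,priority=200,dl_src={sm},dl_dst={dm},actions=output:{dp}"
            for _, sm, _ in vms for dp, dm, _ in vms if sm != dm]

def vm_to_vm_loopback(vms):
    """Slide 17: steer by dst_mac alone into the loopback veth; its return leg
    resubmits to table 2, whose DMAC rules deliver to the vif: n + 1 rules."""
    rules = [f"table=1,priority=200,dl_dst={mac},actions=output:{LOOPBACK}"
             for _, mac, _ in vms]
    rules.append(f"table=0,priority=100,in_port={LOOPBACK},actions=resubmit(,2)")
    return rules
```

Each string is a complete flow that could be handed to ovs-ofctl add-flow on br-int; compare len(vm_to_vm_direct(...)) with len(vm_to_vm_loopback(...)) for a few dozen VMs to see the reduction the slides claim.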
19. Tenant Networks
Unicast: AMAC <-> PMAC
[Diagram: External SDN Controller(s) bundle up PMAC on the Core Switches; Core Switches and ToR Switches of the L2 Fabric only see PMAC; on each Host, the Neutron Agent rewrites Actual MAC -> Positional MAC (AMAC -> PMAC) for outgoing traffic and PMAC -> AMAC for incoming traffic at the Open vSwitch in front of the VM]
• ARP Proxy or Not?
• Path Determination
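An added example, not code from the talk: a positional-MAC scheme of the kind slide 19 sketches, with the agent-side AMAC <-> PMAC rewrite rules, an in-switch ARP responder for the "ARP proxy" option, and the masked prefix rule that lets the fabric bundle up PMACs. The 16:8:8:16 bit layout (borrowed from PortLand), the port numbers and the MACs are assumptions of this example.

```python
# Added example, not code from the talk: a positional MAC (PMAC) scheme of the
# kind slide 19 sketches. The Neutron agent rewrites AMAC -> PMAC on the way out
# and PMAC -> AMAC on the way in, so the L2 fabric only ever sees PMACs.
# The 48-bit layout pod:position:port:vmid (16:8:8:16 bits, borrowed from
# PortLand) and every port number and MAC here are assumptions of this example.
import ipaddress

def pmac(pod, position, port, vmid):
    """Encode where a VM sits (pod, ToR position, host port, VM id) as a MAC."""
    assert pod < 1 << 16 and position < 256 and port < 256 and vmid < 1 << 16
    raw = (pod << 32) | (position << 24) | (port << 16) | vmid
    return ":".join(f"{(raw >> s) & 0xff:02x}" for s in range(40, -1, -8))

def parse_pmac(mac):
    """Inverse of pmac(): recover (pod, position, port, vmid) from a PMAC."""
    raw = int(mac.replace(":", ""), 16)
    return raw >> 32, (raw >> 24) & 0xff, (raw >> 16) & 0xff, raw & 0xffff

def edge_rewrite_rules(vif_port, uplink_port, amac, pmac_):
    """Agent-side rules on br-int (ovs-ofctl syntax): outgoing frames get the
    PMAC as source, incoming frames addressed to the PMAC get the actual MAC
    (AMAC) back before the VM sees them."""
    return [
        f"priority=100,in_port={vif_port},dl_src={amac},"
        f"actions=mod_dl_src:{pmac_},output:{uplink_port}",
        f"priority=100,in_port={uplink_port},dl_dst={pmac_},"
        f"actions=mod_dl_dst:{amac},output:{vif_port}",
    ]

def arp_responder_rule(ip, pmac_):
    """The 'ARP proxy or not?' option: answer ARP requests for ip inside Open
    vSwitch (Nicira extension actions) with the PMAC, so the AMAC never leaks
    into the fabric and the request is not flooded across it."""
    mac_hex = int(pmac_.replace(":", ""), 16)
    ip_hex = int(ipaddress.ip_address(ip))
    return (f"priority=100,arp,arp_op=1,arp_tpa={ip},actions="
            "move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[],"
            f"mod_dl_src:{pmac_},load:0x2->NXM_OF_ARP_OP[],"
            "move:NXM_NX_ARP_SHA[]->NXM_NX_ARP_THA[],"
            "move:NXM_OF_ARP_SPA[]->NXM_OF_ARP_TPA[],"
            f"load:{mac_hex:#x}->NXM_NX_ARP_SHA[],load:{ip_hex:#x}->NXM_OF_ARP_SPA[],"
            "in_port")

def fabric_bundle_rule(pod, out_port):
    """What 'bundle up PMAC' buys the core and ToR switches: one masked rule per
    pod instead of one rule per VM, because location sits in the high bits."""
    return (f"priority=50,dl_dst={pmac(pod, 0, 0, 0)}/ff:ff:00:00:00:00,"
            f"actions=output:{out_port}")
```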
20. Tenant Networks
Unicast: Overlay Networks
[Diagram: External SDN Controller(s); Core Switches and ToR Switches of an L2 or L3 Fabric see normal UDP/TCP; on each Host the Neutron Agent sets up Overlay Network Tunnels (VXLAN, STT, GRE) between the hosts' Open vSwitch instances, carrying the VM traffic]