SDN Controllers - Western Michigan University


SDN CONTROLLERS
SDN Tutorial 1

SDN Controllers
• The three concepts:
– Programmability
– Separation of the control and data planes
– Management of ephemeral network state in a centralized control plane, regardless of the degree of centralization
• A software system or collection of systems that together provides the above ideal concepts

SDN Controllers
• An idealized controller:

SDN Controllers
• SDN controller provides:
– Management of network state:
  » State management may involve a database, which serves as a repository for information derived from the controlled network elements
  » Purpose-driven data management processes or an in-memory database
– A high-level data model:
  » Captures the relationships between managed resources, policies and other services
– A modern, often RESTful API:
  » Exposes the controller services to an application
  » Facilitates the controller-to-application operation

SDN Controllers
• SDN controller provides:
– A secure TCP control session between the controller and associated agents in the network
– A standards-based protocol for the provisioning of application-driven network state on the network
– A device, topology, and service discovery mechanism
  » Path computation system and potentially other network-centric or resource-centric information services

SDN Controllers
• The current commercial SDN controllers:
– Nicira: NVP
– NEC: Trema
– Big Switch Networks: Floodlight/BNC
– Juniper/Contrail
– Cisco XNC

SDN Controllers
– Nicira was founded in 2007; its network virtualization platform (NVP) was released in 2011
– NVP works with Open vSwitch (OVS), the hypervisor softswitch controlled by the NVP controller cluster
– Most of the OVS programming is achieved with a database-like protocol called the Open vSwitch Database Management Protocol (OVSDB)
– OVSDB provides a strong management interface to the hypervisor

SDN Controllers
– OVSDB characteristics include the following:
  » Uses JSON for schema format and wire protocol
  » Transactional
  » No-SQL
  » Persistency
  » Monitoring capability
  » Stores both provisioning and operational state
– The NVP controller is a cluster of servers that use database synchronization to share state

SDN Controllers
• NVP OVSDB interactions with virtual switches and 3rd party hardware

SDN Controllers
– A layer 2 or layer 3 gateway product converts Nicira STT tunnel overlays into VLANs (layer 2), VLAN-to-VLAN, or provides NAT-like functionality
– OVS together with gateways and the service nodes support redundant controller connections for high availability
– NVP Manager: the management server with a basic interface used mainly to troubleshoot and verify connections

SDN Controllers
• SDN Controller components

SDN Controllers
• NOX/POX
– NOX:
  » NOX was developed by Nicira and donated to the research community, hence becoming open source
  » Subsequently extended and supported via ON.LAB activity at Stanford with major contributions from UC Berkeley and ICSI
  » NOX provides a C API to OpenFlow and an asynchronous, event-based model
  » NOX is both a primordial controller and a component-based framework for developing SDN applications

SDN Controllers
• NOX/POX
– NOX:
  » NOX core provides helper methods and APIs for interacting with OpenFlow switches, including a connection handler and event engine
  » Additional components that use that API are available, including host tracking, routing, topology, and a Python interface implemented as a wrapper for the component API
  » NOX is often used in academic network research to develop SDN applications:
    – SANE: An approach to representing the network as a filesystem
    – Ethane: Application for centralized, network-wide secu.

SDN Controllers
• NOX Architecture

SDN Controllers
• NOX/POX
– POX:
  » The newer, Python-based version of NOX
  » Has a high-level SDN API including a query-able topology graph and support for virtualization
  » Advantages over NOX:
    – Has a Pythonic OpenFlow interface
    – Has reusable sample components for path selection, topology discovery, and so on
    – Runs anywhere and can be bundled with the install-free PyPy runtime for easy deployment
    – Specifically targets Linux, Mac OS, and Windows
    – Supports the same GUI and virtualization tools as NOX
    – Performs well compared to NOX applications in Python

SDN Controllers
• Trema:
– An OpenFlow programming framework for developing an OpenFlow controller, originally developed by NEC
– Provides basic infrastructure services as part of its core modules that support the development of user modules in Ruby or C
– Developers can individualize or enhance the base controller functionality by defining their own controller subclass object
– The core modules provide a message bus that allows the communication

SDN Controllers
• Trema:

SDN Controllers
• Trema:
– The infrastructure provides a command-line interface and configuration filesystem for configuring and controlling applications, managing messaging and filters, and configuring virtual networks via a Network Domain Specific Language (DSL)
– A Trema-based OpenFlow controller can interoperate with any element agent that supports OpenFlow, without requiring a specific agent

SDN Controllers
• Trema architecture and API interfaces

SDN Controllers
• Ryu:
– Component-based, open source framework implemented entirely in Python
– Components include:
  » OpenFlow wire protocol support
  » Event management
  » Messaging
  » In-memory state management
  » Application management
  » Reusable libraries
– Has an OpenStack Quantum plug-in that supports both GRE-based overlay and VLAN

SDN Controllers
• Ryu architecture, APIs, applications

SDN Controllers
• Big Switch Networks/Floodlight:
– Popular SDN controller contribution from Big Switch Networks to the open source community
– Based on Beacon from Stanford University
– An Apache-licensed, Java-based controller
– Modular core architecture with components including:
  » Topology management
  » Device management (MAC and IP tracking)
  » Path computation
  » Generalized storage abstraction for state storage

SDN Controllers
• Floodlight architecture:

SDN Controllers
• Big Switch Networks/Floodlight:
– Core module handles I/O from switches and translates OpenFlow messages into Floodlight events, creating an event-driven, asynchronous application framework
– Floodlight incorporates a threading model that allows modules to share threads with other modules
– Floodlight is Java/Jython centric
  » Jython: Python for the Java Platform

SDN Controllers
• Big Switch Networks/Floodlight:
– Features:
  » Offers a module loading system that makes it simple to extend and enhance
  » Easy to set up with minimal dependencies
  » Supports a broad range of virtual/physical OpenFlow switches
  » Can handle mixed OpenFlow and non-OpenFlow networks
  » Designed to be high-performance: the core comes from a commercial product from Big Switch Networks
  » Support for the OpenStack cloud orchestration platform

The SDN Stack

NETWORK CONTROL PLANE

Network Control Plane
• The part of the router architecture
• It establishes the local data set used to create the forwarding table entries
• The data set used to store network topology is called the routing information base (RIB)
– Kept consistent (loop-free) through the exchange of information between other instances of the control plane

Network Control Plane
• The forwarding table entries (FIB) are often mirrored between the control and data planes
– The FIB is programmed once the RIB is consistent and stable
• The view of the network topology in the RIB can be:
– Manually programmed
– Learned through observation
– Built from pieces of information gathered
– A combination of the above

Network Control Plane
• Typical Network

Network Control Plane
• Packets received by node A are forwarded to node B
– Control plane and data plane run on separate processors
– Packets are received on the input port of the line card where the data plane resides
– If the packet comes from an unknown MAC address, it is redirected (4) to the control plane to be learned, processed, and later forwarded

Network Control Plane
• A packet delivered to the control plane:
– The information contained is processed and possibly results in an alteration of the RIB (a new route is learned)
  » The control plane returns the packet (C) to the data plane (2), which forwards the packet
– The FIB is programmed in step (C)
• The same packet processing happens in node B

Network Control Plane
• The layer 2 control plane focuses on hardware or physical layer addresses (MAC)
• The layer 3 control plane is built to facilitate network layer addresses (IP protocol)
• Scaling concerns:
– Layer 2 and 3 are merged because layer 2 doesn't scale well for a large number of hosts
– End hosts moving between networks, resulting in massive churn of forwarding tables

Network Control Plane
• In a layer 2 network, forwarding focuses on MAC address reachability:
– Primarily deals with MAC address storing
– Hard to manage due to the large number of end hosts
• A layer 3 network focuses on IP address reachability:
– The primary concern is the destination IP prefix for both unicast and multicast
– Used to segment or stitch together layer 2 domains to overcome the scale problem

Network Control Plane
• Layer 2 bridges that represent some sets of IP subnetworks are typically connected together with a layer 3 router
• Layer 3 routers are connected to form a larger network
• Protocols blurring these lines:
– Multiprotocol Label Switching (MPLS)
– Ethernet Virtual Private Network (EVPN)
– Locator/ID Separation Protocol (LISP)

Network Control Plane
• Multiprotocol Label Switching Protocol:
– Combines the best part of layer 2 forwarding and the best part of layer 3 IP routing: extremely fast packet forwarding
– Directs data from one node to the next based on short path labels rather than long network addresses
  » Avoids intensive lookups in a routing table
– Labels are used to identify paths between distant nodes rather than endpoints
– It can encapsulate packets of various network protocols

Network Control Plane
• Multiprotocol Label Switching Protocol:
– Packet forwarding decisions are made only on the contents of the label
  » Allows one to create point-to-point circuits on any type of transport medium, with any protocol
– It operates at the layer between layer 2 and layer 3 (a "layer 2.5" protocol)
– Designed to provide a unified data-carrying service for both circuit-based and packet-switching clients
– Can be used to carry different kinds of traffic: IP, ATM, SONET, and Ethernet

Network Control Plane
• MPLS Operation:
– It works by prefixing packets with an MPLS header, containing one or more labels
– Each label contains 4 fields:
  » 20-bit label value
  » 3-bit experimental (QoS and ECN)
  » 1-bit bottom-of-stack flag
  » 8-bit TTL

Network Control Plane
• MPLS Operation:
– MPLS-labeled packets are switched after a label lookup instead of looking into the IP table (RIB)
  » Faster, because this can be done within the switch fabric rather than on the CPU
– MPLS packets are routed using label switch routers (LSR)
  » Uses the label as the index to determine the next hop
– A label edge router (LER) operates at the edge of an MPLS network
  » Labels the IP datagram into the MPLS domain

Network Control Plane
• MPLS Operation:
– Labels are distributed between LERs and LSRs using the Label Distribution Protocol (LDP)
  » It is used to build and maintain label-switched path (LSP) databases
– LSRs regularly exchange label and reachability information with each other to build a complete network topology
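As an added example (not from the slides), the label-stack layout above and one LSR forwarding step in Python: each 32-bit entry is parsed into label/EXP/BoS/TTL, and the LSR decides on the top label alone (swap, pop, or drop on TTL expiry or unknown label). The label table (LFIB), next-hop names and packet bytes are constructed for the example.

```python
import struct
from typing import List, Tuple

Entry = Tuple[int, int, bool, int]  # (label, exp, bos, ttl)


def encode_entry(label: int, exp: int, bos: bool, ttl: int) -> bytes:
    """Pack one label stack entry: 20-bit label | 3-bit EXP | 1-bit S | 8-bit TTL."""
    if not (0 <= label < (1 << 20) and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def parse_stack(data: bytes) -> Tuple[List[Entry], bytes]:
    """Return ([(label, exp, bos, ttl), ...], payload); stops at the BoS entry."""
    stack, off = [], 0
    while True:
        if len(data) - off < 4:
            raise ValueError("truncated label stack (no bottom-of-stack entry)")
        (word,) = struct.unpack_from("!I", data, off)
        entry = (word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 0x1), word & 0xFF)
        stack.append(entry)
        off += 4
        if entry[2]:  # bottom of stack reached: the rest is the encapsulated packet
            return stack, data[off:]


# Constructed LSR label table: in_label -> (operation, out_label, next_hop).
LFIB = {
    100: ("swap", 300, "lsr-b"),
    200: ("pop", None, "ler-egress"),  # penultimate-hop pop toward the edge router
}


def lsr_forward(packet: bytes):
    """One LSR hop: decide on the top label only, never on the IP header inside."""
    stack, payload = parse_stack(packet)
    label, exp, bos, ttl = stack[0]
    if ttl <= 1:
        return ("drop", None, b"")  # TTL expired: stop a looping packet here
    if label not in LFIB:
        return ("drop", None, b"")  # unknown label: discard rather than guess
    op, out_label, next_hop = LFIB[label]
    new_stack = list(stack[1:])
    if op == "swap":
        new_stack.insert(0, (out_label, exp, bos, ttl - 1))
    elif new_stack:  # pop: carry the decremented TTL into the exposed entry
        nl, ne, nb, _ = new_stack[0]
        new_stack[0] = (nl, ne, nb, ttl - 1)
    out = b"".join(encode_entry(*e) for e in new_stack) + payload
    return ("forward", next_hop, out)


if __name__ == "__main__":
    # Constructed two-label packet: outer label 100 (TTL 64), inner 200 (BoS, TTL 10).
    pkt = encode_entry(100, 0, False, 64) + encode_entry(200, 5, True, 10) + b"IP payload"
    print(parse_stack(pkt))
    print(lsr_forward(pkt))
```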

Network Control Plane
• Ethernet Virtual Private Network:
– A family of methods for utilizing the beauty of MPLS to create VPNs
– An attempt to solve the layer 2 scale problem by effectively tunneling distant layer 2 bridges together over an MPLS network
– Layer 2 addressing and reachability information exchanged over the tunnel does not contaminate the scale of layer 3 networks

Network Control Plane
• Locator/ID Separation Protocol:
– A map-and-encapsulate protocol
– Combines two functions in one domain:
  » Routing locator: where a client is attached to the network
  » Identifier: who the client is
– Both identifiers and locators can be arbitrary elements:
  » IP addresses
  » A MAC address
  » GPS coordinates

Network Control Plane
• Locator/ID Separation Protocol:
– Originally conceived to address the Internet scaling issue:
  » IP addresses denote both location and identity
  » Overloaded IP addresses make efficient routing impossible
  » IPv6 does not fix this issue
  » Routers require more expensive memory to hold the Internet routing table
  » Expensive for network builders/operators
  » Replacing equipment for the wrong reason (to hold the routing table rather than to implement new features)

Network Control Plane
• Locator/ID Separation Protocol:
– LISP creates 2 name spaces:
  » EID (Endpoint Identifier): the host IP address
    – Used inside of sites and as end-site addresses for hosts and routers
    – EIDs go in DNS records, same as today
    – Generally not globally routed on the underlying infrastructure
  » RLOC (Routing Locator): the LISP router IP
    – Used in the core and as infrastructure addresses for LISP routers and ISP routers; routed like today
    – Hosts do not know about them
    – Globally routed and aggregated along the Internet connectivity topology

Network Control Plane
• Locator/ID Separation Protocol:
– EID packets are encapsulated in RLOC packets and forwarded over the Internet
– Network-based map-and-encapsulate:
  » No changes in hosts, DNS, or core infrastructure
  » New mapping service required for EID-to-RLOC

Network Control Plane
• Locator/ID Separation Protocol:

Network Control Plane
• LISP header format:

Network Control Plane
• LISP Mapping System:
– LISP separates "where" and "who":
  » Network routers are responsible for looking up the mapping between endpoint ID (EID) and routing locator (RLOC)
  » The mapping process is invisible to end hosts
  » Mappings are stored in a distributed database called the mapping system
  » RLOC: An IPv4 or IPv6 address of an egress tunnel router (ETR), the output of an EID-to-RLOC lookup
  » EID: An IPv4 or IPv6 address used in the source/destination fields of the first LISP header

EID-to-RLOC Mapping System
• LISP Delegated Database Tree (LISP-DDT)
– Similar to DNS

Network Control Plane
• LISP Mapping System:
– LISP network elements:
  » Ingress Tunnel Router (ITR):
    – Finds the EID-to-RLOC mapping
    – Encapsulates to locators at the source site
  » Egress Tunnel Router (ETR):
    – Owns the EID-to-RLOC mapping
    – Decapsulates at the destination site
– LISP forwarding:

MORE ON MININET

Mininet – Create Learning SW
• Controller choice: POX (Python)
– The Python-based SDN controller
– We do not need the reference controller anymore, so we can kill it from SSH:
  sudo killall controller
– We should make sure everything is clean by running:
  mininet> exit
  sudo mn -c
  sudo mn --topo single,3 --mac --switch ovsk --controller remote

Mininet – Create Learning SW
• Controller choice: POX (Python)
– Then you need to download the POX code from the POX repository on GitHub to the VM:
  git clone http://github.com/noxrepo/pox
  cd pox
– Now you can try to run a basic hub example:
  ./pox.py log.level --DEBUG misc.of_tutorial
– The above command enables POX verbose logging and starts the of_tutorial component

Mininet – Create Learning SW
• Controller choice: POX (Python)
– The switches may take a longer time to connect, since an OpenFlow switch that loses its connection to a controller backs off up to a maximum of 15 seconds
– When the switch connects, POX will display something as follows:
  INFO:openflow.of_01:[Con 1/1] Connected to 00-00-00-00-00-01
  DEBUG:samples.of_tutorial:Controlling [Con 1/1]

Mininet – Create Learning SW
• Benchmark hub controller w/ iperf
– Let's benchmark the provided of_tutorial hub by running:
  mininet> pingall
– This will check connectivity of all virtual hosts; then we can run:
  mininet> iperf
– You should see that every packet goes up to the controller now

Mininet – Create Learning SW
• Open hub code and modify it
– Let's stop the tutorial hub controller using Ctrl-C in the SSH terminal
– We will modify pox/misc/of_tutorial.py. You can open this file in your favorite editor
– The current code calls the act_like_hub() function from the handler for packet-in messages to implement switch behavior; you can also try the act_like_switch() function to explore more about POX

Example: Controller App

Mininet – Create Learning SW
• Get to know Python:
– A dynamic, interpreted programming language; no separate compilation step
– Uses indentation rather than "{}" and ";" to delimit code
– Dynamically typed: no need to pre-declare variables, types are automatically handled
– Has built-in hash tables (dictionaries) and vectors (lists)
– Object-oriented and introspective: easily print the member variables and functions at run time

Mininet – Create Learning SW
• Python common operations:
– To initialize a dictionary:
  mactable = {}
– To add an element to a dictionary:
  mactable[0x123] = 2
– To check for dictionary membership:
  if 0x123 in mactable:
      print 'element 2 is in mactable'
  if 0x123 not in mactable:
      print 'element 2 is not in mactable'

Mininet – Create Learning SW
• Python common operations:
– To print a debug message in POX:
  log.debug('saw new MAC!')
– To print an error message in POX:
  log.error('unexpected operation')
– To print member variables and functions:
  print dir(object)
– To comment a line of code:
  # Prepend comments with a #; no // or /* */

Mininet – Create Learning SW
• Python common operations:
– Sending OpenFlow messages with POX:
  connection.send( ... )  # send an OpenFlow msg
  » ofp_action_output class:
    – An action for use with ofp_packet_out and ofp_flow_mod, which specifies a switch port that you wish to send the packet out of
    – Example: Create an output action that would send packets to all ports:
      out_action = of.ofp_action_output(port = of.OFPP_FLOOD)

Mininet – Create Learning SW
• Python common operations:
– Sending OpenFlow messages with POX:
  connection.send( ... )  # send an OpenFlow msg
  » ofp_match class:
    – It describes packet header fields and an input port to match on
    – Some notable fields of ofp_match objects are:
      » dl_src: The data link layer (MAC) source address
      » dl_dst: The data link layer (MAC) destination address
      » in_port: The packet's input switch port
    – Create a match that matches packets arriving on port 3:
      match = of.ofp_match()
      match.in_port = 3

Mininet – Create Learning SW
• Python common operations:
– Sending OpenFlow messages with POX:
  » ofp_packet_out OpenFlow message:
    – It instructs a switch to send a packet, which might be constructed at the controller, or might be the one the switch received, buffered, and forwarded to the controller; its fields are:
      » buffer_id: The ID of the buffer you wish to send
      » data: Raw bytes you
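As an added example (not from the slides or the POX project), the MAC-learning decision that act_like_switch() in of_tutorial.py has to make, written in plain Python 3 with no POX dependency so it runs stand-alone: learn the source MAC on the ingress port, send to the learned port (where POX would install an ofp_flow_mod), flood with OFPP_FLOOD when the destination is unknown, and drop when the destination sits on the ingress port. The packet-in sequence, host MACs and the table-size cap are constructed for the example; in POX the port and MACs come from event.port and the parsed Ethernet header.

```python
OFPP_FLOOD = 0xFFFB  # OpenFlow 1.0 "flood" virtual port, the value of of.OFPP_FLOOD


class LearningSwitch:
    """Learn src MAC -> ingress port; forward to the learned port or flood."""

    def __init__(self, max_entries=1024):
        self.mactable = {}              # mac -> port, like the slides' mactable
        self.max_entries = max_entries  # bound table growth against MAC-flooding churn
        self.stats = {"flood": 0, "output": 0, "drop": 0, "rejected": 0}

    def packet_in(self, in_port, src, dst):
        """Handle one packet-in; return (action, out_port, install_flow)."""
        # 1. Learn where the source lives (a host that moved simply re-learns).
        if src in self.mactable or len(self.mactable) < self.max_entries:
            self.mactable[src] = in_port
        else:
            self.stats["rejected"] += 1  # table full: keep forwarding, stop learning

        # 2. Decide the output for the destination.
        if dst not in self.mactable:
            self.stats["flood"] += 1
            return ("flood", OFPP_FLOOD, False)  # ofp_packet_out to OFPP_FLOOD
        out_port = self.mactable[dst]
        if out_port == in_port:
            self.stats["drop"] += 1
            return ("drop", None, False)  # never echo a frame back out its ingress port
        self.stats["output"] += 1
        # In POX: ofp_flow_mod with match.in_port/dl_dst and ofp_action_output(out_port)
        return ("output", out_port, True)


def demo():
    """Constructed packet-in trace for a single switch with 3 hosts (mn --topo single,3)."""
    h1, h2, h3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    sw = LearningSwitch()
    trace = [
        sw.packet_in(1, h1, h2),  # h2 unknown -> flood
        sw.packet_in(2, h2, h1),  # h1 known on port 1 -> output 1, install flow
        sw.packet_in(1, h1, h2),  # h2 known on port 2 -> output 2
        sw.packet_in(2, h3, h1),  # h3 learned on port 2 (e.g. a hub behind port 2)
        sw.packet_in(2, h3, h2),  # h2 is on the ingress port -> drop
    ]
    return sw, trace


if __name__ == "__main__":
    sw, trace = demo()
    for step in trace:
        print(step)
    print(sw.mactable, sw.stats)
```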