Towards truly open and commoditized Sdn in openstack
Towards Truly Open And Commoditized SDN In OpenStack
Jun Park (Ph.D.)
Senior Systems Architect
EIG/Bluehost
OpenStack Summit 2013 at Hong Kong
• OpenStack Meets Software-Defined-Networking
• Why Does OpenStack need SDN?
• Why Does SDN need OpenStack?
L2 Fabric
(diagram: VM1, VM2 and VM3 sit on different racks, all attached to one L2 fabric)
• Keep public IP address and MAC address when a VM moves between racks
• QoS, isolation, ACL, firewall
• Tenant-isolated networks
This is exactly a killer app of SDN!
Key Points of L2 Fabric
• Simple data forwarding plane
– No L3 agent, no NAT
– No unknown traffic
• Avoid performance overhead
• Seamless and straightforward VM migration
• High entropy in packets: desired for multipath
# neutron port-list
For 20,000 ports
(chart: response time of neutron port-list for 20,000 ports before optimization)
Now 3 seconds with optimization
SDN Controller
When something is closed…
(diagram of controllers: NOX/POX, NEC, BigSwitch, Onix, Ryu, Nicira, FloodLight, OpenDaylight)
General SDN Architecture
(diagram: External Entity -> Northbound API -> SDN Controllers [SDN Application, Control Logic, Network Topology] -> Southbound API -> OpenFlow Switch)
• OpenFlow rules
– Forwarding plane
– No src MAC learning
• Timing
– Reactive vs. proactive
• Transition
– Traditional ports -> OpenFlow ports
– Pure OpenFlow vs. hybrid port
• Max # of OpenFlow rules
– 4K – 120K, more or less
– How many rules bundled up
• Controllers: distributed vs. single
Current OpenStack SDN Approach
0. The Neutron agent prepares the basic OVS structure on the compute node
1. Request to create a virtual interface (vif)
2. Neutron-server creates the vif in the Neutron DB
3. Neutron-server calls the REST API of the SDN controller(s) (SDN application with its Network Info Base, NIB)
4. The SDN controller deploys OpenFlow rules to Open vSwitch (OVS) on the compute node
• Intended to be minimal functionality on the agent
• SDN controllers own the control logic
• No RPC from Neutron server to agent
• Who creates the OVS vif and its external-ids? Answer: Nova-compute. Why?
Current OpenStack SDN Approach: Doesn't Scale!
Same flow as before (1. request to create a vif, 2. create the vif in the Neutron DB, 3. call the REST API of the SDN controller(s)), but the SDN controller(s) now have to program every device directly:
• > 18,000 Open vSwitch instances on the compute nodes
• Hundreds of ToR physical switches
OK, Questions We Got!
Q: What is a truly scalable SDN solution now?
A: Not yet, but will be.
Q: When?
A: Who knows!
Q: Can you use a different approach?
A: Nope.
Q: Why not?
A: Vendors working on it.
Edge vs. Fabric
§ Separation of Control:
“The fabric is responsible for packet transport across the network, while
the edge is responsible for providing more semantically rich services such
as network security, isolation, and mobility.”
HotSDN’12, “Fabric: A Retrospective on Evolving SDN”
Martín Casado, Teemu Koponen, Scott Shenker, Amin Tootoonchian
Bluehost OpenStack SDN Approach
1. Request to create a vif
2. Neutron-server creates the vif in the Neutron DB
3. Neutron-server calls the REST API of the SDN controller(s) (SDN application, NIB), and the Neutron agent on the compute node receives RPC calls
4. The Neutron agent deploys OpenFlow rules on Open vSwitch; the SDN controllers deploy OpenFlow rules on the hundreds of ToR physical switches
Key Services Achieved Via Neutron Only
(diagram: Tenant1, Tenant2 and Tenant3 on one flat network; vif1, vif2 and vif3 carrying addresses 11.22.33.4 through 11.22.33.8)
• Isolated on flat network
• Firewall rules
• QoS: bandwidth
• Multiple IPs per vif
• Anti-IP spoofing per vif
Under The Hood: QoS, Anti-IP Spoofing, VM-to-VM
(diagram: VM1/vif1 at 10 Mbps and VM2/vif2 at 50 Mbps on br-int; br-int is joined to br-eth0 by a pair of veth, br-int-eth0 and phy-br-eth0; eth0 on br-eth0 leads to the public networks)
• Deploy QoS for outgoing packets
• Anti-IP spoofing: SRC IP matching for outgoing packets
• DMAC matching for incoming packets
• TPA matching in ARP query
• VM-to-VM: for VM1, VM2, … VMn, src_mac, dst_mac -> VM vif => O(n^2)
Reduce OpenFlow Rules For VM-to-VM Traffic
(diagram: same bridges as before, plus a second pair of veth, int-loopback on br-int and phy-loopback on br-eth0)
• On br-eth0: dst_mac -> phy-loopback => O(n)
• On br-int: dst_mac -> VM vif => O(n)
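The rule-count argument of this slide, as an added example (not code from the talk or from Neutron): it generates the pair-wise scheme and the loopback scheme for one host and compares how many VMs fit into the rule limits quoted on the General SDN Architecture slide (4K to 120K). The OpenFlow port numbers, the priorities and the MACs in the demo are assumptions; the br-int delivery rules are given a lower priority than the per-vif egress rules of the Under The Hood slide so that a VM frame always goes up to br-eth0 and through its policing first.

```python
"""Rule counts for VM-to-VM traffic on one compute node: the pair-wise
(src_mac, dst_mac) scheme against the loopback scheme of the "Reduce OpenFlow
Rules For VM-to-VM Traffic" slide. Added example, not code from the talk;
the OpenFlow port numbers, priorities and MACs are assumptions.
"""
from typing import Dict, List

# Assumed OpenFlow port numbers of the veth legs and the NIC.
INT_BR_ETH0 = 1    # br-int side of the veth pair towards br-eth0
INT_LOOPBACK = 2   # br-int side of the loopback veth pair
ETH0 = 1           # physical NIC on br-eth0
PHY_LOOPBACK = 2   # br-eth0 side of the loopback veth pair
PHY_BR_ETH0 = 3    # br-eth0 side of the veth pair from br-int


def pairwise_rules(vifs: Dict[str, int]) -> List[str]:
    """Pair-wise scheme on br-int ({mac: ofport}): one rule per ordered
    (src, dst) pair so per-source policy and delivery are decided in one
    lookup: n*(n-1) rules."""
    return [f"priority=100,in_port={sp},dl_src={s},dl_dst={d},actions=output:{dp}"
            for s, sp in vifs.items() for d, dp in vifs.items() if s != d]


def loopback_rules(vifs: Dict[str, int]) -> Dict[str, List[str]]:
    """Loopback scheme: every VM frame first leaves br-int via int-br-eth0
    (where the per-vif egress policing applies); br-eth0 turns frames for a
    local MAC around through phy-loopback, and br-int delivers by dst_mac.
    n per-VM rules on br-eth0 plus n on br-int, plus two fixed defaults."""
    br_eth0 = [f"priority=100,in_port={PHY_BR_ETH0},dl_dst={mac},actions=output:{PHY_LOOPBACK}"
               for mac in vifs]
    br_eth0 += [f"priority=10,in_port={PHY_BR_ETH0},actions=output:{ETH0}",   # not local: out the NIC
                f"priority=10,in_port={ETH0},actions=output:{PHY_BR_ETH0}"]    # from the fabric: up to br-int
    # Priority 50 so the per-vif egress rules (priority 100, in_port=<vif>) win:
    # a VM frame cannot hit the delivery rule directly and skip its policing.
    br_int = [f"priority=50,dl_dst={mac},actions=output:{port}" for mac, port in vifs.items()]
    return {"br-eth0": br_eth0, "br-int": br_int}


def loopback_path(vifs: Dict[str, int], src_mac: str, dst_mac: str) -> List[str]:
    """Hops a frame takes from src to dst under the loopback scheme."""
    hops = [f"br-int: in_port={vifs[src_mac]} -> output:{INT_BR_ETH0} (int-br-eth0, policed)"]
    if dst_mac in vifs:
        hops += [f"br-eth0: in_port={PHY_BR_ETH0},dl_dst={dst_mac} -> output:{PHY_LOOPBACK} (phy-loopback)",
                 f"br-int: in_port={INT_LOOPBACK},dl_dst={dst_mac} -> output:{vifs[dst_mac]}"]
    else:
        hops.append(f"br-eth0: in_port={PHY_BR_ETH0},dl_dst={dst_mac} not local -> output:{ETH0} (eth0)")
    return hops


def rules_needed(n: int, scheme: str) -> int:
    """VM-to-VM rules for n VMs on one host (rules common to both schemes,
    such as the per-vif egress and anti-spoofing rules, are not counted)."""
    if scheme == "pairwise":
        return n * (n - 1)
    if scheme == "loopback":
        return 2 * n
    raise ValueError(f"unknown scheme {scheme!r}")


def max_vms(table_size: int, scheme: str) -> int:
    """Largest n whose VM-to-VM rules fit in a flow table of `table_size`
    entries (the architecture slide quotes 4K to 120K as typical limits)."""
    n = 0
    while rules_needed(n + 1, scheme) <= table_size:
        n += 1
    return n


if __name__ == "__main__":
    vifs = {"fa:16:3e:00:00:01": 5, "fa:16:3e:00:00:02": 6, "fa:16:3e:00:00:03": 7}
    print(len(pairwise_rules(vifs)), "pair-wise rules on br-int")
    for bridge, rules in loopback_rules(vifs).items():
        print(bridge, len(rules), "loopback-scheme rules")
    for size in (4096, 120_000):
        print(size, "entries:", max_vms(size, "pairwise"), "VMs pair-wise,",
              max_vms(size, "loopback"), "VMs with loopback")
```

With a 4K table the pair-wise scheme tops out at 64 VMs per host, the loopback scheme at 2048; with 120K entries the numbers are 346 and 60,000. The extra veth hop costs one more lookup per VM-to-VM frame, which is the price the slide accepts for the O(n) table.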
Firewall Rules ~= Security Group
(diagram: same bridges and veth pairs as on the previous slides)
• Firewall rules for outgoing packets: protocol (TCP, UDP, ICMP) & ports
• Firewall rules for incoming packets: protocol (TCP, UDP, ICMP) & ports
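The per-vif rules of the Under The Hood slide (QoS for outgoing packets, SRC IP matching, DMAC matching, TPA matching in ARP) and the protocol/port firewall rules of this slide, written out as an added example in ovs-ofctl/ovs-vsctl syntax. This is not code from the talk or from Neutron: the bridge layout follows the slides, but the OpenFlow port numbers, the priorities, the burst size and the small flow matcher used to check the rules are assumptions. One caveat the slides leave implicit: OpenFlow rules of this kind are stateless, so unlike iptables-based security groups there is no connection tracking, and replies to VM-initiated connections need their own explicit allow rules.

```python
"""Per-vif OpenFlow rules: anti-IP-spoofing and DMAC/ARP-TPA delivery (the
"Under The Hood" slide) plus protocol/port firewall rules (the "Firewall
Rules ~= Security Group" slide). Added example, not code from the talk or
from Neutron. The bridge layout follows the slides (VM vifs and the uplink
veth towards br-eth0 on br-int); OpenFlow port numbers, priorities and the
tiny flow matcher used to check the rules are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

UPLINK = 1  # assumed OpenFlow port of the veth leg on br-int leading to br-eth0
L4 = Tuple[str, Optional[int]]  # ("tcp"|"udp"|"icmp", dst port / ICMP type / None)


@dataclass
class Vif:
    ofport: int
    mac: str
    ips: List[str]                                     # multiple IPs per vif
    allow_in: List[L4] = field(default_factory=list)   # network -> VM
    allow_out: List[L4] = field(default_factory=list)  # VM -> network


def _l4(proto: str, port: Optional[int]) -> str:
    """ovs-ofctl match fragment for one (protocol, port/type) entry."""
    if proto not in ("tcp", "udp", "icmp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    if port is None:
        return proto
    if proto == "icmp":
        if not 0 <= port <= 255:
            raise ValueError("ICMP type out of range")
        return f"icmp,icmp_type={port}"
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return f"{proto},tp_dst={port}"


def vif_flows(v: Vif) -> List[str]:
    """All rules for one vif in ovs-ofctl add-flow syntax. OVS evaluates by
    priority: the priority-10 drop rules catch everything the priority-100
    allow rules do not admit. Filtering is stateless (no connection tracking,
    unlike iptables security groups)."""
    flows: List[str] = []
    # Outgoing: source MAC and source IP must belong to the vif (anti-spoofing),
    # then protocol/port filtering. ARP sender fields get the same check so a
    # VM cannot poison its neighbours' ARP caches.
    for ip in v.ips:
        ip_address(ip)  # reject malformed addresses before they reach ovs-ofctl
        for proto, port in v.allow_out:
            flows.append(f"priority=100,in_port={v.ofport},dl_src={v.mac},"
                         f"{_l4(proto, port)},nw_src={ip},actions=output:{UPLINK}")
        flows.append(f"priority=100,in_port={v.ofport},arp,dl_src={v.mac},"
                     f"arp_sha={v.mac},arp_spa={ip},actions=output:{UPLINK}")
    flows.append(f"priority=10,in_port={v.ofport},actions=drop")
    # Incoming: deliver by destination MAC only (no source-MAC learning); an
    # ARP query reaches the VM only if its target (TPA) is one of the vif's IPs.
    for proto, port in v.allow_in:
        flows.append(f"priority=100,in_port={UPLINK},dl_dst={v.mac},"
                     f"{_l4(proto, port)},actions=output:{v.ofport}")
    for ip in v.ips:
        flows.append(f"priority=100,in_port={UPLINK},arp,arp_tpa={ip},"
                     f"actions=output:{v.ofport}")
    flows.append(f"priority=10,in_port={UPLINK},dl_dst={v.mac},actions=drop")
    return flows


def policing_commands(ifname: str, rate_kbps: int) -> List[str]:
    """Bandwidth cap for the VM's outgoing traffic (10 Mbps / 50 Mbps on the
    slide). Seen from the bridge that traffic is ingress on the vif, so OVS
    ingress policing applies; a burst of about 10% of the rate is assumed."""
    return [f"ovs-vsctl set interface {ifname} ingress_policing_rate={rate_kbps}",
            f"ovs-vsctl set interface {ifname} ingress_policing_burst={max(rate_kbps // 10, 1)}"]


_SHORTHAND = {"ip": {"ip", "tcp", "udp", "icmp"}, "arp": {"arp"},
              "tcp": {"tcp"}, "udp": {"udp"}, "icmp": {"icmp"}}


def lookup(flows: List[str], pkt: Dict[str, object]) -> Optional[str]:
    """Actions of the highest-priority flow matching `pkt` (field names as in
    the flows, plus 'proto' for the protocol shorthand); None on table miss."""
    best: Optional[Tuple[int, str]] = None
    for f in (dict(kv.partition("=")[::2] for kv in fl.split(",")) for fl in flows):
        for k, val in f.items():
            if k in ("priority", "actions"):
                continue
            ok = pkt.get("proto") in _SHORTHAND[k] if k in _SHORTHAND else str(pkt.get(k)) == val
            if not ok:
                break
        else:
            if best is None or int(f["priority"]) > best[0]:
                best = (int(f["priority"]), f["actions"])
    return best[1] if best else None


if __name__ == "__main__":
    vm1 = Vif(5, "fa:16:3e:00:00:01", ["11.22.33.4", "11.22.33.5"],
              allow_in=[("tcp", 22), ("tcp", 80), ("icmp", 8)],
              allow_out=[("tcp", None), ("udp", 53)])
    for cmd in policing_commands("vif1", 10_000):
        print(cmd)
    for fl in vif_flows(vm1):
        print(f"ovs-ofctl add-flow br-int '{fl}'")
```

The matcher is only there to check the rule set offline: a frame from vif1 with a source IP that is not 11.22.33.4 or .5, or with another VM's MAC, falls through to the priority-10 drop, while an ARP query from the fabric is delivered only to the vif that owns the target address.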
Tenant Networks: Unicast, AMAC <-> PMAC
(diagram: hosts with VMs on Open vSwitch and a Neutron agent per host; ToR switches and core switches form the L2 fabric; external SDN controller(s) above the fabric)
• Neutron agent rewrites actual MAC (AMAC) -> positional MAC (PMAC) on the way into the fabric, and PMAC -> AMAC on the way back out
• ToR and core switches only see PMACs
• Bundle up PMACs; path determination by the external SDN controller(s)
• ARP proxy or not?
Tenant Networks: Unicast, Overlay Networks
(diagram: hosts with VMs on Open vSwitch and a Neutron agent per host; overlay network tunnels between the hosts cross an L2 or L3 fabric of ToR and core switches; external SDN controller(s))
• Tunnels: VXLAN, STT, GRE
• ToR and core switches see normal UDP/TCP
Tenant Networks: Multicast/Broadcast
(diagram: VMs on several hosts under ToR and core switches; a broadcast from one VM has to reach the tenant's other VMs)
• Generate multiple unicast packets
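The positional-MAC slide and the multicast/broadcast slides together, as an added example that is not code from the talk. The slides say only that the fabric sees PMACs, that the agent rewrites AMAC -> PMAC on the way in and PMAC -> AMAC on the way out, that PMACs are bundled up, and that broadcasts become multiple unicasts; the PMAC layout used here (02:pod:rack:host:vif, locally administered), the choice to answer ARP with PMACs, and every port number are assumptions.

```python
"""Positional MACs (PMAC) for the L2 fabric of the "Tenant Networks: Unicast,
AMAC <-> PMAC" slide, and the broadcast-to-unicast fan-out of the
"Multicast/Broadcast" slides. Added example, not code from the talk. The
PMAC layout (02:pod:rack:host:vif-hi:vif-lo), the ARP-proxy choice and all
port numbers are assumptions.
"""
from typing import Dict, List, Tuple

ETH0 = 1          # assumed br-eth0 port of the NIC towards the ToR switch
PHY_BR_ETH0 = 3   # assumed br-eth0 port of the veth leg from br-int
BROADCAST = "ff:ff:ff:ff:ff:ff"


def encode_pmac(pod: int, rack: int, host: int, vif: int) -> str:
    """Build a PMAC from the VM's position. 0x02 in the first octet marks a
    locally administered unicast address, so a PMAC can never collide with a
    vendor-assigned actual MAC."""
    for name, val, limit in (("pod", pod, 255), ("rack", rack, 255),
                             ("host", host, 255), ("vif", vif, 65535)):
        if not 0 <= val <= limit:
            raise ValueError(f"{name}={val} out of range")
    return f"02:{pod:02x}:{rack:02x}:{host:02x}:{vif >> 8:02x}:{vif & 0xff:02x}"


def decode_pmac(pmac: str) -> Tuple[int, int, int, int]:
    """Inverse of encode_pmac; rejects anything that is not a PMAC."""
    octets = [int(o, 16) for o in pmac.split(":")]
    if len(octets) != 6 or octets[0] != 0x02:
        raise ValueError(f"{pmac} is not a positional MAC")
    return octets[1], octets[2], octets[3], (octets[4] << 8) | octets[5]


def core_aggregate_rule(pod: int, rack: int, out_port: int) -> str:
    """What the external SDN controller pushes to a core switch: one masked
    rule per rack ("bundle up PMAC") instead of one rule per VM."""
    prefix = encode_pmac(pod, rack, 0, 0)
    return f"priority=100,dl_dst={prefix}/ff:ff:ff:00:00:00,actions=output:{out_port}"


def host_rewrite_rules(local: Dict[str, str]) -> List[str]:
    """br-eth0 rules for the vifs on this host ({amac: pmac}). Assumes the
    agent answers ARP with PMACs (the "ARP proxy" choice), so only the source
    MAC is rewritten on the way out and only the destination on the way in."""
    rules = []
    for amac, pmac in local.items():
        rules.append(f"priority=100,in_port={PHY_BR_ETH0},dl_src={amac},"
                     f"actions=mod_dl_src:{pmac},output:{ETH0}")
        rules.append(f"priority=100,in_port={ETH0},dl_dst={pmac},"
                     f"actions=mod_dl_dst:{amac},output:{PHY_BR_ETH0}")
    # A frame whose source is not a registered local AMAC never reaches the fabric.
    rules.append(f"priority=10,in_port={PHY_BR_ETH0},actions=drop")
    return rules


def broadcast_fanout_rule(amac: str, pmac: str, peer_pmacs: List[str]) -> str:
    """Replace a tenant broadcast from vif `amac` with one unicast copy per
    peer VM of the same tenant (peer list from Neutron, so broadcasts never
    cross tenants). Each mod_dl_dst followed by output emits another copy of
    the frame, so the fabric never sees a broadcast at all."""
    match = f"priority=110,in_port={PHY_BR_ETH0},dl_src={amac},dl_dst={BROADCAST}"
    if not peer_pmacs:
        return f"{match},actions=drop"
    copies = ",".join(f"mod_dl_dst:{p},output:{ETH0}" for p in peer_pmacs)
    return f"{match},actions=mod_dl_src:{pmac},{copies}"


if __name__ == "__main__":
    vm1_amac, vm1_pmac = "fa:16:3e:00:00:01", encode_pmac(1, 7, 12, 5)
    print(vm1_pmac, decode_pmac(vm1_pmac))
    print(core_aggregate_rule(1, 7, out_port=9))
    for r in host_rewrite_rules({vm1_amac: vm1_pmac}):
        print(r)
    print(broadcast_fanout_rule(vm1_amac, vm1_pmac,
                                [encode_pmac(1, 7, 13, 2), encode_pmac(1, 8, 1, 9)]))
```

The masked core rule is the scalability point: a core switch with hundreds of racks needs hundreds of entries, not one per VM, which is what keeps the fabric inside the 4K to 120K rule limits quoted earlier. The fan-out rule grows with the number of peers per tenant, so a very large tenant network is where the multiple-unicast approach gets expensive.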
We Need Truly Open, Commoditized SDN Solutions!
EIG/Bluehost Willing To Contribute!
Thanks!
• Design Summit for Neutron
– http://summit.openstack.org/cfp/details/311