Networking in virtual environments

Transcription

1 Networking in virtual environments Guillaume Urvoy-Keller January 7, / 36

2 Source documents Teemu Koponen, Keith Amidon, Peter Balland, Martín Casado, Anupam Chanda, Bryan Fulton, Igor Ganichev, Jesse Gross, Paul Ingram, Ethan J. Jackson, Andrew Lambeth, Romain Lenglet, Shih-Hao Li, Amar Padmanabhan, Justin Pettit, Ben Pfaff, Rajiv Ramanathan, Scott Shenker, Alan Shieh, Jeremy Stribling, Pankaj Thakkar, Dan Wendlandt, Alexander Yip, Ronghua Zhang: Network Virtualization in Multi-tenant Datacenters. NSDI 2014: Ben Pfaff, Justin Pettit, Teemu Koponen, Ethan J. Jackson, Andy Zhou, Jarno Rajahalme, Jesse Gross, Alex Wang, Joe Stringer, Pravin Shelar, Keith Amidon, Martín Casado: The Design and Implementation of Open vswitch. NSDI 2015: / 36

3 Outline 1 SDN primer / 36

4 Traditional networks Strict layering Layer 2 : VLANs Layer 3 : routing between VLANs Middleboxes (NAT, Firewalls, IDS ) operate at layer 4 and above, e.g., check TCP port or application info (e.g., HTTP header) Relies on distributed algorithms (spanning tree, routing protocols) You don t control their convergence, e.g., spanning tree prunes some links to avoid loops and elects a master or you assigns weights to OSPF but can t impose a root MPLS allows virtualization if links and actual path control 4 / 36

5 Software Defined Networking "One ring to rule them all" centralized control plane, a.k.a, controller Controller injects rules in switches and can read stats If a switch does not a rule for a flow, it asks the controller Rules are more complex and can mix layer 2 to 4 attributes (e.g., if src MAC is xxx and TCP port is yyy, then) + meta-data info like input port. OpenFlow v1.0 header fields Ingress Port, Ethec Src, Ether Dst, Ether Type, Vlan ID, IP Dst, IP Src, TCP Dst, TCP Src, IP Proto. A rule is filter and an action :forward, discard, send to controller or modify packet (e.g., like NAT) 5 / 36

6 Software Defined Networking 6 / 36

7 Software Defined Networking SDN enables fine grained traffic control of traffic Protocol to inject between controller and switches is normalized Openflow Major vendors (HP, CISCO, etc) have released hardware switches Also virtual switches like Open vswitch () Variety of Openflow controller: Floodlight, Opendaylight,... 7 / 36

8 Open vswitch 8 / 36

9 Open vswitch Borrowed slides from Ben Pfaff. See online talk at presentation/pfaff What is (from openswitch.org)? Open vswitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license. It is designed to enable massive network automation through programmatic extension, while still supporting standard management interfaces and protocols (e.g. NetFlow, sflow, SPAN, RSPAN, CLI, LACP, 802.1ag). 9 / 36

10 Where is used? Broad support: Linux, FreeBSD, NetBSD, Windows, ESX KVM, Xen, Docker, VirtualBox, Hyper-V,... OpenStack, CloudStack, OpenNebula,... Widely used: Most popular OpenStack networking backend Default network stack in XenServer 1,440 hits in Google Scholar Thousands of subscribers to OVS mailing lists 10 / 36

11 architecture 11 / 36

12 architecture ovs-vswitchd: userland daemon talks Openflow with controller Essentially the same for all OS datapath kernel module OS dependent + technology dependent, e.g., DPDK From These libraries can be used to: receive and send packets within the minimum number of CPU cycles (usually less than 80 cycles) develop fast packet capture algorithms (tcpdump-like) run third-party fast path stacks ovsdb-server: Stores configuration of switches Openflow does not allow to create/delete switches. ovsdb does this job! 12 / 36

13 Packet data path Kernel Datapath "the datapath module simply follows the instructions, called actions, given by ovs-vswitchd, which list physical ports or tunnels on which to transmit the packet" Datapath does not talk/is not aware of Openflow (this is the ovs-vswitchd job) 13 / 36

14 Packet data path The more you do in the kernel, the better (faster) it is. 14 / 36

15 15 / 36

16 Network virtualization ( - see next section on VMware) Mutli-tenant architecture Each tenant expresses its network architecture in the form of a set of tables to traverse Each table corresponds to a function (NAT, layer 2, routing, etc) Each line in the table is an openflow rule 16 / 36

17 Implementation of table CAM Hardware SDN switches benefit from TCAM memory TCAM = Ternary Content Addressable Memory CAM is an hardware implementation of an associative array CAM is a memory that can do memory lookups in one clock cycle and in a parallel fashion looking at multiple fields at once in a lookup. 17 / 36

18 Binary and Ternary CAMs BCAM outputs a 0 or a 1 Figure: source: 18 / 36

19 Binary and Ternary CAMs TCAM further supports 0, 1 or don t care bit. Allows to account for variable size inputs to be hashed, e.g., IP prefixes of different sizes /24 and /25 Figure: source: 19 / 36

20 How do we do in software? Problem: x86 architecture does not feature TCAM but simple RAM. We have efficient hashing functions but the keys must have the same length For, they use Tuple search classifiers V.Srinivasan, S.Suri, and G.Varghese. PacketClassification Using Tuple Space Search. In Proc. of SIGCOMM, / 36

21 Tuple packet classification A tuple is a known set of bits in each input fields Ex: assume rules only use IP source and destination and there are 2 different prefix lengths /8 and /24 this gives 4 tuples: IP source with 8 bits + IP dest with 8 bits IP source with 24 bits + IP dest with 8 bits IP source with 8 bits + IP dest with 24 bits IP source with 24 bits + IP dest with 24 bits A tuple search can be implemented as a hash function We benefit from the fact that each field layer 4 ports) feature in practice a limited number of different lengths Ex: you don t have all /x addresses for x {1,2,...32} but maybe only {8,16,32} 21 / 36

22 22 / 36

23 Improving tuple search performance 100 lookup (not unusual in practice in an implementation) too long at high rate, several 100s of Mb/s to Gb/s Solution: pay the price for the first packet and cache result in kernel datapath for subsequent packet of the same layer 4 connection a single hash for packet number 2,3,... A layer 4 connection is called a micro-flow in parlance 23 / 36

24 Going to controller to ask the rule is not consider has an option in real implementation pro-active (install rules in advance) rather than reactive model! 24 / 36 Microflow caching

25 Microflow caching In practice, performance has improved but they use other techniques (called mega-flow) in practice 25 / 36

26 Network Virtualization Platform () 26 / 36

27 VMware & Nicira, Nicira Network Virtualization Platform () Slides, article and presentation at: Nicira: a startup that developed network virtualization tools Bought by VMware in 2012 and now NSX (The Network Virtualization and Security Platform) - see 27 / 36

28 Network virtualization already exists 28 / 36

29 What if we use those legacy tools... What if two tenants want to use the same set of private addresses, say 10/8? 1 need to decouple space of clients from the one of the physical ones. 1 VRF might help but you have to be cautious in dynamic environments where tenants provision their VMs/networks by themselves 29 / 36

30 Decoupling physical from logical network Similarly to what (OS) hypervisors do. Enable tenants to reproduce their network with architecture and security constraints 30 / 36

31 Your constraints when building a network hypervisors for clients to share the network VMs must not be aware that there is not a physical but a logical network same TCP/IP stack Clients must be able to express their architectural/security constraints There is no one single control plane? (CISCO CLI, JunOS, firewall specific interface...) VMware vision: tenants needs can always be expressed as datapath, a set of tables containing rules 31 / 36

32 Generality of datapath model 32 / 36

33 Where to implement? Inside the virtual switches hosted in each hypervisor no hardware support. Tenants use an API to instruct the network hypervisor, e.g., Openstack GUI to specify network architecture and a driver is used with the network hypervisor 33 / 36

34 Inside the virtual switch Significant burden for virtual switches that implement the whole datapath of the tenant 34 / 36

35 Physical network (between hypervisors) Physical layer is kept simple and stupid mesh of IP tunnels between physical IP addresses of hypervisors They bump into known performance models for tunnels like GRE Problem stems from difficulty to perform TCP checksum offloading to NIC. Use of STT 35 / 36

36 Challenge of controller Cluster of controller to compute and maintain states (and other techniques) 36 / 36