DaoliNet A Simple and Smart Networking Technology for Docker Applications

Similar documents
Internet Technology. 15. Things we didn t get to talk about. Paul Krzyzanowski. Rutgers University. Spring Paul Krzyzanowski

CS-580K/480K Advanced Topics in Cloud Computing. Network Virtualization

CSC 4900 Computer Networks: Network Layer

OpenFlow Ronald van der Pol

Software-Defined Networking (SDN) Now for Operational Technology (OT) Networks SEL 2017

Cloud Native Networking

Simplify Container Networking With ican. Huawei Cloud Network Lab

ECPE / COMP 177 Fall Some slides from Kurose and Ross, Computer Networking, 5 th Edition

Dockercon 2017 Networking Workshop

Software Defined Networking Security: Security for SDN and Security with SDN. Seungwon Shin Texas A&M University

Lesson 9 OpenFlow. Objectives :

Fully Scalable Networking with MidoNet

Lecture 20: Link Layer

Project Calico v3.1. Overview. Architecture and Key Components

Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall

Welcome to PHOENIX CONTACT Routing

Implementing VXLAN. Prerequisites for implementing VXLANs. Information about Implementing VXLAN

Software-Defined Networking (Continued)

Network Security. Thierry Sans

Software Defined Networks and OpenFlow. Courtesy of: AT&T Tech Talks.

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Data Center Configuration. 1. Configuring VXLAN

Copyright Link Technologies, Inc.

BROCADE CLOUD-OPTIMIZED NETWORKING: THE BLUEPRINT FOR THE SOFTWARE-DEFINED NETWORK

Agenda Introduce NSX-T: Architecture Switching Routing Firewall Disclaimer This presentation may contain product features that are currently under dev

CSC 401 Data and Computer Communications Networks

Chapter 4 Network Layer: The Data Plane

What is SDN, Current SDN projects and future of SDN VAHID NAZAKTABAR

Introduction to Software-Defined Networking UG3 Computer Communications & Networks (COMN)

Outline. SDN Overview Mininet and Ryu Overview Mininet VM Setup Ryu Setup OpenFlow Protocol and Open vswitch Reference

Software Defined Networking

CloudEngine 1800V Virtual Switch

SDN AND NFV SECURITY DR. SANDRA SCOTT-HAYWARD, QUEEN S UNIVERSITY BELFAST COINS SUMMER SCHOOL, 23 JULY 2018

Switching & ARP Week 3

ARP Inspection and the MAC Address Table for Transparent Firewall Mode

Red Hat OpenStack Platform 10 Red Hat OpenDaylight Product Guide

Project Kuryr. Antoni Segura Puimedon (apuimedo) Gal Sagie (gsagie)

ECPE / COMP 177 Fall Some slides from Kurose and Ross, Computer Networking, 5 th Edition

VNS3 3.5 Container System Add-Ons

Project 4: SDNs Due: 11:59 PM, Dec 12, 2018

The Internetworking Problem. Internetworking. A Translation-based Solution

OpenFlow Controller Benchmarking Methodologies

Managing and Securing Computer Networks. Guy Leduc. Chapter 2: Software-Defined Networks (SDN) Chapter 2. Chapter goals:

BIG-IP TMOS : Tunneling and IPsec. Version 13.0

Cybersecurity Threat Mitigation using SDN

Cisco Interconnecting Cisco Networking Devices Part 1.

Enabling Efficient and Scalable Zero-Trust Security

Using Diagnostic Tools

Networking Approaches in. a Container World. Flavio Castelli Engineering Manager

Software Defined Networks

Hands on SDN and BRO

ICS 451: Today's plan

CSc 466/566. Computer Security. 18 : Network Security Introduction

Interconnecting Cisco Networking Devices Part1 ( ICND1) Exam.

Chapter 5 Network Layer: The Control Plane

CS 457 Lecture 11 More IP Networking. Fall 2011

Homework 3 Discussion

Bringing Software Innovation Velocity to Networking Hardware

Quantum, network services for Openstack. Salvatore Orlando Openstack Quantum core developer

TEN ESSENTIAL NETWORK VIRTUALIZATION DEFINITIONS

Securing Network Application Deployment in Software Defined Networking 11/23/17

Building NFV Solutions with OpenStack and Cisco ACI

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Software Defined Networking

CS 458 Internet Engineering Spring First Exam

Accelerating SDN and NFV Deployments. Malathi Malla Spirent Communications

Cloud Networking (VITMMA02) Network Virtualization: Overlay Networks OpenStack Neutron Networking

Network Security: Network Flooding. Seungwon Shin GSIS, KAIST

Design and development of the reactive BGP peering in softwaredefined routing exchanges

Life of a Packet. KubeCon Europe Michael Rubin TL/TLM in GKE/Kubernetes github.com/matchstick. logo. Google Cloud Platform

Project Calico v3.2. Overview. Architecture and Key Components. Project Calico provides network security for containers and virtual machine workloads.

CS 4226: Internet Architecture

Opendaylight: Enabling 5G through Cloud Native Telco Architecture Edgar Lombara Lumina Networks Inc.

CSC358 Week 6. Adapted from slides by J.F. Kurose and K. W. Ross. All material copyright J.F Kurose and K.W. Ross, All Rights Reserved

Last time. Network layer. Introduction. Virtual circuit vs. datagram details. IP: the Internet Protocol. forwarding vs. routing

20-CS Cyber Defense Overview Fall, Network Basics

An Analysis and Empirical Study of Container Networks

VXLAN Overview: Cisco Nexus 9000 Series Switches

BYZANTINE FAULT TOLERANT SOFTWARE- DEFINED NETWORKING (SDN) CONTROLLERS

Module 7 Internet And Internet Protocol Suite

CSE/EE 461 The Network Layer. Application Presentation Session Transport Network Data Link Physical

Network Virtualization Based on Flows

Computer Networks Security: intro. CS Computer Systems Security

Communication Networks ( ) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University. Allon Wagner

Lecture 8 Advanced Networking Virtual LAN. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it

ARP Inspection and the MAC Address Table

Networking & Security for Mesos

TCP/IP THE TCP/IP ARCHITECTURE

Virtual Private Cloud. VPC Product Introduction

Lab 3: Simple Firewall using OpenFlow

AGENDA Introduction Pivotal Cloud Foundry NSX-V integration with Cloud Foundry New Features in Cloud Foundry Networking NSX-T with Cloud Fou

COMP211 Chapter 4 Network Layer: The Data Plane

Next Gen Virtual Switch. CloudNetEngine Founder & CTO Jun Xiao

Internet Protocol and Transmission Control Protocol

First Exam for ECE671 Spring /22/18

Cisco CSR 1000V VxLAN Support 2

Kubernetes networking in the telco space

F5 DDoS Hybrid Defender : Setup. Version

Addressing and Routing

Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security

Transcription:

DaoliNet A Simple and Smart Networking Technology for Docker Applications DaoliNet An Open Source Project www.daolinet.org May, 2016

Docker is Awesome! A Linux Container Engine Build, Ship and Run Any App Anywhere Fast Delivery, Easy Portable, High Density of Workloads 2

Docker Networking Question Every Docker host is created independently, therefore containers in different Docker hosts are not connected one another by default There are several Docker networking projects, Weave, Flannel, Libnetwork, Calico, etc., all consume Docker servers resource even when containers are not in communication, e.g., Calico: servers keep running heavyweight routing algorithms; MAC-in-UDP encapsulation: MAC learning by flooding in big scale 3

OpenFlow: Smart Network Control OpenFlow: From Clean Slate Program at Stanford University, for Software Defined Network (SDN) In Standardization by Open Network Foundation (ONF) Separation of control and forwarding planes: Forwarding devices do not know each other; Let a knowing-all Controller tell forwarding devices what to do, in real time of communications Knowing everything Controller Network forwarding devices: they do not know each other 4

OpenFlow for Docker Networking Keep it Simple! Let Docker servers not know each other, leave communications open, and let a Controller tell Docker servers how to forward packets when containers start to communicate 5

DaoliNet: An Openflow Approach Ubiquitously distributed Open-V-Switch in Docker hosts: They will ask the Controller what to do upon containers start talk 6

How it Works What Controller can see from PacketIn: src-ip = ID of communication initiator (C1) dst-ip = ID of communication responder (C2) These IDs suffice Controller to judge legitimacy of the connection request Controller can PacketOut two flows to OVSes in Server1 & Server2 These two flows, plus the Ethernet connection between the two servers, form a hot-plug route for the requested connection Hot-plug connection is resource efficient, fine granular, and simple! 7

Overlay Network No Packet Encapsulation When a packet travels between a container and its Docker server, src-ip, dst-ip are those of containers When a packet travels between two Docker servers, src-mac, dstmac are those of the servers The route information is complete The two routers do not learn, update, and maintain route tables; they are configured by the Controller in real time of container communication No need of packet encapsulation Overlay/underlay packets L2/L3 header data form a complete route 8

User-mode Connection of Overlay Network Lightweight and Simple to Manage OVS 2. Real-time configures two OVSes letting them co-work = hot-plug OVS a, b: plug a, c: unplug b, c: plug a, b: plug a, c: unplug b, c: plug 1. Openflow Controller sees connection request Controller only sees and handles the first packet as connection request The remainder packets are shortcut directly between OVS servers 9

Improved Cloud Security Physically distributed controllers are only deployed in intranet, protected by firewalls SSL security protocol to protect (1) synchronization of network metadata, and (2) PacketIn and PacketOut flows (Openflow standard) Overlay nodes can talk one another only if the Controller PacketOut flows, thus, ARP attack using a wrong MAC address won t work, even for containers in one Docker server 11

Lightweight and Simple OVS never memorizes MAC addresses of containers on another OVS, no need of ARP flood, switching is purely enabled by PacketOut flow from Controller Controller only needs to record very few network metadata: MACs and IPs of containers, MACs and IPs of Docker servers, and security group information of containers No packet encapsulation, therefore no packet fragmentation, no nullification of networking diagnosing and trouble shooting tools, e.g., traceroute Overlay/underlay packets L2/L3 header data form complete route 12

OVS on Every Docker Server: Completely Distributed Switches, Routers and Gateways OVS in distributed Docker hosts form: vswitch, vrouter, vgateway, vfirewall for Docker networking Containers within the same Docker server: if not allowed to connect, are isolated one another Containers can have usual intranet IP subnets: 10.0.0/8, 172.16.0/16, 192.168.0/24, OVS forming distributed vrouters forwarding between these subnets If a Docker host has external IP addresses, then OVS in the host forms a vgateway, and vfirewall, for containers to communicate with outside world 13

To Know More About DaoliNet Open Source: github.com/daolinet Demo System: www.daolicloud.com 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback