OpenFlow: What's it Good for?
Apricot 2016
Pete Moyer, pmoyer@brocade.com, Principal Solutions Architect

Agenda
- SDN & OpenFlow Refresher
- How we got here
- SDN/OF Deployment Examples
- Other practical use cases for SDN/OF
- Conclusion
OpenFlow & SDN Refresher
"Data center networks are in my way" -- James Hamilton
Software Defined Networking: Evolving Definition
- A network in which the Control Plane is physically separated from the Data Plane
- OpenFlow is the enabler
- SDN =? OpenFlow
- SDN > OpenFlow
- Distribute what you must, centralize what you can
[Figure: three models side by side. Traditional Router: Control Plane (software) over Data Plane (hardware). SDN-OpenFlow: Controller (software, exposing APIs) over Data Plane (hardware). Hybrid: the router's own Control Plane (software) and a Controller both driving the Data Plane (hardware).]

OpenFlow Version History
- OpenFlow v1.0 (12/2009): L2 and L3 (IPv4) matching fields; many actions (including normal)
- OpenFlow v1.1 (02/2011): MPLS label/exp matching fields; multiple flow tables, group table; virtual ports
- OpenFlow v1.2 (12/2011): IPv6 matching fields; multiple controllers, role change
- OpenFlow v1.3 (4/2012): QoS metering; capabilities & version negotiation
- OpenFlow v1.4 (8/2013): improved capability discovery, extensibility
- OpenFlow v1.5 (12/2014): TCP flag matching; egress tables; improved metering
- OpenFlow v1.6 (2016?): tunneling
- OF v2.0 or NG? (TBD): P4? TTPs
Reference: http://www.sigcomm.org/sites/default/files/ccr/papers/2014/July/0000000-0000004.pdf
OF/SDN Deployment Examples
Google B4 OF/SDN Network
Inter-DC Backbone [figures dated 5/2013 and 4/2014]

Google B4 OF/SDN Network: Summarized Benefits
- Separate control plane from forwarding plane
  - Choose HW based on necessary features
  - Choose SW based on protocol requirements
  - Decouple HW & SW innovation
- Logically centralize the network control plane
  - Deterministic
  - Efficient
  - Global view
- Allow automation, flexibility and innovation
- Achieved ~99% WAN link utilization

Internet2 SDN Backbone [figure dated 7/2012]

Internet2 Backbone Routers [screenshot of http://routerproxy.grnoc.iu.edu/al2s/]

Internet2 OpenFlow flows installed [screenshot of http://routerproxy.grnoc.iu.edu/al2s/]

A few more SDN Announcements [three announcements shown, dated 3/2014, 10/2012 and 12/2015]

Other Deployment Examples
Where are they?
Another POV: the demise of OpenFlow has been greatly exaggerated
So what (else) is OpenFlow good for? 15
SDN Use Cases (grouped on the slide under CONTROL, AUTOMATION and VISIBILITY)
- Volumetric Attack Mitigation
- Elephant Flow Management
- Firewall Bypass
- Policy Based Flow Forwarding
- Botnet Attack Mitigation
- SDN Based MPLS Traffic Engineering
- Bandwidth Scheduler
- Packet-Optical Integration
- WAN Network Virtualization
- Flow Metering
- SDN Based Wiretap
- VXLAN Monitoring

L2-L4 DDoS Mitigation Example Network: Volumetric Attack Mitigation
[Figure: an SDN App on OpenDaylight controls a BGP Border Router (hybrid) that fronts two Core Routers; the Incoming Attack Flow from the Internet is mitigated by a Discard Flow rule installed on the border router]

Flow Metering & Accounting
Improve network utilization and reliability
Status: Flow Optimizer v1.1, committed for GA and shipping in May 2015
[Figure: an sFlow Collector feeds an SDN App (Analytic Flow Control) with the flow parameters of interesting traffic; the app installs an OF rule to rate-limit that traffic, so OF-based metering runs alongside normal L2/L3 forwarding on the router between the Campus / DC network and the WAN / Internet]

Traditional REN Science-DMZ
- Campus firewall is a performance bottleneck
- Traditional Science-DMZ architecture connects the science LAN outside the FW
- Creates security exposure?
[Figure: WAN to Science DMZ Switch (10G/40G) serving high-performance Data Transfer Nodes with high-speed storage; the Enterprise Border Router/Firewall and Enterprise Switch sit on a separate path; 100 GbE and 10/40 GbE links]
Source: https://fasterdata.es.net/science-dmz/

SDN for Policy-Based Firewall Insertion / Bypass
Operator-driven or sFlow-threshold-driven policy enforcement for large trusted flows
[Figure: Enterprise Datacenter 1 with a One-armed Firewall and Enterprise Datacenter 2 with an Inline Firewall, connected over the WAN to the Internet; an SDN App on the SDN Controller distinguishes the Default Traffic Flow (through the firewall) from the Trusted Traffic Flow (firewall bypass)]

Elephant Flow Management
Dynamic and programmatic action for an efficient network
Target for v1.2
Programmable / scheduled via Northbound API
[Figure: an sFlow Collector feeds an SDN App (App Monitor, Flow Policy); when flow parameters match, the action is applied through OF matching on the Campus / DC router: Regular Traffic is re-marked and takes Normal Forwarding, Critical traffic is re-directed onto dedicated paths for elephants toward the WAN / Cloud]
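The flow metering, firewall bypass and elephant flow slides all start from the same building block: an sFlow collector estimates per-flow rates and the SDN app decides which flows cross a threshold. The Python below is an added example, not code from this deck or from the Flow Optimizer product; the sample records are constructed, the 10-second window and the thresholds are assumptions, and the FlowKey and Sample types are hypothetical. It scales each sampled frame by its sampling rate to estimate bits per second, then separates a single large flow (an elephant, a candidate for re-direction or a rate limit) from a destination receiving traffic from many sources (a volumetric event, a candidate for a discard rule), which a per-flow threshold alone would miss.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    """Flow identity without the source port, which is ephemeral and not useful as a policy key."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Sample:
    """One sFlow packet sample: the header of one packet out of every `sampling_rate` seen."""
    sampling_rate: int
    src: str
    dst: str
    proto: str
    dport: int
    frame_len: int  # bytes on the wire for the sampled frame


WINDOW_SECONDS = 10  # assumption: the collector reports once per 10-second window

# Constructed samples, not real telemetry: one large data transfer (20 samples of full
# frames), a little HTTPS traffic, and one UDP/53 destination hit from 30 different sources.
SAMPLES = (
    [Sample(1000, "10.1.1.5", "10.2.2.9", "tcp", 5001, 1500)] * 20
    + [Sample(1000, "10.1.1.7", "10.2.2.9", "tcp", 443, 800)] * 2
    + [Sample(1000, f"198.51.100.{i}", "10.2.2.10", "udp", 53, 60) for i in range(1, 31)]
)


def estimate_flow_rates(samples, window=WINDOW_SECONDS):
    """Scale every sampled frame by its sampling rate and return estimated bits/s per flow."""
    bytes_per_flow = defaultdict(int)
    for s in samples:
        key = FlowKey(s.src, s.dst, s.proto, s.dport)
        bytes_per_flow[key] += s.sampling_rate * s.frame_len
    return {key: total * 8 / window for key, total in bytes_per_flow.items()}


def classify(rates, elephant_bps, volumetric_bps, min_sources):
    """Return the flows above the per-flow threshold and the destinations receiving more
    than `volumetric_bps` in aggregate from at least `min_sources` distinct sources."""
    elephants = [key for key, bps in rates.items() if bps >= elephant_bps]
    bps_per_dst = defaultdict(float)
    sources_per_dst = defaultdict(set)
    for key, bps in rates.items():
        bps_per_dst[key.dst] += bps
        sources_per_dst[key.dst].add(key.src)
    volumetric = {
        dst: bps
        for dst, bps in bps_per_dst.items()
        if bps >= volumetric_bps and len(sources_per_dst[dst]) >= min_sources
    }
    return {"elephant": elephants, "volumetric": volumetric}


if __name__ == "__main__":
    rates = estimate_flow_rates(SAMPLES)
    verdict = classify(rates, elephant_bps=10_000_000, volumetric_bps=1_000_000, min_sources=10)
    for key in verdict["elephant"]:
        print(f"elephant   {key.src}->{key.dst} {key.proto}/{key.dport}: {rates[key] / 1e6:.2f} Mb/s")
    for dst, bps in verdict["volumetric"].items():
        print(f"volumetric {dst}: {bps / 1e6:.2f} Mb/s aggregate")
```

With the constructed input, the 10.1.1.5 transfer estimates to 24 Mb/s and is the only elephant, while 10.2.2.10 is flagged as volumetric at 1.44 Mb/s aggregate even though each contributing flow is only 48 kb/s. The 10.2.2.9 destination carries more aggregate traffic than that but comes from only two sources, so it is not a volumetric event; the distinct-source count is what keeps a legitimate large transfer from being treated as an attack.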
Or keep doing this?

ip access-list extended <name>
 permit ip any host 10.250.64.2
 permit ip any host 10.250.120.0
 permit ip any host 10.110.65.6
 permit ip any host 10.2333.120.4
 deny udp any host 10.223.98.8 eq 2152
 deny udp any host 10.223.98.5 eq 2152
 deny udp any host 10.223.98.3 eq 2152
 deny udp any eq 2152 host 10.223.98.8
 deny udp any eq 2152 host 10.223.98.5
 deny udp any eq 2152 host 10.223.98.3
 permit ip any host 10.119.65.7
 permit ip any host 10.119.65.11
access-list 10 permit any
access-list 50 permit 10.100.64.0 0.0.0.255
access-list 165 permit ip host 10.142.64.31 10.196.48.0 0.0.0.255
access-list 165 permit ip 10.62.64.0 0.0.0.255 host 10.79.213.25
access-list 165 permit ip host 10.72.64.2 host 10.79.213.11
ip access-list extended <name>
 permit vlan 1250 ip any any
 permit vlan 1251 ip any any
route-map <name> permit 50
 match ip address 50
 set ip next-hop 172.16.10.10
route-map <name> permit 51
 match ip address 51
 set ip next-hop 172.16.11.11
route-map test permit 101
 rule-name <name>
 match ip address <ipv4-prefix-list>
 match ipv6 address <ipv6-prefix-list>
 set next-hop-flood-vlan 1013
 set interface null0
route-map <name> permit 102
 rule-name <name>
 match ip address <ipv4-prefix-list>
 match ipv6 address <ipv6-prefix-list>
 set next-hop-flood-vlan 1123
 set interface null0

What about OpenFlow with MPLS?
- Multiple RSVP-signaled LSPs (Gold, Silver, Bronze, etc.)
- OpenFlow rules for per-application classification (and metering) applied at the ingress LER
- Redirect action into an MPLS LSP
[Figure: Data Center behind LER1, MPLS WAN, Data Center behind LER3; an SDN App programs the ingress LER]
- Different LSPs for application/traffic prioritization and traffic engineering
- Classification at ingress into the appropriate TE'd LSP (aka flow-based forwarding)
- OF granularity for classification
- May also provide ingress policing/metering (e.g. CAC function)

But there's more! How do you get packet captures?

Current Network Visibility Mode of Operation
Problem 1: Obtaining data plane traffic visibility in production networks is *very* challenging
- Network probes are commonly deployed, or a dedicated out-of-band visibility network is deployed
- Both approaches increase CAPEX
- Both approaches limit the visibility of traffic to specific aggregation points in the network, either because of where the probes are deployed or where the network is tapped to send flows to the visibility fabric
Problem 2: Provisioning and operating a dynamic visibility solution is not efficient, nor real-time
- Hampers the ability to troubleshoot real-time performance problems

Current Network Visibility Mode of Operation
Problem 3: Networking devices have many limitations in terms of providing specific data traffic to be monitored
- Switch/Router SPAN/RSPAN mirrors *all* traffic from one port to another port
- ACL-based port mirroring can provide traffic granularity; however
  - At the expense of very complex CLI configurations
  - Lacks an efficient & dynamic update capability
  - Has scalability limitations
  - No central repository of these distributed, network-wide ACL-based port mirroring configurations

SDN-based Inline Packet Capture Example
Committed for v1.1
- No network taps or probes
- Per-flow in-line visibility
- Surgical mirroring
- Centralized control
- No complex router configurations (ACL, PBR, SPAN, etc.)
- No separate visibility network required
[Figure: the SDN App pushes flow parameters to the router in the DC or campus network; packets from the Ingress Port pass through the SDN FlowTap and the Normal Forwarding Pipeline, with matched flows copied to the analytics tool(s)]

Conclusions
- OF-based SDN is here. Deployed.
  - A few examples provided
  - OF-based forwarding of normal traffic; network transport
  - Centralized control plane
- OF-based SDN can solve many other problems
  - As a tool for programmatic control of policy
  - Centrally managed ACL & PBR replacement
  - OF-based exception handling of interesting traffic; network services
  - Normal traffic forwarded normally
  - Solves various operational use cases
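The same four verbs recur across the DDoS mitigation (discard), flow metering (rate limit), MPLS and elephant flow (redirect) and FlowTap (mirror) slides, and the conclusions pitch OpenFlow as a centrally managed replacement for the ACL and route-map configuration shown on the "Or keep doing this?" slide. The Python below is an added example, not code from this deck or from any Brocade product: a small hypothetical policy model compiled into ovs-ofctl flow and meter commands, with Open vSwitch assumed as the OpenFlow 1.3 switch (the deck's diagrams show routers, but the match and action vocabulary is the same). The policy names, port numbers and the /24 are constructed; the host addresses reuse values from the ACL slide. Each policy is validated before it is emitted, which catches malformed entries such as the 10.2333.120.4 address in that ACL, and the compiled list always ends with a priority-0 NORMAL rule so that traffic not matched by any exception keeps its normal forwarding, which is the "normal traffic forwarded normally" model the conclusions describe.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class FlowPolicy:
    """Hypothetical policy record (an assumption of this example, not a product API).
    action is one of: drop | normal | meter:<meter_id> | redirect:<port> | mirror:<port>"""
    name: str
    action: str
    priority: int = 100           # higher wins; 0 is reserved for the NORMAL table-miss rule
    in_port: Optional[int] = None
    proto: Optional[str] = None   # "tcp", "udp" or None for any IPv4
    nw_src: Optional[str] = None  # host or CIDR
    nw_dst: Optional[str] = None
    tp_dst: Optional[int] = None


def _checked_ip(value):
    """Reject malformed addresses before they reach the switch (ValueError on bad input)."""
    ipaddress.ip_network(value, strict=False)
    return value


def match_fields(p):
    """Render the ovs-ofctl match part; the 'tcp'/'udp' shorthand already implies IPv4."""
    if p.priority < 1:
        raise ValueError("priority 0 is reserved for the table-miss rule")
    if p.proto not in (None, "tcp", "udp"):
        raise ValueError(f"unsupported proto {p.proto!r}")
    if p.tp_dst is not None and p.proto is None:
        raise ValueError("tp_dst needs proto tcp or udp")
    fields = []
    if p.in_port is not None:
        fields.append(f"in_port={p.in_port}")
    fields.append(p.proto or "ip")
    if p.nw_src:
        fields.append(f"nw_src={_checked_ip(p.nw_src)}")
    if p.nw_dst:
        fields.append(f"nw_dst={_checked_ip(p.nw_dst)}")
    if p.tp_dst is not None:
        fields.append(f"tp_dst={p.tp_dst}")
    return ",".join(fields)


def actions(p):
    """Map the policy verb onto OpenFlow actions. NORMAL hands matched traffic back to the
    switch's regular L2/L3 pipeline, so only the exception itself is handled by OpenFlow."""
    kind, _, arg = p.action.partition(":")
    if kind == "drop":
        return "drop"
    if kind == "normal":
        return "NORMAL"
    if kind == "meter":
        return f"meter:{int(arg)},NORMAL"   # rate-limit, then forward normally
    if kind == "redirect":
        return f"output:{int(arg)}"         # e.g. onto a dedicated elephant path or LSP port
    if kind == "mirror":
        return f"output:{int(arg)},NORMAL"  # copy to the analytics port, keep forwarding
    raise ValueError(f"unknown action {p.action!r}")


def to_ovs_flow(p):
    return f"priority={p.priority},{match_fields(p)},actions={actions(p)}"


def meter_command(bridge, meter_id, kbps):
    """OpenFlow 1.3 meter with a single drop band, in ovs-ofctl syntax."""
    return f'ovs-ofctl -O OpenFlow13 add-meter {bridge} "meter={meter_id},kbps,band=type=drop,rate={kbps}"'


def compile_policies(policies, bridge="br0"):
    """Highest priority first, always ending with a priority-0 NORMAL rule so that anything
    not matched by an exception keeps its normal forwarding."""
    flows = [to_ovs_flow(p) for p in sorted(policies, key=lambda p: -p.priority)]
    flows.append("priority=0,actions=NORMAL")
    return [f'ovs-ofctl -O OpenFlow13 add-flow {bridge} "{f}"' for f in flows]


POLICIES = [  # constructed; host addresses reuse values from the ACL slide
    FlowPolicy("ddos-discard", "drop", priority=300, proto="udp", nw_dst="10.223.98.8", tp_dst=2152),
    FlowPolicy("flowtap-https", "mirror:5", priority=150, proto="tcp", nw_dst="10.119.65.7", tp_dst=443),
    FlowPolicy("rate-limit-lab", "meter:1", priority=200, nw_src="10.100.64.0/24"),
    FlowPolicy("elephant-path", "redirect:3", priority=120, proto="tcp", nw_dst="10.79.213.25", tp_dst=5001),
]

if __name__ == "__main__":
    print(meter_command("br0", 1, 10000))  # the meter must exist before a flow references it
    for cmd in compile_policies(POLICIES):
        print(cmd)
```

The meter has to be created before any flow refers to it, which is why the script prints the add-meter command first. Ordering by priority matters for the same reason the ACL slide is hard to maintain: a discard rule for an attack flow must sit above any broader permit or rate-limit rule that would otherwise match the same packets, and generating the rules from one policy list makes that ordering explicit instead of leaving it to the order in which someone typed lines into a router.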