MONSTER. Managing an Operator s Network with Software Defined Networking and Segment Routing. Ing. Luca Davoli

Similar documents
Implemen'ng IPv6 Segment Rou'ng in the Linux Kernel

Software-Defined Networking (SDN) Overview

IPtables and Netfilter

Netfilter. Fedora Core 5 setting up firewall for NIS and NFS labs. June 2006

Network Administra0on

Implementation of Virtual Network Function Chaining through Segment Routing in a Linux-based NFV Infrastructure

Worksheet 8. Linux as a router, packet filtering, traffic shaping

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

sottotitolo A.A. 2016/17 Federico Reghenzani, Alessandro Barenghi

Introduc)on to SDN and NFV. Tomás Lynch Solu/on Architect III Ericsson

IPv6 NAT. Open Source Days 9th-10th March 2013 Copenhagen, Denmark. Patrick McHardy

CSC 474/574 Information Systems Security

Netfilter & Packet Dropping

Linux IP Networking. Antonio Salueña

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

Lesson 9 OpenFlow. Objectives :

SRv6 Network Programming

Dual stack lite. draft-durand-softwire-dual-stack-lite-01. A. Durand, R. Droms, B. Haberman, J. Woodya<

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

Advanced Linux System Administra3on

A 10 years journey in Linux firewalling Pass the Salt, summer 2018 Lille, France Pablo Neira Ayuso

Linux. Sirindhorn International Institute of Technology Thammasat University. Linux. Firewalls with iptables. Concepts. Examples

OPTIMAL ROUTING VS. ROUTE REFLECTOR VNF - RECONCILE THE FIRE WITH WATER

Lecture 8. Network Layer (cont d) Network Layer 1-1

Network Security Fundamentals

OpenContrail as SDN controller for NFV infrastructure in AT&T network Alexey Gorbunov Network Architect CCIE 41088

Firewalling. Alessandro Barenghi. May 19, Dipartimento di Elettronica e Informazione Politecnico di Milano barenghi - at - elet.polimi.

Lecture 3. The Network Layer (cont d) Network Layer 1-1

Network security Exercise 9 How to build a wall of fire Linux Netfilter

Lecture 10.1 A real SDN implementation: the Google B4 case. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it

Next hop in rou-ng Summary of Future Internet WP1 work. Hannu Flinck

Donato Ba*aglino Lorenzo Bracciale

Network Address Translation

Link Layer. w/ much credit to Cisco CCNA and Rick Graziani (Cabrillo)

Packet Filtering and NAT

Network layer overview

Definition of firewall

Assignment 3 Firewalls

Laboratory 2 Dynamic routing using RIP. Iptables. Part1. Dynamic Routing

Basic elements of IP and its interac2on with Ethernet

Data Center Configuration. 1. Configuring VXLAN

VPN-against-Firewall Lab: Bypassing Firewalls using VPN

Routing Header Is back... Should We Panic?

Suricata IDPS and Nftables: The Mixed Mode

Network Administration

SIMPLE ROUTER PROJECT 2. - Balachander Padmanabha - TA CSE 123 (FALL 2017) - OH (Wed 9-11am B240A)

Load Balancing Bloxx Web Filter. Deployment Guide v Copyright Loadbalancer.org

Supporting Fine-Grained Network Functions through Intel DPDK

draft-xu-mpls-unified-source-routing-instruction

Introduction to Firewalls using IPTables

VALE: a switched ethernet for virtual machines

Network Layer Overview. Star8ng the Network Layer! Builds on the link layer. Routers send packets over mul8ple networks

Introduc3on to Computer Networks

Performance Considerations of Network Functions Virtualization using Containers

Evaluating the performance of Netfilter architecture in Private Realm Gateway

PRISTINE Project A different approach to SDN

ProAc&ve Rou&ng In Scalable Data Centers with PARIS

The Research and Application of Firewall based on Netfilter

Network and Filesystem Security

CSC 4900 Computer Networks: Network Layer

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Addressing and Routing

Ethernet/IP interac.on emulated with NETKIT. DHCP relay, proxy ARP, Port stealing and ARP poisoning adack.

CSE/EE 461: Introduction to Computer Communications Networks Autumn Module 9

Understanding Load Balance and Policy Route. andrew zheng! edcwifi co limited

These slides contain significant content contributions by

CS Computer and Network Security: Firewalls

Università Ca Foscari Venezia

IP/ICMP Translation Algorithm (IIT) Xing Li, Congxiao Bao, Fred Baker

Dropping Packets in Ubuntu Linux using tc and iptables

Toward an ebpf-based clone of iptables

Seamless Overlays for Application Use

Outline today. MPLS Overview. We saw tunneling on top of IP. What about tunneling below IP? Introducing Mul<- Protocol Label Switching (MPLS) 3/21/11

Initial motivation: 32-bit address space soon to be completely allocated. Additional motivation:

CS 378 (Spring 2003)

Chapter 4: network layer. Network service model. Two key network-layer functions. Network layer. Input port functions. Router architecture overview

Link layer: introduction

PMSR - Poor Man s Segment Routing, a minimalistic approach to Segment Routing and a Traffic Engineering use case

Network Mul,tenancy in Xen- based Clouds. Chiradeep Vi;al CloudStack Commi;er Citrix Sep

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Link Layer. w/ credit to Rick Graziani (Cabrillo) for some of the anima<ons

Software Defined Networking

Chapter 4 Network Layer: The Data Plane

Lecture 2: Basic routing, ARP, and basic IP

Intelligent Service Function Chaining. March 2015

RouteBricks: Exploi2ng Parallelism to Scale So9ware Routers

Firewalls, VPNs, and SSL Tunnels

Introduc8on to Computer Networks. Where we are in the Course. Network Layer Overview. Star8ng the Network Layer!

Certification. Securing Networks

Outline. A Professional Company in Software-Defined Networking (SDN) Copyright , EstiNet Technologies Inc. All Rights Reserved..

User Authentication in an Internet Protocol

Segment Rou+ng IETF 87

NetFPGA Hardware Architecture

Juniper Netscreen Security Device. How to Enable IPv6 Page-51

OPENSDNCORE RELEASE 4. Use cases

COMP211 Chapter 4 Network Layer: The Data Plane

Mul7cast protocols. IP Mul7cast and IGMP SRM (Scalable Reliable Mul7cast) PGM (Pragma7c General Mul7cast)

Internet Technology. 15. Things we didn t get to talk about. Paul Krzyzanowski. Rutgers University. Spring Paul Krzyzanowski

Communication System Design Projects

NAT and Tunnels. Alessandro Barenghi. May 25, Dipartimento di Elettronica e Informazione Politecnico di Milano barenghi - at - elet.polimi.

Transcription:

MONSTER Managing an Operator s Network with Software Defined Networking and Segment Routing Ing. Luca Davoli davoli@ce.unipr.it Tutor: Prof. Ing. Luca Veltri UNIVERSITÀ DEGLI STUDI DI PARMA

Overview Segment Rou<ng Traffic Engineering with SDN & SR IPv6 SR: Alterna<ves and Solu<ons Network Emulator (NEMO) Service Func<on Chaining & Network Func<on Virtualiza<on SR/Virtual Func<on Chaining SR and Network Func<ons SR- aware architecture SR- unaware architecture Luca Davoli Borsisti Day 2016 2

Segment Routing Segment Rou<ng (SR): based on source rou<ng Enhanced packet forwarding without any topological restric<ons and addi<onal signaling requirements Segments based on MPLS or IPv6 Luca Davoli Borsisti Day 2016 3

Traffic Engineering with SDN ISP network managed by a (logically) centralized SDN controller Provider Edge (PE) routers and Core Routers (CR) are hybrid IP/MPLS/ SDN nodes MPLS is used for TE TE paths enforced by using Segment Rou<ng (SR) no change to the MPLS forwarding plane is required no MPLS control plane has to be used Luca Davoli Borsisti Day 2016 4

Traffic Engineering with Segment Routing Enhancement of a SDN controller with TE/SR modules The SDN controller is requested to allocate a set of traffic flows with a specified bit rate The flow assignment algorithm is first executed in order to compute TE paths Minimiza<on of the overall network crossing <me For each TE path, the corresponding SR path is calculated SR path is the list of SIDs that should be added to incoming packets for instruc<ng them through the assigned TE path Simple SR assignment algorithm that minimizes the number of required SIDs Studied different SR algorithms Luca Davoli Borsisti Day 2016 5

Implementation and tests Proposed network architecture has been implemented and tested Experimental analysis with two main goals: tes<ng the SR assignment algorithm 153 nodes, 354 links, 940 out of 2460 flows tes<ng the overall implementa<on of the solu<on both control and data planes Luca Davoli Borsisti Day 2016 6

IPv6 SR IPv6 SR support requires the changing of IPv6 packet processing IPv6 Segment Rou<ng Header (SRH) haps://tools.ieb.org/html/drac- ieb- 6man- segment- rou<ng- header Luca Davoli Borsisti Day 2016 7

IPv6 SR src: 2001:7a:78d::1 src: 2001:7a:78d::1 src: 2001:7a:78d::1 src: 2001:7a:78d::1 src: 2001:7a:78d::1 dst: 2001:7a:78d::11 dst: 2001:7a:78d::21 dst: 2001:7a:78d::31 dst: 2001:7a:78d::41 dst: 2001:7a:78d::51 nh len 4 4 nh len 4 3 nh len 4 2 nh len 4 1 nh len 4 0 reserved reserved reserved reserved reserved Routing Header addr[0]: 2001:7a:78d::51 addr[1]: 2001:7a:78d::41 addr[0]: 2001:7a:78d::51 addr[1]: 2001:7a:78d::41 addr[0]: 2001:7a:78d::51 addr[1]: 2001:7a:78d::41 addr[0]: 2001:7a:78d::51 addr[1]: 2001:7a:78d::41 addr[0]: 2001:7a:78d::51 addr[1]: 2001:7a:78d::41 addr[2]: 2001:7a:78d::31 addr[2]: 2001:7a:78d::31 addr[2]: 2001:7a:78d::31 addr[2]: 2001:7a:78d::31 addr[2]: 2001:7a:78d::31 addr[3]: 2001:7a:78d::21 addr[3]: 2001:7a:78d::21 addr[3]: 2001:7a:78d::21 addr[3]: 2001:7a:78d::21 addr[3]: 2001:7a:78d::21 addr[4]: 2001:7a:78d::11 addr[4]: 2001:7a:78d::11 addr[4]: 2001:7a:78d::11 addr[4]: 2001:7a:78d::11 addr[4]: 2001:7a:78d::11 2001:7a:78d::1 2001:7a:78d::11 2001:7a:78d::21 2001:7a:78d::31 2001:7a:78d::41 2001:7a:78d::51 packet source specified router non-specified router packet final destination Luca Davoli Borsisti Day 2016 8

IPv6 SR Alterna<ves for suppor<ng IPv6 SR on Linux Modifica<on of the Linux kernel Kernel- level dev Highest performance Nebilter hooks + kernel modules Kernel module dev Iptables NFQUEUE + userspace dev User level dev Compa<ble with JNI- based userspace dev Neither Kernel modifica<on nor kernel module required Rawsocket User level dev Luca Davoli Borsisti Day 2016 9

IPv6 SR on Linux: kernel patch Kernel modifica<on Available patch from UCLovail, Belgium Different experimental tests Different kernels tested Limita<ons Require a patched Linux kernel Lower flexibility Difficulty to combine SRH processing with possible network func<ons Issues with large- scale network emula<on Problems with Mininet Luca Davoli Borsisti Day 2016 10

IPv6 SR on Linux: netfilter Nebilter Framework in Linux kernel for packet mangling Series of hooks in various points of the kernel network stack The hooks can be exploited to define custom func<ons for manipula<ng IP packets Local Process tables mangle filter INPUT OUTPUT tables mangle nat filter PREROUTING routing decision FORWARD POSTROUTING Outgoing tables mangle nat tables mangle filter tables mangle nat Luca Davoli Borsisti Day 2016 11

IPv6 SR on Linux: Userspace SR implementa<on Packets are captured in prerou<ng, enqueued (NFQUEUE), processed at userspace, returned with SRH updated C, JNI, Java development C JNI library for receiving packets form the nebilter queue providing a Java interface to nebilter queues Java- based SR processing Note: no kernel modifica<on required ip6tables -t mangle -A PREROUTING -p ipv6 -j NFQUEUE --queue-num 0 Luca Davoli Borsisti Day 2016 12

IPv6 SR on Linux: Testbed IPH SR encapsula<on JNI library SR processing JNI library SR processing (& removal) JNI library IPH Output Prerou<ng Prerou<ng Linux VM1 fc00:1::21 SRH IPH Linux VM2 fc00:1::22 SRH IPH Linux VM3 fc00:1::23 IPH: SA=fc00:1::21 DA=fc00:1::23 DA SRH: SID1=fc00:1::22 SID2=fc00:1::23 SID3=fc00:1::23 DA SRH: SID1=fc00:1::22 SID2=fc00:1::23 SID3=fc00:1::23 Luca Davoli Borsisti Day 2016 13

SR and Network Implementation Java Network Stack Netfilter-based SR Impl UdpLayer Routing Segment Routing Ip4Layer Ip6Layer IPv6SR Function Other network functions IcmpLayer ARP IpNode Icmp6Layer Ethernet PacketHandler NetfilterQueue JNI libqfilter.so Linux Netfilter Ip4Socket Ip6Socket RawIpSocket Socket JNI libqfilter.so Linux Raw Sockets RawLinkSocket Luca Davoli Borsisti Day 2016 14

Network Emulator (NEMO) Java- based framework able to emulate an IP- based network (based on the Java Network Stack) large amount of virtual routers Possibility to interconnect a real network card with mul<ple NICs route traffic coming from/going to an external IP- based network Complete IP stack Ethernet / ARP / IPv4 / IPv6 / ICMP / ICMPv6 / UDP Rou<ng Func<on Shortest Path for dynamic RT configura<on Unix- based plaborms: possibility to intercept incoming packets with Rawsocket mechanism (at Ethernet layer) Integra<on successfully tested and verified Possibility to deploy virtual networks whose rou<ng is handled via SRH Luca Davoli Borsisti Day 2016 15

Service Function Chaining & Network Function Virtualization SR as enabler technology for SFC Set of network services interconnected through the network to support an applica<on SFs or NFs can be physically deployed or virtualized (NFV) NFV moves network func<ons out of dedicated HW and into SW Network func<ons typically execute as VMs under control of an hypervisor Luca Davoli Borsisti Day 2016 16

SR/VNF Chaining Architecture Luca Davoli Borsisti Day 2016 17

SR and Network Functions SR- aware Network Func<ons SR packets are passed to the NF NF may enforce other NFs modifying the segment list in the SRH inserted between this node and the next segment inserted in any posi<on along the SR path the NF is aware of the NFs corresponding to the segment IDs already present in the segment list adds, removes, changes the order of the next segments SR- unaware Network Func<ons packets are first processed before the NF original packet is extracted (without the SRH) the SR list is in some way stored in order to be re- aaached to the packet when returned by the NF Stateful/Stateless Luca Davoli Borsisti Day 2016 18

SR/VNF Chaining Implementation Based on the userspace SR development Packets are captured in prerou<ng and passed to a set of NFs Note: SR can be seen as special case of NF Both SR- aware and SR- unaware NFs are supported In case of SR- unaware NFs, SRH removed and inserted in IPv6 Des<na<on Op<ons Extension Header Stateless mechanism SRH reinserted in postrou<ng Example of SR- unaware NF: nebilter firewall Luca Davoli Borsisti Day 2016 19

SR/VNF Chaining Testbed SRF Chain NF1 SRH remove SR encapsula<on JNI library JNI library NFn SRF JNI SRH add JNI IPH Postrou<ng Prerou<ng Prerou<ng NF Postrou<ng IPH SRH IPH SRH IPH Linux Linux Linux Luca Davoli Borsisti Day 2016 20

MONSTER Managing an Operator s Network with Software Defined Networking and Segment Routing Thanks for your a3en5on!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback