OpenFlow for Campuses: A Tutorial at GEC


A tutorial conducted by Srini Seetharaman from DT R&D Lab USA and Masa Kobayashi from NEC Labs Stanford, to introduce OpenFlow technology for campus networks at the GEC event.


Presentation Transcript


1. OpenFlow for Campuses
  A Tutorial at GEC10
  March 15, 2011
  Srini Seetharaman, DT R&D Lab, USA
  Masa Kobayashi, NEC Labs/Stanford

2. Introductions

3. Agenda
  Time         Description
  13:00-14:00  Introduction: How OpenFlow works, Potential, Limitations, Current vendors, SDN/OPEN
  14:00-14:30  Show tools, demo mininet and NOX intro for researcher
  14:30-15:00  Configuring NEC, HP and Pronto switches
               Break
  15:30-16:15  Controller demonstrations (SNAC, BigSwitch's controller and NEC's PFC)
  16:15-16:45  Slice using FlowVisor, Expedient, and opt-in manager
  16:45-17:00  Q&A, Discussions, Community building, Conclusions

4. Goals of this Tutorial
  By the end, everyone should know:
  - what OpenFlow is
  - how it's used and how you can use it
  - where it's going
  - how OpenFlow fits in the Software-Defined Networking (SDN) spectrum
  - how to slice your network
  Present a useful mix of lecture-based content and actual operational info
  Have fun

5. Why OpenFlow?

6. The Ossified Network
  [Diagram: Feature / Operating System / Specialized Packet Forwarding Hardware]
  - Features: routing, management, mobility management, access control, VPNs
  - Millions of lines of source code; 5400 RFCs; barrier to entry
  - Billions of gates; bloated; power hungry
  - Many complex functions baked into the infrastructure: OSPF, BGP, multicast, differentiated services, Traffic Engineering, NAT, firewalls, MPLS, redundant layers
  - An industry with a "mainframe-mentality", reluctant to change

7. Research Stagnation
  - Lots of deployed innovation in other areas
      OS: filesystems, schedulers, virtualization
      DS: DHTs, CDNs, MapReduce
      Compilers: JITs, vectorization
  - Networks are largely the same as years ago
      Ethernet, IP, WiFi
  - Rate of change of the network seems slower in comparison
      Need better tools and abstractions to demonstrate and deploy

8. Closed Systems (Vendor Hardware)
  - Stuck with interfaces (CLI, SNMP, etc)
  - Hard to meaningfully collaborate
  - Vendors starting to open up, but not usefully
  - Need a fully open system: a Linux equivalent

9. Open Systems
                      Performance Fidelity  Scale   Real User Traffic?  Complexity  Open
  Simulation          medium                medium  no                  medium      yes
  Emulation           medium                low     no                  medium      yes
  Software Switches   poor                  low     yes                 medium      yes
  NetFPGA             high                  low     yes                 high        yes
  Network Processors  high                  medium  yes                 high        yes
  Vendor Switches     high                  high    yes                 low         no
  Gap in the tool space: none have all the desired attributes!

10. Ethane, a precursor to OpenFlow
  Centralized, reactive, per-flow control
  [Diagram: Controller, four Flow Switches, Host A, Host B]
  See Ethane SIGCOMM 2007 paper for details

11. OpenFlow: a pragmatic compromise
  + Speed, scale, fidelity of vendor hardware
  + Flexibility and control of software and simulation
  Vendors don't need to expose implementation
  Leverages hardware inside most switches today (ACL tables)

12. How does OpenFlow work?

13. [Diagram: Ethernet Switch]

14. [Diagram: Control Path (Software) above Data Path (Hardware)]

15. [Diagram: OpenFlow Controller, OpenFlow Protocol (SSL/TCP), OpenFlow, Control Path, Data Path (Hardware)]

16. OpenFlow Example
  [Diagram: Controller PC; switch with Software Layer (OpenFlow Client) and Hardware Layer (Flow Table); ports 1 to 4; hosts 1.2.3.4 and 5.6.7.8]
  Flow Table columns: MAC src, MAC dst, IP Src, IP Dst, TCP sport, TCP dport, Action
  Flow Table entry as transcribed: * * 5.6.7.8 * * * port 1

17. OpenFlow Basics: Flow Table Entries
  Rule | Action | Stats
  Rule (+ mask what fields to match):
    Switch Port, MAC src, MAC dst, Eth type, VLAN ID, VLAN pcp, IP Src, IP Dst, IP ToS, IP Prot, L4 sport, L4 dport
  Action:
    1. Forward packet to zero or more ports
    2. Encapsulate and forward to controller
    3. Send to normal processing pipeline
    4. Modify Fields
    5. Any extensions you add!
  Stats:
    Packet + byte counters

18. Examples
  Example         Switch Port  MAC src  MAC dst   Eth type  VLAN ID  IP Src   IP Dst   IP Prot  TCP sport  TCP dport  Action
  Switching       *            *        00:1f:..  *         *        *        *        *        *          *          port6
  Flow Switching  port3        00:20..  00:1f..   0800      vlan1    1.2.3.4  5.6.7.8  4        17264      80         port6
  Firewall        *            *        *         *         *        *        *        *        *          22         drop

19. Examples
  Example         Switch Port  MAC src  MAC dst  Eth type  VLAN ID  IP Src  IP Dst   IP Prot  TCP sport  TCP dport  Action
  Routing         *            *        *        *         *        *       5.6.7.8  *        *          *          port6
  VLAN Switching  *            *        00:1f..  *         vlan1    *       *        *        *          *          port6, port7, port9
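
The Routing and Firewall rows above can both match the same packet, so which action wins depends on entry priority. The sketch below is an added example, not code from the tutorial: it models the Rule/Action/Stats lookup of slide 17 and audits a table for drop entries that an overlapping forwarding entry can override. The priority values, field names (OpenFlow 1.0 style `nw_dst`, `tp_dst`) and the sample packet are constructed.

```python
class FlowEntry:
    """One flow table entry: Rule (match), Action, Stats (counters)."""

    def __init__(self, name, match, action, priority=0):
        self.name = name
        self.match = match        # field -> value; a field left out is a wildcard (*)
        self.action = action      # "drop" or an output port such as "port6"
        self.priority = priority  # assumption: the slides show no priorities
        self.packets = 0          # Stats: packet counter
        self.octets = 0           # Stats: byte counter

    def hits(self, pkt):
        return all(pkt.get(f) == v for f, v in self.match.items())


def lookup(table, pkt, size):
    """Return the action of the highest-priority matching entry, updating its counters."""
    hit = [e for e in table if e.hits(pkt)]
    if not hit:
        return "controller"       # table miss: encapsulate and forward to controller
    best = max(hit, key=lambda e: e.priority)
    best.packets += 1
    best.octets += size
    return best.action


def overlaps(a, b):
    """Two wildcard matches overlap when they agree on every field both specify."""
    return all(a[f] == b[f] for f in a.keys() & b.keys())


def shadowed_drops(table):
    """Audit: (drop entry, forwarding entry) pairs where the forwarding entry
    overlaps the drop entry at equal or higher priority and can override it."""
    return [(d.name, e.name)
            for d in table if d.action == "drop"
            for e in table if e.action != "drop"
            and e.priority >= d.priority and overlaps(d.match, e.match)]


def slide_table(fw_priority):
    # Routing and Firewall rows from slides 18-19; the priorities are constructed.
    return [
        FlowEntry("routing", {"nw_dst": "5.6.7.8"}, "port6", priority=100),
        FlowEntry("firewall", {"tp_dst": 22}, "drop", priority=fw_priority),
    ]


# Constructed packet: destination port 22 to the routed address, so both rows match.
SSH = {"nw_src": "1.2.3.4", "nw_dst": "5.6.7.8", "nw_proto": 6, "tp_dst": 22}

if __name__ == "__main__":
    for prio in (50, 200):
        t = slide_table(prio)
        print(prio, lookup(t, SSH, 64), shadowed_drops(t))
```

With the firewall entry below the routing entry the packet is forwarded and the audit reports the pair; raising the firewall priority above every overlapping forwarding entry clears the report.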

20. Centralized vs Distributed Control
  Both models are possible with OpenFlow
  Centralized Control: [Diagram: one Controller, three OpenFlow Switches]
  Distributed Control: [Diagram: three Controllers, three OpenFlow Switches]

21. Flow Routing vs. Aggregation
  Both models are possible with OpenFlow
  Flow-Based
  - Every flow is individually set up by controller
  - Exact-match flow entries
  - Flow table contains one entry per flow
  - Good for fine grain control, e.g. campus networks
  Aggregated
  - One flow entry covers large groups of flows
  - Wildcard flow entries
  - Flow table contains one entry per category of flows
  - Good for large number of flows, e.g. backbone

22. Reactive vs. Proactive (pre-populated)
  Both models are possible with OpenFlow
  Reactive
  - First packet of flow triggers controller to insert flow entries
  - Efficient use of flow table
  - Every flow incurs small additional flow setup time
  - If control connection lost, switch has limited utility
  Proactive
  - Controller pre-populates flow table in switch
  - Zero additional flow setup time
  - Loss of control connection does not disrupt traffic
  - Essentially requires aggregated (wildcard) rules

23. Usage examples
  Alice's code:
  - Simple learning switch
  - Per Flow switching
  - Network access control/firewall
  - Static VLANs
  - Her own new routing protocol: unicast, multicast, multipath
  - Home network manager
  - Packet processor (in controller)
  - IPvAlice
  - VM migration
  - Server Load balancing
  - Mobility manager
  - Power management
  - Network monitoring and visualization
  - Network debugging
  - Network slicing
  and much more you can create!

24. Quiz Time
  - How do I provide control connectivity? Is it really clean slate?
  - Why aren't users complaining about time to setup flows over OpenFlow? (Hint: What is the predominant traffic today?)
  - Considering switch CPU is the major limit, how can one take down an OpenFlow network?
  - How to perform topology discovery over OpenFlow-enabled switches?
  - What happens when you have a non-OpenFlow switch in between?
  - What if there are two islands connected to same controller?
  - How scalable is OpenFlow? How does one scale deployments?

25. What can you not do with OpenFlow ver1.0
  - Non-flow-based (per-packet) networking
      ex. Per-packet next-hop selection (in wireless mesh)
      yes, this is a fundamental limitation
      BUT OpenFlow can provide the plumbing to connect these systems
  - Use all tables on switch chips
      yes, a major limitation (cross-product issue)
      BUT an upcoming OF version will expose these

26. What can you not do with OpenFlow ver1.0
  - New forwarding primitives
      BUT provides a nice way to integrate them through extensions
  - New packet formats/field definitions
      BUT a generalized OpenFlow (2.0) is on the horizon
  - Optical Circuits
      BUT efforts underway to apply OpenFlow model to circuits
  - Low-setup-time individual flows
      BUT can push down flows proactively to avoid delays

27. Where it's going
  OF v1.1: Extensions for WAN, spring 2011
  - multiple tables: leverage additional tables
  - tags and tunnels
  - multipath forwarding
  OF v2+
  - generalized matching and actions: an instruction set for networking

28. OpenFlow Implementations (Switch and Controller)

29. OpenFlow building blocks
  [Diagram labels, duplicates removed; some blocks are marked "Stanford Provided"]
  Applications: LAVI, ENVI (GUI), Expedient, n-Casting
  Controller: NOX, SNAC, Beacon, Helios, Maestro
  Slicing Software: FlowVisor, FlowVisor Console
  Monitoring/debugging tools: oflops, oftrace, openseer
  OpenFlow Switches: NetFPGA, Software Ref. Switch, Broadcom Ref. Switch, OpenWRT, PCEngine WiFi AP, OpenVSwitch
  Commercial Switches: HP, NEC, Pronto, Juniper.. and many more

30. Current SDN hardware
  Ciena Coredirector, NEC IP8800, UNIVERGE PF5240, Juniper MX-series, HP Procurve 5400, Pronto 3240/3290, WiMax (NEC), PC Engines, Netgear 7324
  More coming soon...

31. Commercial Switch Vendors
  HP Procurve 5400zl or 6600
    Virtualize: 1 OF instance per VLAN
    Notes:
    - LACP, VLAN and STP processing before OpenFlow
    - Wildcard rules or non-IP pkts processed in s/w
    - Header rewriting in s/w
    - CPU protects mgmt during loop
  NEC IP8800 Series and UNIVERGE PF5240
    Virtualize: 1 OF instance per VLAN
    Notes:
    - OpenFlow takes precedence
    - Most actions processed in hardware
    - MAC header rewriting in h/w
    - More than 100K flows (PF5240)
  Pronto 3240 or 3290 with Pica8 or Indigo firmware
    Virtualize: 1 OF instance per switch
    Notes:
    - No legacy protocols (like VLAN and STP)
    - Most actions processed in hardware
    - MAC header rewriting in h/w

32. Controller Vendors
  Vendor                    Notes
  Nicira's NOX              Open-source GPL; C++ and Python; Researcher friendly
  Nicira's ONIX             Closed-source; Datacenter networks
  SNAC                      Open-source GPL; Code based on NOX0.4; Enterprise network; C++, Python and Javascript; Currently used by campuses
  Stanford's Beacon         Open-source; Researcher friendly; Java-based
  BigSwitch controller      Closed source; Based on Beacon; Enterprise network
  Maestro (from Rice Univ)  Open-source; Based on Java
  NEC's Helios              Open-source; Written in C and Ruby
  NEC UNIVERGE PFC          Closed source; Based on Helios

33. Growing Community
  [Logo panels: Vendors and start-ups (More...); Providers and business-unit (More...)]
  Note: Level of interest varies

34. Software-Defined Networking (SDN)

35. Current Internet: Closed to Innovations in the Infrastructure
  [Diagram: five closed boxes, each with Apps on an Operating System on Specialized Packet Forwarding Hardware]

36. "Software Defined Networking" approach to open it
  [Diagram: the same five boxes of Apps / Operating System / Specialized Packet Forwarding Hardware, with Apps on a Network Operating System added above them]

37. The "Software-defined Network"
  [Diagram: Apps on a Network Operating System controlling five Simple Packet Forwarding Hardware boxes]
  1. Open interface to hardware
  2. At least one good operating system: Extensible, possibly open-source
  3. Well-defined open API

38. Mininet Setup
  OpenFlow Tutorial 3hosts-1switch topology
  [Diagram labels: Controller c0, port 6633; OpenFlow Switch s1; dpctl (user space process); loopback (127.0.0.1:6633); loopback (127.0.0.1:6634); virtual hosts h2 10.0.0.2, h3 10.0.0.3, h4 10.0.0.4; interfaces s1-eth0, s1-eth1, s1-eth2, h1-eth0, h3-eth0, h4-eth0]

39. Switch Configuration Setup
  http://www.openflow.org/wk/index.php/OpenFlowTutorialGEC10
  [Diagram labels: Of-demo-5 [eth1] 192.168.40.10 00:1b:21:5d:4c:3d; Of-demo-6 [eth1] 192.168.40.11 00:1b:21:5d:4e:c5; Pronto 3290 172.27.75.33; hpsw2; necsw5; switch ports A13, A14, A15, 13, 14, 15; Controller GUI; Backup; Disabled]

40. Virtualizing OpenFlow

41. Trend
  [Diagram, Computer Industry: Apps on Windows (OS), Linux and Mac OS, over a Virtualization layer, over x86 (Computer)]
  [Diagram, Network Industry: Apps on Controller 1 and Controller 2 (NOX (Network OS), Network OS), over Virtualization or Slicing, over OpenFlow]

42. [Diagram: Apps on Network Operating Systems 1 to 4 (many operating systems, or many versions), over a Virtualization or Slicing Layer (isolated slices), over an open interface to hardware, over Simple Packet Forwarding Hardware]

43. Switch Based Virtualization
  Exists for NEC, HP switches but not flexible enough
  [Diagram labels: Production VLANs, Normal L2/L3 Processing; Research VLAN 1, Flow Table, Controller; Research VLAN 2, Flow Table, Controller]

44. FlowVisor-based Virtualization
  [Diagram labels: Craig's Controller, Heidi's Controller, Aaron's Controller; OpenFlow Protocol; FlowVisor & Policy Control; OpenFlow Protocol; three OpenFlow Switches]
  Topology discovery is per slice

45. FlowVisor-based Virtualization
  Separation not only by VLANs, but any L1-L4 pattern
  [Diagram labels: Broadcast, Multicast, http Load-balancer; OpenFlow Protocol; FlowVisor & Policy Control; OpenFlow Protocol; three OpenFlow Switches]
  Patterns shown: dl_dst=FFFFFFFFFFFF; tp_src=80, or tp_dst=80

46. FlowSpace: Maps Packets to Slices

47. FlowVisor Message Handling
  [Diagram labels: Alice Controller, Bob Controller, Cathy Controller; OpenFlow; FlowVisor; OpenFlow; OpenFlow Firmware; Data Path]
  - Rule: Policy Check: Is this rule allowed?
  - Packet Exception: Policy Check: Who controls this packet?
  - Packet: Full Line Rate Forwarding

48. Use Case: New CDN - Turbo Coral ++
  Basic Idea: Build a CDN where you control the entire network
  - All traffic to or from Coral IP space controlled by Experimenter
  - All other traffic controlled by default routing
  - Topology is entire network
  - End hosts are automatically added (no opt-in)
  Switch Port  MAC src  MAC dst  Eth type  VLAN ID  IP Src   IP Dst   IP Prot  TCP sport  TCP dport
  *            *        *        *         *        84.65.*  *        *        *          *
  *            *        *        *         *        *        84.65.*  *        *          *
  *            *        *        *         *        *        *        *        *          *

49. Use Case: Aaron's IP
  - A new layer 3 protocol
  - Replaces IP
  - Defined by a new Ether Type
  Switch Port  MAC src  MAC dst  Eth type  VLAN ID  IP Src  IP Dst  IP Prot  TCP sport  TCP dport
  *            *        *        AaIP      *        *       *       *        *          *
  *            *        *        !AaIP     *        *       *       *        *          *
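
The FlowSpace tables on slides 48 and 49 drive the two policy checks named on slide 47. The sketch below is an added example, not FlowVisor's own code: it assigns each packet to a slice and narrows a controller's rule to that slice's FlowSpace. The slice names, first-match ordering, field names and sample values are assumptions.

```python
import ipaddress

# FlowSpace rows from slides 48-49, highest priority first. A missing field is a
# wildcard (*). Slice names and first-match ordering are assumptions.
FLOWSPACE = [
    ("coral",   {"ip_src": "84.65.0.0/16"}),   # 84.65.* as IP Src
    ("coral",   {"ip_dst": "84.65.0.0/16"}),   # 84.65.* as IP Dst
    ("aaip",    {"eth_type": "AaIP"}),         # Aaron's new Ether Type
    ("default", {}),                           # all other traffic
]
IP_FIELDS = {"ip_src", "ip_dst"}


def meet(field, a, b):
    """Intersect two non-wildcard values of one field; None if they are disjoint."""
    if field in IP_FIELDS:
        na = ipaddress.ip_network(a)
        nb = ipaddress.ip_network(b)
        if na.subnet_of(nb):
            return str(na)
        return str(nb) if nb.subnet_of(na) else None
    return a if a == b else None


def owner(pkt):
    """Policy check: who controls this packet? The first covering row wins."""
    for name, space in FLOWSPACE:
        if all(f in pkt and meet(f, v, pkt[f]) is not None
               for f, v in space.items()):
            return name
    return None


def intersect(m1, m2):
    """Intersection of two wildcard matches, or None when it is empty."""
    out = dict(m1)
    for f, v in m2.items():
        out[f] = meet(f, out[f], v) if f in out else v
        if out[f] is None:
            return None
    return out


def rewrite_rule(slice_name, match):
    """Policy check: is this rule allowed? Narrow it to the slice's own rows.

    An empty result means the rule lies entirely outside the slice and is
    rejected. Overlap with higher-priority rows of other slices is not modelled.
    """
    rows = (s for n, s in FLOWSPACE if n == slice_name)
    return [r for r in (intersect(match, s) for s in rows) if r is not None]


if __name__ == "__main__":
    # Constructed inputs: a web packet from Coral space, then a port-80 rule.
    print(owner({"eth_type": 0x0800, "ip_src": "84.65.3.9", "ip_dst": "10.0.0.7"}))
    print(rewrite_rule("coral", {"tp_dst": 80}))
```

A rule the Coral controller sends for "all port 80 traffic" comes back as two narrower rules, one per FlowSpace row, so it cannot capture traffic belonging to another slice.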

50. OpenFlow/GENI Deployments

51. OpenFlow Deployment at Stanford
  Switches (23), APs (50), WiMax (1)

52. Live Stanford Deployment Statistics
  http://yuba.stanford.edu/ofhallway/wide-ofv1.html

53. How did we get there? Staged Deployment of OpenFlow
  1. Add experimental VLAN
  2. Enable OpenFlow for Exptl VLAN
  3. Configure Controller for new network
  4. Add new Production subnetwork
  5. Gradually add/move users to new subnet
  6. Enable OpenFlow for new subnet
  7. Slice the network
  Verify correctness and performance
  Verify reachability

54. GENI OpenFlow deployment (2010)
  10 institutions and 2 National Research Backbones
  [Map label: Kansas State]

55. GENI Network Evolution
  [Map label: National Lambda Rail]

56. GENI Integration
  - FlowVisor: Slicing control
  - Expedient: Experimenter's portal for slice management
  - Opt-in Manager: Network admin's portal to approve/deny expt requests for traffic
  [Diagram labels: Substrate 1, Substrate 2; OpenFlow; FlowVisor1, FlowVisor2; FlowVisor API; Opt-in Mgr1, Opt-in Mgr2; Expedient1, Expedient2, Expedient3; API X; GENI API]

57. Mistakes we made
  - OpenFlow over Q-in-Q
      OpenFlow routing is unaware and sends traffic with same MAC address in both directions, causing perpetual learning and CPU inflation
  - Moving uplinks for 1 switch, while being pointed to the same controller (causing two islands)
      Causes controller learning to oscillate between the 2 uplinks
  - Bad interaction with legacy protocols
      LLDP and STP are treated differently with different switches
      Loop in OpenFlow network being exposed to non-OF side
  - Miscommunication between the aggregate operator and the experimenter during testing phase
  - Loop across backbones
      Same campus connected over NLR and Internet2

58. Next steps for GENI
  - Remove duct-tape
      Fix any issues that we learned about during demos
  - Be better prepared
      Higher stability and better isolation
      Test bandwidth slicing
  - Grow topology
      Add more switches and hosts
  - Wean off
      Each campus takes charge of control framework

59. Tutorial Setup so far
  OpenFlow Tutorial 3hosts-1switch topology
  [Diagram labels: Controller c0, port 6633; OpenFlow Switch s1; dpctl (user space process); loopback (127.0.0.1:6633); loopback (127.0.0.1:6634); virtual hosts h2 10.0.0.2, h3 10.0.0.3, h4 10.0.0.4; interfaces s1-eth0, s1-eth1, s1-eth2, h1-eth0, h3-eth0, h4-eth0]

60. Virtualized Network Setup
  OpenFlow Tutorial 3hosts-1switch topology
  [Diagram labels: Controller c0, port 7000; FlowVisor, port 6633; OpenFlow Switch s1; dpctl (user space process); loopback (127.0.0.1:7000); loopback (127.0.0.1:6634); virtual hosts h2 10.0.0.2, h3 10.0.0.3, h4 10.0.0.4; interfaces s1-eth0, s1-eth1, s1-eth2, h1-eth0, h3-eth0, h4-eth0]

61. FlowVisor Usage
  man ./doc/flowvisor.8
  /script/fvctl.sh
  - listDevices: list of all OpenFlow switches' datapath IDs
  - getLinks: list of all links (port # and datapath ID of both end switches)
  - createSlice: creating slice (specifying controller's URL and slice name)
  - listSlices
  - addFlowSpace: add flow space to slices
  - listFlowSpace: show current flow space

62. Concluding Remarks

63. Highlights of Deployments
  Stanford deployment
  - McKeown group for 1.5 years: production and experiments
  - To scale later this year to entire building (~500 users)
  Nation-wide trials and deployments
  - 7 other universities and BBN deploying now
  - GEC9 in Nov, 2010 showcased nation-wide OF
  - Internet 2 and NLR starting to serve as the GENI Backbone
  Global trials
  - Over 60 organizations experimenting
  2011 likely to be a big year for OpenFlow

64. Current Trials
  68 trials/deployments spanning 13 countries

65. Get involved!
  - Ask and answer questions on mailing lists: openflow-discuss, openflow-spec
  - Share and update wiki content
  - Submit bug-reports and/or patches to OF reference implementation
  - Release open-source applications
  - Write a controller!

66. Are you innovating in your network?

67. SDN Team at Stanford