OpenFlow In Depth
This document is a result of work by the Network Startup Resource Center (NSRC at http://www.nsrc.org) and Indiana Center for Network Translational Research and Education (InCNTRE). This document may be freely copied, modified, and otherwise re-used on the condition that any re-use acknowledge the NSRC and InCNTRE as the original sources.
Current State of OF Standards
• OpenFlow 1.3
– Supported & Maintained
– Now up to 1.3.5
• OpenFlow 1.5.1 Latest Spec Release
• OF-Config 1.2 Available
• Conformance Testing
– 1.0.1 Full, L2, L3 Profiles
– 1.3.4 Basic Single Table Profile
– https://www.opennetworking.org/openflow-conformance-certified-products
More Flow Tables
1.0
● Single Flow Table
1.3
● Allows for multiple Flow Tables
o Jump to other tables, but only in a positive direction
● Includes a group table with multiple group table types
● Includes meter table for Rate Limiting and QoS
Flow Table Types
1.0
● Flow Table: Match Fields, Priority, Counters, Actions, Timeouts, Cookies
1.3
● Flow Table: Match Fields, Priority, Counters, Instructions, Timeouts, Cookies
● Group Tables: Group ID, Type, Counters, Action Buckets
● Meter Tables: Meter Identifier, Meter Bands, Counters
Packet Processing
1.0 - If packet matches flow table entry, perform Action.
1.3 - If packet matches flow table entry, look at Instructions…
● Instructions may execute immediate action(s), or
● Instructions may set actions in the action set
● Instructions may write to metadata field
● Instructions may change pipeline processing:
o Goto table X
o Goto group table Y
o Apply meter Z
New Data Structure in Pipeline: metadata, packet, Action Set
Instructions
Instruction                   Description                                         Required / Optional
OFPIT_GOTO_TABLE              Jump to table n                                     Required
OFPIT_WRITE_METADATA          Write to Metadata field for use later in pipeline   Optional
OFPIT_WRITE_ACTIONS           Add Action(s) to the Action Set for later use       Required
OFPIT_APPLY_ACTIONS           Applies Actions immediately                         Optional
OFPIT_CLEAR_ACTIONS           Clears all Actions from Action Set                  Optional
OFPIT_METER                   Apply meter (rate limiter)                          Optional
OFPIT_EXPERIMENTER (0xFFFF)   Experimenter Instructions                           Optional
Required Match Fields (proposed)
Match Field       Description                                Pre-requisite
OXM_OF_IN_PORT    Ingress port                               None
OXM_OF_ETH_DST    Ethernet destination address               None
OXM_OF_ETH_SRC    Ethernet source address                    None
OXM_OF_ETH_TYPE   Ethernet type of OpenFlow packet payload   None
OXM_OF_IP_PROTO   IPv4 or IPv6 protocol number               ETH_TYPE = 0x800 or ETH_TYPE = 0x86dd
OXM_OF_IPV4_SRC   IPv4 source address                        ETH_TYPE = 0x800
OXM_OF_IPV4_DST   IPv4 destination address                   ETH_TYPE = 0x800
OXM_OF_IPV6_SRC   IPv6 source address                        ETH_TYPE = 0x86dd
OXM_OF_IPV6_DST   IPv6 destination address                   ETH_TYPE = 0x86dd
OXM_OF_TCP_SRC    TCP source port                            IP_PROTO = 6
OXM_OF_TCP_DST    TCP destination port                       IP_PROTO = 6
OXM_OF_UDP_SRC    UDP source port                            IP_PROTO = 17
OXM_OF_UDP_DST    UDP destination port                       IP_PROTO = 17
Optional Match Fields (proposed)
Match Field             Description
OXM_OF_IN_PHY_PORT      Physical ingress port
OXM_OF_METADATA         Table metadata
OXM_OF_VLAN_VID         VLAN ID
OXM_OF_VLAN_PCP         VLAN PCP
OXM_OF_IP_DSCP          Diff Serv Code Point
OXM_OF_IP_ECN           ECN bits of the IP header
OXM_OF_SCTP_SRC         SCTP source port
OXM_OF_SCTP_DST         SCTP destination port
OXM_OF_ICMPV4_TYPE      ICMP type
OXM_OF_ICMPV4_CODE      ICMP code
OXM_OF_ARP_OP           ARP opcode
OXM_OF_ARP_SPA          SRC IPv4 Addr of ARP payload
OXM_OF_ARP_TPA          Target IPv4 Addr of ARP payload
OXM_OF_ARP_SHA          SRC Eth Addr of ARP payload
OXM_OF_ARP_THA          Target L2 Addr of ARP payload
OXM_OF_IPV6_FLABEL      IPv6 flow label
OXM_OF_ICMPV6_TYPE      ICMPv6 type
OXM_OF_ICMPV6_CODE      ICMPv6 code
OXM_OF_IPV6_ND_TARGET   Target Addr IPv6 Neigh Disc
OXM_OF_IPV6_ND_SLL      SRC L2 Addr IPv6 Neigh Disc
OXM_OF_IPV6_ND_TLL      Target L2 Addr IPv6 Neigh Disc
OXM_OF_MPLS_LABEL       MPLS label
OXM_OF_MPLS_TC          MPLS TC
OXM_OF_MPLS_BOS         MPLS BoS bit
OXM_OF_PBB_ISID         I-SID in PBB srvc instance tag
OXM_OF_TUNNEL_ID        Metadata for a logical port
OXM_OF_IPV6_EXTHDR      IPv6 extension header field
1.3 Actions
Action                                Description
OFPAT_OUTPUT                          Output to port
– PORT #                              Physical or Logical switch port #
– ALL, CONTROLLER, TABLE, IN_PORT     Required Reserved Ports
– LOCAL, NORMAL, FLOOD                Optional Reserved Ports
OFPAT_COPY_TTL_OUT                    Copy TTL to next outwards header
OFPAT_COPY_TTL_IN                     Copy TTL to next inwards header
OFPAT_SET_MPLS_TTL                    Set MPLS TTL
OFPAT_DEC_MPLS_TTL                    Decrement MPLS TTL
OFPAT_PUSH_VLAN                       Push a new VLAN Tag
OFPAT_POP_VLAN                        Pop the outer VLAN Tag
OFPAT_PUSH_MPLS                       Push a new MPLS Tag
OFPAT_POP_MPLS                        Pop the outer MPLS Tag
More 1.3 Actions
Action                                Description
OFPAT_SET_QUEUE                       Set queue id when outputting to a port
OFPAT_GROUP                           Apply Group
OFPAT_SET_NW_TTL                      Set IP TTL
OFPAT_DEC_NW_TTL                      Decrement IP TTL
OFPAT_SET_FIELD                       Set a header field using OXM TLV format
OFPAT_PUSH_PBB                        Push a new PBB service tag (I-TAG)
OFPAT_POP_PBB                         Pop the outer PBB service tag (I-TAG)
OFPAT_EXPERIMENTER                    0xffff
OFPAT_DROP                            No explicit drop action
1.3 Message Types
• Symmetric
– Sent without solicitation in either direction
• Controller-to-Switch
– Initiated by the controller
– May or may not require a response from the switch
• Asynchronous
– Sent without a controller soliciting them from a switch
– Denote a packet arrival, switch state change, or error
1.3 Controller-to-Switch Messages
• OFPT_FEATURES_REQUEST
• OFPT_FEATURES_REPLY
• OFPT_GET_CONFIG_REQUEST
• OFPT_GET_CONFIG_REPLY
• OFPT_SET_CONFIG
• OFPT_PACKET_OUT
• OFPT_FLOW_MOD
• OFPT_GROUP_MOD
• OFPT_PORT_MOD
• OFPT_TABLE_MOD
1.3 Controller-to-Switch Messages (Cont.)
• OFPT_MULTIPART_REQUEST
• OFPT_MULTIPART_REPLY
• OFPT_BARRIER_REQUEST
• OFPT_BARRIER_REPLY
• OFPT_ROLE_REQUEST
• OFPT_ROLE_REPLY
Table-miss
• Specifies how to process packets that do not match any flow in the flow table.
• By default, unmatched packets are dropped.
• Controller can override this behavior. The table-miss entry is identified by its match and priority.
• A flow entry with all wildcard match and priority 0 is a table-miss flow entry.
• Must at least support sending packet to the controller.
1.3 Error Message
• OFPT_ERROR used to notify controller of a problem
• Each error message has a type, code and data.
• Type indicates high-level type of error.
• Code is interpreted based on the type and points to the specific type of problem.
• Data field contains at least first 64 bytes of the failed request that triggered the error.
1.3 Error Examples
• Request: ofp_flow_mod with invalid outport in action.
o Error Type: OFPET_BAD_ACTION.
o Error Code: OFPBAC_BAD_OUT_PORT.
• Request: ofp_flow_mod with invalid match.
o Error Type: OFPET_BAD_MATCH.
o Error Code: OFPBMC_BAD_TYPE.
• Request: Match in ofp_flow_mod with missing pre-requisites.
o Error Type: OFPET_BAD_MATCH.
o Error Code: OFPBMC_BAD_PREREQ.
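The pre-requisite column of the Required Match Fields table and the OFPBMC_BAD_PREREQ error example above can be checked on the controller side before a flow_mod is sent. The Python below is an added example, not part of the original slides; the dict representation of a match and the function names are assumptions.

```python
ETH_TYPE, IP_PROTO = "OXM_OF_ETH_TYPE", "OXM_OF_IP_PROTO"

# field -> (prerequisite field, allowed values), copied from the
# Required Match Fields table on this page.
PREREQS = {
    "OXM_OF_IP_PROTO": (ETH_TYPE, {0x0800, 0x86DD}),
    "OXM_OF_IPV4_SRC": (ETH_TYPE, {0x0800}),
    "OXM_OF_IPV4_DST": (ETH_TYPE, {0x0800}),
    "OXM_OF_IPV6_SRC": (ETH_TYPE, {0x86DD}),
    "OXM_OF_IPV6_DST": (ETH_TYPE, {0x86DD}),
    "OXM_OF_TCP_SRC": (IP_PROTO, {6}),
    "OXM_OF_TCP_DST": (IP_PROTO, {6}),
    "OXM_OF_UDP_SRC": (IP_PROTO, {17}),
    "OXM_OF_UDP_DST": (IP_PROTO, {17}),
}


def prereq_violations(match):
    """List (field, reason) for each field whose prerequisite is absent or wrong."""
    problems = []
    for field in match:
        if field not in PREREQS:
            continue  # no prerequisite listed in the required-fields table
        needed, allowed = PREREQS[field]
        if needed not in match:
            problems.append((field, f"{needed} missing"))
        elif match[needed] not in allowed:
            problems.append((field, f"{needed}={match[needed]:#x} not allowed"))
    return problems


def expected_error(match):
    """(error type, error code) from the error examples above, or None if clean."""
    if prereq_violations(match):
        return ("OFPET_BAD_MATCH", "OFPBMC_BAD_PREREQ")
    return None


if __name__ == "__main__":
    # Constructed sample matches (hypothetical flows, not from the slides).
    samples = {
        "web ok": {ETH_TYPE: 0x0800, IP_PROTO: 6, "OXM_OF_TCP_DST": 80},
        "no ip_proto": {ETH_TYPE: 0x0800, "OXM_OF_TCP_DST": 80},
        "v4 addr on v6": {ETH_TYPE: 0x86DD, "OXM_OF_IPV4_DST": "10.0.0.10"},
    }
    for name, m in samples.items():
        print(name, prereq_violations(m), expected_error(m))
```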
1.3 Group Table Types
all - execute each bucket
● each bucket gets copy of packet
● flooding, multicast, etc.
select - execute one of the buckets in group
● Based on algorithm defined in switch (e.g. RR)
● load distribution across span port member links
indirect - execute single bucket in group
● used for next hops and fast convergence
fast failover - execute first live bucket (tied to interface)
OpenFlow QoS
OF 1.0
● Optional action "Enqueue"
o Forwards packet through a queue attached to a port.
● Header fields can include VLAN priority and IP ToS, so they can be matched against and re-written.
OF 1.3
● Stuff from 1.0
● New table "Meter Table": Meter Identifier, Meter Bands, Counters
o Meter Identifier: 32 bit integer used to identify the meter
o Meter Bands: list of meter bands, each band specifies rate and behavior
● New instruction "Meter meter_id" in the flow table entry (Match Fields, Priority, Counters, Instructions, Timeouts, Cookies)
1.3 QoS (Cont.)
Meter Table entry: Meter Identifier, Meter Bands, Counters
Meter Band: Band Type (drop or remark DSCP), Rate (kb/s, burst), Counters, Type Specific Arguments
One or more Meter Bands per Meter Table Entry
● Matching Flow Table Entry includes instruction: apply Meter ID
● Collect Stats / Determine which Meter Band Applies
● If band type drop? Drop Packet, Collect Stats
● If band type re-mark? Remark ToS, Collect Stats
1.3 QoS (Cont.)
Flow Table entry: DSCP=AF41 (match), Priority, Counters, Instructions, Timeouts, Cookies
Meter Table entry: Meter Identifier, Meter Bands, Counters
Band Type     Rate     Counters   Type Specific Arguments
Remark DSCP   1Gbs     Counters   SET DSCP = AF31
Remark DSCP   2.5Gbs   Counters   SET DSCP = BE
Drop          5Gbs     Counters   N/A
"the meter applies the meter band with the highest configured rate that is lower than the current measured rate"
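The band-selection rule quoted above, applied to the three bands on this slide, as an added Python example that is not part of the original slides. How a switch measures the current rate is not stated on the slides; the one-second sliding window, the class and function names, and the constant-rate traffic are assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

@dataclass
class Band:
    kind: str                        # "remark" or "drop"
    rate_bps: int                    # configured band rate
    set_dscp: Optional[str] = None   # type specific argument (remark only)
    packets: int = 0                 # per-band counter

def page_bands():
    # The three bands from the slide: 1 Gb/s, 2.5 Gb/s, 5 Gb/s.
    return [Band("remark", 1_000_000_000, "AF31"),
            Band("remark", 2_500_000_000, "BE"),
            Band("drop", 5_000_000_000)]

class Meter:
    def __init__(self, bands, window_ms=1000):   # window length is an assumption
        self.bands, self.window_ms = bands, window_ms
        self.seen = deque()                      # (timestamp_ms, bits) in window

    def measured_bps(self, now_ms):
        while self.seen and self.seen[0][0] <= now_ms - self.window_ms:
            self.seen.popleft()
        return sum(bits for _, bits in self.seen) * 1000 // self.window_ms

    def process(self, now_ms, size_bytes, dscp):
        """Return the DSCP after metering, or None when a drop band applies."""
        self.seen.append((now_ms, size_bytes * 8))
        rate = self.measured_bps(now_ms)
        # Highest configured rate that is lower than the measured rate.
        exceeded = [b for b in self.bands if b.rate_bps < rate]
        band = max(exceeded, key=lambda b: b.rate_bps, default=None)
        if band is None:
            return dscp                          # below every band: untouched
        band.packets += 1
        return None if band.kind == "drop" else band.set_dscp

def steady_outcome(mbps, dscp="AF41", ticks=20, tick_ms=100):
    """Constructed traffic: a constant rate for 2 s; fate of the last burst."""
    meter = Meter(page_bands())
    burst = mbps * 1_000_000 * tick_ms // 1000 // 8   # bytes per tick
    out = dscp
    for i in range(ticks):
        out = meter.process(i * tick_ms, burst, dscp)
    return out
```

Traffic at exactly a band's rate does not trigger that band, because the rule requires the configured rate to be lower than the measured rate.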
Additional 1.3 Network Behaviors
• Tunneling
– PBB/Mac in Mac
– Encap/Decap packets
• QinQ VLAN Stacking
• Push/Pop/Rewrite MPLS
• Routing emulation (TTL decrement)
• Multicast/Broadcast (Group Table)
• Experimenter Functions ???
HTTP Redirection using Extension Example
• Controller acts as redirector to designated server
• Match
– ip_prot = 6
– tcp_dst = 80
– Extension http_method to match on http "GET"
• Action
– Modify ipv4_dst of packet
– Send out switch port towards designated server
Virtual Interface 1 is on same subnet as Host 1 & 2 and acts as Default Gateway
Controller Running Virtual Router App
Virtual Interface 2 is on the same subnet as the ISP router
ARP Table in the Controller Virtual Router
No.   IP          MAC             Switch DPID   Port     Action
1     10.0.0.1    111111:111101   -             V-Int1
2     10.0.2.1    111111:111121   -             V-Int2   OFPT-PACKET-OUT
3     10.0.0.10   111111:111110   AAA           Eth1     OFPT-PACKET-OUT
4     10.0.0.20   111111:111120   AAA           Eth2     OFPT-PACKET-OUT
5     10.0.2.2    111111:111122   AAA           Eth3
Pipeline
Packet Enters Port 2
Table 1 (Eth Dst): Send to Routing Table or Switching Table
Table 2 (Switching): Match Eth-SRC & DST, Output to Port
Table 3 (Routing): Send to Virtual Router Port or Send to correct Group Table
Group Tables 1, 2 and 3: Decrement TTL, Set ETH SRC, Set ETH DST, OUTPUT to Port
Table 1 (Routing or Switching)
Ethertype   Ethernet-dst    Action
==ARP       *               OFPAT_OUTPUT to CONTROLLER
*           111111:111101   OFPIT_GOTO_TABLE 2 (Routing)
*           111111:111121   OFPIT_GOTO_TABLE 2 (Routing)
*           *               OFPIT_GOTO_TABLE 3 (Switching)
If ARP Packet, send to the controller.
If MAC DST is a Virtual Router Interface, send to the Routing Table.
Otherwise, send to Switching Table.
Switching Table
Table 2 (Switching)
Eth-SRC         Eth-DST         Action
111111:111110   111111:111120   OFPAT_OUTPUT to Eth 2
111111:111120   111111:111110   OFPAT_OUTPUT to Eth 1
If Eth-SRC is Host 1 and Eth-DST is Host 2, send out Port Eth 2.
If Eth-SRC is Host 2 and Eth-DST is Host 1, send out Port Eth 1.
Routing Table
Table 3 (Routing)
IP-SRC   IP-DST      Action
*        10.0.0.1    OFPAT_OUTPUT to LOCAL
*        10.0.2.1    OFPAT_OUTPUT to LOCAL
*        10.0.0.10   OFPAT_GROUP 1
*        10.0.0.20   OFPAT_GROUP 2
*        10.0.2.2    OFPAT_GROUP 3
If IP-DST is to a Virtual Router Interface, send to the local (switch) stack.
If IP-DST is to Host 1, send to Group Table 1.
If IP-DST is to Host 2, send to Group Table 2.
If IP-DST is to Internet Gateway, send to Group Table 3.
Group Tables
Group Table 1
No.   Action                           Value
1     OFPAT_DEC_NW_TTL                 -
2     OFPAT_SET_FIELD OXM_OF_ETH_SRC   111111:111101 (V-Int 1)
3     OFPAT_SET_FIELD OXM_OF_ETH_DST   111111:111110 (Host 1)
4     OFPAT_OUTPUT                     Eth 1
1) Decrement IP TTL
2) Set ETH SRC to Virtual Router Interface 1
3) Set ETH DST to Host 1
4) OUTPUT to Port Eth 1
Group Tables (Cont)
Group Table 2
No.   Action                           Value
1     OFPAT_DEC_NW_TTL                 -
2     OFPAT_SET_FIELD OXM_OF_ETH_SRC   111111:111101 (V-Int 1)
3     OFPAT_SET_FIELD OXM_OF_ETH_DST   111111:111120 (Host 2)
4     OFPAT_OUTPUT                     Eth 2
Group Table 3
No.   Action                           Value
1     OFPAT_DEC_NW_TTL                 -
2     OFPAT_SET_FIELD OXM_OF_ETH_SRC   111111:111121 (V-Int 2)
3     OFPAT_SET_FIELD OXM_OF_ETH_DST   111111:111122 (ISP GW)
4     OFPAT_OUTPUT                     Eth 3
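The virtual router pipeline above (Table 1, the switching and routing tables, and the three group tables) as a small simulator for checking where a given packet ends up. This is an added Python example, not code from the original slides; tables are named by role (classify, switching, routing) rather than by number, the flow priorities are assumed because the slides do not give them, and packets are plain dicts.

```python
ARP, IPV4 = 0x0806, 0x0800
VINT1, VINT2 = "111111:111101", "111111:111121"
HOST1, HOST2, ISP_GW = "111111:111110", "111111:111120", "111111:111122"
# (priority, match, instruction); priorities are assumed, rows are from the slides.
TABLES = {
    "classify": [
        (30, {"eth_type": ARP}, ("output", "CONTROLLER")),
        (20, {"eth_dst": VINT1}, ("goto", "routing")),
        (20, {"eth_dst": VINT2}, ("goto", "routing")),
        (0, {}, ("goto", "switching")),   # all-wildcard, priority 0: table-miss entry
    ],
    "switching": [
        (10, {"eth_src": HOST1, "eth_dst": HOST2}, ("output", "Eth 2")),
        (10, {"eth_src": HOST2, "eth_dst": HOST1}, ("output", "Eth 1")),
    ],
    "routing": [
        (10, {"ip_dst": "10.0.0.1"}, ("output", "LOCAL")),
        (10, {"ip_dst": "10.0.2.1"}, ("output", "LOCAL")),
        (10, {"ip_dst": "10.0.0.10"}, ("group", 1)),
        (10, {"ip_dst": "10.0.0.20"}, ("group", 2)),
        (10, {"ip_dst": "10.0.2.2"}, ("group", 3)),
    ],
}
# group id -> (new ETH SRC, new ETH DST, output port)
GROUPS = {1: (VINT1, HOST1, "Eth 1"), 2: (VINT1, HOST2, "Eth 2"),
          3: (VINT2, ISP_GW, "Eth 3")}

def lookup(table, pkt):
    """Highest-priority entry whose match fields all equal the packet's, else None."""
    hits = [e for e in table if all(pkt.get(k) == v for k, v in e[1].items())]
    return max(hits, key=lambda e: e[0], default=None)

def forward(pkt):
    """Return (tables visited, output port or "DROP", packet as it leaves)."""
    pkt, table, path = dict(pkt), "classify", []
    while True:
        path.append(table)
        entry = lookup(TABLES[table], pkt)
        if entry is None:                 # no entry and no table-miss entry: dropped
            return path, "DROP", pkt
        kind, arg = entry[2]
        if kind == "goto":
            table = arg
        elif kind == "output":
            return path, arg, pkt
        else:                             # group: dec TTL, rewrite MACs, output
            src, dst, port = GROUPS[arg]
            pkt.update(ttl=pkt["ttl"] - 1, eth_src=src, eth_dst=dst)
            return path + [f"group {arg}"], port, pkt
```

Calling forward() with a frame whose source MAC is not one of the two hosts, or with a routed packet whose IP-DST is not in the routing table, returns "DROP", which is the default table-miss behaviour described earlier.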