Segment routing incontainer networks

Ben de Graaff

Supervisor: Marijke Kaat (SURFnet/UvA)

RP95

Best path

AB

Background

3

Arbitrary paths

1 2

45

AB

A > 1 > 4 > B

Background

1

4

3

Pure IPv6 (SRv6) Background

1 2

45

AB

2000:1:: 2000:2::

2000:B::

2000:4::

2000:3::

2000:5::

2000:A::

2000:1::2

2000:1::32000:1::A

Container networks BackgroundInternet

Platform independent Background

LXC

Internet

Multi-tenancy BackgroundInternet

Example: load balancer BackgroundInternet

Transit policy

LB

Research

State of segment routing in IPv6

Proof of concept:Container networkingNetwork functions

dst1

3

Network programming

1 2

45

AB

src > 1 > 4 > dst

1

4

dst

4dstsrc

Segment routing header

Extensions

Segment N

Segment 0...

HeaderSegments left

Proof of concept

Validate policy

Apply policy

Multi-tenancy Internet

Segment ID

2000:A::1000:12000:B::1000:22000:C::1000:3

2000:B::1000:12000:B::1000:22000:B::1000:3

2000:C::1000:12000:C::1000:3

Results

Container discovery/mobility

Routing opaque addresses

Results

::1:2:3:4 ::a:b:c:dTopology

1:Inject SRH

3:Deliver

NF2:

Computefinal hop

Implementation

Hardware/software

Results

Linux kernel 4.10+

Basic routing/policy

Limited extension support

Implementation quirks…

Results

Hardware

NCS 5500

Software

Vector Packet Processing

The Fast Data Project

SRv6 availability Results

Technical stuff

Technical implementation

http://www.story-stick.net/event/here-be-dragons

VM

Network function

ContainerContainer

Virtual topology Results

VPPVPP

Container

VPP

VM

eBPF

Latest & greatest

Process directly in kernel

Fast, powerful

Results

myprog.c + LLVM = bytecode

⇓

bpf() syscall

⇓

Kernel network stack

eBPF

eth0

tc filter bpf

bpf_redirectIngress eBPF

EgresseBPF

veth ContainerControl app

Validate policy

Apply policy

✗

✗

Results

Linux do-it-yourself

Tun/tapAF_PACKETip ruleiptables fwmarkPF_RING...

Results

Linux do-it-yourself Results

tun

AF_PACKET

Raw socketIngress app

Egress app

ip rule

Validate policy

Apply policy

eth0 veth Container

Summary Results

Validate policy

Apply policy

Ingress policy enforcement? Discussion

Internet

eth0

Ingress

Egress

veth ContainerFW

Future work

Ingress path control

Linux segment routing Netlink API

Develop useful extensions

Conclusion

Proof of concept: works

SDN easy, at cost of overhead

Hardware not strictly required

Related work

Cisco, Bell Canada, Comcast, et al, technical workshops @ www.segment-routing.net

NFV with SRv6, with SRH unaware hosts (NetSoft 2017, presented today)

Segment routing incontainer networks

Segment routing is effective at enabling SDN and network

functions between containers

However, it is not yet widely supported in hardware, software

RP95

Check out the report for a full list of references

http://rp.delaat.net/2016-2017/p95/report.pdf

Backup slides

Security/RH0

Enforce policy at network edges

SIDs must be explicitly enabled

HMAC: check at ingress

Remove protocols

Remove state

https://xkcd.com/927/

Simplify the network Discussion

3

MPLS Background

1 2

45

AB

101 102

111

104

103

105

110

202

203

210

No LDP, RSVPrequired

Multi-tenancy

Layer 2 and 3cross-connects

Multi-tenancy:Segment ID or extension?

Discussion