tap as a service: what you need to know now

Upload: fawad-khaliq

Post on 15-Jan-2017

Page 1: Tap as a service: What you need to know now

In Collaboration With

April 28, 2016

Tap-as-a-service: What you need to know now

Page 2: Tap as a service: What you need to know now

Copyright © PLUMgrid, Inc. 2011-2016

Introduction: Speaker(s)

• Fawad Khaliq, Sr. Software Engineer, PLUMgrid Inc

• Anil Rao, Distinguished Engineer, Gigamon

• Reedip Banerjee, Tech Lead, NEC Technologies

• Vinay Yadhav, Experienced Researcher, Ericsson

• Takashi Yamamoto, Sr. Software Engineer, Midokura

Page 3: Tap as a service: What you need to know now


Agenda

• Tap-as-a-Service Introduction

• Motivation for TaaS

• Progress so far

• TaaS Object Model

• Demo

• Next Steps

• Q&A

Page 4: Tap as a service: What you need to know now

Tap-as-a-Service Introduction

Page 5: Tap as a service: What you need to know now


Tap-as-a-service in OpenStack

• Advanced networking service in OpenStack to provide traffic mirroring.

• API for port mirroring currently.

• Facilitates tenants/operators to mirror packets from one or more Neutron ports.

• A Neutron port could be a VM, container or baremetal, depending on the backend implementation.

Page 6: Tap as a service: What you need to know now


Tap-as-a-service in OpenStack

[Diagram: a User configures TaaS on top of Neutron; traffic from source port 1 and source port 2 is mirrored by TaaS to dest port 1.]

Page 7: Tap as a service: What you need to know now


Motivation for TaaS

Page 8: Tap as a service: What you need to know now


Motivation for TaaS

Traffic Monitoring Process

• Involves placing tap devices at appropriate locations within the network infrastructure and attaching traffic analyzers to them.

• These analyzers can then see the same packets passing through those network segments, as if they were also inline.

• A logical tap device can be (easily) constructed using the port-mirroring function of a network switching element.

• So, why is it [still] not possible to monitor the activity in OpenStack virtual networks?

Page 9: Tap as a service: What you need to know now


Motivation for TaaS

Architectural Characteristics of Cloud Platforms

Multi-tenancy

• Multi-tenancy allows available resources and services to be shared among different groups of users.

• Each group, known as a tenant, is provided with an environment that is completely isolated from the others.

• Members of a tenant are oblivious of the fact that other groups may be co-existing with them.

• Multi-tenancy promotes delegation of control in a safe and secure manner.

Location Independence

• Location independence is primarily concerned with hiding the identities of individual infrastructure components from virtualized workloads.

• This has made it possible to relocate running virtual machines from one host to another.

• An equally important but less appreciated benefit of location independence is the improved efficiency in resource allocation.

Page 10: Tap as a service: What you need to know now


Motivation for TaaS

• Tenants are (typically) unaware of the physical hosts on which their VMs are running.

• VMs belonging to different tenants may be placed on the same host.

• Tenant virtual networks often extend across multiple hosts.

• To avoid the possibility of cross-tenant data leakage, tenants are prevented from directly accessing the controls of the underlying switch fabric.

- comprising host-level virtual switches, top-of-rack switches, etc.

• Unfortunately, this means that the port-mirroring capability of those switches is also not available to tenants.

Page 11: Tap as a service: What you need to know now


Motivation for TaaS

Desire:

• A tapping service that will enable a tenant and/or the cloud administrator to safely monitor Neutron ports.

• The service must ensure that tenant isolation boundaries are not compromised.

• Port-mirror sessions should transparently span hosts to preserve location independence.

Solution:

• Tap-as-a-Service is a platform-oriented approach that satisfies the above need.

• It has effectively virtualized port mirroring, which used to be a switch-layer function, and made it available to users of Neutron-provisioned networks.

• TaaS will serve as the basic building block on top of which more complex traffic visibility solutions can be engineered.

Page 12: Tap as a service: What you need to know now


Progress So Far

Page 13: Tap as a service: What you need to know now


Progress So Far

• Version 0.1 of TaaS presented in the Demo, with successful integration.

• Source code resides on GitHub (https://github.com/openstack/tap-as-a-service).

• Application for inclusion as an official OpenStack project in Governance and as a possible participant in the Neutron Stadium.

• Support for TaaS in the Horizon Dashboard (Beta version).

• TaaS is now available as a CLI with NeutronClient:

- neutron tap-service-create / neutron tap-service-delete / neutron tap-service-show / neutron tap-service-list

- neutron tap-flow-create / neutron tap-flow-delete / neutron tap-flow-show / neutron tap-flow-list

• Tempest jobs for TaaS are functional on the gate.

Page 14: Tap as a service: What you need to know now


Tap-as-a-service Object Model

Page 15: Tap as a service: What you need to know now


Tap-as-a-service Object Model

TAP SERVICE: Represents the port on which the mirrored traffic is delivered. Any service (VM) that uses the mirrored data is attached to that port.

TAP FLOW: Represents the port from which the traffic needs to be mirrored.

Multiple TAP FLOW instances can be associated with a single TAP SERVICE instance.
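To make the object model above and the NeutronClient CLI listed under "Progress So Far" concrete, here is a constructed Python model, added here and not the project's own code, of one TapService fed by several TapFlows, each with its own direction, plus the same-tenant check a TaaS plugin must make before it wires up a mirror. The Port/TapFlow/TapService classes, port ids and tenant names are sample values; the neutron CLI flag names (--name, --port, --tap-service, --direction) are my recollection of the project's README and are an assumption.

```python
from dataclasses import dataclass, field
DIRECTIONS = ("IN", "OUT", "BOTH")            # IN/OUT are relative to the source port

@dataclass(frozen=True)
class Port:            # a Neutron port (VM, container or baremetal NIC)
    port_id: str
    tenant_id: str
@dataclass(frozen=True)
class TapFlow:         # the port whose traffic is mirrored, and in which direction
    name: str
    source_port: Port
    direction: str
@dataclass
class TapService:      # the port on which the mirrored copies are delivered
    name: str
    tenant_id: str
    dest_port: Port
    flows: list = field(default_factory=list)   # many TapFlows per TapService

def create_tap_flow(service, name, src, direction):
    """Attach a TapFlow to a TapService; refuse anything that crosses a tenant boundary."""
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be one of {DIRECTIONS}")
    if src.tenant_id != service.tenant_id:
        raise PermissionError("source port belongs to a different tenant")
    if src == service.dest_port:
        raise ValueError("a port cannot be mirrored onto itself")
    flow = TapFlow(name, src, direction)
    service.flows.append(flow)
    return flow

def mirror_targets(services, port, direction):
    """Port ids that receive a copy of a packet seen travelling IN or OUT of `port`."""
    return [s.dest_port.port_id for s in services for f in s.flows
            if f.source_port == port and f.direction in (direction, "BOTH")]

def cli_commands(service):
    """Equivalent neutron CLI calls (flag names assumed from the project's README)."""
    cmds = [f"neutron tap-service-create --name {service.name} --port {service.dest_port.port_id}"]
    for f in service.flows:
        cmds.append(f"neutron tap-flow-create --name {f.name} --port {f.source_port.port_id} "
                    f"--tap-service {service.name} --direction {f.direction}")
    return cmds

# constructed sample: tenant "web" runs two web servers and one monitoring VM (the IDS)
WEB1, WEB2, MON = Port("p-web1", "web"), Port("p-web2", "web"), Port("p-mon", "web")
OTHER = Port("p-other", "finance")               # a port owned by a different tenant
IDS = TapService("ids-tap", "web", MON)
create_tap_flow(IDS, "web1-both", WEB1, "BOTH")  # mirror everything in and out of web1
create_tap_flow(IDS, "web2-in", WEB2, "IN")      # only traffic arriving at web2
```

A request to add a flow for the "finance" tenant's port to this service raises PermissionError, which is the isolation guarantee the "Desire" slide asks for.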

Page 16: Tap as a service: What you need to know now

Tap-as-a-service Object Model (cont’d)

[Diagram: two Instances, each attached to its own Port.]

Page 17: Tap as a service: What you need to know now

Tap-as-a-service Object Model (cont’d)

[Diagram: two Instances with their Ports; a TapService is created on the Port of the first Instance.]

Page 18: Tap as a service: What you need to know now

Tap-as-a-service Object Model (cont’d)

[Diagram: a TapFlow is created on the Port of the second Instance, associated with the TapService on the first Instance's Port.]

Page 19: Tap as a service: What you need to know now

Tap-as-a-service Object Model (cont’d)

[Diagram: the TapFlow's Port is annotated with the two traffic directions, OUT and IN.]

Page 20: Tap as a service: What you need to know now

Tap-as-a-service Object Model (cont’d)

[Diagram: Mirror Traffic, in both the OUT and IN directions, is copied from the TapFlow's Port to the TapService's Port.]

Page 21: Tap as a service: What you need to know now

Tap-as-a-service Object Model (cont’d)

[Diagram: two Instances, each with a TapFlow on its Port, mirror traffic to the single TapService Port of a third Instance.]

Page 22: Tap as a service: What you need to know now

Tap-as-a-service Design (agent based)

[Diagram: Tenant / Administrator → TaaS API → Plugin Service → DRIVER ABC → RPC Communication → TaaS Agent Framework → SWITCHING ELEMENT]

Page 23: Tap as a service: What you need to know now

Tap-as-a-service Design (controller based)

[Diagram: Tenant / Administrator → TaaS API → Plugin Service → DRIVER ABC → SDN controller]

Page 24: Tap as a service: What you need to know now

DEMO


Page 25: Tap as a service: What you need to know now


Demo: Tap-as-a-service

Overview

Demonstrate how Tap-as-a-Service can be utilized to monitor network traffic associated with VM instances in an OpenStack cloud.

Use Cases

1. Web traffic analysis.

2. Centralized Intrusion Detection System.

What to Expect

The first portion of the demo will show how tap-services and tap-flows can be easily configured via the Horizon Dashboard. Next, we will illustrate how TaaS can play an important role in satisfying the needs of data analytics and security applications.

Environment

• Multi-node DevStack cloud

- 1 Controller node

- 1 Network node

- 2 Compute nodes

• This cloud is hosting multiple web-server VM instances whose traffic will be monitored using TaaS. A special monitoring VM is also running in the cloud to receive mirrored traffic and carry out traffic analysis.

• Three Linux desktop systems representing end-users interacting with the cloud.

Page 26: Tap as a service: What you need to know now


Next Steps

Page 27: Tap as a service: What you need to know now


Roadmap

- Policy Based Tap

- Support for external resources, e.g. those behind an L2 Gateway

- Quota enforcement

- QoS and TaaS integration

- Enhance Tempest testing

- Rally testing

- Complete CI support

Page 28: Tap as a service: What you need to know now

Join TaaS!

• Project Launchpad: https://launchpad.net/tap-as-a-service

• Project Git Repository: https://github.com/openstack/tap-as-a-service

• Weekly IRC Meeting: http://eavesdrop.openstack.org/#Tap_as_a_Service_Meeting

• IRC: #openstack-neutron @ Freenode

Page 29: Tap as a service: What you need to know now

THANK YOU!