tutorial: openflow in geni

Sponsored by the National Science Foundation

Tutorial: OpenFlow in GENI

GENI Project Office

Sponsored by the National Science Foundation 2

“The current Internet is at an impasse because new architecture cannot be

deployed or even adequately evaluated” [PST04]

Modified slide from: http://cenic2012.cenic.org/program/slides/CenicOpenFlow-3-9-12-submit.pdf

[PST04]: Overcoming the Internet Impasse through Virtualization, Larry Peterson, Scott Shenker, Jonothan Turner Hotnets 2004


OpenFlow…

• Enables innovation in networking

• Changes practice of networking

Google’s SDN WAN


OpenFlow basics

How OpenFlow works … (1.0)

Hand’s on tutorial

OpenFlow basics


OpenFlow’s basic idea


OpenFlow is an API

Modified slide from : http://www.deutsche-telekom-laboratories.de/~robert/GENI-Experimenters-Workshop.ppt

• Control how packets are forwarded

• Implementable on COTS hardware

• Make deployed networks programmable– not just configurable

• Makes innovation easier


Network Devices

NATfirewall

DHCP

DNS

switch

VPN

router

gateway

proxy

access point

Any network device can be OpenFlow enabled

software


SDN and NFV

Slide from: http://docbox.etsi.org/Workshop/2013/201304_FNTWORKSHOP/S07_NFV/BT_REID.pdf


OpenFlow benefits [1]

• External control– Enables network Apps – General-purpose computers (Moore’s Law)– Deeper integration– Network hardware becomes a commodity

• Centralized control– One place for apps to interact (authentication, auth, etc)– Simplifies algorithms– Global Optimization and planning

[1]: OpenFlow: A radical New idea in Networking, Thomas A. Limoncelli CACM 08/12 (Vol 55 No. 8)


Network Types

CampusMultiple buildings, heterogeneous IT, groups of users, campus backbone

Enterprise Data CentersSecurity, various sizes, storage, WAN optimizations

Data Centers – CloudsMulti-tenant, virutalization, disaster recovery, VM mobility

WANDiversity, multiple domains/carriers/users


Deployment Stories

Google global private WAN [1]Connects dozens of datacenters worldwide with a long-term average of 70% utilization over all links

Stanford Campus deploymentPart of Stanford campus migrated to OpenFlow

NTT’s BGP Free Edge

Internet 2 - AL2SCan build Layer 2 circuits between any Internet 2 end-points

[1] B4: Experience with a Globally-Deployed Software Defined WAN, SIGCOMM’13, Jain et al.

https://www.ntt-review.jp/archive/ntttechnical.php?contents=ntr201310fa3.html


GENI and OpenFlow deployment• Key GENI concept: slices & deep programmability

– Internet: open innovation in application programs– GENI: open innovation deep into the network

Good old Internet

Slice 0

Slice 1

Slice 2

Slice 3

Slice 4

Slice 1

OpenFlow switches one of the ways GENI is providing

deep programmability


GENI OpenFlow Deployment

OpenFlow-enabled hardware switch at:– Each GENI Rack– Backbone and regional networks


GENI OpenFlow Experiments

Prasad Calyam, Missouri

Dipankar (Ray) Raychaudhuri, Rutgers,

leads MobilityFirst

Jae Woo Lee, Columbia

VDC: real-time load-balancing functionality deep into the network to improve QoE

MobilityFirst: A new architecture for the Internet designed for emerging mobile/wireless service requirements at scale

Active CDN: Program content distribution services deep into the network


OpenFlow basics

Hand’s on tutorial



OpenFlow versions

(Dec ’09) OpenFlow 1.0.0 Simple & widely supported

(Feb ‘11) OpenFlow 1.1.0Not implemented by HW vendors

(Dec ‘11) OpenFlow 1.2First ONF standard

(‘12/’13) OpenFlow 1.3.xComplex & support in progress

(Oct ‘13) OpenFlow 1.4

(‘11) Open Networking Foundation (ONF) formed to shepherd standards

(Oct‘13) OpenFlow 1.0.2Under ratification


OpenFlow controllers• Open source controller frameworks

– NoX/PoX– Open Daylight (driven by Cisco)– FloodLight (BigSwitch)– Trema (NEC)– Maestro– Ryu

• Production controllers– Mostly customized solutions based on Open Source

frameworks– ProgrammableFlow - NEC


OpenFlow

Switch

Data Path (Hardware)

Control Path OpenFlow

Any Host

OpenFlow Controller

OpenFlow Protocol (SSL/TCP)


• The controller is responsible for populating forwarding table of the switch

• In a table miss the switch asks the controller


OpenFlow in action

Switch



Any HostOpenFlow Controller



• Host1 sends a packet• If there are no rules

about handling this packet– Forward packet to the

controller– Controller installs a flow

• Subsequent packets do not go through the controller

host1 host2


OpenFlow Basics (1.0)

SwitchPort

MACsrc

MACdst

Ethtype

VLANID

IPSrc

IPDst

IPToS

TCPsport

TCPdport

Rule Action Stats

1. Forward packet to port(s)2. Encapsulate and forward to controller3. Drop packet4. Send to normal processing pipeline5. Modify Fields

+ mask what fields to match

Packet + byte counters

slide from : http://www.deutsche-telekom-laboratories.de/~robert/GENI-Experimenters-Workshop.ppt

IPProt

VLANPCP


Use Flow Mods• Going through the controller on every packet is

inefficient• Installing Flows either proactively or reactively is

the right thing to do• A Flow Mod consists of :

– A match on any of the 12 supported fields– A rule about what to do matched packets– Timeouts about the rules:

• Hard timeouts• Idle timeouts

– The packet id in reactive controllers


OpenFlow common PitFalls• Controller is responsible for all traffic, not just your

application!– ARPs, DHCP, LLDP

• Reactive controllers– Cause additional latency on some packets– UDP – many packets queued to your controller by time

flow is set up

• Performance in hardware switches– Not all actions are supported in hardware

• No STP to prevent broadcast storms


Multiplexing ControllersFlowVisor

• Only one controller per switch

• FlowVisor is a proxy controller that can support multiple controllers

FlowSpace describes packet flows :

– Layer 1: Incoming port on switch

– Layer 2: Ethernet src/dst addr, type, vlanid, vlanpcp

– Layer 3: IP src/dst addr, protocol, ToS

– Layer 4: TCP/UDP src/dst port

Switch



Any Host

FlowVisor


Any Host

OpenFlow Controller

Any Host

OpenFlow Controller



OpenFlow basics


Hand’s on tutorial Hands on tutorial


OpenFlow Experiments

Debugging OpenFlow experiments is hard: – Network configuration debugging requires coordination– Many networking elements in play– No console access to the switch

Before deploying your OpenFlow experiment test your controller.

http://mininet.github.com/http://openvswitch.org/


Run an OpenFlow experiment

1 host as OVS switch3 VMs connected to OVS

Host1 Host2

Host3

OVS

• Setup OVS• Write simple controllers

– e.g. diverge traffic to a different server

– use python controller PoX


To Save Time …• Slices have been created for you:

– Slice name: ofNN• Resources have been added to your slice:

– 1 Xen VM running OVS– 3 OpenVZ VMs that act as traffic sources & sinks– Resources are from various InstaGENI racks

• Download your private SSH keyhttps://portal.geni.net/secure/profile.php#ssh

• Download key and put in a standard place: $ mv ~/Downloads/id_geni_ssh_rsa ~/.ssh/.

$ chmod 0600 ~/.ssh/id_geni_ssh_rsa• Add the key to your ssh-agent:

$ ssh-add ~/.ssh/id_geni_ssh_rsa


Finding your login information

• Browse to this page https://portal.geni.net/secure/slices.php

• Click on the slice name (there should be only one)• Scroll down to the Slice Status section• Find the row for the aggregate listed on your

worksheet• Click the "Details" button for this row

– keep this window open throughout the tutorial• Find your Login information for each of the four

nodes used in this exercise (OVS, host1, host2, host3)

https://portal.geni.net/secure/slices.php


• Part I: Design/Setup– Obtain Resources– What is OpenFlow, what can I do with Openflow?

• Part II: Execute– Configure and Initialize Services– Execute Experiment

• Part III: Finish– Teardown Experiment


Configure OVS

OVS is a virtual switch running on a xen VM • The interfaces of the node are the ports

of the switch– Configure an ethernet bridge– add all dataplane ports to the switch

• Can be an OpenFlow switch– Need to specify the controller (for convenience run

on the same host but it can be anywhere)• Userspace OVS for this exercise


Configure and Initialize OVS• Log in to OVS host and configure software switch:

$ ifconfig$ sudo ifconfig eth1 0$ sudo ifconfig eth2 0$ sudo ifconfig eth3 0$ sudo ovs-vsctl add-port br0 eth1$ sudo ovs-vsctl add-port br0 eth2$ sudo ovs-vsctl add-port br0 eth3$ sudo ovs-vsctl list-ports br0$ sudo ovs-vsctl set-controller br0 tcp:127.0.0.1:6633$ sudo ovs-vsctl set-fail-mode br0 secure$ sudo ovs-vsctl show

Host1 Host2

Host3

OVS

eth1

eth3

eth2


• Part I: Design/Setup– Obtain Resources– What is OpenFlow, what can I do with Openflow?




Experiments (1/4)

1. Use a Learning Switch Controller:

1. See the traffic flow changes between hosts as the controller is started or stopped.

2. Soft versus hard timeouts for traffic flows.


Experiments (1/4)

• Login host1 and start ping host2$ ping 10.10.1.2

• Start learning switch controller:$ cd /local/pox $ ./pox.py --verbose forwarding.l2_learning

• Look at ping… now works.• Kill controller (Ctrl-c)• Look at ping… still running,


Experiments (2/4)

2. Write and run a Traffic Duplication Controller:

1. Controller will duplicate traffic to a different port on the OVS switch.

2. Use tcpdump to see the packet duplication.


Experiments (2/4)

• Open 2 windows on OVS host• Start tcpdump for on OVS:if1 and OVS:if2• Run duplication controller on OVS:if2

$ cd /local/pox $ ./pox.py --verbose myDuplicateTraffic --duplicate_port=<data_interface_name>

• Look at ping from host1 to host2.• Kill controller (Ctrl-c)


Experiments (3/4)

3. Write and run a port forwarding controller:

a. Controller will do port forwarding on your OVS Switch to port specified.

b. Use two netcat servers on host2 to see traffic delivery.


Experiments (3/4)• Two windows on host2 run the following:

$ nc -l 5000 $ nc -l 6000

• Start learning switch controller:• On host1:

$ nc 10.10.1.2 5000 • See what happens to traffic• Kill controller (Ctrl-c)• Retry with port forwarding controller and see

what happens to traffic, and kill when done.


Experiments (4/4)

4. Write and run a server proxy controllera. To redirect packets to a proxy:

• What fields do you need to overwrite?• Which packets needs special handling?

b. Use netcat to see the deflection


Experiments (4/4)

• On host 3:$ nc –l 7000

• Run proxy controller:$ cd /local/pox $ ./pox.py --verbose myProxy

• On host1:$ nc 10.10.1.2 5000

• Look at host3 window, should now be getting nc traffic.


• Part I: Design/Setup– Obtain Resources– What is OpenFlow, what can I do with Openflow?– Demo: Using OpenFlow in GENI




Part III: Finish Experiment

When your experiment is done, you should always release your resources.

– Normally this is when you would archive your data– Delete your slivers at each aggregate

slice

projectaggregate

RSpecuserresourcesliv

er

AM API

slivercredentials

certificate


Backup


Core Networks

• NLR committed to 2013 meso-scale expansion following reorganization• Internet2 adding 10GbE paths to Advanced Layer 2 Services (AL2S) at 4 of 5

OpenFlow meso-scale/ProtoGENI Pops• GENI Aggregate Manager in Internet2 AL2S and dynamic stitching with GENI

coming in Spiral 5

Internet2 SDN networks


FOAM• An OpenFlow Aggregate Manager

• It’s a GENI compliant reservation service– Helps experimenters reserve flowspace in the

FlowVisor

• Speaks AM API v1

• Rspecs GENI v3, openflow v3 extension


Racks and Campuses

• GENI Rack projects are expanding available GENI infrastructure in the US.

• Racks provide reservable, sliceable compute and network resources using Aggregate Managers.

• GENI AM API compliance

tutorial: openflow in geni

Documents

openflow benefits

openflow switches

internet impasse

open innovation

ways geni

current internet

openflowenables innovation

cots hardware