virt july-2013-meetup

Programmable Virtual Networks From Network Slicing To Network Virtualization Ali Al-Shabibi Open Networking Laboratory

Upload: nvirters

Post on 15-Jan-2015


Page 1: Virt july-2013-meetup

Programmable Virtual Networks

From Network Slicing To

Network Virtualization

Ali Al-Shabibi, Open Networking Laboratory

Page 2: Virt july-2013-meetup

Outline

• Define FlowVisor
– Its design goal
– Its success
– Its limitation

• Describe and define Network Virtualization

• Introduce OpenVirteX (formerly known as NetVisor), which provides programmable virtual networks

Page 3: Virt july-2013-meetup

Why FlowVisor?

Good ideas rarely get deployed

Also require access to real world traffic

New services may require changes to switch software

Experimenters want to control the behaviour of their network

Evaluating new network services is hard

Page 4: Virt july-2013-meetup

OK… Why is it hard?

[Figure labels: Real Networks, Test beds]

Page 5: Virt july-2013-meetup

Current Virtualization à la FlowVisor

• Network Slice = Collection of sliced switches, links, and traffic or header space

• Each slice associated to a controller

• Transparent slicing, i.e., every slice believes it has full and sole control of datapath

FV enforces traffic and slice isolation

Not a generalized virtualization

Page 6: Virt july-2013-meetup

Great! What about real traffic?

• FlowVisor allows users to opt-in to services in real-time
– Individual flows can be delegated to a slice by a user
– Admins can add policy to slice dynamically

FlowVisor

Web Slice

VoIP Slice

Video Slice

All the rest

Page 7: Virt july-2013-meetup

Sprinkle some resource limits

• Slicing resources includes:
– Specifying the link bandwidth
– Maximum number of forwarding rules
– Fraction of switch CPU

FlowSpace: Which slice controls which packet?

Page 8: Virt july-2013-meetup

Mapping Packets to Slices

Page 9: Virt july-2013-meetup

FlowVisor: Where does it live?

• Sits between switches and controllers

• Speaks OpenFlow up and down.

• Acts like a proxy to switches and controllers

• Datapaths and controllers run unmodified

Page 10: Virt july-2013-meetup

What kind of magic is this?

PacketIn from datapath

Who controls this packet?

Is this action allowed?

Page 11: Virt july-2013-meetup

Message Handling - PacketIn

[Flowchart: PacketIn handling. Node labels: PacketIn; Is LLDP?; Send to appropriate slice (drop if controller is not connected); Extract match structure and match FlowSpace; Has packet been sent to a slice?; Are actions allowed?; Send to slice (drop if controller is not connected); Insert a drop rule; Log exception; No match; Done]

Page 12: Virt july-2013-meetup

Message Handling - FlowMod

[Flowchart: FlowMod handling. Node labels: FlowMod; Slicing permitted? (Slice Actions); Send Error, log exception; Extract match struct and intersect FlowSpace; Intersections / No Intersections; For each intersection, rewrite original flowmod with flowspace info; Has slice permissions?; Zero rewrites?; Log exception; Done]
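The FlowMod steps named in the flowchart (intersect the match with the FlowSpace, rewrite once per intersection, reject on zero rewrites), as an added Python sketch that is not FlowVisor's own code. The FlowSpace rules, slice names, the `"r"`/`"w"` permission strings and the function names are assumptions made for illustration; `nw_dst` and `tp_dst` are OpenFlow 1.0 match fields.

```python
import ipaddress

# Constructed FlowSpace; the "r"/"w" permission strings are an assumed encoding.
FLOWSPACE = [
    {"match": {"tp_dst": 80}, "perms": {"web": "rw"}},
    {"match": {"tp_dst": 5060}, "perms": {"voip": "rw", "web": "r"}},
    {"match": {"nw_dst": "10.0.0.0/8", "tp_dst": 8080}, "perms": {"web": "rw"}},
]

def intersect(m1, m2):
    """Intersect two matches; a missing field is a wildcard. None means disjoint."""
    out = dict(m1)
    for field, want in m2.items():
        have = out.get(field)
        if have is None:
            out[field] = want                      # wildcard narrows to the rule's value
        elif field in ("nw_src", "nw_dst"):
            a, b = ipaddress.ip_network(have), ipaddress.ip_network(want)
            if a.subnet_of(b):
                out[field] = str(a)
            elif b.subnet_of(a):
                out[field] = str(b)
            else:
                return None                        # CIDR blocks nest or are disjoint
        elif have != want:
            return None
    return out

def slice_flowmod(slice_name, match, flowspace=FLOWSPACE):
    """Return the FlowMod matches to install, each confined to the slice's FlowSpace."""
    rewrites = []
    for rule in flowspace:
        if "w" not in rule["perms"].get(slice_name, ""):
            continue                               # slice may not write this region
        narrowed = intersect(match, rule["match"])
        if narrowed is not None and narrowed not in rewrites:
            rewrites.append(narrowed)
    if not rewrites:
        # Zero rewrites: the proxy answers with an error instead of forwarding.
        raise PermissionError(f"{slice_name}: FlowMod outside FlowSpace: {match}")
    return rewrites

if __name__ == "__main__":
    # The web slice asks for all traffic to 10.1.0.0/16; it only gets its own ports.
    print(slice_flowmod("web", {"nw_dst": "10.1.0.0/16"}))
```

A controller that believes it owns the whole datapath can send a broad match; the proxy installs only the narrowed rules, which is what keeps one slice from capturing another slice's traffic.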

Page 13: Virt july-2013-meetup

FlowVisor Highlights

• Demonstrations:
– Open Networking Summit ’12 and ’13
– GENI GEC 9
– Best demo at SIGCOMM ’09

• Deployments:
– GENI
– OFELIA
– Stanford Production Network
– In use at NEC and Ericsson labs, as well as other vendors

• 3 releases in the past year
– 1.0 release downloaded over 70 times in one day

Page 14: Virt july-2013-meetup

FlowVisor Downloaders, Release 1.0

• University Research: Georgia Tech, Rutgers, KSU, U of Wisconsin, U of Utah, Clemson

• R&E Networks: APNIC, BBN, NYSERNet, CENIC

• Commercial Network Ops: AT&T, Comcast, EarthLink, PSINet, RCN

• Vendors: Goldman Sachs, Cisco, Aruba, NEC, Ericsson

Page 15: Virt july-2013-meetup

FlowVisor Summary

• FlowVisor introduces the concept of a network slice

• Not a complete virtualization solution.

• Originally designed to test new network services on production traffic

• But, it’s really only a Network Slicer!

FlowVisor provides network slicing but not a complete network virtualization.

Page 16: Virt july-2013-meetup

What should Network Virtualization be?

• Conceptually introduces virtual network which is decoupled from physical network

• Should not change the abstractions we know and love of physical networks

• Should provide some new ones: instantiation, deletion, service deployment, migration, etc.

At least what I think ;)

Page 17: Virt july-2013-meetup

[Figure labels: MPLS, VRF, Overlays, TRILL, VLAN, VPN]

What is Network Virtualization?

None of these give you a virtual network

They merely virtualize one aspect of a network

Topology Virtualization

• Virtual links
• Virtual nodes
• Decoupled from physical network

Address Virtualization

• Virtual Addressing
• Maintain current abstractions
• Add some new ones

Policy Virtualization

• Who controls what?
• What guarantees are enforced?

Page 18: Virt july-2013-meetup

Network Virtualization vs. Network Slicing

Say you want two networks with exactly the same properties.

Slicing

• Sorry, you can’t.

• You need to discriminate traffic of two networks with something other than the existing header bits

• Thus no address or complex topology virtualization

Network virtualization

• Virtual nets are completely independent

• Virtual nets are distinguished by the tenant id

• Complete address and topology virtualization

Page 19: Virt july-2013-meetup

Virtualization: State of the Art

• Functionality implemented at the edge

• Use of tunneling techniques, such as STT, VXLAN, GRE

• Network core is not available for innovation

• Closed source controller controls the behaviour of the network

• Provides address and topology virtualization, but limited policy virtualization.

• Moreover, the topology looks like only one big switch

Page 20: Virt july-2013-meetup

Big Switch Abstraction

[Figure: big switch abstraction. Labels: SWITCH 1, SWITCH 2, edge ports E1 to E6]

• A single switch greatly limits the flexibility of the network controller

• Cannot specify your own routing policy.

• What if you want a tree topology?

Page 21: Virt july-2013-meetup

Current Virtualization vs. OpenVirteX

Current Virtualization Solutions

• Networks are not programmable

• Functionality implemented at the edge

• Network core is not available for innovation

• Must provision tunnels to provide virtual topology

• Address virtualization provided by encapsulation

OpenVirteX

• Each virtual network is handed to a controller for programming.

• Edge & core available for innovation

• Entire physical topology may/can be exposed to the downstream controller.

• Address virtualization provided by remapping/rewriting header fields

• Both dataplanes and controllers can be used unmodified.

Page 22: Virt july-2013-meetup

OpenVirteX

"All problems in computer science can be solved by another level of indirection." - David Wheeler

OpenVirtex

Page 23: Virt july-2013-meetup

Ultimate Goal

OpenVirteX

Page 24: Virt july-2013-meetup

Address Space Virtualisation

Control traffic address translation

Data traffic address mapping

Data traffic address translation

Page 25: Virt july-2013-meetup

Topology Virtualization - Abstractions

• Expose physical topology to tenants

• Virtual link: collapse multi-hop path into one-hop link

• Approach is also valid for proactive rules

OpenVirtex

Page 26: Virt july-2013-meetup

Abstractions (contd.)

• Virtual switch: collapse ports dispersed over network into a switch

• Big switch is virtual switch with all edge ports

• Use separate controller for each virtual switch
– Allow OpenVirteX admin to control routing within virtual switch

[Figure labels: virtual, physical, virtual switch, edge ports, core ports, VM]

Page 27: Virt july-2013-meetup

OpenVirteX: Interaction with the Real-World

[Figure labels: NetVisor, OpenVirtex]

Page 28: Virt july-2013-meetup

OpenVirteX API: Mapping to Quantum

[Figure labels: OpenStack Management System; Nova; Quantum; Other Components; Nova plugin; Quantum plugin; virtual switch; vSwitch; VM1, VM2, VM3; OpenVirteX; OpenFlow Physical Network]

Page 29: Virt july-2013-meetup

OpenVirteX API: Mapping to Quantum

OpenVirteX | Quantum
Create Network API | ✔
Attach Port API | ✔
Create vRouter API | ✔
Configure Topology API | Via the Router extension

Page 30: Virt july-2013-meetup

High Level Features

• Support for more generalized network virtualization as opposed to slicing
– Address virtualization: use extra bits or clever use of tenant id in header
– Topology virtualization: on demand topology

• Integrate with cloud using OpenStack
– Via the Quantum plugin

• Support any OF 1.x version, simultaneously

• Support for scale, HA and security features.
– Incorporate right building blocks from other OSS

Just finished implementing a prototype

Page 31: Virt july-2013-meetup

Current Status

• Quick and dirty prototype implemented

• Provides address space virtualisation/isolation

• Two topology abstractions:
– Virtual Link
– Virtual Switch

• Current implementation not intended to scale or provide any significant performance
– It’s a proof of concept

Page 32: Virt july-2013-meetup

Future Challenges

• Traffic engineering, e.g., load balancing

• Reliability, e.g., disjoint paths

• The above needs special attention when offering topology abstractions
– They may even be severely impacted.

• Physical topology changes

• Tenant may ask for reconfiguration of virtual network

• Extremely challenging to get right

Page 33: Virt july-2013-meetup

Conclusion

• FlowVisor 1.0 will continue to be supported

• OpenVirteX is still in the design phase
– But our clear goal is to deliver programmable virtual networks.

• An initial proof of concept may be available in Q3 2013.

• Contributions to FlowVisor and OpenVirteX are greatly appreciated and welcomed.

Page 34: Virt july-2013-meetup

Thanks!

Questions?