MidoNet 101: Face to Face with the Distributed SDN
Midokura has made the source code for MidoNet freely available at www.midonet.org, delivering a truly open, vendor-agnostic network virtualization solution for the OpenStack and Docker communities.

About MidoNet
Taking an overlay-based approach to network virtualization, MidoNet sits on top of any IP-connected network, and pushes the network intelligence to the edge of the network, in software. MidoNet makes it possible to build an IaaS cloud with fully virtualized and distributed scale-out L2-L4 networking.

FOSDEM 2015
Presenters: Antonio Sagliocco and Alex Bikfalvi, Midokura Engineering


  1. MidoNet 101! Face-to-face with the distributed SDN. Antonio Sagliocco ∙ Alex Bikfalvi. FOSDEM 2015
  2. About Us
     • Software engineer at Midokura
     • Previously worked at Amazon as SDE in the network monitoring team
     • Currently working on the monitoring infrastructure for MidoNet
     • Also a software engineer at Midokura
     • Previously a networking researcher in distributed systems
     • Currently working on re-architecting the state cluster for MidoNet
  3. Agenda
     I. Network Virtualization: What is it? • Key Advantages • Overlay vs. Underlay
     II. MidoNet 101: Features • Architecture • Intelligence at the Edge • Under the Hood
     III. Features: Switching • Routing • Firewall • NAT • Load Balancing • API
     IV. Open Source: Initiative • Project Showcase • Coming Soon
  4. Network Virtualization
  5. What Is Network Virtualization?
     Decoupling an infrastructure/service from the physical hardware assets on which the service operates. Is it a new concept?
     • Network overlay: Virtual Private Networks (VPNs), Point-to-Point Protocol (PPP)
     • Physical underlay: IP fabric, just a carrier for data, potentially invariant
  6. What Is Network Virtualization?
     • Fills the gap between compute and network introduced by host virtualization
     • Think of it as Network-as-a-Service
     • Network functions implemented in software: Router, Switch, L3 Switch, Load Balancer, NAT, QoS, ACL, Gateway
     "Virtualize the Network to Network the Virtualization"
  7. Key Advantages
     Simplified Physical Network
     • Standards • Cheap • Easy
     Easy Network Management
     • Physical network engineers vs. virtualization engineers
     • Connectivity/capacity monitored in the underlay
     Cloud Friendly
     • Reduced provisioning time • Highly programmable • Automated network infrastructure • Scales up and down with your workload
     No Topology Limitations
     • Physical topologies are rigid
     • Physical topologies have limitations (e.g. 4096 VLANs)
  8. Overlay vs. Underlay
     [Figure: the virtual topology (Virtual Provider Router, Virtual Tenant Routers A and B, Virtual Switches A1, A2 and B1, connected through vPorts) laid over the physical topology (border gateway nodes running BGP, compute nodes hosting the virtual machines, private IP network)]
  9. MidoNet 101
  10. What is MidoNet?
     1. Virtual Switching: layer 2 over layer 3, decoupled from the physical network, with layer 2 isolation
     2. Virtual Routing: routing between virtual networks within a software container, with layer 3 isolation
     3. Network Address Translation: stateless and stateful NAT, dynamic NAT and port masquerading
     4. Firewall and Load Balancing: kernel-integrated for high performance; reduces the need for dedicated hardware
     5. GRE and VXLAN tunneling: requires only layer 3 connectivity between MidoNet nodes
     6. MidoNet and Neutron REST API: alignment and integration with the OpenStack cloud management platform
     [Figure: stack with Application and Cloud Management Platform on top, MidoNet Virtualization (Virtual L2, Virtual L3, Firewall, Layer 4 LB, NAT, GRE/VXLAN, REST API) beside Machine Virtualization (KVM, ESXi, XEN, LXC), and Hardware at the bottom]
  11. MidoNet Architecture
     [Figure: a Cloud Orchestrator drives the Network State Cluster through the REST API; virtual servers run VMs plus a MidoNet Agent, and x86 border routers run a MidoNet Agent as a BGP gateway to the Internet; all nodes sit on the private IP network, exchanging tunnelled traffic with each other and cluster RPC with the state cluster]
  12. Overlay vs. Underlay Revisited
     [Figure: the topology of slide 8 again, now with a MidoNet Agent on every border gateway node and compute node, and the State Cluster attached to the private IP network]
  13. Intelligence at the Edge
     MidoNet leverages a distributed architecture where the SDN intelligence is pushed to the edge.
     1. VM 1 sends a packet through the virtual network
     2. The MN Agent fetches the virtual topology/state
     3. It simulates the packet through the virtual network
     4. It installs a flow rule in the kernel at the ingress host
     5. Packets are tunnelled to the egress host
     [Figure: compute nodes (hosts) running VMs and a MidoNet Agent on the Linux kernel, a border node, the State Cluster and the private IP network; virtual topology with Virtual Tenant Router A, Virtual Switches A1 and A2 and the Virtual Provider Router]
  14. Intelligence at the Edge
     1. Scales Better
     • Distributes flow computation and resource usage to the edge
     • Distributed flow computation vs. flow rule propagation
     2. Easier Debugging
     • More robust, no single point of failure
     • Just-in-time flow computation vs. centralized flow pre-computation
     3. Easier Synchronization
     • The consistency model is simpler
     • Transactional topology updates vs. batches of flow rule updates
  15. Peeking Under the Hood
     1. A packet sent by VM1 misses the OVS datapath
     2. The packet is sent to the MidoNet Agent via Netlink
     3. The MidoNet Agent processes and simulates the packet
     4. It installs a flow rule in the kernel at the ingress host
     5. Packets are tunnelled to the egress host
     [Figure: Host A and Host B each run VM1, a MidoNet Agent in user mode and the OVS kernel module in the Linux kernel (kernel mode); packets cross the private IP network encapsulated as Outer Ethernet / IPv4 / UDP / VXLAN or GRE; virtual topology with VM 1, VM 2, Virtual Tenant Router A, Virtual Switches A1 and A2]
  16. Peeking Under the Hood
     ARP request from VM1: what is the L2 MAC address for the IP of VM2?
     3. The MidoNet Agent completes the request (the figure shows it consulting the State Cluster)
     4/5. It returns the ARP reply to the originating VM1
     No data is transmitted over the wire.
     [Figure: same host layout as slide 15; virtual topology with VM 1, VM 2, Virtual Tenant Router B and Virtual Switch B1]
  17. Features
  18. Distributed L2 Switching
     • State cluster based on ZooKeeper
     • Stores the virtual topology
     • Topology is cached by the MidoNet Agent
     • Agents access data using publish-subscribe
     [Figure: Virtual Switch B1 with its MAC table (AC:CA:BA:00:00:01 → vPort 0 → Host 0; AC:CA:BA:00:00:02 → vPort 1 → Host 1) and a GRE/VXLAN tunnel zone mapping hosts to IPv4 addresses (192.168.0.1 → Host 0; 10.0.0.1 → Host 1); VM 1 has MAC AC:CA:BA:00:00:01 and IP 192.168.0.1, VM 2 has MAC AC:CA:BA:00:00:02 and IP 10.0.0.1]
  19. Layer 2 Gateways
     L2 gateway for VXLAN tunneling
     • The state cluster adds L2 gateway functions
     • Exchanges state data with hardware VXLAN tunnel end-points (VTEPs)
     • Leverages virtualization at the edge to optimize the traffic flow
     [Figure: Virtual Switch B1 with vPort 0 and vPort 1 for the VMs, a vPort L3GW toward the Virtual Provider Router and a vPort L2GW toward a hardware VTEP; the VTEP fronts a layer 2 network and exchanges VXLAN state with the State Cluster (L2 VXLAN Gateway)]
  20. Distributed Layer 2 Networks
     Scalability and High Availability
     [Figure: Virtual Switch B1 with vPorts L2GW 0, L2GW 1 and L2GW 2, each bound to a hardware VTEP on the L2 network; virtual servers with VM 1 and VM 2 and the State Cluster on the private IP network]
  21. Distributed Layer 3 Routing
     Scalability and High Availability
     [Figure: Virtual Tenant Router B connects Virtual Switch B1 to the Virtual Provider Router, whose vPorts L3GW map to several border nodes, each peering over BGP with the provider network]
  22. Firewall
     • MidoNet supports OpenStack/Neutron Security Groups
     • Apply to each network port bound to a VM, inbound or outbound
     • Any forward traffic not explicitly allowed by a rule is dropped
     • Return traffic is allowed
     Port-level firewall:
       $ neutron security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 --direction ingress security-group-1
       (SG-1: allowing SSH inbound traffic)
       $ neutron security-group-rule-create --protocol icmp --direction ingress security-group-2
       (SG-2: allowing ICMP inbound traffic)
     MidoNet models: Chains and Rules
     • Anti-spoofing • L2 - L4 header fields • Wildcards • Ranges
     [Figure: VM 1 and VM 2 on Virtual Switches A1 and A2 behind Virtual Tenant Router A and the Virtual Provider Router; vPort 0 and vPort 1]
  23. Firewall
     The two security-group rules of slide 22 translated into MidoNet chains for vPort0 (VM 1: MAC1 AC:CA:BA:00:00:01, IP1 192.168.0.1; VM 2: MAC2 AC:CA:BA:00:00:02, IP2 10.0.0.1; the figure labels the ports SG-1, SG-1 and SG-2):
     CHAIN vPort0 ingress
       DROP if not MAC1
       DROP if not IP1
       ACCEPT return flow
       JUMP SG-1 ingress
       DROP everything
     CHAIN SG-1 ingress
       ACCEPT TCP port range [22, 22]
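To make the chain semantics on this slide concrete, here is an added Python model (not MidoNet's code) of the vPort0 ingress chain and the SG-1 chain: rules are walked in order, JUMP delegates to another chain and falls through if that chain gives no verdict, and the return-flow rule is backed by a flow-state set of accepted 5-tuples. Packet, evaluate, process and CHAINS are hypothetical names; the addresses are the slide's values, and the model is direction-agnostic (any recorded 5-tuple matches its reverse as return flow).

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str            # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    def key(self):        # 5-tuple in the packet's own direction
        return (self.src_ip, self.dst_ip, self.proto, self.src_port, self.dst_port)
    def reverse_key(self):  # the same connection seen from the other direction
        return (self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)

# Constructed from the slide: vPort0 belongs to VM 1 (MAC1/IP1), a member of SG-1.
MAC1, IP1 = "AC:CA:BA:00:00:01", "192.168.0.1"

# Each rule is (condition, action); action is "ACCEPT", "DROP" or ("JUMP", chain).
CHAINS = {
    "SG-1 ingress": [
        (lambda p, st: p.proto == "tcp" and 22 <= p.dst_port <= 22, "ACCEPT"),
    ],
    "vPort0 ingress": [
        (lambda p, st: p.src_mac != MAC1, "DROP"),        # anti-spoofing, L2
        (lambda p, st: p.src_ip != IP1, "DROP"),          # anti-spoofing, L3
        (lambda p, st: p.reverse_key() in st, "ACCEPT"),  # return flow of a known connection
        (lambda p, st: True, ("JUMP", "SG-1 ingress")),   # the tenant's security-group rules
        (lambda p, st: True, "DROP"),                     # default deny
    ],
}

def evaluate(chain, pkt, flow_state):
    """Walk the chain in order; a JUMP whose target gives no verdict falls through to the next rule."""
    for cond, action in CHAINS[chain]:
        if not cond(pkt, flow_state):
            continue
        if isinstance(action, tuple):            # ("JUMP", target)
            verdict = evaluate(action[1], pkt, flow_state)
            if verdict != "CONTINUE":
                return verdict
            continue
        return action
    return "CONTINUE"

def process(pkt, flow_state):
    """vPort0 ingress verdict; accepted packets seed flow state for the return direction."""
    verdict = evaluate("vPort0 ingress", pkt, flow_state)
    if verdict == "ACCEPT":
        flow_state.add(pkt.key())
    return verdict
```

Note that a reply to a connection accepted elsewhere (its 5-tuple already in the flow state) passes the return-flow rule without any SG-1 rule for its port, which is the "return traffic is allowed" behaviour of slide 22.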
  24. Network Address Translation
     L4 NAT for a TCP connection: the forward flow from 10.0.0.100:1234 on the private network is translated to 151.16.16.1:37001 on the public network, and the return flow is translated back
     • Different agents must exchange flow information
     • Drop not-allowed packets at the ingress host
     • Protects the private underlay
     [Figure: virtual topology with VM 1 and VM 2 on Virtual Switch B1 behind Virtual Tenant Router B and the Virtual Provider Router facing the provider network; physical topology with VM 1, the private IP network and a border router]
  25. Distributed Flow State
     • Flow state forwarded to possibly interested hosts
     • No delay for simulating flow ingress packets at other hosts
     • State backup in cluster
     [Figure: the forward flow leaves the ingress host (Fwd out) and enters the egress host (Fwd in); the return flow comes back the other way (Ret in / Ret out); the ingress host pushes its flow state to the possible return-flow ingress hosts, the possible forward-flow ingress hosts and the State Cluster]
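As an added example for slides 24 and 25 (not MidoNet's code): a Python sketch of how the ingress host, after simulating the first packet of the TCP connection from 10.0.0.100:1234, records the NAT entry for both directions (151.16.16.1:37001 on the public side) and pushes it to the hosts where the return flow may enter, with a copy in the cluster, so that a border node can translate the reply without re-simulating. Agent, Flow, STATE_CLUSTER, demo and the destination 198.51.100.7:80 are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Flow:
    """TCP 4-tuple in the direction a packet travels."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    def reverse(self) -> "Flow":
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)

# Constructed from slide 24: the VM's 10.0.0.100:1234 is masqueraded behind the
# provider address 151.16.16.1 (port 37001 in the slide's example).
PUBLIC_IP = "151.16.16.1"
STATE_CLUSTER: Dict[Flow, Flow] = {}   # hypothetical stand-in for the cluster backup

class Agent:
    """Stand-in for one host's MidoNet agent with its local flow-state table."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.state: Dict[Flow, Flow] = {}

    def simulate_forward(self, pkt: Flow, nat_port: int, interested: List["Agent"]) -> Flow:
        """Ingress host: simulate the first packet of a new connection, derive the
        NAT entry for both directions, push it to every host where the return
        flow may ingress, and back it up in the cluster."""
        translated = Flow(PUBLIC_IP, nat_port, pkt.dst_ip, pkt.dst_port)
        entry = {pkt: translated, translated.reverse(): pkt.reverse()}
        for host in [self] + interested:
            host.state.update(entry)
        STATE_CLUSTER.update(entry)
        return translated

    def translate(self, pkt: Flow) -> Optional[Flow]:
        """Any host: rewrite from pushed state without re-simulating, falling back
        to the cluster backup; None means no state exists for this flow."""
        hit = self.state.get(pkt)
        return hit if hit is not None else STATE_CLUSTER.get(pkt)

def demo() -> Optional[Flow]:
    """The forward packet enters at a compute node; its reply enters at a border node."""
    compute, border = Agent("compute-0"), Agent("border-0")
    original = Flow("10.0.0.100", 1234, "198.51.100.7", 80)   # constructed destination
    compute.simulate_forward(original, 37001, interested=[border])
    return border.translate(Flow("198.51.100.7", 80, PUBLIC_IP, 37001))

if __name__ == "__main__":
    print(demo())
```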
  26. Open Source
  27. MidoNet Project
     • Web: midonet.org
     • Wiki: wiki.midonet.org
     • Blog: blog.midonet.org
     • Mailing list: lists.midonet.org
     • GitHub: github.com/midonet
     • GerritHub: gerrithub.io/midonet
     • IRC: #midonet on freenode
  28. Confidential