SDN-enhanced Services in Enterprises and Data Centers

626 views

Published on

Talk given at the DIMACS Workshop on Software Defined Networking, December 2012
Rutgers University

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
626
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
31
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

SDN-enhanced Services in Enterprises and Data Centers

  1. 1. Anees Shaikh IBM TJ Watson Research Center RESEARCH SDN-enhanced Services in Enterprises and Data Centers Collaboration with Mohammad Banikazemi, Salman Baset, Jack Kouloheris, David Olshefski, John Tracey, Guohui Wang © 2012 IBM Corporation
  2. 2. RESEARCH What this talk is about  State of the API / network models in SDN controllers – ultimately crucial to realize the full promise of SDN  Unexplored use cases for SDN in the data center – is  this  considered  “SDN  Research”  ?    maybe  not,  but  it  should  be  … 2 DIMACS SDN | December 2012 © 2012 IBM Corporation
  3. 3. RESEARCH Does anyone care about network APIs? Network engineer view  “Vendors offering APIs to network engineers to help them solve their issues is akin to a an auto manufacturer handing a pile of metal and a welding torch to someone who needs a new car”  “Some  vendors believe the best approach is to hand off APIs, under the assumption that the network engineers know what they need and (apparently) have time to learn a programming  language.  The  reality  is  that  network  engineers  don’t  have  that  kind  of   time”  -- “Why  are  network  engineers  sick  of  hearing  about  SDN?,”  Nov 2012, packetpushers.net Application developer view  Application developers are primarily just users of the network  Little interest or ability to understand details of network operation – rely  on  the  “network  guys”  DevOps model requires more direct ability to influence the operational network – need for network APIs and tools for developers  (no good blog quotes yet) 3 DIMACS SDN | December 2012 © 2012 IBM Corporation
  4. 4. RESEARCH A reference software-defined networking controller platform Enterprise security management network control applications multi-tenant virtualization QoS traffic control storage networking Cloud provisioning IT service management network integration services network cloud network DR security network services enforcement provisioning NETWORK ABSTRACTIONS and APIs … network control applications and integration points logical network models and application APIs network  “system  calls” NETWORK ORCHESTRATION global network view OpenFlow controller 4 virtual overlay controller legacy device configuration DIMACS SDN | December 2012 network runtime state middlebox / 3rd party mgmnt interfaces logical – physical translation , arbitration, network-wide services “drivers”  for  controlling  network   devices and capabilities © 2012 IBM Corporation
  5. 5. RESEARCH Where we are network control applications multi-tenant virtualization traffic steering access control load balancing network-level applications with legacy equivalents NETWORK REPRESENTATION representation of the physical network NETWORK STATE LLDP topology OpenFlow controller 5 virtual overlay controller legacy device configuration DIMACS SDN | December 2012 limited network state, limited orchestration counters middlebox / 3rd party mgmnt interfaces OpenFlow as the primary driver (fowarding plane) © 2012 IBM Corporation
  6. 6. RESEARCH Current SDN controller APIs  Floodlight – mostly OF protocol wrappers, with some abstractions – query for switch properties, read per-switch and global flow counters – insert / delete flow entries • {"switch": "00:00:00:00:00:00:00:01", "name":"flow-mod-1", "cookie":"0", "priority":"32768", "ingress-port":"1","active":"true", "actions":"output=2"} – ACL rules • {"src-ip": "10.0.0.4/32", "nw-proto":"UDP", "tp-src":"5010", "action":"DENY" } – Attach to virtual Quantum network • {"attachment": {"id": "NetworkId1", "mac": "00:00:00:00:00:08"}} – Trema, NOX/POX, Ryu …  similar  (or  fewer)  abstractions  Frenetic – programming simplification on top of a standard OF protocol driver – SQL-like queries for collecting network data – simplified composition and optimization of application rules – abstracted topology views (!) Need APIs that provide alternative models of the network for applications and services 6 DIMACS SDN | December 2012 © 2012 IBM Corporation
  7. 7. RESEARCH Example abstract network models for SDN applications  Single virtual switch – policy-based connectivity between physical or virtual machines VM VM – use switch-level concepts to describe connectivity and policies – ports, VLANs, profiles, etc. – switch per tenant view or single large switch for global policies – attach high-level  rules  or  policies  to  logical  “port   profiles”  (ACLs,  in/out  firewall,  traffic   marking/policing, etc.)  Annotated network graph – suitable for running variety of graph algorithms – example edge annotations: utilization / avail bw, reserved bw, buffer occupancy stats, pkt drop stats – represent full or subset of actual topology (e.g., racklevel topology) – couple with management tooling to collect link or node metrics 7 DIMACS SDN | December 2012 attach rules to logical port profiles 𝒃𝒊 internal nodes edge nodes (e.g., vNICs) 𝒍𝒊 𝒅𝒊 © 2012 IBM Corporation
  8. 8. RESEARCH Example abstract network models for SDN applications  Tenant connectivity model – multi-tenant virtual network service – service model represents tenant VMs, virtual network segments, middleboxes, connectivity policies – requires labeling VMs with tenant ids, access userdefined policies, etc. insert virt middlebox in path VMs belonging to same tenant  Security enforcement model – provides control points for enforcing security actions – model shows applications/OS, VMs, hosts, and control points (not full topology) – integrates varying levels of application-level visibility (e.g., from provisioning engine) host related VMs / OS  types  … control points 8 DIMACS SDN | December 2012 © 2012 IBM Corporation
  9. 9. RESEARCH What this talk is about  State of the API / network models in SDN controllers – ultimately crucial to realize the full promise of SDN  Services use cases for SDN in the enterprise data center – IT service management processes – application connectivity services 9 DIMACS SDN | December 2012 © 2012 IBM Corporation
  10. 10. RESEARCH SDN progression in the data center SDN enablers SDN applications OpenFlow and centralized control multi-tenant network virtualization • industry standard protocol for SDN • first production use case for SDN • network-level automation • hardware and software enablement • solutions with and without OpenFlow • application-level network services • quickly becoming a standard feature on switches 10 • more OF controller options DIMACS SDN | December 2012 • ultimately, a universal feature network services and network integration • services on converged networks • integration with security, provisioning, disaster recovery, etc. © 2012 IBM Corporation
  11. 11. RESEARCH Migration and workload consolidation 7.1.3.8 Firewall rule: allow 7.6.*.* 7.2.3.4 DNS 7.2.3.5 Web Server 7.8.3.4 Web Server LDAP 7.3.3.4 Firewall rule: allow 7.2.3.4, 7.2.3.5 7.3.2.4 7.3.5.4 7.9.3.4 App Svr App Svr network configuration capture deploy configuration onto target 7.3.2.5 Firewall rule: allow 7.3.2.4, 7.3.2.5 7.5.2.3 11 DB2 DIMACS SDN | December 2012 © 2012 IBM Corporation
  12. 12. RESEARCH Migration and consolidation – IT process view (service transition) SDN-enhanced process application component discovery prepare / virtualize application • • • • • • 12 • • • • testing and cutover standardize application for cloud network renumbering overlap checking VLAN recreation middlebox traversal firewall rules … DIMACS SDN | December 2012 image remediation and fixups sandbox creation traffic mirroring access control re-integration in prod register app components in cloud • network installation • connectivity testing • ext service reachability © 2012 IBM Corporation
  13. 13. RESEARCH Security: Closed-loop network reconfiguration  Determine optimal security policies in response to anomalies detected or workload observed  abstract model shows applications/OS, VMs, hosts, and control points (not full topology) Security Analytics • Events from VM / host firewalls (iptables, ebtables) reconfiguration actions • Events from VPN, IPS/IDS appliances • Integrity management information from hosts and guests Network Security Manager event data from network devices additional events, scan results, patch releases …  collaboration with IBM CRL, Security Research Dept. at Watson host related VMs / app control points 13 DIMACS SDN | December 2012 © 2012 IBM Corporation
  14. 14. RESEARCH Security management – IT process view (service operations) monitor and detect security violations document security violation SDN-enhanced process security event detected event management (qualify event) incident diagnosis / escalation • redirect flows for further analysis • deploy additional analysis tools (e.g., honeypots) 14 DIMACS SDN | December 2012 incident resolution (e.g., network support) • tighten access control • quarantine to VLAN • notify patch system © 2012 IBM Corporation
  15. 15. RESEARCH Application connectivity patterns IPS Web FW App FW DB broadcast storage array disjoint LB cluster 15 Princeton / CS | November 2012 © 2012 IBM Corporation
  16. 16. RESEARCH Connectivity services for enterprises  Enterprises often have organizational silos between application and network teams – information / requirements exchanged through tickets, email, etc. – iterative process for complex applications  Traditional application teams have little understanding of connectivity, security, or network performance requirements for their applications – SDN-based connectivity service should not place burden of specifying network details on application deployers – contrast to self-service cloud model  SDN connectivity service interface should mimic the application  network team information exchange – SDN controller and apps assist network team through automation and consistent operations  SDN connectivity application must be populated with semantics and policy information to perform correct configurations – Q: What is the interface for populating this knowledge? Who provides it? 16 DIMACS SDN | December 2012 © 2012 IBM Corporation
  17. 17. RESEARCH Example: enterprise connectivity service abstractions app pattern • type: 3-tier webapp endpoint • MAC,  IP,  … • other props inherited from group app-layer connection group • properties: inet-facing, load-balanced • org: cust service • tier: 1 group • properties: load-balanced • org: cust service • tier: 2 17 DIMACS SDN | December 2012 group • properties: HADR • org: cust service • storevol: volumeid • tier: 3 © 2012 IBM Corporation
  18. 18. RESEARCH Summary: SDN consumption models  SDN  promises  more  seamless  integration  of  the  network  with  IT  processes  …  but, SDN APIs and abstractions are primarily geared for low-level network control – more work needed to develop the application interface of the SDN stack – discussed some examples in various states of experimentation  SDN use cases that matter to non-network experts – maybe more important than solving problems of correctness, reliability, scalability in SDN protocols and devices – needs  research  (this  isn’t  a  marketing  problem) 18 DIMACS SDN | December 2012 © 2012 IBM Corporation
  19. 19. RESEARCH Thank you 19 DIMACS SDN | December 2012 © 2012 IBM Corporation

×