SlideShare a Scribd company logo
Taking Security Groups
to Ludicrous Speed
with Open vSwitch
OpenStack Summit
Vancouver, 2015
Miguel Angel Ajo
@mangel_ajo
Ivar Lazzaro
@ivarlazzaro
Thomas Graf
@tgraf__
Justin Pettit
@Justin_D_Pettit
Agenda
Problem Statement
– Status Quo – a.k.a “The Bridge Mess”
Possible Solution
– OVS + Stateful services (+ OVN)
Results
– Performance Numbers
Q&A
Status Quo
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Mess of Bridges.
br-eth1
(Open vSwitch)
OpenFlow
table
OVS
bridge
br-int
(Open vSwitch)
Mess of Bridges.
br-eth1
(Open vSwitch)
veth
OpenFlow
table
OVS
bridge
br-int
(Open vSwitch)
Mess of Bridges.
br-eth1
(Open vSwitch)
qbr
(Linux Bridge)
qbr
(Linux Bridge)
qbr
(Linux Bridge)
veth
iptables
rules
OpenFlow
tableOVS
bridge
Linux
bridge
br-int
(Open vSwitch)
Mess of Bridges. Why?
VM
br-eth1
(Open vSwitch)
qbr
(Linux Bridge)
qbr
(Linux Bridge)
qbr
(Linux Bridge)
VM lxc
tap
veth
iptables
rules
OpenFlow
table
OVS
bridge
Linux
bridge
4-5 network devices per guest in host!
br-int
(Open vSwitch)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Possible Solution
Stacking Things Properly
(c) Karen Sagovac
Can we have a pure OVS Model?
br-int
(Open vSwitch)
VM
br-eth1
(Open vSwitch)
VM lxc
Tap, veth, or
internal port
OpenFlow table
with security groups
OVS
bridge
1 network device per guest in host!
Makes VMs and containers equally happy.
Some Background
(OVS, OVN, Kernel CT)
● Highly scaleable multi layer virtual switch for hypervisors
– Apache License (User Space), GPL (Kernel)
● Extensive flow table programming capabilities
– OpenFlow 1.0 – 1.5 (some partial)
– Vendor Extensions
● Designed to manage overlay networks
– VXLAN (+ extensions), GRE, Geneve, LISP, STT, VLAN, ...
● Remote management protocol (OVSDB)
● Monitoring capabilities
Open vSwitch
● Virtual Networking for OVS
– Developed by same team that made OVS
– Works on same platorms (Linux, Containers, Hyper-V)
● Provides L2/L3 virtual networking
– Logical switches and routers
– Conntrack-based security groups
– L2/L3/L4 ACLs
– Physical and DPDK-based logical-physical gateways
● Integrated with OpenStack and other CMSs
OVN
Implementing a Firewall with OVS
● OVS has traditionally only supported stateless matches
● As an example, currently, two ways to implement a firewall in OVS
– Match on TCP flags (Enforce policy on SYN, allow ACK|RST)
● Pro: Fast
● Con: Allows non-established flow through with ACK or RST
set, only TCP
– Use “learn” action to setup new flow in reverse direction
● Pro: More “correct”
● Con: Forces every new flow to OVS userspace, reducing flow
setup by orders of magnitude
– Neither approach supports “related” flows or TCP window
enforcement
Connection Tracking
● We are adding the ability to use the conntrack module from Linux
– Stateful tracking of flows
– Supports ALGs to punch holes for related “data” channels
● FTP, TFTP, SIP
● Implement a distributed firewall with enforcement at the edge
– Better performance
– Better visibility
● Introduce new OpenFlow extensions:
– Action to send to conntrack
– Match fields on state of connection
● Have prototype working. Expect to ship as part of OVS in next
release.
Netfilter Conntrack Integration
OVS Flow Table
Netfilter
Connection Tracker
CT
Table
Userspace Netlink API
Create & Update
CT entries
Connection State (conn_state=)
conntrack()
Recirculation
1
2
3
4
Zone 1
Connection Tracking Zones
OVS Flow Table
CT
Table
Zone 2
CT
Table
Netfilter
Connection Tracker
OVSFirewallDriver
OVSFirewallDriver
● Original proposal from Amir Sadoughi
– https://review.openstack.org/#/c/89712
● Stable/kilo (just a POC)
– https://review.openstack.org/#/c/183725/
Example HTTP Request
VM 1 VM 2
HTTP req
response
GLOSARY of OF actions
NORMAL = “do like a normal switch”
ct(commit) = “push this packet to CT”
ct(recirc) = “grab any ct info we have, set
+trk, and send to T0”
SG OpenFlow Table structure
+trk(+est/+rel)
→ NORMAL
ARP (with filters)
→ NORMAL
(…)
SG rules in OF:
ip
Egress T1Input T0 ct(commit,
recirc)
(…)
SG rules:
tp_dst=80
Ingress T2
From VM(n)
(MAC+in_port -trk)
-trk → ct(recirc)
ToVM(n)(MAC)
match
ct(commit),NORMAL
VM1
VM2
SG OpenFlow Table structure
+trk(+est/+rel)
→ NORMAL
ARP (with filters)
→ NORMAL
(…)
SG rules in OF:
ip
Egress T1Input T0 ct(commit,
recirc)
(…)
SG rules:
tp_dst=80
Ingress T2
From VM(n)
(MAC+in_port -trk-trk)
-trk → ct(recirc)
ToVM(n)(MAC)
match
ct(commit),NORMAL
VM1
SG OpenFlow Table structure
+trk(+est/+rel)
→ NORMAL
ARP (with filters)
→ NORMAL
(…)
SG rules in OF:
ip
Egress T1Input T0 ct(commit,
recirc)
(…)
SG rules:
tp_dst=80
Ingress T2
From VM(n)
(MAC+in_port -trk)
-trk → ct(recirc)
ToVM(n)(MAC)
match
ct(commit),NORMAL
SG OpenFlow Table structure
+trk(+est or +rel)
→ NORMAL
ARP (with filters)
→ NORMAL
(…)
SG rules in OF:
ip
Egress T1Input T0 ct(commit,
recirc)
(…)
SG rules:
tp_dst=80
Ingress T2
From VM(n)
(MAC+in_port -trk)
-trk → ct(recirc)
ToVM(n)(MAC)
match
ct(commit),NORMAL
SG OpenFlow Table structure
+trk(+est/+rel)
→ NORMAL
ARP (with filters)
→ NORMAL
(…)
SG rules in OF:
ip
Egress T1Input T0 ct(commit,
recirc)
(…)
SG rules:
tp_dst=80
Ingress T2
From VM(n)
(MAC+in_port -trk)
-trk → ct(recirc)
ToVM(n)(MAC)
match
ct(commit),NORMAL
VM2
SG OpenFlow Table structure
+trk(+est/+rel)
→ NORMAL
ARP (with filters)
→ NORMAL
(…)
SG rules in OF:
ip
Egress T1Input T0 ct(commit,
recirc)
(…)
SG rules:
tp_dst=80
Ingress T2
From VM(n)
(MAC+in_port -trk)
-trk → ct(recirc)
ToVM(n)(MAC)
match
ct(commit),NORMAL
VM2
SG OpenFlow Table structure
+trk(+est/+rel)
→ NORMAL
ARP (with filters)
→ NORMAL
(…)
SG rules in OF:
ip
Egress T1Input T0 ct(commit,
recirc)
(…)
SG rules:
tp_dst=80
Ingress T2
From VM(n)
(MAC+in_port -trk)
-trk → ct(recirc)
ToVM(n)(MAC)
match
ct(commit),NORMAL
SG OpenFlow Table structure
+trk(+est/+rel)
→ NORMAL
ARP (with filters)
→ NORMAL
(…)
SG rules in OF:
ip
Egress T1Input T0 ct(commit,
recirc)
(…)
SG rules:
tp_dst=80
Ingress T2
From VM(n)
(MAC+in_port -trk)
-trk → ct(recirc)
ToVM(n)(MAC)
match
ct(commit),NORMAL
VM1
SG OpenFlow Table structure
+trk(+est/+rel)
→ NORMAL
ARP (with filters)
→ NORMAL
(…)
SG rules in OF:
ip
Egress T1Input T0 ct(commit,
recirc)
(…)
SG rules:
tp_dst=80
Ingress T2
From VM(n)
(MAC+in_port -trk)
-trk → ct(recirc)
ToVM(n)(MAC)
match
ct(commit),NORMAL
openvswitch_firewall.py
● update_security_group_{rules, members}
● prepare_port_filter
● update_port_filter
● remove_port_filter
● filter_defer_apply_{on,off}
neutron.agent.linux.firewall.FirewallDriver
neutron.agent.linux.openvswitch_firewall.OVSFirewallDriver
Performance Numbers
Test Setup Explained
System: 2 Socket, 24 core, IvyBridge
CPU: Intel(R) Xeon(R) CPU E5-2643 v2 @ 3.50GHz
Kernel: 3.10.0-229.1.2.el7.x86_64
Test: Netperf with TCP_STREAM and TCP_RR
Notes: Virt overhead eliminated, netperf/netserver runs baremetal
Compute 1
netperf
Compute 2
10GiB Link
netserver
netserver
local
Multi node
TCP Stream, Local, 1 netperf thread
64 128 512 1024 9000 64000
0
50
100
150
200
250
300
350
400
450
500
0
5,000
10,000
15,000
20,000
25,000
TCP stream Local, 1 netperf threads
sub-title
iptables throughput
OVS throughput
iptables cycles
OVS cycles
Packet Size
CPUMegacyclesperMbit
Mbit
TCP Stream, Local, 16 netperf threads
64 128 512 1024 9000 64000
0
50
100
150
200
250
300
350
400
0
50,000
100,000
150,000
200,000
250,000
TCP stream Local, 16 netperf threads
sub-title
iptables throughput
OVS throughput
iptables cycles
OVS cycles
Packet Size
CPUMegacyclesperMbit
Mbit
TCP Stream, Multi Node, 8 netperf threads
64 128 512 1024 9000 64000
0
50
100
150
200
250
0
1,000
2,000
3,000
4,000
5,000
6,000
7,000
8,000
9,000
10,000
TCP stream node-to-node, 8 netperf threads
iptables throughput
OVS throughput
iptables cycles
OVS cycles
Packet Size
CPUMegacyclesperMbit
Mbit
TCP Requests, Local, 1 netperf thread
64 128 512 1024 9000 64000
0
50
100
150
200
250
300
350
400
450
500
0
5,000
10,000
15,000
20,000
25,000
TCP stream Local, 1 netperf threads
sub-title
iptables throughput
OVS throughput
iptables cycles
OVS cycles
Packet Size
CPUMegacyclesperMbit
Mbit
TCP Requests, Local, 64K packets
1 4 8 16
0
10
20
30
40
50
60
70
0
20,000
40,000
60,000
80,000
100,000
120,000
140,000
160,000
TCP Requests/s Local, 64K packets
sub-title
iptables requests/s
OVS requests/s
iptables cycles
OVS cycles
Number netperf threads
CPUMegacyclesperMbit
Requests/s
TCP Requests, Multi Node, 1 netperf thread
64 128 512 1024 9000 64000
0
2
4
6
8
10
12
14
16
18
20
0
5,000
10,000
15,000
20,000
25,000
30,000
TCP Requests/s node-to-node, 1 netperf threads
sub-title
iptables requests/s
OVS requests/s
iptables cycles
OVS cycles
Packet Size
CPUMegacyclesperMbit
Requests/s
TCP Requests, Multi Node, 64K packets
1 4 8 16
0
5
10
15
20
25
30
35
40
0
2,000
4,000
6,000
8,000
10,000
12,000
14,000
16,000
18,000
20,000
TCP Requests/s node-to-node, 64K packets
sub-title
iptables requests/s
OVS requests/s
iptables cycles
OVS cycles
Number netperf threads
CPUMegacyclesperMbit
Requests/s
Conclusion
● Both throughput and latency are considerably improve (Up to 6x in
some situations).
● If limited by wire speed, pure OVS approach generally consumes
less CPU cycles for the same result, leaving more resources for
actual workload.
● Issue for specific packet sizes to be investigated and resolved before
merge.
Next Steps
● Convert ML2 PoC to a patch that can be merged
– Write functional tests
– Optimize OF rules/manipulation
● Complete upstream merge of connection tracking
support in Open vSwitch in the Linux kernel
● Consider and realize OVN integration of this work
● Hopefully ready for Liberty
Q&A
● OVS w/ CT Neutron ML2 plugin
– https://github.com/mangelajo/vagrant-rdo-juno-ovs-ct
-firewall
● Open vSwitch
– http://openvswitch.org/
● Conntrack code on GitHub
– https://github.com/justinpettit/ovs/tree/conntrack
● Stateful Connection Tracking & Stateful NAT (OVS
conference)
– http://www.openvswitch.org/support/ovscon2014/17
/1030-conntrack_nat.pdf
Thank You!

More Related Content

What's hot

Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조
Seung-Hoon Baek
 
The Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchThe Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitch
Te-Yen Liu
 
Openstack Neutron, interconnections with BGP/MPLS VPNs
Openstack Neutron, interconnections with BGP/MPLS VPNsOpenstack Neutron, interconnections with BGP/MPLS VPNs
Openstack Neutron, interconnections with BGP/MPLS VPNs
Thomas Morin
 
debugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitchdebugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitch
어형 이
 
Large scale overlay networks with ovn: problems and solutions
Large scale overlay networks with ovn: problems and solutionsLarge scale overlay networks with ovn: problems and solutions
Large scale overlay networks with ovn: problems and solutions
Han Zhou
 
Deploying IPv6 on OpenStack
Deploying IPv6 on OpenStackDeploying IPv6 on OpenStack
Deploying IPv6 on OpenStack
Vietnam Open Infrastructure User Group
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
PLUMgrid
 
ML2/OVN アーキテクチャ概観
ML2/OVN アーキテクチャ概観ML2/OVN アーキテクチャ概観
ML2/OVN アーキテクチャ概観
Yamato Tanaka
 
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
ShapeBlue
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networking
Sim Janghoon
 
Neutron qos overview
Neutron qos overviewNeutron qos overview
Neutron qos overview
Sławomir Kapłoński
 
L3HA-VRRP-20141201
L3HA-VRRP-20141201L3HA-VRRP-20141201
L3HA-VRRP-20141201
Manabu Ori
 
Fun with Network Interfaces
Fun with Network InterfacesFun with Network Interfaces
Fun with Network Interfaces
Kernel TLV
 
Open vSwitch Introduction
Open vSwitch IntroductionOpen vSwitch Introduction
Open vSwitch Introduction
HungWei Chiu
 
OVN DBs HA with scale test
OVN DBs HA with scale testOVN DBs HA with scale test
OVN DBs HA with scale test
Aliasgar Ginwala
 
MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)
JuHwan Lee
 
Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...
Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...
Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...
LINE Corporation
 
Open vSwitchソースコードの全体像
Open vSwitchソースコードの全体像 Open vSwitchソースコードの全体像
Open vSwitchソースコードの全体像
Sho Shimizu
 
Demystifying openvswitch
Demystifying openvswitchDemystifying openvswitch
Demystifying openvswitch
Prasad Mukhedkar
 
OpenStack: Inside Out
OpenStack: Inside OutOpenStack: Inside Out
OpenStack: Inside Out
Etsuji Nakai
 

What's hot (20)

Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조
 
The Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchThe Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitch
 
Openstack Neutron, interconnections with BGP/MPLS VPNs
Openstack Neutron, interconnections with BGP/MPLS VPNsOpenstack Neutron, interconnections with BGP/MPLS VPNs
Openstack Neutron, interconnections with BGP/MPLS VPNs
 
debugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitchdebugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitch
 
Large scale overlay networks with ovn: problems and solutions
Large scale overlay networks with ovn: problems and solutionsLarge scale overlay networks with ovn: problems and solutions
Large scale overlay networks with ovn: problems and solutions
 
Deploying IPv6 on OpenStack
Deploying IPv6 on OpenStackDeploying IPv6 on OpenStack
Deploying IPv6 on OpenStack
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
 
ML2/OVN アーキテクチャ概観
ML2/OVN アーキテクチャ概観ML2/OVN アーキテクチャ概観
ML2/OVN アーキテクチャ概観
 
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networking
 
Neutron qos overview
Neutron qos overviewNeutron qos overview
Neutron qos overview
 
L3HA-VRRP-20141201
L3HA-VRRP-20141201L3HA-VRRP-20141201
L3HA-VRRP-20141201
 
Fun with Network Interfaces
Fun with Network InterfacesFun with Network Interfaces
Fun with Network Interfaces
 
Open vSwitch Introduction
Open vSwitch IntroductionOpen vSwitch Introduction
Open vSwitch Introduction
 
OVN DBs HA with scale test
OVN DBs HA with scale testOVN DBs HA with scale test
OVN DBs HA with scale test
 
MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)
 
Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...
Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...
Excitingly simple multi-path OpenStack networking: LAG-less, L2-less, yet ful...
 
Open vSwitchソースコードの全体像
Open vSwitchソースコードの全体像 Open vSwitchソースコードの全体像
Open vSwitchソースコードの全体像
 
Demystifying openvswitch
Demystifying openvswitchDemystifying openvswitch
Demystifying openvswitch
 
OpenStack: Inside Out
OpenStack: Inside OutOpenStack: Inside Out
OpenStack: Inside Out
 

Similar to Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)

2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services
Thomas Graf
 
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecasesLF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OpenvSwitch
 
LinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVS
Thomas Graf
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATOpen vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Thomas Graf
 
Design and Performance Characteristics of Tap-as-a-Service
Design and Performance Characteristics of Tap-as-a-ServiceDesign and Performance Characteristics of Tap-as-a-Service
Design and Performance Characteristics of Tap-as-a-Service
soichi shigeta
 
(NET404) Making Every Packet Count
(NET404) Making Every Packet Count(NET404) Making Every Packet Count
(NET404) Making Every Packet Count
Amazon Web Services
 
AWS re:Invent 2016: Making Every Packet Count (NET404)
AWS re:Invent 2016: Making Every Packet Count (NET404)AWS re:Invent 2016: Making Every Packet Count (NET404)
AWS re:Invent 2016: Making Every Packet Count (NET404)
Amazon Web Services
 
Protocol Independence
Protocol IndependenceProtocol Independence
Protocol Independence
Open Networking Summits
 
Troubleshooting TCP/IP
Troubleshooting TCP/IPTroubleshooting TCP/IP
Troubleshooting TCP/IP
vijai s
 
Scaling OpenStack Networking Beyond 4000 Nodes with Dragonflow - Eshed Gal-Or...
Scaling OpenStack Networking Beyond 4000 Nodes with Dragonflow - Eshed Gal-Or...Scaling OpenStack Networking Beyond 4000 Nodes with Dragonflow - Eshed Gal-Or...
Scaling OpenStack Networking Beyond 4000 Nodes with Dragonflow - Eshed Gal-Or...
Cloud Native Day Tel Aviv
 
Computer network (11)
Computer network (11)Computer network (11)
Computer network (11)
NYversity
 
CEF-Based Multilayer Switching, deployingpptx
CEF-Based Multilayer Switching, deployingpptxCEF-Based Multilayer Switching, deployingpptx
CEF-Based Multilayer Switching, deployingpptx
Course11
 
design-compiler.pdf
design-compiler.pdfdesign-compiler.pdf
design-compiler.pdf
FrangoCamila
 
Scaling Kubernetes to Support 50000 Services.pptx
Scaling Kubernetes to Support 50000 Services.pptxScaling Kubernetes to Support 50000 Services.pptx
Scaling Kubernetes to Support 50000 Services.pptx
thaond2
 
Technical Overview of QUIC
Technical  Overview of QUICTechnical  Overview of QUIC
Technical Overview of QUIC
shigeki_ohtsu
 
SDN/OpenFlow #lspe
SDN/OpenFlow #lspeSDN/OpenFlow #lspe
SDN/OpenFlow #lspe
Chris Westin
 
Cisco data center support
Cisco data center supportCisco data center support
Cisco data center support
Krunal Shah
 
Lab 4 marking
Lab 4 markingLab 4 marking
Lab 4 marking
VNG
 
Renegotiating the boundary between database latency and consistency
Renegotiating the boundary between database latency  and consistencyRenegotiating the boundary between database latency  and consistency
Renegotiating the boundary between database latency and consistency
ScyllaDB
 
Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)
Andriy Berestovskyy
 

Similar to Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015) (20)

2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services
 
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecasesLF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
 
LinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVS
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATOpen vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NAT
 
Design and Performance Characteristics of Tap-as-a-Service
Design and Performance Characteristics of Tap-as-a-ServiceDesign and Performance Characteristics of Tap-as-a-Service
Design and Performance Characteristics of Tap-as-a-Service
 
(NET404) Making Every Packet Count
(NET404) Making Every Packet Count(NET404) Making Every Packet Count
(NET404) Making Every Packet Count
 
AWS re:Invent 2016: Making Every Packet Count (NET404)
AWS re:Invent 2016: Making Every Packet Count (NET404)AWS re:Invent 2016: Making Every Packet Count (NET404)
AWS re:Invent 2016: Making Every Packet Count (NET404)
 
Protocol Independence
Protocol IndependenceProtocol Independence
Protocol Independence
 
Troubleshooting TCP/IP
Troubleshooting TCP/IPTroubleshooting TCP/IP
Troubleshooting TCP/IP
 
Scaling OpenStack Networking Beyond 4000 Nodes with Dragonflow - Eshed Gal-Or...
Scaling OpenStack Networking Beyond 4000 Nodes with Dragonflow - Eshed Gal-Or...Scaling OpenStack Networking Beyond 4000 Nodes with Dragonflow - Eshed Gal-Or...
Scaling OpenStack Networking Beyond 4000 Nodes with Dragonflow - Eshed Gal-Or...
 
Computer network (11)
Computer network (11)Computer network (11)
Computer network (11)
 
CEF-Based Multilayer Switching, deployingpptx
CEF-Based Multilayer Switching, deployingpptxCEF-Based Multilayer Switching, deployingpptx
CEF-Based Multilayer Switching, deployingpptx
 
design-compiler.pdf
design-compiler.pdfdesign-compiler.pdf
design-compiler.pdf
 
Scaling Kubernetes to Support 50000 Services.pptx
Scaling Kubernetes to Support 50000 Services.pptxScaling Kubernetes to Support 50000 Services.pptx
Scaling Kubernetes to Support 50000 Services.pptx
 
Technical Overview of QUIC
Technical  Overview of QUICTechnical  Overview of QUIC
Technical Overview of QUIC
 
SDN/OpenFlow #lspe
SDN/OpenFlow #lspeSDN/OpenFlow #lspe
SDN/OpenFlow #lspe
 
Cisco data center support
Cisco data center supportCisco data center support
Cisco data center support
 
Lab 4 marking
Lab 4 markingLab 4 marking
Lab 4 marking
 
Renegotiating the boundary between database latency and consistency
Renegotiating the boundary between database latency  and consistencyRenegotiating the boundary between database latency  and consistency
Renegotiating the boundary between database latency and consistency
 
Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)
 

More from Thomas Graf

eBPF - Rethinking the Linux Kernel
eBPF - Rethinking the Linux KerneleBPF - Rethinking the Linux Kernel
eBPF - Rethinking the Linux Kernel
Thomas Graf
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF  & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF  & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
Thomas Graf
 
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityCilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Thomas Graf
 
Accelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux KernelAccelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux Kernel
Thomas Graf
 
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPF
Thomas Graf
 
Cilium - Network security for microservices
Cilium - Network security for microservicesCilium - Network security for microservices
Cilium - Network security for microservices
Thomas Graf
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPDockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
Thomas Graf
 
Linux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network Security
Thomas Graf
 
BPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable DatapathBPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable Datapath
Thomas Graf
 
Cilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDPCilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDP
Thomas Graf
 
Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containersCilium - BPF & XDP for containers
Cilium - BPF & XDP for containers
Thomas Graf
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
Thomas Graf
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
Thomas Graf
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking Walkthrough
Thomas Graf
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
Thomas Graf
 
SDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center NetworkingSDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center Networking
Thomas Graf
 
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014   Kernel Networking WalkthroughDevConf 2014   Kernel Networking Walkthrough
DevConf 2014 Kernel Networking Walkthrough
Thomas Graf
 

More from Thomas Graf (17)

eBPF - Rethinking the Linux Kernel
eBPF - Rethinking the Linux KerneleBPF - Rethinking the Linux Kernel
eBPF - Rethinking the Linux Kernel
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF  & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF  & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
 
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityCilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
 
Accelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux KernelAccelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux Kernel
 
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPF
 
Cilium - Network security for microservices
Cilium - Network security for microservicesCilium - Network security for microservices
Cilium - Network security for microservices
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPDockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
 
Linux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network Security
 
BPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable DatapathBPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable Datapath
 
Cilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDPCilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDP
 
Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containersCilium - BPF & XDP for containers
Cilium - BPF & XDP for containers
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking Walkthrough
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
 
SDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center NetworkingSDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center Networking
 
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014   Kernel Networking WalkthroughDevConf 2014   Kernel Networking Walkthrough
DevConf 2014 Kernel Networking Walkthrough
 

Recently uploaded

ERP Software Solutions Provider in Coimbatore
ERP Software Solutions Provider in CoimbatoreERP Software Solutions Provider in Coimbatore
ERP Software Solutions Provider in Coimbatore
Nextskill Technologies
 
High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...
High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...
High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...
singhlata50dh
 
Introduction to Cloud computing for Internet of Things
Introduction to Cloud computing for Internet of ThingsIntroduction to Cloud computing for Internet of Things
Introduction to Cloud computing for Internet of Things
NachuSubramanian1
 
VVIP Girls Call Mumbai 9910780858 Provide Best And Top Girl Service And No1 i...
VVIP Girls Call Mumbai 9910780858 Provide Best And Top Girl Service And No1 i...VVIP Girls Call Mumbai 9910780858 Provide Best And Top Girl Service And No1 i...
VVIP Girls Call Mumbai 9910780858 Provide Best And Top Girl Service And No1 i...
jealousviolet
 
Mobile App Development Company in Noida - Drona Infotech.
Mobile App Development Company in Noida - Drona Infotech.Mobile App Development Company in Noida - Drona Infotech.
Mobile App Development Company in Noida - Drona Infotech.
Mobile App Development Company in Noida - Drona Infotech
 
Prada Group Reports Strong Growth in First Quarter …
Prada Group Reports Strong Growth in First Quarter …Prada Group Reports Strong Growth in First Quarter …
Prada Group Reports Strong Growth in First Quarter …
908dutch
 
Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...
Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...
Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...
902basic
 
ThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and DjangoThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and Django
akshesh doshi
 
React Native vs Flutter - SSTech System
React Native vs Flutter  - SSTech SystemReact Native vs Flutter  - SSTech System
React Native vs Flutter - SSTech System
SSTech System
 
Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
norina2645
 
welcome to presentation on Google Apps
welcome to   presentation on Google Appswelcome to   presentation on Google Apps
welcome to presentation on Google Apps
AsifKarimJim
 
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
simran hot girls
 
Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...
Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...
Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...
rachitkumar09887
 
To Avoid Mistakes When Using Online Attendance Sheets
To Avoid Mistakes When Using Online Attendance SheetsTo Avoid Mistakes When Using Online Attendance Sheets
To Avoid Mistakes When Using Online Attendance Sheets
Task Tracker
 
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in CityGirls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
neshakor5152
 
Artificial intelligence in customer services or chatbots
Artificial intelligence  in customer services or chatbotsArtificial intelligence  in customer services or chatbots
Artificial intelligence in customer services or chatbots
kayash1656
 
AWS DevOps-Tutorial CHANAKYA SRIYAN DUKKA.
AWS DevOps-Tutorial CHANAKYA SRIYAN DUKKA.AWS DevOps-Tutorial CHANAKYA SRIYAN DUKKA.
AWS DevOps-Tutorial CHANAKYA SRIYAN DUKKA.
Srinivas Dukka
 
The Ultimate Guide to Phone Spy Apps: Everything You Need to Know
The Ultimate Guide to Phone Spy Apps: Everything You Need to KnowThe Ultimate Guide to Phone Spy Apps: Everything You Need to Know
The Ultimate Guide to Phone Spy Apps: Everything You Need to Know
onemonitarsoftware
 
Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...
Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...
Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...
3610stuck
 
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptxWired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
SimonedeGijt
 

Recently uploaded (20)

ERP Software Solutions Provider in Coimbatore
ERP Software Solutions Provider in CoimbatoreERP Software Solutions Provider in Coimbatore
ERP Software Solutions Provider in Coimbatore
 
High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...
High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...
High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...
 
Introduction to Cloud computing for Internet of Things
Introduction to Cloud computing for Internet of ThingsIntroduction to Cloud computing for Internet of Things
Introduction to Cloud computing for Internet of Things
 
VVIP Girls Call Mumbai 9910780858 Provide Best And Top Girl Service And No1 i...
VVIP Girls Call Mumbai 9910780858 Provide Best And Top Girl Service And No1 i...VVIP Girls Call Mumbai 9910780858 Provide Best And Top Girl Service And No1 i...
VVIP Girls Call Mumbai 9910780858 Provide Best And Top Girl Service And No1 i...
 
Mobile App Development Company in Noida - Drona Infotech.
Mobile App Development Company in Noida - Drona Infotech.Mobile App Development Company in Noida - Drona Infotech.
Mobile App Development Company in Noida - Drona Infotech.
 
Prada Group Reports Strong Growth in First Quarter …
Prada Group Reports Strong Growth in First Quarter …Prada Group Reports Strong Growth in First Quarter …
Prada Group Reports Strong Growth in First Quarter …
 
Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...
Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...
Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...
 
ThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and DjangoThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and Django
 
React Native vs Flutter - SSTech System
React Native vs Flutter  - SSTech SystemReact Native vs Flutter  - SSTech System
React Native vs Flutter - SSTech System
 
Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
 
welcome to presentation on Google Apps
welcome to   presentation on Google Appswelcome to   presentation on Google Apps
welcome to presentation on Google Apps
 
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
 
Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...
Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...
Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...
 
To Avoid Mistakes When Using Online Attendance Sheets
To Avoid Mistakes When Using Online Attendance SheetsTo Avoid Mistakes When Using Online Attendance Sheets
To Avoid Mistakes When Using Online Attendance Sheets
 
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in CityGirls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
 
Artificial intelligence in customer services or chatbots
Artificial intelligence  in customer services or chatbotsArtificial intelligence  in customer services or chatbots
Artificial intelligence in customer services or chatbots
 
AWS DevOps-Tutorial CHANAKYA SRIYAN DUKKA.
AWS DevOps-Tutorial CHANAKYA SRIYAN DUKKA.AWS DevOps-Tutorial CHANAKYA SRIYAN DUKKA.
AWS DevOps-Tutorial CHANAKYA SRIYAN DUKKA.
 
The Ultimate Guide to Phone Spy Apps: Everything You Need to Know
The Ultimate Guide to Phone Spy Apps: Everything You Need to KnowThe Ultimate Guide to Phone Spy Apps: Everything You Need to Know
The Ultimate Guide to Phone Spy Apps: Everything You Need to Know
 
Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...
Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...
Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...
 
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptxWired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
 

Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)

  • 1. Taking Security Groups to Ludicrous Speed with Open vSwitch OpenStack Summit Vancouver, 2015 Miguel Angel Ajo @mangel_ajo Ivar Lazzaro @ivarlazzaro Thomas Graf @tgraf__ Justin Pettit @Justin_D_Pettit
  • 2. Agenda Problem Statement – Status Quo – a.k.a “The Bridge Mess” Possible Solution – OVS + Stateful services (+ OVN) Results – Performance Numbers Q&A
  • 5. Mess of Bridges. br-eth1 (Open vSwitch) OpenFlow table OVS bridge br-int (Open vSwitch)
  • 6. Mess of Bridges. br-eth1 (Open vSwitch) veth OpenFlow table OVS bridge br-int (Open vSwitch)
  • 7. Mess of Bridges. br-eth1 (Open vSwitch) qbr (Linux Bridge) qbr (Linux Bridge) qbr (Linux Bridge) veth iptables rules OpenFlow tableOVS bridge Linux bridge br-int (Open vSwitch)
  • 8. Mess of Bridges. Why? VM br-eth1 (Open vSwitch) qbr (Linux Bridge) qbr (Linux Bridge) qbr (Linux Bridge) VM lxc tap veth iptables rules OpenFlow table OVS bridge Linux bridge 4-5 network devices per guest in host! br-int (Open vSwitch)
  • 10. Possible Solution Stacking Things Properly (c) Karen Sagovac
  • 11. Can we have a pure OVS Model? br-int (Open vSwitch) VM br-eth1 (Open vSwitch) VM lxc Tap, veth, or internal port OpenFlow table with security groups OVS bridge 1 network device per guest in host! Makes VMs and containers equally happy.
  • 13. ● Highly scaleable multi layer virtual switch for hypervisors – Apache License (User Space), GPL (Kernel) ● Extensive flow table programming capabilities – OpenFlow 1.0 – 1.5 (some partial) – Vendor Extensions ● Designed to manage overlay networks – VXLAN (+ extensions), GRE, Geneve, LISP, STT, VLAN, ... ● Remote management protocol (OVSDB) ● Monitoring capabilities Open vSwitch
  • 14. ● Virtual Networking for OVS – Developed by same team that made OVS – Works on same platorms (Linux, Containers, Hyper-V) ● Provides L2/L3 virtual networking – Logical switches and routers – Conntrack-based security groups – L2/L3/L4 ACLs – Physical and DPDK-based logical-physical gateways ● Integrated with OpenStack and other CMSs OVN
  • 15. Implementing a Firewall with OVS ● OVS has traditionally only supported stateless matches ● As an example, currently, two ways to implement a firewall in OVS – Match on TCP flags (Enforce policy on SYN, allow ACK|RST) ● Pro: Fast ● Con: Allows non-established flow through with ACK or RST set, only TCP – Use “learn” action to setup new flow in reverse direction ● Pro: More “correct” ● Con: Forces every new flow to OVS userspace, reducing flow setup by orders of magnitude – Neither approach supports “related” flows or TCP window enforcement
  • 16. Connection Tracking ● We are adding the ability to use the conntrack module from Linux – Stateful tracking of flows – Supports ALGs to punch holes for related “data” channels ● FTP, TFTP, SIP ● Implement a distributed firewall with enforcement at the edge – Better performance – Better visibility ● Introduce new OpenFlow extensions: – Action to send to conntrack – Match fields on state of connection ● Have prototype working. Expect to ship as part of OVS in next release.
  • 17. Netfilter Conntrack Integration OVS Flow Table Netfilter Connection Tracker CT Table Userspace Netlink API Create & Update CT entries Connection State (conn_state=) conntrack() Recirculation 1 2 3 4
  • 18. Zone 1 Connection Tracking Zones OVS Flow Table CT Table Zone 2 CT Table Netfilter Connection Tracker
  • 20. OVSFirewallDriver ● Original proposal from Amir Sadoughi – https://review.openstack.org/#/c/89712 ● Stable/kilo (just a POC) – https://review.openstack.org/#/c/183725/
  • 21. Example HTTP Request VM 1 VM 2 HTTP req response GLOSARY of OF actions NORMAL = “do like a normal switch” ct(commit) = “push this packet to CT” ct(recirc) = “grab any ct info we have, set +trk, and send to T0”
  • 22. SG OpenFlow Table structure +trk(+est/+rel) → NORMAL ARP (with filters) → NORMAL (…) SG rules in OF: ip Egress T1Input T0 ct(commit, recirc) (…) SG rules: tp_dst=80 Ingress T2 From VM(n) (MAC+in_port -trk) -trk → ct(recirc) ToVM(n)(MAC) match ct(commit),NORMAL VM1 VM2
  • 23. SG OpenFlow Table structure +trk(+est/+rel) → NORMAL ARP (with filters) → NORMAL (…) SG rules in OF: ip Egress T1Input T0 ct(commit, recirc) (…) SG rules: tp_dst=80 Ingress T2 From VM(n) (MAC+in_port -trk-trk) -trk → ct(recirc) ToVM(n)(MAC) match ct(commit),NORMAL VM1
  • 24. SG OpenFlow Table structure +trk(+est/+rel) → NORMAL ARP (with filters) → NORMAL (…) SG rules in OF: ip Egress T1Input T0 ct(commit, recirc) (…) SG rules: tp_dst=80 Ingress T2 From VM(n) (MAC+in_port -trk) -trk → ct(recirc) ToVM(n)(MAC) match ct(commit),NORMAL
  • 25. SG OpenFlow Table structure +trk(+est or +rel) → NORMAL ARP (with filters) → NORMAL (…) SG rules in OF: ip Egress T1Input T0 ct(commit, recirc) (…) SG rules: tp_dst=80 Ingress T2 From VM(n) (MAC+in_port -trk) -trk → ct(recirc) ToVM(n)(MAC) match ct(commit),NORMAL
  • 26. SG OpenFlow Table structure +trk(+est/+rel) → NORMAL ARP (with filters) → NORMAL (…) SG rules in OF: ip Egress T1Input T0 ct(commit, recirc) (…) SG rules: tp_dst=80 Ingress T2 From VM(n) (MAC+in_port -trk) -trk → ct(recirc) ToVM(n)(MAC) match ct(commit),NORMAL VM2
  • 27. SG OpenFlow Table structure +trk(+est/+rel) → NORMAL ARP (with filters) → NORMAL (…) SG rules in OF: ip Egress T1Input T0 ct(commit, recirc) (…) SG rules: tp_dst=80 Ingress T2 From VM(n) (MAC+in_port -trk) -trk → ct(recirc) ToVM(n)(MAC) match ct(commit),NORMAL VM2
  • 28. SG OpenFlow Table structure +trk(+est/+rel) → NORMAL ARP (with filters) → NORMAL (…) SG rules in OF: ip Egress T1Input T0 ct(commit, recirc) (…) SG rules: tp_dst=80 Ingress T2 From VM(n) (MAC+in_port -trk) -trk → ct(recirc) ToVM(n)(MAC) match ct(commit),NORMAL
  • 29. SG OpenFlow Table structure +trk(+est/+rel) → NORMAL ARP (with filters) → NORMAL (…) SG rules in OF: ip Egress T1Input T0 ct(commit, recirc) (…) SG rules: tp_dst=80 Ingress T2 From VM(n) (MAC+in_port -trk) -trk → ct(recirc) ToVM(n)(MAC) match ct(commit),NORMAL VM1
  • 30. SG OpenFlow Table structure +trk(+est/+rel) → NORMAL ARP (with filters) → NORMAL (…) SG rules in OF: ip Egress T1Input T0 ct(commit, recirc) (…) SG rules: tp_dst=80 Ingress T2 From VM(n) (MAC+in_port -trk) -trk → ct(recirc) ToVM(n)(MAC) match ct(commit),NORMAL
  • 31. openvswitch_firewall.py ● update_security_group_{rules, members} ● prepare_port_filter ● update_port_filter ● remove_port_filter ● filter_defer_apply_{on,off} neutron.agent.linux.firewall.FirewallDriver neutron.agent.linux.openvswitch_firewall.OVSFirewallDriver
  • 33. Test Setup Explained System: 2 Socket, 24 core, IvyBridge CPU: Intel(R) Xeon(R) CPU E5-2643 v2 @ 3.50GHz Kernel: 3.10.0-229.1.2.el7.x86_64 Test: Netperf with TCP_STREAM and TCP_RR Notes: Virt overhead eliminated, netperf/netserver runs baremetal Compute 1 netperf Compute 2 10GiB Link netserver netserver local Multi node
  • 34. TCP Stream, Local, 1 netperf thread 64 128 512 1024 9000 64000 0 50 100 150 200 250 300 350 400 450 500 0 5,000 10,000 15,000 20,000 25,000 TCP stream Local, 1 netperf threads sub-title iptables throughput OVS throughput iptables cycles OVS cycles Packet Size CPUMegacyclesperMbit Mbit
  • 35. TCP Stream, Local, 16 netperf threads 64 128 512 1024 9000 64000 0 50 100 150 200 250 300 350 400 0 50,000 100,000 150,000 200,000 250,000 TCP stream Local, 16 netperf threads sub-title iptables throughput OVS throughput iptables cycles OVS cycles Packet Size CPUMegacyclesperMbit Mbit
  • 36. TCP Stream, Multi Node, 8 netperf threads 64 128 512 1024 9000 64000 0 50 100 150 200 250 0 1,000 2,000 3,000 4,000 5,000 6,000 7,000 8,000 9,000 10,000 TCP stream node-to-node, 8 netperf threads iptables throughput OVS throughput iptables cycles OVS cycles Packet Size CPUMegacyclesperMbit Mbit
  • 37. TCP Requests, Local, 1 netperf thread 64 128 512 1024 9000 64000 0 50 100 150 200 250 300 350 400 450 500 0 5,000 10,000 15,000 20,000 25,000 TCP stream Local, 1 netperf threads sub-title iptables throughput OVS throughput iptables cycles OVS cycles Packet Size CPUMegacyclesperMbit Mbit
  • 38. TCP Requests, Local, 64K packets 1 4 8 16 0 10 20 30 40 50 60 70 0 20,000 40,000 60,000 80,000 100,000 120,000 140,000 160,000 TCP Requests/s Local, 64K packets sub-title iptables requests/s OVS requests/s iptables cycles OVS cycles Number netperf threads CPUMegacyclesperMbit Requests/s
  • 39. TCP Requests, Multi Node, 1 netperf thread 64 128 512 1024 9000 64000 0 2 4 6 8 10 12 14 16 18 20 0 5,000 10,000 15,000 20,000 25,000 30,000 TCP Requests/s node-to-node, 1 netperf threads sub-title iptables requests/s OVS requests/s iptables cycles OVS cycles Packet Size CPUMegacyclesperMbit Requests/s
  • 40. TCP Requests, Multi Node, 64K packets 1 4 8 16 0 5 10 15 20 25 30 35 40 0 2,000 4,000 6,000 8,000 10,000 12,000 14,000 16,000 18,000 20,000 TCP Requests/s node-to-node, 64K packets sub-title iptables requests/s OVS requests/s iptables cycles OVS cycles Number netperf threads CPUMegacyclesperMbit Requests/s
  • 41. Conclusion ● Both throughput and latency are considerably improve (Up to 6x in some situations). ● If limited by wire speed, pure OVS approach generally consumes less CPU cycles for the same result, leaving more resources for actual workload. ● Issue for specific packet sizes to be investigated and resolved before merge.
  • 42. Next Steps ● Convert ML2 PoC to a patch that can be merged – Write functional tests – Optimize OF rules/manipulation ● Complete upstream merge of connection tracking support in Open vSwitch in the Linux kernel ● Consider and realize OVN integration of this work ● Hopefully ready for Liberty
  • 43. Q&A ● OVS w/ CT Neutron ML2 plugin – https://github.com/mangelajo/vagrant-rdo-juno-ovs-ct -firewall ● Open vSwitch – http://openvswitch.org/ ● Conntrack code on GitHub – https://github.com/justinpettit/ovs/tree/conntrack ● Stateful Connection Tracking & Stateful NAT (OVS conference) – http://www.openvswitch.org/support/ovscon2014/17 /1030-conntrack_nat.pdf