Overview of Distributed programming of the overlay by Alexander Gabert.

1. Distributed Programming for the overlay.
Alexander Gabert
Junior Field Service Engineer

2. hello from Midokura
• Scala, Akka, Zookeeper, Netlink, Vxlan
• massive L2, L3 scale
• massive L4 scale
• distributed flow state scale
• L7 scale-out based on L4 scale-out
• distributed {service chaining, flow tracing}

4. logical code design

5. NSDB NSDB
NSDB
Open vSwitch Datapath
IF IF
Interfaces on the host
IF
VM VM VM Midolman
(MidoNet
agent)
Network
Flow Table
MidoNet APINova
API
Horizon MidoNet CLI
Watch/modify
Add/remove flows
Neutron API
MidoNet Plugin
Host
Cache
+
local state
Store virtual
topology
information
Clients / Users
Nova compute
datapath
design

6. distributed flow state
over 1000 vports
over 1000 servers
1 million virtual machines
1 billion active connections
100.000 Gbit/s stateful L4 traffic

7. F
PacketsEntryPoint
NetlinkCallback
Dispatcher
DeduplicationActor
PacketWorkflow
UpcallDatapath
ConnectionManager
One-to-Man
One-to-On
HTB
Supended
Packets
Waiting
Room
(NetlinkInputChannel)
NetlinkChannel
Fast Path
State Management
Open vSwitch Datapath
Flow Table
UpcallPacket
1. Input stage
Select Loop

8. Datapath
Controller
Flow Controller
PacketsEntryPoint
NetlinkCallback
Dispatcher
DeduplicationActor
PacketWorkflow
UpcallDatapath
ConnectionManager
One-to-Many
One-to-One
HTB
Supended
Packets
Waiting
Room
(NetlinkInputChannel)
NetlinkChannel
(NetlinkOutputChannel)
DatapathChannel
ment
path Open
WildcardFlow
Pa
Wildcard Flows
Flow
Managem
2. Packet processing stage
PacketContext
PacketContextPacketContext
PacketContext
PacketContext
PacketContext
Routing by hashing with FlowKey

9. Datapath
Controller
Flow Controller
PacketsEntryPoint
RoutingManager
Actor
DatapathReady
VirtualTopology
Actor
VirtualTo
PhysicalMapper
DeduplicationActor
UpcallDatapath
nnectionManager
NS
etlinkInputChannel) (NetlinkOutputChannel)
DatapathReady
WildcardFlow
Flow Invalidation
by Tag
Virt
State
Wildcard Flows
DatapathReady
Datap
oper
Flow
Management
2. Packet processing stage
Manage virtual to local
and physical mapping
• Interface name to UUID
• UUID to local port number
• Which host has the interface
• …

10. Datapath
Controller
Flow Controller
PacketsEntryPoint
NetlinkCallback
Dispatcher
DeduplicationActor
PacketWorkflow
UpcallDatapath
ConnectionManager
One-to-Many
One-to-One
HTB
Supended
Packets
Waiting
Room
(NetlinkInputChannel)
NetlinkChannel
(NetlinkOutputChannel)
DatapathChannel
ment
path Open
WildcardFlow
Pa
Wildcard Flows
Flow
Managem
2. Packet processing stage
PacketContextPacketContext
PacketContext
PacketContext
PacketContext
PacketContext
Simulation

11. Datapath
Controller
Flow Controller
PacketsEntryPoint
VirtualTo
PhysicalMapper
DeduplicationActor
PacketWorkflow
Disruptor
Ring Buffer
Supended
Packets
Waiting
Room
el) (NetlinkOutputChannel)
DatapathChannel
Flow Table
DatapathReady
WildcardFlow
validation
y Tag
Virtual Topology
State data / Messages
Packet
Flow
Wildcard Flows
DatapathReady
Datapath port
operations
Flow
Management
2. Packet processing stage
Local datapath management
• Create local datapath ports
• Track UUID to port # mapping
• Manage overlay tunnels
PacketContext

12. Datapath
Controller
Flow Controller
PacketsEntryPoint
VirtualTo
PhysicalMapper
DeduplicationActor
PacketWorkflow
Disruptor
Ring Buffer
Supended
Packets
Waiting
Room
(NetlinkOutputChannel)
DatapathChannel
Flow Table
DatapathReady
WildcardFlow
n
Virtual Topology
State data / Messages
Packet
Flow
Wildcard Flows
DatapathReady
Datapath port
operations
Flow
Management
2. Packet processing stage
Flow
Flow
Flow
Flow
Query statistics
Invalidate flows
PacketContext

13. Datapath
Controller
Flow Controller
PacketsEntryPoint
NetlinkCallback
Dispatcher
DeduplicationActor
PacketWorkflow
One-to-Many
One-to-One
B
Disruptor
Ring Buffer
Supended
Packets
Waiting
Room
(NetlinkOutputChannel)
DatapathChannel
Open vSwitch Datapath
Flow Table
WildcardFlow
Virtual Topology
State data / Messages
Packet
Flow
Wildcard Flows
Datapath port
operations
Flow
Management
3. Output stage
Select Loop

14. logical code design

15. MidoNet 101! Face-to-Face with the Distributed SDN・FOSDEM 2015
Distributed L2 Switching
VM 1 VM 2
Virtual Tenant
Router B
Virtual Topology
Physical Topology
ARP Request
Virtual
Switch B1
VM 1 VM 2
State Cluster
Virtual Switch B1
MAC Port Host
AC:CA:BA:00:00:01
AC:CA:BA:00:00:02
vPort 0
vPort 1
Host 0
Host 1
Tunnel Zone
GRE / VXLAN IPv4Host
192.168.0.1
10.0.0.1
Host 0
Host 1
MAC AC:CA:BA:00:00:01
IP 192.168.0.1
MAC AC:CA:BA:00:00:02
IP 10.0.0.1
vPort 1vPort 0
Host 0 Host 1
• State cluster based on ZooKeeper
• Stores the virtual topology
• Topology is cached by the MidoNet Agent
• Agents access data using publish-subscribe

16. MidoNet 101! Face-to-Face with the Distributed SDN・FOSDEM 2015
Layer 2 Gateways
VM 1 VM 2
Virtual Tenant
Router B
Virtual Topology
Physical Topology
Virtual
Switch B1
vPort 1vPort 0
Virtual Provider
Router
vPort L3GW
vPort L2GW
Layer 2 Network
VM 1 Host 0 Hardware VTEP
State Cluster
Layer 2 Network
VXLAN
L2 gateway for VXLAN tunneling
• The state cluster adds L2 gateway
functions
• Exchange state data with hardware
VXLAN tunnel end-points (VTEPs)
• Leverages virtualization at the edge to
optimize the traffic flow
L2 VXLAN
Gateway

17. MidoNet 101! Face-to-Face with the Distributed SDN・FOSDEM 2015
Distributed Layer 3 Routing
Private IP Network
Virtual Servers
VM 1
VM 2
Provider
Network
State Cluster
Virtual
Switch B1
VM 1 VM 2
vPort 1vPort 0
Physical Topology Virtual Topology
Scalability and High Availability
Border Node
Border Node
Border Node
Virtual Tenant
Router B
Virtual Provider
Router
vPort L3GW
vPort L3GW
Provider
Network BGP Peer
BGP Peer
BGP Peer

18. CHAIN vPort0 ingress
MidoNet 101! Face-to-Face with the Distributed SDN・FOSDEM 2015
Firewall
VM 1 VM 2
Virtual Tenant
Router A
Virtual
Switch A1
Virtual Provider
Router
Virtual
Switch A2
vPort 1vPort 0
$ neutron security-group-rule-create --protocol tcp
--port-range-min 22 --port-range-max 22
-—direction ingress security-group-1
SG1 Allowing SSH inbound traffic
$ neutron security-group-rule-create --protocol icmp
--direction ingress security-group-2
SG2 Allowing ICMP inbound traffic
SG-1
SG-1
SG-2
DROP
if not MAC1
MAC1 AC:CA:BA:00:00:01
IP1 192.168.0.1
MAC2 AC:CA:BA:00:00:02
IP2 10.0.0.1
DROP
if not IP1
ACCEPT
return flow
JUMP
SG-1 ingress
DROP
everything
CHAIN SG-1 ingress
ACCEPT
TCP port range [22, 22]
Port-level firewall

19. • Different agents must exchange flow
information
• Drop not allowed packets at the ingress
host
• Protects the private underlay
MidoNet 101! Face-to-Face with the Distributed SDN・FOSDEM 2015
Network Address Translation
Virtual
Switch B1
VM 1 VM 2
Virtual Tenant
Router B
Virtual Provider
Router
Provider
Network
Private Network
Public Network
10.0.0.100:1234
151.16.16.1:37001
Forwardflow
Returnflow
L4 NAT for a TCP connection
Private IP Network
VM 1
Border Router
Virtual Topology Physical Topology

20. Köszönöm!
PS: we are hiring :)

21. MidoNet 101! Face-to-Face with the Distributed SDN・FOSDEM 2015
Distributed Flow State
21
VM 1 VM 2
Virtual
Switch B1
VM 1
VM 2
Virtual Tenant
Router B
Private Network
Public Network
Physical Topology Virtual Topology
Forward flow
Fwd outFwd in
Flow state
Return flow Ret inRet out
Ingress host
Possible return
flow ingress
Possible forward
flow ingress
Egress host
Ingress host Egress host
Forward flow
Fwd out
Fwd in
Ingress host
Possible return
flow ingress
Possible forward
flow ingress
Egress host
1
2
3
• Flow state forwarded to
possible interested hosts
• No delay for simulating flow
ingress packets at other hosts
• State backup in cluster
State Cluster

22. Confidential 22