Introduce the basic concept of Open vSwitch. In this slide, we talked about how Linux kernel and networking stack worked together to forward and process the network packet and also compare those Linux networking stack functionality with Open vSwitch and Openflow. At the end of this slide, we talk about the challenge to integrate the Open vSwitch with Kubernetes, what kind of the networking function we need to resolve and what is the benefit we can get from the Open Vswitch.

1. Open vSwitch
Introduction
HungWei Chiu

2. Who Am I
• HungWei Chiu (hwchiu)
• Open Networking Foundation
• Member of Technical Staff
• https://hwchiu.com
• Kubernetes/Container
• Networking/Linux/Kernel
• Co-Organizer of SDNDS-TW/
CNTUG

3. Agenda
• What/How
• TCP/IP Model
• Linux Bridge
• What/How
• Open vSwitch
• Open vSwitch in Kubernetes

4. We all learned

5. Data Link
Switch v.s Router
TCP/IP Model
Network
Transport
Application
Physical
Data Link
Physical
Data Link
Network
Physical
Data Link
Network
Transport
Application
Physical
Client Server
Switch
Router

6. Router v.s Switch
• Both
• Store and forward packets
• Network layer
• Data Link layer
• Router:
• Routing table
• Routing algorithms
• Switch
• Switch table
• Learning algorithms

7. Docker
eth0
Linux Bridge
br0
Container
172.17.8.1
172.17.8.56
10.1.2.3
Linux Host
Container
172.17.8.57

8. Can You Explain

9. Data Link
Switch v.s Router
TCP/IP Model
Network
Transport
Application
Physical
Data Link
Physical
Data Link
Network
Physical
Data Link
Network
Transport
Application
Physical
Client Server
Switch
Router
eth0
Linux Bridge
br0
Container
172.17.8.1
172.17.8.56
10.1.2.3
Linux Host
Container
172.17.8.57
Container to WAN

10. Linux Host
Switch v.s Router
TCP/IP Model
Data Link
Network
Transport
Application
Physical
Data Link
Physical
Data Link
Network
Physical
Data Link
Network
Transport
Application
Physical
Client Server
Switch
Router
Container WAN
Linux
Bridge
Linux Bridge
Instances
veth
function call function call

11. Docker
eth0
Linux Bridge br0
Container
172.17.8.1
172.17.8.56
10.1.2.3
Linux Host
Container
172.17.8.57
net_dev
Kernel object
Packet
Linux Bridge br0
• Received Packets
• ebtables
• iptables
• Forward to net_dev (172.17.9.1)
Packet:
172.17.8.56 -> 172.17.8.1

12. Docker
eth0
Linux Bridge br0
Container
172.17.8.1
172.17.8.56
10.1.2.3
Linux Host
Container
172.17.8.57
net_dev
Kernel object
Linux Kernel
• Received Packet
• Iptables
• Routing tables
• ARP tables
• Forward to eth0 (10.1.2.3)
Packet:
172.17.8.56 -> 172.17.8.1
Packet

13. Tables
• Arp Table (Learning MAC/IP)
• Linux Bridge
• Forwarding Table (Forward by MAC)
• Netfilter
• Iptables (Layer 3, NAT…etc)
• Ebtables (Layer 2 filter…etc)
• Linux Kernel
• Routing table (Routing by IP (Destination/Source))

14. Control
• Arp
• arp
• Forwarding
• brctl show/brctl showman’s
• Routing
• route
• ip route
• netfilter
• iptables/ebtables
• iptables-save/iptables-restore …etc

15. Multiple Nodes
Host
Agent
• No Standard Protocol
Host
Agent
Host
Agent
Host
Agent
Host
Controller
Agent
• Execute commands
• API Call (netlink)

16. Open vSwitch

17. Introduction
https://www.openvswitch.org/

18. Openflow
• Maintained by Open Networking Foundation (ONF)
• The first standard communication interface defined
between control and forwarding layers of an SDN
architecture.
https://en.wikipedia.org/wiki/OpenFlow

19. Openflow
controller
Openflow Enabled Switch
Security Channel
Flow Table
Openflow Enabled Switch
Security Channel
Flow Table
Openflow protocol
Architecture

20. Format
Rule Action Stats
• Forward packet to ports
• Encapsulate and forward to controller
• Modify fields
• Normal Pipeline
• Extension
Packet/Bytes counter
Switch Port Layer 2 Header Layer 3 Header Layer 4 Header

21. Example
Switch Port dst_mac Layer 3 Layer 4src_mac Action
port 3*** * 00:11:32:….
Switching
Switch Port src_ip Layer 4Layer 2 Action
port 4*** *
Routing
dst_ip
140.113.2.4
Switch Port src_ip Layer 4Layer 2 Action
drop*1.2.0.0/16* *
Firewall
dst_ip
140.113.2.4

22. Compare
• Linux
• Arp Table (Learning MAC/IP)
• Linux Bridge
• Forwarding Table (Forward by
MAC)
• Netfilter
• Iptables (Layer 3, NAT…etc)
• Ebtables (Layer 2 filter…etc)
• Linux Kernel
• Routing table (Routing by IP
(Destination/Source))
• Openflow
• Rules
• Switch Port
• Layer 2/3/4 Header
• Action
• Forward/Drop
• Normal Pipeline
• Modify fields
• …etc
• Stats
• Counter

23. Docker example again

24. Docker
eth0
Open vSwith
Ovsbr0
Container
172.17.8.1
172.17.8.56
Linux Host
Container
172.17.8.57

25. Flows
Switch Port Layer 2 Layer 3 Layer 4eth_type Action
…*…* Arp
ARP
Switch Port Layer 3 Header Layer 4 HeaderLayer2 Action
• Change src/dst Mac
• Forward to port…..…..* *
Routing
Switch Port Layer 3 Header Layer 4 Action
* *
NAT
*
Layer2
….. …..
• Change src/dst IP
• Forward to port

26. Open vSwtich
• Need to prepare all flow rules
• Without Linux Kernel (mostly)
• Openflow controller
• Program your logic
• CLI
• Difficult to maintain all logics.

27. Other functions
• Linux
• Tunneling
• GRE/VXLAN/GRE/
STT/NVGRE
• iptables extension
• nfqueue ..etc
• 802.1q VLAN
• Linux
• Link Aggregation with/
without LACP
• QoS
• Traffic Shaping
• Socket Applications
• VPN, other
networking functions.

28. Multiple Nodes
Host
OVS
Host
OVS
Host
OVS
Host
OVS
Host
Openflow
Controller

29. Kubernetes & OVS

30. Kubernetes & Networking
• Pod communication
• Pod to Pod
• Pod to Wan
• Service
• ClusterIP
• NodePort
• NetworkPolicy
CNI Flannel
• Linux Bridge
• ARP Table
• Routing Table
• Iptables
Iptables
Implemented by
CNI.

31. Challenge
• CNI
• Pod to Pod
• Same Node
• Different Node
• Overlay ?
• Pod to Wan
• NAT

32. Challenge
• Kube-proxy (service)
• Monitor service object
• Create/Update/Remove rules
• Translate policy to OpenFlow rules and apply to all switches.
• NetworkPolicy
• Monitor network policy object
• Create/Update/Remove rules
• Translate policy to OpenFlow rules and apply to all switches.

33. Challenge
• Additional controller
• Open vSwitch controller
• Openflow
• OVSDB
• …etc
• Kubernetes controller

34. Projects
• K-vswitch
• SONA-CNI
• Ovn-kubernetes
• ..etc

35. https://github.com/k-vswitch/k-vswitch
k-vswitch

36. sona-cni
https://wiki.onosproject.org/display/ONOS/SONA-CNI+Installation

37. Why OVS?

38. Why
• Networking performance?
• Open vSwitch + DPDK (Kernel Bypass)
• Hardware offloading
• Service chain?
• Rewrite packets header
• Redirect packets within different Pods
• Networking Traffic Monitor?
• Latency
• Counters

39. K8S Node
Pod Pod Pod
eth0
Openflow Switch Openflow Switch Openflow Switch
Data network
K8S Node
Pod Pod Pod
eth0
K8S Node
Pod Pod Pod
eth0
Openflow Controller
Reference Architecture

40. Do I Need It?

41. One
• Learn how system works
• Computing/Storage/Networking
• Linux
• Increase your value
• Don’t rely on Framework or Tools
• Helm/Operator …etc
• Never be the Yaml Engineer

42. Q&A