The document discusses Romana, a network and security automation solution. It describes how Romana uses topology-aware IP addressing to provide network isolation without the need for VLANs or overlays. This simplifies network provisioning and eliminates complexity. Romana integrates tightly with cloud management platforms and supports automation of network and security policies.
Session from the Austin OpenStack Summit on the new Neutron pluggable IPAM APIs, including the use case of Romana building its network and security automation solution on those APIs.
OpenStack: Virtual Routers On Compute Nodes, by clayton_oneill
Learn the production pros and cons of operating Neutron legacy and HA routers on compute nodes in your production cloud. Not ready for DVR or third-party network overhauls? Virtual router network “hot spots” got you down? Large virtual router failure domains keeping you up late at night? Neutron reference architectures not providing a scalable routing solution? If you answered yes to any of these questions then this talk is for you.
Simplifying OpenStack and Kubernetes Networking with Romana, by Juergen Brendel
Romana, the open source project by Pani Networks, brings stunning simplicity to the usually very complex networking in OpenStack and Kubernetes. Using only native L3 routing and no overlays, along with automated, distributed application of network policies and security rules, it gives operators networking that is easy to understand and manage, while allowing the network hardware to operate at its best and with full efficiency.
These slides were used during the OpenStack meetup in Auckland in May 2016, hosted by Catalyst IT.
SFO17-109 Containerized VNFs with Data Plane Acceleration on ARM Platform, by Linaro
Session ID: SFO17-109
Session Name: Containerized VNFs with Data Plane Acceleration on ARM-based NFV infrastructure - SFO17-109
Speaker: Bin Lu - Jianbo Liu
Track: LNG
★ Session Summary ★
Kubernetes and DPDK are the biggest hype for NFV solutions today. Containers provide high scale, low latency and short startup times, and they change the virtualization model. Judging from our test results with containerized VNFs and from community feedback, Kubernetes is the best container orchestration platform, although some problems remain to be solved. DPDK provides a fast data path; it is a necessary component for NFV.
This presentation shows our work on leveraging lightweight, efficient modern container technology to build ARM-based NFV infrastructure. It also describes the deployment of containerized VNFs with DPDK data plane acceleration, using a high-performance, low-latency networking design. The benefits of container-based infrastructure for NFV use cases, particularly at the network edge on ARM servers, will be illustrated.
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/sfo17/sfo17-109/
Presentation:
Video: https://www.youtube.com/watch?v=2_fm85W-mRc
---------------------------------------------------
★ Event Details ★
Linaro Connect San Francisco 2017 (SFO17)
25-29 September 2017
Hyatt Regency San Francisco Airport
---------------------------------------------------
Building the Internet of Things with Thingsquare and Contiki - day 1, part 2, by Adam Dunkels
How to build the Internet of Things - what is an Internet of things device and how do we connect it? This is the second Thingsquare IoT workshop slide deck.
A guide to deploying an initial Docker Swarm mode network and then incorporating Asterisk into that swarm. Commands, a discussion of host mode vs overlay networking, and the basics of a deployable Docker Swarm mode Stack file are all covered.
Integrating OpenStack To Existing Infrastructure, by Hui Cheng
1. How to integrate OpenStack environment to our existing infrastructure.
2. How to efficiently interconnect the SAE & SWS, while preserving security properties and seamless connection.
3. The challenges we are facing when building & providing OpenStack-based public cloud service and how we solved it.
http://openstackconferencespring2012.sched.org/event/370f9d74a4e9e938a7f6f1e2af0958fe?iframe=yes&w=990&sidebar=no&bg=no#?iframe=yes&w=990&sidebar=no&bg=no#sched-body-outer
Programmable network connectivity and network overlay technologies like Docker libnetwork, Weave Net, and Calico are essential tools for DevOps engineers using orchestration tools to manage and deploy Docker containers in production. Because network troubleshooting and optimization falls within the jurisdiction of DevOps, it’s vital that DevOps engineers understand exactly how network overlays work. Participants will learn the fundamentals of container networking, see practical examples of common network overlays, and receive guidance on effectively using and tuning network overlays.
Simplifying and Securing your OpenShift Network with Project Calico, by Andrew Randall
OpenShift Commons Webinar presented on March 2 2017
OpenShift networking works great out of the box, right? So why would you consider anything else? This briefing examines an alternative approach that has benefits for many scenarios – from tightly securing a few high-value AWS instances to scaling a large private cloud deployment. Come learn how Calico differs from traditional solutions like OpenShift SDN, see how Calico has now been integrated with Kubernetes and OpenShift to provide a smooth deployment experience, and hear lessons learned across hundreds of enterprise users.
Orchestration tool roundup: Kubernetes vs. Docker vs. Heat vs. Terraform vs..., by Nati Shalom
Video recording: https://www.youtube.com/watch?v=tGlIgUeoGz8
It’s no news that containers represent a portable unit of deployment, and OpenStack has proven an ideal environment for running container workloads. However, where it usually becomes more complex is that many times an application is often built out of multiple containers. What’s more, setting up a cluster of container images can be fairly cumbersome because you need to make one container aware of another and expose intimate details that are required for them to communicate which is not trivial especially if they’re not on the same host.
These scenarios have created demand for some kind of orchestrator, and the list of container orchestrators is growing fairly fast. This session will compare the different orchestration projects out there - from Heat to Kubernetes to TOSCA - and help you choose the right tool for the job.
Session link from the summit: https://openstacksummitmay2015vancouver.sched.org/event/abd484e0dedcb9774edda1548ad47518#.VV5eh5NViko
OpenStack and OpenContrail for FreeBSD platform by Michał Dubiel (uploaded by eurobsdcon)
Abstract
OpenStack and the OpenContrail network virtualization solution together form a complete suite able to handle the orchestration of resources and services in contemporary cloud installations. Until now, however, these projects have only been available on Linux-hosted platforms. This talk is about work underway that brings them into the FreeBSD world.
It explains in greater detail the architecture of an OpenStack system and shows how support for the FreeBSD bhyve hypervisor was brought up using the libvirt library. Details of the OpenContrail network virtualization solution are also provided, with special emphasis on the lower-level system entities such as the vRouter kernel module, which required most of the work while developing the FreeBSD version.
Speaker bio
Michal Dubiel, M.Sc. Eng., born 17th of September 1983 in Kraków, Poland. He graduated in 2009 from the Faculty of Electrical Engineering, Automatics, Computer Science and Electronics of AGH University of Science and Technology in Kraków. Throughout his career he worked for ACK Cyfronet AGH on hardware-accelerated data mining systems and later for Motorola Electronics on DSP software for LTE base stations. Currently he is working for Semihalf on various software projects ranging from low-level kernel development to Software Defined Networking systems. He is mainly interested in computer science, especially operating systems, programming languages, networks, and digital signal processing.
Docker Meetup: Docker Networking 1.11, by Madhu Venugopal (uploaded by Michelle Antebi)
In this talk, Madhu Venugopal will present Docker Networking & Service Discovery features shipped in 1.11 and new Experimental Vlan network drivers introduced in 1.11.
Container Networking: the Gotchas (Mesos London Meetup 11 May 2016), by Andrew Randall
Presentation for the London Mesos Users Meetup, 11 May 2016.
An overview of the current state of the art in container networking, with lessons learned over the last 12 months or so deploying Project Calico in the real world.
IOT and System Platform From Concepts to Code, by Andy Robinson
This presentation was delivered at the Wonderware Software Users Conference in 2015. In this presentation I cover fundamental concepts related to IOT as well as specific applications using Wonderware System Platform.
Leverage the Network to Detect and Manage Threats, by Cisco Canada
Session: Leverage the Network to Detect and Manage Threats
Presenter: Michael Moriarta, Lancope - Technical Alliance Manager/SE Southeast US
Date: October 6, 2015
Leveraging Network Offload to Accelerate SDN and NFV Deployments, by Netronome
Ron Renwick, Director of Product Marketing and Product Line Manager, presents "Leveraging Network Offload to Accelerate SDN and NFV Deployments," at Layer123 SDN NFV World Congress 2017. Watch the video replay on the Netronome YouTube channel: https://youtu.be/V7cRv12pDsc
Challenges and experiences with IPTV from a network point of view, by brouer
OpenSource IPTV MPEG2-TS analyzer.
This presentation was given at OpenSourceDays 2010 (and in earlier stages of the project at Bifrost Workshop 2009 and 2010)
IoT Conference Berlin: M2M, IoT, device management: one protocol to rule them all?, by Julien Vermillard
M2M/IoT is rapidly growing, and since its early days different “standard” protocols have emerged (e.g. OMA-DM, TR-069, MQTT, …) or are emerging (e.g. CoAP or Lightweight M2M). Understanding which protocol to use for which application can be intimidating, so we propose to give an overview of these protocols to help you understand their goals and characteristics. We will present common M2M use cases and why they usually require more than just one protocol; we will also see whether CoAP combined with Lightweight M2M makes it possible to forge “one protocol to rule them all”.
Network Security and Visibility through NetFlow, by Lancope, Inc.
With the rise of disruptive forces such as cloud computing and mobile technology, the enterprise network has become larger and more complex than ever before. Meanwhile, sophisticated cyber-attackers are taking advantage of the expanded attack surface to gain access to internal networks and steal sensitive data.
Perimeter security is no longer enough to keep threat actors out, and organizations need to be able to detect and mitigate threats operating inside the network. NetFlow, a context-rich and common source of network traffic metadata, can be utilized for heightened visibility to identify attackers and accelerate incident response.
Join Richard Laval to discuss the security applications of NetFlow using StealthWatch. This session will cover:
- An overview of NetFlow, what it is, how it works, and how it benefits security
- Design, deployment, and operational best practices for NetFlow security monitoring
- How to best utilize NetFlow and identity services for security telemetry
- How to investigate and identify threats using statistical analysis of NetFlow telemetry
AWS re:Invent 2016: NextGen Networking: New Capabilities for Amazon’s Virtual..., by Amazon Web Services
Amazon’s Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud and gives you complete control over your virtual networking environment. Amazon VPC continues to evolve with new capabilities and enhancements. These features give you increasingly greater isolation, control, and visibility at the all-important networking layer. In this session, we review some of the latest changes, discuss their value, and describe their use cases.
Today’s networks are waging a ceaseless battle against an army of ingenious and fast-evolving advanced threats. Companies must be well provisioned to deploy a quick, decisive and network-wide response to attacks. Protecting the network demands robust monitoring that is actually built into the network architecture. Learn how to build scalable network protection and improve the overall security and performance of the network.
Blind spots are commonly caused by these common issues: lack of SPAN ports, dropped and duplicated packets, oversubscribed security and performance tools, unseen inter-VM traffic and more.
Ixia developed a highly scalable Visibility Architecture that helps eliminate those blind spots while providing resilience and control without complexity. Ixia's new Visibility Architecture is founded on a comprehensive product portfolio which includes:
- Network TAPs (aggregation, regeneration, 1/10/40/100G)
- Bypass Switches (for inline security deployments, 1/10/40G)
- Network Packet Brokers (intelligent filtering, load-balancing, de-duplication, matrix switching)
- Virtual TAPs (for full Virtual Network visibility)
Join NPC and Ixia to learn how Visibility Architecture helps speed application delivery and enables effective troubleshooting and monitoring for network security, application performance, and service level agreement (SLA) fulfilment — and allows IT to meet compliance mandates.
In Infrastructure-as-a-Service (IAAS) clouds, Xen is a popular choice of hypervisor. While the Xen hypervisor has strong isolation, integrating with the cloud infrastructure environment (switches, routers, load balancers, firewalls, ip address allocation) requires additional work by the IAAS cloud management platform (CMP) to achieve this. We will look at various solutions such as network virtualization, SDN, network function virtualization and L3 isolation that work with the Xen hypervisor, in the context of the Apache CloudStack IAAS platform. Attendees will come away with an understanding of the challenges of network isolation, how Apache CloudStack solves some of the scaling issues and the future of Xen-based clouds.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024 (uploaded by APNIC)
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Multi-cluster Kubernetes Networking: Patterns, Projects and Guidelines, by Sanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
1. Wireless Communication System: Wireless communication is a broad term that i..., by JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
1. Romana Project: Network and Security Automation
romana.io, June 2016
OpenStack Operators Meetup, June 7, 2016
2. New Networks, New Problems, New Solutions
• Legacy Apps / Enterprise Private Cloud
  • LAN emulation to support vMotion
  • Automated data center infrastructure provisioning
• Cloud Native Apps
  • Seamless public/private cloud deployment and orchestration
  • Docker and container networking
  • Endpoint explosion and compressed lifecycle
  • Whitebox and GIFEE networks
• Enterprise SDN
  • VMware/NSX
  • Cisco ACI
  • Others…
• Cloud Native Networks
  • Network automation for rapid provisioning
  • Security automation
  • Multi-cloud
romana.io June 2016 Slide 1
3. Cloud Native vs. Enterprise Networks
• Amazon AWS Style v. Enterprise Apps
  • Service orientation (Cattle) v. Endpoint orientation (Pets)
• Network requirements
  • Reachable IP addresses v. Auto-discovered MAC (ARP on VLANs)
• Service orientation further decouples apps from infrastructure
  • No VM migration
  • No IP failover
• Good News: Cloud Native apps don’t need layer 2 networks
  • Avoiding layer 2 networks eliminates a lot of SDN complexity
• Bad News: Layer 2 networks provided a convenient way to isolate apps
  • Even a small number of VLANs were difficult to automate
Bottom Line: Need a new way to isolate networks
romana.io June 2016 Slide 2
4. Romana Network and Security Automation
• Layer 3 based isolation and tenancy model
  • Topology-aware addressing
  • Embed tenant and segment IDs in IP addresses
  • Requires nothing more than standard L3 routing
• Hierarchical design simplifies scalable deployment
  • No virtual network required
  • Native performance and visibility
  • Eliminates overlays
• Routes map to services 1:1
  • Simplifies composition, security and control
• Tightly integrated into Cloud Management/Orchestration IPAM
romana.io June 2016 Slide 3
5. SDN Complexity Melts Away
• No VLANs, VXLANs, VTEP/VNID, OpenFlow, OVS/OVN/OVSDB
• Route aggregation simplifies the network
  • Static routing eliminates the need for route distribution (BGP, XMPP, KVS)
  • Reduces the number of firewall rules (i.e. per network v. per endpoint)
• Simplifies operations
  • Existing tools, techniques and diagnostics all just work
  • Existing security, policy and control systems all work
    • Firewalls, IDS, LB, etc.
romana.io June 2016 Slide 4
6. North/South Traffic
• Neutron Network node routes traffic between segments
• Network node performs all L3 functions
• East/West traffic encapsulated, but is direct to destination host
Diagram (native OpenStack path): VXLAN encap and decap on each host; North/South traffic takes 2 Top of Rack round trips; East/West traffic; per-instance security.
7. North/South Traffic
• Latency dramatically reduced
• No Network node
• No encap
• Identical path for East/West traffic
Diagram (Romana path): Network node eliminated, encap bypassed; a Romana Router on each host; North/South traffic takes 1 Top of Rack round trip; per-network security.
8. Network Latency
• North/South Latency reduced 50%-85%
• 10% improvement for East/West traffic between hosts (no encap)
• No performance penalty for local on-host East/West traffic
                      North/South (Routed)    East/West (Switched)
Time (ms)             Local      Remote       Local      Remote
Native OpenStack      1.51*      1.51         0.24       0.85
Romana Networks       0.24       0.77         0.24**     0.77**

Relative Performance  Local      Remote       Local      Remote
Native OpenStack      100%       100%         100%       100%
Romana Networks       16%        51%          100%       90%

* All N/S OpenStack traffic goes off host
** All Romana traffic is routed
9. How does it work?
• Assign CIDR length for host (node), tenant and segment
• Example: host 16, tenant 20, segment 24
• On every host, each tenant gets a real physical CIDR
• Tenant can further sub-net for their own private segments
• Assign IP addresses that maintain reachability
• Apply layer 3 firewall rules for network isolation
• Configure next hop gateway for service composition
10. Example
Bit layout (example: 10/8 network, then 8 host bits, 4 tenant bits, 4 segment bits, 8 endpoint bits):

Field            Bits   Bit location   Capacity / purpose
10/8 Network      8      1-8           Fixed network bits 0 0 0 0 1 0 1 0 (10/8)
Host ID           8      9-16          Up to 255 Hosts
Tenant ID         4     17-20          Up to 255 Tenants
Segment ID        4     21-24          Up to 16 Segments per Tenant
Endpoint ID       8     25-32          Up to 16 Endpoints per Segment
(Tenant/Segment ID bits together: 8; 255 Endpoints for each Tenant)

Address assignment on three hosts:

ID               Host 1            Host 2            Host 3
Physical Addr    192.168.0.10      192.168.0.11      192.168.0.12
Host CIDR        10.1/16           10.2/16           10.3/16
Tenant 0         10.1.0/20         10.2.0/20         10.3.0/20
  Segment        1: 10.1.1/24      1: 10.2.1/24      2: 10.3.2/24
    VM 1 (22)    10.1.1.22         10.2.1.22         10.3.2.22
    VM 2 (33)    10.1.1.33         10.2.1.33         10.3.2.33
Tenant 1         10.1.16/20        10.2.16/20        10.3.16/20
  Segment        1: 10.1.17/24     2: 10.2.18/24     1: 10.3.17/24
    VM 3 (44)    10.1.17.44        10.2.18.44        10.3.17.44
    VM 4 (55)    10.1.17.55        10.2.18.55        10.3.17.55
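The bit layout from slides 9 and 10, worked through in code. This is an added example, not Romana's own code: the class `AddressScheme`, its methods and `same_tenant` are names chosen here, and the scheme constant reproduces the slide's layout (10/8 network, 8 host, 4 tenant, 4 segment, 8 endpoint bits). It shows how an address is assembled from the IDs, how the IDs are read back out of any address, what CIDR each host, tenant and segment owns, and how the layer-3 isolation rule "same tenant, any host" is expressed as a value/mask pair, since the host field sits above the tenant field and a single contiguous CIDR cannot capture it.

```python
"""Romana-style topology-aware addressing (added example, not project code).

Layout, most significant bits first: <network prefix><host ID><tenant ID><segment ID><endpoint ID>
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class AddressScheme:
    network: ipaddress.IPv4Network   # the block the deployment owns, e.g. 10.0.0.0/8
    host_bits: int
    tenant_bits: int
    segment_bits: int

    def __post_init__(self) -> None:
        if self.endpoint_bits < 1:
            raise ValueError("prefix + host + tenant + segment bits leave no room for endpoints")

    @property
    def endpoint_bits(self) -> int:
        return 32 - self.network.prefixlen - self.host_bits - self.tenant_bits - self.segment_bits

    def _shifts(self) -> Tuple[int, int, int]:
        """Bit offsets (from the least significant end) of the host, tenant and segment fields."""
        seg = self.endpoint_bits
        ten = seg + self.segment_bits
        host = ten + self.tenant_bits
        return host, ten, seg

    @staticmethod
    def _check(name: str, value: int, bits: int) -> None:
        if not 0 <= value < (1 << bits):
            raise ValueError(f"{name} {value} does not fit in {bits} bits")

    def encode(self, host: int, tenant: int, segment: int, endpoint: int) -> ipaddress.IPv4Address:
        """Build one endpoint's address; every ID is readable straight from the bits."""
        host_shift, ten_shift, seg_shift = self._shifts()
        self._check("host", host, self.host_bits)
        self._check("tenant", tenant, self.tenant_bits)
        self._check("segment", segment, self.segment_bits)
        self._check("endpoint", endpoint, self.endpoint_bits)
        value = (int(self.network.network_address)
                 | host << host_shift | tenant << ten_shift | segment << seg_shift | endpoint)
        return ipaddress.IPv4Address(value)

    def decode(self, ip) -> Tuple[int, int, int, int]:
        """Recover (host, tenant, segment, endpoint) from an address in this scheme."""
        addr = ipaddress.IPv4Address(ip)
        if addr not in self.network:
            raise ValueError(f"{addr} is outside {self.network}")
        host_shift, ten_shift, seg_shift = self._shifts()
        value = int(addr)

        def field(shift: int, bits: int) -> int:
            return (value >> shift) & ((1 << bits) - 1)

        return (field(host_shift, self.host_bits), field(ten_shift, self.tenant_bits),
                field(seg_shift, self.segment_bits), field(0, self.endpoint_bits))

    def host_cidr(self, host: int) -> ipaddress.IPv4Network:
        """The real, routable block a host owns (what it announces upstream)."""
        prefix = self.network.prefixlen + self.host_bits
        return ipaddress.IPv4Network((int(self.encode(host, 0, 0, 0)), prefix))

    def tenant_cidr(self, host: int, tenant: int) -> ipaddress.IPv4Network:
        prefix = self.network.prefixlen + self.host_bits + self.tenant_bits
        return ipaddress.IPv4Network((int(self.encode(host, tenant, 0, 0)), prefix))

    def segment_cidr(self, host: int, tenant: int, segment: int) -> ipaddress.IPv4Network:
        prefix = self.network.prefixlen + self.host_bits + self.tenant_bits + self.segment_bits
        return ipaddress.IPv4Network((int(self.encode(host, tenant, segment, 0)), prefix))

    def tenant_filter(self, tenant: int) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
        """(value, mask) matching every address of `tenant` on every host.

        The mask keeps the network prefix and the tenant bits and clears the host
        bits in between, so it is not a contiguous CIDR mask.
        """
        self._check("tenant", tenant, self.tenant_bits)
        _, ten_shift, _ = self._shifts()
        mask = int(self.network.netmask) | (((1 << self.tenant_bits) - 1) << ten_shift)
        value = int(self.network.network_address) | (tenant << ten_shift)
        return ipaddress.IPv4Address(value), ipaddress.IPv4Address(mask)


def same_tenant(scheme: AddressScheme, ip, tenant: int) -> bool:
    """The layer-3 isolation check: does `ip` carry this tenant's ID bits?"""
    value, mask = scheme.tenant_filter(tenant)
    return int(ipaddress.IPv4Address(ip)) & int(mask) == int(value)


# The layout on slides 9 and 10: 10/8 network, then 8 host, 4 tenant, 4 segment, 8 endpoint bits.
SLIDE_SCHEME = AddressScheme(ipaddress.IPv4Network("10.0.0.0/8"), host_bits=8, tenant_bits=4, segment_bits=4)

if __name__ == "__main__":
    for host, tenant, segment, vm in [(1, 1, 1, 44), (2, 1, 2, 55), (3, 0, 2, 22)]:
        ip = SLIDE_SCHEME.encode(host, tenant, segment, vm)
        print(ip, "->", SLIDE_SCHEME.decode(ip), "in", SLIDE_SCHEME.segment_cidr(host, tenant, segment))
    print("tenant 1 on any host:", SLIDE_SCHEME.tenant_filter(1))
```

Running it reproduces the slide's addresses (10.1.17.44, 10.2.18.55, 10.3.2.22) and the per-host CIDRs, and prints the tenant-1 filter 10.0.16.0 with mask 255.0.240.0, which is what a per-tenant layer-3 firewall rule must match when hosts are allocated above tenants in the address.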
11. Physical Deployment
Host 1 (192.168.0.10)             Host 2 (192.168.0.11)             Host 3 (192.168.0.12)
  G/W: 10.1.0.1/16                  G/W: 10.2.0.1/16                  G/W: 10.3.0.1/16
  VM 1: 10.1.1.22                   VM 1: 10.2.1.22                   VM 1: 10.3.2.22
  VM 2: 10.1.1.33                   VM 2: 10.2.1.33                   VM 2: 10.3.2.33
  VM 3: 10.1.17.44                  VM 3: 10.2.18.44                  VM 3: 10.3.17.44
  VM 4: 10.1.17.55                  VM 4: 10.2.18.55                  VM 4: 10.3.17.55
  Routes:                           Routes:                           Routes:
  10.2/16 -> 192.168.0.11           10.1/16 -> 192.168.0.10           10.1/16 -> 192.168.0.10
  10.3/16 -> 192.168.0.12           10.3/16 -> 192.168.0.12           10.2/16 -> 192.168.0.11
12. ECMP
BGP/OSPF Area
Every host gets /16 network, announces to Leaf
Leaf aggregates 64 /16 networks, announces /10 to Spine
Spine contains only four /10 networks
Endpoints on Host 8 must get address within 10.2.0.0/16
Endpoints on Host 221 must get address within 10.194.0.0/16

Spine 1 and Spine 2 (identical tables):
  0.0.0.0 via Internet
  10.0.0.0/10 via Leaf 1
  10.64.0.0/10 via Leaf 2
  10.128.0.0/10 via Leaf 3
  10.192.0.0/10 via Leaf 4

Leaf 1:                            Leaf 4:
  0.0.0.0 via Spine 1                0.0.0.0 via Spine 1
  10.0.0.0/16 via Port 1             10.192.0.0/16 via Port 1
  10.1.0.0/16 via Port 2             10.193.0.0/16 via Port 2
  10.2.0.0/16 via Port 3             10.194.0.0/16 via Port 3
  10.3.0.0/16 via Port 4             10.195.0.0/16 via Port 4
  …                                  …
  10.63.0.0/16 via Port 64           10.255.0.0/16 via Port 64
(Leaf 2 and Leaf 3 are drawn without their tables)

Host 8 (Leaf 1, Port 8): 10.2.16.34
  0.0.0.0 via Leaf 1, Port 8
  10.2/16 RIP to Leaf for distribution
Host 221 (Leaf 4, Port 3): 10.194.3.71
  0.0.0.0 via Leaf 4, Port 3
  Announce route to ToR
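The aggregation on this slide carried through in code, as an added example (not Romana's or any vendor's routing code): per-host /16s behind a leaf fold into one /10 for the spine, the spine ends up with four routes, and an endpoint is reachable only if its address falls inside the /16 of the host it runs on. The port-to-prefix order follows the slide's own listing (Port 1 gets the leaf's lowest /16); the function names, the four-leaf figure and the constructed addresses are this example's assumptions.

```python
"""Leaf/spine route aggregation for per-host /16 prefixes (added example, not project code)."""
import ipaddress
from typing import Dict, Iterable, List

# Figures from the slide: one /8, a /16 per host, 64 host ports per leaf, four leaves.
NETWORK = ipaddress.IPv4Network("10.0.0.0/8")
HOST_PREFIXLEN = 16
NUM_LEAVES = 4


def leaf_aggregate(leaf: int, num_leaves: int = NUM_LEAVES) -> ipaddress.IPv4Network:
    """The single summary prefix that leaf `leaf` (1-based) announces to the spines.

    The /8 is cut into the smallest power-of-two number of equal blocks that covers
    every leaf: four leaves -> four /10s.
    """
    extra_bits = (num_leaves - 1).bit_length()          # ceil(log2(num_leaves))
    blocks = list(NETWORK.subnets(new_prefix=NETWORK.prefixlen + extra_bits))
    return blocks[leaf - 1]


def leaf_routes(leaf: int) -> Dict[int, ipaddress.IPv4Network]:
    """Port -> host /16, Port 1 getting the leaf's lowest /16 as on the slide."""
    hosts = leaf_aggregate(leaf).subnets(new_prefix=HOST_PREFIXLEN)
    return {port: prefix for port, prefix in enumerate(hosts, start=1)}


def spine_routes(num_leaves: int = NUM_LEAVES) -> Dict[int, ipaddress.IPv4Network]:
    """Leaf -> aggregate: the whole routing table a spine needs for the fabric."""
    return {leaf: leaf_aggregate(leaf, num_leaves) for leaf in range(1, num_leaves + 1)}


def aggregate(prefixes: Iterable[ipaddress.IPv4Network]) -> ipaddress.IPv4Network:
    """Collapse a leaf's host routes; aligned, consecutive /16s fold into one summary."""
    summary = list(ipaddress.collapse_addresses(prefixes))
    if len(summary) != 1:
        raise ValueError(f"prefixes do not summarise to a single route: {summary}")
    return summary[0]


def endpoint_allowed(ip: str, leaf: int, port: int) -> bool:
    """Reachability by construction: an endpoint on the host behind (leaf, port) is
    routable only if its address lies inside that host's /16. IPAM must refuse anything else."""
    return ipaddress.IPv4Address(ip) in leaf_routes(leaf)[port]


def render(table: Dict[int, ipaddress.IPv4Network], via: str) -> List[str]:
    """Route table lines in the slide's notation, e.g. '10.0.0.0/10 via Leaf 1'."""
    return [f"{prefix} via {via} {index}" for index, prefix in table.items()]


if __name__ == "__main__":
    print("Spine:")
    for line in render(spine_routes(), "Leaf"):
        print("  ", line)
    print("Leaf 4 (first four ports):")
    for line in render(leaf_routes(4), "Port")[:4]:
        print("  ", line)
    print("Leaf 1 summary:", aggregate(leaf_routes(1).values()))
    print("10.194.3.71 valid on Leaf 4 Port 3:", endpoint_allowed("10.194.3.71", leaf=4, port=3))
```

The same functions generalise to other sizes: changing `NUM_LEAVES` or `HOST_PREFIXLEN` recomputes the summary length, and `aggregate` raises if the per-host prefixes no longer fold into one route, which is the condition the static, distribution-free design on slide 4 depends on.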
13. Leaf 1
Diagram (the fabric from slide 11: Spine 1, Spine 2, Leaf 1 to Leaf 4) with an Edge/NAT and an SLB VM added:
  Host 8: 10.2.16.34; 0.0.0.0 via Leaf 1, Port 8; 10.2/16 RIP to Leaf for distribution
  Host: 10.194.3.71; 0.0.0.0 via Leaf 4, Port 3
  SLB gets FIP as VIP: FIP 172.16.1.25
  172.16.1.25 host route: host routes to external service endpoints
15. Network/Security Policy
NetPolicy.json
{
  "Name": "policy2",
  "PolicyID": "CF2D2BE2-4553-4C28-BD02-140CF83617A2",
  "AppliedTo": [
    {
      "Tenant": "tenant2",
      "Segment": "Segment1",
      "HostCIDR": "10.23.0.0/0"
    }
  ],
  "Tags": [],
  "Direction": "Ingress",
  "Peers": [
    {
      "CidrBlock": "0.0.0.0/0"
    }
  ],
  "Rules": [
    {
      "Protocol": "ICMP",
      "IcmpTypeCode": [0, 8],
      "IsStateful": true
    }
  ],
  "Description": "hello there, security policies are fun!"
}
Field notes (the slide's inline comments, moved out of the JSON so the document parses):
• PolicyID: unique identifier across tenants, auto-generated for POST.
• AppliedTo: can attach multiple tenants to which the policy is applied.
• HostCIDR: apply policy to entire host.
• Tags: metadata attached to policies for various external environments like OpenStack/Kubernetes.
• Direction: can be Egress or Ingress.
• Peers.CidrBlock: IP from L3 header.
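To make the policy document concrete, here is an added example (not Romana's code) that validates the NetPolicy above as JSON and evaluates a flow against it. The match semantics are this example's reading of the slide's field comments: Direction decides which end of the flow is the peer, Peers is a CIDR allow-list, and a rule matches on Protocol and, for ICMP, on the listed types. The flow dictionary keys (direction, src_ip, dst_ip, protocol, icmp_type) and the sample addresses are constructed; AppliedTo selection and the iptables enforcement Romana performs on the host are outside this example.

```python
"""Validating and evaluating a Romana-style NetPolicy document (added example, not project code)."""
import ipaddress
import json
from typing import Any, Dict, List

# The slide's policy as valid JSON (inline comments removed). Constructed input.
NETPOLICY_JSON = """{
  "Name": "policy2",
  "PolicyID": "CF2D2BE2-4553-4C28-BD02-140CF83617A2",
  "AppliedTo": [{"Tenant": "tenant2", "Segment": "Segment1", "HostCIDR": "10.23.0.0/0"}],
  "Tags": [],
  "Direction": "Ingress",
  "Peers": [{"CidrBlock": "0.0.0.0/0"}],
  "Rules": [{"Protocol": "ICMP", "IcmpTypeCode": [0, 8], "IsStateful": true}],
  "Description": "hello there, security policies are fun!"
}"""

REQUIRED_KEYS = ("Name", "AppliedTo", "Direction", "Peers", "Rules")


def policy_errors(text: str) -> List[str]:
    """Structural checks worth running before a policy is stored or pushed to agents."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    errors = [f"missing field {key}" for key in REQUIRED_KEYS if key not in policy]
    if policy.get("Direction") not in ("Ingress", "Egress"):
        errors.append("Direction must be Ingress or Egress")
    for peer in policy.get("Peers", []):
        try:
            ipaddress.ip_network(peer.get("CidrBlock", ""))
        except ValueError:
            errors.append(f"bad peer CidrBlock: {peer.get('CidrBlock')!r}")
    for rule in policy.get("Rules", []):
        if "Protocol" not in rule:
            errors.append("rule without Protocol")
    return errors


def load_policy(text: str) -> Dict[str, Any]:
    errors = policy_errors(text)
    if errors:
        raise ValueError("; ".join(errors))
    return json.loads(text)


def peer_matches(policy: Dict[str, Any], peer_ip: str) -> bool:
    """Peers is a list of CIDR blocks the far end of the flow must fall into."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(p["CidrBlock"]) for p in policy["Peers"])


def rule_matches(rule: Dict[str, Any], flow: Dict[str, Any]) -> bool:
    """Protocol must match; for ICMP the type must also be one of IcmpTypeCode
    (0 = echo reply and 8 = echo request in the slide's example)."""
    if rule["Protocol"].upper() != str(flow.get("protocol", "")).upper():
        return False
    if rule["Protocol"].upper() == "ICMP" and "IcmpTypeCode" in rule:
        return flow.get("icmp_type") in rule["IcmpTypeCode"]
    return True


def flow_permitted(policy: Dict[str, Any], flow: Dict[str, Any]) -> bool:
    """Direction, peer CIDR and at least one rule must all match.
    Assumption of this example: a policy is an allow-list, so anything it does not match is not permitted by it."""
    if flow.get("direction") != policy["Direction"]:
        return False
    peer = flow.get("src_ip") if policy["Direction"] == "Ingress" else flow.get("dst_ip")
    if peer is None or not peer_matches(policy, peer):
        return False
    return any(rule_matches(rule, flow) for rule in policy["Rules"])


POLICY = load_policy(NETPOLICY_JSON)

if __name__ == "__main__":
    echo_request_in = {"direction": "Ingress", "src_ip": "192.0.2.5", "protocol": "icmp", "icmp_type": 8}
    tcp_in = {"direction": "Ingress", "src_ip": "192.0.2.5", "protocol": "tcp"}
    print("validation errors:", policy_errors(NETPOLICY_JSON))
    print("inbound echo request permitted:", flow_permitted(POLICY, echo_request_in))
    print("inbound tcp permitted:", flow_permitted(POLICY, tcp_in))
```

Running `policy_errors` on a document before accepting it catches the defects that the slide's hand-written version had (comments and trailing commas make it unparseable), and the evaluator makes the policy's effect reviewable: with this document only inbound echo request and echo reply from any source match, and nothing else is permitted by it.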
16. Scalable Deployments
• Need more IP addresses
• Large OpenStack environments
• Container endpoint explosion
• Separate Romana deployment for each OpenStack cluster
• Clusters interact via service endpoints
• Explicitly manage overlapping IPs
• Use datacenter FIPs
• Support Overlapping in Romana IPAM
• Advantage of consistent policy across environment
• IPv6
17. Large Scale Deployments
Cluster 1                           Cluster 2
  Romana 1: 10/8                      Romana 2: 10/8
  Shared Block: 10.0.1/24             Shared Block: 10.0.1/24
  Local FIPs: 10.0.1.128/25           Local FIPs: 10.0.1.0/25
  Remote FIPs: 10.0.1.0/25            Remote FIPs: 10.0.1.128/25
Edge between the clusters.
Alternatively use FIPs from DC addresses: shared 172.16.1/24 FIPs.
18. Kubernetes Deployment
Diagram: Romana services (Security Policy, IPAM, Routes, Tenant, Topology, DB); k8s Master (API, Controllers, Scheduler, etcd) with the Pod/Service Definition; Minion running Pods, with iptables, the Romana Agent, CNI and a Listener.
19. Nested Container Networking
Example 1: 10/8 network

Field            Bits   Bit location   Purpose
10.0 Network      8      1-8           Full Network (10/8); fixed bits 0 0 0 0 1 0 1 0
Host ID           8      9-16          Up to 255 Hosts
Tenant ID         4     17-20          Up to 16 Tenants
Segment ID        4     21-24          Up to 16 Segments per Tenant
Endpoint ID       8     25-32          Up to 255 Endpoints per Segment
(Tenant and Segment ID bits together: 8, up to 255 Tenant/Segments)

Example 2: 172.16/12 network (the nested container network)

Field            Bits   Bit location   Purpose
172.16 Network   12      1-12          Full Network (172.16/12); fixed bits 1 0 1 0 1 1 0 0 0 0 0 1
Host ID           4     13-16          Up to 16 Hosts
Tenant ID         4     17-20          Up to 16 Tenants
Segment ID        4     21-24          Up to 16 Segments per Tenant
Endpoint ID       8     25-32          Up to 255 Endpoints per Segment
(Tenant and Segment ID bits together: 8, up to 255 Tenant/Segments)
21. Ubernetes
Host 1 (192.168.0.10)
  VM 1: 10.1.1.22, G/W: 10.1.0.1/16
    Pod 172.16.1.8, Pod 172.16.2.9, GW 172.16.0.1/16
    VM routes: 172.17/16 -> 10.2.0.1, 172.18/16 -> 10.3.0.1
  Host routes: 10.2/16 -> 192.168.0.11, 10.3/16 -> 192.168.0.12, 172.17/16 -> 192.168.0.11, 172.18/16 -> 192.168.0.12
Host 2 (192.168.0.11)
  VM 1: 10.2.1.22, G/W: 10.2.0.1/16
    Pod 172.17.6.8, Pod 172.17.2.11, GW 172.17.0.1/16
    VM routes: 172.16/16 -> 10.1.0.1, 172.18/16 -> 10.3.0.1
  Host routes: 10.1/16 -> 192.168.0.10, 10.3/16 -> 192.168.0.12, 172.16/16 -> 192.168.0.10, 172.18/16 -> 192.168.0.12
Host 3 (192.168.0.12)
  VM 1: 10.3.1.22, G/W: 10.3.0.1/16
    Pod 172.18.3.8, Pod 172.18.4.9, GW 172.18.0.1/16
    VM routes: 172.16/16 -> 10.1.0.1, 172.17/16 -> 10.2.0.1
  Host routes: 10.1/16 -> 192.168.0.10, 10.2/16 -> 192.168.0.11, 172.16/16 -> 192.168.0.10, 172.17/16 -> 192.168.0.11
The three hosts connect to the WAN.
22. Networks Define Services
• Tenant ID + Segment ID become a Network ID
• Natural fit for micro- and shared platform services
• Route control to/from microservices enables transparent service insertion/chaining and policy enforcement
• Local/remote/hybrid cloud deployments
Diagram: four microservice endpoints (each an IP interface) with L/B and F/W as shared services.
23. Romana Project
• Cloud Native network and security automation
• All details available at romana.io
• Open source
• Apache 2.0
• Written in Go
• www.github.com/romana
• OpenStack and Kubernetes integration
• Release v0.9 available now
24. Demo
• OpenStack on four physical machines
• Launch VMs on private 10/8 network
• Kubernetes running on VMs
• Kubernetes Network 172.16/12
• Container Network Interface (CNI) configuration of pods
• Romana IPAM allocates IPs for VMs and pods
• Chosen specially to maintain static routes and CIDRs to each host and VM
• All IPs reachable by construction