SlideShare a Scribd company logo
1 of 27
Download to read offline
Overlay Networks & IP Fabrics
FrOSCon 13 Network Track
Falk Stern, Maximilian Wilhelm
1 / 27
Agenda
1. Who's who
2. Encapsulate me one more time
3. Tunnel technologies
4. IP-Fabrics
5. Real-World-examples
2 / 27
Who's who Falk Stern
Full Stack Infrastructure Engineer
IPv6 fanboy
Runs his own Kubernetes cluster in his basement
Consultant @ Profi Engineering Systems AG
Contact
@wrf42
falk@fourecks.de
3 / 27
Who's who Maximilian Wilhelm
Networker
OpenSource Hacker
Fanboy of
(Debian) Linux
ifupdown2
Occupation:
By day: Senior Infrastructure Architect, Uni Paderborn
By night: Infrastructure Archmage, Freifunk Hochstift
In between: Freelance Solution Architect for hire
Contact
@BarbarossaTM
max@sdn.clinic
4 / 27
Who's who
Encaps/Decaps
Encapsulation
Wrapping frames or packets into other packets
Not always a good idea
A bit like Christmas, you're never sure what you get
5 / 27
Who's who
Encaps/Decaps
6 / 27
Who's who
Encaps/Decaps
Tunnel
IPSec
Authenticates and/or encrypts IP packets
Authenticated Header, Encrypted Security Payload
IP protocol 50, 51 RFC4301
Transport / Tunnelmode
Transport inserts header into packet, Tunnel encapsulates
Dynamic Keying through IKEv1, IKEv2
IKE is based on UDP, Port 500
Complex protocol, many options
NAT unfriendly, NAT-Traversal is negotiated, UDP port 4500
7 / 27
Who's who
Encaps/Decaps
Tunnel
IPSec
Phase 1
Exchange of encryption proposals
Both ends exchange session keys through Diffie-Hellman key exchange
Pre-Shared-Key or certificate exchange encrypted with session key
Security Associations are exchanged
Phase 2
Diffie-Hellman key exchange
Periodic key changes for perfect forward secrecy
Only traffic matching Security Associations is encrypted
8 / 27
Who's who
Encaps/Decaps
Tunnel
GRE - Generic Routing Encapsulation
Developed by Cisco in 1994, now RFC2784 and RFC2890
Encapsulates IP, IPX, AppleTalk in IP
IP protocol 47
Adds a 4 byte GRE header, total overhead 20 bytes
Used in
PPTP VPN (encapsulates IP in PPP in GRE)
IPv6 in IPv4
Tunnel between IPSEC endpoints
Low overhead tunnel between everything
9 / 27
Who's who
Encaps/Decaps
Tunnel
L2TP - Layer 2 Tunneling Protocol
L2TPv2 developed to tunnel PPP - RFC2661
L2TPv3 as alternative to MPLS - RFC3931
Based on UDP
NAT-friendly
L2TPv2 VPNs encapsulate L2TP frames in IPSEC - RFC3193
10 / 27
Who's who
Encaps/Decaps
Tunnel
OpenVPN
Flexible SSL VPN
TCP/UDP based
Tunnels IPv4, IPv6 or even Ethernet frames
X.509 Certificate based Authentication
Username/Passwort with 2FA possible
11 / 27
Who's who
Encaps/Decaps
Tunnel
Multi Protocol Label Switching / MPLS
Developed to enable fast switching in core routers
Switching packets based on IP required TCAM, was expensive
Label lookup is faster, no need for longest match
Layer 2.5, requires IP to work, RFC3031
Enables predefined paths through a network
Allows Traffic-Engineering
Used by service providers
12 / 27
Who's who
Encaps/Decaps
Tunnel
Virtual eXtensible LAN / VXLAN
Poor man's MPLS
Developed by Cisco, Arista Networks, VMware, now RFC7348
Broad industry backing
24 bit VXLAN identifier (VNI) instead of 12 bit VLAN ID
16M vs. 4096
Encapsulates Ethernet frames in UDP packets
40 bytes overhead over IPv4, 60 bytes over IPv6
Endpoints are called Virtual Tunnel EndPoint (VTEP)
13 / 27
Who's who
Encaps/Decaps
Tunnel
Virtual eXtensible LAN / VXLAN
Unicast mode
VTEPs are statically defined
Point-to-Point
Can be used for data center interconnects
Multicast mode
All VTEPs listen on a specified multicast address
Broadcasts and unknown Unicasts (BUM) are mapped to Multicast Groups
Dynamic learning of endpoints through listening
14 / 27
Who's who
Encaps/Decaps
Tunnel
Virtual eXtensible LAN / VXLAN
Controller based
An external controller programs VTEP endpoints and MAC mappings
BUM traffic gets replicated to all VTEPs
Ideally there is no BUM traffic
Commercially available
Cisco APIC
VMware NSX through OVSDB
Cumulus vxfld (https://github.com/CumulusNetworks/vxfld)
15 / 27
Who's who
Encaps/Decaps
Tunnel
IP Fabrics IP Fabrics
16 / 27
Who's who
Encaps/Decaps
Tunnel
IP Fabrics
Clos Fabrics
Invented for the telephone network
Formalized by Charles Clos in 1952
Far fewer connections required than with a single switch
17 / 27
Who's who
Encaps/Decaps
Tunnel
IP Fabrics
What's wrong with Layer 2?
Spanning-Tree needs blocked paths
L2 only has a single path
IP can use multiple concurrent paths
MCLAG and LACP are possible solutions
But way too complex, limited to 2 upstream devices
Does not scale
18 / 27
Who's who
Encaps/Decaps
Tunnel
IP Fabrics
IP Fabrics
Predictable latency through the whole fabric
Scalable
Predictable bandwidth through the whole fabric
Perfect underlay for overlay networks
Typical design includes Leaf and Spine
Bisectional bandwidth can be scaled with number of Spines
19 / 27
Who's who
Encaps/Decaps
Tunnel
IP Fabrics
BGP to the rescue!
BGP has always defined multiple paths between AS
Is able to carry all necessary routes
Through VPNv4 AFI, can carry MAC addresses
One AS per Rack
iBGP would need Route Reflectors or full mesh
20 / 27
Who's who
Encaps/Decaps
Tunnel
IP Fabrics
BGP to the rescue!
Packetflow in an IP Fabric
21 / 27
Who's who
Encaps/Decaps
Tunnel
IP Fabrics
Tying it all together
VXLAN* can be used as an overlay protocol in the fabric
BGP carries all MAC adresses with next-hop of VTEP
Suddenly
All links in use
More than 4096 VLANs available
"A Network Virtualization Overlay Solution Using Ethernet VPN (EVPN)"
RFC8365, March 2018
* To be fair MPLS can be used as data plane too 22 / 27
Who's who
Encaps/Decaps
Tunnel
IP Fabrics
VXLAN Tunnel via Unicast between LO-
IPs of
dr-01
cr-D
VTEPs bridged into
Chaos network on dr-01
eth1 NIC on cr-D
AS13020
AS39225
Core
Distribution
Border
br-01 cr-E cr-A
cr-D
cr-B
cr-C
dr-01
Access
sw-01 ap-04
ap-03ap-02ap-01
dr-02
VXLAN
Tunneled Chaos Ethernet
23 / 27
Who's who
Encaps/Decaps
Tunnel
IP Fabrics
Tunneled Chaos Ethernet
Set up VTEPs
dr-01# ip link add vx_chaos type vxlan id 31337 local 94.45.224.0 remote 194.107.207.4
dr-01# ip l s dev vx_chaos up
cr-D# ip link add vx_chaos type vxlan id 31337 remote 94.45.224.0 local 194.107.207.4
cr-D# ip l s dev vx_chaos up
Join VTEP into precon gured bridge br_chaos
# ip l vx_chaos set master br_chaos
24 / 27
Who's who
Encaps/Decaps
Tunnel
IP Fabrics
Real World Examples
Cisco ACI
BGP control-plane with VXLAN overlay
VMware NSX
Controller based control-plane with VXLAN overlay
OpenNebula / Apache Cloudstack
Network virtualization with mcast-VXLAN
25 / 27
Who's who
Encaps/Decaps
Tunnel
IP Fabrics
Links
Further Reading
Cumulus BGP im DC
cumulus EVPN
26 / 27
Who's who
Encaps/Decaps
Tunnel
IP Fabrics
Links
Questions
Questions?
27 / 27

More Related Content

What's hot

L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-NetzwerkstackL2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-NetzwerkstackMaximilan Wilhelm
 
Dynamische Routingprotokolle Aufzucht und Pflege - BGP
Dynamische Routingprotokolle Aufzucht und Pflege - BGPDynamische Routingprotokolle Aufzucht und Pflege - BGP
Dynamische Routingprotokolle Aufzucht und Pflege - BGPMaximilan Wilhelm
 
Angewandte Netzwerkgrundlagen reloaded - von Layer 1 bis 3
Angewandte Netzwerkgrundlagen reloaded - von Layer 1 bis 3Angewandte Netzwerkgrundlagen reloaded - von Layer 1 bis 3
Angewandte Netzwerkgrundlagen reloaded - von Layer 1 bis 3Maximilan Wilhelm
 
Contemporary Linux Networking
Contemporary Linux NetworkingContemporary Linux Networking
Contemporary Linux NetworkingMaximilan Wilhelm
 
Building your own sdn with debian linux salt stack and python
Building your own sdn with debian linux salt stack and pythonBuilding your own sdn with debian linux salt stack and python
Building your own sdn with debian linux salt stack and pythonMaximilan Wilhelm
 
AS201701 - Building an Internet backbone with pure 1he servers and Linux
AS201701 - Building an Internet backbone with pure 1he servers and LinuxAS201701 - Building an Internet backbone with pure 1he servers and Linux
AS201701 - Building an Internet backbone with pure 1he servers and LinuxMaximilan Wilhelm
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF  & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF  & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemThomas Graf
 
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFThomas Graf
 
Linux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityThomas Graf
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughThomas Graf
 
VXLAN Distributed Service Node
VXLAN Distributed Service NodeVXLAN Distributed Service Node
VXLAN Distributed Service NodeDavid Lapsley
 
How VXLAN works on Linux
How VXLAN works on LinuxHow VXLAN works on Linux
How VXLAN works on LinuxEtsuji Nakai
 
Linux Kernel Status Report for IEEE 802.15.4 & 6LoWPAN
Linux Kernel Status Report for IEEE 802.15.4 & 6LoWPANLinux Kernel Status Report for IEEE 802.15.4 & 6LoWPAN
Linux Kernel Status Report for IEEE 802.15.4 & 6LoWPANSamsung Open Source Group
 
LF_DPDK_Mellanox bifurcated driver model
LF_DPDK_Mellanox bifurcated driver modelLF_DPDK_Mellanox bifurcated driver model
LF_DPDK_Mellanox bifurcated driver modelLF_DPDK
 
6 Lo Wpan Tutorial 20080206
6 Lo Wpan Tutorial 200802066 Lo Wpan Tutorial 20080206
6 Lo Wpan Tutorial 20080206pauldeng
 
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014   Kernel Networking WalkthroughDevConf 2014   Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughThomas Graf
 

What's hot (20)

IPv6 im Jahre 2018
IPv6 im Jahre 2018IPv6 im Jahre 2018
IPv6 im Jahre 2018
 
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-NetzwerkstackL2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
 
Dynamische Routingprotokolle Aufzucht und Pflege - BGP
Dynamische Routingprotokolle Aufzucht und Pflege - BGPDynamische Routingprotokolle Aufzucht und Pflege - BGP
Dynamische Routingprotokolle Aufzucht und Pflege - BGP
 
Angewandte Netzwerkgrundlagen reloaded - von Layer 1 bis 3
Angewandte Netzwerkgrundlagen reloaded - von Layer 1 bis 3Angewandte Netzwerkgrundlagen reloaded - von Layer 1 bis 3
Angewandte Netzwerkgrundlagen reloaded - von Layer 1 bis 3
 
6.Routing
6.Routing6.Routing
6.Routing
 
Contemporary Linux Networking
Contemporary Linux NetworkingContemporary Linux Networking
Contemporary Linux Networking
 
Building your own sdn with debian linux salt stack and python
Building your own sdn with debian linux salt stack and pythonBuilding your own sdn with debian linux salt stack and python
Building your own sdn with debian linux salt stack and python
 
AS201701 - Building an Internet backbone with pure 1he servers and Linux
AS201701 - Building an Internet backbone with pure 1he servers and LinuxAS201701 - Building an Internet backbone with pure 1he servers and Linux
AS201701 - Building an Internet backbone with pure 1he servers and Linux
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF  & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF  & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
 
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPF
 
Linux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network Security
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking Walkthrough
 
VXLAN Distributed Service Node
VXLAN Distributed Service NodeVXLAN Distributed Service Node
VXLAN Distributed Service Node
 
How VXLAN works on Linux
How VXLAN works on LinuxHow VXLAN works on Linux
How VXLAN works on Linux
 
Linux Kernel Status Report for IEEE 802.15.4 & 6LoWPAN
Linux Kernel Status Report for IEEE 802.15.4 & 6LoWPANLinux Kernel Status Report for IEEE 802.15.4 & 6LoWPAN
Linux Kernel Status Report for IEEE 802.15.4 & 6LoWPAN
 
LF_DPDK_Mellanox bifurcated driver model
LF_DPDK_Mellanox bifurcated driver modelLF_DPDK_Mellanox bifurcated driver model
LF_DPDK_Mellanox bifurcated driver model
 
6LoWPAN: An open IoT Networking Protocol
6LoWPAN: An open IoT Networking Protocol6LoWPAN: An open IoT Networking Protocol
6LoWPAN: An open IoT Networking Protocol
 
6 Lo Wpan Tutorial 20080206
6 Lo Wpan Tutorial 200802066 Lo Wpan Tutorial 20080206
6 Lo Wpan Tutorial 20080206
 
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014   Kernel Networking WalkthroughDevConf 2014   Kernel Networking Walkthrough
DevConf 2014 Kernel Networking Walkthrough
 
Low-power IP: 6LoWPAN & Co.
Low-power IP: 6LoWPAN & Co.Low-power IP: 6LoWPAN & Co.
Low-power IP: 6LoWPAN & Co.
 

Similar to Overlays & IP-Fabrics - viele Wege führen nach Rom und warum Layer2 keine Lösung ist

PLNOG 13: Alexis Dacquay: Architectures for Universal Data Centre Networks, t...
PLNOG 13: Alexis Dacquay: Architectures for Universal Data Centre Networks, t...PLNOG 13: Alexis Dacquay: Architectures for Universal Data Centre Networks, t...
PLNOG 13: Alexis Dacquay: Architectures for Universal Data Centre Networks, t...PROIDEA
 
FEGTS IP training - TCP/IP Introduction
FEGTS IP training - TCP/IP IntroductionFEGTS IP training - TCP/IP Introduction
FEGTS IP training - TCP/IP IntroductionKae Hsu
 
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?Mark Smith
 
PLNOG 17 - Marek Janik - Sieć dla IXP
PLNOG 17 - Marek Janik - Sieć dla IXPPLNOG 17 - Marek Janik - Sieć dla IXP
PLNOG 17 - Marek Janik - Sieć dla IXPPROIDEA
 
#IBMEdge: "Not all Networks are Equal"
#IBMEdge: "Not all Networks are Equal" #IBMEdge: "Not all Networks are Equal"
#IBMEdge: "Not all Networks are Equal" Brocade
 
LISP_in_Secure_Networks_WP
LISP_in_Secure_Networks_WPLISP_in_Secure_Networks_WP
LISP_in_Secure_Networks_WPCraig Hill
 
Vxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5   finalVxlan deep dive session rev0.5   final
Vxlan deep dive session rev0.5 finalKwonSun Bae
 
Конференция Brocade. 4. Развитие технологии Brocade VCS, новое поколение комм...
Конференция Brocade. 4. Развитие технологии Brocade VCS, новое поколение комм...Конференция Brocade. 4. Развитие технологии Brocade VCS, новое поколение комм...
Конференция Brocade. 4. Развитие технологии Brocade VCS, новое поколение комм...SkillFactory
 
Nexus 7000 Series Innovations: M3 Module, DCI, Scale
Nexus 7000 Series Innovations: M3 Module, DCI, ScaleNexus 7000 Series Innovations: M3 Module, DCI, Scale
Nexus 7000 Series Innovations: M3 Module, DCI, ScaleTony Antony
 
Building DataCenter networks with VXLAN BGP-EVPN
Building DataCenter networks with VXLAN BGP-EVPNBuilding DataCenter networks with VXLAN BGP-EVPN
Building DataCenter networks with VXLAN BGP-EVPNCisco Canada
 
Dasan zhone mxk_msan_solution
Dasan zhone mxk_msan_solutionDasan zhone mxk_msan_solution
Dasan zhone mxk_msan_solutionHusam Al-Hasani
 
Generic network architecture discussion
Generic network architecture discussionGeneric network architecture discussion
Generic network architecture discussionARCFIRE ICT
 
What is cisco bgp control plane for vxlan
What is cisco bgp control plane for vxlanWhat is cisco bgp control plane for vxlan
What is cisco bgp control plane for vxlanIT Tech
 
Securing & Enforcing Network Policy and Encryption with Weave Net
Securing & Enforcing Network Policy and Encryption with Weave NetSecuring & Enforcing Network Policy and Encryption with Weave Net
Securing & Enforcing Network Policy and Encryption with Weave NetLuke Marsden
 
Speed5G Workshop London presentation of the Speed5G MAC framework
Speed5G Workshop London presentation of the Speed5G MAC frameworkSpeed5G Workshop London presentation of the Speed5G MAC framework
Speed5G Workshop London presentation of the Speed5G MAC frameworkKlaus Moessner
 
PLNOG 5: Emil Gągała - ADVANCED VPLS
PLNOG 5: Emil Gągała -  ADVANCED VPLSPLNOG 5: Emil Gągała -  ADVANCED VPLS
PLNOG 5: Emil Gągała - ADVANCED VPLSPROIDEA
 

Similar to Overlays & IP-Fabrics - viele Wege führen nach Rom und warum Layer2 keine Lösung ist (20)

PLNOG 13: Alexis Dacquay: Architectures for Universal Data Centre Networks, t...
PLNOG 13: Alexis Dacquay: Architectures for Universal Data Centre Networks, t...PLNOG 13: Alexis Dacquay: Architectures for Universal Data Centre Networks, t...
PLNOG 13: Alexis Dacquay: Architectures for Universal Data Centre Networks, t...
 
FEGTS IP training - TCP/IP Introduction
FEGTS IP training - TCP/IP IntroductionFEGTS IP training - TCP/IP Introduction
FEGTS IP training - TCP/IP Introduction
 
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
 
Data center network reference architecture with hpe flex fabric
Data center network reference architecture with hpe flex fabricData center network reference architecture with hpe flex fabric
Data center network reference architecture with hpe flex fabric
 
PLNOG 17 - Marek Janik - Sieć dla IXP
PLNOG 17 - Marek Janik - Sieć dla IXPPLNOG 17 - Marek Janik - Sieć dla IXP
PLNOG 17 - Marek Janik - Sieć dla IXP
 
#IBMEdge: "Not all Networks are Equal"
#IBMEdge: "Not all Networks are Equal" #IBMEdge: "Not all Networks are Equal"
#IBMEdge: "Not all Networks are Equal"
 
The new imperative in the data center with workload centric networking
The new imperative in the data center with workload centric networkingThe new imperative in the data center with workload centric networking
The new imperative in the data center with workload centric networking
 
IPv6 ND 2020
IPv6 ND 2020IPv6 ND 2020
IPv6 ND 2020
 
LISP_in_Secure_Networks_WP
LISP_in_Secure_Networks_WPLISP_in_Secure_Networks_WP
LISP_in_Secure_Networks_WP
 
Vxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5   finalVxlan deep dive session rev0.5   final
Vxlan deep dive session rev0.5 final
 
Конференция Brocade. 4. Развитие технологии Brocade VCS, новое поколение комм...
Конференция Brocade. 4. Развитие технологии Brocade VCS, новое поколение комм...Конференция Brocade. 4. Развитие технологии Brocade VCS, новое поколение комм...
Конференция Brocade. 4. Развитие технологии Brocade VCS, новое поколение комм...
 
Nexus 7000 Series Innovations: M3 Module, DCI, Scale
Nexus 7000 Series Innovations: M3 Module, DCI, ScaleNexus 7000 Series Innovations: M3 Module, DCI, Scale
Nexus 7000 Series Innovations: M3 Module, DCI, Scale
 
Building DataCenter networks with VXLAN BGP-EVPN
Building DataCenter networks with VXLAN BGP-EVPNBuilding DataCenter networks with VXLAN BGP-EVPN
Building DataCenter networks with VXLAN BGP-EVPN
 
Dasan zhone mxk_msan_solution
Dasan zhone mxk_msan_solutionDasan zhone mxk_msan_solution
Dasan zhone mxk_msan_solution
 
Generic network architecture discussion
Generic network architecture discussionGeneric network architecture discussion
Generic network architecture discussion
 
What is cisco bgp control plane for vxlan
What is cisco bgp control plane for vxlanWhat is cisco bgp control plane for vxlan
What is cisco bgp control plane for vxlan
 
Securing & Enforcing Network Policy and Encryption with Weave Net
Securing & Enforcing Network Policy and Encryption with Weave NetSecuring & Enforcing Network Policy and Encryption with Weave Net
Securing & Enforcing Network Policy and Encryption with Weave Net
 
Hardware9
Hardware9Hardware9
Hardware9
 
Speed5G Workshop London presentation of the Speed5G MAC framework
Speed5G Workshop London presentation of the Speed5G MAC frameworkSpeed5G Workshop London presentation of the Speed5G MAC framework
Speed5G Workshop London presentation of the Speed5G MAC framework
 
PLNOG 5: Emil Gągała - ADVANCED VPLS
PLNOG 5: Emil Gągała -  ADVANCED VPLSPLNOG 5: Emil Gągała -  ADVANCED VPLS
PLNOG 5: Emil Gągała - ADVANCED VPLS
 

Recently uploaded

Dan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat HoodieDan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat Hoodierahman018755
 
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download Now
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download NowHUMANIZE YOUR BRAND - FREE E-WORKBOOK Download Now
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download NowIdeoholics
 
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样AS
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at  CaribNOG 27APNIC Updates presented by Paul Wilson at  CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC
 
Thank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirtsThank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirtsrahman018755
 
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样AS
 
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...Varun Mithran
 
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide HandbookTOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide HandbookVarun Mithran
 
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理Fir
 
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书c6eb683559b3
 
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样AS
 
一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理AS
 
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样AS
 
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebiThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebJie Liau
 
Free scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirtsFree scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirtsrahman018755
 
一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理A
 
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样Fi
 
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书Fir
 
Washington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers ShirtWashington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers Shirtrahman018755
 

Recently uploaded (20)

Dan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat HoodieDan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat Hoodie
 
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download Now
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download NowHUMANIZE YOUR BRAND - FREE E-WORKBOOK Download Now
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download Now
 
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at  CaribNOG 27APNIC Updates presented by Paul Wilson at  CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
GOOGLE Io 2024 At takes center stage.pdf
GOOGLE Io 2024 At takes center stage.pdfGOOGLE Io 2024 At takes center stage.pdf
GOOGLE Io 2024 At takes center stage.pdf
 
Thank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirtsThank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirts
 
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
一比一原版(Design毕业证书)新加坡科技设计大学毕业证原件一模一样
 
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
 
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide HandbookTOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
 
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
 
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
 
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
 
一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理
 
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
 
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebiThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
 
Free scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirtsFree scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirts
 
一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理
 
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
 
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
 
Washington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers ShirtWashington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers Shirt
 

Overlays & IP-Fabrics - viele Wege führen nach Rom und warum Layer2 keine Lösung ist

  • 1. Overlay Networks & IP Fabrics FrOSCon 13 Network Track Falk Stern, Maximilian Wilhelm 1 / 27
  • 2. Agenda 1. Who's who 2. Encapsulate me one more time 3. Tunnel technologies 4. IP-Fabrics 5. Real-World-examples 2 / 27
  • 3. Who's who Falk Stern Full Stack Infrastructure Engineer IPv6 fanboy Runs his own Kubernetes cluster in his basement Consultant @ Profi Engineering Systems AG Contact @wrf42 falk@fourecks.de 3 / 27
  • 4. Who's who Maximilian Wilhelm Networker OpenSource Hacker Fanboy of (Debian) Linux ifupdown2 Occupation: By day: Senior Infrastructure Architect, Uni Paderborn By night: Infrastructure Archmage, Freifunk Hochstift In between: Freelance Solution Architect for hire Contact @BarbarossaTM max@sdn.clinic 4 / 27
  • 5. Who's who Encaps/Decaps Encapsulation Wrapping frames or packets into other packets Not always a good idea A bit like Christmas, you're never sure what you get 5 / 27
  • 7. Who's who Encaps/Decaps Tunnel IPSec Authenticates and/or encrypts IP packets Authenticated Header, Encrypted Security Payload IP protocol 50, 51 RFC4301 Transport / Tunnelmode Transport inserts header into packet, Tunnel encapsulates Dynamic Keying through IKEv1, IKEv2 IKE is based on UDP, Port 500 Complex protocol, many options NAT unfriendly, NAT-Traversal is negotiated, UDP port 4500 7 / 27
  • 8. Who's who Encaps/Decaps Tunnel IPSec Phase 1 Exchange of encryption proposals Both ends exchange session keys through Diffie-Hellman key exchange Pre-Shared-Key or certificate exchange encrypted with session key Security Associations are exchanged Phase 2 Diffie-Hellman key exchange Periodic key changes for perfect forward secrecy Only traffic matching Security Associations is encrypted 8 / 27
  • 9. Who's who Encaps/Decaps Tunnel GRE - Generic Routing Encapsulation Developed by Cisco in 1994, now RFC2784 and RFC2890 Encapsulates IP, IPX, AppleTalk in IP IP protocol 47 Adds a 4 byte GRE header, total overhead 20 bytes Used in PPTP VPN (encapsulates IP in PPP in GRE) IPv6 in IPv4 Tunnel between IPSEC endpoints Low overhead tunnel between everything 9 / 27
  • 10. Who's who Encaps/Decaps Tunnel L2TP - Layer 2 Tunneling Protocol L2TPv2 developed to tunnel PPP - RFC2661 L2TPv3 as alternative to MPLS - RFC3931 Based on UDP NAT-friendly L2TPv2 VPNs encapsulate L2TP frames in IPSEC - RFC3193 10 / 27
  • 11. Who's who Encaps/Decaps Tunnel OpenVPN Flexible SSL VPN TCP/UDP based Tunnels IPv4, IPv6 or even Ethernet frames X.509 Certificate based Authentication Username/Passwort with 2FA possible 11 / 27
  • 12. Who's who Encaps/Decaps Tunnel Multi Protocol Label Switching / MPLS Developed to enable fast switching in core routers Switching packets based on IP required TCAM, was expensive Label lookup is faster, no need for longest match Layer 2.5, requires IP to work, RFC3031 Enables predefined paths through a network Allows Traffic-Engineering Used by service providers 12 / 27
  • 13. Who's who Encaps/Decaps Tunnel Virtual eXtensible LAN / VXLAN Poor man's MPLS Developed by Cisco, Arista Networks, VMware, now RFC7348 Broad industry backing 24 bit VXLAN identifier (VNI) instead of 12 bit VLAN ID 16M vs. 4096 Encapsulates Ethernet frames in UDP packets 40 bytes overhead over IPv4, 60 bytes over IPv6 Endpoints are called Virtual Tunnel EndPoint (VTEP) 13 / 27
  • 14. Who's who Encaps/Decaps Tunnel Virtual eXtensible LAN / VXLAN Unicast mode VTEPs are statically defined Point-to-Point Can be used for data center interconnects Multicast mode All VTEPs listen on a specified multicast address Broadcasts and unknown Unicasts (BUM) are mapped to Multicast Groups Dynamic learning of endpoints through listening 14 / 27
  • 15. Who's who Encaps/Decaps Tunnel Virtual eXtensible LAN / VXLAN Controller based An external controller programs VTEP endpoints and MAC mappings BUM traffic gets replicated to all VTEPs Ideally there is no BUM traffic Commercially available Cisco APIC VMware NSX through OVSDB Cumulus vxfld (https://github.com/CumulusNetworks/vxfld) 15 / 27
  • 17. Who's who Encaps/Decaps Tunnel IP Fabrics Clos Fabrics Invented for the telephone network Formalized by Charles Clos in 1952 Far fewer connections required than with a single switch 17 / 27
  • 18. Who's who Encaps/Decaps Tunnel IP Fabrics What's wrong with Layer 2? Spanning-Tree needs blocked paths L2 only has a single path IP can use multiple concurrent paths MCLAG and LACP are possible solutions But way too complex, limited to 2 upstream devices Does not scale 18 / 27
  • 19. Who's who Encaps/Decaps Tunnel IP Fabrics IP Fabrics Predictable latency through the whole fabric Scalable Predictable bandwidth through the whole fabric Perfect underlay for overlay networks Typical design includes Leaf and Spine Bisectional bandwidth can be scaled with number of Spines 19 / 27
  • 20. Who's who Encaps/Decaps Tunnel IP Fabrics BGP to the rescue! BGP has always defined multiple paths between AS Is able to carry all necessary routes Through VPNv4 AFI, can carry MAC addresses One AS per Rack iBGP would need Route Reflectors or full mesh 20 / 27
  • 21. Who's who Encaps/Decaps Tunnel IP Fabrics BGP to the rescue! Packetflow in an IP Fabric 21 / 27
  • 22. Who's who Encaps/Decaps Tunnel IP Fabrics Tying it all together VXLAN* can be used as an overlay protocol in the fabric BGP carries all MAC adresses with next-hop of VTEP Suddenly All links in use More than 4096 VLANs available "A Network Virtualization Overlay Solution Using Ethernet VPN (EVPN)" RFC8365, March 2018 * To be fair MPLS can be used as data plane too 22 / 27
  • 23. Who's who Encaps/Decaps Tunnel IP Fabrics VXLAN Tunnel via Unicast between LO- IPs of dr-01 cr-D VTEPs bridged into Chaos network on dr-01 eth1 NIC on cr-D AS13020 AS39225 Core Distribution Border br-01 cr-E cr-A cr-D cr-B cr-C dr-01 Access sw-01 ap-04 ap-03ap-02ap-01 dr-02 VXLAN Tunneled Chaos Ethernet 23 / 27
  • 24. Who's who Encaps/Decaps Tunnel IP Fabrics Tunneled Chaos Ethernet Set up VTEPs dr-01# ip link add vx_chaos type vxlan id 31337 local 94.45.224.0 remote 194.107.207.4 dr-01# ip l s dev vx_chaos up cr-D# ip link add vx_chaos type vxlan id 31337 remote 94.45.224.0 local 194.107.207.4 cr-D# ip l s dev vx_chaos up Join VTEP into precon gured bridge br_chaos # ip l vx_chaos set master br_chaos 24 / 27
  • 25. Who's who Encaps/Decaps Tunnel IP Fabrics Real World Examples Cisco ACI BGP control-plane with VXLAN overlay VMware NSX Controller based control-plane with VXLAN overlay OpenNebula / Apache Cloudstack Network virtualization with mcast-VXLAN 25 / 27
  • 26. Who's who Encaps/Decaps Tunnel IP Fabrics Links Further Reading Cumulus BGP im DC cumulus EVPN 26 / 27