The Challenges of SDN/OpenFlow in an Operational and Large-scale Network (Open Networking Summits)
Jun Bi
Professor & Director
Tsinghua University
Outline
• Intra-AS (campus level) IPv6 source address validation using OpenFlow (with extension)
– Good for introducing new IP services to network
• Planning next step if we run SDN as a common infrastructure for new services and architectures
– Some personal viewpoints and thoughts on design challenges
– Forwarding abstraction for Post-IP architectures
– Control abstraction for scalable NOS and programmable/manageable virtualization platform
– Inter-AS policies negotiation abstraction
ONS2015: http://bit.ly/ons2015sd
ONS Inspire! Webinars: http://bit.ly/oiw-sd
Watch the talk (video) on ONS Content Archives: http://bit.ly/ons-archives-sd
The dark side of SDN and OpenFlow
Security & Dependability issues, challenges, and research opportunities.
Attack vectors and threats.
Practical security assessment of OpenFlow-enabled networks.
Vulnerabilities of current Network Operating Systems (e.g., Cisco IOS).
Security of Software Defined Networking (SDN) and Cognitive Radio Network (CRN) (Ameer Sameer)
Security of Software Defined Networking (SDN)
Overview
Definition Software Defined Networking (SDN)
SDN security & Security Challenges
SDN Attack Surface & Attacks Examples
SDN Threat Model
Open Research issues SDN
Future Research Directions
Simulator for Software Defined Networking
Security of Cognitive Radio Network (CRN)
Overview
Definition Cognitive Network
Security of Cognitive Radios & Threats
Security issues in cognitive radio
Attacks and the proposed defense mechanisms
Open Research issues in Cognitive Radio
Evaluation Methodologies for Cognitive Networking
Future Research Directions
Simulator for Cognitive Radio
SDN (Software Defined Networking) Controller (Vipin Gupta)
SDN is going to redefine networking and cloud world. This is the biggest thing that has happened in networking field in last 30 years. SDN is a New Way to Design, Build and Operate Networks. Here we are discussing about SDN Controllers.
Introduction to SDN: Software Defined Networking (Ankita Mahajan)
SDN is the next big thing in networking. It focuses on separating the intelligence from the hardware. OpenFlow is one of the ways (currently the open standard followed by all Datacenters) to implement SDN.
Software Defined Networks are coming to leverage the power of the networks, defining controllers to manage the network elements simplifying the configuration, bringing flexibility and blablabla ...
But ... how to program and manage this new monster?
Software Innovations and Control Plane Evolution in the new SDN Transport Arc... (Cisco Canada)
Loukas Paraschis, Technology Solution Architecture at Cisco presents software innovation and control plane evolution in the new SDN transport at Cisco Connect Toronto 2015.
By Nir Solomon, Yoav Francis and Liahav Eitan
Abstract:
One of greatest applicative benefits of SDN is enhancement of network security by making the network react to threats in real-time using data from all the switches in the network. For example, the OpenFlow Controller (OFC) can identify a DDoS attack on the network and divert or block traffic in an adaptive manner.
Unfortunately, OpenFlow also introduces a new threat to network security – attacks on the OFC itself, the “soft-belly” in regards to network security in SDN. The controller, by being responsible for multiple switches, is a `high-valued` target (a single point-of-failure), and we aim to understand better its vulnerability to DDoS attacks.
DDoS on the OFC can affect the entire network in several ways, depending on the OpenFlow Applications in the network and the level of dependency of the OF Switches on the OFC:
1. The entire network might be slowed down and suffer from packet-loss.
2. Some packets might be handled normally while others are mishandled by switches in the network, depending on the OpenFlow Applications that apply to these packets and whether they require communication with the OFC.
3. The entire network might stop functioning.
All of the above share a unique property that does not apply in ordinary DDoS attacks: even if only one or two switches are being flooded, the entire network can be affected.
Presentation by Nicolas Fischbach @niCRO at MPLS/SDN/NFV World Congress 2016 - Paris 2016.
The architecture behind Colt On Demand - which provides self-service capabilities for flexible, PAYG network services. Supports elastic bandwidths, elastic topology and an elastic service edge through SDN/NFV for a digital, real time on demand customer experience.
CNIT 40: 1: The Importance of DNS Security (Sam Bowne)
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Website: https://samsclass.info/40/40_F16.shtml
Updated 8-21-17
Presentation detailed about SDN (Software Defined Network) overview . It covers from basics like different controllers and touches upon some technical details.
Covers Terminologies used, OpenFlow, Controllers, Open Day light, Cisco ONE, Google B4, NFV,etc
SDN Basics – What You Need to Know about Software-Defined Networking (SDxCentral)
SDNUniversity™ is our exclusive educational series on software-defined networking (SDN) and network functions virtualization (NFV) designed to help you develop practical, real-world knowledge and skills. Take advantage of this opportunity to learn SDN basics through a free, interactive online training session featuring experts from SDNCentral and Computerlinks.
Bigger and more sophisticated distributed denial of service (DDoS) attacks are targeting the Internet’s Domain Name System (DNS) causing significant downtime to websites and application. Amazon Route 53, the AWS DNS service, integrates tightly with AWS Shield, the AWS service that provides managed DDoS protection, to safeguard your web applications and protect against large scale attacks. Techniques Amazon Route 53 employs to thwart DDoS attacks including Anycast Striping, Shuffle Sharding and a global network of 56 points of presence. Mitigation strategies AWS Shield provides including inline mitigations, visibility and cost protection.
Learning Objectives:
• Learn how Amazon Route 53 scales against DDoS attacks
• Learn about the advanced features like Anycast Striping and traffic shaping mitigates DDoS risks
• Learn how always-on inline mitigation techniques protects against advanced attacks
• Learn how AWS Shield integrates with Amazon Route53 to monitor traffic signatures and undertakes deterministic packet filtering to minimize application downtime
• Learn why customers should use Amazon Route 53 and AWS Shield to protect against DNS DDoS attacks
Introduction to Software Defined Networking (SDN) (rjain51)
Class lecture by Prof. Raj Jain on Introduction to SDN. The talk covers Origins of SDN, What is SDN?, Original Definition of SDN, What = Why We need SDN?, SDN Definition, XMPP, XMPP in Data Centers, Path Computation Element, PCE, Forwarding and Control Element, Sample ForCES Exchanges, Application Layer Traffic Optimization, ALTO, ALTO Extension, Current SDN Debate: What vs. How?, SDN Controller Functions, RESTful APIs, OSGi Framework, Open Daylight SDN Controller, OpenDaylight Tools, Affinity Metadata Service, SDN Related Organizations and Projects, SDN Web Sites, Hierarchy of Operations. Video recording available in YouTube.
The realization of network softwarization, an overarching buzzword to encompass all software-centric developments from the Software-Defined Networking (SDN) and Network Function Virtualization (NFV) trends, is being enabled through a set of innovations in high-speed data plane design and implementation. Recent efforts include re-architecting the hardware-software interfaces and exposing programmatic interfaces (e.g., OpenFlow), programmable hardware-based pipelines (e.g. Protocol Independent Switch Architecture – PISA) along with suitable programming languages (e.g., P4), and multiple advances on low overhead virtualization and fast packet processing libraries (e.g. DPDK, FD.io) for Linux based general purpose processor platforms. This talk provides an overview of relevant ongoing work and discusses the trade-offs of each design and implementation choice of software-defined dataplanes regarding Programmability, Performance, and Portability.
Enterprise datacenter virtualization and cloud computing place new demands on the network. Traditionally, virtual workloads were connected to the physical network through virtual switches acting as bridges, using VLANs. As the requirements for scaling and automation grow, these models reach their limits.
At this OpenTuesday, Thomas Graf gave an insight into protocols and technologies such as OpenFlow, VXLAN, OpenStack Neutron and Open vSwitch, which are used to implement new, automated next-generation network concepts such as Software Defined Networking or Network Function Virtualization.
Many thanks to Nick McKeown (Stanford), Jennifer Rexford (Princeton), Scott Shenker (Berkeley), Nick Feamster (Princeton), Li Erran Li (Columbia), Yashar Ganjali (Toronto)
Radisys/Wind River: The Telcom Cloud - Deployment Strategies: SDN/NFV and Vir... (Radisys Corporation)
Radisys and Wind River present on the evolution to the Telecom Cloud and how cloud technology and network virtualization will provide both big opportunities and challenges for operators. Important details and insights are shared on Network Function Virtualization (NFV), Software Defined Network (SDN) and Virtualization.
1. Wireless Communication System_Wireless communication is a broad term that i... (JeyaPerumal1)
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024 (APNIC)
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Multi-cluster Kubernetes Networking: Patterns, Projects and Guidelines (Sanjeev Rampal)
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx (Brad Spiegel Macon GA)
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
9/8/14

Outline
• SDN Basics
  – Concepts
  – OpenFlow
  – Controller: Floodlight
  – OF-Config
  – Mininet

SDN Concepts
• What is software defined networking?
• Why SDN?
(Figure: the computer industry. Vertically integrated, closed, proprietary, slow innovation, small industry: Specialized Applications on a Specialized Operating System on Specialized Hardware. Horizontal, open interfaces, rapid innovation, huge industry: many Apps, an Open Interface, Linux or Mac OS or Windows (OS), an Open Interface, a Microprocessor.)
Source: Nick McKeown, Stanford

(Figure: the same picture for networking. Vertically integrated, closed, proprietary, slow innovation: Specialized Features on a Specialized Control Plane on Specialized Hardware. Horizontal, open interfaces, rapid innovation: many Apps, an Open Interface, one of several Control Planes, an Open Interface, Merchant Switching Chips.)
Source: Nick McKeown, Stanford
(Figure: a router today: Custom Hardware, OS, Features such as routing, management, mobility management, access control, VPNs, … Millions of lines of source code, 6,000 RFCs, billions of gates; bloated, power hungry.)
• Vertically integrated, complex, closed, proprietary
• Networking industry with “mainframe” mind-set
Source: Nick McKeown, Stanford

The network is changing
(Figure: many boxes of Custom Hardware, each with its own OS and Features, replaced by Custom Hardware under a single Network OS that hosts the Features.)
Source: Nick McKeown, Stanford
Software Defined Network (SDN)
(Figure: a Network OS hosting Features, sitting above several Packet Forwarding elements.)
1. Open interface to packet forwarding
2. At least one Network OS, probably many. Open- and closed-source
3. Consistent, up-to-date global network view
Source: Nick McKeown, Stanford

Network OS
Network OS: distributed system that creates a consistent, up-to-date network view
  – Runs on servers (controllers) in the network
  – Floodlight, POX, Pyretic, Nettle, ONIX, Beacon, … + more
Uses forwarding abstraction to:
  – Get state information from forwarding elements
  – Give control directives to forwarding elements
Source: Nick McKeown, Stanford
Software Defined Network (SDN)
(Figure: Control Program A and Control Program B run on top of the Network OS, which controls several Packet Forwarding elements.)
Source: Nick McKeown, Stanford

Control Program
Control program operates on view of network
  – Input: global network view (graph/database)
  – Output: configuration of each network device
Control program is not a distributed system
  – Abstraction hides details of distributed state
Source: Nick McKeown, Stanford
Forwarding Abstraction
Purpose: Abstract away forwarding hardware
Flexible
  – Behavior specified by control plane
  – Built from basic set of forwarding primitives
Minimal
  – Streamlined for speed and low-power
  – Control program not vendor-specific
OpenFlow is an example of such an abstraction
Source: Nick McKeown, Stanford

Why SDN?
Great talk by Scott Shenker
http://www.youtube.com/watch?v=WVs7Pc99S7w
(Story summarized here)
Networking
Networking is “Intellectually Weak”
Networking is behind other fields
Networking is about the mastery of complexity
Good abstractions tame complexity
Interfaces are instances of those abstractions
No abstraction => increasing complexity
We are now at the complexity limit
Source: Nick McKeown, Stanford

By comparison: Programming
Machine languages: no abstractions
  – Had to deal with low-level details
Higher-level languages: OS and other abstractions
  – File system, virtual memory, abstract data types, ...
Modern languages: even more abstractions
  – Object orientation, garbage collection, …
Source: Nick McKeown, Stanford
Programming Analogy
What if programmers had to:
  – Specify where each bit was stored
  – Explicitly deal with internal communication errors
  – Within a programming language with limited expressability
Programmers would redefine problem by:
  – Defining higher level abstractions for memory
  – Building on reliable communication primitives
  – Using a more general language
Source: Nick McKeown, Stanford

Specification Abstraction
Network OS eases implementation
Next step is to ease specification
Provide abstract view of network map
Control program operates on abstract view
Develop means to simplify specification
Source: Nick McKeown, Stanford
Software Defined Network (SDN)
(Figure: Control Program A and Control Program B operate on an Abstract Network View; a Virtualization layer maps it onto the Global Network View maintained by the Network OS, which controls the Packet Forwarding elements.)
Source: Nick McKeown, Stanford

Outline
• SDN Basics
  – Concepts
  – OpenFlow
  – Switches and Controllers
  – OF-Config
  – Mininet
OpenFlow
• Why OpenFlow?
• How does OpenFlow work?

Why OpenFlow?
The Ossified Network
(Figure: Specialized Packet Forwarding Hardware, an Operating System, and Features: routing, management, mobility management, access control, VPNs, …)
Millions of lines of source code, 5400 RFCs: barrier to entry
Billions of gates: bloated, power hungry
Many complex functions baked into the infrastructure: OSPF, BGP, multicast, differentiated services, Traffic Engineering, NAT, firewalls, MPLS, redundant layers, …
An industry with a “mainframe-mentality”, reluctant to change

Research Stagnation
• Lots of deployed innovation in other areas
  – OS: filesystems, schedulers, virtualization
  – DS: DHTs, CDNs, MapReduce
  – Compilers: JITs, vectorization
• Networks are largely the same as years ago
  – Ethernet, IP, WiFi
• Rate of change of the network seems slower in comparison
  – Need better tools and abstractions to demonstrate and deploy
Closed Systems (Vendor Hardware)
• Stuck with interfaces (CLI, SNMP, etc)
• Hard to meaningfully collaborate
• Vendors starting to open up, but not usefully
• Need a fully open system – a Linux equivalent

Open Systems
| | Performance Fidelity | Scale | Real User Traffic? | Complexity | Open |
|---|---|---|---|---|---|
| Simulation | medium | medium | no | medium | yes |
| Emulation | medium | low | no | medium | yes |
| Software Switches | poor | low | yes | medium | yes |
| NetFPGA | high | low | yes | high | yes |
| Network Processors | high | medium | yes | high | yes |
| Vendor Switches | high | high | yes | low | no |
Gap in the tool space: none have all the desired attributes!
Source: Big Switch Networks
Ethane, a precursor to OpenFlow
Centralized, reactive, per-flow control
(Figure: a Controller above four Flow Switches connecting Host A and Host B.)
See Ethane SIGCOMM 2007 paper for details

OpenFlow: a pragmatic compromise
• + Speed, scale, fidelity of vendor hardware
• + Flexibility and control of software and simulation
• Vendors don’t need to expose implementation
• Leverages hardware inside most switches today (ACL tables)
How does OpenFlow work?
https://www.opennetworking.org

Ethernet Switch
OpenFlow Example
(Figure: a Controller PC talks to the OpenFlow Client in the switch’s Software Layer; the Hardware Layer holds the Flow Table and ports 1 to 4. Host 1.2.3.4 sends to host 5.6.7.8.)
| MAC src | MAC dst | IP Src | IP Dst | TCP sport | TCP dport | Action |
|---|---|---|---|---|---|---|
| * | * | 5.6.7.8 | * | * | * | port 1 |

OpenFlow Basics
Flow Table Entries: Rule | Action | Stats
Rule: Switch Port, MAC src, MAC dst, Eth type, VLAN ID, IP Src, IP Dst, IP Prot, L4 sport, L4 dport (plus VLAN pcp and IP ToS)
  + mask what fields to match
Action:
1. Forward packet to zero or more ports
2. Encapsulate and forward to controller
3. Send to normal processing pipeline
4. Modify Fields
5. Any extensions you add!
Stats: Packet + byte counters
Examples
Switching
| Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action |
|---|---|---|---|---|---|---|---|---|---|---|
| * | * | 00:1f:.. | * | * | * | * | * | * | * | port6 |
Flow Switching
| Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action |
|---|---|---|---|---|---|---|---|---|---|---|
| port3 | 00:20.. | 00:1f.. | 0800 | vlan1 | 1.2.3.4 | 5.6.7.8 | 4 | 17264 | 80 | port6 |
Firewall
| Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action |
|---|---|---|---|---|---|---|---|---|---|---|
| * | * | * | * | * | * | * | * | * | 22 | drop |

Examples
Routing
| Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action |
|---|---|---|---|---|---|---|---|---|---|---|
| * | * | * | * | * | * | 5.6.7.8 | * | * | * | port6 |
VLAN Switching
| Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action |
|---|---|---|---|---|---|---|---|---|---|---|
| * | * | 00:1f.. | * | vlan1 | * | * | * | * | * | port6, port7, port9 |
Centralized vs Distributed Control
Both models are possible with OpenFlow
(Figure: Centralized Control: one Controller for three OpenFlow Switches. Distributed Control: three Controllers, one per OpenFlow Switch.)

Flow Routing vs. Aggregation
Both models are possible with OpenFlow
Flow-Based
• Every flow is individually set up by controller
• Exact-match flow entries
• Flow table contains one entry per flow
• Good for fine grain control, e.g. campus networks
Aggregated
• One flow entry covers large groups of flows
• Wildcard flow entries
• Flow table contains one entry per category of flows
• Good for large number of flows, e.g. backbone
Reactive vs. Proactive (pre-populated)
Both models are possible with OpenFlow
Reactive
• First packet of flow triggers controller to insert flow entries
• Efficient use of flow table
• Every flow incurs small additional flow setup time
• If control connection lost, switch has limited utility
Proactive
• Controller pre-populates flow table in switch
• Zero additional flow setup time
• Loss of control connection does not disrupt traffic
• Essentially requires aggregated (wildcard) rules
Usage examples
• Alice’s code:
  – Simple learning switch
  – Per Flow switching
  – Network access control/firewall
  – Static “VLANs”
  – Her own new routing protocol: unicast, multicast, multipath
  – Home network manager
  – Packet processor (in controller)
  – IPvAlice
  – VM migration
  – Server Load balancing
  – Mobility manager
  – Power management
  – Network monitoring and visualization
  – Network debugging
  – Network slicing
… and much more you can create!
What can you not do with OpenFlow ver1.0
• Non-flow-based (per-packet) networking
  – ex. Per-packet next-hop selection (in wireless mesh)
  – yes, this is a fundamental limitation
  – BUT OpenFlow can provide the plumbing to connect these systems
• Use all tables on switch chips
  – yes, a major limitation (cross-product issue)
  – BUT OpenFlow 1.3 version will expose these

What can you not do with OpenFlow ver1.0
• New forwarding primitives
  – BUT provides a nice way to integrate them through extensions
• New packet formats/field definitions
  – BUT a generalized OpenFlow (2.0) is on the horizon
• Optical Circuits
  – BUT efforts underway to apply OpenFlow model to circuits
• Low-setup-time individual flows
  – BUT can push down flows proactively to avoid delays
Where it’s going
• OF v1.3: Spring 2013
  – multiple tables: leverage additional tables
  – tags and tunnels
  – multipath forwarding
  – per flow meters
• OF v2+
  – generalized matching and actions: protocol independent forwarding

Outline
• SDN Basics
  – Concepts
  – OpenFlow
  – Switches and Controllers
  – OF-Config
  – Mininet
Current SDN hardware
(Figure: Ciena Coredirector, NEC IP8800, Juniper MX-series, HP Procurve 5400, Pronto 3240/3290, WiMax (NEC), PC Engines, Netgear 7324. More coming soon...)

Commercial Switch Vendors
| Model | Virtualize | Notes |
|---|---|---|
| HP Procurve 5400zl or 6600 | 1 OF instance per VLAN | - LACP, VLAN and STP processing before OpenFlow; - Wildcard rules or non-IP pkts processed in s/w; - Header rewriting in s/w; - CPU protects mgmt during loop |
| NEC IP8800 | 1 OF instance per VLAN | - OpenFlow takes precedence; - Most actions processed in hardware; - MAC header rewriting in h/w |
| Pronto 3240 or 3290 with Pica8 or Indigo firmware | 1 OF instance per switch | - No legacy protocols (like VLAN and STP); - Most actions processed in hardware; - MAC header rewriting in h/w |
Controller Vendors
| Vendor | Notes |
|---|---|
| Nicira’s NOX | • Open-source GPL • C++ and Python • Researcher friendly |
| Nicira’s ONIX | • Closed-source • Datacenter networks |
| SNAC | • Open-source GPL • Code based on NOX0.4 • Enterprise network • C++, Python and Javascript • Currently used by campuses |
| Stanford’s Beacon | • Open-source • Researcher friendly • Java-based |
| BigSwitch controller | • Has open source version • Based on Beacon • Enterprise network |
| Maestro (from Rice Univ) | • Open-source • Based on Java |
| Frenetic or Nettle | • Open-source • Written in functional programming languages |

Floodlight Architecture
Overview
  – Floodlight is a collection of modules
  – Some modules (not all) export services
  – All modules in Java
  – Rich, extensible REST API
(Figure: modules and the services they export: DeviceManager (IDeviceService), FloodlightProvider (IFloodlightProviderService), TopologyManager (ITopologyManagerService), RestServer (IRestApiService), StorageSource (IStorageSourceService), Forwarding, StaticFlowPusher (IStaticFlowPusherService), LinkDiscovery (ILinkDiscoveryService), VirtualNetworkFilter (IVirtualNetworkFilterService).)
Source: Big Switch Networks
Floodlight Architecture
Module descriptions
(Figure: the module diagram again, with each module annotated as follows.)
StorageSource (IStorageSourceService)
  • DB style storage (queries, etc)
  • Modules can access all data and subscribe to changes
TopologyManager (ITopologyManagerService)
  • Computes shortest path using Dijkstra
  • Keeps switch to cluster mappings
Forwarding
  • Installs flow mods for end-to-end routing
  • Handles island routing
DeviceManager (IDeviceService)
  • Tracks hosts on the network
  • MAC -> switch,port, MAC->IP, IP->MAC
RestServer (IRestApiService)
  • Implements via Restlets (restlet.org)
  • Modules export RestletRoutable
StaticFlowPusher (IStaticFlowPusherService)
  • Supports the insertion and removal of static flows
  • REST-based API
LinkDiscovery (ILinkDiscoveryService)
  • Maintains state of links in network
  • Sends out LLDPs
VirtualNetworkFilter (IVirtualNetworkFilterService)
  • Create layer 2 domain defined by MAC address
  • Used for OpenStack / Quantum
FloodlightProvider (IFloodlightProviderService)
  • Translates OF messages to Floodlight events
  • Managing connections to switches via Netty
Source: Big Switch Networks

Floodlight Programming Model
(Figure: Northbound APIs. An IFloodlightModule runs inside the Floodlight Controller; an External Application talks to the controller over REST; the controller manages several Switches and a vSwitch.)
IFloodlightModule
  • Java module that runs as part of Floodlight
  • Consumes services and events exported by other modules
    – OpenFlow (ie. Packet-in)
    – Switch add / remove
    – Device add / remove / move
    – Link discovery
External Application
  • Communicates with Floodlight via REST
    – Quantum / Virtual networks
    – Normalized network state
    – Static flows
26. 9/8/14
26
REST API Reference
A moving target… but…

Network State: List Hosts, List Links, List Switches, GetStats (DPID), GetCounters (OFType…)
Static Flows: Add Flow, Delete Flow, List Flows, RemoveAll Flows
Virtual Network: Create Network, Delete Network, Add Host, Remove Host
User Extensions: …
Floodlight Controller – Switch, Switch, vSwitch, Switch

Source: Big Switch Networks

Programming Floodlight: Using the REST API
• Fine-grained ability to push flows over REST
• Access to normalized topology and device state
• Extensible access to add new APIs
Programming Floodlight: Creating a module
• Handle OpenFlow messages directly (i.e. PacketIn)
• Expose services to other modules
• Add new REST APIs

Source: Big Switch Networks
Outline
• SDN Basics
– Concepts
– OpenFlow
– Switches and Controllers
– OF-Config
– Mininet
OpenFlow Configuration and Management Protocol
• Bootstrap OpenFlow network
• Switch connects to controller
  • Controller(s) to connect to must be configured at switches
• Allocate resources within switches
  • Ports
  • Queues
  • . . .
(Figure: controllers connected to switches)
OpenFlow Configuration and Management Protocol: Reference Model
• Configuration Point
  • Source of switch configuration
• OpenFlow Capable Switch
  • Hosts one or more logical switches
  • Resources (ports, queues)
• OpenFlow Controller
• OpenFlow Logical Switch
  • Instance of an OpenFlow Switch
(Figure: Configuration Points talk OF-CONFIG to the OpenFlow Capable Switch, which hosts OF Logical Switches; OpenFlow Controllers talk OpenFlow to the OF Logical Switches)
OF-CONFIG: using IETF Netconf & XML data models
OF-CONFIG Scope and Releases
WG established in Sep 2011
• OF-CONFIG 1.0 (Jan 2012) based on OpenFlow 1.2
  • assigning controllers to logical switches
  • retrieving assignment of resources to logical switches
  • configuring some properties of ports and queues
• OF-CONFIG 1.1 (Apr 2012) based on OpenFlow 1.3
  • added controller certificates and resource type "table"
  • retrieving logical switch capabilities signaled to controller
  • configuring of tunnel endpoints
• OF-CONFIG 1.1.1 (Aug 2012) based on OpenFlow 1.3.1
  • consolidation of version 1.1, fixing small inconsistencies
• OF-CONFIG 1.2 (early 2013) based on OpenFlow 1.3.1
  • features still under discussion, candidates include
    • retrieving capable switch capabilities, configuring logical switch capabilities
    • assigning resources to logical switches
    • simple topology detection
    • event notification

Use of Netconf and Yang
• Netconf was chosen as management protocol
  • not necessarily accepted as ideal solution
  • still discussing alternatives
• XML schema was chosen as modeling language
  • Yang is also used, but XML is normative
  • normative XML schema generated from Yang code
• So far, the focus has been on configuration
  • bootstrap of an OpenFlow network is the obvious first thing to do
• New work items will be more on OAM
  • incl. event notifications
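An added example (not from the slides or from the ONF specification) of the controller-to-logical-switch assignment described above, as OF-CONFIG XML built with the standard library. The `urn:onf:of111:config:yang` namespace, the element names and the treatment of a missing `<protocol>` as plain `tcp` are assumptions based on the OF-CONFIG 1.1 data model; the audit function flags assignments that do not use TLS, since only TLS carries the controller certificates that 1.1 added.

```python
import xml.etree.ElementTree as ET

# Namespace of the OF-CONFIG 1.1 YANG model (assumed here; verify against the
# spec version your capable switch implements).
NS = "urn:onf:of111:config:yang"
N = "{%s}" % NS


def build_capable_switch(switch_id, logical):
    """Build a <capable-switch> document assigning controllers to logical
    switches. `logical` maps logical-switch id -> list of
    (controller id, ip address, port, protocol) tuples."""
    ET.register_namespace("", NS)
    root = ET.Element(N + "capable-switch")
    ET.SubElement(root, N + "id").text = switch_id
    lsws = ET.SubElement(root, N + "logical-switches")
    for ls_id, controllers in logical.items():
        sw = ET.SubElement(lsws, N + "switch")
        ET.SubElement(sw, N + "id").text = ls_id
        ctrls = ET.SubElement(sw, N + "controllers")
        for cid, ip, port, proto in controllers:
            c = ET.SubElement(ctrls, N + "controller")
            ET.SubElement(c, N + "id").text = cid
            ET.SubElement(c, N + "ip-address").text = ip
            ET.SubElement(c, N + "port").text = str(port)
            ET.SubElement(c, N + "protocol").text = proto
    return ET.tostring(root, encoding="unicode")


def audit_controller_transport(xml_text):
    """Return (logical switch id, controller id, protocol) for every controller
    assignment whose OpenFlow channel is not protected by TLS. A missing
    <protocol> element is treated as the plain-TCP default (assumption)."""
    root = ET.fromstring(xml_text)
    findings = []
    for sw in root.iter(N + "switch"):
        ls_id = sw.findtext(N + "id")
        for c in sw.iter(N + "controller"):
            proto = (c.findtext(N + "protocol") or "tcp").lower()
            if proto != "tls":
                findings.append((ls_id, c.findtext(N + "id"), proto))
    return findings


# Constructed sample: one capable switch hosting two logical switches.
SAMPLE = build_capable_switch("CapableSwitch0", {
    "LogicalSwitch0": [("Controller0", "192.0.2.10", 6633, "tls")],
    "LogicalSwitch1": [("Controller1", "192.0.2.11", 6633, "tcp"),
                       ("Controller2", "192.0.2.12", 6633, "tls")],
})

if __name__ == "__main__":
    print(SAMPLE)
    print(audit_controller_transport(SAMPLE))
```

The generated document is what a Configuration Point would send inside a Netconf `<edit-config>` to the capable switch; the audit reads the same XML back and reports `LogicalSwitch1`/`Controller1` as the only plain-TCP assignment.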
Outline
• SDN Basics
– Concepts
– OpenFlow
– Switches and Controllers
– OF-Config
– Mininet

Mininet
• Machine-local virtual network
– Great dev/testing tool
• Uses Linux virtual network features
– Cheaper than VMs
• Arbitrary topologies, nodes
Mininet (Cont’d)
• Rapidly prototype, develop and test
– Interestingly-sized networks (16-100 nodes) start up in seconds
– No lengthy lab reconfiguration or rebooting required
– Always-accessible network resources, in any topology, at essentially no cost
– Designs that work on Mininet transfer seamlessly to hardware for full speed operation

Mininet (Cont’d)
• Repeatably test, analyze, and predict network behavior
– Easy replication of experimental and test results
– Examine effects of code or network changes before testing/deploying on hardware
– Allows automated system-level tests and experiments
– Recreate real-world network and test cases for a variety of topologies and configurations

Mininet (Cont’d)
• Quickly get up and running
– Free and permissively licensed (BSD)
– Minimal hardware requirements
– Accessible to novices thanks to simple CLI
– Smooth learning curve thanks to walkthrough, tutorial, examples and API documentation
– Strong users and support community

Questions?