Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
Tutorial on SDN data plane evolution
1. From dumb to smarter switches
in software defined networks:
an overview of data plane evolution
Antonio Capone, Carmelo Cascone
Politecnico di Milano – ANTLab
Ecole Polytechnque de Montreal
A. Capone & C. Cascone: SDN tutorial
IEEE NETSOFT 2015 – London, April 13, 2015
1
2. Acknowledgements
The authors wish to thank:
- prof. Giuseppe Bianchi and Marco Bonola (Univ. of Rome,
Tor Vergata)
- Luca Pollini and Davide Sanvito (Politecnico di Milano)
A. Capone & C. Cascone: SDN tutorial 2
This tutorial has be supported by the EU
project BEBA
3. Agenda
1) Setting the scene: a brief intro to SDN and
OpenFlow
2) Switches cannot remain dumb: Starting the
process of data plane evolution
3) Not too much not too little: OpenState and
statefull data planes
4) Applied smartness: statefull applications
(with hands-on activities)
A. Capone & C. Cascone: SDN tutorial 3
4. Setting the scene: a brief intro to
SDN and OpenFlow
The future has already arrived. It's just not
evenly distributed yet. [William Gibson]
A. Capone & C. Cascone: SDN tutorial 4
5. Forwarding HW
OS
Classic network paradigm
Distributed network functions
Forwarding HW
OS
Forwarding HW
OS
State distribution mechanism
(protocols)
Router/switch/appliance
A. Capone & C. Cascone: SDN tutorial 5
6. Vertically integrated
Forwarding HW
OS
AppApp App
L3 Routing, L2 switching, ACL, VPNs, etc…
Control-plane
Data-plane
Closed
platform!
Protocols guarantee interoperability…
But what’s the drawback?
A. Capone & C. Cascone: SDN tutorial 6
7. Way too many standards?
Source: IETF
A. Capone & C. Cascone: SDN tutorial 7
10. Non-standard management
• Configuration interfaces vary across:
– Different vendors
– Different devices of same vendor
– Different firmware versions of same device!
• SNMP fail
– Proliferation of non-standard MIBs
– Partially implemented standard MIBS
– IETF recently published a recommendation to stop
producing writable MIB modules
A. Capone & C. Cascone: SDN tutorial 10
12. SDN architecture
Simple forwarding
HW
Simple forwarding
HW
Simple forwarding
HW
Simple forwarding
HW
Network OS
App App App
HW open interface
Network control API
A. Capone & C. Cascone: SDN tutorial 13
13. From protocols to API
• HW forwarding abstraction
– low-level primitives to describe packet forwarding
• Control plane API
– Network topology abstraction
– High-level access to switch programming
– Common libraries
• Host tracking
• Shortest-path
• Etc..
A. Capone & C. Cascone: SDN tutorial 14
14. Success keys
• Low-level HW open interface (but not too low
level …)
• Good, extensible and possibly open-source
Network OS (too many?)
• Open market for third-party network
application developers (development
ecosystem is crucial)
– Network app store
A. Capone & C. Cascone: SDN tutorial 15
16. Active networking
• “The goal for active networking is to have
programmable open nodes, with the ability to deploy
programs dynamically into node engines.”
A. Capone & C. Cascone: SDN tutorial 17
Capsule model
D. Wetherall et al., “ANTS: A toolkit for building and dynamically
deploying network protocols. In IEEE OpenArch, April 1998.
Programmable router model
J.M. Smith et al., "Activating networks: a progress report,"
Computer, vol.32, no.4, pp.32,41, Apr 1999
17. ForCES Architecture
• ForCES - Forwarding and Control Element Separation
• IETF ForCES working group was established in 2001 and closed
in 2014
• RFC3746: “ForCES Framework” defines
– CE:Control Element
– FE:Forwarding Element
• CE may be required to control hundreds of FEs
ForCES NE
CE1 CE2
FE2FE1
Fp
Fif
Fr
CE Manager
FE Manager
Fif
18. ForCES Architecture - FE
– ForCES Protocol
• To provide a universal standardized control interface for FEs
– LFB – Logical Functional Block
• e.g., Classifier LFB, IPv4 LPF LFB, IPv6 LPF LFB, Scheduler LFB
– Datapath
• Can configure dynamically LFB topology for supporting various
over IP services
FE Model
LFB1
ForCES Protocol Stack
Attributes
LFBn
Attributes
...
Datapath
FE
CE
ForCES Protocol
19. … but one winner
OpenFlow
A. Capone & C. Cascone: SDN tutorial 20
20. OpenFlow
• Stanford, 2008
• Clean Slate research program
• “With what we know today, if we were to start
again with a clean slate, how would we design
a global communications infrastructure?”
A. Capone & C. Cascone: SDN tutorial 21
Is it really a clean
slate approach?
21. OpenFlow Protocol
(SSL/TCP)
OpenFlow controller
In-bound or out-bound
OpenFlow
• OpenFlow is actually a pragmatic approach to
SDN based on a simple HW abstraction that can
be implemented with current HW commercial
platforms
A. Capone & C. Cascone: SDN tutorial 22
23. What is OpenFlow
• Switch abstraction
– Match/action flow table
– Flow counters
– It doesn’t describe how this should be implemented in
switches (vendor neutral !!!)
• Application layer protocol
– Binary wire protocol, messages to program the flow
table
• Transport protocol
– TCP, TLS
A. Capone & C. Cascone: SDN tutorial 24
24. Flow table
Match Actions Counters
1. Forward (one or more ports)
2. Drop
3. Encapsulate and send to controller
4. Header rewrite
5. Push/pop MPLS label / VLAN tag
6. Queues + bitrate limiter (bit/s)
7. Etc..
Bytes + packets
Switch
Port
MAC
src
MAC
dst
Eth
type
VLAN
ID
IP
Src
IP
Dst
IP
Prot
L4
sport
L4
dport
VLAN
pcp
IP
ToS
Slide courtesy: Rob Sherwood
A. Capone & C. Cascone: SDN tutorial 25
25. Switch abstraction
OpenFlow client
Flow table
(aka Forwarding Information Base)
OpenFlow controller
Software
Hardware (e.g. TCAM)
or software
A. Capone & C. Cascone: SDN tutorial 26
26. Example
Description Port MAC src MAC
dst
Eth
type
VLAN
ID
IP Src IP Dest TCP
sport
TCP
dport
Action
L2 switching * * 00:1f:.. * * * * * * Port6
L3 routing * * * * * * 5.6.*.* * * Port6
Micro-flow
handling
3 00:20.. 00:1f.. 0x800 Vlan1 1.2.3.4 5.6.7.8 4 17264 Port4
Firewall * * * * * * * * 22 Drop
VLAN
switching
* * 00:1f.. * Vlan1 * * * * Port6,
port7,
port8
A. Capone & C. Cascone: SDN tutorial 27
27. Reactive vs Proactive
• Reactive
– Start with flow table empty
– First packet of a flow sent to controller
– Controller install flow entries
– Good for stateful forwarding:
• L2 switching, dynamic firewall, resource management
• Proactive
– Flow entries installed at switch boot
– Good for stateless forwarding:
• L3 routing, static firewall, etc..
A. Capone & C. Cascone: SDN tutorial 28
28. OpenFlow 1.0 recap
Flow table
Redirect to controller
Packet Apply actions, forward
Drop
A. Capone & C. Cascone: SDN tutorial 29
But how do we
implement a
flow table?
29. HW vs SW switches
• Soft switching based on general CPU
• Switching based on network processors
• Switching based on dedicated chips
A. Capone & C. Cascone: SDN tutorial 30
10x
10x
1 Tb/s capacity is the target switching
capacity for top level devices
The differences in performance
between HW and SW switches are
expected to remain
But the application domain of soft
switches will expand in scenarios where
extremely high rates are not required
30. HW vs SW switches
• OF has been designed having in mind current
specialized HW architecture for switches
• Even if it has greatly stimulated the evolution
of soft switches and extended their use
• OF doesn’t describe how the forwarding
abstraction should be implemented in switches
(vendor neutral !!!)
– but what does this really mean? (…)
A. Capone & C. Cascone: SDN tutorial 31
31. Forwarding Abstraction OF1.0
A. Capone & C. Cascone: SDN tutorial 32
SMT - Single Match Table
TCAM
Ternary Content Addressable Memory
32. Limitations of SMT abstraction
• SMT is a simple and powerful abstraction, but the
option to implement it using a single TCAM is not
practical
• A very big and wide TCAM would be necessary in
most cases
– Wide: all header fields
– Big: all possible combinations of values relevant
– the distance between abstraction and
implementations is at the basis of the OF success
– but also an incentive to try to make the
abstraction evolve and become more flexible (…)
A. Capone & C. Cascone: SDN tutorial 33
33. Other (less known) sides of OF
• Before moving to the evolution of the
forwarding abstraction it is worth pointing out
some other characteristics of OF
• OF focuses only on the control of the data
plane
• However its relation with network
management and configuration is within an
area which is not completely back-n-white
A. Capone & C. Cascone: SDN tutorial 34
34. Control plane vs Management plane?
• Another important practical issue is the relation of OF
and the controller with the network management
platforms
• In principle controllers could take over the
management functions (mainly device configuration
and monitoring)
• This however requires more complex functions and a
number of legacy management services that are still
crucial for networks
• If we take a look at a popular SDN controller
(OpenDayLight) architecture, it is easy to understand
things are more complex than they appear
A. Capone & C. Cascone: SDN tutorial 35
35. Network OS / controller example:
OpenDaylight (Linux Foundation)
A. Capone & C. Cascone: SDN tutorial 36
36. OF-CONFIG
• ONF defined its own configuration protocol based
on NETCONF and xml data models
A. Capone & C. Cascone: SDN tutorial 37
OpenFlow
Capable Switch
resources
(ports, queues)
OF Logical
Switch
OF Logical
Switch
Configuration
Point
Configuration
Point
OF-CONFIG
Configuration
Point
OpenFlow
Controller
Configuration
Point
OpenFlow
Controller
OpenFlow OpenFlow
using IETF Netconf &
XML data models
37. SDN Layers and Architecture Terminology
• IETF is trying to
clean up
terminology and
architecture and
reconcile it with
real schemes
A. Capone & C. Cascone: SDN tutorial 38
Source: IRTF Software-Defined Networking Research Group (SDNRG)
38. Switches cannot remain dumb:
Starting the process of data
plane evolution
One man alone can be pretty dumb sometimes, but for real
bona fide stupidity, there ain't nothin' can beat teamwork.
[Edward Abbey]
A. Capone & C. Cascone: SDN tutorial 39
39. Models can be perfect and clean,
reality is dirty!
• The match/action model can ideally be used to program
any network behavior and to get rid of protocol
limitations at any level
• But unfortunately, with OF:
– Matches can be done only on a set of predefined header
fields (Ethernet, IPv4, MPLS, VLAN tag, etc.)
– Actions are limited to a rather small set
– Header manipulation (like adding label/tags, rewriting of
fields, etc.) is limited to standard schemes
• As a result, OF is not really protocol independent and
standards (including OF standards) are still necessary
A. Capone & C. Cascone: SDN tutorial 40
40. Where do OF limitations come from?
• TCAMs are typically expensive components that are used
by manufacturers only when strictly necessary
• Less expensive memory components based on predefined
search keys are often used for most of the common
functions of a switch
• OF success depends on its “vendor neutral” approach
where implementations issues are completely opaque
(including reuse of standard modules for e.g. MAC and IP
forwarding)
• Specialized ASICs are typically complex with a number of
hard limitations on table types, sizes, and match depth
A. Capone & C. Cascone: SDN tutorial 41
41. Multiple Match Tables (MMT)
• Single Match tables are costly: all possible
combinations of header values in a single long
table
• Solution: Multiple Match Tables (MMT)
• MMTs are the HAL of OF 1.1
A. Capone & C. Cascone: SDN tutorial 42
OpenFlow Switch Specification Version 1.1.0 Implemented
Table
0
Table
1
Table
n
Packet Execute
Action
Set
Packet
In
Action
SetAction
Set = {}
OpenFlow Switch
Packet
Out...
Ingress
port
Packet +
ingress port +
metadata
Action
Set
(a) Packets are matched against multiple tables in the pipeline
Find highest- priority matching flow entry
42. MMT and implementations
• MMT introduced in OF 1.1 are actually much
closer to real switch implementation in
specialized chips
A. Capone & C. Cascone: SDN tutorial 43
source: bigswitch.com
43. Switch pipeline
• Existing switch chips implement a small (4–8) number of
tables whose widths, depths, and execution order are set
when the chip is fabricated
• Optimization of the pipeline can lead to very different
results depending on the context:
– A chip used for a core router may require a very large 32-bit IP
longest matching table and a small 128 bit ACL match table;
– A chip used for an L2 bridge may wish to have a 48-bit
destination MAC address match table and a second 48-bit
source MAC address learning table;
– an enterprise router may wish to have a smaller 32-bit IP prefix
table and a much larger ACL table as well as some MAC address
match tables.
A. Capone & C. Cascone: SDN tutorial 44
[RMT] Pat Bosshart et al, “Forwarding Metamorphosis: Fast Programmable Match-Action Processing in Hardware for SDN”, ACM SIGCOM 2013.
44. Group Tables (OF 1.1)
• Packets of the same flow are applied the same actions
unless the table entry is modified by the controller
• Not good for some common and important cases (e.g.
multicast, multipath load balancing, failure reaction, etc.)
• Solution: Group tables
– Goto table “group table n”
– List of buckets of actions
– All or some of the buckets are executed depending on the type
• Types of Group tables
– All (multicast)
– Select (multipath)
– Fast-failover (protection switching)
A. Capone & C. Cascone: SDN tutorial 45
45. Group Tables (OF 1.1)
• Fast failover
• Note that this is the first “stateful” behavior in the data
plane introduced in OF !!!
A. Capone & C. Cascone: SDN tutorial 46
Port A
Status
monitoring
Port B
Status
monitoring
Port C
Status
monitoring
Port D
Status
monitoring
Group table
fast failover
Action bucket 1:
FWD Port A, …
Action bucket 2:
FWD Port B, …
Action bucket 3:
FWD Port C, …
Action bucket 4:
FWD Port D, …
A
B
CD
46. OF 1.2
• Extensible match (Type Length Value)
• Support for IPv6, new match fields:
– source address, destination address, protocol
number, traffic class, ICMPv6 type, ICMPv6 code,
IPv6 neighbor discovery header fields, and IPv6
flow labels
• Experimenter extensions
• Full VLAN and MPLS support
• Multiple controllers
A. Capone & C. Cascone: SDN tutorial 47
47. OF 1.3
• Initial traffic shaping and QoS support
– Meters: tables (accessed as usual with “goto
table”) for collecting statistics on traffic flows and
applying rate-limiters
A. Capone & C. Cascone: SDN tutorial 48
Meter Table
Meter indentifier Meter band Counters
… … …
… … …
… … …
Type Rate Counters Type/argument
48. OF 1.4
• More extensible wire protocol
• Synchronized tables
– tables with synchronized flow entries
• Bundles
– similar to transactional updates in DB
• Support for optical ports
A. Capone & C. Cascone: SDN tutorial 49
50. OF 1.5
• Packet type aware pipeline
• Extensible flow entry statistics
• TCP flags matching
A. Capone & C. Cascone: SDN tutorial 51
51. OF future extensions
• The discussion on flow states
– The capability to store / access flow metadata that
persists for lifetime of flow (not just current packet)
– Potential to enable a variety of new capabilities:
• Fragment handling without reassembly
• Relation between bidirectional flows (e.g., RDI)
• Autonomous flow learning + flow state tracking
• MAC learning
• TCP proxy
– Hierarchies of flows
• e.g. FTP control / data, all belonging to a user, etc.
A. Capone & C. Cascone: SDN tutorial 52
[MAC13] Ben Mack-Crane, “OpenFlow Extensions”, US Ignite ONF GENI workshop, Oct 2013
52. Also abstraction “involutions” (?):
Typed tables
• “A step back to ensure wider applicability”
• A third way between reactive and proactive
• Pre-run-time description of switch-level
“behavioral abstraction” (tell to the switch which
types of flowmods will be instantiated at run time)
• Limit types supported according to HW type
A. Capone & C. Cascone: SDN tutorial 53
ONF Forwarding Abstractions WG
OpenFlow
1.0
Typed tables patterns: Forwarding Elements (F:E.)
Constrained
OpenFlow 1.1
Layer 3
IPv4
Stateless
Generic
Tunnel
Statefull
Generic
Tunnel
802.1D
Forwarding (…)
53. Breaking the limitation of specialized
pipelines: Reconfigurable Match Table
• OF introduced the MMT model but does not mandate
the width, depth, or even the number of tables
• OF allows the introduction of new match fields through
a user-defined field facility
• Recent proposal by McKeown, Varghese et al. [BOS13]:
RMT
• Goal: reconfigurability of multiple tables with arbitrary
width
A. Capone & C. Cascone: SDN tutorial 54
[BOS13] P. Bosshart, G. Gibb, H.-S. Kim, G. Varghese, N. McKeown, M. Izzard, F. Mujica, and M. Horowitz, “Forwarding
metamorphosis: Fast programmable match-action processing in hardware for sdn”, in ACM SIGCOMM 2013.
54. Reconfigurable Match Tables (RMT)
• Field definitions can be altered and
new fields added
• Number, topology, widths, and
depths of match tables can be
specified, subject only to an overall
resource limit on the number of
matched bits
• New actions may be defined
• Arbitrarily modified packets can be
placed in specified queues, for
output at any subset of ports, with
a queuing discipline specified for
each queue.
A. Capone & C. Cascone: SDN tutorial 55
[BOS13] P. Bosshart, G. Gibb, H.-S. Kim, G. Varghese, N. McKeown, M. Izzard, F. Mujica, and M. Horowitz, “Forwarding
metamorphosis: Fast programmable match-action processing in hardware for sdn”, in ACM SIGCOMM 2013.
Input
Channels
Select
...
...
VLIW
Action
Match
Tables
Prog.
Parser
Header
Payload
...
Packets
1
K
.
(a) RMT model as a sequence o
Physical
Stage 1
Physical
Stage 2
Logical Stage 1
Logical Stage 2
Physical
Stage M
...
: Ingress logical
match tables
: Egress logical
match tables
Logical
Stage N
(b) Flexible match table configuration.
Pa
He
Ve
M
Ta
Figure 1: RMT mo
2. Flexible Resource Allocation Minimizing Resource Waste:
A physical pipeline stage has some resources (e.g., CPU,
memory). The resources needed for a logical stage can vary
considerably. For example, a firewall may require all ACLs,
a core router may require only prefix matches, and an edge
router may requiresomeof each. By flexibly allocating phys-
ical stages to logical stages, one can reconfigure the pipeline
to metamorphose from a firewall to a core router in the field.
The number of physical stages N should be large enough
so that a logical stage that uses few resource will waste at
most 1/ N -th of the resources. Of course, increasing N will
increase overhead (wiring, power): in our chip design we
chose N = 32 as a compromise between reducing resource
wastage and hardware overhead.
3. Layout Optimality: As shown in Figure 1b, a logical
stage can be assigned more memory by assigning the logical
stage to multiple contiguous physical stages. An alternate
design is to assign each logical stage to a decoupled set of
Physical
flexible
architecture
on chip
55. Reconfigurable Match Tables (RMT)
A. Capone & C. Cascone: SDN tutorial 56
[BOS13] P. Bosshart, G. Gibb, H.-S. Kim, G. Varghese, N. McKeown, M. Izzard, F. Mujica, and M. Horowitz, “Forwarding
metamorphosis: Fast programmable match-action processing in hardware for sdn”, in ACM SIGCOMM 2013.
Input
Channels
Logical Stage 1
...
Switch State
(metadata)
Select
...
...
VLIW
Action
Match
Tables
Statistics State
Prog.
Parser
Header
Payload
...
Packets
1
K
...
Logical Stage N
Recombine
Output
Channels
...
1
K
Configurable
Output
Queues
Packets
NewHeader
(a) RMT model as a sequence of logical Match-Action stages.
Physical
Stage 1
Physical
Stage 2
Logical Stage 1
Logical Stage 2
Physical
Stage M
...
: Ingress logical : Egress logical
Logical
Stage N
Packet
Header
Vector
ActionInputSelector(Crossbar)
Action
Memory OP code
Ctrl
Action
Unit
Packet
Header
Vector
...
Src 1
Src 2
Src 3
Src 1
Src 2
Src 3
OP code
(from inst
mem)
Match
Results
...
Match
Tables
Action
Unit
VeryWide
HeaderBus
Programmable
parser
Global states
Header re-write with very
long instruction word (VLIW)
Configurable
queues
1
...
VLIW
ction
State
...
Logical Stage N
Recombine
Output
Channels
...1
K
Configurable
Output
Queues
Packets
NewHeader
sequence of logical Match-Action stages.
Packet
Header
Vector
ActionInputSelector(Crossbar)
Action
Memory OP code
VLIW Instruction Memory
Ctrl
Action
Unit
Packet
Header
Vector
...
Src 1
Src 2
Src 3
Src 1
Src 2
Src 3
OP code
(from inst
mem)
Match
Results
...
Match
Tables
Action
Unit
VeryWide
HeaderBus
(c) VLIW action architecture.
RMT model architecture.
Waste:
CPU,
n vary
ACLs,
delays can be ameliorated by pipelining, the ultimate chal-
lenge in such a design is wiring: unless the current match
and action widths (1280 bits) are reduced, running so many
wires between every stage and every memory may well be
56. Pipeline flexibility: FlexPipeTM (Intel)
A. Capone & C. Cascone: SDN tutorial 57
Source: Dr. Recep Ozdag - INTEL
• Flexible pipeline and
table solutions already
available from some
vendors
57. All the way down to programmability: P4
• OpenFlow 2.0 proposal by McKeown, Rexford et al.
[BOS14]
A. Capone & C. Cascone: SDN tutorial 58
[BOS14] P. Bosshart, D. Daly, G. Gibb, M. Izzard, N. McKeown, J. Rexford, C. Schlesinger, D. Talayco, A.
Vahdat, G. Varghese, and D. Walker “P4: Programming protocol-independent packet processors,”
SIGCOMM CCR, July 2014
• 3 goals:
– Protocol independence
• Configurable packet parser
• Match/actions not tied to any specific network protocols
– Target independence
• Compiler handles mapping independently to switch details
(e.g. TCAM vs RAM, softswitch, RMT, FlexPipe, etc.)
– Reconfigurability
• Change parsing and processing in the field
58. All the way down to programmability: P4
A. Capone & C. Cascone: SDN tutorial 59
• Configuration achieved with a programming language
describing parsing and control
• Flow tables populated with “Classic” OpenFlow
• Compiler maps parser and tables to specialized hardware
or software
expressiveness with the ease of implementation across a
e range of hardware and software switches. In designing
we have three main goals:
econfi gur abilit y. The controller should be able to re-
efine the packet parsing and processing in the field.
r ot ocol independence. The switch should not be tied
specific packet formats. Instead, the controller should
e able to specify (i) a packet parser for extracting header
elds with particular names and types and (ii) a collection
typed match+ action tables that process these headers.
ar get independence. Just as a C programmer does
ot need to know the specifics of the underlying CPU, the
ntroller programmer should not need to know the de-
ils of the underlying switch. Instead, a compiler should
ke the switch’s capabilities into account when turning
target-independent description (written in P4) into a
rget-dependent program (used to configure the switch).
outline of the paper is as follows. We begin by in-
ucing an abstract switch forwarding model. Next, we
ain the need for a new language to describe protocol-
pendent packet processing. We then present a simple
vating example where a network operator wants to sup-
a new packet-header field and process packets in mul-
e stages. We use this to explore how the P4 program
ifies headers, the packet parser, the multiple match+
on tables, and the control flow through these tables. Fi-
y, we discuss how a compiler can map P4 programs to
et switches.
elat ed wor k. In 2011, Yadav et al. [4] proposed an ab-
ct forwarding model for OpenFlow, but with less empha-
n a compiler. Kangaroo [1] introduced thenotion of pro-
actions are composed from protocol-independent primitives
supported by the switch.
Our abstract model generalizes how packets are processed
in di↵erent forwarding devices(e.g., Ethernet switches, load-
balancers, routers) and by di↵erent technologies (e.g., fixed-
function switch ASICs, NPUs, reconfigurable switches, soft-
ware switches, FPGAs). This allows us to devise a com-
mon language (P4) to represent how packets are processed
in terms of our common abstract model. Hence, program-
mers can create target-independent programs that a com-
piler can map to a variety of di↵erent forwarding devices,
ranging from relatively slow software switches to the fastest
ASIC-based switches.
Figur e 2: T he abst r act for war ding m odel.
59. • Header
– Ordered list of fields with name and width
• Parser
– State machine traversing the packet to extract header fields
(If ethertype == 0x800 then…)
• Action functions
– Custom functions made of primitive actions
(add_field,remove_header, copy, set, increment, checksum, etc…)
• Typed tables
– What fields are matched in what way
(exact match, longest prefix, range, etc...)
• Control flow
– Table application order, conditionals, functions
• Stateful memories
– Counters, meters and registers which persist across packets
A. Capone & C. Cascone: SDN tutorial 60
All the way down to programmability: P4
P4 configuration abstractions:
60. All the way down to programmability: P4
A. Capone & C. Cascone: SDN tutorial 61
Example:
Header formats:
Parser state function:
Typed tables and functions:
Action function:
copy_f i el d( mTag. et her t ype, vl an. et her t ype) ;
/ / Set VLAN’ s et her t ype t o si gnal mTag
set _f i el d( vl an. et her t ype, 0xaaaa) ;
set _f i el d( mTag. up1, up1) ;
set _f i el d( mTag. up2, up2) ;
set _f i el d( mTag. down1, down1) ;
set _f i el d( mTag. down2, down2) ;
/ / Set t he dest i nat i on egr ess por t as wel l
set _f i el d( met adat a. egr ess_spec, egr _spec) ;
}
If an action needs parameters (e.g., the up1 value for the
mTag), it is supplied from the match table at runtime.
In this example, the switch inserts the mTag after the
VLAN tag, copies the VLAN tag’s Ethertype into the mTag
61. Protocol Oblivious Forwarding (POF)
• Removing/neglecting constraints on general HW can lead
to extreme flexibility of a clean slate approach (not in the
OF evolution track)
• POF proposal by Huawei [SON13]
• POF makes the forwarding plane totally protocol-oblivious
• The POF FE has no need to understand the packet format
• Arbitrary field definition:
A. Capone & C. Cascone: SDN tutorial 62
[SON13] H. Song, “Protocol-oblivious forwarding: Unleash the power of SDN through a future-proof
forwarding plane, HotSDN ’13. ACM, 2013, pp. 127–132.
field {
type;
offset;
length;
};
The type” is used to indicate the field type, for which the value 0 me
data field and the value 1 means it is a metadata field. The “offset” i
relative to the current protocol head. The following example shows
format.
dst src type
MAC
0 6 12
There are three fields: dst, src, and type. They are denoted as follow
dst: {0, 0, 48}; /*packet field, offset is 0bit, length is 48b
src: {0, 48, 48}; /*packet field, offset is 48bit, length is 4
type: {0, 96, 16}; /*packet field, offset is 96bit, length is 1
It is easy to see that any existing or new protocols can be denoted in
3.2 Forwarding Instructions
dst: {0, 0, 48};
src: {0, 48, 48};
type: {0, 96, 16};
Example:
62. Protocol Oblivious Forwarding (POF)
• POF FE execute instruction of its controller to:
– extract and assemble the search keys from the
packet header,
– conduct the table lookups,
– execute the associated instructions (in the form of
executable code written in FIS or compiled from
FIS).
A. Capone & C. Cascone: SDN tutorial 63
[SON13] H. Song, “Protocol-oblivious forwarding: Unleash the power of SDN through a future-proof
forwarding plane, HotSDN ’13. ACM, 2013, pp. 127–132.
63. Protocol Oblivious Forwarding (POF)
A. Capone & C. Cascone: SDN tutorial 64
[SON13] H. Song, “Protocol-oblivious forwarding: Unleash the power of SDN through a future-proof
forwarding plane, HotSDN ’13. ACM, 2013, pp. 127–132.
relative to its own protocol header. For example, the “Src_Addr” position has a 64-bit offset
relative to the starting position of the IPvX header field.
The following figure shows the process of IPvX packets by using the instruction
“Goto-Table”.
MAC IPvX
0 14
Dst_Addr Src_Addr Type
0 8 16
MAC IPvX
0 14
Dst_Addr Src_Addr Type
0 8 16
Packet Process Pointer Packet Process Pointer
Flow Table 0 (Dst, Type)
Fields Instructions
Fields Instructions
Goto-Table{
Table 1, /*Flow Table 1*/
14, /*Packet Process Pointer
move forward 14bytes */
1, /*match field number is 1*/
{0, 64,64}, /*match field is Src_Addr*/
}
Flow Table 1 (Src_Addr)
Fields Instructions
Fields Instructions
0
1
0
1
2
3
2
3
Figure 1: Instance for Goto-Table Instruction
In Flow Table 0, the “destination address” and the “type” of the MAC header are used as the
match fields. Flow Table 0 has one flow entry configured by controller which instructs the
microcode to go to Flow Table 1 for further processing. In Flow Table 1, the “Src_Addr” of
Example: forwarding based on a “new” protocol IPvX with 64 bits addresses
64. Tiny programs in the packets
• Taking programmability to the extreme …
• Remember “active networks” …
A. Capone & C. Cascone: SDN tutorial 65
[JEY13] V. Jeyakumar, M. Alizadeh, C. Kim, and D. Mazieres, “Tiny packet programs for low-latency
network control and monitoring,”. HotSDN ’13
ch to packet
et to switch
tomic operations
thesubsequent instructions
per require support only for
ill be clear when we discuss
nstructions are simple in
udget for handling small
structions free the ASIC
s to coordinate with the
achieve a desired func-
nimal read and write in-
es on anetwork, many of
today only after years of
questions and concerns,
SP = 0x0
PUSH [ QSi ze]
SP = 0x4
PUSH [ QSi ze]
0x00
SP = 0x8
PUSH [ QSi ze]
0x00
0xa0
SP = 0xc
PUSH [ QSi ze]
0x00
0xa0
0x0e
Packet memory is preallocated. The TPP never grows/shrinks inside the network.
Ethernet Header
Other headers
(e.g., TCP/IP)
Figure1: Visualizing theexecution of aTPP that queriesthenetwork
for queue sizes. As the TPP traverses a network of switches, the ASIC
executes the program, which modifies the packet to reflect the queue
sizes on thelink.
For readability, when wewriteTPPsin an x86-likeassem-
65. Deeply Programmable Networks (FLARE)
• Fully programmable control plane
• Fully programmable data plane
• Flexible and extensible API for both planes
• Experimental implementation
A. Capone & C. Cascone: SDN tutorial 66
Aki Nakao, FLARE Project, NakaoLab, The university of Tokyo.
FLARE Node Implementation
36 - 7 2 cores
(upto 100-200 cores in future)
(board desig ned by NakaoLab)
x8 6
Processor
M any Core
Processor
H ierarchical Resource M anag ement
66. Not too much not too little:
OpenState and stateful data planes
Too clever is dumb.
[Ogden Nash]
A. Capone & C. Cascone: SDN tutorial 67
67. Looking for the “right” abstraction
• Programmability and real world viability
– High levels of (deep) programmability in the data
and control planes since ages
• Active Networks
• IETF ForCES
• Keywords for success:
– Pragmatism
– Compromise
– “Right” mix of programmability: right level of
abstraction
• Many wonderful programmable platforms buried in the
“lab world”
A. Capone & C. Cascone: SDN tutorial 68
68. A. Capone & C. Cascone: SDN tutorial 69
Remember: OF meant to be a compromise
[original quotes: from OF 2008 paper]
• Best approach: “persuade commercial name-brand
equipment vendors to provide an open, programmable,
virtualized platform on their switches and routers”
– Plainly speaking: open the box!! No way…
• Viable approach: “compromise on generality and seek
a degree of switch flexibility that is
– High performance and low cost
– Capable of supporting a broad range of research
– Consistent with vendors’ need for closed
platforms.
69. OF forces separation of data and control
Logically-centralized control
DUMB!
SMART!
Events from switches
Topology changes,
Traffic statistics,
Arriving packets
Commands to switches
(Un)install rules,
Query statistics,
Send packets
A. Capone & C. Cascone: SDN tutorial 70
70. Centralized Control: pros and cons
• PROS:
– Central view of the network as a whole
• Network states, etc
– One-click network config/deploy
• Platform agnosting switch API is key - e.g.
OpenFlow forwarding abstraction
• CONS:
– Control latency!!!
• O(second)
1s = 300M packets lost @ 100 gbps
– Signalling overhead
Great idea for
network-wide states
and «big picture»
decisions
Poor idea for local
states/decision,
(way!) better
handled locally
(less delay, less load)
A. Capone & C. Cascone: SDN tutorial 71
71. Distributed controllers
the «common» way to address such cons
A non-solution!
still slow path latency!!
Proprietary controller extensions?
Back to Babel?
«true» fast path solution: update
forwarding rules in 1 packet
time – 3 ns @ 40B x 100 Gbps
3 ns = 60cm signal propagation…
A. Capone & C. Cascone: SDN tutorial 72
72. A. Capone & C. Cascone: SDN tutorial 73
SMART!
SMART!
Events from switches & central rule updates
Restricted to those of interest
for GLOBAL decisions
Inject “switch control programs”
Change forwarding behavior as
specified by “this program” IF
(local) events occur
Decision on how network should operate
remains at the controller (SDN vision)
But “execution” of forwarding plane
updates can be locally delegated
Local processing: Ultra low Latency:
o(nanosec) versus o(sec)
Local states: lower signalling
Our vision
73. What is missing in the picture
Behavioral Description
src=1.2.*.*, dest=3.4.5.* drop
src = *.*.*.*, dest=3.4.*.* forward(2)
src=10.1.2.3, dest=*.*.*.* send to controller
«generic»
forwarding
device
Any vendor, any size, any HW/SW platform…
OF forwarding abstraction insufficient!!
Platform-agnostic stateful processing: how to?
«repurposed
» device
A. Capone & C. Cascone: SDN tutorial 74
74. Stateless vs. Stateful data plane
A. Capone & C. Cascone: SDN tutorial 75
Switch
Stateless
Controller
Global + local states
Switch
Local states
Controller
Global states
Control
enforcing
Control
delegation
Stateless model
(e.g. OpenFlow)
Stateful model
SMART!
DUMB! SMART!
SMART!
Auto-adaption
Event
notifications
75. Easier said than done
• We need a switch architecture and API which is…
– High performance: control tasks executed at wire-speed (packet-
based events)
– Platform-independent: consistent with vendors’ needs for
closed platforms
– Low cost and immediately viable: based on commodity HW
Apparently, far beyond OpenFlow switches…
Our (perhaps surprising?) finding:
much closer to OF than expected!!
A. Capone & C. Cascone: SDN tutorial 76
76. Our findings at a glance
• Any control program that can be described by
a Mealy (Finite State) Machine is already (!)
compliant with OF1.3
• MM + Bidirectional flow state handling
requires minimal hardware extensions to
OF1.1+
• Proof of concept HW and SW implementation
A. Capone & C. Cascone: SDN tutorial 77
77. Our approach: OpenState
easier understood via a running
example: port knocking
A. Capone & C. Cascone: SDN tutorial 78
[CCR14] G. Bianchi, M. Bonola, A. Capone, C. Cascone, “OpenState: programming
platform-independent stateful OpenFlow applications inside the switch”, ACM
Computer Communication Review, vol. 44, no. 2, April 2014.
[ARX14] G. Bianchi, M. Bonola, A. Capone, C. Cascone, S. Pontarelli, “Towards Wire-
speed Platform-agnostic Control of OpenFlow Switches”, available on ArXiv, 2014.
78. Remember OF match/action API
Multiple flow tables
since OF version 1.1
Switch
Port
MAC
src
MAC
dst
Eth
type
VLAN
ID
IP
Src
IP
Dst
IP
Prot
TCP
sport
TCP
dport
Matching
Rule Action
1. FORWARD TO PORT
2. ENCAPSULATE&FORWARD
3. DROP
4. …
Extensible
Vendor-implementedProgrammabile logic
Pre-implemented matching engine
A. Capone & C. Cascone: SDN tutorial 79
79. Background: Port Knocking firewall
knock «code»: 5123, 6234, 7345, 8456
IPsrc=1.2.3.4 Port=5123 Drop(); 1.2.3.4 1° knock OK
IPsrc=1.2.3.4 Port=6234 Drop(); 1.2.3.4 2° knock OK
IPsrc=1.2.3.4 Port=7345 Drop(); 1.2.3.4 3° knock OK
IPsrc=1.2.3.4 Port=8456 Drop(); 1.2.3.4 OPEN port SSH
IPsrc=1.2.3.4 Port=22 Forward()
A. Capone & C. Cascone: SDN tutorial 80
80. Port Knocking @ controller
IPsrc=any Port=any
DROP
controller
Encapsulate & forward
ALL packets of ALL flows
IPsrc=any Port=any
Maintain Knock state per flow
When knock sequence
finalized, add entry
<Ipsrc, port=22; forward>
Lots of overhead!!
Needed as no «knock» state handled in switch
A. Capone & C. Cascone: SDN tutorial 81
81. «Abstract» description for port
knocking: Mealy Machine
DEFAULT Stage 1 Stage 2 Stage 3 OPEN
Port=6234
Drop()
Port!=6234
Drop()
Port!=5123
Drop()
Port=5123
Drop()
Port=7345
Drop()
Port=8456
Drop()
Port!=7345
Drop()
Port!=8456
Drop()
Port=22
Forward()
Port!=22
Drop()
A. Capone & C. Cascone: SDN tutorial 82
82. Can transform in a flow table? Yes:
MATCH: <state, port> ACTION: <drop/forward, state_transition>
Plus a state lookup/update
state event
DEFAULT
STAGE-1
Port=5123
Port=6234
STAGE-2
STAGE-3
Port=7345
Port=8456
OPEN Port=22
OPEN
*
Port=*
Port=*
Match fields Actions
action Next-state
drop
drop
STAGE-1
STAGE-2
drop
drop
STAGE-3
OPEN
forward OPEN
drop
drop
OPEN
DEFAULT
IPsrc Port
Metadata:
State-label
State DB
State DB
IpsrcOPEN
Ipsrc: ??
A. Capone & C. Cascone: SDN tutorial 83
83. Putting all together
Flow key state
IPsrc= … …
Ipsrc= … …
… … …
… … …
IPsrc=1.2.3.4
IPsrc=5.6.7.8
STAGE-3
OPEN
IPsrc= no match DEFAULT
IPsrc= … …
State Table
… … …
IPsrc=1.2.3.4 Port=8456
1) State lookup
state event
DEFAULT
STAGE-1
Port=5123
Port=6234
STAGE-2
STAGE-3
Port=7345
Port=8456
OPEN Port=22
OPEN
*
Port=*
Port=*
XFSM Table
Match fields Actions
action Next-state
drop
drop
STAGE-1
STAGE-2
drop
drop
STAGE-3
OPEN
forward OPEN
drop
drop
OPEN
DEFAULT
IPsrc=1.2.3.4 Port=8456STAGE-3
2) XFSM state transition
IPsrc=1.2.3.4 Port=8456
OPEN
3) State update
write
Write: OPEN
1 «program» XFSM table for all flows
(same knocking sequence)
N states, one per (active) flow
A. Capone & C. Cascone: SDN tutorial 84
84. Proof of concept
• SW implementation:
– Trivial modifications to SoftSwitch
– Public domain
• HW implementation:
– 5 clock (2 SRAM read + 2 TCAM + 1 SRAM write)
– 10 Gbps just requires 156 MHz clock TCAM, trivial
– Optimization in progress (pipelining) for 100 Gbps.
A. Capone & C. Cascone: SDN tutorial 85
85. Cross-flow state handling
MACdst MACsrc
Flow key state
48 bit MAC addr Port #
lookup
State Table
MACdst MACsrc
Flow key state
48 bit MAC addr Port #
update
State Table
state event
Port# *
action Next-state
forward In-port
XFSM Table
DIFFERENT lookup/update scope
Field 1 Field 2 Field N
Flowkey selector Read/write signal
• Yes but what about MAC learning, multi-port protocols
(e.g., FTP), bidirectional flow handling, etc?
A. Capone & C. Cascone: SDN tutorial 86
86. Current challenge
Prove programmability of complex functions
DONE:
• Port Knocking
• MAC learning
• Label/address
advertisement learning
• Reverse Path Forwarding
• Flow-consistent Load
Balancing
• DDoS multi-stage flow
marking
• …
Our challenge: towards an open «flow processor»?
CHALLENGE:
IDS/DPI
TCP flow processing
Monitoring
…
Need new «actions»
Need extra logic (full XFSM)
A. Capone & C. Cascone: SDN tutorial 87
All (!) otherwise not possible without
explicit controller’s involvement or
custom distrib. control…
87. Aftermath
• Control intelligence in devices seems possible
– Via Platform-independent abstraction
– Retaining high speed & scalability
– As «small» OpenFlow extension (?!)
• TCAM as «State Machine processor»
– Now Mealy Machines
– Currently working on full XFSM extension
• Rethinking control-data plane SDN
separation?
– Control = Decide! Not decide+enforce!
A. Capone & C. Cascone: SDN tutorial 88
88. Applied smartness:
stateful applications
There are science and the applications of science,
bound together as the fruit of the tree which bears it.
[Louis Pasteur]
A. Capone & C. Cascone: SDN tutorial 89
89. Forwarding Consistency
• Ensure consistency in forwarding decisions for
packets of a same transport layer flow
A. Capone & C. Cascone: SDN tutorial 90
Example: LAG @Internet Exchange Point
Example: Server
Load Balancer
90. Fault Tolerance
A. Capone & C. Cascone: SDN tutorial 91
• OpenFlow
Fast failover: local
reroute based on port
states (Group table)
But what if a local
reroute in not
available ???
93. Forwarding Consistency
• Ensure consistency in forwarding decisions for
packets of a same transport layer flow
A. Capone & C. Cascone: SDN tutorial 94
Example: LAG @Internet Exchange Point
Example: Server
Load Balancer
94. Forwarding Consistency
A. Capone & C. Cascone: SDN tutorial 95
One to Many:
Intra-flow state handling
Many to One:
Cross-flow state handling
Many to Many:
Inter-stage cross-flow state
handling
95. Forwarding Consistency: One to Many
A. Capone & C. Cascone: SDN tutorial 96
The first packet of a TCP connection coming from the input port
is sent to one of many possible output ports.
All the next packets of the same TCP connection must be
forwarded on the same selected port.
96. Forwarding Consistency: One to Many
A. Capone & C. Cascone: SDN tutorial 97
OpenFlow solution: the controller is in charge of states management.
controller
First packet of each new TCP connection is sent to the controller
in order to:
-select an output port (e.g. randomly) and forward the packet
-install a flow entry for subsequent packets
97. Forwarding Consistency: One to Many
A. Capone & C. Cascone: SDN tutorial 98
Controller is not involved!
OpenState solution:
the switch itself handles connection’s state.
A flow is identified by [IP_SRC,IP_DST,TCP_SRC,TCP_DST]
FLOW STATE: output port
First packet of each new TCP connection is sent to the
Group Table in order to:
• select an output port randomly
• store the selected port in the State Table for subsequent
packets
98. # action Next-state
Flow key State
State Table
IP_src=10.0.0.1
1) State lookup
state event
DEF.
1
In-port=1
In-port=1
2
3
In-port=1
In-port=1
* In-port=2
*
*
In-port=3
In-port=4
XFSM Table
Match fields Actions
action
Group(1)
Forward(2)
Forward(3)
Forward(4)
Forward(1)
Forward(1)
Forward(1)
2) XFSM state transition
2
4) State update
write
• In this case the state is set in the group table
• Random Group Entry
Lookup Scope: IP_src, IP_dst, TCP_src,TCP_dst
Update Scope: IP_src, IP_dst, TCP_src,TCP_dst
IP_dst=10.0.0.2 TCP_src=2500 TCP_dst=80
IP_src=10.0.0.1 IP_dst=10.0.0.2 TCP_src=1000 TCP_dst=80
… … … … … … … …
IP_src=10.0.0.1 IP_dst=10.0.0.2 TCP_src=3000 TCP_dst=80
* * * *
1
… …
3
DEFAULT
IP_src=10.0.0.1 IP_dst=10.0.0.2 TCP_src=2500 TCP_dst=80DEFAULT
Group Entry Buckets
Entry 1
Forward(2) 1
Forward(3) 2
Forward(4) 3
Group Table
IP_dst=10.0.0.2IP_src=10.0.0.1 TCP_src=2500 TCP_src=80 2
IP_src=10.0.0.1 IP_dst=10.0.0.2 TCP_src=2500 TCP_dst=80
Forwarding Consistency: One to Many
A. Capone & C. Cascone: SDN tutorial 99
99. Forwarding Consistency: Many to One
A. Capone & C. Cascone: SDN tutorial 100
Forwarding consistency must be ensured according to packets
received in the reverse direction.
The first packet of a TCP connection coming from one of the
many input ports is forwarded on the only output port.
All packets of the reverse flow of the same TCP connection
must be forwarded on the same ingress port.
100. Forwarding Consistency: Many to One
A. Capone & C. Cascone: SDN tutorial 101
OpenFlow solution:
the controller is in charge of states management.
controller
First packet of each new TCP connection is sent to the controller
in order to:
-forward the packet
-install a flow entry for reverse flow’s packets
101. Forwarding Consistency: Many to One
A. Capone & C. Cascone: SDN tutorial 102
Cross-flow state
Controller is not involved!
OpenState solution:
the switch itself handles connection’s state.
First packet of each new TCP connection is forwarded and the
input port is stored to forward response packets
A flow is identified by [IP_SRC,IP_DST,TCP_SRC,TCP_DST]
FLOW STATE: input port
102. Next-stateaction
Flow key State
State Table
IP_dst=10.0.0.100
1) State lookup
state event
1
2
In-port=4
In-port=4
3
*
In-port=4
In-port=1
* In-port=2
* In-port=3
XFSM Table
Match fields Actions
Forward(1)
Forward(2)
Forward(3)
Forward(4)
Forward(4)
Forward(4)
2) XFSM state transition
1
3) State update
write
Communication Host -> Server
Lookup Scope: IP_src, IP_dst,TCP_src,TCP_dst
Update Scope: IP_dst,IP_src,TCP_dst,TCP_src
IP_src=10.0.0.1 TCP_src=2500 TCP_dst=80
IP_dst=10.0.0.2IP_src=10.0.0.200 TCP_src=80 TCP_dst=1000
… …… … … … … …
… …… … … … … …
** * *
2
… …
… …
DEFAULT
IP_src=10.0.0.1 IP_dst=10.0.0.100 TCP_src=2500 TCP_dst=80DEFAULT
IP_src=10.0.0.100 IP_dst=10.0.0.1 TCP_src=80 TCP_dst=2500 1 -
-
-
1
2
3
IP_dst=10.0.0.100IP_src=10.0.0.1
TCP_dst=2500TCP_src=80IP_src=10.0.0.100 IP_dst=10.0.0.1
TCP_src=2500 TCP_dst=80
DIFFERENT
lookup/update
scope
Forwarding Consistency: Many to One
A. Capone & C. Cascone: SDN tutorial 103
103. Communication Server -> Host
Lookup Scope: IP_src, IP_dst,TCP_src,TCP_dst
Update Scope: IP_dst,IP_src,TCP_dst,TCP_src
Next-stateaction
Flow key State
State Table
IP_src=10.0.0.100
1) State lookup
state event
1
2
In-port=4
In-port=4
3
*
In-port=4
In-port=1
* In-port=2
* In-port=3
XFSM Table
Match fields Actions
Forward(1)
Forward(2)
Forward(3)
Forward(4)
Forward(4)
Forward(4)
2) XFSM state transition
IP_dst=10.0.0.1 TCP_src=2500 TCP_dst=80
IP_dst=10.0.0.2IP_src=10.0.0.200 TCP_src=80 TCP_dst=1000
IP_dst=10.0.0.1IP_src=10.0.0.100 TCP_scr=80 TCP_dst=2500
… …… … … … … …
** * *
2
1
… …
DEFAULT
IP_src=10.0.0.1 IP_dst=10.0.0.100 TCP_src=2500 TCP_dst=801
-
-
-
1
2
3
Forwarding Consistency: Many to One
A. Capone & C. Cascone: SDN tutorial 104
104. Combining the first two, we want here to load balance on the
output ports while doing reverse path forwarding on the input
port
Forwarding Consistency: Many to Many
A. Capone & C. Cascone: SDN tutorial 105
The first packet of a TCP connection coming from one of the many input ports is
forwarded to one of many possible output ports.
All the next packets of the same TCP connection must be forwarded on the same
selected output port, while all packets of the reverse flow of the same TCP
connection must be forwarded on the same ingress port.
105. OpenState solution
A flow is identified by [IP_SRC,IP_DST,TCP_SRC,TCP_DST]
Two states are needed for each bidirectional flow:
FLOW STATE 1: output port
FLOW STATE 2: input port
For each first packet of each new TCP connection:
• packet is forwarded to a random output port
• the selected output port is stored in the State Table 0
• the input port is stored in the State Table 1
A. Capone & C. Cascone: SDN tutorial 106
Forwarding Consistency: Many to Many
106. # action Next-state
Flow key State
State Table (Stage 0)
1) State lookup
XFSM Table (Stage 0)
2) XFSM state transition
5
4) State update (Stage 0)
write
Lookup Scope: IP_src, IP_dst, TCP_src,TCP_dst
Update Scope: IP_src, IP_dst, TCP_src,TCP_dst
IP_src=10.0.0.3 IP_dst=10.0.0.100 TCP_src=1000 TCP_dst=80
… … … … … … … …
IP_src=10.0.0.2 IP_dst=10.0.0.100 TCP_src=3000 TCP_dst=80
* * * *
6
… …
4
DEFAULT
Group Entry Buckets
Entry 1
Forward(4) 4
Forward(5) 5
Forward(6) 6
Group Table
IP_dst=10.0.0.100IP_src=10.0.0.1 TCP_src=2500 5
IP_src=10.0.0.1 IP_dst=10.0.0.100 TCP_src=2500 TCP_dst=80
TCP_src=80
IP_src=10.0.0.1 IP_dst=10.0.0.100 TCP_src=2500 TCP_dst=80
IP_src=10.0.0.1 IP_dst=10.0.0.100 TCP_src=2500 TCP_dst=80DEFAULT
Next-stateactionstate event
DEF.
4
In-port=1
In-port=1
5
6
In-port=1
In-port=1
DEF. In-port=2
… …
Match fields Actions
Group(1)
Forward(4)
Forward(5)
Forward(6)
Group(1)
…
(1,stg_1)
-
-
-
(2,stg_1)
…
* In-port=4
*
*
In-port=5
In-port=6
Table(1)
Table(1)
Table(1)
-
-
-
A. Capone & C. Cascone: SDN tutorial 107
Forwarding Consistency: Many to Many
Communication Host -> Server
107. State Table (Stage 0)
IP_src=10.0.0.1
1) State lookup
XFSM Table (Stage 0)
2) XFSM state transition
Lookup Scope: IP_src, IP_dst, TCP_src,TCP_dst
Update Scope: IP_dst, IP_src, TCP_dst,TCP_src
IP_dst=10.0.0.100 TCP_src=2500 TCP_dst=80
IP_src=10.0.0.1 IP_dst=10.0.0.100 TCP_src=2500 TCP_dst=80DEFAULT
DIFFERENT lookup/update scope
1
5) State update (Stage 1) write
IP_dst=10.0.0.100IP_src=10.0.0.1
TCP_dst=2500TCP_src=80IP_src=10.0.0.100 IP_dst=10.0.0.1
TCP_src=2500 TCP_dst=80
State Table (Stage 1)
Flow key State
IP_src=10.0.0. IP_dst=10.0.0.100 TCP_src=1000 TCP_dst=80
IP_src=10.0.0.1 IP_dst=10.0.0.100 TCP_src=2500 TCP_src=80
IP_src=10.0.0.1 IP_dst=10.0.0.100 TCP_src=3000 TCP_dst=80
* * * *
6
5
4
DEFAULT
Flow key State
IP_dst=10.0.0.3IP_src=10.0.0.100 TCP_src=80 TCP_dst=1000
IP_dst=10.0.0.2IP_src=10.0.0.100 TCP_scr=80 TCP_dst=3000
… …… … … … … …
3
2
… …IP_src=10.0.0.100 IP_dst=10.0.0.1 TCP_src=80 TCP_dst=2500 1
Next-stateactionstate event
DEF.
4
In-port=1
In-port=1
5
6
In-port=1
In-port=1
DEF. In-port=2
… …
Match fields Actions
Group(1)
Forward(4)
Forward(5)
Forward(6)
Group(1)
…
(1,stg_1)
-
-
-
(2,stg_1)
…
* In-port=4
*
*
In-port=5
In-port=6
Table(1)
Table(1)
Table(1)
-
-
-
Communication Host -> Server
A. Capone & C. Cascone: SDN tutorial 108
Forwarding Consistency: Many to Many
109. Forwarding Consistency: Example Results
Results will show the average value of the
time required by 1000 TCP SYN packets to cross the switches at increasing rate.
A. Capone & C. Cascone: SDN tutorial 110
Switch: ofsoftswitch13; Controller: Ryu
One-to-Many
OpenFlow
ofsoftswitch13
OpenFlow
Open Vswitch
OpenState
ofsoftswitch13
Many-to-One
OpenFlow
ofsoftswitch13
OpenFlow
Open Vswitch
OpenState
ofsoftswitch13
Many-to-Many
OpenFlow
ofsoftswitch13
OpenFlow
Open Vswitch
OpenState
ofsoftswitch13
110. Fault Tolerance
• Ensure the network failure resiliency, quickly
readapting the routing after a failure
• Fundamental function in any network (telco
operators, data centers)
• Weak support in OpenFlow
A. Capone & C. Cascone: SDN tutorial 111
111. Fault Tolerance
A. Capone & C. Cascone: SDN tutorial 112
• OpenFlow
Fast failover: local
reroute based on port
states (Group table)
But what if a local
reroute in not
available ???
112. Fault Tolerance
controller
Obviously it is always possible to rely on the
controller to:
• forward the packet on the backup path
• install flow entries for the backup path
A. Capone & C. Cascone: SDN tutorial 113
• OpenFlow
113. Fault Tolerance in OpenState
With OpenState the switch itself can react to the fault
PKT
PKTTAG
Proposed solution:
Faults are signaled using the same data packets
Packets are tagged and sent back
Packets are sent back until matched against a node able
to respond to that fault
A. Capone & C. Cascone: SDN tutorial 114
114. Fault Tolerance
OpenState
• A DETOUR is enabled based on the specific failure without
constraints
• Backup paths can be pre-computed and installed by the
controller (traffic engineering and quality/congestion control)
• The controller is entitled to restore the primary path once the
fault has been resolved
A. Capone & C. Cascone: SDN tutorial 115
[CAP14] A. Capone, C. Cascone, A. Nguyen, B. Sansò, “Detour Planning for Fast and
Reliable Failure Recovery in SDN with OpenState”, available on ArXiv, Nov. 2014.
115. Fault Tolerance: Fault Reaction Example
PKTPKT PKTTAG PKTTAGPKTTAG PKTPKTTAGPKT
PKT
Redirect Node:
FLOW STATE = DEF
Detect Node:
GLOBAL REGISTERS = 0020 01
DEF 20
i
DEF 20
STATE
TRANSITION!
FLAG
SETUP
Fault_ID=20
TAG = FAULT_ID = 20TAG = STATE = 20
A. Capone & C. Cascone: SDN tutorial 116
OpenState
116. Fault Tolerance:
Example on larger network
Primary node19
13
17
16
15
Detect node
Forward-back node
Redirect node
Detour node
A. Capone & C. Cascone: SDN tutorial 117
117. Fault Tolerance: Example Results
A. Capone & C. Cascone: SDN tutorial 118
Numberofpacketslost
Ping rate (req/s)
OpenFlow (Ideal)
OpenFlow (Realistic)
OpenState (Ideal)
OpenState (Realistic)
Ideal case:
0ms failure detection
delay
Realistic case:
Switch embedded failure
detection mechanism
OpenState vs. OpenFlow
118. Thanks
OpenState: openstate-sdn.org
EU project BEBA – http://www.beba-project.eu
This slide-set is available on OpenState web site!
A. Capone & C. Cascone: SDN tutorial 119
Antonio Capone (antonio.capone@polimi.it)
Carmelo Cascone (carmelo.cascone@polimi.it)
Editor's Notes
Closed platform
HW, OS and apps usually proprietary and implemented by the same vendor
Interoperability trough standard protocols
Way too many standard too comply with…
The transition from IPv4 to IPv6, started more than a decade ago and still largely incomplete, bears witness to this challenge, while in fact IPv6 represented merely a protocol update.
Too simple
Lossy abstraction
Too simple
Lossy abstraction
Too simple
Lossy abstraction
Too simple
Lossy abstraction
The new group abstraction enables OpenFlow to represent a set of ports as a single entity for forwarding
packets. Different types of groups are provided, to represent different abstractions such as multicasting or
multipathing.
The new group abstraction enables OpenFlow to represent a set of ports as a single entity for forwarding
packets. Different types of groups are provided, to represent different abstractions such as multicasting or
multipathing.
The new group abstraction enables OpenFlow to represent a set of ports as a single entity for forwarding
packets. Different types of groups are provided, to represent different abstractions such as multicasting or
multipathing.
The new group abstraction enables OpenFlow to represent a set of ports as a single entity for forwarding
packets. Different types of groups are provided, to represent different abstractions such as multicasting or
multipathing.
The new group abstraction enables OpenFlow to represent a set of ports as a single entity for forwarding
packets. Different types of groups are provided, to represent different abstractions such as multicasting or
multipathing.
Type Length Value allow greater flexibility for the treatment of current and future
Protocols.
Experimentere extensions introduce dedicated fields and code points (assigned by ONF) for the implementation of extensions to the OpenFlow protocol