robust software defined
play

Robust Software Defined Networks Ravi Manghirmalani Ramesh - PowerPoint PPT Presentation

Mar 03, 2024 •544 likes •810 views

Experiences in Realizing Large Robust Software Defined Networks Ravi Manghirmalani Ramesh Subrahmaniam Controller Offload SDN mandates a split of control and forwarding plane The control and forwarding planes communicate through a TCP

  1. Experiences in Realizing Large Robust Software Defined Networks Ravi Manghirmalani Ramesh Subrahmaniam

  2. Controller Offload • SDN mandates a split of control and forwarding plane • The control and forwarding planes communicate through a TCP connection • Every lookup miss in the forwarding plane causes the controller and forwarding to exchange three messages - Packet-In Missed information to Controller - Flow-Mod Install a Rule in the forwarding table - Packet-Out Forward the packet to outgoing port • The rate of arrival of new flows will significantly impact this TCP connection • Applications like Firewall would cause an increased communication between the control and forwarding plane r Ericsson Internal | 2012-02-08 | Page 2

  3. Controller Offload • Our solution is to implement a shadow table that - supports flexible rules - allows switches to install rules without involving controller - allows switches to monitor sessions • New Message to Modify Shadow Table instead of the OpenFlow Table • Algorithm change: - Lookup Shadow Table in the case of OpenFlow Table miss - If Match in shadow table execute action - If Miss in shadow table send packet-in to controller r Ericsson Internal | 2012-02-08 | Page 3

  4. Controller Offload – Bridging (No Shadow Table) Messages: No Shadow Table C1 C1 1. Packet-In (Missed pkt from A) Learning Table in Controller 2. Flow mod 1: Add Eth Src B; Eth 1. Lookup Src A in Learning Table; If miss add A port C Dest *; Output Controller 2. Lookup Src B in Learning Table; If miss add B port D 3. Flow mod 2: Add Eth Src *; Eth Dest A; Output Port C 4. Packet-Out; Flood 5. Packet-In (Missed pkt from B) Flow mod 3 Packet-Out: Flood Flow mod 4 Packet-Out Flow mod: 1 Flow mod 2 6. Flow mod 3: Del Eth Src B; Eth Dest *; Output Controller 7. Flow mod 4: Add Eth Src *; Eth Dest B; Output Port D 8. Packet-Out: Eth Src B; Eth Dest A; Output Port C Packet-In Packet-In M Pkt – Dest B; Src A Pkt - Dest Brdcst; Src A Pkt - Src A; Dest Brdcst Host A Host A Pkt – Dest A; Src B Host B Host B C D D Pkt – Src B; Dest A Pkt – Dest A; Src B r Ericsson Internal | 2012-02-08 | Page 4

  5. Controller Offload – Bridging (With Shadow Table) Messages: With Shadow Table C1 1. Packet-In 2. Flow Mod (shadow) 1: Eth Src B; Eth Dest *; Output Local 3. Flow Mod 2(shadow): Eth Src *; Eth Dest A; Output Port C 4. Packet-Out: Flood M Packet-Out: Flood Flow Mod 2 Flow Mod 1 Packet-In M Pkt – Dest B; Src A Pkt – Dest: Brdcst; Src A Host A Pkt – Dest: A; Src B Host B Pkt – Dest B; Src A C D Learning Table in Switch 1. Lookup Src A in Learning Table; If miss add A port C 2. Lookup Src B in Learning Table; If miss add B port D Shadow Table Handler installs rule: Eth Src *; Dest B; Output Port D Shadow Table Handler forwards packet out of port C r Ericsson Internal | 2012-02-08 | Page 5

  6. Controller Offload – Session Monitoring (No Shadow Table) Messages: No Shadow Table FTP Client server negotiate Port 5001 on the control C1 channel (Port 21) for directory listing. 1. Packet-In The switch needs to open this port only (for security). 2. Flow Mod 1: IP Src IP1; IP Dst IP2; Depending on the number of commands new TCP Dst Port 21; TCP Src Port x; ports may be negotiated. 3. Flow Mod 2: IP Src IP2; IP Dst IP1; TCP Dst Port x; TCP Src Port 21; 4. Packet-Out M Flow mod 1 Packet-Out Flow mod 2 Packet-In M TCP SYN; Dst: Port 21; Src: Port x TCP SYN; Dst: Port 21; Src: Port x TCP SYN-ACK; Dst: Port x; Src Port 21 FTP Client FTP Server C D TCP ACK; Dst Port 21; Port x IP1 Dst port 21; Src Portx; PORT 5001 IP2 r Ericsson Internal | 2012-02-08 | Page 6

  7. Controller Offload – Session Monitoring (No Shadow Table) Method 1 M Packet-Out: Dst 5001; src 20 Flow Mod: Dst 20; Src 5002 Flow Mod: Dst 5002; Src 20 Flow Mod: Dst 20; Src 5001 Flow Mod: Dst 5001; Src 20 Packet-Out: Dst 5001; src 20 Packet-In Packet-In M TCP-SYN; Dst 5002; Src 20 TCP-SYN; Dst 5001; Src 20 FTP Client FTP Server Dst port 21; Src Portx; PORT 5002 Dst port 21; Src Portx; PORT 5001 C D Every new data channel port that is negotiated on the control channel will cause a miss in the OpenFlow table and hence 4 messages across the OpenFlow channel to the controller. r Ericsson Internal | 2012-02-08 | Page 7

  8. Controller Offload – Session Monitoring (No Shadow Table) Method 2 M M FTP Client FTP Server Dst port 21; Src Portx; PORT 5002 Dst port 21; Src Portx; PORT 5001 C D Every conversation packet on the control channel (port 21) is sent to the controller so that it can parse the PORT command and send a Flow mod to install flow rule for the matching data channel port r Ericsson Internal | 2012-02-08 | Page 8

  9. Controller Offload – Session Monitoring (With Shadow Table) Messages: With Shadow Table FTP Client server negotiate Port 5001 on the control C1 channel (Port 21) for directory listing. 1. Packet-In The switch needs to open this port only (for security). 2. Flow Mod Shadow: IP1, IP2, Action Depending on the number of commands new Output Local ports may be negotiated. Reg Exp: ¥b(PORT|port|PASV|pasv)¥b((25[0-5]|2[0- 4][0-9]|[01]?[0-9][0-9]?,){3}¥b(25[0-5]|2[0-4][0- 9]|[01]?[0-9][0-9]?)¥b M Flow mod 1 Packet-Out 3. Packet-Out Packet-In M TCP SYN; Dst: Port 21; Src: Port x TCP SYN; Dst: Port 21; Src: Port x TCP SYN-ACK; Dst: Port x; Src Port 21 FTP Client FTP Server C D TCP ACK; Dst Port 21; Port x IP1 Dst port 21; Src Portx; PORT 5001 IP2 r Ericsson Internal | 2012-02-08 | Page 9

  10. Controller Offload – Session Monitoring (With Shadow Table) Monitoring with Shadow Table If IP Src == Client IP and Dest IP == Server IP Or IP Src == Server IP and Dest IP == Client IP Trigger Regex Engine with ¥b(PORT|port|PASV|pasv)¥b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?,){3}¥b(25[0-5]|2[0-4][0-9]|[01]?[0- 9][0-9]?)¥b M M FTP Client FTP Server C D Dst port 21; Src Portx; PORT 5001 Dst port 21; Src Portx; PORT 5002 Every conversation packet on the control channel (port 21) is parsed by the regex engine with the expression passed to the shadow table in the switch It also installs rule for the data channel port being negotiated (both directions) Forwards the control channel packet to the client/server r Ericsson Internal | 2012-02-08 | Page 10

  11. Controller Offload – Flexible Rule Matching • OpenFlow does not support port/address ranges to be matched • Takes an inordinate number of rules to support all ports/addresses in a range. Should be done by enumerating the ports/addresses with a rule for every port/address combination • Port/Address ranges with certain ports/addresses to be excluded is even harder • Greatly increases controller to switch OpenFlow channel communication r Ericsson Internal | 2012-02-08 | Page 11

  12. Controller Offload – Flexible Rule Matching • The offload mechanism rules can be expressed by the key words range, list and exclude, ip, port, mac, source and dest • The rules with these keywords can be parsed into data structures to be implemented in the shadow table • These rules will optimize the number of rules in the OpenFlow table r Ericsson Internal | 2012-02-08 | Page 12

  13. Controller Offload – Flexible Rule Matching Rules such as the ones shown could be implemented very efficiently by using the shadow table mechanism. • a. Rule: source IP Dest IP Port range N1 to N2 exclude N, N1 < N < N2 Example: source 172.16.10.100 dest 171.16.23.1 dest port range 10 to 30 exclude port 20 • b. Rule: dest IP address Range A.B.C.0/24 to A.B.C.D/24 exclude A.B.C.P, 0 < P < D Example: source 172.16.10.0/24 to 172.16.10.20/24 exclude 172.16.10.2 source port 49200 dest port 50000 • c. Rule: list IP A.B.C.D, E.F.G.H, A1.B1.C1.D1 port list p1, p2, p3 Example: list ip 172.16.10.1, 172.16.10.3, 172.16.10.4 port list 22, 23, 24, 25 r Ericsson Internal | 2012-02-08 | Page 13

  14. Multiple Controllers • High degrees of Scale and reliability demand a cluster of controllers acting as one • Need to balance the Forwarding Element (FE) connection load between the multiple controllers • Need to re-balance connections in the case of controller failures • In some cases need to communicate the notion of Master controller to the FE r Ericsson Internal | 2012-02-08 | Page 14

  15. Multiple Controllers • Existing OpenFlow method to Reject Connection • No response to the ECHO_REQUEST message • This increases the time to converge on required information • The Forwarding Element has to implement logic to connect with the appropriate controller upon failures • Control Plane Load Balancing cannot be implemented r Ericsson Internal | 2012-02-08 | Page 15

  16. Multiple Controllers • One solution is to explicitly configure each Forwarding Element with the required information and this quickly devolves into a configuration nightmare • Our solution is to extend the OpenFlow with a simple reject message r Ericsson Internal | 2012-02-08 | Page 16

  17. Multiple Controllers – Redirect/Reject Connection C1 C1 C2 C2 IP1 IP2 IP2 FE r Ericsson Internal | 2012-02-08 | Page 17

  18. Multiple Peer Controllers – Load Balancing C1 C2 C3 r Ericsson Internal | 2012-02-08 | Page 18

  19. Multiple Controllers – Master Failure Master Master C2 C3 C1 Election Election Election r Ericsson Internal | 2012-02-08 | Page 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FlowGuard: Building Robust Firewalls for Software-Defined Networks Hongxin Hu , Wonkyu Han

FlowGuard: Building Robust Firewalls for Software-Defined Networks Hongxin Hu , Wonkyu Han

FlowGuard: Building Robust Firewalls for Software-Defined Networks Hongxin Hu , Wonkyu Han , Gail-Joon Ahn and Ziming Zhao HotSDN 2014 Outline Introduction Challenges for Building FW in SDN FlowGuard

303 views • 19 slides
software defined networking CS 6410 Fall 2017 Eric Campbell and Rolph Recto software defined

software defined networking CS 6410 Fall 2017 Eric Campbell and Rolph Recto software defined

software defined networking CS 6410 Fall 2017 Eric Campbell and Rolph Recto software defined networking software defined networking (OpenFlow, originally) Stanford computer scientist Nick McKeown and colleagues developed a standard called

1.13k views • 77 slides
Software Defined Radios RABC Conference Ottawa, 3 March 2004 www.crc.ca / rmsc Software Defined

Software Defined Radios RABC Conference Ottawa, 3 March 2004 www.crc.ca / rmsc Software Defined

Software Defined Radios RABC Conference Ottawa, 3 March 2004 www.crc.ca / rmsc Software Defined Radio A wireless system whose operating modes and parameters can be changed or augmented post- manufacturing, via software. Based on an

703 views • 22 slides
Networks in the Software Software Age Defined Clouds and Internet Ravinder Shergill of

Networks in the Software Software Age Defined Clouds and Internet Ravinder Shergill of

Networks in the Software Software Age Defined Clouds and Internet Ravinder Shergill of Things Principal Architect Technology Strategy, TELUS June 06, 2016 TELUS RESTRICTED Storyboard Generational changes via Software Defined

601 views • 18 slides
Software-Defined Network Exchanges (SDXs) and Software-Defined Infrastructure (SDI) Joe

Software-Defined Network Exchanges (SDXs) and Software-Defined Infrastructure (SDI) Joe

Software-Defined Network Exchanges (SDXs) and Software-Defined Infrastructure (SDI) Joe Mambretti, Director, (j-mambretti@northwestern.edu) International Center for Advanced Internet Research (www.icair.org) Northwestern University Director,

442 views • 23 slides
Intro &amp; Updates Ben Hilburn What is Software Radio? Defined by the IEEE P1900.1

Intro &amp; Updates Ben Hilburn What is Software Radio? Defined by the IEEE P1900.1

Intro &amp; Updates Ben Hilburn What is Software Radio? Defined by the IEEE P1900.1 Working Group and the WINNF: A radio in which some or all of the physical layer functions are software-defined. 2 What is Software Radio? Defined

714 views • 25 slides
Securing the Connected Car Eystein Stenberg CTO Mender.io The software defined car Assisted

Securing the Connected Car Eystein Stenberg CTO Mender.io The software defined car Assisted

Securing the Connected Car Eystein Stenberg CTO Mender.io The software defined car Assisted Electronics Telematics Infotainment Connected Autonomous driving Hardware enabled Software enabled Software defined 1990 2000 2010 2020

390 views • 23 slides
Software Defined VPNs S Konstantaras &amp; G Thessalonikefs stavros.konstantaras@os3.nl

Software Defined VPNs S Konstantaras &amp; G Thessalonikefs stavros.konstantaras@os3.nl

University of Amsterdam System and Network Engineering MSc July 3, 2014 Software Defined VPNs S Konstantaras &amp; G Thessalonikefs stavros.konstantaras@os3.nl george.thessalonikefs@os3.nl Background Software Defined Virtual Private

942 views • 34 slides
Software Defined Radio Ramsey Doany Texas State University Raise your hand if you have

Software Defined Radio Ramsey Doany Texas State University Raise your hand if you have

Software Defined Radio Ramsey Doany Texas State University Raise your hand if you have little/no background in communication Stop me and ask questions, please! Outline What is a Software Defined Radio? How is a Software Defined

1.53k views • 18 slides
MED: The Monitor-Emulator-Debugger for Software-Defined Networks Quanquan Zhi and Wei Xu

MED: The Monitor-Emulator-Debugger for Software-Defined Networks Quanquan Zhi and Wei Xu

MED: The Monitor-Emulator-Debugger for Software-Defined Networks Quanquan Zhi and Wei Xu Institute for Interdisciplinary Information Sciences Tsinghua University Software-Defined Networks (SDN): promises and challenges SDN will simplify

414 views • 25 slides
Virtex-7 FPGAs Target Software Virtex-7 FPGAs Target Software Defined Radio Applications Defined

Virtex-7 FPGAs Target Software Virtex-7 FPGAs Target Software Defined Radio Applications Defined

Virtex-7 FPGAs Target Software Virtex-7 FPGAs Target Software Defined Radio Applications Defined Radio Applications Rodger Hosking Rodger Hosking 1 Software Defined Radio Needs High-Performance Signal Processing DSP: filtering, FFTs,

859 views • 26 slides
(First) NSF AiTF Workshop on Algorithms for Software-Defined Networking Michael Dinitz Vyas

(First) NSF AiTF Workshop on Algorithms for Software-Defined Networking Michael Dinitz Vyas

Welcome! (First) NSF AiTF Workshop on Algorithms for Software-Defined Networking Michael Dinitz Vyas Sekar JHU CMU 1 Context for this workshop Software-defined Networking taking off! E.g., Google Software-defined WAN E.g.,

501 views • 9 slides
Layering, dynamics, optimization &amp; control in software defined networks Nikolai Matni

Layering, dynamics, optimization &amp; control in software defined networks Nikolai Matni

Layering, dynamics, optimization &amp; control in software defined networks Nikolai Matni Computing and Mathematical Sciences joint work with John Doyle (Caltech) and Kevin Tang (Cornell) Distributed optimal control &amp; software defined

591 views • 21 slides
Effective Topology Tampering Attacks and Defenses in Software- Defined Networks RICHARD

Effective Topology Tampering Attacks and Defenses in Software- Defined Networks RICHARD

Effective Topology Tampering Attacks and Defenses in Software- Defined Networks RICHARD SKOWYRA, LEI XU, GUOFEI GU, VEER DEDHIA, THOMAS HOBSON, HAMED OHKRAVI, JAMES LANDRY Software Defined Networks Allows controller to modify network

766 views • 29 slides
CompSci 514: Computer Networks Lecture 11: Software Defined Networking Xiaowei Yang 1

CompSci 514: Computer Networks Lecture 11: Software Defined Networking Xiaowei Yang 1

CompSci 514: Computer Networks Lecture 11: Software Defined Networking Xiaowei Yang 1 Overview Introducing SDN A real-world application of SDN Googles B4 netwok 2 Software Defined Networking Slides adapted from Mohammad

661 views • 50 slides
Defined Tableau Software is a software company headquartered in Seattle, Washington, which

Defined Tableau Software is a software company headquartered in Seattle, Washington, which

Defined Tableau Software is a software company headquartered in Seattle, Washington, which produces interactive data visualization products focused on business intelligence. Why are Companies and Academia Interested in Tableau? It is one of the

312 views • 7 slides
Financial modeling after the crisis a few thoughts David Lando Department of Finance, FRIC

Financial modeling after the crisis a few thoughts David Lando Department of Finance, FRIC

Financial modeling after the crisis a few thoughts David Lando Department of Finance, FRIC Copenhagen Business School Conference in honor of Niels Thygesen 5. December, 2014 1 Agenda Benchmark cases are (still) important

409 views • 13 slides
Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba 1-1-1 Tennodai, Tsukuba Ibaraki, 305-8573,

896 views • 58 slides
The Royal Bank of Scotland Group Q1 2012 Results 4 th May 2012 Important Information Certain

The Royal Bank of Scotland Group Q1 2012 Results 4 th May 2012 Important Information Certain

The Royal Bank of Scotland Group Q1 2012 Results 4 th May 2012 Important Information Certain sections in this document contain forward-looking statements as that term is defined in the United States Private Securities Litigation Reform Act

620 views • 26 slides
Computer Graphics (543) Lecture 5 (Part 2): Transformations (Rotations and Matrix Concatenation)

Computer Graphics (543) Lecture 5 (Part 2): Transformations (Rotations and Matrix Concatenation)

Computer Graphics (543) Lecture 5 (Part 2): Transformations (Rotations and Matrix Concatenation) Prof Emmanuel Agu Computer Science Dept. Worcester Polytechnic Institute (WPI) Recall: 3D Translation Translate: Move each vertex by same distance d

550 views • 29 slides
Chapter 11 h Addition Arithmetic Multiplication Building Blocks g Digital Processor

Chapter 11 h Addition Arithmetic Multiplication Building Blocks g Digital Processor

Digital IC-Design Overview Chapter 11 h Addition Arithmetic Multiplication Building Blocks g Digital Processor Example: Wave Digital Filter (WDF) IN Memory REG Coefficient Bus MULT ROM Address REG Read Input APU Control

797 views • 15 slides
Impact of qualitative management of feeding wood mix on the process and pulp quality Patrcia

Impact of qualitative management of feeding wood mix on the process and pulp quality Patrcia

Impact of Qualitative Management of Feeding Wood Mix on Process and Pulp Quality Impact of qualitative management of feeding wood mix on the process and pulp quality Patrcia Nunes Pignaton Patrcia Nunes Pignaton Francisco Costa Neto

273 views • 14 slides
Know Your Rights: Rental Housing and Eviction Prevention During COVID-19 Maine Equal Justice |

Know Your Rights: Rental Housing and Eviction Prevention During COVID-19 Maine Equal Justice |

Know Your Rights: Rental Housing and Eviction Prevention During COVID-19 Maine Equal Justice | Joby Thoyalil &amp; Rob Liscord Pine Tree Legal Assistance | Katie McGovern &amp; Michael Spalding Wednesday, May 13, 2020 | 9:30am-11am What

496 views • 36 slides
CFPBs Final Mortgage Regulations: Ability-to-Repay and Qualified Mortgage Rules November 4,

CFPBs Final Mortgage Regulations: Ability-to-Repay and Qualified Mortgage Rules November 4,

CFPBs Final Mortgage Regulations: Ability-to-Repay and Qualified Mortgage Rules November 4, 2013 E. Andrew Keeney, Esq. Kaufman &amp; Canoles, P.C. Ability-to-Repay and Qualified Mortgage Rules E. Andrew Keeney, Esq. Kaufman &amp;

255 views • 21 slides

More recommend