SLIDE 1 Segment routing in container networks
Ben de Graaff; supervisor: Marijke Kaat (SURFnet/UvA)
RP95
SLIDE 2 Best path (Background)
[Figure: traffic from A to B follows the single best path]
SLIDE 3 Arbitrary paths (Background)
[Figure: topology of nodes 1 to 5 between A and B; the chosen path is A > 1 > 4 > B]
SLIDE 4 Pure IPv6 (SRv6) (Background)
[Figure: the same topology with each node addressed by an IPv6 SID: 2000:A::, 2000:1::, 2000:2::, 2000:3::, 2000:4::, 2000:5::, 2000:B::; node 1 additionally carries the SIDs 2000:1::2, 2000:1::3 and 2000:1::A]
SLIDE 5 Container networks (Background)
[Figure: containers on a host connected to the Internet]
SLIDE 6 Platform independent (Background)
[Figure: LXC containers connected to the Internet]
SLIDE 7 Multi-tenancy (Background)
[Figure: containers of several tenants sharing one host's connection to the Internet]
SLIDE 8 Example: load balancer (Background)
[Figure: traffic from the Internet passes a transit policy and a load balancer (LB) before reaching the containers]
SLIDE 9 Research
- State of segment routing in IPv6
- Proof of concept: container networking
- Network functions
SLIDE 10 Network programming
[Figure: a packet from src follows src > 1 > 4 > dst through the topology of nodes 1 to 5; the remaining segment list shown at each hop is "1 4 dst" at src, "4 dst" after node 1 and "dst" after node 4]
SLIDE 11 Segment routing header
[Figure: SRH layout: the fixed header including the Segments Left field, the segment list Segment N ... Segment 0, followed by extensions]
SLIDE 12 Proof of concept
[Figure: host pipeline with two stages: validate policy, apply policy]
SLIDE 13 Multi-tenancy (Results)
[Figure: tenant containers reach the Internet through per-tenant segment IDs: 2000:A::1000:1, 2000:B::1000:2, 2000:C::1000:3, 2000:B::1000:1, 2000:B::1000:2, 2000:B::1000:3, 2000:C::1000:1, 2000:C::1000:3]
SLIDE 14 Container discovery/mobility (Results)
Routing opaque addresses (for example ::1:2:3:4, ::a:b:c:d)
[Figure: 1: inject SRH; 2: a network function (NF) computes the final hop from the topology; 3: deliver]
SLIDE 15 Implementation (Results)
Hardware/software
SLIDE 16 Linux kernel 4.10+ (Results)
- Basic routing/policy
- Limited extension support
- Implementation quirks…
SLIDE 17 SRv6 availability (Results)
Hardware: NCS 5500
Software: Vector Packet Processing (The Fast Data Project)
SLIDE 18 Technical stuff
Technical implementation
http://www.story-stick.net/event/here-be-dragons
SLIDE 19 Virtual topology (Results)
[Figure: VMs each running VPP; containers and a network function attach to the VPP instances]
SLIDE 20 eBPF (Results)
- Latest & greatest
- Process directly in kernel
- Fast, powerful
myprog.c + LLVM = bytecode ⇓ bpf() syscall ⇓ kernel network stack
SLIDE 21 eBPF (Results)
[Figure: an ingress eBPF program attached as a tc filter on eth0 and an egress eBPF program on the container's veth forward with bpf_redirect; a control app validates and applies policy; ✗ marks where non-conforming packets are dropped]
SLIDE 22 Linux do-it-yourself (Results)
Tun/tap, AF_PACKET, ip rule, iptables fwmark, PF_RING, ...
SLIDE 23 Linux do-it-yourself (Results)
[Figure: an ingress app on a tun device and an egress app on an AF_PACKET raw socket, steered with ip rule between eth0 and the container's veth; together they validate and apply policy]
SLIDE 24 Summary (Results)
[Figure: validate policy, apply policy]
SLIDE 25 Ingress policy enforcement? (Discussion)
[Figure: traffic from the Internet enters at eth0 and passes the ingress stage, a firewall (FW) and the egress stage before reaching the container's veth]
SLIDE 26 Future work
- Ingress path control
- Linux segment routing Netlink API
- Develop useful extensions
SLIDE 27 Conclusion
- Proof of concept: works
- SDN easy, at cost of overhead
- Hardware not strictly required
SLIDE 28 Related work
- Cisco, Bell Canada, Comcast, et al.: technical workshops at www.segment-routing.net
- NFV with SRv6, with SRH-unaware hosts (NetSoft 2017, presented today)
SLIDE 29 Segment routing in container networks
Segment routing is effective at enabling SDN and network functions between containers. However, it is not yet widely supported in hardware or software.
RP95
Check out the report for a full list of references: http://rp.delaat.net/2016-2017/p95/report.pdf
SLIDE 30
Backup slides
SLIDE 31 Security/RH0
- Enforce policy at network edges
- SIDs must be explicitly enabled
- HMAC: check at ingress
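To make slide 11's header layout and this slide's "SIDs must be explicitly enabled" rule concrete, here is an added Python example (not code from the presentation or the project) that encodes an SRH for the A > 1 > 4 > B path of slides 3 and 4, parses it with basic sanity checks, and steps a packet through SR endpoint behaviour, refusing any SID the node has not enabled. The field layout follows RFC 8754; the function names and the enabled-SID list are assumptions of this example.

```python
import ipaddress
import struct

SRH_ROUTING_TYPE = 4  # Routing Type assigned to the SRv6 SRH (RFC 8754)


def build_srh(path, next_header=59):
    """Encode an SRH for `path`, a list of SIDs in forwarding order.

    The segment list is stored reversed: Segment[0] is the final
    destination, Segment[N] the first hop, and Segments Left indexes
    the segment currently being forwarded to. 59 = IPv6 No Next Header.
    """
    segs = [ipaddress.IPv6Address(s) for s in reversed(path)]
    n = len(segs)
    # Hdr Ext Len counts 8-octet units after the first 8 octets;
    # each 128-bit SID occupies two of them.
    fixed = struct.pack("!BBBBBBH", next_header, 2 * n, SRH_ROUTING_TYPE,
                        n - 1, n - 1, 0, 0)  # Segments Left, Last Entry, Flags, Tag
    return fixed + b"".join(s.packed for s in segs)


def parse_srh(buf):
    """Decode the fixed header and segment list, rejecting malformed SRHs."""
    if len(buf) < 8:
        raise ValueError("SRH shorter than its fixed header")
    nh, ext_len, rtype, sl, last, _flags, _tag = struct.unpack("!BBBBBBH", buf[:8])
    if rtype != SRH_ROUTING_TYPE:
        raise ValueError("routing type %d is not an SRH" % rtype)
    if len(buf) < 8 + 8 * ext_len or ext_len < 2 * (last + 1):
        raise ValueError("segment list does not fit in the header")
    if sl > last:
        raise ValueError("Segments Left %d exceeds Last Entry %d" % (sl, last))
    segs = [ipaddress.IPv6Address(buf[8 + 16 * i:24 + 16 * i]) for i in range(last + 1)]
    return {"next_header": nh, "segments_left": sl, "segments": segs, "active": segs[sl]}


def process_at_endpoint(buf, enabled_sids):
    """Act as an SR endpoint for one packet: the active SID must be one this
    node has explicitly enabled (hypothetical allow-list), then Segments Left
    is decremented and the next SID becomes the new IPv6 destination.
    Returns (new_srh_bytes, new_destination)."""
    srh = parse_srh(buf)
    enabled = {ipaddress.IPv6Address(s) for s in enabled_sids}
    if srh["active"] not in enabled:
        raise PermissionError("SID %s is not enabled on this node" % srh["active"])
    if srh["segments_left"] == 0:
        return buf, str(srh["active"])  # last segment: deliver locally
    sl = srh["segments_left"] - 1
    return buf[:3] + bytes([sl]) + buf[4:], str(srh["segments"][sl])
```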
SLIDE 32 Simplify the network (Discussion)
- Remove protocols
- Remove state
https://xkcd.com/927/
SLIDE 33 MPLS (Background)
[Figure: the same topology of nodes 1 to 5 between A and B, with MPLS labels 101, 102, 111, 104, 103, 105, 110, 202, 203, 210]
No LDP or RSVP required
SLIDE 34 Multi-tenancy (Discussion)
- Layer 2 and 3 cross-connects
- Multi-tenancy: Segment ID or extension?