software defined vpns
play

Software Defined VPNs S Konstantaras & G Thessalonikefs - PowerPoint PPT Presentation

Mar 28, 2023 •593 likes •942 views

University of Amsterdam System and Network Engineering MSc July 3, 2014 Software Defined VPNs S Konstantaras & G Thessalonikefs stavros.konstantaras@os3.nl george.thessalonikefs@os3.nl Background Software Defined Virtual Private

  1. University of Amsterdam System and Network Engineering MSc July 3, 2014 Software Defined VPNs S Konstantaras & G Thessalonikefs stavros.konstantaras@os3.nl george.thessalonikefs@os3.nl

  2. Background Software Defined Virtual Private Networks Networking (SDN)  Logic separation of a physical infrastructure with complete traffic separation.  A modern flexible networking  Interconnects LANs which are concept separating the control located in different plane from the data plane. countries/continents.  A single entity governs the SDN A type of VPN technology is Virtual topology and applies local Private LAN Service (VPLS) which: policies.  Allows organizations to  A standardized open interface interconnect their local Ethernet (OpenFlow) allowing to combine networks in a scalable way . hardware from different vendors. Page  2

  3. Research Questions The main research question is the following:  How can VPLS be implemented efficiently by using the OpenFlow 1.3 switch specification interface? The main research question can be divided into the following sub-questions: – Can SDN be an underlay layer for building on-demand VPLS services? – Is SDN flexible enough to support at least a scalable, efficient and effective implementation of VPLS as existing solutions? Page  3

  4. Outline  Involved Technologies  Design part  Architecture analysis part  Optimizations and ideas  Conclusion Page  4

  5. MPLS/VPLS Architecture CUSTOMER A VPLS-B SITE 1 FIB CE PE PE VPLS-A CUSTOMER B PROVIDER’S SITE 2 FIB MPLS CORE PE FIB pseudowires CUSTOMER B (full mesh) VPLS-A SITE 1 CE CE CUSTOMER A VPLS-B SITE 2 Page  5 FIB: Forward Information Base

  6. MPLS Page  6 slide: Marijke Kaat

  7. SDN/VPLS Architecture OpenFlow Controller FIB CUSTOMER A VPLS-B SITE 1 OF CE switch VPLS-A CUSTOMER B PROVIDER’S SITE 2 SDN CORE OF links switch OF switch CUSTOMER B VPLS-A SITE 1 CE CE CUSTOMER A VPLS-B SITE 2 Page  7

  8. OpenFlow 1.3  Added support for MPLS – MPLS Label matching (ability to match more than one) – MPLS Label manipulation (push/pop/swap)  Group tables allow multiple actions per flow. – e.g. for packet A send to port 10 AND change VLAN_ID and send to port 3. Page  8

  9. SDN/VPLS vs MPLS/VPLS  Common OpenFlow switches replace PEs.  No full mesh required.  No pseudowires – No Signaling – No Label exchange  Centralized Controller in commodity server with: – Network topology knowledge – FIB Page  9

  10. Architecture requirements Each host can participate Each host can choose to Scalable and in many VPNs participate in any VPN Multi Domain simultaneously Host needs to label Unique information Avoid limitations its own traffic is required of VLAN tagging Combination of VLAN tagging MPLS labeling MAC + VLAN Page  10

  11. VPN representation  Each VPN is represented by a VPLS_ID (MPLS label).  Hosts define VPNs by VLAN (they are MPLS agnostic).  Therefore, 4K VPNs can be represented in an island and 1M can be represented globally. – A mapping is required between local VLAN ID and global VPLS ID per island. Page  11

  12. General Acknowledgements  Inside an island, a HOST is defined  VPLS_ID which is global and as a unique combination of MAC unique by representing VPN address + VLAN instances that can run simultaneously in the complete  Inside provider’s domain , a HOST is network. defined as a unique combination of MAC address + VPLS_ID  ISLAND_ID which is global and unique by representing the  A BROADCAST_MAC is defined as islands that participate in the a MAC address that is either the complete network. well-known Ethernet broadcast address or one of the easily recognizable Ethernet multicast addresses. Page  12

  13. Architecture entities • DE : Domain Edge device • D : Domain device • DBE: Domain Border Edge device • IE : Island Edge device Page  13

  14. 2 Different solutions Core Labeling Island Labeling  Islands are MPLS agnostic  Core is MAC agnostic  Uses 2 MPLS tags  Uses 1 MPLS tag – Destination information – Destination information (Unicast) – VPN information – VPN information (Broadcast)  All information is known to each  MAC Tables on both domain island and island controllers Page  14

  15. Core Labeling - Unicast 3 6 5 7 4 2 1 8 1: Host sends packet with VLAN_ID 5: DBE forwards packet to other domain 2: IE forwards packet to Domain 6: Controller calculates shortest path to 3: Controller calculates shortest path to destination DE and install flows destination DBE and install flows 7: DE pops MPLS tags and changes VLAN_ID 4: DE pushes ISLAND_ID + VPLS_ID 8: Host receives packet Page  15

  16. Island Labeling - Unicast 3 6 5 7 4 2 1 8 1: Host sends packet with VLAN_ID 5: DBE forwards packet to other domain 2: IE changes VLAN_ID, pushes 6: Controller calculates shortest path to ISLAND_ID and forwards to Domain destination DE and install flows 3: Controller calculates shortest path to 7: DE pops MPLS tag and forwards to island destination DBE and install flows 8: Host receives packet 4: DE forwards packets by ISLAND_ID Page  16

  17. Broadcast considerations  Broadcast traffic can not be blindly flooded to all ports – Traffic isolation is ignored and privacy is violated ! • Preconfiguration based on (PORT,VLAN) required – Split Horizon needed to avoid broadcast loops.  Broadcast traffic must be as minimum as possible at core – Multicast trees are needed to forward traffic only to corresponding islands. Page  17

  18. Core Labeling - Broadcast 3 6 5 7 4 7 2 1 8 1: Host sends packet with VLAN_ID 5: DBE forwards packet to other domain 2: IE forwards packet to VPN ports 6: Controller creates multicast tree to VPN 3: Controller creates multicast tree to VPN destination islands and install flows destination islands and install flows 7: DE pops MPLS tags and changes VLAN_ID 4: DE pushes BRCAST_TAG + VPLS_ID 8: Host receives packet Page  18

  19. Island Labeling - Broadcast 3 6 5 4 2 7 7 1 8 1: Host sends packet with VLAN_ID 5: DBE forwards packet to other domain 2: IE forwards packet to VPN host ports, 6: Controller creates multicast tree to VPN AND pushes VPLS_ID + send to domain destination islands and install flows 3: Controller creates multicast tree to VPN 7: IE pops MPLS tag and changes VLAN_ID destination islands and install flows 8: Host receives packet 4: DE forwards packets by VPLS_ID Page  19

  20. MAC Learning  Based on OpenFlow Packet In events in order to combine (source) MAC addresses with PORT + VLAN  Nevertheless , the ‘Unknown unicast’ problem exists: “ Response traffic from unknown hosts may match existing flows and the MAC learning mechanism is skipped. ” Solution “ Skip global flooding and introduce a new host discovery mechanism ”* *(Based on ForceMacLearning mechanism) Page  20

  21. Solving Unknown Unicast Page  21

  22. Solving Unknown Unicast Page  22

  23. Solving Unknown Unicast Page  23

  24. Solving Unknown Unicast - ForceMacLearning Page  24

  25. Solving Unknown Unicast - ForceMacLearning Page  25

  26. Solving Unknown Unicast - ForceMacLearning Page  26

  27. Architecture analysis – Scalability (1/2) Core labeling  Able to support up to 1 048 575 islands in total.  Requires two MPLS labels to operate Customer Island  Up to 4096 VPNs running simultaneously  Unicast Flows at the OF Switch increase linearly by the number of hosts  Broadcast Flows at the OF Switch increase by the combination of IN_PORT+VLAN ID Provider’s Domain  Up to 1 048 575 VPNs running simultaneously. All islands can participate in any 4096 VPNs  Unicast Flows at the DE switches increase linearly by the number of hosts  Broadcast Flows at the OF Switches increase by the combination of VPLS_ID + INPORT Page  27

  28. Architecture analysis – Scalability (2/2) Island labeling  Able to support up to 1 048 575 islands in total.  Requires one MPLS label to operate Customer Island  Up to 4096 VPNs running simultaneously  Unicast Flows at the OF Switch increase linearly by the number of hosts  Broadcast Flows at the OF Switch increase by the combination of IN_PORT+VLAN ID Provider’s Domain  Up to 1 048 575 VPNs running simultaneously. All islands can participate in any 4096 VPNs  Unicast Flows at the OF Switches increase linearly by the number of islands  Broadcast Flows at the OF Switches increase by the combination of VPLS_ID + INPORT Page  28

  29. Optimizations/Ideas – M-Domain Discovery Based on LLDP Introduce 3 sub-fields: type 127 Controller IP, Level and Domain ID Page  29

  30. Optimizations/Ideas – Aggregation at core (Unicast Multi Domain traffic) New MPLS tag Splitting MPLS TAG  Introduce Domain ID (20 bits)  Introduce Domain ID (8 bits) and and let each provider choose its let each provider choose its own own unique identifier. island identifiers.  Insert the Domain ID as an  Separate the MPLS Label at additional MPLS label at every Domain and Island Part: packet needing to exit Provider’s 150 40 = LABEL domain. 10010110 000000101000 = 614440  Install flows at the core pointing  MAX 256 Domains and 4096 to other provider domains. It will islands per Domain. aggregate all the traffic from any  Flows matching one MPLS VPN/Island. label. Page  30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC can be used with VPNs Identify areas where extensions to IPSEC could be useful Bryan Gleeson, Page-1 VPN Reference Model CE CE PE

352 views • 9 slides
software defined networking CS 6410 Fall 2017 Eric Campbell and Rolph Recto software defined

software defined networking CS 6410 Fall 2017 Eric Campbell and Rolph Recto software defined

software defined networking CS 6410 Fall 2017 Eric Campbell and Rolph Recto software defined networking software defined networking (OpenFlow, originally) Stanford computer scientist Nick McKeown and colleagues developed a standard called

1.13k views • 77 slides
Software Defined Radios RABC Conference Ottawa, 3 March 2004 www.crc.ca / rmsc Software Defined

Software Defined Radios RABC Conference Ottawa, 3 March 2004 www.crc.ca / rmsc Software Defined

Software Defined Radios RABC Conference Ottawa, 3 March 2004 www.crc.ca / rmsc Software Defined Radio A wireless system whose operating modes and parameters can be changed or augmented post- manufacturing, via software. Based on an

703 views • 22 slides
Networks in the Software Software Age Defined Clouds and Internet Ravinder Shergill of

Networks in the Software Software Age Defined Clouds and Internet Ravinder Shergill of

Networks in the Software Software Age Defined Clouds and Internet Ravinder Shergill of Things Principal Architect Technology Strategy, TELUS June 06, 2016 TELUS RESTRICTED Storyboard Generational changes via Software Defined

601 views • 18 slides
Software-Defined Network Exchanges (SDXs) and Software-Defined Infrastructure (SDI) Joe

Software-Defined Network Exchanges (SDXs) and Software-Defined Infrastructure (SDI) Joe

Software-Defined Network Exchanges (SDXs) and Software-Defined Infrastructure (SDI) Joe Mambretti, Director, (j-mambretti@northwestern.edu) International Center for Advanced Internet Research (www.icair.org) Northwestern University Director,

442 views • 23 slides
Intro & Updates Ben Hilburn What is Software Radio? Defined by the IEEE P1900.1

Intro & Updates Ben Hilburn What is Software Radio? Defined by the IEEE P1900.1

Intro & Updates Ben Hilburn What is Software Radio? Defined by the IEEE P1900.1 Working Group and the WINNF: A radio in which some or all of the physical layer functions are software-defined. 2 What is Software Radio? Defined

714 views • 25 slides
Securing the Connected Car Eystein Stenberg CTO Mender.io The software defined car Assisted

Securing the Connected Car Eystein Stenberg CTO Mender.io The software defined car Assisted

Securing the Connected Car Eystein Stenberg CTO Mender.io The software defined car Assisted Electronics Telematics Infotainment Connected Autonomous driving Hardware enabled Software enabled Software defined 1990 2000 2010 2020

390 views • 23 slides
Software Defined Radio Ramsey Doany Texas State University Raise your hand if you have

Software Defined Radio Ramsey Doany Texas State University Raise your hand if you have

Software Defined Radio Ramsey Doany Texas State University Raise your hand if you have little/no background in communication Stop me and ask questions, please! Outline What is a Software Defined Radio? How is a Software Defined

1.53k views • 18 slides
MED: The Monitor-Emulator-Debugger for Software-Defined Networks Quanquan Zhi and Wei Xu

MED: The Monitor-Emulator-Debugger for Software-Defined Networks Quanquan Zhi and Wei Xu

MED: The Monitor-Emulator-Debugger for Software-Defined Networks Quanquan Zhi and Wei Xu Institute for Interdisciplinary Information Sciences Tsinghua University Software-Defined Networks (SDN): promises and challenges SDN will simplify

414 views • 25 slides
Virtex-7 FPGAs Target Software Virtex-7 FPGAs Target Software Defined Radio Applications Defined

Virtex-7 FPGAs Target Software Virtex-7 FPGAs Target Software Defined Radio Applications Defined

Virtex-7 FPGAs Target Software Virtex-7 FPGAs Target Software Defined Radio Applications Defined Radio Applications Rodger Hosking Rodger Hosking 1 Software Defined Radio Needs High-Performance Signal Processing DSP: filtering, FFTs,

859 views • 26 slides
Virtual Private Networks Types of VPNs Tunneling Security Cmput 410 Presentations

Virtual Private Networks Types of VPNs Tunneling Security Cmput 410 Presentations

Virtual Private Networking Outline Introduction Virtual Private Networks Types of VPNs Tunneling Security Cmput 410 Presentations Encryption November 25 - 2004 Future of VPNs VPN - Definition a way to provide

595 views • 11 slides
(First) NSF AiTF Workshop on Algorithms for Software-Defined Networking Michael Dinitz Vyas

(First) NSF AiTF Workshop on Algorithms for Software-Defined Networking Michael Dinitz Vyas

Welcome! (First) NSF AiTF Workshop on Algorithms for Software-Defined Networking Michael Dinitz Vyas Sekar JHU CMU 1 Context for this workshop Software-defined Networking taking off! E.g., Google Software-defined WAN E.g.,

501 views • 9 slides
Effective Topology Tampering Attacks and Defenses in Software- Defined Networks RICHARD

Effective Topology Tampering Attacks and Defenses in Software- Defined Networks RICHARD

Effective Topology Tampering Attacks and Defenses in Software- Defined Networks RICHARD SKOWYRA, LEI XU, GUOFEI GU, VEER DEDHIA, THOMAS HOBSON, HAMED OHKRAVI, JAMES LANDRY Software Defined Networks Allows controller to modify network

766 views • 29 slides
Layering, dynamics, optimization & control in software defined networks Nikolai Matni

Layering, dynamics, optimization & control in software defined networks Nikolai Matni

Layering, dynamics, optimization & control in software defined networks Nikolai Matni Computing and Mathematical Sciences joint work with John Doyle (Caltech) and Kevin Tang (Cornell) Distributed optimal control & software defined

591 views • 21 slides
CompSci 514: Computer Networks Lecture 11: Software Defined Networking Xiaowei Yang 1

CompSci 514: Computer Networks Lecture 11: Software Defined Networking Xiaowei Yang 1

CompSci 514: Computer Networks Lecture 11: Software Defined Networking Xiaowei Yang 1 Overview Introducing SDN A real-world application of SDN Googles B4 netwok 2 Software Defined Networking Slides adapted from Mohammad

661 views • 50 slides
Defined Tableau Software is a software company headquartered in Seattle, Washington, which

Defined Tableau Software is a software company headquartered in Seattle, Washington, which

Defined Tableau Software is a software company headquartered in Seattle, Washington, which produces interactive data visualization products focused on business intelligence. Why are Companies and Academia Interested in Tableau? It is one of the

312 views • 7 slides
A node in MANET is not about a host. It is about a router! Depending on radio range, not all links

A node in MANET is not about a host. It is about a router! Depending on radio range, not all links

A type of network consisting of mobile nodes that communicate with each other using wireless links to fulfill the need for IP packet routing The operation of MANET can interwork with, but does not rely on, any existing communication

148 views • 10 slides
` Good Morning LAIA FOUNDERS Immigration Crusaders!!! Welcome to DAY 2 of your Training The

` Good Morning LAIA FOUNDERS Immigration Crusaders!!! Welcome to DAY 2 of your Training The

` Good Morning LAIA FOUNDERS Immigration Crusaders!!! Welcome to DAY 2 of your Training The Essentials of Immigration Document Preparation KEEPING FAMILIES TOGETHER Want to see how to earn 100K Plus in income as (( an Immigration

400 views • 20 slides
Conference 2017 Learning to Live with Windows 10 What weve learned at UVic Where the

Conference 2017 Learning to Live with Windows 10 What weve learned at UVic Where the

Conference 2017 Learning to Live with Windows 10 What weve learned at UVic Where the journey started Early adopters of Windows 10 in Fall 2015 Limited deployment in Spring 2016 with version 1511 Moved to Windows 10 on all

368 views • 20 slides
Park Naming Recommendations - Report Back Park Board Committee Meeting Monday, May 1, 2017

Park Naming Recommendations - Report Back Park Board Committee Meeting Monday, May 1, 2017

Park Naming Recommendations - Report Back Park Board Committee Meeting Monday, May 1, 2017 Purpose To review and respond to recommendations from the Park Naming Committee, for naming the following: The playing fields at the southeast

428 views • 25 slides
PeeringDB 2.0 Greg Hankins ghankins@peeringdb.com 23 - 27 May, 2016 RIPE 72, Copenhagen 1

PeeringDB 2.0 Greg Hankins ghankins@peeringdb.com 23 - 27 May, 2016 RIPE 72, Copenhagen 1

PeeringDB 2.0 Greg Hankins ghankins@peeringdb.com 23 - 27 May, 2016 RIPE 72, Copenhagen 1 Agenda PeeringDB 2.0 Membership and Governance Committees Sponsorship Information and Resources 23 - 27 May, 2016 RIPE 72,

613 views • 32 slides
Bridging Generations: How a Modern Mainframe Development Approach Can Help Maximize Productivity,

Bridging Generations: How a Modern Mainframe Development Approach Can Help Maximize Productivity,

Bridging Generations: How a Modern Mainframe Development Approach Can Help Maximize Productivity, Cost-Efficiency and IT and Business Agility Tyler Allman Compuware March 15, 2012 Session # 10573 Traditional IT Staff Novice Programmers

677 views • 21 slides
TkDND: a cross-platform dragndrop package Georgios Petasis Software and Knowledge

TkDND: a cross-platform dragndrop package Georgios Petasis Software and Knowledge

TkDND: a cross-platform dragndrop package Georgios Petasis Software and Knowledge Engineering Laboratory, Institute of Informatics and Telecommunications, National Centre for Scientific Research Demokritos, Athens, Greece

620 views • 18 slides
Python 3 Divya Pai Object Oriented Analysis and Design S Python: History S It was started

Python 3 Divya Pai Object Oriented Analysis and Design S Python: History S It was started

Python 3 Divya Pai Object Oriented Analysis and Design S Python: History S It was started in the late 80s, implementation started in 1989 S Version 2.0 on 16 th October ,2000 S Development shifts to a more transparent, community

876 views • 29 slides

More recommend