Sherwood,R.,etal.,”CantheProductionNetworkBetheTestbed?”Proc.ofthe9thUSENIXSymposiumonOSDI,2010Reference:[C+07]Cascadoetal.,“Ethane:TakingControloftheEnterprise,”ACMSIGCOMM‘07,37(4):69-74,Oct.2007

Advanced!Computer Networks

SlicingaNetworkWanttocreatevirtualnetworksfromslicesofphysicalnetworkEachvirtualnetworkforwardstrafficatlinespeed:noextraoverheadinpacketforwarding(dataplane),noextraoverheadintheforwardingrulespecifications(controlplane)Slicingisolatesbandwidth,switchCPU,andflowtableentriesbetweenvirtualnetworks

FlowVisorAssumessoftware-definednetworkwithseparatecontrolanddataplanes

BuiltonOpenFlowswitches:NCandswitchescommunicateusingOpenFlowprotocol

Providesnetworkslicingbyaddingalayerbetweenthecontrolanddataplanes

ExtraoverheadinthecommunicationbetweenanOpenFlowswitchandthecentralizedNC

[C+07]

Software-DefinedNetwork(SDN)CentralizedNetworkControl(NC)• monitorsandapprovesalltraffic• allowsforcompletepolicy-basedcontrolofthenetwork

• createsandpopulatesswitcheswithforwardingrules

• accesscontrolsbuiltin• networkunderstandsusers,hardware,topology,andpolicies

FlowSetupProcess1. UserAtriestoconnecttoUserB

2. UserA-to-UserB“flow”isn’tinSwitch1’sflowtable,sothepacketisqueuedandtheNC“notified”

3. NCeitherapprovesordeniesroute

4. Ifapproved,NCaddsanewruleintoSwitch1’sandSwitch2’sflowtablestoestablishaflowfromUserAtoUserB

[C+07]

SwitchforwardingcontrolledbyNC• communicateswithcontrolleroverasecurechannel• OpenFlowisanopenstandardNC-switchcommunicationprotocol

Assumesimple,off-the-shelfswitches• minimalon-boardlogic•  “flow”tablelookuponly• onlystoresactiveflows• nounderstandingofnetworktopology• noNATknowledge

• OpenFlowstandardspecifieslowestcommondenominatorhardwarefeaturesexposedtoNC’scontrol

SDNSwitchesandOpenFlow

FlowTableEntry �Type0OpenFlowSwitch

Switchport

MACsrc

MACdst

Ethtype

VLANID

IPsrc

IPdst

IPprot

TCPsport

TCPdport

Rule Action Stats

1.  Forwardpackettoport(s)2.  Encapsulateandforwardtocontroller3.  Droppacket4.  Sendtonormalprocessingpipeline

+mask

Packet+bytecounters

NetworkSliceDefinitionAnetworksliceisspecifiedintermsoftopology,bandwidth,switchCPUrate,forwardingtablequota,andthesetofflowsthattheslicecontrols

Traffichandledbyasliceisdefinedbybitpatternsinpacketheaders(flowspace)

Eachslicehasitsowncontrolplanethatdefineshowpacketsareforwardedandrewrittenintheslice,e.g.,Bob’sHTTPload-balancerslicespecifies:•  topology:encompassingthewebservers•  flowspace:comprisingflowswithport80

Slicesetupisdonemanuallyintheprototype

NetworkSliceImplementationFlowVisorinterceptsandrewritesOpenFlowmessagesbetweenNCandswitchestoenforcethat:• NC→ switch:•  forwardingrulesonlyapplytothetrafficandtopologyofthesliceandobserveresourcequota

•  rulesmayberewritten,e.g.,all traffic→port 80 all ports→ports in slice

•  switch→ NC:•  onlymessagesfromswitchesintheslice’stopologyareforwardedtoitsNC

•  port-relatedmessagesareprunedorrewrittensuchthatNConlyseesrelevantports

rulesmayberewrittentoapplyonlytoBob’strafficandtopology

FlowSpaceDefinitionFlowspacespecified(manually)asanorderedlistoftuplessimilartofirewallrules,example:

Bob’sHTTPload-balancernetwork:Allow: tcp-port: 80 and ip=Doug’sIP Allow: tcp-port: 80 and ip=Eric’sIP

Implications:

•  newHTTPflownotificationswithDoug’sorEric’sIPs(non-contiguousflowspace)areallsenttoBob’sNC

•  anyflowtableentriesBob’sNCtriestoaddaremodifiedtomatchonlyHTTPtrafficwithDoug’sorEric’sIPs

FlowSpaceDefinition

Alice’sproductionnetwork:Deny: tcp-port:80 and ip=Doug’sIP Deny: tcp-port:80 and ip=Eric’sIP Allow: all ;lowestpriorityrule

Implications:•  onlyOpenFlowmessagesnotintendedforBob’sNCareforwardedtotheproductionnetwork’sNC

•  theproductionnetwork’sNCisnotallowedtoaddanyforwardingentriesforHTTPtrafficwithDoug’sorEric’sIPs

ResourceIsolation

Bandwidthisolation:reliesonhardwarecapabilityexposedtoOpenFlowtoassignfractionallinkbandwidthtouser-createdqueueFlowtableentryisolation:limitthenumberofentriesperslice,musttakeintoaccountanyautomaticruleexpansion,e.g.,whentheruleappliestomultipleinputports

ResourceIsolationswitchCPUisolation:hardwarecapabilitiestoratelimitCPUusageareusuallynotexposedtoOpenFlow,insteadreliesonworkaround:•  ifnewflowarrivalsexceedssomethreshold,insertalowestpriority,time-limitedforwardingruletodropallpacketsmatchingtherule(e.g.,dropallHTTPspacketsnotbelongingtoexistingflows)

• manuallyratelimitNC’sOpenFlowrequeststoswitch

•  rewrites“slow-path”forwardingrulestoone-timeforwardingrule

• manuallytunetheaboveratelimitstoensuresufficientCPUforinternalbookkeeping

Scaling

FlowVisorscaleslinearlywithnewflowrate,numberofrules/slice,andnumberofslices

PerformanceOverheadFlowVisoraddsextraoverheadonlytoOpenFlowmessages:•  switch→NC:newflowmessages,affectsconnectionsetuplatency• NC→switch:portstatusrequests,mustberewrittentomatchtopology

Isolation

Hardwarebandwidthisolationworks

CPUisolationworkaroundworks

ratelimitingNCrequests cappingnewflowsetups

lowestprioritypacketdropruleinstantiated

. . .

DeploymentIssues

Incompatibilitieswithhardwarefeatures,e.g.,multiplephysicalinterfacesmappedintoonelogicalinterface

OpenFlowspanningtreedoesnotmatchunderlyingspanningtreeforloopdetection

DifferentOpenFlowmessageshavedifferentcostsandotherpracticalrealities

LimitationsPrototyperequiresalotofmanualsetup

OpenFlowdoesn’texposemanyhardwarecapabilities

FlowVisordoesn’tallowfordeeppacketinspectionandotherarbitrarypacketmodification,e.g.,payloadprocessing