Programmable Virtual Networks
From Network Slicing To Network Virtualization
Ali Al-Shabibi
Open Networking Laboratory
Outline
• Define FlowVisor
  – Its design goal
  – Its success
  – Its limitation
• Describe and define Network Virtualization
• Introduce OpenVirteX (formerly known as NetVisor), which provides programmable virtual networks
Why FlowVisor?
Good ideas rarely get deployed
Also require access to real world traffic
New services may require changes to switch software
Experimenters want to control the behaviour of their network
Evaluating new network services is hard
OK… Why is it hard?
Real Networks
Test beds
Current Virtualization à la FlowVisor
• Network Slice = Collection of sliced switches, links, and traffic or header space
• Each slice associated to a controller
• Transparent slicing, i.e., every slice believes it has full and sole control of the datapath
  – FV enforces traffic and slice isolation
Not a generalized virtualization
Great! What about real traffic?
• FlowVisor allows users to opt in to services in real time
  – Individual flows can be delegated to a slice by a user
  – Admins can add policy to slice dynamically
FlowVisor
Web Slice
VoIP Slice
Video Slice
All the rest
Sprinkle some resource limits
• Slicing resources includes:
  – Specifying the link bandwidth
  – Maximum number of forwarding rules
  – Fraction of switch CPU
FlowSpace: Which slice controls which packet?
Mapping Packets to Slices
FlowVisor: Where does it live?
• Sits between switches and controllers
• Speaks OpenFlow up and down.
• Acts like a proxy to switches and controllers
• Datapaths and controllers run unmodified
What kind of magic is this?
PacketIn from datapath
Who controls this packet?
Is this action allowed?
Message Handling - PacketIn
[Flowchart; layout lost in extraction. Boxes: PacketIn; Is LLDP?; Send to appropriate slice; Drop if controller is not connected; Extract match structure and match FlowSpace; Are actions allowed?; Send to slice; Log exception; Has packet been sent to a slice?; Insert a drop rule; Done. Edge labels: Yes, No, No match.]
Message Handling - FlowMod
[Flowchart; layout lost in extraction. Boxes: FlowMod; Slicing permitted?; Slice Actions; Send Error. Log exception; Extract match struct and intersect FlowSpace; For each intersection, rewrite original flowmod with flowspace info; Has slice permissions?; Zero rewrites?; Log exception; Done. Edge labels: Yes, No, Intersections, No Intersections.]
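The FlowMod handling above (check the slice's permissions, intersect the match with FlowSpace, rewrite the FlowMod once per intersection, reject it when no rewrite is left), as an added Python example that is not FlowVisor's own code. The FlowSpace entries, slice names, permission labels and the ordering of the checks are assumptions made for the illustration.

```python
# Added illustration: a simplified model of FlowMod slicing, not FlowVisor code.
# A match maps OpenFlow 1.0 field names to exact values; an absent field is a wildcard.
READ, WRITE = "read", "write"          # assumed permission labels

# Constructed FlowSpace: (match, {slice name: permissions})
FLOWSPACE = [
    ({"tp_dst": 80}, {"web": {READ, WRITE}}),
    ({"tp_dst": 5060}, {"voip": {READ, WRITE}}),
    ({"nw_proto": 17, "tp_dst": 554}, {"video": {READ, WRITE}, "web": {READ}}),
]

def intersect(a, b):
    """Return the match covering packets matched by both a and b, or None."""
    out = dict(a)
    for field, value in b.items():
        if field in out and out[field] != value:
            return None                # conflicting exact values: empty intersection
        out[field] = value
    return out

def slice_flowmod(slice_name, flowmod):
    """Rewrite one FlowMod into the FlowMods this slice is entitled to install."""
    rewrites = []
    for fs_match, owners in FLOWSPACE:
        if WRITE not in owners.get(slice_name, set()):
            continue                   # no write permission on this FlowSpace entry
        common = intersect(flowmod["match"], fs_match)
        if common is not None:
            # Same actions, but the match is narrowed to the slice's own header space.
            rewrites.append({**flowmod, "match": common})
    if not rewrites:
        # Zero rewrites: the controller gets an error instead of a rule.
        raise PermissionError(f"slice {slice_name!r}: FlowMod outside its FlowSpace")
    return rewrites

if __name__ == "__main__":
    # A fully wildcarded rule from the web slice is narrowed to port 80 only.
    print(slice_flowmod("web", {"match": {}, "actions": ["output:1"]}))
```

The isolation property to check is that a slice's wildcard rule never reaches the datapath unmodified: it is either narrowed to the slice's header space or rejected.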
FlowVisor Highlights
• Demonstrations:
  – Open Networking Summit ’12 and ’13
  – GENI GEC 9
  – Best demo at SIGCOMM ’09
• Deployments:
  – GENI
  – OFELIA
  – Stanford Production Network
  – In use at NEC and Ericsson labs, as well as other vendors
• 3 releases in the past year
  – 1.0 release downloaded over 70 times in one day
FlowVisor Downloaders: Release 1.0
• University Research: Georgia Tech, Rutgers, KSU, U of Wisconsin, U of Utah, Clemson
• R&E Networks: APNIC, BBN, NYSERNet, CENIC
• Commercial Network Ops: AT&T, Comcast, EarthLink, PSINet, RCN
• Vendors: Goldman Sachs, Cisco, Aruba, NEC, Ericsson
FlowVisor Summary
• FlowVisor introduces the concept of a network slice
• Not a complete virtualization solution.
• Originally designed to test new network services on production traffic
• But, it’s really only a Network Slicer!
FlowVisor provides network slicing but not a complete network virtualization.
What should Network Virtualization be?
• Conceptually introduces virtual network which is decoupled from physical network
• Should not change the abstractions we know and love of physical networks
• Should provide some new ones: Instantiation, deletion, service deployment, migration, etc.
At least what I think ;)
What is Network Virtualization?
MPLS, VRF, Overlays, TRILL, VLAN, VPN
None of these give you a virtual network
They merely virtualize one aspect of a network
Topology Virtualization
• Virtual links
• Virtual nodes
• Decoupled from physical network
Address Virtualization
• Virtual Addressing
• Maintain current abstractions
• Add some new ones
Policy Virtualization
• Who controls what?
• What guarantees are enforced?
Network Virtualization vs. Network Slicing
Say you want two networks with exactly the same properties.
Slicing
• Sorry, you can’t.
• You need to discriminate traffic of two networks with something other than the existing header bits
• Thus no address or complex topology virtualization
Network virtualization
• Virtual nets are completely independent
• Virtual nets are distinguished by the tenant id
• Complete address and topology virtualization
Virtualization: State of the Art
• Functionality implemented at the edge
• Use of tunneling techniques, such as STT, VXLAN, GRE
• Network core is not available for innovation
• Closed source controller controls the behaviour of the network
• Provides address and topology virtualization, but limited policy virtualization.
• Moreover, the topology looks like only one big switch
Big Switch Abstraction
[Figure labels: edge ports E1 to E6, SWITCH 1, SWITCH 2]
• A single switch greatly limits the flexibility of the network controller
• Cannot specify your own routing policy.
• What if you want a tree topology?
Current Virtualization vs OpenVirteX
Current Virtualization Solutions
• Networks are not programmable
• Functionality implemented at the edge
• Network core is not available for innovation
• Must provision tunnels to provide virtual topology
• Address virtualization provided by encapsulation
OpenVirteX
• Each virtual network is handed to a controller for programming.
• Edge & core available for innovation
• Entire physical topology may/can be exposed to the downstream controller.
• Address virtualization provided by remapping/rewriting header fields
• Both dataplanes and controllers can be used unmodified.
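Address virtualization by rewriting header fields, with virtual networks told apart by tenant id, shown as an added Python example that is not OpenVirteX code. The encoding (tenant id in the top 8 bits of the physical IPv4 address) and the class and method names are assumptions chosen for the illustration; the slides do not specify the scheme.

```python
# Added illustration: a constructed address-remapping scheme, not OpenVirteX code.
import ipaddress

TENANT_BITS = 8                        # assumed: tenant id in the top 8 bits
HOST_BITS = 32 - TENANT_BITS

class EdgeMapper:
    """Maps (tenant id, virtual IP) <-> a unique physical IP at the network edge."""

    def __init__(self):
        self._to_phys = {}             # (tenant, virtual ip) -> physical ip
        self._to_virt = {}             # physical ip -> (tenant, virtual ip)
        self._next_host = {}           # tenant -> next free host index

    def ingress(self, tenant, virtual_ip):
        """Rewrite a tenant's virtual address to its physical one (allocated on first use)."""
        key = (tenant, ipaddress.IPv4Address(virtual_ip))
        if key not in self._to_phys:
            if not 0 < tenant < 2 ** TENANT_BITS:
                raise ValueError("tenant id out of range")
            host = self._next_host.get(tenant, 1)
            if host >= 2 ** HOST_BITS:
                raise OverflowError("tenant address space exhausted")
            self._next_host[tenant] = host + 1
            phys = ipaddress.IPv4Address((tenant << HOST_BITS) | host)
            self._to_phys[key] = phys
            self._to_virt[phys] = key
        return self._to_phys[key]

    def egress(self, tenant, physical_ip):
        """Restore the virtual address; refuse packets that belong to another tenant."""
        owner, virtual_ip = self._to_virt[ipaddress.IPv4Address(physical_ip)]
        if owner != tenant:
            raise PermissionError("physical address belongs to another tenant")
        return virtual_ip

if __name__ == "__main__":
    m = EdgeMapper()
    # Two tenants use the same virtual address without colliding in the core.
    print(m.ingress(1, "10.0.0.1"), m.ingress(2, "10.0.0.1"))
```

Two tenants can both use 10.0.0.1 because the core only ever sees the rewritten addresses, which is what slicing on existing header bits cannot offer.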
OpenVirteX
All problems in computer science can be solved by another level of indirection. - David Wheeler
OpenVirteX
Ultimate Goal
OpenVirteX
Address Space Virtualisation
Control traffic address translation
Data traffic address mapping
Data traffic address translation
Topology Virtualization - Abstractions
• Expose physical topology to tenants
• Virtual link: collapse multi-hop path into one-hop link
• Approach is also valid for proactive rules
OpenVirteX
Abstractions (contd.)
• Virtual switch: collapse ports dispersed over network into a switch
• Big switch is virtual switch with all edge ports
• Use separate controller for each virtual switch
  – Allow OpenVirteX admin to control routing within virtual switch
[Figure labels: virtual, physical, virtual switch, edge ports, core ports, VM]
OpenVirteX: Interaction with the Real-World
[Figure labels: NetVisor, OpenVirteX]
OpenVirteX API Mapping to Quantum
[Figure labels: OpenStack Management System, Nova, Quantum, Other Components, Nova plugin, Quantum plugin, OpenVirteX, virtual switch, vSwitch, VM1, VM2, VM3, OpenFlow Physical Network]
OpenVirteX API Mapping to Quantum
OpenVirteX | Quantum
Create Network API | ✔
Attach Port API | ✔
Create vRouter API | ✔
Configure Topology API | Via the Router extension
High Level Features
• Support for more generalized network virtualization as opposed to slicing
– Address virtualization: use extra bits or clever use of tenant id in header
– Topology virtualization: on demand topology
• Integrate with cloud using OpenStack
– Via the Quantum plugin
• Support any OF 1.x version, simultaneously
• Support for scale, HA and security-features.
– Incorporate right building blocks from other OSS
Just finished implementing a prototype
Current Status
• Quick and dirty prototype implemented
• Provides Address space virtualisation/isolation
• Two topology abstractions:
  – Virtual Link
  – Virtual Switch
• Current implementation not intended to scale or provide any significant performance
  – It’s a proof of concept
Future Challenges
• Traffic engineering, e.g., load balancing
• Reliability, e.g., disjoint paths
• The above needs special attention when offering topology abstractions
  – They may even be severely impacted.
• Physical topology changes
• Tenant may ask for reconfiguration of virtual network
• Extremely challenging to get right
Conclusion
• FlowVisor 1.0 will continue to be supported
• OpenVirteX is still in the design phase
  – But our clear goal is to deliver programmable virtual networks.
• An initial proof of concept may be available in Q3 2013.
• Contributions to FlowVisor and OpenVirteX are greatly appreciated and welcomed.
Thanks!
Questions?