Underneath OpenStack Quantum: Software Defined Networking with Open vSwitch

Thomas Graf Principal Software Engineer , Inc.

April 24, 2013

1 Thomas Graf Part One Why Open vSwitch?

Open vSwitch enables to become part of a Software Defined Networking architecture.

Application Application Application

Network

VM1 VM2 Switch Switch

Open vSwitch Switch

2 Thomas Graf Switched Networks

Switches learn from the network traffic they observe and decide independently.

Compute Node A Network Node B

Tenant Tenant Tenant Tenant Tenant Tenant 1 2 3 4 5 6

Bridge Bridge

L3 Agent

Switch 1

Switch 2 Switch 3

Peter Alice

3 Thomas Graf Dynamically update flow tables in a universal language.

In the Software Defined Networking architecture, the control and data planes are decoupled, network intelligence and state are logically centralized, and the underlying network infrastructure is abstracted from the applications.

Software-Defined Networking: The New Norm for Networks ONF White Paper April 13, 2012

4 Thomas Graf Software Defined Networking

A logically centralized controller decides what is best for the network based on a global view of the network.

Compute Node A Network Node B

Tenant Tenant Tenant Tenant Tenant Tenant 1 2 3 4 5 6

vSwitch 1 vSwitch 2

L3 Agent

Controller Switch 1 OpenFlow

Switch 2 Switch 3 Peter Alice

5 Thomas Graf Software Defined Networking An attempt to create a well-known API for applications of the Network that did not succeed yet. OpenDaylight on its way to make this happen.

Application Application Application

Network Operating System Open Interface (OpenFlow)

Switch Vendor X Virtual Switch B Virtual Switch A Switch Vendor Y

6 Thomas Graf OpenFlow

The Open Standard behind it.

Match on arbitrary Execute actions bits in packet ● Forward to port 1. (header) 2. ● Drop ● Send to controller ● Mangle packet OpenFlow enables networks to evolve, by giving a remote controller the power to modify the behavior of network devices, through a well-defined "forwarding instruction set". The growing OpenFlow ecosystem now includes routers, switches, virtual switches, and access points from a range of vendors.

7 Thomas Graf ONF Website OpenFlow Capable Devices

● Software Switches

● Open vSwitch, Cisco Nexus 1000V ● VMware vSphere, NEC Hyper-V, ... ● Hardware Switches

● Brocade, Cisco, HP, IBM, Juniper Networks, NEC, ... ● Switching ASICs

● Indigo – Open source firmware leveraging Ethernet switch ASICs to support up to 48x 10G ports ● Mellanox SwitchX-2 chip

8 Thomas Graf Is it production ready?

9 Thomas Graf Part Two Open vSwitch Open vSwitch is a virtual switch for providing network connectivity to virtual machines.

Controller Compute Node A Network Node B

O p Tenant Tenant Tenant w e Tenant Tenant Tenant

o w n l F o F 1 2 3

1 2 3 l n lo e F p w O n e

Compute Node A p O Open vSwitch Open vSwitch

L3 Agent

Hardware Switch

Alice Peter

10 Thomas Graf Open vSwitch Project

● Primarily used as a virtual switch for VMs

● Multi Platform (Linux, Microsoft, and Silicon)

● Developed by Nicira & Community

● Apache License (), GPL (Kernel)

● OpenFlow 1.1 + extensions

● Any netdevice (physical/virtual) can be added as uplink port

11 Thomas Graf How does it work?

Open vSwitch maintains a flow table that defines what to do with each flow.

Compute/Network Node

Tenant Tenant Tenant Tenant 1 2 3 n

Controller br-int Open vSwitch Flow table Quantum OVS Agent Patch ports Quantum L3 Agent Quantum DHCP Agent OpenFlow br-eth1 br-tun br-ext

eth1 eth0

To Network Node External Network

12 Thomas Graf Feature Fine Grained Flow Table Control ● Extensive flow matching capabilities

● Layer 1 – Tunnel ID, In Port, QoS priority, skb mark ● Layer 2 – MAC address, VLAN ID, Ethernet type ● Layer 3 – IPv4/IPv6 fields, ARP ● Layer 4 – TCP/UDP, ICMP, ND ● Possible chain of actions

● Output to port (port range, flood, mirror) ● Discard, Resubmit to table x ● Packet Mangling (Push/Pop VLAN header, TOS, ...) ● Send to controller, Learn

13 Thomas Graf Feature Security / L2 Segregation VLAN isolation enforces VLAN membership of a VM without the knowledge of the guest itself.

Compute Node

VLAN 1 VLAN 2 # ovs-vsctl add-port ovsbr port2 tag=10 VM1 VM2 VM3

Open vSwitch

Caveat: MAX(VLAN_ID) limited

14 Thomas Graf Feature Tunneling Tunneling provides isolation and reduces dependencies on the physical network.

Compute Node 1 Compute Node 2 Controller VNET 1 VNET 2 VNET 2 VNET 1

O p w e lo n VM1 VM2 VM3 F F VM4 VM5 VM6 n l e o p w O

Open vSwitch Open vSwitch

{ GRE | STT | VXLAN } Tunnel

Hardware Switch

15 Thomas Graf Feature Visibility Supports industry standard technology to monitor the use of a network. ●

● NetFlow

● Port Mirroring

● SPAN ● RSPAN ● ERSPAN

16 Thomas Graf Feature

● Uses existing Traffic Control Layer

● Policer (Ingress rate limiter) ● HTB, HFSC (Egress traffic classes) ● Controller (Open Flow) can select Traffic Class

Virtual Host VLAN 10 # ovs-vsctl set Interface port2 \ VM1 VM2 ingress_policing_rate=1000 1mbit

port1 port2 ovsbr

17 Thomas Graf Architecture

Management ovs-ofctl ovsdb-tool OpenFlow sFlow ovs-dpctl ovs-vsctl

(3) 2 upcall User space 5reinject vswitchd ovsdb

Netlink 4 6 Kernel Datapath Packet Processing Flow Table From NetDevice To NetDevice Management Workflow 1 7 Promiscuous Mode

18 Thomas Graf Modifying the Flow Table

Strip VLAN header of all packets from MAC address 11:22:33:44:55:66 and forward packet to port 1.

# ovs-ofctl add-flow ovsbr \ dl_src=11:22:33:44:55:66,actions=strip_vlan,output:1

# ovs-ofctl dump-flows ovsbr [...] cookie=0x0, duration=36.24s, table=0, n_packets=0, n_bytes=0, idle_age=36, dl_src=11:22:33:44:55:66 actions=strip_vlan,output:1

19 Thomas Graf Questions?

● Open vSwitch

● http://www.openvswitch.org/

● OpenFlow

● http://www.openflow.org/

● Open Networking Foundation

● http://www.opennetworking.org/

● sFlow

● http://www.sflow.org/

● Going with the Flow: Google’s Secret Switch to the Next Wave of Networking

● http://www.wired.com/wiredenterprise/2012/04/going-with-the-flow-google/

20 Thomas Graf