OpenStack approach to SDN by way of NFVAdvanced Network Service FrameworkIsaku Yamahata isaku.yamahata@intel.com

CloudOpen Japan May 22, 2014

2

Legal DisclaimersCopyright © 2014 Intel Corporation. All rights reserved

Intel, the Intel logo, Xeon, Atom, and QuickAssist are trademarks of Intel Corporation in the U.S. and/or other countries.

*Other names and brands may be claimed as the property of others.All products, computer systems, dates and figures specified are preliminary based on current expectations, and are subject to change without notice.Intel® Advanced Vector Extensions (Intel® AVX)* are designed to achieve higher throughput to certain integer and floating point operations. Due to varying processor power characteristics, utilizing AVX instructions may cause a) some parts to operate at less than the rated frequency and b) some parts with Intel® Turbo Boost Technology 2.0 to not achieve any or maximum turbo frequencies. Performance varies depending on hardware, software, and system configuration and you should consult your system manufacturer for more information.*Intel® Advanced Vector Extensions refers to Intel® AVX, Intel® AVX2 or Intel® AVX-512. For more information on Intel® Turbo Boost Technology 2.0, visit http://www.intel.com/go/turboNo computer system can provide absolute security. Requires an enabled Intel® processor, enabled chipset, firmware and/or software optimized to use the technologies. Consult your system manufacturer and/or software vendor for more information. No computer system can provide absolute security. Requires an Intel® Identity Protection Technology-enabled system, including an enabled Intel® processor, enabled chipset, firmware, software, and Intel integrated graphics (in some cases) and participating website/service. Intel assumes no liability for lost or stolen data and/or systems or any resulting damages. For more information, visit http://ipt.intel.com/. Consult your system manufacturer and/or software vendor for more information.No computer system can provide absolute security. Requires an enabled Intel® processor, enabled chipset, firmware, software and may require a subscription with a capable service provider (may not be available in all countries). Intel assumes no liability for lost or stolen data and/or systems or any other damages resulting thereof. Consult your system or service provider for availability and functionality.No computer system can provide absolute reliability, availability or serviceability. Requires an Intel® Xeon® processor E7-8800/4800/2800 v2 product families or Intel® Itanium® 9500 series-based system (or follow-on generations of either.) Built-in reliability features available on select Intel® processors may require additional software, hardware, services and/or an internet connection. Results may vary depending upon configuration. Consult your system manufacturer for more details.For systems also featuring Resilient System Technologies: No computer system can provide absolute reliability, availability or serviceability. Requires an Intel® Run Sure Technology-enabled system, including an enabled Intel processor and enabled technology(ies). Built-in reliability features available on select Intel® processors may require additional software, hardware, services and/or an Internet connection. Results may vary depending upon configuration. Consult your system manufacturer for more details. For systems also featuring Resilient Memory Technologies: No computer system can provide absolute reliability, availability or serviceability. Requires an Intel® Run Sure Technology-enabled system, including an enabled Intel® processor and enabled technology(ies). built-in reliability features available on select Intel® processors may require additional software, hardware, services and/or an Internet connection. Results may vary depending upon configuration. Consult your system manufacturer for more details.The original equipment manufacturer must provide TPM functionality, which requires a TPM-supported BIOS. TPM functionality must be initialized and may not be available in all countries.Requires a system with Intel® Turbo Boost Technology. Intel Turbo Boost Technology and Intel Turbo Boost Technology 2.0 are only available on select Intel® processors. Consult your system manufacturer. Performance varies depending on hardware, software, and system configuration. For more information, visit http://www.intel.com/go/turboIntel® Virtualization Technology requires a computer system with an enabled Intel® processor, BIOS, and virtual machine monitor (VMM). Functionality, performance or other benefits will vary depending on hardware and software configurations. Software applications may not be compatible with all operating systems. Consult your PC manufacturer. For more information, visit http://www.intel.com/go/virtualization

Agenda

Introduction: SDN, NFV and OpenStack

Advanced Network Service Framework(ANSF)

Status summary and future work

Questions

Introduction:SDN, NFV and OpenStack

SDN: Software Defined Networking

Making network programmable

Not a new idea

This time with openness and requirement

Packet forwarder

OS

feature feature

SDN

traditional

NFV: Network Function Virtualization

hardware

Virtual appliance

Virtualizing Network Appliance

Openstack Neutron

• Neutron networking

• Core service

• L2/L3 connectivity

• Advanced service

• Loadbalancer(LBaaS)

• Firewall(FWaaS)

• VPN(VPNaaS)

SDN and NFV

SDN NFV

Open InnovationOSS, OpenStack

NFV: VNF manager/orchestrator

• VNF: virtualized network function

• VNF manager/orchestrator: life cycle management

• There are missing building blocks for NFV in OpenStack

• One of the building blocks

gs_NFV002v010101p.pdf

Appliance provider: defining its own service

• Allow appliance provider to define its own service

• The service will be provided to user via openstack API

Cloud provider

Service provider(virtual appliance)

User

Register service

Provide service via openstack API

Advanced Network Service Framework(ANSF)How to add services to OpenStack

Goal of Advanced Network Service Framework

• Make it easy to define new service

• Provide an unified interface to Manage the lifecycle of VMs/services

• Thus lower the bar for appliance provider to integrate their appliance with OpenStack

• Life cycle management

• Side communication channel between vm/service and openstack

• Configuration of VM and services

Horizon

Nova

Heat

Advanced Network Service Framework

ServiceChaining

Services

FWaaSLBaaS…

VPNaaS

Neutron

REST API

REST API

Vender A Firewall

Vender BFirewall

Vender X Firewall

IPtablesFirewall

Create, Configure, Manage Services and Networks

Management NetworkTenant

YTenant

Z Tenant X Network

VM VM VMFWaaS LBaaS

Cloud Deployment

REST API

Block diagram

13

• Configure and Manage

• Common Network Services

• Plugin architecture

• Multi-vendor solutions

• Rest API

Architecture overview

14

Tenant networks

AgentService X

Tenant VMApp

ServiceVM

AgentService Y Tenant VM

DB

OpenStack mgmt network

Neutron Server

Service XVender A

agent

Service YVender B

agent

Relay RPC overSide communication channel

OpenStack mgmt. network is isolated from tenant networks

nova

novadriver

Device/servicemanager

Boot service VM

Vender Adriver

Service X

Vender Bdriver

Service Y

New

ServiceVM

horizon(GUI)

ANSF

DB

Communicating between service and openstack oslo.messaging proxy

agent

Neutron Server

driver

Service

Agent

ServiceVM

Security boundary

RPC

Side Communication Channel

Requirements and other solutions

• Service VM can’t be trusted

• The connection to the public network can’t be assumed

https://docs.google.com/presentation/d/1LTGm4msu-QadYdsRZM-Vp3_t_3-0l0iNRE_Tm_xsf-A/edit#slide=id.g339369fce_13

RPC with Marconi

• Marconi: MQ(Message Queue) service via RestAPI

• http proxy between openstack mgmt. and tenant network

• Inject contact points to VM

• Other use cases

• TripleO(Openstack on Openstack)

• Trove(Database as a Service)

RPC with Marconi

guest agent

VM

Compute node Network node

agent

agent

netns

Controller node

Neutronserver

AMQP

Service X

Data Network

Managementnetwork

Unix socket

Marconiserver

RestAPI

agent

Security with guest agent

guest agent X

VM

agent

agent

Controller node

Neutronserver

Marconi

guest agent Y

VM

ServiceVM

ServiceVM

Data Network Management network

DB

Neutron server

for agent X

Neutron serverFor agent Y

containmentProxy

Attack

Rest API

Status summary and Future workMoving out of Neutron

Status Summary

component status comment

VM/service mgmt Under patch review

Driver for device mgmt patch for nova driver To be posted for patch review

Driver for side communication channel

patch for RPC proxy Discussing in the community with Blueprint

Guest agent Work in progresspatch for LBaaS with haproxy

To be posted for patch reviewas reference implementation

GUI(horizon) Work in progress

22

Tacker: Service VM/Device Manager Project

• https://wiki.openstack.org/wiki/ServiceVM

• Provides unified interface to Neutron and other OpenStack projects.

• Becoming one project independent to Neutron

• Not specific to networking.

• Moving out of Neutron

• Many TODOs as this project has just started.

• Design discussions, Terminology, API/data model, etc…

Incubation Process Starting

Call to Action

• Just started

• Lots of opportunities for innovation

• Share your use cases

• Define Terminology

• Define API/data model

• Design discussion

• Contribute code

Jointhe

project!

Thank you

Questions?

Resource

https://wiki.openstack.org/wiki/Meetings/ServiceVM

https://wiki.openstack.org/wiki/Oslo/blueprints/message-proxy-server