SDN Network Virtualization Practices
Jiann-Liang Chen, Department of Electrical Engineering, National Taiwan University of Science and Technology
Date: 2015/08/28
The 5th International Symposium on Network Virtualization (NV Symposium): Social impacts of softwarization and 5G networking
Materials... from Research Teams
Jiann-Liang Chen (National Taiwan University of Science & Technology, Taipei)
Tsung-Nan Lin (National Taiwan University, Taipei)
Ren-Hung Hwang (National Chung Cheng University, Chia-Yi)
Chu-Sing Yang (National Cheng Kung University, Tainan)
Partial Results… On-Going Projects
• Study on Hybrid SDN Networking for Cloud Computing (sponsor: MOST Taiwan)
• SDN-enabled Internet-of-Things Cloud Platform (sponsor: MOST Taiwan)
• Cloud Data Center Networking Techniques (sponsor: MOST Taiwan; PI: CCU Ren-Hung Hwang)
• Research on Identification of Devices and Application for Improving Security in SDN enabled IoT/Cloud System (sponsor: MOST Taiwan & JST Japan; International Joint Project with Prof. Nakao)
• LTE Small Cell SON Test Case Development (sponsor: ITRI Taiwan)
• SDN Test Case and Toolkit Development (sponsor: III Taiwan)
Outline
1. SDN Network Virtualization Techniques
2. Network Virtualization Applications
3. SDN Network Virtualization Practices
4. Summary
Software-Defined Networking
[Figure: the control plane is separated from the data plane; each switch runs an agent in its data plane that takes instructions from the centralized control plane.]
Packet Flow in SDN Switch
[Figure: the passage of a packet through an SDN switch, shown as numbered steps 1 to 5.]
Network Virtualization
[Figure: three layers, with the operations that connect them]
• Physical Infrastructure: infrastructure made of virtualizable network resources.
  → Virtualisation of resources
• Virtualised Substrate: collection of virtual resources, aggregated to build virtual networks.
  → Provisioning of virtual networks
• Virtual Networks: independent, isolated VNs, running different protocols, packet formats, management tools, etc.
  → Management of virtual networks
Source: “Network Virtualization: Opportunities and Challenges for Operators,” EURESCOM
Network Virtualization: FlowVisor Layer
• An experimental software-defined networking controller that enables network virtualization by slicing a physical network into multiple logical networks.
Virtual Tenant Network (VTN)
• An application that provides a multi-tenant virtual network on an SDN controller.
These two SDN virtualization technologies are discussed in turn.
FlowVisor Layer
[Figure: the OpenFlow/FlowVisor ecosystem]
• Controllers: NOX, Beacon, Trema, BigSwitch, Opendaylight
• Slicing software: FlowVisor, Expedient/Opt-in Mgr
• Applications: LAVI, ENVI (GUI), Aggregation, n-Casting
• OpenFlow switches: hardware/commercial switches (HP, NEC, Pronto, Juniper and many more) and software/test switches (OpenWRT, NetFPGA, PCEngine WiFi AP, OpenvSwitch, software reference switch)
• Monitoring/debugging tools: oflops, oftrace, openseer, ofmonitor
FlowVisor works as a transparent proxy between controllers and switches: it creates slices and partitions bandwidth and flow table resources among them.
FlowVisor Layer: Network Virtualization Platform
[Figure: FlowVisor sits between the SDN controller and the SDN network and virtualizes the network; Slice 1 … Slice N each serve Service 1 … Service N in isolation.]
Isolation dimensions: bandwidth, slice, FlowSpace.
Virtual Tenant Network (VTN)
[Figure: OpenDaylight layering: Network Applications, Orchestrations & Services; Controller Platform; Southbound Interface & Protocol Plugins; Data Plane Elements.]
Abstraction models enable the separation of the logical plane from the physical plane.
Source: https://wiki.opendaylight.org/view/Release/Helium/VTN/Developer_Guide
VTN Manager: Virtual Tenant Network
[Figure: VTN Manager runs on the SDN controller above the SDN network; VTN 1 … VTN N each serve Service 1 … Service N in isolation, governed by a network policy.]
• Offers virtual node features (such as a virtual vBridge mapping to a real switch port).
• End-to-end dynamic path control per VTN.
• The physical topology is not directly virtualized.
FlowVisor vs. VTN
[Figure: FlowVisor (translation unit, forwarding unit, resource allocation policy, slicing policies 1 … N) sits between the OpenFlow controller and the OpenFlow switch; VTN Manager runs on the OpenFlow controller above the switch.]
FlowVisor:
1. Intercept the OpenFlow messages from the controller.
2. Use the slicing policy.
3. Rewrite the flow entry.
VTN:
1. VTN Manager creates the VTN networks.
2. Map the virtual interfaces to the physical interfaces (methods: VLAN/Port/MAC mapping).
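As an added illustration of the three FlowVisor steps above (example code written for this page, not FlowVisor's implementation), the following Python models a slice's flowspace as VLAN, source-prefix and in-port constraints and shows how a controller's flow_mod match is passed unchanged, rewritten to its intersection with the slice, or rejected. The tenant slice and the four requests are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Added example, not FlowVisor's own code. A slice owns a flowspace (a set of
# match-field constraints); a controller's flow_mod match is accepted as-is when
# it lies inside the flowspace, narrowed (rewritten) when it only overlaps it,
# and rejected when the two are disjoint. Field names follow OpenFlow 1.0.

@dataclass(frozen=True)
class FlowSpace:
    dl_vlan: Optional[int] = None                      # None = wildcard
    nw_src: Optional[ipaddress.IPv4Network] = None     # None = wildcard
    in_ports: Optional[FrozenSet[int]] = None          # None = wildcard

def intersect(a: FlowSpace, b: FlowSpace) -> Optional[FlowSpace]:
    """Intersection of two flowspaces, or None when they are disjoint."""
    if a.dl_vlan is not None and b.dl_vlan is not None and a.dl_vlan != b.dl_vlan:
        return None
    vlan = a.dl_vlan if a.dl_vlan is not None else b.dl_vlan

    if a.nw_src is None or b.nw_src is None:
        net = a.nw_src if a.nw_src is not None else b.nw_src
    elif a.nw_src.subnet_of(b.nw_src):
        net = a.nw_src
    elif b.nw_src.subnet_of(a.nw_src):
        net = b.nw_src
    else:
        return None                        # two prefixes, neither contains the other

    if a.in_ports is None or b.in_ports is None:
        ports = a.in_ports if a.in_ports is not None else b.in_ports
    else:
        ports = a.in_ports & b.in_ports
        if not ports:
            return None
    return FlowSpace(vlan, net, ports)

def slice_flow_mod(slice_space: FlowSpace, requested: FlowSpace) -> Tuple[str, Optional[FlowSpace]]:
    """FlowVisor-style decision for one controller flow_mod match:
    ("pass", match) when it already lies inside the slice,
    ("rewrite", narrowed) when it only overlaps, ("reject", None) when disjoint."""
    common = intersect(slice_space, requested)
    if common is None:
        return "reject", None
    if common == requested:
        return "pass", requested
    return "rewrite", common

# Constructed slice: VLAN 10, sources inside 10.0.0.0/8, any in_port.
TENANT_SLICE = FlowSpace(dl_vlan=10, nw_src=ipaddress.ip_network("10.0.0.0/8"))

# Constructed flow_mod matches a tenant controller might send.
REQUESTS = {
    "inside": FlowSpace(dl_vlan=10, nw_src=ipaddress.ip_network("10.1.0.0/16"),
                        in_ports=frozenset({1})),
    "wildcard": FlowSpace(nw_src=ipaddress.ip_network("10.1.0.0/16")),   # VLAN left open
    "other_vlan": FlowSpace(dl_vlan=20),
    "other_net": FlowSpace(dl_vlan=10, nw_src=ipaddress.ip_network("192.168.0.0/16")),
}

def demo() -> Dict[str, str]:
    """Decision for every constructed request: pass / rewrite / reject."""
    return {name: slice_flow_mod(TENANT_SLICE, req)[0] for name, req in REQUESTS.items()}

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:>10}: {decision}")
```

The "wildcard" request shows the rewrite case: the controller did not specify a VLAN, so the proxy pins the flow entry to VLAN 10 before it reaches the switch, which is what keeps one tenant's rules out of another tenant's traffic.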
Section 2. Network Virtualization Applications
Network Virtualization Application (1): DPI Security
[Figure: traffic path through a device. Stateful Packet Inspection inspects the IP header (Version | Service | Total Length; ID | Flags | Fragment; TTL | Protocol | IP Checksum; Source IP Address; Destination IP Address; IP Options) and the UDP ports (Source UDP Port, Destination UDP Port). Deep Packet Inspection inspects all traffic moving through a device and compares it with a signature database.]
Signature database categories (number of signatures): ATTACK-RESPONSES 14, BACKDOOR 58, BAD-TRAFFIC 15, DDOS 33, DNS 19, DOS 18, EXPLOIT >35, FINGER 13, FTP 50, ICMP 115, Instant Messenger 25, IMAP 16, INFO 7, Miscellaneous 44, MS-SQL 24, MS-SQL/SMB 19, MULTIMEDIA 6, MYSQL 2, NETBIOS 25, NNTP 2, ORACLE 25, P2P 51, POLICY 21, POP2 4, POP3 18, RPC 124, RSERVICES 13, SCAN 25, SMTP 23, SNMP 17, TELNET 14, TFTP 9, VIRUS 3, WEB-ATTACKS 47, WEB-CGI 312, WEB-CLIENT
Network Virtualization Application (1): DPI Concept
[Figure: the same traffic path. Stateful Packet Inspection sees only the headers (IP header, Source/Destination UDP Port, UDP Length, UDP Checksum), while Deep Packet Inspection also reads the DATA field and compares it with the signature database.]
Deep Packet Inspection with Intrusion Prevention can find and block application vulnerabilities, worms or Trojans.
Comparing the traffic against the signature database: application attack, worm or Trojan found!
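An added example (not from the slides or any DPI product) that makes the distinction above concrete: the first function parses and validates the IPv4 and UDP header fields shown on the slide, which is all a stateful packet inspector looks at; the second also scans the payload against a small signature database whose category names borrow from the slide. The signatures and the packets are constructed inside the block.

```python
import socket
import struct
from typing import Dict, List, Tuple

# Added example, not code from the slides or any product. stateful_inspect()
# reads only the header fields named on the slide; deep_inspect() additionally
# scans the payload (the DATA field) against a signature database.
# Signatures, categories and packets below are constructed for this example.

SIGNATURES: Dict[str, List[bytes]] = {   # constructed; category names as on the slide
    "WEB-ATTACKS": [b"../../etc/passwd", b"<script>"],
    "VIRUS": [b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"],   # start of the EICAR test string
    "POLICY": [b"User-Agent: nmap"],
}

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum over the IPv4 header (checksum field included).
    A header with a correct checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test traffic: IPv4 header without options + UDP header + payload."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + udp

def stateful_inspect(pkt: bytes) -> Tuple[Dict[str, object], bytes]:
    """Header-only view: parse and validate IPv4 and UDP, return fields and payload."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP checksum")
    fields: Dict[str, object] = {
        "version": 4, "service": tos, "total_length": total_len, "id": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    body = pkt[ihl:total_len]
    if proto == 17 and len(body) >= 8:                     # UDP
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", body[:8])
        fields.update({"sport": sport, "dport": dport, "udp_length": ulen})
        return fields, body[8:ulen]
    return fields, body

def is_well_formed(pkt: bytes) -> bool:
    try:
        stateful_inspect(pkt)
        return True
    except (ValueError, struct.error):
        return False

def deep_inspect(pkt: bytes) -> Dict[str, object]:
    """Header checks first, then payload signature matching; verdict is block or pass."""
    fields, payload = stateful_inspect(pkt)
    hits = [(cat, sig) for cat, sigs in SIGNATURES.items() for sig in sigs if sig in payload]
    fields["matches"] = hits
    fields["verdict"] = "block" if hits else "pass"
    return fields

# Constructed packets: one carrying a directory-traversal request, one benign.
TRAVERSAL_PKT = build_udp_packet("192.0.2.10", "198.51.100.5", 40000, 8080,
                                 b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n")
BENIGN_PKT = build_udp_packet("192.0.2.10", "198.51.100.5", 40000, 53, b"hello")

if __name__ == "__main__":
    for p in (TRAVERSAL_PKT, BENIGN_PKT):
        r = deep_inspect(p)
        print(r["src"], "->", r["dst"], r["dport"], r["verdict"], r["matches"])
```

The checksum check matters for the stateful part: a header that fails it is discarded before any payload is examined, so the signature engine only ever sees packets the header parser has accepted.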
Network Virtualization Application (1): Security, DPI Implementation on NetFPGA
[Figure: DPI on NetFPGA.]
Network Virtualization Application (1): Security, Intrusion Detection with VN
• The intrusion detection service chains can be traversed in parallel, with one centralized DPI extracting information and passing it to the intrusion detection service chains.
Network Virtualization Application (1): Malware Detection (Controller & NFV)
1. The user downloads a repackaged application.
2. The repackaged application is detected.
3. Mark the traffic originated from the application (update the FlowTable on the OF switch).
4. The OF switch detects the marked packets (FlowTable …).
Network Virtualization Application (1): End-to-end QoS Guaranteed
Traditional QoS issues
• Scalability: the configuration must be replicated in every switching device (e.g. the DSCP field); no standard protocol can directly configure the networking devices over the current Internet today.
• Classification and routing: currently very few tools exist in the network to differentiate traffic flows and route them through their appropriate paths; forwarding only checks the packet's source and destination IP addresses against the routing table.
• Real-time adaptation: while existing networks can support differentiated QoS levels, the provisioning of those resources is typically done manually; therefore the network cannot dynamically adapt to changing traffic, application, and user demands.
Network Virtualization Applications (2): SDN Key Capabilities
• Scalability: with the overall topology view, the controller can perform and change the policies on every switch automatically and easily.
• Classification and routing: the capability of parsing every packet from layer 1 to layer 4 and managing the forwarding policy.
• Real-time adaptation: with programmable control, suitable mechanisms can be developed that adapt to the changes instantly.
Network Virtualization Applications (2): Provision QoS with Virtualization
The architecture specifies the high-level QoS requirements and automates the process of deriving individual per-device configuration specifications and then configuring the switches.
QoS APIs expose the most common existing hardware switch QoS capabilities, namely rate-limiters and priority queues, to the remote controller.
These dynamic mappings are more flexible than conventional static priority tagging because the controller can decide the mappings based on the current workload at each switch.
The QoS controller implements a flow aggregator that categorizes individual flows into groups and allocates resources based on the groups whenever possible.
• Flow Spec: represents a set of flows for each service in the network.
• Slice Spec: gives the performance requirement for a network slice, such as maximum bandwidth, minimum delay, etc.
[Figure: flows are categorized, then sliced.]
Network Virtualization Applications (2): Meter-based QoS Guaranteed
[Figure: QoS-guaranteed provisioning along a protected path carrying a high priority flow and a medium priority flow; non-guaranteed traffic is limited or rerouted.]
• After acquiring all the QoS demands, along the protected path we separate the different traffic into different slices (Slice 1, Slice 2, Slice 3: one slice reserved for the high priority flow, with separate slices for the medium and low priority flows).
• A meter entry limits the max-rate of the slice of low priority flows (best-effort traffic) to guarantee the QoS of the high priority flows.
• Meter entries also give per-flow QoS control within a slice (slices in a slice): the flows of Slice 2 (data transfer, video streaming, gaming traffic) are split into Slice 2-A and Slice 2-B.
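Added example, not the authors' code: a small model of OpenFlow 1.3 meters with DROP bands attached to slices and to sub-slices (slices in a slice). The link is modelled without priority scheduling, so traffic that still exceeds capacity after metering is shared proportionally; comparing the unmetered and metered runs shows why capping the best-effort slice is what guarantees the high priority slice. Capacity, meter rates and offered loads are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example, not code from the slides. A Meter stands for an OpenFlow 1.3
# meter with one DROP band (rate in Mbps). A Slice may carry a meter and may
# contain one level of sub-slices with their own meters. The link model below
# has no priority queues: if metered traffic still exceeds capacity, every slice
# loses the same fraction, so the meter on the best-effort slice is what protects
# the guaranteed slices. All numbers are constructed.

@dataclass
class Meter:
    meter_id: int
    rate_mbps: float          # DROP band: traffic above this rate is discarded

@dataclass
class Slice:
    name: str
    priority: int             # 0 = highest; decides what a parent meter trims first
    meter: Optional[Meter] = None
    sub_slices: List["Slice"] = field(default_factory=list)

def meter_slice(s: Slice, offered: Dict[str, float], passed: Dict[str, float]) -> float:
    """Apply the slice's meter (and its sub-slices' meters) to the offered Mbps.
    Fills passed[name] for every leaf slice and returns the slice's total."""
    if not s.sub_slices:
        rate = offered.get(s.name, 0.0)
        passed[s.name] = rate if s.meter is None else min(rate, s.meter.rate_mbps)
        return passed[s.name]
    total = sum(meter_slice(sub, offered, passed) for sub in s.sub_slices)
    if s.meter is not None and total > s.meter.rate_mbps:
        excess = total - s.meter.rate_mbps          # parent band trims lowest priority first
        for sub in sorted(s.sub_slices, key=lambda x: -x.priority):
            cut = min(excess, passed[sub.name])
            passed[sub.name] -= cut
            excess -= cut
            if excess <= 0:
                break
        total = s.meter.rate_mbps
    return total

def deliver(slices: List[Slice], offered: Dict[str, float], capacity: float) -> Dict[str, float]:
    """Mbps actually delivered per leaf slice over a link of the given capacity."""
    passed: Dict[str, float] = {}
    total = sum(meter_slice(s, offered, passed) for s in slices)
    scale = 1.0 if total <= capacity else capacity / total
    return {name: mbps * scale for name, mbps in passed.items()}

CAPACITY_MBPS = 100.0     # constructed link capacity
OFFERED = {"Slice 1": 40.0, "Slice 2-A": 20.0, "Slice 2-B": 15.0, "Slice 3": 80.0}  # Slice 3 floods

def build_slices(with_meters: bool) -> List[Slice]:
    m = (lambda i, r: Meter(i, r)) if with_meters else (lambda i, r: None)
    return [
        Slice("Slice 1", 0, m(1, 40.0)),                                   # high priority flow
        Slice("Slice 2", 1, m(2, 30.0), [Slice("Slice 2-A", 0, m(3, 20.0)),   # video streaming
                                         Slice("Slice 2-B", 1, m(4, 20.0))]), # gaming traffic
        Slice("Slice 3", 2, m(5, 30.0)),                                   # best effort, capped
    ]

def compare() -> Tuple[Dict[str, float], Dict[str, float]]:
    """(delivered without any meters, delivered with meters) for the same offered load."""
    return (deliver(build_slices(False), OFFERED, CAPACITY_MBPS),
            deliver(build_slices(True), OFFERED, CAPACITY_MBPS))

if __name__ == "__main__":
    unmetered, metered = compare()
    for name in OFFERED:
        print(f"{name:>9}: offered {OFFERED[name]:5.1f}  no meters {unmetered[name]:6.2f}  "
              f"meters {metered[name]:6.2f} Mbps")
```

In the metered run Slice 1 keeps its full 40 Mbps while the flooding Slice 3 is held at its 30 Mbps band; Slice 2's parent meter (30 Mbps) trims its lower-priority sub-slice 2-B first, which is the slices-in-a-slice case from the slide.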
Section 3. SDN Network Virtualization Practices
SDN Network Virtualization Practices
Case 1: Based on the FlowVisor technique and operations, an enterprise application called EnterpriseVisor is designed.
Case 2: Based on the VTN technique, an application that achieves network congestion control is designed.
Users' Requirements Limitation
[Figure: three slices (Slice 1, Slice 2, Slice 3) whose bandwidth demands change over time; the values shown range from 10 Mbps to 60 Mbps.]
Assumptions:
• Maximal network capacity C = 100M
Goals: dynamically allocate bandwidth to different slices; guarantee Quality-of-Service.
Network Virtualization Platform
[Figure: EnterpriseVisor configures and monitors FlowVisor, which virtualizes the SDN network under the SDN controller into isolated Slice 1 … Slice N serving Service 1 … Service N.]
EnterpriseVisor communicates with FlowVisor and configures the enterprise networks; it gathers switch state with OFPMP_PORT_STATS_Request, OFPMP_PORT_DESCRIPTION_Request and OFPT_FEATURES_REQUEST.
Network Virtualization Layer
[Figure: the OpenFlow controller on top; below it, on the network virtualization platform, FlowVisor (translation unit, forwarding unit, resource allocation policy) next to EnterpriseVisor (network monitor, deployment analysis, policy agent, config database).]
[Figure: four slices (Slice 1 … Slice 4) under the designed resource scheduling: a linear programming scheme.]
Controller: OpenDaylight Hydrogen Base 1.0
Mininet: Mininet 2.1.0, OpenvSwitch 2.1.2
The operation of each slice
Four states are defined here:
• S1: Don't change.
• S2: Resource Requester: request the resource from another slice, if (NU Low & SU High).
• S3: Resource Provider: provide the resource to another slice, if (NU High & SU Low).
• S4: Don't change until.
NU = network utilization, SU = slice utilization; SU_High: >80%, SU_low: <60%.
[Figure: in each round, the slices with high utilization act as requesters and the slices with low utilization as providers; slices 1 to 4 take both roles over successive rounds.]
Result: higher network utilization with only a minor sacrifice of control message latency (0.71 ms).
FlowVisor API: Add-slice
[Figure: EnterpriseVisor adds Slice 1 … Slice 3 through the FlowVisor API.] Parameters: controller id, slice name, rate (bandwidth control).
FlowVisor API: Update-slice
[Figure: EnterpriseVisor updates the bandwidth rate of Slice 1 … Slice 3 through the FlowVisor API.] Parameters: slice name, rate (update bandwidth rate).
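Added example of the four-state operation above and of the Update-slice calls (slice name, rate) that EnterpriseVisor would hand to the FlowVisor API; it is not EnterpriseVisor's code. It uses the slide's C = 100M and SU thresholds. The NU thresholds, the 60% target utilization, the proportional greedy transfer that stands in for the linear programming scheme, and the dictionary shape of the API calls are assumptions.

```python
from typing import Dict, List, Tuple

# Added example, not EnterpriseVisor's code. Each slice is classified into the
# states from the slide using network utilization (NU) and slice utilization (SU);
# providers release rate, requesters receive it, and the resulting rate changes are
# emitted as Update-slice calls (slice name, rate). C and the SU thresholds are the
# slide's; NU thresholds, TARGET_SU, the greedy transfer and the call format are
# assumptions made for this example.

C_MBPS = 100.0                  # maximal network capacity C = 100M (slide)
SU_HIGH, SU_LOW = 0.80, 0.60    # SU_High: >80%, SU_low: <60% (slide)
NU_HIGH, NU_LOW = 0.80, 0.60    # assumption: same thresholds for network utilization
TARGET_SU = SU_LOW              # assumption: rates are adjusted so a slice lands at 60%

def classify(nu: float, su: float) -> str:
    if nu < NU_LOW and su > SU_HIGH:
        return "S2"             # resource requester
    if nu > NU_HIGH and su < SU_LOW:
        return "S3"             # resource provider
    return "S1"                 # don't change (S4 also holds; its trigger is not on the slide)

def rebalance(slices: Dict[str, Dict[str, float]], capacity: float = C_MBPS):
    """slices: name -> {"rate": allocated Mbps, "used": measured Mbps}.
    Returns (states, new_rates, update_slice_calls, unallocated_mbps)."""
    nu = sum(s["used"] for s in slices.values()) / capacity
    states = {n: classify(nu, s["used"] / s["rate"]) for n, s in slices.items()}
    rates = {n: s["rate"] for n, s in slices.items()}
    # providers shrink to the target utilization, releasing rate into the free pool
    for n, st in states.items():
        if st == "S3":
            rates[n] = slices[n]["used"] / TARGET_SU
    pool = capacity - sum(rates.values())
    # requesters share the free pool in proportion to how much each asks for
    wants = {n: slices[n]["used"] / TARGET_SU - rates[n]
             for n, st in states.items() if st == "S2"}
    wants = {n: w for n, w in wants.items() if w > 0}
    total_want = sum(wants.values())
    if pool > 0 and total_want > 0:
        grant = min(pool, total_want)
        for n, w in wants.items():
            rates[n] += grant * w / total_want
        pool -= grant
    updates: List[Dict[str, object]] = [
        {"op": "update-slice", "slice": n, "rate": round(rates[n], 2)}
        for n in slices if abs(rates[n] - slices[n]["rate"]) > 1e-9]
    return states, rates, updates, pool

# Constructed measurements (Mbps). LOW_LOAD: NU = 54%, slices 2 and 4 over 80% and
# 10 Mbps still unallocated. HIGH_LOAD: NU = 81%, slice 1 under 60%.
LOW_LOAD = {"slice1": {"rate": 30.0, "used": 8.0}, "slice2": {"rate": 30.0, "used": 27.0},
            "slice3": {"rate": 20.0, "used": 10.0}, "slice4": {"rate": 10.0, "used": 9.0}}
HIGH_LOAD = {"slice1": {"rate": 40.0, "used": 23.0}, "slice2": {"rate": 30.0, "used": 29.0},
             "slice3": {"rate": 20.0, "used": 19.0}, "slice4": {"rate": 10.0, "used": 10.0}}

if __name__ == "__main__":
    for label, load in (("low load", LOW_LOAD), ("high load", HIGH_LOAD)):
        states, rates, updates, pool = rebalance(load)
        print(label, states, "unallocated %.2f Mbps" % pool)
        for u in updates:
            print("  ", u)
```

Under the low-load scenario slices 2 and 4 are requesters and split the 10 Mbps that is still unallocated (7.5 and 2.5 Mbps, in proportion to their requests); under the high-load scenario slice 1 is the only provider and its released 1.67 Mbps stays in the pool because, by the slide's rules, no slice can be a requester while NU is high.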
[Figure: the network virtualization platform once more, with EnterpriseVisor issuing Add-slice and Update-slice calls to FlowVisor for Slice 1 … Slice N.]
VTN Manager
• Offers virtual node features.
• Provides end-to-end path control.
[Figure: VTN1 … VTN5 mapped onto Path1, Path2, Path3 through routing path planning and resource scheduling.]
[Figure: the SDN controller hosting the Virtual Tenant Network above the physical network; components: Routing Manager (with the network policy), SLA information collector, Network Monitor, Resource Scheduler and Resource Manager; server and user at the edges.]
• Collect the SLA information of each VTN.
• Reroute according to the routing schedule (path mapping).
• Designed scheduling scheme: linear programming scheme.
• Monitor the network and service status.
• Adjust the path resource to avoid overloading.
[Figure: message sequence among the user, the Routing Manager, the SLA Information Collector, the Network Monitor and the Resource Scheduler on the controller.]
1. The user sends a request message; the VTN SLA information (bandwidth, delay, …) is collected.
2. Schedule event; the Network Monitor returns a response message (bandwidth, traffic, …).
3. Network schedule; plan assigned.
4. Reschedule event.
5. Plan assigned.
Congestion
[Figure: without our solution vs. with our solution; with the solution, traffic is spread over Path2, Path3 and Path4.]
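Added example of the scheduling step in the sequence above, not the authors' scheduler: each VTN's SLA information (bandwidth, delay) is mapped to a path so that every delay bound holds and the most-loaded path is as light as possible, and a reschedule event re-runs the search with the bandwidth reported by the network monitor. An exhaustive search over the small assignment space replaces the linear programming scheme; paths, capacities and SLAs are constructed.

```python
import itertools
from typing import Dict, List, Optional, Tuple

# Added example, not the authors' code. Paths carry a capacity and a delay; each
# VTN has an SLA (bandwidth, maximum delay). schedule() tries every VTN-to-path
# assignment (3 paths x 4 VTNs = 81 combinations), keeps those that satisfy the
# delay bounds and picks the one with the lowest peak path utilization. This
# exhaustive search stands in for the slide's linear programming scheme.

PATHS = {   # constructed: capacity in Mbps, one-way delay in ms
    "Path1": {"capacity": 100.0, "delay_ms": 5.0},
    "Path2": {"capacity": 60.0, "delay_ms": 8.0},
    "Path3": {"capacity": 60.0, "delay_ms": 12.0},
}
VTN_SLA = {  # constructed: SLA information per VTN as the collector would report it
    "VTN1": {"bandwidth": 50.0, "max_delay_ms": 10.0},
    "VTN2": {"bandwidth": 40.0, "max_delay_ms": 10.0},
    "VTN3": {"bandwidth": 30.0, "max_delay_ms": 20.0},
    "VTN4": {"bandwidth": 20.0, "max_delay_ms": 20.0},
}

def utilization(assign: Dict[str, str], demand: Dict[str, float],
                paths: Dict[str, Dict[str, float]] = PATHS) -> Dict[str, float]:
    """Load on each path divided by its capacity (>1.0 means congestion)."""
    load = {p: 0.0 for p in paths}
    for vtn, path in assign.items():
        load[path] += demand[vtn]
    return {p: load[p] / paths[p]["capacity"] for p in paths}

def congested(util: Dict[str, float]) -> List[str]:
    return [p for p, u in util.items() if u > 1.0]

def schedule(sla: Dict[str, Dict[str, float]] = VTN_SLA,
             paths: Dict[str, Dict[str, float]] = PATHS,
             measured: Optional[Dict[str, float]] = None
             ) -> Tuple[Dict[str, str], Dict[str, float]]:
    """Return (assignment, utilization). `measured` lets a reschedule event use the
    bandwidth reported by the network monitor instead of the SLA figure."""
    demand = {v: (measured or {}).get(v, s["bandwidth"]) for v, s in sla.items()}
    best = None
    for combo in itertools.product(paths, repeat=len(sla)):
        assign = dict(zip(sla, combo))
        if any(paths[assign[v]]["delay_ms"] > s["max_delay_ms"] for v, s in sla.items()):
            continue                                   # delay SLA violated
        util = utilization(assign, demand, paths)
        if best is None or max(util.values()) < max(best[1].values()):
            best = (assign, util)
    if best is None:
        raise ValueError("no assignment satisfies every delay SLA")
    return best

def baseline() -> Dict[str, float]:
    """'Without our solution': every VTN on the shortest-delay path."""
    demand = {v: s["bandwidth"] for v, s in VTN_SLA.items()}
    return utilization({v: "Path1" for v in VTN_SLA}, demand)

if __name__ == "__main__":
    print("baseline congested paths:", congested(baseline()))
    assign, util = schedule()
    print("schedule:", assign, {p: round(u, 2) for p, u in util.items()})
    assign2, util2 = schedule(measured={"VTN4": 40.0})      # reschedule event
    print("after reschedule:", assign2, {p: round(u, 2) for p, u in util2.items()})
```

The baseline puts 140 Mbps on a 100 Mbps path (utilization 1.4, congested). The schedule spreads the VTNs so the peak utilization drops to 0.7, and when the monitor reports VTN4 growing to 40 Mbps, the reschedule event moves VTN3 and VTN4 to different paths to keep the peak at 0.8.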
Two policy models on the VTN network: Flow Filter Model and Path Mapping Model
[Figure: class diagram of the Flow Filter model]
• Flow Filter (create policy table): type = {in|out}; location, one of vtn | vBridge | vNode_name; IF; statistics, general per IF and FFEntry and per flow; flowfilterentries: Flow Filter Entry.
• Flow Filter Entry, 1..* per Flow Filter (select policy table entry; Action): sequence number; action_type = {pass, drop, redirect, priority, bandwidth, statistics}; redirect_destination: redir_dst; set = {priority|dscp}, which marks packets on the wire; flowlists: Flow List.
• redir_dst: v Node_name; interface_name; new dst MAC; new src MAC; direction.
• Flow List (create different sets of traffic; Policy Target): name: String; flowlistentries: Flow List Entry.
• Flow List Entry, 1..* per Flow List (select traffic to apply marking; Match; Combine): match, similar to an OF match; sequence number.
Match conditions (provide more matching conditions for your applications):
Command                                              Number  Description
mac-destination-address <mac-address>                1       Destination MAC address
mac-source-address <mac-address>                     2       Source MAC address
mac-ether-type <ether-type-number>                   3       Ether type
mac-vlan-priority <vlan-priority-number>             4       VLAN priority
ip-destination-address <ip-address>/<prefix-length>  5       Destination IP address
ip-source-address <ip-address>/<prefix-length>       6       Source IP address
ip-protocol <protocol-number>                        7       Protocol type
ip-dscp <dscp-number>                                8       DSCP (Differentiated Services Code Point)
l4-destination-port <port-number> [ to <end-port> ]  9       Destination port
l4-source-port <port-number> [ to <end-port> ]       10      Source port
Actions (provide 6 actions for your applications):
Intent      Description                            Behavior
Pass        Pass packets                           FlowFilter pass
Drop        Drop packets                           FlowFilter drop
Redirect    Redirect packets to a specified point  FlowFilter redirect
Priority    Set a priority of packets              FlowFilter priority
Bandwidth   Set policing                           FlowFilter pass
Statistics  Collect statistics information         FlowFilter statistics (collect statistics)
Example: bandwidth policing in VTN 1
[Figure: traffic in → vBridge → vRouter → vBridge, between a host and a server inside VTN 1; a policy with Action: Bandwidth is set on the path.]
• CIR: Committed Information Rate
• PIR: Peak Information Rate
• CBS: Committed Burst Size
• PBS: Peak Burst Size
Policy values: CIR 256000 bps, PIR 512000 bps, CBS 48128 bytes, PBS 64000 bytes
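Added example (not OpenDaylight VTN code) that evaluates the flow filter model above on constructed packets, using the match keys from the table and the six action names. The Bandwidth action is implemented as an RFC 2698 two-rate three-colour policer with the CIR/PIR/CBS/PBS values of the policy, with red packets dropped. First-match-wins ordering of flow filter entries and the drop-on-red behaviour are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example, not OpenDaylight VTN code. A flow filter holds flow filter
# entries ordered by sequence number; each entry points at a flow list whose
# entries are match conditions keyed by the slide's command names. The first
# entry whose flow list matches decides the action (assumption). The bandwidth
# action uses an RFC 2698 trTCM with the slide's CIR/PIR/CBS/PBS; red = drop.

@dataclass
class TrTCM:
    cir_bps: int
    pir_bps: int
    cbs: int                  # committed burst size, bytes
    pbs: int                  # peak burst size, bytes
    tc: float = field(init=False)
    tp: float = field(init=False)
    last: float = 0.0         # time of the previous packet, seconds

    def __post_init__(self):
        self.tc, self.tp = float(self.cbs), float(self.pbs)

    def colour(self, size: int, now: float) -> str:
        dt = max(0.0, now - self.last)
        self.last = now
        self.tc = min(float(self.cbs), self.tc + self.cir_bps / 8.0 * dt)
        self.tp = min(float(self.pbs), self.tp + self.pir_bps / 8.0 * dt)
        if self.tp < size:
            return "red"
        self.tp -= size
        if self.tc < size:
            return "yellow"
        self.tc -= size
        return "green"

FlowList = List[Tuple[int, Dict[str, object]]]      # (sequence number, match)

def matches(cond: Dict[str, object], pkt: Dict[str, object]) -> bool:
    for key, want in cond.items():
        have = pkt.get(key)
        if have is None:
            return False
        if key in ("ip-source-address", "ip-destination-address"):
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif key in ("l4-source-port", "l4-destination-port"):   # single port or (from, to)
            lo, hi = want if isinstance(want, tuple) else (want, want)
            if not lo <= have <= hi:
                return False
        elif have != want:
            return False
    return True

@dataclass
class FlowFilterEntry:
    sequence: int
    flowlist: str
    action_type: str                      # pass|drop|redirect|priority|bandwidth|statistics
    redirect_destination: Optional[Dict[str, str]] = None
    set_value: Optional[Dict[str, int]] = None       # {"priority": n} or {"dscp": n}
    policer: Optional[TrTCM] = None
    stats: Dict[str, int] = field(default_factory=lambda: {"packets": 0, "bytes": 0})

@dataclass
class FlowFilter:
    type: str                 # in | out
    location: str             # vtn | vBridge | vNode_name
    entries: List[FlowFilterEntry]

def evaluate(ff: FlowFilter, flowlists: Dict[str, FlowList],
             pkt: Dict[str, object], now: float = 0.0) -> Tuple[str, Dict[str, object]]:
    for e in sorted(ff.entries, key=lambda x: x.sequence):
        conds = sorted(flowlists[e.flowlist], key=lambda x: x[0])
        if not any(matches(c, pkt) for _, c in conds):
            continue
        e.stats["packets"] += 1
        e.stats["bytes"] += int(pkt["size"])
        if e.action_type == "bandwidth":
            colour = e.policer.colour(int(pkt["size"]), now)
            return ("drop" if colour == "red" else "pass", {"colour": colour})
        if e.action_type == "redirect":
            return ("redirect", dict(e.redirect_destination))
        if e.action_type in ("priority", "statistics"):
            return ("pass", dict(e.set_value or {}))
        return (e.action_type, {})
    return ("pass", {"default": True})

FLOWLISTS: Dict[str, FlowList] = {   # constructed flow lists
    "web": [(1, {"ip-protocol": 6, "l4-destination-port": (80, 80)})],
    "mgmt": [(1, {"ip-source-address": "10.0.0.0/8", "l4-destination-port": 22})],
}

def build_filter() -> FlowFilter:
    """Constructed inbound filter on a vBridge: police web traffic, drop SSH from 10/8."""
    return FlowFilter("in", "vBridge", [
        FlowFilterEntry(10, "web", "bandwidth", policer=TrTCM(256000, 512000, 48128, 64000)),
        FlowFilterEntry(20, "mgmt", "drop"),
    ])

def burst(ff: FlowFilter, n: int, size: int = 1500) -> Dict[str, int]:
    """Send n back-to-back web packets at t=0 and count the policer colours."""
    counts = {"green": 0, "yellow": 0, "red": 0}
    pkt = {"ip-protocol": 6, "ip-destination-address": "192.0.2.10",
           "l4-destination-port": 80, "size": size}
    for _ in range(n):
        counts[str(evaluate(ff, FLOWLISTS, pkt)[1]["colour"])] += 1
    return counts

if __name__ == "__main__":
    print(burst(build_filter(), 43))   # 32 green, 10 yellow, then the first red
```

With CBS = 48128 bytes a burst of 1500-byte packets gets 32 green packets before the committed bucket runs dry, the peak bucket (PBS = 64000 bytes) admits 10 more as yellow, and the 43rd is red and dropped; a packet to port 22 from 10.1.1.1 is dropped by the second entry, while the same packet from outside 10/8 matches nothing and takes the default pass.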
Path Mapping Model
• A path map consists of:
  – Flow condition: equivalent to a flow list in the flow filter model
  – Path policy: defines the associated cost for a network path
  – Path map: correlates a flow condition to a path policy
[Figure: switches (SW) between endpoints EP1 and EP2; the path policy assigns link costs (1000 on most links, 1000000 on one), and the path map assigns Match1 = Path1, Match2 = Path2, Match3 = Path3.]
Section 4. Summary
Summary: FlowVisor Layer vs. VTN
OpenFlow protocol support
• FlowVisor Layer: supports the OpenFlow 1.2 protocol (support incomplete)
• VTN: supports the OpenFlow 1.3 protocol
Characteristics
• FlowVisor Layer: bandwidth isolation, topology isolation, flowspace isolation
• VTN: multi-tenant virtual network, virtual network isolation, network policy isolation
Others
• FlowVisor Layer: functionally insufficient, instability, updates suspended
• VTN: functionally sufficient, stability, has a release plan (2015)
Summary: SDN Virtualization for Big Data
[Figure: big data pipeline (acquire → organize → analyze & decide) over cloud computing, from unstructured data / sparse data of value to structured data / highly dense data, with a slice per service.]
Case: SDN virtual networking for big data computing (slicing issue).
Objective: slice the big data service network to provide different big data services and enhance the service performance.
[Figure: processing domain (resource scalability); network domain with Serving Network A, B and C over the IP core, each with IMS+ID; application domain with a proxy for network slicing; Network Slice A, B and C carry IoT perception layer events; SDN solution for flow classification.]
1. Different network slices occupy IMS+ID resources.
Summary: SDN Virtualization for Flow Classification in IoT
Case: SDN virtual networking for Internet-of-Things (IoT) applications (grouping + slicing issue).
2. Group the service requests to reduce network congestion and to enhance service quality.
Thank You (ありがとう, 謝謝: "thank you" in Japanese and Chinese)