
Intro to Project Calico: a pure layer 3 approach to scale-out networking


Project Calico is sponsored by

Project Calico: a Pure Layer 3 Approach to Scale-out networking

Christopher Liljenstolpe <[email protected]> April 15, 2015

Page 2

Introductions

Christopher Liljenstolpe
• Lead Architect, Project Calico
• Director, Solutions Architecture
• Metaswitch’s Networking Business Unit

Metaswitch
• Sequoia-backed software company
• SDN & IP Multimedia Communications
• 1,000+ global customers

Project Calico
• Open source project, sponsored by Metaswitch
• Pure Layer 3 cloud networking solution
• Containers, virtual machines & bare metal

Page 3

Legacy (ATM / SNA)
• PNNI, SVCs, UNI, IISP, ILMI
• SNA/IP, SNAP-IX, APPN, HIS

VoIP / IMS
• SIP, Megaco/H.248, MGCP, Diameter, SBC

Ethernet / IP Routing
• LLDP, LACP, STP, ERPS, SyncE, OAM
• BGP, OSPF, IS-IS, RIP, PIM, IGMP

MPLS / Optical
• MPLS, RSVP-TE, LDP, VPNs, VPLS
• GMPLS, O-UNI/NNI, E-NNI, LMP, PCE

Page 4

What is Calico?

An (Apache licensed) open source project to enable networking of workloads in a data center / cloud environment

Objectives:
• Simple: Don’t demand users to be networking experts
• Scalable: Thousands of servers, 100k’s of workloads
• Open: Open source and open standards

Page 5

Metaswitch Networks | Proprietary and confidential | © 2014

Page 6

Docker Networking Today: Two Main Models

Port forwarding / NAT
• Simple
• Works “out of the box”
• Easily understood
• … but not “real IP networking”
• Won’t work with all applications (e.g. IPsec)
• Only one container per external IP/port combination

Overlay networks
• Give each container its own private IP address (or subnet)
• Separate “overlay” domain over “underlay” network with GRE, MPLS, VXLAN, or proprietary tunneling protocols
• But…

Page 7

The Standard Virtual Networking Model

• Virtual L2 segments, implemented in software by virtual switch
• Encap / de-encap (& flooding!)
• Router services required to hop between tenants
• NAT required for public Internet access
• On/off-ramp required to get to NAS, etc.

[Diagram: three Linux hosts, each with a vSwitch]

[Encapsulated packet layout: Outer MAC | Outer IP | Outer UDP | VXLAN | VM MAC | VM IP | VM TCP/UDP | VM Data]

Page 8

This leads to…

☹ Unnecessary complexity
☹ Low scale limits
☹ Performance issues
☹ Inefficient resource utilization
☹ Difficulty troubleshooting
☹ Demands placed on application developers to be networking experts

ALL solutions that use overlay / underlay model suffer from these effects, however they are mitigated.

These issues become critical with containers due to the higher scale than VMs (100s vs 10s per server)

… It doesn’t have to be this way!

Page 9

What if we built a data center like the internet?

[Diagram: Hosts (each an App with its own IP) attached to Routers, with BGP between them]

Page 10

What if we built a data center like the internet?

[Diagram: VMs / LXCs (each an App with its own IP) on Compute Nodes, with Routers and BGP]

… this is Project Calico!

Page 11

Project Calico – key Principles

IP
• Perform layer 3 forwarding at each compute node
• Leverage Linux kernel’s efficient IP forwarding engine – no separate vSwitch

BGP
• Distribute routes using proven Border Gateway Protocol, with route reflectors for scale
• Program routes into Linux kernel on each host (and into physical fabric if required)

• Separate policy decisions from routing information
• Translate global policy into distributed firewall on each host, enabling tenant isolation & more
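
An added illustration, not code from Project Calico: a minimal Python model of the last principle above, in which routes and policy are computed separately and each compute node enforces an inbound allow-list only for the workloads it hosts. The tenant names, node names, addresses and function names are hypothetical, constructed for this example.

```python
from ipaddress import ip_address

# Constructed sample data (hypothetical tenants, nodes and addresses).
WORKLOADS = {  # workload IP -> (tenant, compute node)
    "10.65.0.2": ("red", "node-a"),
    "10.65.0.3": ("blue", "node-a"),
    "10.65.1.2": ("red", "node-b"),
    "10.65.1.3": ("blue", "node-b"),
}
# Global policy: (source tenant, destination tenant) pairs that may talk.
ALLOWED = {("red", "red"), ("blue", "blue")}


def routes_for(node):
    """Routing view: every workload is a /32 route, regardless of policy."""
    return {f"{ip}/32": ("local" if host == node else host)
            for ip, (_, host) in WORKLOADS.items()}


def acls_for(node):
    """Policy view: inbound allow-list for each workload hosted on `node`."""
    acls = {}
    for dst, (dst_tenant, host) in WORKLOADS.items():
        if host != node:
            continue  # a node only enforces policy for its own workloads
        acls[dst] = sorted(
            src for src, (src_tenant, _) in WORKLOADS.items()
            if src != dst and (src_tenant, dst_tenant) in ALLOWED)
    return acls


def permitted(src, dst):
    """Evaluate a packet at the destination's node; the default is deny."""
    ip_address(src), ip_address(dst)  # raises ValueError on malformed input
    if dst not in WORKLOADS:
        return False
    node = WORKLOADS[dst][1]
    return src in acls_for(node).get(dst, [])
```

Every node holds a route to every workload, so reachability is uniform; isolation comes only from the per-node allow-lists, which is why a same-node packet between tenants is still dropped.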

Page 12

Technical Details

Architecture components
• Orchestrator plug-in: Integrates with platform-specific APIs (e.g. Neutron)
• Felix agent: Forwarding table update, security policy, per-tenant traffic isolation
• etcd – distributed, highly available datastore
• BIRD – BGP stack
• Linux kernel – layer 3 forwarding and ACL enforcement
• Build on and contribute to many existing open source projects

Release status
• OpenStack, Juju: ready for trials
• Docker, Fuel: early/experimental
• Others: in progress
• Supported, hardened commercial release end-Q2, 2015

[Diagram labels: Any physical fabric (L2, L3, MPLS, …); Cloud OS / Orchestration System; Calico Plugin; Route Reflector; Compute Node (×3); Linux kernel; BGP Client; Felix; Routes; ACLs; Workload (VM / Container); Eth0; Eth1]

Page 13

Traditional Overlays and Calico - Compared

• Before Calico: Scale challenges above few hundred servers / thousands of workloads
  After Calico: Scale to millions of workloads with minimal CPU and network overhead

• Before Calico: Troubleshooting connectivity issues can take hours
  After Calico: What is happening is “obvious” – traceroute, ping, etc., work as expected

• Before Calico: On/off ramps + NAT to break out of overlay
  After Calico: Path from workload to non-virtual device or public internet (or even between data centers) is just a route

• Before Calico: High availability / load balancing across links requires LB function (virtual or physical) and/or app-specific logic
  After Calico: Equal Cost Multi-Path (ECMP) & Anycast just work, enabling scalable resilience and full utilization of physical links

• Before Calico: CCNA or equivalent required to understand end-to-end networking, deploy applications
  After Calico: Basic IP networking knowledge only required

Page 14

Calico Roadmap / Future Directions

Timeline: Q1 2015 | Q2 2015 | 2H 2015 | 2016

• Ready for trial on OpenStack
• Docker support
• Automated installation via Chef, Juju (Canonical)
• Commercially supported release
• Integration with Mirantis Fuel
• Container orchestrator integrations
• Integration with additional orchestrators
• Overlapping IP addresses with v4-in-v6
• Simplified deployment automation
• Enhanced diagnostics, analytics, policy
• MPLS tunnel termination
• Multicast

Page 15

Get involved

• Main project website: www.projectcalico.org
• GitHub:
  https://github.com/Metaswitch/calico
  https://github.com/Metaswitch/calico-docker
• Mailing list: http://lists.projectcalico.org/listinfo/calico
• Download & try it out
• We welcome your feedback and contributions
• Follow us @projectcalico