1 SDN and Virtualization
“Can the Production Network Be the Testbed?” (FlowVisor), OSDI 2010
“Network Virtualization in Multi-tenant Datacenters,” NSDI 2014
2 Virtualization (FlowVisor)
Flowvisor Overview
[Figure: computer virtualization next to network virtualization. Left: applications on Windows (OS), Linux and Mac OS running over an x86 virtualization layer on the computer. Right: applications on Controller 1 and Controller 2 running over the FlowVisor virtualization layer on OpenFlow hardware.]
OpenFlow: a simple, common, stable hardware substrate below
+ Programmability
+ Strong isolation model
3 Flowvisor Overview (Cont’d)
• Divide the production network into logical slices
o each slice/service controls its own packet forwarding
o users pick which slice controls their traffic: opt-in
o existing production services run in their own slice, e.g., Spanning tree, OSPF/BGP
• Enforce strong isolation between slices
o actions in one slice do not affect another
• Allows the (logical) slice to mirror the production network
o real hardware, performance, topologies, scale, users
4 Network slice and flowspace
A network slice controls a subset of traffic. The subset is defined by a collection of packet headers: n-bit headers give an n-dimensional space, the flowspace.
Example: HTTP traffic – TCP port = 80; all traffic from a node – IP_SRC = A
A subset of flowspace + a subset of topology = network slice
5 Substrate: “Flowspace”
[Figure: a packet as Ethernet DA, SA, etc.; IP DA, SA, etc.; TCP DP, SP, etc.; payload. The header bits form a user-defined flowspace (“OpenFlow++”).]
Collection of bits to plumb flows (of different granularities) between end points
6 Properties of Flowspace
Backwards compatible
- Current layers are a special case
- No end points need to change
Easily implemented in hardware
- e.g. TCAM flow-table in each switch
Strong isolation of flows
- Simple geometric construction
- Can prove which flows can/cannot communicate
7 FlowSpace: Maps Packets to Slices
8 Real User Traffic: Opt-In
• Allow users to Opt-In to services in real-time
o Users can delegate control of individual flows to Slices
o Add new FlowSpace to each slice's policy
• Example:
o "Slice 1 will handle my HTTP traffic"
o "Slice 2 will handle my VoIP traffic"
o "Slice 3 will handle everything else"
• Creates incentives for building high-quality services
9 Slicing control & data planes
10 Slicing OpenFlow
11 Network Slicing Architecture
A network slice is a collection of sliced switches/routers
• Data plane is unmodified
- Packets forwarded with no performance penalty
- Slicing with existing ASIC
• Transparent slicing layer
- each slice believes it owns the data path
- enforces isolation between slices, i.e., rewrites or drops rules to adhere to the slice policy
- forwards exceptions to the correct slice(s)
12 Slicing Policies
The policy specifies resource limits for each slice:
- Link bandwidth
- Maximum number of forwarding rules
- Topology
- Fraction of switch/router CPU
FlowSpace: which packets does the slice control?
13 FlowVisor Slicing Example
[Figure: Bob’s Controller and Alice’s Controller speak the OpenFlow Protocol to FlowVisor, which in turn speaks the OpenFlow Protocol to three OpenFlow Switches.] 10/27/14
14 FlowVisor Slicing Example (Cont’d)
[Figure: the same layout with four slice controllers above FlowVisor (http, Load-balancer, Multicast, Broadcast) and three OpenFlow Switches below it.]
15 FlowVisor Slicing Example (Cont’d)
[Figure: FlowVisors stacked in layers. Slice controllers (Tricast, Lossless Handover, LTE-WiFi Handover, Learning switch, Mobile VMs, New BGP) sit above Bob’s FlowVisor, Alice’s FlowVisor and GENI’s FlowVisor; these, together with the Production Network Controller, speak the OpenFlow Protocol to the Network Administrator’s FlowVisor, which controls the OpenFlow Switches.]
16 Software Defined Networking (COMS 6998-10)
FlowVisor Implemented on OpenFlow
[Figure: servers running custom OpenFlow controllers (control plane) speak the OpenFlow protocol to FlowVisor; FlowVisor speaks the OpenFlow protocol to the OpenFlow firmware (stub control plane) on each switch/router, whose data path forms the data plane.]
17 FlowVisor Message Handling Rule
[Figure: the Alice, Bob and Cathy controllers send OpenFlow messages to FlowVisor, which runs a policy check, “Is this rule allowed?”, before passing them on. Packets that miss in the switch data path raise an OpenFlow exception from the OpenFlow firmware to FlowVisor, which asks “Who controls this packet?” and hands it to the owning slice; packets that match are forwarded by the data path at full line rate.] Source: R. Sherwood
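The two checks on this slide (and the opt-in from slide 8), as an added toy example that is not from the paper or FlowVisor's own code. A flowspace entry is a dict of header field to value, an absent field is a wildcard, and field names follow OpenFlow 1.0 match fields; slice names, priorities and packets are constructed sample values.

```python
# Added example (not FlowVisor's code): a toy flowspace matcher for
# "Who controls this packet?" and "Is this rule allowed?".
# A flowspace entry is {field: value}; a missing field is a wildcard.

def covers(space, match):
    """True if `match` lies inside `space`: every field `space` pins must be
    pinned to the same value in `match` (a wildcard in `space` covers all)."""
    return all(match.get(k) == v for k, v in space.items())

def intersect(space, match):
    """Intersection of two flowspace entries, or None when they are disjoint."""
    out = dict(match)
    for k, v in space.items():
        if k in out and out[k] != v:
            return None
        out[k] = v
    return out

class FlowVisor:
    def __init__(self):
        self.slices = {}          # name -> (priority, [flowspace entries])

    def add_slice(self, name, priority, *spaces):
        self.slices[name] = (priority, list(spaces))

    def opt_in(self, name, space):
        """Slide 8: a user delegates more flowspace to a slice's policy."""
        self.slices[name][1].append(space)

    def who_controls(self, packet):
        """Exception path: the highest-priority slice whose flowspace covers
        the packet's (fully specified) headers, or None."""
        hits = [(prio, name) for name, (prio, spaces) in self.slices.items()
                if any(covers(sp, packet) for sp in spaces)]
        return max(hits)[1] if hits else None

    def check_rule(self, name, rule):
        """Policy check: a rule from the slice controller is rewritten to its
        intersection with the slice's flowspace (one rule per piece);
        an empty result means the rule is dropped."""
        _, spaces = self.slices[name]
        pieces = [intersect(sp, rule) for sp in spaces]
        return [p for p in pieces if p is not None]
```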
18 Flowvisor implementation
- Message to control plane
- Message to forwarding plane
- Bandwidth isolation
- Device CPU isolation
- Flow entry isolation
19 Flowvisor implementation
Message to control plane
- Rewrites messages from the OpenFlow switch to the slice controller for transparency
- only send a message when the switch is in the slice topology
- the slice controller only sees the ports that appear in the slice
- port up/down messages go only to the affected slices
Message to forwarding plane
- rewrite the insert and delete flow table messages
- only to the switches in the slice
20 Flowvisor implementation
Bandwidth isolation
- per-port queues in switch hardware
- Flowvisor creates a per-slice queue on each port
- the queue is configured for a certain bandwidth, as defined in the slice definition
- rewrite rules from “send out port X” to “send out queue Y on X”.
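The rewrites of slides 19 and 20 together, as an added example that is not FlowVisor's own code. It assumes a per-slice topology table and a per-slice queue id, and a constructed textual action syntax (`output:X`, `enqueue:X:Y`) standing in for the OpenFlow 1.0 output and enqueue actions.

```python
# Added example (not FlowVisor's code): topology filtering for messages to
# the control plane and action rewriting for flow-mods to the forwarding
# plane. Slice names, switch ids, ports and queue ids are constructed.

SLICE_PORTS = {  # slice -> {switch dpid -> ports in the slice topology}
    "alice": {"s1": {1, 2}, "s2": {1}},
    "bob":   {"s1": {2, 3}},
}
SLICE_QUEUE = {"alice": 1, "bob": 2}   # per-slice queue created on every port

def slices_for_port(dpid, port):
    """A port up/down event on dpid:port is sent only to slices whose
    topology contains that port (slide 19)."""
    return sorted(s for s, topo in SLICE_PORTS.items()
                  if port in topo.get(dpid, ()))

def visible_ports(slice_name, dpid, physical_ports):
    """Features reply rewrite: a slice controller sees only its ports."""
    return sorted(set(physical_ports) & SLICE_PORTS[slice_name].get(dpid, set()))

def rewrite_actions(slice_name, dpid, actions):
    """Rewrite a slice controller's flow-mod actions before they reach the
    switch. 'output:X' becomes 'enqueue:X:Y' so the slice's bandwidth cap
    applies (slide 20); a switch or port outside the slice topology makes
    the whole message invalid and it is dropped (returns None)."""
    allowed = SLICE_PORTS[slice_name].get(dpid, set())
    if not allowed:
        return None                      # switch not in the slice topology
    out = []
    for act in actions:
        kind, _, arg = act.partition(":")
        if kind == "output":
            port = int(arg)
            if port not in allowed:
                return None              # port not in the slice topology
            out.append(f"enqueue:{port}:{SLICE_QUEUE[slice_name]}")
        else:
            out.append(act)              # other actions pass unchanged
    return out
```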
21 Flowvisor implementation
CPU isolation
- Device CPUs on commodity network hardware are low-power embedded processors, easily overloaded, with no isolation mechanism
- Work around: no slice may monopolize the device CPU
- Limit the rule insertion rate from the controller
- Use periodic drop rules to throttle exceptions
Flow table entry isolation
- Enforce what is defined by the slice
22 Conclusion
• Network slicing can help perform more realistic evaluations and support multiple tenants
• FlowVisor allows experiments to run concurrently but safely on the production network
• Currently limited to subsets of the actual topology
- Add virtual links, nodes support
23 SDN and Virtualization
“Can the Production Network Be the Testbed?” (FlowVisor), OSDI 2010
“Network Virtualization in Multi-tenant Datacenters,” NSDI 2014
24 Multi-tenant datacenter challenges
- Tenants want to move their code from their enterprises directly to datacenters without modification
- Different services require different topologies – flat L2, some L3, multiple levels of services
- Address space: a virtualized workload should not operate in the same address space as the physical network (the VM’s IP is learned from the first L3 router!)
  - Cannot move a VM to arbitrary locations
  - Tenant cannot manage its own IP
  - Operator cannot change the addressing type.
25 Multi-tenant datacenter challenges
Ideal multi-tenant datacenter: arbitrary network topologies and addressing architectures could be overlaid over the same physical network.
Network virtualization: not clearly defined. A network virtualization layer allows for the creation of virtual networks, each with independent service models, topologies, and addressing architectures, over the same physical network. Tenants can configure their own virtual network.
Existing mechanisms all fall short: VLAN, NAT, MPLS, VRF (virtualized L3 FIB).
26 Network hypervisor
Network virtualization platform
- Control abstraction: allow tenants to define logical network elements that can be configured
- Packet abstraction: packets from the end hosts have the same switching, forwarding, and filtering behavior as configured by the tenant
29 Virtualization architecture
- Implement the logical data path in the host vswitch inside the host hypervisor; for point-to-point traffic, tunnel between hypervisors
- Use the SDN controller to set up the first-hop vswitch
- Use a service node to support broadcast/multicast
- Use a gateway node to support communication with the outside
31 Computation challenges
Must maintain O(N^2) flows for N end-points, with frequent dynamic changes.
- Controllers learn the location of VMs
- Controllers proactively compute and push all forwarding state required to connect the VMs
- Forwarding State = F(configuration, VM locations)
32 Solution to computation challenges
- Incremental computation and pushing for quick updates
- Share the computation across the controller cluster
- Use a language to program F: avoid handwritten finite state machines; all are generated
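Forwarding State = F(configuration, VM locations) from slide 31, computed whole and then incrementally as slide 32 proposes, as an added example that is not the paper's or NVP's code. It assumes one flow per (hypervisor, logical switch, destination VM) and uses constructed tenant, VM and hypervisor names.

```python
# Added example (not NVP's code): forwarding state as a pure function of
# configuration and VM locations. A logical switch connects its VMs; the
# hypervisor hosting a source VM needs one flow "dst VM -> tunnel to the
# destination's hypervisor" per peer, so N end-points cost up to O(N^2).
# Tenants, VMs and hypervisors below are constructed sample values.
from itertools import permutations

def forwarding_state(config, locations):
    """Full state: set of (hypervisor, logical_switch, dst_vm, tunnel_to).
    config: logical switch -> attached VMs; locations: VM -> hypervisor.
    tunnel_to == hypervisor means the local vswitch delivers directly."""
    state = set()
    for lsw, vms in config.items():
        for src, dst in permutations(vms, 2):
            state.add((locations[src], lsw, dst, locations[dst]))
    return state

def delta(old_state, new_state):
    """Incremental update: (flows to remove, flows to add), nothing else."""
    return old_state - new_state, new_state - old_state

def per_hypervisor(flows):
    """Group flows by the hypervisor whose vswitch must receive them."""
    out = {}
    for hv, lsw, dst, tun in sorted(flows):
        out.setdefault(hv, []).append((lsw, dst, tun))
    return out

def move_vm(config, locations, vm, new_hv):
    """What the controller pushes when `vm` migrates: only the changed flows."""
    before = forwarding_state(config, locations)
    after = forwarding_state(config, dict(locations, **{vm: new_hv}))
    return delta(before, after)
```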
36 Conclusion
OpenFlow can facilitate network virtualization. The current practice of network virtualization is not ideal. This paper presents a limited form of network virtualization for special cases.