SDN Applications and Use Cases (source page: pas.csie.ntu.edu.tw/sdn2015workshop/sdn_info/講員...)
TRANSCRIPT
Copyright 2015 ITRI 工業技術研究院
ITRI Information and Communications Research Laboratories, Broadband Network and System Integration Technology Division
Speaker: 許名宏
SDN Applications and Use Cases
Speaker Biography
National Taiwan University, Department of Computer Science and Information Engineering, Bachelor (class B87)
National Taiwan University, Graduate Institute of Computer Science and Information Engineering, Ph.D. in Information Retrieval (IR)
Industrial Technology Research Institute (ITRI), Engineer, 2011 to present
Zhudong (Chung Hsing Campus); Liujia (Southern Campus)
Outline
SDN Basics
SDN Use Cases & Applications
  Google B4 WAN
  NEC VTN
  OpenDefenseFlow
  Firewall Migration
  ITRI VLAN Migration
Concluding Remarks
What is SDN?
OpenFlow 1.0
Flow Entry = Matching Fields | Actions | Stats
Matching fields (12-tuple): Ingress Port, MAC DA, MAC SA, EtherType, VLAN ID, VLAN P-bits (802.1p priority), IP Src, IP Dst, IP Protocol, IP DSCP, TCP/UDP src port, TCP/UDP dst port
Actions: forward packet to a port list; add/remove/modify VLAN tag; drop packet; send packet to the controller
Stats: packet counters, byte counters, etc.
[Figure: the SDN Controller (software) speaks the OpenFlow protocol to an OpenFlow-enabled switch, whose OpenFlow client programs the switch's flow table]
SDN = OpenFlow? Not exactly.
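The flow entry just described (12-tuple match with wildcards, an action list, per-entry counters, priority, and a packet-in to the controller on table miss) in working form. This is an added example written for this page, not code from the slides or from any real switch or controller; the field abbreviations (in_port, dl_*, nw_*, tp_*), the port numbers and the addresses in the demo are assumptions made for illustration.

```python
# Added example: a minimal model of an OpenFlow 1.0 flow table.
# Not from the slides; field names and demo values are assumptions.
from dataclasses import dataclass
from typing import Optional

# The twelve OpenFlow 1.0 match fields, in the order the slide lists them.
MATCH_FIELDS = (
    "in_port", "dl_dst", "dl_src", "dl_type", "dl_vlan", "dl_vlan_pcp",
    "nw_src", "nw_dst", "nw_proto", "nw_tos", "tp_src", "tp_dst",
)


@dataclass
class FlowEntry:
    match: dict          # subset of MATCH_FIELDS; a missing field is a wildcard
    actions: list        # e.g. [("output", 2)], [("drop",)], [("controller",)]
    priority: int = 0
    packets: int = 0     # stats: packet counter
    bytes: int = 0       # stats: byte counter

    def matches(self, pkt: dict) -> bool:
        # A field the packet lacks (e.g. tp_dst on an ARP frame) never matches
        # a concrete value, just as a real switch would not match it.
        return all(pkt.get(k) == v for k, v in self.match.items())


class FlowTable:
    def __init__(self) -> None:
        self.entries: list = []
        self.packet_in: list = []   # packets handed to the controller

    def add(self, entry: FlowEntry) -> None:
        unknown = set(entry.match) - set(MATCH_FIELDS)
        if unknown:
            raise ValueError(f"not OpenFlow 1.0 match fields: {sorted(unknown)}")
        self.entries.append(entry)
        # Highest priority wins; among equal priorities OF 1.0 leaves the
        # choice unspecified, so this model keeps installation order.
        self.entries.sort(key=lambda e: -e.priority)

    def lookup(self, pkt: dict) -> Optional[FlowEntry]:
        return next((e for e in self.entries if e.matches(pkt)), None)

    def process(self, pkt: dict, length: int) -> list:
        """Apply the table to one packet; returns the action list taken."""
        entry = self.lookup(pkt)
        if entry is None:
            # Table miss: an OF 1.0 switch sends the packet to the controller.
            self.packet_in.append(pkt)
            return [("controller",)]
        entry.packets += 1          # stats are updated on every hit
        entry.bytes += length
        if ("controller",) in entry.actions:
            self.packet_in.append(pkt)
        return entry.actions


def demo() -> dict:
    """Four entries, five packets; all values are made up for the example."""
    t = FlowTable()
    t.add(FlowEntry({}, [("output", 1)], priority=0))                     # default path
    t.add(FlowEntry({"dl_type": 0x0800, "nw_proto": 17, "nw_dst": "10.0.0.53",
                     "tp_dst": 53}, [("output", 3)], priority=10))        # DNS to port 3
    t.add(FlowEntry({"dl_type": 0x0800, "nw_src": "192.0.2.7"},
                    [("drop",)], priority=20))                            # block one host
    t.add(FlowEntry({"dl_type": 0x0806}, [("controller",)], priority=5))  # ARP to controller

    dns = {"dl_type": 0x0800, "nw_proto": 17, "nw_src": "10.0.0.5",
           "nw_dst": "10.0.0.53", "tp_dst": 53}
    web = {"dl_type": 0x0800, "nw_proto": 6, "nw_src": "10.0.0.5",
           "nw_dst": "10.0.0.80", "tp_dst": 80}
    bad = {"dl_type": 0x0800, "nw_proto": 17, "nw_src": "192.0.2.7",
           "nw_dst": "10.0.0.53", "tp_dst": 53}      # blocked host wins over the DNS entry
    arp = {"dl_type": 0x0806, "dl_src": "00:00:5e:00:53:01"}

    return {
        "dns": t.process(dns, 90),
        "dns_again": t.process(dns, 110),
        "web": t.process(web, 1500),
        "bad": t.process(bad, 60),
        "arp": t.process(arp, 42),
        "dns_stats": (t.lookup(dns).packets, t.lookup(dns).bytes),
        "packet_in": len(t.packet_in),
    }
```

The point the demo makes is the one a security engineer cares about: priority, not installation order, decides which entry a packet hits, so a "drop this host" entry must carry a higher priority than any more specific forwarding entry it is supposed to override.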
SDN = Still Don’t kNow?
SDN is All about…
Network programmability: API interaction with network elements
Separated control plane and forwarding plane: the forwarding plane can be software or hardware; the control plane is agnostic to the underlying hardware
Network topology derived from the application: this is how SDN differs from switched networks
Vendor independence: open and standardized interfaces
How does SDN work?
Traditional Interaction Model
Every network device can be understood to have an INDEPENDENT Intelligence Entity and a Functional Engine.
Configuration, command & control uses a communication channel between the network administrator and the Intelligence Entity on board the network device.
[Figure: one network device, a Brocade ICX 6610-24P switch front panel]
Network Command & Control
Source: Brocade, "SDN: Creating Intelligent LAN Infrastructures"
What's the Problem with the Traditional Model?
[Figure: many Brocade ICX 6610-24P switches, each managed separately]
The larger the network, the more INDEPENDENT devices you need to manage.
Network Command & Control
Each device:
- makes its switching & routing decisions independently
- makes its forwarding & filtering decisions independently
- treats security policies, VLANs, QoS policies, port policies, etc. INDEPENDENTLY
How can we make this easier? Is there a way to make them all operate as a cohesive group?
What’s the Solution?
Software Defined Networking separates the Intelligence Entity from the Functional Engine and creates a virtualized Command & Control "proxy" in the form of a Controller (the SDN Controller).
[Figure: one SDN Controller commanding all of the switches]
Network Command & Control
SDN Use Cases & Applications
Google B4 WAN
Motivation: WAN Cost Components
Hardware: routers, transport gear, fiber
Standard practice: overprovisioning; shortest-path routing; slow convergence time; maintaining SLAs despite failures; no traffic differentiation
Operational expenses / human costs: box-centric versus fabric-centric views
Google's WAN: B4
Google inter-datacenter traffic:
  a. User data copy
  b. Remote storage access
  c. Large-scale data push for state synchronization
  Volume: a < b < c; latency sensitivity: a > b > c; priority: a > b > c
B4 characteristics: elastic bandwidth demands; moderate number of sites; end-application control; cost sensitivity
B4 Overview
Source: B4 (SIGCOMM’13)
B4 Operations:
  Simultaneously support standard routing protocols and centralized traffic engineering.
  Control at the network edge to adjudicate among competing bandwidth demands.
  Use multiple forwarding paths to leverage available network capacity.
  Dynamically reallocate bandwidth in the face of link/switch failures or shifting application demands.
Link utilization: traditional 30-40%; B4 around 95%
B4 Usage & TE Example
Flow Group (FG): site-to-site flow aggregation with multipath forwarding
Tunnel Group (TG): a fraction of the FG is forwarded along each tunnel
Source: B4 (SIGCOMM'13)
Source: OpenFlow @ Google (ONS 2012)
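What "a fraction of the FG is forwarded along each tunnel" and "dynamically reallocate bandwidth on link/switch failure" look like mechanically, as an added example for this page. It is not code from the B4 paper, from Google, or from the slides, and it deliberately stops short of B4's bandwidth-allocation algorithm: the tunnel names, fractions and the hash-based flow pinning are illustrative assumptions.

```python
# Added example, not from the B4 paper or the slides: how a Tunnel Group (TG)
# splits a Flow Group (FG) across tunnels, pins each flow to one tunnel, and
# re-splits when a tunnel fails. Tunnel names and fractions are invented.
import hashlib
from collections import Counter


def check_fractions(tg: dict) -> None:
    """A TG is {tunnel_name: fraction}; the fractions must sum to 1."""
    if not tg:
        raise ValueError("empty tunnel group")
    total = sum(tg.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"tunnel fractions sum to {total:.3f}, not 1")


def split_demand(demand_gbps: float, tg: dict) -> dict:
    """Bandwidth of the FG carried by each tunnel of the TG."""
    check_fractions(tg)
    return {name: demand_gbps * frac for name, frac in tg.items()}


def fail_tunnel(tg: dict, failed: str) -> dict:
    """Drop a failed tunnel and renormalise the rest: the simplest form of
    reallocating bandwidth when a link or switch on that tunnel fails."""
    remaining = {n: f for n, f in tg.items() if n != failed}
    if not remaining:
        raise ValueError("tunnel group has no surviving tunnel")
    total = sum(remaining.values())
    return {n: f / total for n, f in remaining.items()}


def pick_tunnel(tg: dict, five_tuple: tuple) -> str:
    """Hash a flow's 5-tuple onto the [0, 1) line and pick the tunnel whose
    cumulative fraction covers it, so one flow never straddles two paths
    (which would reorder its packets)."""
    check_fractions(tg)
    digest = hashlib.sha256(repr(five_tuple).encode()).digest()
    point = int.from_bytes(digest[:8], "big") / 2**64
    acc = 0.0
    name = next(iter(tg))
    for name, frac in tg.items():
        acc += frac
        if point < acc:
            return name
    return name   # float rounding at the very end of the line


def observed_split(tg: dict, n_flows: int) -> dict:
    """Fraction of n_flows synthetic flows that land on each tunnel."""
    counts = Counter(
        pick_tunnel(tg, ("10.1.0.1", f"10.2.0.{i % 250}", 6, 40000 + i, 443))
        for i in range(n_flows)
    )
    return {name: counts[name] / n_flows for name in tg}
```

Note the trade-off this exposes: per-flow hashing keeps packet order but only approximates the target fractions, and the approximation is only as good as the number of flows; a few elephant flows will skew it regardless of the fractions the TE system computed.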
NEC ProgrammableFlow VTN
VTN Information Model
Source: “NEC’s ProgrammableFlow NBI: VTN Model & Use-cases”
VTN Example
Source: “NEC’s ProgrammableFlow NBI: VTN Model & Use-cases”
VTN Feature Sets & Policies
Virtual Network Provisioning: VTN design (add/delete/change); VTN model operation (add/delete/change)
vFilter, flow control in a VTN: 12-tuple based flow filter; QoS control in the virtual network; ACL (e.g., drop); redirect (service chaining); apply to the whole VTN or
Virtual Network Monitoring: VTN information collection (traffic/port/link statistics, failure events & alarms, controller status)
Port/VLAN/MAC mapping
ProgrammableFlow VTN Use Case
VTN for Kanazawa University Hospital
OpenDefenseFlow (Defense4All in OpenDaylight)
DDoS Impact on Business
[Figure: a botnet of zombie hosts flooding a business's servers]
DDoS Overview
Distributed denial-of-service (DDoS) attacks target network infrastructures or computer services by sending an overwhelming number of service requests to the server from many sources.
Server resources are used up serving the fake requests, resulting in denial or degradation of service for legitimate requests.
Addressing DDoS attacks:
  Detection: detect the incoming fake requests
  Mitigation:
    Diversion: send the traffic to a specialized device that removes the fake packets from the traffic stream while retaining the legitimate packets
    Return: send the clean traffic back to the server
OpenDefenseFlow Overview
[Figure: the OpenDefenseFlow application (Defense4All) sits in the SDN application layer and talks over an API to the SDN Controller, which programs the SDN data plane over the OpenFlow API; DefensePro mitigation devices attach to the data plane. Caption: "The SDN Application That Programs Networks for DDoS Protection"]
Source: OpenDefenseFlow proposal overview for OpenDaylight
OpenDefenseFlow: Anti-DDoS SDN Security Application
[Figure: DefenseFlow running on the SDN Controller, with a DefensePro (or equivalent) mitigation device between the Internet and the servers. Steps shown: security service provisioning; programmable probe (collect): create baselines per IP address, protocol & service (port); detection (analyze & decide); "Attack!!!"; configure DefensePro with the learned baselines; "flow diversion" (control)]
Source: OpenDefenseFlow proposal overview for OpenDaylight
OpenDefenseFlow on OpenDaylight
OpenDefenseFlow Architecture
Flow entry in OpenFlow v1.0: Match Fields | Priority | Counters
Statistics Service:
  addCounter(selector)
  readCounter(selector)
  removeCounter(selector)
  resetCounter(selector)
Statistics Service: Counter Smart Placement
OpenDefenseFlow Architecture
Redirection Service:
  redirectTraffic(selector, devices[])
  mirrorTraffic(selector, devices[])
[Figure: (a) Redirection, (b) Mirroring]
Traffic Redirection for Attack Mitigation
OpenDefenseFlow Architecture
Anomaly Detection:
  Builds peace-time (normal) traffic baselines
  Identifies deviations from the normal traffic baselines
  Pluggable system to support multiple vendors, different detection techniques, extensibility (detect new attacks), etc.
OpenDefenseFlow Architecture
Mitigation Driver:
  Configures the external mitigation device(s), e.g., passes the learned baseline to the device to expedite detection
  Configures the network such that the suspicious traffic (and only the suspicious traffic) is diverted to a suitable mitigation device
  Monitors the external mitigation device(s), e.g., for "attack ended"
  After the attack, restores the network to its original configuration
Vendor independent: interested vendors can connect to the system by writing a Mitigator Driver (think of device drivers in an OS)
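The detection-to-diversion loop the last two slides describe, as an added example written for this page; it is not Defense4All's code. Baselines are built per protected object (IP address, protocol, port) from counter readings in peace time, a live reading that exceeds mean + k·sigma triggers a redirect entry for that object only, and the entry is removed when the reading returns to normal. The readings, the sigma multiplier k = 3, the 5%-of-mean noise floor and the scrubber port are constructed assumptions.

```python
# Added example, not Defense4All's code: a peace-time baseline per protected
# object, a deviation check, and the redirect entries a mitigation driver would
# install. Counter readings are constructed; k, the noise floor and the port are assumed.
import statistics
from collections import defaultdict

# A "protected object" as the slide baselines it: (IP address, IP protocol, port).
WEB = ("10.0.0.80", 6, 80)
DNS = ("10.0.0.53", 17, 53)
SSH = ("10.0.0.9", 6, 22)        # never baselined: shows the blind spot

# (phase, selector, packets-per-second read from a Statistics Service counter)
SAMPLES = (
    [("peace", WEB, pps) for pps in (1000, 1100, 950, 1050, 1000, 980, 1020)]
    + [("peace", DNS, pps) for pps in (200, 210, 190, 205, 200)]
    + [("live", WEB, 1050), ("live", DNS, 205),
       ("live", WEB, 9000),           # flood: well above baseline
       ("live", WEB, 9500),           # still flooding, already diverted
       ("live", SSH, 50000),          # flood on an object with no baseline
       ("live", WEB, 1000)]           # attack ended
)


class AnomalyDetector:
    def __init__(self, k: float = 3.0, min_samples: int = 5) -> None:
        self.k = k
        self.min_samples = min_samples
        self.baseline = defaultdict(list)

    def learn(self, selector, pps: float) -> None:
        self.baseline[selector].append(pps)

    def threshold(self, selector):
        s = self.baseline.get(selector, [])
        if len(s) < self.min_samples:
            return None                    # no baseline: cannot judge
        mean = statistics.fmean(s)
        sd = statistics.pstdev(s)
        # floor the spread at 5% of the mean so a flat baseline tolerates noise
        return mean + self.k * max(sd, 0.05 * mean)

    def is_anomalous(self, selector, pps: float) -> bool:
        t = self.threshold(selector)
        return t is not None and pps > t


class MitigationDriver:
    """Vendor-neutral stand-in: diverts only the suspicious object's traffic."""
    def __init__(self, scrubber_port: int) -> None:
        self.scrubber_port = scrubber_port
        self.diverted = {}

    def divert(self, selector) -> dict:
        ip, proto, port = selector
        entry = {"priority": 100,
                 "match": {"dl_type": 0x0800, "nw_dst": ip,
                           "nw_proto": proto, "tp_dst": port},
                 "actions": [("output", self.scrubber_port)]}
        self.diverted[selector] = entry
        return entry

    def restore(self, selector) -> None:
        self.diverted.pop(selector, None)   # delete the entry; normal path resumes


def run(samples, detector: AnomalyDetector, driver: MitigationDriver) -> list:
    events = []
    for phase, sel, pps in samples:
        if phase == "peace":
            detector.learn(sel, pps)
        elif detector.is_anomalous(sel, pps):
            if sel not in driver.diverted:
                driver.divert(sel)
                events.append(("divert", sel))
        elif sel in driver.diverted:
            driver.restore(sel)
            events.append(("restore", sel))
    return events


def demo():
    detector = AnomalyDetector()
    driver = MitigationDriver(scrubber_port=7)
    events = run(SAMPLES, detector, driver)
    return events, detector, driver
```

Two things the run shows that the slide only implies: the SSH flood is never diverted because nothing was ever baselined for that object (an anomaly detector only covers what it was told to watch), and a selector that stays above threshold is not re-diverted, so the driver must track what it has installed to restore the network cleanly afterwards.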
OpenDefenseFlow: Unique Value Proposition
Scalable, precise and fast attack/anomaly detection
Utilizes native SDN programming for attack traffic diversion
Lower solution cost: statistics collection without costly specialized hardware detectors; simple attack diversion (no need for BGP injection or GRE tunnels)
Centralized control allows efficient management of mitigation resources, monitoring and reporting
Extensible: add detection algorithms; add mitigation devices
Flow Information Collection in a Conventional Network
NetFlow record (extended as IETF IPFIX):
  Input interface index (as used by SNMP)
  Output interface index
  Timestamps for the flow start and finish time
  Number of bytes and packets observed
  Layer 3/4 header fields: source & destination IP addresses; source and destination port numbers for TCP, UDP, SCTP; ICMP type and code; IP protocol; Type of Service (ToS) value
  The union of all TCP flags observed over the life of the flow
  Layer 3 routing information: IP address of the immediate next hop along the route to the destination; source & destination IP masks (prefix lengths in CIDR notation)
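A decoder for the record layout listed above, as an added example for this page (not from the slides or from any collector product). NetFlow v5 is the fixed-format version that carries exactly these fields; the two heuristics at the end (half-open SYN flows and top targets by packet count) are the simplest things a conventional, NetFlow-based detector computes. The datagram is constructed inline, not captured, and the addresses, interface indices and flag values are assumptions.

```python
# Added example: decode NetFlow v5 export datagrams (the record layout the slide
# lists; IPFIX is its templated successor) and run the simplest flood heuristics
# over the records. The datagram is constructed here, not captured.
import socket
import struct
from collections import Counter

HDR = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
MAX_RECORDS = 30                                 # v5 limit per datagram


def parse_netflow_v5(data: bytes) -> list:
    """Returns one dict per flow record; rejects malformed input instead of
    trusting the count field, since exports arrive over unauthenticated UDP."""
    if len(data) < HDR.size:
        raise ValueError("datagram shorter than v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = HDR.unpack_from(data)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if count > MAX_RECORDS or len(data) < HDR.size + count * REC.size:
        raise ValueError("record count inconsistent with datagram length")
    records = []
    for i in range(count):
        f = REC.unpack_from(data, HDR.size + i * REC.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]),            # L3 routing info
            "in_if": f[3], "out_if": f[4],                # SNMP ifIndex
            "packets": f[5], "bytes": f[6],
            "first_ms": f[7], "last_ms": f[8],            # sysUptime at start/end
            "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13], "tos": f[14],
            "src_mask": f[17], "dst_mask": f[18],         # CIDR prefix lengths
        })
    return records


def build_netflow_v5(flows: list, seq: int = 0) -> bytes:
    """Encoder used only to construct the sample datagram below."""
    if len(flows) > MAX_RECORDS:
        raise ValueError("v5 carries at most 30 records per datagram")
    body = b"".join(
        REC.pack(socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
                 socket.inet_aton("10.0.0.1"), 1, 2, f["packets"], f["bytes"],
                 0, 1000, f["sport"], f["dport"], 0, f["tcp_flags"], f["proto"],
                 0, 0, 0, 24, 24, 0)
        for f in flows)
    return HDR.pack(5, len(flows), 1000, 1_700_000_000, 0, seq, 0, 0, 0) + body


SYN, ACK = 0x02, 0x10


def syn_only_flows(records: list) -> list:
    """Flows whose union of TCP flags is SYN without ACK: the handshake never
    completed. Many of these, one packet each, toward one port is the SYN-flood
    signature; tune thresholds against your own baseline before trusting it."""
    return [r for r in records
            if r["proto"] == 6 and r["tcp_flags"] & SYN and not r["tcp_flags"] & ACK]


def top_targets(records: list, n: int = 3) -> list:
    """Destinations ranked by packet count: (dst, proto, dport) -> packets."""
    c = Counter()
    for r in records:
        c[(r["dst"], r["proto"], r["dport"])] += r["packets"]
    return c.most_common(n)


def sample_datagram() -> bytes:
    """Constructed: 3 legitimate web sessions plus 25 spoofed half-open SYNs."""
    legit = [{"src": f"10.0.1.{i}", "dst": "10.0.0.80", "sport": 50000 + i,
              "dport": 80, "proto": 6, "tcp_flags": 0x1b, "packets": 20, "bytes": 9000}
             for i in range(3)]
    flood = [{"src": f"198.51.100.{i}", "dst": "10.0.0.80", "sport": 1024 + i,
              "dport": 80, "proto": 6, "tcp_flags": SYN, "packets": 1, "bytes": 60}
             for i in range(25)]
    return build_netflow_v5(legit + flood, seq=42)
```

The length and count checks are not pedantry: a collector that trusts the count field on a UDP datagram reads past the buffer, and that is the kind of parser bug that turns a monitoring tool into an attack surface. This is also where the comparison slide's "slow, 5 minutes" comes from: records are exported only when a flow ages out or its cache entry expires, so the detector sees the flood one export interval late.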
Conventional DDoS Mitigation with NetFlow
NetFlow: records of all flows passing through a specific router interface
[Figure: NetFlow records exported from the router to a detector, followed by BGP/GRE-based diversion to a scrubbing center]
NetFlow vs. OpenDefenseFlow (conventional network vs. SDN)

Capability                         NetFlow-based Mitigation                                   OpenDefenseFlow
Detection of network DDoS floods   Full coverage                                              Full coverage
Mitigation response time           Slow (about 5 min)                                         Immediate (seconds)
Network operation                  Complicated: requires BGP announcement, GRE tunneling      Simple: diversion is a network service
                                   and several detectors
Diversion traffic granularity      Low granularity (inaccurate)                               High granularity: divert only suspicious traffic
Cost                               Expensive: hardware detectors, a scrubbing center,         Low cost
                                   router CPU and ports consumed

Conventional: slow, complicated, inaccurate, expensive.
OpenDefenseFlow Scope
OpenDefenseFlow (Defense4All) will provide the following:
  An implementation of the Anomaly Detection subsystem, including a vendor-independent framework for plugging in different detection algorithms and a reference implementation of such a detection plug-in. This sample detector will be able to handle common DoS attacks and will serve as an example for developers of more sophisticated detectors.
  An implementation of the Mitigation Driver subsystem, including a vendor-independent framework for plugging in different mitigation devices and a reference implementation of such a mitigator plug-in.
  An OSGi bundle for the Statistics Service subsystem, including a REST API
  An OSGi bundle for the Traffic Redirection Service subsystem, including a REST API
  The OpenDefenseFlow API
Firewall Migration
Firewall and Firewall Migration
Firewall (FW): comprehensive, powerful functions (packet filtering, NAT, routing, proxy, VPN, etc.) with product-dependent configuration and management
Firewall migration: a challenging task where "the devil is in the details". Challenges come from:
  Many, many rules
  Different policy definition manners, e.g., zone-based vs. single-zone policies
  Interpretation errors of the migration tool
  Human errors: manual rule translation & validation; unfamiliarity with the firewall's default behavior
Conventional Firewall Migration Strategies
Big-bang strategy: a new firewall completely replaces the old one.
  Higher risk: finished progress is either 0% or 100%
  Lower complexity
  Unpredictable migration time, due to the high risk
Re-addressing strategy: the new firewall coexists with the old one, migrating services step by step.
  Lower risk
  Higher complexity: requires topology redesign and IP re-addressing
  Time-consuming
Is there a novel strategy with lower risk and lower complexity?
A Simple Network
[Figure: conventional network with a firewall; the target flow is highlighted]
Rule subset of the firewall (Firewall Rules):
SRC IP          DEST IP         DST Port   Action
155.66.77.11    172.32.32.32    80         Drop
155.66.77.12    172.32.32.32    80         Drop
155.66.77.13    172.32.32.32    80         Permit
Target Flow: the traffic these rules cover
Source: Ethereal.com
Goal of Firewall Migration: how to divert the target flow to the new path?
Most routers do not support policy-based routing (PBR) with line-rate forwarding.
Idea: firewalls and SDN are both about flows.
Source: Ethereal.com
OpenFlow for Firewall Migration
Introduce SDN-enabled switches and a controller.
Source: Ethereal.com
SDN-based Firewall Migration
Build the FW Migration App:
1. The app reads the configuration from the old firewall and parses the configuration into rules. (Manual selection)
2. The app translates the rules, then loads the firewall rules into the new firewall. (Manual checking and validation)
3. Flow cutover: the OpenFlow forwarding rules are sent to the OpenFlow switches (OF1, OF2). (Manual testing)
Example flow entry in OF1:
Switch Port  MAC src  MAC dst  Eth type  VLAN ID  IP Src  IP Dst        IP Prot  TCP sport  TCP dport  Action
*            *        *        *         *        *       172.32.32.32  *        *          80         port2
Source: Ethereal.com
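The three steps of the migration app, run end to end on the slide's rule subset, as an added example for this page (not the ITRI app's code and not a real firewall's export format). Step 1 parses the old firewall's rules and refuses anything it cannot interpret, step 2 produces the ordered rule list for the new firewall with the old default made explicit, and step 3 emits the OpenFlow 1.0 entries for switch OF1 that cut the target flow over, including the one the slide shows (IP Dst 172.32.32.32, TCP dport 80, output port 2). The export syntax, the port numbers (old firewall on port 1, new on port 2), the default-drop action and the reverse-path entry are assumptions made for illustration.

```python
# Added example, not the ITRI migration app: the three steps on the slide run on
# its rule subset. The old firewall's export format, the switch port numbers, the
# default action and the reverse entry are assumptions made for illustration.
import ipaddress

OLD_FW_EXPORT = """\
# constructed export of the old firewall (format assumed)
rule 10 from 155.66.77.11 to 172.32.32.32 port 80 proto tcp action drop
rule 20 from 155.66.77.12 to 172.32.32.32 port 80 proto tcp action drop
rule 30 from 155.66.77.13 to 172.32.32.32 port 80 proto tcp action permit
"""
PROTO = {"tcp": 6, "udp": 17}


def parse_old_rules(text: str) -> list:
    """Step 1: parse the export into rules; anything unparsed is raised for the
    manual selection the slide calls for, never silently skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t = line.split()
        if (len(t) != 12 or t[0] != "rule" or t[9] not in PROTO
                or t[11] not in ("drop", "permit")):
            raise ValueError(f"needs manual translation: {line}")
        rules.append({"seq": int(t[1]), "src": ipaddress.ip_network(t[3]),
                      "dst": ipaddress.ip_network(t[5]), "dport": int(t[7]),
                      "proto": PROTO[t[9]], "action": t[11]})
    return rules


def translate(rules: list, default_action: str = "drop") -> list:
    """Step 2: order the rules for the new firewall and append the old
    firewall's implicit default as an explicit last rule, so its default
    behaviour is carried over rather than assumed (a listed migration error)."""
    new = [dict(r, src=str(r["src"]), dst=str(r["dst"]))
           for r in sorted(rules, key=lambda r: r["seq"])]
    new.append({"seq": 65535, "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
                "dport": None, "proto": None, "action": default_action})
    return new


def cutover_entries(rules: list, old_fw_port: int, new_fw_port: int) -> list:
    """Step 3: OpenFlow 1.0 entries for switch OF1. Only the flows the migrated
    rules cover go to the new firewall; a low-priority default keeps everything
    else on the old path. The reverse entry keeps return traffic on the same
    (stateful) firewall; the slide shows only the forward entry."""
    entries = [{"priority": 0, "match": {}, "actions": [("output", old_fw_port)]}]
    targets = {(r["dst"], r["proto"], r["dport"]) for r in rules if r["proto"]}
    for dst, proto, dport in sorted(targets):
        entries.append({"priority": 100,
                        "match": {"dl_type": 0x0800, "nw_dst": dst,
                                  "nw_proto": proto, "tp_dst": dport},
                        "actions": [("output", new_fw_port)]})
        entries.append({"priority": 100,
                        "match": {"dl_type": 0x0800, "nw_src": dst,
                                  "nw_proto": proto, "tp_src": dport},
                        "actions": [("output", new_fw_port)]})
    return entries


def output_port(entries: list, pkt: dict) -> int:
    """Which port OF1 sends a packet to: the highest-priority matching entry."""
    def hit(match):
        for k, v in match.items():
            p = pkt.get(k)
            if k in ("nw_src", "nw_dst"):
                if p is None or ipaddress.ip_address(p) not in ipaddress.ip_network(v):
                    return False
            elif p != v:
                return False
        return True
    best = max((e for e in entries if hit(e["match"])), key=lambda e: e["priority"])
    return best["actions"][0][1]


def demo() -> dict:
    rules = translate(parse_old_rules(OLD_FW_EXPORT))
    entries = cutover_entries(rules, old_fw_port=1, new_fw_port=2)
    web = {"dl_type": 0x0800, "nw_src": "155.66.77.13", "nw_dst": "172.32.32.32",
           "nw_proto": 6, "tp_dst": 80}
    reply = {"dl_type": 0x0800, "nw_src": "172.32.32.32", "nw_dst": "155.66.77.13",
             "nw_proto": 6, "tp_src": 80}
    https = dict(web, tp_dst=443)
    return {"rules": rules, "entries": entries,
            "web": output_port(entries, web), "reply": output_port(entries, reply),
            "https": output_port(entries, https)}
```

Order of operations matters for safety: install the step-3 entries only after the step-2 rules have been loaded and validated on the new firewall, and delete them (so the priority-0 default takes over again) if the manual test fails; the cutover is reversible precisely because the diversion lives in the switch and not in the addressing plan.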
ITRI VLAN Migration
Motivation of VLAN Migration
Rich services/departments: WiFi, U-bike, surveillance system, access control system, ...
Legacy L2 switches generally support (only) port-based VLAN
Managing port-based VLAN is complex and time-consuming
VLAN Migration at ITRI ITSC
Goal: to reduce operational expense (OPEX)
Flexible VLAN partition rules: port, MAC address, IP address, ...
One-shot configuration
Replacing access switches
Concluding Remarks
Potential Innovative Issues
Wired/wireless network resource management: "IEEE tutorial: wireless SDN in access and backhaul"
Application-aware traffic engineering
Efficient/scalable network state monitoring: device, application, switch/link loading, flow table usage, ...
Protocol-independent forwarding: "P4: programming protocol-independent packet processors"
Security applications: unified access control, IDS, DDoS protection, ...
Security of SDN: "OpenFlow: A Security Analysis"
SDN Brings Network Programmability, Flexibility and Agility
There will be many more SDN/NFV innovations!
Thank You !