SDN Applications and Use Cases

Copyright 2015 ITRI (Industrial Technology Research Institute), Information and Communications Research Laboratories, Broadband Network and System Integration Technology Division, 許名宏

Page 1

SDN Applications and Use Cases

許名宏, ITRI Information and Communications Research Laboratories, Broadband Network and System Integration Technology Division

Page 2

Speaker Biography

• National Taiwan University, Department of Computer Science and Information Engineering, Bachelor (B87)
• National Taiwan University, Graduate Institute of Computer Science and Information Engineering, Ph.D., Information Retrieval (IR)
• Industrial Technology Research Institute (ITRI), Engineer, 2011 to present
• Zhudong (Chung Hsing campus) and Liujia (Southern branch campus)

Page 3

Outline

• SDN Basics
• SDN Use Cases & Applications
  – Google B4 WAN
  – NEC VTN
  – OpenDefenseFlow
  – Firewall Migration
  – ITRI VLAN Migration
• Concluding Remarks

Page 4

Outline

• SDN Basics
• SDN Use Cases & Applications
  – Google B4 WAN
  – NEC VTN
  – OpenDefenseFlow
  – Firewall Migration
  – ITRI VLAN Migration
• Concluding Remarks

Page 5

What is SDN?

Page 6

OpenFlow 1.0

SDN = OpenFlow? Not exactly.

An OpenFlow-enabled switch holds a Flow Table and an OpenFlow client; the SDN Controller (software) programs that table over the OpenFlow protocol.

Flow Entry = Matching Fields | Actions | Stats

Matching Fields (12-tuple):
• Ingress Port
• MAC DA
• MAC SA
• EtherType
• VLAN ID
• P-bits (VLAN priority)
• IP Src
• IP Dst
• IP Protocol
• IP DSCP
• TCP/UDP src port
• TCP/UDP dst port

Actions:
• Forward packet to a port list
• Add/remove/modify VLAN tag
• Drop packet
• Send packet to the controller

Stats: packet counters, byte counters, etc.
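As an added example (not from the slides), a small flow table in Python built on the twelve OpenFlow 1.0 match fields above: wildcard matching, the 1.0 lookup order (an exact-match entry always wins, then wildcard entries by priority), the per-entry packet and byte counters of the Stats column, and the table-miss case that sends the packet to the controller. The sample entries, addresses and action strings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# The twelve OpenFlow 1.0 match fields listed above; None in a match = wildcard.
FIELDS = (
    "ingress_port", "mac_da", "mac_sa", "ethertype", "vlan_id", "p_bits",
    "ip_src", "ip_dst", "ip_proto", "ip_dscp", "tp_src", "tp_dst",
)


@dataclass
class FlowEntry:
    match: Dict[str, Optional[object]]   # one key per field in FIELDS
    actions: List[str]                   # e.g. "output:3", "set_vlan_vid:20", "drop"
    priority: int = 0
    packet_count: int = 0                # the Stats column: packet counter
    byte_count: int = 0                  # the Stats column: byte counter

    def is_exact(self) -> bool:
        return all(v is not None for v in self.match.values())

    def matches(self, pkt: Dict[str, object]) -> bool:
        return all(v is None or pkt.get(f) == v for f, v in self.match.items())


class FlowTable:
    """Flow table of one OpenFlow 1.0 switch. Lookup follows the 1.0 rule:
    an exact-match entry always wins, wildcard entries are tried by priority."""

    def __init__(self) -> None:
        self.entries: List[FlowEntry] = []

    def add(self, match: Dict[str, object], actions: List[str], priority: int = 0) -> FlowEntry:
        unknown = set(match) - set(FIELDS)
        if unknown:
            raise ValueError(f"not OpenFlow 1.0 match fields: {sorted(unknown)}")
        entry = FlowEntry({f: match.get(f) for f in FIELDS}, list(actions), priority)
        self.entries.append(entry)
        # exact entries first, then highest priority; the sort is stable for ties
        self.entries.sort(key=lambda e: (not e.is_exact(), -e.priority))
        return entry

    def lookup(self, pkt: Dict[str, object], length: int) -> List[str]:
        for entry in self.entries:
            if entry.matches(pkt):
                entry.packet_count += 1      # Stats are updated on every hit
                entry.byte_count += length
                return entry.actions
        # Table miss: an OpenFlow 1.0 switch sends the packet to the controller.
        return ["controller"]


def build_sample_table() -> FlowTable:
    """Constructed sample (assumed addresses): entries a controller might install."""
    table = FlowTable()
    # Wildcard entry: HTTP to the web server leaves port 3 tagged with VLAN 20.
    table.add({"ip_dst": "10.0.0.5", "ip_proto": 6, "tp_dst": 80},
              ["set_vlan_vid:20", "output:3"], priority=10)
    # Higher-priority wildcard entry: one misbehaving source host is dropped.
    table.add({"ip_src": "10.0.0.99"}, ["drop"], priority=100)
    return table


def sample_http_packet() -> Dict[str, object]:
    """Constructed packet header with all twelve fields populated."""
    return {
        "ingress_port": 1, "mac_da": "00:00:00:00:00:05", "mac_sa": "00:00:00:00:00:01",
        "ethertype": 0x0800, "vlan_id": 0, "p_bits": 0,
        "ip_src": "10.0.0.1", "ip_dst": "10.0.0.5", "ip_proto": 6, "ip_dscp": 0,
        "tp_src": 40000, "tp_dst": 80,
    }
```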

Page 7

SDN = Still Don’t kNow?

Page 8

SDN is All about…

• Network Programmability: API interaction with network elements
• Separated Control Plane and Forwarding Plane: the Forwarding Plane can be software or hardware; the Control Plane is agnostic to the underlying hardware
• Network topology derived from the application: this is how SDN is different from switched networks
• Vendor Independence: open and standardized interface

Page 9

How does SDN work?

Page 10

Traditional Interaction Model

Every Network Device can be understood to have an INDEPENDENT
• Intelligence Entity and a
• Functional Engine

Configuration, Command & Control uses a communication channel between the Network Administrator and the Intelligence Entity on board the Network Device.

[Figure: a Brocade ICX 6610-24P switch with its own Network Command & Control channel]

source: Brocade, "SDN – creating intelligent LAN infrastructures"

Page 11

What’s the Problem with the Traditional Model?

[Figure: many Brocade ICX 6610-24P switches, each with its own Network Command & Control channel]

The larger the network… the more INDEPENDENT devices you need to manage.

source: Brocade, "SDN – creating intelligent LAN infrastructures"

Page 12

What’s the Problem with the Traditional Model?

[Figure: many Brocade ICX 6610-24P switches, each with its own Network Command & Control channel]

The larger the network… the more INDEPENDENT devices you need to manage.

• they make their switching & routing decisions independently
• they make their forwarding & filtering decisions independently
• they treat security policies, VLANs, QoS policies, port policies, etc. INDEPENDENTLY

How Can We Make this Easier? Is there a way to make them all operate as a cohesive group?

source: Brocade, "SDN – creating intelligent LAN infrastructures"

Page 13

What’s the Solution?

[Figure: Brocade ICX 6610-24P switches placed under a single SDN Controller that provides Network Command & Control]

Software Defined Networking separates the Intelligence Entity from the Functional Engine and creates a virtualized Command & Control “proxy” in the form of a Controller (the SDN Controller).

source: Brocade, "SDN – creating intelligent LAN infrastructures"

Page 14

What’s the Solution?

[Figure: Brocade ICX 6610-24P switches placed under a single SDN Controller that provides Network Command & Control]

Software Defined Networking separates the Intelligence Entity from the Functional Engine and creates a virtualized Command & Control “proxy” in the form of a Controller (the SDN Controller).

source: Brocade, "SDN – creating intelligent LAN infrastructures"

Page 15

Outline

• SDN Basics
• SDN Use Cases & Applications
  – Google B4 WAN
  – NEC VTN
  – OpenDefenseFlow
  – Firewall Migration
  – ITRI VLAN Migration
• Concluding Remarks

Page 16

Google B4 WAN

Page 17

Motivation: WAN Cost Components

• Hardware: routers, transport gear, fiber
• Standard practice: overprovisioning
  – Shortest path routing
  – Slow convergence time
  – Maintain SLAs despite failures
  – No traffic differentiation
• Operational expenses / human costs: box-centric versus fabric-centric views

Page 18

Google’s WAN: B4

Google inter-datacenter traffic:
a. User data copy
b. Remote storage access
c. Large-scale data push for state synchronizing

Volume: a < b < c
Latency sensitivity: a > b > c
Priority: a > b > c

B4 characteristics
• Elastic bandwidth demands
• Moderate number of sites
• End application control
• Cost sensitivity

Page 19

B4 Overview

Source: B4 (SIGCOMM’13)

B4 Operations
• Simultaneously support standard routing protocols and centralized traffic engineering.
• Control at network edge to adjudicate among competing bandwidth demands.
• Use multiple forwarding paths to leverage available network capacity.
• Dynamically reallocate bandwidth in the face of link/switch failures or shifting application demands.

Link utilization: traditional 30-40%; B4 around 95%

Page 20

B4 Usage & TE Example

• Flow Group (FG): site-to-site flow aggregation; multipath forwarding
• Tunnel Group (TG): a fraction of the FG is forwarded along each tunnel

Source: B4 (SIGCOMM’13)
Source: OpenFlow @ Google (ONS 2012)
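As an added example (not code from the B4 paper or these slides), a Tunnel Group in Python that forwards a configured fraction of a Flow Group along each tunnel by hashing each flow's key into a weighted range, and renormalises the fractions when a tunnel fails, the reallocation on link/switch failure named on the previous slide. The site names, tunnel names, fractions and flow keys are constructed.

```python
import hashlib
from typing import Dict, List, Set, Tuple


class TunnelGroup:
    """Tunnel Group for one site-to-site Flow Group: each tunnel carries a
    fraction of the FG. A flow is pinned to one tunnel by hashing its key, so
    its packets are not spread (and reordered) across tunnels, while the hash
    ranges reproduce the configured split over many flows."""

    def __init__(self, flow_group: Tuple[str, str], fractions: Dict[str, float]) -> None:
        if any(f < 0 for f in fractions.values()) or abs(sum(fractions.values()) - 1.0) > 1e-9:
            raise ValueError("tunnel fractions must be non-negative and sum to 1")
        self.flow_group = flow_group
        self.fractions = dict(fractions)
        self.failed: Set[str] = set()

    def active_fractions(self) -> Dict[str, float]:
        """Fractions over the tunnels still up, renormalised to sum to 1."""
        live = {t: f for t, f in self.fractions.items() if t not in self.failed}
        total = sum(live.values())
        if total <= 0:
            raise RuntimeError(f"no usable tunnel left for {self.flow_group}")
        return {t: f / total for t, f in live.items()}

    def select_tunnel(self, flow_key: str) -> str:
        digest = hashlib.sha256(flow_key.encode()).digest()
        point = int.from_bytes(digest[:8], "big") / 2**64     # uniform in [0, 1)
        tunnels = sorted(self.active_fractions().items())
        edge = 0.0
        for tunnel, fraction in tunnels:
            edge += fraction
            if point < edge:
                return tunnel
        return tunnels[-1][0]          # guards against rounding just below 1.0

    def fail_tunnel(self, tunnel: str) -> None:
        self.failed.add(tunnel)

    def repair_tunnel(self, tunnel: str) -> None:
        self.failed.discard(tunnel)

    def split_counts(self, flow_keys: List[str]) -> Dict[str, int]:
        """How many of the given flows land on each live tunnel."""
        counts = {t: 0 for t in self.active_fractions()}
        for key in flow_keys:
            counts[self.select_tunnel(key)] += 1
        return counts


def sample_flow_keys(n: int = 10000) -> List[str]:
    """Constructed 5-tuple keys: n flows from one site to a service at the other."""
    return [f"10.0.{i // 256}.{i % 256}:{40000 + i}->10.1.0.1:443:tcp" for i in range(n)]
```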

Page 21

NEC ProgrammableFlow VTN

Page 22

VTN Information Model

Source: “NEC’s ProgrammableFlow NBI: VTN Model & Use-cases”

Page 23

VTN Example

Source: “NEC’s ProgrammableFlow NBI: VTN Model & Use-cases”

Page 24

VTN Feature Sets & Policies

• Virtual Network Provisioning
  – VTN design (Add/Delete/Change)
  – VTN model operation (Add/Delete/Change)
• vFilter: Flow Control in VTN
  – 12-tuple based flow filter
  – QoS control in virtual network
  – ACL (e.g. drop)
  – Redirect (service chaining)
  – Apply to whole VTN or
• Virtual Network Monitoring
  – VTN information collection (traffic/port/link statistics, failure events & alarms, controller status)
• Port/VLAN/MAC mapping

Page 25

ProgrammableFlow VTN Use Case

VTN for Kanazawa University Hospital

Page 26

OpenDefenseFlow (Defense4All in OpenDaylight)

Page 27

DDoS Impact on Business

[Figure: attack traffic converging on the business from many zombie hosts]

Page 28

DDoS Overview

• Distributed denial-of-service (DDoS) attacks target network infrastructures or computer services by sending an overwhelming number of service requests to the server from many sources.
• Server resources are used up serving the fake requests, resulting in denial or degradation of service for legitimate requests.

Addressing DDoS attacks
• Detection – detect incoming fake requests
• Mitigation
  – Diversion – send traffic to a specialized device that removes the fake packets from the traffic stream while retaining the legitimate packets
  – Return – send the clean traffic back to the server

Page 29

OpenDefenseFlow Overview

[Figure: layered architecture, top to bottom: SDN Applications (the OpenDefenseFlow Application, Defense4All: “The SDN Application That Programs Networks for DDoS Protection”); API; SDN Controller; OpenFlow; SDN Data Plane, with DefensePro mitigation devices attached to the data plane]

Source: OpenDefenseFlow proposal overview for OpenDaylight

Page 30

OpenDefenseFlow – Anti-DDoS SDN Security Application

[Figure: DefenseFlow running on the SDN Controller between the Internet and the protected servers, with DefensePro (or equivalent) as the mitigation device; an “Attack!!!” callout on the incoming traffic]

• Security service provisioning
• Programmable probe – collect: create baselines per IP address, protocol & service (port)
• Detection – analyze & decide: configure DefensePro with the learned baselines
• “Flow Diversion” – control

Source: OpenDefenseFlow proposal overview for OpenDaylight

Page 31

OpenDefenseFlow on OpenDaylight

Page 32

OpenDefenseFlow Architecture

Flow Entry in OpenFlow v1.0: Match Fields | Priority | Counters

Statistics Service
• addCounter(selector)
• readCounter(selector)
• removeCounter(selector)
• resetCounter(selector)

Page 33

Statistics Service – Counter Smart Placement

Page 34

OpenDefenseFlow Architecture

Redirection Service
• redirectTraffic(selector, devices[])
• mirrorTraffic(selector, devices[])

(a) Redirection (b) Mirroring

Page 35

Traffic Redirection for Attack Mitigation

Page 36

OpenDefenseFlow Architecture

Anomaly Detection
• Builds peace-time (normal) traffic baselines
• Identifies deviations from normal traffic baselines
• Pluggable system to support:
  – Multiple vendors
  – Different detection techniques
  – Extensibility (detect new attacks)
  – etc.

Page 37

OpenDefenseFlow Architecture

Mitigation Driver
• Configures external mitigation device(s)
  – E.g., pass the baseline to the device to expedite detection
• Configures the network such that the suspicious traffic (and only the suspicious traffic) is diverted to a suitable mitigation device
• Monitors external mitigation device(s) – e.g., attack ended
• After attacks, restores the network to its original configuration

Vendor Independent
• Interested vendors can connect to the system by writing a Mitigator Driver (think device drivers in an OS)
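As an added example (not Defense4All's own code), a compact Python model of the subsystems on pages 32 to 37 working together: a Statistics Service with addCounter/readCounter, an Anomaly Detector that learns a peace-time baseline as the mean and standard deviation of a selector's rate and flags deviations, and a Redirection Service whose redirectTraffic installs a rule matching only the protected selector, with the driver loop restoring the network once the attack ends. The 3-sigma rule, the 10% deviation floor, the priority value, the selector and the sample rates are assumptions.

```python
import statistics
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Selector:
    """Protected object: one baseline per IP address, protocol and service port."""
    ip_dst: str
    ip_proto: int
    tp_dst: int


class StatisticsService:
    """Counter samples per selector (pages 32-33); rate samples are fed in by the caller."""

    def __init__(self) -> None:
        self.samples: Dict[Selector, List[float]] = {}

    def addCounter(self, sel: Selector) -> None:
        self.samples[sel] = []

    def record(self, sel: Selector, rate: float) -> None:
        self.samples[sel].append(rate)

    def readCounter(self, sel: Selector) -> float:
        return self.samples[sel][-1]


class AnomalyDetector:
    """Peace-time baseline (page 36) as mean and standard deviation of the rate."""

    def __init__(self, sigmas: float = 3.0) -> None:
        self.sigmas = sigmas            # assumed: 3-sigma rule
        self.baselines: Dict[Selector, Tuple[float, float]] = {}

    def learn(self, sel: Selector, rates: List[float]) -> None:
        if len(rates) < 2:
            raise ValueError("need at least two peace-time samples")
        mean, sd = statistics.mean(rates), statistics.pstdev(rates)
        # assumed 10% floor so a flat baseline does not alarm on ordinary noise
        self.baselines[sel] = (mean, max(sd, 0.1 * mean))

    def threshold(self, sel: Selector) -> float:
        mean, sd = self.baselines[sel]
        return mean + self.sigmas * sd

    def is_anomalous(self, sel: Selector, rate: float) -> bool:
        return rate > self.threshold(sel)


class RedirectionService:
    """Page 34: a high-priority rule matching only the selector, so only that traffic moves."""

    DIVERT_PRIORITY = 1000   # assumed: above the normal forwarding rules

    def __init__(self) -> None:
        self.flow_table: List[Tuple[Selector, int, List[str]]] = []

    def redirectTraffic(self, sel: Selector, devices: List[str]) -> None:
        self.flow_table.append((sel, self.DIVERT_PRIORITY, [f"output:{d}" for d in devices]))

    def restore(self, sel: Selector) -> None:
        self.flow_table = [r for r in self.flow_table if r[0] != sel]


class Defense4AllApp:
    """Mitigation Driver loop (page 37): detect, divert only suspicious traffic, restore after."""

    def __init__(self, mitigators: List[str]) -> None:
        self.stats = StatisticsService()
        self.detector = AnomalyDetector()
        self.redirect = RedirectionService()
        self.mitigators = mitigators
        self.under_attack: Set[Selector] = set()

    def protect(self, sel: Selector, peace_time_rates: List[float]) -> None:
        self.stats.addCounter(sel)
        for rate in peace_time_rates:
            self.stats.record(sel, rate)
        self.detector.learn(sel, peace_time_rates)

    def observe(self, sel: Selector, rate: float) -> str:
        # Feed one new counter sample; the return value names the state transition.
        self.stats.record(sel, rate)
        anomalous = self.detector.is_anomalous(sel, self.stats.readCounter(sel))
        if anomalous and sel not in self.under_attack:
            self.redirect.redirectTraffic(sel, self.mitigators)
            self.under_attack.add(sel)
            return "diverted"
        if not anomalous and sel in self.under_attack:
            self.redirect.restore(sel)      # attack ended: original configuration back
            self.under_attack.discard(sel)
            return "restored"
        return "attack" if anomalous else "peace"


# Constructed sample: one protected web server and its peace-time rate samples (kbit/s).
WEB = Selector("10.0.0.5", 6, 80)
PEACE_RATES = [100.0, 120.0, 110.0, 130.0, 115.0, 105.0, 125.0, 118.0]
```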

Page 38

OpenDefenseFlow – Unique Value Proposition

• Scalable, precise and fast attack/anomaly detection
• Utilize native SDN programming for attack traffic diversion
• Lower solution costs
  – Statistical collection without costly specialized hardware detectors
  – Simple attack diversion (no need to use BGP injection, GRE tunnel)
• Centralized control allows efficient management of mitigation resources, monitoring and reporting
• Extensible
  – Add detection algorithms
  – Add mitigation devices

Page 39

Flow Information Collection in Conventional Network

NetFlow record (extended as IETF IPFIX)
• Input interface index used by SNMP
• Output interface index
• Timestamps for the flow start and finish time
• Number of bytes and packets observed
• Layer 3 headers:
  – Source & destination IP addresses
  – Source and destination port numbers for TCP, UDP, SCTP
  – ICMP Type and Code
  – IP protocol
  – Type of Service (ToS) value
• The union of all TCP flags observed over the life of the flow
• Layer 3 routing information:
  – IP address of the immediate next-hop along the route to the destination
  – Source & destination IP masks (prefix lengths in CIDR notation)

Page 40

Conventional DDoS Mitigation with Netflow

Records of all flows passing through a specific router interface

Page 41

Conventional DDoS Mitigation with Netflow

Page 42

Conventional DDoS Mitigation with Netflow

Page 43

Netflow vs. OpenDefenseFlow (Conventional network vs. SDN)

Capability        | Netflow-based Mitigation                                                                         | OpenDefenseFlow
Detection         | Network DDoS flood attacks: full coverage                                                        | Full coverage
Mitigation        | Mitigation response time: slow (5 min)                                                           | Immediate (seconds)
Network Operation | Requires BGP announcement, GRE tunneling and several detectors: complicated                      | Simple: diversion is a network service
Diversion         | Traffic granularity: low granularity                                                             | High granularity: divert only suspicious traffic
Cost Effective    | Requires hardware detectors, requires a scrubbing center, consumes router CPU and ports: expensive | Low cost

Netflow-based approach in summary: Slow, Complicated, Inaccurate, Expensive

Page 44

OpenDefenseFlow Scope

OpenDefenseFlow (Defense4All) will provide the following:

- An implementation of the Anomaly Detection subsystem, including a vendor-independent framework for plugging in different detection algorithms and a reference implementation of such a detection plug-in. This sample detector will be able to handle common DoS attacks and will serve as an example for developers of more sophisticated detectors.
- An implementation of the Mitigation Driver subsystem, including a vendor-independent framework for plugging in different mitigation devices and a reference implementation of such a mitigator plug-in.
- An OSGi bundle for the Statistics Service subsystem, including a REST API.
- An OSGi bundle for the Traffic Redirection Service subsystem, including a REST API.
- The OpenDefenseFlow API.
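To make the subsystem split concrete, here is an added example (not Defense4All's code and not its API) of a detector plug-in and a mitigator plug-in behind a small control loop: the detector keeps a learned rate baseline per protected object and protocol and flags samples that blow past it, the loop diverts only the (object, protocol) pair that tripped and restores it when the rate calms down, and the baseline is frozen while an anomaly is active so a long flood cannot teach the detector that flooding is normal. The plug-in interfaces, the thresholds, the protected object and the per-interval packet rates are all constructed assumptions standing in for what the Statistics Service would poll from the switches.

```python
"""Detector and mitigator plug-ins behind a Defense4All-style control loop.

Added example, not Defense4All code: the plug-in interfaces, the
rate-baseline reference detector and the diversion calls are illustrative
assumptions about how the subsystems listed above fit together.  The
per-interval packet rates stand in for the per-protected-object flow
statistics the Statistics Service would poll and are constructed inline.
"""
from dataclasses import dataclass, field
from typing import Protocol


@dataclass(frozen=True)
class ProtectedObject:
    name: str
    ip: str


@dataclass(frozen=True)
class Sample:
    po: ProtectedObject
    proto: str        # "tcp" / "udp" / "icmp": counters are kept per protocol
    pps: float        # packets/s toward the protected object in this interval


class Detector(Protocol):                     # plug-in boundary (assumed)
    def observe(self, s: Sample) -> bool: ...


class Mitigator(Protocol):                    # plug-in boundary (assumed)
    def divert(self, po: ProtectedObject, proto: str, interval: int) -> None: ...
    def restore(self, po: ProtectedObject, proto: str, interval: int) -> None: ...


class RateBaselineDetector:
    """Reference detector: an exponentially weighted baseline per (object, proto).
    A sample is anomalous when it exceeds factor x baseline after warm-up.  The
    baseline is not updated from anomalous samples, so a sustained flood cannot
    drag the baseline up until the flood looks normal."""

    def __init__(self, alpha: float = 0.2, factor: float = 3.0, warmup: int = 5):
        self.alpha, self.factor, self.warmup = alpha, factor, warmup
        self.baseline: dict = {}          # (name, proto) -> [ewma, samples_learned]

    def observe(self, s: Sample) -> bool:
        key = (s.po.name, s.proto)
        if key not in self.baseline:
            self.baseline[key] = [s.pps, 1]
            return False
        state = self.baseline[key]
        if state[1] >= self.warmup and s.pps > self.factor * state[0]:
            return True                   # anomalous: do not learn from it
        state[0] = (1 - self.alpha) * state[0] + self.alpha * s.pps
        state[1] += 1
        return False


@dataclass
class LoggingMitigator:
    """Stands in for a mitigation driver; a real one would install redirect flow
    entries so only (object, proto) traffic is steered through the scrubber."""
    log: list = field(default_factory=list)

    def divert(self, po, proto, interval):
        self.log.append(("divert", po.name, proto, interval))

    def restore(self, po, proto, interval):
        self.log.append(("restore", po.name, proto, interval))


class DefenseLoop:
    """Per polling interval: run the detector on every sample, divert newly
    anomalous (object, proto) pairs, restore pairs that have calmed down."""

    def __init__(self, detector: Detector, mitigator: Mitigator):
        self.detector, self.mitigator = detector, mitigator
        self.active: set = set()

    def step(self, interval: int, samples: list) -> set:
        for s in samples:
            key = (s.po.name, s.proto)
            if self.detector.observe(s):
                if key not in self.active:
                    self.mitigator.divert(s.po, s.proto, interval)
                    self.active.add(key)
            elif key in self.active:
                self.mitigator.restore(s.po, s.proto, interval)
                self.active.discard(key)
        return set(self.active)


def run_scenario() -> list:
    """Constructed trace: 8 quiet intervals, a 4-interval TCP flood, 3 quiet ones.
    UDP stays flat throughout, so only TCP toward the object is ever diverted."""
    web = ProtectedObject("web", "172.32.32.32")
    tcp = [1000, 1040, 980, 1020, 1000, 1010, 990, 1000] + [20000] * 4 + [1000] * 3
    udp = [200] * len(tcp)
    mit = LoggingMitigator()
    loop = DefenseLoop(RateBaselineDetector(), mit)
    for i, (t, u) in enumerate(zip(tcp, udp), start=1):
        loop.step(i, [Sample(web, "tcp", t), Sample(web, "udp", u)])
    return mit.log


if __name__ == "__main__":
    for event in run_scenario():
        print(*event)
```

The trace yields a divert at interval 9 and a restore at interval 13, both for TCP only, which is the "divert only suspicious traffic" row of the comparison table in working form. The polling interval, not a flow expiry timer, bounds the reaction time, which is where the "seconds" claim comes from.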

Page 45

Firewall Migration

Page 46

Firewall and Firewall Migration

Firewall (FW):
- Comprehensive, powerful functions: packet filtering, NAT, routing, proxy, VPN, etc.
- Product-dependent configuration and management

Firewall migration: a challenging task where "the devil is in the details". Challenges come from:
- Many, many rules
- Different ways of defining policy, e.g. zone-based vs. single-zone policies
- Interpretation errors of the migration tool
- Human errors: manual rule translation and validation; unfamiliarity with the firewall's default behavior (what happens to traffic no rule matches)

Page 47

Conventional Firewall Migration Strategies

Big bang strategy: a new firewall completely replaces the old one.
- Higher risk: finished progress is either 0% or 100%
- Lower complexity
- Unpredictable migration time, due to the high risk

Re-addressing strategy: the new firewall coexists with the old one.
- Lower risk: services are migrated step by step
- Higher complexity: requires topology re-design and IP re-addressing
- Time-consuming

Is there a novel strategy with lower risk and lower complexity?

Page 48

A Simple Network

Figure: a conventional network with a firewall; the target flow is labelled in the diagram. Source: Ethereal.com

Rule subset of the firewall:

SRC IP        DST IP        DST Port  Action
155.66.77.11  172.32.32.32  80        Drop
155.66.77.12  172.32.32.32  80        Drop
155.66.77.13  172.32.32.32  80        Permit
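Before any flow can be cut over, the rules above have to be read out of the old firewall, normalized, translated and checked, which is where the "devil in the details" lives. The following Python script is an added example (not the ITRI application and not a vendor migration tool) of that work on the rule subset shown: it parses the table as pasted, translates each rule into iptables FORWARD rules as one concrete "new firewall" syntax, makes the default policy explicit because the two products may disagree about unmatched traffic, and refuses to translate a rule set in which a later rule is shadowed by an earlier one, the classic symptom of a misread policy. The old firewall's default action is an assumption passed in by the caller, since the slide does not state it.

```python
"""Rule extraction, translation and validation for a firewall migration app.

Added example, not the ITRI application or a vendor migration tool.  The
input is the rule subset from the slide, pasted as constructed text in its
column order; iptables FORWARD rules are chosen as one concrete target
syntax.  The old firewall's default action is an assumption passed in
explicitly, because the slide does not state it and the new firewall's
default may differ.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

OLD_FIREWALL_RULES = """\
SRC IP        DEST IP        DST Port  Action
155.66.77.11  172.32.32.32   80        Drop
155.66.77.12  172.32.32.32   80        Drop
155.66.77.13  172.32.32.32   80        Permit
"""

ACTIONS = {"permit": "ACCEPT", "drop": "DROP"}


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: int
    action: str               # normalized: "permit" or "drop"


def parse_rules(table: str) -> list:
    """Step 1: turn the old firewall's rule listing into normalized Rule objects."""
    rules = []
    for lineno, line in enumerate(table.splitlines()[1:], start=2):   # line 1 is the header
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 columns, got {len(fields)}")
        src, dst, port, action = fields
        if action.lower() not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules.append(Rule(ip_network(src), ip_network(dst), int(port), action.lower()))
    return rules


def shadowed_rules(rules: list) -> list:
    """Validation: (i, j) pairs where rule i can never match because an earlier
    rule j already covers its whole source, destination and port.  A shadowed
    rule with a different action is a sign the old policy was misread."""
    found = []
    for i, r in enumerate(rules):
        for j in range(i):
            q = rules[j]
            if q.src.supernet_of(r.src) and q.dst.supernet_of(r.dst) and q.dport == r.dport:
                found.append((i, j))
                break
    return found


def to_iptables(rules: list, default_action: str) -> list:
    """Step 2: emit the new firewall's configuration.  The default policy is
    written first and explicitly, so the migrated policy does not silently
    inherit whatever the new product does with unmatched traffic."""
    if default_action not in ACTIONS:
        raise ValueError("default_action must be 'permit' or 'drop'")
    cmds = [f"iptables -P FORWARD {ACTIONS[default_action]}"]
    for r in rules:
        cmds.append(f"iptables -A FORWARD -p tcp -s {r.src} -d {r.dst} "
                    f"--dport {r.dport} -j {ACTIONS[r.action]}")
    return cmds


def migrate(table: str, default_action: str) -> list:
    """Steps 1 and 2 together; refuses to translate a policy with shadowed rules."""
    rules = parse_rules(table)
    if shadowed := shadowed_rules(rules):
        raise ValueError(f"shadowed rules (index, shadowed_by): {shadowed}")
    return to_iptables(rules, default_action)


if __name__ == "__main__":
    print("\n".join(migrate(OLD_FIREWALL_RULES, default_action="drop")))
```

The shadowing check is deliberately conservative: it only flags a rule whose match is a strict subset of an earlier rule on all three fields, so it reports a real unreachable rule and never a false alarm on the ordered, more-specific-first style the slide's rules use.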

Page 49

Goal of Firewall Migration: how to divert the target flow to the new path?

Most routers do not support policy-based routing (PBR) at line-rate forwarding.

Idea: firewalls and SDN are both about flows.

Source: Ethereal.com

Page 50

OpenFlow for Firewall Migration

Introduce SDN-enabled switches & controller

Source: Ethereal.com

Page 51

SDN-based Firewall Migration

Build a FW Migration App:
1. The app reads the configuration from the old firewall and parses it into rules. (Manual selection of the rules to migrate.)
2. The app translates the rules, then loads the firewall rules into the new firewall. (Manual checking and validation.)
3. Flow cutover: the OpenFlow forwarding rules are sent to the OpenFlow switches. (Manual testing.)

Example flow entry in OF1 (OpenFlow 1.0 match fields; * = wildcard):

Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst       | IP Prot | TCP sport | TCP dport | Action
*           | *       | *       | *        | *       | *      | 172.32.32.32 | *       | *         | 80        | port2

Figure: OpenFlow switches OF1 and OF2 in the migrated topology. Source: Ethereal.com
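As an added example (not the migration app's own code), the flow-cutover entry from the table is encoded below as the OpenFlow 1.0 FLOW_MOD message a controller would send, following the ofp_header, ofp_match, ofp_flow_mod and ofp_action_output layouts of that specification version. Two practitioner points the table glosses over: OpenFlow 1.0 only consults the IP destination when dl_type is pinned to 0x0800 and the TCP port when nw_proto is pinned to 6 (Open vSwitch, for one, normalizes such dangling fields out of the match), so both are set even though the table shows them as *; and a stateful new firewall must see both directions of the target flow, so the same function also builds the return-path entry keyed on source address and port. Output port numbers (port 2 on OF1, port 3 for the return path) are assumptions. The function returns bytes; nothing is sent to a switch.

```python
"""OpenFlow 1.0 FLOW_MOD encoder for the flow cutover step.

Added example, not ITRI or controller-framework code.  Offsets follow the
OpenFlow 1.0 specification (ofp_header 8 B, ofp_match 40 B, ofp_flow_mod
fixed part 72 B, ofp_action_output 8 B).  Port numbers are assumptions:
port 2 of OF1 is taken to lead to the new firewall.
"""
import struct
from ipaddress import IPv4Address

OFP10_VERSION, OFPT_FLOW_MOD, OFPFC_ADD = 0x01, 14, 0
OFPAT_OUTPUT, OFPP_NONE, NO_BUFFER = 0, 0xFFFF, 0xFFFFFFFF
ETH_TYPE_IPV4, IPPROTO_TCP = 0x0800, 6

# ofp_match.wildcards bits; the two 6-bit address fields count "low-order
# address bits to ignore" (0 = exact match, >= 32 = whole field wildcarded).
OFPFW_DL_TYPE, OFPFW_NW_PROTO = 1 << 4, 1 << 5
OFPFW_TP_SRC, OFPFW_TP_DST = 1 << 6, 1 << 7
OFPFW_NW_SRC_SHIFT, OFPFW_NW_DST_SHIFT = 8, 14
OFPFW_ALL = (1 << 22) - 1

HEADER = struct.Struct("!BBHI")                   # version, type, length, xid
MATCH = struct.Struct("!IH6s6sHBxHBBxx4s4sHH")    # wildcards .. tp_dst (40 bytes)
FLOW_MOD_TAIL = struct.Struct("!QHHHHIHH")        # cookie .. flags (24 bytes)
ACTION_OUTPUT = struct.Struct("!HHHH")            # type, len, port, max_len


def tcp_flow_mod(out_port: int, *, nw_src=None, nw_dst=None, tp_src=None, tp_dst=None,
                 priority: int = 1000, xid: int = 1) -> bytes:
    """FLOW_MOD(ADD) steering TCP traffic that matches the given IP/port fields to
    out_port.  Unspecified fields are wildcarded, except dl_type and nw_proto,
    which must be pinned for the IP and TCP fields to be consulted at all."""
    wildcards = OFPFW_ALL & ~(OFPFW_DL_TYPE | OFPFW_NW_PROTO)
    src = dst = b"\x00" * 4
    if nw_src is not None:
        wildcards &= ~(0x3F << OFPFW_NW_SRC_SHIFT)
        src = IPv4Address(nw_src).packed
    if nw_dst is not None:
        wildcards &= ~(0x3F << OFPFW_NW_DST_SHIFT)
        dst = IPv4Address(nw_dst).packed
    if tp_src is not None:
        wildcards &= ~OFPFW_TP_SRC
    if tp_dst is not None:
        wildcards &= ~OFPFW_TP_DST
    match = MATCH.pack(wildcards, 0, b"\x00" * 6, b"\x00" * 6, 0, 0,
                       ETH_TYPE_IPV4, 0, IPPROTO_TCP, src, dst, tp_src or 0, tp_dst or 0)
    tail = FLOW_MOD_TAIL.pack(0, OFPFC_ADD, 0, 0, priority, NO_BUFFER, OFPP_NONE, 0)
    action = ACTION_OUTPUT.pack(OFPAT_OUTPUT, ACTION_OUTPUT.size, out_port, 0)
    body = match + tail + action
    return HEADER.pack(OFP10_VERSION, OFPT_FLOW_MOD, HEADER.size + len(body), xid) + body


def decode_flow_mod(msg: bytes) -> dict:
    """Decode the fields worth checking before the entry is pushed to a switch."""
    version, msg_type, length, _xid = HEADER.unpack_from(msg, 0)
    (wildcards, _in_port, _dl_src, _dl_dst, _vlan, _pcp, dl_type, _tos, nw_proto,
     nw_src, nw_dst, tp_src, tp_dst) = MATCH.unpack_from(msg, HEADER.size)
    _cookie, command, _idle, _hard, priority, _buf, _out, _flags = \
        FLOW_MOD_TAIL.unpack_from(msg, HEADER.size + MATCH.size)
    actions, off = [], HEADER.size + MATCH.size + FLOW_MOD_TAIL.size
    while off < length:
        a_type, a_len, port, _max_len = ACTION_OUTPUT.unpack_from(msg, off)
        if a_len < ACTION_OUTPUT.size:
            raise ValueError("malformed action length")
        actions.append((a_type, port))
        off += a_len

    def ignored_bits(shift):      # low-order address bits the switch will ignore
        return (wildcards >> shift) & 0x3F

    return {"version": version, "type": msg_type, "length": length, "command": command,
            "priority": priority, "dl_type": dl_type, "nw_proto": nw_proto,
            "nw_src": str(IPv4Address(nw_src)), "nw_src_ignored_bits": ignored_bits(OFPFW_NW_SRC_SHIFT),
            "nw_dst": str(IPv4Address(nw_dst)), "nw_dst_ignored_bits": ignored_bits(OFPFW_NW_DST_SHIFT),
            "tp_src": tp_src, "tp_src_wild": bool(wildcards & OFPFW_TP_SRC),
            "tp_dst": tp_dst, "tp_dst_wild": bool(wildcards & OFPFW_TP_DST),
            "actions": actions}


# The slide's entry for OF1 (client -> server) and its return-path twin (assumed
# to be installed on the switch nearest the server, output port 3).
FORWARD_ENTRY = tcp_flow_mod(out_port=2, nw_dst="172.32.32.32", tp_dst=80)
RETURN_ENTRY = tcp_flow_mod(out_port=3, nw_src="172.32.32.32", tp_src=80, xid=2)

if __name__ == "__main__":
    for name, entry in (("OF1 forward", FORWARD_ENTRY), ("return path", RETURN_ENTRY)):
        print(name, decode_flow_mod(entry))
```

The forward entry is 80 bytes: the 72-byte fixed part plus one 8-byte output action, with the six nw_dst mask bits cleared (exact match) and the nw_src bits left at 63 (ignore all). Pushing only the forward entry is the cutover mistake to test for manually in step 3: client SYNs reach the new firewall, the server's SYN-ACKs take the old path, and the new firewall drops the rest of the session as unknown.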

Page 52

ITRI VLAN Migration

Page 53

Motivation of VLAN Migration

- Rich services and departments: WiFi, U-bike, surveillance system, access control system, ...
- Legacy L2 switches generally support (only) port-based VLANs
- Managing port-based VLANs is complex and time-consuming

Page 54

VLAN Migration at ITRI ITSC

Goal: to reduce operational expense (OPEX)
- Flexible VLAN partition rules: by port, MAC address, IP address, ...
- One-shot configuration: replacing the access switches

Page 55

Outline

SDN Basics
SDN Use Cases & Applications: Google B4 WAN, NEC VTN, OpenDefenseFlow, Firewall Migration, ITRI VLAN Migration
Concluding Remarks

Page 56

Potential Innovative Issues

- Wired/wireless network resource management ("IEEE tutorial: wireless SDN in access and backhaul")
- Application-aware traffic engineering
- Efficient/scalable network state monitoring: device, application, switch/link loading, flow table usage, ...
- Protocol-independent forwarding ("P4: programming protocol-independent packet processors")
- Security applications: unified access control, IDS, DDoS protection, ...
- Security of SDN ("OpenFlow: A Security Analysis")

Page 57

SDN Brings Network Programmability, Flexibility and Agility

Page 58

There will be many more SDN/NFV innovations!

Page 59

Thank You !