Open vSwitch - workshop.netfilter.org (slide transcript)
Open vSwitch
Justin Pettit, NetFilter Workshop
22 June 2015
Overview
• OVS is a multi-layer switch
• Visibility (NetFlow, sFlow, SPAN/RSPAN)
• Fine-grained ACLs and QoS policies
• Port bonding, LACP, tunneling
• Centralized control through OpenFlow and OVSDB
• Open source
• Multiple ports to physical switches
Where is it used?
• Broad support
– Linux, FreeBSD, NetBSD, Windows, ESX
– KVM, Xen, Docker, VirtualBox, Hyper-V,…
– OpenStack, Cloudstack, OpenNebula,…
• Widely used
– Most popular OpenStack networking backend
– Default network stack in XenServer
– 1440 hits in Google Scholar
– Thousands of subscribers to OVS mailing lists
(Partial) List of Contributors
Who develops OVS?
• 184 contributors listed in AUTHORS
– From 80 unique email domains
• 13 “committers”
• Commits from outside Nicira/VMware growing
– 2012 and 2013: 19%
– 2014: 24%
– 2015 to date: 31%
Software-Defined Networking
• SDN is a method of using software to define networking behavior instead of having it baked into ASICs
• Benefit of having God-like knowledge of the entire system as opposed to cooperatively working with neighbors
• OpenFlow is often used interchangeably with SDN, but SDN does not require OpenFlow
OpenFlow
• Idealized view of a switch’s datapath
• Centralized controller configures flow table
– Lookup based on L2-L4
– Supports full wildcarding and priorities
– Flows associated with actions: forward, drop, modify
– Missed flows go to controller
• Remote visibility
– Description of switch (supported actions, flow tables’ sizes, etc.)
– Statistics (flows, tables, ports)
Main Components
Diagram: in user space, ovsdb-server and ovs-vswitchd; in the kernel, openvswitch_mod.ko. An off-box Control Cluster reaches ovsdb-server over the Management Protocol (6640/TCP) and ovs-vswitchd over OpenFlow (6653/TCP); ovs-vswitchd talks to the kernel module over Netlink.
Flow Complexity
• Many different applications of SDN
– Traffic management (Google-scale)
– Network virtualization (Enterprises and Cloud Providers)
– Security policies (Government Agencies)
• An application can include hundreds of thousands of rules on an OVS instance with dozens of lookups per packet
Forwarding Components
• ovs-vswitchd (slow path)
– Forwarding logic (flow tables)
– Remote configuration and visibility
• Kernel module (fast path)
– Packet lookup, modification, and forwarding
– Tunnel encapsulation/decapsulation
Diagram: the first packet of a flow goes from the OVS kernel module up to ovs-vswitchd in user space; subsequent packets are handled entirely in the kernel module.
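As an added illustration (not code from the slides or from the OVS project), a toy Python model of the OpenFlow lookup described earlier (wildcards, priorities, table miss to the controller) and of the slow-path/fast-path split on this slide: the first packet of a flow misses the exact-match cache and is classified by the slow path, which installs a cache entry so later packets never leave the fast path. All class and field names, and the sample policy, are constructed for this example.

```python
# Added toy model (not OVS code): a priority/wildcard OpenFlow table in the slow
# path and an exact-match cache in the fast path, with an upcall on first packet.
from dataclasses import dataclass, field
FIELDS = ("in_port", "dl_src", "dl_dst", "nw_src", "nw_dst", "nw_proto", "tp_dst")  # cache key
@dataclass(order=True)
class Flow:
    priority: int                              # only field used for ordering
    match: dict = field(compare=False)         # missing key == wildcard
    actions: tuple = field(compare=False)      # e.g. ("drop",), ("output:2",)

class SlowPath:
    """ovs-vswitchd: full OpenFlow classification, highest priority wins."""
    def __init__(self):
        self.table = []
    def add_flow(self, priority, match, actions):
        self.table.append(Flow(priority, dict(match), tuple(actions)))
        self.table.sort(reverse=True)          # highest priority first
    def classify(self, pkt):
        for f in self.table:
            if all(pkt.get(k) == v for k, v in f.match.items()):
                return f.actions
        return ("controller",)                 # table miss: punt to the controller

class FastPath:
    """Kernel module: exact-match cache; a miss is an upcall to the slow path."""
    def __init__(self, slow):
        self.slow, self.cache, self.upcalls, self.hits = slow, {}, 0, 0
    def receive(self, pkt):
        key = tuple(pkt.get(k) for k in FIELDS)
        if key in self.cache:                  # subsequent packets stay in the kernel
            self.hits += 1
            return self.cache[key]
        self.upcalls += 1                      # first packet of this flow
        actions = self.slow.classify(pkt)
        if actions != ("controller",):         # controller decisions are not cached
            self.cache[key] = actions
        return actions

def demo():
    """Constructed ACL-style policy: drop SSH, steer 10.0.0.5 to port 2, else normal."""
    sp = SlowPath()
    sp.add_flow(100, {"nw_proto": 6, "tp_dst": 22}, ["drop"])
    sp.add_flow(10, {"nw_dst": "10.0.0.5"}, ["output:2"])
    sp.add_flow(0, {}, ["normal"])
    fp = FastPath(sp)
    ssh = {"in_port": 1, "nw_src": "10.0.0.9", "nw_dst": "10.0.0.5", "nw_proto": 6, "tp_dst": 22}
    web = {**ssh, "tp_dst": 80}
    results = [fp.receive(p) for p in (ssh, web, ssh, web, web)]
    return results, fp.upcalls, fp.hits        # -> ..., 2 upcalls, 3 cache hits
```

Five packets cost only two slow-path classifications; the remaining three are served from the cache, which is the performance argument behind the slow-path/fast-path design.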
Decoupling
• Decoupling helps
– A number of different SDN applications have been written without requiring changes to OVS.
– A number of new OpenFlow protocols have been added without changes to the kernel
• Flow programming with slow-path/fast-path design often performs better than a fixed pipeline
• NSDI paper on design and implementation:
– http://openvswitch.org/support/papers/nsdi2015.pdf
Kernel Integration
• Kernel is where performance-critical processing is done
• Looking to integrate with other components
– Connection tracking for stateful firewalls
– Load-balancing
– NAT
• Reducing duplication of code
Future Plans
• Focus is on moving up the stack (OVN) and adding more stateful services
• Better integration with the kernel
• Bringing OVS to more platforms