2015 FOSDEM - OVS Stateful Services
•
19 j'aime•5,270 vues
Quick status of OVS community introducing stateful services
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (20)
Similaire à 2015 FOSDEM - OVS Stateful Services
Similaire à 2015 FOSDEM - OVS Stateful Services (20)
Plus de Thomas Graf
Plus de Thomas Graf (8)
Dernier
Dernier (20)
2015 FOSDEM - OVS Stateful Services
- 1. Open vSwitch Stateful Services FOSDEM 2015 Thomas Graf Noiro Networks, Cisco
- 2. Agenda ● Introduction ● Stateful Services – Conntrack – NAT – Queuing ● Q&A
- 3. ● Highly scaleable multi layer virtual switch for hypervisors – Apache License (User Space), GPL (Kernel) ● Extensive flow table programming capabilities – OpenFlow 1.0 – 1.5 (some partial) – Vendor Extensions ● Designed to manage overlay networks – VLAN, VXLAN (+ exts), GRE, Geneve, LISP, STT, ... ● Remote management protocol (OVSDB) ● Monitoring capabilities ● Offloadable to hardware Open vSwitch
- 4. Overlay Networks VM1 VM2 VM3 Open vSwitch VM4 VM5 VM6 Open vSwitch Orchestration Orchestration O pen Flow O VSD B O pen Flow O VSDB Overlay VNET 1 VNET 1VNET 2 VNET 2 NetworkNetwork Compute Node Compute Node
- 5. OpenFlow Match on bits in packet header L2- L4 plus meta data Execute actions ● Forward to port ● Drop ● Send to controller ● Mangle packet 2.2. OpenFlow enables networks to evolve, by giving a remote controller the power to modify the behavior of network devices, through a well-defined "forwarding instruction set". The growing OpenFlow ecosystem now includes routers, switches, virtual switches, and access points from a range of vendors. ONF Website 1.1.
- 6. Programmable Flow Tables ● Extensive flow matching capabilities: – Layer 1 – Tunnel ID, In Port, QoS priority, skb mark – Layer 2 – MAC address, VLAN ID, Ethernet type – Layer 3 – IPv4/IPv6 fields, ARP – Layer 4 – TCP/UDP, ICMP, ND ● One or more actions: – Output to port (port range, flood, mirror) – Discard, Resubmit to table x – Packet Mangling (Push/Pop VLAN header, TOS, ...) – Send to controller, Learn – Set VTEP dIP – Registers
- 7. Architecture ovsdbvswitchd Datapath OpenFlow Kernel User space Management ovs-vsctl Flow Table ovs-dpctl upcall Netlink sFlow To DeviceFrom Device Promiscuous Mode reinject 1 2 (3) 4 5 6 7 Packet Processing Management Workflow ovsdb-tool ovs-ofctl
- 8. Architecture with DPDK ovsdbvswitchd Userspae Datapath OpenFlow Kernel User space Management ovs-vsctl ovs-dpctl sFlow To DeviceFrom Device Packet Processing Management Workflow ovsdb-tool ovs-ofctl Poll Mode Driver
- 9. Megaflows Set of wildcarded flow hash tables in fast path in_port=3 src_mac=02:80:37:ec:02:00, dst_mac=0a:e0:5a:43:b6:a1, vlan=10, eth_type=0x0800 ip_src=10.10.1.1, ip_dst=10.10.1.2, tcp_src=80, tcp_dst=32990, ... in_port=3, src_mac=02:80:37:ec:02:00, dst_mac=0a:e0:5a:43:b6:a1, vlan=10
- 10. Monitoring / Visbility ● ● Netflow ● Port Mirroring ● SPAN ● RSPAN ● ERSPAN
- 11. Quality of Service ● Uses existing Traffic Control Layer ● Policer (Ingress rate limiter) ● HTB, HFSC (Egress traffic classes) ● Controller (Open Flow) can select Traffic Class VM1 Compute Node VM2 ovsbr VLAN 10 port1 port2 1mbit # ovs-vsctl set Interface port2 ingress_policing_rate=1000
- 13. Implementing a Firewall ● OVS has traditionally only supported stateless matches ● As an example, currently, two ways to implement a firewall in OVS – Match on TCP flags (Enforce policy on SYN, allow ACK|RST) ● Pro: Fast ● Con: Allows non-established flow through with ACK or RST set, only TCP – Use “learn” action to setup new flow in reverse direction ● Pro: More “correct” ● Con: Forces every new flow to OVS userspace, reducing flow setup by orders of magnitude – Neither approach supports “related” flows or TCP window enforcement
- 14. Connection Tracking ● We are adding the ability to use the conntrack module from Linux – Stateful tracking of flows – Supports ALGs to punch holes for related “data” channels ● FTP, TFTP, SIP ● Implement a distributed firewall with enforcement at the edge – Better performance – Better visibility ● Introduce new OpenFlow extensions: – Action to send to conntrack – Match fields on state of connection ● Have prototype working. Expect to ship as part of OVS by end of year
- 15. Netfilter Conntrack Integration OVS Flow Table Netfilter Connection Tracker CT Table Userspace Netlink API Create & Update CT entries Connection State (conn_state=) conntrack() Recirculation 1 2 3 4
- 16. Conntrack Example Match Action in_port(1),tcp,conn_state=-tracked conntrack(zone=10),normal in_port(2),tcp,conn_state=-tracked conntrack(recirc,zone=10) in_port(2),tcp,conn_state=+established,+tracked output:1 in_port(2),tcp,conn_state=+new,+tracked drop Conntrack example that only allows port 2 to respond to TCP traffic initiated from port 1:
- 17. Zone 1 Connection Tracking Zones OVS Flow Table CT Table Zone 2 CT Table Netfilter Connection Tracker
- 18. Stateful NAT Overview ● SNAT and DNAT ● Based on connection tracking work ● Leverages stateful NAT mechanism of Netfilter ● Able to do port range and address range mappings to masquerade multiple IPs ● Mapping Modes – Persistent (across reboots) – Hash based – Fully random
- 19. Stateful NAT Flow OVS Flow Table Netfilter Connection Tracker CT Table Create & Update CT entries conntrack() Recirculation 1 2 3 4 Netfilter NAT nat()
- 20. NAT Example Match Action in_port(1),tcp conntrack(zone=10), nat(type=src, min=10.0.0.1, max=10.0.0.255, type=hash) in_port(2),tcp,conn_state=-tracked conntrack(zone=10,recirc) in_port(2),tcp,conn_state=+established nat(reverse) in_port(2),tcp,conn_state=+new drop SNAT all TCP packets on port 1 to the IP range 10.0.0.1/24 with reverse SNAT on port 2:
- 21. Kernel Userspace Stateful services integration: NFQUEUE action OVS Flow Tablenetif_rx NFNETLINK Q App Q Q App App CT Table conn_state=+tracked, conn_mark=0x20 {sync|async} nfqueue(queue=2) L2 reinject skb->mark = 0x10 queue
- 22. Q&A ● More Information: – http://openvswitch.org/ ● Conntrack on GitHub – https://github.com/justinpettit/ovs/tree/conntrack