Containers as reference environment: “Secure Network Bootstrapping Infrastructure” in OpenDaylight
Frank Brockners, Kannan Varadhan, Liming Wei, Y F Siu, Balaji B L, Vijay Anand R
Container Summit, June 5th, 2014
Objectives: Complementing “Existing” with “Open”
Agile development of new, customer-specific functionality: rapid customized innovation / integration (DC, IoT, SP, Enterprise)
– Combine with existing functionality (integrate and co-host several components – Cisco and 3rd-party)
Ease to develop and run: developer-friendly development and runtime environment for new network functions
– Leverage common tooling (OSS/Linux-style)
Evolution not revolution: build on top of / leverage world-class Cisco control and forwarding plane
– Integrate new functions with existing infrastructure rather than move or replace existing functions
Deploy network functions where they run best (performance, scale, ease of use): on the devices, on a server, on a controller – distributed and/or centralized
Competitive differentiation: make network functions (Cisco and 3rd-party) run better on Cisco HW/SW than on any other HW/SW. Create a vNF control point owned by Cisco.
Virtual Network Components: Packaging Options
[Figure: three packaging options for network components (NC), each a stack of NCs on an operating system over a forwarding layer, with orchestration above. Physical Network Appliance: HW/SW forwarding on ASIC, x86, ARM, …; orchestration, management, chaining. Virtual Network Function (VNF): SW forwarding on x86, ARM, hypervisor, …; orchestration, management, lifecycle, chaining; example VNF: Virtual Route Reflector (based on XR-VR). Network Components: HW/SW forwarding on ASIC, x86, ARM, hypervisor, …; orchestration, management, lifecycle, chaining. Legend: packaging options of functionality; NC: Network Component.]
Virtual Network Components … hosted in a Network Container
[Figure: network containers hosting NCs on a physical router/switch, a virtual router/switch and a server/controller, all under one orchestration. The physical and virtual router/switch expose network control plane core functions (routing, sessions, security, …); the controller exposes controller core functions (topology, inventory, security, …); each runs on its operating system.]
Common development and runtime experience for NCs across devices AND controllers AND servers
Cisco Confidential
Open Application Container: Developer Perspective
Common environment for network functions: physical router/switch, virtual router/switch, controller, server/application
Common development experience: Linux-style programming experience; typical networking functions available to the developer as integrated libraries; distributed/centralized/combined NFs
Common runtime experience: run the network function at the most optimal place in the network (device, controller, application server), depending on the NF’s needs (performance, scale, ease of use)
Open ecosystem / open source: orchestration & life-cycle management
[Figure: an Open Application Container hosting a portable network component, with container services for logging, load/unload, HA, scale, storage and update; a data-plane API, forwarding control, routing control, NC-NC comms and topology as hooks into local/remote network functions; underneath, the operating system, the HW/SW data plane and the network control plane.]
Open Source Development Efforts Related to Network Functions
[Figure: layered view of open source efforts related to network functions, with layers labelled “Orchestrate and Manage Life-Cycle”, “Integrate, Package, Manage”, “Develop, Create” and “Abstract Hardware”; Evolved Services Platform (“Mozart”) and OpenNFV are placed among these layers.]
Open Application Container Functionality
Orchestration / life-cycle management system:
– Life-cycle manage the network components in a network container, and the network container itself
– Package management (rpm, yum, …): pull (rpm, yum, …) or push from the cloud (Meraki-style)
– Config (e.g. Chef, Puppet, …)
– Orchestration / service chaining (OpenStack Heat, Flynn, …)
– API framework (model driven)
Operations: support network function operations
Open boot loader (ONIE++)
Authentication; container security; logging; storage access; HA, checkpointing, ISSU
Portable network function APIs
Starting point for the open source project in OpenDaylight: bootstrapping / inter-container comms
Data plane: Open DataPlane API (for HW and SW data plane) – advanced flow programming, data-plane configuration; SW data plane; access to the data plane (hardware/software, incl. software data plane)
Control plane: hooks into the network control plane – OpFlex; Netconf; routing protocols & RIB access (I2RS); subscriber control (I2SS); inter-container comms / “message bus”; DHCP, MDNS, Bonjour, … snooping/proxy; discovery/topology; Netflow; …
POSIX functions, Linux-style interfaces
Motivation: Secure Network Bootstrapping Infrastructure
How do devices get initial secure IP connectivity? Several southbound protocols assume IP connectivity already exists for the control protocol (e.g. OpenFlow, Netconf, …).
How do we ensure devices associate with the “right” controller and get an appropriate IP address to do so? (Join a particular domain)
How do we ensure connectivity to all the devices which have joined a particular domain? (Reachability)
How do we ensure that devices, once connected, do not get silently swapped? (Security)
[Figure: controllers C1 and C2 with forwarding elements FE1–FE6]
Approach: Zero-touch secure connectivity establishment
Fully automatic: incremental discovery and attachment of devices to a network domain
Manufacturer-installed IEEE 802.1AR credentials for device identification
Automatic enrollment of certificates to devices, to secure communication and device identity
Automatic assignment of IP addresses
Virtual out-of-band channel (VOOBC) to connect devices – “hop-by-hop” tunneling
Scalable connectivity (e.g. no star-topology overlay)
Routing over the tunneled network ensures “always-on” reachability in case of topology changes
[Figure: controllers C1 and C2 with forwarding elements FE1–FE6; one failed link marked X]
Nice “side effects”: topology discovery; the virtual out-of-band channel can be used by other control protocols running between controller and forwarding elements (e.g. Netconf, OpenFlow); i.e. we bootstrap the management network over which OpenFlow, Netconf, etc. can run
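The join, addressing, tunnel and swap-detection steps listed on the two slides above, modelled as an added Python example (constructed here; it is not OpenDaylight or Cisco code). It assumes a hypothetical registrar with an allow-list of device serial numbers, uses HMAC with constructed keys in place of the X.509 signatures of real 802.1AR IDevID and enrolled LDevID certificates, and derives ULA addresses from a hash of domain name and serial; the ring of C1, FE1, FE2, FE3 and the failed link reproduce the figure.

```python
"""Toy SNBI-style zero-touch join (constructed example, not OpenDaylight or
Cisco code).  Real IDevID/LDevID credentials are X.509 certificates; here a
keyed hash stands in for the signature so only the standard library is used."""
import hashlib
import hmac
import ipaddress
from collections import deque

# Constructed trust anchors; a real registrar holds the manufacturer CA
# certificate and the domain CA private key instead.
MANUFACTURER_KEY = b"constructed-manufacturer-signing-key"
DOMAIN_CA_KEY = b"constructed-domain-ca-key"
DOMAIN = "example.snbi"  # hypothetical domain name


def _sign(key, *fields):
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def issue_idevid(serial, pubkey):
    """Factory step: the manufacturer binds the serial number to the device key."""
    return {"serial": serial, "pubkey": pubkey, "sig": _sign(MANUFACTURER_KEY, serial, pubkey)}


def assign_address(serial):
    """Deterministic ULA: 40-bit global ID from the domain name, interface ID
    from the serial, so a re-enrolled device always gets the same address."""
    gid = int.from_bytes(hashlib.sha256(DOMAIN.encode()).digest()[:5], "big")
    iid = int.from_bytes(hashlib.sha256(f"{DOMAIN}/{serial}".encode()).digest()[:8], "big")
    return ipaddress.IPv6Address((0xFD << 120) | (gid << 80) | iid)


class Registrar:
    """Controller-side registrar: admits devices to the domain, enrolls the
    domain credential (LDevID stand-in) and hands out the overlay address."""

    def __init__(self, allowed_serials):
        self.allowed = set(allowed_serials)
        self.members = {}  # serial -> enrolled credential

    def enroll(self, idevid):
        serial, pubkey = idevid["serial"], idevid["pubkey"]
        # 1. Is the manufacturer credential genuine?
        if not hmac.compare_digest(_sign(MANUFACTURER_KEY, serial, pubkey), idevid["sig"]):
            raise PermissionError("IDevID not signed by trusted manufacturer")
        # 2. Is this device allowed into *this* domain?
        if serial not in self.allowed:
            raise PermissionError(f"{serial} not authorised for {DOMAIN}")
        # 3. Same serial but a different key: the box was swapped out.
        known = self.members.get(serial)
        if known and known["pubkey"] != pubkey:
            raise PermissionError(f"{serial}: key changed, possible device swap")
        addr = str(assign_address(serial))
        ldevid = {"serial": serial, "pubkey": pubkey, "domain": DOMAIN, "addr": addr,
                  "sig": _sign(DOMAIN_CA_KEY, serial, pubkey, DOMAIN, addr)}
        self.members[serial] = ldevid
        return ldevid


def verify_ldevid(ldevid):
    """Neighbour-side check before a hop-by-hop tunnel is accepted."""
    expected = _sign(DOMAIN_CA_KEY, ldevid["serial"], ldevid["pubkey"],
                     ldevid["domain"], ldevid["addr"])
    return ldevid["domain"] == DOMAIN and hmac.compare_digest(expected, ldevid["sig"])


class Voobc:
    """Virtual out-of-band channel: a mesh of hop-by-hop tunnels between
    enrolled members; reachability is routed over the mesh, not a star."""

    def __init__(self):
        self.adj = {}  # serial -> set of tunnel neighbours

    def add_link(self, a, b):  # a, b are enrolled credentials
        if not (verify_ldevid(a) and verify_ldevid(b)):
            raise PermissionError("tunnel refused: peer has no valid domain credential")
        self.adj.setdefault(a["serial"], set()).add(b["serial"])
        self.adj.setdefault(b["serial"], set()).add(a["serial"])

    def remove_link(self, a, b):  # a, b are serials
        self.adj[a].discard(b)
        self.adj[b].discard(a)

    def reachable_from(self, root):
        seen, queue = {root}, deque([root])
        while queue:
            for m in self.adj.get(queue.popleft(), ()):
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
        return sorted(seen)


def _rejected(fn):
    """True if the registrar refused the enrollment attempt."""
    try:
        fn()
        return False
    except PermissionError:
        return True


def demo():
    """Walk the figure: join, tunnel ring, link failure, swap attempt."""
    reg = Registrar(allowed_serials=["C1", "FE1", "FE2", "FE3"])
    creds = {s: reg.enroll(issue_idevid(s, f"pub-{s}")) for s in reg.allowed}
    net = Voobc()
    for a, b in [("C1", "FE1"), ("FE1", "FE2"), ("FE2", "FE3"), ("FE3", "C1")]:
        net.add_link(creds[a], creds[b])
    result = {"before": net.reachable_from("C1")}
    net.remove_link("C1", "FE1")  # the "X" on the slide: one hop goes down
    result["after"] = net.reachable_from("C1")
    # A replacement box presenting FE2's serial with its own key.
    result["swap_detected"] = _rejected(lambda: reg.enroll(issue_idevid("FE2", "pub-intruder")))
    # A genuine device from the same manufacturer that is not on this domain's list.
    result["stranger_rejected"] = _rejected(lambda: reg.enroll(issue_idevid("FE9", "pub-FE9")))
    return result
```

`demo()` returns the members reachable from C1 before and after the link failure (all four both times, because the ring still routes around the failure), and whether the swapped device and the unlisted device were refused. Because tunnels are only accepted between peers holding a domain credential, the same check that blocks the swap also keeps a foreign box from joining the out-of-band channel.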
OpenDaylight Project: “Secure Network Bootstrapping Infrastructure (SNBI)”
[Figure: OpenDaylight controller with base network service functions (Topo Mgr, SNBI Registrar, LISP Service, Affinity Mgr, …) above the SAL and its plugins (PCEP, OF, Netconf, OVSDB, SNBI, BGP, LISP, …). A secure channel with automatic setup and addressing connects the SNBI plugin to SNBI agents on two kinds of forwarding element – a switch/router (network OS on Linux over ASIC, x86, ARM, …) and a server (Linux over x86, ARM, …) – each hosting NCs on a portable foundation (container).]
For details see: https://wiki.opendaylight.org/view/SecureNetworkBootstrapping:Main
SNBI and Container in OpenDaylight
SNBI – key technologies leveraged: Cisco’s Autonomic Networking
Containers – option: Docker
Next technology candidates for addition to the “Portable Foundation” (i.e. container): OpFlex; Netconf (incl. I2RS, …); …
Competitive Considerations
Open Application Container: evolve from tight ASIC <-> data-plane coupling to tight x86 <-> DP coupling through HW-specific accelerations in the software data plane (OVS enhancements for DPDK)
Network Container: the Data-Plane API offers an enhanced experience over OVS, is DP-agnostic (SW/HW data plane) and offers superior performance on Cisco equipment
Similar open development experience offered PLUS: existing world-class control plane accessible
Similar open development experience offered PLUS: existing control plane leveraged, no need to rebuild existing functions
Similar open development experience offered PLUS: enhanced data-plane API, security for the container, on-box/off-box application support
Servers and network devices become the same: all control plane functions are available as standard Linux packages (all it takes is to apt-get the required networking packages)
“Linux”-friendly networking stack for white-labeled boxes: networking hardware looks like a server to the programmer/operator; present a switch like a server with OVS wrt/ configuration/management, Linux-style scripting/runtime environment
References
OpenDaylight “Secure Network Bootstrapping Infrastructure (SNBI)”: https://wiki.opendaylight.org/view/SecureNetworkBootstrapping:Main