Software Defined Network

Presentation transcript:

Software Defined Network Daniel Graham

Martin Casado, Scott Shenker and Nick McKeown. In July 2012, VMware acquired Nicira for $1.26 billion. https://www.youtube.com/watch?v=79V_Pm5AV-A

The fixed network
Feature after feature (routing, management, mobility management, access control, VPNs, ...) stacked on an operating system on specialized packet forwarding hardware:
- Millions of lines of source code, 6000+ RFCs: a barrier to entry
- Billions of gates: bloated, power hungry
- Many complex functions baked into the infrastructure: OSPF, BGP, multicast, traffic engineering, NAT, firewalls, ...

Current Internet: closed to innovations in the infrastructure
Every box is a closed stack: app on top of an operating system on top of specialized packet forwarding hardware.
- Infrastructure is closed to innovation and driven only by vendors; consumers have little say
- The business model makes it hard for new features to be added

The "Software Defined Networking" approach to open it
A Network Operating System sits above the boxes, and apps run on it instead of inside each vendor's stack. How do we redefine the architecture to open up the networking infrastructure and the industry? By bringing to the networking industry what we did to the computing world.

The "Software-defined Network"
1. Open interface to hardware
2. At least one good network operating system: extensible, possibly open-source
3. Well-defined open API, with apps (App, App, App) running on the Network Operating System
Switches, routers and other middleboxes are dumbed down to simple packet forwarding hardware. The key is to have a standardized control interface that speaks directly to hardware.

How does OpenFlow work?

Ethernet Switch

Current SDN hardware
- Juniper MX-series
- NEC IP8800
- WiMax (NEC)
- HP Procurve 5400
- Netgear 7324
- PC Engines
- Pronto 3240/3290
- Ciena Coredirector
More coming soon...

Control Path (Software) Data Path (Hardware)

OpenFlow switch: the control path moves out of the box into an OpenFlow Controller; the switch keeps only the OpenFlow data path (hardware). Controller and switch speak the OpenFlow protocol over TCP, optionally protected with SSL/TLS. Transport security is optional in the OpenFlow specification, so an unencrypted control channel exposes every forwarding decision, and the ability to change it, to anyone on the path between controller and switch.

OpenFlow example
The Controller PC runs OpenFlow client software; the switch has a software layer (the flow table) and a hardware layer (port 1, port 2, port 3, port 4). Host 5.6.7.8 is reached through port 1; host 1.2.3.4 is on another port. The flow table holds one entry:
MAC src | MAC dst | IP Src | IP Dst | TCP sport | TCP dport | Action
* | * | * | 5.6.7.8 | * | * | port 1

OpenFlow usage
Alice's code on the Controller PC installs Alice's rule into the OpenFlow switch via the OpenFlow protocol; when a packet arrives that matches no rule, the switch asks the controller for a decision. OpenFlow offloads control intelligence to remote software (the controller).

OpenFlow basics: flow table entries
Each entry is Rule + Action + Stats.
Rule: header fields to match, plus a mask saying which fields to match: Switch Port, VLAN ID, VLAN pcp, MAC src, MAC dst, Eth type, IP Src, IP Dst, IP ToS, IP Prot, L4 sport, L4 dport
Action:
- Forward packet to zero or more ports
- Encapsulate and forward to controller
- Send to normal processing pipeline
- Modify fields
- Any extensions you add!
Stats: packet + byte counters

Examples
Switching (match on destination MAC only):
Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action
* | * | 00:1f:.. | * | * | * | * | * | * | * | port6

Flow switching (exact match on every field):
Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action
port3 | 00:20.. | 00:1f.. | 0800 | vlan1 | 1.2.3.4 | 5.6.7.8 | 6 (TCP) | 17264 | 80 | port6

Firewall (drop everything to TCP port 22):
Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action
* | * | * | * | * | * | * | * | * | 22 | drop
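The three entries above as a small OpenFlow-1.0-style flow table in Python. This is an added example, not code from the slides or from any OpenFlow implementation: the field names, the packet dictionaries and the full MAC addresses (the slides only show 00:1f.. and 00:20..) are this example's own. It shows what the slide's tables do not: that with overlapping rules the priority decides whether the firewall entry is ever consulted, and that a miss goes to the controller.

```python
# Added example (not from the slides): a minimal OpenFlow-1.0-style flow table
# with wildcard matching, priorities and per-entry counters, loaded with the
# three rules above. Field names, MAC addresses and packets are assumptions.


class FlowEntry:
    def __init__(self, match, actions, priority=0):
        self.match = match          # field -> value; a field absent here is a wildcard (*)
        self.actions = actions      # e.g. ["output:6"], ["drop"], ["controller"]
        self.priority = priority
        self.packets = 0            # Stats: packet counter
        self.bytes = 0              # Stats: byte counter

    def matches(self, pkt):
        return all(pkt.get(f) == v for f, v in self.match.items())


class FlowTable:
    def __init__(self):
        self.entries = []

    def add(self, entry):
        self.entries.append(entry)
        # Highest priority first; on a tie the more specific rule (more fields) wins,
        # mirroring OpenFlow 1.0 where exact-match entries beat wildcard entries.
        self.entries.sort(key=lambda e: (-e.priority, -len(e.match)))

    def process(self, pkt):
        for e in self.entries:
            if e.matches(pkt):
                e.packets += 1
                e.bytes += pkt.get("len", 0)
                return e.actions
        # Table miss: OpenFlow 1.0 encapsulates the packet and sends it to the controller.
        return ["controller"]


def build_slide_table():
    t = FlowTable()
    # Switching: forward by destination MAC only
    t.add(FlowEntry({"mac_dst": "00:1f:00:00:00:01"}, ["output:6"], priority=10))
    # Flow switching: exact match on all ten fields
    t.add(FlowEntry({"in_port": 3, "mac_src": "00:20:00:00:00:02",
                     "mac_dst": "00:1f:00:00:00:01", "eth_type": 0x0800,
                     "vlan_id": 1, "ip_src": "1.2.3.4", "ip_dst": "5.6.7.8",
                     "ip_proto": 6, "l4_sport": 17264, "l4_dport": 80},
                    ["output:6"], priority=20))
    # Firewall: drop anything to port 22. It must outrank the switching rule,
    # otherwise SSH to 00:1f:.. is forwarded before this entry is reached.
    t.add(FlowEntry({"l4_dport": 22}, ["drop"], priority=100))
    return t


def demo():
    t = build_slide_table()
    base = {"in_port": 3, "mac_src": "00:20:00:00:00:02", "mac_dst": "00:1f:00:00:00:01",
            "eth_type": 0x0800, "vlan_id": 1, "ip_src": "1.2.3.4", "ip_dst": "5.6.7.8",
            "ip_proto": 6, "len": 100}
    web = dict(base, l4_sport=17264, l4_dport=80)       # hits the exact-match entry
    ssh = dict(base, l4_sport=40000, l4_dport=22)       # hits the firewall entry
    other = dict(base, mac_dst="00:1f:00:00:00:09",
                 l4_sport=1, l4_dport=53)               # matches nothing: table miss
    return {"web": t.process(web), "ssh": t.process(ssh), "unknown": t.process(other),
            "entries": [(e.priority, e.packets, e.bytes) for e in t.entries]}


if __name__ == "__main__":
    print(demo())
```

The SSH packet also matches the switching entry (same destination MAC); it is dropped only because the firewall entry sorts first. A real deployment should check for this kind of overlap whenever a controller installs a new rule, since a later wildcard entry with a higher priority silently bypasses the drop.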

Firewalls
A firewall isolates the organization's internal net from the larger Internet, allowing some packets to pass and blocking others. (Figure: administered network, trusted "good guys" | firewall | public Internet, untrusted "bad guys".)

Firewalls: why
- prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
- prevent illegal modification/access of internal data, e.g., attacker replaces CIA's homepage with something else
- allow only authorized access to inside network: set of authenticated users/hosts
Three types of firewalls:
- stateless packet filters
- stateful packet filters
- application gateways

Stateless packet filtering
Should an arriving packet be allowed in? A departing packet let out?
The internal network is connected to the Internet via a router firewall; the router filters packet-by-packet, with the decision to forward/drop based on:
- source IP address, destination IP address
- TCP/UDP source and destination port numbers
- ICMP message type
- TCP SYN and ACK bits

Stateless packet filtering: examples
example 1: block incoming and outgoing datagrams with IP protocol field = 17 (UDP), and datagrams with either source or dest port = 23. result: all incoming and outgoing UDP flows and all telnet connections are blocked
example 2: block inbound TCP segments with ACK=0. result: prevents external clients from making TCP connections with internal hosts, but allows internal clients to connect to the outside (every segment of an externally initiated connection except the first carries ACK=1, so only the first SYN is caught; see the stateful case below for why this is not enough on its own).

Stateless packet filtering: more examples
Policy | Firewall setting
No outside Web access. | Drop all outgoing packets to any IP address, port 80
No incoming TCP connections, except those for the institution's public Web server only. | Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80
Prevent Web-radios from eating up the available bandwidth. | Drop all incoming UDP packets, except DNS and router broadcasts.
Prevent your network from being used for a smurf DoS attack. | Drop all ICMP packets going to a "broadcast" address (e.g. 130.207.255.255).
Prevent your network from being tracerouted. | Drop all outgoing ICMP TTL expired traffic

Access Control Lists
ACL: table of rules, applied top to bottom to incoming packets: (action, condition) pairs. Looks like OpenFlow forwarding (Ch. 4)!
action | source address | dest address | protocol | source port | dest port | flag bit
allow | 222.22/16 | outside of 222.22/16 | TCP | > 1023 | 80 | any
allow | outside of 222.22/16 | 222.22/16 | TCP | 80 | > 1023 | ACK
allow | 222.22/16 | outside of 222.22/16 | UDP | > 1023 | 53 | ---
allow | outside of 222.22/16 | 222.22/16 | UDP | 53 | > 1023 | ---
deny | all | all | all | all | all | all

Stateful packet filtering
A stateless packet filter is a heavy-handed tool: it admits packets that "make no sense", e.g., dest port = 80, ACK bit set, even though no TCP connection was ever established:
action | source address | dest address | protocol | source port | dest port | flag bit
allow | outside of 222.22/16 | 222.22/16 | TCP | 80 | > 1023 | ACK
A stateful packet filter tracks the status of every TCP connection:
- tracks connection setup (SYN) and teardown (FIN): determines whether incoming and outgoing packets "make sense"
- times out inactive connections at the firewall: their packets are no longer admitted

Stateful packet filtering
The ACL is augmented with a column indicating the need to check the connection state table before admitting a packet:
action | source address | dest address | proto | source port | dest port | flag bit | check connection
allow | 222.22/16 | outside of 222.22/16 | TCP | > 1023 | 80 | any | 
allow | outside of 222.22/16 | 222.22/16 | TCP | 80 | > 1023 | ACK | x
allow | 222.22/16 | outside of 222.22/16 | UDP | > 1023 | 53 | --- | 
allow | outside of 222.22/16 | 222.22/16 | UDP | 53 | > 1023 | --- | 
deny | all | all | all | all | all | all | 
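The ACL above as code, first evaluated statelessly and then with the "check connection" column enforced against a connection table, so the "makes no sense" packet from the previous slide can be seen slipping through the one and being dropped by the other. This is an added example, not code from the slides: the 222.22/16 inside network and the rows are the slides', while the packet representation, the outside address 198.51.100.7 and the state names are this example's own. Idle timeouts, which the slides mention, are deliberately left out.

```python
# Added example (not from the slides): stateless vs stateful evaluation of the
# ACL above. Packet dicts, the outside host address and state names are assumptions.
import ipaddress

INSIDE = ipaddress.ip_network("222.22.0.0/16")


def is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE


def pkt(src, dst, proto, sport, dport, syn=False, ack=False, fin=False):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport,
            "syn": syn, "ack": ack, "fin": fin}


def stateless_allow(p):
    """Stateless ACL: True if an allow row matches, else the final 'deny all' applies."""
    out = is_inside(p["src"]) and not is_inside(p["dst"])   # leaving 222.22/16
    inn = not is_inside(p["src"]) and is_inside(p["dst"])   # entering 222.22/16
    if p["proto"] == "TCP":
        if out and p["sport"] > 1023 and p["dport"] == 80:
            return True                                      # any flag bits
        if inn and p["sport"] == 80 and p["dport"] > 1023 and p["ack"]:
            return True                                      # must carry ACK
    if p["proto"] == "UDP":
        if out and p["sport"] > 1023 and p["dport"] == 53:
            return True
        if inn and p["sport"] == 53 and p["dport"] > 1023:
            return True
    return False


class StatefulFilter:
    """Same ACL, but the inbound TCP row is marked 'check connection': it is only
    admitted when the connection table shows the inside host opened the connection."""

    def __init__(self):
        self.conns = {}   # (inside ip, inside port, outside ip, outside port) -> state

    def allow(self, p):
        if not stateless_allow(p):
            return False
        if p["proto"] != "TCP":
            return True   # UDP rows carry no connection check (all-or-nothing, as the slides note)
        if is_inside(p["src"]):                      # outbound: learn the connection
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if p["syn"] and not p["ack"]:
                self.conns[key] = "SYN_SENT"
            elif p["fin"]:
                self.conns.pop(key, None)            # simplification: forget on the first FIN
            return True
        key = (p["dst"], p["dport"], p["src"], p["sport"])   # inbound: consult the table
        state = self.conns.get(key)
        if state is None:
            return False                              # ACK for a connection we never saw
        if p["syn"] and p["ack"] and state == "SYN_SENT":
            self.conns[key] = "ESTABLISHED"
        return True


def demo():
    # The slide's nonsense packet: from outside port 80, ACK set, no connection exists.
    bogus = pkt("198.51.100.7", "222.22.1.5", "TCP", 80, 2000, ack=True)
    f = StatefulFilter()
    bogus_stateless = stateless_allow(bogus)
    bogus_stateful = f.allow(bogus)
    # Now the inside host really opens a connection: SYN out, SYN/ACK back.
    f.allow(pkt("222.22.1.5", "198.51.100.7", "TCP", 2000, 80, syn=True))
    synack = f.allow(pkt("198.51.100.7", "222.22.1.5", "TCP", 80, 2000, syn=True, ack=True))
    return bogus_stateless, bogus_stateful, synack, dict(f.conns)


if __name__ == "__main__":
    print(demo())
```

Without the table, an attacker can push arbitrary ACK-flagged segments from source port 80 to any high port inside; the stateless rows cannot tell them from real server replies.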

Application gateways
Filter packets on application data as well as on IP/TCP/UDP fields. Example: allow select internal users to ssh outside.
(Figure: host-to-gateway ssh session | application gateway | gateway-to-remote-host ssh session, with the router and filter behind the gateway.)
1. Require all ssh users to ssh through the gateway.
2. For authorized users, the gateway sets up an ssh connection to the destination host and relays data between the two connections.
3. The router filter blocks all ssh connections not originating from the gateway.

Limitations of firewalls and gateways
- IP spoofing: the router can't know whether data "really" comes from the claimed source
- if multiple applications need special treatment, each needs its own application gateway
- client software must know how to contact the gateway, e.g., the proxy IP address must be set in the Web browser
- filters often use an all-or-nothing policy for UDP
- tradeoff: degree of communication with the outside world versus level of security
- many highly protected sites still suffer from attacks

Intrusion detection systems
Packet filtering:
- operates on TCP/IP headers only
- no correlation check among sessions
IDS: intrusion detection system
- deep packet inspection: look at packet contents (e.g., check character strings in the packet against a database of known virus and attack strings)
- examine correlation among multiple packets: port scanning, network mapping, DoS attack

Examples
Routing (match on destination IP only):
Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action
* | * | * | * | * | * | 5.6.7.8 | * | * | * | port6

VLAN switching (match on destination MAC and VLAN ID, flood to the VLAN's ports):
Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action
* | * | 00:1f.. | * | vlan1 | * | * | * | * | * | port6, port7, port9

VLANs: motivation
Consider: a CS user moves office to EE, but wants to connect to the CS switch?
Single broadcast domain: all layer-2 broadcast traffic (ARP, DHCP, unknown location of destination MAC address) must cross the entire LAN: security/privacy and efficiency issues.
(Figure: Computer Science, Computer Engineering and Electrical Engineering switches joined into one LAN.)

VLANs
Virtual Local Area Network: switch(es) supporting VLAN capabilities can be configured to define multiple virtual LANs over a single physical LAN infrastructure.
Port-based VLAN: switch ports are grouped (by switch management software) so that a single physical switch operates as multiple virtual switches, e.g. Electrical Engineering (VLAN ports 1-8) and Computer Science (VLAN ports 9-16).

Port-based VLAN
- traffic isolation: frames to/from ports 1-8 can only reach ports 1-8
- can also define a VLAN based on MAC addresses of endpoints, rather than switch port
- dynamic membership: ports can be dynamically assigned among VLANs
- forwarding between VLANs: done via routing (just as with separate switches); in practice vendors sell combined switches plus routers
(Figure: Electrical Engineering (VLAN ports 1-8) and Computer Science (VLAN ports 9-15) on one switch, with a router attached for inter-VLAN traffic.)

802.1Q VLAN frame format
802.1 frame: preamble | dest. address | source address | type | data (payload) | CRC
802.1Q frame: preamble | dest. address | source address | 802.1Q tag | type | data (payload) | recomputed CRC
The 4-byte tag is a 2-byte Tag Protocol Identifier (value: 81-00) followed by 2 bytes of Tag Control Information: a 3-bit priority field (like IP TOS), one flag bit (CFI/DEI), and a 12-bit VLAN ID field.

VLANs spanning multiple switches
(Figure: switch 1 with Electrical Engineering on ports 1-8 and Computer Science on ports 9-15; switch 2 where ports 2, 3, 5 belong to the EE VLAN and ports 4, 6, 7, 8 to the CS VLAN.)
- trunk port: carries frames between VLANs defined over multiple physical switches
- frames forwarded within a VLAN between switches can't be vanilla 802.1 frames (they must carry VLAN ID info)
- the 802.1Q protocol adds/removes the additional header fields for frames forwarded between trunk ports
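What a trunk port does to a frame, as an added example that is not code from the slides: insert the 4-byte 802.1Q tag after the two addresses on the way out, read or strip it on the way in, and recompute the CRC each time, as the frame-format slide says. The sample frame is constructed here; the CRC-32 used for the Ethernet FCS is the same one zlib computes, written least-significant byte first. The final check is the caveat a practitioner wants: stripping one tag from a doubly tagged frame still leaves a tagged frame.

```python
# Added example (not from the slides): building, reading and stripping the
# 802.1Q tag with the FCS recomputed. The sample frame is constructed here.
import struct
import zlib

TPID_8021Q = 0x8100   # Tag Protocol Identifier (the slide's 81-00)


def fcs(data):
    """Ethernet FCS: CRC-32 as computed by zlib, least-significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def untagged_frame(dst, src, eth_type, payload):
    body = dst + src + struct.pack("!H", eth_type) + payload
    return body + fcs(body)


def add_vlan_tag(frame, vlan_id, pcp=0):
    """Trunk-port egress: insert the 4-byte tag after the addresses, recompute the CRC."""
    if not 1 <= vlan_id <= 4094:           # VIDs 0 and 4095 are reserved by 802.1Q
        raise ValueError("invalid VLAN ID")
    if not 0 <= pcp <= 7:
        raise ValueError("invalid priority")
    body = frame[:-4]                       # drop the old FCS
    tci = (pcp << 13) | vlan_id             # 3-bit priority | DEI bit (left 0) | 12-bit VID
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged + fcs(tagged)


def read_vlan_tag(frame):
    """Return (pcp, vlan_id) of the outermost tag, or None if the frame is untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci >> 13, tci & 0x0FFF


def strip_vlan_tag(frame):
    """Trunk-port ingress towards an access port: remove the outermost tag, recompute the CRC."""
    if read_vlan_tag(frame) is None:
        return frame
    body = frame[:12] + frame[16:-4]
    return body + fcs(body)


def fcs_ok(frame):
    return fcs(frame[:-4]) == frame[-4:]


def demo():
    dst = bytes.fromhex("001f000000a1")     # constructed addresses
    src = bytes.fromhex("0020000000b2")
    plain = untagged_frame(dst, src, 0x0800, b"\x45" + b"\x00" * 19)
    tagged = add_vlan_tag(plain, vlan_id=100, pcp=5)
    # A frame that arrives with two tags (802.1ad Q-in-Q, or a double-tagging
    # attempt) is still tagged after one strip: an access port must check again.
    double = add_vlan_tag(tagged, vlan_id=1)
    return {
        "plain_len": len(plain), "tagged_len": len(tagged),
        "tag": read_vlan_tag(tagged), "tagged_fcs_ok": fcs_ok(tagged),
        "roundtrip": strip_vlan_tag(tagged) == plain,
        "after_one_strip": read_vlan_tag(strip_vlan_tag(double)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the tag sits between the addresses and the type field, an untagged and a tagged frame differ only in the 2 bytes at offset 12; a receiver that does not look there treats the tag as the Ethertype and the VLAN ID as the start of the payload.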

Centralized vs distributed control
Both models are possible with OpenFlow.
- Centralized control: one controller manages all the OpenFlow switches.
- Distributed control: several controllers, each managing its own OpenFlow switches.


Multiprotocol label switching (MPLS)
- initial goal: high-speed IP forwarding using a fixed-length label (instead of the IP address)
- fast lookup using a fixed-length identifier (rather than longest prefix matching)
- borrows ideas from the Virtual Circuit (VC) approach
- but the IP datagram still keeps its IP address!
Frame layout: PPP or Ethernet header | MPLS header | IP header | remainder of link-layer frame
MPLS header (32 bits): label (20 bits) | Exp (3 bits) | S (1 bit) | TTL (8 bits)

Bottom of Stack: the S (BoS) bit is set to 1 in the last (bottom) MPLS header of the label stack and 0 in every header above it. http://wiki.kemot-net.com/mpls-header-labels

MPLS-capable routers (a.k.a. label-switched routers)
- forward packets to the outgoing interface based only on the label value (don't inspect the IP address)
- MPLS forwarding table is distinct from the IP forwarding tables
- flexibility: MPLS forwarding decisions can differ from those of IP
  - use destination and source addresses to route flows to the same destination differently (traffic engineering)
  - re-route flows quickly if a link fails: pre-computed backup paths (useful for VoIP)

MPLS versus IP paths
(Figure: IP routers R6, R4, R3, R5, R2 with destinations D and A.)
IP routing: path to destination determined by destination address alone.

MPLS versus IP paths
(Figure: same topology; R6, R4 and R5 are MPLS and IP routers, R3 and R2 are IP-only routers.)
- IP routing: path to destination determined by destination address alone
- MPLS routing: path to destination can be based on source and destination address; the entry router (R4) can use different MPLS routes to A based, e.g., on source address
- fast reroute: precompute backup routes in case of link failure

MPLS forwarding tables
(Figure: R4 is the ingress; its interface 0 leads towards R6 and interface 1 towards R5; R6 and R5 both reach R1, which is attached to A; D hangs off R6.)
R4:
in label | out label | dest | out interface
- | 10 | A | 0
- | 12 | D | 0
- | 8 | A | 1
R6:
in label | out label | dest | out interface
10 | 6 | A | 1
12 | 9 | D | 0
R5:
in label | out label | dest | out interface
8 | 6 | A | 0
R1:
in label | out label | dest | out interface
6 | - | A | 0
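The four tables above applied hop by hop, with the 32-bit MPLS header packed and unpacked on each hop. This is an added example and not code from the slides: the tables are the slides', but the link map (which neighbour sits behind each out interface) is this example's reading of the figure and an assumption, as is the simulation of a failed link to show the pre-computed backup path through R5.

```python
# Added example (not from the slides): MPLS header encode/decode and label
# switching across the forwarding tables above. The LINKS map is an assumption.
import struct


def pack_mpls(label, exp, s, ttl):
    """label 20 bits | Exp 3 bits | S 1 bit | TTL 8 bits, big-endian."""
    if not (0 <= label < (1 << 20) and 0 <= exp < 8 and s in (0, 1) and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)


def unpack_mpls(b):
    (w,) = struct.unpack("!I", b[:4])
    return w >> 12, (w >> 9) & 0x7, (w >> 8) & 0x1, w & 0xFF


# Rows: (in label, out label, dest, out interface); None = no label
# (the ingress router pushes a label, the egress router pops it).
TABLES = {
    "R4": [(None, 10, "A", 0), (None, 12, "D", 0), (None, 8, "A", 1)],
    "R6": [(10, 6, "A", 1), (12, 9, "D", 0)],
    "R5": [(8, 6, "A", 0)],
    "R1": [(6, None, "A", 0)],
}
# Assumed link map read off the figure: (router, out interface) -> next hop
LINKS = {("R4", 0): "R6", ("R4", 1): "R5", ("R6", 1): "R1", ("R6", 0): "D",
         ("R5", 0): "R1", ("R1", 0): "A"}


def forward(ingress, dest, ttl=64, down=frozenset()):
    """Label-switch one packet from ingress towards dest.
    Returns ([(router, out label), ...], node the packet ends at, remaining TTL).
    'down' holds (router, interface) links that have failed; the ingress then
    falls through to its next pre-computed row for the same destination."""
    router, label, hops = ingress, None, []
    while router in TABLES:
        if label is None:   # ingress: classify by destination, push a label
            rows = [r for r in TABLES[router] if r[0] is None and r[2] == dest]
        else:               # transit/egress: the label alone decides, IP header untouched
            rows = [r for r in TABLES[router] if r[0] == label]
        rows = [r for r in rows if (router, r[3]) not in down]
        if not rows:
            raise RuntimeError(f"{router}: no usable row for label {label}, dest {dest}")
        _, out_label, _, iface = rows[0]
        if ttl <= 1:
            raise RuntimeError("TTL expired")
        ttl -= 1
        if out_label is not None:                     # swap (or push) the label
            hdr = pack_mpls(out_label, 0, 1, ttl)     # single-label stack, so S = 1
            assert unpack_mpls(hdr) == (out_label, 0, 1, ttl)
        hops.append((router, out_label))              # None here means the label was popped
        label, router = out_label, LINKS[(router, iface)]
    return hops, router, ttl


if __name__ == "__main__":
    print(forward("R4", "A"))
    print(forward("R4", "A", down={("R4", 0)}))   # link R4->R6 failed: backup via R5
    print(forward("R4", "D"))
```

Note that R1's decision depends only on the incoming label 6, whoever pushed it: both the primary path through R6 and the backup through R5 converge on the same label, which is what makes the pre-computed reroute a local change at R4 rather than a network-wide one.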

Software Defined Networking Total virtualization

Mininet and OpenFlow
sudo dhclient eth1                              (get an address on the VM's second interface)
sudo mn --topo single,3                         (one switch, three hosts h1-h3)
mininet> h1 python -m SimpleHTTPServer 80 &     (serve HTTP on h1)
mininet> h2 wget -O - h1                        (fetch it from h2 through the switch)
...
mininet> h1 kill %python                        (stop the server)