We’re in Berkeley for the Winter 2015 CSG meeting.
The first workshop is on Software Defined Networking
Applications call the SDN controller through a RESTful API. The controller talks to network switches to configure a private virtual network on the fly. This takes control of the network out of the hands of network admins and puts it into apps and services. Have to plan how to open up the network, and figure out how to roll it out within the old network environment.
Survey results – Jim Jolkl
Do you currently have a separate dedicated network for research? Almost half do.
Do you plan to make significant investment in your core network over the next 12-18 months? 2/3 do.
Are you aware of anyone on your campus holding a NSF award that involves connecting to AL2S? Almost half do.
Your State/Regional network’s support for AL2S – 2/3 say yes.
Expected level of integration between state network and AL2S – regionals ready to tunnel connection back to campus.
Do you have a SDN strategy? Most say in process.
Most campuses in early stages of figuring out what to do.
Barriers to adoption? Lack of staff time and expertise.
Summarize SDN goals – bypassing friction devices, connecting researchers to AL2S
Where do you see SDN used on campus over 3-5 years? Data center, campus bypass network.
Industry survey – 87% will have data center SDN in production in 2016.
Charlie Kneiffel – Duke’s SDN journey
Part 1 – planning
Definitions – implementation of OpenFlow software controller that manages network traffic flow on a set of network devices. Focused on edge more than core. Primary goal is to improve speed, reliability and performance of the network used by researchers.
Current state: SDN switches deployed in production – hub and spoke model. Production controller – Ryu based. Production rule manager – SwitchBoard (Mark developed). perfSONAR nodes deployed across campus. In middle of upgrading to new version (Puppet’izing). Efforts led to redesign of Duke core network. Duke uses an MPLS core and can switch to a VRF easily – so routing is everywhere.
Infrastructure considerations: – Dedicated science network? converged/unified network? fiber infrastructure? Needs at the core? needs at the edge?
Lessons learned –
Test, test, test in controlled fashion (perfSONAR is your friend)
Oversubscription – accidental or intentional. Span ports, layer 2/3 domains
10G cannons aimed at your network – can melt things in ways you never expected
Measurement of real bandwidth availability
Firewalls – what are the real limits – per stream/overall – how do they fall over / fail?
IPS – looking at traffic between VRFs – where is traffic inspected, white listing, how often?
IDS – Passive
It’s another network upgrade: But it’s not fully documented. Keep the core a significant multiplier of the edge
QoS is important if you have converged services.
General SDN model at Duke
Integrated – hosts connect to a network. Default path for traffic is to the production network. Controller allows a rule to bypass.
Fun with Ryu – Mark McCahill – Duke
Why SDN? campus network speed bumps (firewalls, IPS/IDS)
Have self-service bypass networks for researchers – should be simple web app
Also researchers want access to national nets.
Switchboard – web app (Ruby on Rails) – tracks who is authorized to enable a bypass/link and the status of requests, and updates the SDN controller based on approved requests (this created fear and loathing in the web developer). Ryu gives a REST interface to set up and tear down routes; want to be able to roll back/restore SDN controller state, and auditability of the state of the network configuration. What’s hard is having web developers talk to network engineers – they speak totally different languages.
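The rule-manager side of that design, as an added example (this is not Duke’s Switchboard code): approved requests are pushed to Ryu through its ofctl_rest app, every change is written to an append-only audit log with the actor’s name, a half-failed push is unwound, and a saved snapshot can be restored by diffing it against what is live. The endpoint paths (/stats/flowentry/add, /stats/flowentry/delete_strict) and OpenFlow 1.3 match/action field names are those of ryu.app.ofctl_rest; the controller URL, dpid 1, port numbers and IP addresses are made-up assumptions, and the in-memory controller exists only so the example runs without a switch.

```python
"""Switchboard-style rule manager over Ryu's ofctl_rest API (added example).
Pushes approved bypass flows, keeps an audit log, and can roll back or
restore controller state. Endpoint paths and field names are those of
ryu.app.ofctl_rest for OpenFlow 1.3; URL, dpid and ports are made up."""
import json
import time
import urllib.request


class RyuRest:
    """Minimal ofctl_rest client. `send(path, body)` is injectable so the
    example runs offline; the default POSTs JSON to a live controller."""

    def __init__(self, base_url="http://127.0.0.1:8080", send=None):
        self.base_url = base_url
        self.send = send or self._http_post

    def _http_post(self, path, body):
        req = urllib.request.Request(
            self.base_url + path, data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status

    def add_flow(self, flow):
        return self.send("/stats/flowentry/add", flow)

    def delete_flow(self, flow):
        # delete_strict removes only an exact priority+match, so tearing down
        # one bypass cannot take a neighbouring rule with it.
        return self.send("/stats/flowentry/delete_strict", flow)


class InMemoryController:
    """Stand-in for a live controller's flow table (offline demo only)."""

    def __init__(self):
        self.table = []

    def __call__(self, path, body):
        key = json.dumps(body, sort_keys=True)
        if path.endswith("/add"):
            self.table.append(key)
        elif path.endswith("/delete_strict"):
            self.table.remove(key)
        return 200


def bypass_flows(dpid, host_port, bypass_port, host_ip, remote_ip, priority=1000):
    """Two entries steering host<->remote around the production path. The
    production network stays the default; only this host pair is diverted."""
    base = {"dpid": dpid, "priority": priority, "idle_timeout": 0, "hard_timeout": 0}
    return [
        {**base, "match": {"in_port": host_port, "eth_type": 0x0800,
                           "ipv4_src": host_ip, "ipv4_dst": remote_ip},
         "actions": [{"type": "OUTPUT", "port": bypass_port}]},
        {**base, "match": {"in_port": bypass_port, "eth_type": 0x0800,
                           "ipv4_src": remote_ip, "ipv4_dst": host_ip},
         "actions": [{"type": "OUTPUT", "port": host_port}]},
    ]


class RuleManager:
    """Tracks which approved requests are live, logs every change with the
    actor, and can converge the controller back onto a saved snapshot."""

    def __init__(self, client, clock=time.time):
        self.client, self.clock = client, clock
        self.active = {}   # request_id -> flows pushed for it
        self.audit = []    # append-only: who changed what, when

    def _log(self, action, request_id, actor, detail=""):
        self.audit.append({"ts": self.clock(), "action": action,
                           "request": request_id, "actor": actor, "detail": detail})

    def enable(self, request_id, approver, flows):
        pushed = []
        try:
            for flow in flows:
                self.client.add_flow(flow)
                pushed.append(flow)
        except Exception as exc:
            for flow in reversed(pushed):   # never leave a half-installed bypass
                self.client.delete_flow(flow)
            self._log("enable_failed", request_id, approver, repr(exc))
            raise
        self.active[request_id] = pushed
        self._log("enable", request_id, approver, f"{len(pushed)} flows")

    def disable(self, request_id, actor):
        for flow in self.active.pop(request_id):
            self.client.delete_flow(flow)
        self._log("disable", request_id, actor)

    def snapshot(self):
        return json.dumps(self.active, sort_keys=True)

    def restore(self, snapshot_json, actor):
        """Remove requests enabled since the snapshot, re-add ones torn down."""
        wanted = json.loads(snapshot_json)
        for rid in [r for r in self.active if r not in wanted]:
            self.disable(rid, actor)
        for rid, flows in wanted.items():
            if rid not in self.active:
                self.enable(rid, actor, flows)
        self._log("restore", "*", actor)
```

Keeping the request id, not the raw flow, as the unit of state is what makes rollback tractable: a snapshot is just the set of approved requests that were live, and restore only touches the difference.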
Deployment strategy -start with intermittent bandwidth intensive tasks: backups, bulk data moves, protected network segment data ingestion. Run building edge switches in hybrid mode – enable open flow ports where needed.
Next steps for Ryu – modifying it quite a bit. Limit DHCP responses to authoritative DHCP servers. VLAN tag flipping to support linking VLANs. Detect and throttle ARP flooding (and other DoS attacks on the SDN controller).
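Two of those controls in working form, as an added example (not Duke’s Ryu modifications): DHCP server-to-client traffic (UDP source port 67) is forwarded only when it enters on a port known to host an authoritative server, first as a per-packet verdict and then as the proactive flow entries that let the switch enforce it without punting DHCP to the controller; and a sliding-window counter per (switch, port) flags an ARP flood and produces a short-lived drop rule, since an unthrottled ARP storm is a denial of service against the controller itself. It is plain Python with no Ryu import so it runs offline; the flow dicts use ryu.app.ofctl_rest field names, "NORMAL" as an output port is assumed to mean the switch’s ordinary forwarding pipeline, and all MAC/IP addresses, port numbers and sample frames are constructed for the demo.

```python
"""Packet-in policy for an OpenFlow controller app (added example, not Duke's
Ryu code): DHCP server replies are honoured only from authoritative ports,
and per-port ARP rate is tracked so a flood gets a temporary drop rule
instead of drowning the controller in packet-ins. Pure Python, no Ryu
import; flow dicts use ryu.app.ofctl_rest field names; addresses, ports
and sample frames are constructed for the demo."""
import struct
from collections import defaultdict, deque

ETH_TYPE_IPV4, ETH_TYPE_ARP, IP_PROTO_UDP, DHCP_SERVER_PORT = 0x0800, 0x0806, 17, 67


def parse_frame(frame: bytes) -> dict:
    """Decode only the Ethernet/IPv4/UDP fields the policy needs."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    _dst, src, eth_type = struct.unpack("!6s6sH", frame[:14])
    info = {"eth_src": src.hex(":"), "eth_type": eth_type}
    if eth_type == ETH_TYPE_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
        info["ip_proto"] = frame[23]
        info["ip_src"] = ".".join(str(b) for b in frame[26:30])
        if info["ip_proto"] == IP_PROTO_UDP and len(frame) >= 14 + ihl + 8:
            info["udp_src"], info["udp_dst"] = struct.unpack(
                "!HH", frame[14 + ihl:14 + ihl + 4])
    return info


def dhcp_verdict(pkt: dict, in_port: int, authoritative_ports: set) -> str:
    """DHCP OFFER/ACK come from UDP port 67. Forward only if the frame entered
    on a port where the real server lives; otherwise it is a rogue server
    (or a misconfigured host handing out leases) and is dropped."""
    if pkt.get("udp_src") != DHCP_SERVER_PORT:
        return "forward"
    return "forward" if in_port in authoritative_ports else "drop"


def dhcp_guard_flows(dpid: int, authoritative_ports: set) -> list:
    """Proactive form of the same policy: a catch-all drop for server->client
    DHCP plus a higher-priority pass per authoritative port, so the switch
    enforces it without punting every DHCP packet to the controller.
    "NORMAL" is assumed to mean the switch's ordinary (hybrid) pipeline."""
    dhcp = {"eth_type": ETH_TYPE_IPV4, "ip_proto": IP_PROTO_UDP, "udp_src": DHCP_SERVER_PORT}
    flows = [{"dpid": dpid, "priority": 2000, "match": dict(dhcp), "actions": []}]
    for port in sorted(authoritative_ports):
        flows.append({"dpid": dpid, "priority": 2001, "match": {"in_port": port, **dhcp},
                      "actions": [{"type": "OUTPUT", "port": "NORMAL"}]})
    return flows


class ArpFloodDetector:
    """Sliding-window count of ARP packet-ins per (dpid, port). Unchecked, one
    chatty or malicious host turns into a DoS on the controller; once a port
    exceeds its budget, block_flow() yields a short-lived drop rule for it."""

    def __init__(self, max_per_window: int = 50, window_s: float = 1.0):
        self.max, self.window = max_per_window, window_s
        self.seen = defaultdict(deque)

    def observe(self, dpid: int, in_port: int, pkt: dict, now: float) -> bool:
        """Record an ARP packet-in; True once this port is over budget."""
        if pkt["eth_type"] != ETH_TYPE_ARP:
            return False
        q = self.seen[(dpid, in_port)]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.max

    @staticmethod
    def block_flow(dpid: int, in_port: int, seconds: int = 30) -> dict:
        return {"dpid": dpid, "priority": 3000, "hard_timeout": seconds,
                "match": {"in_port": in_port, "eth_type": ETH_TYPE_ARP}, "actions": []}


def make_udp_frame(eth_src: str, ip_src: str, sport: int, dport: int) -> bytes:
    """Constructed sample: broadcast Ethernet + 20-byte IPv4 + 8-byte UDP header."""
    eth = bytes(6 * [0xFF]) + bytes.fromhex(eth_src.replace(":", "")) + struct.pack("!H", ETH_TYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, IP_PROTO_UDP, 0,
                     bytes(int(o) for o in ip_src.split(".")), bytes(4 * [0xFF]))
    return eth + ip + struct.pack("!HHHH", sport, dport, 8, 0)


def make_arp_frame(eth_src: str) -> bytes:
    """Constructed sample: broadcast ARP frame with a zeroed 28-byte body."""
    return bytes(6 * [0xFF]) + bytes.fromhex(eth_src.replace(":", "")) + struct.pack("!H", ETH_TYPE_ARP) + bytes(28)
```

The per-packet verdict is what a controller app would apply inside its packet-in handler; the proactive rules are the cheaper deployment once the authoritative ports are known, because the controller then never sees DHCP at all. The ARP block uses a hard_timeout rather than a permanent drop so a port that was merely noisy recovers on its own.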
Lessons: You can easily simulate an SDN network: Ryu rest_router + Mininet + Open vSwitch. http://sdnhub.org/releases/sdn-starter-kit-ryu/ Open vSwitch is very capable. An SDN simulation on my VM was #1 with a bullet on the top-talker charts one afternoon – network engineers should be careful about which addresses they assign.
Lessons: the OpenFlow port you most care about is probably disabled. Bad connections: how polished is your glass? Fiber terminations that are good enough for 1 Gig aren’t necessarily good enough for 10 Gig. Hybrid mode switches in the wrong mode.
Endgame: Campus SDX (Software Defined Exchange) – campus core bypass links for the science DMZ, interconnects layer 2 services (AL2S, BEN, etc.). Start with a self-service app (Switchboard), then automate via the API.
Roy Hockett – University of Michigan SDN Research
Recent research area – Clean Slate project in 2007.
Research on networking and abstractions, research on SDN implementations, research that uses SDN as tool or component
Mobilab – global-scale live laboratory for supporting mobile computing science.
Atlas Great Lakes Tier 2 – LHC computing and muon collaboration. Leveraging SDN to build paths to transfer data.
Lots of activity in this space with many choices. Most vendors claim their hardware/software can be introduced gradually into the network without disruption. Most products or services are designed for data center optimization, with attention just now shifting to the WAN. ISPs are embracing network virtualization, optimization and automation, and vendors are delivering products and services that do this. SDx Central is a good source of information.
Eric Boyd – Internet2 and AL2S
Innovation story – Abundant Bandwidth – 100G for now, Network programmability – SDN, network virtualization, Friction-Free Science – Science DMZ
AL2S today – a reliable VLAN service. Would like to be able to offer a range of services, each in their own slice. Run your own network on the underlying I2 network to allow rapid prototyping of advanced applications and new network services. Private network capabilities with shared networked costs.
Technology behind network virtualization – Built a hypervisor called FlowSpace Firewall
Example – Prototype Multi-Domain Layer 2 Services
Making OpenFlow Networks Manageable – Steve Walerbusser – Stanford
“Northbound” OpenFlow architecture not yet defined (controller-controller, controller-app). Industry is based around SNMP but that doesn’t intersect yet. Most organizations don’t want to deploy technologies that aren’t based on SNMP. Need to fill the gap.
OpenFlow shares a lot with previous architectures, but adds new concepts – new capabilities to manage, new gotchas to avoid. How do we manage these new capabilities? metrics, tools, processes.
OpenFlow can provide much faster provisioning – how fast? what are bottlenecks? How reliable? SLAs?
Engineers need tools and data to make decisions about defining policies into controllers.
OpenFlow Management Gateway – OMG – an OpenFlow controller that uses the OpenFlow protocol to gather important metrics, translates the info to SNMP (could do REST APIs too), and works side-by-side with existing controller infrastructure.