OpenFlow-Enabling-Innovation-in-Campus-Networks

发表于 | 分类于

摘要

本白皮书提出OpenFlow:研究人员在他们每天使用的网络中运行实验协议的一种方法。 OpenFlow基于,具有内部流程表和用于添加和删除流条目的标准化接口。我们的目标是鼓励网络供应商将OpenFlow添加到他们的交换机产品中,以部署在大学校园骨干网和配线室中。我们认为,OpenFlow是一个务实的妥协:一方面,它允许研究人员以统一的方式在异构交换机上以线速率和高速运行实验。而另一方面,供应商不需要暴露交换机的内部工作。除了允许研究人员在实际交通环境中评估他们的想法之外,OpenFlow还可以在像GENI这样的大型测试平台中成为有用的校园组件。斯坦福大学的两座建筑将很快运行OpenFlow网络,使用商用以太网交换机和路由器。我们将努力鼓励其他学校的部署;我们鼓励您考虑在您的大学网络中部署OpenFlow。

基于以太网交换机,具有:

  • internal flow-table
  • a standardized interface to add and remove flow entries.

pragmatic compromise:

  • run experiments on heterogeneous switches in a uniform way
  • vendors do not need to expose the internal workings of their switches.

可编程网络的需求?

  • 创新因为既有的巨量已安装的基础设施、已有协议、以及不愿意产生实际流量变得非常困难。
  • 许多 new idea 是 untried、untested

  • Network:ossified(僵死、保守)

  • GENI 研究可编程网络架构、虚拟化、网络分片 slice)的实验室

  • Virtualized programmable networks could lower the barrier to entry for new ideas。but ambitious and costly。

本文提出的问题是:

As researchers, how can we run experiments in our campus networks?

  • 早期实验人员是怎么把网络设备部署在实验网络的?
  • 实验人员是怎么使用部分网络而不影响其他使用这个网络的人的?
  • 实验用交换机有什么功能需求?

Our goal here: to propose a new switch feature that can help extend programmability into the wiring closet(配线间) of college campuses.

一些弃用的方法:说服有名的厂商为它们的路由器交换机开发一个可编程平台。

  • 接口很狭窄(narrow)
  • 内部灵活性(internal flexiblity)被隐藏
  • differ from vendor to vendor
  • vender 不愿开放接口(害怕既有网络被颠覆、害怕潜在的竞争者等等

还有一些现有市面上的软件平台,不过被弃用了,主要原因是 bad performance ,需要 specialized hardware(part of the
Linux distribution, or from XORP)。或者是(ATCA-based virtualized programmable router)、规模小(NetFPGA,只有四个接口)。

OpenFlow 要:

  • 适合高性能和低成本的实现,灵活性
  • 适合用来做广范围的研究
  • 保证实验流量可以和现实流量分开
  • 符合供应商对封闭平台的需求。

OpenFlow Switch — a specification that is an initial attempt to meet these four goals.

OpenFlow 交换机

对象是交换机、路由器中运用的最多的流表

OpenFlow provides an open protocol to program the flowtable in different switches and routers.

研究人员可以通过选择数据包的路由和接收的处理控制自己的流量,由此可以做新的路由协议的实验、新寻址方法、尝试 IP的替代方案等等、

OpenFlow Switch consists of a Flow Table, an action(extensible, but there is a minimum reqirement) associated with each flow entry.

action的设计因为要达到低花费、高性能、灵活性的要求,这意味着放弃指定任意处理每个数据包的能力,并寻求更有限但仍然有用的行动范围。

OpenFlow 交换机包括至少三个部分:

  • 流表 an action associated with each flow entry, to tell the switch how to process the flow,
  • 安全通道 connects the switch to a remote control process(called the controller)
  • OpenFlow Protocol provides an open and standardway for a controller to communicate with a switch.

OpenFlow Protocol 提供标准外部接口,可以让控制器下发流表。

将交换机归类为不支持正常的第2层和第3层处理的专用OpenFlow交换机(Dedicated OpenFlow switches),以及支持OpenFlow的通用商用以太网交换机和路由器(OpenFlow-enabled switches,OpenFlow协议和接口已添加为新功能)是非常有用的。

专用OpenFlow交换机

专用的OpenFlow交换机是一个哑数据路径元素,在远程控制器进程定义的端口之间转发数据包。

  • flows are broadly defined, (Flow 的定义)

could be a TCP connection, or all packets from a particular MAC address or IP address, or all packets with the same VLAN tag, or all packets from the same switch port. For experiments involving non-IPv4 packets, a flow could be defined as all packets matching a specific (but non-standard) header.

流表的每一个项目里有一个 action 对应,最基础的三个是:

  1. Forward(to a given port or ports)
  2. 发送到控制器。(through Secure Channel)
  3. Drop

流表项的三个字段:(1)一个 header 定义流,(2)定义如何处理包的动作,(3)跟踪每个流的包和字节数的统计,以及 自上次数据包匹配流程以来的时间(以帮助删除不活动的流量)。

支持OpenFlow的通用商用以太网交换机

商用的路由器、交换机、接入点等等可以通过升级,使其支持流表功能、安全通道、OpenFlow 协议。

为了赢得网络管理员的信任,启用OpenFlow的交换机必须将实验流量(由流量表处理)与生产流量隔离,生产流量将由交换机的正常的第2层和第3层流水线处理。(方法有 VLAN、或者加入一种新的 action,就是按照正常的流水线发送此包)

Controller

控制器代表实验添加和删除流表中的流入口。

  • might be a simple application running on a PC to statically establish flows to interconnect a set of test computers for the duration of an experiment.
  • Viewed this way, OpenFlow is a generalization of VLANs.

使用 OpenFlow

As a simple example of how an OpenFlow Switch might be used imagine that Amy (a researcher) invented Amy-OSPF as a new routing protocol to replace OSPF. She wants to try her protocol in a network of OpenFlow Switches, without changing any end-host software. Amy-OSPF will run in a controller; each time a new application flow starts AmyOSPF picks a route through a series of OpenFlow Switches, and adds a flow- entry in each switch along the path. In her experiment, Amy decides to use Amy-OSPF for the traffic entering the OpenFlow network from her own desktop PC— so she doesn’t disrupt the network for others. To do this, she defines one flow to be all the traffic entering the OpenFlow switch through the switch port her PC is connected to, and adds a flow-entry with the action “Encapsulate and forward all packets to a controller”. When her packets reach a controller, her new protocol chooses a route and adds a new flow-entry (for the application flow) to every switch along the chosen path. When subsequent packets arrive at a switch, they are processed quickly (and at line-rate) by the Flow Table.

很自然而然的,我们会对这种中心控制器模型的性能、可靠性、可扩展性提出问题:

  1. fast enough?
  2. controller fails?

Ethane prototype: Preliminary(初期) results suggested that an Ethane controller based on a low-cost desktop PC could process over 10,000 new flows per second

还列了几个实验的例子。

  • Network Management and Access Control

A controller checks a new flow against a set of rules, such as “Guests can communicate using HTTP, but only via a web proxy” or “VoIP phones are not allowed to communicate with laptops.” — it essentially takes over DNS, DHCP and authenticates all users when they join, keeping track of which switch port (or access point) they are connected to.

  • VLANs.

OpenFlow can easily provide users with their own isolated network, just as VLANs do.

  • Mobile wireless VOIP clients.

  • A non-IP network.

OpenFlow doesn’t require packets to be of any one format —— so long as the Flow Table is able to match on the packet header 。This would allow experiments using new naming, addressing and routing schemes

  • Processing packets rather than flows. every packet to be processed.

For example, an intrusion detection system that inspects every packet, an explicit congestion control mechanism, or when modifying the contents of packets, such as when converting packets from one protocol format to another.

总结

我们相信OpenFlow是一个务实的妥协方案,可以让研究人员以统一的方式在异构交换机和路由器上运行实验,而无需供应商公开其产品的内部工作,或研究人员编写供应商特定的控制软件。

如果我们在我们的园区成功部署OpenFlow网络,我们希望OpenFlow将在其他大学逐渐流行起来,增加支持实验的网络数量。 我们希望新一代的控制软件能够出现,使研究人员能够重新使用控制器和实验,并在别人的工作基础上继续努力。 随着时间的推移,我们希望不同大学的OpenFlow网络将通过隧道和覆盖网络相互连接,也许可以通过运行在连接大学的骨干网上的新的OpenFlow网络来实现。

阅读感想

本篇论文可以说是 OpenFlow 和 SDN 的开山之作。提出了 OpenFlow 的创新源泉在于网络协议开发者的痛点:开发新的网络协议的困难之处。着眼点在于实现一个统一的方法方便网络创新实验,对无论是硬件从业人员(做交换机)还是软件开发人员(写控制器、开发新协议)都有好处。介绍了流表表项的机制。OpenFlow的特色:性能好,扩展性,实验的前景。可以实现实验流量和现实流量的分离这点我觉得挺不错的。值得一提的是,和互联网在刚开始的时候只是政府支持的一个小项目,也是以学校为起点,最终成长为今天这样一个强大的工具。而在这点上 OpenFlow 是和 Internet 是一样的。