
Lecture Notes 7 SDN and NFV

This document discusses network virtualization and software defined networks. It defines network functions virtualization as aiming to transform how networks are architected by consolidating network equipment onto standard servers and defining their software. Network functions virtualization is related to and can enhance software defined networking by providing the infrastructure for SDN software. The document also discusses network slicing using Flowvisor, which divides a physical network into logical slices that can each control their own traffic flows and packet forwarding in isolation. Each slice represents a subset of the network traffic defined by packet header fields.

VNU University of Engineering and Technology

Faculty of Electronics and Telecommunications

======================

SOFTWARE DEFINED NETWORKS

Lecture 7: SDN and NFV

Page 1 > Software Defined Networks


Dr. Dinh Thi Thai Mai – VNU UET
Contents

❖ Network Functions Virtualization Definition


❖ Flowvisor and Network Slicing
❖ Network Virtualization in Multi-tenant Data Center

Network Functions Virtualization

Network Functions Virtualization aims to transform the way that network
operators architect networks by evolving standard IT virtualization technology to
consolidate many network equipment types onto industry standard high volume
servers, switches and storage, which could be located in Data Centers, Network
Nodes and in the end user premises.

Network Virtualization Function

Fig: Vision for NFV


Network Virtualization Function

Fig: NFV relationship with SDN


Network Virtualization Function

NFV relationship with SDN

• NFV goals can be achieved using non-SDN mechanisms,
relying on the techniques currently in use in many data
centres. But approaches relying on the separation of the
control and data forwarding planes as proposed by SDN
can enhance performance, simplify compatibility with
existing deployments, and facilitate operation and
maintenance procedures.
• NFV is able to support SDN by providing the infrastructure
upon which the SDN software can be run. Furthermore,
Network Functions Virtualisation aligns closely with the
SDN objectives to use commodity servers and switches.

Network Virtualization Function

Fields of Application and Use Cases of NFV

• Switching elements: BNG, CG-NAT, routers.
• Mobile network nodes: HLR/HSS, MME, SGSN, GGSN/PDN-GW, RNC,
Node B, eNode B.
• Functions contained in home routers and set top boxes to create
virtualised home environments.
• Tunnelling gateway elements: IPSec/SSL VPN gateways.
• Traffic analysis: DPI, QoE measurement.
• Service Assurance, SLA monitoring, Test and Diagnostics.
• NGN signalling: SBCs, IMS.
• Converged and network-wide functions: AAA servers, policy control
and charging platforms.
• Application-level optimisation: CDNs, Cache Servers, Load Balancers,
Application Accelerators.
• Security functions: Firewalls, virus scanners, intrusion detection
systems, spam protection
Network Virtualization Function
Benefits of NFV

• Reduced equipment costs and reduced power consumption through
consolidating equipment and exploiting the economies of scale of the IT
industry
• Increased velocity of Time to Market by minimising the typical network
operator cycle of innovation.
• The possibility of running production, test and reference facilities on the same
infrastructure provides much more efficient test and integration, reducing
development costs and time to market.
• Targeted service introduction based on geography or customer sets is possible.
Services can be rapidly scaled up/down as required. In addition, service
velocity is improved by provisioning remotely in software without any site
visits required to install new hardware.

Network Virtualization Function
Benefits of NFV
• Enabling a wide variety of eco-systems and encouraging openness. It opens
the virtual appliance market to pure software entrants, small players and
academia, encouraging more innovation to bring new services and new
revenue streams quickly at much lower risk.
• Optimizing network configuration and/or topology in near real time based on
the actual traffic/mobility patterns and service demand.
• Supporting multi-tenancy thereby allowing network operators to provide
tailored services and connectivity for multiple users, applications or internal
systems or other network operators, all co-existing on the same hardware with
appropriate secure separation of administrative domains.
• Reduced energy consumption by exploiting power management features in
standard servers and storage, as well as workload consolidation and location
optimisation. For example, relying on virtualisation techniques it would be
possible to concentrate the workload on a smaller number of servers during
off-peak hours (e.g. overnight) so that all the other servers can be switched off
or put into an energy saving mode.[3]
• Improved operational efficiency by taking advantage of the higher uniformity
of the physical network platform and its homogeneity to other support
platforms.
SDN and Virtualization

“Can the Production Network Be the Testbed?” (Flowvisor), OSDI, 2010

“Network Virtualization in Multi-tenant Datacenters,” NSDI 2014

Flowvisor Overview

Fig: Computer virtualization compared with network virtualization. Computer side: Apps on Windows (OS), Linux (OS) and Mac (OS), over Virtualization, over x86 (Computer). Network side: Apps on Controller 1 and Controller 2 (OS), over Virtualization (FlowVisor), over OpenFlow.

Simple, common, stable, hardware substrate below
+ Programmability
+ Strong isolation model

Flowvisor Overview (Cont’d)

• Divide the production network into logical slices
o each slice/service controls its own packet forwarding
o users pick which slice controls their traffic: opt-in
o existing production services run in their own slice
e.g., Spanning tree, OSPF/BGP

• Enforce strong isolation between slices
o actions in one slice do not affect another

• Allows the (logical) slice to mirror the production network
o real hardware, performance, topologies, scale, users

Network slice and flowspace

A network slice controls a subset of traffic
The subset is defined by a collection of packet headers.
o n-bit headers define an n-dimensional space: the flowspace

• Example:
• HTTP traffic – TCP port = 80
• All traffic from node 127.2.1.12 – IP_SRC=127.2.1.12

• A subset of flowspace + a subset of topology = network slice

Substrate: “Flowspace”

Fig: Packet layout: Ethernet (DA, SA, etc) | IP (DA, SA, etc) | TCP (DP, SP, etc) | Payload

Collection of bits to plumb flows (of different granularities) between end points

Fig: Header (user-defined flowspace, “OpenFlow++”) | Payload

Properties of Flowspace

• Backwards compatible
o Current layers are a special case
o No end points need to change
• Easily implemented in hardware
o e.g. TCAM flow-table in each switch
• Strong isolation of flows
o Simple geometric construction
o Can prove which flows can/cannot communicate

FlowSpace: Maps Packets to Slices
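
The mapping from packets to slices, and the "can prove which flows can/cannot communicate" property from the previous slide, as an added example (not part of the original lecture and not FlowVisor code). It assumes a rule is a flat dict of header fields where a missing field is a wildcard, with prefix matching only on ip_src/ip_dst; the field names and the three slices are constructed around the TCP port 80 and IP_SRC=127.2.1.12 matches given earlier.

```python
import ipaddress
from itertools import combinations

PREFIX_FIELDS = ("ip_src", "ip_dst")   # matched as CIDR prefixes; others exactly

def meet_field(name, a, b):
    """Intersect one header field of two rules. None means wildcard."""
    if a is None or b is None:
        return True, (b if a is None else a)
    if name in PREFIX_FIELDS:
        na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
        if na.subnet_of(nb):
            return True, a
        if nb.subnet_of(na):
            return True, b
        return False, None
    return a == b, a

def intersect(r1, r2):
    """Region of flowspace covered by both rules, or None if they are disjoint."""
    region = {}
    for name in set(r1) | set(r2):
        ok, value = meet_field(name, r1.get(name), r2.get(name))
        if not ok:
            return None
        region[name] = value
    return region

def matches(rule, packet):
    """True if a concrete packet (dict of header values) lies inside the rule."""
    return all(k in packet and meet_field(k, v, packet[k])[0] for k, v in rule.items())

def owners(slices, packet):
    """Names of every slice whose flowspace contains the packet."""
    return sorted(n for n, rules in slices.items() if any(matches(r, packet) for r in rules))

def overlaps(slices):
    """Pairs of slices that share flowspace, with the shared region as proof."""
    found = []
    for (a, ra), (b, rb) in combinations(sorted(slices.items()), 2):
        for x in ra:
            for y in rb:
                region = intersect(x, y)
                if region is not None:
                    found.append((a, b, region))
    return found

def restrict(slice_rules, match):
    """Policy check: narrow a controller's match to the slice; [] means reject."""
    regions = (intersect(match, rule) for rule in slice_rules)
    return [r for r in regions if r is not None]

# Constructed slice definitions using the two matches from the slide.
SLICES = {
    "http": [{"ip_proto": 6, "tcp_dst": 80}],
    "voip": [{"ip_proto": 17, "udp_dst": 5060}],
    "node": [{"ip_src": "127.2.1.12"}],
}

if __name__ == "__main__":
    for a, b, region in overlaps(SLICES):
        print(f"{a} and {b} are not isolated: {region}")
```

A non-empty result from `overlaps` is the case a slice policy has to resolve before the slices can be called isolated: HTTP traffic from 127.2.1.12 lies in both the "http" and "node" flowspaces.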

Real User Traffic: Opt-In

• Allow users to Opt-In to services in real-time
o Users can delegate control of individual flows to Slices
o Add new FlowSpace to each slice's policy

• Example:
o "Slice 1 will handle my HTTP traffic"
o "Slice 2 will handle my VoIP traffic"
o "Slice 3 will handle everything else"

• Creates incentives for building high-quality services

Slicing control & data planes

Slicing OpenFlow

Network Slicing Architecture

A network slice is a collection of sliced switches/routers

• Data plane is unmodified
- Packets forwarded with no performance penalty
- Slicing with existing ASIC

• Transparent slicing layer
- each slice believes it owns the data path
- enforces isolation between slices
• i.e., rewrites, drops rules to adhere to slice policy
- forwards exceptions to correct slice(s)

Slicing Policies

The policy specifies resource limits for each slice:

- Link bandwidth
- Maximum number of forwarding rules
- Topology
- Fraction of switch/router CPU

FlowSpace: which packets does the slice control?

FlowVisor Slicing Example
Fig (labels): Alice’s Controller, Bob’s Controller; OpenFlow Protocol; FlowVisor; OpenFlow Protocol; OpenFlow Switches



4/20/2022 Dr. Dinh Thi Thai Mai – VNU - UET
FlowVisor Slicing Example (Cont’d)
Fig (labels): http Load-balancer, Multicast, Broadcast; OpenFlow Protocol; FlowVisor; OpenFlow Protocol; OpenFlow Switches

FlowVisor Slicing Example (Cont’d)

Fig (labels): Tricast, LTE-WiFi Handover, Lossless Handover, Learning switch, Mobile VMs, New BGP; Bob’s FlowVisor, Alice’s FlowVisor, GENI’s FlowVisor, Production Network Controller; OpenFlow Protocol; Network Administrator’s FlowVisor; OpenFlow Protocol; OpenFlow Switches

FlowVisor Implemented on OpenFlow
Fig (labels): Custom Control Plane: OpenFlow Controllers on Servers; Network: OpenFlow Protocol, FlowVisor; Stub Control Plane: OpenFlow Firmware; Data Plane: Data Path; Switch/Router

FlowVisor Message Handling
Fig (labels): Alice Controller, Bob Controller, Cathy Controller; Rule (OpenFlow) into FlowVisor, Policy Check: Is this rule allowed?; Exception (OpenFlow) into FlowVisor, Policy Check: Who controls this packet?; OpenFlow Firmware; Data Path: Packet, Full Line Rate Forwarding

Source: R. Sherwood

Flowvisor implementation

• Message to control plane
• Message to forwarding plane
• Bandwidth isolation
• Device CPU isolation
• Flow entry isolation

Flowvisor implementation

Message to control plane
❖ Rewrites message from OpenFlow switch to slice controller for
transparency
❖ only send message when switch is in slice topology
❖ slice controller only sees the ports that appear in the slice
❖ port up/down message only to affected slices
Message to forwarding plane
❖ rewrite the insert and delete flow table messages
❖ only to the switches in the slice

Flowvisor implementation

Bandwidth isolation
❖ per-port queues in switch hardware
❖ Flowvisor creates a per-slice queue on each port
❖ queue is configured for a certain bandwidth as defined in slice
definition
❖ rewrite rules from “send out port X” to “send out queue Y on X”.

Flowvisor implementation

• CPU isolation
❖ Device CPUs on commodity network hardware are low-power
embedded processors, easily overloaded, with no isolation mechanism
❖ Workaround: no slice monopolizes device CPU
❖ Limiting rule insertion rate from controller
❖ Use periodic drop rules to throttle exceptions
• Flow table entry isolation
❖ Enforce what is defined by the slice
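
The per-slice checks from the last three implementation slides, applied to one flow-table insert, as an added example (not part of the original lecture and not FlowVisor code). The message layout, the `SliceGuard` class and the token-bucket rate limit are assumptions chosen for illustration; real OpenFlow messages are binary and carry more fields.

```python
class SliceGuard:
    """Checks a slicing layer applies to one slice's flow-table inserts."""

    def __init__(self, name, ports, queue_id, max_rules, rate, burst):
        self.name = name
        self.ports = ports            # {switch: set of ports in the slice topology}
        self.queue_id = queue_id      # per-slice queue configured on each port
        self.max_rules = max_rules    # flow entry isolation
        self.rate = rate              # rule inserts per second (device CPU isolation)
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0
        self.installed = 0

    def _take_token(self, now):
        """Token bucket: refill by elapsed time, spend one token per insert."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

    def rewrite_insert(self, msg, now):
        """Return (rewritten message, None) or (None, rejection reason)."""
        allowed = self.ports.get(msg["switch"])
        if allowed is None:
            return None, "switch not in slice topology"
        actions = []
        for action in msg["actions"]:
            if action[0] != "output":
                actions.append(action)
            elif action[1] not in allowed:
                return None, f"port {action[1]} not in slice"
            else:   # "send out port X" becomes "send out queue Y on X"
                actions.append(("enqueue", action[1], self.queue_id))
        if self.installed >= self.max_rules:
            return None, "flow entry limit reached"
        if not self._take_token(now):
            return None, "rule insertion rate exceeded"
        self.installed += 1
        return dict(msg, actions=actions), None

def port_status_recipients(guards, switch, port):
    """A port up/down event goes only to slices whose topology has that port."""
    return sorted(g.name for g in guards if port in g.ports.get(switch, ()))

if __name__ == "__main__":
    # Constructed slice and message.
    alice = SliceGuard("alice", {"s1": {1, 2}}, queue_id=3, max_rules=100, rate=10, burst=5)
    msg = {"switch": "s1", "match": {"tcp_dst": 80}, "actions": [("output", 2)]}
    print(alice.rewrite_insert(msg, now=0.0))
```

Rejected messages never reach the switch, so they do not spend a token or count against the slice's flow entries.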

Conclusion

• Network slicing can help perform more realistic
evaluations and support multiple tenants

• FlowVisor allows experiments to run concurrently
but safely on the production network

• Currently limited to subsets of actual topology
- Add virtual links, nodes support

Multi-tenant datacenter challenges

❖ Tenants want to move their code from their enterprises directly to
datacenters without modification
❖ Different services require different topologies – flat L2, some L3,
multiple levels of services
❖ Address space: virtualized workload should not operate in the same
address space as the physical network (VM’s IP is learned from the first
L3 router!)
❑ Cannot move VM to arbitrary locations
❑ Tenant cannot manage its own IP
❑ Operator cannot change the addressing type.

Multi-tenant datacenter challenges

Ideal multi-tenant datacenter:
❖ Arbitrary network topologies and addressing architectures could be
overlaid over the same physical network.
❖ Network virtualization: not clear what it is
❑ a network virtualization layer allows for the creation of virtual
networks, each with independent service models, topologies, and
addressing architectures, over the same physical network. Each tenant
can configure its own virtual network
❑ Existing mechanisms all fall short: VLAN, NAT, MPLS, VRF
(Virtualized L3 FIB)

Network hypervisor

Network virtualization platform
❖ Control abstraction: allow tenants to define logical network elements that
can be configured
❖ Packet abstraction: packets from the end hosts have the same switching,
forwarding, and filtering behavior as configured by the tenant

GENERALITY OF DATAPATH
Fig (labels): three logical datapaths, each under its own control plane (Switch CP, Router CP, Switch CP), with pipelines ACL, L2, ACL; ACL, L2, L3, ACL; ACL, L2, ACL. Panels: One logical switch; 2-tier logical topology; Arbitrary logical topology.

Faithful reproduction of physical network service model.

Virtualization architecture

• Implement the logical data path in the host vswitch inside the host hypervisor for point-to-point
traffic – tunnel between hypervisors
o Use SDN controller to set the first-hop vswitch.
• Use service node to support broadcast/multicast
• Use gateway node to support communication with outside

INSIDE THE VIRTUAL SWITCH

Fig (labels): Logical Topology with three datapaths (ACL, L2, ACL; ACL, L2, L3, ACL; ACL, L2, ACL) mapped onto a row of OF entries in the First-hop vSwitch. Processing stages, in order:
• Identify logical ingress port
• Execute 1st logical datapath
• Determine the next logical datapath
• 2nd logical datapath
• Determine the next…
• 3rd logical datapath
• Send to tunnel

Computation challenges

Most maintain O(N^2) flows for N end-points with frequent dynamic changes.
❖ Controllers learn the location of VMs
❖ Controllers proactively compute and push all forwarding state required
to connect the VMs

Forwarding State = F(configuration, VM locations)

Solution to computation challenges

❖ Incremental computation and pushing for quick updates.
❖ Share the computation across controller cluster.
❖ Use a language to program F
❑ avoid handwritten finite state machines, all are generated
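
Forwarding State = F(configuration, VM locations) and its incremental update on a VM move, as an added example (not part of the original lecture and not code from the NSDI paper). The entry model, one entry per (hypervisor, logical switch, destination VM), and all names are assumptions made to keep F small.

```python
def forwarding_state(config, loc):
    """F(configuration, VM locations): first-hop entries for every hypervisor.

    Returns {(hypervisor, logical switch, dst VM): action}.
    """
    state = {}
    for ls, vms in config.items():
        for hv in {loc[v] for v in vms}:      # hypervisors hosting this logical switch
            for dst in vms:
                state[(hv, ls, dst)] = "local" if loc[dst] == hv else ("tunnel", loc[dst])
    return state

def diff(old, new):
    """Updates to push: entries to install or overwrite, and keys to remove."""
    put = {k: v for k, v in new.items() if old.get(k) != v}
    drop = sorted(k for k in old if k not in new)
    return put, drop

def move_vm(state, config, loc, vm, new_hv):
    """Recompute only the logical switches that contain `vm`.

    Updates `state` in place and returns (new locations, put, drop), where
    put and drop are the only entries that have to be pushed to hypervisors.
    """
    new_loc = {**loc, vm: new_hv}
    affected = {ls: vms for ls, vms in config.items() if vm in vms}
    old_part = {k: v for k, v in state.items() if k[1] in affected}
    put, drop = diff(old_part, forwarding_state(affected, new_loc))
    for key in drop:
        del state[key]
    state.update(put)
    return new_loc, put, drop

# Constructed configuration: two logical switches, five VMs on three hypervisors.
CONFIG = {"ls-a": ["vm1", "vm2", "vm3"], "ls-b": ["vm4", "vm5"]}
LOCATIONS = {"vm1": "hv1", "vm2": "hv2", "vm3": "hv3", "vm4": "hv1", "vm5": "hv2"}

if __name__ == "__main__":
    state = forwarding_state(CONFIG, LOCATIONS)
    _, put, drop = move_vm(state, CONFIG, LOCATIONS, "vm3", "hv1")
    print(f"{len(state)} entries after the move; pushed {len(put)} puts, {len(drop)} deletes")
```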

LESSONS LEARNT: ABSTRACTIONS
Fig (labels): “Basic Enterprise App”: a logical switch; “Modern App”: two tier logical network; “Bank”: arbitrary logical network

• Assumptions about logical network structure often embedded into the workload.

• A single L2 domain sufficient for initial, simple workloads.

• To support more complex workloads without changing them, more complex logical
topologies become a necessity.

LESSONS: FAILURE ISOLATION

Two Channels, No Atomic Updates (OpenFlow, OVSDB)
• Proactive pushing of all state not enough to decouple controllers from data plane.
• Connection may die while pushing updates.
Data plane may operate over incomplete state!

One Channel, Atomic Updates (Custom Protocol; Batch 1, Batch 2, … Batch N)
• Atomically applied, batched updates.
• Connection failure does not result in incomplete state.
At most old state.
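
The difference between the two columns when the connection dies mid-push, as an added example (not part of the original lecture). The `VSwitch` class, the ("fwd"/"acl", VM) entry keys and the sample entries are constructed, and the two-channel case is simplified to one non-atomic stream.

```python
class VSwitch:
    """Hypervisor vswitch whose state a controller updates over a connection."""

    def __init__(self, state):
        self.state = dict(state)

    def push_stream(self, updates, dies_after=None):
        """No atomic updates: every entry takes effect the moment it arrives."""
        for i, (key, value) in enumerate(updates):
            if i == dies_after:
                return False              # connection died mid-push
            self.state[key] = value
        return True

    def push_batch(self, updates, dies_after=None):
        """Atomic updates: stage the batch, swap it in only once it is complete."""
        staged = dict(self.state)
        for i, (key, value) in enumerate(updates):
            if i == dies_after:
                return False              # staged copy is discarded, old state stays
            staged[key] = value
        self.state = staged
        return True

def unfiltered(state):
    """VMs that have a forwarding entry but no ACL entry (incomplete state)."""
    fwd = {vm for kind, vm in state if kind == "fwd"}
    acl = {vm for kind, vm in state if kind == "acl"}
    return sorted(fwd - acl)

# Constructed state and update: a new VM gets a forwarding entry and its ACL.
OLD = {("fwd", "vm1"): ("tunnel", "hv2"), ("acl", "vm1"): "allow tcp/443"}
UPDATE = [
    (("fwd", "vm9"), ("tunnel", "hv3")),
    (("acl", "vm9"), "allow tcp/22 from 10.0.0.0/8"),
]

if __name__ == "__main__":
    streamed, batched = VSwitch(OLD), VSwitch(OLD)
    streamed.push_stream(UPDATE, dies_after=1)
    batched.push_batch(UPDATE, dies_after=1)
    print("stream leaves unfiltered:", unfiltered(streamed.state))
    print("batch leaves unfiltered:", unfiltered(batched.state))
```

With the streamed push, vm9 is reachable before its ACL exists; with the batched push the vswitch keeps forwarding on the old, complete state.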

Conclusion

OpenFlow can facilitate network virtualization

The current practice of network virtualization is not ideal. This paper presents
a limited form of network virtualization for special cases.
