SDNv6 Part1

Uploaded by mariamyammoun

Software Defined Network: SDN

Khalid EL BAAMRANI

ENSA de Marrakech

Agenda
• General introduction to SDN
• SDN Basics
• SDN Concepts
• OpenFlow Protocol
• OpenFlow Switches
• OpenFlow Controllers
• QoS in SDN
• FlowVisor
• NFV
• SDN Security
• Mininet
What is software defined networking?
 Software-defined networking (SDN) is an approach to computer networking that separates the data plane from the control plane. It allows network administrators to manage network services through abstraction of lower-level functionality.

 SDN is
 Directly programmable: network control is programmable because it is decoupled from forwarding functions
 Agile: administrators can dynamically adjust network-wide traffic flow to meet changing needs.
 Centrally managed: network intelligence is logically centralized.
 Open standards-based and vendor-neutral


SDN Concept
 Separate Control plane and Data plane entities
 Network intelligence and state are logically centralized
 The underlying network infrastructure is abstracted from the
applications
 Execute or run Control plane software on general
purpose hardware
 Decouple from specific networking hardware
 Use commodity servers
 Have programmable data planes
 Maintain, control and program data plane state from a
central entity
 An architecture to control not just a networking
device but an entire network

Software Defined Networks Architecture
 Write a simple program to configure a simple model
 Configuration merely a way to specify what you want
 Examples
 ACLs: who can talk to who
 Isolation: who can hear my broadcasts
 Routing: only specify routing to the degree you care
 QoS: specify in terms of quality of service, not routes
 Controller “compiles” these requirements
 Produces suitable configuration of actual network devices
 Controller then transmits these settings to physical
boxes


Northbound API
 The northbound API interface enables applications
and the overall management system to program
the network and request services from it
 No standards have been ratified for northbound
APIs, with several open and proprietary protocols
being developed using different northbound APIs.
 REST
 RESTful
 RESTConf

Southbound API
 The southbound API defines the programming
interface between the controller and the
network switches
 SNMP
 BGP
 Netconf
 Openflow
 OpenFlow is one of the most widely accepted standards for the southbound API


SDN vs Conventional network

SDN | Conventional
Controller may not be in the same box as the forwarding hardware | Forwarding hardware and its control are in the same box
Centralized routing algorithm with logically global view | Distributed routing algorithm
Network functions are realized with a global view | Network functions must be realized in a distributed manner, subject to error
How is SDN changing industry?
Startups
 Big Switch Networks: OpenFlow-based SDN switches, controllers and monitoring tools; acquired by Arista in February 2020
 Embrane: layer 3-7 SDN services to enterprises and service providers. April 13, 2015: Cisco announced that it has acquired Embrane
 Accelera: software defined wireless networks funded by Stanford Professor Andrea Goldsmith
 Nicira: was founded in 2007 by Martin Casado, Nick McKeown and Scott Shenker, whose mission was to virtualize the network. On July 23, 2012, VMware announced they intended to acquire Nicira for $1.26 billion
 Nov 6, 2013: Cisco buys for $838M
 Viptela provides Software-Defined Wide Area Network (SD-WAN) technology that allows global companies to build cost-effective WANs. August 2017: Cisco announced that it has completed the acquisition of Viptela for $610M
 August 1, 2017: Cisco buys Viptela for $610M

How is SDN changing research?

Ease of trying new ideas
 Existing tools: NOX, Beacon, switches, Mininet
 More rapid technology transfer
 GENI, OFELIA and many more

A stronger foundation to build on
 Provable properties of forwarding
 New languages and specification tools
OPENFLOW

What is OpenFlow

OpenFlow
 is a protocol for remotely controlling the
forwarding table of a switch or router
 is one element of SDN

What is OpenFlow
 OpenFlow is similar to an x86 instruction set for the network
 Provides an open interface to "black box" networking nodes (i.e. routers, L2/L3 switches) to enable visibility and openness in the network
 Separation of control plane and data plane.
 The datapath of an OpenFlow switch consists of a flow table, and an action associated with each flow entry
 The control path consists of a controller which programs the flow entries in the flow table
 OpenFlow is based on an Ethernet switch, with an internal flow table, and a standardized interface to add and remove flow entries
 OpenFlow defines the standard interface to add and remove flow entries in the table

What is OpenFlow
 An Openflow switch (Ethernet switch) has an
internal flow table.
 If a packet matches an entry in the flow table,
perform the actions (e.g. forward to port 10)
according to the flow table.
 If a packet does not match any entry in the flow table, send it to the OpenFlow controller
 The controller will figure out what to do with such a packet
 The controller will then respond to the switch, informing it how to handle such a packet so that the switch knows how to deal with such packets next time.
 For each flow, ideally the controller will be queried once.
History of OpenFlow
 2006: Martin Casado, a PhD student at Stanford, proposed a clean-slate security architecture (SANE) which defines centralized control of security. Ethane generalizes it to all access policies.
 2007: Martin Casado co-founds Nicira
 2008: Nicira Networks released the NOX platform.
 April 2008: OpenFlow paper in ACM SIGCOMM CCR
 2009: Stanford publishes OpenFlow V1.0.0 specs
 March 2011: Open Networking Foundation is formed
 Oct 2011: First Open Networking Summit.
 2012: ONF released OpenFlow 1.3
 2013: ONF released OpenFlow 1.4
 Dec. 19th, 2014: ONF released OpenFlow 1.5
 April 2015: The current version of OpenFlow is 1.5.1.
 September 2016: version 1.6 has been available but accessible only to ONF's members.

Components of OpenFlow Network

 Controller
 OpenFlow protocol
messages
 Controlled channel
 Processing
 Packet Matching
 Instructions & Action Set

 OpenFlow switch
 Secure Channel (SC)
 Flow Table
 Flow entry

Secure Channel (SC)

 SC is the interface that connects each OpenFlow switch to the controller
 A controller configures and manages the switch via this interface.
 Receives events from the switch
 Sends packets out of the switch
 SC establishes and terminates the connection between the OpenFlow switch and the controller using the procedures
 Connection Setup
 Connection Interrupt
 The SC connection is a TLS connection. Switch and controller mutually authenticate by exchanging certificates signed by a site-specific private key.

Flow Table

Each flow entry has three parts: Rule | Action | Stats

Stats: packet + byte counters

Actions:
1. Forward packet to zero or more ports
2. Encapsulate and forward to controller
3. Send to normal processing pipeline
4. Modify fields
5. Any extensions you add!

Rule (header fields): Switch Port | VLAN ID | VLAN prt | MAC src | MAC dst | Eth type | IP Src | IP Dst | IP ToS | IP Prot | L4 sport | L4 dport
+ mask what fields to match
Examples

Columns: Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action

Switching
* | * | 00:1f:.. | * | * | * | * | * | * | * | port6

Flow Switching
port3 | 00:20.. | 00:1f.. | 0800 | vlan1 | 1.2.3.4 | 5.6.7.8 | 4 | 17264 | 80 | port8

Firewall
* | * | * | * | * | * | * | * | * | 22 | drop

Routing
* | * | * | * | * | * | 5.6.7.8 | * | * | * | port6

VLAN Switching
* | * | 00:1f.. | * | vlan1 | * | * | * | * | * | port7, port8, port9
OpenFlow specifications
 From 1.0.0 to 1.5.1
 Briefly introduce concepts in versions 1.0.0 to 1.2.0

OpenFlow 1.0 concepts
 Messaging between controller and switch
 Actions and packet forwarding
 Flow table
 Packet matching
Openflow 1.1 concepts
 Multiple flow tables
 Groups
 MPLS and VLAN tag support
 Virtual ports


OpenFlow 1.2.0 concepts
 IPv6
 Multiple controller enhancements
 Etc.

 Later versions of the OpenFlow specification support more necessary functions.
 1.3, 1.4, 1.5, 1.6 (2016)
Pipelining processing
 The flow tables of a switch are sequentially numbered, starting at 0
 A packet is processed sequentially in multiple flow tables (version 1.1)
 If a flow entry is found, the instruction set included in that flow entry is executed
 Instructions may explicitly direct the packet to another flow table ("goto-table")
 Pipeline processing can only go forward, never backward
 Two-stage pipeline processing (version 1.5)
 Ingress processing
 Mandatory, performed before egress processing, uses the rules specified in ingress tables
 Egress processing
 Optional, performed in the context of the output port, uses the rules specified in egress tables
 Useful to manage complicated processing
 E.g., table 1 for VLAN processing, table 2 for multicast group processing
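The flow-table examples above (switching by destination MAC, firewall drop on TCP port 22) together with the goto-table pipelining and table-miss behaviour described here, as an added Python model that is not code from the slides; the field names, flow entries and packets are constructed for illustration, and the model enforces the forward-only rule when an entry is installed.

```python
# Added example (not from the slides): a minimal model of OpenFlow flow tables
# with wildcard matching, priority ordering, table-miss handling (packet-in to
# the controller) and goto-table pipelining that may only move forward.
from dataclasses import dataclass
from typing import Dict, List, Optional

WILDCARD = "*"

@dataclass
class FlowEntry:
    match: Dict[str, str]             # field -> value, or "*" to wildcard the field
    priority: int
    actions: List[str]                # e.g. ["output:port6"] or ["drop"]
    goto_table: Optional[int] = None  # instruction: continue in a later table
    packets: int = 0                  # stats: packet counter
    bytes: int = 0                    # stats: byte counter

def matches(entry: FlowEntry, pkt: Dict[str, str]) -> bool:
    """Every rule field is either wildcarded or equal to the packet's value."""
    return all(v == WILDCARD or pkt.get(k) == v for k, v in entry.match.items())

class Switch:
    def __init__(self, n_tables: int):
        self.tables: List[List[FlowEntry]] = [[] for _ in range(n_tables)]
        self.packet_in: List[Dict[str, str]] = []  # packets encapsulated to the controller

    def add_flow(self, table: int, entry: FlowEntry) -> None:
        if entry.goto_table is not None and entry.goto_table <= table:
            raise ValueError("goto-table may only point forward in the pipeline")
        self.tables[table].append(entry)
        self.tables[table].sort(key=lambda e: -e.priority)  # highest priority first

    def process(self, pkt: Dict[str, str], size: int = 64) -> List[str]:
        """Run the ingress pipeline from table 0 and return the final action set."""
        table, action_set = 0, []
        while True:
            hit = next((e for e in self.tables[table] if matches(e, pkt)), None)
            if hit is None:
                # Table miss with no table-miss entry: send the packet to the controller.
                self.packet_in.append(pkt)
                return ["controller"]
            hit.packets += 1
            hit.bytes += size
            if hit.actions:
                action_set = hit.actions      # later tables overwrite the action set
            if hit.goto_table is None:
                return action_set             # end of pipeline: execute the action set
            table = hit.goto_table

def demo() -> Switch:
    """Constructed two-table switch: table 0 is a firewall, table 1 does switching."""
    sw = Switch(n_tables=2)
    sw.add_flow(0, FlowEntry({"tcp_dport": "22"}, priority=100, actions=["drop"]))
    sw.add_flow(0, FlowEntry({}, priority=0, actions=[], goto_table=1))  # everything else
    sw.add_flow(1, FlowEntry({"mac_dst": "00:1f:00:00:00:01"}, priority=10,
                             actions=["output:port6"]))
    return sw
```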

[Figure: pipeline diagram. Packet In → Flow Table 0 … Flow Table n (ingress processing) → Flow Table e … Flow Table e+m (egress processing) → Packet Out; each table applies its own instructions/actions.]

[Figure: packet-processing flowchart. Ingress: on a match in table n, update counters and execute the instruction set (update action set, packet headers, match set fields and pipeline fields; clone the packet to egress as needed); if the instructions contain Goto-Table, continue in that table, otherwise execute the action set (group action, then output action). On a miss, use the table-miss flow entry if one exists, otherwise drop the packet. If the switch has egress tables, egress processing starts with action set = {output port} at the first egress table and repeats the same match/miss logic before Packet Out; otherwise the packet is output directly.]
OpenFlow Messages
 Controller-to-switch messages are initiated by the controller and used to directly manage or inspect the state of the switch
 Features, config, modify state, read state, packet-out, etc.
 Asynchronous messages are initiated by the switch and used to update the controller about network events and changes to the switch state
 Packet-in, flow removed/expired, port status, error, etc.
 Symmetric messages are initiated by either the switch or the controller and sent without solicitation
 Hello, Echo, etc.

Controller-to-switch Messages
 Features: The controller may request the capabilities of a
switch by sending a features request; the switch must
respond with a features reply that specifies the
capabilities of the switch. This is commonly performed
upon establishment of the OpenFlow channel.
 Configuration: The controller can set and query
configuration parameters in the switch
 Modify-State: Modify-State messages are sent by the
controller to manage state on the switches. Their primary
purpose is to add/delete and modify flows in the
OpenFlow tables and to set switch port properties
Controller-to-switch Messages
 Read-State: Read-State messages are used by
the controller to collect statistics from the
switch.
 Packet-out: Used by the controller to send
packets out of a specified port on the switch,
and to forward packets received via Packet-in
messages
 Barrier: Barrier request/reply messages are used
by the controller to receive notifications for
completed operations


Asynchronous Messages
 Packet-in: For all packets that do not have a matching flow
entry, a packet-in event may be sent to the controller
 Flow-Removed: When a flow entry is added to the switch by a
flow modify message, an idle timeout value indicates when
the entry should be removed due to a lack of activity, as well
as a hard timeout value that indicates when the entry should
be removed when the flow expires, regardless of activity.
 Port-status: The switch is expected to send port-status
messages to the controller as port configuration state
changes (for example down/up).
 Error: The switch is able to notify the controller of problems
using error messages.
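The idle and hard timeouts behind the Flow-Removed message, as an added Python simulation that is not from the slides: an entry is removed when no packet has hit it for idle_timeout seconds, or when hard_timeout seconds have passed since installation regardless of activity, and each removal is reported to the controller. The entry names and the timeline are constructed.

```python
# Added example (not from the slides): flow entry lifetime under idle and hard
# timeouts, producing the Flow-Removed events a switch would send the controller.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class TimedEntry:
    name: str
    installed_at: float
    idle_timeout: int     # seconds without a matching packet; 0 = never idle-expires
    hard_timeout: int     # seconds since installation; 0 = never hard-expires
    last_hit: float = 0.0

    def __post_init__(self) -> None:
        self.last_hit = self.installed_at

    def expiry_reason(self, now: float) -> Optional[str]:
        # Hard timeout is checked first: it applies regardless of activity.
        if self.hard_timeout and now - self.installed_at >= self.hard_timeout:
            return "hard timeout"
        if self.idle_timeout and now - self.last_hit >= self.idle_timeout:
            return "idle timeout"
        return None

class FlowTable:
    def __init__(self) -> None:
        self.entries: List[TimedEntry] = []
        self.flow_removed: List[Tuple[str, str]] = []  # (entry, reason) sent to controller

    def packet(self, name: str, now: float) -> None:
        """A packet matched the named entry: refresh its idle timer."""
        for e in self.entries:
            if e.name == name:
                e.last_hit = now

    def expire(self, now: float) -> None:
        """Remove expired entries and queue a Flow-Removed event for each."""
        keep = []
        for e in self.entries:
            reason = e.expiry_reason(now)
            if reason:
                self.flow_removed.append((e.name, reason))
            else:
                keep.append(e)
        self.entries = keep

def timeline() -> List[Tuple[str, str]]:
    """Constructed scenario: one idle rule, one busy rule, one permanent rule."""
    t = FlowTable()
    t.entries = [TimedEntry("ssh-drop", 0, idle_timeout=10, hard_timeout=60),
                 TimedEntry("web-fwd", 0, idle_timeout=10, hard_timeout=60),
                 TimedEntry("static", 0, idle_timeout=0, hard_timeout=0)]
    for now in range(5, 70, 5):
        t.packet("web-fwd", now)   # web traffic keeps hitting its entry every 5 s
        t.expire(now)
    return t.flow_removed
```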
Symmetric Messages
 Hello: Hello messages are exchanged between
the switch and controller upon connection
startup.
 Echo: Echo request/reply messages can be sent
from either the switch or the controller, and must
return an echo reply.
 Experimenter: Experimenter messages provide a
standard way for OpenFlow switches to offer
additional functionality within the OpenFlow
message type space. This is a staging area for
features meant for future OpenFlow revisions.

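The common 8-byte OpenFlow header and the symmetric Hello/Echo exchange, as an added Python model that is not code from the slides. The header layout and the message type numbers (Hello = 0, Error = 1, Echo request = 2, Echo reply = 3, version byte 0x01 for OpenFlow 1.0) are those of the specification; the transaction ids and payloads are constructed, and the TLS transport of the Secure Channel is left out.

```python
# Added example (not from the slides): encode/decode the OpenFlow header
# (version, type, length, xid, all big-endian) and simulate the symmetric
# Hello and Echo messages between a switch and a controller.
import struct
from typing import Optional, Tuple

OFP_VERSION_10 = 0x01
OFPT_HELLO, OFPT_ERROR, OFPT_ECHO_REQUEST, OFPT_ECHO_REPLY = 0, 1, 2, 3
HEADER = struct.Struct("!BBHI")   # uint8 version, uint8 type, uint16 length, uint32 xid

def encode(msg_type: int, xid: int, payload: bytes = b"",
           version: int = OFP_VERSION_10) -> bytes:
    """Length covers header plus payload, as the spec requires."""
    return HEADER.pack(version, msg_type, HEADER.size + len(payload), xid) + payload

def decode(data: bytes) -> Tuple[int, int, int, bytes]:
    """Return (version, type, xid, payload); reject truncated or inconsistent frames."""
    if len(data) < HEADER.size:
        raise ValueError("short header")
    version, msg_type, length, xid = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("length field does not match the frame")
    return version, msg_type, xid, data[HEADER.size:length]

class Peer:
    """Either end of the channel; symmetric messages need no prior request."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.negotiated_version: Optional[int] = None

    def handle(self, frame: bytes) -> bytes:
        version, msg_type, xid, payload = decode(frame)
        if msg_type == OFPT_HELLO:
            # Both sides send Hello on connect; OpenFlow 1.0 uses the lower version.
            self.negotiated_version = min(version, OFP_VERSION_10)
            return encode(OFPT_HELLO, xid)
        if msg_type == OFPT_ECHO_REQUEST:
            # The reply must carry back the request's xid and payload unchanged.
            return encode(OFPT_ECHO_REPLY, xid, payload)
        return encode(OFPT_ERROR, xid, b"unsupported message type")

def exchange() -> dict:
    """Constructed session: Hello in both directions, then a liveness Echo."""
    controller, switch = Peer("controller"), Peer("switch")
    hello_reply = switch.handle(encode(OFPT_HELLO, xid=1))
    controller.handle(hello_reply)
    echo_reply = switch.handle(encode(OFPT_ECHO_REQUEST, xid=42, payload=b"liveness"))
    return {"hello_type": decode(hello_reply)[1], "echo": decode(echo_reply),
            "version": switch.negotiated_version}
```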


OPENFLOW SWITCHES

Hardware OpenFlow Switches
 Arista 7050
 Brocade MLXe, Brocade CER, Brocade CES
 Extreme Summit x440, x460, x670
 Huawei openflow-capable router platforms
 HP 3500, 3500yl, 5400zl, 6200yl, 6600, and 8200zl (the old- style L3
hardware match platform)
 HP V2 line cards in the 5400zl and 8200zl (the newer L2 hardware match
platform)
 IBM 8264
 Juniper (MX, EX)
 NEC IP8800, NEC PF5240, NEC PF5820
 NetGear 7328SO, NetGear 7352SO
 Pronto (3290, 3295, 3780) - runs the shipping pica8 software

Software OpenFlow Switches

 Indigo: Open source implementation that runs on physical switches and uses features of the ASICs to run OpenFlow
 LINC: Open source implementation that runs on Linux, Solaris, Windows, MacOS, and FreeBSD
 Pantou: Turns a commercial wireless router/access point into an OpenFlow enabled switch. Supports generic Broadcom and some models of LinkSys and TP-Link access points with Broadcom and Atheros chipsets.
 Of13softswitch: User-space software switch based on Ericsson TrafficLab 1.1 softswitch
 XORPlus: Open source switching software to drive high-performance ASICs. Supports STP/RSTP/MSTP, LACP, QoS, VLAN, LLDP, ACL, OSPF/ECMP, RIP, IGMP, IPv6, PIM-SM
 OpenvSwitch: Open Source Virtual Switch
What is OVS?
• OVS is a production quality, multilayer virtual switch licensed
under the open-source Apache 2.0 license
• It is designed to enable network automation through
programmatic extension, while still supporting standard
management interfaces and protocols (e.g., CLI, 802.1Q)
• OVS can operate both as a soft switch running within the
hypervisor, and as the control stack for switching silicon
• It has been ported to virtualization platforms and switching
chipsets

What is OVS?
• An OVS switch forwards packets based on flow (rather than based on destination MAC or destination IP)
• A flow can be identified by a tuple (combination of fields)
 IPv4 or IPv6 source address
 IPv4 or IPv6 destination address
 Input port
 Ethernet frame type
 VLAN ID (802.1Q)
 TCP/UDP source port
 TCP/UDP destination port
 Ethernet source address
 Ethernet destination address
 IP ToS (DSCP field)
 …
OVS features
• Visibility into inter-VM communication via NetFlow, sFlow, IPFIX
• Standard 802.1Q VLAN model with trunking
• Fine-grained QoS control
• OpenFlow protocol support
• IPv6 support
• Multiple tunneling protocols (GRE, VXLAN, STT, IPsec)
• Supports LACP- Link Aggregation Control Protocol
• Multicast snooping
• NIC bonding with source-MAC load balancing, active backup and
L4 hashing
• Kernel and userspace forwarding engine options
• Multi-table forwarding pipeline with flow-caching engine

Open vSwitch and SDN


• Unlike other virtual switches, Open vSwitch has supported OpenFlow since its inception
• It can be re-programmed through OpenFlow
• Other virtual switches have fixed packet processing pipelines
• In contrast to closed source virtual switches, Open vSwitch can operate with a user-selected operating system and hypervisor

Supported Platforms
• Default switch in Xen and KVM
• Supported in VMware ESXi, MS Hyper-V
• Integrated in OpenStack and vSphere
• Supported on Fedora, Debian, FreeBSD


Open vSwitch Components


• Open vSwitch has three main components
• ovs-vswitchd: Open vSwitch daemon running in the userspace
• ovsdb-server: database server of Open vSwitch running in the userspace
• Datapath: kernel space module, forwards Open vSwitch packets

[Figure: ovs-vswitchd and ovsdb-server in user space, the OVS kernel datapath in kernel space.]


Open vSwitch Architecture
• Various tools are used to interact with the components of Open vSwitch
• An external controller is typically used to populate flow table entries

[Figure: Open vSwitch architecture. A control cluster (OpenFlow remote) talks to ovs-vswitchd over OpenFlow; the command-line tools ovs-dpctl, ovs-ofctl, ovs-appctl, ovs-vsctl and ovsdb-client talk to ovs-vswitchd and ovsdb-server in user space; ovs-vswitchd and ovsdb-server communicate via OVSDB management; ovs-vswitchd talks to the OVS kernel module via Netlink across the user/kernel boundary. The same figure is repeated on the following architecture slides.]

Open vSwitch Architecture
• ovs-vswitchd
 Implements the switch
 Communicates with the server through the OVSDB management protocol
 Communicates with the controller using OpenFlow
 Talks to the kernel module via Netlink

The Netlink socket family is a Linux kernel interface used for inter-process communication (IPC) both between the kernel and userspace processes, and between different userspace processes
Open vSwitch Architecture
• ovs-dpctl tool
 A command line tool responsible for creating, modifying and deleting Open vSwitch datapaths

• ovs-ofctl tool
 A command line tool for monitoring and administering switches
 Able to show the current state of a switch, features, configuration and table entries

• ovs-appctl tool
 QoS, MAC, STP, …

Open vSwitch Architecture
• ovsdb-server
 Contains switch configuration, keeps track of created and modified interfaces
 Communicates with ovs-vswitchd using the OVSDB management protocol
 Configuration is stored on persistent storage and survives a reboot


Open vSwitch Architecture
• ovs-vsctl tool
 Manages the switch through interaction with ovsdb-server
 Used to configure bridges, ports and tunnels

• ovsdb-client tool
 A command line client for interacting with ovsdb-server

Open vSwitch Architecture
• OVS Kernel Module
 Designed to be fast and simple
 Handles switching and tunneling


Open vSwitch Workflow
• The kernel receives packets from a physical network interface controller (NIC) or the virtual NIC of a virtual machine (VM)
• The kernel module directs the packet to userspace. Userspace makes the decisions about the actions to be taken against the packet according to OpenFlow entries (slow path)
• The action entry is stored in the kernel and used to forward subsequent packets, making the forwarding faster (fast path)

Controller Interaction
• Control Cluster
• Manages any number of remote switches over the OpenFlow protocol and determines the best path for application traffic


Open vSwitch Fail-modes
• Open vSwitch maintains flow tables that are consulted to
determine how to forward traffic
• The flow tables entries are typically populated by a
controller
• The controller might be down or not available
• Open vSwitch offers the option to operate in a standalone
fail-mode
 Open vSwitch will take over responsibility for setting up flows (regular
MAC-learning)
• Alternatively, the switch can operate in secure mode
 Switch will not set up flows on its own when the controller connection
fails

Open vSwitch Portability


• Open vSwitch (OVS) is intended to be easily ported to new
software and hardware platforms
• Datapath in the hardware instead of the kernel
Open vSwitch Features
• Many of the features provided in standard hardware are
provided by Open vSwitch
 Standard 802.1Q VLAN model with trunking
 Monitoring: NetFlow, sFlow, IPFIX
 Spanning Tree Protocol (STP)
 Quality of Service shaping and policing
 Port mirroring (SPAN)
 Tunneling: GRE, VXLAN, Geneve
 IPSec
 IPv6 support
 OpenFlow protocol support
 LACP
 Stateful/stateless firewalls through conntrack

OPENFLOW CONTROLLERS

Ryu Architecture
 Follows the standard SDN architecture

[Figure: Ryu layered architecture, summarized below.]
Application layer: SDN apps talk to Ryu through a well-defined API (REST, RPC, ...); Ryu built-in apps (tenant isolation, topology discovery, firewall, ...) and user-written Ryu apps
Control layer (Ryu SDN framework): event dispatcher, libraries, OpenFlow protocol support, parser/serializer (OVSDB, VRRP, ...), open protocols (OpenFlow, OF-config, NETCONF, SNMP)
Infrastructure: OpenFlow switches and other network devices

Open Controllers

Name | Lang | Platform | License | Original Author | Notes
NOX | Python, C++ | Linux | GPL | Nicira | actively developed
POX | Python | Any | | |
Beacon | Java | Win, Mac, Linux, Android | GPL | David Erickson (Stanford) | runtime modular, web UI framework, regression test framework
Maestro | Java | Win, Mac, Linux | GPL | Zheng Cai (Rice) |
Trema | Ruby, C | Linux | GPL | NEC | includes emulator, regression test framework
Floodlight | Java | Any | | BigSwitch, based on Beacon |
ONOS versus OPENDAYLIGHT comparison


Projects

Take any Conference or Journal paper in Software Defined Networks
(SDN), Network Function Virtualization (NFV), and reproduce the
analytical/simulation results presented in the paper using Mininet, ns2,
ns3 or any other tools of simulation

Topics:
 Traffic engineering
 Routing
 QoS
 load balancing
 Scheduling
 Classification
 ML+AI
 Blockchain
 ...


Note: Talk to the professor before you proceed with your work.

Maximum number of students: Depends on the chosen paper.
