Using SDN-OpenFlow
for High-level Services
Nabil Damouny
Sr. Director, Strategic Marketing – Netronome
Vice Chair, Marketing Education, ONF
ndamouny@netronome.com
Open Server Summit, Networking Applications
October 22, 2013 - Santa Clara, CA
Santa Clara, CA USA
October 2013
1
Agenda
§  SDN … Critical properties
§  What are L4-L7 services?
§  Challenges catering to L4-L7 service
in SDN-OpenFlow
§  Possible deployment models
§  Taking advantage of L7 intelligence
§  Integration with NFV
§  Next steps.
Santa Clara, CA USA
October 2013
2
ONF’s SDN Architecture ….
Opportunities for API Standards
SDN-enabled
Application
Applications
App’s Explicit
Requirements
1
Network
Controller
and
2
Network
Admin
Network Controller
§ Provides network stats up to Apps
§ Translates requirements down to Devices
Monitors
Performance
Router
Switch
Host X
Santa Clara, CA USA
October 2013
Network
Statistics, Hints
and Events
Configures
Network Policy
3
Network
Devices
Opportunity
to
Standardize
Firewall
Switch
Standardized API/Protocol
Enforced Behavior
Low-level Control
Capability Discovery
Statistics and Faults
Server Y
3
Critical Properties of SDN
Architecture
1.  Applications are network-aware: SDN-enabled Applications
•  Communicate their requirements/polices to the network
•  Can monitor network state and adapt accordingly
2.  Network is logically centralized: SDN Network Controller
•  Controller translates from app requirement to low-level rules
•  Controller summarizes the network state for applications
3.  Well-understood driver-like model for devices: SDN Datapath
•  Programmatic low-level control of all forwarding and configuration
•  API for capabilities advertisement and publishing statistics
•  No resource contention with other entities
→ Controller “owns” this device, subject to capabilities
advertisement/negotiation
Santa Clara, CA USA
October 2013
4
What are L4-L7 Services?
§  Layer 2 / Layer 3
•  Switching
•  Routing
•  Packet forwarding
•  OpenFlow
•  Architectures
optimized to process
individual packets.
§  Layer 4 through 7
•  Security
•  Load balancing
•  WAN optimization
•  Architectures
optimized to process
flows and content
Santa Clara, CA USA
October 2013
No Flow
Inspection
Categorized
by depth of
Layer 4-7
inspection
•  OpenFlow switch
Partial
Flow
Inspection
•  Load balancer
•  Next-generation firewall
•  WAN optimization
•  Web application firewall
Flow
Monitoring
•  Test and measurement
•  Policing and metering
•  Quality of Service (QoS)
•  Traffic analysis
Full Flow
Inspection
•  Anti-virus / anti-spam
•  Intrusion prevention system
(IPS)
•  SSL inspection
•  VPN
5
Challenges with L4-L7 Service in
SDN-OpenFlow Envornment
§  Inefficient use of network bandwidth and compute
resources, due to lack of L4-L7 visibility
§  Bottlenecks and lack of coverage due to inability to
rapidly respond to new networking and application
requirements
§  Hosting on controllers results in reduced throughput,
increased latency and limited scalability of the
network, due to limited compute resources
§  Lack of feedback from L4-L7 services, which could
potentially reprogram network paths, based on L4-L7
analysis
Santa Clara, CA USA
October 2013
6
Many Deployment Models
1. Running as applications
on the controller
Application
Layer
•  Controller programs SDN switch
on per-flow basis
2. Standalone network appliance
•  Inline OF-based appliance
•  Traffic directed to “legacy”
appliance either based on static
policy, or dynamically driven by
controller
•  Or just in-line
3. Full L4-L7 network services
running on intelligent switch
Applications
Layer 4-7 Services
1
Northbound APIs
Control
Layer
Network Controller
SDN Control Software
Southbound API
2
Infrastructure
Layer
Layer 4 through 7
Appliance
Intelligent Switch
with Layer 4-7
3
Network Device
Network Device
Network Device
•  Intelligent switch becomes L2-L7
device
Santa Clara, CA USA
October 2013
7
Use Case Example:
Advanced Traffic Analysis
Applications
SDN Control
Software
Network Services
Infrastru
cture
Layer
Santa Clara, CA USA
October 2013
IM
Analytics
VoIP
Email
P2P
GGSN
Traffic
Steering
Content
Filtering
Layer 7 Network
Service Device
Network Device
Network Device
QoS / QoE
Other
Southbound API
Layer 7 Network
Service Device
Video
Layer 4-7:
Data
Plane Protocol and
Application
Traffic Identification
Northbound APIs
Control
Layer
Video
Optimization
Web
Applicati
on Layer
Layer 4-7 Network
Device
Embedded DPI feeds network
intelligence to services on Layer 7
network service devices.
Application flows forwarded directly to
specialized service processing.
•  Requires Layer 4 through 7 intelligence
embedded directly in switches
8
Integrating SDN-OpenFlow in
NFV Architecture Framework
Santa Clara, CA USA
October 2013
9
Netronome Integrates SDN & NFV
vLAN -to- MPLS Gateway
SDN – OpenFlow Controller
OF1.3
Multi-tenant
Private DC
OF1.3
MPLS
WAN
Public DC
OpenFlow Gateway
§  Netronome SDN/NFV gateway combines the advantages of
both worlds
•  NFV is ideal for L4-L7 devices
•  SDN is ideal for network-aware applications
§  Gateway hosts VNF applications
•  Under OF1.3 control
Santa Clara, CA USA
October 2013
10
Next Steps
§  Define phases of OpenFlow enhancement
•  Traffic steering
•  Adding “Stateful” inspection
§  Is it possible to extend OpenFlow to cater to
L4-L7 without making it more complex?
•  Controlling L4-L7 devices
§  Integration with NFV architecture model
Santa Clara, CA USA
October 2013
11