Using SDN-OpenFlow for High-level Services Nabil Damouny Sr. Director, Strategic Marketing – Netronome Vice Chair, Marketing Education, ONF ndamouny@netronome.com Open Server Summit, Networking Applications October 22, 2013 - Santa Clara, CA Santa Clara, CA USA October 2013 1 Agenda § SDN … Critical properties § What are L4-L7 services? § Challenges catering to L4-L7 service in SDN-OpenFlow § Possible deployment models § Taking advantage of L7 intelligence § Integration with NFV § Next steps. Santa Clara, CA USA October 2013 2 ONF’s SDN Architecture …. Opportunities for API Standards SDN-enabled Application Applications App’s Explicit Requirements 1 Network Controller and 2 Network Admin Network Controller § Provides network stats up to Apps § Translates requirements down to Devices Monitors Performance Router Switch Host X Santa Clara, CA USA October 2013 Network Statistics, Hints and Events Configures Network Policy 3 Network Devices Opportunity to Standardize Firewall Switch Standardized API/Protocol Enforced Behavior Low-level Control Capability Discovery Statistics and Faults Server Y 3 Critical Properties of SDN Architecture 1. Applications are network-aware: SDN-enabled Applications • Communicate their requirements/polices to the network • Can monitor network state and adapt accordingly 2. Network is logically centralized: SDN Network Controller • Controller translates from app requirement to low-level rules • Controller summarizes the network state for applications 3. Well-understood driver-like model for devices: SDN Datapath • Programmatic low-level control of all forwarding and configuration • API for capabilities advertisement and publishing statistics • No resource contention with other entities → Controller “owns” this device, subject to capabilities advertisement/negotiation Santa Clara, CA USA October 2013 4 What are L4-L7 Services? § Layer 2 / Layer 3 • Switching • Routing • Packet forwarding • OpenFlow • Architectures optimized to process individual packets. § Layer 4 through 7 • Security • Load balancing • WAN optimization • Architectures optimized to process flows and content Santa Clara, CA USA October 2013 No Flow Inspection Categorized by depth of Layer 4-7 inspection • OpenFlow switch Partial Flow Inspection • Load balancer • Next-generation firewall • WAN optimization • Web application firewall Flow Monitoring • Test and measurement • Policing and metering • Quality of Service (QoS) • Traffic analysis Full Flow Inspection • Anti-virus / anti-spam • Intrusion prevention system (IPS) • SSL inspection • VPN 5 Challenges with L4-L7 Service in SDN-OpenFlow Envornment § Inefficient use of network bandwidth and compute resources, due to lack of L4-L7 visibility § Bottlenecks and lack of coverage due to inability to rapidly respond to new networking and application requirements § Hosting on controllers results in reduced throughput, increased latency and limited scalability of the network, due to limited compute resources § Lack of feedback from L4-L7 services, which could potentially reprogram network paths, based on L4-L7 analysis Santa Clara, CA USA October 2013 6 Many Deployment Models 1. Running as applications on the controller Application Layer • Controller programs SDN switch on per-flow basis 2. Standalone network appliance • Inline OF-based appliance • Traffic directed to “legacy” appliance either based on static policy, or dynamically driven by controller • Or just in-line 3. Full L4-L7 network services running on intelligent switch Applications Layer 4-7 Services 1 Northbound APIs Control Layer Network Controller SDN Control Software Southbound API 2 Infrastructure Layer Layer 4 through 7 Appliance Intelligent Switch with Layer 4-7 3 Network Device Network Device Network Device • Intelligent switch becomes L2-L7 device Santa Clara, CA USA October 2013 7 Use Case Example: Advanced Traffic Analysis Applications SDN Control Software Network Services Infrastru cture Layer Santa Clara, CA USA October 2013 IM Analytics VoIP Email P2P GGSN Traffic Steering Content Filtering Layer 7 Network Service Device Network Device Network Device QoS / QoE Other Southbound API Layer 7 Network Service Device Video Layer 4-7: Data Plane Protocol and Application Traffic Identification Northbound APIs Control Layer Video Optimization Web Applicati on Layer Layer 4-7 Network Device Embedded DPI feeds network intelligence to services on Layer 7 network service devices. Application flows forwarded directly to specialized service processing. • Requires Layer 4 through 7 intelligence embedded directly in switches 8 Integrating SDN-OpenFlow in NFV Architecture Framework Santa Clara, CA USA October 2013 9 Netronome Integrates SDN & NFV vLAN -to- MPLS Gateway SDN – OpenFlow Controller OF1.3 Multi-tenant Private DC OF1.3 MPLS WAN Public DC OpenFlow Gateway § Netronome SDN/NFV gateway combines the advantages of both worlds • NFV is ideal for L4-L7 devices • SDN is ideal for network-aware applications § Gateway hosts VNF applications • Under OF1.3 control Santa Clara, CA USA October 2013 10 Next Steps § Define phases of OpenFlow enhancement • Traffic steering • Adding “Stateful” inspection § Is it possible to extend OpenFlow to cater to L4-L7 without making it more complex? • Controlling L4-L7 devices § Integration with NFV architecture model Santa Clara, CA USA October 2013 11