9.1-Programming SDNs Flashcards
2 SDN Mininet projects
1) write my own virtual switch
2) Use a programming language designed for SDN to create a firewall
Consistency problems. Updating switch flow-table entries from the controller:
1) A single packet may be handled by the old configuration on some switches and by the new one on others along its end-to-end path (packet-level consistency problem)
2) Packets from the same flow may be handled by different configurations (flow-level consistency problem)
SDN programming: three steps
1) The controller needs to read/monitor network state (as well as various events in the network)
2) Compute policy based on the state the controller sees (the decision plane: deciding the forwarding behavior)
3) Write the policy back to the switches by installing the appropriate flow-table state in the switches
Reading state: extra unexpected events (e.g. several packet-in events for the same traffic reach the controller before the rule it installs takes effect)
Solution:
1) Programmer specifies "Limit(1)" (only the first packet of each group is reported)
2) Run-time system hides the extra events
Consistency: reading state
These 3 approaches help guarantee consistency when "reading state"
1) Predicates (e.g. "and", "or", "not") to select exactly the traffic of interest
2) Dynamically unfold rules as traffic arrives
3) Suppression (Limit(1) and hide the extra events)
Consistency: writing state
Solution:
Two-phase commit
1) Packets are either subject to the old configuration on all switches
2) or to the new configuration on all switches
But a packet is never subject to the new configuration on some switches and the old configuration on others
What problems can arise from inconsistent “writes” of network state?
1) Forwarding loops
2) Security policy violations
3) A flood of traffic at the controller
What are some ways of coping with inconsistency?
1) Keep both the old and the new state on the routers/switches, tag each packet with a configuration version at the ingress, and remove the old state only after the old packets have drained (two-phase update)
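Added example (not from the lecture): a small Python simulation of the two cards above. It shows a naive switch-by-switch write producing the forwarding loop listed as a consequence of inconsistent writes, and the version-tagged two-phase update keeping every probe packet on either the all-old or the all-new path at every step. The three-switch topology, the hop names and the packet "tag" are assumptions of the simulation.

```python
# Toy simulation of consistent updates. Added example, not from the lecture:
# three switches sit between hosts h1 and h2, forwarding tables are plain
# dicts, and the "version tag" is stamped on the packet at the ingress switch
# (a VLAN id or a spare header bit in a real deployment).

OLD = {"s1": "s2", "s2": "s3", "s3": "h2"}   # config v1: h1 -> s1 -> s2 -> s3 -> h2
NEW = {"s1": "s3", "s3": "s2", "s2": "h2"}   # config v2: h1 -> s1 -> s3 -> s2 -> h2
OLD_PATH = ["s1", "s2", "s3", "h2"]
NEW_PATH = ["s1", "s3", "s2", "h2"]
MAX_HOPS = 8


def trace(next_hop, ingress="s1"):
    """Follow one packet from the ingress switch. `next_hop(switch)` returns the
    neighbour the switch forwards to. Returns ("ok", path) when a host is
    reached, or ("loop", path) if MAX_HOPS pass without reaching one."""
    path, node = [ingress], ingress
    for _ in range(MAX_HOPS):
        node = next_hop(node)
        path.append(node)
        if node.startswith("h"):
            return "ok", path
    return "loop", path


def naive_update(order):
    """Overwrite each switch's single rule in `order`; probe after every step.
    With order ["s3", "s1", "s2"] the first two probes loop s2 <-> s3."""
    tables = dict(OLD)
    results = []
    for sw in order:
        tables[sw] = NEW[sw]
        results.append(trace(lambda node: tables[node]))
    return results


def two_phase_update():
    """Per-packet consistent update: every rule carries a version, the ingress
    stamps the version on the packet, and v1 rules are removed only after no
    v1 packet can still be in flight. Order of installation no longer matters."""
    tables = {sw: {1: OLD[sw]} for sw in OLD}   # switch -> {version: next hop}
    tag = 1                                      # version the ingress currently stamps
    results = []

    def probe():
        # every switch looks the packet's own tag up in its table
        return trace(lambda node: tables[node][tag])

    # phase 1: install v2 rules on every switch, keeping v1 beside them
    for sw in ("s3", "s1", "s2"):
        tables[sw][2] = NEW[sw]
        results.append(probe())
    # phase 2: a single change at the ingress flips all new packets to v2
    tag = 2
    results.append(probe())
    # after the old packets have drained, garbage-collect v1 everywhere
    for sw in tables:
        del tables[sw][1]
    results.append(probe())
    return results


if __name__ == "__main__":
    for outcome, path in naive_update(["s3", "s1", "s2"]):
        print("naive     ", outcome, "->".join(path))
    for outcome, path in two_phase_update():
        print("two-phase ", outcome, "->".join(path))
```

The loop appears because s3 already forwards "backwards" to s2 while s2 still forwards to s3. If s2 in this topology were the firewall, the analogous mis-ordering would let packets bypass it, which is the security-policy-violation case on the card. The two-phase probes never see a mixed configuration, whatever order the v2 rules were installed in.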
Network Virtualization
Abstraction of physical network
Why virtual networking?
"Ossification" of the Internet architecture: new architectures are hard to deploy on the shared physical network
Virtualization enables evolution by letting multiple architectures exist in parallel
Motivations for virtual networking?
1) Facilitating research/evolution by allowing coexistence
2) Adjusting resources to demand
Promise of Network Virtualization
1) Rapid innovation (software speed)
2) New forms of network control
3) (potentially) simpler programming
SDN vs Network Virtualization
SDN helped enable network virtualization
SDN separates data and control
Network virtualization separates logical and physical
Network virtualization
1) Allowing multiple tenants to share underlying physical infrastructure
2) Separating logical and physical
Design goals for network virtualization
Flexible, manageable, scalable, secure, programmable, able to support different technologies (heterogeneous)
Mininet
Network virtualization
The OpenFlow switch
performs forwarding between interfaces in the root namespace… but because each of those interfaces is one end of a virtual Ethernet (veth) pair whose other end lives in a host's namespace, we get the illusion of sending traffic between h2 and h3.
Technologies that enable virtual networks
VMs (virtual nodes) and tunneling (virtual links between them)
Programming SDNs
Programming OpenFlow directly is not easy!
Frenetic
SQL-like query language
Example (every 60 seconds, report the byte count of traffic that arrived on port 2 from source port 80, grouped by destination MAC):
SELECT (bytes)
WHERE (in:2 & srcport:80)
GROUPBY (dstMAC)
EVERY (60)
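Added example, not code from the lecture or from Frenetic: a toy Python run-time that evaluates the query above (SELECT/WHERE/GROUPBY/EVERY) over constructed packets, and also shows the reading-state card's Limit(1): the run-time passes only the first packet of each group to the program, hides the duplicate packet-in events that arrive before the unfolded rule takes effect, and keeps the byte counters for the periodic report. The dict-based packets, the rule-installation delay and the class names are assumptions of the model.

```python
# Toy model of a Frenetic-style query run-time. Added example, not Frenetic's
# code: the switch, its rule table and the packets (plain dicts) are simulated
# so the query and Limit(1) cards can be checked by hand.
from collections import defaultdict


def matches(pkt, where):
    """True when every field in `where` equals the packet's value."""
    return all(pkt.get(f) == v for f, v in where.items())


class Query:
    """SELECT(what) WHERE(fields) GROUPBY(keys) LIMIT(n) as one object."""
    def __init__(self, what, where, group_by, limit=None):
        self.what, self.where, self.group_by, self.limit = what, where, group_by, limit

    def key(self, pkt):
        return tuple(pkt[f] for f in self.group_by)


class Runtime:
    """Sits between the switch and the program. Decides which packet-in events
    the program sees, and pushes exact-match rules so later packets of an
    already-reported group stay in the data plane."""

    def __init__(self, query, install_delay=2):
        self.q = query
        self.install_delay = install_delay        # packets until a pushed rule is active
        self.delivered = defaultdict(int)         # group key -> events passed to program
        self.bytes = defaultdict(int)             # group key -> bytes seen (SELECT(bytes))
        self.active = []                          # rules the switch currently enforces
        self.pending = []                         # (packets remaining, rule) not yet active
        self.events = []                          # packets the program actually received

    def _tick(self):
        # Rule installation is not instantaneous: a rule becomes active only
        # after `install_delay` more packets have been processed (assumed model).
        self.pending = [(n - 1, r) for n, r in self.pending]
        self.active += [r for n, r in self.pending if n <= 0]
        self.pending = [(n, r) for n, r in self.pending if n > 0]

    def packet(self, pkt):
        """Process one packet from the wire. Returns True if the program saw an event."""
        self._tick()
        if not matches(pkt, self.q.where):
            return False                          # not selected by WHERE
        key = self.q.key(pkt)
        self.bytes[key] += pkt["len"]             # switch counters count every packet
        if any(matches(pkt, r) for r in self.active):
            return False                          # forwarded in the data plane, no packet-in
        # A packet-in reached the controller: apply LIMIT(n).
        if self.q.limit is not None and self.delivered[key] >= self.q.limit:
            return False                          # the "extra" event, hidden by the run-time
        self.delivered[key] += 1
        self.events.append(pkt)
        if self.q.limit is not None and self.delivered[key] >= self.q.limit:
            # Unfold an exact rule for this group. Until it is active, the
            # suppression above covers the race window.
            rule = dict(self.q.where, **dict(zip(self.q.group_by, key)))
            self.pending.append((self.install_delay, rule))
        return True

    def report(self):
        """The EVERY(60) report: bytes per group key."""
        return dict(self.bytes)


# Constructed sample traffic (not a real capture): two destination MACs,
# plus two packets the WHERE clause must reject.
MAC1, MAC2 = "00:00:00:00:00:01", "00:00:00:00:00:02"
SAMPLE = [
    {"inport": 2, "srcport": 80, "dstmac": MAC1, "len": 1500},
    {"inport": 2, "srcport": 80, "dstmac": MAC1, "len": 1500},  # duplicate before rule lands
    {"inport": 2, "srcport": 80, "dstmac": MAC2, "len": 60},
    {"inport": 1, "srcport": 80, "dstmac": MAC1, "len": 1500},  # wrong inport
    {"inport": 2, "srcport": 80, "dstmac": MAC1, "len": 500},
    {"inport": 2, "srcport": 443, "dstmac": MAC2, "len": 500},  # wrong srcport
    {"inport": 2, "srcport": 80, "dstmac": MAC2, "len": 60},
]


def run(limit=1, traffic=SAMPLE):
    """Run the card's query over the sample; returns (event seen per packet,
    byte report, number of rules unfolded into the switch)."""
    rt = Runtime(Query("bytes", {"inport": 2, "srcport": 80}, ["dstmac"], limit))
    seen = [rt.packet(p) for p in traffic]
    return seen, rt.report(), len(rt.active)


if __name__ == "__main__":
    print(run())            # with Limit(1): two events, two rules unfolded
    print(run(limit=None))  # without it: every matching packet reaches the program
```

With Limit(1) the program receives exactly one event per destination MAC even though the second MAC1 packet reached the controller before the unfolded rule was active; without a limit it would receive five. The byte counters are unaffected by suppression, so the EVERY(60) report still covers all selected traffic.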
Problem
Independently written modules (e.g. monitoring, routing, a firewall) affect the same traffic
Composition operators help with this
For example:
Parallel or Sequential
Policy composition
Parallel: apply both policies to the same packet and combine their outputs (+)
Sequential: apply one policy, then feed its output to the next (>>)
Pyretic
SDN language (for expressing policies) and run-time (for compiling these policies to OpenFlow rules)
Pyretic features
1) Network policy as function
2) Boolean predicates
3) Virtual packet header fields
4) Composition
OpenFlow: bit patterns
Match statements select which packets are subject to a particular action
Contrast… Pyretic: functions
A policy is a function that maps a packet to a set of (possibly modified) packets
Pyretic functions
identity -> returns the original packet unchanged
drop -> returns the empty set (the packet is dropped)
match(f=v) -> returns the original packet (acts as identity) if field f equals v, and the empty set (drop) otherwise
modify(f=v) -> returns the same packet with field f set to v
fwd(a) -> shorthand for modify(outport=a)
flood() -> returns one copy of the packet for each output port (floods the packet)
Sequential composition example
match(dstip='2.2.2.8') >> fwd(1)
Parallel composition example
(match(dstip='2.2.2.8') >> fwd(1)) + (match(dstip='2.2.2.9') >> fwd(2))
(the parentheses matter in Pyretic: Python binds + more tightly than >>)
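Added example, not Pyretic's own code: a toy Python reimplementation of the function semantics on the cards above (identity, drop, match, modify, fwd, flood, >> and +), with the card's routing example composed in sequence with a firewall and in parallel with a counting module, so the "modules affect the same traffic" problem can be seen being solved by composition. Packets as dicts, the count module and the firewall rule are assumptions for the example.

```python
# Toy implementation of the Pyretic policy algebra from the cards above.
# Added example, not Pyretic's own code: a packet is a plain dict and a policy
# is a callable from one packet to a list of output packets (an empty list is
# "drop"). Real Pyretic compiles such policies to OpenFlow rules; this only
# evaluates them on packets so the composition semantics can be checked.


class Policy:
    """Base class; subclasses implement __call__(pkt) -> list of packets."""
    def __rshift__(self, other):          # p >> q : sequential composition
        return Sequential(self, other)

    def __add__(self, other):             # p + q  : parallel composition
        return Parallel(self, other)

    def __invert__(self):                 # ~p     : negated predicate
        return Negate(self)


class identity(Policy):
    def __call__(self, pkt):
        return [pkt]                      # the original packet, unchanged


class drop(Policy):
    def __call__(self, pkt):
        return []                         # the empty set: nothing leaves the switch


class match(Policy):
    """Predicate: identity if every given field equals the packet's, else drop."""
    def __init__(self, **fields):
        self.fields = fields

    def __call__(self, pkt):
        return [pkt] if all(pkt.get(k) == v for k, v in self.fields.items()) else []


class Negate(Policy):
    def __init__(self, pred):
        self.pred = pred

    def __call__(self, pkt):
        return [] if self.pred(pkt) else [pkt]


class modify(Policy):
    """Rewrite header fields; fwd(port) is just modify(outport=port)."""
    def __init__(self, **fields):
        self.fields = fields

    def __call__(self, pkt):
        return [{**pkt, **self.fields}]


def fwd(port):
    return modify(outport=port)


class flood(Policy):
    """One copy per port, except the port the packet arrived on."""
    def __init__(self, ports):
        self.ports = ports

    def __call__(self, pkt):
        return [{**pkt, "outport": p} for p in self.ports if p != pkt.get("inport")]


class Sequential(Policy):
    def __init__(self, first, second):
        self.first, self.second = first, second

    def __call__(self, pkt):
        # every output of the first policy is fed through the second
        return [q for p in self.first(pkt) for q in self.second(p)]


class Parallel(Policy):
    def __init__(self, left, right):
        self.left, self.right = left, right

    def __call__(self, pkt):
        # both policies see the same input packet; the outputs are combined
        return self.left(pkt) + self.right(pkt)


class count(Policy):
    """Monitoring module (assumed): tallies packets per dstip, forwards nothing."""
    def __init__(self):
        self.seen = {}

    def __call__(self, pkt):
        self.seen[pkt.get("dstip")] = self.seen.get(pkt.get("dstip"), 0) + 1
        return []


def routing():
    # The card's parallel example. Parentheses are required: Python binds '+'
    # tighter than '>>', so without them 'fwd(1) + match(...)' is composed first.
    return (match(dstip="2.2.2.8") >> fwd(1)) + (match(dstip="2.2.2.9") >> fwd(2))


def firewall():
    # Written independently of routing: block SSH, let everything else through.
    return ~match(dstport=22)


def build(counter):
    """Firewall first (sequential), then monitoring and routing side by side
    (parallel) on whatever the firewall let through."""
    return firewall() >> (counter + routing())
```

Evaluating `build(count())` on a packet to 2.2.2.8 port 80 yields one copy with `outport` 1 and increments the counter; a packet to port 22 is dropped by the firewall before the counter or routing ever see it, which is exactly the ordering `>>` expresses and `+` does not.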
Pyretic
1) Network policy as functions
2) Predicates on packets
3) Virtual packet headers
4) Policy composition
Pyretic
A northbound API that sits on top of an SDN controller, allowing the operator/programmer to write policies without regard to how the OpenFlow rules get installed.