4. Overlay Networks
VM1 VM2 VM3
Open vSwitch
VM4 VM5 VM6
Open vSwitch
Orchestration
Orchestration
O
pen
Flow
O
VSD
B
O
pen
Flow
O
VSDB
Overlay
VNET 1 VNET 1VNET 2 VNET 2
NetworkNetwork
Compute Node Compute Node
5. OpenFlow
Match on bits in
packet header L2-
L4 plus meta data
Execute actions
● Forward to port
● Drop
● Send to
controller
● Mangle packet
2.2.
OpenFlow enables networks to evolve, by giving a remote
controller the power to modify the behavior of network
devices, through a well-defined "forwarding instruction
set". The growing OpenFlow ecosystem now includes
routers, switches, virtual switches, and access points from
a range of vendors.
ONF Website
1.1.
6. Programmable Flow Tables
● Extensive flow matching capabilities:
– Layer 1 – Tunnel ID, In Port, QoS priority, skb mark
– Layer 2 – MAC address, VLAN ID, Ethernet type
– Layer 3 – IPv4/IPv6 fields, ARP
– Layer 4 – TCP/UDP, ICMP, ND
● One or more actions:
– Output to port (port range, flood, mirror)
– Discard, Resubmit to table x
– Packet Mangling (Push/Pop VLAN header, TOS, ...)
– Send to controller, Learn
– Set VTEP dIP
– Registers
13. Implementing a Firewall
● OVS has traditionally only supported stateless matches
● As an example, currently, two ways to implement a firewall in OVS
– Match on TCP flags (Enforce policy on SYN, allow ACK|RST)
● Pro: Fast
● Con: Allows non-established flow through with ACK or RST
set, only TCP
– Use “learn” action to setup new flow in reverse direction
● Pro: More “correct”
● Con: Forces every new flow to OVS userspace, reducing flow
setup by orders of magnitude
– Neither approach supports “related” flows or TCP window
enforcement
14. Connection Tracking
● We are adding the ability to use the conntrack module from Linux
– Stateful tracking of flows
– Supports ALGs to punch holes for related “data” channels
● FTP, TFTP, SIP
● Implement a distributed firewall with enforcement at the edge
– Better performance
– Better visibility
● Introduce new OpenFlow extensions:
– Action to send to conntrack
– Match fields on state of connection
● Have prototype working. Expect to ship as part of OVS by end of year
16. Conntrack Example
Match Action
in_port(1),tcp,conn_state=-tracked conntrack(zone=10),normal
in_port(2),tcp,conn_state=-tracked conntrack(recirc,zone=10)
in_port(2),tcp,conn_state=+established,+tracked output:1
in_port(2),tcp,conn_state=+new,+tracked drop
Conntrack example that only allows port 2 to respond to
TCP traffic initiated from port 1:
18. Stateful NAT Overview
● SNAT and DNAT
● Based on connection tracking work
● Leverages stateful NAT mechanism of Netfilter
● Able to do port range and address range
mappings to masquerade multiple IPs
● Mapping Modes
– Persistent (across reboots)
– Hash based
– Fully random
20. NAT Example
Match Action
in_port(1),tcp conntrack(zone=10),
nat(type=src,
min=10.0.0.1,
max=10.0.0.255,
type=hash)
in_port(2),tcp,conn_state=-tracked conntrack(zone=10,recirc)
in_port(2),tcp,conn_state=+established nat(reverse)
in_port(2),tcp,conn_state=+new drop
SNAT all TCP packets on port 1 to the IP range
10.0.0.1/24 with reverse SNAT on port 2: