SDN Data Plane and OpenFlow
(1P) What are the components of the SDN architecture?
(5P) What are the functions of the SDN Data Plane?
Data Plane Functions:
Control Support Function: Interacts with the SDN control layer to support programmability via resource-control interfaces. The switch communicates with the controller and the controller manages the switch via the OpenFlow switch protocol.
Data Forwarding Function: Accepts incoming data flows from other network devices and end systems and forwards them along the data forwarding paths that have been computed and established according to the rules defined by the SDN applications.
Data Plane Protocols: Data packet flows consist of streams of IP packets. It is necessary for the forwarding table to define entries based on fields in upper-level protocol headers.
TCP, UDP, transport or application protocol (The forwarding rules are based on packet information — not just destination IPs, but also TCP/UDP ports, or application data).
Southbound API → OpenFlow protocol data units (PDUs)
(The southbound API is the communication channel between:
the SDN controller (control plane), and
the data plane devices (switches/routers).
The OpenFlow protocol is the language they use)
(1P) Illustrate a Data Plane Network Device
(3P) What is an OpenFlow Logical Network Device?
A common logical architecture in all switches, routers, and other network devices to be managed by an SDN controller (The OpenFlow Logical Network Device is a standard model (or blueprint) for how SDN-controlled network devices — like switches and routers — should look from the controller’s point of view).
This architecture may be implemented in different ways on different vendor equipment and in different types of network devices, as long as the SDN controller sees a uniform logical switch functionality.
A standard, secure protocol is needed between the SDN controller and the network device.
(3P) What are the components of OpenFlow?
OpenFlow switch:
A set of OpenFlow resources that can be managed as a single entity, including a data path and a control channel.
OpenFlow switches connect logically to each other via their OpenFlow ports.
Each switch connects to other OpenFlow switches and end-user devices.
OpenFlow channel:
Interface between an OpenFlow switch and OpenFlow controller, used by the controller to manage the switch.
On the switch side, the interface is known as an OpenFlow channel.
OpenFlow port:
Where packets enter and exit the OpenFlow pipeline.
A packet can be forwarded from one OpenFlow switch to another via an output OpenFlow port on the 1st switch and an ingress OpenFlow port of the 2nd switch.
An OpenFlow port also connects the switch to the SDN controller.
(2P) What are the components of an OpenFlow Switch?
Flow tables, Group tables, OpenFlow channels, OpenFlow ports.
(3P) What are the Types of OpenFlow Ports?
Physical port:
Corresponds to a hardware interface of the switch.
Ex: On an Ethernet switch, physical ports map one-to-one to the Ethernet interfaces.
Logical port:
Does not correspond directly to the hardware interface of the switch.
Logical ports may include packet encapsulation and may map to various physical ports.
Logical ports must interact with OpenFlow processing in the same way as OpenFlow physical ports.
Reserved port:
Specifies generic forwarding actions such as sending to and receiving from the controller, flooding, or forwarding using non-OpenFlow methods, such as “normal” switch processing.
(3P) What are the Types of OpenFlow Tables?
OpenFlow specification defines 3 types of tables in the logical switch architecture:
Flow table: Flow table matches incoming packets to a particular flow and specifies what functions are to be performed on the packets.
Group table: Flow table may direct a flow to a group table, which may trigger a variety of actions that affect one or more flows.
Meter table: Meter table can trigger a variety of performance-related actions on a flow.
(Focus on Flow tables and Group tables)
(3P) Discuss the Flow Table Structure.
Match fields: Used to select packets that match the values in the fields.
Priority: This is a 16-bit field with 0 corresponding to the lowest priority. In principle, there could be 2^16 = 64k priority levels.
Counters: Updated for matching packets. The OpenFlow specification defines a variety of counters.
Instructions: Instruction to be performed if a match occurs.
Timeouts: Maximum amount of idle time before a flow is expired by the switch.
Each flow entry has an idle_timeout and a hard_timeout associated with it.
A nonzero hard_timeout field causes the flow entry to be removed after the given number of seconds, regardless of how many packets it has matched.
A nonzero idle_timeout field causes the flow entry to be removed when it has matched no packets in the given number of seconds.
Cookie: 64-bit opaque data value chosen by the controller. May be used by the controller to filter flow statistics, flow modification and flow deletion; not used when processing packets.
Flags: Flags alter the way flow entries are managed.
(1P) What are some Required OpenFlow Counters?
(1.5P) What are some Match Field Components?
Ingress port: The identifier of the port on this switch on which the packet arrived.
This may be a physical port or a switch-defined virtual port.
Required in ingress tables.
Egress port: The identifier of the egress port from action set.
Required in egress tables.
Ethernet source and destination addresses:
Each entry can be an exact address, a bitmasked value for which only some of the address bits are checked, or a wildcard value (match any value).
Ethernet type field: Indicates type of the Ethernet packet payload.
IP: Version 4 or 6
IPv4 or IPv6 source address, and destination address:
Each entry can be an exact address, a bitmasked value, a subnet mask value, or a wildcard value.
TCP source and destination ports: Exact match or wildcard value.
UDP source and destination ports: Exact match or wildcard value.
(0P) Other Optional Match Fields
(3P) What is the definition of FLOW?
New definition of FLOW:
→ Flow is a sequence of packets that matches a specific entry in the flow table.
→ A flow is made by linking flow entries from several switches, which sets a fixed path.
(3P) Discuss the ‘Instructions’ component of a flow table entry field
The ‘Instructions’ component of a table entry consists of a set of instructions that are executed if the packet matches the entry.
Action: Actions define how packets are forwarded, changed, or processed in groups.
Action set: As a packet goes through the tables, a list of actions is collected that decides how the packet will be handled.
(3P) Discuss the ‘Actions’ of the ‘instructions’ component
Output: Forward packet to the specified port, which may lead to another switch or to the controller.
Set-Queue: Sets queue ID for a packet. The Queue ID determines which queue attached to this port is used for scheduling and forwarding packets.
Group: Process packet through specified group.
Push-Tag/Pop-Tag: Push or Pop a tag field for a VLAN or MPLS.
Set-Field: Set-Field actions are identified by their field type and modify the values of respective field in the packets.
Change-TTL: Modify the values of the IPv4 TTL, IPv6 hop limit, or MPLS TTL in the packet.
Drop: Packets whose action sets have no output action should be dropped.
(3P) Discuss the ‘Action set’ of the ‘instructions’ component
Direct packet through pipeline:
Goto-Table instruction directs the packets to a table farther along in the pipeline.
Meter instruction directs the packets to a specified meter.
Perform action on packet:
Apply-Actions instruction applies the specified actions immediately, without making any change to the action set associated with the packet.
This instruction may be used to modify the packet between two tables in the pipeline.
Update action set:
Write-Actions instruction merges the specified actions into the current action set for this packet.
Clear-Actions instruction clears all actions in the action set.
Update metadata:
A metadata value can be associated with a packet.
Carry information from one table to the next.
Write-Metadata instruction updates an existing metadata value or creates a new value.
(3P) Discuss the Flow Table Pipeline
A switch includes one or more flow tables.
If there is more than one flow table, they are organized as a pipeline, with the tables labeled with increasing numbers starting with zero (0, 1, 2…).
The use of multiple tables in a pipeline, rather than a single flow table, provides the SDN controller with considerable flexibility.
The OpenFlow specification defines two stages of processing:
Ingress processing (“This packet came from Port 1 and is going to 10.0.0.2 → send it out Port 5.”)
Egress processing (“Before sending this out Port 5, add VLAN tag 100 and update the MAC address.”)
(3P) Discuss Ingress processing and Egress processing
Ingress processing:
Ingress processing always happens, beginning with Table 0, and uses the identity of the input port.
Table 0 may be the only table, in which case the ingress processing is simplified to the processing performed on that single table, and there is no egress processing.
Egress processing:
Egress processing is the processing that happens after the determination of the output port.
It happens in the context of the output port.
This stage is optional.
If it occurs, it may involve one or more tables.
The separation of the two stages is indicated by the numerical identifier of the first egress table.
All tables with a number lower than the first egress table must be used as ingress tables, and no table with a number higher than or equal to the first egress table can be used as an ingress table.
(3P) Explain the Flow Table Pipeline Processing (Ingress & Egress) (had to put one img here and one img in answer)
Pipeline processing always starts with ingress processing at the first flow table.
The packet must first be matched against the flow entries of flow Table 0.
Other ingress flow tables may be used depending on the outcome of the match in the first table.
If the outcome of ingress processing is to forward the packet to an output port, the OpenFlow switch may perform egress processing in the context of that output port.
When a packet is presented to a table for matching, the input consists of the packet, the identity of the ingress port, the associated metadata value, and the associated action set.
For Table 0, the metadata value is blank and the action set is null.
At each table, processing proceeds as follows:
If there is a match on one or more entries, other than the table-miss entry, the match is defined to be with the highest-priority matching entry. The following steps may then be performed:
a. Update any counters associated with this entry.
b. Execute any instructions associated with this entry. This may include updating the action set, updating the metadata value, and performing actions.
c. The packet is then forwarded to a flow table further down the pipeline, to the group table, to the meter table, or directed to an output port.
If there is a match only on a table-miss entry, the table entry may contain instructions, as with any other entry. In practice, the table-miss entry specifies one of three actions:
a. Send packet to controller. This will enable the controller to define a new flow for this and similar packets, or decide to drop the packet.
b. Direct packet to another flow table farther down the pipeline.
c. Drop the packet.
If there is no match on any entry and there is no table-miss entry, the packet is dropped.
(3P) Discuss the use of Multiple Tables. What does it allow you to do?
Use of multiple tables enables the nesting of flows.
Breaking down of a single flow into a number of parallel subflows.
Example:
Table 0 Flow: All packets with same Source and Destination Address (All packets between the same two hosts (regardless of what application or protocol they use)).
Table 1 divide flow into subflow: Separate entry based on transport layer protocols (TCP/UDP).
Table 2 divide subflows even further:
TCP subflow → FTP, SMTP
UDP subflow → SNTP
(3P) Which are the Group Table Entry Fields?
Refresh: A group table is a table which may trigger a variety of actions that affect one or more flows.
Group identifier: A 32-bit unsigned integer that uniquely identifies the group. A group is defined as an entry in the group table.
Group Type: To determine group semantics (more detail in another flashcard).
Counters: Updated when packets are processed by a group.
Action buckets: An ordered list of action buckets, where each action bucket contains a set of actions to execute and associated parameters.
Note: Each group includes a set of one or more action buckets. Each bucket contains a list of actions.
(3P) Explain the possible types within the ‘Group Type’ field in a Group Table
All type: Execute all the buckets in the group
Each arriving packet is effectively cloned
Each bucket will designate a different output port
Used for multicast or broadcast forwarding
Select type: Execute one bucket in the group.
Used for load balancing across multiple ports or paths using a load balancing algorithm (Ex: round-robin).
Fast failover type: Provides immediate backup on failure
Buckets are evaluated in order and 1st live bucket is selected.
Ensures high availability and reliability by immediately rerouting traffic to an alternative path in case of a port failure.
Indirect type:
Used to apply the same action to multiple flows, making flow definitions simpler and avoiding repetition.
(3P) What is the OpenFlow Protocol?
The OpenFlow protocol describes message exchanges that take place between an OpenFlow controller and an OpenFlow switch.
Typically, the protocol is implemented on top of TLS, providing a secure OpenFlow channel.
The OpenFlow protocol enables the controller to perform add, update, and delete actions to the flow entries in the flow tables.
It supports three types of messages:
Controller to switch
Asynchronous
Symmetric
(3P) What are the three types of messages supported by OpenFlow?
Controller to switch: This message is sent by the controller to a switch when that switch sends a packet to the controller and the controller decides not to drop the packet but to direct it to a switch output port.
Asynchronous: These messages are sent to the controller automatically, without being requested. This class includes various status messages to the controller.
Symmetric: These messages are sent automatically, without solicitation, by either the controller or the switch. They are simple yet helpful.
(2P) Here are some OpenFlow Messages. Read them.
(3P) Mention some OpenFlow to Controller Information Type messages
Event based message: Sent by the switch to the controller when a link or port change occurs.
Flow statistics: This information enables the controller to
Monitor traffic
Reconfigure the network as needed
Adjust flow parameter
Encapsulated packets: Sent by the switch to the controller
Because a flow table entry contains an explicit action to send this packet to the controller
For establishing a new flow
(The switch sends a copy of an unknown packet to the controller (encapsulated) so the controller can decide how to handle it and possibly install a new rule in the flow table. The packet itself isn’t “sent into” a flow table — it causes the controller to create one.)
By the way, these are all asynchronous messages (?).