Monday, February 24, 2014

ONS2014 Announces Finalists for SDN Idol 2014

Today the Open Networking Summit announced the five finalists for the SDN Idol 2014 competition:
Real-time SDN Analytics for DDoS mitigation is an example of a performance aware SDN controller that combines sFlow and OpenFlow to provide the visibility and control needed to build self-optimizing networks that automatically adapt to changing traffic conditions. A number of other use cases were outlined by Brocade at the recent OpenDaylight Summit - see Flow-aware Real-time SDN Analytics (FRSA).

There are interesting links with other finalists:
  • OpenDaylight Hydrogen Brocade is a Platinum member of the OpenDaylight project, and the Brocade/InMon DDoS mitigation solution uses OpenDaylight Hydrogen as its OpenFlow controller. Like Brocade, many of the OpenDaylight project members also support sFlow in their networking equipment, including: Brocade, Cisco, IBM, Juniper, NEC, A10 Networks, Arista, Dell, HP, Huawei, Intel, and ZTE. One might expect to see other vendors start to build traffic aware solutions on OpenDaylight in the coming months.
  • HP SDN App Store and Open SDN Ecosystem Every OpenFlow enabled switch in HP's SDN Ecosystem supports the sFlow standard. Future versions of HP's SDN controller could leverage the sFlow capabilities of HP switches to deliver network visibility, allowing the controller platform to support scalable performance aware SDN applications.
  • Pica8 Open SDN Starter Kit The switch contained in the starter kit supports sFlow, making the starter kit a great way to experiment with combined sFlow and OpenFlow solutions. There are a number of examples on this blog that could be tried with the starter kit - see OpenFlow.
The five finalists cover a broad spectrum of SDN solutions - it will be interesting to see them demonstrated live at the Open Networking Summit on Monday, March 3, 2:30 PM - 4:00 PM.

Saturday, February 22, 2014

Dell, Cumulus, Open Source, Open Standards, and Unified Management

On Thursday, at Network Field Day 7, Arpit Joshipura described Dell's networking strategy. He started by polling the delegates to see which topics were most on their mind.
The first topic raised by many of the delegates was the recently announced Dell/Cumulus partnership (listed as Open NW on the white board), see Dell Unlocks New Era for Open Networking, Decouples Hardware and Software. Next on the list was an interest in Dell's Open Source networking strategy, understanding Dell's Differentiation strategy, and plans for L3.
Dell's open networking strategy is described at time marker 14:55 in the video. Dell was one of the first vendors to move to merchant silicon, now they are opening up the switch platform, allowing customers to choose from standard merchant silicon based switch platforms (Broadcom, Intel) and switch software (currently FTOS / Cumulus).

Arpit suggests that customers will choose Cumulus Linux as the operating system for its layer 3 features and because they can use the same expertise and tools (Puppet, Chef etc.) to manage Linux servers and the switches connecting them. He also suggested that customers would choose FTOS for legacy networks and layer 2 features. Support for the Open Networking Install Environment (ONIE) allows customers to load different switch operating systems on the hardware. This is the same model Dell uses when selling servers, allowing customers to choose hardware (Intel/AMD) and software (Windows, SUSE, Red Hat), and obtain support from Dell. Arpit summarizes the strategy, "Michael Dell did this on PCs, he did it on servers and I think we are in the best position to do it for networking."
The recent talk, It Ain't Software Defined until you Unbundle the Platform, by JR Rivers, Co-Founder/CEO of Cumulus Networks, at the Silicon Valley Software Defined Networking Group captures the vision. While the number of hardware and software choices is currently limited, both the Dell and Cumulus talks are clear that Cumulus Linux is the first of many software choices; other likely future candidates include Broadcom Fastpath, Big Switch's Switch Light Linux, Pluribus OpenNetvisor, Pica8 PicOS, etc. On the hardware front, expect a greater variety of switching platforms, ranging from familiar top of rack configurations to others that look more like servers, with the CPU and memory resources to implement application functions like content distribution, caching, load balancing etc.

Open switching platforms and merchant silicon are part of a set of accelerating trends that are driving toward a common set of standards and APIs that deliver the data center wide visibility and control needed to deliver agile, self optimizing, software defined data centers - see Drivers for growth.

Thursday, February 20, 2014

#NFD7 Real Time SDN and NFV Analytics for DDoS Mitigation

Today, at Networking Field Day 7, Ramki Krishnan of Brocade Networks demonstrated how the sFlow and OpenFlow standards can be combined to deliver DDoS mitigation as a service. Ramki is a co-author of related Internet Drafts: Large Flow Use Cases for I2RS PBR and QoS and Mechanisms for Optimal LAG/ECMP Component Link Utilization in Networks.
The talk starts by outlining the growing problem of DDoS attacks and the market opportunity for mitigation solutions, referencing the articles, Prolexic Publishes Top 10 DDoS Attack Trends for 2013, World's largest DDoS strikes US, Europe.
The diagram shows the unique position occupied by Internet Service Provider (ISP) and Internet Exchange (IX) networks, allowing them to filter large flood attacks and prevent them from overwhelming Enterprise customer connections - provided they can use their network to efficiently detect attacks and automatically filter traffic for their customers.
This diagram shows how standard sFlow, enabled in the switches and routers, provides a continuous stream of measurement data to InMon sFlow-RT, which provides real-time detection and notification of DDoS attacks to the DDoS Mitigation SDN Application. The DDoS Mitigation SDN Application selects a mitigation action and instructs the SDN Controller to push the action to selected switches (for example using standard OpenFlow rules to drop traffic associated with the DDoS attack).

The key to making this solution scale is the use of hybrid port OpenFlow. By default, all traffic is handled by the switch's normal hardware switching and routing function without any intervention from the controller. The OpenFlow rules are used to override the normal forwarding behavior only for the selected flows. The solution uses a software controller that leverages the standard sFlow and OpenFlow capabilities of existing network hardware to provide a scalable, automated, cost effective solution that allows ISP/IX networks to effectively mitigate flood attacks.
The live demo shows a continuous stream of NTP reflection attacks created by a traffic generator, each attack lasting 20 seconds. The chart at the top right shows the attack traffic in red and the normal traffic in green. The Brocade MLXe switch sends a continuous stream of sFlow measurements to InMon's sFlow-RT analytics engine.

The sFlow-RT software performs a number of functions:
  1. Provides a REST API allowing the customer to set thresholds and mitigation policies
  2. Detects the DDoS attack
  3. Extracts attributes that characterize the attack traffic - UDP source port (123) and destination IP address ( in this example
  4. Constructs a filter to drop the attack
  5. Makes a call to OpenDaylight's Flow Programmer REST API to instruct OpenDaylight to send the filter as an OpenFlow rule to the MLXe
  6. Continues to monitor the DDoS traffic
  7. Makes a call to OpenDaylight to remove the rule once the attack subsides
  8. Provides statistics to drive the demo dashboard - which in a real deployment would be the customer portal
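The eight steps above, written out as a small controller loop. This is an added example, not code from the demo or from InMon/Brocade: it models the sFlow-RT flow and threshold definitions, parses a threshold event, builds the OpenDaylight Hydrogen flow programmer rule that drops UDP/123 traffic to the victim, and withdraws the rule once events stop arriving. The REST field names, the controller URLs, the datapath id, the 1000 packet/s threshold and the sample event are all assumptions constructed for the example; the offline path (`Mitigator` with a recording `send`) runs without any controller.

```python
import base64
import ipaddress
import json
import time
import urllib.request

# Lab values are constructed for this example, not taken from the demo.
SFLOW_RT = "http://localhost:8008"            # sFlow-RT REST API (default port)
ODL = "http://localhost:8080"                  # OpenDaylight Hydrogen northbound API
MLXE_DPID = "00:00:00:00:00:00:00:01"          # assumed OpenFlow datapath id of the MLXe
FLOW_NAME = "ddos_udp"
THRESHOLD_PPS = 1000                           # packets/s above which a flow is an attack
QUIET_SECONDS = 10                             # rule removed after this long below threshold

# Constructed sample threshold event, shaped like sFlow-RT's /events/json records.
SAMPLE_EVENT = {"eventID": 7, "thresholdID": FLOW_NAME, "agent": "10.0.0.1",
                "dataSource": "2", "metric": FLOW_NAME, "value": 231452.0,
                "threshold": THRESHOLD_PPS, "flowKey": "192.0.2.10,123"}

def sflow_rt_definitions(threshold_pps=THRESHOLD_PPS):
    """Step 1: bodies for PUT /flow/<name>/json and PUT /threshold/<name>/json
    (field names as in InMon's published sFlow-RT examples; an assumption here)."""
    flow = {"keys": "ipdestination,udpsourceport", "value": "frames",
            "filter": "ipprotocol=17"}               # UDP only
    threshold = {"metric": FLOW_NAME, "value": threshold_pps, "byFlow": True,
                 "timeout": 4}                       # re-raise while the flow persists
    return flow, threshold

def parse_event(event):
    """Steps 2-3: flowKey fields arrive in the order of the flow's keys.
    Returns (victim_ip, udp_source_port, pps) or None for unrelated events."""
    if event.get("thresholdID") != FLOW_NAME:
        return None
    dst, sport = event["flowKey"].split(",")
    ipaddress.ip_address(dst)                      # reject anything that is not an address
    return dst, int(sport), float(event["value"])

def odl_drop_rule(rule_name, dst_ip, udp_sport, dpid=MLXE_DPID, priority=500):
    """Step 4: Hydrogen flow programmer static flow dropping UDP from the
    reflector port to the victim (field names are an assumption)."""
    return {"name": rule_name, "node": {"id": dpid, "type": "OF"},
            "installInHw": "true", "priority": str(priority), "etherType": "0x800",
            "protocol": "17", "nwDst": f"{dst_ip}/32", "tpSrc": str(udp_sport),
            "actions": ["DROP"]}

def odl_rule_url(rule_name, dpid=MLXE_DPID):
    return (f"{ODL}/controller/nb/v2/flowprogrammer/default/node/OF/{dpid}"
            f"/staticFlow/{rule_name}")

def rest_call(method, url, payload=None, user="admin", password="admin"):
    """Steps 5 and 7 against a live controller: JSON request with basic auth."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status

class Mitigator:
    """One drop rule per (victim, source port) for as long as events keep
    re-triggering; `send` is replaced by a recorder when run offline."""
    def __init__(self, send=rest_call):
        self.send = send
        self.active = {}                           # rule name -> last time above threshold
        self.stats = {"attacks": 0, "rules_removed": 0}   # step 8: dashboard counters

    def on_event(self, event, now):
        parsed = parse_event(event)
        if parsed is None:
            return None
        dst, sport, _pps = parsed
        rule_name = f"drop_{dst.replace('.', '_')}_{sport}"
        if rule_name not in self.active:           # step 5: install once per attack
            self.send("PUT", odl_rule_url(rule_name), odl_drop_rule(rule_name, dst, sport))
            self.stats["attacks"] += 1
        self.active[rule_name] = now               # step 6: events keep arriving while attack persists
        return rule_name

    def expire(self, now):
        """Step 7: remove rules whose flow has stayed below threshold."""
        done = [n for n, t in self.active.items() if now - t >= QUIET_SECONDS]
        for name in done:
            self.send("DELETE", odl_rule_url(name), None)
            del self.active[name]
            self.stats["rules_removed"] += 1
        return done

if __name__ == "__main__":                         # live loop: long-poll sFlow-RT for events
    for kind, body in zip(("flow", "threshold"), sflow_rt_definitions()):
        rest_call("PUT", f"{SFLOW_RT}/{kind}/{FLOW_NAME}/json", body)
    m, last_id = Mitigator(), -1
    while True:
        url = f"{SFLOW_RT}/events/json?maxEvents=10&timeout=60&eventID={last_id}"
        with urllib.request.urlopen(url) as resp:
            events = json.load(resp)
        for ev in events:
            last_id = max(last_id, ev["eventID"])
            m.on_event(ev, time.time())
        m.expire(time.time())
```

Because sFlow sampling on the switch is independent of the OpenFlow drop rule, the threshold keeps firing for as long as the reflection traffic is still arriving at the ingress port, which is what lets step 6 and step 7 work without any extra probe: the rule is withdrawn only after `QUIET_SECONDS` without a re-trigger, so a short lull inside a 20 second burst does not cause a remove/re-install flap.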
The chart at the bottom right of the screen shows the traffic after it has been filtered by the controller. As each new attack is launched, it is immediately detected and removed so that the link is protected and the normal traffic gets to the customer network. While the demonstration shows one switch and one protected 10 Gigabit link, the solution easily scales to hundreds of switches, tens of thousands of links and 100 Gigabit link speeds.

This demonstration of DDoS mitigation is only one application of this architecture - Ramki's OpenDaylight Summit talk Flow-aware Real-time SDN Analytics (FRSA) presented a number of others.

Wednesday, February 5, 2014

Flow-aware Real-time SDN Analytics (FRSA)

Today at the OpenDaylight Summit in Santa Clara, Ram (Ramki) Krishnan of Brocade Communications presented a framework and set of use cases for applying software defined networking (SDN) techniques to control large (elephant) flows. Ramki is a co-author of related Internet Drafts: Large Flow Use Cases for I2RS PBR and QoS and Mechanisms for Optimal LAG/ECMP Component Link Utilization in Networks. The slides from the talk are available on the OpenDaylight Summit web site.

This article will review the slides and discuss selected topics in detail.
The FRSA framework identifies four classes of traffic flow based on flow rate and flow duration and identifies long lived large flows as amenable to SDN based control since they can be readily observed, consume significant resources, and last long enough to be effectively controlled. The article, SDN and large flows, discusses the opportunity presented by large flow control in greater detail.
The two elements required in the FRSA framework are real-time traffic analytics - to rapidly identify the large flows (within seconds) and a control mechanism such as integrated hybrid OpenFlow, that allows the normal switch forwarding protocols to handle traffic, but offers a way for the controller to intervene and determine the treatment of large flows.
The first use case described is distributed denial of service (DDoS) mitigation. The slide describes current approaches where a DDoS Appliance is added to the network to detect and filter attack traffic. However, large flood attacks aimed at overwhelming the Internet connection (the link between the Router and the Internet cloud in the diagram) cannot be mitigated using on site resources - they must be handled upstream.
DDoS mitigation is a large and growing problem, and the market for DDoS mitigation appliances is a significant and growing market, see DDoS prevention market to grow by double digits through 2014 and Denial of Service Attacks Surge and Expose Enterprise Infrastructure Vulnerabilities and New Needs, IDC Says. There is an opportunity for service providers to capture a share of this market if they can use SDN to monitor and control their existing network infrastructure and deliver DDoS mitigation as a service to protect their customers' Internet connections from flood attacks. By removing the large flood attacks, existing ADC / load balancers / firewalls can be used to mitigate lower volume application layer attacks.
The following slide details the elements of the SDN DDoS mitigation solution:
This diagram shows how standard sFlow, enabled in the switches and routers, provides a constant stream of measurement data to an External Collector (sFlow-RT), which notifies the DDoS SDN application when large DDoS flows are detected. The DDoS SDN application selects a mitigation action and instructs the SDN Controller (OpenDaylight) to push the action to selected switches (for example using an OpenFlow rule to drop traffic associated with the DDoS attack). An example of this technique is described in detail in Physical switch hybrid OpenFlow example - demonstrating that the entire detection and mitigation cycle completes within 1 to 2 seconds.
The second use case is to load balance large flows in link aggregation (LAG) groups. The hash function used to spread traffic on a LAG group works for small flows, but large flows can end up on a single LAG member, limiting throughput even though there is spare capacity on other members of the group, see Load balancing LAG/ECMP groups.
The Large Flow LAG load balancing SDN application again makes use of real-time sFlow based analytics to rapidly detect large flows and the SDN Controller to selectively override forwarding decisions in Router 1 in order to load balance the flows across the link group connecting it to Router 2.
The third use case is similar to LAG load balancing. Equal cost multi-path (ECMP) routing is used to spread traffic across a leaf and spine network topology. Again, hash based load balancing can result in large flow collisions and sub-optimal throughput.
The Large Flow Global load balancing SDN application makes use of centralized real-time analytics to identify flow collisions anywhere in the fabric and then instructs the SDN Controller to override forwarding in selected switches in order to shift flows to links with spare capacity, see ECMP load balancing.
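The LAG and ECMP use cases share one control decision: leave the small flows to the switch's hash, and move only the handful of large flows whose collision has pushed one member (or one next hop) over its capacity. The following is an added example, not code from the talk or from Brocade, of that decision as a greedy rebalancing step over sFlow-RT style large-flow records. The member names, the 10G capacity, the 80% congestion mark, the "large flow equals 10% of line rate" cut-off and the sample flows are all constructed for the example; `rebalance` returns the overrides the SDN controller would then push (in the hybrid model, an OpenFlow rule matching the flow key with an output action for the chosen member), and it deliberately refuses a move that would only create a new hot spot.

```python
from dataclasses import dataclass

# Constructed lab values: four 10G LAG members (or, equally, four ECMP next hops).
LINK_CAPACITY_BPS = 10_000_000_000
HOT_UTILIZATION = 0.8                        # a member above 80% of line rate is congested
LARGE_FLOW_BPS = LINK_CAPACITY_BPS // 10     # FRSA "large": at least 10% of line rate (assumed)


@dataclass
class LargeFlow:
    key: str          # flow key as sFlow-RT would report it: src,dst,proto,sport,dport
    bps: float        # rate measured from sFlow samples
    member: str       # LAG member / ECMP next hop the hash currently maps it to


def member_load(members, background_bps, flows):
    """Total load per member: counter-derived small-flow background plus the
    large flows the analytics engine has attributed to each member."""
    load = {m: float(background_bps.get(m, 0.0)) for m in members}
    for f in flows:
        load[f.member] += f.bps
    return load


def rebalance(members, background_bps, flows, capacity=LINK_CAPACITY_BPS,
              hot=HOT_UTILIZATION):
    """Greedy large-flow rebalancing. Returns (moves, load) where moves is a list
    of (flow_key, from_member, to_member) overrides for large flows only; the
    switch's own hash keeps distributing the small flows."""
    limit = hot * capacity
    load = member_load(members, background_bps, flows)
    placed = {f.key: f.member for f in flows}
    moves = []
    for m in sorted(members, key=lambda x: -load[x]):      # hottest member first
        while load[m] > limit:
            # the largest flow on the hot member is the best candidate to move
            on_m = sorted((f for f in flows
                           if placed[f.key] == m and f.bps >= LARGE_FLOW_BPS),
                          key=lambda f: -f.bps)
            moved = False
            for f in on_m:
                target = min((x for x in members if x != m), key=lambda x: load[x])
                if load[target] + f.bps <= limit:           # never create a new hot spot
                    load[m] -= f.bps
                    load[target] += f.bps
                    placed[f.key] = target
                    moves.append((f.key, m, target))
                    moved = True
                    break
            if not moved:
                break                                       # nothing movable on this member
    return moves, load


# Constructed scenario: two 4G flows hash onto eth1 while eth3/eth4 sit nearly idle.
MEMBERS = ["eth1", "eth2", "eth3", "eth4"]
BACKGROUND = {m: 1e9 for m in MEMBERS}                      # 1G of small flows per member
FLOWS = [LargeFlow("10.0.0.1,10.0.1.1,6,49152,5001", 4e9, "eth1"),
         LargeFlow("10.0.0.2,10.0.1.2,6,49153,5001", 4e9, "eth1"),
         LargeFlow("10.0.0.3,10.0.1.3,6,49154,5001", 2e9, "eth2")]

if __name__ == "__main__":
    moves, load = rebalance(MEMBERS, BACKGROUND, FLOWS)
    for key, src, dst in moves:
        print(f"override {key}: {src} -> {dst}")
    print({m: round(v / 1e9, 1) for m, v in load.items()})
```

With the constructed scenario, eth1 carries 9G against an 8G limit, so the first 4G flow is steered to eth3 (the member with the most headroom) and eth1 drops to 5G; the second flow stays where the hash put it, because the goal is to relieve the collision, not to equalise every member. A single 9G flow on eth1 produces no move at all, since no other member could absorb it without itself going hot.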

The next three slides from the talk describe deployment opportunities for SDN based large flow load balancing.
The combination of sFlow analytics with integrated hybrid OpenFlow described in the FRSA framework is a pragmatic approach to addressing the challenges of DDoS mitigation and load balancing in large scale, high speed network environments. The hybrid approach leverages the capabilities of existing distributed control planes to efficiently load balance small flows and combines them with an SDN controller to manage the relatively small number of large, long lived flows that dominate network usage.

The key to making this approach work is pervasive support for the sFlow standard among switch vendors and recent breakthroughs in real-time sFlow analytics (sFlow-RT) that together deliver the scalable, data center wide monitoring and real-time detection of large flows needed to drive SDN applications.

It's exciting to see SDN solutions maturing and major networking vendors describing practical SDN solutions that address pressing challenges that can realistically be deployed in production networks in the near term. It looks like this is the year that SDN will emerge from proof of concept to deployment in commercially viable solutions.

Update Feb 28, 2014 Video of the talk is now available on YouTube - Flow-Aware Real-Time SDN Analytics | OpenDaylight Summit 2014