Thursday, August 18, 2016

SimpleSwitch 2

https://inside-openflow.com/2016/08/05/ryu-api-reimagining-simple-switch/

SimpleSwitch Reimagined is heavily influenced byFaucet, an Open Source commercial-grade OpenFlow controller application for Ryu. Our purpose was not to rewrite Faucet, but to write an easy-to-understand controller application for learning more advanced OpenFlow concepts. As a result, SS2 does not include some of Faucet’s features such as VLAN learning, but is written to be very easy to follow and and to teach useful design patterns for Ryu controller applications and OpenFlow in general. This tutorial will run through the core of SS2, explaining the thinking and design behind every bit of code and hopefully provide you with ideas on writing your own controller application. The structure and concepts employed by SS2 will also help introduce the logic behind Faucet when we explore it in the near future.

Tuesday, August 9, 2016

FAUCET now supports multiple switches/datapaths

FAUCET now supports the configuration and control of multiple switches, via the same FAUCET process.

Here is a configuration extract for FAUCET controlling two switches at once (Allied Telesis and Zodiac FX).

version: 2
vlans:
    100:
        name: "clock"
        unicast_flood: False
        max_hosts: 3
    2001:
        name: "trusted network"
        unicast_flood: true 
        max_hosts: 20
    2002:
        name: "untrusted network"
        unicast_flood: False 
        max_hosts: 20
    2003:
        name: "roof network"
        unicast_flood: True
        max_hosts: 10
acls:
    100:
        - rule:
            dl_src: "ae:ad:61:7d:02:2f"
            actions:
                allow: 1 
        - rule:
            actions:
                allow: 0
dps:
    zodiac-fx-1:
        dp_id: 0x70b3d56cd0c0
        hardware: "Open vSwitch"
        interfaces:
            1:
                native_vlan: 100 
                name: "clock"
            2:
                native_vlan: 100
                name: "VLAN 2001"
                acl_in: 100
    windscale-faucet-1:
        dp_id: 0x0000eccd6df72de7
        description: "Josh's experimental AT-X930"   
        hardware: "Allied-Telesis" 
        interfaces:
            1:
                tagged_vlans: [2001,2002,2003]
                name: "port1.0.1"
                description: "windscale"
            2:
                native_vlan: 2001
                name: "port1.0.2"

                description: "vek-x"

FAUCET deployments

Here is a map, that we will keep updated with sites that have deployed FAUCET (and don't mind saying so!).

https://www.google.com/maps/d/u/0/viewer?mid=1MZ0M9ZtZOp2yHWS0S-BQH0d3e4s&hl=en

Sunday, August 7, 2016

New configuration format (better Gauge, and enabling multiple datapaths)

FAUCET's original author, Chris Lorier has significantly improved FAUCET configuration.

In particular, it's now possible for you to do things like configure InfluxDb's credentials or even have multiple different kinds of polling/data logging.

You can also configure multiple datapaths (switches) in the same config file - a forthcoming feature will enable one FAUCET process to control many switches.

Read more about the changes here: https://github.com/REANNZ/faucet/commit/b7602a4f5e328414dd8c678c1e3b78ccfd6e577e

In summary, each switch now as a stanza under "dps", and "interfaces" moves under each datapath's configuration. VLAN configuration is shared among datapaths for the moment.

It is strongly recommended you update your configuration to the new format as soon as possible, as the old format is deprecated and will be removed shortly.



Sunday, July 31, 2016

Automatically documenting/generating OF pipelines

FAUCET now has code that automatically enforces correct documentation, of what OpenFlow matches are used in what table. Today, it looks like this (see end of this post).

This is very useful, because it enables you to correctly configure hardware that needs to know what matches are used in what table, in advance. It also lets you optimize the pipeline (for example, by removing matches from tables that don't need them, which can increase forwarding performance).

FAUCET could also support a P4 switch running an OF bridge, if that bridge supported these matches in these tables.

FAUCET's pipeline could use some further optimization (particularly of eth_src_table, which is quite "wide" - it could match a lot of things). This is ongoing.

        self.TABLE_MATCH_TYPES = {
            self.dp.vlan_table: (
                'in_port', 'vlan_vid', 'eth_src', 'eth_dst', 'eth_type'),
            # TODO: eth_src_table matches too many things. It should
            # be split further into two tables for IPv4/IPv6 entries.
            self.dp.eth_src_table: (
                'in_port', 'vlan_vid', 'eth_src', 'eth_dst', 'eth_type',
                'ip_proto',
                'icmpv6_type', 'ipv6_nd_target',
                'arp_tpa', 'ipv4_src'),
            self.dp.ipv4_fib_table: (
                'vlan_vid', 'eth_type', 'ip_proto',
                'ipv4_src', 'ipv4_dst'),
            self.dp.ipv6_fib_table: (
                'vlan_vid', 'eth_type', 'ip_proto',
                'icmpv6_type', 'ipv6_dst'),
            self.dp.eth_dst_table: (
                'vlan_vid', 'eth_dst'),
            self.dp.flood_table: (
                'vlan_vid', 'eth_dst'),
        }


Monday, July 18, 2016

Policy based forwarding with FAUCET

Sometimes, you want certain traffic to be taken out of the dataplane, and entirely diverted to another system (for example, you want to redirect all DHCP request broadcasts to only one DHCP server, or you want a DDoS system to perform deeper analysis).



FAUCET allows you to configure an ACL to divert any packet that can be matched by OpenFlow, to a port, and optionally have the destination address rewritten.


acls:
    1:
        - rule:
            dl_dst: "01:02:03:04:05:06"
            actions:
                output:
                    dl_dst: "06:06:06:06:06:06"
                    port: 2


In this example, any traffic with an Ethernet destination of 01:02:03:04:05:06, will be intercepted, will have its destination address rewritten to be 06:06:06:06:06:06, and then output port 2.

The match expression can match anything OpenFlow can; for example, you could match source or destination IP address.

Here's another example that matches DHCP requests and redirects them to port 1:


acls:
    1:
        - rule:
            dl_dst: "ff:ff:ff:ff:ff:ff"
            dl_type: 0x800
            nw_proto: 17
            nw_src: "0.0.0.0"
            nw_dst: "255.255.255.255"
            tp_src: 68
            tp_dst: 67
            actions:
                output:
                    port: 1


And output from an Allied Telesis switch that shows it working:

awplus#show openflow rules |include table_id=1
table_id=1, duration=69s, n_packets=1, n_bytes=377, priority=9099,udp,in_port=23,dl_dst=ff:ff:ff:ff:ff:ff,nw
_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67,actions=output:1
table_id=1, duration=69s, n_packets=8590, n_bytes=11026081, priority=9098,in_port=23,actions=goto_table:2
table_id=1, duration=69s, n_packets=0, n_bytes=0, priority=0,actions=drop