Monday, May 30, 2016

NFV/firewall offload with FAUCET

Sometimes it is convenient to offload a network function to something other than the switch: you might want to run DHCP or DNS, or you might want a separate security policy per port. This is becoming known as NFV (network function virtualisation).

In this post, we will configure FAUCET to use tagged and untagged ports in the same VLAN (via a trunk), so that processing can be offloaded to a Linux host (here FAUCET itself runs on that same host, but it does not have to). The following diagram shows two hosts, each in its own untagged VLAN. The NFV host has a dataplane connection as well: a trunk that is a tagged member of both VLANs, so the host can tell from the tag which port a packet came from (taken further, you could have one VLAN per port).

On the NFV host (assuming eth0 is the trunk port), you bridge eth0.2001, eth0.2002 and so on to containers, and within each container you run the iptables rules or network services appropriate to that VLAN's policy. If you use OVS as the bridge (rather than plain Linux bridging), some of those firewall rules can be expressed as OpenFlow flows on the host instead of iptables rules, and with an OVS build and NIC that support DPDK it may be possible to process or offload some of them outside the kernel datapath.
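The host-side plumbing described above, written out as a POSIX shell script. This is an added example, not code from the original post or from the FAUCET project: the interface, bridge and namespace names, the namespace-per-VLAN layout (network namespaces standing in for containers) and the per-VLAN service lists are assumptions for illustration. Because the real commands need root and the real trunk interface, the script prints them unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the original post or FAUCET): provision the NFV
# host behind the trunk port. Each VLAN arriving tagged on the trunk gets
# its own 802.1Q subinterface, its own bridge and its own network
# namespace (standing in for a container); the per-VLAN policy is an
# iptables ruleset inside that namespace. Names and port lists below are
# assumptions for illustration.
#
# Prints the commands unless DRY_RUN=0 (the real ones need root).

set -eu

TRUNK="${TRUNK:-eth0}"      # tagged port from the switch (port 24 in the config)
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vlan_setup VID NS: plumb VLAN VID from the trunk into namespace NS.
# Frames tagged VID are delivered untagged on TRUNK.VID, bridged to one
# end of a veth pair, and the other end becomes eth0 inside the namespace.
vlan_setup() {
    vid="$1"; ns="$2"
    sub="${TRUNK}.${vid}"; br="br${vid}"; veth="veth${vid}"
    run ip link add link "$TRUNK" name "$sub" type vlan id "$vid"
    run ip link add name "$br" type bridge
    run ip link set "$sub" master "$br"
    run ip netns add "$ns"
    run ip link add "$veth" type veth peer name "${veth}p"
    run ip link set "${veth}p" netns "$ns"
    run ip netns exec "$ns" ip link set "${veth}p" name eth0
    run ip link set "$veth" master "$br"
    for dev in "$sub" "$br" "$veth"; do
        run ip link set "$dev" up
    done
    run ip netns exec "$ns" ip link set eth0 up
}

# vlan_policy NS PROTO/PORT...: default-deny firewall inside namespace NS.
# Only the listed services (e.g. udp/53 for DNS, udp/67 for DHCP) are
# reachable from that VLAN, and nothing is forwarded through the namespace
# unless a rule is added for it, so one VLAN cannot use the NFV host as a
# path into another.
vlan_policy() {
    ns="$1"; shift
    ipt="ip netns exec $ns iptables"
    run $ipt -P INPUT DROP
    run $ipt -P FORWARD DROP
    run $ipt -A INPUT -i lo -j ACCEPT
    run $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for svc in "$@"; do
        run $ipt -A INPUT -i eth0 -p "${svc%/*}" --dport "${svc#*/}" -j ACCEPT
    done
}

# Example policy: VLAN 2001 gets DNS and DHCP, VLAN 2002 gets DNS only.
vlan_setup 2001 nfv2001
vlan_policy nfv2001 udp/53 udp/67
vlan_setup 2002 nfv2002
vlan_policy nfv2002 udp/53
```

Run it with DRY_RUN=0 as root on a host whose eth0 is the switch's trunk port. The namespaces only ever see frames the switch delivered with the matching tag, so the policy inside each one is only as trustworthy as the VLAN assignment on the switch; that is why a switch-side FAUCET ACL on the access ports is still worth having.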


+-------------------------------------------+
|FAUCET untagged VLAN 2001                  |
|                                           |
|                +---------------+   +--------------------------------+
|                |               |   |      |                         |
|                |          +--+ |   | +--+ |                         |
|                | Host 1   |  +-------+  | |                         |
|                |          +--+ |   | +--+ |                         |
|                |               |   |      |                         |
|                +---------------+   |      |                         |
+-------------------------------------------+                         |
                                     |                                |
                                     |                                |
+-------------------------------------------+                         |
|                +---------------+   |      |                         |
|                |               |   |      |                         |
|                |          +--+ |   | +--+ |                         |
|                | Host 2   |  +-------+  | |                         |
|                |          +--+ |   | +--+ |                         |
|                |               |   |      |                         |
|                +---------------+   |      |    switch               |
|                                    |      |                         |
|FAUCET untagged VLAN 2002           |      |                         |
+-------------------------------------------+                         |
                                     |                                |
+-------------------------------------------+                         |
|                +---------------+   |      |                         |
|                |          +--+ |   | +--+ |                         |
|                |          |  +-------+  | |                         |
|                |          +--+ |   | +--+ |                         |
|FAUCET trunk    |               |   |      |                         |
+-------------------------------------------+                         |
                 |               |   |                                |
+-------------------------------------------+                         |
|                |               |   |      |                         |
|                |          +--+ |   | +--+ |                         |
|                |          |  +-------+  | |                         |
|                |          +--+ |   | +--+ |                         |
|FAUCET CPN      |               |   +--------------------------------+
+-------------------------------------------+
                 | FAUCET        |
                 | control/NFV   |
                 |               |
                 |          +--+ |
                 |          |  +-------------+  INTERNET
                 |          +--+ |
                 +---------------+

The following small FAUCET config (the interfaces section of the switch's entry under dps; the VLANs themselves are declared in the vlans section) accomplishes the offload on the switch side: ports 1 and 2 are untagged members of VLANs 2001 and 2002, and port 24, the trunk to the NFV host, carries both VLANs tagged.

interfaces:
    1:
        native_vlan: 2001
        name: "port1.0.1"
    2:
        native_vlan: 2002
        name: "port1.0.2"
    24:
        tagged_vlans: [2001,2002]
        name: "port1.0.24"

Further, you might choose to configure FAUCET ACLs, which are installed as flows on the switch and so add another layer of protection at no cost to the NFV host. FAUCET ACL rules are written in terms of OpenFlow match fields (source and destination MAC, EtherType, IP addresses, ports and so on). For example:

interfaces:
    1:
        acl_in: 99
acls:
    99:
        - rule:
            dl_src: 11:22:33:44:55:66
            actions:
                allow: 0

        - rule:
            actions:
                allow: 1

This ACL drops, on ingress at port 1, any frame whose source MAC is 11:22:33:44:55:66 and allows everything else. Rules are evaluated in the order listed and the first match wins, so the catch-all allow must come last. If that MAC belongs to the NFV host, a machine on port 1 cannot spoof it, for example. A stricter variant of the same idea allows only the MAC you expect on that port and ends with a rule that drops everything else.

