Tuesday, April 25, 2017

design pattern - labels as metadata

FAUCET now allows you to push, via the ACL language, multiple VLAN headers.

    - rule:
        dl_dst: "01:02:03:04:05:06"    # match condition
        actions:
            output:
                dl_dst: "06:06:06:06:06:06"   # rewrite destination MAC
                vlan_vids: [123, 456]         # push two VLAN headers, in this order
                port: acloutport              # then output on this port
See https://github.com/REANNZ/faucet/pull/517/commits/117ed988c8d42dab7e2ce2d154d520b1fd79810e for caveats.

Why is this useful? Apart from being a tunneling mechanism, it also allows you to add metadata to a packet for a downstream NFV application. For example, you might push an additional VLAN header onto a packet, based on an ACL entry that identifies a particular user or application known to match the ACL conditions.

In particular, you could also push a VLAN representing the input port number, on top of another header that carries the input VLAN. For example, an ACL could take a packet that arrived untagged on VLAN 100 via port 2 and push VLAN 100, then VLAN 2 (so that a "mirroring" application can tell which VLAN and port the packet came from).
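To make the mirroring case concrete, here is an added example (not FAUCET's own code) of the downstream application side of this pattern: a small parser that walks the stacked 802.1Q headers of a mirrored frame and recovers the port and VLAN labels, treating frames that do not carry both labels as having no metadata at all. It assumes the push order above (VLAN 100, then VLAN 2), so the outermost tag is the port; the frame bytes are constructed inline.

```python
import struct
from typing import List, NamedTuple

# 802.1Q and 802.1ad TPIDs; FAUCET's vlan_vids action pushes 0x8100 tags.
VLAN_TPIDS = {0x8100, 0x88A8}

class Decoded(NamedTuple):
    dst: str
    src: str
    vids: List[int]   # outermost tag first
    ethertype: int    # ethertype of the innermost payload
    payload: bytes

def _mac(b: bytes) -> str:
    return ':'.join('%02x' % x for x in b)

def parse_stacked_vlans(frame: bytes) -> Decoded:
    """Walk every VLAN tag on an Ethernet frame, returning VIDs outermost first."""
    if len(frame) < 14:
        raise ValueError('truncated Ethernet header')
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    off, vids = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError('truncated frame')
        (ethertype,) = struct.unpack_from('!H', frame, off)
        off += 2
        if ethertype not in VLAN_TPIDS:
            break
        if off + 2 > len(frame):
            raise ValueError('truncated VLAN tag')
        (tci,) = struct.unpack_from('!H', frame, off)
        off += 2
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID
    return Decoded(dst, src, vids, ethertype, frame[off:])

def metadata_from_frame(frame: bytes):
    """Mirroring-app view: outermost tag = input port, next tag = input VLAN.
    Returns None unless both labels are present, so untagged or
    single-tagged traffic is never misread as ACL-supplied metadata."""
    d = parse_stacked_vlans(frame)
    if len(d.vids) < 2:
        return None
    return {'port': d.vids[0], 'vlan': d.vids[1], 'inner_vids': d.vids[2:]}

def build_frame(dst: str, src: str, vids: List[int], ethertype: int, payload: bytes) -> bytes:
    """Constructed test input: tags are laid out so that vids[0] is outermost."""
    hdr = bytes.fromhex(dst.replace(':', '')) + bytes.fromhex(src.replace(':', ''))
    tags = b''.join(struct.pack('!HH', 0x8100, vid & 0x0FFF) for vid in vids)
    return hdr + tags + struct.pack('!H', ethertype) + payload
```

Running `metadata_from_frame(build_frame('06:06:06:06:06:06', '00:11:22:33:44:55', [2, 100], 0x0800, b'\x45' + b'\x00' * 19))` yields `{'port': 2, 'vlan': 100, 'inner_vids': []}`, the example case from the text.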

In the future, FAUCET will make more use of this design pattern as an alternative to packet in. It will also be able to use PBB or MPLS labels in a similar way.

Testing the CPN (and TLS support)

Unit testing the dataplane is important, but so is testing control plane connectivity.

When testing hardware, FAUCET now supports using TLS to secure the OpenFlow connection between FAUCET and the switch.

To configure FAUCET for TLS, follow the Ryu instructions at https://github.com/osrg/ryu/blob/master/doc/source/tls.rst.

To test that it works with your hardware, see the new TLS fields in https://github.com/REANNZ/faucet/blob/master/tests/hw_switch_config.yaml.

There will be additional control plane testing added to the FAUCET test suite over time.