The Road to SDN: An Intellectual History of Programmable Networks (四)


2.3 OpenFlow and Network OSes




In the mid-2000s, researchers and funding agencies gained interest in the idea of network experimentation at scale, encouraged by the success of experimental infrastructures (e.g., PlanetLab [6] and Emulab [83]), and the availability of separate government funding for large-scale “instrumentation” previously reserved for other disciplines to build expensive, shared infrastructure such as colliders and telescopes [52]. An outgrowth of this enthusiasm was the creation of the Global Environment for Networking Innovations (GENI) [33] with an NSF-funded GENI Project Office and the EU FIRE program [32]. Critics of these infrastructure-focused efforts pointed out that this large investment in infrastructure was not matched by well-conceived ideas to use it. In the midst of this, a group of researchers at Stanford created the Clean Slate Program and focused on experimentation at a more local and tractable scale: campus networks


Before the emergence of OpenFlow, the ideas underlying SDN faced a tension between the vision of fully programmable networks and pragmatism that would enable realworld deployment. OpenFlow struck a balance between these two goals by enabling more functions than earlier route controllers and building on existing switch hardware, through the increasing use of merchant-silicon chipsets in commodity switches. Although relying on existing switch hardware did somewhat limit flexibility, OpenFlow was almost immediately deployable, allowing the SDN movement to be both pragmatic and bold. The creation of the OpenFlow API [51] was followed quickly by the design of controller platforms like NOX [37] that enabled the creation of many new control applications

在OpenFlow出现之前,SDN的基本思想面临着完全可编程网络和实用主义之间的紧张关系,后者将使RealWorld部署成为可能。OpenFlow在这两个目标之间取得了平衡,它启用了比早期路由控制器更多的功能,并通过在商品交换机中越来越多地使用商用硅芯片组来构建现有的交换机硬件。尽管依赖现有的交换机硬件在一定程度上限制了灵活性,但OpenFlow几乎可以立即部署,这使得SDN的移动既实用又大胆,OpenFlow API的创建之后,紧接着是NOX这样的控制器平台的设计,它支持创建许多新的控制应用程序。

An OpenFlow switch has a table of packet-handling rules, where each rule has a pattern (that matches on bits in the packet header), a list of actions (e.g., drop, flood, forward out a particular interface, modify a header field, or send the packet to the controller), a set of counters (to track the number ofbytes and packets), and a priority (to disambiguate between rules with overlapping patterns). Upon receiving a packet, an OpenFlow switch identifies the highest-priority matching rule, performs the associated actions, and increments the counters


Technology push and use pull. Perhaps the defining feature of OpenFlow is its adoption in industry, especially as compared with its intellectual predecessors. This success can be attributed to a perfect storm of conditions between equipment vendors, chipset designers, network operators, and networking researchers. Before OpenFlow’s genesis, switch chipset vendors like Broadcom had already begun to open their APIs to allow programmers to control certain forwarding behaviors. The decision to open the chipset provided the necessary impetus to an industry that was already clamoring for more control over network devices. The availability of these chipsets also enabled a much wider range of companies to build switches, without incurring the substantial cost of designing and fabricating their own data-plane hardware.


The initial OpenFlow protocol standardized a data-plane model and a control-plane API by building on technology that switches already supported. Specifically, because network switches already supported fine-grained access control and flow monitoring, enabling OpenFlow’s initial set of capabilities on switch was as easy as performing a firmware upgrade—vendors did not need to upgrade the hardware to make their switches OpenFlow-capable


OpenFlow’s initial target deployment scenario was campus networks, meeting the needs of a networking research community actively looking for ways to conduct experimental work on “clean-slate” network architectures within a researchfriendly operational setting. In the late 2000s, the OpenFlow group at Stanford led an effort to deploy OpenFlow testbeds across many campuses and demonstrate the capabilities of the protocol both on a single campus network and over a widearea backbone network spanning multiple campuses


As real SDN use cases materialized on these campuses, OpenFlow began to take hold in other realms, such as datacenter networks, where there was a distinct need to manage network traffic at large scales. In data centers, the cost of hiring engineers to write sophisticated control programs to run over large numbers of commodity switches proved to be more cost-effective than continuing to purchase closed, proprietary switches that could not support new features without substantial engagement with the equipment vendors. As vendors began to compete to sell both servers and switches for data centers, many smaller players in the network equipment marketplace embraced the opportunity to compete with the established router and switch vendors by supporting new capabilities like OpenFlow


Intellectual contributions. Although OpenFlow embodied many of the principles from earlier work on the separation of control and data planes, the rise of OpenFlow offered several additional intellectual contributions:


Generalizing network devices and functions. Previous work on route control focused primarily on matching traffic by destination IP prefix. In contrast, OpenFlow rules could define forwarding behavior on traffic flows based on any set of 13 different packet headers. As such, OpenFlow conceptually unified many different types of network devices that differ only in terms of which header fields they match, and which actions they perform. A router matches on destination IP prefix and forwards out a link, whereas a switch matches on source MAC address (to perform MAC learning) and destination MAC address (to forward), and either floods or forwards out a single link. Network address translators and firewalls match on the five tuple (of source and destination IP addresses and port numbers, and the transport protocol) and either rewrites address and port fields, or drops unwanted traffic. OpenFlow also generalized the ruleinstallation techniques, allowing anything from proactive installation of coarse-grained rules (i.e., with “wildcards” for many header fields) to reactive installation of fine-grained rules, depending on the application. Still, OpenFlow does not offer data-plane support for deep packet inspection or connection reassembly; as such, OpenFlow alone cannot efficiently enable sophisticated middlebox functionality


The vision of a network operating system. In contrast to earlier research on active networks that proposed a node operating system, the work on OpenFlow led to the notion of a network operating system [37]. A network operating system is software that abstracts the installation of state in network switches from the logic and applications that control the behavior of the network. More generally, the emergence of a network operating system offered a conceptual decomposition of network operation into three layers [46]: (1) a data plane with an open interface; (2) a state management layer that is responsible for maintaining a consistent view of network state; (3) control logic that performs various operations depending on its view of network state


Distributed state management techniques. Separating the control and data planes introduces new challenges concerning state management. Running multiple controllers is crucial for scalability, reliability, and performance, yet these replicas should work together to act like a single, logically centralized controller. Previous work on distributed route controllers [12, 79] only addressed these problems in the narrow context of route computation. To support arbitrary controller applications, the work on the Onix [46] controller introduced the idea of a network information base—a representation of the network topology and other control state shared by all controller replicas. Onix also incorporated past work in distributed systems to satisfy the state consistency and durability requirements. For example, Onix has a transactional persistent database backed by a replicated state machine for slowly-changing network state, as well as an in-memory distributed hash table for rapidly-changing state with weaker consistency requirements. More recently, the ONOS [55] system offers an open-source controller with similar functionality, using existing open-source software for maintaining consistency across distributed state and providing a network topology database to controller applications.


Myths and misconceptions. One myth concerning SDN is that the first packet of every traffic flow must go to the controller for handling. Indeed, some early systems like Ethane [16] worked this way, since they were designed to support fine-grained policies in small networks. In fact, SDN in general, and OpenFlow in particular, do not impose any assumptions about the granularity of rules or whether the controller handles any data traffic. Some SDN applications respond only to topology changes and coarse-grained traffic statistics and update rules infrequently in response to link failures or network congestion. Other applications may send the first packet of some larger traffic aggregate to the controller, but not a packet from every TCP or UDP connection.


A second myth surrounding SDN is that the controller must be physically centralized. In fact, Onix [46] and ONOS [55] demonstrate that SDN controllers can—and should—be distributed. Wide-area deployments of SDN, as in Google’s private backbone [44], have many controllers spread throughout the network


Finally, a commonly held misconception is that SDN and OpenFlow are equivalent; in fact, OpenFlow is merely one (widely popular) instantiation of SDN principles. Different APIs could be used to control network-wide forwarding behavior; previous work that focused on routing (using BGP as an API) could be considered one instantiation of SDN, for example, and architectures from various vendors (e.g., Cisco ONE and JunOS SDK) represent other instantiations of SDN that differ from OpenFlow

最后,一个普遍存在的误解是,SDN和OpenFlow是等价的;实际上,OpenFlow只是SDN原则的一个(广泛流行的)实例化。可以使用不同的api来控制网络范围内的转发行为;以前专注于路由的工作(使用bgp作为api)可以被认为是sdn的一个实例化,例如,来自不同供应商的体系结构(例如Cisco One和Junos SDK)代表了SDN不同于OpenFlow的其他实例化。

In search of control programs and use cases. Despite the initial excitement surrounding SDN, it is worth recognizing that SDN is merely a tool that enables innovation in network control. SDN neither dictates how that control should be designed nor solves any particular problem. Rather, researchers and network operators now have a platform at their disposal to help address longstanding problems in managing their networks and deploying new services. Ultimately, the success and adoption of SDN depends on whether it can be used to solve pressing problems in networking that were difficult or impossible to solve with earlier protocols. SDN has already proved useful for solving problems related to network virtualization, as we describe in the next section


