slides - Laurent Vanbever
Transcription
slides - Laurent Vanbever
Novel Applications for a SDN-enabled Internet Exchange Point Laurent Vanbever [email protected] SDN Research Group, IETF87 July, 29 2013 Based on joint work with Arpit Gupta, Muhammad Shahbaz, Hyojoon Kim, Russ Clark, Nick Feamster, Jennifer Rexford and Scott Shenker BGP is notoriously unflexible and difficult to manage Operating BGP has at least three limitations BGP is notoriously unflexible and difficult to manage Operating BGP has at least three limitations assume destination IP based routing BGP is notoriously unflexible and difficult to manage Operating BGP has at least three limitations assume destination IP based routing what people really want customized routing decisions BGP is notoriously unflexible and difficult to manage Operating BGP has at least three limitations assume destination IP based routing policies are applied to direct neighbors what people really want customized routing decisions BGP is notoriously unflexible and difficult to manage Operating BGP has at least three limitations what people really want assume destination IP based routing customized routing decisions policies are applied to direct neighbors affect end-to-end paths BGP is notoriously unflexible and difficult to manage Operating BGP has at least three limitations what people really want assume destination IP based routing customized routing decisions policies are applied to direct neighbors affect end-to-end paths indirectly influence forwarding paths BGP is notoriously unflexible and difficult to manage Operating BGP has at least three limitations what people really want assume destination IP based routing customized routing decisions policies are applied to direct neighbors affect end-to-end paths indirectly influence forwarding paths directing traffic on specific paths SDN can enable fine-grained, flexible and direct expression of interdomain policies SDN devices forward based on any packet-header fields at line rate, enabling flexible forwarding SDN controller can be controlled by remote parties on a bilateral basis, without any global standards SDN controller exerts direct control on the data plane using a standardized API such as OpenFlow Internet Exchange Points are perfect places to deploy new interdomain features Internet Exchange Points are perfect places to deploy new interdomain features Internet Exchange Points (IXPs) ... Internet Exchange Points are perfect places to deploy new interdomain features Internet Exchange Points (IXPs) connect a large number of participants Internet Exchange Points are perfect places to deploy new interdomain features Internet Exchange Points (IXPs) connect a large number of participants AMS-IX: 600 participants Internet Exchange Points are perfect places to deploy new interdomain features Internet Exchange Points (IXPs) AMS-IX: connect a large number of participants 600 participants carry a large amount of traffic > 2250 Gb/s (peak) Internet Exchange Points are perfect places to deploy new interdomain features Internet Exchange Points (IXPs) AMS-IX: connect a large number of participants 600 participants carry a large amount of traffic > 2250 Gb/s (peak) are a hotbed of innovation BGP Route Server Mobile peering Open peering ... Internet Exchange Points are perfect places to deploy new interdomain features Internet Exchange Points (IXPs) connect a large number of participants carry a large amount of traffic are a hotbed of innovation Even a single deployment can have a large impact! An IXP is a large L2 domain where participants routers peer using BGP !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! * !"#$ + ) %&'()&#!"#* !"#+ * + ) , , !"#$%&'() -#$./.$0"1()!(2&1.3.45 !"#$%&'(* !"#$%&'(, !"#$%&'(+ !"#$%&'()&**+) ,&62&5.74(81&9:;014(4#7;.45 6 ,#-$!./(01/'2$345)/0 7 % <&074(!4;/4; !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#! !"#$ !"#$ %&'()&#!"#* !"#+ !"#+ An IXP is a large L2 domain where !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#$ *!"#+ + participants* routers using BGP ) + ) peer * + , !"#$%&'() * !"#$%&'() + %&'()&#!"#* ) * + , , -#$./.$0"1()!(2&1.3.45 -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(* !"#$%&'(+ !"#$%&'(, !"#$%&'()&**+) ) ) * + , , !"#$%&'()&**+) ,&62&5.74(81&9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: -#$./.$0"1()!(2&1.3.45 %&'()&#!"#* !"#! !"#$ !"#+ ,&62&5.74(81&9:;014(4#7;.45 !"#$%&'(* !"#$%&'(+ !"#$%&'(, * !"#$%&'()&**+) + ) * + ) , , -#$./.$0"1()!(2&1.3.45 ,&62&5.74(81&9:;014(4#7;.45 ,#-$!./(01/'2$345)/0 6 !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(+ ,#-$!./(01/'2$345)/0!"#$%&'()&**+) 6 ,&62&5.74(81&9:;014(4#7;.45 6 ,#-$!./(01/'2$345)/0 ,#-$!./(01/'2$345)/0 6 7 <&074(!4;/4; % 7 <&074(!4;/4; % 7<&074(!4;/4; % <&074(!4;/4; Participant BGP Edge router 7 % !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#! !"#$ !"#$ %&'()&#!"#* !"#+ !"#+ An IXP is a large L2 domain where !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#$ *!"#+ + participants* routers using BGP ) + ) peer * + , !"#$%&'() * !"#$%&'() + %&'()&#!"#* ) * + , , -#$./.$0"1()!(2&1.3.45 -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(* !"#$%&'(+ !"#$%&'(, !"#$%&'()&**+) ) ) * + , , !"#$%&'()&**+) ,&62&5.74(81&9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: -#$./.$0"1()!(2&1.3.45 %&'()&#!"#* !"#! !"#$ !"#+ ,&62&5.74(81&9:;014(4#7;.45 !"#$%&'(* !"#$%&'(+ !"#$%&'(, * !"#$%&'()&**+) + ) * + ) , , -#$./.$0"1()!(2&1.3.45 ,&62&5.74(81&9:;014(4#7;.45 ,#-$!./(01/'2$345)/0 6 !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(+ ,#-$!./(01/'2$345)/0!"#$%&'()&**+) 6 ,&62&5.74(81&9:;014(4#7;.45 6 <&074(!4;/4; ,#-$!./(01/'2$345)/0 ,#-$!./(01/'2$345)/0 6 7 <&074(!4;/4; % 7 (private) 7<&074(!4;/4; eBGP session % % <&074(!4;/4; Participant BGP Edge router 7 % !"#$%&'() !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#! !"#$ !"#$ %&'()&#!"#* !"#+ !"#+ An IXP is a large L2 domain where !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#$ *!"#+ + participants* routers using BGP ) + ) peer * + , !"#$%&'() * !"#$%&'() + %&'()&#!"#* ) * + , , -#$./.$0"1()!(2&1.3.45 -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(* !"#$%&'(+ !"#$%&'(, !"#$%&'()&**+) ) ) * + , , !"#$%&'()&**+) ,&62&5.74(81&9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: -#$./.$0"1()!(2&1.3.45 %&'()&#!"#* !"#! !"#$ !"#+ ,&62&5.74(81&9:;014(4#7;.45 !"#$%&'(* !"#$%&'(+ !"#$%&'(, 6 * Route-Server , eBGP session -#$./.$0"1()!(2&1.3.45 ,&62&5.74(81&9:;014(4#7;.45 ,#-$!./(01/'2$345)/0 6 !"#$%&'()&**+) + ) * + ) , !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(+ ,#-$!./(01/'2$345)/0!"#$%&'()&**+) 6 ,&62&5.74(81&9:;014(4#7;.45 6 ,#-$!./(01/'2$345)/0 ,#-$!./(01/'2$345)/0 6 7 <&074(!4;/4; % 7 <&074(!4;/4; % 7<&074(!4;/4; % <&074(!4;/4; Participant BGP Edge router 7 % <&074(!4;/4; Route server !"#$%&'() !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#! !"#$ !"#$ %&'()&#!"#* !"#+ !"#+ An IXP is a large L2 domain where !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#$ *!"#+ + participants* routers using BGP ) + ) peer * + , !"#$%&'() * !"#$%&'() + %&'()&#!"#* ) * + , , -#$./.$0"1()!(2&1.3.45 -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(* !"#$%&'(+ !"#$%&'(, !"#$%&'()&**+) ) ) * + , , !"#$%&'()&**+) ,&62&5.74(81&9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: -#$./.$0"1()!(2&1.3.45 %&'()&#!"#* !"#! !"#$ !"#+ ,&62&5.74(81&9:;014(4#7;.45 !"#$%&'(* !"#$%&'(+ !"#$%&'(, 6 * !"#$%&'()&**+) + ) * + ) , , -#$./.$0"1()!(2&1.3.45 ,&62&5.74(81&9:;014(4#7;.45 ,#-$!./(01/'2$345)/0 6 Traffic !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(+ ,#-$!./(01/'2$345)/0!"#$%&'()&**+) 6 ,&62&5.74(81&9:;014(4#7;.45 6 ,#-$!./(01/'2$345)/0 ,#-$!./(01/'2$345)/0 6 7 <&074(!4;/4; % 7 <&074(!4;/4; % 7<&074(!4;/4; % <&074(!4;/4; Participant BGP Edge router 7 % <&074(!4;/4; Route server !"#$%&'() !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#! !"#$ !"#$ %&'()&#!"#* !"#+ !"#+ With respect !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: to IXPs, SDN-enabled IXPs (SDX) ...’ !"#! !"#$ *!"#+ + %&'()&#!"#* ) * , data plane *relies+ on) SDN-capable devices ) * + , , -#$./.$0"1()!(2&1.3.45 !"#$%&'() * !"#$%&'() + -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(* !"#$%&'(+ !"#$%&'(, !"#$%&'()&**+) ) ) * + , , !"#$%&'()&**+) ,&62&5.74(81&9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: -#$./.$0"1()!(2&1.3.45 %&'()&#!"#* !"#! !"#$ !"#+ ,&62&5.74(81&9:;014(4#7;.45 !"#$%&'(* !"#$%&'(+ !"#$%&'(, 6 * !"#$%&'()&**+) + ) * + ) , , -#$./.$0"1()!(2&1.3.45 ,&62&5.74(81&9:;014(4#7;.45 ,#-$!./(01/'2$345)/0 6 !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(+ ,#-$!./(01/'2$345)/0!"#$%&'()&**+) 6 ,&62&5.74(81&9:;014(4#7;.45 6 ,#-$!./(01/'2$345)/0 ,#-$!./(01/'2$345)/0 6 7 <&074(!4;/4; % 7 <&074(!4;/4; % 7<&074(!4;/4; % <&074(!4;/4; + Participant Edge router 7 % <&074(!4;/4; Route server !"#$%&'() !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#! !"#$ !"#$ %&'()&#!"#* !"#+ !"#+ With respect !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: to IXPs, SDN-enabled IXPs (SDX) !"#! !"#$ *!"#+ + %&'()&#!"#* ) * , data plane *relies+ on) SDN-capable devices ) * + , , -#$./.$0"1()!(2&1.3.45 !"#$%&'() * !"#$%&'() + -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(* !"#$%&'(+ !"#$%&'(, !"#$%&'()&**+) ) ) * + , , !"#$%&'()&**+) ,&62&5.74(81&9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: -#$./.$0"1()!(2&1.3.45 %&'()&#!"#* !"#! !"#$ !"#+ ,&62&5.74(81&9:;014(4#7;.45 !"#$%&'(* !"#$%&'(+ !"#$%&'(, 6 * !"#$%&'()&**+) + ) * + ) , , -#$./.$0"1()!(2&1.3.45 ,&62&5.74(81&9:;014(4#7;.45 ,#-$!./(01/'2$345)/0 6 !"#$%&'() !"#$%&'(* !"#$%&'(, OpenFlow enabled Switch ,#-$!./(01/'2$345)/0!"#$%&'()&**+) 6 !"#$%&'(+ ,&62&5.74(81&9:;014(4#7;.45 6 ,#-$!./(01/'2$345)/0 F O ,#-$!./(01/'2$345)/0 6 7 <&074(!4;/4; % 7 <&074(!4;/4; % 7<&074(!4;/4; % <&074(!4;/4; + Participant Edge router 7 % <&074(!4;/4; Route server !"#$%&'() !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#! !"#$ !"#$ %&'()&#!"#* !"#+ !"#+ With respect !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: to IXPs, SDN-enabled IXPs (SDX) !"#! !"#$ *!"#+ + %&'()&#!"#* ) * , control plane relies ) * + )on, a SDX * controller + , -#$./.$0"1()!(2&1.3.45 !"#$%&'() * + -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(* !"#$%&'(+ !"#$%&'(, !"#$%&'()&**+) ) ) * + , , !"#$%&'()&**+) ,&62&5.74(81&9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: -#$./.$0"1()!(2&1.3.45 %&'()&#!"#* !"#! !"#$ !"#+ ,&62&5.74(81&9:;014(4#7;.45 !"#$%&'(* !"#$%&'(+ !"#$%&'(, 6 !"#$%&'() * !"#$%&'()&**+) + ) * + ) , , -#$./.$0"1()!(2&1.3.45 ,&62&5.74(81&9:;014(4#7;.45 ,#-$!./(01/'2$345)/0 6 !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(+ ,#-$!./(01/'2$345)/0!"#$%&'()&**+) 6 ,&62&5.74(81&9:;014(4#7;.45 6 ,#-$!./(01/'2$345)/0 F O ,#-$!./(01/'2$345)/0 6 7 <&074(!4;/4; % 7 <&074(!4;/4; % 7<&074(!4;/4; % <&074(!4;/4; + Participant Edge router 7 % SDX controller <&074(!4;/4; !"#$%&'() !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#! !"#$ !"#$ %&'()&#!"#* !"#+ !"#+ SDX participants write policies using a high-level !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#$ *!"#+ + %&'()&#!"#* ) * , language on top +of )a virtual ) * *topology + , , -#$./.$0"1()!(2&1.3.45 !"#$%&'() * + -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(* !"#$%&'(+ !"#$%&'(, !"#$%&'()&**+) ) ) * + , , !"#$%&'()&**+) ,&62&5.74(81&9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: -#$./.$0"1()!(2&1.3.45 %&'()&#!"#* !"#! !"#$ !"#+ match(dstip=ipA) >> fwd(outA) ,&62&5.74(81&9:;014(4#7;.45 !"#$%&'(* !"#$%&'(+ !"#$%&'(, 6 !"#$%&'() * !"#$%&'()&**+) + ) * + ) , , -#$./.$0"1()!(2&1.3.45 ,&62&5.74(81&9:;014(4#7;.45 ,#-$!./(01/'2$345)/0 6 !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(+ ,#-$!./(01/'2$345)/0!"#$%&'()&**+) 6 ,&62&5.74(81&9:;014(4#7;.45 match(dstip=ipC) >> fwd(C) + 6 match(dstip=ipA) >> fwd(A) + match(dstip=ipB) >> fwd(outB) + ,#-$!./(01/'2$345)/0 F O ,#-$!./(01/'2$345)/0 6 7 <&074(!4;/4; % 7 <&074(!4;/4; % 7<&074(!4;/4; % <&074(!4;/4; match(dstip=ipC) >> fwd(outC) 7 % SDX controller <&074(!4;/4; !"#$%&'() !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#! !"#$ !"#$ %&'()&#!"#* !"#+ !"#+ The SDX controller composes policies !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#$ *!"#+ + %&'()&#!"#* ) * , together ensuring isolation and correctness ) * + ) * + , , -#$./.$0"1()!(2&1.3.45 !"#$%&'() * + -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(* !"#$%&'(+ !"#$%&'(, !"#$%&'()&**+) ) ) * + , , !"#$%&'()&**+) ,&62&5.74(81&9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: -#$./.$0"1()!(2&1.3.45 %&'()&#!"#* !"#! !"#$ !"#+ match(dstip=ipA) >> fwd(outA) ,&62&5.74(81&9:;014(4#7;.45 !"#$%&'(* !"#$%&'(+ !"#$%&'(, 6 !"#$%&'() * !"#$%&'()&**+) + ) * + ) , , -#$./.$0"1()!(2&1.3.45 ,&62&5.74(81&9:;014(4#7;.45 ,#-$!./(01/'2$345)/0 6 !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(+ ,#-$!./(01/'2$345)/0!"#$%&'()&**+) 6 ,&62&5.74(81&9:;014(4#7;.45 match(dstip=ipC) >> fwd(C) + 6 match(dstip=ipA) >> fwd(A) + match(dstip=ipB) >> fwd(outB) + ,#-$!./(01/'2$345)/0 F O ,#-$!./(01/'2$345)/0 6 7 <&074(!4;/4; % 7 <&074(!4;/4; % 7<&074(!4;/4; % <&074(!4;/4; match(dstip=ipC) >> fwd(outC) 7 % SDX controller <&074(!4;/4; !"#$%&'() !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#! !"#$ !"#$ %&'()&#!"#* !"#+ !"#+ The SDX controller composes policies !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#$ *!"#+ + %&'()&#!"#* ) * , together ensuring isolation and correctness ) * + ) * + , , -#$./.$0"1()!(2&1.3.45 !"#$%&'() * + -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(* !"#$%&'(+ !"#$%&'(, !"#$%&'()&**+) ) ) * + , , !"#$%&'()&**+) ,&62&5.74(81&9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: -#$./.$0"1()!(2&1.3.45 %&'()&#!"#* !"#! !"#$ !"#+ match(dstip=ipA) >> fwd(outA) ,&62&5.74(81&9:;014(4#7;.45 !"#$%&'(* !"#$%&'(+ !"#$%&'(, 6 !"#$%&'() * !"#$%&'()&**+) + ) * + , ) , -#$./.$0"1()!(2&1.3.45 ,&62&5.74(81&9:;014(4#7;.45 ,#-$!./(01/'2$345)/0 6 !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(+ ,#-$!./(01/'2$345)/0!"#$%&'()&**+) 6 OpenFlow rules ,&62&5.74(81&9:;014(4#7;.45 match(dstip=ipC) >> fwd(C) + 6 match(dstip=ipA) >> fwd(A) + match(dstip=ipB) >> fwd(outB) + ,#-$!./(01/'2$345)/0 F O ,#-$!./(01/'2$345)/0 6 7 <&074(!4;/4; % 7 <&074(!4;/4; % 7<&074(!4;/4; % <&074(!4;/4; match(dstip=ipC) >> fwd(outC) 7 % SDX controller <&074(!4;/4; !"#$%&'() !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#! !"#$ !"#$ %&'()&#!"#* !"#+ !"#+ !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! * !"#$ + ) 6 , !"#$%&'() * !"#$%&'() + *!"#+ * + + %&'()&#!"#* ) * , ) , -#$./.$0"1()!(2&1.3.45 ,#-$!./(01/'2$345)/0 -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(* !"#$%&'(+ !"#$%&'(, !"#$%&'()&**+) ) ) * + , , !"#$%&'()&**+) SDX controller ,&62&5.74(81&9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: -#$./.$0"1()!(2&1.3.45 %&'()&#!"#* !"#! !"#$ !"#+ ,&62&5.74(81&9:;014(4#7;.45 !"#$%&'(* !"#$%&'(+ !"#$%&'(, 6 * !"#$%&'()&**+) + ) 7 * + ) , , -#$./.$0"1()!(2&1.3.45 ,&62&5.74(81&9:;014(4#7;.45 ,#-$!./(01/'2$345)/0 6 ,#-$!./(01/'2$345)/0 What 6does SDX enable that was hard <&074(!4;/4; or impossible to do before? !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'(+ !"#$%&'()&**+) ,&62&5.74(81&9:;014(4#7;.45 6 ,#-$!./(01/'2$345)/0 F O ,#-$!./(01/'2$345)/0 6 7 <&074(!4;/4; % 7 <&074(!4;/4; % 7<&074(!4;/4; % <&074(!4;/4; + Participant Edge router 7 % <&074(!4;/4; Route server % SDX enables a wide range of novel interdomain applications security Prevent/block policy violation Prevent participants communication forwarding optimization Middlebox traffic steering Traffic offloading Inbound Traffic Engineering peering Application-specific peering remote-control Wide-area load balancing Influence BGP path selection Upstream blocking of DoS attacks SDX enables a wide range of novel interdomain applications security Prevent/block policy violation Prevent participants communication forwarding optimization Middlebox traffic steering Traffic offloading Inbound Traffic Engineering peering Application-specific peering remote-control Wide-area load balancing Influence BGP path selection Upstream blocking of DoS attacks Novel Applications for a SDN-enabled Internet Exchange Point 1 Inbound Traffic Engineering 2 Upstream DoS blocking 3 Wide-area load balancing Novel Applications for a SDN-enabled Internet Exchange Point 1 Inbound Traffic Engineering Upstream DoS blocking Wide-area load balancing SDX can improve inbound traffic engineering #$ !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: %&'()&#!"#* !"#! !"#$ !"#+ !"#+ %&'()&#!"#* SDX can improve inbound traffic engineering !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: * ) + , * + ) , -#$./.$0"1()!(2&1.3.45 !"#! %&'(* !"#$%&'(, !"#! !"#$ !"#$ !"#+ !"#$%&'(+ !"#$%&'() ) * + %&'()&#!"#* %&'()&#!"#* !"#+ -#$./.$0"1()!(2&1.3.45 !"#$%&'(* !"#$%&'(, , !"#$%&'(+ !"#$%&'()&**+) Given an IXP Physical Topology ,&62&5.74(81&9:;014(4#7;.45 !"#$%&'()&**+) !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: +* ) + ) * * , !"#$ !"#! !"#+, +* ) %&'()&#!"#* ,&62&5.74(81&9:;014(4#7;.45 ) ,+ , -#$./.$0"1()!(2&1.3.45 -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'(* !"#$%&'(+ !"#$%&'(, !"#$%&'(, ) !"#$%&'() * + ) * + !./(01/'2$345)/0 !"#$%&'(+ , , ,#-$!./(01/'2$345)/0 !"#$%&'()&**+) !"#$%&'()&**+) 6 !"#$%&'(+ !"#$%&'(, -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'()&**+),&62&5.74(81&9:;014(4#7;.45 ,&62&5.74(81&9:;014(4#7;.45 ,&62&5.74(81&9:;014(4#7;.45 7 6 % ,#-$!./(01/'2$345)/0 ,#-$!./(01/'2$345)/0 6,#-$!./(01/'2$345)/0 6 <&074(!4;/4; eBGP session 7 % <&074(!4;/4; 71 72 % <&074(!4;/4; <&074(!4;/4; % % #$ !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: %&'()&#!"#* !"#! !"#$ !"#+ !"#+ %&'()&#!"#* SDX can improve inbound traffic engineering !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: * ) + , * + ) , -#$./.$0"1()!(2&1.3.45 !"#! %&'(* !"#$%&'(, !"#! !"#$ !"#$ !"#+ !"#$%&'(+ !"#$%&'() !"#$%&'(* !"#$%&'()&**+) Given an IXP Physical Topology ,&62&5.74(81&9:;014(4#7;.45 , !"#$ !"#! !"#+, !"#$%&'(, !"#$%&'()&**+) and !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: +* ) + ) * * ) * + %&'()&#!"#* %&'()&#!"#* !"#+ -#$./.$0"1()!(2&1.3.45 +* ) %&'()&#!"#* * + ) * + a BGP topology !"#! !"#$ !"#+ %&'()&#!"#*%&'()&#!"#* !"#! !"#$ !"#+ !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#$ * %&'()&#!"#* !"#+ + , ) *+ , * ) ) + , , -#$./.$0"1()!(2&1.3.45 -#$./.$0"1()!(2&1.3.45 ) + ) * + , !"#$%&'(+ , !"#$%&'(*!"#$%&'(, !"#$%&'(, !"#$%&'() !"#$%&'() !"#$%&'(* !"#$%&'(+ 192.0.{1,2,3}.0/24 !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: -#$./.$0"1()!(2&1.3.45 !"#$%&'(+ !"#$%&'() !"#$%&'()&**+)!"#+ !"#$%&'()&**+) !"#$ !"#! !"#$%&'(* %&'()&#!"#* !"#$%&'(+ !"#$%&'(, ,&62&5.74(81&9:;014(4#7;.45 ,&62&5.74(81&9:;014(4#7;.45 , , !./(01/'2$345)/0 !"#$%&'(+ !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: ,&62&5.74(81&9:;014(4#7;.45 ) *+ *, ) ,+ -#$./.$0"1()!(2&1.3.45 -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'(* !"#$%&'(+ !"#$%&'(, !"#$%&'(, ) !"#$%&'() , !"#$%&'()&**+) ,#-$!./(01/'2$345)/0 !"#$%&'()&**+) !"#$%&'()&**+) 6 !"#$%&'(* !"#$%&'(+ !"#$%&'(, -#$./.$0"1()!(2&1.3.45 !"#$%&'() ,&62&5.74(81&9:;014(4#7;.45 * + , ,#-$!./(01/'2$345)/0 ,#-$!./(01/'2$345)/0 * + !"#$%&'()&**+),&62&5.74(81&9:;014(4#7;.45 ,&62&5.74(81&9:;014(4#7;.45 192.0.1.0/24 6 ,&62&5.74(81&9:;014(4#7;.45 6 % !"#$%&'(, <&074(!4;/4; % % ,&62&5.74(81&9:;014(4#7;.45 % 192.0.3.0/24 7 6 % ,#-$!./(01/'2$345)/0 AS A AS C <&074(!4;/4; 7 % <&074(!4;/4; 7 71 72 % <&074(!4;/4; % <&074(!4;/4; <&074(!4;/4; % !"#$%&'(+ 7 192.0.3.0/24 ,#-$!./(01/'2$345)/0 , ,#-$!./(01/'2$345)/0 !"#$%&'()&**+)192.0.2.0/24 7 <&074(!4;/4;<&074(!4;/4; ,#-$!./(01/'2$345)/0 6,#-$!./(01/'2$345)/0 6 AS !"#$%&'(* B !"#$%&'() 7 ) 192.0.1.0/24 -#$./.$0"1()!(2&1.3.45 6 6 192.0.2.0/24 ) * + ) * ) + , , * + ) !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9 , -#$./.$0"1()!(2&1.3.45 !"#! !"#$%&'(* !"#$%&'(, %&'()&# !"#! !"#$ !"#$ !"#+ !"#+ -#$./.$0"1()!(2 !"#$%&'(+ !"#$%&'() !"#$%&'(* SDX can improve inbound!"#$%&'()&**+) traffic engineering!"#$%&'() !"#$%&'() ,&62&5.74(81&9:;014(4#7;.45 !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: * +* ) ) * ,+ , !"#! !"#$ ) +* %&'()&#!"#* !"#+ ,& ,+ -#$./.$0"1()!(2&1.3.45 -#$./.$0"1()!(2&1.3.45 Implements B’s inbound policy !"#$%&'()* 6 !"#$%&'() !"#$%&'(* + ) * !"#$%&'(* !"#$%&'(, ) + ,#-$!./(01/'2$345)/0 !"#$%& !"#$%&'(, , , ,#-$!./(01/'2$34 6 !"#$%&'()&**+) !"#$%&'()&**+) !"#$%&'(+ -#$./.$0"1()!(2&1.3.45 !"#$%&'(* !"#$%&'(, !"#$%&'() !"#$%&'()&**+),&62&5.74(81&9:;014(4#7;.45 ,&62&5.74(81&9:; ,&62&5.74(81&9:;014(4#7;.45 to from receive on 7 7 ,#-$!./(01/'2$345)/0 6 % ,#-$!./(01/'2$345)/0 6 ,#-$!./(01/'2$345)/0 6 <&074(!4;/4; 192.0.1.0/24 A <&074(!4;/4; B1 7 % <&074(!4;/4; 192.0.2.0/24 B 72 71 B2 !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#$ !"#+ %&'()&#!"#*%&'()&#!"#* !"#! !"#$ !"#+ !"#! 192.0.2.0/24 ATT_IP B2 <&074(!4;/4; <&074(!4;/4; IXP * B1 % %&'()&#!"#* !"#+ Topology + ) ) *+ , * , ) + ) , , -#$./.$0"1()!(2&1.3.45 -#$./.$0"1()!(2&1.3.45 ) + ) * + , , !"#$%&'() !"#$%&'() !"#$%&'(* !"#$%&'(*!"#$%&'(, !"#$%&'(, !"#$%&'(+ !"#$%&'(+ * 192.0.2.0/24 *+ * % !"#$ 192.0.{1,2,3}.0/24 -#$./.$0"1()!(2&1.3.45 !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#$%&'()&**+) !"#$%&'()&**+) !"#$%&'() !"#! !"#$%&'(* !"#$ !"#$%&'(, !"#+ !"#$%&'(+%&'()&#!"#* ,&62&5.74(81&9:;014(4#7;.45 ,&62&5.74(81&9:;014(4#7;.45 !"#$%&'()&**+) 192.0.3.0/24 * B2 ,&62&5.74(81&9:;014(4#7;.45 * 192.0.1.0/24 + 6 6 * , ,#-$!./(01/'2$345)/0 ,#-$!./(01/'2$345)/0 + ) , -#$./.$0"1()!(2&1.3.45192.0.1.0/24 AS !"#$%&'(* B !"#$%&'() 192.0.2.0/24 ) !"#$%&'(, !"#$%&'(+ 7 !"#$%&'()&**+)192.0.2.0/24 % % ,&62&5.74(81&9:;014(4#7;.45 ,#-$!./(01/'2$345)/0 6 7 192.0.3.0/24<&074(!4;/4;<&074(!4;/4; 192.0.3.0/24 7 6 % ,#-$!./(01/'2$345)/0 AS A AS C <&074(!4;/4; 7 BGP Topology <&074(!4;/4; % * + ) * ) + , , * + ) !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9 , -#$./.$0"1()!(2&1.3.45 !"#! !"#$%&'(* !"#$%&'(, %&'()&# !"#! !"#$ !"#$ !"#+ !"#+ -#$./.$0"1()!(2 !"#$%&'(+ !"#$%&'() !"#$%&'(* How do you do that with !"#$%&'()&**+) BGP? !"#$%&'() !"#$%&'() ,&62&5.74(81&9:;014(4#7;.45 !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: * +* ) ) * ,+ , !"#! !"#$ ) +* %&'()&#!"#* !"#+ ,& ,+ -#$./.$0"1()!(2&1.3.45 -#$./.$0"1()!(2&1.3.45 Implements B’s inbound policy !"#$%&'()* 6 !"#$%&'() !"#$%&'(* + ) * !"#$%&'(* !"#$%&'(, ) + ,#-$!./(01/'2$345)/0 !"#$%& !"#$%&'(, , , ,#-$!./(01/'2$34 6 !"#$%&'()&**+) !"#$%&'()&**+) !"#$%&'(+ -#$./.$0"1()!(2&1.3.45 !"#$%&'(* !"#$%&'(, !"#$%&'() !"#$%&'()&**+),&62&5.74(81&9:;014(4#7;.45 ,&62&5.74(81&9:; ,&62&5.74(81&9:;014(4#7;.45 to from receive on 7 7 ,#-$!./(01/'2$345)/0 6 % ,#-$!./(01/'2$345)/0 6 ,#-$!./(01/'2$345)/0 6 <&074(!4;/4; 192.0.1.0/24 A <&074(!4;/4; B1 7 % <&074(!4;/4; 192.0.2.0/24 B 72 71 B2 !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#$ !"#+ %&'()&#!"#*%&'()&#!"#* !"#! !"#$ !"#+ !"#! 192.0.2.0/24 ATT_IP B2 <&074(!4;/4; <&074(!4;/4; IXP * B1 % %&'()&#!"#* !"#+ Topology + ) ) *+ , * , ) + ) , , -#$./.$0"1()!(2&1.3.45 -#$./.$0"1()!(2&1.3.45 ) + ) * + , , !"#$%&'() !"#$%&'() !"#$%&'(* !"#$%&'(*!"#$%&'(, !"#$%&'(, !"#$%&'(+ !"#$%&'(+ * 192.0.2.0/24 *+ * % !"#$ 192.0.{1,2,3}.0/24 -#$./.$0"1()!(2&1.3.45 !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#$%&'()&**+) !"#$%&'()&**+) !"#$%&'() !"#! !"#$%&'(* !"#$ !"#$%&'(, !"#+ !"#$%&'(+%&'()&#!"#* ,&62&5.74(81&9:;014(4#7;.45 ,&62&5.74(81&9:;014(4#7;.45 !"#$%&'()&**+) 192.0.3.0/24 * B2 ,&62&5.74(81&9:;014(4#7;.45 * 192.0.1.0/24 + 6 6 * , ,#-$!./(01/'2$345)/0 ,#-$!./(01/'2$345)/0 + ) , -#$./.$0"1()!(2&1.3.45192.0.1.0/24 AS !"#$%&'(* B !"#$%&'() 192.0.2.0/24 ) !"#$%&'(, !"#$%&'(+ 7 !"#$%&'()&**+)192.0.2.0/24 % % ,&62&5.74(81&9:;014(4#7;.45 ,#-$!./(01/'2$345)/0 6 7 192.0.3.0/24<&074(!4;/4;<&074(!4;/4; 192.0.3.0/24 7 6 % ,#-$!./(01/'2$345)/0 AS A AS C <&074(!4;/4; 7 BGP Topology <&074(!4;/4; % It is at least hard... BGP provides few knobs to influence remote decisions Implementing such a policy is configuration-intensive using AS-Path prepend, MED, community tagging, etc. and even impossible for some requirements... BGP policies cannot influence remote parties decisions based on source addresses to from receive on 192.0.2.0/24 ATT_IP B2 In any case, the outcome is unpredictable Implementing such a policy is configuration-intensive using AS-Path prepend, MED, community tagging, etc. Absolutely no guarantee that the remote party will comply one can only “influence” remote decisions Networks engineers have no choice but to “try and see” which makes it impossible to adapt to traffic pattern With a SDX, implementing B’s inbound policy is easy SDX policies give B direct control on its forwarding paths to from fwd B’s SDX Policy 192.0.1.0/24 A B1 match(dstip=192.0.1.0/24, srcmac=A) >> fwd(B1) 192.0.2.0/24 B B2 match(dstip=192.0.2.0/24, srcmac=B) >> fwd(B2) 192.0.2.0/24 ATT_IP B2 match(dstip=192.0.2.0/24, srcip=ATT) >> fwd(B2) 192.0.2.0/24 * B1 match(dstip=192.0.2.0/24) >> fwd(B1) 192.0.3.0/24 * B2 match(dstip=192.0.3.0/24) >> fwd(B2) Novel Applications for a SDN-enabled Internet Exchange Point Inbound Traffic Engineering 2 Upstream DoS blocking Wide-area load balancing !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#$ %&'()&#!"#* !"#+ SDX can help blocking DoS attacks !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: closer to the source * + ) * ) + , , !"#$%&'() -#$./.$0"1()!(2&1.3.45 !"#! !"#$%&'(* !"#$%&'(, !"#$ !"#$%&'(+ !"#$%&'()&**+) A simple Internet topology ,&62&5.74(81&9:;014(4#7;.45 + ) , * !"#$%&'() 6 Attacker * AS13 -#$./.$0"1()!(2&1.3.45 !"#$%&'(* !"#$%&'(, ,#-$!./(01/'2$345)/0 6 % ,#-$!./(01/'2$345)/0 controller 7 % SDX#B <&074(!4;/4; AS7 Victim ) , !"#$%&'( ,&62&5.74(81&9:;014(4#7;.45 7 <&074(!4;/4; SDX#A + %&'()&#!" !"#$%&'()&**+) controller AS1 !"#+ !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#$ AS7 is under a DoS attack originated by AS13 * + !"#$%&'() %&'()&#!"#* !"#+ ) ) , * + , !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: -#$./.$0"1()!(2&1.3.45 !"#! !"#$%&'(* !"#$%&'(, !"#$ !"#$%&'(+ !"#$%&'()&**+) ,&62&5.74(81&9:;014(4#7;.45 + ) , * !"#$%&'() 6 AS13 6 % ,#-$!./(01/'2$345)/0 controller 7 % SDX#B <&074(!4;/4; AS7 Victim ) , !"#$%&'( ,&62&5.74(81&9:;014(4#7;.45 7 <&074(!4;/4; SDX#A + !"#$%&'()&**+) controller AS1 Attacker * -#$./.$0"1()!(2&1.3.45 !"#$%&'(* !"#$%&'(, ,#-$!./(01/'2$345)/0 %&'()&#!" !"#+ !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#$ %&'()&#!"#* !"#+ AS7 can remotely install drop rule !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: in the SDX platforms * + ) * ) + , , !"#$%&'() -#$./.$0"1()!(2&1.3.45 !"#! !"#$%&'(* !"#$%&'(, !"#$ !"#$%&'(+ !"#$%&'()&**+) ,&62&5.74(81&9:;014(4#7;.45 + ) , * !"#$%&'() 6 Attacker * AS13 -#$./.$0"1()!(2&1.3.45 !"#$%&'(* !"#$%&'(, ,#-$!./(01/'2$345)/0 6 % ,#-$!./(01/'2$345)/0 controller 7 % SDX#B <&074(!4;/4; AS7 Victim ) , !"#$%&'( ,&62&5.74(81&9:;014(4#7;.45 7 <&074(!4;/4; SDX#A + %&'()&#!" !"#$%&'()&**+) controller AS1 !"#+ !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#! !"#$ %&'()&#!"#* !"#+ AS7 can remotely install drop rule !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: in the SDX platforms * + ) * ) + , , !"#$%&'() -#$./.$0"1()!(2&1.3.45 !"#! !"#$%&'(* !"#$%&'(, !"#$ !"#$%&'(+ !"#$%&'()&**+) ,&62&5.74(81&9:;014(4#7;.45 + ) , * !"#$%&'() 6 Attacker * AS13 -#$./.$0"1()!(2&1.3.45 !"#$%&'(* !"#$%&'(, ,#-$!./(01/'2$345)/0 6 % ,#-$!./(01/'2$345)/0 controller match(srcip=Attacker/24, dstip=Victim/32) >> drop 7 % SDX#B <&074(!4;/4; AS7 Victim ) , !"#$%&'( ,&62&5.74(81&9:;014(4#7;.45 7 <&074(!4;/4; SDX#A + %&'()&#!" !"#$%&'()&**+) controller AS1 !"#+ SDX-based DoS protection is more efficient than traditional blackholing solutions Remote ASes could drop traffic destined to their network even if there are not physically connect to the IXP! Traffic drop can be done based on any field source address, destination address, port number, etc. Traffic drop can be coordinated across multiple IXPs thanks to SDX controllers collaboration Novel Applications for a SDN-enabled Internet Exchange Point Inbound Traffic Engineering Upstream DoS blocking 3 Wide-area load balancing DNS-based wide-area load balancing has several limitations High TTL values lead to slow recovery when a server fails due to caching by local DNS servers and browsers Low TTL values lead to higher delay for DNS resolution due to cache misses Load-balancing is not based on the client IP address but on the IP address of the DNS resolver (e.g., Google DNS) SDX enable direct and quick control of traffic redirection !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: SDX enable direct and quick control !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: of traffic redirection !"#! !"#$ %&'()&#!"#* !"#+ !"#! * + ) * !"#+ ) + , !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: * + ) * , , -#$./.$0"1()!(2&1.3.45 C is a CDN hosting three types of services: !"#! !"#$%&'() !"#$ !"#$%&'(* !"#!!"#$ !"#$ !"#+ !"#$%&'(+ !"#$%&'() !"#$%&'(, + %&'()&#!"#* %&'()&#! !"#+ -#$./.$0"1()!(2&1.3.45 !"#$%&'(* !"#$%&'(, !"#$%&'()&**+) !"#$%&'()&**+) * ,&62&5.74(81&9:;014(4#7;.45 +!"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: * ) ) *, , !"#$+ !"#! !"#+ DC1 ) ,&62&5.74(81&9:;0 ) , + , -#$./.$0"1()!(2&1.3.45 -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'(* !"#$%&'(+ !"#$%&'(, !"#$%&'(, ) !"#$%&'() 6 + * %&'()&#!"#* * + ) * + , ,#-$!./(01/'2$345)/0 !"#$%&'() !"#$%&' , ,#-$!./(01/'2$345)/0 !"#$%&'()&**+) !"#$%&'()&**+) 6 !"#$%&'(+ -#$./.$0"1()!(2&1.3.45 !"#$%&'(* !"#$%&'(, !"#$%&'()&**+) ,&62&5.74(81&9:;014(4#7;.45 ,&62&5.74(81&9:;014(4#7;.45 ,&62&5.74(81&9:;014(4#7;.45 7 7 DC2 % 6 ,#-$!./(01/'2$345)/0 ,#-$!./(01/'2$345)/0 6,#-$!./(01/'2$345)/0 6 <&074(!4;/4; <&074(!4;/4; 7 % <&074(!4;/4; 71 72 % <&074(!4;/4; <&074(!4;/4; % % !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: SDX enable direct and quick control !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: of traffic redirection !"#! !"#$ %&'()&#!"#* !"#+ !"#! * + ) * !"#$ !"#+ ) + , !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: * + ) * , , -#$./.$0"1()!(2&1.3.45 Each of C’s data center is assigned !"#! !"#$%&'() !"#$%&'(* !"#$%&'(, to a single IP prefix !"#!!"#$ !"#$ !"#+ !"#$%&'(+ !"#$%&'() + %&'()&#!"#* %&'()&#! !"#+ -#$./.$0"1()!(2&1.3.45 !"#$%&'(* !"#$%&'(, !"#$%&'()&**+) !"#$%&'()&**+) * 192.0.2.0/24 DC1 6 ,&62&5.74(81&9:;014(4#7;.45 +!"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: * ) ) *, , !"#$+ !"#! !"#+ + * ) %&'()&#!"#* ,&62&5.74(81&9:;0 ) , + , -#$./.$0"1()!(2&1.3.45 -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'(* !"#$%&'(+ !"#$%&'(, !"#$%&'(, ) !"#$%&'() * + ) * + , ,#-$!./(01/'2$345)/0 !"#$%&'() !"#$%&' , ,#-$!./(01/'2$345)/0 !"#$%&'()&**+) !"#$%&'()&**+) 6 !"#$%&'(+ -#$./.$0"1()!(2&1.3.45 !"#$%&'(* !"#$%&'(, !"#$%&'()&**+) ,&62&5.74(81&9:;014(4#7;.45 ,&62&5.74(81&9:;014(4#7;.45 ,&62&5.74(81&9:;014(4#7;.45 7 7 DC2 % 6 ,#-$!./(01/'2$345)/0 ,#-$!./(01/'2$345)/0 6,#-$!./(01/'2$345)/0 6 <&074(!4;/4; <&074(!4;/4; 7 192.0.3.0/24 % <&074(!4;/4; 71 72 % <&074(!4;/4; <&074(!4;/4; % % !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: SDX enable direct and quick control !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: of traffic redirection !"#! !"#$ %&'()&#!"#* !"#+ !"#! * + ) * ) + !"#!!"#$ !"#$ !"#+ !"#$%&'(+ !"#$%&'() 192.0.1.2 !"#$%&'()&**+) * 192.0.2.0/24 + %&'()&#!"#* %&'()&#! !"#+ -#$./.$0"1()!(2&1.3.45 192.0.1.1 C assigns one IP address per-#$./.$0"1()!(2&1.3.45 service !"#! !"#$%&'() !"#$%&'(* !"#$%&'(, taken from a service prefix DC1 !"#+ , !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: * + ) * , , 6 !"#$ ,&62&5.74(81&9:;014(4#7;.45 192.0.1.3 +!"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: * ) ) *, , !"#$+ !"#! !"#+ !"#$%&'(* !"#$%&'(, 192.0.1.0/24 !"#$%&'()&**+) service prefix + * ) %&'()&#!"#* ,&62&5.74(81&9:;0 ) , + , -#$./.$0"1()!(2&1.3.45 -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'(* !"#$%&'(+ !"#$%&'(, !"#$%&'(, ) !"#$%&'() * + ) * + , ,#-$!./(01/'2$345)/0 !"#$%&'() !"#$%&' , ,#-$!./(01/'2$345)/0 !"#$%&'()&**+) !"#$%&'()&**+) 6 !"#$%&'(+ -#$./.$0"1()!(2&1.3.45 !"#$%&'(* !"#$%&'(, !"#$%&'()&**+) ,&62&5.74(81&9:;014(4#7;.45 ,&62&5.74(81&9:;014(4#7;.45 ,&62&5.74(81&9:;014(4#7;.45 7 7 DC2 % 6 ,#-$!./(01/'2$345)/0 ,#-$!./(01/'2$345)/0 6,#-$!./(01/'2$345)/0 6 <&074(!4;/4; <&074(!4;/4; 7 192.0.3.0/24 % <&074(!4;/4; 71 72 % <&074(!4;/4; <&074(!4;/4; % % !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: SDX enable direct and quick control !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: of traffic redirection !"#! !"#$ %&'()&#!"#* !"#+ !"#! * + ) * !"#$ !"#+ ) + , !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: * + ) * , , + %&'()&#!"#* %&'()&#! !"#+ -#$./.$0"1()!(2&1.3.45 192.0.1.1 -#$./.$0"1()!(2&1.3.45 C announces the service prefix !"#! !"#$%&'() !"#$%&'(* !"#$%&'(, directly from the IXP !"#!!"#$ !"#$ !"#+ !"#$%&'(+ !"#$%&'() 192.0.1.2 !"#$%&'()&**+) !"#$%&'(* !"#$%&'(, 192.0.1.0/24 !"#$%&'()&**+) * 192.0.2.0/24 DC1 6 ,&62&5.74(81&9:;014(4#7;.45 192.0.1.3 +!"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: * ) ) *, , !"#$+ !"#! !"#+ + * ) %&'()&#!"#* ,&62&5.74(81&9:;0 ) , + , -#$./.$0"1()!(2&1.3.45 -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'(* !"#$%&'(+ !"#$%&'(, !"#$%&'(, ) !"#$%&'() * + ) * + , ,#-$!./(01/'2$345)/0 !"#$%&'() !"#$%&' , ,#-$!./(01/'2$345)/0 !"#$%&'()&**+) !"#$%&'()&**+) 6 !"#$%&'(+ -#$./.$0"1()!(2&1.3.45 !"#$%&'(* !"#$%&'(, 192.0.1.0/24 !"#$%&'()&**+) ,&62&5.74(81&9:;014(4#7;.45 ,&62&5.74(81&9:;014(4#7;.45 ,&62&5.74(81&9:;014(4#7;.45 7 7 DC2 % 6 ,#-$!./(01/'2$345)/0 ,#-$!./(01/'2$345)/0 6,#-$!./(01/'2$345)/0 6 <&074(!4;/4; <&074(!4;/4; 7 192.0.3.0/24 % <&074(!4;/4; 71 72 % <&074(!4;/4; <&074(!4;/4; % % !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: SDX enable direct and quick control !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: of traffic redirection !"#! !"#$ %&'()&#!"#* !"#+ !"#! * + ) * !"#$ !"#+ ) + , !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: !"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: * + ) * C installs a policy to direct requests to a given service , -#$./.$0"1()!(2&1.3.45 , !"#$%&'()replica!"#$%&'(* to the appropriate based on + %&'()&#!"#* %&'()&#! !"#+ -#$./.$0"1()!(2&1.3.45 !"#! !"#!!"#$ !"#$ !"#+ !"#$%&'(, the client’s IP!"#$%&'(+ address !"#$%&'() !"#$%&'(* !"#$%&'(, !"#$%&'()&**+) !"#$%&'()&**+) * ,&62&5.74(81&9:;014(4#7;.45 +!"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9: * ) ) *, , !"#$+ !"#! !"#+ + * ) %&'()&#!"#* ,&62&5.74(81&9:;0 ) , + , -#$./.$0"1()!(2&1.3.45 -#$./.$0"1()!(2&1.3.45 !"#$%&'() !"#$%&'(* !"#$%&'(* !"#$%&'(+ !"#$%&'(, !"#$%&'(, ) !"#$%&'() !"#$%&' match(dstip=192.0.1.1) >> ,#-$!./(01/'2$345)/0 6 ,#-$!./(01/'2$345)/0 !"#$%&'()&**+) !"#$%&'()&**+) 6 DC1 (match(srcip=0.0.0.0/1) >> !"#$%&'()&**+) ,&62&5.74(81&9:;014(4#7;.45 ,&62&5.74(81&9:;014(4#7;.45 (match(dstip=192.0.1.1) >> mod(dstip=192.0.0.161)) + mod(dstip=192.0.2.161)) + (match(srcip=192.0.1.2) >> mod(dstip=192.0.0.139)) + 7 (match(srcip=128.0.0.0/1) >> 7 (match(srcip=192.0.1.3) >> mod(dstip=192.0.0.111)) ,#-$!./(01/'2$345)/0 6 % % mod(dstip=192.0.3.139)) ,#-$!./(01/'2$345)/0 ,#-$!./(01/'2$345)/0 6 6 <&074(!4;/4; DC2 <&074(!4;/4; 7 ... * + ) * + , , !"#$%&'() -#$./.$0"1()!(2&1.3.45 !"#$%&'(* !"#$%&'(, !"#$%&'(+ ,&62&5.74(81&9:;014(4#7;.45 % <&074(!4;/4; 71 DC3 72 % <&074(!4;/4; <&074(!4;/4; % SDX enable direct and quick control of traffic redirection SDX load-balancing is fast no more problem due to DNS caching flexible any load-balancing algorithm can be used efficient based on the actual client IP address Novel Applications for a SDN-enabled Internet Exchange Point Inbound Traffic Engineering Upstream DoS blocking Wide-area load balancing We have running code as well as a first deployment site We have implemented a first SDX controller prototype which supports policies composition We have partnered with a large regional IXP in Atlanta which hosts many large content providers such as Akamai Ping me if you are interested in knowing more Several challenges remain We need authentication mechanisms to validate policies e.g., using RPKI We need “access-lists” to constrain the policies e.g., limiting the capabilities available to each participant We need to make the platform scalable as SDN devices currently support a relatively small # of rules Novel Applications for a SDN-enabled Internet Exchange Point Laurent Vanbever Laurent Vanbever http://vanbever.eu SDN Research Group, IETF87 July, 29 2013