Chapter 2 Software Defined Networking (SDN) PDF
Summary
This document provides an overview of Software Defined Networking (SDN). It discusses evolving network requirements that place an increasing burden on system and network administrators.
Chapter 2: Software Defined Networking (SDN)
CSSY 3201: Advanced Topics in Information Security (Industrial Network Security)

Objectives
After studying this chapter, you should be able to:
- Describe evolving network requirements.
- Compare traditional networks with software-defined networks.
- Present an overview of an SDN architecture, including an explanation of the significance of northbound and southbound APIs.
- Explain the characteristics of SDN.

Evolving Network Requirements
Modern networking trends place an increasing burden on system and network administrators. A number of trends are driving network providers and users to reevaluate traditional approaches to network architecture:
- Demand is increasing.
- Supply is increasing.
- Traffic patterns are more complex.

Demand is increasing: With the ever-increasing volume and variety of network traffic, generated by such high-demand sources as big data, cloud computing, IoT and mobile traffic, it becomes increasingly difficult to meet stringent QoS and QoE requirements.

Supply is increasing: The increase in the capacity of network transmission technologies has been matched by an increase in the performance of network devices, such as LAN switches, routers, firewalls, intrusion detection systems/intrusion prevention systems (IDS/IPS), and network monitoring and management systems. Year by year, these devices have larger, faster memories, enabling greater buffer capacity and faster buffer access, as well as faster processor speeds.

Traffic patterns are more complex: To respond to demands such as differing levels of QoS, high and fluctuating traffic volumes, and security requirements, network traffic has grown more complex and difficult to manage.
Traditional Network Architectures are Inadequate
There are four general limitations of traditional network architectures:

Static, complex architecture: To respond to demands such as differing levels of QoS, high and fluctuating traffic volumes, and security requirements, networking technology has grown more complex and difficult to manage. This has resulted in a number of independently defined protocols, each of which addresses a portion of networking requirements. An example of the difficulty this presents is when devices are added or moved: the network management staff must use device-level management tools to make changes to configuration parameters in multiple switches, routers, firewalls, web authentication portals, and so on.

Inconsistent policies: To implement a network-wide security policy, staff may have to make configuration changes to thousands of devices and mechanisms.

Inability to scale: Demands on networks are growing rapidly, both in volume and variety.

Vendor (provider) dependence: A lack of open interfaces for network functions leaves enterprises limited by the relatively slow product cycles of vendor equipment.

To provide adaptability and scalability, two key technologies that are rapidly being deployed by a variety of network service and application providers are:
- Software Defined Networking (SDN)
- Network Functions Virtualization (NFV)

Software Defined Networking (SDN)
An approach to designing, building and operating large-scale networks based on programming the forwarding decisions in routers and switches via software from a central server.
SDN differs from traditional networking, which requires configuring each device separately and which relies on protocols that cannot be altered. The central concept behind SDN is to give developers and network managers more control over network equipment.

What does SDN consist of?
Software-defined networking (SDN) offers a centralized, programmable network that consists of an SDN controller, southbound APIs, and northbound APIs. SDN controllers are the brains of the network, offering a centralized view of the overall network. Southbound APIs relay information to the switches and routers in the network. Northbound APIs communicate with the applications and deploy services.

SDN Functionality
Traditionally there are two key functions of a router:
- Forwarding: switching packets from the router's input to the appropriate router output.
- Routing: determining the route taken by packets from source to destination.
A control function decides the route the traffic takes and the relative priority of traffic, and a data function forwards data based on control-function policy. In traditional networks, these functions were performed in an integrated fashion at each network device (router, L3 switch, etc.).

Control and Data Planes
The SDN approach splits the two functions between a data plane and a control plane that are on separate devices (see Figure 3.2).

Software Defined Networking (SDN)
Earlier, network engineers configured network devices using a command line interface. This work can be time-consuming and error-prone. An SDN uses networking software (a controller) to configure the network. SDN adds new features and protocols to network devices.
These features and protocols enable third-party applications to dynamically configure the devices and define how the devices process data.

Software Defined Networking (SDN)
On a network device, data enters and leaves through the data plane. The decisions about what to do with the data are made on the control plane. Before SDN, these two planes essentially functioned as one. SDN separated the planes to enable network configuration and decisions to be completed through a remote control plane.

SDN Functionality
Control in a traditional network is exercised by means of a routing and control network protocol that is implemented in each network node. This approach is relatively inflexible and requires all the network nodes to implement the same protocols.

Traditionally, the routing function is distributed among the routers in a network. In an SDN-controlled network, the routing function is centralized within the SDN controller. The controller can develop a consistent view of the network state for calculating shortest paths and can implement application-aware routing policies.

The data plane switches are relieved of the processing and storage burden associated with routing, leading to improved performance.

With SDN, a central controller performs all complex functionality, including routing, naming, policy declaration, and security checks.

SDN control plane
The SDN control plane consists of one or more SDN controllers.
The SDN controller defines the data flows that occur in the SDN data plane. Each flow through the network is configured by the controller, which verifies that the communication is permissible under the network policy. If the controller allows a flow requested by an end system, it computes a route for the flow to take and adds an entry for that flow in each of the switches along the path. With all complex functions subsumed by the controller, switches simply manage flow tables whose entries can only be populated by the controller.

SDN data plane
The switches constitute the data plane and perform only data forwarding. The data plane is simply responsible for forwarding packets, whereas the control plane provides the "intelligence" in designing routes and setting priority and routing policy parameters. Communication between the controller and the switches uses a standardized protocol.

Software Defined Architecture
Figure 3.3 elaborates on the structure shown in Figure 2.15, showing more detail of the SDN approach.

Data Plane
The data plane consists of physical switches and virtual switches. In both cases, the switches are responsible for forwarding packets.

Southbound API
However, each switch must implement a model, or abstraction, of packet forwarding that is uniform and open to the SDN controllers. This model is defined in terms of an open application programming interface (API) between the control plane and the data plane (the southbound API).

The most prominent example of such an open API is OpenFlow.
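The flow-setup sequence described in the control-plane and data-plane slides above (policy check first, shortest-path computation from the controller's global view, one flow entry per switch along the path, and switches that forward only on a flow-table hit) is modelled in the following added Python example. This is not code from the slides or from any real SDN controller; the ring topology, host placement and allowed-flow policy are constructed for illustration.

```python
from collections import deque

LINKS = {"s1": ["s2", "s4"], "s2": ["s1", "s3"], "s3": ["s2", "s4"], "s4": ["s1", "s3"]}  # constructed ring topology
HOSTS = {"h1": "s1", "h2": "s3", "h3": "s4"}  # host -> attached switch (constructed)
ALLOWED = {("h1", "h2"), ("h1", "h3")}        # network policy: the only permitted flows (constructed)

class Switch:  # data plane: forwards only on a flow-table hit; a miss is handed to the controller
    def __init__(self, name):
        self.name, self.flow_table = name, {}  # (src, dst) -> next hop; written by the controller only
    def forward(self, src, dst, controller):
        if (src, dst) not in self.flow_table:
            controller.packet_in(src, dst)     # table miss: the switch never decides for itself
        return self.flow_table.get((src, dst))  # still None -> controller installed nothing, packet dropped

class Controller:  # control plane: global topology view, policy check, path computation, flow install
    def __init__(self, links, hosts, allowed):
        self.links, self.hosts, self.allowed = links, hosts, allowed
        self.switches = {name: Switch(name) for name in links}
    def shortest_path(self, a, b):
        prev, queue = {a: None}, deque([a])    # plain BFS: every link has the same cost here
        while queue:
            n = queue.popleft()
            for m in self.links[n]:
                if m not in prev:
                    prev[m] = n
                    queue.append(m)
        if b not in prev:
            return None
        path = [b]
        while prev[path[-1]] is not None:
            path.append(prev[path[-1]])
        return path[::-1]
    def packet_in(self, src, dst):
        if (src, dst) not in self.allowed:     # policy check first: a denied flow gets no entries at all
            return False
        path = self.shortest_path(self.hosts[src], self.hosts[dst])
        if path is None:
            return False
        for sw, nxt in zip(path, path[1:] + [dst]):  # one entry per switch along the computed route
            self.switches[sw].flow_table[(src, dst)] = nxt
        return True

def send(ctl, src, dst):  # trace one packet hop by hop; returns the switches traversed, None if dropped
    node, trail = ctl.hosts[src], []
    while node != dst:
        trail.append(node)
        node = ctl.switches[node].forward(src, dst, ctl)
        if node is None:
            return None
    return trail
```

After the first packet of an allowed flow, every switch on its path holds an entry and later packets never reach the controller; a flow the policy denies leaves every flow table untouched, so the data plane has nothing to forward on.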
OpenFlow is used to control the switches in the data plane. The OpenFlow specification defines both a protocol between the control and data planes and an API by which the control plane can invoke the OpenFlow protocol.

Control Plane
SDN controllers can be implemented directly on a server or on a virtual server. In addition, controllers use information about capacity and demand obtained from the networking equipment through which the traffic flows.

Northbound APIs
SDN controllers also expose northbound APIs, which allow developers and network managers to deploy a wide range of off-the-shelf and custom-built network applications. Unlike custom software, which is designed to meet the specific needs of a particular company or user, off-the-shelf software solutions are ready-made and can be used by anyone who buys them. This type of software solution is typically developed by companies to address the most common tasks and needs of potential users. A number of vendors offer a Representational State Transfer (REST) API: a general-purpose application programming interface that provides mechanisms to get information from, or push information to, network resources.

East/westbound API
Also envisioned but not yet defined are horizontal APIs (east/westbound), which would enable communication and cooperation among groups or federations of controllers to synchronize state for high availability.

Application Plane
At the application plane are a variety of applications that interact with SDN controllers. SDN applications are programs that may use an abstract view of the network for their decision-making goals.
These applications convey their network requirements and desired network behavior to the SDN controller via a northbound API. Examples of applications are energy-efficient networking, security monitoring, access control, and network management.

Characteristics of Software-Defined Networking
- The control plane is separated from the data plane. Data plane devices become simple packet-forwarding devices.
- The control plane is implemented in a centralized controller. The SDN controller has a centralized view of the network or networks under its control.
- The controller is portable software that can run on commodity servers and is capable of programming the forwarding devices based on a centralized view of the network.
- Open interfaces are defined between the devices in the control plane (controllers) and those in the data plane.
- The network is programmable by applications running on top of the SDN controllers. The SDN controllers present an abstract view of network resources to the applications.

References
Foundations of Modern Networking: SDN, NFV, QoE, IoT, and Cloud. William Stallings. Pearson Education, Inc.