Network Virtualization Flowvisor: Network virtual layer (bottom)

Source: Internet
Author: User

The previous two articles, Network virtualization Flowvisor: Network virtual layer (top) and Network virtualization Flowvisor: Network virtual layer (middle), introduced the characteristics and the implementation of FlowVisor respectively. This last part of the three-part series introduces the virtual network isolation mechanisms.

An important element of virtualization is the isolation between slices. Because the isolation mechanisms differ from one resource to another, each resource is described separately below.

1. Bandwidth Isolation

FlowVisor can leverage the bandwidth isolation feature that existing switches already provide by tagging the VLAN priority bits of packets. The VLAN tag contains a three-bit field, the PCP (Priority Code Point), which is a standard mechanism for mapping packets to one of eight priority queues, and the OpenFlow protocol can manipulate VLAN tags and priority bits, so a priority can be assigned to all packets of a flow.

Therefore, to enforce bandwidth isolation, FlowVisor rewrites the forwarding rules of all slices, adding a "set VLAN priority" action that maps the packets to one of the eight priority queues. All flows of a virtual network instance are mapped to the appropriate flow group according to the resource allocation policy (flow groups have to be defined by the network administrator through the CLI).

The use of VLAN PCP bits is not intrinsic to FlowVisor; it is a short-term workaround chosen so that FlowVisor can work with commercial hardware.

2. Topology Isolation

The controller discovers the nodes and links in the network through the OpenFlow protocol; in a non-virtualized network, the controller discovers a network device when that device connects to the controller's TCP listening port. FlowVisor sits as a proxy between the switches and the controllers, and it proxies only the connections between the switches of a user's virtual network and that user's controller. In the same vein, the OpenFlow messages used to list all physical ports of a switch are also intercepted by FlowVisor and modified so that only the ports belonging to the virtual network are reported.

It is important to note the handling of LLDP messages. In the article on improving the topology discovery performance of the SDN controller (through improved logic), I have explained the topology discovery principle and the LLDP packet in SDN networks. Because the LLDP message has a specific format, FlowVisor intercepts these messages and labels them with the virtual network number; when the switch sends them back to the controller, they can be delivered to the corresponding virtual network according to the tag.

3. Switch CPU Isolation

The CPU of a commercial switch is typically a low-power embedded processor, so it is easily overloaded, and on most switch hardware a heavily loaded CPU can cause serious damage to the network. For example, under high CPU load the hardware keeps forwarding data, but the switch stops responding to the controller's OpenFlow requests, which causes the LLDP link discovery protocol to time out; the switch is then mistaken for a very unstable network connection and the network becomes unusable.

The CPU load of a switch comes mainly from the following four sources, and each of the four requires a different isolation mechanism:

    1. Generating new-flow messages: In an OpenFlow switch, if a packet fails to match the flow table, a packet-in message is sent to the controller, which consumes part of the processing resources; if new flows arrive too frequently, the CPU resources are exhausted. To prevent starvation, FlowVisor tracks the arrival rate of new-flow messages, and if the rate exceeds a threshold, FlowVisor inserts a forwarding rule that discards all such packets for a period of time. In this way FlowVisor uses the OpenFlow protocol itself to rate-limit new flows.
    2. Controller requests: For each virtual network instance, FlowVisor limits CPU consumption by limiting the OpenFlow message rate. Because different types of messages consume different amounts of CPU, this mechanism is currently somewhat crude.
    3. Slow-path forwarding: In addition to the very fast dedicated hardware forwarding path, some packets are forwarded through a "slow path", which of course consumes CPU resources, and in an amount that is hard to predict. FlowVisor rewrites forwarding rules that would trigger multiple forwarding events, separating them into single packet forwarding events, to prevent the controller from inserting multiple "slow path" forwarding rules at once. For example, an OpenFlow packet-out message can issue many forwarding actions at once, but FlowVisor can intercept it and split it into several messages. In this way, slow-path packets are limited by the two mechanisms above: new-flow messages and controller requests.
    4. Maintaining internal state: All network devices use the CPU to update their internal counters, handle events, and so on, so enough CPU must remain for the switch's "bookkeeping". By limiting CPU consumption through the three mechanisms above, FlowVisor ensures that the switch has sufficient resources for its internal functions.
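The new-flow throttle from point 1 above, as an added example that is not FlowVisor's own code: a per-switch sliding window counts packet-in messages and, once the rate exceeds the threshold, the proxy emits a lowest-priority wildcard drop rule with a hard timeout so that the switch discards table misses in hardware instead of punting them to its CPU. The threshold, window, timeout and the dict layout of the FLOW_MOD are assumptions.

```python
from collections import deque

# Added example (not FlowVisor code): simplified model of the packet-in
# rate limiter the text describes. Message layout is constructed.

class PacketInThrottle:
    def __init__(self, max_per_sec, window_sec=1.0, drop_timeout_sec=5):
        self.max_per_sec = max_per_sec
        self.window = window_sec
        self.drop_timeout = drop_timeout_sec
        self.arrivals = {}       # dpid -> deque of recent packet-in timestamps
        self.muted_until = {}    # dpid -> time at which the drop rule expires

    def on_packet_in(self, dpid, now):
        """Decide what to do with one packet-in from switch `dpid` at time `now`.
        Returns ("forward", None) to pass it to the slice controller, or
        ("throttle", flow_mod) when this packet-in is dropped and the drop rule
        must be pushed to the switch."""
        if now < self.muted_until.get(dpid, 0.0):
            # Drop rule still active in hardware; anything that slips through
            # is passed on without counting so the window restarts cleanly.
            return ("forward", None)
        q = self.arrivals.setdefault(dpid, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # evict timestamps outside window
            q.popleft()
        if len(q) / self.window <= self.max_per_sec:
            return ("forward", None)
        q.clear()
        self.muted_until[dpid] = now + self.drop_timeout
        # Priority 0, all-wildcard match and an empty action list: table misses
        # are dropped in hardware; hard_timeout lets the switch remove it itself.
        flow_mod = {"type": "FLOW_MOD", "command": "ADD", "priority": 0,
                    "match": {}, "actions": [], "hard_timeout": self.drop_timeout}
        return ("throttle", flow_mod)
```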

As with bandwidth isolation, the CPU isolation mechanism is not an inherent part of FlowVisor's design; it is more a workaround for the shortcomings of current hardware abstractions, and it will require a lot of further work in the future.

4. Flow Space Isolation

Each virtual network may only handle traffic within its own flowspace. FlowVisor rewrites OpenFlow messages to ensure that each slice's controller controls only its own flows and does not affect the flows of other slices. Of course, not all rules can be rewritten to fit a slice's flowspace; FlowVisor can only make rules more specific. In the example used to describe FlowVisor's working principle in Network virtualization Flowvisor: Network virtual layer (middle), if Bob's controller wants to create a rule that affects all flows, FlowVisor rewrites the rule so that it affects only TCP traffic. However, FlowVisor cannot rewrite a rule that affects traffic on port 22 so that it affects only port 80 (TCP traffic); in that case FlowVisor sends an error message to the controller.
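The flowspace rewriting just described, as an added example (not FlowVisor's own code): matches are modelled as dicts of OpenFlow 1.0 field names where a missing field is a wildcard, a slice's flowspace is a list of such matches, and Bob's slice is assumed to own TCP traffic to ports 80 and 443. A controller rule is narrowed to its intersection with each flowspace entry (one rule can become several), and a rule that cannot overlap the flowspace at all is rejected.

```python
# Added example (not FlowVisor code): narrowing a controller's FLOW_MOD
# match to the slice's flowspace, or rejecting it with an error.

def intersect(match_a, match_b):
    """Intersect two OpenFlow-style matches given as field->value dicts
    (a missing field is a wildcard). Returns None if they cannot overlap,
    i.e. both set the same field to different values."""
    out = dict(match_a)
    for field, value in match_b.items():
        if field in out and out[field] != value:
            return None
        out[field] = value
    return out


def rewrite_flow_mod(slice_flowspace, match):
    """Rewrite one controller match so it touches only the slice's flowspace.
    Returns ("ok", [narrowed matches]) or ("error", reason)."""
    narrowed = []
    for space in slice_flowspace:
        m = intersect(match, space)
        if m is not None and m not in narrowed:
            narrowed.append(m)
    if not narrowed:
        # Nothing in the flowspace can be matched by this rule: refuse it,
        # the way the text says FlowVisor sends an error for the port-22 rule.
        return ("error", "FLOW_MOD outside slice flowspace")
    return ("ok", narrowed)


# Constructed flowspace for Bob: IPv4 TCP traffic to ports 80 and 443.
BOB_FLOWSPACE = [
    {"dl_type": 0x0800, "nw_proto": 6, "tp_dst": 80},
    {"dl_type": 0x0800, "nw_proto": 6, "tp_dst": 443},
]
```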

5. Flow Table Entry Isolation

FlowVisor counts the number of flow table entries used by each virtual network and ensures that it does not exceed a predetermined value. For each rule that a controller inserts into a switch, FlowVisor adds one to that slice's counter, and when a flow table entry expires, the counter is decremented by one. Due to hardware constraints, some switches internally expand a rule into several entries to satisfy multiple input ports, and FlowVisor needs to handle this situation. The OpenFlow protocol provides a mechanism that lets FlowVisor accurately list all flow table entries in a switch, and when a controller exceeds its allotted number of flow table entries, any new rule insertion only receives a "Table full" error message.
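The per-slice entry accounting above, as an added example (not FlowVisor's own code): a rule is charged one entry, or one entry per physical port when the hardware is assumed to expand a rule whose in_port is wildcarded, and an insert that would exceed the slice's quota gets the error back instead of reaching the switch. The per-rule key (the FLOW_MOD cookie), the port counts and the quota values are assumptions.

```python
# Added example (not FlowVisor code): flow table entry quota per slice.

class FlowEntryQuota:
    def __init__(self, limits, ports_per_switch, expands_in_port=True):
        self.limits = limits                     # slice -> max entries
        self.ports = ports_per_switch            # dpid -> number of physical ports
        self.expands_in_port = expands_in_port   # hardware expands wildcard in_port?
        self.used = {s: 0 for s in limits}       # slice -> entries charged so far
        self.entries = {}                        # (slice, dpid, cookie) -> charged count

    def cost(self, dpid, match):
        """Entries one rule occupies on this switch: some hardware installs
        one entry per ingress port when in_port is wildcarded."""
        if self.expands_in_port and "in_port" not in match:
            return self.ports.get(dpid, 1)
        return 1

    def flow_mod_add(self, slice_name, dpid, cookie, match):
        """Account for a FLOW_MOD ADD. Returns ("ok", entries charged) or
        ("error", code); OpenFlow 1.0 names the code OFPFMFC_ALL_TABLES_FULL."""
        n = self.cost(dpid, match)
        if self.used[slice_name] + n > self.limits[slice_name]:
            return ("error", "OFPET_FLOW_MOD_FAILED/OFPFMFC_ALL_TABLES_FULL")
        self.used[slice_name] += n
        self.entries[(slice_name, dpid, cookie)] = n
        return ("ok", n)

    def flow_removed(self, slice_name, dpid, cookie):
        """Account for a FLOW_REMOVED (expiry or delete); returns entries still used."""
        n = self.entries.pop((slice_name, dpid, cookie), 0)
        self.used[slice_name] -= n
        return self.used[slice_name]
```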

6. OpenFlow Control Channel Isolation

In addition to all the physical resources mentioned above, the OpenFlow control channel itself must be virtualized and isolated. For example, every message in the OpenFlow protocol carries a transaction ID, and FlowVisor must rewrite these transaction IDs to ensure that messages from different controllers do not use the same ID. Similarly, if processing a packet requires a decision from the controller, the packet has to be stored in the switch's buffer, and the OpenFlow protocol uses a 32-bit integer to identify the different packets in that buffer. FlowVisor needs to ensure that each slice can access only its own packets in the switch buffer.
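The two control-channel rewrites just described, as an added example that is not FlowVisor's own code: controller-to-switch messages get a proxy-unique transaction ID that is mapped back to the controller's original value on the reply, and a buffered packet (identified by the 32-bit buffer_id from the packet-in) may be referenced only by the slice that received that packet-in. Message dicts and the slice classification of the packet-in (done by flowspace, outside this block) are assumptions; NO_BUFFER is OpenFlow's "not buffered" marker.

```python
import itertools

NO_BUFFER = 0xFFFFFFFF   # OpenFlow OFP_NO_BUFFER: packet not held in the switch

# Added example (not FlowVisor code): transaction-id translation and
# buffer-id ownership for a proxied OpenFlow control channel.

class ControlChannelMux:
    def __init__(self):
        self._next_xid = itertools.count(1)
        self.pending = {}       # (dpid, switch-side xid) -> (slice, controller xid)
        self.buffer_owner = {}  # (dpid, buffer_id) -> slice that got the packet-in

    def packet_in(self, dpid, slice_name, msg):
        """Switch->controller packet-in already classified to a slice; record
        which slice may later act on the packet buffered in the switch."""
        buf = msg.get("buffer_id", NO_BUFFER)
        if buf != NO_BUFFER:
            self.buffer_owner[(dpid, buf)] = slice_name
        return msg

    def to_switch(self, slice_name, dpid, msg):
        """Controller->switch: refuse references to another slice's buffered
        packet, then replace the controller's xid with a proxy-unique one."""
        buf = msg.get("buffer_id", NO_BUFFER)
        if buf != NO_BUFFER:
            if self.buffer_owner.get((dpid, buf)) != slice_name:
                return ("error", "buffer_id not owned by slice")
            del self.buffer_owner[(dpid, buf)]   # the switch releases it after use
        sw_xid = next(self._next_xid)
        self.pending[(dpid, sw_xid)] = (slice_name, msg["xid"])
        return ("ok", dict(msg, xid=sw_xid))

    def reply_from_switch(self, dpid, msg):
        """Switch->controller reply: find the owning slice by the proxy xid and
        restore the controller's own xid. Unknown xids are dropped (None)."""
        key = (dpid, msg["xid"])
        if key not in self.pending:
            return None
        slice_name, ctl_xid = self.pending.pop(key)
        return (slice_name, dict(msg, xid=ctl_xid))
```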

This concludes the analysis of FlowVisor's origin, its implementation principles and its isolation mechanisms, which gives some understanding of, and new ideas about, the essential virtual layer of future networks. I believe that books and papers are the only way to expand one's ideas, and I believe FlowVisor is only a pioneer of the network virtual layer; in the future more complete, more powerful and more intelligent systems will emerge, and I hope to contribute to these aspects.
