If you have not read the previous post Software Defined Networks, feel free to go and see it. In this blog post, I will be discussing how OpenFlow works in the context of SDNs.
Openflow
Openflow is a communication protocol that gives access to the forwarding plane of a network switch or router over the network. It enables network controllers to determine the path of the network packets across a network of switches. The controllers are distinct from the switches.
The Openflow Protocol is an open-source southbound API that enables the network operating system to communicate with the forwarding devices within the underlying network infrastructure.
The Openflow switch is the forwarding abstraction which allows forwarding behavior without exposing the underlying implementation of the forwarding process.
OpenFlow Switch Architecture
The Openflow switch consists of 2 main components.
- Control channel
- Data Path
The control channel is responsible for contacting the controller (using TCP but also can have multiple other channels) and inferring which flow the current packet is from. This will allow the switch to route the packet based on the flow correctly.
The data path is responsible for forwarding the packet to the correct destination. It consists of many pipelines. Each section of the pipeline consist of a flow table. The flow table is a lookup table that contains the flow entries. The flow entries are the rules that the switch uses to forward the packet. The flow entries are matched against the packet headers. The flow entries are matched in order. The first match is the one that is used to forward the packet.
They also contain a group table to aggregate ports and the actions performed on the packet as well as a meter table which is responsible for rate limiting.
Openflow Terminology
For each packet from a packet flow, it consists of the following
- Packet Header and header fields
- Pipeline fields
- This is where values are attached to the packet during pipeline processing
- EG: Ingress port & Meta data (implement more complex forwarding logic)
- Action
- An operation that acts on a packet
- EG: Drop, Forward, Modify (like decreasing TTL)
- Action Set
- A set of action accumulated while being processed
- They are lazily evaluated at the end of the pipeline processing (There are some exceptions to this)
OpenFlow flow entries
A flow table entry looks like the diagram below
The flow table entry consists of the following
- Match Fields
- Priority
- Counters
- Instructions
- Timeouts
Match Field
This are the fields that the packets are matched against. This is can contain any of the following:
- Header fields
- Pipeline fields
Each of the above fields can be a wildcard or bit mask.
Priority
As the name suggests, this field is used to prioritize matches from one another. The first match of the highest priority is applied to the packet.
Counters
This keeps track of the number of packets that matched the defined rule
Instructions
This is the set of instructions which are used to modify the action set. They can be instructions from the following set
- Meter: Directs the packet to the specified meter to rate limit the packets
- Apply-Actions: Applies the specified actions in the action list immediately
- Clear-Actions: Clears all the actions in the action set immediately
- Write-Actions: Modifies all actions in the action set immediately
- Write-Metadata: Modifies packets between two flow tables (If multiple tables exists.)
- Goto-Table: Indicates the next flow table in the processing pipeline
- Action Set: When the instruction set of a flow entry does not contain a Goto-Table instruction, the action set is applied to the packet based on the order of the instruction set.
- Action List: The actions in the action list are executed immediately in the order specified by the action list. The effects of those actions is cumulative.
- Output: The output action forwards a packet to the specified OpenFlow port. OpenFlow switches must support forwarding packets to physical ports, logical ports and reserved ports
- Drop: Packets which have no explicit output actions are dropped. (Either due to empty instruction or actions set, or due to a Clear-Action instruction)
- Group: Process the packet through the specific group. (Depends on the group type of the packet)
- Set-Queue: Sets the queue ID of the packet to the specified queue ID. When the packet is output to a port, the packet is placed in the queue with the specified queue ID for the port to be scheduled and forwarded.
- Set-Field: The Set-Field action sets the value of a field in a packet header. (This only applies to the outermost header of the packet, EG: Vlan ID sets the outermost VLAN tag)
Timeouts
Timeouts consists of 2 types: Hard and Idle timeouts.
Idle Timeout: The flow entry is removed when it has matched no packets during the idle time
Hard Timeout: The flow entry is removed when the hard time timeout is exceeded regardless of anything.
Cookie
This is the flow entry identifier specified by the controller.