
Floodlight Exact/Prefix IP Matching Tutorial

Assalamu alaikum (Peace be upon you) dear friend =)

In this tutorial, I’m going to show you how to do exact IP matching in the Floodlight controller using Mininet, OpenFlow (of course) and Open vSwitch.

Let’s begin with the topology. We have me (Sadican), my workmate (Workmate) and a server (Bilmuh). All of them are connected to an Open vSwitch. The overall network looks like this:

[Figure: network topology]

Here are the IP addresses and switch ports for each node:

| Node Name | IP Address | Connected Physical SW Port |
|---|---|---|
| Sadican | 10.0.0.11 | 1 |
| Workmate | 10.0.0.55 | 2 |
| Bilmuh Server | 10.0.0.99 | 3 |

My workmate and I want to connect to the Bilmuh server. Whenever we try to connect to the server, the switch sends a packet-in message to the Floodlight (FL) controller if it has no corresponding rule. FL takes this message and extracts the IP addresses. Then, it generates exact IP matching rules. Several things are important for this to work.

  • First of all, FL has to know the switch ports the nodes are connected to, which are given.
  • Secondly, the controller must create 4 flow-mod add rules: 2 rules for ARP packets from one node to another (e.g. Sadican to Bilmuh server and the reverse) and 2 rules for TCP connections.
  • FL must specify data layer type in matching. For TCP, it is 0x800 and for ARP, it is 0x806. Do not forget that!
  • FL must also set both of the network masks to 32 bits (full) for source and destination IP addresses.

For TCP Connections:
// Match only on ingress port, EtherType and the full (/32) source and destination IPs.
match.setWildcards(Wildcards.FULL.matchOn(Flag.IN_PORT)
        .matchOn(Flag.DL_TYPE).matchOn(Flag.NW_SRC).matchOn(Flag.NW_DST)
        .withNwSrcMask(32).withNwDstMask(32));
match.setDataLayerType(Ethernet.TYPE_IPv4); // 0x800
// NW_PROTO is still wildcarded above, so this value does not narrow the match.
match.setNetworkProtocol(IPv4.PROTOCOL_TCP);

For ARP Connections:
match.setWildcards(Wildcards.FULL.matchOn(Flag.IN_PORT)
        .matchOn(Flag.DL_TYPE).matchOn(Flag.NW_SRC).matchOn(Flag.NW_DST)
        .withNwSrcMask(32).withNwDstMask(32));
match.setDataLayerType(Ethernet.TYPE_ARP); // 0x806
// No setNetworkProtocol() here: NW_PROTO is wildcarded, and TCP does not apply to ARP.

You can download the Mininet script from here.

You can download the Floodlight module from here. 

If you want to test this scenario, you should disable the Forwarding and LearningSwitch modules, since they also establish paths between nodes. To do so, open the floodlightdefault.properties file and delete the modules. Then, add our module (a.tests.ExactIPMatchingTutorial) to it. Here is a screenshot from FL’s UI:

Remarks:
If the network source and destination masks are less than 32, exact IP matching becomes prefix matching. You can try it by changing withNwSrcMask and withNwDstMask to something like 16 or whatever. You will see that there are fewer than 8 rules in the switch. This is because some rules overlap and they are removed during the add operation, as specified in OpenFlow version 1.0. Besides, exact IP addresses become prefixed IP addresses. For example, 10.0.0.11 becomes 10.0.0.0.
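The overlap described in the remarks, worked through as an added example (not the tutorial's Floodlight module): a small Python model of the switch's flow table using the addresses and ports from the table above. It assumes the controller installs the same four rules for each client/server pair, in the order shown, and that an ADD with an identical match and priority takes the place of the existing entry.

```python
import ipaddress

# Topology from the tutorial's table: node -> (IP address, switch port).
NODES = {"Sadican": ("10.0.0.11", 1),
         "Workmate": ("10.0.0.55", 2),
         "Bilmuh": ("10.0.0.99", 3)}
ARP, IPV4 = 0x806, 0x800

def masked(ip, bits):
    """Network address the switch compares against for a given mask length."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

def build_table(mask_bits, priority=32767):
    """Install the 4 rules per client/server pair, one pair after the other.

    The table is keyed by (priority, match). An ADD whose match and priority
    equal an existing entry takes that entry's place, which a dict assignment
    models. Illustrative model with an assumed install order, not Floodlight code.
    """
    table = {}
    for client in ("Sadican", "Workmate"):
        for src, dst in ((client, "Bilmuh"), ("Bilmuh", client)):
            (src_ip, in_port), (dst_ip, out_port) = NODES[src], NODES[dst]
            for dl_type in (ARP, IPV4):
                match = (in_port, dl_type,
                         masked(src_ip, mask_bits), masked(dst_ip, mask_bits))
                table[(priority, match)] = out_port
    return table

def server_reply_ports(table):
    """Output ports of the surviving rules for traffic entering on the server port."""
    server_port = NODES["Bilmuh"][1]
    return sorted({out for (_, m), out in table.items() if m[0] == server_port})

if __name__ == "__main__":
    for bits in (32, 16):
        t = build_table(bits)
        print(f"/{bits}: {len(t)} rules, "
              f"server replies go to ports {server_reply_ports(t)}")
```

With /16 masks the two rules for traffic entering on the server port collapse into one match, so only the output port installed last survives and the other client stops receiving replies.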

[Figure: Floodlight UI screenshot of the exact IP matching rules]


IP Prefix Matching and Flow Insertion using Static Flow Pusher API of Floodlight

Assalamu alaikum wa rahmatullahi wa barakatuh,
Peace be upon you dear visitor 🙂

In this tutorial, I created a simple topology in Mininet (MN). The topology consists of one switch and two hosts. One of the hosts is the client and the other is the server. The topology is illustrated below.

[Figure: IP prefix matching topology]

I disabled the Forwarding and LearningSwitch modules of Floodlight (FL) by deleting them from /floodlight/src/main/resources/floodlightdefault.properties. Thus, I was able to see that my code works perfectly. If you disable these two modules and run your MN topology code, you will see that the client and server cannot communicate with each other, because there will be no flow entry in the switch to forward packets.

In order to provide a connection between these two nodes, we must first insert ARP flow entries into the switch so that the client can find the server’s MAC address. I used the Static Flow Pusher API of Floodlight to insert flows. In the Static Flow Pusher API page, there is a Python script that allows developers to insert flow entries into switches. The following two flow entries do the job.

arp_client_server = {
 'switch':"00:00:00:00:00:00:00:01", # DPID of SW
 'name':"arp_client_server", # unique name of flow entry
 'cookie':"1", # opaque identifier
 'priority':"32767", # highest flow priority
 'ingress-port':"1", # packet that comes in from port ### of sw
 'ether-type':"0x806", # hex of ethernet type of ARP
 'active':"true", # activate flow entry
 'actions':"output=2" # forward matched packet from port ### of sw
 }

arp_server_client = {
 'switch':"00:00:00:00:00:00:00:01",
 'name':"arp_server_client", 
 'cookie':"2",
 'priority':"32767",
 'ingress-port':"2",
 'ether-type':"0x806",
 'active':"true",
 'actions':"output=1"
 }

arp_client_server provides ARP packet forwarding from client to server. arp_server_client does the reverse.

As a next step, TCP flow entries must be inserted into the switch. To do so, I wrote the following code.

ip_host_server = {
 'switch':"00:00:00:00:00:00:00:01",
 'name':"ip_host_server",
 'cookie':"3",
 'priority':"32767", 
 'ether-type':"0x800", # hex of ethernet type of IPv4 (carries TCP and other IP protocols)
 'src-ip':"10.0.0.0/8", # source IP prefix matching
 'active':"true",
 'ingress-port':"1",
 'actions':"output=2"
 }

ip_server_host = {
 'switch':"00:00:00:00:00:00:00:01",
 'name':"ip_server_host",
 'cookie':"4",
 'priority':"32767", 
 'ether-type':"0x800",
 'src-ip':"10.0.0.0/8", 
 'active':"true",
 'ingress-port':"2",
 'actions':"output=1"
 }

Notice that I used IP prefix matching in the src-ip tag. That means all packets sent from hosts in 10.0.0.0/8 match this entry. If you do the same, you will have a switch like the one shown in the figure below.

[Figure: switch flow table with the IP prefix matching entries]

After inserting the required flow entries, I pinged the server from the host. The result is as follows:

[Figure: ping result in Mininet]

If you examine the ping result shown above, you will realize that the ping time is a lot less than when you use the Forwarding or LearningSwitch module. That is because the switch already has the required flow entries to forward packets.
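What the ip_host_server entry actually matches, as an added example that is not part of the original tutorial: a minimal matcher for the match fields used on this page, run over constructed packets. The host addresses 10.0.0.1 and 10.0.0.2 (Mininet defaults), the packet dictionaries and the helper names are assumptions.

```python
import ipaddress

# Flow entry copied from the tutorial above (Static Flow Pusher field names).
ip_host_server = {
    'switch': "00:00:00:00:00:00:00:01", 'name': "ip_host_server",
    'cookie': "3", 'priority': "32767", 'ether-type': "0x800",
    'src-ip': "10.0.0.0/8", 'active': "true",
    'ingress-port': "1", 'actions': "output=2",
}

def matches(entry, pkt):
    """True if a packet (dict) satisfies every match field present in the entry.

    Only the match fields used on this page are modelled; any field the entry
    omits is wildcarded, so it places no constraint on the packet.
    """
    if 'ingress-port' in entry and int(entry['ingress-port']) != pkt['in_port']:
        return False
    if 'ether-type' in entry and int(entry['ether-type'], 16) != pkt['eth_type']:
        return False
    if 'src-ip' in entry:
        net = ipaddress.ip_network(entry['src-ip'], strict=False)
        if ipaddress.ip_address(pkt['src_ip']) not in net:
            return False
    return True

def unconstrained(entry, pkt):
    """Packet attributes the entry never looks at (hypothetical helper)."""
    used = {'ingress-port': 'in_port', 'ether-type': 'eth_type', 'src-ip': 'src_ip'}
    checked = {used[k] for k in entry if k in used}
    return sorted(set(pkt) - checked)

# Constructed sample packets (not captured traffic); ip_proto 6=TCP, 1=ICMP, 17=UDP.
PACKETS = {
    "client tcp":   dict(in_port=1, eth_type=0x800, src_ip="10.0.0.1", dst_ip="10.0.0.2", ip_proto=6),
    "client ping":  dict(in_port=1, eth_type=0x800, src_ip="10.0.0.1", dst_ip="10.0.0.2", ip_proto=1),
    "other 10/8":   dict(in_port=1, eth_type=0x800, src_ip="10.200.3.4", dst_ip="172.16.0.9", ip_proto=17),
    "outside 10/8": dict(in_port=1, eth_type=0x800, src_ip="192.168.1.5", dst_ip="10.0.0.2", ip_proto=6),
    "wrong port":   dict(in_port=2, eth_type=0x800, src_ip="10.0.0.1", dst_ip="10.0.0.2", ip_proto=6),
}

def verdicts(entry=ip_host_server):
    """Match result for each constructed packet against the given entry."""
    return {name: matches(entry, p) for name, p in PACKETS.items()}
```

The entry constrains neither the IP protocol nor the destination, which is why the ping (ICMP) above is forwarded by a rule commented as TCP, and why any source in 10.0.0.0/8 arriving on port 1 is forwarded as well.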

Assalamu alaikum wa rahmatullahi wa barakatuh 🙂


Floodlight Unknown Host Discovery

Assalamu alaikum wa rahmatullahi wa barakatuh.
(Peace be upon you dear visitor.)

In my tests, I saw that Floodlight discovers an unknown host per switch as in the figure below.

[Figure: unknown host discovered by Floodlight]

I have Floodlight (FL), Mininet (MN) and Open vSwitch (OVS) installed on the same machine, which runs Ubuntu 14.04 LTS x64. As far as I know, OVS 2.0.1 supports kernels from 2.6.32 to 3.10. Since my Ubuntu kernel is 3.13, this may be the source of the problem. Updating OVS or downgrading the Ubuntu kernel may solve the problem, but I have another simple, not that good, solution.

With the help and advice of Hung-Wei Chiu from the Floodlight-Developers group, I noticed that there are many IPv6 packets in the FL logs, as he had said. These unknown IPv6 addresses were the same as the MAC addresses of switches or hosts. As a solution to this problem, I disabled IPv6 on my computer.

In order to disable IPv6, you must append the following three lines to the file /etc/sysctl.conf. Note that you need root privileges.

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

After the modification, you can either reboot your computer or execute the sudo sysctl -p command in a terminal.

However, this method may not work as expected. (Well, it did not work for me.) Alternatively, there is another way of disabling IPv6 in Linux. Using your favorite text editor, open the /etc/default/grub file. Then, add ipv6.disable=1 to the GRUB_CMDLINE_LINUX line. On my computer (Ubuntu 14.04 LTS x64), it was like:

GRUB_CMDLINE_LINUX=""

After change:

GRUB_CMDLINE_LINUX="ipv6.disable=1"

After this modification, you must update grub by executing the command sudo update-grub. Finally, reboot your computer and the problem is solved!

Assalamu alaikum wa rahmatullahi wa barakatuh.