Ministry of Education, Program for Promoting Innovative ICT Software Talent, Cross-University Resource Center for System Software Creation: Software-Defined Networking and Applications
Unit 10: Software-Defined Networking (SDN) Lab
Participating team: Prof. 李詩偉, Prof. 黃仁竑, Prof. 鄭伯炤, Prof. 江為國, Prof. 林柏青
Open vSwitch v2.3.1 Environment
OS: Ubuntu 14.04.1 Server LTS x86_64
Kernel version: 3.13.0-34-generic
Packages to install beforehand:
  apt-get install aptitude
  aptitude install dh-autoreconf libssl-dev openssl
Open vSwitch Installation
Download and build:
  wget http://openvswitch.org/releases/openvswitch-2.3.1.tar.gz
  tar zxvf openvswitch-2.3.1.tar.gz && cd openvswitch-2.3.1
  ./boot.sh
  ./configure --with-linux=/lib/modules/`uname -r`/build
  make -j && sudo make install
  sudo make modules_install
  sudo modprobe gre
  sudo modprobe openvswitch
  sudo modprobe libcrc32c
Confirm that the ovs kernel module is loaded:
  lsmod | grep openvswitch
Open vSwitch Installation (cont.)
Set up ovsdb (the database only needs to be created once; if the configuration gets into a bad state, delete conf.db and recreate it):
  ovsdb-tool create /usr/local/etc/openvswitch/conf.db /usr/local/share/openvswitch/vswitch.ovsschema
Start ovsdb-server:
  ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock \
    --remote=db:Open_vSwitch,Open_vSwitch,manager_options \
    --pidfile --detach --log-file
The ovsdb log can be read with:
  cat /usr/local/var/log/openvswitch/ovsdb-server.log
Initialize the database with ovs-vsctl:
  ovs-vsctl --no-wait init
Start ovs-vswitchd:
  ovs-vswitchd --pidfile --detach --log-file
Open vSwitch Commands
Add a bridge:
  ovs-vsctl add-br [bridge name]
  ex: ovs-vsctl add-br ovs-br
Attach an interface to ovs-br:
  ovs-vsctl add-port [bridge name] [interface name]
  ex: ovs-vsctl add-port ovs-br eth0
Open vSwitch Commands (cont.)
Remove a bridge:
  ovs-vsctl del-br [bridge name]
  ex: ovs-vsctl del-br ovs-br
Set the controller:
  ovs-vsctl set-controller ovs-br tcp:[controller ip]:[port]
  ex: ovs-vsctl set-controller ovs-br tcp:1.2.3.4:6633
Check the controller setting:
  ovs-vsctl show
If the connection to the controller succeeded, the output shows is_connected: true
Open vSwitch Commands (cont.)
Remove the controller:
  ovs-vsctl del-controller [bridge name]
  ex: ovs-vsctl del-controller ovs-br
Enable OpenFlow versions 1.2 and 1.3 on the bridge:
  ovs-vsctl set bridge ovs-br protocols=OpenFlow12,OpenFlow13
Open vSwitch Commands (cont.)
Add a flow:
  ovs-ofctl add-flow [bridge name] [match fields],actions=[actions]
  ex: ovs-ofctl add-flow ovs-br priority=0,in_port=1,actions=output:2
Delete flows:
  ovs-ofctl del-flows [bridge name]
  ex: ovs-ofctl del-flows ovs-br
Show flow state:
  ovs-ofctl dump-flows [bridge name]
  ex: ovs-ofctl dump-flows ovs-br
OpenFlow Match Fields
Field                                                   Description
in_port                                                 Matches OpenFlow port port, which may be an OpenFlow port number
dl_vlan                                                 Matches IEEE 802.1q Virtual LAN tag vlan
dl_src, dl_dst                                          Matches an Ethernet source (or destination) address
dl_type                                                 Matches Ethernet protocol type ethertype
nw_src, nw_dst                                          When dl_type is 0x0800, matches IPv4 source (or destination) address ip
nw_proto, ip_proto                                      Matches IP protocol type proto
tcp_src, tcp_dst, udp_src, udp_dst, sctp_src, sctp_dst  Matches a TCP, UDP, or SCTP source or destination port port
arp_spa, arp_tpa                                        Matches the ARP sender (source) and target IPv4 address
Actions
Action                 Description
output:port            Outputs the packet to OpenFlow port number port. If port is the packet's input port, the packet is not output.
group:group_id         Outputs the packet to the OpenFlow group group_id. Group tables are only supported in OpenFlow 1.1+.
normal                 Subjects the packet to the device's normal L2/L3 processing.
controller[:nbytes]    Shorthand for controller() or controller(max_len=nbytes), respectively.
enqueue(port,queue)    Enqueues the packet on the specified queue within port port, which must be an OpenFlow port number or keyword (e.g. LOCAL). The number of supported queues depends on the switch; some OpenFlow implementations do not support queuing at all.
drop                   Discards the packet, so no further processing or forwarding takes place. If a drop action is used, no other actions may be specified.
push_vlan:ethertype    Pushes a new VLAN tag onto the packet. ethertype is used as the Ethertype for the tag. Only ethertype 0x8100 should be used. (0x88a8, which the spec allows, isn't supported at the moment.) A priority of zero and a tag of zero are used for the new tag.
Actions (cont.)
Action                 Description
set_field:value->field Sets field field to value
goto_table:table       Indicates the next table in the processing pipeline.
Part I: Without Controller
  Demo Ping
  HTTP Redirection
  NAT
Demo Ping
Question: use the OpenFlow protocol to let the hosts at both ends communicate over ICMP.
[Figure: HOST A (eth1) -- Open vSwitch -- (eth2) HOST B. Step 1: ARP request and ARP reply. Step 2: ICMP request and ICMP reply.]
Demo Ping (Cont.)
Create a bridge named br0:
  sudo ovs-vsctl add-br br0
Add port eth1 to the bridge:
  sudo ovs-vsctl add-port br0 eth1
Add port eth2 to the bridge:
  sudo ovs-vsctl add-port br0 eth2
Use the show command to obtain the port numbers of eth1 and eth2 within the bridge:
  sudo ovs-ofctl -O OpenFlow13 show br0
Add a flow entry: packets arriving on port 1 are forwarded to port 2:
  sudo ovs-ofctl -O OpenFlow13 add-flow br0 priority=1,in_port=1,actions=output:2
Add a flow entry: packets arriving on port 2 are forwarded to port 1:
  sudo ovs-ofctl -O OpenFlow13 add-flow br0 priority=1,in_port=2,actions=output:1
Check that the flow entries were written successfully:
  sudo ovs-ofctl -O OpenFlow13 dump-flows br0
HTTP Redirect
Lab objective: make use of OpenFlow's ability to inspect packet contents on demand: check whether a packet is HTTP, then redirect it according to its destination address.
Lab description: [Figure: topology with HTTP server, IP 192.168.0.3]
HTTP Redirect (Cont.)
Step 1. Install a flow entry so that only packets whose destination IP is the server, that carry TCP over IP, and whose destination port is 80 are forwarded:
  sudo ovs-ofctl -O OpenFlow13 add-flow br0 priority=1,dl_type=0x0800,nw_dst=192.168.0.3,ip_proto=6,tcp_dst=80,actions=output:3
Step 2. Install flow entries so the server can answer requests from the hosts; the output port is chosen by destination address:
  sudo ovs-ofctl -O OpenFlow13 add-flow br0 priority=1,dl_type=0x0800,nw_dst=192.168.0.1,actions=output:1
  sudo ovs-ofctl -O OpenFlow13 add-flow br0 priority=1,dl_type=0x0800,nw_dst=192.168.0.2,actions=output:2
NAT
Lab objective: use NAT to translate a private IP into a public IP so the host can reach the Internet.
Lab description: [Figure: Host 192.168.1.1 -- Open vSwitch -- WAN]
NAT (Cont.)
Step 1: Install flow entries that first rewrite the ARP packet information to the external IP, and install the reverse flow entry as well:
  sudo ovs-ofctl -O OpenFlow13 add-flow br0 priority=1,dl_type=0x0806,in_port=1,arp_spa=192.168.1.1,actions=set_field:140.123.1.100->arp_spa,output:2
  sudo ovs-ofctl -O OpenFlow13 add-flow br0 priority=1,dl_type=0x0806,in_port=2,arp_tpa=140.123.1.100,actions=set_field:192.168.1.1->arp_tpa,output:1
Step 2: Install flow entries that rewrite the IP packet information to the external IP, and install the reverse flow entry as well (return traffic from the WAN is addressed to the public IP, so the reverse entry matches and rewrites the destination):
  sudo ovs-ofctl -O OpenFlow13 add-flow br0 priority=1,dl_type=0x0800,in_port=1,nw_src=192.168.1.1,actions=set_field:140.123.1.100->nw_src,output:2
  sudo ovs-ofctl -O OpenFlow13 add-flow br0 priority=1,dl_type=0x0800,in_port=2,nw_dst=140.123.1.100,actions=set_field:192.168.1.1->nw_dst,output:1
Part II: With Controller
  Demo Ping
  HTTP Redirection
  NAT
  Block specific flow
Demo Ping
Lab objective: use the OpenFlow protocol to let the hosts at both ends communicate over ICMP.
[Figure: Controller above the switch; HOST A (eth1) -- Open vSwitch -- (eth2) HOST B. Step 1: ARP request and ARP reply. Step 2: ICMP request and ICMP reply.]
Demo Ping (Cont.)
ARP
  # Ryu controller code (OpenFlow 1.3): parser is datapath.ofproto_parser and
  # ofproto is datapath.ofproto; add_flow is the lab application's own helper
  # that wraps the match, actions and instructions in an OFPFlowMod.
  # HOST A (10.0.0.1, port 1) -> HOST B (10.0.0.2, port 2)
  match = parser.OFPMatch(eth_type=0x0806, arp_tpa="10.0.0.2", arp_spa="10.0.0.1")
  actions = [parser.OFPActionOutput(2)]
  inst = [parser.OFPInstructionActions(ofproto.OFPIT_APPLY_ACTIONS, actions)]
  self.add_flow(datapath, 0, match, actions, inst)
  # HOST B (10.0.0.2, port 2) -> HOST A (10.0.0.1, port 1)
  match = parser.OFPMatch(eth_type=0x0806, arp_tpa="10.0.0.1", arp_spa="10.0.0.2")
  actions = [parser.OFPActionOutput(1)]
  inst = [parser.OFPInstructionActions(ofproto.OFPIT_APPLY_ACTIONS, actions)]
  self.add_flow(datapath, 0, match, actions, inst)
Demo Ping (Cont.)
ICMP
  # IPv4 traffic (eth_type 0x0800) in both directions, keyed on source/destination
  match = parser.OFPMatch(eth_type=0x0800, ipv4_src="10.0.0.1", ipv4_dst="10.0.0.2")
  actions = [parser.OFPActionOutput(2)]
  inst = [parser.OFPInstructionActions(ofproto.OFPIT_APPLY_ACTIONS, actions)]
  self.add_flow(datapath, 0, match, actions, inst)
  match = parser.OFPMatch(eth_type=0x0800, ipv4_src="10.0.0.2", ipv4_dst="10.0.0.1")
  actions = [parser.OFPActionOutput(1)]
  inst = [parser.OFPInstructionActions(ofproto.OFPIT_APPLY_ACTIONS, actions)]
  self.add_flow(datapath, 0, match, actions, inst)
HTTP Redirect
Lab objective: make use of OpenFlow's ability to inspect packet contents on demand; have the controller issue OpenFlow flow_mod messages that check whether a packet is HTTP and redirect it according to its destination address.
Lab description: [Figure: Controller; HTTP server IP 192.168.0.3]
Expected result: the hosts can reach the HTTP server's web page.
HTTP Redirect (Cont.)
Request
  # Only TCP (ip_proto 6) to port 80 on the server is forwarded to the server port (3)
  match = parser.OFPMatch(eth_type=0x0800, ipv4_dst="192.168.0.3", ip_proto=6, tcp_dst=80)
  actions = [parser.OFPActionOutput(3)]
  inst = [parser.OFPInstructionActions(ofproto.OFPIT_APPLY_ACTIONS, actions)]
  self.add_flow(datapath, 0, match, actions, inst)
Reply
  # Replies from the server go back to the host that owns the destination address
  match = parser.OFPMatch(eth_type=0x0800, ipv4_dst="192.168.0.1")
  actions = [parser.OFPActionOutput(1)]
  inst = [parser.OFPInstructionActions(ofproto.OFPIT_APPLY_ACTIONS, actions)]
  self.add_flow(datapath, 0, match, actions, inst)
  match = parser.OFPMatch(eth_type=0x0800, ipv4_dst="192.168.0.2")
  actions = [parser.OFPActionOutput(2)]
  inst = [parser.OFPInstructionActions(ofproto.OFPIT_APPLY_ACTIONS, actions)]
  self.add_flow(datapath, 0, match, actions, inst)
NAT
Lab objective: have the controller issue OpenFlow flow_mod messages that implement NAT, translating a private IP into a public IP so the host can reach the Internet.
Lab description: [Figure: Controller; Host 192.168.1.1 -- Open vSwitch -- WAN]
Expected result: the host can reach the external network from its private IP.
NAT (Cont.)
Send
  # Outbound: rewrite the private source address to the public one, then send to the WAN port (2)
  match = parser.OFPMatch(eth_type=0x0800, ipv4_src="192.168.1.1")
  actions = [parser.OFPActionSetField(ipv4_src="140.123.1.100"), parser.OFPActionOutput(2)]
  inst = [parser.OFPInstructionActions(ofproto.OFPIT_APPLY_ACTIONS, actions)]
  self.add_flow(datapath, 0, match, actions, inst)
Receive
  # Inbound: traffic addressed to the public IP gets the private destination restored, then goes to the host port (1)
  match = parser.OFPMatch(eth_type=0x0800, ipv4_dst="140.123.1.100")
  actions = [parser.OFPActionSetField(ipv4_dst="192.168.1.1"), parser.OFPActionOutput(1)]
  inst = [parser.OFPInstructionActions(ofproto.OFPIT_APPLY_ACTIONS, actions)]
  self.add_flow(datapath, 0, match, actions, inst)
Block
Lab objective: there are many kinds of network attacks today. Take DDoS as an example: a flood of legitimate-looking requests consumes large amounts of network resources in order to paralyze the network. If an SDN switch is in use, the controller can use OpenFlow messages to periodically check the packet counts of the flow entries and block the packets of a specific high-volume attacker.
Lab description: [Figure: Controller above the switch]
Expected result: the controller uses OpenFlow multipart messages to obtain the packet-count statistics of every flow entry in the switch's flow table, then uses flow_mod to install a flow that drops packets from the specified IP.
Block (Cont.) 29
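The blocking decision the Block lab describes, written here as an added example (not code from the original slides) in plain Python so it runs without a controller: two successive flow-stats samples are compared, any source whose packet rate exceeds a threshold is selected, and the matching drop flow is emitted in ovs-ofctl form. The sample entries and the 1000 packets/s threshold are constructed for illustration; in a Ryu app the samples would come from OFPFlowStatsReply.body.

```python
# Added example, not from the original slides: the decision step of the Block
# lab in plain Python, so it runs without a controller. A Ryu app would fill
# the samples from OFPFlowStatsReply.body (each entry's match['ipv4_src'] and
# packet_count); the samples below are constructed by hand.

def packets_by_source(entries):
    """Sum cumulative packet_count per ipv4_src; ARP and wildcard entries are skipped."""
    totals = {}
    for e in entries:
        src = e["match"].get("ipv4_src")
        if src is not None:
            totals[src] = totals.get(src, 0) + e["packet_count"]
    return totals

def sources_over_threshold(prev, curr, interval_s, threshold_pps):
    """Sources whose packet rate between two polls exceeds threshold_pps."""
    over = set()
    for src, count in curr.items():
        before = prev.get(src, 0)
        # Counter lower than at the last poll (flow re-added, wrapped): restart from zero.
        delta = count - before if count >= before else count
        if delta / interval_s > threshold_pps:
            over.add(src)
    return over

def drop_flow(bridge, src, priority=100):
    """ovs-ofctl form of the drop flow; priority 100 outranks the lab's priority-1 forwarding flows."""
    return (f"ovs-ofctl -O OpenFlow13 add-flow {bridge} "
            f"priority={priority},dl_type=0x0800,nw_src={src},actions=drop")

# Constructed samples: two polls 10 s apart; 10.0.0.9 sends 50000 packets in between.
SAMPLE_T0 = [
    {"match": {"eth_type": 0x0800, "ipv4_src": "10.0.0.1"}, "packet_count": 120},
    {"match": {"eth_type": 0x0800, "ipv4_src": "10.0.0.9"}, "packet_count": 400},
    {"match": {"eth_type": 0x0806}, "packet_count": 6},
]
SAMPLE_T1 = [
    {"match": {"eth_type": 0x0800, "ipv4_src": "10.0.0.1"}, "packet_count": 180},
    {"match": {"eth_type": 0x0800, "ipv4_src": "10.0.0.9"}, "packet_count": 50400},
    {"match": {"eth_type": 0x0806}, "packet_count": 8},
]

def decide(interval_s=10.0, threshold_pps=1000.0):
    """One poll cycle over the constructed samples; returns the drop commands to issue."""
    over = sources_over_threshold(packets_by_source(SAMPLE_T0),
                                  packets_by_source(SAMPLE_T1),
                                  interval_s, threshold_pps)
    return [drop_flow("br0", s) for s in sorted(over)]
```

In a controller the same decision would be sent as an OFPFlowMod with a drop instruction instead of being run through ovs-ofctl.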
05/15/15