9.1 - Programming SDNs

Question 1

OpenFlow API updates to multiple switches in a path may result in what problems?

Answer 1

1. Packet-level consistency problem

2. Flow-level consistency problem

Question 2

Packet-level consistency problem

Answer 2

Switches updated at different times in the same path may not have consistent states, and this could result in disruption.

Question 3

Flow-level consistency problem

Answer 3

Updates that occur in the middle of a flow may cause packets from that same flow to be subjected to two different states.

Question 4

What are the three steps of SDN programming?

Answer 4

1. Read/monitor state
2. Compute policy
3. Write policy

Question 5

“Read/Monitor State” step of SDN programming

Answer 5

These events may include:

• failures
• topology changes
• security events

Question 6

“Compute Policy” step of SDN programming

Answer 6

This is the role of the decision plane in decided what the forwarding behavior of the network should be in response to various states from the network switches.

Question 7

“Write Policy” step of SDN programming

Answer 7

Installing the appropriate flow table state into the switches.

Question 8

In what two steps can consistency errors occur?

Answer 8

1. Read - reading the network at different times can result in inconsistencies
2. Write - the controller may be writing policy as traffic is actively flowing through the network which can disrupt packets

Question 9

Simple match-action rules do not allow certain exception to be expressed. What is a solution to this problem?

Answer 9

A runtime system that can translate PREDICATES such as AND or NOT into low-level OpenFlow rules.

Question 10

Switches only have a limited amount of space to store rules. What is a solution to this problem?

Answer 10

The run-time system dynamically “UNFOLDS” rules as traffic arrives. This guarantees that there are only rules in the switch which correspond to active traffic.

Example: programmer could specify something such as “group by IP address”

Question 11

What happens if a switch receives additional packets in a flow before a rule has arrived from the controller?

Answer 11

• A programmer can specify a limit of 1 packet which can initiate a rule request, and the subsequent packets should be SUPPRESSED.
• The system can then hide the extra events.

Question 12

What are three approaches to handling consistency in the reading state?

Answer 12

1. Predicates
2. Rule Unfolding
3. Suppression

Question 13

What are some reasons that a controller may want to write policy to change the state in network switches?

Answer 13

• Maintenance
• Unexpected Failure
• Traffic Engineering

Question 14

What invariants does a controller attempt to maintain when writing policy?

Answer 14

• No forwarding loops
• No black holes
• No security violations

Question 15

How might a forwarding loop occur?

Answer 15

If an operator wishes to redirect traffic off of a particular link, he might change the weight of that link. However if that state were updated in one switch before another, the other switch in the new path could forward the traffic back because it’s unaware of the new shortest route.

Question 16

What’s the solution to preventing a forwarding loop due to inconsistent states among switches?

Answer 16

Two-Phase Commit:

Packets are tagged on ingress, and copies of both rule sets are maintained for some time. Packets aren’t tagged with the new rule set until all switches have received the updates.

Question 17

T/F: One way of coping with inconsistencies is having different controllers for different switches.

Answer 17

FALSE - Each controller may be making independent decisions, so this could lead to an inconsistent state.

Question 18

T/F: One way of coping with inconsistencies is keeping a “hot spare” replica.

Answer 18

FALSE - This does no good if the spare also writes state inconsistently to the network.

Question 19

T/F: One way of coping with inconsistencies is keeping both the old and new state on the routers and switches.

Answer 19

TRUE - This is the “two-phase commit” approach

Question 20

T/F: One way of coping with inconsistencies is resolving conflicts on the routes.

Answer 20

FALSE - No router has a complete view of the network state.

Question 21

What is Network Virtualization?

Answer 21

It is an abstraction of a physical network.

• Multiple logical networks can by same underlying physical network.
• Logical networks can have a different topology than the physical network.

Question 22

Tunnels

Answer 22

Tunnels are how nodes connect on a virtual network.

Question 23

One of the main motivations for the rise of virtual network was the ______ of Internet architecture.

Answer 23

One of the main motivations for the rise of virtual network was the “OSSIFICATION” of Internet architecture.

Question 24

How does network virtualization enable evolution?

Answer 24

By allowing multiple architectures to exist in parallel.

Question 25

Where has network virtualization really taken off in practice?

Answer 25

Multi-tenant data centers

Question 26

T/F: One of the motivations for virtual networking is easier troubleshooting.

Answer 26

FALSE - Virtual networks are not inherently easier to troubleshoot.

Question 27

T/F: One of the motivations for virtual networking is facilitation research and evolution by co-existence.

Answer 27

TRUE - Experimental networks can co-exist with production networks

Question 28

T/F: One of the motivations for virtual networking is being able to adjust resources to demand.

Answer 28

TRUE - Resources devoted to any particular service can be scaled up or down

Question 29

T/F: One of the motivations for virtual networking is better forwarding performance.

Answer 29

FALSE - Virtual networks do not necessarily provide better performance. In fact it may be worse.

Question 30

What are some of the promised benefits of network virtualization?

Answer 30

1. Rapid Innovation 2. New Forms of Network Control 3. (Potentially) Simpler Programming

Question 31

Why is "rapid innovation" a benefit of network virtualization?

Answer 31

Innovation can proceed at the rate which software evolves as opposed to hardware cycles.

Question 32

How are SDN and Network Virtualization different?

Answer 32

- SDN is a tool for implementing network virtualization. It is defined by the separation of data and control planes. - Network virtualization is an application of SDN. It is defined by the separation of logical and physical networks.

Question 33

T/F: Allowing multiple tenants to share underlying physical infrastructure is a characteristic of Network Virtualization.

Answer 33

TRUE

Question 34

T/F: Controlling behavior from a centralized controller is a characteristic of Network Virtualization.

Answer 34

FALSE - This is a characteristic of SDN

Question 35

T/F: Separating logical and physical networks is a characteristic of Network Virtualization.

Answer 35

TRUE

Question 36

T/F: Separating data and control planes is a characteristic of Network Virtualization.

Answer 36

FALSE - This is a characteristic of SDN

Question 37

What are some of the design goals of Network Virtualization?

Answer 37

- Flexible - Manageable - Scalable - Secure - Programmable - Able to support different technologies

Question 38

What are the two components of Virtual Networks?

Answer 38

- Nodes | - Edges

Question 39

What is one way of virtualizing a physical node?

Answer 39

- Virtual Machines (or Virtual Environments) | - The hypervisor "slices" the underlying hardware to provide the illusion of multiple guest nodes

Question 40

How are edges implemented in virtual networks?

Answer 40

- The appearance that two nodes on separate VMs are connected over a layer 2 topology can be created using TUNNELS - Tunnels encapsulate packets as they leave a VM and the host on the other end encapsulates the packet

Question 41

What are some problems with programming with OpenFlow?

Answer 41

- It's not easy. There is a low level of abstraction. - The controller only sees events that switches do not know how to handle. - There can be race conditions if switch-level rules are not installed properly

Question 42

What is the solution to network programming given the problems with OpenFlow?

Answer 42

- A "northbound" API that allows for applications to be written without writing low-level or "southbound" OpenFlow rules

Question 43

What are the benefits of programming against an API rather than directly with OpenFlow?

Answer 43

- Vendor Independence | - The ability to quickly modify or customize control through various popular programming languages

Question 44

What are some example of applications that may need to be written?

Answer 44

- large virtual switches - security apps - middlebox interpretation

Question 45

"Northbound" API

Answer 45

- API that allows for applications to be written for controllers without writing low-level or "southbound" OpenFlow rules

Question 46

Frenetic

Answer 46

A SQL-like query language that uses the northbound API

Question 47

Composition Operators

Answer 47

Specify how individually programmed modules are combined to create a single set of OpenFlow rules.

Question 48

What are two ways of composing policies?

Answer 48

1. Parallel | 2. Sequential

Question 49

Parallel Policies

Answer 49

Operations are performed simultaneously. Example: Counting and Forwarding

Question 50

Sequential Policies

Answer 50

Operations are performed one after another. Example: Firewall, then Switch Example: Load Balancer

Question 51

How are sequential policies used in a load balancer?

Answer 51

First a policy load balances the traffic. Predicates are used to decide how to balance packets. Then a routing policy is implemented to forward packets to the appropriate destination.

Question 52

Pyretic

Answer 52

An SDN Language and Runtime Language - provides a way to express policies Runtime: Compiles policies into OpenFlow rules

Question 53

"Located" Packets

Answer 53

One of the key abstractions of Pyretic, the idea that we can apply a policy based on a packet at it's location in the network (i.e. switch or port)

Question 54

What are some of the features of Pyretic?

Answer 54

- Network policy as a function - Boolean predicates - Virtual packet header fields - Composition Operators

Question 55

What are some example functions in Pyretic?

Answer 55

identity - returns the original packet none - (drop) returns an empty set match (f = v) - returns packets where f = v mod - returns packet with f set to v fwd(a) - modifies output port field flood - returns to packet on each port of the spanning tree (like a hub)

Question 56

How is sequential composition expressed in Pyretic?

Answer 56

>> Operator Example: match() >> fwd()

Question 57

How is parallel composition expressed in Pyretic?

Answer 57

+ Operator Example: match() >> fwd() + match() >> fwd()

Question 58

Dynamic Policies

Answer 58

Policies whose forwarding behavior can change. - Represented as a time series of static policies