1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
Why Open vSwitch?
=================
We love the existing network stack in Linux. It is robust, flexible,
and feature rich. Linux already contains an in-kernel L2 switch (the
Linux bridge) which can be used by VMs for inter-VM communication. So,
it is reasonable to ask why there is a need for a new network switch.
The answer is that Open vSwitch is targeted at multi-server
virtualization deployments, a landscape for which the existing stack is
not well suited. These environments are often characterized by highly
dynamic end-points, the maintenance of logical abstractions, and
(sometimes) integration with or offloading to special purpose switching
hardware.
The following characteristics and design considerations help Open
vSwitch cope with the above requirements.
* The mobility of state: All network state associated with a network
entity (say a virtual machine) should be easily identifiable and
migratable between different hosts. This may include traditional
"soft state" (such as an entry in an L2 learning table), L3 forwarding
state, policy routing state, ACLs, QoS policy, monitoring
configuration (e.g. NetFlow, sFlow), etc.
Open vSwitch has support for both configuring and migrating both slow
(configuration) and fast network state between instances. For
example, if a VM migrates between end-hosts, it is possible to not
only migrate associated configuration (SPAN rules, ACLs, QoS) but any
live network state (including, for example, existing state which
may be difficult to reconstruct). Further, Open vSwitch state is
typed and backed by a real data-model allowing for the development of
structured automation systems.
* Responding to network dynamics: Virtual environments are often
characterized by high-rates of change. VMs coming and going, VMs
moving backwards and forwards in time, changes to the logical network
environments, and so forth.
Open vSwitch supports a number of features that allow a network
control system to respond and adapt as the environment changes. This
includes simple accounting and visibility support such as NetFlow and
sFlow. But perhaps more useful, Open vSwitch supports a network state
database (OVSDB) that supports remote triggers. Therefore, a piece of
orchestration software can "watch" various aspects of the network and
respond if/when they change. This is used heavily today, for example,
to respond to and track VM migrations.
Open vSwitch also supports OpenFlow as a method of exporting remote
access to control traffic. There are a number of uses for this
including global network discovery through inspection of discovery
or link-state traffic (e.g. LLDP, CDP, OSPF, etc.).
* Maintenance of logical tags: Distributed virtual switches (such as
VMware vDS and Cisco's Nexus 1000V) often maintain logical context
within the network through appending or manipulating tags in network
packets. This can be used to uniquely identify a VM (in a manner
resistant to hardware spoofing), or to hold some other context that
is only relevant in the logical domain. Much of the problem of
building a distributed virtual switch is to efficiently and correctly
manage these tags.
Open vSwitch includes multiple methods for specifying and maintaining
tagging rules, all of which are accessible to a remote process for
orchestration. Further, in many cases these tagging rules are stored
in an optimized form so they don't have to be coupled with a
heavyweight network device. This allows, for example, thousands of
tagging or address remapping rules to be configured, changed, and
migrated.
In a similar vein, Open vSwitch supports a GRE implementation that can
handle thousands of simultaneous GRE tunnels and supports remote
configuration for tunnel creation, configuration, and tear-down.
This, for example, can be used to connect private VM networks in
different data centers.
* Hardware integration: Open vSwitch's forwarding path (the in-kernel
datapath) is designed to be amenable to "offloading" packet processing
to hardware chipsets, whether housed in a classic hardware switch
chassis or in an end-host NIC. This allows for the Open vSwitch
control path to be able to both control a pure software
implementation or a hardware switch.
There are many ongoing efforts to port Open vSwitch to hardware
chipsets. These include multiple merchant silicon chipsets (Broadcom
and Marvell), as well as a number of vendor-specific platforms.
The advantage of hardware integration is not only performance within
virtualized environments. If physical switches also expose the Open
vSwitch control abstractions, both bare-metal and virtualized hosting
environments can be managed using the same mechanism for automated
network control.
In many ways, Open vSwitch targets a different point in the design space
than the existing Linux networking stack, focusing on the need for
automated and dynamic network control in large-scale Linux-based
virtualization environments.
The goal with Open vSwitch is to keep the in-kernel code as small as
possible (as is necessary for performance) and to re-use existing
subsystems when applicable (for example Open vSwitch uses the existing
QoS stack). Open vSwitch limits disruption by using existing hooks into
the kernel, so Open vSwitch can be deployed as a module without
requiring any modification to the kernel.
|
