Click here to close now.

Welcome!

Cloud Security Authors: Elizabeth White, Pat Romanski, Liz McMillan, Lori MacVittie, John Wetherill

Related Topics: SDN Journal, Microservices Expo, Containers Expo Blog, CloudExpo® Blog, Cloud Security

SDN Journal: Blog Post

Overlay Entropy

A Plexxi solution provides an optimized L1, L2 and L3 network

There have been many articles describing overlay networks in the past few quarters. It's a relatively straightforward concept, not far removed from some of the older VPN technologies very popular a while ago. The actual transport of packets is probably the simplest, it is the control plane that is much harder to construct and therefore explain. It is therefore also that the control plane in overlay networks has seen the most innovation and change, and is likely to change some more in standard and proprietary ways in the next little while. A perfect example is the use of IP Multicast for unknown, multicast and broadcast traffic as defined in the latest IETF draft for VXLAN, but controller implementations try and avoid IP Multicast as part of the necessary data path. Which will continue to lead to changes in the control plane for learning, distribution of destinations, etc.

A Plexxi solution provides an optimized L1, L2 and L3 network. With the advent of overlay networks, the relationship and interaction between the physical, L2 and L3 network and the overlay infrastructure is important to understand. We strongly believe the control and data planes should be interconnected and coordinated/orchestrated. In this and next week’s blog, I will describe some key touch points of the two at the data plane: entropy as a mechanism to discern flow like information and the role and capabilities of a hardware gateway.

I looked at VXLAN, NVGRE and STT as the major overlay encapsulations. VXLAN and STT are very much driven by VMWare, with STT used as the tunnel encapsulation between vSwitch based VXLAN Tunnel End Points (VTEP), VXLAN used as the tunnel encapsulation to external entities like gateways. NVGRE of course is the tunnel protocol of choice for Microsoft’s overlay solution and very similar to to previous GRE based encapsulations. All encapsulations are IP based, allowing the tunnels to be transported across a basic IP infrastructure (with the above mentioned note for IP Multicast). VXLAN and NVGRE are packet based mechanisms, each original packet ends up being encapsulated into a new packet.

VXLAN is build on top of UDP. As shown below, an encapsulated ethernet packet has 54 bytes of new header information added (assuming it is being transported again over ethernet). The first 18 bytes contain the ethernet header containing the MAC address of the source VTEP and its next IP destination, most likely the next IP router/switch. This header changes at each IP hop. The next 20 bytes contain the IP header. The protocol is set to 17 for UDP. The source IP address is that of the originating VTEP, the destination IP address that of the destination VTEP. The IP header is followed by 8 bytes of UDP header containing source UDP port, destination UDP port (4789) and the usual UDP length and checksum fields. While formatted in a normal way, the UDP source port is used in a special way to create “entropy”, explained in more detail below.

VXLAN Packet Format2

A VXLAN Encapsulated Ethernet Packet

Following the UDP header is the actual 8 byte VXLAN header. Just about all fields except the 24 bit VXLAN Network Identifier (VNI) are reserved and set to zero. The VNI is key, it determines which VXLAN the original packet belongs to. When the destination VTEP receives this packet and decapsulates it, it will use this to find the right table to use for MAC address lookups of the original packet to get it to its destination. Only the original packets (shown with Ethernet headers above) follows the VXLAN header. For every packet sent out by a VM, VXLAN adds 54 bytes of new tunnel headers between the source and destination VTEP. Intermediate systems do all their forwarding based on this new header: ethernet switches will use the Outer Ethernet header, IP routers will use the Outer IPv4 header to route this packet towards its destination. Each IP router will replace the Outer Ethernet header with a new one representing itself as the source, and the next IP router as the destination.

NVGRE packets look very similar to VXLAN packets. The initial Outer Ethernet header is the same as VXLAN, representing the source tunnel endpoint and the first IP router as the source and destination. The next 20 bytes of IP header are also similar to VXLAN, except that the protocol is 47 for GRE. NVGRE encodes the Virtualized LAN (Virtual Subnet ID or VSID in NVGRE terms) inside the GRE header, using 24 bits of the original GRE Key field to represent the VSID, leaving 8 bits for a FlowID field, which serves a similar entropy function as the UDP source port for VXLAN, explain further below. The VSID in NVGRE and VNI in VXLAN represent the overlay virtual network ID for each of the technologies. Following the GRE header, the original (Ethernet) packet. NVGRE added 46 bytes of new header information to existing packets.

NVGRE Packet Format2

A NVGRE Encapsulated Ethernet Packet

As I mentioned in last week’s blog, a tunnel endpoint is an aggregation point and as a result, all of the individual flows that are put into a specific VTEP to VTEP tunnel go through the transport network based on the new headers that have been added. Many networks rely on some form of L2 or L3 ECMP to use all available bandwidth between any two points on the network, spine and leaf networks being the prime example of an absolute dependency on a very well functioning ECMP to perform at its best. Without discussing the virtues of ECMP again, tunneled packets need something in the new header that allows an hash calculation to make use of multiple ECMP paths. With pretty much all of the L2 and L3 header identical (except for the VNI or VSID) for all traffic between two tunnel endpoints, the creators of these encapsulations have been creative in encoding entropy in these new headers so that hash calculations for these headers can be used to place traffic onto multiple equal cost paths.

For VXLAN, this entropy is encoded in the UDP source port field. With only a single UDP VXLAN connection between any two endpoints allowed (and necessary), the source port is essentially irrelevant and can be used to mark a packet with a hash calculation result that in effect acts as a flow identifier for the inner packet. Except that it is not unique. The VXLAN spec does not specify exactly how to calculate this hash value, but its generally assumed that specific portions of the inner packet L2, L3 and/or L4 header are used to calculate this hash. The originating VTEP calculates this, puts it in the new UDP header as the source port, and it remains there unmodified until it arrives at the receiving VTEP. Intermediate systems that calculate hashes for L2 or L3 ECMP balancing typically use UDP ports as part of their calculation and as a result, different inner packet flows will result in different placement onto ECMP links. As mentioned, intermediate routers or switches that transport the VXLAN packet do not modify the UDP source port, they only use its value in their ECMP calculation.

NVGRE is fairly similar. GRE packets have no TCP or UDP header, and as a result network hardware typically has the ability to recognize these packets as GRE and use the 32-bit GRE key field as an information source in their ECMP calculations. GRE tunnel endpoints encode inner packet flows with individual (but not necessarily unique) key values, and as a result, intermediate network systems will calculate different hash results to place these inner packet flows onto multiple ECMP links. NVGRE has taken 24 of these bits to encode the VSID, but has left 8 bits to create this entropy at the tunnel endpoint, the field has been renamed FlowID. The VSID and FlowID combined will be used to calculate hashes for ECMP link placement. A possible challenge is that for networks that have many many flows inside a VSID between two specific NVGRE endpoints, the 8 bits worth of differentiation may not create a “normal” ECMP distribution.

While the packet formats have been constructed to ensure that the “normal” tools of entropy can be used for ECMP and LAG by existing switching hardware, the latest hardware platforms have the ability to look well beyond the outer headers. Many bits and pieces of the new headers can be examined and decisions can be made on them. While specific switching ASICs will have slightly different tools, the latest generations of them have he ability to look at VNI and VSID even when not acting as a gateway, and packet modification or forwarding decisions can be made on their value. Inner MAC and IP headers can also be examined and acted on, with a bit more complexity. Switching ASICs are built to have quick access to the most important fields to make decisions on, access to less common fields is there, but requires some manual construction by those that program the ASIC (the networking vendors).

When the switching platform is configured to be a gateway to provide bridging functions between regular VLANs and the tunneled VXLAN or NVGRE infrastructure, the ASIC has access to the entire original packet, since it actively encapsulates or decapsulates the original packet. That gives the switch decision choices very similar to a vSwitch, but at a smaller scale. More detail on the gateway function and STT next week.

The post Overlay Entropy appeared first on Plexxi.

Read the original blog entry...

More Stories By Marten Terpstra

Marten Terpstra is a Product Management Director at Plexxi Inc. Marten has extensive knowledge of the architecture, design, deployment and management of enterprise and carrier networks.

@ThingsExpo Stories
SYS-CON Events announced today that BMC will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. BMC delivers software solutions that help IT transform digital enterprises for the ultimate competitive business advantage. BMC has worked with thousands of leading companies to create and deliver powerful IT management services. From mainframe to cloud to mobile, BMC pairs high-speed digital innovation with robust IT industrialization – allowing customers to provide amazing user experiences with optimized IT per...
SYS-CON Events announced today that MetraTech, now part of Ericsson, has been named “Silver Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. Ericsson is the driving force behind the Networked Society- a world leader in communications infrastructure, software and services. Some 40% of the world’s mobile traffic runs through networks Ericsson has supplied, serving more than 2.5 billion subscribers.
The world is at a tipping point where the technology, the device and global adoption are converging to such a point that we will see an explosion of a world where smartphone devices not only allow us to talk to each other, but allow for communication between everything – serving as a central hub from which we control our world – MediaTek is at the heart of both driving this and allowing the markets to drive this reality forward themselves. The next wave of consumer gadgets is here – smart, connected, and small. If your ambitions are big, so are ours. In his session at @ThingsExpo, Jack Hu, D...
The 4th International Internet of @ThingsExpo, co-located with the 17th International Cloud Expo - to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA - announces that its Call for Papers is open. The Internet of Things (IoT) is the biggest idea since the creation of the Worldwide Web more than 20 years ago.
SYS-CON Events announced today that DragonGlass, an enterprise search platform, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. After eleven years of designing and building custom applications, OpenCrowd has launched DragonGlass, a cloud-based platform that enables the development of search-based applications. These are a new breed of applications that utilize a search index as their backbone for data retrieval. They can easily adapt to new data sets and provide access to both structured and unstruc...
We’re entering a new era of computing technology that many are calling the Internet of Things (IoT). Machine to machine, machine to infrastructure, machine to environment, the Internet of Everything, the Internet of Intelligent Things, intelligent systems – call it what you want, but it’s happening, and its potential is huge. IoT is comprised of smart machines interacting and communicating with other machines, objects, environments and infrastructures. As a result, huge volumes of data are being generated, and that data is being processed into useful actions that can “command and control” thi...
As the Internet of Things unfolds, mobile and wearable devices are blurring the line between physical and digital, integrating ever more closely with our interests, our routines, our daily lives. Contextual computing and smart, sensor-equipped spaces bring the potential to walk through a world that recognizes us and responds accordingly. We become continuous transmitters and receivers of data. In his session at @ThingsExpo, Andrew Bolwell, Director of Innovation for HP's Printing and Personal Systems Group, discussed how key attributes of mobile technology – touch input, sensors, social, and ...
All major researchers estimate there will be tens of billions devices - computers, smartphones, tablets, and sensors - connected to the Internet by 2020. This number will continue to grow at a rapid pace for the next several decades. With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo, June 9-11, 2015, at the Javits Center in New York City. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be
The Internet of Things is not only adding billions of sensors and billions of terabytes to the Internet. It is also forcing a fundamental change in the way we envision Information Technology. For the first time, more data is being created by devices at the edge of the Internet rather than from centralized systems. What does this mean for today's IT professional? In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will addresses this very serious issue of profound change in the industry.
WebRTC defines no default signaling protocol, causing fragmentation between WebRTC silos. SIP and XMPP provide possibilities, but come with considerable complexity and are not designed for use in a web environment. In his session at @ThingsExpo, Matthew Hodgson, technical co-founder of the Matrix.org, discussed how Matrix is a new non-profit Open Source Project that defines both a new HTTP-based standard for VoIP & IM signaling and provides reference implementations.
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists will peel away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud environment, and we must architect and code accordingly. At the very least, you'll have no problem fil...
Almost everyone sees the potential of Internet of Things but how can businesses truly unlock that potential. The key will be in the ability to discover business insight in the midst of an ocean of Big Data generated from billions of embedded devices via Systems of Discover. Businesses will also need to ensure that they can sustain that insight by leveraging the cloud for global reach, scale and elasticity.
"People are a lot more knowledgeable about APIs now. There are two types of people who work with APIs - IT people who want to use APIs for something internal and the product managers who want to do something outside APIs for people to connect to them," explained Roberto Medrano, Executive Vice President at SOA Software, in this SYS-CON.tv interview at Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect at GE, and Ibrahim Gokcen, who leads GE's advanced IoT analytics, focused on the Internet of Things / Industrial Internet and how to make it operational for business end-users. Learn about the challenges posed by machine and sensor data and how to marry it with enterprise data. They also discussed the tips and tricks to provide the Industrial Internet as an end-user consumable service using Big Data Analytics and Industrial Cloud.
Building low-cost wearable devices can enhance the quality of our lives. In his session at Internet of @ThingsExpo, Sai Yamanoor, Embedded Software Engineer at Altschool, provided an example of putting together a small keychain within a $50 budget that educates the user about the air quality in their surroundings. He also provided examples such as building a wearable device that provides transit or recreational information. He then reviewed the resources available to build wearable devices at home including open source hardware, the raw materials required and the options available to power s...
How do APIs and IoT relate? The answer is not as simple as merely adding an API on top of a dumb device, but rather about understanding the architectural patterns for implementing an IoT fabric. There are typically two or three trends: Exposing the device to a management framework Exposing that management framework to a business centric logic Exposing that business layer and data to end users. This last trend is the IoT stack, which involves a new shift in the separation of what stuff happens, where data lives and where the interface lies. For instance, it's a mix of architectural styles ...
We certainly live in interesting technological times. And no more interesting than the current competing IoT standards for connectivity. Various standards bodies, approaches, and ecosystems are vying for mindshare and positioning for a competitive edge. It is clear that when the dust settles, we will have new protocols, evolved protocols, that will change the way we interact with devices and infrastructure. We will also have evolved web protocols, like HTTP/2, that will be changing the very core of our infrastructures. At the same time, we have old approaches made new again like micro-services...
Connected devices and the Internet of Things are getting significant momentum in 2014. In his session at Internet of @ThingsExpo, Jim Hunter, Chief Scientist & Technology Evangelist at Greenwave Systems, examined three key elements that together will drive mass adoption of the IoT before the end of 2015. The first element is the recent advent of robust open source protocols (like AllJoyn and WebRTC) that facilitate M2M communication. The second is broad availability of flexible, cost-effective storage designed to handle the massive surge in back-end data in a world where timely analytics is e...
Collecting data in the field and configuring multitudes of unique devices is a time-consuming, labor-intensive process that can stretch IT resources. Horan & Bird [H&B], Australia’s fifth-largest Solar Panel Installer, wanted to automate sensor data collection and monitoring from its solar panels and integrate the data with its business and marketing systems. After data was collected and structured, two major areas needed to be addressed: improving developer workflows and extending access to a business application to multiple users (multi-tenancy). Docker, a container technology, was used to ...
The true value of the Internet of Things (IoT) lies not just in the data, but through the services that protect the data, perform the analysis and present findings in a usable way. With many IoT elements rooted in traditional IT components, Big Data and IoT isn’t just a play for enterprise. In fact, the IoT presents SMBs with the prospect of launching entirely new activities and exploring innovative areas. CompTIA research identifies several areas where IoT is expected to have the greatest impact.