Welcome!

Security Authors: Elizabeth White, Pat Romanski, Trevor Parsons, Vormetric Blog, Wallace Sann

Related Topics: SDN Journal, SOA & WOA, Virtualization, Cloud Expo, Security

SDN Journal: Blog Post

Overlay Entropy

A Plexxi solution provides an optimized L1, L2 and L3 network

There have been many articles describing overlay networks in the past few quarters. It's a relatively straightforward concept, not far removed from some of the older VPN technologies very popular a while ago. The actual transport of packets is probably the simplest, it is the control plane that is much harder to construct and therefore explain. It is therefore also that the control plane in overlay networks has seen the most innovation and change, and is likely to change some more in standard and proprietary ways in the next little while. A perfect example is the use of IP Multicast for unknown, multicast and broadcast traffic as defined in the latest IETF draft for VXLAN, but controller implementations try and avoid IP Multicast as part of the necessary data path. Which will continue to lead to changes in the control plane for learning, distribution of destinations, etc.

A Plexxi solution provides an optimized L1, L2 and L3 network. With the advent of overlay networks, the relationship and interaction between the physical, L2 and L3 network and the overlay infrastructure is important to understand. We strongly believe the control and data planes should be interconnected and coordinated/orchestrated. In this and next week’s blog, I will describe some key touch points of the two at the data plane: entropy as a mechanism to discern flow like information and the role and capabilities of a hardware gateway.

I looked at VXLAN, NVGRE and STT as the major overlay encapsulations. VXLAN and STT are very much driven by VMWare, with STT used as the tunnel encapsulation between vSwitch based VXLAN Tunnel End Points (VTEP), VXLAN used as the tunnel encapsulation to external entities like gateways. NVGRE of course is the tunnel protocol of choice for Microsoft’s overlay solution and very similar to to previous GRE based encapsulations. All encapsulations are IP based, allowing the tunnels to be transported across a basic IP infrastructure (with the above mentioned note for IP Multicast). VXLAN and NVGRE are packet based mechanisms, each original packet ends up being encapsulated into a new packet.

VXLAN is build on top of UDP. As shown below, an encapsulated ethernet packet has 54 bytes of new header information added (assuming it is being transported again over ethernet). The first 18 bytes contain the ethernet header containing the MAC address of the source VTEP and its next IP destination, most likely the next IP router/switch. This header changes at each IP hop. The next 20 bytes contain the IP header. The protocol is set to 17 for UDP. The source IP address is that of the originating VTEP, the destination IP address that of the destination VTEP. The IP header is followed by 8 bytes of UDP header containing source UDP port, destination UDP port (4789) and the usual UDP length and checksum fields. While formatted in a normal way, the UDP source port is used in a special way to create “entropy”, explained in more detail below.

VXLAN Packet Format2

A VXLAN Encapsulated Ethernet Packet

Following the UDP header is the actual 8 byte VXLAN header. Just about all fields except the 24 bit VXLAN Network Identifier (VNI) are reserved and set to zero. The VNI is key, it determines which VXLAN the original packet belongs to. When the destination VTEP receives this packet and decapsulates it, it will use this to find the right table to use for MAC address lookups of the original packet to get it to its destination. Only the original packets (shown with Ethernet headers above) follows the VXLAN header. For every packet sent out by a VM, VXLAN adds 54 bytes of new tunnel headers between the source and destination VTEP. Intermediate systems do all their forwarding based on this new header: ethernet switches will use the Outer Ethernet header, IP routers will use the Outer IPv4 header to route this packet towards its destination. Each IP router will replace the Outer Ethernet header with a new one representing itself as the source, and the next IP router as the destination.

NVGRE packets look very similar to VXLAN packets. The initial Outer Ethernet header is the same as VXLAN, representing the source tunnel endpoint and the first IP router as the source and destination. The next 20 bytes of IP header are also similar to VXLAN, except that the protocol is 47 for GRE. NVGRE encodes the Virtualized LAN (Virtual Subnet ID or VSID in NVGRE terms) inside the GRE header, using 24 bits of the original GRE Key field to represent the VSID, leaving 8 bits for a FlowID field, which serves a similar entropy function as the UDP source port for VXLAN, explain further below. The VSID in NVGRE and VNI in VXLAN represent the overlay virtual network ID for each of the technologies. Following the GRE header, the original (Ethernet) packet. NVGRE added 46 bytes of new header information to existing packets.

NVGRE Packet Format2

A NVGRE Encapsulated Ethernet Packet

As I mentioned in last week’s blog, a tunnel endpoint is an aggregation point and as a result, all of the individual flows that are put into a specific VTEP to VTEP tunnel go through the transport network based on the new headers that have been added. Many networks rely on some form of L2 or L3 ECMP to use all available bandwidth between any two points on the network, spine and leaf networks being the prime example of an absolute dependency on a very well functioning ECMP to perform at its best. Without discussing the virtues of ECMP again, tunneled packets need something in the new header that allows an hash calculation to make use of multiple ECMP paths. With pretty much all of the L2 and L3 header identical (except for the VNI or VSID) for all traffic between two tunnel endpoints, the creators of these encapsulations have been creative in encoding entropy in these new headers so that hash calculations for these headers can be used to place traffic onto multiple equal cost paths.

For VXLAN, this entropy is encoded in the UDP source port field. With only a single UDP VXLAN connection between any two endpoints allowed (and necessary), the source port is essentially irrelevant and can be used to mark a packet with a hash calculation result that in effect acts as a flow identifier for the inner packet. Except that it is not unique. The VXLAN spec does not specify exactly how to calculate this hash value, but its generally assumed that specific portions of the inner packet L2, L3 and/or L4 header are used to calculate this hash. The originating VTEP calculates this, puts it in the new UDP header as the source port, and it remains there unmodified until it arrives at the receiving VTEP. Intermediate systems that calculate hashes for L2 or L3 ECMP balancing typically use UDP ports as part of their calculation and as a result, different inner packet flows will result in different placement onto ECMP links. As mentioned, intermediate routers or switches that transport the VXLAN packet do not modify the UDP source port, they only use its value in their ECMP calculation.

NVGRE is fairly similar. GRE packets have no TCP or UDP header, and as a result network hardware typically has the ability to recognize these packets as GRE and use the 32-bit GRE key field as an information source in their ECMP calculations. GRE tunnel endpoints encode inner packet flows with individual (but not necessarily unique) key values, and as a result, intermediate network systems will calculate different hash results to place these inner packet flows onto multiple ECMP links. NVGRE has taken 24 of these bits to encode the VSID, but has left 8 bits to create this entropy at the tunnel endpoint, the field has been renamed FlowID. The VSID and FlowID combined will be used to calculate hashes for ECMP link placement. A possible challenge is that for networks that have many many flows inside a VSID between two specific NVGRE endpoints, the 8 bits worth of differentiation may not create a “normal” ECMP distribution.

While the packet formats have been constructed to ensure that the “normal” tools of entropy can be used for ECMP and LAG by existing switching hardware, the latest hardware platforms have the ability to look well beyond the outer headers. Many bits and pieces of the new headers can be examined and decisions can be made on them. While specific switching ASICs will have slightly different tools, the latest generations of them have he ability to look at VNI and VSID even when not acting as a gateway, and packet modification or forwarding decisions can be made on their value. Inner MAC and IP headers can also be examined and acted on, with a bit more complexity. Switching ASICs are built to have quick access to the most important fields to make decisions on, access to less common fields is there, but requires some manual construction by those that program the ASIC (the networking vendors).

When the switching platform is configured to be a gateway to provide bridging functions between regular VLANs and the tunneled VXLAN or NVGRE infrastructure, the ASIC has access to the entire original packet, since it actively encapsulates or decapsulates the original packet. That gives the switch decision choices very similar to a vSwitch, but at a smaller scale. More detail on the gateway function and STT next week.

The post Overlay Entropy appeared first on Plexxi.

Read the original blog entry...

More Stories By Marten Terpstra

Marten Terpstra is a Product Management Director at Plexxi Inc. Marten has extensive knowledge of the architecture, design, deployment and management of enterprise and carrier networks.

@ThingsExpo Stories
Things are being built upon cloud foundations to transform organizations. This CEO Power Panel at 15th Cloud Expo, moderated by Roger Strukhoff, Cloud Expo and @ThingsExpo conference chair, addressed the big issues involving these technologies and, more important, the results they will achieve. Rodney Rogers, chairman and CEO of Virtustream; Brendan O'Brien, co-founder of Aria Systems, Bart Copeland, president and CEO of ActiveState Software; Jim Cowie, chief scientist at Dyn; Dave Wagstaff, VP and chief architect at BSQUARE Corporation; Seth Proctor, CTO of NuoDB, Inc.; and Andris Gailitis, C...
SYS-CON Media announced that Cisco, a worldwide leader in IT that helps companies seize the opportunities of tomorrow, has launched a new ad campaign in Cloud Computing Journal. The ad campaign, a webcast titled 'Is Your Data Center Ready for the Application Economy?', focuses on the latest data center networking technologies, including SDN or ACI, and how customers are using SDN and ACI in their organizations to achieve business agility. The Cisco webcast is available on-demand.
Today’s enterprise is being driven by disruptive competitive and human capital requirements to provide enterprise application access through not only desktops, but also mobile devices. To retrofit existing programs across all these devices using traditional programming methods is very costly and time consuming – often prohibitively so. In his session at @ThingsExpo, Jesse Shiah, CEO, President, and Co-Founder of AgilePoint Inc., discussed how you can create applications that run on all mobile devices as well as laptops and desktops using a visual drag-and-drop application – and eForms-buildi...
The Industrial Internet revolution is now underway, enabled by connected machines and billions of devices that communicate and collaborate. The massive amounts of Big Data requiring real-time analysis is flooding legacy IT systems and giving way to cloud environments that can handle the unpredictable workloads. Yet many barriers remain until we can fully realize the opportunities and benefits from the convergence of machines and devices with Big Data and the cloud, including interoperability, data security and privacy.
IoT is still a vague buzzword for many people. In his session at @ThingsExpo, Mike Kavis, Vice President & Principal Cloud Architect at Cloud Technology Partners, discussed the business value of IoT that goes far beyond the general public's perception that IoT is all about wearables and home consumer services. He also discussed how IoT is perceived by investors and how venture capitalist access this space. Other topics discussed were barriers to success, what is new, what is old, and what the future may hold. Mike Kavis is Vice President & Principal Cloud Architect at Cloud Technology Pa...
SYS-CON Events announced today that CodeFutures, a leading supplier of database performance tools, has been named a “Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. CodeFutures is an independent software vendor focused on providing tools that deliver database performance tools that increase productivity during database development and increase database performance and scalability during production.
Dale Kim is the Director of Industry Solutions at MapR. His background includes a variety of technical and management roles at information technology companies. While his experience includes work with relational databases, much of his career pertains to non-relational data in the areas of search, content management, and NoSQL, and includes senior roles in technical marketing, sales engineering, and support engineering. Dale holds an MBA from Santa Clara University, and a BA in Computer Science from the University of California, Berkeley.
The Internet of Things (IoT) is rapidly in the process of breaking from its heretofore relatively obscure enterprise applications (such as plant floor control and supply chain management) and going mainstream into the consumer space. More and more creative folks are interconnecting everyday products such as household items, mobile devices, appliances and cars, and unleashing new and imaginative scenarios. We are seeing a lot of excitement around applications in home automation, personal fitness, and in-car entertainment and this excitement will bleed into other areas. On the commercial side, m...
The Internet of Things (IoT) promises to evolve the way the world does business; however, understanding how to apply it to your company can be a mystery. Most people struggle with understanding the potential business uses or tend to get caught up in the technology, resulting in solutions that fail to meet even minimum business goals. In his session at @ThingsExpo, Jesse Shiah, CEO / President / Co-Founder of AgilePoint Inc., showed what is needed to leverage the IoT to transform your business. He discussed opportunities and challenges ahead for the IoT from a market and technical point of vie...
The 3rd International Internet of @ThingsExpo, co-located with the 16th International Cloud Expo - to be held June 9-11, 2015, at the Javits Center in New York City, NY - announces that its Call for Papers is now open. The Internet of Things (IoT) is the biggest idea since the creation of the Worldwide Web more than 20 years ago.
"People are a lot more knowledgeable about APIs now. There are two types of people who work with APIs - IT people who want to use APIs for something internal and the product managers who want to do something outside APIs for people to connect to them," explained Roberto Medrano, Executive Vice President at SOA Software, in this SYS-CON.tv interview at Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Performance is the intersection of power, agility, control, and choice. If you value performance, and more specifically consistent performance, you need to look beyond simple virtualized compute. Many factors need to be considered to create a truly performant environment. In his General Session at 15th Cloud Expo, Harold Hannon, Sr. Software Architect at SoftLayer, discussed how to take advantage of a multitude of compute options and platform features to make cloud the cornerstone of your online presence.
SYS-CON Media announced that Splunk, a provider of the leading software platform for real-time Operational Intelligence, has launched an ad campaign on Big Data Journal. Splunk software and cloud services enable organizations to search, monitor, analyze and visualize machine-generated big data coming from websites, applications, servers, networks, sensors and mobile devices. The ads focus on delivering ROI - how improved uptime delivered $6M in annual ROI, improving customer operations by mining large volumes of unstructured data, and how data tracking delivers uptime when it matters most.
In this Women in Technology Power Panel at 15th Cloud Expo, moderated by Anne Plese, Senior Consultant, Cloud Product Marketing at Verizon Enterprise, Esmeralda Swartz, CMO at MetraTech; Evelyn de Souza, Data Privacy and Compliance Strategy Leader at Cisco Systems; Seema Jethani, Director of Product Management at Basho Technologies; Victoria Livschitz, CEO of Qubell Inc.; Anne Hungate, Senior Director of Software Quality at DIRECTV, discussed what path they took to find their spot within the technology industry and how do they see opportunities for other women in their area of expertise.
DevOps Summit 2015 New York, co-located with the 16th International Cloud Expo - to be held June 9-11, 2015, at the Javits Center in New York City, NY - announces that it is now accepting Keynote Proposals. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that produce software that is obsolete at launch. DevOps may be disruptive, but it is essential.
Almost everyone sees the potential of Internet of Things but how can businesses truly unlock that potential. The key will be in the ability to discover business insight in the midst of an ocean of Big Data generated from billions of embedded devices via Systems of Discover. Businesses will also need to ensure that they can sustain that insight by leveraging the cloud for global reach, scale and elasticity.
"BSQUARE is in the business of selling software solutions for smart connected devices. It's obvious that IoT has moved from being a technology to being a fundamental part of business, and in the last 18 months people have said let's figure out how to do it and let's put some focus on it, " explained Dave Wagstaff, VP & Chief Architect, at BSQUARE Corporation, in this SYS-CON.tv interview at @ThingsExpo, held Nov 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
“The age of the Internet of Things is upon us,” stated Thomas Svensson, senior vice-president and general manager EMEA, ThingWorx, “and working with forward-thinking companies, such as Elisa, enables us to deploy our leading technology so that customers can profit from complete, end-to-end solutions.” ThingWorx, a PTC® (Nasdaq: PTC) business and Internet of Things (IoT) platform provider, announced on Monday that Elisa, Finnish provider of mobile and fixed broadband subscriptions, will deploy ThingWorx® platform technology to enable a new Elisa IoT service in Finland and Estonia.
Advanced Persistent Threats (APTs) are increasing at an unprecedented rate. The threat landscape of today is drastically different than just a few years ago. Attacks are much more organized and sophisticated. They are harder to detect and even harder to anticipate. In the foreseeable future it's going to get a whole lot harder. Everything you know today will change. Keeping up with this changing landscape is already a daunting task. Your organization needs to use the latest tools, methods and expertise to guard against those threats. But will that be enough? In the foreseeable future attacks w...
As enterprises move to all-IP networks and cloud-based applications, communications service providers (CSPs) – facing increased competition from over-the-top providers delivering content via the Internet and independently of CSPs – must be able to offer seamless cloud-based communication and collaboration solutions that can scale for small, midsize, and large enterprises, as well as public sector organizations, in order to keep and grow market share. The latest version of Oracle Communications Unified Communications Suite gives CSPs the capability to do just that. In addition, its integration ...