Try out current version on OF switches

[mcanini]

Pica8 in CNRS is a no go

[Baloc]

Additional inputs for Pica8:

Testing of endeavour platform on Pica8 P-3295 switch

test of edge1 rules from test1-mh topology

Output of OpenFlow agent (ovs)

  cookie=0x35, duration=63576.870s, table=0, n_packets=n/a, n_bytes=0, priority=8,arp,arp_tpa=172.0.1.0/24 actions=set_field:08:00:27:89:33:ff->eth_dst,goto_table:4
  cookie=0x1, duration=63599.650s, table=0, n_packets=n/a, n_bytes=0, priority=5,in_port=5 actions=set_field:08:00:bb:bb:01:00->eth_dst,goto_table:1
  cookie=0x32, duration=63788.958s, table=0, n_packets=n/a, n_bytes=0, priority=9,arp,dl_dst=00:00:00:01:00:03/00:00:03:ff:ff:ff actions=set_field:08:00:bb:bb:03:01->eth_dst,goto_table:4
  cookie=0x31, duration=63692.041s, table=0, n_packets=n/a, n_bytes=0, priority=9,arp,dl_dst=00:00:00:00:00:03/00:00:03:ff:ff:ff actions=set_field:08:00:bb:bb:03:00->eth_dst,goto_table:4
  cookie=0x2f, duration=63737.764s, table=0, n_packets=n/a, n_bytes=0, priority=9,arp,dl_dst=00:00:00:00:00:01/00:00:03:ff:ff:ff actions=set_field:08:00:bb:bb:01:00->eth_dst,goto_table:4
  cookie=0x30, duration=63675.733s, table=0, n_packets=n/a, n_bytes=0, priority=9,arp,dl_dst=00:00:00:00:00:02/00:00:03:ff:ff:ff actions=set_field:08:00:bb:bb:02:00->eth_dst,goto_table:4
  cookie=0x33, duration=64303.682s, table=0, n_packets=n/a, n_bytes=0, priority=2,dl_dst=80:00:00:00:00:00/80:00:00:00:00:00 actions=goto_table:1
  cookie=0x34, duration=63644.450s, table=0, n_packets=n/a, n_bytes=0, priority=1 actions=goto_table:3
  cookie=0x0, duration=63614.113s, table=0, n_packets=n/a, n_bytes=0, priority=0 actions=CONTROLLER:65509
  cookie=0x0, duration=63659.350s, table=0, n_packets=n/a, n_bytes=0, priority=8,tcp,tp_src=179 actions=goto_table:4
  cookie=0x38, duration=63529.355s, table=1, n_packets=n/a, n_bytes=0, priority=1 actions=goto_table:2
  cookie=0x0, duration=63513.986s, table=1, n_packets=n/a, n_bytes=0, priority=0 actions=CONTROLLER:65509
  cookie=0x37, duration=63490.214s, table=2, n_packets=n/a, n_bytes=0, priority=1 actions=goto_table:3
  cookie=0x0, duration=63458.565s, table=2, n_packets=n/a, n_bytes=0, priority=0 actions=CONTROLLER:65509
  cookie=0x36, duration=63398.829s, table=2, n_packets=n/a, n_bytes=0, priority=3,dl_dst=00:00:00:00:00:03/00:00:00:00:ff:ff actions=set_field:00:00:00:00:00:03->eth_dst,goto_table:3
  cookie=0x3b, duration=63266.315s, table=3, n_packets=n/a, n_bytes=0, priority=4,dl_dst=00:00:00:00:00:01/00:00:00:00:ff:ff actions=set_field:08:00:bb:bb:01:00->eth_dst,goto_table:4
  cookie=0x3c, duration=63253.157s, table=3, n_packets=n/a, n_bytes=0, priority=4,dl_dst=00:00:00:00:00:02/00:00:00:00:ff:ff actions=set_field:08:00:bb:bb:02:00->eth_dst,goto_table:4
  cookie=0x3d, duration=63382.135s, table=3, n_packets=n/a, n_bytes=0, priority=1 actions=goto_table:4
  cookie=0x0, duration=63319.638s, table=3, n_packets=n/a, n_bytes=0, priority=0 actions=CONTROLLER:65509
  cookie=0x39, duration=63303.727s, table=3, n_packets=n/a, n_bytes=0, priority=4,dl_dst=00:00:00:00:00:03/00:00:03:ff:ff:ff actions=set_field:08:00:bb:bb:03:00->eth_dst,goto_table:4
  cookie=0x3a, duration=63286.066s, table=3, n_packets=n/a, n_bytes=0, priority=4,dl_dst=00:00:00:01:00:03/00:00:03:ff:ff:ff actions=set_field:08:00:bb:bb:03:01->eth_dst,goto_table:4
  cookie=0x0, duration=63239.983s, table=4, n_packets=n/a, n_bytes=0, priority=0 actions=CONTROLLER:65509
  cookie=0x77, duration=62689.865s, table=5, n_packets=n/a, n_bytes=0, priority=4,dl_dst=00:05:00:00:00:00/00:ff:00:00:00:00 actions=set_field:08:00:27:89:33:ff->eth_dst,output:5
  cookie=0x79, duration=62729.530s, table=5, n_packets=n/a, n_bytes=0, priority=4,dl_dst=00:07:00:00:00:00/00:ff:00:00:00:00 actions=set_field:08:00:27:89:33:ff->eth_dst,output:7
  cookie=0x78, duration=62713.910s, table=5, n_packets=n/a, n_bytes=0, priority=4,dl_dst=00:06:00:00:00:00/00:ff:00:00:00:00 actions=set_field:08:00:27:89:33:ff->eth_dst,output:6
  cookie=0x0, duration=62822.165s, table=5, n_packets=n/a, n_bytes=0, priority=0 actions=CONTROLLER:65509
  cookie=0x19, duration=62661.679s, table=5, n_packets=n/a, n_bytes=0, priority=4,dl_dst=08:00:bb:bb:01:00 actions=output:5
  cookie=0x1a, duration=62648.155s, table=5, n_packets=n/a, n_bytes=0, priority=4,dl_dst=08:00:27:89:3b:ff actions=output:6
  cookie=0x1b, duration=62674.988s, table=5, n_packets=n/a, n_bytes=0, priority=4,dl_dst=08:00:27:89:33:ff actions=output:7
  cookie=0x25, duration=62833.951s, table=5, n_packets=n/a, n_bytes=0, priority=4,metadata=0x40,dl_dst=08:00:bb:bb:03:00 actions=set_field:03:05:00:00:00:00->eth_dst,output:4
  cookie=0x24, duration=63014.538s, table=5, n_packets=n/a, n_bytes=0, priority=4,metadata=0x20,dl_dst=08:00:bb:bb:03:00 actions=set_field:03:05:00:00:00:00->eth_dst,output:2
  cookie=0x28, duration=62944.262s, table=5, n_packets=n/a, n_bytes=0, priority=4,metadata=0x20,dl_dst=08:00:bb:bb:03:01 actions=set_field:04:05:00:00:00:00->eth_dst,output:2
  cookie=0x21, duration=62958.696s, table=5, n_packets=n/a, n_bytes=0, priority=4,metadata=0x40,dl_dst=08:00:bb:bb:02:00 actions=set_field:02:05:00:00:00:00->eth_dst,output:4
  cookie=0x20, duration=62918.607s, table=5, n_packets=n/a, n_bytes=0, priority=4,metadata=0x20,dl_dst=08:00:bb:bb:02:00 actions=set_field:02:05:00:00:00:00->eth_dst,output:2
  cookie=0x26, duration=62848.680s, table=5, n_packets=n/a, n_bytes=0, priority=4,metadata=0x30,dl_dst=08:00:bb:bb:03:00 actions=set_field:03:05:00:00:00:00->eth_dst,output:3
  cookie=0x22, duration=62900.621s, table=5, n_packets=n/a, n_bytes=0, priority=4,metadata=0x30,dl_dst=08:00:bb:bb:02:00 actions=set_field:02:05:00:00:00:00->eth_dst,output:3
  cookie=0x27, duration=62888.250s, table=5, n_packets=n/a, n_bytes=0, priority=4,metadata=0x10,dl_dst=08:00:bb:bb:03:01 actions=set_field:04:05:00:00:00:00->eth_dst,output:1
  cookie=0x29, duration=62988.773s, table=5, n_packets=n/a, n_bytes=0, priority=4,metadata=0x40,dl_dst=08:00:bb:bb:03:01 actions=set_field:04:05:00:00:00:00->eth_dst,output:4
  cookie=0x2a, duration=63029.381s, table=5, n_packets=n/a, n_bytes=0, priority=4,metadata=0x30,dl_dst=08:00:bb:bb:03:01 actions=set_field:04:05:00:00:00:00->eth_dst,output:3
  cookie=0x23, duration=62876.975s, table=5, n_packets=n/a, n_bytes=0, priority=4,metadata=0x10,dl_dst=08:00:bb:bb:03:00 actions=set_field:03:05:00:00:00:00->eth_dst,output:1
  cookie=0x1f, duration=62973.551s, table=5, n_packets=n/a, n_bytes=0, priority=4,metadata=0x10,dl_dst=08:00:bb:bb:02:00 actions=set_field:02:05:00:00:00:00->eth_dst,output:1
  cookie=0x7, duration=62740.116s, table=5, n_packets=n/a, n_bytes=0, priority=8,arp,arp_tpa=172.0.0.11 actions=set_field:02:05:00:00:00:00->eth_dst,output:4
  cookie=0x1, duration=62752.753s, table=5, n_packets=n/a, n_bytes=0, priority=8,arp,arp_tpa=172.0.0.1 actions=set_field:08:00:bb:bb:01:00->eth_dst,output:5
  cookie=0x8, duration=62764.816s, table=5, n_packets=n/a, n_bytes=0, priority=8,arp,arp_tpa=172.0.0.21 actions=set_field:03:05:00:00:00:00->eth_dst,output:4
  cookie=0x9, duration=62776.319s, table=5, n_packets=n/a, n_bytes=0, priority=8,arp,arp_tpa=172.0.0.22 actions=set_field:04:05:00:00:00:00->eth_dst,output:4
  cookie=0x3, duration=62802.607s, table=5, n_packets=n/a, n_bytes=0, priority=8,arp,arp_tpa=172.0.255.253 actions=set_field:08:00:27:89:33:ff->eth_dst,output:7
  cookie=0x2, duration=62791.512s, table=5, n_packets=n/a, n_bytes=0, priority=8,arp,arp_tpa=172.0.255.254 actions=set_field:08:00:27:89:33:ff->eth_dst,output:6

Output of TCAM implementation (custom command of PicOS)

admin@PicOS-OVS$ovs-appctl pica/dump-flows
#1196 normal permanent priority=12,recirc_id=0,arp,dl_dst=00:05:00:00:00:00/00:ff:00:00:00:00, actions:drop
#1126 normal permanent priority=14,recirc_id=0,tcp,tp_src=179, actions:userspace(pid=0,slow_path(controller))
#1193 normal permanent priority=12,recirc_id=0,arp,dl_dst=00:06:00:00:00:00/00:ff:00:00:00:00, actions:drop
#1130 normal permanent priority=4,recirc_id=0,dl_dst=80:00:00:00:00:01/80:00:00:00:ff:ff, actions:userspace(pid=0,slow_path(controller))
#1168 normal permanent priority=12,recirc_id=0,arp,dl_dst=08:00:bb:bb:03:01, actions:userspace(pid=0,slow_path(controller))
#1131 normal permanent priority=4,recirc_id=0,dl_dst=80:00:00:00:00:02/80:00:00:00:ff:ff, actions:userspace(pid=0,slow_path(controller))
#1202 normal permanent priority=12,recirc_id=0,arp,dl_dst=08:00:bb:bb:01:00, actions:drop
#1115 normal_u permanent priority=18000008,recirc_id=0,tcp,nw_src=10.10.10.101,tp_src=6633, actions:To_CPU(for_packet_driven)
#1132 normal permanent priority=3,recirc_id=0,dl_dst=80:00:00:00:00:00/80:00:00:00:00:00, actions:userspace(pid=0,slow_path(controller))
#1134 normal permanent priority=2,recirc_id=0,dl_dst=00:00:00:00:00:02/00:00:00:00:ff:ff, actions:userspace(pid=0,slow_path(controller))
#1184 normal permanent priority=13,recirc_id=0,arp,arp_tpa=172.0.0.1, actions:drop
#1112 normal_u permanent priority=18000002,recirc_id=0,arp,dl_src=92:61:d4:a9:cf:63,arp_op=1, actions:To_CPU(for_packet_driven)
#1190 normal permanent priority=12,recirc_id=0,arp,dl_dst=00:07:00:00:00:00/00:ff:00:00:00:00, actions:drop
#1199 normal permanent priority=12,recirc_id=0,arp,dl_dst=08:00:27:89:33:ff, actions:drop
#1178 normal permanent priority=13,recirc_id=0,arp,arp_tpa=172.0.0.22, actions:drop
#1205 normal permanent priority=12,recirc_id=0,arp,dl_dst=08:00:27:89:3b:ff, actions:drop
#1166 normal permanent priority=12,recirc_id=0,arp,dl_dst=08:00:bb:bb:02:00, actions:userspace(pid=0,slow_path(controller))
#1128 normal permanent priority=6,recirc_id=0,dl_dst=80:00:00:01:00:03/80:00:03:ff:ff:ff, actions:userspace(pid=0,slow_path(controller))
#1172 normal permanent priority=13,recirc_id=0,arp,arp_tpa=172.0.255.253, actions:drop
#1119 normal_u permanent priority=18000004,recirc_id=0,arp,dl_src=a0:36:9f:10:67:fd,arp_op=1, actions:To_CPU(for_packet_driven)
#1120 normal_u permanent priority=18000003,recirc_id=0,arp,dl_dst=a0:36:9f:10:67:fd,arp_op=2, actions:To_CPU(for_packet_driven)
#1181 normal permanent priority=13,recirc_id=0,arp,arp_tpa=172.0.0.21, actions:drop
#1122 normal permanent priority=15,recirc_id=0,arp,dl_dst=00:00:00:00:00:03/00:00:03:ff:ff:ff, actions:userspace(pid=0,slow_path(controller))
#1121 normal permanent priority=15,recirc_id=0,arp,dl_dst=00:00:00:01:00:03/00:00:03:ff:ff:ff, actions:userspace(pid=0,slow_path(controller))
#1133 normal permanent priority=2,recirc_id=0,dl_dst=00:00:00:00:00:01/00:00:00:00:ff:ff, actions:userspace(pid=0,slow_path(controller))
#1124 normal permanent priority=15,recirc_id=0,arp,dl_dst=00:00:00:00:00:02/00:00:03:ff:ff:ff, actions:userspace(pid=0,slow_path(controller))
#1187 normal permanent priority=13,recirc_id=0,arp,arp_tpa=172.0.0.11, actions:drop
#1136 normal permanent priority=2,recirc_id=0,dl_dst=00:00:00:01:00:03/00:00:03:ff:ff:ff, actions:userspace(pid=0,slow_path(controller))
#1117 normal_u permanent priority=18000006,recirc_id=0,arp,arp_spa=10.10.10.101,arp_op=1, actions:To_CPU(for_packet_driven)
#1167 normal permanent priority=12,recirc_id=0,arp,dl_dst=08:00:bb:bb:03:00, actions:userspace(pid=0,slow_path(controller))
#1113 normal_u permanent priority=18000001,recirc_id=0,arp,dl_dst=92:61:d4:a9:cf:63,arp_op=2, actions:To_CPU(for_packet_driven)
#1206 normal permanent priority=1,recirc_id=0, actions:userspace(pid=0,slow_path(controller))
#1169 normal permanent priority=11,recirc_id=0,arp, actions:userspace(pid=0,slow_path(controller))
#1125 normal permanent priority=14,recirc_id=0,arp,arp_tpa=172.0.1.0/24, actions:userspace(pid=0,slow_path(controller))
#1129 normal permanent priority=5,recirc_id=0,dl_dst=80:00:00:00:00:03/80:00:00:00:ff:ff, actions:userspace(pid=0,slow_path(controller))
#1127 normal permanent priority=6,recirc_id=0,dl_dst=80:00:00:00:00:03/80:00:03:ff:ff:ff, actions:userspace(pid=0,slow_path(controller))
#1135 normal permanent priority=2,recirc_id=0,dl_dst=00:00:00:00:00:03/00:00:03:ff:ff:ff, actions:userspace(pid=0,slow_path(controller))
normal_u permanent internal priority=18000000,recirc_id=0,udp,in_port=60008,dl_src=92:61:d4:a9:cf:63,tp_src=68,tp_dst=67, actions:To_CPU(for_packet_driven)
#1175 normal permanent priority=13,recirc_id=0,arp,arp_tpa=172.0.255.254, actions:drop
#1114 normal permanent priority=18000009,recirc_id=0,tcp,dl_dst=92:61:d4:a9:cf:63,nw_src=10.10.10.101,tp_src=6633, actions:set(skb_priority(0x7)),60008
#1123 normal permanent priority=15,recirc_id=0,arp,dl_dst=00:00:00:00:00:01/00:00:03:ff:ff:ff, actions:userspace(pid=0,slow_path(controller))
#1118 normal_u permanent priority=18000005,recirc_id=0,arp,arp_tpa=10.10.10.101,arp_op=2, actions:To_CPU(for_packet_driven)
#1116 normal_u permanent priority=18000007,recirc_id=0,tcp,nw_dst=10.10.10.101,tp_dst=6633, actions:To_CPU(for_packet_driven)
Total 42 flows in HW.

Analyse

• Not the same number of flows (even if we remove the inband functionnality in the counting)
• Actions are not applied correctly in hardware (set_field part), puts drop by default
• Issues for matching metadata (not sure why, documentation says it is supported)
• Shift in prioities, but respect the values defined by the controller (no mixing between rules inserted)

Version

admin@PicOS-OVS$version
Copyright (C) 2009-2014 Pica8, Inc.
===================================
Hardware Model                : P3295
Linux System Version/Revision : 2.6.5/24714
Linux System Released Date    : 02/22/2016
L2/L3 Version/Revision        : 2.6.5/24714
L2/L3 Released Date           : 02/22/2016
OVS/OF Version/Revision       : 2.6.5/24714
OVS/OF Released Date          : 02/22/2016

[mcanini]

Instructions of the iSDX setup on of-dpa https://github.com/h2020-endeavour/iSDX/blob/master/examples/test-ms/ofdpa/README.md

[mcanini]

List of tasks that we need to address

• static rules for the topology we planned
• exposing multiple virtual switches to the ctrl
• understand the basic deployment mode of iSDX code base
• how to run the participant border router (some virtualization technology?)

[ederlf]

I think the documentation for iSDX may not apply for the switches we have. It looks like corsa is FPGA based and Centecs use a proprietary ASIC chip for OpenFlow.

That said, I have an idea for the topology. As the Corsa switches look more capable of handling multiple tables and matching on multiple fields, due to the flexibility of the implementation, they can compose the edge of the topology. Since in the core, we need only to handle umbrella, the Centec is a good fit, since we only need to match and rewrite the MAC address for umbrella (not considering monitoring, it can be included depending on the pipeline of the Centec.)

For the border routers we can use virtual machines/ containers in the servers. For the anomaly detection I used lxc, but it could be docker or what is the most familiar virtualization technology for us. Also, it depends on how many interfaces do we have in the servers. We could use vlans to have more containers sharing the same port, but this can complicate the environment.

Here is a high level sketch of how the idea looks like.