Most modern Ethernet forwarding elements (e.g., switches and routers) include flow tables (typically built from TCAMs, or Ternary Content Addressable Memories) that run at line rate to implement firewalls, NAT (network address translation), and QoS (quality of service), and to collect statistics. While the flow tables of different vendors may differ, OpenFlow exploits a common set of functions that run in many switches and routers.
OpenFlow provides an open protocol to program flow tables in different forwarding elements (e.g., switches and routers). A network administrator, for example, can partition traffic into production and research flows, and/or researchers can control their own flows by choosing the routes their packets follow and the processing they receive. In this way, researchers can try new routing protocols, security models, addressing schemes, and even alternatives to IP (Internet Protocol). On the same network, the production traffic may be isolated and processed conventionally.
The datapath of an OpenFlow forwarding element (e.g., switch) may include a flow table, and an action associated with each flow rule (also referred to as a flow entry) included in the flow table. The set of actions supported by an OpenFlow forwarding element may be extensible. For high-performance and low-cost, the datapath may have a carefully prescribed degree of flexibility, which may mean forgoing the ability to specify arbitrary handling of each packet and seeking a more limited, but still useful, range of actions.
An OpenFlow forwarding element may include a flow table having a plurality of flow rules (with an action associated with each flow rule) that tell the forwarding element how to process the respective flow, and a secure channel that connects the switch to a remote OpenFlow controller, allowing commands and packets to be sent between the controller and the forwarding element using the OpenFlow Protocol (which provides an open and standard way for a controller to communicate with a forwarding element). By specifying a standard interface (the OpenFlow Protocol) through which rules/entries in the forwarding element's flow table can be defined by an external controller, researchers may not need to individually program each OpenFlow forwarding element.
An OpenFlow forwarding element may include one or more flow tables and a group table (which may perform packet lookups and forwarding) and an OpenFlow channel to an external OpenFlow controller. The OpenFlow controller manages the forwarding element via the OpenFlow protocol. Using this protocol, the controller can add, update, and delete flow rules/entries, both reactively (in response to packets received at the forwarding element) and proactively (e.g., to program flow tables of a new forwarding element).
Each flow table in the forwarding element may include a set of flow rules/entries. Each flow rule/entry may include matched fields, counters, and a set of instructions to apply to matching packets.
Matching at a forwarding element may start at a first flow table (also referred to as a primary flow table) and may continue to additional flow tables of the forwarding element. Flow rules/entries match data packets in priority order, with the first matching rule/entry in each table being used. If a matching rule/entry is found for a data packet in a flow table, the instructions associated with the specific flow rule/entry are executed for the data packet. If no match is found for the data packet in a flow table, the outcome may depend on forwarding element configuration. The data packet may be forwarded to the controller over the OpenFlow channel, the data packet may be dropped, or attempts to match the data packet may continue to a next flow table of the forwarding element.
Instructions associated with each flow rule/entry describe data packet forwarding, data packet modification, group table processing, and pipeline processing. Pipeline processing instructions allow data packets to be sent to subsequent tables for further processing and allow information (e.g., in the form of metadata) to be communicated between tables. Table pipeline processing may stop when the instruction set associated with a matching flow rule/entry does not specify a next table. At this point, the data packet may usually be modified and forwarded.
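The multi-table lookup described above (priority-ordered matching, per-entry counters, metadata passed between tables, and the three table-miss outcomes) as a small simulation; this is an added example, not code from the original text or from any OpenFlow implementation. Field names such as "vlan" and "ip_dst", the action strings, and the rule that a "continue" miss on the last table is treated as a drop are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Table-miss outcomes named in the text: send to controller, drop, or try the next table.
MISS_CONTROLLER, MISS_DROP, MISS_CONTINUE = "controller", "drop", "continue"

@dataclass
class FlowEntry:
    priority: int
    match: dict                                   # field -> value; unlisted fields are wildcards
    actions: list = field(default_factory=list)   # e.g. "output:3" (constructed action names)
    goto_table: Optional[int] = None              # pipeline instruction: continue in that table
    write_metadata: Optional[int] = None          # metadata handed to later tables
    packet_count: int = 0                         # the entry's packet counter

class Pipeline:
    def __init__(self, miss_policy):
        self.miss_policy = miss_policy            # one table-miss policy per table
        self.tables = [[] for _ in miss_policy]
    def add(self, table, entry):
        self.tables[table].append(entry)
        self.tables[table].sort(key=lambda e: -e.priority)   # highest priority first
    def process(self, pkt):
        pkt, actions, t = dict(pkt, metadata=0), [], 0
        while t is not None:
            hit = next((e for e in self.tables[t]
                        if all(pkt.get(k) == v for k, v in e.match.items())), None)
            if hit is None:
                policy = self.miss_policy[t]
                if policy == MISS_CONTINUE and t + 1 < len(self.tables):
                    t += 1
                    continue
                # assumption: a "continue" miss on the last table has nowhere to go, so drop
                return actions + [MISS_DROP if policy == MISS_CONTINUE else policy]
            hit.packet_count += 1
            actions += hit.actions
            if hit.write_metadata is not None:
                pkt["metadata"] = hit.write_metadata
            t = hit.goto_table                    # None ends pipeline processing
        return actions

pipe = Pipeline(miss_policy=[MISS_DROP, MISS_CONTROLLER])
# Table 0 partitions traffic: research VLAN 10 gets metadata 1 and goes on to table 1;
# the priority-0 wildcard entry gives all other (production) traffic "normal" switching.
pipe.add(0, FlowEntry(100, {"vlan": 10}, write_metadata=1, goto_table=1))
pipe.add(0, FlowEntry(0, {}, actions=["output:normal"]))
# Table 1 holds a researcher's own route, keyed on metadata plus destination.
pipe.add(1, FlowEntry(50, {"metadata": 1, "ip_dst": "10.0.0.7"}, actions=["output:3"]))

def run_demo():
    production = pipe.process({"vlan": 1, "ip_dst": "10.0.0.7"})   # -> ["output:normal"]
    research = pipe.process({"vlan": 10, "ip_dst": "10.0.0.7"})    # -> ["output:3"]
    unknown = pipe.process({"vlan": 10, "ip_dst": "10.0.0.9"})     # table 1 miss -> ["controller"]
    return production, research, unknown
```

Note that only the research packet with an unknown destination reaches the controller; the priority-0 wildcard entry in table 0 means production traffic never triggers a table miss, which is the kind of check worth making before exposing a controller to packet-ins.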
Flow rules/entries may forward respective data packets to a port. This is usually a physical port, but it may also be a virtual port defined by the switch or a reserved virtual port defined by the OpenFlow switch specification. Reserved virtual ports may specify generic forwarding actions such as sending to the controller, flooding, or forwarding using non-OpenFlow methods, such as “normal” switch processing, while switch-defined virtual ports may specify link aggregation groups, tunnels or loopback interfaces.
Flow rules/entries may also point to a group, which specifies additional processing. Groups represent sets of actions for flooding, as well as more complex forwarding semantics (e.g., multipath, fast reroute, and link aggregation). As a general layer of indirection, groups also enable multiple flows to forward to a single identifier (e.g., IP forwarding to a common next hop). This abstraction may allow common output actions across flows to be changed efficiently.
A group table may include group entries, with each group entry including a list of action buckets with specific semantics dependent on group type. The actions in one or more action buckets are applied to data packets sent to the group.
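The group-table semantics in the two paragraphs above (flooding, multipath, fast reroute, and a group as a shared layer of indirection for many flows) as an added simulation; this is not code from the original text or from any OpenFlow product. Group type names, the per-flow hash used for "select", and the "watch port" liveness check for fast failover are this example's own assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class Bucket:
    actions: list                      # e.g. "output:2" (constructed action names)
    watch_port: Optional[int] = None   # fast failover: bucket is live only while this port is up

class GroupTable:
    def __init__(self, port_up):
        self.groups = {}           # group id -> (group type, list of action buckets)
        self.port_up = port_up     # port -> bool, constructed link state
    def add(self, gid, gtype, buckets):
        self.groups[gid] = (gtype, buckets)
    def apply(self, gid, pkt):
        gtype, buckets = self.groups[gid]
        if gtype == "all":            # flooding: every bucket is applied
            return [a for b in buckets for a in b.actions]
        if gtype == "indirect":       # single bucket, shared by many flow entries
            return buckets[0].actions
        if gtype == "select":         # multipath / link aggregation: one bucket per flow hash
            key = f"{pkt['ip_src']}|{pkt['ip_dst']}".encode()
            idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(buckets)
            return buckets[idx].actions
        if gtype == "fast_failover":  # fast reroute: first bucket whose watched port is up
            for b in buckets:
                if self.port_up.get(b.watch_port, False):
                    return b.actions
            return ["drop"]           # no live bucket
        raise ValueError(f"unknown group type {gtype}")

def run_demo():
    gt = GroupTable(port_up={1: True, 2: True, 3: True})
    gt.add(7, "indirect", [Bucket(["output:2"])])
    gt.add(8, "fast_failover", [Bucket(["output:2"], 2), Bucket(["output:3"], 3)])
    gt.add(9, "select", [Bucket(["output:1"]), Bucket(["output:2"])])
    # Two flow entries (constructed) forward to group 7, the common next hop.
    flows = {"10.0.0.7": 7, "10.0.0.8": 7}
    pkts = [{"ip_src": "10.0.1.1", "ip_dst": d} for d in flows]
    before = [gt.apply(flows[p["ip_dst"]], p) for p in pkts]
    gt.groups[7][1][0].actions = ["output:3"]   # one group edit re-routes every flow using it
    after = [gt.apply(flows[p["ip_dst"]], p) for p in pkts]
    gt.port_up[2] = False                       # link on port 2 fails
    rerouted = gt.apply(8, pkts[0])             # failover bucket takes over, no controller round trip
    same_path = gt.apply(9, pkts[0]) == gt.apply(9, pkts[0])  # select is stable per flow
    return before, after, rerouted, same_path
```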
OpenFlow forwarding elements (e.g., switches and/or routers), controllers, and protocols are discussed, for example, in “OpenFlow Switch Specification,” Version 1.1.0 Implemented (Wire Protocol 0x02), Feb. 28, 2011, and in the reference by McKeown et al. entitled “OpenFlow: Enabling Innovation In Campus Networks,” Mar. 14, 2008. The disclosures of both of the above referenced documents are hereby incorporated herein in their entireties by reference.
The OpenFlow channel is the interface that connects an OpenFlow forwarding element with a controller. The channel itself may be implementation specific, and it may be implemented using a TCP (Transmission Control Protocol) connection or a SCTP (Stream Control Transmission Protocol) connection. Moreover, TLS (Transport Layer Security) may be used to send messages that are encrypted by the controller and decrypted by the forwarding element.
Notwithstanding networks discussed above, there continues to exist a need in the art for improved operations in networks including forwarding elements and controllers.