In Collaboration With
April 28, 2016
Tap-as-a-service: What you need to know now
Copyright © PLUMgrid, Inc. 2011-2016
Introduction: Speaker(s)
• Fawad Khaliq, Sr. Software Engineer, PLUMgrid Inc
• Anil Rao, Distinguished Engineer, Gigamon
• Reedip Banerjee, Tech Lead, NEC Technologies
• Vinay Yadhav, Experienced Researcher, Ericsson
• Takashi Yamamoto, Sr. Software Engineer, Midokura
Agenda
• Tap-as-a-Service Introduction
• Motivation for TaaS
• Progress so far
• TaaS Object Model
• Demo
• Next Steps
• Q&A
Tap-as-a-Service Introduction
Tap-as-a-service in OpenStack
• Advanced networking service in OpenStack that provides traffic mirroring.
• Currently exposes an API for port mirroring.
• Lets tenants/operators mirror packets from one or more Neutron ports.
• A Neutron port may belong to a VM, a container or a bare-metal host, depending on the backend implementation.
Tap-as-a-service in OpenStack
[Diagram: the User drives TaaS through Neutron; TaaS mirrors traffic from source port 1 and source port 2 to dest port 1.]
Motivation for TaaS
Motivation for TaaS
Traffic Monitoring Process
• Involves placing tap devices at appropriate locations within the network infrastructure and attaching traffic analyzers to them.
• These analyzers can then see the same packets passing through those network segments, as if they were also inline.
• A logical tap device can be (easily) constructed using the port-mirroring function of a network switching element.
• So, why is it [still] not possible to monitor the activity in OpenStack virtual networks?
Motivation for TaaS
Architectural Characteristics of Cloud Platforms
Multi-tenancy
• Multi-tenancy allows available resources and services to be shared among different groups of users.
• Each group, known as a tenant, is provided with an environment that is completely isolated from the others.
• Members of a tenant are oblivious of the fact that other groups may be co-existing with them.
• Multi-tenancy promotes delegation of control in a safe and secure manner.
Location Independence
• Location independence is primarily concerned with hiding the identities of individual infrastructure components from virtualized workloads.
• This has made it possible to relocate running virtual machines from one host to another.
• An equally important but less appreciated benefit of location independence is the improved efficiency in resource allocation.
Motivation for TaaS
• Tenants are (typically) unaware of the physical hosts on which their VMs are running.
• VMs belonging to different tenants may be placed on the same host.
• Tenant virtual networks often extend across multiple hosts.
• To avoid the possibility of cross-tenant data leakage, tenants are prevented from directly accessing the controls of the underlying switch fabric (host-level virtual switches, top-of-rack switches, etc.).
• Unfortunately, this means that the port-mirroring capability of those switches is also not available to them.
Motivation for TaaS
Desire:
• A tapping service that enables a tenant and/or the cloud administrator to safely monitor Neutron ports.
• The service must ensure that tenant isolation boundaries are not compromised.
• Port-mirror sessions should transparently span hosts to preserve location independence.
Solution:
• Tap-as-a-Service is a platform-oriented approach that satisfies the above need.
• It effectively virtualizes port mirroring, formerly a switch-layer function, and makes it available to users of Neutron-provisioned networks.
• TaaS serves as the basic building block on top of which more complex traffic visibility solutions can be engineered.
Progress So Far
Progress So Far
• Version 0.1 of TaaS presented in the demo, with successful integration.
• Source code resides on GitHub (https://github.com/openstack/tap-as-a-service).
• Application for inclusion as an official OpenStack project in Governance and as a possible participant in the Neutron Stadium.
• Support for TaaS in the Horizon Dashboard (beta).
• TaaS is now available as a CLI with NeutronClient:
  • neutron tap-service-create / tap-service-delete / tap-service-show / tap-service-list
  • neutron tap-flow-create / tap-flow-delete / tap-flow-show / tap-flow-list
• Tempest jobs for TaaS are functional on the gate.
Tap-as-a-service Object Model
Tap-as-a-service Object Model
TAP SERVICE: Represents the port on which the mirrored traffic is delivered. Any service (e.g. a monitoring VM) that consumes the mirrored data is attached to this port.
TAP FLOW: Represents the port from which traffic is to be mirrored, together with the direction (IN, OUT or BOTH) of the traffic to copy.
Multiple TAP FLOW instances can be associated with a single TAP SERVICE instance.
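The following is an added illustration, not code from the tap-as-a-service project, of the object model above together with the isolation requirement stated under "Desire" (a tenant may tap only its own ports; only the cloud administrator may cross tenant lines). TapService, TapFlow and the IN/OUT/BOTH direction values follow the TaaS API; the in-memory TaasPlugin class, the Port inventory, the port and tenant IDs, the is_admin flag and the self-loop check are assumptions made for the example. The CLI commands in the comments are the neutronclient forms as I recall them; confirm with `neutron help tap-flow-create`.

```python
"""Toy model of the TaaS object model (TapService, TapFlow) with the
tenant-isolation check a tenant-facing mirroring API needs.
Constructed illustration, not tap-as-a-service code; IDs and the
is_admin flag are assumptions."""
import uuid
from dataclasses import dataclass
from typing import Dict, List

# Direction values of the tap-flow API: mirror packets entering the
# port (IN), leaving it (OUT), or both.
DIRECTIONS = ("IN", "OUT", "BOTH")


@dataclass(frozen=True)
class Port:
    id: str
    tenant_id: str


@dataclass(frozen=True)
class TapService:
    id: str
    tenant_id: str
    port_id: str  # destination port: mirrored copies are delivered here


@dataclass(frozen=True)
class TapFlow:
    id: str
    tenant_id: str
    source_port_id: str  # port whose traffic is mirrored
    tap_service_id: str
    direction: str


class TaasPlugin:
    """Stand-in for the plugin service: owns the objects and enforces that
    a tenant only references its own ports and tap services."""

    def __init__(self, ports: Dict[str, Port]):
        self.ports = ports
        self.tap_services: Dict[str, TapService] = {}
        self.tap_flows: Dict[str, TapFlow] = {}

    def _owned_port(self, port_id: str, tenant_id: str, is_admin: bool) -> Port:
        port = self.ports.get(port_id)
        if port is None:
            raise LookupError(f"port {port_id} not found")
        # Isolation boundary: a tenant may only tap (or deliver to) ports it
        # owns; only the cloud administrator may cross tenant lines.
        if not is_admin and port.tenant_id != tenant_id:
            raise PermissionError(f"port {port_id} is not owned by {tenant_id}")
        return port

    def create_tap_service(self, tenant_id: str, port_id: str,
                           is_admin: bool = False) -> TapService:
        self._owned_port(port_id, tenant_id, is_admin)
        ts = TapService(str(uuid.uuid4()), tenant_id, port_id)
        self.tap_services[ts.id] = ts
        return ts

    def create_tap_flow(self, tenant_id: str, source_port_id: str,
                        tap_service_id: str, direction: str = "BOTH",
                        is_admin: bool = False) -> TapFlow:
        if direction not in DIRECTIONS:
            raise ValueError(f"direction must be one of {DIRECTIONS}")
        ts = self.tap_services.get(tap_service_id)
        if ts is None:
            raise LookupError(f"tap service {tap_service_id} not found")
        if not is_admin and ts.tenant_id != tenant_id:
            raise PermissionError("tap service belongs to another tenant")
        self._owned_port(source_port_id, tenant_id, is_admin)
        # Assumed sanity check: mirroring the destination port into itself
        # would feed mirrored copies back into the tap.
        if source_port_id == ts.port_id:
            raise ValueError("source port must differ from the tap service port")
        tf = TapFlow(str(uuid.uuid4()), tenant_id, source_port_id,
                     tap_service_id, direction)
        self.tap_flows[tf.id] = tf
        return tf

    def flows_for_service(self, tap_service_id: str) -> List[TapFlow]:
        return [f for f in self.tap_flows.values()
                if f.tap_service_id == tap_service_id]

    def mirror_targets(self, port_id: str, packet_direction: str) -> List[str]:
        """Datapath view: for a packet seen on port_id travelling IN or OUT,
        return the destination port IDs that must receive a copy."""
        return [self.tap_services[f.tap_service_id].port_id
                for f in self.tap_flows.values()
                if f.source_port_id == port_id
                and f.direction in ("BOTH", packet_direction)]


def demo():
    # Constructed inventory: tenant-a runs two web servers and a monitor VM,
    # tenant-b runs an unrelated database.
    ports = {p.id: p for p in (Port("p-web1", "tenant-a"), Port("p-web2", "tenant-a"),
                               Port("p-mon", "tenant-a"), Port("p-db", "tenant-b"))}
    plugin = TaasPlugin(ports)
    # CLI equivalent (as recalled): neutron tap-service-create --port p-mon
    ts = plugin.create_tap_flow if False else plugin.create_tap_service("tenant-a", "p-mon")
    # CLI equivalent: neutron tap-flow-create --port p-web1 --tap-service <id> --direction BOTH
    plugin.create_tap_flow("tenant-a", "p-web1", ts.id, "BOTH")
    plugin.create_tap_flow("tenant-a", "p-web2", ts.id, "IN")
    try:  # tenant-a must not be able to tap tenant-b's port
        plugin.create_tap_flow("tenant-a", "p-db", ts.id)
        cross_tenant_blocked = False
    except PermissionError:
        cross_tenant_blocked = True
    return plugin, ts, cross_tenant_blocked


if __name__ == "__main__":
    plugin, ts, blocked = demo()
    print("cross-tenant tap blocked:", blocked)
    print("copies for OUT packet on p-web1:", plugin.mirror_targets("p-web1", "OUT"))
    print("copies for OUT packet on p-web2:", plugin.mirror_targets("p-web2", "OUT"))
```

The two ownership checks are the point: the destination port of a tap service and the source port of every tap flow are both validated against the caller's tenant before anything is programmed into the switching element, so the service can hand port mirroring to tenants without reopening the cross-tenant leakage path that hiding the switch fabric was meant to close.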
Tap-as-a-service Object Model (cont’d)
[Diagram sequence: two Instances, each attached to a Port. A TapService is created on the Port of the monitoring Instance; a TapFlow is created on the Port of the Instance to be monitored. Traffic in both directions (OUT and IN) on the TapFlow port is copied ("Mirror Traffic") to the TapService port. Further TapFlows on other Instances' Ports can feed the same TapService.]
Tap-as-a-service Design (agent based)
[Diagram: Tenant / Administrator → TaaS API → Plugin Service → Driver (ABC) → RPC Communication → TaaS Agent Framework → Switching Element.]
Tap-as-a-service Design (controller based)
[Diagram: Tenant / Administrator → TaaS API → Plugin Service → Driver (ABC) → SDN controller.]
Demo
Demo: Tap-as-a-service
Overview
Demonstrate how Tap-as-a-Service can be utilized to monitor network traffic associated with VM instances in an OpenStack cloud.
Use Cases
1. Web traffic analysis.
2. Centralized Intrusion Detection System.
What to Expect
The first portion of the demo will show how tap-services and tap-flows can be easily configured via the Horizon Dashboard. Next, we will illustrate how TaaS can play an important role in satisfying the needs of data analytics and security applications.
Environment
• Multi-node DevStack cloud
  • 1 Controller node
  • 1 Network node
  • 2 Compute nodes
• This cloud is hosting multiple web-server VM instances whose traffic will be monitored using TaaS. A special monitoring VM is also running in the cloud to receive mirrored traffic and carry out traffic analysis.
• Three Linux desktop systems representing end-users interacting with the cloud.
Next Steps
Roadmap
• Policy Based Tap
• Support external resources like those behind an L2 Gateway
• Quota enforcement
• QoS and TaaS integration
• Enhance Tempest Testing
• Rally Testing
• Complete CI support
Join TaaS!
• Project Launchpad: https://launchpad.net/tap-as-a-service
• Project Git Repository: https://github.com/openstack/tap-as-a-service
• Weekly IRC Meeting: http://eavesdrop.openstack.org/#Tap_as_a_Service_Meeting
• IRC: #openstack-neutron @ Freenode
THANK YOU!