Thursday, February 27, 2014

My research into SDN and Open vSwitch (OVS)

So I've been researching SDN with Open vSwitch (OVS) and I'm not impressed. I'm all for network virtualization and SDN, but this implementation is rather poor. For one, why are they building in antiquated technologies?

On their features page http://openvswitch.org they mention:

  • STP (IEEE 802.1D-1998)
WTF? Why? It's even an older version of spanning tree to boot. If you're going to put spanning tree in OVS, why not use the much faster RSTP instead? What's the intention of STP? Backwards compatibility? So are you going to deploy brand new technology (i.e. OVS and OpenStack) on a network that has old switches?

If you're going to create an SDN network, why not use a newer technology like Shortest Path Bridging or TRILL that allows all paths to be active? Better yet, program the network so all paths are active and, when a failure occurs, reroute around the failure. Isn't that what SDN is all about?

Also, OVS is flow based. The flow setup rate for GRE tunnels is low, ~24K connections/sec while using >80% of the CPU, and this makes it vulnerable to DoS attacks. Compromise a VM and have the instance generate BUM frames (Broadcast, unknown Unicast, and Multicast) and it will bring OVS to its knees. And if you're going to use STP on OVS, beware of a hacker crafting packets with a superior BPDU. You wouldn't want to have ports go into a blocking state for no reason.
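As an added example (not from the original post, and not OVS code), here is a small defensive check for the superior-BPDU problem described above: it parses 802.1D configuration BPDUs seen on VM-facing ports and flags any that advertise a root bridge ID better (numerically lower) than the root the operator expects. The expected root bridge, the port names and the sample frames are all constructed for this illustration.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical expected root bridge for the fabric; both values are constructed for this example.
EXPECTED_ROOT_PRIORITY = 32768            # 0x8000, the 802.1D default bridge priority
EXPECTED_ROOT_MAC = "00:11:22:33:44:55"


@dataclass
class ConfigBPDU:
    root_priority: int
    root_mac: str
    root_path_cost: int
    bridge_priority: int
    bridge_mac: str
    port_id: int


def _bridge_id(priority: int, mac: str) -> bytes:
    """Encode an 8-byte 802.1D bridge ID: 2-byte priority followed by the 6-byte MAC."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(":", ""))


def _split_bridge_id(raw: bytes) -> Tuple[int, str]:
    (priority,) = struct.unpack("!H", raw[:2])
    return priority, ":".join(f"{b:02x}" for b in raw[2:8])


def parse_config_bpdu(payload: bytes) -> ConfigBPDU:
    """Parse an 802.1D configuration BPDU (35 bytes), optionally preceded by the 0x42/0x42/0x03 LLC header."""
    if payload[:3] == b"\x42\x42\x03":
        payload = payload[3:]
    if len(payload) < 35:
        raise ValueError("truncated BPDU")
    proto, _version, bpdu_type, _flags = struct.unpack("!HBBB", payload[:5])
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError("not an 802.1D configuration BPDU (type 0x%02x)" % bpdu_type)
    root_priority, root_mac = _split_bridge_id(payload[5:13])
    (root_path_cost,) = struct.unpack("!I", payload[13:17])
    bridge_priority, bridge_mac = _split_bridge_id(payload[17:25])
    (port_id,) = struct.unpack("!H", payload[25:27])
    return ConfigBPDU(root_priority, root_mac, root_path_cost, bridge_priority, bridge_mac, port_id)


def claims_superior_root(bpdu: ConfigBPDU, expected_priority: int, expected_mac: str) -> bool:
    """True if the BPDU advertises a root bridge ID lower (better) than the expected root.
    STP compares the whole 8-byte ID, so a lower priority wins first and the lower MAC breaks ties."""
    advertised = int.from_bytes(_bridge_id(bpdu.root_priority, bpdu.root_mac), "big")
    expected = int.from_bytes(_bridge_id(expected_priority, expected_mac), "big")
    return advertised < expected


def build_config_bpdu(root_priority: int, root_mac: str, root_path_cost: int,
                      bridge_priority: int, bridge_mac: str, port_id: int = 0x8001) -> bytes:
    """Assemble a configuration BPDU; used here only to construct the sample frames below."""
    header = struct.pack("!HBBB", 0, 0, 0x00, 0)  # protocol id 0, version 0, type config, flags 0
    # port id, message age 0, max age 20 s, hello 2 s, forward delay 15 s (all in 1/256 s units)
    timers = struct.pack("!HHHHH", port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    return (header + _bridge_id(root_priority, root_mac) + struct.pack("!I", root_path_cost)
            + _bridge_id(bridge_priority, bridge_mac) + timers)


# Constructed sample captures: one BPDU from the legitimate root, one from a VM claiming priority 0.
SAMPLE_FRAMES: Dict[str, bytes] = {
    "vm-port-1": build_config_bpdu(32768, "00:11:22:33:44:55", 0, 32768, "00:11:22:33:44:55"),
    "vm-port-2": build_config_bpdu(0, "de:ad:be:ef:00:01", 0, 0, "de:ad:be:ef:00:01"),
}


def audit_bpdus(frames: Dict[str, bytes], expected_priority: int = EXPECTED_ROOT_PRIORITY,
                expected_mac: str = EXPECTED_ROOT_MAC) -> List[str]:
    """Return the names of ports on which a BPDU with a better-than-expected root was seen."""
    flagged = []
    for port, raw in frames.items():
        bpdu = parse_config_bpdu(raw)
        if claims_superior_root(bpdu, expected_priority, expected_mac):
            flagged.append(port)
    return flagged


if __name__ == "__main__":
    for port in audit_bpdus(SAMPLE_FRAMES):
        b = parse_config_bpdu(SAMPLE_FRAMES[port])
        print(f"{port}: superior BPDU, claims root {b.root_priority}/{b.root_mac}")
```

A flagged port is the one whose frames would drag the topology toward a new root and push other ports into blocking. The usual mitigations are to keep STP off bridges that only carry VM traffic (in OVS the bridge column is `stp_enable`, e.g. `ovs-vsctl set Bridge br0 stp_enable=false`) and to use BPDU guard or root guard on the physical edge ports facing hypervisors.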

There has to be a different approach to doing this without copying old technology and porting it to something new. 
