
Unleashing the power of the fabric

This article covers the architecture and components of Tap as a Service (TaaS) in the context of networking evolution, including the motivations, use cases, limitations/enhancements, and development progress.


Presentation Transcript


  1. Unleashing the power of the fabric
     Manjeet Singh Bhatia (Intel), Munish Mehan (AT&T), Deepak Tiwari (AT&T)

  2. Outline
     • Background on the Networking Evolution
     • Custom NIC driver functions available via sysfs
     • TaaS Overview
     • TaaS Motivations
     • TaaS Architecture and Components
     • TaaS for SRIOV Use Cases
     • TaaS Limitations/Enhancements for our Use Case
     • Development Progress: Complete, In-Progress, Future
     • CI testing using Zuul v3
     • Demo

  3. Background on the Networking Evolution
     • SRIOV
     • Neutron Integration
     • DPDK
     • Virtual Function Daemon (DPDK-based driver for ixgbe NICs)
     • Custom NIC driver with sysfs interface

  4. Custom NIC driver functions available via sysfs
     /sys/class/net/<interface-name>/device/sriov*1
     |
     +-- qos
     |   +-- [TC, 0-7]           # TC
     |       +-- priority        # list of PCP values mapped to this TC
     |       +-- lsp             # link strict priority
     |       +-- max_bw          # max bandwidth for this class
     |       +-- min_bw          # min bandwidth for this class
     +-- egress_mirror           # mirror traffic from this PF to specified VF
     +-- ingress_mirror

  5. Custom NIC driver functions available via sysfs (contd)
     +-- [VF-id, 0 ... 127]*2
         +-- vlan_mirror         # list of VLANs to mirror to this VF
         +-- trunk               # list of VLANs to filter on (802.1Q trunk)
         +-- tpid                # TPID of outer (s-tag) 0x8100 | 0x88A8
         +-- egress_mirror       # mirror traffic from this VF to specified VF
         +-- ingress_mirror
         +-- mac_anti_spoof      # enable/disable MAC anti spoofing
         +-- vlan_anti_spoof     # enable/disable VLAN anti spoofing
         +-- loopback            # enable/disable local traffic loopback (VEB/VEPA)
         +-- default_mac         # default MAC, if not set use random
         +-- mac_list            # list of additional MACs (00:11:22:33:44:55, aa:bb:cc:dd:ee:ff)
         +-- ucast_promisc       # unicast promiscuous
         +-- mcast_promisc       # multicast promiscuous
         +-- allow_bcast         # allow/not allow bcast
         +-- strip_stag          # strip outer tag (s-tag)
         +-- enable              # enable/disable VF

  6. Custom NIC driver functions available via sysfs (contd)
         +-- link_state          # up/down
         +-- queue_type          # type of queues 0 – RSS, 1 – QoS
         +-- num_queues          # num of RSS queues allocated to this VF; if queue_type is QoS, same as number of TCs set in PF
         +-- max_tx_rate         # ignore if TC in use
         +-- min_tx_rate         # ignore if TC in use
         +-- trust               # set VF in trust mode
         +-- stats               # 64 bit counters
         |   +-- rx_bytes/rx_packets/rx_dropped/tx_bytes/tx_packets/tx_dropped/tx_spoofed
         +-- reset_stats         # reset VF stats counters
         +-- qos
             +-- [TC, 0-8]
                 +-- share       # % share of TC for this VF
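The per-VF attributes above are exactly the ones a compute-host operator wants to verify before handing a VF to a tenant: anti-spoof on, trust off, no promiscuous mode, and no mirror left pointing at a VF that should not see the traffic. The following audit script is an added example, not code from the presentation or from Intel's driver. It assumes the sysfs layout shown on the slides (/sys/class/net/<iface>/device/sriov/<vf-id>/<attribute>), assumes that an empty value or "off" means a mirror attribute is idle, and uses a hardened baseline that is a policy choice, not a driver default. It builds a constructed two-VF tree under a temporary directory so it runs without the NIC.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Hardened baseline for a tenant-facing VF (our policy, an assumption; not the driver default).
# Attribute names are taken from the sysfs tree on the slides.
EXPECTED = {
    "mac_anti_spoof": "1",
    "vlan_anti_spoof": "1",
    "trust": "0",
    "ucast_promisc": "0",
    "mcast_promisc": "0",
}
MIRROR_ATTRS = ("egress_mirror", "ingress_mirror", "vlan_mirror")
# Values assumed to mean "no mirroring configured" (assumption about the driver's encoding).
MIRROR_IDLE = {None, "", "off"}


def read_attr(vf_dir: Path, name: str) -> Optional[str]:
    """Read one sysfs attribute, or None when the driver does not expose it."""
    path = vf_dir / name
    return path.read_text().strip() if path.is_file() else None


def audit_iface(sysfs_root: Path, iface: str) -> Dict[int, List[str]]:
    """Return {vf_id: [findings]} for every VF directory under <iface>/device/sriov."""
    sriov = sysfs_root / "class" / "net" / iface / "device" / "sriov"
    findings: Dict[int, List[str]] = {}
    for vf_dir in sriov.iterdir():
        if not vf_dir.name.isdigit():
            continue  # the PF-level 'qos' subtree lives in the same directory
        issues: List[str] = []
        for attr, want in EXPECTED.items():
            got = read_attr(vf_dir, attr)
            if got is None:
                issues.append(f"{attr}: missing")
            elif got != want:
                issues.append(f"{attr}={got} (expected {want})")
        for attr in MIRROR_ATTRS:
            got = read_attr(vf_dir, attr)
            if got not in MIRROR_IDLE:
                issues.append(f"{attr} active: {got}")
        findings[int(vf_dir.name)] = issues
    return findings


def build_fake_sysfs(root: Path, iface: str = "eth1") -> None:
    """Constructed tree: VF 0 matches the baseline, VF 1 is trusted, promiscuous and mirrored."""
    base = root / "class" / "net" / iface / "device" / "sriov"
    vfs = {
        0: {**EXPECTED, "egress_mirror": "off", "ingress_mirror": "off", "vlan_mirror": ""},
        1: {**EXPECTED, "trust": "1", "ucast_promisc": "1",
            "egress_mirror": "3", "ingress_mirror": "off", "vlan_mirror": ""},
    }
    for vf_id, attrs in vfs.items():
        vf_dir = base / str(vf_id)
        vf_dir.mkdir(parents=True)
        for name, value in attrs.items():
            (vf_dir / name).write_text(value + "\n")
    (base / "qos").mkdir()


def run_demo() -> Dict[int, List[str]]:
    """Build the constructed tree and audit it; on a real host call audit_iface(Path('/sys'), iface)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fake_sysfs(root)
        return audit_iface(root, "eth1")


if __name__ == "__main__":
    for vf_id, issues in sorted(run_demo().items()):
        print(f"VF {vf_id}: {'OK' if not issues else '; '.join(issues)}")
```

Run against a real host the script needs read access to sysfs only; it never writes an attribute, so it is safe to schedule as a periodic compliance check whose findings feed a ticket or alert rather than an automatic fix.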

  7. Tap as a Service (TaaS)
     TaaS
     • An extension to the OpenStack network service (Neutron)
     • Provides an API to enable port mirroring (PM) capability for tenant virtualized workloads
     Packet Mirroring (PM)
     • Network packets entering (and/or leaving) one port (or VLAN) are copied and sent to another port, where the packets can be analyzed.
     Use-cases
     • Network Debugging: analyze and debug data or diagnose errors on a network
     • Passive IDS: mirrored packets are sent to an IDS that monitors a network for malicious activity or policy violations
     • Network Forensics
       • Security: investigate security incidents, monitor anomalous traffic
       • Law enforcement: reassembling transferred files, searching for keywords, parsing human communications

  8. TaaS Architecture and Components

  9. TaaS Resources
     Tap Service
     • Represents the port to which mirrored packets are delivered
     • Any service (VM) that consumes the mirrored packets is attached to this port
     Tap Flow
     • Represents the port from which packets need to be mirrored
     Key Points
     • Multiple Tap Flows can be associated with a single Tap Service
     • The destination TaaS port must be created beforehand on a network owned by the tenant requesting TaaS services
     • To preserve tenant isolation, the ports to be mirrored and added to a service must be owned by the same tenant who created the Tap Service instance

  10. TaaS Data Models
     Neutron database schema for Tap Service and Tap Flow

     Tap Service

         'tap_services': {
             'id': {'allow_post': False, 'allow_put': False,
                    'validate': {'type:uuid': None},
                    'is_visible': True, 'primary_key': True},
             'tenant_id': {'allow_post': True, 'allow_put': False,
                           'validate': {'type:string': None},
                           'required_by_policy': True, 'is_visible': True},
             'name': {'allow_post': True, 'allow_put': True,
                      'validate': {'type:string': None},
                      'is_visible': True, 'default': ''},
             'description': {'allow_post': True, 'allow_put': True,
                             'validate': {'type:string': None},
                             'is_visible': True, 'default': ''},
             'port_id': {'allow_post': True, 'allow_put': False,
                         'validate': {'type:uuid': None},
                         'is_visible': True},
         }

     Tap Flow

         'tap_flows': {
             'id': {'allow_post': False, 'allow_put': False,
                    'validate': {'type:uuid': None},
                    'is_visible': True, 'primary_key': True},
             'tenant_id': {'allow_post': True, 'allow_put': False,
                           'validate': {'type:string': None},
                           'required_by_policy': True, 'is_visible': True},
             'name': {'allow_post': True, 'allow_put': True,
                      'validate': {'type:string': None},
                      'is_visible': True, 'default': ''},
             'description': {'allow_post': True, 'allow_put': True,
                             'validate': {'type:string': None},
                             'is_visible': True, 'default': ''},
             'tap_service_id': {'allow_post': True, 'allow_put': False,
                                'validate': {'type:uuid': None},
                                'required_by_policy': True, 'is_visible': True},
             'source_port': {'allow_post': True, 'allow_put': False,
                             'validate': {'type:uuid': None},
                             'required_by_policy': True, 'is_visible': True},
             'direction': {'allow_post': True, 'allow_put': False,
                           'validate': {'type:values': direction_enum},
                           'is_visible': True},
             'vlan_filter': {'allow_post': True, 'allow_put': False,
                             'validate': {'type:regex_or_none': RANGE_REGEX},
                             'is_visible': True, 'default': None},
         }

  11. SRIOV Traffic Mirroring: VLANs to VF
     (diagram; recoverable legend follows)
     Service VM-1: eth1 carries VLANs 163, 172, 181-198; eth2 carries VLAN 154
     Service VM-2: eth1 carries VLANs 163, 172; eth2 carries VLAN 154
     Probe VM: eth0
     PFs: P1P1 (PF 1) and P3P1 (PF 2), each with VFs VF1 ... VF12, VF62, VF63
     1: Tap Service bound to NIC P1P1 (probe VF3)
     A: Tap Flow bound to port "eth1" of Service VM-1, VLAN(s) 163, 172, Direction: BOTH
     2: Tap Service bound to NIC P3P1 (probe VF5)
     B: Tap Flow bound to port "eth2" of Service VM-1, VLAN(s) 154, Direction: BOTH

  12. Demo
     (diagram; the steps shall be repeated for each Tap Flow, on the concerned compute hosts)
     1a / 1b: VF3, VF5 – VF assigned to the probe port
     2a / 2b: VF1, VF2 – common VLANs in 'vlan_filter' in the tap flow and the source port VLANs, i.e. port['binding:vif_details']['vlan']
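The key points on slide 9 (same-tenant ownership, destination port created beforehand), the tap_flows schema on slide 10 and the VLAN intersection on the demo slide describe one validation path that runs when a tap flow is created. The code below is an added example, not the TaaS project's own implementation: it enforces that the tap service, its destination port, the flow and the source port share a tenant, parses the vlan_filter range string, and returns only the VLANs common to the filter and the source port's binding:vif_details['vlan']. The range syntax standing in for RANGE_REGEX, the IN/OUT/BOTH contents of direction_enum, the assumption that vif_details carries a list of VLANs, and every port, service and tenant identifier are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Set

# Assumed vlan_filter syntax: comma-separated VLAN IDs or lo-hi ranges, e.g. "163,172,181-198".
# The project's real RANGE_REGEX may differ; this pattern is an assumption for the example.
RANGE_REGEX = re.compile(r"^\d{1,4}(-\d{1,4})?(,\d{1,4}(-\d{1,4})?)*$")
DIRECTIONS = ("IN", "OUT", "BOTH")  # assumed contents of direction_enum


@dataclass
class Port:
    id: str
    tenant_id: str
    vlans: Set[int]  # stands in for port['binding:vif_details']['vlan'] (assumed list form)


@dataclass
class TapService:
    id: str
    tenant_id: str
    port_id: str  # destination port; must already exist on the tenant's own network


def parse_vlan_filter(spec: str) -> Set[int]:
    """Expand "163,172,181-198" into {163, 172, 181, ..., 198}; reject malformed input."""
    if not RANGE_REGEX.match(spec):
        raise ValueError(f"vlan_filter {spec!r} does not match the range syntax")
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if lo_i > hi_i or not 1 <= lo_i <= 4094 or not 1 <= hi_i <= 4094:
            raise ValueError(f"invalid VLAN range {part!r}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


def validate_tap_flow(flow: dict, services: Dict[str, TapService],
                      ports: Dict[str, Port]) -> Set[int]:
    """Check a tap_flows POST body against the slides' key points; return the VLANs to mirror."""
    service = services.get(flow["tap_service_id"])
    if service is None:
        raise LookupError("tap service not found")
    src = ports.get(flow["source_port"])
    if src is None:
        raise LookupError("source port not found")
    dst = ports[service.port_id]
    # Tenant isolation: every object involved must belong to the tenant that owns the tap service.
    owners = {service.tenant_id, dst.tenant_id, src.tenant_id, flow["tenant_id"]}
    if owners != {service.tenant_id}:
        raise PermissionError("mirrored port and tap service must belong to the same tenant")
    if flow["direction"] not in DIRECTIONS:
        raise ValueError(f"direction must be one of {DIRECTIONS}")
    if flow.get("vlan_filter") is None:
        return set(src.vlans)  # no filter: mirror everything the source port carries
    # Only VLANs present in both the filter and the source port are programmed into the VF.
    return parse_vlan_filter(flow["vlan_filter"]) & src.vlans


def demo() -> dict:
    """Constructed data modelled on the demo topology: Service VM-1 eth1 carries 163, 172, 181-198."""
    ports = {
        "probe-eth0": Port("probe-eth0", "tenant-a", set()),
        "svm1-eth1": Port("svm1-eth1", "tenant-a", {163, 172} | set(range(181, 199))),
        "other-eth0": Port("other-eth0", "tenant-b", {154}),
    }
    services = {"ts-1": TapService("ts-1", "tenant-a", "probe-eth0")}
    base = {"tenant_id": "tenant-a", "tap_service_id": "ts-1", "direction": "BOTH"}
    results = {}
    # VLAN 200 is in the filter but not on the port, so it is dropped from the result.
    results["mirrored"] = sorted(validate_tap_flow(
        {**base, "source_port": "svm1-eth1", "vlan_filter": "163,172,200"}, services, ports))
    try:  # another tenant's port cannot be mirrored into tenant-a's tap service
        validate_tap_flow({**base, "source_port": "other-eth0", "tenant_id": "tenant-b"},
                          services, ports)
        results["cross_tenant_rejected"] = False
    except PermissionError:
        results["cross_tenant_rejected"] = True
    try:  # a reversed range passes the regex but fails the semantic check
        validate_tap_flow({**base, "source_port": "svm1-eth1", "vlan_filter": "198-181"},
                          services, ports)
        results["bad_range_rejected"] = False
    except ValueError:
        results["bad_range_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The ownership check deliberately compares all four owners against the tap service's tenant rather than just checking that the set has one element, so a request whose tenant_id field is simply missing fails closed with a KeyError instead of silently passing.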

  13. CI testing with Zuul v3
     • What is Zuul v3?
     • In-repo configuration
     • Native support for multi-node jobs
     • Ansible job content
     • Integration with more systems

  14. 3rd Party CI architecture
     (diagram: Zuul Web Service, MariaDB Service, Database)

  15. Zuul and nodepool config
     (diagram: configuration files, not recoverable from the transcript)

  16. Test Pipeline
     • Define Zuul config
     • Add devices to nodepool
     • Define test pipeline
     • Define jobs
     • docker-compose up

  17. Demo
     Demo Environment
     • Containerized OpenStack Ocata deployment using OpenStack-Helm with Loci images
     • Customized Neutron Loci image with Tap-as-a-service changes (TaaS, python-neutronclient) deployed: 'docker.io/deepakdt/neutron:ocata-master-with-neutron-ocata-1804'
     • Customized Heat Loci image with Tap-as-a-service changes (heat, python-neutronclient) deployed: 'docker.io/deepakdt/heat:ocata-taas-osc-1804'
     • Customized Horizon Loci image with Tap-as-a-service-dashboard changes (heat, python-neutronclient) deployed: 'docker.io/deepakdt/heat:ocata-taas-osc-1804'
     • At least one compute host having the required NIC and driver:
       - Hardware: Intel Ethernet Network Adapter XXV710 (25GbE)
       - Driver: Intel i40e v2.4.18 - SourceForge link: https://sourceforge.net/projects/e1000/files/i40e%20stable/2.7.12/

  18. References
     Networking Guide: SR-IOV: https://docs.openstack.org/neutron/queens/admin/config-sriov.html#enable-neutron-sriov-agent-compute
     Tap-as-a-service spec: https://review.openstack.org/#/c/256210/
     Tap as a Service API REFERENCE: https://github.com/openstack/tap-as-a-service/blob/master/API_REFERENCE.rst
     Project Launchpad [Bugs tracking]: https://bugs.launchpad.net/tap-as-a-service
     Support in OpenStack: https://docs.openstack.org/dragonflow/latest/specs/tap_as_a_service.html
     Code repository: https://github.com/openstack/tap-as-a-service
     TaaS Neutron Blueprint (OVS): https://review.openstack.org/#/c/256210/10/specs/mitaka/tap-as-a-service.rst
     TaaS blueprint (SRIOV Mirroring support): https://blueprints.launchpad.net/neutron/+spec/port-mirroring-sriov-vf
     TaaS SRIOV Launchpad and Demo: https://etherpad.net/p/taas_sriov_demo_stein_ptg_new_approach
     Code commits:
       a. TaaS: https://review.openstack.org/#/c/603501/
       b. Heat: https://review.openstack.org/#/c/589238/
       c. python-neutronclient: https://review.openstack.org/#/c/449188/
       d. OpenStack-Helm: https://review.openstack.org/#/c/597200/
       e. Core OSH: https://review.openstack.org/#/c/597200/
       f. rootwrap: https://review.openstack.org/#/c/607392/
       g. NC manifests override (with SRIOV): https://gerrit.mtn5.cci.att.com/#/c/50307/ (for testing in 13b3): https://gerrit.mtn5.cci.att.com/#/c/50454/ https://gerrit.mtn5.cci.att.com/#/c/51879/
       h. RBAC: https://gerrit.mtn5.cci.att.com/#/c/47152/
       i. Shaker Tests: https://review.openstack.org/#/c/602050/
       j. Image build (loci): https://review.gerrithub.io/c/att-comdev/cicd/+/428400

  19. Q/A ?
