
OpenStack/Quantum SDN-based network virtualization with Ryu
Kei Ohmura
NTT

May 31, 2013


© 2013 NTT Software Innovation Center

Outline
• Introduction to Ryu
• OpenStack Quantum and Ryu
• Demo
• Summary


What is “Ryu”
• 流 (ryu) means “flow”
• 龍 (ryu) means “Japanese dragon”, one of the water gods


What is “Ryu”
• Manages “flow” control to enable intelligent networking


SDN (Software Defined Networking)
• Separates control and data plane:
  • Open interface between control and data plane
  • Network control and management features in software
[Figure: network devices, each combining features, an OS and specialized packet forwarding hardware]


SDN (Software Defined Networking)
[Figure: SDN architecture, top to bottom]
• Application layer: business applications
• North-bound API: programmable open APIs
• Control layer: SDN control software, network services (network-related control)
• South-bound API (e.g., OpenFlow)
• Infrastructure layer: network devices (packet forwarding)
http://www.opennetworking.org/sdn-resources/meet-sdn

OpenFlow Overview
• One of the key technologies to realize SDN
• Open interface between control and data plane
[Figure: an OpenFlow Controller speaks the OpenFlow protocol to several OpenFlow switches; each switch holds a Flow Table]

Flow Table (match fields, action, counter):
MAC dst | MAC src | IP dst | IP src | TCP dst | … | Action    | Counter
*       | *       | *      | *      | 6667    | * | output: 3 | byte counters, etc.

Ryu SDN framework
• SDN Framework
  • A platform for building SDN applications
  • Provides useful libraries and well-defined API
• Open source software (Apache v2)
  • Fully written in Python
  • Project site: http://osrg.github.com/ryu/
[Figure: SDN apps use the well-defined API of the Ryu SDN framework, which controls OpenFlow switches through the OpenFlow protocol]


Our goals
• De facto SDN platform
  • Standard network controller for cloud orchestrators, e.g. OpenStack
  • Default network controller for Linux distributions, e.g. RHEL/Fedora/Ubuntu
• High quality for commercial deployment
  • Code quality, functionality, usability


Features
• Generality
  • Vendor-neutral
  • Supports open interfaces (e.g., OpenFlow)
  • Used by some switch vendors
• Agile
  • Framework for SDN application development instead of an all-purpose big monolithic ‘controller’.


Architecture
• Implement your apps by using Ryu SDN Framework
[Figure: Ryu architecture, top to bottom]
• Above Ryu: OpenStack cloud orchestration (REST API for Quantum); operator (RESTful management API); User Apps (User-defined API via REST or RPC)
• Ryu SDN framework
  • Built-in Apps: tenant isolation, L2 switch
  • Libraries: OF REST, topology discovery, firewall
  • OF protocols parser/serializer: OF1.0, 1.2, 1.3, OF-Config 1.1
  • Non-OF protocols parser/serializer: netconf, vrrp, netflow, packet lib
• Below Ryu: OpenFlow switches (via OpenFlow) and existing IP networks

Current status
• OpenFlow protocol
  • OF1.0 + Nicira extensions, OF1.2, OF1.3
  • OF-Config 1.1
• Other protocols
  • netconf, vrrp, xFlow, snmp, ovsdb
• Ryu applications/libraries
  • Topology viewer
  • OF REST
  • Firewall
  • Some sample apps are in the ryu/app directory.
• Switch interoperability
  • Referenced by some switch vendors
  • Open vSwitch
  • Integration testing with Open vSwitch (OF1.0, OF1.2)
  • Nicira extensions, OVSDB
• Integration with other components
  • HA with ZooKeeper
  • IDS (Intrusion Detection System)
  • OpenStack Quantum

How to use
• Install Ryu from pip
$ sudo pip install ryu

• Install Ryu from the source code
$ git clone git://github.com/osrg/ryu.git
$ cd ryu; sudo python ./setup.py install

• Run your application
$ ryu-manager yourapp.py


Mac learning switch

$ ryu-manager ryu/app/simple_switch.py

[Figure: Host A and Host B attached to an OpenFlow switch with its FlowTable, controlled by the L2 switch app on Ryu; steps (1) to (4)]

tutorial: https://github.com/osrg/ryu/wiki/OpenFlow_Tutorial

OF REST

$ ryu-manager ryu/app/ofctl_rest.py

OF REST API
• add a flow entry
  POST http://example.org/stats/flowentry/add
• delete flow entries
  DELETE http://example.org/stats/flowentry/delete
• get flow stats
  GET http://example.org/stats/flow/{dpid}

[Figure: the operator calls the OF REST API on Ryu, which controls the OpenFlow switches through the OpenFlow protocol]


Firewall REST

$ ryu-manager ryu/app/rest_firewall.py

Firewall REST API
• add a rule
  POST http://example.org/firewall/rules/{switch-id}
• delete a rule
  DELETE http://example.org/firewall/rules/{switch-id}
• get rules
  GET http://example.org/firewall/rules/{switch-id}

[Figure: the operator calls the Firewall REST API on Ryu, which controls the OpenFlow switch through the OpenFlow protocol; traffic is marked Allow or Drop]

https://github.com/osrg/ryu/wiki/Third-Party-Tools,-Etc.

Topology viewer
• Show topology and flows dynamically


HA with ZooKeeper
• A centralized controller is a single point of failure (SPOF)
• Ryu + ZooKeeper is able to avoid SPOF
[Figure: ZooKeeper coordinates a master Ryu and a slave Ryu with failover between them; both connect to the OpenFlow switch that serves Host A and Host B]


IDS integration
• Ryu + IDS can cope with threats in real time.
[Figure: steps (1) to (4) between the OpenFlow switch (L1~L4 matching), the IDS (Snort, deep packet inspection) and the snort control app on Ryu, which receives the Alert]

https://github.com/osrg/ryu/wiki/Snort-Integration

Ryu plugin for OpenStack Quantum

• Ryu plugin was merged into OpenStack Quantum Grizzly release

Ryu Quantum REST API
• create network
  PUT http://example.org/v1.0/networks/{network-id}
• delete network
  DELETE http://example.org/v1.0/networks/{network-id}
• connect a new VM
  PUT http://example.org/v1.0/networks/{switch-id}_{port-id}

[Figure: Nova and Quantum (with the Ryu plugin) call the REST API of the OpenStack apps on Ryu; Ryu controls the Open vSwitch instances that host the VMs through OpenFlow]

https://github.com/osrg/ryu/wiki/OpenStack

OpenStack
*-as-a-Service | OpenStack Service
Compute        | Nova
Storage        | Swift (Objects), Cinder (Block), Glance (Images)
Identity       | Keystone
Network        | Quantum

OpenStack Quantum
• Provides networking-as-a-service
  • Quantum controls network virtualization like Nova controls server virtualization
• “plugin” mechanism
  • Enables different technologies
  • Ryu, Open vSwitch, Cisco UCS, Linux Bridge, NVP


What does Ryu bring to OpenStack
• Flat L2 networks regardless of the underlying physical network
  • We don’t need high-end switches
• Scalable multi-tenant isolation
  • Ryu provides tunneling-based isolation
  • Virtual networks that Ryu provides are decoupled from VLAN limitations


How Ryu works with OpenStack
[Figure: component diagram]
• Quantum-node: Quantum Server (Quantum API) and Quantum db holding (Network id, key (tunnel id))
• Ryu-node: Ryu server holding (Network id, key), reached through the Ryu REST API; it reaches the OVS instances through OpenFlow & OVSDB JSON
• Compute-node: Vif driver, Ryu agent, OVS
• Network-node: L3 agent, Ryu agent, OVS
• Labels on the agents: “Create Tap port”, “Create Tunnel port”


Demo
• Ryu and OpenStack (GRE tunneling)


Ryu and OpenStack: physical view
[Figure: two KVM guests on one Linux physical machine, joined by a bridge and GRE tunnels]
• All-in-one node (KVM): Ryu, Glance, Nova, Quantum, Keystone, Horizon, OVS; hosts demo VM1 and mode VM1 (Qemu/KVM)
• Compute node (KVM): OVS, Nova, Ryu agent; hosts demo VM2 and mode VM2 (Qemu/KVM)


Ryu and OpenStack: logical view
• Tenant demo: ID -> 0x2; demo network with demo VM1 and demo VM2
• Tenant mode: ID -> 0x4; mode network with mode VM1 and mode VM2


Future works
• Add more components (protocols, IaaS, stats, security, etc.)
• Improve the distributed deployment component (cluster support)
• New testing methods (Ryu has more than 15,000 lines of test code)


Summary
• Ryu is an ongoing project
  • Ryu project needs more developers
  • site: http://osrg.github.com/ryu/
  • wiki: https://github.com/osrg/ryu/wiki/_pages
  • ML: ryu-devel@lists.sourceforge.net


Appendix


Node boot up


Network creation


Instance creation


Flow table usage
[Figure: VM1 and VM2 attach to OVS through VM ports; the GRE tunnel attaches through the tunnel port]

Table 0 (Src table)
In port     | match              | action
VM port     | in_port, src mac   | set_tunnel, goto table 1
VM port     | in_port            | drop
Tunnel port | in_port, tunnel_id | goto table 2

Table 1 (Tunnel out)
match              | action
tunnel_id, dst mac | output(tunnel), goto table 2
tunnel_id          | goto table 2

Table 2 (Local out)
match              | action
tunnel_id, dst mac | output(vm)
tunnel_id          | drop
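
The Table 0/1/2 pipeline on this slide, as an added example that is not part of the original slides and is not Ryu's code: a small Python simulation showing how the entries enforce tenant isolation. Port numbers, MAC addresses, and the use of the tenant IDs 0x2 and 0x4 as tunnel ids are constructed assumptions.

```python
# Added illustration, not Ryu code. Ports, MACs and tunnel ids are constructed.
TUNNEL_PORT = 9
DEMO1, DEMO2 = "aa:00:00:00:00:01", "aa:00:00:00:00:02"   # tenant demo (0x2)
MODE1, MODE2 = "bb:00:00:00:00:01", "bb:00:00:00:00:02"   # tenant mode (0x4)

def build_tables(local, remote, tunnel_port):
    """local: {vm_port: (mac, tunnel_id)}; remote: {mac: tunnel_id} behind the tunnel."""
    t0, t1, t2 = [], [], []
    for port, (mac, tid) in local.items():
        t0.append(({"in_port": port, "src": mac}, [("set_tunnel", tid), ("goto", 1)]))
        t2.append(({"tunnel_id": tid, "dst": mac}, [("output", port)]))
    for port in local:                       # any other source MAC on a VM port
        t0.append(({"in_port": port}, [("drop",)]))
    for mac, tid in remote.items():
        t1.append(({"tunnel_id": tid, "dst": mac}, [("output", tunnel_port), ("goto", 2)]))
    for tid in sorted({tid for _, tid in local.values()}):
        t0.append(({"in_port": tunnel_port, "tunnel_id": tid}, [("goto", 2)]))
        t1.append(({"tunnel_id": tid}, [("goto", 2)]))
        t2.append(({"tunnel_id": tid}, [("drop",)]))
    return [t0, t1, t2]

def lookup(table, pkt):
    """First matching entry wins; entries are ordered most specific first."""
    for match, actions in table:
        if all(pkt.get(k) == v for k, v in match.items()):
            return actions
    return [("drop",)]                       # table miss

def run_pipeline(tables, pkt):
    """Return the list of ports the packet is sent out of ([] means dropped)."""
    pkt, outputs, table_id = dict(pkt), [], 0
    while table_id is not None:
        next_table = None
        for action in lookup(tables[table_id], pkt):
            if action[0] == "set_tunnel":
                pkt["tunnel_id"] = action[1]
            elif action[0] == "output":
                outputs.append(action[1])
            elif action[0] == "goto":
                next_table = action[1]
        table_id = next_table
    return outputs

# All-in-one node from the demo: demo VM1 on port 1, mode VM1 on port 2.
TABLES = build_tables({1: (DEMO1, 0x2), 2: (MODE1, 0x4)},
                      {DEMO2: 0x2, MODE2: 0x4}, TUNNEL_PORT)
```

A frame entering port 1 with a source MAC other than demo VM1's is dropped in Table 0, and a demo frame addressed to mode VM1 falls through to the drop entry in Table 2.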
