Building network automation solutions

The Does Centralized Control Plane Make Sense post triggered several comments along the lines of “do you think there’s no need for OpenFlow?”

TL;DR version: OpenFlow is just a low-level tool. Don’t blame it for how it’s being promoted.

OpenFlow is just a tool that allows you to install PBR-like forwarding entries into networking devices using a standard protocol that should work across multiple vendors (more about that in another blog post). From this perspective OpenFlow offers the same functionality as BGP FlowSpec or ForCES, and a major advantage: it’s already implemented in networking gear from numerous vendors.

Where could you use PBR-like functionality? I’m positive you already have a dozen ideas with various levels of craziness; here are a few more:

• Network monitoring (flow entries have counters);
• Intelligent SPAN ports that collect only the traffic you’re interested in;
• Transparent service insertion;
• Scale-out stateful network services;
• Distributed DoS prevention;
• Policy enforcement (read: ACLs) at the network edge.

OpenFlow has another advantage over BGP FlowSpec – it has the packet-in and packet-out functionality that allows the controller to communicate with the devices outside of the OpenFlow network. You could use this functionality to implement new control-plane protocols or (for example) interesting layered authentication scheme that is not available in off-the-shelf switches.

Summary: OpenFlow is a great low-level tool that can help you implement numerous interesting ideas, but I wouldn’t spend my time reinventing the switching fabric wheel (or other things we already do well).

More informations

• SDN webinars (most of them are free);
• SDN workshop;
• Other SDN resources @ ipSpace.net