
Goals

In ICN's SDWAN usage, an SFC (Service Function Chain) is designed to let corporate networks connect to the external internet over a secured connection. The SFC consists of a security VNF (e.g. a firewall), a WAN optimization CNF and the SDWAN VNF/CNF; the SDWAN module acts as a software-defined router in which the rules for connecting to the external internet are defined. The diagram below shows where the SDWAN module sits in the overall system.

Basic Technology

The OpenWRT Project (https://openwrt.org/) is an open source project based on Linux, primarily used on embedded devices to route network traffic. More than 3500 software packages can be installed on OpenWRT via the opkg package management system. OpenWRT provides both a docker image and a VM image to support virtualized deployment (https://openwrt.org/docs/guide-user/virtualization/start).

The OpenWRT mwan3 package (a replacement for the multiwan package) provides multi-WAN management capabilities: WAN interface management, outbound traffic rules, traffic load balancing, etc.

Design Proposals

Implementation

The SDWAN module is implemented as a CNF rather than a VNF for better performance; proving out the CNF approach is also an effective way to deploy SDWAN.

SDWAN will leverage OpenWRT for its functionality.

Deployment

Helm will be used to deploy the SDWAN CNF as a pod on nodes that have an external network connection, with the following parameters:

  • Network interfaces: multiple interfaces from different CNI plugins, e.g. one from the Multus default CNI (e.g. flannel or Calico), one OVN CNI interface attached to virtual network1, which in turn connects to the corp network, and a last OVN CNI interface that connects to the external router
  • WAN configuration: an init script running in the container uses the uci command to perform the initial WAN configuration based on the input.
    • WAN interface definition (e.g. interface, member, etc.)

      config interface 'wan'
      	option enabled '1'
      	list track_ip '8.8.4.4'
      	list track_ip '8.8.8.8'
      	list track_ip '208.67.222.222'
      	list track_ip '208.67.220.220'
      	option reliability '2'
      	option count '1'
      	option timeout '2'
      	option interval '5'
      	option down '3'
      	option up '8'
      config member 'wan_m1_w3'
      	option interface 'wan'
      	option metric '1'
      	option weight '3'
    • Initial traffic rules (e.g. policy, rule, etc.)

      config policy 'wan_only'
      	list use_member 'wan_m1_w3'
      config rule 'sticky_even'
      	option src_ip '0.0.0.0/0.0.0.1'
      	option dest_port '443'
      	option proto 'tcp'
      	option use_policy 'wan_only'
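The init script described above has to turn the Helm-supplied WAN parameters into uci commands. The following is an added example, not ICN or OpenWRT project code: it renders the interface, member, policy and rule sections shown above as a shell script of `uci set` / `uci add_list` lines; the parameter layout (INITIAL_WAN) is an assumption, its values are the ones from the configuration above.

```python
"""Render the initial mwan3 WAN configuration as a shell script of uci commands.

Added example, not ICN or OpenWRT project code. The INITIAL_WAN layout is an
assumed input format for the container's init script; the values are the ones
from the mwan3 configuration above.
"""

# Constructed input as the init script might receive it (values from the page).
INITIAL_WAN = {
    "interface": {"name": "wan",
                  "track_ip": ["8.8.4.4", "8.8.8.8", "208.67.222.222", "208.67.220.220"],
                  "reliability": 2, "count": 1, "timeout": 2, "interval": 5, "down": 3, "up": 8},
    "member": {"name": "wan_m1_w3", "metric": 1, "weight": 3},
    "policy": {"name": "wan_only"},
    "rule": {"name": "sticky_even", "src_ip": "0.0.0.0/0.0.0.1", "dest_port": 443, "proto": "tcp"},
}

def shell_quote(value):
    """Single-quote a value for the shell so masks, names and ports pass through intact."""
    return "'" + str(value).replace("'", "'\\''") + "'"

def render_uci_script(cfg):
    """Return shell text that creates the named uci sections (interface, member,
    policy, rule), adds list options with add_list, and commits /etc/config/mwan3."""
    i, m, p, r = cfg["interface"], cfg["member"], cfg["policy"], cfg["rule"]
    lines = ["#!/bin/sh", "set -e",
             f"uci set mwan3.{i['name']}=interface",
             f"uci set mwan3.{i['name']}.enabled='1'"]
    # track_ip is a list option: one add_list per address, in the given order.
    lines += [f"uci add_list mwan3.{i['name']}.track_ip={shell_quote(ip)}" for ip in i["track_ip"]]
    lines += [f"uci set mwan3.{i['name']}.{k}={shell_quote(i[k])}"
              for k in ("reliability", "count", "timeout", "interval", "down", "up")]
    lines += [f"uci set mwan3.{m['name']}=member",
              f"uci set mwan3.{m['name']}.interface={shell_quote(i['name'])}",
              f"uci set mwan3.{m['name']}.metric={shell_quote(m['metric'])}",
              f"uci set mwan3.{m['name']}.weight={shell_quote(m['weight'])}",
              f"uci set mwan3.{p['name']}=policy",
              f"uci add_list mwan3.{p['name']}.use_member={shell_quote(m['name'])}",
              f"uci set mwan3.{r['name']}=rule",
              f"uci set mwan3.{r['name']}.src_ip={shell_quote(r['src_ip'])}",
              f"uci set mwan3.{r['name']}.dest_port={shell_quote(r['dest_port'])}",
              f"uci set mwan3.{r['name']}.proto={shell_quote(r['proto'])}",
              f"uci set mwan3.{r['name']}.use_policy={shell_quote(p['name'])}",
              "uci commit mwan3"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_uci_script(INITIAL_WAN), end="")
```

The generated script only writes /etc/config/mwan3; the underlying 'wan' network interface must already exist in /etc/config/network, and mwan3 has to be restarted for the rules to take effect.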

Runtime Configuration

SDWAN traffic rules and WAN interfaces must be configurable at runtime through a RESTful API. This is expected to be supported by luci-app-mwan3, but the details require further investigation.

OpenWRT luci invocation mechanism:

(1) Log on: POST /cgi-bin/luci with luci_username and luci_password to obtain the sysauth cookie

e.g. wget --post-data "luci_username=root&luci_password=" http://192.168.56.2/cgi-bin/luci/

The response header will include the sysauth cookie, e.g.: "Set-Cookie: sysauth=e5b2e5c2ae0099c078bb3cb72052ed95;"

(2) Call the luci HTTP service with the sysauth cookie

e.g. wget --header="Cookie:sysauth=e5b2e5c2ae0099c078bb3cb72052ed95" http://192.168.56.2/cgi-bin/luci


mwan3 services available through luci:

  • interface_status: GET /luci/admin/status/mwan/interface_status

    Sample response:

    "interfaces":{"wan":{"running":true,"score":0,"track_ip":[{"status":"down","latency":0,"packetloss":0,"ip":"208.67.220.220"},{"status":"down","latency":0,"packetloss":0,"ip":"208.67.222.222"},{"status":"down","latency":0,"packetloss":0,"ip":"8.8.4.4"},{"status":"down","latency":0,"packetloss":0,"ip":"8.8.8.8"}],"lost":536,"status":"offline","age":5,"turn":134},"wanb6":{"running":false,"score":0,"track_ip":[],"lost":0,"status":"","age":0,"turn":0},"wanb":{"running":false,"score":0,"track_ip":[],"lost":0,"status":"","age":0,"turn":0},"wan6":{"running":false,"score":0,"track_ip":[],"lost":0,"status":"","age":0,"turn":0}},"connected":{"ipv6":["Members:","fe80::\/64"],"ipv4":["Members:","224.0.0.0\/3","192.168.56.2","127.0.0.0\/8","127.255.255.255","192.168.56.0\/24","10.0.3.0\/24","10.0.3.15","127.0.0.0","192.168.56.255","127.0.0.1","192.168.56.0","10.0.3.0","10.0.3.255"]}

  • detailed_status: GET /luci/admin/status/mwan/detailed_status
  • diagnostics_display: GET /luci/admin/status/mwan/diagnostics_display
  • troubleshooting_display: GET /luci/admin/status/mwan/troubleshooting_display

Note: configuration of WAN interfaces, members, policies and rules is supported in the web UI, but no direct RESTful API is available for it. A luci CGI plugin needs to be implemented to provide a RESTful API for WAN configuration.
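The two-step luci session above (log on for the sysauth cookie, then call the mwan3 status service) as an added example, not ICN or OpenWRT project code. It assumes the status services live under /cgi-bin/luci/admin/status/mwan/ on the luci host, plain http as in the wget examples, and a response shaped like the interface_status sample; the embedded sample is constructed from that response and only the read-only status path is exercised.

```python
"""Query mwan3 status through LuCI's cookie session and summarise WAN health.

Added example, not ICN or OpenWRT project code. Assumptions: login POST to
/cgi-bin/luci/, status services under /cgi-bin/luci/admin/status/mwan/, plain
http as in the wget examples above, and the interface_status response shape.
"""
import json
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# Constructed, trimmed variant of the interface_status response shown above.
SAMPLE_STATUS = json.loads(
    '{"interfaces":{"wan":{"running":true,"score":0,"track_ip":['
    '{"status":"down","latency":0,"packetloss":0,"ip":"8.8.4.4"},'
    '{"status":"up","latency":12,"packetloss":0,"ip":"8.8.8.8"}],'
    '"lost":536,"status":"offline","age":5,"turn":134},'
    '"wanb":{"running":false,"score":0,"track_ip":[],"lost":0,"status":"","age":0,"turn":0}}}'
)

def luci_login(base_url, username, password):
    """Step (1): POST the credentials; the cookie jar keeps the sysauth cookie."""
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    form = urllib.parse.urlencode({"luci_username": username, "luci_password": password}).encode()
    opener.open(base_url + "/cgi-bin/luci/", data=form, timeout=10).close()
    if not any(c.name == "sysauth" for c in jar):
        raise PermissionError("LuCI login failed: no sysauth cookie in response")
    return opener

def get_mwan3_status(opener, base_url, service="interface_status"):
    """Step (2): call a luci-app-mwan3 status service with the session cookie."""
    url = base_url + "/cgi-bin/luci/admin/status/mwan/" + service
    with opener.open(url, timeout=10) as resp:
        return json.load(resp)

def summarize_wans(status):
    """Per interface: running flag, mwan3 status and how many track IPs are not 'up'."""
    result = {}
    for name, iface in status["interfaces"].items():
        tracks = iface.get("track_ip", [])
        result[name] = {"running": bool(iface["running"]), "status": iface["status"],
                        "tracks_down": sum(1 for t in tracks if t["status"] != "up")}
    return result

def degraded_wans(summary):
    """Enabled WANs whose mwan3 status is not 'online': candidates for an alert."""
    return sorted(n for n, s in summary.items() if s["running"] and s["status"] != "online")
```

The sysauth cookie is a bearer credential for the whole luci admin interface, so in a deployment the CNF's luci endpoint should only be reachable from the management network, or fronted by TLS.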

QAT support

QAT support is required for hardware acceleration of HTTPS.

Open

(1) Run OpenWRT as a CNF: OpenWRT works as a VM when following these steps: https://openwrt.org/docs/guide-user/virtualization/virtualbox-vm, but it does not work as expected as a container when following the steps at https://openwrt.org/docs/guide-user/virtualization/docker_openwrt_image, due to the issue "failed to connect to ubus". This issue has been reported to the community for a solution: https://forum.openwrt.org/t/run-openwrt-as-container-failed-to-connect-to-ubus/44345

Implementations

TBD.
