View Source

Goals

In ICN's SDWAN usages, SFC (Service Function Chain) is designed to support Corp networks to connect to external internet with security connection. The SFC includes Security VNF (e.g. firewall etc.), WAN Opt CNF and SDWAN VNF/CNF, and SDWAN module is worked as software defined router which can be used to defined the rules when connect to external internet. Below diagram shows where SDWAN module located in the whole system.

Akraino > ICN - SDEWAN > sdwan-arch.png

Basic Technology

OpenWRT

The OpenWRT Project (https://openwrt.org/) is an open source project based on Linux, and it is primarily used on embedded devices to route network traffic. There are more than 3500 software packages which can be installed on OpenWRT via opkg package management system. OpenWRT provides both docker image and VM image to support virtualization solution (https://openwrt.org/docs/guide-user/virtualization/start). In ICN, we run OpenWRT in container.

OpenWRT Mwan3 package (a replacement for multiwan package) provides the capabilities for multiple WAN management: WAN interfaces management, outbound traffic rules, traffic load balancing etc.

ovn4nfv-k8s-plugin

ovn4nfv-k8s-plugin is a CNI plugin based on ovn. It can work together with Multus CNI to add multiple interfaces for the pod. One of the interfaces is the Multus default interface, it could be flannel, calico, etc. The other interfaces are added by ovn4nfv-k8s-plugin according the the pod annotation. With ovn4nfv-k8s-plugin, we can create virtual network in run-time. Also we can connect the pod with the provider network, this is important for CNF.

Design Proposals

Implementation

SDWAN module is implemented as CNF instead of VNF for better performance and proving of CNF can also be effect way to deploy SDWAN

SDWAN will leverage OpenWRT for it functionality:

Base Image: x86-generic rootfs image (http://downloads.openwrt.org/releases/18.06.4/targets/x86/generic/)
Packages:
- mwan3: multiple wans configuration and management
- luci-app-mwan3: web configuration interface for mwan3
- uhttp: web server for luci services

Deployment

Helm will be used to deploy SDWAN CNF as pod on nodes with external network connection with below parameters:

Network interfaces: multiple interfaces from difference CNI plugins, e.g. one is Multus default CNI (e.g. flannel or Calico), one is OVN CNI to connect to virtual network1 then connect to corp network, and the last one is OVN CNI which connect to external router

WAN configuration: an initial script running in the container will use uci command to do initial WAN configuration based on the input

WAN interface definition (e.g. interface, member etc.)

config interface 'wan'
	option enabled '1'
	list track_ip '8.8.4.4'
	list track_ip '8.8.8.8'
	list track_ip '208.67.222.222'
	list track_ip '208.67.220.220'
	option reliability '2'
	option count '1'
	option timeout '2'
	option interval '5'
	option down '3'
	option up '8'

config member 'wan_m1_w3'
	option interface 'wan'
	option metric '1'
	option weight '3'

Initial Traffic rules (e.g. policy, rule etc.)

config policy 'wan_only'
	list use_member 'wan_m1_w3'

config rule 'sticky_even'
	option src_ip '0.0.0.0/0.0.0.1'
	option dest_port '443'
	option proto 'tcp'
	option use_policy 'wan_only'

Runtime Configuration

SDWAN traffic rules and WAN interfaces are required to be configured at runtime through Restful API interface.

OpenWRT luci invoking mechanism:

(1) logon: POST /cgi-bin/luci with luci_username and luci_password to get sysauth Cookie

e.g. wget --post-data "luci_username=root&luci_password=" http://192.168.56.2/cgi-bin/luci/

response header will include sysauch cookie, like: "Set-Cookie: sysauth=e5b2e5c2ae0099c078bb3cb72052ed95;"

(2) Call luci http service with sysauth Cookie

e.g. wget --header="Cookie:sysauth=e5b2e5c2ae0099c078bb3cb72052ed95" http://192.168.56.2/cgi-bin/luci

Mwan3 supported services:

interface_status: GET /cgi-bin/luci/admin/status/mwan/interface_status

Sample response:

"interfaces":{"wan":{"running":true,"score":0,"track_ip":[{"status":"down","latency":0,"packetloss":0,"ip":"208.67.220.220"},{"status":"down","latency":0,"packetloss":0,"ip":"208.67.222.222"},{"status":"down","latency":0,"packetloss":0,"ip":"8.8.4.4"},{"status":"down","latency":0,"packetloss":0,"ip":"8.8.8.8"}],"lost":536,"status":"offline","age":5,"turn":134},"wanb6":{"running":false,"score":0,"track_ip":[],"lost":0,"status":"","age":0,"turn":0},"wanb":{"running":false,"score":0,"track_ip":[],"lost":0,"status":"","age":0,"turn":0},"wan6":{"running":false,"score":0,"track_ip":[],"lost":0,"status":"","age":0,"turn":0}},"connected":{"ipv6":["Members:","fe80::\/64"],"ipv4":["Members:","224.0.0.0\/3","192.168.56.2","127.0.0.0\/8","127.255.255.255","192.168.56.0\/24","10.0.3.0\/24","10.0.3.15","127.0.0.0","192.168.56.255","127.0.0.1","192.168.56.0","10.0.3.0","10.0.3.255"]}

detaild_status: GET /cgi-bin/luci/admin/status/mwan/detailed_status
diagnostics_display: GET /cgi-bin/luci/admin/status/mwan/diagnostics_display
troubleshooting_display: GET /cgi-bin/luci/admin/status/mwan/troubleshooting_display

Note: configuration for WAN's interface, member, policy and rule are supported in the web UI, but with no direct restful API available. It needs implement luci cgi plugin to provide restful API for WAN configuration. In ICN, one interface is implemented as POC to support running commands in CNF through Rest API call.

command:
POST /cgi-bin/luci/admin/config/command
Execute commands in OpenWRT CNF
Normal Response Code: 200
Error Response Code: 400
Request:
Name In Type Description
command Body String commands to be executed in CNF, each command is separated by semicolon

SDWAN Controller Implementations

The Akraino-SDEWAN-OutOfBoxNetworking.pptx describes the whole SDEWAN solution design.

ICN R3 release will focus on implementing the SDEWAN CNF and EWAN config Agent then designing the End-to-End demo with other components described in the SDEWAN solution.

Below diagram describes the interaction between SDEWAN CNF and EWAN config Agent.

Akraino > ICN - SDEWAN > sdewan work-flow.png