If you've set up pyswitch and NOX with Open vSwitch then you'll notice that any packets that don't match a flow get sent to the Openflow controller. If you set no flows, the controller receives every packet, until either you or the controller adds flows. Pyswitch will set flows for unicast traffic, but what happens when you start getting a substantial amount of background multicast/broadcast traffic?
A standard NOX setup can handle 10 flows per second. This means it can set up flows to handle 10 new hosts, or 10 different protocols, or it can simply return 10 packets to the switch and tell it to flood them.
Can you see the potential problem here? Any medium-to -large sized network will have all sorts of background multicast/unicast traffic, here are some of the things that will generate broadcast/multicast traffic on your network:
- ARP requests
- DHCP requests
- SSDP messages (from any UPnP-enabled device)
- SMB/NetBIOS (windows machines)
- Bonjour/mDNS (Apple / anything with iTunes)
- IGP routing protocols
- Spanning tree
- IPv6 router-advertisement messages
Taking a closer look
If you fire up wireshark you can filter on these messages
What's worse is that if you sit and watch, you'll see groups of packets show up in large groups at a time - SSDP, mDNS and NBNS all send 5-10 packets at a time, and with a standard Openflow controller-switch setup, these 10 packets will pause your network for a whole second.
The solution
With Open vSwitch, you have a few options - you could add all your flows manually, or you can delegate that to an Openflow controller. For something like this however, you can add a flow that makes your switch automatically flood any multicast/broadcast traffic, leaving your Openflow controller to focus on unicast traffic.
The ovs-ofctl documentation gives us an easy answer - set a flow that masks the group address bit as follows:
ovs-ofctl add-flow br0 priority=65500,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00,actions=flood
That was easy! If you want to do IGMP or MLD snooping, you can add flows with higher priorities - but first have a look at how much IP multicast traffic is on your network already - remember, 10 flows per second is probably your limit.
ovs-ofctl add-flow br0 priority=65500,dl_dst=01:00:5e:00:00:16,actions=controller
ovs-ofctl add-flow br0 priority=65500,dl_dst=33:33:00:00:00:16,actions=controller
The first flow will match IGMP traffic, and the second will match MLDv2 (IPv6 version of IGMPv3) traffic, but both versions of MLD unfortunately need more complicated flows, MLDv1 uses the all-local-nodes address, and even though MLDv2 has its own address, the MAC address 33:33:00:00:00:16 is valid for any IPv6 multicast address that ends in :0:16.
Has anyone done IGMP/MLD snooping on an Openflow controller yet? It's probably outside the scope of my current project, but it should be easy enough to build into Pyswitch if someone had the time. Let me know if you've done this, my twitter is @samrussellnz
(I am looking the answer of following ? May you help ?)
ReplyDeleteOver OPENVPN - Forwarding of UPnP SSDP Multicast Packets from One Network to Another
Network Configuration :
(PC-A-Network-A - 192.168.60.X) --Switch(Router) -- Internet (ISP) -- Switch (Router) -- (PC-B-Network-B - 192.168.10.X)
What is happening ?
libupnp device is running at PC-A-Network-A(192.168.60.128) and sending multicast packets(SSDP-Notify) at 239.255.255.250:1900
libupnp ctrlpoint is running at PC-B Network-B(192.168.10.104) and sending multicast packets(SSDP-Msearch) at 239.255.255.250:1900
OpenVPN Server is running at PC-B Network-B
OpenVPN Client is running at PC-A Network-A
(open VPN fully configured, as both network can ping each other)
Via using smcroute ( from this : http://bda.ath.cx/blog/2009/01/24/multicast-routing-upnp-traffic-with-linux/), its possible
to route PC-A-Network Packets to Network-B (SSDP-Multicast Packets), and vice versa.
What is not hapening ?
PC-A sending multicast SSDP Packets , and those are forwarded via openVPN to Network -B and vice versa, but no one accepts the multicast packets received from another network ?
Is there any body can explain ?
Do I need to configure iptables rules so that packet should be forwarded ? Or required to add some NAT rules or Is it possible to do this scenario