Increasing Visibility With Perf Flow IPFIX Sampling in OVS OVN

The document discusses the implementation of IPFIX (IP Flow Information Export) sampling in Open vSwitch (OVS) and Open Virtual Network (OVN), highlighting its two modes: per-bridge and per-flow sampling, along with their respective pros and cons. It explores applications of IPFIX sampling, including drop-sampling to diagnose packet loss and ACL sampling to verify access control list configurations. The document emphasizes the flexibility and granularity of per-flow sampling, aided by OVN's capabilities, while also comparing ACL sampling to traditional ACL logging methods.

Increasing visibility with perf-flow IPFIX sampling in OVS/OVN

Adrián Moreno
Nov ’22
Overview
● Quick overview of IPFIX support in OVS
● IPFIX modes: pros / cons
● Potential of per-flow IPFIX sampling: OVN to the rescue
● Application 1: drop-sampling
● Application 2: ACL sampling
IPFIX Overview
● Protocol + Information Model + Collection Architecture + much more
  ○ RFCs: 7011, 7012, 5470, 5153, etc.
● The Exporter sends Traffic Flow Information to the Collector
● Flow information is interpreted according to Templates.
  ○ Each Template contains a set of Fields (Field ID : Field Length), a.k.a. Information Elements.
  ○ There are many standardized Fields (IANA maintains the registry)
IPFIX Overview II
● There can be many Observation Domains within an Exporter
● There can be many Observation Points within an Observation Domain

  ID    Name                   Size
  149   observationDomainId    unsigned32
  138   observationPointId     unsigned32 *

  * Original size was 32 bits; later extended to 64.
IPFIX support in OVS: Overview
● Two modes: per-bridge sampling and per-flow sampling
● Common part: dpif_ipfix_exporter (ofproto/ofproto-dpif-ipfix.c)
  ○ Flexible Templates: one for each possible combination of L2/L3/L4 protocols (plus some more)
○ Configurable flow cache:
■ Flow number limit
■ Time limit
IPFIX support in OVS: Per-bridge
The IPFIX row is associated to the bridge. It carries fixed observation domain/point IDs, one global sampling rate (sampling=400 means 1 in 400 packets) and the choice of sampling at ingress and/or egress:

  ovs-vsctl -- set Bridge br0 ipfix=@i \
      -- --id=@i create IPFIX targets=\"192.168.0.34:4739\" \
         obs_domain_id=123 obs_point_id=456 cache_active_timeout=60 \
         cache_max_flows=13 other_config:enable-egress-sampling=false \
         sampling=400
Per bridge sampling: Pros / Cons
  Pros: simple configuration; quick overview of what traffic is flowing
  Cons: not very fine-grained; br-int is not just a bridge (OVN multiplexes many logical datapaths onto it)
IPFIX support in OVS: Per-flow
The IPFIX row still holds the cache configuration, but it is now referenced through an intermediate table, Flow_Sample_Collector_Set, which has an id:

  ovs-vsctl -- --id=@i create IPFIX targets=\"192.168.0.34:4739\" cache_max_flows=13 \
      -- create Flow_Sample_Collector_Set bridge=$BRIDGE_UUID id=1 ipfix=@i
IPFIX support in OVS: Per-flow II
We can select what to sample: each flow references a Flow_Sample_Collector_Set by id, and each flow carries its own observation domain/point IDs and its own probability (out of 65535):

  ovs-ofctl add-flow br-test "ip,tcp,tp_dst=8080
      actions=sample(probability=32767,collector_set_id=1,
                     obs_domain_id=123,obs_point_id=234)"
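The probability field above is not a percentage but a count out of 65535, and per-bridge `sampling=N` is the inverse (1 in N), which is easy to mix up. The following is an added Python helper, not code from the slides or from OVS, that converts a sampling fraction into the 16-bit probability and emits the per-flow commands for several traffic classes. The collector address, the `$BRIDGE_UUID` placeholder, collector set id 1, observation domain 123 and the `NORMAL` action appended after `sample()` are assumptions; the commands are returned as strings so this runs without an OVS installation.

```python
# Added example: build OVS per-flow sample() actions from a sampling fraction.
# Not part of the original slides or of Open vSwitch; all IDs are assumptions.

OF_PROB_MAX = 65535  # the OpenFlow sample() probability is 16 bits: 65535 = every packet


def fraction_to_probability(fraction):
    """Map a sampling fraction in (0, 1] to the 16-bit probability field.
    Rounds down but never to 0, because probability=0 would sample nothing."""
    if not 0 < fraction <= 1:
        raise ValueError("sampling fraction must be in (0, 1]")
    return max(1, int(fraction * OF_PROB_MAX))


def sample_action(fraction, collector_set_id, obs_domain_id, obs_point_id):
    """Render the sample() action; the three IDs are 32-bit in OVS."""
    for name, val in (("collector_set_id", collector_set_id),
                      ("obs_domain_id", obs_domain_id),
                      ("obs_point_id", obs_point_id)):
        if not 0 <= val <= 0xFFFFFFFF:
            raise ValueError(f"{name} must fit in 32 bits")
    return (f"sample(probability={fraction_to_probability(fraction)},"
            f"collector_set_id={collector_set_id},"
            f"obs_domain_id={obs_domain_id},obs_point_id={obs_point_id})")


def per_flow_sampling_commands(bridge, bridge_uuid, collector, classes):
    """Return the ovs-vsctl/ovs-ofctl commands for one collector set (id=1) and a
    list of (priority, match, fraction, obs_point_id) traffic classes.
    Assumption: every class is forwarded with NORMAL after being sampled."""
    cmds = [f"ovs-vsctl -- --id=@i create IPFIX targets=\\\"{collector}\\\" cache_max_flows=13 "
            f"-- create Flow_Sample_Collector_Set bridge={bridge_uuid} id=1 ipfix=@i"]
    for prio, match, fraction, obs_point in classes:
        act = sample_action(fraction, 1, 123, obs_point)
        cmds.append(f'ovs-ofctl add-flow {bridge} "priority={prio},{match} actions={act},NORMAL"')
    return cmds


if __name__ == "__main__":
    # Constructed traffic classes: sample half of the web traffic, 1% of DNS.
    classes = [(100, "ip,tcp,tp_dst=8080", 0.5, 234),
               (90, "ip,udp,tp_dst=53", 0.01, 235)]
    for cmd in per_flow_sampling_commands("br-test", "$BRIDGE_UUID", "192.168.0.34:4739", classes):
        print(cmd)
```

Each class gets its own obs_point_id, so the collector can tell web samples from DNS samples even though they share one collector set and one observation domain.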
Per flow sampling: Pros / Cons
  Pros: more fine-grained; can express virtual datapaths
  Cons: more complex; needs OpenFlow
  OVN can help!
OVN support of IPFIX sampling
  sample(probability={}, obs_domain={}, obs_point={}, collector_set={})
● probability (16 bit): 1 - 65535, the number of sampled packets out of 65535 (the OpenFlow sample() encoding)
● collector_set (32 bit): has to be configured in OVS (Flow_Sample_Collector_Set id)
● obs_domain (8 bit): defines OVN's sampling "application"; OVN composes the 32-bit ObservationDomainID from it and the datapath key:

  ObservationDomainID, bit 31 ... bit 0:
    | obs_domain (8 bit) | datapath key (16 bit) |

● obs_point (32 bit): the ObservationPointID, or $cookie (i.e. the lflow uuid)
Application 1: Drop sampling
  Maybe OVN is dropping the packet...? If so, why??
Application 1: drop-sampling
  ovn-nbctl set NB_Global . options:debug_drop_collector_set=123 \
      -- set NB_Global . options:debug_drop_domain_id=1

● OVN adds a sample action to all drops
● Demo: https://www.youtube.com/watch?v=z3sWgJNRuTg
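What the collector has to do with those drop samples is the part the slides leave implicit: decode the IPFIX templates, pull OVN's application id and datapath key back out of observationDomainId, and group by obs_point to see which logical flow is dropping. Below is an added Python example, not code from the slides or from the OVS/OVN projects, that does exactly that for the IPFIX overview and the OVN drop-sampling configuration above. Assumptions, all labelled in the code: the template field layout and a 32-bit observationPointId stand in for OVS's real templates; the observationDomainId split (high 8 bits obs_domain, low 16 bits datapath key) is taken from the slide's diagram; drops carry the lflow cookie in obs_point; the datapath key 5 and the three sample records are constructed, and the message is built in-process so the example runs offline.

```python
# Added example: minimal IPFIX collector side for OVS/OVN drop samples.
# Not part of the slides or of the OVS/OVN code base; see the assumptions in comments.
import struct
from collections import Counter

# Subset of IANA IPFIX Information Elements that OVS templates carry (id -> name).
IE_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
            7: "sourceTransportPort", 8: "sourceIPv4Address", 11: "destinationTransportPort",
            12: "destinationIPv4Address", 138: "observationPointId", 149: "observationDomainId"}
IPV4_IES = {8, 12}


def decode_value(ie_id, raw):
    """IPv4 IEs become dotted quads; everything else is read as a big-endian integer."""
    if ie_id in IPV4_IES and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def parse_ipfix(msg, templates=None):
    """Parse one IPFIX message (RFC 7011). Returns (header, records).
    templates maps (observationDomainId, templateId) -> [(ie_id, length)]; the caller
    keeps it across calls because templates usually arrive in an earlier message."""
    templates = {} if templates is None else templates
    version, length, export_time, seq, domain = struct.unpack_from("!HHIII", msg, 0)
    if version != 10 or length > len(msg):
        raise ValueError("not an IPFIX message")
    header = {"export_time": export_time, "sequence": seq, "observationDomainId": domain}
    records, off = [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4:
            raise ValueError("bad set length")
        end, pos = off + set_len, off + 4
        if set_id == 2:                          # Template Set
            while pos + 4 <= end:
                tid, nfields = struct.unpack_from("!HH", msg, pos)
                pos, fields = pos + 4, []
                for _ in range(nfields):
                    ie, flen = struct.unpack_from("!HH", msg, pos)
                    pos += 4
                    if ie & 0x8000:              # enterprise-specific IE: skip enterprise number
                        pos, ie = pos + 4, ie & 0x7FFF
                    fields.append((ie, flen))
                if fields:                       # nfields == 0 is a template withdrawal
                    templates[(domain, tid)] = fields
        elif set_id >= 256:                      # Data Set, decoded with its template
            fields = templates.get((domain, set_id))
            if not fields:
                raise ValueError(f"no template {set_id} for domain {domain}")
            while pos < end:
                rec, p = {}, pos
                for ie, flen in fields:
                    if flen == 65535 and p < end:  # variable-length field (RFC 7011 section 7)
                        flen, p = msg[p], p + 1
                        if flen == 255 and p + 2 <= end:
                            flen, p = struct.unpack_from("!H", msg, p)[0], p + 2
                    if p + flen > end:           # only padding remains in this set
                        rec = None
                        break
                    rec[IE_NAMES.get(ie, f"ie{ie}")] = decode_value(ie, msg[p:p + flen])
                    p += flen
                if rec is None:
                    break
                rec["observationDomainId"] = domain
                records.append(rec)
                pos = p
        off = end
    return header, records


def split_ovn_domain(domain_id):
    """Layout from the OVN slide (assumption): obs_domain, the sampling 'application'
    such as debug_drop_domain_id=1, in the top 8 bits; datapath key in the low 16 bits."""
    return {"obs_domain": (domain_id >> 24) & 0xFF, "datapath_key": domain_id & 0xFFFF}


def summarize_drops(records, drop_domain=1):
    """Sampled packets per (datapath key, obs_point). Assuming drops use obs_point=$cookie,
    the obs_point is the logical flow's cookie, i.e. which lflow dropped the traffic."""
    counts = Counter()
    for rec in records:
        dom = split_ovn_domain(rec["observationDomainId"])
        if dom["obs_domain"] != drop_domain:
            continue
        counts[(dom["datapath_key"], f'{rec["observationPointId"]:08x}')] += rec.get("packetDeltaCount", 1)
    return counts


def build_sample_message(domain_id, flows):
    """Constructed IPFIX message (template set + data set) standing in for what the OVS
    exporter sends; the field layout and 4-byte observationPointId are assumptions."""
    fields = [(138, 4), (8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (2, 8), (1, 8)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    data = b""
    for obs_point, src, dst, proto, sport, dport, pkts, octets in flows:
        data += (struct.pack("!I", obs_point) + bytes(map(int, src.split("."))) +
                 bytes(map(int, dst.split("."))) + struct.pack("!BHHQQ", proto, sport, dport, pkts, octets))
    body = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(body), 1700000000, 1, domain_id) + body


# Constructed drop samples: (obs_point = lflow cookie, src, dst, proto, sport, dport, pkts, bytes).
DROP_DOMAIN, DP_KEY = 1, 5   # debug_drop_domain_id=1 as on the slide; the datapath key is made up
SAMPLE_FLOWS = [(0xDEADBEEF, "10.0.0.1", "10.0.0.2", 6, 34567, 8080, 3, 180),
                (0xDEADBEEF, "10.0.0.1", "10.0.0.2", 6, 34568, 8080, 2, 120),
                (0xCAFE0001, "10.0.0.9", "10.0.0.2", 17, 5353, 53, 1, 64)]
MESSAGE = build_sample_message((DROP_DOMAIN << 24) | DP_KEY, SAMPLE_FLOWS)

if __name__ == "__main__":
    _, recs = parse_ipfix(MESSAGE)
    for (dp, cookie), n in summarize_drops(recs, DROP_DOMAIN).most_common():
        print(f"datapath {dp}: lflow cookie {cookie} dropped {n} sampled packets")
```

With the cookie in hand, `ovn-sbctl find Logical_Flow` on that UUID prefix gives the exact match and stage that dropped the packet, which is the answer to the "why??" on the previous slide. Keep the templates dictionary per exporter in a real collector: a data set that arrives before its template cannot be decoded, which is why the parser raises rather than guessing.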
Application 2: ACL Sampling
  Are my ACLs well configured? Are they dropping any traffic?
ACL Sampling
Sample table:
  _uuid      domain_id   Probability   CollectorSetID
  someUUID   25          65535         2

ACL table (each ACL references a Sample row):
  _uuid   Match   ...   Sample
  ..      ..      ..    someUUID
ACL Sampling vs ACL logging
                      ACL Logging                       ACL Sampling
  Caching             ❌                                ✅
  Collector           ovn-controller                    External IPFIX collector
  Sample information  Severity + verdict + ACL name     L2+L3+L4 headers + datapath + ACL info + bytes/packets
  Sampling            ❌                                ✅ (can even differ for each ACL)
  Data format         Text (log)                        IPFIX (standard)
  Rate limit          Yes: Meter                        Yes: Meter + Sampling

Thank you!

Adrián Moreno
Nov ’22
