What is SDN: Software Defined Networking


Network virtualization (Networking Virtualization, NV) and SDN are red hot right now, so let me first offer my personal understanding and views. Since I have not actually worked with the corresponding products, this stays at the theoretical level and I am still learning; some parts may be hard for me to understand or may even be understood wrongly, so I am posting this specifically to exchange ideas with everyone.

The concept of SDN (Software Defined Networking) appeared as early as 2009, but it only started drawing wide attention recently, mainly because Google came out and stated that its internal backbone linking its data centers is now controlled with OpenFlow, which instantly pushed OpenFlow from a purely academic thing into commercial use. The second bombshell was VMware's acquisition of the network virtualization company Nicira for US$1.26 billion.

SDN is only a concept. At bottom, it aims to make the network programmable: the control plane (Control Plane) that was originally locked inside closed network devices is pulled out of the "box" entirely and managed by a centralized controller, and that controller is fully open, so you can define whatever mechanism or protocol you want. For example, if you do not like one of the control-plane protocols built into the switch/router, you can modify it programmatically, or even remove it and replace it entirely with a different control protocol. This openness is what gives the network unlimited room to develop; in other words, if you can think of it, you can build it.

So why does SDN get tangled up with NV? There is actually no causal relationship between them: SDN was not designed to implement network virtualization, but precisely because of the advantages of the SDN architecture, the job of network virtualization can also be done on it. Many people (myself included) thought SDN simply was NV when first encountering it, but in fact SDN's ambitions are far broader; in mathematical terms, "NV is a subset of SDN, and SDN contains NV".

Now for NV. Why is NV so hot? Ultimately because of the rise of cloud computing. Server/storage virtualization provides the infrastructure foundation for cloud computing and already has mature products and solutions, but you will notice a problem: even so, VM migration is still not flexible enough. For example, VMware vMotion can migrate a VM live and EMC VPLEX can do active-active sites, but the VM's network (addresses, policies, security, VLANs, ACLs and so on) remains tightly coupled to the physical devices. Even if a VM is successfully migrated from one subnet to another, you still have to change its IP address, and that step inevitably means downtime. Furthermore, many policies are address-based; change the address and the policies have to change too, so it remains manual work, tedious and error-prone. Hence, to achieve full VM migration (Full VM Migration), that is, without changing any existing configuration, logical objects (such as IP addresses) must be decoupled (decouple) from the physical network devices. That is just one example; in short, the goal is to migrate VMs anywhere within the data center non-disruptively, especially in a multi-tenant (Multi-tenancy) environment such as the cloud, giving every tenant a complete network view and a truly agile business model, so that more people are drawn to cloud computing.

SDN is not the only way to do network virtualization. Network overlays (MAC-in-MAC, MAC-in-IP and similar encapsulations) are what many companies actually use today, for example Microsoft NVGRE, VXLAN (VMware, Cisco and others), Cisco OTV and Nicira STT. In fact the overlay network seems to have become the standard way to implement NV, while NV implemented on the SDN model is still mostly found in academia and research. New technology always attracts a crowd of competitors who all want a share, and perhaps to become the standard in the end. The show has only just begun and will surely get more exciting.

Personally I find this a very interesting topic and hope to exchange experiences with everyone and learn from each other.

The goal of NV is to present a complete network to each tenant in a cloud environment. A tenant may want to use any IP address range it likes and any topology, and certainly does not want to change its original IP addresses when migrating to a public cloud, since that means downtime. So customers want a secure and fully isolated network environment with a guarantee of no conflict with other tenants. If features like vMotion let VMs drift freely around the cloud while running, can the network drift along with them? Here is a brief look at Microsoft's Hyper-V Network Virtualization, not because its technology is especially advanced, but because its implementation details are relatively public, while other companies' specific approaches are comparatively closed and hard to use as examples.

Microsoft's idea is actually simple: the VM's original Layer-2 frame is encapsulated once more with NVGRE inside an IP packet for transport, and the receiving host uses the NVGRE Key field (which carries the 24-bit Virtual Subnet ID) to tell which tenant's virtual subnet the inner frame belongs to; the physical switches only ever see the outer IP packet. This is a network overlay (Network Overlay): it separates the virtual network from the physical network. Imagine companies A and B both migrate to a public cloud and, as it happens, some of their VMs attach to the same physical switch. The problem is that the private IP ranges their VMs used originally are the same, which without VLANs would produce IP conflicts. But this is no longer a problem: all communication between VMs goes through NVGRE encapsulation, and the new IP packets cross the physical network using the physical (provider) address space, which is owned exclusively by the cloud provider, so IP conflicts cannot arise.

Figure 1: Server vs. network virtualization

Figure 2

Figure 3: IP address rewrite

In summary, the network virtualization here can be thought of as IP address virtualization: the virtual network's IP addresses are completely separated from the physical network, which avoids IP conflicts and the problems of migrating VMs live across subnets. Microsoft's requirement is that a VM can be moved anywhere in the data center without the customer noticing anything, and this mobility brings great flexibility.
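The overlay mechanism described in the preceding paragraphs, as an added example that is not part of the original post and not Microsoft's code: it builds and parses NVGRE packets with the RFC 7637 layout (GRE with the K bit set, protocol type 0x6558, Key = 24-bit VSID followed by an 8-bit FlowID) and uses a constructed (VSID, customer address) lookup table to show two tenants with identical 10.0.0.0/24 addresses being kept apart by their VSID. All VSIDs, customer addresses (CA), provider addresses (PA), MACs and VM names are assumptions; `POLICY`, `send` and `receive` are hypothetical names for the per-host lookup table and the sending/receiving hypervisor logic, not HNV APIs.

```python
"""NVGRE encapsulation/decapsulation with a per-tenant (VSID) lookup table.
Constructed example, not Microsoft's implementation; all addresses are made up."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_TEB = 0x6558     # Transparent Ethernet Bridging: GRE payload is an Ethernet frame
GRE_KEY_PRESENT = 0x2000   # K bit in the GRE flags/version word

# Constructed lookup table (HNV calls this the virtualization policy): (VSID, CA) -> (PA, VM name).
# Tenant A (VSID 5001) and tenant B (VSID 5002) both use 10.0.0.0/24; only the VSID keeps them apart.
POLICY = {
    (5001, "10.0.0.5"): ("192.168.1.10", "tenantA-web"),
    (5001, "10.0.0.6"): ("192.168.1.20", "tenantA-db"),
    (5002, "10.0.0.5"): ("192.168.1.10", "tenantB-web"),  # same CA and same host as tenantA-web
    (5002, "10.0.0.6"): ("192.168.1.30", "tenantB-db"),
}


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def _ip_str(b):
    return ".".join(str(o) for o in b)


def _checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def tenant_frame(src_mac, dst_mac, src_ca, dst_ca):
    """Inner Ethernet frame carrying an empty IPv4 packet between two customer addresses."""
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ipv4_header(src_ca, dst_ca, 1, 0)


def inner_addresses(frame):
    """(src CA, dst CA) of the IPv4 packet inside an inner Ethernet frame (14-byte Ethernet header)."""
    return _ip_str(frame[26:30]), _ip_str(frame[30:34])


def nvgre_encap(vsid, src_pa, dst_pa, frame, flow_id=0):
    """Outer IPv4 (provider addresses) + GRE header with Key = VSID<<8 | FlowID + inner frame."""
    assert 0 <= vsid < (1 << 24), "VSID is 24 bits"
    gre = struct.pack("!HHI", GRE_KEY_PRESENT, GRE_PROTO_TEB, (vsid << 8) | (flow_id & 0xFF))
    return ipv4_header(src_pa, dst_pa, IPPROTO_GRE, len(gre) + len(frame)) + gre + frame


def nvgre_decap(packet):
    """Parse the outer IPv4 and GRE headers; reject anything that is not keyed GRE over TEB."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags, proto, key = struct.unpack("!HHI", packet[ihl:ihl + 8])
    if not flags & GRE_KEY_PRESENT or proto != GRE_PROTO_TEB:
        raise ValueError("GRE packet is not NVGRE")
    return {"src_pa": _ip_str(packet[12:16]), "dst_pa": _ip_str(packet[16:20]),
            "vsid": key >> 8, "flow_id": key & 0xFF, "frame": packet[ihl + 8:]}


def send(vsid, frame):
    """Sending host: resolve both CAs through the policy table and wrap the frame in NVGRE."""
    src_ca, dst_ca = inner_addresses(frame)
    return nvgre_encap(vsid, POLICY[(vsid, src_ca)][0], POLICY[(vsid, dst_ca)][0], frame)


def receive(packet, local_pa):
    """Receiving host: deliver only if VSID, inner CAs and outer PAs all agree with the policy.
    Returns the target VM name, or None if the packet is dropped."""
    d = nvgre_decap(packet)
    if d["dst_pa"] != local_pa:
        return None
    src_ca, dst_ca = inner_addresses(d["frame"])
    sender = POLICY.get((d["vsid"], src_ca))
    target = POLICY.get((d["vsid"], dst_ca))
    if sender is None or sender[0] != d["src_pa"]:
        return None   # inner source CA is not registered for this VSID behind the outer source PA
    if target is None or target[0] != local_pa:
        return None   # no local VM owns this CA in this virtual subnet
    return target[1]


if __name__ == "__main__":
    frame = tenant_frame("02:00:00:00:00:05", "02:00:00:00:00:06", "10.0.0.5", "10.0.0.6")
    for vsid in (5001, 5002):
        pkt = send(vsid, frame)   # identical inner frame, different tenants, different destination host
        print(vsid, nvgre_decap(pkt)["dst_pa"], receive(pkt, nvgre_decap(pkt)["dst_pa"]))
```

The receive-side check matters because NVGRE itself carries no authentication: anything that can put packets onto the provider network can claim any VSID. Checking that the inner source CA is registered for that VSID behind the outer source PA catches cross-host spoofing, but it cannot tell two VMs on the same host apart (tenantA-web and tenantB-web above share a PA), so the sending hypervisor's virtual switch must stamp the VSID itself and never let a guest choose it.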

Software-defined networking (SDN) is an approach to computer networking which evolved from work done at UC Berkeley and Stanford University around 2008.[1] SDN allows network administrators to manage network services through abstraction of lower-level functionality. This is done by decoupling the system that makes decisions about where traffic is sent (the control plane) from the underlying systems that forward traffic to the selected destination (the data plane). The inventors and vendors of these systems claim that this simplifies networking.[2]

SDN requires some method for the control plane to communicate with the data plane. One such mechanism, OpenFlow, is often misunderstood to be equivalent to SDN, but other mechanisms could also fit into the concept. The Open Networking Foundation was founded to promote SDN and OpenFlow.
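The control-plane/data-plane split just described, and the programmable controller the opening section calls for, as an added example that is neither from the original page nor from any SDN product or OpenFlow library: the switches are exact-match flow tables that forward on their own and punt unknown traffic to a single controller, which learns MAC-to-port mappings and enforces one global tenant policy that is pushed to every switch as flow entries. The `Controller`/`Switch` classes, the `packet_in` callback, the port numbers, MACs and tenant labels are all assumptions made for this example.

```python
"""Toy model of a centralized control plane feeding exact-match data-plane tables.
Constructed example, not OpenFlow wire-protocol code; all names and addresses are made up."""
from collections import defaultdict


class Controller:
    """Centralized control plane: learns MAC -> port per switch and enforces one global tenant policy."""

    def __init__(self, tenant_of):
        self.tenant_of = dict(tenant_of)     # MAC -> tenant; defined once here, never per switch
        self.mac_table = defaultdict(dict)   # dpid -> {MAC: port}, learned from packet-ins
        self.switches = []
        self.packet_ins = 0

    def register(self, switch):
        self.switches.append(switch)

    def packet_in(self, switch, in_port, src, dst):
        """Called by a switch on a table miss; returns the action to apply (and, if exact, install)."""
        self.packet_ins += 1
        self.mac_table[switch.dpid][src] = in_port
        if self.tenant_of.get(src) != self.tenant_of.get(dst):
            return ("drop",)                               # cross-tenant traffic: install a drop rule
        out_port = self.mac_table[switch.dpid].get(dst)
        if out_port is None or out_port == in_port:
            return ("flood",)                              # destination unknown: flood once, do not cache
        return ("output", out_port)

    def set_tenant(self, mac, tenant):
        """Change the global policy and invalidate every cached flow on every switch that involves the MAC."""
        self.tenant_of[mac] = tenant
        for sw in self.switches:
            for key in [k for k in sw.flows if mac in k[1:]]:
                del sw.flows[key]


class Switch:
    """Data plane: a dumb exact-match flow table; every unknown flow is punted to the controller."""

    def __init__(self, dpid, ports, controller):
        self.dpid = dpid
        self.ports = set(ports)
        self.controller = controller
        self.flows = {}                                    # (in_port, src, dst) -> action
        controller.register(self)

    def receive(self, in_port, src, dst):
        """Forward one frame; returns the list of output ports it is sent to."""
        key = (in_port, src, dst)
        action = self.flows.get(key)
        if action is None:
            action = self.controller.packet_in(self, in_port, src, dst)
            if action[0] != "flood":
                self.flows[key] = action                   # exact rules are cached; floods are not
        if action[0] == "output":
            return [action[1]]
        if action[0] == "flood":
            return sorted(self.ports - {in_port})
        return []                                          # drop


def demo():
    """Three hosts on one switch: h1 and h2 belong to tenant A, h3 to tenant B."""
    h1, h2, h3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    ctl = Controller({h1: "A", h2: "A", h3: "B"})
    sw = Switch("sw1", ports=[1, 2, 3], controller=ctl)
    results = []
    results.append(sw.receive(1, h1, h2))   # unknown dst: flooded to ports 2 and 3
    results.append(sw.receive(2, h2, h1))   # reply: controller now knows h1 is on port 1
    results.append(sw.receive(1, h1, h2))   # exact rule installed, output port 2
    results.append(sw.receive(1, h1, h2))   # hits the flow table, no packet-in
    results.append(sw.receive(3, h3, h1))   # tenant B -> tenant A: dropped by the global policy
    ctl.set_tenant(h3, "A")                 # one policy change, pushed to every switch
    results.append(sw.receive(3, h3, h1))   # re-evaluated: now forwarded to port 1
    return results, ctl.packet_ins


if __name__ == "__main__":
    print(demo())
```

Two things the toy makes visible that the prose only states: the switch never decides anything (a policy change is made once in the controller and takes effect everywhere), and the cached data-plane state must be invalidated when the control plane changes its mind, otherwise a stale "output" entry keeps forwarding traffic the new policy forbids. In a real deployment the controller is therefore the highest-value target: whoever can speak to it, or impersonate it on the southbound channel, owns every flow table.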

One application of SDN is infrastructure as a service (IaaS).

In this setting, SDN virtual networking combined with virtual compute (VMs) and virtual storage can emulate elastic resource allocation, as if each enterprise application had been written like a Google or Facebook application. In the vast majority of such applications resource allocation is statically mapped in inter-process communication (IPC); if that mapping can instead be expanded or reduced to large (many-core) or small VMs, the behaviour would be much like that of the purpose-built large Internet applications.

Other uses in the consolidated data center include consolidation of spare capacity stranded in static partitions of racks into pods. Pooling this spare capacity significantly reduces the computing resources required, and pooling the active resources increases average utilization.

SDN's distributed and global edge control also includes the ability to balance load across the many links leading from the racks to the switching spine of the data center. Without SDN this task is done with traditional link-state updates, which update every location upon a change in any location. Distributed global SDN measurements may raise the cap on the scale of physical clusters. Other data-center uses listed are distributed application load balancing, distributed firewalls, and similar adaptations of traditional networking functions that arise from dynamic, any-location or any-rack allocation of compute resources.

Other uses of SDN in enterprise or carrier managed network services (MNS) address the traditional and geo-distributed campus network. These environments have always been challenged by the complexity of moves, adds and changes, mergers and acquisitions, and the movement of users. Based on SDN principles, it is expected that these identity and policy management challenges can be addressed with global definitions decoupled from the physical interfaces of the network infrastructure, while the in-place infrastructure of potentially thousands of switches and routers remains intact.

It has been noted that this "overlay" approach carries a high likelihood of inefficiency and low performance, because it ignores the characteristics of the underlying infrastructure. Carriers have therefore identified the gaps in overlays and asked for them to be filled by SDN solutions that take traffic, topology and equipment into account.[7]

SDN deployment models

Symmetric vs asymmetric
In an asymmetric model, SDN global information is centralized as much as possible, and edge driving is distributed as much as possible. The considerations behind such an approach are clear: centralization makes global consolidation much easier, and distribution lowers the SDN traffic aggregation and encapsulation pressure. This model, however, raises questions about the exact relationship between these very different types of SDN elements as regards coherency, scale-out simplicity and multi-location high availability, questions that do not come up with traditional AS-based (autonomous-system) networking models. In a symmetrically distributed SDN model, effort goes into increasing the ability to distribute global information and the SDN aggregation performance, so that the SDN elements are essentially one type of component. A group of such elements can form an SDN overlay as long as there is network reachability among any subset of them.
Floodless vs flood-based
In a flood-based model, a significant amount of the global information sharing is achieved with well-known broadcast and multicast mechanisms. This can help make SDN models more symmetric, and it leverages existing transparent-bridging principles, dynamically encapsulated, to achieve global awareness and identity learning. One downside of this approach is that as more locations are added, the load per location increases, which degrades scalability. In a floodless model, all forwarding is based on global exact match, typically achieved with distributed hashing and distributed caching of the SDN lookup tables.
Host-based vs network-centric
A host-based model assumes that SDN is used in data centers with many virtual machines moving around to provide elasticity. Under this assumption the SDN encapsulation is already done at the host hypervisor on behalf of the local virtual machines. This design reduces SDN edge traffic pressure and uses "free" processing from each host's spare core capacity. In a network-centric design a clearer demarcation is made between the network edge and the end points: the SDN edge is associated with the access of the top-of-rack device and sits outside the host end points. This is the more traditional approach to networking, which does not count on end points to perform any routing function.
The lines between these design models are not completely sharp. For example, in data centers using compute fabrics, "big" hosts with many CPU cards also perform some of the top-of-rack access functions and can concentrate SDN edge functions on behalf of all the CPU cards in a chassis; that is both host-based and network-centric. There may also be dependencies between these variants: a host-based implementation will typically mandate an asymmetric centralized lookup or orchestration service to help organize a large distribution, while a symmetric and floodless implementation will typically mandate in-network SDN aggregation to keep lookup distribution to a reasonable number of edge points. Such concentration relies on local OpenFlow interfaces in order to sustain the traffic encapsulation pressure.[5] [6]
Copyright © 2005-2023 上海哲涛网络科技有限公司, 沪ICP备06058430号-1