[pox-dev] Multiple controllers
Silvia Fichera
fichera.sil at gmail.com
Tue Dec 10 23:33:18 PST 2013
Thank you!
Now it works.
I want two distinct controllers because I suppose that in a very large
network a centralized controller would have to analyze a huge number of sources
and would risk a sort of overload.
It's for security reasons.
Thanks again!
bests,
2013/12/10 Murphy McCauley <murphy.mccauley at gmail.com>
> The second option would be my preference. As for how C1 knows enough
> about the core network to do the first hop correctly... the first thing I'd
> do is figure out if it was reasonable to just statically configure it.
>
> Still... are two distinct controllers really required? Why not one
> controller which treats the access switch differently than the core
> switches? There may well be a good reason, but it's a question worth
> asking.
>
> As to the specific issues in your second email... I think it may actually
> be two problems.
>
> The cause of the warning is explained in the second entry of the POX FAQ.
>
> The OpenFlow error is most commonly seen either when there's a loop, or when
> you've sent two flow-mods/packet-outs referencing the same buffer_id (often
> from two different packet-in handlers). The specified buffer has already
> been used/discarded. See the OpenFlow spec for more on OFPBRC_BUFFER_EMPTY.
>
> -- Murphy
>
> On Dec 10, 2013, at 3:51 AM, Silvia Fichera <fichera.sil at gmail.com> wrote:
>
> > I'm trying to follow the second option.
> > The forwarding process is working just one way.
> > I would like to prepare the switch to forward the ACK response from the
> > host, so I want to install a proactive rule.
> > I've tried to do it in this way:
> >
> > actions2 = []
> > # Rewrite the destination MAC (redundant here, since the match below already
> > # requires dl_dst == mac2) and send the reply back out the port the SYN
> > # arrived on. `inport` is that port; it is not shown in this snippet.
> > actions2.append(of.ofp_action_dl_addr.set_dst(mac2))
> > actions2.append(of.ofp_action_output(port=inport))
> > match = of.ofp_match()
> > match.in_port = 1
> > match.dl_src = mac
> > match.dl_dst = mac2
> > # nw_* fields are only honoured once dl_type says the frame carries IPv4;
> > # without it the switch ignores them and POX logs the "unspecified
> > # prerequisites" warning.
> > match.dl_type = 0x0800
> > match.nw_proto = 6
> > match.nw_src = dstaddr
> > match.nw_dst = srcaddr
> > # No buffer_id here (default is NO_BUFFER): the buffered packet is the
> > # forward-direction SYN, and a buffer can be consumed by only one
> > # flow-mod/packet-out. Referencing it twice yields OFPBRC_BUFFER_EMPTY.
> > msg = of.ofp_flow_mod(command=of.OFPFC_ADD,
> >                       #idle_timeout=FLOW_IDLE_TIMEOUT,
> >                       hard_timeout=of.OFP_FLOW_PERMANENT,
> >                       actions=actions2, match=match)
> > event.connection.send(msg.pack())
> >
> > where:
> > mac = self.arpTable[dpid][dstaddr].mac #dst host mac addr
> > mac2 = self.arpTable[dpid][srcaddr].mac #src host mac addr
> > dstaddr = packet.next.dstip
> > srcaddr = packet.next.srcip
> >
> > the in_port is set to 1 because it's the default port to/from the core
> > network.
> >
> > When I try this implementation I've got this error:
> >
> > WARNING:libopenflow_01:Fields ignored due to unspecified prerequisites: nw_dst nw_src nw_proto
> >
> > ERROR:openflow.of_01:[00-00-00-00-00-01 3] OpenFlow Error:
> > [00-00-00-00-00-01 3] Error: header:
> > [00-00-00-00-00-01 3] Error: version: 1
> > [00-00-00-00-00-01 3] Error: type: 1 (OFPT_ERROR)
> > [00-00-00-00-00-01 3] Error: length: 76
> > [00-00-00-00-00-01 3] Error: xid: 17
> > [00-00-00-00-00-01 3] Error: type: OFPET_BAD_REQUEST (1)
> > [00-00-00-00-00-01 3] Error: code: OFPBRC_BUFFER_EMPTY (7)
> > [00-00-00-00-00-01 3] Error: datalen: 64
> > [00-00-00-00-00-01 3] Error: 0000: 01 0e 00 60 00 00 00 11 00 10 00 12 00 01 76 57 |...`..........vW|
> > [00-00-00-00-00-01 3] Error: 0010: 3b c6 e3 37 de c9 a5 fe 9c ee 00 00 00 00 00 00 |;..7............|
> > [00-00-00-00-00-01 3] Error: 0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> > [00-00-00-00-00-01 3] Error: 0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 |................|
> >
> > What's wrong?
> >
> > Thank you.
> >
> >
> >
> >
> > 2013/12/10 Silvia Fichera <fichera.sil at gmail.com>
> > Hi Murphy,
> >
> > I would like to have controller C1 connected only to the access network.
> > It checks whether the source is honest by emulating the 3WHS mechanism if the
> > source is unknown. So when it receives a SYN request it answers with the
> > SYN-ACK and, only if the source sends the ACK, it is added to a whitelist
> > and is allowed to send packets in the network. If the source is in the
> > whitelist, when it wants to send packets it sends the SYN again, but this
> > time it is controller C0 that installs the forwarding rules, because it is
> > connected to all switches of the network. C0 and C1 could share a list of
> > valid sources or malicious sources (whitelist and blacklist).
> >
> > Another solution could be to connect C1 only to the access network and C0
> > to the core network.
> >
> > After the 3WHS check, C1 installs the rule to forward the packet through
> > the port connected to the core network (a sort of default gateway). When
> > the packet arrives at a switch belonging to the core network, C0 will
> > install forwarding rules to the destination (which is never in my access
> > network).
> > But here the problem is having a mechanism to know a priori the output
> > port of all access switches, or to set it when I build the network.
> >
> > Have you got any suggestions?
> >
> > Bests,
> >
> >
> > 2013/12/9 Murphy McCauley <murphy.mccauley at gmail.com>
> > So you want to have two controllers which communicate with the same
> switch, but that do different things? There's no straightforward way to do
> this with straight OpenFlow 1.0, but it may be possible with some of the
> Open vSwitch extensions related to multiple controllers. You should look
> into those OVS features (controller role, controller ID, etc.).
> >
> > I assume you have a good reason for wanting to use two separate
> controllers. From your description, it's not obvious.
> >
> > -- Murphy
> >
> > On Dec 9, 2013, at 4:11 AM, Silvia Fichera <fichera.sil at gmail.com>
> wrote:
> >
> > > Hi all,
> > > I have an l3_learning controller that checks if a TCP connection request
> > > is valid.
> > > In a tree topology I would like this one to check only the edge
> > > switches and, if the connection is valid, another controller will install
> > > the flow rules on the switches.
> > >
> > > So, if I receive a TCP SYN packet, first of all the switch talks to my
> > > controller, which checks the "honesty" of the source:
> > > - if it's not honest, "install" a drop rule on the switch
> > > - else I would like the switch to forward the connection request to the
> > > regular controller that installs flows.
> > >
> > > How can I contact the regular controller from the switch?
> > >
> > > Thank you
> > >
> > > --
> > > Silvia Fichera
> >
> >
> >
> > --
> > Silvia Fichera
> >
> >
> >
> > --
> > Silvia Fichera
>
>
--
Silvia Fichera
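The thread explains the warning and the OFPBRC_BUFFER_EMPTY error only in prose. The following is an added worked example, written for this archive page; it is not Silvia's code and not part of POX. It decodes the 64 bytes the switch echoed back in the OFPT_ERROR above (copied verbatim from the hex dump) using only the Python standard library, and it reproduces the two controller-side checks the error points at: the OpenFlow 1.0 match prerequisites (nw_* need dl_type, tp_* need nw_proto) and the rule that a packet-in buffer may be handed to only one flow-mod/packet-out. The helper names (decode_flow_mod_prefix, missing_prerequisites, buffer_ids_for) and the field-dict shape are my own; the wildcard bit values and struct layout are from the OF 1.0.0 openflow.h.

```python
"""Decode the failed flow_mod echoed in the OFPT_ERROR and reproduce both checks.

Added example for the thread above; constructed helpers, not POX code.
"""
import struct

# OpenFlow 1.0 wildcard bits (ofp_flow_wildcards, openflow.h 1.0.0)
OFPFW_IN_PORT = 1 << 0
OFPFW_DL_VLAN = 1 << 1
OFPFW_DL_SRC = 1 << 2
OFPFW_DL_DST = 1 << 3
OFPFW_DL_TYPE = 1 << 4
OFPFW_NW_PROTO = 1 << 5
OFPFW_TP_SRC = 1 << 6
OFPFW_TP_DST = 1 << 7
OFPFW_NW_SRC_SHIFT = 8      # 6-bit field: 0 = exact match, >= 32 = wildcard all
OFPFW_NW_DST_SHIFT = 14
OFPFW_DL_VLAN_PCP = 1 << 20
OFPFW_NW_TOS = 1 << 21

OFPT_FLOW_MOD = 14
OFP_NO_BUFFER = 0xFFFFFFFF
ETH_IP, ETH_ARP = 0x0800, 0x0806
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

HEADER_FMT = "!BBHL"                 # ofp_header: version, type, length, xid (8 bytes)
MATCH_FMT = "!LH6s6sHBxHBBxxLLHH"    # ofp_match (40 bytes)

# The 64 data bytes carried by the OFPT_ERROR in the thread, copied from its hex dump.
ERROR_DATA = bytes.fromhex(
    "010e0060000000110010001200017657"
    "3bc6e337dec9a5fe9cee000000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000000008000"
)


def decode_flow_mod_prefix(data):
    """Decode ofp_header + ofp_match + cookie/command/timeouts/priority.

    OF 1.0 only guarantees the first 64 bytes of the rejected request in an
    error reply, which is exactly this prefix: buffer_id lives at offset 64
    and is therefore cut off, so the dump cannot show which buffer was reused.
    """
    version, mtype, length, xid = struct.unpack_from(HEADER_FMT, data, 0)
    if version != 1 or mtype != OFPT_FLOW_MOD:
        raise ValueError("not an OpenFlow 1.0 flow_mod")
    (wc, in_port, dl_src, dl_dst, _vlan, _pcp, dl_type, _tos, nw_proto,
     nw_src, nw_dst, _tp_src, _tp_dst) = struct.unpack_from(MATCH_FMT, data, 8)
    _cookie, command, idle, hard, prio = struct.unpack_from("!QHHHH", data, 48)
    return {
        "xid": xid, "length": length, "wildcards": wc, "in_port": in_port,
        "dl_src": dl_src.hex(":"), "dl_dst": dl_dst.hex(":"),
        "dl_type_wildcarded": bool(wc & OFPFW_DL_TYPE), "dl_type": dl_type,
        "nw_proto": nw_proto, "nw_src": nw_src, "nw_dst": nw_dst,
        "command": command, "idle_timeout": idle, "hard_timeout": hard,
        "priority": prio, "buffer_id_present": len(data) >= 68,
    }


def missing_prerequisites(match):
    """Return the match fields a switch will ignore (POX's 'unspecified
    prerequisites' warning). `match` maps field name -> value, like the posted code.

    OF 1.0: nw_tos/nw_proto/nw_src/nw_dst count only when dl_type is IPv4
    (nw_proto/nw_src/nw_dst also for ARP); tp_src/tp_dst count only when
    dl_type is IPv4 and nw_proto is ICMP, TCP or UDP.
    """
    dl_type, nw_proto = match.get("dl_type"), match.get("nw_proto")
    if dl_type == ETH_IP:
        ok_nw = {"nw_tos", "nw_proto", "nw_src", "nw_dst"}
    elif dl_type == ETH_ARP:
        ok_nw = {"nw_proto", "nw_src", "nw_dst"}
    else:
        ok_nw = set()
    ignored = [f for f in ("nw_tos", "nw_proto", "nw_src", "nw_dst")
               if f in match and f not in ok_nw]
    tp_ok = dl_type == ETH_IP and nw_proto in (PROTO_ICMP, PROTO_TCP, PROTO_UDP)
    ignored += [f for f in ("tp_src", "tp_dst") if f in match and not tp_ok]
    return ignored


def buffer_ids_for(buffer_id, n_messages):
    """Hand a packet-in's buffer to the first flow_mod/packet_out only.

    The switch releases the buffer after the first message that names it; a
    second message with the same buffer_id gets OFPET_BAD_REQUEST /
    OFPBRC_BUFFER_EMPTY. Later messages must carry OFP_NO_BUFFER (a packet_out
    then has to include the packet data itself).
    """
    if n_messages < 1:
        return []
    return [buffer_id] + [OFP_NO_BUFFER] * (n_messages - 1)


if __name__ == "__main__":
    fm = decode_flow_mod_prefix(ERROR_DATA)
    print("rejected flow_mod:", fm)
    posted = {"in_port": 1, "dl_src": "aa", "dl_dst": "bb",
              "nw_proto": PROTO_TCP, "nw_src": 0x0A000001, "nw_dst": 0x0A000002}
    print("ignored without dl_type:", missing_prerequisites(posted))
    print("ignored with dl_type   :", missing_prerequisites({**posted, "dl_type": ETH_IP}))
    print("buffer ids for 2 msgs  :", buffer_ids_for(0x112, 2))
```

Decoding the dump confirms what Murphy says: wildcards is 0x00100012, so OFPFW_DL_TYPE is set and dl_type is 0, which is why the switch (and POX, before sending) treats nw_src/nw_dst/nw_proto as unspecified and zeroes them; the buffer_id field does not survive the 64-byte truncation, so the BUFFER_EMPTY part has to be found in the controller's own send order, which is what buffer_ids_for encodes.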
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.noxrepo.org/pipermail/pox-dev-noxrepo.org/attachments/20131211/6f18830e/attachment-0002.htm>