The Open vSwitch – Key Ingredient of Enterprise Ready Clouds
I’m often asked what Citrix and the open source community are trying to achieve with the Open vSwitch project. The Open vSwitch is an open source virtual switch for Xen (and therefore XenServer, and in future perhaps Amazon EC2 and Rackspace) and KVM based virtual infrastructure. It replaces the Linux bridge code with a powerful, programmable switch forwarding capability and adds programmable per-virtual-interface ACLs. The Open vSwitch supports an emerging industry standard protocol, OpenFlow, for programming the forwarding plane from an outside controller. OpenFlow based virtual switches in each server can be logically pooled into a single fabric by an external distributed virtual switch controller, to build a dynamic, multi-tenant, programmable datacenter fabric that supports key innovations in cloud computing. It also allows us to take advantage of standard x86 CPUs to run a set of rich edge packet-processing functions that secure, direct, filter and otherwise control the delivery of cloud based applications. With the Open vSwitch in place, the OpenStack open source cloud orchestration layer will be able to exert direct control over the data center fabric to deliver a rich, enterprise ready network layer with powerful controls for security, multi-tenancy, load balancing, monitoring, compliance, charge-back and more.
To understand the need for the Open vSwitch, you have to realize that while CPU virtualization, including hardware support, has evolved rapidly over the last decade, network virtualization has lagged behind pretty badly. The dynamism that virtualization enables is the enemy of today’s locked down enterprise networks. For example, migrating a VM between servers could mean that network based firewall and intrusion detection systems are no longer able to protect it. Moreover, many enterprise networks are administered by a different group than the servers, so VM agility challenges an organizational boundary. What we want to achieve is seamless migration of all network-related state for a workload, along with the workload. The obvious place to effect such network changes is in the last-hop switch – which now, courtesy of Moore’s Law and virtualization, is on the server itself, either in the hypervisor or (increasingly) in smart hardware associated with a 10Gb/s NIC card. The Open vSwitch enables granular control over traffic flows, with per flow admission control, the option for rich per packet processing and control over forwarding rules, granular resource guarantees and isolation between tenants or applications, and enables us to dynamically reconfigure the network state for each VM, or for each multi-VM OVF package, as it is deployed or migrated. Network state for each virtual interface becomes a property of the virtual interface, and as a VM moves about the physical infrastructure, all of the policies associated with the VIF move with it. Suddenly the network team is no longer required in order to move a VM between servers.
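To make the idea of network state that travels with the virtual interface concrete, here is an added example (not Citrix's or the Open vSwitch project's code) that derives a per-VIF OpenFlow ACL from a policy record in `ovs-ofctl add-flow` syntax. Only the OpenFlow port number changes between hosts, and tagging every rule with a cookie lets the source host purge the VIF's rules cleanly when the VM leaves. The policy record, bridge name and port numbers are constructed for the example; the conntrack-free design means return traffic for VM-initiated connections is not handled here.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class VifPolicy:
    """Network state owned by one virtual interface (constructed example)."""
    vif_id: int                 # stable identity; reused as the OpenFlow cookie
    mac: str                    # the only source MAC the VM may use
    ipv4: str                   # the only IPv4 / ARP sender address it may claim
    tcp_in: List[int] = field(default_factory=list)  # inbound TCP ports allowed

def vif_acl_flows(p: VifPolicy, ofport: int) -> List[str]:
    """ovs-ofctl add-flow entries for one VIF attached at OpenFlow port `ofport`.

    table 0 (egress, keyed on in_port): frames leave the VIF only with its own
    MAC, IP and ARP sender addresses; anything else from that port is dropped.
    table 1 (ingress, keyed on the VIF's addresses): ARP and allow-listed TCP
    ports reach the VM, other IP traffic to it is dropped. Forwarding is the
    bridge's normal L2 path, so nothing here depends on which host the VM is on.
    Stateless: return traffic for VM-initiated connections is not tracked.
    """
    ck = f"cookie={p.vif_id:#x}"
    flows = [
        f"{ck},table=0,priority=200,in_port={ofport},dl_src={p.mac},arp,"
        f"arp_sha={p.mac},arp_spa={p.ipv4},actions=resubmit(,1)",
        f"{ck},table=0,priority=200,in_port={ofport},dl_src={p.mac},ip,"
        f"nw_src={p.ipv4},actions=resubmit(,1)",
        f"{ck},table=0,priority=100,in_port={ofport},actions=drop",
        f"{ck},table=1,priority=200,arp,arp_tpa={p.ipv4},actions=normal",
    ]
    for port in p.tcp_in:
        flows.append(f"{ck},table=1,priority=200,tcp,dl_dst={p.mac},"
                     f"nw_dst={p.ipv4},tp_dst={port},actions=normal")
    flows.append(f"{ck},table=1,priority=150,ip,nw_dst={p.ipv4},actions=drop")
    return flows

def bridge_base_flows(uplink_port: int) -> List[str]:
    """Bridge-wide defaults: the uplink skips the per-VIF egress checks and
    traffic not addressed to a governed VM is switched normally."""
    return [f"table=0,priority=50,in_port={uplink_port},actions=resubmit(,1)",
            "table=0,priority=0,actions=drop",
            "table=1,priority=0,actions=normal"]

def migrate(p: VifPolicy, bridge: str, new_port: int) -> Tuple[str, List[str]]:
    """Commands to move the VIF's policy: purge it by cookie on the source host,
    then install the identical policy at the new port on the destination host."""
    purge = f"ovs-ofctl del-flows {bridge} cookie={p.vif_id:#x}/-1"
    install = [f'ovs-ofctl add-flow {bridge} "{f}"' for f in vif_acl_flows(p, new_port)]
    return purge, install
```

The generated strings are what an orchestration layer would hand to `ovs-ofctl` on each host; the example deliberately builds the commands rather than executing them so it runs anywhere.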
The Open vSwitch answers many of the shortcomings of our original hypervisor bridge code, which grew up from the Linux bridge code, and adds powerful features traditionally found only in dedicated switching infrastructure, such as packet filtering, flow admission control and programmable forwarding. It permits us to take advantage of the incredible price/performance benefits of packet processing on standard CPUs, and the near term addition of so-called Single Root I/O Virtualization (SR-IOV) to the edge packet processing feature set will enable the most profound changes in data center and cloud networking architecture since the invention of the router. Most importantly, the Open vSwitch is open source, and will serve multiple hypervisors. I fully expect the community to make it available as a drop-in replacement for the VMware vDS, and to deliver versions of it for a future release of Hyper-V. This then raises the exciting prospect of an entirely open and programmable architecture for networking in the cloud that is hypervisor independent. As a result, the richness of both private and public cloud networks (and hence their ability to support a greater proportion of enterprise workloads) will not be hypervisor dependent. Open vSwitch offers the ISV ecosystem an enormous opportunity to innovate in edge networking, free of the constraints of traditional network-appliance centric approaches to application delivery, with new, automated management and control plane functions that simplify, accelerate and ease the management of scalable cloud networks.
From a Citrix-specific perspective, Open vSwitch permits us to dynamically instantiate instances of NetScaler VPX, Branch Repeater VPX, or Access Gateway VPX as value-added networking functions within cloud based networks, and it will enable us to facilitate the seamless extension of the enterprise network to service provider operated clouds. If, as we expect, the Open vSwitch is more broadly endorsed as a common element of future clouds, with open APIs for dynamic control of the data center fabric, it will catalyze an opportunity for all vendors – including those in the network infrastructure business today – to deliver powerful, secure and differentiated cloud architectures.
Many people wonder if the Open vSwitch is “competitive” with the ambitions of traditional networking vendors or with the Cisco Nexus 1000v virtual switch. The answer is “No – indeed the opposite”: The Nexus 1000v from Cisco provides Cisco customers with a powerful distributed switch architecture that brings the value of the full Cisco edge processing capability to virtualized environments, including Cisco management and toolset support. I would have no hesitation in recommending the Cisco product to Cisco customers. It delivers a value-added proposition on top of the basic concept of a dynamically controllable forwarding plane, very similar to OpenFlow and the Open vSwitch.
It would be easy to implement the Nexus 1000v either in parallel with, or on top of, the Open vSwitch. Indeed, the value of OpenFlow has been recognized by one Cisco research group, and HP, Dell and NEC are active participants in the development and use of OpenFlow. Startups such as Netronome and Solarflare are leading the way toward extensive hardware support of the Open vSwitch, permitting native multi-10Gb/s speed switching on server hardware that also hosts virtualized enterprise workloads.
Open vSwitch can be used to replace the VMware vDS, which is a proprietary, rather prosaic implementation of a modestly richer networking stack for vSphere / vCloud. Unfortunately vDS does not separate forwarding and control plane functions clearly, and therefore limits the ability of the ISV ecosystem to innovate on VMware infrastructure. It is tied to the notion of VLANs as network isolation structure, and provides little in the way of differentiated per-application flow treatment. It also has no mapping onto SR-IOV based hardware functions, and therefore has no clear value in a world where increasingly sophisticated second generation SR-IOV NICs are becoming available, with richly programmable forwarding hardware.
The Open vSwitch is a reminder of the incredible power of open source: It catalyzes the contribution of numerous aligned vendors, commoditizes legacy architectures, accelerates the pace of development, and enables a robust ecosystem of value-added providers to exist around a common core feature set. We can look forward to enabling an ecosystem of many value-added networking vendor products around the (commoditized) forwarding function found in all switches and NICs today.