Published on Nov 20, 2015
Presented by: Franck Baudin, Qosmos
L7 classification with an unpatched OVS is now possible thanks to the conntrack framework and well-crafted OVS rules. The basic idea is to rely on a userland L7 classifier, typically based on a DPI engine, that marks conntrack entries with their L7 classification. The new connmark and connlabel matchers can then match on the classification written by that classifier, which lets us craft L7 OVS rules.
This presentation will explain and demonstrate the asynchronous design of L7 classification in two basic use cases:
2. L7 Firewall: BitTorrent denial, ssh on non-regular ports denial
For the demo part, one client VM and one server VM will be interconnected by OVS, with L7 rules applied on the server port (typical micro-segmentation use case). There will be neither OpenStack nor OpenDayLight for this part, just KVM/virsh/namespaces and OVS.
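A sketch of the L7 firewall case described above, as an added example that is not taken from the talk: the bridge name, the mark values, the table layout and the use of the `conntrack` command-line tool as a stand-in for the DPI-based classifier are all assumptions. Unmarked connections pass through the priority-100 rules until the classifier writes a mark, after which the higher-priority `ct_mark` rules take over, which is the asynchronous behaviour the abstract refers to.

```shell
#!/bin/sh
# Added example: bridge name, mark values and table layout are assumptions.
BR="${BR:-br0}"        # hypothetical bridge name
MARK_BITTORRENT=0x1    # hypothetical mark written by the userland classifier
MARK_SSH=0x2           # hypothetical mark written by the userland classifier

# Print one OpenFlow rule per line, without side effects, so the rule set
# can be reviewed before it is installed.
l7_flows() {
cat <<EOF
table=0,priority=100,ip,ct_state=-trk,actions=ct(table=1)
table=0,priority=0,actions=normal
table=1,priority=300,ip,ct_state=+trk,ct_mark=${MARK_BITTORRENT},actions=drop
table=1,priority=300,tcp,ct_state=+trk-rpl,ct_mark=${MARK_SSH},tcp_dst=22,actions=normal
table=1,priority=200,tcp,ct_state=+trk-rpl,ct_mark=${MARK_SSH},actions=drop
table=1,priority=100,ip,ct_state=+trk+new,actions=ct(commit),normal
table=1,priority=100,ip,ct_state=+trk+est,actions=normal
table=1,priority=0,actions=drop
EOF
}

# Stand-in for the classifier verdict: print the conntrack-tools command that
# tags one TCP connection. Arguments: src dst sport dport mark.
mark_cmd() {
    printf 'conntrack -U -p tcp -s %s -d %s --sport %s --dport %s -m %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Install the rules on the bridge (needs root and a running OVS).
apply_flows() {
    l7_flows | while IFS= read -r flow; do
        ovs-ofctl add-flow "$BR" "$flow"
    done
}

# Only touch the switch when explicitly asked to.
if [ "${L7_APPLY:-0}" = "1" ]; then
    apply_flows
fi
```

Because marking happens after the first packets of a connection have already been forwarded, the deny rules take effect from the moment of classification onward, not from the first packet.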
The second part of the talk will demonstrate, on the same laptop, with the same OVS, a service chaining use case with VMs managed by OpenStack Kilo (vanilla, no patch) and Service Chaining managed by OpenDayLight Lithium (vanilla, no patch). The rationale for the technical choices will be explained: why no NSH, what about an NFV use case with DPDK OVS, what about using OVS as a ServiceClassifier and/or as a ServiceFunctionForwarder, what about the ingredients of a real NFV deployment, ...