[unintelligible] I see where that fits in with all this. I mean, my background is very much in the service provider space. So I've been at Cisco about six years, but before that I generally worked at SPs, most recently at British Telecom, doing large-scale service provider networking. But originally, when I started my career, it was as a software developer, so this whole SDN thing has been interesting in terms of coming back to coding. So I want to give a quick overview [unintelligible].

Originally BGP in OpenDaylight was written specifically for BGP-LS. So BGP-LS is a way of getting link-state routes out of your IGP, so out of OSPF or IS-IS, and exporting them with BGP. But of course the nice thing with BGP is, once you've built it, you can add new address families really just as TLVs. You can just keep adding address families, and from an ODL perspective, and I guess from any SDN controller's perspective, [unintelligible]
[unintelligible] Charles [unintelligible]. So we have a topology model that we implement in OpenDaylight, which is in the I2RS working group in the IETF, and that model can then be specialised for different types of topology. So BGP-LS builds us a topology, a graph of the network; then PCEP we can use to program LSPs through the network, so MPLS LSPs. But, as I say, we also have all these other address families.

So, processing of BGP routes in OpenDaylight is just like in any router. For each peer you have, you build an Adj-RIB-In, so that's all the routes this guy gave you. You then apply an import policy. Now, currently in OpenDaylight there's very limited policy. I think you can have a policy to block everything, or otherwise pretty much allow everything that's legal, and that generates an effective RIB. I think there will be some work on doing more policy, but one thing, again, to remember is we're dealing with software. This isn't a router, so we can, in the Java code, interface directly into any of these different components that we want to. We can spin up as many RIBs as we want to, and we can write our own code that takes stuff out of one RIB and puts it into another. So it may not make sense to do it in the usual Cisco-router sense.

We then have the decision process. So I don't know if anyone here has ever worked at an internet provider, or run networks with BGP. Did you have the list of the BGP decision process by your desk? Because I always had it glued up next to my desk. It's kind of local pref first, then weight, and whatever, I've forgotten it all now. So we have that decision process, and again, that's the sort of thing that we might want to make programmable, because we're an SDN controller. Maybe we should let you write your own decision process rather than enforcing one on you. This is kind of a plea for developers at this point.
So from that, we generate the Loc-RIB. That is what we'll then use to generate topology, and we have one Loc-RIB for all of our neighbours. Then we apply, again, a very simple export policy and we generate an Adj-RIB-Out for each of our peers.

Also, because everything's based on these YANG models, which is a data modelling language, models tend to be instantiated either as configuration state or as operational state, and the problem is the RIBs are operational data. So what we have to do is create a special instance that we can configure. This means that through RESTCONF we can go in and push routes into the system. But as I mentioned before, if you're coding inside the controller in Java, there's nothing that says you have to do that. You can write Java code that'll poke stuff straight into one of the RIBs, whichever one you want.

So then topology is generated. In the BGP-LS case, that's effectively your OSPF or IS-IS topology. But we also generate other topologies, like the IPv4 and IPv6 ones, which are kind of a misnomer as a topology because there are no links. It's just nodes for your next hops, and then for each next hop a list of prefixes. And again, because you can write these topology exporters, you can develop really whatever topologies you want. I keep meaning to get around to doing an ASN topology for ISPs that would show you the AS paths through your network.

So yeah, topology models. To my mind, this is the best way of doing a network-level abstraction. And really, if you're doing anything in SDN in the broader sense, what you need is a network-level abstraction, because if you're just going to operate on individual nodes, why on earth do you need a controller? The whole point is to get away from thinking about individual routers, to thinking about the network as a whole. So what it is is just a list of nodes and a list of links. Finally it seems to be getting towards RFC; there's been a bit of politics in the IETF over it.
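The route-processing pipeline just described, as an added Python sketch that is not code from the talk or from OpenDaylight's BGP plugin: an Adj-RIB-In per peer, an import policy, a decision process supplied as a plain callable (so it can be swapped for your own, which is the programmability the speaker asks for), a Loc-RIB, and an Adj-RIB-Out per peer through an export policy. The import policy carries two checks a controller should apply before it trusts a peer's route, a prefix-length cap and an AS-path loop test. The prefix-length limit, peer names, ASNs and prefixes are assumptions made up for the example, and the MED comparison is simplified (a real implementation compares MED only between routes from the same neighbouring AS).

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    peer: str                     # name of the peer whose Adj-RIB-In holds it
    next_hop: str
    as_path: tuple                # leftmost AS is the neighbouring AS
    local_pref: int = 100
    med: int = 0
    origin: int = 0               # 0 = IGP, 1 = EGP, 2 = INCOMPLETE (lower wins)
    ebgp: bool = True
    igp_cost: int = 0             # IGP metric to reach next_hop
    router_id: str = "0.0.0.0"    # BGP identifier of the advertising peer
    communities: frozenset = field(default_factory=frozenset)


# Assumed operator policy: anything more specific than this is rejected, since a
# peer pushing long prefixes is the classic hijack / deaggregation vector.
MAX_PREFIX_LEN = {4: 24, 6: 48}


def default_import_policy(route: Route, local_as: int) -> Optional[Route]:
    """Return the route if accepted (a real policy may also rewrite it), None if rejected."""
    net = ip_network(route.prefix, strict=True)
    if net.prefixlen > MAX_PREFIX_LEN[net.version]:
        return None                       # too specific
    if local_as in route.as_path:
        return None                       # AS-path loop: our own AS is already in it
    if route.ebgp and not route.as_path:
        return None                       # an eBGP route must carry the neighbour's AS
    return route


def classic_decision(candidates: List[Route]) -> Route:
    """The list glued next to the desk: highest LOCAL_PREF, shortest AS_PATH, lowest ORIGIN,
    lowest MED (simplified: compared across all neighbours), eBGP over iBGP, lowest IGP cost,
    lowest router ID."""
    def rank(r: Route):
        return (-r.local_pref, len(r.as_path), r.origin, r.med,
                0 if r.ebgp else 1, r.igp_cost,
                tuple(int(o) for o in r.router_id.split(".")))
    return min(candidates, key=rank)


class BgpSpeaker:
    def __init__(self, local_as: int,
                 import_policy: Callable[[Route, int], Optional[Route]] = default_import_policy,
                 decision: Callable[[List[Route]], Route] = classic_decision,
                 export_policy: Callable[[Route, str], Optional[Route]] = lambda r, peer: r):
        self.local_as = local_as
        self.import_policy = import_policy
        self.decision = decision
        self.export_policy = export_policy
        self.adj_rib_in: Dict[str, Dict[str, Route]] = {}   # peer -> prefix -> route as received
        self.loc_rib: Dict[str, Route] = {}                 # prefix -> route chosen by `decision`

    def receive(self, route: Route) -> Optional[Route]:
        """Store the peer's advertisement unmodified, then re-run the decision for that prefix."""
        self.adj_rib_in.setdefault(route.peer, {})[route.prefix] = route
        return self._decide(route.prefix)

    def _decide(self, prefix: str) -> Optional[Route]:
        accepted = []
        for rib in self.adj_rib_in.values():      # import policy runs per Adj-RIB-In
            if prefix in rib:
                r = self.import_policy(rib[prefix], self.local_as)
                if r is not None:
                    accepted.append(r)
        if not accepted:
            self.loc_rib.pop(prefix, None)
            return None
        best = self.decision(accepted)
        self.loc_rib[prefix] = best
        return best

    def adj_rib_out(self, peer: str) -> List[Route]:
        """Loc-RIB minus what `peer` itself gave us, filtered through the export policy."""
        out = []
        for r in self.loc_rib.values():
            if r.peer == peer:
                continue
            exported = self.export_policy(r, peer)
            if exported is not None:
                out.append(exported)
        return out


def demo() -> tuple:
    """Constructed advertisements: one prefix from two peers, one with the shorter
    AS path, the other with the cheaper IGP next hop."""
    a = Route("203.0.113.0/24", "peerA", "192.0.2.1", (64500, 64510), igp_cost=1, router_id="192.0.2.1")
    b = Route("203.0.113.0/24", "peerB", "192.0.2.2", (64520,), igp_cost=50, router_id="192.0.2.2")
    classic = BgpSpeaker(local_as=65000)
    classic.receive(a)
    classic.receive(b)
    # Swapped-in decision process: nearest exit wins regardless of AS-path length.
    nearest_exit = BgpSpeaker(local_as=65000, decision=lambda c: min(c, key=lambda r: r.igp_cost))
    nearest_exit.receive(a)
    nearest_exit.receive(b)
    return classic.loc_rib["203.0.113.0/24"].peer, nearest_exit.loc_rib["203.0.113.0/24"].peer
```

With `classic_decision` the shorter AS path from peerB wins; with the swapped-in nearest-exit rule, peerA's cheaper next hop wins for the same two advertisements. The Adj-RIB-In keeps the route exactly as received, so changing the import policy later and re-running `_decide` is enough to re-evaluate everything, which is the reason routers keep the pre-policy copy at all.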
As well as nodes and links, you have these termination points. That's just a way of disambiguating interfaces. So you have two routers with two links between them; you need to know which is which. In fact, all the links are unidirectional, and that's because you can have different metrics in different directions. I'm not a mathematician, but it is just graph theory. It also lets you layer one topology on another. So if you've built an optical topology, and we're doing some work on that, you could then take an IP topology and layer it on top and say this IP link depends on this optical link, which can be very useful. So for me, as a service provider in a country that's quite long and skinny, the problem you have is that you have vast numbers of router-to-router links that end up going through the same fibres and the same ducts. So if one optical link goes, you could lose a whole bunch of router-to-router links. But it's good to at least know which links depend on which optical links and be able to model that.

So the model itself is very abstract. What you then do is specialise it for whichever protocol you're dealing with. So for the link-state stuff, we map things like router IDs into our node IDs, our link IDs, et cetera. But then we augment the model with specific information from our protocols. What that lets you do is program to whichever level works for you. So if you just want to draw a topology of the network, you don't need to care whether this is OpenFlow or link state; it's just a topology. But if you want to start messing with this stuff, you might need to know, well, this is an IP topology. We might even want to know it's OSPF or IS-IS. So what you end up with is this kind of dependency tree, almost. We say we have the network topology. So in the new topology models that OpenDaylight is moving to, we actually separate the network, which is just the nodes, from the network topology, which has links in it.
But then we effectively augment that to get a layer-3 unicast topology for link state. That, again, gets augmented into OSPF or IS-IS. So you'll see things like router IDs end up in the unicast topology, but things like your IS-IS NET ID are going to end up in the IS-IS topology. And how that happens is we basically pull the routes out of the RIB through a topology exporter that pushes them into this topology.

And really, again, this is all about syntax and semantics. What you want from a controller is easy interfaces for developers. Talking to the RIB, you've got that because you've got REST and JSON. But the problem is the object you're looking at still has all the stuff in it that says here's my local pref, here's my AS path, whatever it is. So you as a developer now have to understand BGP. Once you get to the topology, you've got some semantic change as well as syntax. Now you're actually seeing nodes and links, not seeing routes. And so in general we'll see people working with that.

So I mentioned the link-state topology, and that one's the only one we get from BGP that actually has links in it. But the other one we're going to come on to is PCEP. So this is path computation, how we push paths into the network. So that's the first demo, which we're hoping will work. I did sacrifice a chicken. I mentioned the other thing about using different protocols, one to get information and one to push it in. So we're using BGP-LS to get data out of the network, so now we know what our IS-IS or OSPF topology looks like. Then we use PCEP to program MPLS label-switched paths into the network. So what I've got running here, oops, wrong way, let's minimise that. What I've got running here is the Ubuntu VM that's got OpenDaylight running in it. It's also got this application called Pathman-SR; all this stuff's up on GitHub so I can point you at that. Better find the right browser window. There you go. Aha.
This will of course be the problem with changing resolutions. So what I have running in the sandbox in the cloud is a setup with 16 different virtual routers, neatly mapped onto approximately a map of the US. I just twiddle that manually while it's waiting to talk. You can log into these, so literally from here I can telnet into those routers if I want to. But what we're going to do instead is set up a path through them. Oops, that's the last one I set up. Ha, great. Let's go to that, don't I? So let's pick, I don't know, let's say we're going to go to San Jose, maybe. So now what I do is I say, well, what's the metric I'm going to use? Do I want to use the IGP metric, the TE metric, so the traffic-engineering metric, or just count the number of hops? Or in fact I can go manual and just sort of draw the path across my network. What's so cute here with the algorithm is, so I do my IGP metric and compute paths. Instead of Dijkstra getting a shortest path, this is "Nijkstra", after my colleague Nicholas who wrote this, which gives you every possible path. So let's pick one that's probably fairly insane: Boston, New York, Chicago, Kansas City, Minneapolis, Seattle, San Jose. Ah, there you go, it's deployed. So now if I list my paths, you can see that path in the network, and then I can just go and delete it if I want.

So that's the example of an app that's sitting on top of OpenDaylight. The app itself, Pathman, is written in Python, but then it exposes a REST API northbound to the web browser, which is using JavaScript. Again, it's open source. There's a library called NeXt UI that lets you do topology maps and things in JavaScript, and it's just using that to draw it out. But then the API adds things, commands for pushing paths into the network and that sort of thing. So let's get rid of that one. Back to demo, or presentation. Right, so the next use case is DDoS investigation.
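The nodes / links / termination-points model and the all-paths computation from the demo, as an added Python example that is neither OpenDaylight's topology code nor Pathman-SR's. Links are unidirectional with their own metric, each link can name the underlay (optical) link it depends on, and `without_underlay_link` shows what the IP topology looks like after one fibre fails, which is the "which router links share a duct" question the speaker raises. The five-node network, its metrics and the fibre names are constructed for the example; `all_simple_paths` is a plain depth-first enumeration in the spirit of the "Nijkstra" option, not the colleague's algorithm.

```python
import heapq
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class TerminationPoint:
    node: str
    tp_id: str              # interface name; tells two parallel links between the same nodes apart


@dataclass(frozen=True)
class Link:
    link_id: str
    src: TerminationPoint
    dst: TerminationPoint
    metric: int             # this direction only; the reverse link carries its own metric
    supporting_link: Optional[str] = None   # underlay (e.g. optical) link this one rides on


class Topology:
    def __init__(self, topology_id: str):
        self.topology_id = topology_id
        self.nodes: Set[str] = set()
        self.links: Dict[str, Link] = {}
        self._out: Dict[str, List[Link]] = {}     # node -> links leaving it

    def add_link(self, link: Link) -> None:
        self.nodes.update({link.src.node, link.dst.node})
        self.links[link.link_id] = link
        self._out.setdefault(link.src.node, []).append(link)

    def add_bidir(self, a: str, b: str, metric_ab: int, metric_ba: int, supporting: Optional[str] = None) -> None:
        """Two unidirectional links, one per direction, each with its own metric."""
        self.add_link(Link(f"{a}->{b}", TerminationPoint(a, f"to-{b}"), TerminationPoint(b, f"to-{a}"), metric_ab, supporting))
        self.add_link(Link(f"{b}->{a}", TerminationPoint(b, f"to-{a}"), TerminationPoint(a, f"to-{b}"), metric_ba, supporting))

    def links_supported_by(self, underlay_link_id: str) -> List[str]:
        return sorted(l.link_id for l in self.links.values() if l.supporting_link == underlay_link_id)

    def without_underlay_link(self, underlay_link_id: str) -> "Topology":
        """The overlay after an underlay failure: every link riding on that fibre disappears."""
        t = Topology(f"{self.topology_id}-minus-{underlay_link_id}")
        for l in self.links.values():
            if l.supporting_link != underlay_link_id:
                t.add_link(l)
        return t

    def shortest_path(self, src: str, dst: str) -> Optional[Tuple[int, List[str]]]:
        """Dijkstra over the directed graph; None if dst is unreachable."""
        dist = {src: 0}
        prev: Dict[str, str] = {}
        heap = [(0, src)]
        done: Set[str] = set()
        while heap:
            d, u = heapq.heappop(heap)
            if u in done:
                continue
            done.add(u)
            if u == dst:
                break
            for l in self._out.get(u, []):
                v, nd = l.dst.node, d + l.metric
                if nd < dist.get(v, float("inf")):
                    dist[v], prev[v] = nd, u
                    heapq.heappush(heap, (nd, v))
        if dst not in dist:
            return None
        path = [dst]
        while path[-1] != src:
            path.append(prev[path[-1]])
        return dist[dst], path[::-1]

    def all_simple_paths(self, src: str, dst: str) -> List[Tuple[int, List[str]]]:
        """Every loop-free path, cheapest first (the 'Nijkstra' idea); exponential, so fine for
        a few dozen nodes, not for a whole backbone."""
        found: List[Tuple[int, List[str]]] = []

        def walk(u: str, path: List[str], cost: int) -> None:
            if u == dst:
                found.append((cost, list(path)))
                return
            for l in self._out.get(u, []):
                v = l.dst.node
                if v not in path:
                    path.append(v)
                    walk(v, path, cost + l.metric)
                    path.pop()

        walk(src, [src], 0)
        return sorted(found)


def build_demo_topology() -> Topology:
    """Constructed five-node IP topology; both westbound links into SJC share one fibre."""
    t = Topology("ip-demo")
    t.add_bidir("BOS", "NYC", 1, 1)
    t.add_bidir("BOS", "CHI", 4, 4)
    t.add_bidir("NYC", "CHI", 2, 2)
    t.add_bidir("CHI", "DEN", 3, 3)
    t.add_bidir("DEN", "SJC", 6, 6, supporting="fiber-central")
    t.add_bidir("CHI", "SJC", 7, 9, supporting="fiber-west")     # asymmetric metrics
    t.add_bidir("NYC", "SJC", 11, 10, supporting="fiber-west")
    return t
```

Because the metrics differ per direction, the best BOS-to-SJC path and the best SJC-to-BOS path are not mirror images, and losing `fiber-west` takes out four unidirectional IP links at once while the IP layer on its own would have shown them as independent.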
This is kind of a live issue for a lot of carriers, and we've had a fair bit of interest from people in using controllers to do this. So the issue is you've got a network, you've got some kind of DDoS attack. You're under time pressure, so the last thing you want to be doing is going in and telnetting into each of your routers one by one to add ACL entries or anything like that. So what BGP now has is FlowSpec, which, whoops. So BGP FlowSpec effectively lets you push, very much like OpenFlow, a flow match-action rule into the network, but you're doing it through the BGP infrastructure. So now you've got the use of the route reflectors, so I can push it from a controller, and then, for example, every edge router in my network, if it's configured to import the community that I advertise these routes with, will import that same rule. So instead of having to use OpenFlow and touch each one of them individually, we now touch them all in one go through BGP.

The question then is how do you figure out that there's a DDoS attack going on? I think this is one of the big trends we're seeing in networking, and I think Charles alluded to it: this issue of the amount of data that's coming out of the network. In the old days we used to poll things with SNMP. The challenge there is you just can't get the data out quickly enough. So what you need to do, or what you ideally want to do, is have some kind of streaming telemetry coming off the network, where either events or time-series counter data are being pushed through a collection infrastructure. Then what you typically do is put a message bus on the back of this, and from that message bus you can feed multiple applications. One of the applications that we typically feed is PNDA, [unintelligible], which is a platform for network data analytics. So great, we've now got all these analytics.
So with a bit of machine-learning [unclear] we can see that there's a DDoS attack going on. But the problem is, what do we then do about it? That's where I would say the controller can come in. You can build an API on top of a controller which is now intent-based and says, OK, I'm getting a DDoS attack from such-and-such an address on such-and-such a port, shut it down. Whoever makes that call doesn't need to know what that involves. What it would involve in this case is OpenDaylight using BGP FlowSpec to push a flow rule into the network to drop those packets.

This is actually the wrong order, but just to give the FlowSpec overview: it's very much like OpenFlow but using BGP. What it lacks, because it's IP-centric, is all the layer-2 stuff. So you can't match MAC addresses, because that's kind of meaningless if you're in an IP world. Having said that, OpenDaylight does now support the EVPN address family for BGP, which is about MAC addresses. So perhaps we should lobby the IETF that they ought to put those in FlowSpec. So in terms of actually blocking it, what you would do is advertise that FlowSpec route. You have this RESTCONF API that says OK, shut this down, some kind of app inside OpenDaylight, and the BGP plugin advertises the FlowSpec routes to the route reflectors; those then push it out to your PEs, and that would result in the attack stopping. I have got a demo for this somewhere, but as I said it uses real routers rather than the sandbox.

So the final demo, I want to quickly show it, I'll zoom through these slides I expect: CDN localisation. So what this comes down to is, ah, I've gone the right direction. This is just the overview of the protocol we're going to use, BMP. We didn't specifically have to use it for this, but the nice thing with BMP is that it's basically like BGP; I don't know if everyone's heard of BMP.
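What a FlowSpec advertisement like the one described above actually carries on the wire, as an added Python example that is not OpenDaylight's FlowSpec code: the NLRI encoding from RFC 8955 for an IPv4 destination prefix plus protocol and port lists, the traffic-rate extended community that expresses "drop" as rate 0, and the RFC 8955 section 6 feasibility check a receiving router applies (the flow's originator must match the best unicast route for the destination prefix, and no more-specific unicast route may come from a different neighbouring AS). That check is the caveat for the controller use case in the talk: a controller that originates no unicast routes fails it, so the route reflectors and PEs have to be configured to trust that source specifically, which is what the `trusted` flag models here. Prefixes, ASNs and the sample unicast RIB are constructed; only IPv4 components are handled (IPv6 FlowSpec, RFC 8956, adds an offset byte to prefix components).

```python
import struct
from ipaddress import ip_network
from typing import Dict, Iterable, Optional

# Component types, RFC 8955 section 4.2 (IPv4 only here)
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, SRC_PORT = 1, 2, 3, 5, 6


def _prefix_component(ctype: int, cidr: str) -> bytes:
    net = ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only")
    nbytes = (net.prefixlen + 7) // 8      # only the significant octets are sent
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_eq_list(values: Iterable[int]) -> bytes:
    """'Equals any of these' as an operator list. Operator byte: e a len len 0 lt gt eq;
    AND bit clear (so consecutive items OR), eq set, end-of-list set on the last one."""
    vals = list(values)
    out = b""
    for i, v in enumerate(vals):
        if not 0 <= v <= 0xFFFF:
            raise ValueError(f"value out of range: {v}")
        size_bits, fmt = (0b00, ">B") if v < 256 else (0b01, ">H")   # 1- or 2-byte value
        op = (size_bits << 4) | 0b001
        if i == len(vals) - 1:
            op |= 0x80
        out += bytes([op]) + struct.pack(fmt, v)
    return out


def encode_flowspec_nlri(dst: Optional[str] = None, src: Optional[str] = None,
                         protocols: Iterable[int] = (), dst_ports: Iterable[int] = (),
                         src_ports: Iterable[int] = ()) -> bytes:
    """NLRI = length (1 byte if < 240, else 0xF000 | length on 2 bytes) + components in
    ascending type order, which is what makes two encodings of the same flow comparable."""
    body = b""
    if dst:
        body += _prefix_component(DST_PREFIX, dst)
    if src:
        body += _prefix_component(SRC_PREFIX, src)
    for ctype, vals in ((IP_PROTO, protocols), (DST_PORT, dst_ports), (SRC_PORT, src_ports)):
        vals = list(vals)
        if vals:
            body += bytes([ctype]) + _numeric_eq_list(vals)
    n = len(body)
    if n >= 0x0FFF:
        raise ValueError("NLRI too long")
    length = bytes([n]) if n < 240 else struct.pack(">H", 0xF000 | n)
    return length + body


def traffic_rate_community(rate_bytes_per_sec: float, asn: int = 0) -> bytes:
    """Extended community type 0x80 sub-type 0x06: 2-byte AS (informational) and an
    IEEE-754 float rate in bytes/s. Rate 0 is the 'drop' the DDoS use case wants."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, float(rate_bytes_per_sec))


def validate_flowspec(dst: Optional[str], neighbour_as: int,
                      unicast_rib: Dict[str, int], trusted: bool = False) -> bool:
    """RFC 8955 section 6 feasibility, simplified: unicast_rib maps each unicast prefix to the
    neighbouring AS it was learned from. `trusted` models the operator choice of skipping the
    check for a specific iBGP source such as a controller (assumed here, not an RFC field)."""
    if trusted:
        return True
    if dst is None:
        return False                                              # rule a: need a dst prefix
    target = ip_network(dst)
    covering = [(ip_network(p), a) for p, a in unicast_rib.items() if target.subnet_of(ip_network(p))]
    if not covering:
        return False
    best_net, best_as = max(covering, key=lambda pa: pa[0].prefixlen)
    if best_as != neighbour_as:
        return False                                              # rule b: originator mismatch
    for p, a in unicast_rib.items():
        net = ip_network(p)
        if net != target and net.subnet_of(target) and a != best_as:
            return False                                          # rule c: more-specific from elsewhere
    return True
```

The bytes `encode_flowspec_nlri` returns are what goes into the MP_REACH_NLRI attribute for AFI 1 / SAFI 133; the extended community rides alongside it. The validation function is the part to keep in mind when the source is a controller: without the trust exception, every edge router would silently discard the mitigation route.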
So it's like BGP, but the difference is that instead of just getting the Loc-RIB entries from your peer, you get everything your peer knows about. So all of that Adj-RIB-In, you get all of that data from your peer. It can be very handy at exchange points, because you want to know what all of your peers have advertised to you, but equally on a route reflector it can be really useful, because then you get to see everything the route reflector knows about and not just the best routes it's selected.

So the problem we're trying to address here is over-the-top video. I think in the US, I hear these stats, something around a third of all traffic is Netflix, a third is other OTTs, and a third is regular internet use. I know in other countries it's different; I hear in India it's like over 50% Google, this sort of thing. So there are very high volumes of this traffic, and of course what you're always trying to do is cut your cost, so what you want to do is have caches as close to your users as possible. The OTT providers are generally pretty happy to give you caches to push out into your network, and you can go on any of their websites and they explain the process you have to follow. The challenge is how you figure out which is the right cache for a specific user. So typically these providers connect at the internet exchanges, but as I said they also deploy caches into ISP networks. A quick confession: this deck doesn't have that in the reading list, I should have edited that. And really it comes out of two different problems.
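A BMP route-monitoring message taken apart, as an added Python example (not code from the talk or from any BMP collector): the 6-byte common header, the 42-byte per-peer header, and the BGP UPDATE carried inside. The per-peer flag that matters for the speaker's point is L: clear means the message is the pre-policy Adj-RIB-In, everything the peer sent, not just what survived import policy or best-path selection. Because BMP is a plain, unauthenticated TCP stream from the router to the station, the length fields are untrusted input, so the parser bounds and cross-checks them before using them. The 64 KiB cap, the sample peer addresses and ASNs, and the End-of-RIB payload are constructed for the example.

```python
import struct
from ipaddress import IPv4Address, IPv6Address, ip_address
from typing import Any, Dict

BMP_VERSION = 3
ROUTE_MONITORING = 0
FLAG_V, FLAG_L, FLAG_A = 0x80, 0x40, 0x20    # IPv6 peer; post-policy Adj-RIB-In; 2-byte AS_PATH
MAX_BMP_MSG = 64 * 1024                       # assumed station-side bound on the length field

COMMON_HDR = struct.Struct("!BIB")            # version, total length, message type
PER_PEER_HDR = struct.Struct("!BB8s16sIIII")  # peer type, flags, distinguisher, address, AS, BGP ID, ts sec, ts usec
BGP_HDR = struct.Struct("!16sHB")             # marker, length, type
BGP_MARKER = b"\xff" * 16

# Constructed payload: a BGP UPDATE with no withdrawn routes and no path attributes,
# which is the IPv4 unicast End-of-RIB marker (23 bytes).
END_OF_RIB = BGP_HDR.pack(BGP_MARKER, 23, 2) + struct.pack("!HH", 0, 0)


def build_route_monitoring(peer_ip: str, peer_as: int, peer_bgp_id: str,
                           post_policy: bool, bgp_pdu: bytes) -> bytes:
    """Assemble a route-monitoring message the way a router would, for the parser below."""
    addr = ip_address(peer_ip)
    flags = FLAG_L if post_policy else 0
    if addr.version == 6:
        flags |= FLAG_V
        addr_bytes = addr.packed
    else:
        addr_bytes = bytes(12) + addr.packed            # IPv4 right-justified in 16 bytes
    pph = PER_PEER_HDR.pack(0, flags, bytes(8), addr_bytes, peer_as, int(IPv4Address(peer_bgp_id)), 0, 0)
    total = COMMON_HDR.size + PER_PEER_HDR.size + len(bgp_pdu)
    return COMMON_HDR.pack(BMP_VERSION, total, ROUTE_MONITORING) + pph + bgp_pdu


def parse_bmp(buf: bytes) -> Dict[str, Any]:
    """Parse one message from the head of `buf`; raises ValueError rather than trusting bad lengths."""
    if len(buf) < COMMON_HDR.size:
        raise ValueError("short common header")
    version, total, msg_type = COMMON_HDR.unpack_from(buf)
    if version != BMP_VERSION:
        raise ValueError(f"unsupported BMP version {version}")
    if not COMMON_HDR.size <= total <= MAX_BMP_MSG:
        raise ValueError(f"implausible message length {total}")
    if len(buf) < total:
        raise ValueError(f"short read: need {total} bytes, have {len(buf)}")
    msg = buf[:total]
    result: Dict[str, Any] = {"type": msg_type, "length": total}
    if msg_type != ROUTE_MONITORING:
        return result                                   # other types not decoded here
    if total < COMMON_HDR.size + PER_PEER_HDR.size + BGP_HDR.size:
        raise ValueError("route monitoring message too short")
    _ptype, flags, _dist, addr, peer_as, bgp_id, sec, usec = PER_PEER_HDR.unpack_from(msg, COMMON_HDR.size)
    pdu = msg[COMMON_HDR.size + PER_PEER_HDR.size:]
    marker, pdu_len, pdu_type = BGP_HDR.unpack_from(pdu)
    if marker != BGP_MARKER or pdu_len != len(pdu):
        raise ValueError("embedded BGP PDU header is inconsistent with BMP length")
    result.update({
        "peer_ip": str(IPv6Address(addr) if flags & FLAG_V else IPv4Address(addr[12:])),
        "peer_as": peer_as,
        "peer_bgp_id": str(IPv4Address(bgp_id)),
        "post_policy": bool(flags & FLAG_L),   # False: pre-policy Adj-RIB-In, everything the peer sent
        "timestamp": sec + usec / 1e6,
        "bgp_type": pdu_type,                  # 2 = UPDATE
        "bgp_length": pdu_len,
    })
    return result
```

A collector that consumes the stream keeps appending to a buffer and calls `parse_bmp` until it raises "short read", then waits for more bytes; the length cap is what stops a misbehaving or spoofed router from making it allocate without bound.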
So the first one is how do you know which prefix a user is on, which actually isn't that trivial. Because if you think about it with DNS, because DNS servers cache, you do a lookup, and as the authoritative server you don't actually know, because the lookup from the ISP will only come once. You don't know who's asking for that address; you just know it's their resolver. So how do you map a user to a prefix, and then, having done that, how do you figure out the right cache? That's effectively what we're trying to solve here. In terms of mapping users to prefixes, you know, Netflix do it because they have a portal, and I reckon I presented on this at SIGCOMM last year or the year before, about using EDNS client subnet, where basically what you do is, at /25 granularity, every time a user in a different /25 asks for something you actually send it to the authoritative server again and you tag it with this client subnet, to say this user is coming from this prefix.

But in terms of the second problem, really it comes down to BGP communities or MEDs. This is my understanding of what the top OTTs do; it may or may not be correct. But the issue is, if you're an ISP you have structure in your network, and you're probably going to be tagging your different exchanges, or as Christopher said central offices, you're going to be tagging those with communities. You're going to have a hierarchy, so your core nodes are going to be tagged one way, your metro another, and the exchange another way, and so you'll tag your routes with these communities. But the question is what do those mean to the CDN provider, because they have their own structure of communities, typically. So what we want to do is some kind of mapping, either sort of offline, or we might even want to do it in real time. So we might even want to say we have this link-state topology, we can use that to give information on our topology as the ISP and do sort of real-time changes to the over-the-top provider. The way we can figure this out
is using this YANG model. So I mentioned YANG; OpenDaylight and router platforms like Cisco IOS XR typically have their own native YANG models. What we're seeing now is a migration towards common models: XR and ODL have implemented the OpenConfig YANG model, and I think Juniper may have done it as well. So we're getting to a world, finally, where we have common shared models. So that's how we configure the mapping: you configure the mapping rules using the RESTCONF API. There's a mapping application inside ODL. The routes come in from the route reflectors using BMP; they flow into the mapping application; they also, via Kafka, flow out into PNDA, because we want to do analytics on them. Then from the mapping application we push into the RIBs, one RIB for each of the different CDN providers, because they can have different rules, and then the routes flow out to them.

So that's the final demo; I'll just quickly show it. I have to telnet back in; you can probably guess my username and password on this. Whoops. Yeah, so what we have here is a /25 that we've tagged, we've tagged it with community 65504:6500. So what's happening then is it's flowing through a route reflector, which I'm not logged into, into OpenDaylight. The app in OpenDaylight is changing the communities, and then if we look at the routes as they come out again, it was 0.0, wasn't it?
You can see the community has now been changed. So the AS has changed, of course, but the actual semantics on the community have changed from whatever it was, 6500, to 1000. And we could do that across any sort of string of prefixes we wanted, and what you would find is if I add more prefixes here, if I don't tag them with the right community they won't even make it through. So if I do a show, of course it's annoying, you have to add the routes, don't you. Let's go 2.0. I should be doing all this through NETCONF on ODL really. It was 2.0, wasn't it? Really foolish of me to try this live, and yeah, that won't be there, but hopefully the other one will. Ha ha, see, it isn't. It might take a while. Trust me to do a live demo and screw it up. Well, we'll give it a few minutes and then it'll turn up. That was very foolish of me; I might have killed the controller without looking.

Yeah, I think that was pretty much it. The only thing I wanted to say was just that most of this stuff's up there on GitHub. I've got a git repo set up for this OpenDaylight setup which includes all the scripts you need to get ODL up and running with NETCONF, BGP, PCEP etc., including a Vagrant box in there, so if you want to do it with Vagrant rather than just installing it. Then the Pathman-SR thing is the app I mentioned that I showed. There's also a bunch of videos out there; these are ones I did at the OpenDaylight Summit last year, running demos that actually work and that sort of thing. So yeah, any questions? Sorry, probably not yet, but I can put them there. Ha ha, it's made it. Good, good. I'll make sure the slides go up online. OK, any other questions?
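The community-mapping application from the last demo, as an added Python example (not the ODL mapping application itself): per-CDN rule tables turn the ISP's internal location communities into the CDN's scheme, each CDN gets its own RIB, a prefix with no matching community does not make it through, and the local AS is prepended as it would be on the eBGP session towards the CDN. It also strips the ISP's other internal communities so the topology tags never reach the CDN, a hygiene step the talk does not mention but a practitioner would want. The rule tables, ASNs, prefixes and the hypothetical CDN names are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]
    communities: frozenset        # standard communities as "ASN:value" strings


def parse_community(text: str) -> Tuple[int, int]:
    """Validate an 'ASN:value' standard community; both halves must fit in 16 bits."""
    asn, _, value = text.partition(":")
    asn_i, value_i = int(asn), int(value)
    if not (0 <= asn_i <= 0xFFFF and 0 <= value_i <= 0xFFFF):
        raise ValueError(f"not a standard community: {text}")
    return asn_i, value_i


@dataclass(frozen=True)
class MappingRule:
    match: str      # ISP-internal location community, e.g. "65504:6500" for one metro
    set_to: str     # what that location means in the CDN's own scheme, e.g. "65504:1000"


class CdnMapper:
    def __init__(self, local_as: int, rules: Dict[str, List[MappingRule]]):
        self.local_as = local_as
        self.rules = rules
        for rule_list in rules.values():             # reject malformed rules at config time
            for r in rule_list:
                parse_community(r.match)
                parse_community(r.set_to)

    def map_route(self, route: Route, cdn: str) -> Optional[Route]:
        """Rewrite one route for one CDN's RIB, or None if no rule matches (the route is dropped).
        Communities carrying our own AS are stripped before the mapped ones are added."""
        mapped = {r.set_to for r in self.rules.get(cdn, []) if r.match in route.communities}
        if not mapped:
            return None
        kept = {c for c in route.communities if parse_community(c)[0] != self.local_as}
        return replace(route,
                       as_path=(self.local_as,) + route.as_path,     # eBGP prepend towards the CDN
                       communities=frozenset(kept | mapped))

    def build_ribs(self, routes: List[Route]) -> Dict[str, List[Route]]:
        """One RIB per CDN, each holding only the routes that survived its rule table."""
        ribs: Dict[str, List[Route]] = {cdn: [] for cdn in self.rules}
        for route in routes:
            for cdn in self.rules:
                mapped = self.map_route(route, cdn)
                if mapped is not None:
                    ribs[cdn].append(mapped)
        return ribs


def demo() -> Dict[str, List[Route]]:
    """Constructed rules and routes: two metros known to cdn-a, one to cdn-b, and a prefix
    tagged with a community nobody maps."""
    rules = {
        "cdn-a": [MappingRule("65504:6500", "65504:1000"), MappingRule("65504:6501", "65504:1001")],
        "cdn-b": [MappingRule("65504:6500", "65504:2000")],
    }
    mapper = CdnMapper(65504, rules)
    routes = [
        Route("192.0.2.0/25", (), frozenset({"65504:6500", "65504:9"})),   # metro tag plus an internal tag
        Route("192.0.2.128/25", (), frozenset({"65504:6501"})),
        Route("198.51.100.0/24", (), frozenset({"65504:7000"})),            # no rule: dropped everywhere
    ]
    return mapper.build_ribs(routes)
```

Each CDN sees a different view of the same input: cdn-a gets both /25s with its own meanings attached, cdn-b gets only the one metro it has a rule for, and the untagged /24 reaches neither, which is the "won't even make it through" behaviour from the demo.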