OpenFlowPlugin Project

New Features

  • Arbitrator-based device reconciliation mechanism to support replay-based controller reboot/upgrade. More details: Arbitrator Reconciliation using OpenFlow bundle
  • Implementation of officially released Nicira NSH extensions. Existing non-GA’ed Nicira NSH extensions were removed.
  • Implemented equal role functionality: once the user enables this feature, the OpenFlow plugin will not send the master or slave role request to the device. It internally maintains the ownership of each individual device at the plugin level, but the device will always be connected to all the controllers with equal role. This setting is not recommended if the user application relies heavily on the packet-in feature of the OpenFlow plugin, given that in equal role the switch sends the packet to all the controllers. Although a non-owner controller will drop the packet at a very low level, it can still be a performance hit for the switch to send the packet to all the controllers.
  • Forwarding rule manager application is enhanced to take care of the flow-to-group dependency while programming the flow/group, to avoid programming of the dependent flows.
  • Device connection rate limiter functionality: this feature can be leveraged to limit the number of devices per second that connect to the OpenFlow plugin.
  • New configuration parameters were introduced to disable specific statistics collection from the switch. By default all the statistics are enabled.
  • Southbound CLI was enhanced with a CLI command to trigger manual reconciliation of any or all connected OpenFlow devices. More details: Southbound CLI
  • Implementation of Nicira extension (ct_tp_src, ct_tp_dst)
  • Migrated LLDP library code from controller project to openflowplugin project.
  • odl-openflowplugin-app-config-pusher module is made cluster aware.
  • odl-openflowplugin-app-topology feature is now broken into 3 separate features (odl-openflowplugin-app-lldp-speaker, odl-openflowplugin-app-topology-lldp-discovery, odl-openflowplugin-app-topology-manager) in addition to this high-level feature, so that users can load only the features they really need for their use case rather than loading all the features together.

Major Features

odl-openflowjava-protocol

odl-openflowplugin-app-config-pusher

odl-openflowplugin-app-forwardingrules-manager

odl-openflowplugin-app-forwardingrules-sync

odl-openflowplugin-app-table-miss-enforcer

odl-openflowplugin-app-topology

odl-openflowplugin-app-lldp-speaker

odl-openflowplugin-app-topology-lldp-discovery

odl-openflowplugin-app-topology-manager

odl-openflowplugin-onf-extensions

odl-openflowplugin-flow-services

odl-openflowplugin-flow-services-rest

odl-openflowplugin-flow-services-ui

odl-openflowplugin-nsf-model

odl-openflowplugin-southbound

Documentation

Security Considerations

  • Do you have any external interfaces other than RESTCONF? Yes, OpenFlow devices
  • Other security issues?
    • Insecure OpenFlowPlugin <–> OpenFlow device connections
    • Topology spoofing: non-authenticated LLDP packets are used to detect links between switches, which makes link discovery vulnerable to a number of attacks, one of which is topology spoofing. The problem is that all controllers we have tested set chassisSubtype value to the MAC address of the local port of the switch, which makes it easy for an adversary to spoof that switch since controllers use that MAC address as a unique identifier of the switch. By intercepting clear LLDP packets containing MAC addresses, a malicious switch can spoof other switches to falsify the controller’s topology graph.
    • DoS: an adversary switch could generate an LLDP flood, bringing down the OpenFlow network
    • DoS attack when the switch refuses to receive packets from the controller
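
The unauthenticated-LLDP problem listed above, sketched as an added example (not OpenFlowPlugin code): the controller appends an HMAC-SHA256 tag over the chassis ID and port ID TLVs in an organizationally specific TLV, and rejects discovery frames whose tag does not verify. The OUI, subtype, key and MAC addresses are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

CHASSIS_ID, PORT_ID, TTL, END, ORG_SPECIFIC = 1, 2, 3, 0, 127  # LLDP TLV types
AUTH_PREFIX = b"\x00\x00\x00\x01"  # placeholder OUI + hypothetical subtype (assumption)

def tlv(tlv_type, value):
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value  # 7-bit type, 9-bit length

def parse_tlvs(payload):
    """Return [(type, value), ...]; a truncated TLV yields [] so the frame is rejected."""
    out, pos = [], 0
    while pos + 2 <= len(payload):
        (header,) = struct.unpack_from("!H", payload, pos)
        tlv_type, length = header >> 9, header & 0x1FF
        pos += 2
        if tlv_type == END:
            break
        if pos + length > len(payload):
            return []
        out.append((tlv_type, payload[pos:pos + length]))
        pos += length
    return out

def build_lldpdu(key, chassis_mac, port_id):
    """Controller side: chassis ID (subtype 4 = MAC), port ID, TTL, HMAC TLV."""
    ids = tlv(CHASSIS_ID, b"\x04" + chassis_mac) + tlv(PORT_ID, b"\x07" + port_id)
    tag = hmac.new(key, ids, hashlib.sha256).digest()
    auth = tlv(ORG_SPECIFIC, AUTH_PREFIX + tag)
    return ids + tlv(TTL, struct.pack("!H", 120)) + auth + tlv(END, b"")

def verify_lldpdu(key, payload):
    """Return (chassis_mac, port_id) if the HMAC TLV checks out, else None."""
    tlvs = parse_tlvs(payload)
    chassis = [v for t, v in tlvs if t == CHASSIS_ID]
    port = [v for t, v in tlvs if t == PORT_ID]
    tags = [v[4:] for t, v in tlvs if t == ORG_SPECIFIC and v.startswith(AUTH_PREFIX)]
    if not (len(chassis) == len(port) == len(tags) == 1):
        return None  # missing or duplicated TLVs are treated as forged
    ids = tlv(CHASSIS_ID, chassis[0]) + tlv(PORT_ID, port[0])
    if not hmac.compare_digest(tags[0], hmac.new(key, ids, hashlib.sha256).digest()):
        return None
    return chassis[0][1:], port[0][1:]

def demo():  # constructed sample values, not from a real network
    key, mac_a, mac_b = b"constructed-key", bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    good = build_lldpdu(key, mac_a, b"1")
    forged = good.replace(mac_a, mac_b, 1)  # chassis ID rewritten, tag left as captured
    return verify_lldpdu(key, good), verify_lldpdu(key, forged)
```

A tag of this kind keeps a switch from substituting another switch's chassis ID, but a captured frame still verifies if it is replayed or relayed unchanged, so it does not cover that case.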

Quality Assurance

Migration

  • Is it possible to migrate from the previous release? If so, how?

    Yes, APIs from the Oxygen release are supported in the Fluorine release, except the Nicira NSH related extension YANG data models. The implementation present in the Oxygen release was based on the non-GA version of the NSH extension. In the Fluorine release these deprecated non-GA YANG models are removed and GA’ed NSH extensions were implemented.

Compatibility

  • Is this release compatible with the previous release? Yes

Known Issues

  • List key known issues with workarounds: Under heavy load, when multiple devices (40+) are connected and the user is trying to install 100K+ flows, devices sometimes proactively disconnect because the controller is not able to respond to echo requests. To work around this issue, it’s recommended that the user set the echo time interval in the switch to a high value (30 seconds).
  • Link to Open Bugs

End-of-life

  • List of features/APIs which are EOLed, deprecated, and/or removed in this release: Non-GA’ed Nicira NSH extensions present in the Oxygen release are removed and GA’ed NSH extensions were implemented.

Standards

OpenFlow versions:

Release Mechanics