Thanks to FAUCET, Poseidon Now Supports Switches Running OpenFlow 1.3

Charlie L
Cyber Reboot
Dec 7, 2017


Poseidon

As a refresher, check out our earlier post outlining Poseidon’s three major objectives. To sum it up, Poseidon is all about performing deep learning on network packet data, setting up an SDN environment, and scheduling a microservice to connect the two.

A while back we wrote about how Hacktoberfest helped us accomplish some important things, and one of those things was leveraging an open source SDN controller as an alternative SDN controller for Poseidon. In this post we will walk through the background of why we did this, the changes we made so that Poseidon can use more than one SDN controller implementation, and the improvements recently made to the second SDN controller implementation we chose to go with: FAUCET.

Adding OpenFlow 1.3 support to Poseidon via FAUCET

When we first started the Poseidon project over a year ago, we did a preliminary evaluation of a number of SDN controllers to see which would best fit our needs based on our goals. We also obtained a variety of SDN switches from Dell, Accton Edgecore, Facebook Wedge, Quanta, and Northbound Networks. At the time, we narrowed down the controller options to four: Onos, Ryu, OpenDayLight, and Floodlight. After ultimately picking Onos and running into a number of issues, we discovered through conversations with BigSwitch that the Big Cloud Fabric™ (BCF) Community Edition (forked from Floodlight) would suit our needs and be compatible with our Dell and Accton switches. This simplified the controller part of Poseidon and allowed us to focus on the other aspects of the project.

Tying Poseidon so strongly to BCF meant that Poseidon could only be run with very specific hardware, which made it difficult to demonstrate and trial in environments that didn’t already have an SDN network that was using BCF. Since we still had a couple of the Zodiac FX 4 port OpenFlow switches lying around from Northbound Networks, we decided to see if controller options had gotten any better in the last year. We wanted to see what we could get working with them, since they are cheap ($85) and portable. While searching, we came across this tutorial about FAUCET (not sure how we missed it last time around, but glad we ran into it this time).

FAUCET differs from BCF in a few ways. First, it is quite lightweight, meaning we can run it on something as small as a Raspberry Pi (RPi) without issue. Second, and more importantly, FAUCET's philosophy for hardware support is essentially to require only that the switch speak standard OpenFlow 1.3, rather than tying itself to particular vendors' hardware. This greatly increases the number of switches (including virtual ones!) that can now be used with Poseidon.

Big Cloud Fabric and FAUCET now supported in Poseidon

We had FAUCET up and running in no time. While you can build FAUCET yourself if you want to, they conveniently provide Dockerfiles so you can run FAUCET and all of its components in Docker containers. When we first started trying to get FAUCET running locally on a Mac, we ran into volume mount errors, which were easily remedied with this pull request (PR).

FAUCET: Pull Request #1124

Once we saw how quick and easy it was to get it up and running, we started working on getting it running on an RPi. We noticed that they had a docker-compose file for x86_64 machines, but not for ARM, so we opened another PR to include one.

FAUCET: Pull Request #1148

This made our FAUCET setup a single command to build and run. The FAUCET community was very welcoming and quick to receive and approve our small contributions.

Initial prototype of a FAUCET network with 3 RPis

Now that we had the basics up and running for our miniature SDN environment, we needed to see how much work would be needed to make it work with Poseidon; as it turns out, not much. We had already abstracted most of the controller code away from the rest of Poseidon, so this PR cleanly stubbed in an additional controller class for FAUCET.

Poseidon: Pull Request #402

Effectively, Poseidon needs to be able to drive an SDN controller to perform the following operations:

  1. Detect new devices at Layer 2 and Layer 3.
  2. Start and stop mirroring traffic from said new devices to another port that Poseidon specifies.
  3. Update the switch's posture by applying a (security) action against that new device when one is warranted.
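To make the second and third operations concrete, here is an added example, in Python (Poseidon's own language), of how they can be mapped onto a FAUCET-managed switch. It is not Poseidon's or FAUCET's code. FAUCET is configured declaratively from a YAML file rather than through a flow-programming API, so a controller shim for it edits that config (port mirroring via the `mirror` list on the destination port, a block action via an ingress ACL) and then asks FAUCET to reload. The config keys used follow FAUCET's documented schema; the switch name, `dp_id`, port layout and the tap port are assumptions for a 4-port Zodiac FX, and the tiny YAML emitter stands in for PyYAML so the block runs with no dependencies. Detection (operation 1) is not shown, because FAUCET learns hosts itself rather than being told to.

```python
# Added example (not Poseidon's or FAUCET's own code): mapping the mirror and
# security-action operations onto FAUCET's YAML config. Keys follow FAUCET's
# schema (dps, interfaces, native_vlan, mirror, acls, acl_in, rule, actions);
# the switch name, dp_id and port layout are assumptions for a Zodiac FX.
import copy

# Constructed baseline: ports 1-3 are access ports on one VLAN, port 4 is the
# tap port that Poseidon's capture side listens on (assumed layout).
TAP_PORT = 4
BASE_CONFIG = {
    "vlans": {"office": {"vid": 100}},
    "dps": {
        "zodiac-1": {
            "dp_id": 0x1,
            "hardware": "ZodiacFX",
            "interfaces": {
                1: {"native_vlan": "office"},
                2: {"native_vlan": "office"},
                3: {"native_vlan": "office"},
                TAP_PORT: {"description": "poseidon tap"},
            },
        }
    },
}


def _interfaces(config, dp):
    return config["dps"][dp]["interfaces"]


def start_mirror(config, dp, port):
    """Operation 2: copy `port`'s traffic to the tap port. FAUCET expresses
    mirroring on the *destination* port: its `mirror` list names the sources.
    Returns a new config; the input is never mutated."""
    new = copy.deepcopy(config)
    sources = _interfaces(new, dp)[TAP_PORT].setdefault("mirror", [])
    if port not in sources:          # idempotent: re-detecting a host is harmless
        sources.append(port)
    return new


def stop_mirror(config, dp, port):
    """Operation 2: stop mirroring `port`; drop the key once the list is empty
    so the tap port goes back to its plain config."""
    new = copy.deepcopy(config)
    tap = _interfaces(new, dp)[TAP_PORT]
    sources = [p for p in tap.get("mirror", []) if p != port]
    if sources:
        tap["mirror"] = sources
    else:
        tap.pop("mirror", None)
    return new


def block_host(config, dp, port, mac):
    """Operation 3: a security action. Attach an ingress ACL to the device's
    port that drops frames from its MAC; the trailing match-all rule keeps
    the rest of the port working (FAUCET evaluates rules in order)."""
    new = copy.deepcopy(config)
    acl_name = f"block-{port}-{mac.replace(':', '')}"
    new.setdefault("acls", {})[acl_name] = [
        {"rule": {"dl_src": mac, "actions": {"allow": 0}}},
        {"rule": {"actions": {"allow": 1}}},
    ]
    _interfaces(new, dp)[port]["acl_in"] = acl_name
    return new


def _scalar(value):
    # Quote strings: an all-digit MAC such as 12:34:56:78:90:12 would otherwise
    # be read back as a YAML 1.1 sexagesimal integer and the ACL would miss.
    return f'"{value}"' if isinstance(value, str) else str(value)


def to_yaml(node, indent=0):
    """Minimal emitter for the dict/list/scalar shape above (stand-in for
    PyYAML's safe_dump); returns a list of lines."""
    pad = "  " * indent
    lines = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, (dict, list)) and value:
                lines.append(f"{pad}{key}:")
                lines.extend(to_yaml(value, indent + 1))
            else:
                lines.append(f"{pad}{key}: {_scalar(value)}")
    else:  # list
        for item in node:
            if isinstance(item, dict):
                sub = to_yaml(item, indent + 1)
                lines.append(f"{pad}- {sub[0].lstrip()}")  # hoist first key
                lines.extend(sub[1:])
            else:
                lines.append(f"{pad}- {_scalar(item)}")
    return lines


def demo():
    """A new device on port 2: mirror it, decide to block it, stop mirroring."""
    cfg = start_mirror(BASE_CONFIG, "zodiac-1", 2)
    cfg = block_host(cfg, "zodiac-1", 2, "0e:00:00:00:00:01")
    return stop_mirror(cfg, "zodiac-1", 2)


if __name__ == "__main__":
    print("\n".join(to_yaml(demo())))
```

Each operation returns a fresh config rather than mutating the shared one, so a failed write leaves the last known-good `faucet.yaml` in place; after writing the rendered text over that file, FAUCET is told to reload it by sending the process a SIGHUP.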

One of the recent improvements to FAUCET is that it now learns hosts not only at Layer 2 but also at Layer 3 (their IP addresses), when Layer 3 information is present, thanks to this PR.

FAUCET: Pull Request #1220

FAUCET now meets all of the requirements Poseidon needs from an SDN controller.

In our next post we will walk through the materials needed and steps required to go from zero to a fully working SDN environment with FAUCET and Poseidon using the RPis and the Zodiac FX switch. Stay tuned!

Cyber Reboot, an IQT lab, challenges the traditional approach to cybersecurity with the goal of rebalancing the equation to increase the cost and complexity for our adversaries while reducing cost and complexity for our defenders.

Learn more at http://www.cyberreboot.org/ and follow us on Twitter: @_cyberreboot
