forked from openvswitch/ovs
-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathTODO
285 lines (215 loc) · 11 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
Open vSwitch Project Ideas
==========================
This file lists a number of project ideas for Open vSwitch. The ideas
here overlap somewhat with those in the OPENFLOW-1.1+ file.
Programming Project Ideas
=========================
Each of these projects would ideally result in a patch or a short
series of them posted to ovs-dev.
Please read CONTRIBUTING and CodingStyle in the top of the source tree
before you begin work. The OPENFLOW-1.1+ file also has an
introduction to how OpenFlow is implemented in Open vSwitch. It is
also a good idea to look around the source tree for related code, and
back through the Git history for commits on related subjects, to allow
you to follow existing patterns and conventions.
Meters
------
Open vSwitch has OpenFlow protocol support for meters, but it does not
have an implementation in the kernel or userspace datapaths. An
implementation was proposed some time ago (I recommend looking for the
discussion in the ovs-dev mailing list archives), but for a few
different reasons it was not accepted. Some of those reasons apply
only to a kernel implementation of meters. At the time, a userspace
implementation wasn't as interesting, because the userspace switch
did not perform at a production speed, but with the advent of
multithreaded forwarding and, now, DPDK support, userspace-only meters
would be a great way to get started.
Improve SSL/TLS Security
------------------------
Open vSwitch allows some weak ciphers to be used for its secure
connections. Security audits often suggest that the project remove
those ciphers, but there's not a clean way to modify the acceptable
ciphers. At the very least, the cipher list should be audited, but it
would be nice to make it configurable.
Open vSwitch does not insist on perfect forward security via ephemeral
Diffie-Hellman key exchange when it establishes an SSL/TLS connection.
Given the wiretapping revelations over the last year, it seems wise to
turn this on. (This would probably amount to finding the right
OpenSSL function to call or just reducing the acceptable ciphers
further.)
These changes might have backward-compatibility implications; one
would have to test the behavior of the reduced cipher list OVS against
older versions.
Bash Command Completion
-----------------------
ovs-vsctl and other programs would be easier to use if bash command
completion (with ``tab'', etc.) were supported. Alex Wang
<[email protected]> is leading a team for this project.
Auxiliary Connections
---------------------
Auxiliary connections are a feature of OpenFlow 1.3 and later that
allow OpenFlow messages to be carried over datagram channels such as
UDP or DTLS. One place to start would be to implement a datagram
abstraction library for OVS analogous to the ``stream'' library
that already abstracts TCP, SSL, and other stream protocols.
Controller connection logging to pcap file
------------------------------------------
http://patchwork.openvswitch.org/patch/2249/ is an RFC patch that
allows the switch to record the traffic on OpenFlow controller
connections to a pcap file for later analysis. The patch lacks a good
way to enable and disable the feature. The task here would be to add
that and repost the patch.
Basic OpenFlow 1.4 support
--------------------------
Some basic support for OpenFlow 1.4 is missing and needs to be
implemented. These can be found by looking through lib/ofp-util.c for
mentions of OFP14_VERSION followed by a call to OVS_NOT_REACHED (which
aborts the program).
OpenFlow 1.4: Flow monitoring
-----------------------------
OpenFlow 1.4 introduces OFPMP_FLOW_MONITOR for notifying a controller
of changes to selected flow tables. This feature is based on
NXST_FLOW_MONITOR that is already part of Open vSwitch, so to
implement this feature would be to extend that code to handle the
OpenFlow 1.4 wire protocol.
OpenFlow 1.3 also includes this feature as a ONF-defined extension, so
ideally OVS would support that too.
OpenFlow 1.4 Role Status Message
--------------------------------
OpenFlow 1.4 section 7.4.4 ``Controller Role Status Message''
defines a new message sent by a switch to notify the controller that
its role (whether it is a master or a slave) has changed. OVS should
implement this.
OpenFlow 1.3 also includes this feature as a ONF-defined extension, so
ideally OVS would support that too.
OpenFlow 1.4 Vacancy Events
---------------------------
OpenFlow 1.4 section 7.4.5 ``Table Status Message'' defines a new
message sent by a switch to notify the controller that a flow table is
close to filling up (or that it is no longer close to filling up).
OVS should implement this.
OpenFlow 1.3 also includes this feature as a ONF-defined extension, so
ideally OVS would support that too.
OpenFlow 1.4 Group and Meter Change Notification
------------------------------------------------
OpenFlow 1.4 adds a feature whereby a controller can ask the switch to
send it copies of messages that change groups and meters. (This is
only useful in the presence of multiple controllers.) OVS should
implement this.
OpenFlow 1.3 also includes this feature as a ONF-defined extension, so
ideally OVS would support that too.
Testing Project Ideas
=====================
Each of these projects would ideally result in confirmation that
features work or bug reports explaining how they do not. Please sent
bug reports to dev at openvswitch.org, with as many details as you have.
ONF Plugfest Results Analysis
-----------------------------
Ben Pfaff has a collection of files reporting Open vSwitch conformance
to OpenFlow 1.3 provided by one of the vendors at the ONF plugfest
last year. Some of the reported failures have been fixed, some of the
other failures probably result from differing interpretations of
OpenFlow 1.3, and others are probably genuine bugs in Open vSwitch.
Open vSwitch has also improved in the meantime. Ben can provide the
results, privately, to some person or team who wishes to check them
out and try to pick out the genuine bugs.
OpenFlow Fuzzer
---------------
Build a ``fuzzer'' for the OpenFlow protocol (or use an existing
one, if there is one) and run it against the Open vSwitch
implementation. One could also build a fuzzer for the OSVDB protocol.
Ryu Certification Tests Analysis
--------------------------------
The Ryu controller comes with a suite of ``certification tests''
that check the correctness of a switch's implementation of various
OpenFlow 1.3 features. The INSTALL file in the OVS source tree has a
section that explains how to easily run these tests against an OVS
source tree. Run the tests and figure out whether any tests fail but
should pass. (Some tests fail and should fail because OVS does not
implement the particular feature; for example, OVS does not implement
PBB encapsulation, so related tests fail.)
OFTest Results Analysis
-----------------------
OFTest is a test suite for OpenFlow 1.0 compliance. The INSTALL file
in the OVS source tree has a section that explains how to easily run
these tests against an OVS source tree. Run the tests and figure out
whether any tests fail but should pass, and ideally why. OFTest is
not particularly well vetted--in the past, at least, some tests have
failed against OVS due to bugs in OFTest, not in OVS--so some care is
warranted.
Documentation Project Ideas
===========================
Each of these projects would ideally result in creating some new
documentation for users. Some documentation might be suitable to
accompany Open vSwitch as part of its source tree most likely either
in plain text or ``nroff'' (manpage) format.
OpenFlow Basics Tutorial
------------------------
Open vSwitch has a tutorial that covers its advanced features, but it
does not have a basic tutorial. There are several tutorials on the
Internet already, so a new tutorial would have to distinguish itself
in some way. One way would be to use the Open vSwitch ``sandbox''
environment already used in the advanced tutorial. The sandbox does
not require any real network or even supervisor privilege on the
machine where it runs, and thus it is easy to use with hardly any
up-front setup, so it is a gentle way to get started.
FlowVisor via patch ports
-------------------------
FlowVisor is a proxy that sits between OpenFlow controllers and a
switch. It divides up switch resources, allowing each controller to
control a ``slice'' of the network. For example, it can break up a
network based on VLAN, allowing different controllers to handle
packets with different VLANs.
It seems that Open vSwitch has features that allow it to implement at
least simple forms of FlowVisor control without any need for
FlowVisor. Consider an Open vSwitch instance with three bridges.
Bridge br0 has physical ports eth0 and eth1. Bridge v9 has no
physical ports, but it has two ``patch ports'' that connect it to
br0. Bridge v11 has the same setup. Flows in br0 match packets
received on vlan 9, strip the vlan header, and direct them to the
appropriate patch port leading to v9. Additional flows in br0 match
packets received from v9, attach a VLAN 9 tag to them, and direct them
out eth0 or eth1 as appropriate. Other flows in br0 treat packets on
VLAN 11 similarly. Controllers attached to bridge v9 or v11 may thus
work as if they had full control of a network.
It seems to me that this is a good example of the power of OpenFlow
and Open vSwitch. The point of this project is to explain how to do
this, with detailed examples, in case someone finds it handy and to
open eyes toward the generality of Open vSwitch usefulness.
``Cookbooks''
-------------
The Open vSwitch website has a few ``cookbook'' entries that
describe how to use Open vSwitch in a few scenarios. There are only a
few of these and all of them are dated. It would be a good idea to
come up with ideas for some more and write them. These could be added
to the Open vSwitch website or the source tree or somewhere else.
Demos
-----
Record a demo of Open vSwitch functionality in use (or something else
relevant) and post it to youtube or another video site so that we can
link to it from openvswitch.org.
How to contribute
=================
If you plan to contribute code for a feature, please let everyone know
on ovs-dev before you start work. This will help avoid duplicating
work.
Please consider the following:
* Testing. Please test your code.
* Unit tests. Please consider writing some. The tests directory
has many examples that you can use as a starting point.
* ovs-ofctl. If you add a feature that is useful for some
ovs-ofctl command then you should add support for it there.
* Documentation. If you add a user-visible feature, then you
should document it in the appropriate manpage and mention it in
NEWS as well.
* Coding style (see the CodingStyle file at the top of the source
tree).
* The patch submission guidelines (see CONTRIBUTING). I
recommend using "git send-email", which automatically follows a
lot of those guidelines.
Bug Reporting
=============
Please report problems to [email protected].
Local Variables:
mode: text
End: