Stochastic Pre-Classification for SDN Data Plane Matching Author : Luke McHale, C. Jasson Casey, Paul V. Gratz, Alex Sprintson Conference: 2014 IEEE 22nd.

Slides:



Advertisements
Similar presentations
Deep Packet Inspection with DFA-trees and Parametrized Language Overapproximation Author: Daniel Luchaup, Lorenzo De Carli, Somesh Jha, Eric Bach Publisher:
Advertisements

1 TCAM Razor: A Systematic Approach Towards Minimizing Packet Classifiers in TCAMs Department of Computer Science and Information Engineering National.
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
Performance Evaluation of IPv6 Packet Classification with Caching Author: Kai-Yuan Ho, Yaw-Chung Chen Publisher: ChinaCom 2008 Presenter: Chen-Yu Chaug.
1 Route Table Partitioning and Load Balancing for Parallel Searching with TCAMs Department of Computer Science and Information Engineering National Cheng.
OpenFlow-Based Server Load Balancing GoneWild Author : Richard Wang, Dana Butnariu, Jennifer Rexford Publisher : Hot-ICE'11 Proceedings of the 11th USENIX.
High-Performance Packet Classification on GPU Author: Shijie Zhou, Shreyas G. Singapura and Viktor K. Prasanna Publisher: HPEC 2014 Presenter: Gang Chi.
Packet Classification using Rule Caching Author: Nitesh B. Guinde, Roberto Rojas-Cessa, Sotirios G. Ziavras Publisher: IISA, 2013 Fourth International.
Fast forwarding table lookup exploiting GPU memory architecture Author : Youngjun Lee,Minseon Jeong,Sanghwan Lee,Eun-Jin Im Publisher : Information and.
Packet Classification Using Multi-Iteration RFC Author: Chun-Hui Tsai, Hung-Mao Chu, Pi-Chung Wang Publisher: COMPSACW, 2013 IEEE 37th Annual (Computer.
INTERNATIONAL NETWORKS At Indiana University Hans Addleman TransPAC Engineer, International Networks University Information Technology Services Indiana.
Author: Haoyu Song, Fang Hao, Murali Kodialam, T.V. Lakshman Publisher: IEEE INFOCOM 2009 Presenter: Chin-Chung Pan Date: 2009/12/09.
Leveraging Traffic Repetitions for High- Speed Deep Packet Inspection Author: Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, David Hay Publisher:
A Hybrid IP Lookup Architecture with Fast Updates Author : Layong Luo, Gaogang Xie, Yingke Xie, Laurent Mathy, Kavé Salamatian Conference: IEEE INFOCOM,
EQC16: An Optimized Packet Classification Algorithm For Large Rule-Sets Author: Uday Trivedi, Mohan Lal Jangir Publisher: 2014 International Conference.
Deterministic Finite Automaton for Scalable Traffic Identification: the Power of Compressing by Range Authors: Rafael Antonello, Stenio Fernandes, Djamel.
1 Fast packet classification for two-dimensional conflict-free filters Department of Computer Science and Information Engineering National Cheng Kung University,
IPv6-Oriented 4 OC768 Packet Classification with Deriving-Merging Partition and Field- Variable Encoding Scheme Mr. Xin Zhang Undergrad. in Tsinghua University,
DBS A Bit-level Heuristic Packet Classification Algorithm for High Speed Network Author : Baohua Yang, Xiang Wang, Yibo Xue, Jun Li Publisher : th.
Memory-Efficient Regular Expression Search Using State Merging Author: Michela Becchi, Srihari Cadambi Publisher: INFOCOM th IEEE International.
High-Speed Policy-Based Packet Forwarding Using Efficient Multi-dimensional Range Matching Lakshman and Stiliadis ACM SIGCOMM 98.
SwinTop: Optimizing Memory Efficiency of Packet Classification in Network Author: Chen, Chang; Cai, Liangwei; Xiang, Yang; Li, Jun Conference: Communication.
Research on TCAM-based OpenFlow Switch Author: Fei Long, Zhigang Sun, Ziwen Zhang, Hui Chen, Longgen Liao Conference: 2012 International Conference on.
Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking Author : Tommy Chin Jr., Xenia Mountrouidou, Xiangyang Li and Kaiqi.
2017/4/26 Rethinking Packet Classification for Global Network View of Software-Defined Networking Author: Takeru Inoue, Toru Mano, Kimihiro Mizutani, Shin-ichi.
Memory-Efficient and Scalable Virtual Routers Using FPGA Department of Computer Science and Information Engineering, National Cheng Kung University, Tainan,
Early Detection of DDoS Attacks against SDN Controllers
OpenFlow MPLS and the Open Source Label Switched Router Department of Computer Science and Information Engineering, National Cheng Kung University, Tainan,
FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions Author: Seyed Kaveh Fayazbakhsh, Vyas Sekar, Minlan Yu and Jeffrey.
Shadow MACs: Scalable Label- switching for Commodity Ethernet Author: Kanak Agarwal, John Carter, Eric Rozner and Colin Dixon Publisher: HotSDN 2014 Presenter:
Updating Designed for Fast IP Lookup Author : Natasa Maksic, Zoran Chicha and Aleksandra Smiljani´c Conference: IEEE High Performance Switching and Routing.
Binary-tree-based high speed packet classification system on FPGA Author: Jingjiao Li*, Yong Chen*, Cholman HO**, Zhenlin Lu* Publisher: 2013 ICOIN Presenter:
Lightweight Traffic-Aware Packet Classification for Continuous Operation Author: Shariful Hasan Shaikot, Min Sik Kim Presenter: Yen-Chun Tseng Date: 2014/11/26.
Range Enhanced Packet Classification Design on FPGA Author: Yeim-Kuan Chang, Chun-sheng Hsueh Publisher: IEEE Transactions on Emerging Topics in Computing.
PC-TRIO: A Power Efficient TACM Architecture for Packet Classifiers Author: Tania Banerjee, Sartaj Sahni, Gunasekaran Seetharaman Publisher: IEEE Computer.
Investigating the Prefix-level Characteristics A Case Study in an IPv6 Network Department of Computer Science and Information Engineering, National Cheng.
Lossy Compression of Packet Classifiers Author: Ori Rottenstreich, J’anos Tapolcai Publisher: 2015 IEEE International Conference on Communications Presenter:
Packet Classification Using Dynamically Generated Decision Trees
IP Routing table compaction and sampling schemes to enhance TCAM cache performance Author: Ruirui Guo a, Jose G. Delgado-Frias Publisher: Journal of Systems.
Hierarchical packet classification using a Bloom filter and rule-priority tries Source : Computer Communications Authors : A. G. Alagu Priya 、 Hyesook.
LOP_RE: Range Encoding for Low Power Packet Classification Author: Xin He, Jorgen Peddersen and Sri Parameswaran Conference : IEEE 34th Conference on Local.
SRD-DFA Achieving Sub-Rule Distinguishing with Extended DFA Structure Author: Gao Xia, Xiaofei Wang, Bin Liu Publisher: IEEE DASC (International Conference.
Practical Multituple Packet Classification Using Dynamic Discrete Bit Selection Author: Baohua Yang, Fong J., Weirong Jiang, Yibo Xue, Jun Li Publisher:
Hierarchical Hybrid Search Structure for High Performance Packet Classification Authors : O˜guzhan Erdem, Hoang Le, Viktor K. Prasanna Publisher : INFOCOM,
Deep Packet Inspection as a Service Author : Anat Bremler-Barr, Yotam Harchol, David Hay and Yaron Koral Conference: ACM 10th International Conference.
LightFlow : Speeding Up GPU-based Flow Switching and Facilitating Maintenance of Flow Table Author : Nobutaka Matsumoto and Michiaki Hayashi Conference:
JA-trie: Entropy-Based Packet Classification Author: Gianni Antichi, Christian Callegari, Andrew W. Moore, Stefano Giordano, Enrico Anastasi Conference.
2018/4/23 Dynamic Load-balanced Path Optimization in SDN-based Data Center Networks Author: Yuan-Liang Lan , Kuochen Wang and Yi-Huai Hsu Presenter: Yi-Hsien.
Minimizing latency of critical traffic through SDN
A DFA with Extended Character-Set for Fast Deep Packet Inspection
2018/6/26 An Energy-efficient TCAM-based Packet Classification with Decision-tree Mapping Author: Zhao Ruan, Xianfeng Li , Wenjun Li Publisher: 2013.
Statistical Optimal Hash-based Longest Prefix Match
2018/11/19 Source Routing with Protocol-oblivious Forwarding to Enable Efficient e-Health Data Transfer Author: Shengru Li, Daoyun Hu, Wenjian Fang and.
Parallel Processing Priority Trie-based IP Lookup Approach
2018/12/10 Energy Efficient SDN Commodity Switch based Practical Flow Forwarding Method Author: Amer AlGhadhban and Basem Shihada Publisher: 2016 IEEE/IFIP.
2018/12/29 A Novel Approach for Prefix Minimization using Ternary trie (PMTT) for Packet Classification Author: Sanchita Saha Ray, Abhishek Chatterjee,
2019/1/1 High Performance Intrusion Detection Using HTTP-Based Payload Aggregation 2017 IEEE 42nd Conference on Local Computer Networks (LCN) Author: Felix.
Memory-Efficient Regular Expression Search Using State Merging
Virtual TCAM for Data Center Switches
A Small and Fast IP Forwarding Table Using Hashing
Scalable Multi-Match Packet Classification Using TCAM and SRAM
2019/5/2 Using Path Label Routing in Wide Area Software-Defined Networks with OpenFlow ICNP = International Conference on Network Protocols Presenter:Hung-Yen.
SDN-Guard: DoS Attacks Mitigation in SDN Networks
Power-efficient range-match-based packet classification on FPGA
A Hybrid IP Lookup Architecture with Fast Updates
2019/7/26 OpenFlow-Enabled User Traffic Profiling in Campus Software Defined Networks Presenter: Wei-Li,Wang Date: 2016/1/4 Author: Taimur Bakhshi and.
Authors: Ding-Yuan Lee, Ching-Che Wang, An-Yeu Wu Publisher: 2019 VLSI
MEET-IP Memory and Energy Efficient TCAM-based IP Lookup
Towards TCAM-based Scalable Virtual Routers
Packet Classification Using Binary Content Addressable Memory
Presentation transcript:

Stochastic Pre-Classification for SDN Data Plane Matching Author : Luke McHale, C. Jasson Casey, Paul V. Gratz, Alex Sprintson Conference: 2014 IEEE 22nd International Conference on Network Protocols Presenter: Tung-yin Chi Date: 2015/7/22 Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C.

Motivation SDNs increase stress on Packet Classification Higher complexity compared to traditional networks Generalizing increases timing variability Denial of Service (DoS) attacks on SDN switches are a potential issue Wastes resources, crowding out legitimate packets Inherent problem: traffic must be classified before it can be determined malicious National Cheng Kung University CSIE Computer & Internet Architecture Lab 2

Packet Classification Exact Matching Hash Tables Prefix Match Tries Arbitrary TCAM (limited in size/availability) National Cheng Kung University CSIE Computer & Internet Architecture Lab 3

Packet Classification National Cheng Kung University CSIE Computer & Internet Architecture Lab 4

Flow Locality 35% of the flows contain 95% of the packets The active-flow window is constantly changing National Cheng Kung University CSIE Computer & Internet Architecture Lab 5

Flow Caching Flow Locality -> Caching becomes fast-path Keeps high-throughput flows Lookup: exact-match using key (i.e. 5-tuple) Cache: action set Hits: bypass Table and Flow selection National Cheng Kung University CSIE Computer & Internet Architecture Lab 6

Pre-Classification Attacks aim to stress slow-path (classification) When stressed, prioritize established traffic Lookup: exact-match using key (i.e. 5-tuple) Cache: seen before Hits: higher classification priority National Cheng Kung University CSIE Computer & Internet Architecture Lab 7

Bloom Filter Hit: flow likely seen within epoch Miss: flow definitely not seen within epoch O[1] Lookups O[1] Inserts National Cheng Kung University CSIE Computer & Internet Architecture Lab 8

Bloom Filter: XOR Hash Function Bit-level XOR helps preserve entropy Avoid mixing heavily correlated bits National Cheng Kung University CSIE Computer & Internet Architecture Lab 9

Experimental Setup National Cheng Kung University CSIE Computer & Internet Architecture Lab 10

Firewall Application Simulated Firewall Application Access Control List (ACL) Protocol IP source/destination Port source/dest. ranges Test ACL Generation 95%: nominal network conditions 60%: network with significant malicious traffic 20%: network under attack National Cheng Kung University CSIE Computer & Internet Architecture Lab 11

Results: Throughput N ormalize d Throughpu t Baseline - 95% Baseline - 60% Baseline - 20% packet Key Extraction packet Table Selection Flow Selection Action Application packet Interface Speed (Gbps) ❇ Stressed >1 Gbps

Results: Throughput N ormalize d Throughpu t Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% miss hit packet Key Extraction Flow Cache packet Table Selection Flow Selection Action Application packet update Interface Speed (Gbps) ❇ Stressed >1 Gbps □ Throughput proportional to unauthorized traffic

Results: Throughput N ormalize d Throughpu t Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% Partition - 95% Partition - 60% Partition - 20% hit miss Priority Scheduler Filter packet Extraction Known Flows Unknown Flows packet Selection Application packet update Interface Speed (Gbps) Lo ❇ Stressed >1 Gbps □ Throughput proportional to unauthorized traffic ▲ Unauthorized traffic has less impact on throughput

Results: Throughput miss hit Flow Cache packet Table Selection Flow Selection Action Application packet hit miss Priority Scheduler Hi Lo Bloom Filter packet Key Extraction Known Flows Unknown Flows update N ormalize d Throughpu t Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% Partition - 95% Partition - 60% Partition - 20% Partition+Caching - 95% Partition+Caching - 60% Partition+Caching - 20% ❇ Stressed >1 Gbps □ Throughput proportional to unauthorized traffic ▲ Unauthorized traffic has less impact on throughput  More consistent throughput Interface Speed (Gbps)

Results: Latency Mea n La te nc y (µs ) Baseline - 95% Baseline - 60% Baseline - 20% packet Key Extraction packet Table Selection Flow Selection Action Application packet Interface Speed (Gbps) ❇ Queue saturation causes high latency >1 Gbps

Results: Latency Mea n La te nc y (µs ) Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% miss hit packet Key Extraction Flow Cache packet Table Selection Flow Selection Action Application packet update Interface Speed (Gbps) ❇ Queue saturation causes high latency >1 Gbps □ Hits improve average latency

Results: Latency Mea n La te nc y (µs ) Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% Partition - 95% Partition - 60% Partition - 20% hit miss Priority Scheduler Filter packet Extraction Known Flows Unknown Flows packet Selection Application packet update Interface Speed (Gbps) Lo ❇ Queue saturation causes high latency >1 Gbps □ Hits improve average latency ▲ Authorized traffic not yet seen incurs higher latency ▲ Once flow is learned, latency consistent with Baseline

Results: Latency Mea n La te nc y (µs ) Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% Partition - 95% Partition - 60% Partition - 20% Partition+Caching - 95% Partition+Caching - 60% Partition+Caching - 20% miss hit Flow Cache packet Table Selection Flow Selection Action Application packet hit miss packet Unknown Flows Priority Scheduler Hi Lo Bloom Filter Key Extraction Known Flows update thereafter Interface Speed (Gbps) ❇ Queue saturation causes high latency >1 Gbps □ Hits improve average latency ▲ Authorized traffic not yet seen incurs higher latency ▲ Once flow is learned, latency consistent with Cache  Higher latency at start of flow  Latency is constant with cache

Results: Jitter Jitte r (µs ) Baseline - 95% Baseline - 60% Baseline - 20% packet Key Extraction packet Table Selection Flow Selection Action Application packet Interface Speed (Gbps) ❇ Peaks at saturation point

Results: Jitter Jitte r (µs ) Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% miss hit packet Key Extraction Flow Cache packet Table Selection Flow Selection Action Application packet update Interface Speed (Gbps) ❇ Peaks at saturation point □ Difference in fast vs. slow path increases variance

Results: Jitter Jitte r (µs ) hit miss Priority Scheduler Filter packet Extraction Known Flows Unknown Flows packet Selection Application packet update Interface Speed (Gbps) Lo ❇ Peaks at saturation point □ Difference in fast vs. slow path increases variance ▲ Learning path incurs higher latency -> jitter ▲ Once flow is learned, jitter consistent with Caching Baseline - 95% Caching - 95%Partition - 95% Baseline - 60% Caching - 60%Partition - 60% 35 Baseline - 20% Caching - 20%Partition - 20%

Results: Jitter Jitte r (µs ) miss hit Flow Cache packet Table Selection Flow Selection Action Application packet hit miss Bloom Filter packet Key Extraction Unknown Flows update Priority Scheduler Hi Lo Known Flows update 0 priority mechanism Interface Speed (Gbps) ❇ Peaks at saturation point □ Difference in fast vs. slow path increases variance ▲ Learning path incurs higher latency -> jitter ▲ Once flow is learned, jitter consistent with Caching  Improves jitter incurred by Baseline - 95% Caching - 95%Partition - 95%Partition+Caching - 95% Baseline - 60% Caching - 60%Partition - 60%Partition+Caching - 60% 35 Baseline - 20% Caching - 20%Partition - 20%Partition+Caching - 20%

Conclusions Unknown Flows update SDN complexity increases stress on Classification Flow Cache minimizes the effect of repeatedly classifying high-throughput flows –Increases effective throughput Pre-Classification prioritizes known traffic –Reduces effect of malicious traffic Combined architecture provides orthogonal benefit – Helps decouple legitimate and malicious traffic miss hit Flow Cache packet Table Selection Flow Selection Action Application packet hit miss Bloom Filter packet Key Extraction Priority Scheduler Hi Lo 24 Known Flows update

Results: Throughput miss hit Flow Cache packet Table Selection Flow Selection Action Application packet hit miss Priority Scheduler Hi Lo Bloom Filter packet Key Extraction Known Flows Unknown Flows update Interface Speed (Gbps) 100 N ormalize d Throughpu t Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% Partition - 95% Partition - 60% Partition - 20% Partition+Caching - 95% Partition+Caching - 60% Partition+Caching - 20% 25

Results: Latency Mea n La te nc y (µs ) Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% Partition - 95% Partition - 60% Partition - 20% Partition+Caching - 95% Partition+Caching - 60% Partition+Caching - 20% miss hit Flow Cache packet Table Selection Flow Selection Action Application packet hit miss Bloom Filter packet Key Extraction Unknown Flows update Priority Scheduler Hi Lo Interface Speed (Gbps) Known Flows update 26

Results: Jitter Jitte r (µs ) Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% Partition - 95% Partition - 60% Partition - 20% Partition+Caching - 95% Partition+Caching - 60% Partition+Caching - 20% miss hit Flow Cache packet Table Selection Flow Selection Action Application packet hit miss Bloom Filter packet Key Extraction Unknown Flows update Priority Scheduler Hi Lo Known Flows update Interface Speed (Gbps) 27