Authors: Mark Reitblatt, Nate Foster, Jennifer Rexford, Cole Schlesinger, David Walker Presenter: Byungkwon Choi Abstractions for Network Update INA.

Presentation transcript:


Networks exist in a state of flux (2 / 26)
Upgrade, Reboot, Traffic Flows. [Figure label: SSH: Drop]
* reference: author's slides

Networks exist in a state of flux (3 / 26)
Virtual Machines, Traffic Flows.
* reference: author's slides

Example: Distributed Access Control (4 / 26)
Security Policy (columns: Src, Traffic, Action)
- Traffic SSH: Action Drop
- Traffic Non-SSH: Action Allow
- Traffic Any: Action Allow
[Diagram over several animation steps: Traffic enters switch I, which forwards to F1, F2 and F3 (groupings shown: "F1" and "F2, F3", later "F1, F2" and "F3"); rule labels "Other:", "SSH:" and "Any:" on the filtering switches; later steps show an update "Order" over I, F1, F2, F3.]
* Design from author's slide

Goal (5 / 26)
Security Policy: before update, during update, after update.

Valid Transition Plan (6 / 26)
1. Update I to forward all trusted traffic to F3, while continuing to forward untrusted to F1.
2. Wait until in-flight packets have been processed by F2.
3. Update F2 to drop SSH packets.
4. Update I to forward untrusted traffic to F2 also, while continuing to forward trusted traffic to F3.
Tedious and error-prone. Sometimes step-by-step is not possible either!

Prior Works (7 / 26)
Consensus Routing, Reliable BGP, Graceful Migration, Seamless Migration.
Limited to a specific protocol/set of properties; increasing the complexity!
* reference: author's slides

Network Update Abstractions (8 / 26)
Tools for whole network update
- Preventing errors during update
- Preserving many properties
- Allowing the programmer to update the entire network in one fell swoop

Per-Packet Consistent Update (9 / 26)
Each packet is processed with old or new configuration, but not a mixture of the two.
[Diagram: a packet handled by the old configuration or the new configuration, not by a mixture of the two.]

Universal Property Preservation (10 / 26)
- Trace Property: any property of a single packet's path through the network.
- Examples of Trace Properties: loop freedom, access control, waypointing …
- Universal Property Preservation: if a trace property such as loop-freedom or access control holds of the network configurations before and after an update, it is guaranteed that the trace property holds of every trace generated throughout the update process.
- Theorem: per-packet consistent updates preserve all trace properties.

2-Phase Update (11 / 26)
Algorithm
(1) Install new rules on internal switches, leaving the old configuration in place.
(2) Install edge rules on ingress switches that stamp packets with the new version number.
[Diagram: an SSH packet passing an ingress switch and an internal switch (F1) with rule labels "Any:", "Other:" and "SSH:".]

2-Phase Update in Action (12 / 26)
[Diagram over several animation steps: switch I with filters F1, F2 and F3; groupings "F1" and "F2, F3", then "F1, F2" and "F3"; rule labels "Other:", "SSH:" and "Any:" appear on the switches as the new rules are installed.]

Atomic Update? (13 / 26)
Security Policy (columns: Src, Traffic, Action)
- Traffic SSH: Action Drop
- Traffic Non-SSH: Action Allow
- Traffic Any: Action Allow
[Diagram over several animation steps: an SSH packet travels from switch I towards F1, F2 and F3 while the groupings change from "F1" and "F2, F3" to "F1, F2" and "F3"; rule labels "Other:", "SSH:" and "Any:".]

Correctness (14 / 26)
Question: Is 2-Phase Update a per-packet consistent update?
Answer: YES
- Implementing per-packet consistent updates can be reduced to 2 blocks.
Unobservable Update + One-touch Update = Per-packet Update
2-Phase Update = Per-packet update
(1) Unobservable Update
- An update that does not change the set of traces generated by a network.
- The 1st step of 2-Phase Update is an unobservable update.
(2) One-touch Update
- An update with the property that no packet can follow a path through the network that reaches an updated part of the switch rule space more than once.
- The 2nd step of 2-Phase Update is a one-touch update.
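The access-control example above as an added, runnable model (not code from the slides or the paper): it compares overwriting switches one at a time with the 2-Phase Update and reports which packets break the security policy, including packets still in flight between I and a filter. The trusted/untrusted split is an assumption taken from the transition plan, and all rule and function names are illustrative.

```python
# Constructed model of the slides' example: ingress I load-balances over
# filters F1-F3. The trusted/untrusted split is an assumption taken from
# the transition plan; all names below are illustrative.
OLD = {"I": {"untrusted": ["F1"], "trusted": ["F2", "F3"]},
       "F1": "drop_ssh", "F2": "allow_all", "F3": "allow_all"}
NEW = {"I": {"untrusted": ["F1", "F2"], "trusted": ["F3"]},
       "F1": "drop_ssh", "F2": "drop_ssh", "F3": "allow_all"}
FILTERS = ("F1", "F2", "F3")

def tagged(cfg, ver):
    """Network state: ingress = (stamp, routes); filter = {version: action}."""
    state = {f: {ver: cfg[f]} for f in FILTERS}
    state["I"] = (ver, cfg["I"])
    return state

def violations(states):
    """Policy breaches over packets entering in state i, filtered in state j >= i."""
    bad = set()
    for i, s_in in enumerate(states):
        stamp, routes = s_in["I"]
        for s_f in states[i:]:                  # packet may still be in flight
            for src, hops in routes.items():
                for f in hops:
                    action = s_f[f][stamp]      # filter matches on the stamp
                    for proto in ("ssh", "web"):
                        dropped = action == "drop_ssh" and proto == "ssh"
                        if dropped != ((src, proto) == ("untrusted", "ssh")):
                            bad.add((src, proto, f))
    return bad

def naive_states(order):
    """In-place update: overwrite one switch at a time, no version tags."""
    new, states = tagged(NEW, 0), [tagged(OLD, 0)]
    for sw in order:
        states.append({**states[-1], sw: new[sw]})
    return states

def two_phase_states():
    """Phase 1 adds v1 rules beside v0 on filters; phase 2 flips the stamp."""
    s0 = tagged(OLD, 0)
    s1 = {**s0, **{f: {0: OLD[f], 1: NEW[f]} for f in FILTERS}}
    s2 = {**s1, "I": (1, NEW["I"])}
    return [s0, s1, s2]

if __name__ == "__main__":
    print("I then F2:", sorted(violations(naive_states(["I", "F2"]))))
    print("F2 then I:", sorted(violations(naive_states(["F2", "I"]))))
    print("two-phase:", sorted(violations(two_phase_states())))
```

Both whole-switch orderings violate the policy at F2 (one lets untrusted SSH through, both drop trusted SSH), while the versioned update never does, because a packet stamped with one version is matched only against that version's rules.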

Verification (15 / 26)
To verify whether a configuration adheres to the security policy, the programmer can turn any trace property checker into a verification engine.
[Diagram: the old configuration and the new configuration are each checked against the Security Policy by an Analyzer.]
Verification Tools
- Anteater [SIGCOMM '11]
- Header Space Analysis [NSDI '12]
- ConfigChecker [ICNP '09]

Optimized Mechanisms (16 / 26)
- Update Proportionality: the cost of installing a new configuration should be proportional to the size of the configuration change.
- Cases for Optimizations
(1) Extension: strictly adding paths
(2) Retraction: strictly removing paths
(3) Subset: affecting small # of paths
* reference: author's slides

Subset Optimization (17 / 26)
[Diagram over several animation steps: switch I with filters F1, F2 and F3; grouping "F1" and "F2, F3", later "F1" and "F2"; rule labels "Other:", "SSH:" and "Any:"; only the rules touching F2 change.]

Implementation (18 / 26)
Runtime
- NOX Library
- OpenFlow k lines of Python
- Using VLAN tags for versions
* reference: author's slides

Evaluation (19 / 26)
* reference: author's slides

Experimental Results (20 / 26)
Results comparing 2-Phase Update (2PC) with their subset optimization (Subset)
- Subset was more effective than 2PC with routing application.
- Fewer improvements for the multicast example
* reference: Table 2 in the paper

Conclusion (21 / 26)
Update abstractions
- Per-packet consistent update: only one configuration adopted to each packet; preserving all trace properties
Mechanisms
- 2-Phase Update
- Optimizations
Network update without errors and in one fell swoop using a high-level abstract operation

Additional Problem: Excess of Link Capacity (22 / 26)
During traffic migration
- Difficulty in synchronizing the changes to the flows
- Could lead to severe congestion
- Cannot be solved by 2-Phase Update mechanism

zUpdate: Updating with Zero Loss (23 / 26)
- Constant: Current Traffic Distribution
- Variable: Target Traffic Distribution
- Variable: Intermediate Traffic Distribution
- Constraint: Congestion-free
- Constraint: Update Requirements
* reference: author's slides

zUpdate: Updating with Zero Loss (24 / 26)

zUpdate: Updating with Zero Loss (25 / 26)
Conclusion
- Switch and flow asynchronization can cause severe congestion during datacenter network (DCN) updates.
- We present zUpdate for congestion-free DCN updates
- Novel algorithms to compute update plan
- Practical implementation on commodity switches
- Evaluations in real DCN topology and update scenarios
* reference: author's slides

Discussion (26 / 26)
How do we know when to conduct the 2nd step of 2-Phase Update?
- There is nothing to check whether the installation of new rules on internal switches has been done or not.
What if the traffic distribution changes during the calculation?
- Is it still possible to update with zero loss at this time?
* reference: author's slides

Thank you! Q & A