Xin Li, Chen Qian University of Kentucky

An NFV Orchestration Framework for Interference-free Policy Enforcement
Xin Li, Chen Qian, University of Kentucky

Network Function
  A.k.a. middlebox
  A networking device that performs functions other than packet forwarding
  Built on proprietary hardware

Network Function: examples
  Security: Firewall, IDS
  Acceleration: WAN Optimizer, Proxy

Policy Chain
  Correctness: the sequential order of the chain must be respected
  Efficiency: traffic should not traverse unnecessary network functions
  Example: HTTP traffic -> Firewall -> IDS -> Proxy; non-HTTP traffic -> Firewall

Network Functions Placement
  Policy chain: Firewall -> IDS -> Proxy for HTTP traffic
  Placement of hardware middleboxes (Firewall, Proxy) among switches S1..S4 is not easy to re-deploy

Placement: Hardware Network Functions, Traffic Steering (SIMPLE [SIGCOMM'13])
  Policy chain for HTTP: Firewall -> Proxy -> IDS, enforced by steering traffic through S1, S2 to Dst
  Image from https://users.ece.cmu.edu/~vsekar/slides/sigcomm13_simple.pptx

Drawbacks of Traffic Steering
  Modified routing path: conflicts with other applications, e.g. traffic engineering
  Additional path length: more latency and bandwidth
  Complex routing rules: more forwarding table entries, loops, and an additional mechanism (e.g. tags) is needed

Network Functions Virtualization
  Hardware network functions (IDS, WAN Optimizer, Proxy) become software: Virtual Network Functions (VNFs)
  More flexible and cheaper
  New opportunity: interference-free policy enforcement

NFV Orchestration Properties
  Policy enforcement: the sequence order should be respected
  Interference-freedom: the routing path is not changed
  Isolation (security and performance): one virtual machine per network function

NFV Orchestration Framework: core idea
  Network functions are contained in VMs for isolation
  The required VNFs are placed on the path of each traffic flow, so the routing path is not changed

Challenges
  Resource-efficient placement of VNFs while enforcing policies: an optimization problem
  Traffic is highly dynamic: fast failover, scale in/out

Framework Overview
  Inputs to the Optimization Engine: flow spec (traffic, e.g. 1k / 0.5k; policy, e.g. http: FW -> Proxy; path) and available resources, taken from the outputs of the other apps
  SDN controller: App1, App2, ...; the framework co-exists with other apps and is a normal app from the SDN controller's view
  Framework components: Optimization Engine, Rule Generator, Dynamic Handler, Resource Orchestrator (core)
  Rule Generator: takes the Optimization Engine output as input and generates routing rules (switch and vswitch)
  Resource Orchestrator: installs VNFs in the APPLE hosts
  Hosts: host the VNFs; once overloaded, send a notification to the Dynamic Handler
  Dynamic Handler: fast failover if overloaded

Framework Overview (components): SDN controller with App1, App2, ...; inputs Traffic, Policy, Path, Resource; Resource Orchestrator; Optimization Engine; Dynamic Handler; Rule Generator

Optimization Engine: input granularity
  Flows having the same path and policy chain are aggregated into a class
  Benefits: reduced input size; wildcard rules instead of exact-match rules reduce forwarding table entry consumption

Optimization Engine: spatial distribution
  Load balance across instances; handle jumbo classes
  Example policy chain: Firewall -> IDS

Optimization Engine: algorithm
  Objective: minimize the number of VNFs
  Input: VNF capacity (the max traffic rate it can process); available resources and VNF resource consumption; policy chains; routing paths; traffic matrix (estimated by another application)
  Output: the place and quantity of each VNF (placement); the portion of traffic of each class to be processed in each VNF instance (rule generation)

Optimization Engine: solving
  Integer Linear Programming (ILP) on the number of VNFs, solved with CPLEX; NP-hard (reduced to the Set Cover problem)
  Approximation algorithm: LP relaxation

  Topology   Nodes  Links        ILP time     Approx. algorithm time
  Internet2  12     15           0.08 sec     0.029 sec
  GEANT      23     74           0.42 sec     0.1 sec
  UNIV1      43     (not given)  0.59 sec     0.235 sec
  AS-3679    79     147          633.59 sec   3.013 sec


Rule generator
  Optimization Engine output: the portion of traffic of each class to be processed in each VNF instance
  Forwarding rules cannot be generated from this output directly

Rule generator: sub-classes
  Sub-class: aggregation of flows within a class that traverse the same VNF instances
  Any workload assignment to sub-classes is accepted as long as the result of the Optimization Engine is preserved
  Example policy chain Firewall -> IDS with two FW instances and two IDS instances

Rule generator: ways to enforce the workload assignment
  Consistent hashing, e.g. <10.0.0.0/24, h ∈ [0, 0.75]>: no available API in commodity switches
  Split rules, e.g. <10.0.0.0/25, 10.0.0.128/26>: multiple rules
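The split-rule option above can be implemented by carving a class's address prefix into consecutive sub-prefixes whose sizes match the traffic share assigned to each VNF instance. The following is an added example written for this page, not code from the paper or its prototype; it uses only Python's standard ipaddress module, and the prefix, instance names and shares are constructed sample values. Besides producing the split rules it counts how many forwarding rules the split costs against the one <prefix, hash range> rule per instance that a hashing-capable switch would need, which is the trade-off the slide points at; shares whose boundary is not aligned to a prefix boundary are handled too and simply cost more rules.

```python
import ipaddress
from fractions import Fraction

# Constructed sample (assumed values, not from the paper): class 10.0.0.0/24 with
# 3/4 of its firewall workload assigned to instance fw1 and 1/4 to fw2.
SAMPLE_PREFIX = "10.0.0.0/24"
SAMPLE_SHARES = [("fw1", Fraction(3, 4)), ("fw2", Fraction(1, 4))]
# A second constructed assignment whose boundary (1/3) is not prefix-aligned.
UNEVEN_SHARES = [("fw1", Fraction(1, 3)), ("fw2", Fraction(2, 3))]


def partition_prefix(prefix, shares):
    """Carve `prefix` into consecutive address ranges proportional to `shares`
    and express each range as the minimal list of CIDR blocks (split rules).

    shares: list of (instance_name, Fraction) summing to 1, laid out in order.
    Returns a list of (instance_name, [ip_network, ...]); a share that rounds
    to zero addresses gets an empty rule list.
    """
    net = ipaddress.ip_network(prefix)
    if sum(share for _, share in shares) != 1:
        raise ValueError("shares must sum to 1")
    addr_type = type(net.network_address)   # IPv4Address or IPv6Address
    base = int(net.network_address)
    start = base
    cumulative = Fraction(0)
    rules = []
    for inst, share in shares:
        cumulative += share
        end = base + round(net.num_addresses * cumulative)   # exclusive bound
        if end <= start:
            rules.append((inst, []))
            continue
        # summarize_address_range yields the fewest CIDR blocks covering [start, end-1]
        blocks = list(ipaddress.summarize_address_range(addr_type(start), addr_type(end - 1)))
        rules.append((inst, blocks))
        start = end
    return rules


def rule_count(rules):
    """Total number of forwarding rules a split-rule assignment needs."""
    return sum(len(blocks) for _, blocks in rules)


def hash_rule_count(shares):
    """Rules needed if the switch matched <prefix, hash range>: one per instance with load."""
    return sum(1 for _, share in shares if share > 0)


if __name__ == "__main__":
    for name, shares in (("aligned", SAMPLE_SHARES), ("uneven", UNEVEN_SHARES)):
        assignment = partition_prefix(SAMPLE_PREFIX, shares)
        for inst, blocks in assignment:
            print(name, inst, [str(b) for b in blocks])
        print(name, "split rules:", rule_count(assignment),
              "hash rules:", hash_rule_count(shares))
```

For the 3/4 : 1/4 split the function reproduces the slide's rules (10.0.0.0/25 and 10.0.0.128/26 for the first instance, 10.0.0.192/26 for the second); the 1/3 : 2/3 split still covers all 256 addresses but needs nine rules, which is the table-entry cost the slide's "multiple rules" remark refers to.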


Dynamic Handler
  Example policy chain: Firewall -> IDS
  On an overload notification: initiate a new VM (new FW) using ClickOS (lightweight), then install new forwarding rules

Implementation
  Core: stand-alone REST API
  Components: Network Controller, Resource Orchestrator, ClickOS VMs, Linux bridge (Linux-br)
  XEN VMs can't be connected to Open vSwitch directly

Prototype Emulation: Dynamic Handler under overload, then roll back

Simulation Evaluation: methodology
  The input to the Optimization Engine is the average traffic matrix
  Observe the performance of APPLE under a time-varying traffic matrix

Simulation Evaluation: setup
  Topologies: campus network, enterprise network, data center
  Network functions: each host has 64 cores; 4 network functions (FW, IDS, Proxy, IDS) with different core requirements and capacities
  Policy: synthesized network policy chains

Simulation Evaluation (result figures)

Simulation Evaluation: less packet loss

Conclusion
  We design and implement an interference-free NFV Orchestration Framework
  Resource efficient
  Incorporates network dynamics
  Integrates ClickOS and OpenStack

Thank you!

Backup slides

Optimization Engine: policy enforcement
  To enforce policies, the requirements are two-fold for each flow:
  1. For each network function specified by the policy for a flow, at least one instance is on the network path.
  2. For any VNF instance n, there is at least one instance of the VNF succeeding n on the same switch as n or on a downstream switch of the path (applied recursively along the chain).
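The two requirements above, together with the class aggregation described under "input granularity", are concrete enough to check in code. The following is an added example written for this page, not the paper's optimizer: it groups constructed sample flows into (path, chain) classes, validates a placement against both requirements (requirement 2 is checked for every pair of consecutive VNFs in the chain, which is the recursive form), and walks the unchanged routing path to find where each VNF of a class is processed. Flow ids, rates, switch names and the placements are assumed sample values.

```python
from collections import defaultdict

# Constructed sample flows (assumed values, not the paper's dataset): each flow has
# an estimated rate, its routing path (switches) and its policy chain.
SAMPLE_FLOWS = [
    {"id": "f1", "rate": 1000, "path": ["S1", "S2", "S3", "S4"], "chain": ["FW", "IDS", "Proxy"]},
    {"id": "f2", "rate": 500,  "path": ["S1", "S2", "S3", "S4"], "chain": ["FW", "IDS", "Proxy"]},
    {"id": "f3", "rate": 200,  "path": ["S1", "S2", "S4"],       "chain": ["FW"]},
]

# Constructed placements: switch -> set of VNF types hosted at that switch.
GOOD_PLACEMENT = {"S1": {"FW"}, "S2": {"IDS"}, "S3": {"Proxy"}}
BAD_PLACEMENT = {"S1": {"IDS"}, "S2": {"FW"}}   # IDS sits upstream of FW


def aggregate_classes(flows):
    """Aggregate flows sharing the same (path, policy chain) into one class and sum
    their rates; this is the class granularity the Optimization Engine consumes."""
    classes = defaultdict(lambda: {"rate": 0, "flows": []})
    for flow in flows:
        key = (tuple(flow["path"]), tuple(flow["chain"]))
        classes[key]["rate"] += flow["rate"]
        classes[key]["flows"].append(flow["id"])
    return dict(classes)


def policy_violations(path, chain, placement):
    """Check the two policy-enforcement requirements for one class.
    1. every VNF type in the chain has an instance somewhere on the path;
    2. for every instance of chain[i] at path position p, an instance of chain[i+1]
       exists at p or downstream (checked pairwise, hence recursively along the chain).
    Returns a list of violation strings; empty means the placement enforces the policy."""
    hosts = {nf: [i for i, sw in enumerate(path) if nf in placement.get(sw, ())] for nf in chain}
    violations = []
    for nf in chain:
        if not hosts[nf]:
            violations.append(f"{nf}: no instance on path {'->'.join(path)}")
    for nf, nxt in zip(chain, chain[1:]):
        for pos in hosts[nf]:
            if not any(q >= pos for q in hosts[nxt]):
                violations.append(f"{nf}@{path[pos]}: no {nxt} at or downstream")
    return violations


def processing_points(path, chain, placement):
    """Walk the unchanged routing path and pick, for each VNF in chain order, the first
    hosting switch not upstream of the previous one. Returns {vnf: switch}, or None
    when the chain cannot be completed on this path."""
    points, pos = {}, 0
    for nf in chain:
        hits = [i for i in range(pos, len(path)) if nf in placement.get(path[i], ())]
        if not hits:
            return None
        pos = hits[0]
        points[nf] = path[pos]
    return points


if __name__ == "__main__":
    for (path, chain), info in aggregate_classes(SAMPLE_FLOWS).items():
        print("class", path, chain, "rate", info["rate"], "flows", info["flows"])
        for name, placement in (("good", GOOD_PLACEMENT), ("bad", BAD_PLACEMENT)):
            print("  ", name, "violations:", policy_violations(list(path), list(chain), placement),
                  "processing:", processing_points(list(path), list(chain), placement))
```

Running it shows the two HTTP-like flows collapsing into one class of rate 1500, the good placement passing with FW, IDS and Proxy processed at S1, S2 and S3 along the existing path, and the bad placement failing requirement 2 because nothing can process IDS after the firewall at S2.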