OpenBox: A Software-Defined Framework for Developing, Deploying, and Managing Network Functions Yotam Harchol The Hebrew University of Jerusalem Joint work with Anat Bremler-Barr (IDC) and David Hay (HUJI) How to bring software defined networking to network functions and why Separate control/data? To appear in ACM SIGCOMM 2016 A preliminary version of this work was published in ACM SIGCOMM HotMiddleboxes 2015
Software-Defined Networking 40%-60% of the appliances are not switches / routers! [Sherry & Ratnasamy, ‘12] Logically-centralized control: Smart, slow Management Plane: Human time scale Firewalls Intrusion detection Network anti-virus Leakage prevention Caching Load balancing Billing NAT Encoders Gateways SSL termination TCP optimization … SDN Controller API to data plane (e.g., OpenFlow) There is a revolution in the world: SDN Great idea: Nicira, Barefoot We bring SDN to middleboxes We implemented this Control Plane: Distributed algorithms Data Plane: Packet streaming Switches: Dumb, fast Data Plane: Packet streaming and processing
Network Functions Expensive to own and to operate Hard to manage – separate vendors No elastic scaling Complex - dominate overall network performance "Network function" is a general term for all those appliances in the network that are not doing forwarding (not switches/routers)
Software-Defined Solutions Forwarding plane (switches, routers): High cost Limited management No multi-tenancy Limited functionality and limited innovation Complex distributed algorithms Forwarding plane (switches, routers): High cost Limited management No multi-tenancy Limited functionality and limited innovation Complex distributed algorithms Solution: SDN / OpenFlow Network Functions (Middleboxes): Higher cost Limited and separate management Limited provisioning and scalability No multi-tenancy Limited functionality and limited innovation Similar processing steps, no re-use Our solution: OpenBox Network Functions (Middleboxes): Higher cost Limited and separate management Limited provisioning and scalability No multi-tenancy Limited functionality and limited innovation Similar processing steps, no re-use OpenBox Controller SDN Controller NFV only targets cost and provisioning/scalability OBI OBI OBI
Challenges Northbound API / language for specifying NF logic Logically-centralized controller that unifies logic of multiple network functions from multiple tenants Communication protocol between controller and data plane Specification of data plane instances Support for hardware accelerators Dynamically extend the protocol Network Functions Northbound API What is the right decoupling between ctrl and data plane Logically-Centralized Controller Control Plane Southbound Protocol Data Plane Data Plane Instances
OpenBox OpenBox: A new protocol Decouples network function control from their data plane Unifies data plane of multiple network functions Benefits: Easier, unified control Better performance Scalability Flexible deployment Multi-tenancy Innovation OpenBox Applications Northbound API OpenBox Controller Control Plane OpenBox Protocol Data Plane www.openboxproject.org OpenBox Service Instances github.com/OpenBoxProject
A Different View of Network Functions Previous works: Network Function = monolithic closed unit Traffic Steering (e.g., SIMPLE [Sigcomm ‘13]) Placement and Virtualization (e.g., CoMb [NSDI ’12]) NFV orchestration (e.g., OpenStack, OpenMano, Statos, E2 [SOSP ‘15]) State Management (e.g., OpenNF [Sigcomm ‘14]) Runtime Platform (e.g., xOMB [ANCS ‘12], SDM [INFOCOM ‘14]) OpenBox: Network Function = logical application Most processing steps are shared among many types of network functions Some steps can be done once for multiple applications Some of them tried to provide frameworks with similar management goals as ours But their basic building block is a NF We say - it's an application - let's look inside OpenBox Applications OpenBox Controller
What Network Functions Do? Firewall: Read Packets Header Classifier Drop Alert Output Load Balancer: Read Packets Header Classifier Rewrite Header Output Intrusion Prevention System: Read Packets Header Classifier Drop Alert DPI Output
Most network functions do very similar processing steps Observation: Most network functions do very similar processing steps But there is no re-use…
What Network Functions Do? Read Packets Store Packet Restore Packet Caching HTML Normalizer JavaScript Normalizer XML Normalizer Normalization Alert Log Reporting Output Drop Terminals Header Classifier DPI Classification FIFO Queue Front Drop Queue RED Queue Leaky Bucket Queue Management Gzip Decompress Gzip Compress De/compression Talk about NB API Begin Transaction Rollback Transaction Commit Transaction Transactions VLAN Pop VLAN Push Rewrite Header Header Modification
Northbound API Specify processing graph and block configuration NB API Read Packets Header Classifier Drop Alert Output Rewrite Header DPI OpenBox Applications Specify processing graph and block configuration Events, Load information NB API OpenBox Controller WE WANT OpenBox Protocol Control Plane Data Plane OpenBox Service Instances
Logically-Centralized Controller Multiple tenants run multiple applications for multiple policies in the same network No data sharing between applications OpenBox Applications NB API SDN Protocol SDN Switches SDN Controller Network-wide view Automatic scaling, provisioning, placement, and steering OpenBox Controller WE WANT OpenBox Protocol Control Plane Data Plane OpenBox Service Instances
OpenBox Service Instance OpenBox Data Plane Read Packets Store Packet Restore Packet Caching HTML Normalizer JavaScript Normalizer XML Normalizer Normalization Alert Log Reporting Output Drop Terminals Header Classifier DPI Classification OpenBox Service Instance Virtual or Physical FIFO Queue Front Drop Queue RED Queue Leaky Bucket Queue Management Gzip Decompress Gzip Compress De/compression Begin Transaction Rollback Transaction Commit Transaction Transactions Provides data plane services to realize the logic of network functions Controlled by the logically-centralized OpenBox controller VLAN Pop VLAN Push Rewrite Header Header Modification
Distributed Data Plane Alert DPI Header Classifier Rewrite Header Metadata OpenBox Service Instance Hardware (TCAM) E.g., an OpenFlow switch with encapsulation features OpenBox Service Instance Software
Split Processing Graph HW Instance: Read Packets Header Classifier Write Metadata Encapsulate Metadata Output Drop SW Instance: DPI CHANGE GRAPH!! DPI Drop Read Packets Decapsulate Metadata Read Metadata DPI Alert Output
OpenBox Service Instance OpenBox Service Instance Extensible Data Plane Media Encoder OpenBox Controller OpenBox Service Instance Hardware Implementation Supports encapsulation OpenBox Service Instance Software A new software module can be injected from control plane without modifying or re-deploying software in data plane
Scalable & Reliable Data Plane Scalability Provisioning Reliability OpenBox Controller Provision OBI OBI OBI OBI OBI OBI OBI OBI OBI OBI OBI OBI
Performance ≈ Diameter of Graph (# of classifiers) Naïve Graph Merge Firewall: Read Packets Header Classifier Drop Alert Output Concatenated Processing Graph: Header Classifier Drop Alert (IPS) DPI Output Read Packets (Firewall) Intrusion Prevention System: Read Packets Header Classifier Drop Alert DPI Output Performance ≈ Diameter of Graph (# of classifiers)
Shorter Diameter (less classifiers) Graph Merge Algorithm Merged Processing Graph: Alert (Firewall) DPI Alert (Firewall) DPI Read Packets Header Classifier Alert (Firewall) DPI Alert (IPS) Output It may not always be good to merge, controller can determine when it is good Alert (Firewall) Drop Shorter Diameter (less classifiers)
Implementation github.com/OpenBoxProject Java-based Controller App App App App Java-based Controller Northbound API REST client/server Graph Aggregator Network Manager Management API REST REST API Generic wrapper for execution engines (Python) Translation Engine Click-based execution engine (C++) TCP Software OpenBox Service Instance
Performance Improvement VM1 Firewall VM2 IPS Without OpenBox VM1 OBI1: FW+IPS VM2 OBI2: FW+IPS With OpenBox Standalone VM NF Pipeline -35% +86%
Conclusions Network functions are currently a real challenge in large scale networks OpenBox decouples the data plane processing from network function control logic and: Reduces costs Enhances performance Improves scalability Increases reliability Provides multi-tenancy Allows easier innovation OpenBox Applications NB API OpenBox Controller OpenBox Protocol Control Plane Data Plane OpenBox Service Instances
Questions? Thank You!