The DPIaaS Controller Prototype

The DPIaaS Controller Prototype. DPI as a Service – Deepness Lab. This research was supported by the European Research Council under the European Union's Seventh Framework Programme (FP7/2007-2013) / ERC Grant agreement no. 259085.

Overview
- DPI as a Service – reminder
- The DPIaaS Controller prototype
- Traffic Steering Application (TSA)
- Evaluation
- Discussion

DPI as a Service (CoNEXT 2014)

Middleboxes, policy chains and DPI
SDN technology allows easy deployment of service chains within the network that consist of several such middleboxes. In this example three of the middleboxes perform DPI. Still:
- Each middlebox implements its own DPI engine (higher middlebox costs, reduced features)
- Each packet is scanned multiple times, wasting computation resources
- The DPI engine is considered a system bottleneck in many of today's middleboxes (30%-80% of processing time)

Our Solution: DPI as a Service
Use a single DPI engine that provides service to all network functions: one centralized DPI service instead of a separate DPI instance in each middlebox. By doing so we gain:
- Rich functionality: invest once, for all middleboxes
- Reduced costs: cheaper middlebox hardware/software
- Improved performance: scan each packet once; aggregate the match-rules
- Innovation: lower entry barriers

System Overview
[Figure: switches S1-S4; middleboxes TS (traffic steering), AV1, AV2, IDS1, IDS2, L7 FW1; DPI instances DPI1, DPI2; the DPI Controller and Traffic Steering app on top of the SDN controller, with the messages Register Rules, Add Patterns and Update Policy Chain; a "hello" packet traversing the chain]
We introduce a new application on top of the controller: the DPI Controller. Upon startup, each middlebox registers its rules at the DPI Controller, which in turn distributes the patterns extracted from these rules to one or more DPI Services in the network. It also instructs the traffic steering app to steer each packet first through the appropriate DPI Service and only then through the middleboxes of the service chain that require DPI. A packet that reaches the DPI Service is scanned. The scan results are added to the packet itself, using a tag, or an additional header when there is a wide range of possible pattern matches. The packet is then forwarded to the different middleboxes; the last one in the chain removes the results from the packet.

The DPIaaS Controller Prototype

Project goals
- Design and implement a DPIaaS controller prototype
- Design and implement a simple TSA
- Deploy a functioning DPIaaS network
- Test the system in complex networks
- Evaluate performance and compare to the article

Architecture Overview

The TSA (Traffic Steering Application) is based on "SIMPLE-fying Middlebox Policy Enforcement Using SDN" (SIGCOMM 2013), which addresses:
- Network composition
- Middlebox load-balancing
- Support for packet modifications
- Resource constraints: switch TCAM capacity

Simple TSA: of the SIMPLE features above (network composition, middlebox load-balancing, support for packet modifications, resource constraints / switch TCAM capacity), the prototype's TSA implements network composition; TCAM utilization and load-balancing are left for future work (see Conclusion and Future work).

TSA implementation: some technical issues
- Each policy has a unique OpenFlow match and a chain of hosts (IP addresses)
- The position in the chain is tracked using VLAN-id tags
- The TSA makes no changes to the packets other than the tag; it should only affect policy-chain traversal

TSA Configuration

TSA pseudo code
[Figure: worked example on a four-switch topology, showing the per-switch entries (next hop and VLAN ID) installed for a "hello" packet as it traverses the chain]

GenerateRules(PolicyChain)
    ChainHosts = findHosts(PolicyChain.hosts)
    Switches = getAllSwitches()
    vlanTag = firstVlan
    For (host, nextHost) in ChainHosts:
        If nextHost <> NULL:
            // handle packets leaving host toward the next host in the chain
            flow = generateFlowFromHost(host, nextHost, vlanTag+1, PRIORITY+2)
            result[getSwitch(host)].add(flow)
        For switch in Switches:
            // route to the next host
            If host is FirstHost:
                flows = generateRouteToFirstHost(host, switch, vlanTag, PRIORITY)
                result[switch].add(flows)
            flow = generateRouteToHost(host, switch, vlanTag, PRIORITY+1)
            result[switch].add(flow)
        vlanTag++

TSA pseudo code – Loop problem
[Figure: the same GenerateRules routine (as on the previous slide) applied to a four-switch topology where the installed per-switch entries form a forwarding loop]
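As an added example (not the project's own code), the following Python models the GenerateRules routine from the two slides above on a constructed four-switch topology, then replays a packet through the generated entries from every ingress switch. The replay is the check a practitioner wants for the loop problem: a chain that loops or skips a middlebox silently disables inspection, so every chain is walked and any repeated (switch, VLAN, ingress) state is reported. The topology, host placement, rule representation and the deliberately inconsistent next-hop function are assumptions of this example.

```python
"""Policy-chain steering rules with VLAN tags, following the TSA pseudocode,
plus a replay check that reports a forwarding loop or a skipped middlebox.
Topology, hosts, chain and the rule representation are constructed (assumptions)."""
from collections import deque

PRIORITY = 100    # base priority from the pseudocode
FIRST_VLAN = 10   # firstVlan: one VLAN id per chain position (assumption)

# Constructed topology: four switches in a ring, one middlebox on switches 1-3.
LINKS = {1: {2, 4}, 2: {1, 3}, 3: {2, 4}, 4: {1, 3}}
HOSTS = {"DPI1": 1, "IDS1": 2, "AV1": 3}   # middlebox -> attachment switch
CHAIN = ["DPI1", "IDS1", "AV1"]            # the DPI instance is steered first


def next_hop(links, src, dst):
    """First switch on a shortest path from src to dst (BFS); src != dst."""
    prev, queue = {src: None}, deque([src])
    while queue:
        u = queue.popleft()
        for v in sorted(links[u]):
            if v not in prev:
                prev[v] = u
                queue.append(v)
    cur = dst
    while prev[cur] != src:
        cur = prev[cur]
    return cur


def route_action(links, switch, host, hosts):
    """Output toward host: the host port if attached here, else the next switch."""
    if hosts[host] == switch:
        return ("host", host)
    return ("switch", next_hop(links, switch, hosts[host]))


def generate_rules(chain, hosts, links, hop=route_action):
    """GenerateRules(PolicyChain): per-switch entries. vlan=None matches untagged
    policy traffic; in_from=<mb> restricts an entry to packets handed back by that
    middlebox (generateFlowFromHost)."""
    rules = {sw: [] for sw in links}
    vlan = FIRST_VLAN
    for host, next_host in zip(chain, chain[1:] + [None]):
        if next_host is not None:                  # re-tag and steer to the next host
            rules[hosts[host]].append({
                "match": {"vlan": vlan, "in_from": host}, "set_vlan": vlan + 1,
                "out": hop(links, hosts[host], next_host, hosts), "priority": PRIORITY + 2})
        for sw in links:
            if host == chain[0]:                   # generateRouteToFirstHost
                rules[sw].append({
                    "match": {"vlan": None, "in_from": None}, "set_vlan": vlan,
                    "out": hop(links, sw, host, hosts), "priority": PRIORITY})
            rules[sw].append({                     # generateRouteToHost
                "match": {"vlan": vlan, "in_from": None}, "set_vlan": None,
                "out": hop(links, sw, host, hosts), "priority": PRIORITY + 1})
        vlan += 1
    return rules


def lookup(entries, vlan, in_from):
    """Highest-priority entry matching the packet's tag and ingress."""
    hits = [e for e in entries if e["match"]["vlan"] == vlan
            and e["match"]["in_from"] in (None, in_from)]
    return max(hits, key=lambda e: e["priority"], default=None)


def walk(rules, ingress, chain):
    """Replay an untagged packet from `ingress`; returns middleboxes visited in order.
    Raises RuntimeError on a table miss or when a (switch, vlan, ingress) state repeats."""
    sw, vlan, in_from = ingress, None, None
    visited, seen = [], set()
    while (sw, vlan, in_from) not in seen:
        seen.add((sw, vlan, in_from))
        entry = lookup(rules[sw], vlan, in_from)
        if entry is None:
            raise RuntimeError(f"table miss at switch {sw}, vlan {vlan}")
        if entry["set_vlan"] is not None:
            vlan = entry["set_vlan"]
        kind, target = entry["out"]
        if kind == "host":
            visited.append(target)
            if target == chain[-1]:
                return visited           # chain complete; the last middlebox strips the tag
            in_from = target             # the middlebox hands the packet back to its switch
        else:
            sw, in_from = target, None
    raise RuntimeError(f"loop at switch {sw}, vlan {vlan}")


def verify(rules, chain, links):
    """Walk the chain from every ingress switch; returns a list of problems (empty = OK)."""
    problems = []
    for sw in links:
        try:
            got = walk(rules, sw, chain)
            if got != chain:
                problems.append(f"ingress {sw}: visited {got}")
        except RuntimeError as err:
            problems.append(f"ingress {sw}: {err}")
    return problems


def stale_hop(links, switch, host, hosts):
    """Constructed fault: switches 3 and 4 hold inconsistent next hops toward switch 1
    (each points at the other), the kind of stale state that produces a loop."""
    if hosts[host] == 1 and switch in (3, 4):
        return ("switch", 7 - switch)
    return route_action(links, switch, host, hosts)
```

`verify(generate_rules(CHAIN, HOSTS, LINKS), CHAIN, LINKS)` returns an empty list, while the same call with `hop=stale_hop` reports a loop for packets entering at switches 3 and 4. The priorities mirror the pseudocode: the untagged policy match is lowest, the per-position route is above it, and the entry for packets coming back from a middlebox is highest so it beats the route that would otherwise hand the packet back to the same box.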

The DPI Controller
- Server for middleboxes and instances
- Global match-rules set of all the middleboxes
- Managing available instances
- Negotiating with the TSA
- Reacting to changes

DPI Controller strategies
- Rule-dividing strategy: policy chains balanced across instances
- Instance placement strategy: the assigned instance is placed at the beginning of each chain
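As an added example (not the project's code), the following Python models the control and data path from the System Overview slide together with the two strategies above: middleboxes register match-rules with a DPI controller, which deduplicates patterns across middleboxes, assigns each policy chain to the least-loaded instance and places that instance at the head of the chain; the instance scans the payload once, prepends a result header, every middlebox reads its own rules out of it, and the last middlebox strips it. The rule format, instance and middlebox names, the header layout and the sample HTTP request are assumptions of this example.

```python
"""DPI-as-a-Service control and data path: middleboxes register match-rules, the
controller deduplicates patterns and assigns chains to instances, the instance
scans once and tags the packet for every middlebox downstream. Rule format,
names, header layout and the sample request are assumptions (constructed)."""
import struct
from itertools import count

HDR_MAGIC = b"DPIR"   # assumed marker for the match-result header added by the instance


def scan(payload, patterns):
    """DPI instance: one scan of the payload against all loaded patterns; returns
    sorted global pattern ids (a real engine would use a multi-pattern automaton)."""
    return sorted({pid for pat, pid in patterns.items() if pat in payload})


def add_results(packet, pids):
    """Prepend the result header: magic, uint16 count, one uint16 per matched id."""
    body = b"".join(struct.pack("!H", pid) for pid in pids)
    return HDR_MAGIC + struct.pack("!H", len(pids)) + body + packet


def read_results(packet):
    """Parse the header; returns (matched ids, original packet). A packet that
    reaches a middlebox without it skipped the DPI instance: refuse it."""
    if not packet.startswith(HDR_MAGIC):
        raise ValueError("packet reached a middlebox without DPI results")
    (n,) = struct.unpack_from("!H", packet, 4)
    return list(struct.unpack_from(f"!{n}H", packet, 6)), packet[6 + 2 * n:]


class DPIController:
    def __init__(self, instances):
        self.instances = list(instances)
        self.pattern_ids = {}                            # pattern -> global id, shared by all MBs
        self.mb_rules = {}                               # middlebox -> {rule id: pattern id}
        self.chains = {i: [] for i in self.instances}    # instance -> assigned chains
        self._ids = count(1)

    def register_rules(self, middlebox, rules):
        """Register {rule id: pattern}; returns the rule id -> pattern id map."""
        ids = {r: self.pattern_ids.setdefault(p, next(self._ids)) for r, p in rules.items()}
        self.mb_rules.setdefault(middlebox, {}).update(ids)
        return ids

    def assign_chain(self, chain):
        """Balanced strategy: least-loaded instance; placement strategy: the instance
        goes at the start of the chain (this steered chain is what the TSA installs)."""
        inst = min(self.instances, key=lambda i: (len(self.chains[i]), i))
        self.chains[inst].append(list(chain))
        return [inst] + list(chain)

    def patterns_for(self, instance):
        """Patterns an instance loads: those of every middlebox in its chains."""
        needed = {pid for chain in self.chains[instance] for mb in chain
                  for pid in self.mb_rules.get(mb, {}).values()}
        return {p: pid for p, pid in self.pattern_ids.items() if pid in needed}


class Middlebox:
    """Middlebox mock: consumes DPI results instead of scanning itself."""
    def __init__(self, name, rules, controller):
        self.name = name
        self.rule_for_pid = {pid: r for r, pid in controller.register_rules(name, rules).items()}

    def handle(self, packet, last=False):
        """Returns (rule ids that fired, packet to forward); the last middlebox in
        the chain strips the result header before the packet leaves the chain."""
        ids, payload = read_results(packet)
        fired = sorted(self.rule_for_pid[p] for p in ids if p in self.rule_for_pid)
        return fired, (payload if last else packet)


def run_chain(steered, payload, controller, middleboxes):
    """Data path for one packet along a steered chain [instance, mb1, mb2, ...]."""
    inst, mbs = steered[0], steered[1:]
    packet = add_results(payload, scan(payload, controller.patterns_for(inst)))
    fired = {}
    for i, mb in enumerate(mbs):
        fired[mb], packet = middleboxes[mb].handle(packet, last=(i == len(mbs) - 1))
    return fired, packet


def demo():
    """Two chains over two instances; cmd.exe is registered by two middleboxes
    but stored, distributed and scanned once."""
    ctl = DPIController(["DPI1", "DPI2"])
    mbs = {
        "IDS1": Middlebox("IDS1", {"ids-1": b"/etc/passwd", "ids-2": b"cmd.exe"}, ctl),
        "AV1": Middlebox("AV1", {"av-1": b"cmd.exe", "av-2": b"EICAR"}, ctl),
        "L7FW1": Middlebox("L7FW1", {"fw-1": b"User-Agent: sqlmap"}, ctl),
    }
    chain_a = ctl.assign_chain(["IDS1", "AV1"])
    chain_b = ctl.assign_chain(["L7FW1"])
    req = b"GET /cgi-bin/../etc/passwd?x=cmd.exe HTTP/1.1\r\nUser-Agent: sqlmap\r\n\r\n"  # constructed
    return ctl, chain_a, chain_b, run_chain(chain_a, req, ctl, mbs), run_chain(chain_b, req, ctl, mbs)
```

In `demo()`, chain A is steered as `["DPI1", "IDS1", "AV1"]` and chain B as `["DPI2", "L7FW1"]`; DPI1 loads only the three patterns its two middleboxes need, scans the request once, and both IDS1 and AV1 read their hits out of the same header. `read_results` refusing a header-less packet is the check that matters operationally: a steering error that routes traffic around the DPI instance then fails loudly at the first middlebox instead of quietly inspecting nothing.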

Evaluation

Two types of evaluation
- Functional evaluation, using Mininet
- Performance evaluation, using virtual machines and a real OpenFlow switch

Additional tools (necessary in order to evaluate correctness and performance): mocks, wrappers, and a DPIaaS Mininet creation script
- Wrappers: wrap the Deepness IDS and service executables with DPI Protocol capabilities
- Middlebox mock: implements the DPI Protocol; can load match-rules from a file; can add and remove rules using an interactive console; loops packets back to the network
- Instance mock: registers and deregisters with the controller; prints incoming messages (match-rules)
- Setting up a DPI network using Mininet: supports a FatTree topology. Script steps: run the Mininet network with the desired topology; ping all host pairs to create connectivity; connect the DPI controller host to the SDN controller; run middleboxes and instances on the desired hosts; optionally load initial match-rules; can automatically start sniffing on parts of the network

Functional evaluation Testing the DPIaaS correctness in a large Fat-Tree network

Functional evaluation
[Figure: Fat-Tree topology with hosts 1-8]
We set up a large network that uses DPI as a Service, starting with 3 middleboxes and 1 DPI instance, and test it by sniffing and sending different packets:
- Add an instance and see the network change automatically
- Play with the TSA
- Add a new middlebox to the network and to the policy chain
- Add some rules
- Change a policy class

Performance evaluation
- Deploy and test the system in a real environment, using a real OpenFlow switch
- Compare full-system performance to the paper's preliminary results

Evaluation setup

Testing scenario: HTTP, top sites from Alexa

Results (two slides): the paper's results compared with the full-system results

Further investigation
- Virtualization-related drops
- Divide-and-conquer experiments (additional experiments): run on the physical servers only; run without the network
- The libpcap issue

Conclusion and future work
We have a functioning system; now what?
- Verify the results
- ODL impressions: very complex, but it provides many services
- DPI controller: implement better strategies (a more efficient division of the rules and the instances; enables scaling of the instances)
- TSA: improve TCAM utilization; load-balancing