of Dynamic NFV-Policies

Slides:



Advertisements
Similar presentations
Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul
Advertisements

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Toward Practical Integration of SDN and Middleboxes
SIMPLE-fying Middlebox Policy Enforcement Using SDN
SDN Applications Jennifer Rexford Princeton University.
Composing Software-Defined Networks Princeton*Cornell^ Chris Monsanto*, Joshua Reich* Nate Foster^, Jen Rexford*, David Walker*
Nanxi Kang Princeton University
Jennifer Rexford Princeton University
Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.
Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.
Toward Practical Convergence of Middleboxes and Software-Defined Networking Vyas Sekar Joint work with: Seyed Kaveh Fayazbakhsh, Zafar Qazi, Luis Chiang,
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Network Service Header (NSH) draft-quinn-sfc-nsh IETF 90
Network Based Services in Mobile Networks Context, Typical Use Cases, Problem Area, Requirements IETF 87 Berlin, 29 July 2013 BoF Meeting on Network Service.
Generalized Virtual Networking: an enabler for Service Centric Networking and Network Function Virtualization Stefano Salsano (1), Nicola Blefari-Melazzi.
Programming Abstractions for Software-Defined Networks Jennifer Rexford Princeton University.
Report of Interconnectivity Testing of Service Function Chaining by Six Companies NTT Alaxala Networks Cisco Systems Hitachi Alcatel-Lucent Japan et al.
Policy Based Routing using ACL & Route Map By Group 7 Nischal ( ) Pranali ( )
1 A Policy-aware Switching Layer for Data Centers Dilip Joseph Arsalan Tavakoli Ion Stoica University of California at Berkeley.
Jaehoon (Paul) Jeong, Hyoungshick Kim, and Jung-Soo Park
Microsoft Virtual Academy Module 4 Creating and Configuring Virtual Machine Networks.
A Survey on Interfaces to Network Security
Toward Software-Defined Middlebox Networking Aaron Gember, Prathmesh Prabhu, Zainab Ghadiyali, Aditya Akella University of Wisconsin-Madison 1.
1 Multi-Protocol Label Switching (MPLS) presented by: chitralekha tamrakar (B.S.E.) divya krit tamrakar (B.S.E.) Rashmi shrivastava(B.S.E.) prakriti.
SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Justine Sherry*, Shaddi Hasan*, Colin Scott*, Arvind Krishnamurthy†,
Enabling Innovation Inside the Network Jennifer Rexford Princeton University
Software-Defined Networks Jennifer Rexford Princeton University.
Higher-Level Abstractions for Software-Defined Networks Jennifer Rexford Princeton University.
Sungkyunkwan University (SKKU) Security Lab. A Framework for Security Services based on Software-Defined Networking Jaehoon (Paul) Jeong 1, Jihyeok Seo.
Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags Seyed K. Fayazbakhsh *, Luis Chiang ¶, Vyas Sekar *, Minlan.
AWS Cloud Firewall Review Architecture Decision Group October 6, 2015 – HUIT-Holyoke-CR 561.
Extending SDN to Handle Dynamic Middlebox Actions via FlowTags (Full version to appear in NSDI’14) Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan.
Aaron Gember, Theophilus Benson, Aditya Akella University of Wisconsin-Madison.
SIMPLE-fying Middlebox Policy Enforcement Using SDN
FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions Author: Seyed Kaveh Fayazbakhsh, Vyas Sekar, Minlan Yu and Jeffrey.
SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar, Rui Miao, Minlan Yu Presenter : ChoongHee.
Outline PART 1: THEORY PART 2: HANDS ON
J. Halpern (Ericsson), C. Pignataro (Cisco)
When RINA Meets NFV Diego R. López Telefónica
Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul
Ready-to-Deploy Service Function Chaining for Mobile Networks
Road to SDN Review the main features of SDN
Xin Li, Chen Qian University of Kentucky
SDN challenges Deployment challenges
Yotam Harchol The Hebrew University of Jerusalem
Yotam Harchol The Hebrew University of Jerusalem
SDN Network Updates Minimum updates within a single switch
A Survey of Network Function Placement
Abstractions for Network Functions
University of Maryland College Park
The DPIaaS Controller Prototype
ODL SFC, Implementing IETF SFC November 14, 2016
Praveen Tammana† Rachit Agarwal‡ Myungjin Lee†
15-744: Computer Networking
NOX: Towards an Operating System for Networks
Yotam Harchol The Hebrew University of Jerusalem
ONOS Drake Release September 2015.
Debashish Purkayastha, Dirk Trossen, Akbar Rahman
CHAPTER 8 Network Management
Zhenbin Li, Shunwan Zhuang Huawei Technologies
Sangfor Cloud Security Pool, The First-ever NSH Use Case
Programmable Networks
Yotam Harchol The Hebrew University of Jerusalem
Lecture 10, Computer Networks (198:552)
Autonomous Network Alerting Systems and Programmable Networks
draft-guichard-sfc-nsh-sr-02
Using Service Function Chaining for In-Network Computation
Tokyo OpenStack® Summit
Chapter 4: outline 4.1 Overview of Network layer data plane
Presentation transcript:

of Dynamic NFV-Policies SDNs for Enforcement of Dynamic NFV-Policies Ashwin Rao 04 / 11 / 2015

Background Increasing presence of Network Functions (NF) Sherry et al. "Making Middleboxes Someone Else's Problem: Network Processing as a Cloud Service." In SIGCOMM '12. Need for dynamic policies ”The current service function deployment models are relatively static … greatly reducing the ability of an operator to introduce new services...” J. Halpern et al. RFC 7665. ”Service Function Chaining (SFC) Architecture.” October 2015.

Challenges in Policy Enforcement NF Composition Resource Management Packet Modification What must S2 do for a packet from S1? Policy: Egress → Firewall → IDS → Proxy → Ingress Firewall Proxy IDS Egress Ingress S1 S2

Outline Background SIMPLE-fying Middlebox Policy Enforcement Using SDN Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags IETF Protocols: NSH and others

SIMPLE Approach Packet modifications by NFs Traffic Matrix Topology Policy Resource Constraints Packet modifications by NFs Flow correlation to support off-the-shelf NFs Collect Pkts Calculate similarity Update rules Resource Manager Dynamics Manager Offline-Online Decomposition Offline: Switch constraints Online: Load Balancing ILP formulation Unambiguous Forwarding In-port and Out-port Adding Processing State (ProcState) in headers Compacting Forwarding Rules Rule Manager Flow Action Counter ... ... ...

SIMPLE Contributions SDN based Policy Enforcement Layer for NF-specific traffic steering Supports off-the-shelf NFs Leverages tunnels between switches and SDN capabilities to modify packet headers Decompose optimization problem Offline component for switch capabilities Online component for load balancing Learns packet modifications by NFs

Discussion on SIMPLE Benefits Flexibility in NF placement Reconfigure rules on NF failure Takes ≈ 1 second for large AS topology Issues Flow correlation Latency & True-Positive/False-Positive Rates of popular NFs unknown Short-term solution Will networks have SDN switches with legacy NFs? What if NFs can be modified?

SDN Tenets violated by NFs ORIGINBINDING Strong binding between packet and its origin Example culprit: NAT, load balancers PATHSFOLLOWPOLICY Explicit policies should determine the packet path Example culprit: Caches HIGHLEVELNAMES Network policies should be expressed in terms of high-level names. Example culprit: NAT

Concept of FlowTags Assumptions NFs add tags that contain Missing Bindings to ensure ORIGINBINDINGS Missing Context to ensure PATHFOLLOWPOLICY Assumptions Adequate header bits available Possibility to modify/extend NF software

Tag Generation 1) Static Policy Graph (DPG) Traffic ↔ Chain to NFs 2) Dynamic Policy Graph (DPG) IN and OUT Nodes NF Nodes Unique Tag for a packet on the edge of the graph Internet Proxy ACL Host 2 {H2} {H2}, HIT {H2}, MISS , allow {H2}, MISS DROP {H2}, * , block {H2}, HIT, allow

FlowTags Components API FlowTags Controller SDN Capable Switch FlowTags-capable NF API FT_GENERATE_QRY & FT_GENERATE_RSP – for Tag generation FT_CONSUME_QRY & FT_CONSUME_RSP - for Tag consumption OFPT_PACKET_IN - switch notifying reception of Tag'ed packet Modifications to NFs Modify internal functions to generate and consume Tags Shim layer for Tag generation and consumption

FlowTags Contribution Propose Tagging for ORIGINBINDINGS and PATHSFOLLOWPOLICY Paper details the tagging mechanism Rule generation, policy abstraction, & controller interface Open avenues for verification and network diagnosis What if additional header(s) are available for Tags?

Outline Background SIMPLE-fying Middlebox Policy Enforcement Using SDN Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags IETF Protocols: NSH and others

Network Service Header (NSH) A dataplane header for carrying information along a service path NSH Header Base NSH Header (version, length, ...) Service Path ID Service Index Network Platform Context Network Shared Context Service Platform Context Service Shared Context

Summary SIMPLE Works with Off-the-shelf NFs Suffers from uncertainty on policy realization FlowTags Tagging flows as they traverse NFs NFs need to be modified Existing headers can be used IETF proposals like NSH Context information can be shared

Thank You!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.