Toward Taming Policy Enforcement for SDN_______ in the RIGHT way_

Slides:



Advertisements
Similar presentations
Programming Protocol-Independent Packet Processors
Advertisements

20.1 Chapter 20 Network Layer: Internet Protocol Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.
Nanxi Kang Princeton University
CECS 474 Computer Network Interoperability Notes for Douglas E. Comer, Computer Networks and Internets (5 th Edition) Tracy Bradley Maples, Ph.D. Computer.
SDN and Openflow.
Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
Copyright: RSVP The ReSerVation Protocol by Sujay koduri.
Efficient IP-Address Lookup with a Shared Forwarding Table for Multiple Virtual Routers Author: Jing Fu, Jennifer Rexford Publisher: ACM CoNEXT 2008 Presenter:
CS335 Networking & Network Administration Tuesday, May 11, 2010.
Routing and Routing Protocols
CS335 Networking & Network Administration Tuesday, April 20, 2010.
CSE 461: Distance Vector Routing. Next Topic  Focus  How do we calculate routes for packets?  Routing is a network layer function  Routing Algorithms.
Chapter 19 Binding Protocol Addresses (ARP) Chapter 20 IP Datagrams and Datagram Forwarding.
OpenFlow Switch Limitations. Background: Current Applications Traffic Engineering application (performance) – Fine grained rules and short time scales.
Introduction to networking (Yarnfield) Introduction to routing.
Route Selection in Cisco Routers. Route Selection One of the intriguing aspects of Cisco routers, especially for those new to routing, is how the router.
Chapter 4: Managing LAN Traffic
Page 19/13/2015 Chapter 8 Some conditions that must be met for host to host communication over an internetwork: a default gateway must be properly configured.
Protocol Layering Chapter 10. Looked at: Architectural foundations of internetworking Architectural foundations of internetworking Forwarding of datagrams.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
Lecture#1 on Internet. Internet Addressing IP address: pattern of 32 or 128 bits often represented in dotted decimal notation IP address: pattern of 32.
Chapter 22 Q and A Victor Norman CS 332 Spring 2014.
20.1 Chapter 20 Network Layer: Internet Protocol Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
High-Speed Policy-Based Packet Forwarding Using Efficient Multi-dimensional Range Matching Lakshman and Stiliadis ACM SIGCOMM 98.
Jennifer Rexford Princeton University MW 11:00am-12:20pm SDN Programming Languages COS 597E: Software Defined Networking.
Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN FastLane Kai Bu Zhejiang University.
Coping with Link Failures in Centralized Control Plane Architecture Maulik Desai, Thyagarajan Nandagopal.
Fabric: A Retrospective on Evolving SDN Presented by: Tarek Elgamal.
Programming Assignment 2 Zilong Ye. Traditional router Control plane and data plane embed in a blackbox designed by the vendor high-seed switching fabric.
WAN Technologies. 2 Large Spans and Wide Area Networks MAN networks: Have not been commercially successful.
1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 8 TCP/IP Suite Error and Control Messages.
Comprehensive Laboratory Practice of Information Security Kai Bu Zhejiang University
Xin Li, Chen Qian University of Kentucky
SDN challenges Deployment challenges
SDN Network Updates Minimum updates within a single switch
School of Computing Clemson University Fall, 2012
Project Management: Messages
The DPIaaS Controller Prototype
Martin Casado, Nate Foster, and Arjun Guha CACM, October 2014
ETHANE: TAKING CONTROL OF THE ENTERPRISE
21-2 ICMP(Internet control message protocol)
Packet Switching Datagram Approach Virtual Circuit Approach
Managing IP Traffic with ACLs
Single-Area OSPF 1 Cisco Networking Academy program Routing Protocols
NOX: Towards an Operating System for Networks
Multi Protocol Label Switching (MPLS)
IST 220 Lectures for: Dec. 8, 2009 Dec. 10, 2009
Introduction to Networking
Virtual LANs.
Switching Techniques In large networks there might be multiple paths linking sender and receiver. Information may be switched as it travels through various.
IOS Network Model 2nd semester
Net 323: NETWORK Protocols
CS 31006: Computer Networks – The Routers
Dr. John P. Abraham Professor UTPA
Is Every Flow on The Right Track? Inspect SDN Fwding with RuleScope
Chapter 20 Network Layer: Internet Protocol
Dr. John P. Abraham Professor UTRGV, EDINBURG, TX
SPEAKER: Yu-Shan Chou ADVISOR: DR. Kai-Wei Ke
Dr. John P. Abraham Professor UTPA
Implementing an OpenFlow Switch on the NetFPGA platform
Net 323 D: Networks Protocols
Programmable Networks
1 Multi-Protocol Label Switching (MPLS). 2 MPLS Overview A forwarding scheme designed to speed up IP packet forwarding (RFC 3031) Idea: use a fixed length.
Delivery, Forwarding, and Routing of IP Packets
Hash Functions for Network Applications (II)
Fast Testing Network Data Plane with RuleChecker
Lecture 4a Mobile IP 1.
Control-Data Plane Separation
Presentation transcript:

Toward Taming Policy Enforcement for SDN_______ in the RIGHT way_ SDDCS 2016 Toward Taming Policy Enforcement for SDN_______ in the RIGHT way_ Thank you, So today I’m gonna present the RIGHT framework, on behalf of the authors from Zhejiang University. Kai Bu, Minyu Weng, Junze Bao Zhenchao Lin, Zhikui Xu Zhejiang University

Toward Taming Policy Enforcement for SDN_______ in the RIGHT way_ mitigate detect correct fwding errors RIGHT is a framework that aims to mitigate, detect, and correct forwarding errors for SDN.

Toward Taming Policy Enforcement for SDN_______ in the RIGHT way_ switch admin Controller rules policies Toward Taming Policy Enforcement for SDN_______ in the RIGHT way_ mitigate detect correct fwding errors In SDN, the controller translates management policies specified by network administrator to rules, which are further populated to switches, to guide their forwarding decisions.

Toward Taming Policy Enforcement for SDN_______ in the RIGHT way_ switch admin Controller rules policies Toward Taming Policy Enforcement for SDN_______ in the RIGHT way_ mitigate detect correct fwding errors Any errors occurring to forwarding will violate management policies and affect network reliability. So it’s important to combat forwarding errors for SDN. violate

Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN wait… what’s ? Before introducing our RIGHT design, let’s first walk though SDN forwarding basics.

Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN Software-Defined Networking SDN stands for Software-Defined Networking.

Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN Software-Defined Networking As we know, in traditional networks, management functions reside in distributed switches. It’s relatively hard to manage such networks due to limited policies are supported and the management needs to be distributed.

Controller Controller App App App Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN Software-Defined Networking To enrich the flexibility of network management, SDN introduces a centralized controller. [click the mouse] It takes over all these management functions using various applications.

Controller Controller Routing App Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN PacketIn Forwarding When a flow arrives, if the ingress switch doesn’t know how to process corresponding packets, [click the mouse] it needs to query the controller by encapsulating flow-info into a packetin message. flow

Controller Controller Routing App Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN PacketIn FlowMod Forwarding Upon receiving packetin message, the controller instructs switches of how to process the flow via FlowMod messages. [click the mouse] Then switches accordingly process and forward corresponding packets. flow

Switch Rule Priority Matching Action sw1 p1 src_ip=10.20.*.* fwd(sw2) sw2 P2 fwd(sw3) sw3 p3 fwd(out) Controller Controller Routing App Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN PacketIn FlowMod Forwarding flow table Each FlowMod message should contain a rule that corresponding switch can follow to process certain flow. sw1 sw2 sw3 flow p1, src_ip=10.20.*.*, fwd(sw2) p2, src_ip=10.20.*.*, fwd(sw3) p3, src_ip=10.20.*.*, fwd(out)

Switch Rule Priority Matching Action sw1 p1 src_ip=10.20.*.* fwd(sw2) sw2 P2 fwd(sw3) sw3 p3 fwd(out) Controller Controller Routing App Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN PacketIn FlowMod Forwarding flow table rule As shown in this example, a rule consists of three key fields, priority, matching, and action. Matching field regulates which flow a rule to process while Action field regulates how to process the flow. Take the rule of switch sw1 for example, it forwards all packets with source IP addresses prefixed by 10.20 to switch 2. Since SDN rules contain wildcards, a packet may match with multiple rules. To address such matching ambiguity, each rule is assigned with an additional priority value. Then when a packet matches with more than one rules, it follows the highest-priority one. sw1 sw2 sw3 flow p1, src_ip=10.20.*.*, fwd(sw2) p2, src_ip=10.20.*.*, fwd(sw3) p3, src_ip=10.20.*.*, fwd(out)

Switch Rule Priority Matching Action sw1 p1 src_ip=10.20.*.* fwd(sw2) sw2 P2 fwd(sw3) sw3 p3 fwd(out) Controller Controller Routing App Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN PacketIn FlowMod Forwarding flow table rule wildcard Since SDN rules contain wildcards, a packet may match with multiple rules. sw1 sw2 sw3 flow p1, src_ip=10.20.*.*, fwd(sw2) p2, src_ip=10.20.*.*, fwd(sw3) p3, src_ip=10.20.*.*, fwd(out)

Switch Rule Priority Matching Action sw1 p1 src_ip=10.20.*.* fwd(sw2) sw2 P2 fwd(sw3) sw3 p3 fwd(out) Controller Controller Routing App Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN PacketIn FlowMod Forwarding flow table rule wildcard priority To address such matching ambiguity, each rule is assigned with an additional priority value. Then when a packet matches with more than one rules, it follows the highest-priority one. sw1 sw2 sw3 flow p1, src_ip=10.20.*.*, fwd(sw2) p2, src_ip=10.20.*.*, fwd(sw3) p3, src_ip=10.20.*.*, fwd(out)

Controller Controller Routing App Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN PacketIn FlowMod Forwarding errors However, SDN forwarding is known to be susceptible to errors. sw1 sw2 sw3 flow p1, src_ip=10.20.*.*, fwd(sw2) p2, src_ip=10.20.*.*, fwd(sw3) p3, src_ip=10.20.*.*, fwd(out)

Controller Controller Routing App Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN PacketIn FlowMod Forwarding errors loss First, a rule may fail to be installed due to bugs of switch firmware or hardware, or even losses of rule-update messages. causes: rule installation failure sw1 sw2 sw3 bug flow p1, src_ip=10.20.*.*, fwd(sw2) p2, src_ip=10.20.*.*, fwd(sw3) p3, src_ip=10.20.*.*, fwd(out)

Controller Controller Routing App Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN PacketIn FlowMod Forwarding errors loss Packets supposed to be processed by a missing rule might be unexpectedly dropped or wrongly forwarded. causes: rule installation failure sw1 sw2 sw3 bug flow p1, src_ip=10.20.*.*, fwd(sw2) p2, src_ip=10.20.*.*, fwd(sw3) p3, src_ip=10.20.*.*, fwd(out)

rule update scheduling Controller Controller Routing App Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN PacketIn FlowMod Forwarding Forwarding errors sw4 Second, less well scheduled rule update may make overlapping rules violate designated priority order. For example, let’s assume switch 2 has another rule for processing packets with source IP addresses prefixed with 10.20 but with lower priority. causes: rule installation failure rule priority violation sw1 sw2 sw3 rule update scheduling flow p1, src_ip=10.20.*.*, fwd(sw2) p2, src_ip=10.20.*.*, fwd(sw3) p3, src_ip=10.20.*.*, fwd(out) p4, src_ip=10.*.*.*, fwd(sw4)

Controller Controller Routing App Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN PacketIn FlowMod Forwarding Forwarding errors sw4 When this lower-priority rule turns out to outweigh its higher-priority counterpart, corresponding packets will be mis-forwarded to switch 4 instead of the expected switch 3. causes: rule installation failure rule priority violation sw1 sw2 sw3 flow p4, src_ip=10.*.*.*, fwd(sw4) p1, src_ip=10.20.*.*, fwd(sw2) p3, src_ip=10.20.*.*, fwd(out) p2, src_ip=10.20.*.*, fwd(sw3)

Controller Controller Routing App Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN PacketIn FlowMod Forwarding errors Forwarding sw4 Finally, asynchronous rule activation across the forwarding path may also induce forwarding errors. As shown in this example, if the p2 rule on switch sw2 is active later enough than p1 on sw1, packets forwarded by p1 rule will be matched by p4 rule and wrongly forwarded to sw4. causes: rule installation failure rule priority violation async rule activation sw1 sw2 sw3 flow p1, src_ip=10.20.*.*, fwd(sw2) p2, src_ip=10.20.*.*, fwd(sw3) p3, src_ip=10.20.*.*, fwd(out) p4, src_ip=10.*.*.*, fwd(sw4)

Controller Controller Routing App Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN Forwarding errors PacketIn FlowMod mitigate detect correct RIGHT sw4 To guarantee network reliability, we suggest a RIGHT framework to mitigate, detect, and correct forwarding errors. causes: rule installation failure rule priority violation async rule activation sw1 sw2 sw3 flow p1, src_ip=10.20.*.*, fwd(sw2) p2, src_ip=10.20.*.*, fwd(sw3) p3, src_ip=10.20.*.*, fwd(out) p4, src_ip=10.*.*.*, fwd(sw4)

Switch Rule Priority Matching Action sw1 p1 src_ip=10.20.*.* fwd(sw2) sw2 P2 fwd(sw3) sw3 p3 fwd(out) Motivation: only M&A to TCAM; emulate P using mem loc; higher loc -> higher P Controller mem loc Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN TCAM where pkt may match >1 rules RIGHT mitigation The motivation for our mitigation scheme is that current SDN installs only matching field and action field of rules to TCAM. Priority is emulated using memory address: higher priority rule should be placed at higher memory location. Then a pkt may match more than one rules in TCAM. It will encounter a forwarding error if the highest-priority rule among the matched ones is not the expected one.

Switch Rule Priority Matching Action sw1 p1 src_ip=10.20.*.* unique_tag, fwd(sw2) sw2 P2 unique_tag fwd(sw3) sw3 p3 fwd(out) Controller Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN TCAM where pkt may match >1 rules Solution: RIGHT mitigation pRIority Goes to Hardware TCAM ingress switch uniquely tags pkt; en-route switches forward pkt using unique_tag; We mitigate such matching ambiguity caused forwarding errors by decoupling rules and priorities. In particular, ingress switch of a forwarding path uniquely tags (headers of ) packets in each flow. Then en-route switches simply forward tagged packets based on their unique tags.

Switch Rule Priority Matching Action sw1 p1 src_ip=10.20.*.* unique_tag, fwd(sw2) sw2 P2 unique_tag fwd(sw3) sw3 p3 fwd(out) Controller Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN TCAM where pkt may match >1 rules Solution: RIGHT mitigation pRIority Goes to Hardware TCAM ingress switch uniquely tags pkt; en-route switches forward pkt using unique_tag; no matching ambiguity on en-route switches ingress switch may still go wrong This way, en-route switches push no overlapping rules to TCAM and thus suffer from no matching ambiguity. However, since ingress switch follows the original matching field, it may still encounter forwarding errors.

Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN RIGHT mitigation detection pRIority Goes to Hardware TCAM ingress switch uniquely tags pkt; en-route switches forward pkt using unique_tag; no matching ambiguity on en-route switches ingress switch may still go wrong We let the second hop switch and controller collaboratively verify the forwarding correctness of ingress switch. 2nd-hop switch & controller

Controller original pkt arrives; ingress sw1 forwards pkt using a rule, (potentially overlapping with other rules) sw2 directs pkt to controller for verification; verified; back to sw2; sw2 forwards pkt to sw3; 3 4 1 2 5 sw1 sw2 sw3 Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN ingress RIGHT mitigation detection pRIority Goes to Hardware TCAM ingress switch uniquely tags pkt; en-route switches forward pkt using unique_tag; no matching ambiguity on en-route switches ingress switch may still go wrong In particular, the second-hop switch directs packets from the ingress switch to controller for verification, as shown in Step 3. Then if the forwarding decision of ingress switch is correct, controller directs back the packet to sw2 for further forwarding in Step 4. 2nd-hop switch & controller

Controller sw1 sw2 sw3 Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN ingress inefficient to direct all packets to controller RIGHT mitigation detection pRIority Goes to Hardware TCAM ingress switch uniquely tags pkt; en-route switches forward pkt using unique_tag; no matching ambiguity on en-route switches ingress switch may still go wrong But it’s impractical to direct every packet to controller for verification. 2nd-hop switch & controller

Controller Omit verifying pkt processed by isolated rules (without overlapping rules); Introduce exact-match rules to track verified pkt; Leverage Bloom filters to compress exact-match rules; efficiency1 enhancements sw1 sw2 sw3 Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN ingress inefficient to direct all packets to controller RIGHT mitigation detection pRIority Goes to Hardware TCAM ingress switch uniquely tags pkt; en-route switches forward pkt using unique_tag; no matching ambiguity on en-route switches ingress switch may still go wrong We suggest enhancing efficiency in three ways. Omit verifying packets processed by isolated rules; Introduce exact-match rules to track verified packets; And leverage Bloom filters to compress exact-match rules. 2nd-hop switch & controller

Controller fwding error sw1 sw2 sw3 Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN ingress upon forwarding-error detection RIGHT mitigation detection pRIority Goes to Hardware TCAM ingress switch uniquely tags pkt; en-route switches forward pkt using unique_tag; no matching ambiguity on en-route switches ingress switch may still go wrong And of course, there are cases when controller detects forwarding errors. 2nd-hop switch & controller

directs mis-forwarded packets to expectant forwarding paths Controller fwding correction sw4 sw1 sw2 sw3 Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN ingress upon forwarding-error detection RIGHT mitigation detection correction pRIority Goes to Hardware TCAM ingress switch uniquely tags pkt; en-route switches forward pkt using unique_tag; no matching ambiguity on en-route switches ingress switch may still go wrong Upon detecting a forwarding error, the controller should direct the mis-forwarded packet to its expectant forwarding path. 2nd-hop switch & controller

Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN decouple rules and priorities to mitigate forwarding errors; detect forwarding errors at packet level; correct the forwarding path for mis-forwarded packets; RIGHT contribution In summary, our RIGHT framework makes the following contributions to reliable SDN forwarding. First, it mitigates forward errors through decoupling rules and priorities. Second, it detects forwarding errors at packet level; Third, it corrects the forwarding path for mis-forwarded packets.

Controller Controller Routing App Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN Forwarding errors PacketIn FlowMod mitigate detect correct RIGHT sw4 So this is all about how RIGHT works and benefits. causes: rule installation failure rule priority violation async rule activation sw1 sw2 sw3 flow p1, src_ip=10.20.*.*, fwd(sw2) p2, src_ip=10.20.*.*, fwd(sw3) p3, src_ip=10.20.*.*, fwd(out) p4, src_ip=10.*.*.*, fwd(sw4)

Controller Controller Routing App THANK YOU Gotta Tell You Switches Only Once Toward Bandwidth-Efficient Flow Setup for SDN PacketIn FlowMod Forwarding errors mitigate detect correct RIGHT @SDDCS 2016 Kai Bu Zhejiang University kaibu@zju.edu.cn sw4 Thank you for your time and interest. Now I’m happy to take any questions. Thank you. You are also welcome to email your questions to the authors. causes: rule installation failure rule priority violation async rule activation sw1 sw2 sw3 flow p1, src_ip=10.20.*.*, fwd(sw2) p2, src_ip=10.20.*.*, fwd(sw3) p3, src_ip=10.20.*.*, fwd(out) p4, src_ip=10.*.*.*, fwd(sw4)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.