Yotam Harchol The Hebrew University of Jerusalem

Slides:



Advertisements
Similar presentations
Towards Software Defined Cellular Networks
Advertisements

SIMPLE-fying Middlebox Policy Enforcement Using SDN
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.
Jennifer Rexford Princeton University MW 11:00am-12:20pm Network Virtualization COS 597E: Software Defined Networking.
Nanxi Kang Princeton University
Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.
Virtualization of Fixed Network Functions on the Oracle Fabric Krishna Srinivasan Director, Product Management Oracle Networking Savi Venkatachalapathy.
An Overview of Software-Defined Network Presenter: Xitao Wen.
ViSION Status Update Dan Savu Stefan Stancu 1D. Savu - CERN openlab.
Keith Wiles DPACC vNF Overview and Proposed methods Keith Wiles – v0.5.
An Overview of Software-Defined Network
An Overview of Software-Defined Network Presenter: Xitao Wen.
Toward Software-Defined Middlebox Networking Aaron Gember, Prathmesh Prabhu, Zainab Ghadiyali, Aditya Akella University of Wisconsin-Madison 1.
Workshop on Software Defined Networks Spring 2014.
Data Center Network Redesign using SDN
Enabling Innovation Inside the Network Jennifer Rexford Princeton University
Composing Software Defined Networks Jennifer Rexford Princeton University With Joshua Reich, Chris Monsanto, Nate Foster, and.
Software-Defined Networks Jennifer Rexford Princeton University.
Deep Packet Inspection as a Service Anat Bremler-Barr IDC Herzliya Joint work with Yotam Harchol, David Hay and Yaron Koral The Hebrew University Appeared.
Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags Seyed K. Fayazbakhsh *, Luis Chiang ¶, Vyas Sekar *, Minlan.
Extending SDN to Handle Dynamic Middlebox Actions via FlowTags (Full version to appear in NSDI’14) Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan.
A survey of SDN: Past, Present and Future of Programmable Networks Speaker :Yu-Fu Huang Advisor :Dr. Kai-Wei Ke Date:2014/Sep./30 1.
Aaron Gember, Theophilus Benson, Aditya Akella University of Wisconsin-Madison.
SDN Management Layer DESIGN REQUIREMENTS AND FUTURE DIRECTION NO OF SLIDES : 26 1.
Extending OVN Forwarding Pipeline Topology-based Service Injection
NEWS: Network Function Virtualization Enablement within SDN Data Plane.
SDN and Beyond Ghufran Baig Mubashir Adnan Qureshi.
Deep Packet Inspection as a Service Author : Anat Bremler-Barr, Yotam Harchol, David Hay and Yaron Koral Conference: ACM 10th International Conference.
Design and Implementation of a Data Plane for the OpenBox Framework Pavel Lazar March 2016 This research was supported by the European Research Council.
Software Defined Networking BY RAVI NAMBOORI. Overview  Origins of SDN.  What is SDN ?  Original Definition of SDN.  What = Why We need SDN ?  Conclusion.
THE HEBREW UNIVERSITY OF JERUSALEM OpenBox: A Software-Defined Framework for Developing, Deploying, and Managing Network Functions Yotam Harchol The Hebrew.
NFP: Enabling Network Function Parallelism in NFV
InterVLAN Routing 1. InterVLAN Routing 2. Multilayer Switching.
Ready-to-Deploy Service Function Chaining for Mobile Networks
Xin Li, Chen Qian University of Kentucky
SDN challenges Deployment challenges
Yotam Harchol The Hebrew University of Jerusalem
Yotam Harchol The Hebrew University of Jerusalem
David Hay The Hebrew University of Jerusalem
Some slides have been adapted from:
15-744: Computer Networking
The DPIaaS Controller Prototype
Heitor Moraes, Marcos Vieira, Italo Cunha, Dorgival Guedes
Martin Casado, Nate Foster, and Arjun Guha CACM, October 2014
Hydra: Leveraging Functional Slicing for Efficient Distributed SDN Controllers Yiyang Chang, Ashkan Rezaei, Balajee Vamanan, Jahangir Hasan, Sanjay Rao.
StratusLab Final Periodic Review
StratusLab Final Periodic Review
15-744: Computer Networking
Yotam Harchol The Hebrew University of Jerusalem
of Dynamic NFV-Policies
Management of Virtual Execution Environments 3 June 2008
Software Defined Networking (SDN)
Stanford University Software Defined Networks and OpenFlow SDN CIO Summit 2010 Nick McKeown & Guru Parulkar In collaboration with Martin Casado and Scott.
A Novel Framework for Software Defined Wireless Body Area Network
NFP: Enabling Network Function Parallelism in NFV
Chapter 5 Network Layer: The Control Plane
Northbound API Dan Shmidt | January 2017
The Stanford Clean Slate Program
Software Defined Networking (SDN)
Software Defined Networking
Extending MPLS/BGP VPNs to End-Systems
NFP: Enabling Network Function Parallelism in NFV
Open vSwitch HW offload over DPDK
VNIDS: Towards Elastic Security with Safe and Efficient Virtualization of Network Intrusion Detection Systems Hongda Li1, Hongxin Hu1, Guofei Gu2, Gail-Joon.
Programmable Networks
OpenSec:Policy-Based Security Using Software-Defined Networking
Chapter 5 Network Layer: The Control Plane
NFV and SD-WAN Multi vendor deployment
Elmo Muhammad Shahbaz Lalith Suresh, Jennifer Rexford, Nick Feamster,
Control-Data Plane Separation
Presentation transcript:

OpenBox: A Software-Defined Framework for Developing, Deploying, and Managing Network Functions Yotam Harchol The Hebrew University of Jerusalem Joint work with Anat Bremler-Barr and David Hay This research was supported by the European Research Council ERC Grant agreement no 259085, the Israeli Centers of Research Excellence (I-CORE) program (Center No. 4/11), and the Neptune Consortium.

Network Functions (Middleboxes) Monolithic closed black-boxes High cost Limited provisioning and scalability Firewall Load Balancer NFs, or middleboxes, have been traditionally implemented as closed hardware appliances. Intrusion Prevention System Network Function Virtualization (NFV): Reduce cost (by moving to software) Improve provisioning and scalability (by virtualizing software NFs)

Network Functions (Middleboxes) High cost Limited provisioning and scalability Limited and separate management Different vendors No standards Separate control plane However, NFs, virtual or physical, still have other problems

Network Functions (Middleboxes) Actually, many of these black-boxes are very modular Network Function High cost Limited provisioning and scalability Limited and separate management Limited functionality and limited innovation (High entry barriers) Similar complex processing steps, no re-use high entry barriers – if someone wants to improve or change they need to do everything from scratch

OpenBox www.openboxproject.org github.com/OpenBoxProject OpenBox: A new software-defined framework for network functions Decouples network function control from their data plane Unifies data plane of multiple network functions Benefits: Easier, unified control Better performance Scalability Flexible deployment Inter-tenant isolation Innovation OpenBox Controller להתלהב! OpenBox is a new… NFs now become applications on top of the OpenBox controller. The OpenBox data plane realizes the packet processing as directed by the controller. Packet processing remains in data plane. The benefits we get are: … WE IMPLEMENTED OBI OBI OBI

OpenBox Service Instances The OpenBox Framework Network Functions: OpenBox Applications Northbound API Logically-Centralized OpenBox Controller Control Plane OpenBox Protocol Data Plane Northbound API to specify NF logic Logically-centralized controller that unifies logic of multiple network functions from multiple tenants Communication protocol between controller and data plane Specification of data plane instances that perform the actual packet processing (packets do not flow through the controller) (ADD EXAMPLE) OpenBox Service Instances Additionally: Isolation between NFs / multiple tenants Support for hardware accelerators Dynamically extend the protocol

Most network functions do very similar processing steps Observation: Most network functions do very similar processing steps But there is no re-use… The design the OpenBox framework is based on this observation

Network Function Decomposition Firewall: Read Packets Header Classifier Drop Alert Output Load Balancer: Read Packets Header Classifier Rewrite Header Output We use Click-like notation to decompose NF logic Each block has its own configuration parameters Intrusion Prevention System: Read Packets Header Classifier Drop Alert DPI Output

Northbound API Specify processing graph and block configuration NB API Intrusion Prevention System Load Balancer Firewall Read Packets Header Classifier Drop Alert Output Rewrite Header DPI OpenBox Applications Specify processing graph and block configuration Events, Load information NB API OpenBox Controller Give example for events and load info OpenBox Protocol Control Plane Data Plane OpenBox Service Instances

Logically-Centralized Controller Multiple tenants run multiple applications for multiple policies in the same network Isolation between applications and tenants enforced by NB API OpenBox Applications NB API SDN Protocol SDN Switches SDN Controller Network-wide view Automatic scaling, provisioning, placement, and steering OpenBox Controller OpenBox Protocol Control Plane Data Plane OpenBox Service Instances

Performance ≈ Diameter of Graph (# of classifiers) Naïve Graph Merge Firewall: Read Packets Header Classifier Drop Alert Output Concatenated Processing Graph: Header Classifier Drop Alert (IPS) DPI Output Read Packets (Firewall) 30μs 10μs 50μs 2μs The performance is correlated with the diameter Intrusion Prevention System: Read Packets Header Classifier Drop Alert DPI Output Performance ≈ Diameter of Graph (# of classifiers) Total: 134μs

Graph Merge Algorithm Merged Processing Graph: Algorithm and details are in the paper Alert (Firewall) DPI Alert (Firewall) DPI Read Packets Header Classifier Alert (Firewall) DPI Alert (IPS) Output In the paper we provide an algorithm that merges multiple processing graphs, and specifically merges classifiers to reduce the lengths of paths in the result graph. We show that this indeed improves data plane performance. --- It may not always be good to merge, controller can determine when it is good 2μs 30μs 2μs 50μs 10μs Alert (Firewall) 10μs Drop Shorter Diameter (less classifiers) Total: 104μs (22% improvement)

OpenBox Data Plane Processing Read Packets Store Packet Restore Packet Caching HTML Normalizer JavaScript Normalizer XML Normalizer Normalization Alert Log Reporting Output Drop Terminals Header Classifier DPI Classification FIFO Queue Front Drop Queue RED Queue Leaky Bucket Queue Management Gzip Decompress Gzip Compress De/compression Begin Transaction Rollback Transaction Commit Transaction Transactions VLAN Pop VLAN Push Rewrite Header Header Modification

OpenBox Data Plane Processing OpenBox Service Instance Virtual or Physical Provides data plane services to realize the logic of network functions Controlled by the logically-centralized OpenBox controller

Distributed Data Plane Alert DPI Header Classifier Rewrite Header Metadata OpenBox Service Instance Hardware (TCAM) E.g., an OpenFlow switch with encapsulation features (e.g., NSH, Geneve, FlowTags) OpenBox Service Instance Software

Split Processing Graph HW Instance: Read Packets Header Classifier Write Metadata Encapsulate Metadata Output Drop SW Instance: DPI IPS processing graph DPI Drop Read Packets Decapsulate Metadata Read Metadata DPI Alert Output

Extensible Data Plane Option 2: Software module injection NB API Media Encoder Option 2: Software module injection NEW APP Custom software module (signed) NB API OpenBox Controller On the fly No need to recompile No need to redeploy OpenBox Protocol Control Plane Data Plane OpenBox Service Instances Option 1: New hardware implementation Supports encapsulation

Scalable & Reliable Data Plane Scalability Provisioning Reliability OpenBox Controller Provision OBI OBI OBI OBI OBI OBI OBI OBI OBI OBI Hypervisor OBI OBI Hypervisor

(Plug here other execution engines. E.g., ClickNP) Implementation github.com/OpenBoxProject FW IPS Load Balancer . . . Java-based OpenBox Controller 7500 LoCs (Java) Northbound API REST client/server Graph Aggregator Network Manager Management API REST Control Plane REST API Data Plane Generic wrapper for execution engines (Python) Software OpenBox Service Instance Or the one we are working on now which is a hybrid SW-HW using a HW OpenFlow switch 5500 LoCs (Python) Translation Engine Click-based execution engine (C++) 2400 LoCs for plugin (C++) (Plug here other execution engines. E.g., ClickNP)

Performance Improvement VM1 Firewall VM2 IPS Without OpenBox VM1 OBI1: FW+IPS VM2 OBI2: FW+IPS With OpenBox Standalone VM NF Pipeline -35% Now for some performance measurments We consider a simple scenario where packets go from one host through a firewall, then through an IPS, then to another host. +86% Without OpenBox With OpenBox

Conclusions Network functions are currently a real challenge in large scale networks OpenBox decouples the data plane processing from network function control logic and: Reduces costs Enhances performance Improves scalability Increases reliability Provides inter-tenant isolation Allows easier innovation OpenBox Applications NB API OpenBox Controller OpenBox Protocol Control Plane Data Plane OpenBox Service Instances

Limitations

State Management Glosses over state management No Detail about API Implementation State Replication, latency etc

Fault Tolerance State Replication Traffic Steering NF Replication

Implementation Code is still under development Incomplete Components Mininet Implementation does not work

Further Work Use P4 to extend the OpenBox system to become protocol agnostic.

Questions?