Fast Testing Network Data Plane with RuleChecker

Presentation transcript:

Fast Testing Network Data Plane with RuleChecker (2019/5/21)
Author: Peng Zhang, Cheng Zhang, and Chengchen Hu
Publisher: IEEE ICNP 2017
Presenter: Chia-He Lin
Date: 2017/11/29
Department of Computer Science and Information Engineering, National Cheng Kung University, Taiwan R.O.C. CSIE CIAL Lab

Outline: Introduction, Background, Proposed scheme, Evaluation, Conclusion
National Cheng Kung University CSIE Computer & Internet Architecture Lab

Introduction
Software Defined Networking (SDN) decouples control functions from the data plane, thereby offering centralized, flexible, and programmable network control. A new risk arises: the data plane state may not agree with the control plane policies. For example, switches may fail to correctly install the rules issued by the controller, due to software bugs, hardware faults, or attacks.

Introduction
Both VeriDP and REV cannot handle packet rewrites, and need to modify SDN switches to add tags. Data plane testing tools like Monocle and RuleScope detect rule missing faults and priority faults by generating probes for rules and checking whether the switch outputs the probes according to their corresponding rules. Compared with VeriDP and REV, Monocle and RuleScope need to send only a small number of probe packets and require no switch modification, and are thus a more preferable approach for checking whether the network data plane corresponds to the control plane.

Introduction
Limitations of these tools:
(1) They are relatively slow in generating probes due to the need to solve Boolean Satisfiability (SAT) problems.
(2) They may generate false negatives when there are multiple missing rules that are correlated.
(3) They do not support incremental probe update, and are thus inefficient under dynamic network re-configurations.
(4) They cannot test cascaded flow tables, a mandatory feature of OpenFlow.

Introduction
RuleChecker monitors (without blocking) the rule install/remove messages, and computes/updates probes based on the rules.

Introduction
(1) RuleChecker uses a new probe generation method that does not require solving SAT problems.
(2) RuleChecker introduces a new rule dependency model, and uses multiple rounds of probing to eliminate false negatives.
(3) RuleChecker only needs to re-compute a minimal number of probes when a new rule is added.
(4) RuleChecker generates a probe for each rule of each cascaded flow table, based on a model named rule path.

Background: Rule missing fault
(1) The controller sends a rule installation message to the switch, but the switch fails to install the rule in its flow table. A possible reason for (1) is that the switch software may contain bugs such that it fails to properly process the rule installation messages.
(2) A rule that previously existed in a switch's flow table disappears without being noticed by the controller. As for (2), a switch may delete a rule from its flow table due to table overflow, without reporting it to the controller.

Background: Rule priority fault
We say a pair of rules ri and rj are experiencing a priority fault if their priorities are swapped. Priority faults can happen if the switch totally ignores the priority fields of rules.

Proposed scheme - Overview: Detecting rule missing fault
According to Monocle, a probe that can detect the missing fault of ri should satisfy:
1) The probe should match rule ri, but no other rule whose priority is higher than ri.
2) Let rj be the highest-priority rule satisfying rj.p < ri.p that the probe matches; then we should have ri.a ≠ rj.a.

Proposed scheme

Proposed scheme: Detecting rule priority fault
The probes generated for detecting rule missing faults may not detect priority faults.

Proposed scheme - Encoding Header Fields
Before generating probes using Eq. (1), we need a method to encode header fields. Wildcard is a good choice for representing an IP prefix or suffix, and is adopted by HSA. Binary Decision Diagram (BDD) is an efficient data structure for encoding Boolean expressions.

Proposed scheme

Proposed scheme - Generating Probe Sets
(Line 1) The algorithm first sorts the rules in order of decreasing priority, (Line 2) and initializes the set of unmatched headers, denoted Ha, as the whole set, i.e., the logical "true". (Lines 3-14) Generate probe sets for each rule ri. (Line 4) In each loop, the algorithm first calculates the hitting fields ri.h and updates Ha. (Lines 5-8) If ri.h is not empty, then the algorithm initializes Hb as ri.h, and calculates the overriding fields for each rj that has a lower priority than ri.

Proposed scheme - Generating Probe Sets
(Lines 9-12) If override(ri, rj) is not empty and the actions of ri and rj are different, then it is put as a probe set into ri.t, and override(ri, rj) is subtracted from Hb. (Lines 13-14) Finally, if there are still remaining headers in Hb (meaning that Hb will match the default rule), then Hb is added to ri.t.

Proposed scheme - Sampling Probes
The AnySAT problem is very efficient on a BDD: one only needs to find a path from the root node leading to the True node. If the BDD encodes a set of IPv4 addresses, then the number of variables is 32. That is, AnySAT has linear complexity, compared with Boolean Satisfiability (SAT), which is NP-complete.

Proposed scheme - The Complete Construction
The construction so far has three limitations: (1) it may raise false negatives when there are multiple missing rules; (2) it cannot incrementally update probes when a new rule is added; (3) it does not support cascaded flow tables.

Proposed scheme - Eliminating False Negatives

Proposed scheme

Proposed scheme: Dependency-aware rule probing and repairing
(1) The conservative approach always sends probes for rules that depend on no other rules. If these probes pass the test, then we remove the rules, together with their corresponding edges, from the dependency graph. Then we continue to send probes for rules that depend on other rules.
(2) The aggressive approach simply sends all probes without waiting, and sees if there are failed probes. Since there are no false positives, we only need to repair the rules whose probes fail, and then re-send all probes.
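As an added worked model (example code written for this page, not the authors' implementation) of the probe-set generation of Algorithm 1 described above, the AnySAT sampling of one probe per probe set, and the aggressive probe-and-repair loop: header sets are plain Python frozensets over an 8-bit toy header space standing in for the BDDs, the three-rule table is constructed, the default rule's action is assumed to be drop, and headers claimed by a lower-priority rule with the same action are assumed to leave Hb so that leftover headers really do reach the default rule. It also shows the correlated-missing-rules false negative: with r1 and r2 both missing, r1's probe falls to r3, which has the same action, so only the second round catches r1.

```python
from dataclasses import dataclass, field

BITS = 8
ALL_HEADERS = frozenset(range(2 ** BITS))
DEFAULT_ACTION = "drop"  # assumed action of the catch-all default rule

def wildcard(pattern):  # '1010****' -> set of matching 8-bit headers
    return frozenset(h for h in ALL_HEADERS if all(
        c == "*" or c == format(h, f"0{BITS}b")[i] for i, c in enumerate(pattern)))

@dataclass
class Rule:
    name: str
    p: int                      # priority, higher wins
    m: frozenset                # matching fields
    a: str                      # action
    h: frozenset = frozenset()  # hitting fields, filled by generate_probe_sets
    t: list = field(default_factory=list)  # probe sets, filled by generate_probe_sets

def generate_probe_sets(rules):
    """Algorithm 1 as described on the slides; header sets stand in for BDDs."""
    rules = sorted(rules, key=lambda r: -r.p)      # Line 1: decreasing priority
    Ha = ALL_HEADERS                                # Line 2: headers no rule has matched yet
    for i, ri in enumerate(rules):                  # Lines 3-14
        ri.h, Ha, ri.t = ri.m & Ha, Ha - ri.m, []   # Line 4: hitting fields of ri
        if not ri.h:
            continue
        Hb = ri.h                                   # Line 6
        for rj in rules[i + 1:]:                    # Lines 7-12: lower-priority rules
            override = Hb & rj.m                    # headers that fall to rj if ri is missing
            if override and ri.a != rj.a:           # only a differing action reveals the fault
                ri.t.append(override)
            Hb -= override  # assumption: claimed headers leave Hb even when rj.a == ri.a
        if Hb and ri.a != DEFAULT_ACTION:           # Lines 13-14: leftover falls to default
            ri.t.append(Hb)
    return rules

def lookup(installed, header):  # switch model: highest-priority installed match wins
    for r in sorted(installed, key=lambda r: -r.p):
        if header in r.m:
            return r.a
    return DEFAULT_ACTION

def failed_rules(rules, installed):
    """One sampled probe per probe set (AnySAT on a set: any member); list failing rules."""
    return [r.name for r in generate_probe_sets(rules)
            if any(lookup(installed, min(hs)) != r.a for hs in r.t)]

def aggressive_probe_and_repair(rules, installed):  # send all, repair failures, repeat
    installed, rounds = list(installed), []
    while failed := failed_rules(rules, installed):
        rounds.append(failed)
        installed += [r for r in rules if r.name in failed]
    return rounds

R1 = Rule("r1", 3, wildcard("1010****"), "fwd:1")  # constructed example table;
R2 = Rule("r2", 2, wildcard("10******"), "fwd:2")  # the default rule is implicit
R3 = Rule("r3", 1, wildcard("1*******"), "fwd:1")
TABLE = [R1, R2, R3]
```

With only r3 installed, the first round reports r2 alone; once r2 is repaired, r1's probe is answered with fwd:2 and the second round reports r1.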

Proposed scheme

Proposed scheme - Incremental Probe Update
Rh: the rules whose matching fields overlap with r and whose priority is higher than r.
Rl: the rules whose matching fields overlap with r and whose priority is lower than r.

Proposed scheme - Testing Cascaded Flow Tables
We assume that packets match Table 1 and Table 2 in sequence. Each flow table has three rules, numbered in order of decreasing priority, and last is a default rule that catches all unmatched headers.

Proposed scheme - Testing Cascaded Flow Tables

Proposed scheme
(Lines 4-7) Calculate their matching fields and hitting fields. (Line 9) For each rule ri,j, the algorithm selects one of its leaf rules rk, (Lines 10-19) and tries to find another rule rl such that rk overrides rl and rk.a ≠ rl.a. (Lines 5-14) The process of finding such an rl is mostly the same as that of Algorithm 1; the difference is that rl is chosen from Relative(ri,j, rk).

Evaluation
RuleChecker: 3.1 GHz dual-core Intel i5 CPU, 16 GB RAM.
Software switches (Open vSwitch): 2 × 2 GHz 6-core Intel E5 CPUs, 32 GB RAM.

Conclusion
We presented RuleChecker, which generates probes to actively test the correctness of SDN flow tables. Unlike previous probe-based testing tools like Monocle, RuleChecker is extremely fast thanks to a novel set-based probe generation method. Moreover, RuleChecker fills some important gaps left by previous tools, including elimination of false negatives, incremental probe update, and support for cascaded flow tables.