OpenNF: Enabling Innovation in Network Function Control Aditya Akella With: Aaron Gember, Raajay Vishwanathan, Chaithan Prakash, Sourav Das, Robert Grandl,

Slides:



Advertisements
Similar presentations
Aaron Gember-Jacobson, Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid Khalid, Sourav Das, Aditya Akella 1 OpenNF: Enabling Innovation in Network.
Advertisements

SIMPLE-fying Middlebox Policy Enforcement Using SDN
Live Migration of an Entire Network (and its Hosts) Eric Keller, Soudeh Ghorbani, Matthew Caesar, Jennifer Rexford HotNets 2012.
D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.
 The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business.
Stratos: A Network-Aware Orchestration Layer for Middleboxes in the Cloud Aditya Akella, Aaron Gember, Anand Krishnamurthy, Saul St. John University of.
Incremental Consistent Updates Naga Praveen Katta Jennifer Rexford, David Walker Princeton University.
1 Cheriton School of Computer Science 2 Department of Computer Science RemusDB: Transparent High Availability for Database Systems Umar Farooq Minhas 1,
Aaron Gember-Jacobson, Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid Khalid, Sourav Das, Aditya Akella 1 OpenNF: Enabling Innovation in Network.
Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.
Highly Available Central Services An Intelligent Router Approach Thomas Finnern Thorsten Witt DESY/IT.
Web Caching Schemes1 A Survey of Web Caching Schemes for the Internet Jia Wang.
Internet Networking Spring 2006 Tutorial 12 Web Caching Protocols ICP, CARP.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #13 Web Caching Protocols ICP, CARP.
Distributed Systems Fall 2009 Replication Fall 20095DV0203 Outline Group communication Fault-tolerant services –Passive and active replication Highly.
Internet Networking Spring 2002 Tutorial 13 Web Caching Protocols ICP, CARP.
Implementing ISA Server Caching. Caching Overview ISA Server supports caching as a way to improve the speed of retrieving information from the Internet.
OpenFlow Switch Limitations. Background: Current Applications Traffic Engineering application (performance) – Fine grained rules and short time scales.
Toward Software-Defined Middlebox Networking Aaron Gember, Prathmesh Prabhu, Zainab Ghadiyali, Aditya Akella University of Wisconsin-Madison 1.
Sanjay Ghemawat, Howard Gobioff, and Shun-Tak Leung Google∗
SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Cellular Core Network Architecture
Enabling Innovation Inside the Network Jennifer Rexford Princeton University
Server Load Balancing. Introduction Why is load balancing of servers needed? If there is only one web server responding to all the incoming HTTP requests.
Serval: Software Defined Service-Centric Networking Jen Rexford Erik Nordstrom, David Shue, Prem Gopalan, Rob Kiefer, Mat Arye, Steven Ko, Mike Freedman.
OpenFlow: Enabling Technology Transfer to Networking Industry Nikhil Handigol Nikhil Handigol Cisco Nerd.
SEDA: An Architecture for Well-Conditioned, Scalable Internet Services
Software-Defined Networks Jennifer Rexford Princeton University.
Intrusion Prevention System. Module Objectives By the end of this module, participants will be able to: Use the FortiGate Intrusion Prevention System.
Institute of Computer and Communication Network Engineering OFC/NFOEC, 6-10 March 2011, Los Angeles, CA Lessons Learned From Implementing a Path Computation.
1 Chapter 6: Proxy Server in Internet and Intranet Designs Designs That Include Proxy Server Essential Proxy Server Design Concepts Data Protection in.
Protocol(TCP/IP, HTTP) 송준화 조경민 2001/03/13. Network Computing Lab.2 Layering of TCP/IP-based protocols.
Measuring Control Plane Latency in SDN-enabled Switches Keqiang He, Junaid Khalid, Aaron Gember-Jacobson, Sourav Das, Chaithan Prakash, Aditya Akella,
Othman Othman M.M., Koji Okamura Kyushu University 1.
Programmable Networks: Active Networks + SDN. How to Introduce new services Overlays: user can introduce what-ever – Ignores physical network  perf overhead.
Remote Procedure Calls Adam Smith, Rodrigo Groppa, and Peter Tonner.
Improving the Safety, Scalability, and Efficiency of Network Function State Transfers Aaron Gember-Jacobson & Aditya Akella 1.
Distributed File Systems Overview  A file system is an abstract data type – an abstraction of a storage device.  A distributed file system is available.
Cloud Scale Performance & Diagnosability Comprehensive SDN Core Infrastructure Enhancements vRSS Remote Live Monitoring NIC Teaming Hyper-V Network.
CloudNaaS: A Cloud Networking Platform for Enterprise Applications Theophilus Benson*, Aditya Akella*, Anees Shaikh +, Sambit Sahu + (*University of Wisconsin,
Aaron Gember, Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid Khalid, Sourav Das, Aditya Akella 1 OpenNF.
A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.
Ch 10 Shared memory via message passing Problems –Explicit user action needed –Address spaces are distinct –Small Granularity of Transfer Distributed Shared.
Fast Crash Recovery in RAMCloud. Motivation The role of DRAM has been increasing – Facebook used 150TB of DRAM For 200TB of disk storage However, there.
Distributed Information Systems. Motivation ● To understand the problems that Web services try to solve it is helpful to understand how distributed information.
Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.
Aaron Gember, Theophilus Benson, Aditya Akella University of Wisconsin-Madison.
GLOBAL EDGE SOFTWERE LTD1 R EMOTE F ILE S HARING - Ardhanareesh Aradhyamath.
High-Speed Policy-Based Packet Forwarding Using Efficient Multi-dimensional Range Matching Lakshman and Stiliadis ACM SIGCOMM 98.
CellSDN: Software-Defined Cellular Core networks Xin Jin Princeton University Joint work with Li Erran Li, Laurent Vanbever, and Jennifer Rexford.
D-Link TSD 2009 workshop D-Link Net-Defends Firewall Training ©Copyright By D-Link HQ TSD Benson Wu.
AMQP, Message Broker Babu Ram Dawadi. overview Why MOM architecture? Messaging broker like RabbitMQ in brief RabbitMQ AMQP – What is it ?
SIMPLE-fying Middlebox Policy Enforcement Using SDN
1 Transport Layer: Basics Outline Intro to transport UDP Congestion control basics.
NEWS: Network Function Virtualization Enablement within SDN Data Plane.
Slide 1/12 Network Function Virtualization and its Dependability Challenges Relevant papers: 1.Gember-Jacobson, Aaron, Raajay Viswanathan, Chaithan Prakash,
Presented by Shinae Woo Borrowed many of the original author’s slides Aaron Gember-Jacobson, Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid.
DISTRIBUTED FILE SYSTEM- ENHANCEMENT AND FURTHER DEVELOPMENT BY:- PALLAWI(10BIT0033)
Paving the Way for NFV: Simplifying Middlebox Modifications with StateAlyzr Junaid Khalid, Aaron Gember-Jacobson, Roney Michael, Archie Abhashkumar, Aditya.
SketchVisor: Robust Network Measurement for Software Packet Processing
Xin Li, Chen Qian University of Kentucky
Yotam Harchol The Hebrew University of Jerusalem
Abstractions for Network Functions
The DPIaaS Controller Prototype
NOX: Towards an Operating System for Networks
Overview of SDN Controller Design
of Dynamic NFV-Policies
Internet Networking recitation #12
Lecture 21, Computer Networks (198:552)
Authors: Helen J. Wang, Chuanxiong Guo, Daniel R
Presentation transcript:

OpenNF: Enabling Innovation in Network Function Control Aditya Akella With: Aaron Gember, Raajay Vishwanathan, Chaithan Prakash, Sourav Das, Robert Grandl, and Junaid Khalid University of Wisconsin—Madison

Network functions, or middleboxes Caching Proxy Intrusion Prevention Firewall WAN optimizer Traffic scrubber SSL Gateway Introduce custom packet processing functions into the network Load balancer … [Sherry et al., SIGCOMM 2012] Common in enterprise, cellular, ISP networks Stateful: detailed book-keeping for network flows

Network functions virtualization (NFV) – Lower cost – Easy prov., upgrades Software-defined networking (SDN) – Decouple from physical – Better performance, chaining 3 Xen/KVM State-of-the-art

Extract maximal performance at a given $$ SDN Controller MBox Load balancing Dynamic reallocation to coordinate processing across instances NFV + SDN: distributed processing

SDN Controller MBox Key abstractions 1. Elastic 2. Always updated 3. Dynamic enhancement MBox Hand-off processing for a traffic subset MBox Dynamic reallocation to coordinate processing across instances SDN Controller MBox Load balancing Extract maximal performance at a given $$ NFV + SDN: distributed processing

What’s missing? The ability to simultaneously… Meet SLAs – E.g., ensure deployment throughput > 1Gpbs Ensure accuracy/efficacy – E.g., IDS raises alerts for all HTTP flows containing known malware packages Keep costs low, efficiency high – E.g., shut down idle resources when not needed … needs more control than NFV + SDN

Example Not moving flows  bottleneck persists  SLAs! Naively move flows  no associated state  Accuracy! Scale down: wait for flow drain out  Efficiency! Transfer live state while updating n/w forwarding 7 FirewallCaching Proxy Intrusion Prevention Web Server Home Users Scaling in/out sustain thr’put at low $

OpenNF Quick and safe dynamic reallocation of processing across NF instances Quick: Any reallocation decision invoked any time finishes predictably soon Safe: Key semantics for live state transfers  No state updates missed, order preserved, etc. Rich distributed processing based applications to flexibly meet cost, performance, security objectives

Outline Overview and challenges Design – Requirements – Key ideas – Applications Evaluation

OpenNF OpenNF Controller SDN Controller Elastic scaling Hot standby Dynamic enhancement MBox NF APIs and control plane for joint control over internal NF state and network forwarding state Overview and challenges Reallocation operations State import/ export Coordination w/ network

1: Many NFs, minimal changes – Avoid forcing NFs to use special state structures/ allocation/access strategies  Simple NF-facing API; relegates actions to NFs 2: Reigning in race conditions – Packets may arrive while state is being moved; Updates lost or re-ordered; state inconsistency  Lock-step NF state/forwarding update 3: Bounding overhead – State transfers impose CPU, memory, n/w overhead  Applications control granularity, guarantees 11 Challenges Overview and challenges

State created or updated by an NF applies to either a single flow or a collection of flows Classify state based on scope Flow provides a natural way for reasoning about which state to move, copy, or share NF state taxonomy 12 Connection TcpAnalyzer HttpAnalyzer TcpAnalyzer HttpAnalyzer Per-flow state ConnCount Multi-flow state All-flows state Statistics C1: Minimal NF Changes

API to export/import state Three simple functions: get, put, delete(f) – Version for each scope (per-, multi-, all-flows) – Filter f defined over packet header fields NFs responsible for – Identifying and providing all state matching a filter – Combining provided state with existing state 13 No need to expose internal state organization No changes to conform to a specific allocation strategy C1: Minimal NF Changes

Operations move flow-specific NF state at various granularities copy and combine, or share, NF state pertaining to multiple flows Semantics for move (loss-free, order-preserving), copy/share (various notions of consistency) 14 “Reallocate port 80 to NF2”

Move 15 OpenNF Controller Control Application move (port=80,Inst 1,Inst 2, LF&OP) getPerflow(port=80) [ID1,Chunk1] putPerflow(ID1,Chunk1) delPerflow(port=80) [ID2,Chunk2] putPerflow(ID2,Chunk2) forward(port=80,Inst 2 ) SDN Controller Inst 2 Inst 1

Load-balanced network monitoring vulnerable.bro  reconstruct MD5’s for HTTP responses – Not robust to losses weird.bro  SYN and data packets seen in unexpected order – Not robust to reordering HTTP req vulnerable.bro weird.bro vulnerable.bro weird.bro move C2: Race conditions Moving live state: some updates (packets) may be lost, or arrive out of order

Packets may arrive during a move operation Fix: suspend traffic flow and buffer packets – May last 100s of ms – Packets in-transit when buffering starts are dropped Lost updates during move 17 R1 B1 B2 Inst 2 is missing updates Inst 2 Inst 1 move(blue,Inst 1,Inst 2 ) Loss-free: All state updates due to packet processing should be reflected in the transferred state, and all packets the switch receives should be processed Key idea: Event abstraction to prevent, observe and sequence state updates C2: Race conditions

1. enableEvents(blue,drop) on Inst 1 ; 2. get / delete on Inst 1 3. Buffer events at controller 4. put on Inst 2 5. Flush packets in events to Inst 2 6. Update forwarding Controller Loss-free move using events 18 R1 Inst 2 Inst 1 B3B1 drop B1 B1,B2 B2 B1,B2,B3 C2: Race conditions Stop processing; buffer at controller

19 Order-preserving: All packets should be processed in the order they were forwarded to the NF instances by the switch Controller Switch Inst 2 5. Flush buffer 6. Issue fwd update Inst 1 B2 B3B4 B3 B2 B4 B3 C2: Race conditions Re-ordering of updates Two-stage update to track last packet at NF1

Flush packets in events to Inst 2 w/ “do not buffer” enableEvents(blue,buffer) on Inst 2 Forwarding update: send to Inst 1 & controller Wait for packet from switch (remember last) Forwarding update: send to Inst 2 Wait for event from Inst 2 for last Inst 1 packet Release buffer of packets on Inst 2 Order-preserving move 20 R1 drop B1 B1,B2 B2 B1,B2,B3 buf B3 B4 B1,B2, B3, B4 C2: Race conditions Track last packet; sequence updates

Bounding overhead Apps decide, based on NF type, objective: granularity of reallocation operations move, copy or share filter, scope guarantees desired move: no-guarantee, loss-free, loss-free + order-preserving copy: no or eventual consistency share: strong or strict consistency C3: Applications

HTTP req Load-balanced network monitoring movePrefix(prefix,oldInst,newInst): copy(oldInst,newInst,{nw_src:prefix},multi) move(oldInst,newInst,{nw_src:prefix},per,LF+OP) while (true): sleep(60) copy(oldInst,newInst,{nw_src:prefix},multi) copy(newInst,oldInst,{nw_src:prefix},multi) scan.bro vulnerable.bro weird.bro scan.bro vulnerable.bro weird.bro C3: Applications scan.bro vuln.broweird.bro

Implementation OpenNF Controller (≈4.7K lines of Java) – Written atop Floodlight Shared NF library (≈2.6K lines of C) Modified NFs (4-10% increase in code) – Bro (intrusion detection) – PRADS (service/asset detection) – iptables (firewall and NAT) – Squid (caching proxy) Testbed: HP ProCurve connected to 4 servers 23 Impl & Eval

Microbenchmarks: NFs 24 Serialization/deserialization costs dominate Cost grows with state complexity Impl & Eval

State: 500 flows in PRADS; Traffic: 5000 pkts/sec Move per-flow state for all flows Microbenchmarks: operations 25 Packets dropped! packets in events Guarantees come at a cost! Copy (MF state) – 111ms Share (strong) – 13ms per pkt D = f(load,state,speed) Impl & Eval 1120 packets buffered at Inst packets in events +

Macrobenchmarks: end-to-end benefits Load balanced monitoring with Bro IDS – Load: replay cloud trace at 10K pkts/sec – At 180 sec: move HTTP flows (489) to new Bro – At 360 sec: move HTTP flows back to old Bro OpenNF scaleup: 260ms to move (optimized, loss-free) – Log entries equivalent to using a single instance VM replication: 3889 incorrect log entries – Cannot support scale-down Forwarding control only: scale down delayed by more than 1500 seconds Impl & Eval

Wrap up! OpenNF enables rich control of the packet processing happening across instances of an NF Quick, key safety guarantees, Low overhead, minimal NF modifications 27

Backup

Copy and share Used when multiple instances need to access a particular piece of state Copy – eventual consistency – Issue once, periodically, based on events, etc. Share – strong – All packets reaching NF instances trigger an event – Packets in events are released one at a time – State is copied between packets 29 C2: Race conditions

Example app: Selectively invoking advanced remote processing enhanceProcessing(flowid,locInst): move(locInst,cloudInst,flowid,per,LF) scan.bro vulnerable.bro weird.bro scan.bro vulnerable.bro weird.bro scan.bro vulnerable.bro weird.bro detect-MHR.bro scan.bro vulnerable.bro weird.bro detect-MHR.bro! C3: Applications HTTP req Enterprise n/w Internet checks md5sum of HTTP reply No need for: (1) order-preservation (2) copying multi-flow state

Existing approaches Control over routing (PLayer, SIMPLE, Stratos) Virtual machine replication – Unneeded state => incorrect actions – Cannot combine => limited rebalancing Split/Merge and Pico/Replication – Address specific problems => limited suitability – Require NFs to create/access state in specific ways => significant NF changes 31

Controller performance Improve scalability with P2P state transfers 32

Macrobenchmarks: Benefits of Granular Control Two clients make HTTP requests – 40 unique URLs Initially, both go to Squid1 20s later  reassign client 1 to Squid2 MetricIgnoreCopy-clientCopy-all S1117 S2crashed3950 State transferred 04MB54MB Granularities of copy Impl & Eval