ORange: Multi Field OpenFlow based Range Classifier
Liron Schiff (Tel Aviv University), Yehuda Afek (Tel Aviv University), Anat Bremler-Barr (Inter Disciplinary Center)
The 11th ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS '15)
Supported by the European Research Council (ERC) Starting Grant no and by the Israel Science Foundation Grant no. 1386/11.
Presenter: Netanel Cohen (Inter Disciplinary Center)
Range-based packet classification: Firewalls, Forwarding, Load Balancers, DDoS mitigation, … [Figure: traffic from the Internet spread over replicas; two range tables with columns Start, End, Action (Server r, …, Drop), one on Source IP Address and one on Destination IP Address.]
But OpenFlow matches cannot be ranges! – Only masked values. No consistent multi-switch update. [Figure: a Flow Table of Flow Entries (Match, Actions) applied to the packet header fields Field 1, Field 2, …, Field k.]
Contributions
Ranges classification in OpenFlow: ORange1
– Costs 2 entries per range (instead of linear with field size, usually 16 or 32)
Multi Field ranges classification: ORange-k
Update consistency (with ranges)
– Per packet, per flow and cross-entrance
Single Field Ranges classification in OpenFlow: ORange1
Ranges by Naive Prefix Expansion: 2w – 2 entries per range; 62 entries per IPv4 range, 254 entries per IPv6 range. [Figure: range table with columns Start, End, Action (Server A, Server B).]
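The 2w – 2 figure can be reproduced with the standard range-to-prefix split. The following Python sketch is an added example, not code from the paper or its authors; the function names are hypothetical.

```python
def range_to_prefixes(lo, hi, w):
    """Split the inclusive range [lo, hi] of a w-bit field into the minimal
    list of ternary prefixes ('0', '1', '*') a masked match can express."""
    if not 0 <= lo <= hi < (1 << w):
        raise ValueError("need 0 <= lo <= hi < 2**w")
    prefixes = []
    while lo <= hi:
        # Largest power-of-two block aligned at lo ...
        size = lo & -lo if lo else 1 << w
        # ... shrunk until it no longer runs past hi.
        while size > hi - lo + 1:
            size >>= 1
        free_bits = size.bit_length() - 1   # wildcarded low bits
        fixed = w - free_bits               # exact-match high bits
        bits = format(lo >> free_bits, "0{}b".format(fixed)) if fixed else ""
        prefixes.append(bits + "*" * free_bits)
        lo += size
    return prefixes


def worst_case_entries(w):
    """Entries needed for the worst-case range [1, 2**w - 2]."""
    return len(range_to_prefixes(1, (1 << w) - 2, w))


if __name__ == "__main__":
    # Constructed inputs: a 4-bit worst case, then IPv4 and IPv6 widths.
    print(range_to_prefixes(1, 14, 4))
    print(worst_case_entries(32), worst_case_entries(128))
```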
Ternary CAMs (TCAMs)
Associative memory chips. Properties:
– Ternary values ('0', '1' and '*')
– High throughput (300M ops per sec for 1Mb TCAM)
– Used in routers (IP lookup, classification)
– Expensive, high power consumption -> limited size
– Sometimes used to implement Flow Tables
[Figure: a TCAM holding ternary entries, with labels in, m and out.]
A non OpenFlow Approach - PIDR [Panigrahy&Sharma2003]. TCAMs: 1-ELCPs (0011**** …) and 0-ELCPs (0010**** …). Longest common prefix (LCP):
A non OpenFlow Approach - PIDR [Panigrahy&Sharma2003] [Figure: two TCAMs, each with a Query step and a Read Range Bound step, and a Compare step.]
Adapting PIDR to OpenFlow
PIDR:
Special hardware design
– Parallel TCAMs
– Query and read range bounds
– Comparing with bounds
Static configuration
– No online updates
ORange1:
New OpenFlow design
– OpenFlow pipeline
– Match+Action sets field
– Compare by flow table and metadata field
Dynamic configuration
– Consistent updates
Adapting PIDR to OpenFlow: Even comparisons are Flow-Table based! [Figure: the PIDR diagram, with Query and Read Range Bound labelled "Flow Table match + action" and Compare labelled "Flow Table based comparisons".]
Converting TCAM to Flow Table. ELCPs Flow Table entry: Match (on q): 0011****; Actions: Write rid,55 to metadata. [Figure: a packet with q = 51 enters the ELCPs Flow Table and leaves carrying q, max, rid.]
Adapting PIDR to OpenFlow [Figure: pipeline for a packet with field q. Tables: ELCP1s (size n TCAM), Compare max≥q (size 2w TCAM), ELCP0s (size n TCAM), Compare min≤q (size 2w TCAM), RIDs (size n CAM). Values carried between tables: q, max/min, rid. Edge labels: True, False, no match. Outcomes: Range Action, or Drop / controller.]
OpenFlow based Comparison patterns: match on the packet header fields q and m; 2w+1 entries, where w is the field's width (32 for IPv4).
q          m          Result
0*******   1*******   m>q
1*******   0*******   m<q
*0******   *1******   m>q
*1******   *0******   m<q
…
*******0   *******1   m>q
*******1   *******0   m<q
********   ********   m=q
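The comparison table can be modelled as a prioritized list of ternary entries, where the first matching entry wins and therefore the most significant differing bit decides. The following Python sketch is an added example, not code from the paper or its authors; the function names and the range [48, 55] are constructed for illustration (q = 51 and max = 55 are the values on the earlier slide).

```python
def build_compare_table(w):
    """Return the 2w+1 entries (q_pattern, m_pattern, result) in priority
    order: earlier entries win, like higher-priority flow entries."""
    table = []
    for i in range(w):                      # i = 0 is the most significant bit
        left, right = "*" * i, "*" * (w - i - 1)
        table.append((left + "0" + right, left + "1" + right, "m>q"))
        table.append((left + "1" + right, left + "0" + right, "m<q"))
    table.append(("*" * w, "*" * w, "m=q"))  # lowest priority: no bit differs
    return table


def ternary_match(pattern, value, w):
    """True if the w-bit value matches a pattern over '0', '1', '*'."""
    bits = format(value, "0{}b".format(w))
    return all(p in ("*", b) for p, b in zip(pattern, bits))


def compare(table, q, m, w):
    """Look up (q, m) and return the result of the first matching entry."""
    for q_pat, m_pat, result in table:
        if ternary_match(q_pat, q, w) and ternary_match(m_pat, m, w):
            return result
    raise LookupError("unreachable: the last entry is all wildcards")


def in_range(table, q, lo, hi, w):
    """The two checks of the pipeline: max >= q and min <= q."""
    return compare(table, q, hi, w) != "m<q" and compare(table, q, lo, w) != "m>q"


if __name__ == "__main__":
    t8 = build_compare_table(8)
    print(len(t8), compare(t8, 51, 55, 8), in_range(t8, 51, 48, 55, 8))
    print(len(build_compare_table(32)))   # table size for IPv4
```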
Reducing Pipeline Length [Figure: the same pipeline (ELCP1s, Compare max≥q, ELCP0s, Compare min≤q, RIDs), annotated in two places with "No need if ranges span the entire space" and in one place with "Can be implemented by the groups table".]
ORange1 Implementation
Space Complexity (entries per range)
– Naive Approach: 2w-2
– Our work: 2
e.g. for 100 IPv4 ranges: 6,200 vs 265 entries (2 per range + 65 for comparison table)
Limitation – only disjoint ranges
k field Ranges Classification: ORange-k
Multi Dimensional Ranges. Naive expansion: #entries exponentially grows with the dimension k: entries per range. Bigger problem!
Field Reduction Given k-dimensional ranges:
Field Reduction We project them on each axis
Field Reduction: We decompose each axis into disjoint intervals: [1,3], [4,6], [7,10], [11,13]
Field Reduction: We re-encode the ranges according to interval ids
Field Reduction For each packet we re-encode its field values
Field Reduction: Smaller fields make a much smaller k-dimensional encoding
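The field-reduction steps above, carried through on a small input. This Python sketch is an added example, not code from the paper or its authors; the function names and the three 2-dimensional ranges are constructed, chosen so that the first axis splits into the intervals [1,3], [4,6], [7,10], [11,13] shown on the slide.

```python
import bisect

# Constructed sample: three overlapping 2-D ranges, one (lo, hi) pair per axis.
RANGES = [((1, 6), (100, 200)), ((4, 10), (150, 300)), ((7, 13), (50, 120))]


def cut_points(ranges, axis):
    """Project every range on one axis; each start and each end+1 is a cut.
    Interval i is [cuts[i], cuts[i+1] - 1], so the intervals are disjoint."""
    cuts = set()
    for box in ranges:
        lo, hi = box[axis]
        cuts.update((lo, hi + 1))
    return sorted(cuts)


def encode_value(cuts, v):
    """Interval id of a field value, or None if no range projects there."""
    i = bisect.bisect_right(cuts, v) - 1
    return i if 0 <= i < len(cuts) - 1 else None


def reduce_fields(ranges):
    """Return per-axis cut lists and the ranges re-encoded in interval ids."""
    cuts = [cut_points(ranges, a) for a in range(len(ranges[0]))]
    encoded = [tuple((encode_value(c, lo), encode_value(c, hi))
                     for c, (lo, hi) in zip(cuts, box)) for box in ranges]
    return cuts, encoded


def classify(cuts, encoded, packet):
    """Re-encode the packet's fields, then match on the smaller id fields."""
    ids = [encode_value(c, v) for c, v in zip(cuts, packet)]
    if None in ids:
        return []
    return [n for n, box in enumerate(encoded)
            if all(lo <= i <= hi for i, (lo, hi) in zip(ids, box))]


def id_bits(cuts):
    """Bits needed per re-encoded field (at least 1)."""
    return [max(1, (len(c) - 2).bit_length()) for c in cuts]


if __name__ == "__main__":
    cuts, encoded = reduce_fields(RANGES)
    print(cuts[0], encoded, id_bits(cuts))
    print(classify(cuts, encoded, (5, 160)), classify(cuts, encoded, (12, 60)))
```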
ORange-k Implementation: Re-encode each field in the metadata field, then classify by the new (smaller) k field ranges. [Figure: packet header fields field1, field2, …, field k go through ORange1 Classifier #1, ORange1 Classifier #2, …, ORange1 Classifier #k, producing metadata f1, f2, …, fk, followed by a k dims. Classifier.]
ORange-k Implementation
ORange-k Space Improvement 1000 Random ranges 16bit fields
ORange-k Space Improvement: Total space for 100 Random 4-dimensional ranges. [Plot legend: Naïve expansion, ORange]
Consistency As time permits
Update Consistency
Consistency of adding, changing and deleting ranges
Three levels of consistency:
– Per-Packet
– Per-Flow
– Cross-Entrance
Per-Packet consistency: Change affects several entries. [Figure: range table with columns Start, End, Action (Server A, Server B) and the flow table.]
Per-Packet consistency: Change affects several entries. Need atomicity (while traffic passes through). Existing solutions are implemented using packet buffering, or duplicating and switching tables. [Figure: timeline of Flow Table Accesses showing a single range update as a series of "modify entry" operations, and a Packet match on the same timeline.]
Per-Flow Consistency [Reitblatt, Foster, Rexford, Schlesinger, Walker 2012] [Figure: client's IPs from the Internet mapped by a range table (Start, End, Action: Server) onto replicas.]
Per-Flow Consistency [Wang, Butnariu, Rexford, 2011]: Change in weights, change in ranges. But existing flow shouldn't change. [Figure: client's IPs from the Internet mapped by a range table (Start, End, Action: Server) onto replicas.]
Per-Flow Consistency [Wang, Butnariu, Rexford, 2011]: New flow. [Figure: client's IPs mapped by a range table (Start, End, Action: Server) onto replicas.]
Cross-Entrance Consistency [Figure: client's IPs from the Internet entering an SDN Network that leads to the replicas; one entrance is marked X.]
Summary
Efficient Ranges implementation in OpenFlow
– One dimensional – ORange1
– Multi-dimensional – ORange-k
Update Consistency
– Per packet
– Per flow
– Cross-entrance
Questions?