OpenNF: Enabling Innovation in Network Function Control. Aaron Gember, Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid Khalid, Sourav Das, Aditya Akella.
Presentation transcript:


SDN + software NFs
- NFs examine/modify packets at layers 3-7
- Software NFs are replacing physical appliances
- SDN applications (PLayer, SIMPLE, Stratos, etc.) steer flows through NFs
(Figure: Home Users reach a Web Server through a Firewall, an Intrusion Prevention system and a Caching Proxy.)
Enables new applications that control the packet processing happening across instances of an NF

Example: scaling & load balancing
- Not moving flows => bottleneck persists
- Naively moving flows => incorrect NF behavior
(Figure: the Firewall, Intrusion Prevention and Caching Proxy chain between Home Users and the Web Server.)
Requires a control plane that enables management of both internal NF state and network forwarding state

Challenges
1. Dealing with race conditions: packets may arrive while state is being moved, causing state updates to be lost or re-ordered
2. Giving applications flexibility: may need to move state at different granularities
3. Supporting many NFs with minimal changes: undesirable to force NFs to conform to certain state structures or allocation/access strategies

OpenNF
(Figure: control applications use the northbound API of the OpenNF controller; the OpenNF controller uses the southbound API to reach NF instances and an SDN controller to update forwarding.)

Outline
- Overview
- Requirements
- Design
  – Southbound API (addresses NF diversity)
  – Northbound API (addresses race conditions)
- Evaluation

Requirements
- Move flow-specific NF state at various granularities
- Copy and combine, or share, NF state pertaining to multiple flows
- Support key guarantees (no loss, order preserved) when needed
- Track when/how state is updated

Existing approaches
- Control over routing (PLayer, SIMPLE, Stratos)
- Virtual machine replication
  – Unneeded state => incorrect actions
  – Cannot combine => limited rebalancing
- Split/Merge and Pico/Replication
  – Address specific problems => limited suitability
  – Require NFs to create/access state in specific ways => significant NF changes

NF state taxonomy
- State created or updated by an NF applies to either a single flow or a collection of flows
- Classify state based on scope:
  – Per-flow state (e.g., Connection, TcpAnalyzer and HttpAnalyzer objects)
  – Multi-flow state (e.g., ConnCount)
  – All-flows state (e.g., Statistics)
- Flow provides a natural way for reasoning about which state to move, copy, or share

API to export/import state
- Three simple functions: get, put, delete
  – Version for each scope (per-, multi-, all-flows)
  – Filter defined over packet header fields
- NFs responsible for
  – Identifying and providing all state matching a filter
  – Combining provided state with existing state
- No need to expose internal state organization
- No changes to conform to a specific allocation strategy

API to observe/prevent updates
- Problem: need to prevent (e.g., during move) or observe (e.g., to trigger copy) state updates
- Solution: event abstraction
  – Functions: enableEvents and disableEvents
  – Instruct NF to raise an event and process, buffer, or drop packets matching a filter
- Only need to change an NF's receive packet function

Move operation
(Figure: the control application calls move(port=80, Inst1, Inst2) on the OpenNF controller. The controller issues getPerflow(port=80) to Inst1, which returns the matching state in chunks; each chunk is imported into Inst2 with putPerflow(Chunk1), putPerflow(Chunk2); delPerflow(port=80) removes it from Inst1; finally the controller asks the SDN controller to forward(port=80, Inst2).)

Packet arrivals during move
- Packets may arrive during a move operation
- Fix: suspend traffic flow and buffer packets
  – May last 100s of ms => connection timeouts
  – Packets in-transit when buffering starts are dropped
(Figure: during move(yellow, Inst1, Inst2), packets of the yellow flow still reach Inst1, so Inst2 is missing updates.)
Loss-free: All state updates due to packet processing should be reflected in the transferred state, and all packets the switch receives should be processed

Use events for loss-free move
1. enableEvents(blue, drop) on Inst1
2. get / delete on Inst1; put on Inst2
3. Buffer events at controller
4. Flush packets in events to Inst2
5. Update forwarding
(Figure: Inst1 holds state S; a packet A arriving during the transfer is raised as an event and buffered at the controller instead of being processed; Inst2 receives S and, once A is flushed to it, holds S+A.)

Re-ordering of packets
Order-preserving: All packets should be processed in the order they were forwarded to the NF instances by the switch
(Figure: after the controller flushes its buffer and requests the forwarding update, a packet A still in transit to Inst1 is raised as an event and flushed to Inst2 only after packets D1 and D2 have already reached Inst2 directly from the switch, so Inst2 processes them out of order.)

Order-preserving move
1. Flush packets in events to Inst2
2. enableEvents(blue, buffer) on Inst2
3. Forwarding update: send to Inst1 & controller
4. Wait for packet from switch (remember last)
5. Forwarding update: send to Inst2
6. Wait for event for last packet from Inst2
7. Release buffer of packets on Inst2
(Figure: Inst2's state goes S, S+A; A, which went via Inst1, is processed before the directly delivered D1, matching the order the switch forwarded them.)
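To make the race on the "Packet arrivals during move" slide and the two guarantees on the two slides above concrete, the following simulation is an added example; it is not code from the OpenNF paper, its Floodlight-based controller or its NF library. It models a toy NF whose per-flow state is a packet counter, the southbound calls (getPerflow/putPerflow/delPerflow over a header-field filter, enableEvents with drop or buffer), a switch whose single rule the controller sets with forward(), and one move() routine that runs with no guarantee, loss-free (LF), or loss-free plus order-preserving (LF+OP). Assumptions of ours: a packet is a dict of header fields plus a sequence number; NF-bound packets stay "in transit" until deliver() is called so a race can be staged; and a packet the controller flushes to the destination is processed immediately while packets arriving from the switch are held (the S, S+A, A, D1 sequence on the order-preserving slide implies this). All class and function names are ours.

```python
"""Toy OpenNF-style move of per-flow NF state, with and without guarantees.
Added example, not code from the OpenNF paper, its controller or NF library:
a counter-keeping NF, the southbound API (get/put/delPerflow over a header
filter, enableEvents), a controller-programmed switch and the slides' move
procedures. Packet format, names and the 'from_controller' flag are ours."""
FLOW = ("nw_src", "tp_dst")                 # header fields that identify a flow here


def matches(filt, pkt):                     # a filter is a dict over header fields
    return all(pkt.get(k) == v for k, v in filt.items())


class NF:
    """Per-flow state = packets seen per flow. Only receive() knows about events."""
    def __init__(self):                     # state: flow key -> {"pkts": n}; events: (filter, action)
        self.state, self.events, self.raised, self.held, self.processed = {}, None, [], [], []
    def get_perflow(self, filt):            # export per-flow state matching a filter
        return {k: dict(s) for k, s in self.state.items() if matches(filt, dict(zip(FLOW, k)))}
    def put_perflow(self, chunk):           # import; the NF decides how to merge with what it has
        for k, s in chunk.items():
            self.state.setdefault(k, {"pkts": 0})["pkts"] += s["pkts"]
    def del_perflow(self, filt):
        self.state = {k: s for k, s in self.state.items() if not matches(filt, dict(zip(FLOW, k)))}
    def enable_events(self, filt, action):  # action: "drop", "buffer", or None to disable
        self.events = (filt, action) if action else None
    def release_buffer(self):
        while self.held:
            self._process(self.held.pop(0))
    def receive(self, pkt, from_controller=False):   # the one NF code path that had to change
        if self.events and matches(self.events[0], pkt):
            self.raised.append(pkt)                  # raise an event carrying the packet
            if not from_controller:                  # packets flushed by the controller are processed
                if self.events[1] == "buffer":
                    self.held.append(pkt)
                return
        self._process(pkt)
    def _process(self, pkt):
        self.state.setdefault(tuple(pkt[f] for f in FLOW), {"pkts": 0})["pkts"] += 1
        self.processed.append(pkt["seq"])


class Controller:
    last_seen = None                        # last packet the switch copied to us
    def receive(self, pkt):
        self.last_seen = pkt
    def flush(self, src, dst):              # hand packets raised by src to dst, in order
        for p in src.raised:
            dst.receive(p, from_controller=True)
        src.raised = []


class Switch:                               # one rule; controller copies arrive instantly,
    def __init__(self):                     # NF-bound packets wait in transit until deliver()
        self.rule, self.in_transit = None, []
    def forward(self, filt, receivers):
        self.rule = (filt, receivers)
    def send(self, pkt):
        if self.rule and matches(self.rule[0], pkt):
            for r in self.rule[1]:
                if isinstance(r, Controller):
                    r.receive(pkt)
                else:
                    self.in_transit.append((r, pkt))
    def deliver(self):
        for r, p in self.in_transit:
            r.receive(p)
        self.in_transit = []


def move(sw, ctrl, src, dst, filt, late, direct, guarantee="none"):
    """Move state matching filt; guarantee is "none", "LF" or "LF+OP"; late is sent toward src mid-move."""
    if guarantee != "none":
        src.enable_events(filt, "drop")     # src raises events instead of processing
    dst.put_perflow(src.get_perflow(filt))
    src.del_perflow(filt)
    ctrl.flush(src, dst)                    # events raised while state was in flight
    if guarantee == "LF+OP":
        dst.enable_events(filt, "buffer")   # hold packets that reach dst from the switch
        sw.forward(filt, [src, ctrl])       # so the controller sees the last packet sent to src
    sw.send(late)
    last = ctrl.last_seen
    sw.forward(filt, [dst])
    sw.send(direct)
    sw.deliver()            # none: src processes late after its state left -> update lost
    ctrl.flush(src, dst)    # LF: late (raised at src) now reaches dst, after direct -> reordered
    if guarantee == "LF+OP":
        assert last in dst.raised           # "wait" for dst's event for that last packet
        dst.release_buffer()                # flushed late was processed; now the held direct
    src.enable_events(filt, None)
    dst.enable_events(filt, None)


def run(guarantee):
    """Seed src with 3 packets of one HTTP flow, move it; return (dst count, dst order, src flows)."""
    sw, ctrl, src, dst = Switch(), Controller(), NF(), NF()
    pkt = lambda seq: {"nw_src": "10.0.0.7", "tp_dst": 80, "seq": seq}   # constructed packets
    sw.forward({"tp_dst": 80}, [src])
    for seq in (1, 2, 3):
        sw.send(pkt(seq))
    sw.deliver()
    move(sw, ctrl, src, dst, {"tp_dst": 80}, pkt(4), pkt(5), guarantee)
    return dst.state[("10.0.0.7", 80)]["pkts"], dst.processed, len(src.state)


if __name__ == "__main__":
    print({g: run(g) for g in ("none", "LF", "LF+OP")})
```

Running it prints, for each setting, the destination's counter, the order in which it processed packets, and how many flows the source still holds. With no guarantee, packet 4 is processed by the source after its state has already been exported and deleted, so the destination ends at 4 instead of 5 and the source is left with an orphaned flow entry. With LF nothing is lost, but the destination processes 5 before 4 because 4 was still in transit to the source when forwarding changed. With LF+OP the two-step forwarding update plus the buffer on the destination yields 4 then 5, the order the switch forwarded them.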

Copy and share operations
- Used when multiple instances need to access a particular piece of state
- Copy: no or eventual consistency
  – Issue once, periodically, based on events, etc.
- Share: strong or strict consistency
  – All packets reaching NF instances trigger an event
  – Packets in events are released one at a time
  – State is copied between packets

Example app: Load balanced network monitoring
(Both Bro instances load scan.bro, vulnerable.bro and weird.bro.)

    movePrefix(prefix, oldInst, newInst):
        copy(oldInst, newInst, {nw_src: prefix}, multi)
        move(oldInst, newInst, {nw_src: prefix}, per, LF+OP)
        while (true):
            sleep(60)
            copy(oldInst, newInst, {nw_src: prefix}, multi)
            copy(newInst, oldInst, {nw_src: prefix}, multi)

Example app: Selectively invoking advanced remote processing
(The local Bro instances load scan.bro, vulnerable.bro and weird.bro; the cloud instance additionally loads detect-MHR.bro.)

    enhanceProcessing(flowid, locInst):
        move(locInst, cloudInst, flowid, per, LF)

Implementation
- OpenNF Controller (≈3.8K lines of Java), written atop Floodlight
- Shared NF library (≈2.6K lines of C)
- Modified NFs (3-8% increase in code):
  – Bro (intrusion detection)
  – PRADS (service/asset detection)
  – iptables (firewall and NAT)
  – Squid (caching proxy)

End-to-end benefits
Load balanced monitoring with Bro IDS
- Load: 10K pkts/sec cloud trace
- After 180 sec: move HTTP flows (489) to new Bro
- OpenNF: 260ms to move (optimized, loss-free); log entries equivalent to using one instance
- VM replication: 3889 incorrect log entries
- Forwarding control only: scale down delayed by > 1500 seconds

Southbound API call processing
- Serialization/deserialization costs dominate
- Cost grows with state complexity

Efficiency with guarantees
State: 500 flows in PRADS; Load: 1000 pkts/s
- Move (figure): without guarantees, packets are dropped; with guarantees, 230 packets were carried in events and 130 packets were buffered at dstInst
- Copy: 176ms
- Share: 7ms (or more) for every packet
Guarantees come at a cost!

Controller performance
- Improve scalability with P2P state transfers

Conclusion
- Systematically engineered APIs implemented by NFs and used by control applications
- Enables rich control of the packet processing happening across instances of an NF
- Provides key guarantees and requires minimal NF modifications