NetEgg: Scenario-based Programming for SDN Policies
Yifei Yuan, Dong Lin, Rajeev Alur, Boon Thau Loo
University of Pennsylvania
Software-Defined Networking (SDN)
[Figure: control plane (controller running apps, e.g. POX, NOX, Floodlight, exposing APIs) above the data plane, connected by OpenFlow; further labels: distributed protocols, Programmability]
Sample routing table: Dst | NextHop: A | 2, ...
Sample flow table: Match | Action: Src=A | drop, ...
Programming Abstractions
General-purpose programming languages: C/C++ (NOX), Python (POX), Java (Floodlight), ...
Domain-specific languages: Declarative Networking [CACM'09], Frenetic [ICFP'11], NetCore [POPL'12], Pyretic [NSDI'13], NetKAT [POPL'14], ...
Target: engineers with good programming skills
How about network operators?
Do network operators need to program the network?
How well can they master programming skills?
Industry Interviews
Interviewed 74 network operators/architects/engineers in telcos, banks, service providers, campus IT, and router vendors
– Need for programming skills among network operators
– (Lack of) programming expertise
Programming Need
Lack of Programming Expertise
Hard to hire people who have good knowledge of both programming and network operations
– Retraining operation teams on programming
– Hiring software developers who know networking
Goal of NetEgg: intuitive and concise programming abstractions targeting non-programmers
Programming Policies Today
[Figure: example behaviors → policy (work hard!) → controller]

Programming Policies Today
[Figure: example behaviors → policy → controller; test examples → test/verify/debug → bad behaviors → counter examples → back to the policy (work HARDER!)]
Programming Policies Today
[Figure: the same loop again: test examples → test/verify/debug → bad behaviors → counter examples → back to the policy (work HARDER, HARDER..!)]
NetEgg Overview
[Figure: example behaviors → Synthesizer → Policy → Interpreter → Controller; the interpreter consumes network events and emits action instructions / rule installation; bad behaviors and conflicts are reported back to the user]
Example
Learning switch:
1. Learn the mapping between hosts and ports
2. Forward packets according to the learnt mapping
[Figure: a switch with ports 1, 2, 3 attached to hosts A, B, C; the scenario shows the actions flood, fwd(p1), fwd(p2)]
A Stateful Policy Model
Intuition: states + cases
Learning switch:
– States: mapping between hosts and ports
– Case 1: flood packets if the destination is unknown; store the port for the source
– Case 2: forward packets otherwise; store the port for the source in packets
Policy Table:
Match | Test | Action | Update
* | ST(dst).state=0 | flood | ST(src):=(1,port)
* | ST(dst).state=1 | fwd(ST(dst).value) | ST(src):=(1,port)

State Table (ST) snapshots:
MAC | State | Value
A | 1 | 1

MAC | State | Value
A | 1 | 1
C | 1 | 3

[Figure: controller above a switch with ports 1, 2, 3 attached to hosts A, B, C]
Synthesizer
Match | Test | Action | Update
* | ST(dst).state=0 | flood | ST(src):=(1,port)
* | ST(dst).state=1 | fwd(ST(dst).value) | ST(src):=(1,port)
Synthesis Algorithm
Goal:
– Consistent with all scenarios
– Minimize the number of rules
Approach:
1. Greedy search over policy templates
2. Backtrack with pruning
Synthesis Algorithm Illustration
[Figure: candidate policy tables with an increasing number of rules; partial templates such as "* | ST(dst).state=0 | ..." and "* | ST(dst).state=1 | ..." are explored, with backtracking and pruning at each level]
Resulting policy table:
Match | Test | Action | Update
* | ST(dst).state=0 | flood | ST(src):=(1,port)
* | ST(dst).state=1 | fwd(ST(dst).value) | ST(src):=(1,port)
Details in the paper
Rule Installation
Idea: keep rules that do not update state tables on the switch
State Table (ST):
MAC | State | Value
A | 1 | 2
B | 1 | 3
Policy Table:
Match | Test | Action | Update
* | ST(dstmac).state=0 | flood | ST(srcmac):=(1,port)
* | ST(dstmac).state=1 | fwd(ST(dstmac).value) | ST(srcmac):=(1,port)
Rules installed on the switch:
Match | Action
inport=3, srcmac=B, dstmac=A | fwd(2)
... | ...
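An added example, not code from the NetEgg paper or its implementation: a small Python interpreter for the stateful policy model of the previous slides, run over the learning-switch policy table, together with the rule-installation criterion of this slide. The names PolicyRule, process, ST and the dict-based packet encoding are this example's own, and the host and port values are constructed from the slide.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# State table ST: MAC -> (state, value), value = learnt port (names are this example's own).
State = Tuple[int, int]
ST: Dict[str, State] = {}

def st(mac: str) -> State:
    """ST(mac): a host never seen is in state 0 with no port recorded."""
    return ST.get(mac, (0, -1))

def learn(pkt: dict) -> None:
    """The Update column of both rules: ST(src) := (1, port)."""
    ST[pkt["src"]] = (1, pkt["port"])

@dataclass
class PolicyRule:
    match: Callable[[dict], bool]             # header predicate ('*' = always)
    test: Callable[[dict], bool]              # predicate over the state table
    action: Callable[[dict], str]             # flood or fwd(port)
    update: Optional[Callable[[dict], None]]  # state-table update, if any

# The learning-switch policy table from the slides, one PolicyRule per row.
LEARNING_SWITCH: List[PolicyRule] = [
    PolicyRule(lambda p: True, lambda p: st(p["dst"])[0] == 0,
               lambda p: "flood", learn),
    PolicyRule(lambda p: True, lambda p: st(p["dst"])[0] == 1,
               lambda p: "fwd(%d)" % st(p["dst"])[1], learn),
]

def process(rules: List[PolicyRule], pkt: dict) -> Tuple[str, Optional[dict]]:
    """One interpreter step: the first rule whose Match and Test hold fires.
    Returns the action and, if the Update left ST unchanged, a concrete
    match/action entry for the switch (rule installation: only behaviour that
    no longer touches controller state is pushed down to the data plane)."""
    for rule in rules:
        if rule.match(pkt) and rule.test(pkt):
            before = dict(ST)
            act = rule.action(pkt)
            if rule.update:
                rule.update(pkt)
            if ST == before:
                return act, {"inport": pkt["port"], "srcmac": pkt["src"],
                             "dstmac": pkt["dst"], "action": act}
            return act, None
    raise LookupError("no policy rule applies to %r" % pkt)

def reset() -> None:
    ST.clear()
```

Running the three packets A→B on port 2, B→A on port 3, and B→A on port 3 again reproduces the slide: the first two are handled at the controller while ST changes, and only the third yields the installable entry inport=3, srcmac=B, dstmac=A → fwd(2).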
Evaluation
Is scenario-based programming feasible?
– Expressiveness
– Programming time
– Efficiency
Is the performance of synthesized implementations comparable to hand-crafted implementations?
– Controller response latency
– End-to-end performance
Expressiveness & Efficiency
Programming Time
12 graduate students (good at programming)
3 programming assignments:
– Mac learner
– Stateful firewall
– TCP firewall
Programming using:
– POX
– NetEgg
User Study: Programming Time
[Chart: programming time with NetEgg relative to POX for the State Firewall, Mac Learner and TCP Firewall assignments; the values shown are 50% less, 72% less and 6% more]
POX Code: Stateful firewall

NetEgg Scenarios: Stateful firewall

Synthesized Policy Table: Stateful firewall

Response Time
End-to-end performance
Topology: fat-tree, 20 switches, 16 hosts
Policy: learning switch
Setup:
– 1 host as HTTP server
– other hosts send HTTP requests to the server
– benchmark connection time (i.e. the time between a request being issued and its completion)
End-to-end performance
Conclusion
Scenario-based programming for SDN policies:
– Expressive enough to program a range of policies
– Concise in code size
– Comparable performance to hand-crafted implementations
Future work:
– Expanded user study
– Objective-oriented policies: TE, shortest-path routing
– Combine with network monitoring
Questions?