Presentation is loading. Please wait.

Presentation is loading. Please wait.

Stochastic Pre-Classification for SDN Data Plane Matching Author : Luke McHale, C. Jasson Casey, Paul V. Gratz, Alex Sprintson Conference: 2014 IEEE 22nd.

Published byAdelia Caldwell Modified over 9 years ago

Similar presentations

Presentation on theme: "Stochastic Pre-Classification for SDN Data Plane Matching Author : Luke McHale, C. Jasson Casey, Paul V. Gratz, Alex Sprintson Conference: 2014 IEEE 22nd."— Presentation transcript:

1 Stochastic Pre-Classification for SDN Data Plane Matching Author : Luke McHale, C. Jasson Casey, Paul V. Gratz, Alex Sprintson Conference: 2014 IEEE 22nd International Conference on Network Protocols Presenter: Tung-yin Chi Date: 2015/7/22 Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C.

2 Motivation SDNs increase stress on Packet Classification Higher complexity compared to traditional networks Generalizing increases timing variability Denial of Service (DoS) attacks on SDN switches are a potential issue Wastes resources, crowding out legitimate packets Inherent problem: traffic must be classified before it can be determined malicious National Cheng Kung University CSIE Computer & Internet Architecture Lab 2

3 Packet Classification Exact Matching Hash Tables Prefix Match Tries Arbitrary TCAM (limited in size/availability) National Cheng Kung University CSIE Computer & Internet Architecture Lab 3

4 Packet Classification National Cheng Kung University CSIE Computer & Internet Architecture Lab 4

5 Flow Locality 35% of the flows contain 95% of the packets The active-flow window is constantly changing National Cheng Kung University CSIE Computer & Internet Architecture Lab 5

6 Flow Caching Flow Locality -> Caching becomes fast-path Keeps high-throughput flows Lookup: exact-match using key (i.e. 5-tuple) Cache: action set Hits: bypass Table and Flow selection National Cheng Kung University CSIE Computer & Internet Architecture Lab 6

7 Pre-Classification Attacks aim to stress slow-path (classification) When stressed, prioritize established traffic Lookup: exact-match using key (i.e. 5-tuple) Cache: seen before Hits: higher classification priority National Cheng Kung University CSIE Computer & Internet Architecture Lab 7

8 Bloom Filter Hit: flow likely seen within epoch Miss: flow definitely not seen within epoch O[1] Lookups O[1] Inserts National Cheng Kung University CSIE Computer & Internet Architecture Lab 8

9 Bloom Filter: XOR Hash Function Bit-level XOR helps preserve entropy Avoid mixing heavily correlated bits National Cheng Kung University CSIE Computer & Internet Architecture Lab 9

10 Experimental Setup National Cheng Kung University CSIE Computer & Internet Architecture Lab 10

11 Firewall Application Simulated Firewall Application Access Control List (ACL) Protocol IP source/destination Port source/dest. ranges Test ACL Generation 95%: nominal network conditions 60%: network with significant malicious traffic 20%: network under attack National Cheng Kung University CSIE Computer & Internet Architecture Lab 11

12 Results: Throughput 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 N ormalize d Throughpu t Baseline - 95% Baseline - 60% Baseline - 20% packet Key Extraction packet Table Selection Flow Selection Action Application packet 11040 Interface Speed (Gbps) 100 12 ❇ Stressed >1 Gbps

13 Results: Throughput 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 N ormalize d Throughpu t Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% miss hit packet Key Extraction Flow Cache packet Table Selection Flow Selection Action Application packet update 11040 Interface Speed (Gbps) 100 13 ❇ Stressed >1 Gbps □ Throughput proportional to unauthorized traffic

14 Results: Throughput 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 N ormalize d Throughpu t Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% Partition - 95% Partition - 60% Partition - 20% hit miss Priority Scheduler Filter packet Extraction Known Flows Unknown Flows packet Selection Application packet update 11040 Interface Speed (Gbps) 100 14 Lo ❇ Stressed >1 Gbps □ Throughput proportional to unauthorized traffic ▲ Unauthorized traffic has less impact on throughput

15 Results: Throughput miss hit Flow Cache packet Table Selection Flow Selection Action Application packet hit miss Priority Scheduler Hi Lo Bloom Filter packet Key Extraction Known Flows Unknown Flows update 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 N ormalize d Throughpu t Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% Partition - 95% Partition - 60% Partition - 20% Partition+Caching - 95% Partition+Caching - 60% Partition+Caching - 20% ❇ Stressed >1 Gbps □ Throughput proportional to unauthorized traffic ▲ Unauthorized traffic has less impact on throughput  More consistent throughput 11040 Interface Speed (Gbps) 100 15

16 Results: Latency 0 1 2 3 4 5 6 7 8 9 Mea n La te nc y (µs ) Baseline - 95% Baseline - 60% Baseline - 20% packet Key Extraction packet Table Selection Flow Selection Action Application packet 11040 Interface Speed (Gbps) 100 16 ❇ Queue saturation causes high latency >1 Gbps

17 Results: Latency 0 1 2 3 4 5 6 7 8 9 Mea n La te nc y (µs ) Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% miss hit packet Key Extraction Flow Cache packet Table Selection Flow Selection Action Application packet update 11040 Interface Speed (Gbps) 100 17 ❇ Queue saturation causes high latency >1 Gbps □ Hits improve average latency

18 Results: Latency 1 2 3 4 5 6 7 8 9 Mea n La te nc y (µs ) Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% Partition - 95% Partition - 60% Partition - 20% hit miss Priority Scheduler Filter packet Extraction Known Flows Unknown Flows packet Selection Application packet update 0 11040 Interface Speed (Gbps) 100 18 Lo ❇ Queue saturation causes high latency >1 Gbps □ Hits improve average latency ▲ Authorized traffic not yet seen incurs higher latency ▲ Once flow is learned, latency consistent with Baseline

19 Results: Latency 1 2 3 4 5 6 7 8 9 Mea n La te nc y (µs ) Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% Partition - 95% Partition - 60% Partition - 20% Partition+Caching - 95% Partition+Caching - 60% Partition+Caching - 20% miss hit Flow Cache packet Table Selection Flow Selection Action Application packet hit miss packet Unknown Flows Priority Scheduler Hi Lo Bloom Filter Key Extraction Known Flows update thereafter 0 11040 Interface Speed (Gbps) 100 19 ❇ Queue saturation causes high latency >1 Gbps □ Hits improve average latency ▲ Authorized traffic not yet seen incurs higher latency ▲ Once flow is learned, latency consistent with Cache  Higher latency at start of flow  Latency is constant with cache

20 Results: Jitter 0 1 2 3 4 5 6 7 8 9 Jitte r (µs ) Baseline - 95% Baseline - 60% Baseline - 20% packet Key Extraction packet Table Selection Flow Selection Action Application packet 11040 Interface Speed (Gbps) 100 20 ❇ Peaks at saturation point

21 Results: Jitter 0 1 2 3 4 5 6 7 8 9 Jitte r (µs ) Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% miss hit packet Key Extraction Flow Cache packet Table Selection Flow Selection Action Application packet update 11040 Interface Speed (Gbps) 100 21 ❇ Peaks at saturation point □ Difference in fast vs. slow path increases variance

22 Results: Jitter 0 5 10 15 20 25 30 Jitte r (µs ) hit miss Priority Scheduler Filter packet Extraction Known Flows Unknown Flows packet Selection Application packet update 11040 Interface Speed (Gbps) 100 22 Lo ❇ Peaks at saturation point □ Difference in fast vs. slow path increases variance ▲ Learning path incurs higher latency -> jitter ▲ Once flow is learned, jitter consistent with Caching Baseline - 95% Caching - 95%Partition - 95% Baseline - 60% Caching - 60%Partition - 60% 35 Baseline - 20% Caching - 20%Partition - 20%

23 Results: Jitter 5 10 15 20 25 30 Jitte r (µs ) miss hit Flow Cache packet Table Selection Flow Selection Action Application packet hit miss Bloom Filter packet Key Extraction Unknown Flows update Priority Scheduler Hi Lo Known Flows update 0 priority mechanism 11040 Interface Speed (Gbps) 100 23 ❇ Peaks at saturation point □ Difference in fast vs. slow path increases variance ▲ Learning path incurs higher latency -> jitter ▲ Once flow is learned, jitter consistent with Caching  Improves jitter incurred by Baseline - 95% Caching - 95%Partition - 95%Partition+Caching - 95% Baseline - 60% Caching - 60%Partition - 60%Partition+Caching - 60% 35 Baseline - 20% Caching - 20%Partition - 20%Partition+Caching - 20%

24 Conclusions Unknown Flows update SDN complexity increases stress on Classification Flow Cache minimizes the effect of repeatedly classifying high-throughput flows –Increases effective throughput Pre-Classification prioritizes known traffic –Reduces effect of malicious traffic Combined architecture provides orthogonal benefit – Helps decouple legitimate and malicious traffic miss hit Flow Cache packet Table Selection Flow Selection Action Application packet hit miss Bloom Filter packet Key Extraction Priority Scheduler Hi Lo 24 Known Flows update

25 Results: Throughput miss hit Flow Cache packet Table Selection Flow Selection Action Application packet hit miss Priority Scheduler Hi Lo Bloom Filter packet Key Extraction Known Flows Unknown Flows update 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 11040 Interface Speed (Gbps) 100 N ormalize d Throughpu t Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% Partition - 95% Partition - 60% Partition - 20% Partition+Caching - 95% Partition+Caching - 60% Partition+Caching - 20% 25

26 Results: Latency 0 1 2 3 4 5 6 7 8 9 11040100 Mea n La te nc y (µs ) Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% Partition - 95% Partition - 60% Partition - 20% Partition+Caching - 95% Partition+Caching - 60% Partition+Caching - 20% miss hit Flow Cache packet Table Selection Flow Selection Action Application packet hit miss Bloom Filter packet Key Extraction Unknown Flows update Priority Scheduler Hi Lo Interface Speed (Gbps) Known Flows update 26

27 Results: Jitter 0 5 10 15 20 25 30 35 11040100 Jitte r (µs ) Baseline - 95% Baseline - 60% Baseline - 20% Caching - 95% Caching - 60% Caching - 20% Partition - 95% Partition - 60% Partition - 20% Partition+Caching - 95% Partition+Caching - 60% Partition+Caching - 20% miss hit Flow Cache packet Table Selection Flow Selection Action Application packet hit miss Bloom Filter packet Key Extraction Unknown Flows update Priority Scheduler Hi Lo Known Flows update Interface Speed (Gbps) 27

Download ppt "Stochastic Pre-Classification for SDN Data Plane Matching Author : Luke McHale, C. Jasson Casey, Paul V. Gratz, Alex Sprintson Conference: 2014 IEEE 22nd."

Similar presentations

Deep Packet Inspection with DFA-trees and Parametrized Language Overapproximation Author: Daniel Luchaup, Lorenzo De Carli, Somesh Jha, Eric Bach Publisher:

Deep Packet Inspection with DFA-trees and Parametrized Language Overapproximation Author: Daniel Luchaup, Lorenzo De Carli, Somesh Jha, Eric Bach Publisher:
1 TCAM Razor: A Systematic Approach Towards Minimizing Packet Classifiers in TCAMs Department of Computer Science and Information Engineering National.

1 TCAM Razor: A Systematic Approach Towards Minimizing Packet Classifiers in TCAMs Department of Computer Science and Information Engineering National.
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
Performance Evaluation of IPv6 Packet Classification with Caching Author: Kai-Yuan Ho, Yaw-Chung Chen Publisher: ChinaCom 2008 Presenter: Chen-Yu Chaug.

Performance Evaluation of IPv6 Packet Classification with Caching Author: Kai-Yuan Ho, Yaw-Chung Chen Publisher: ChinaCom 2008 Presenter: Chen-Yu Chaug.
1 Route Table Partitioning and Load Balancing for Parallel Searching with TCAMs Department of Computer Science and Information Engineering National Cheng.

1 Route Table Partitioning and Load Balancing for Parallel Searching with TCAMs Department of Computer Science and Information Engineering National Cheng.
OpenFlow-Based Server Load Balancing GoneWild Author : Richard Wang, Dana Butnariu, Jennifer Rexford Publisher : Hot-ICE'11 Proceedings of the 11th USENIX.

OpenFlow-Based Server Load Balancing GoneWild Author : Richard Wang, Dana Butnariu, Jennifer Rexford Publisher : Hot-ICE'11 Proceedings of the 11th USENIX.
High-Performance Packet Classification on GPU Author: Shijie Zhou, Shreyas G. Singapura and Viktor K. Prasanna Publisher: HPEC 2014 Presenter: Gang Chi.

High-Performance Packet Classification on GPU Author: Shijie Zhou, Shreyas G. Singapura and Viktor K. Prasanna Publisher: HPEC 2014 Presenter: Gang Chi.
Packet Classification using Rule Caching Author: Nitesh B. Guinde, Roberto Rojas-Cessa, Sotirios G. Ziavras Publisher: IISA, 2013 Fourth International.

Packet Classification using Rule Caching Author: Nitesh B. Guinde, Roberto Rojas-Cessa, Sotirios G. Ziavras Publisher: IISA, 2013 Fourth International.
Fast forwarding table lookup exploiting GPU memory architecture Author : Youngjun Lee,Minseon Jeong,Sanghwan Lee,Eun-Jin Im Publisher : Information and.

Fast forwarding table lookup exploiting GPU memory architecture Author : Youngjun Lee,Minseon Jeong,Sanghwan Lee,Eun-Jin Im Publisher : Information and.
Packet Classification Using Multi-Iteration RFC Author: Chun-Hui Tsai, Hung-Mao Chu, Pi-Chung Wang Publisher: COMPSACW, 2013 IEEE 37th Annual (Computer.

Packet Classification Using Multi-Iteration RFC Author: Chun-Hui Tsai, Hung-Mao Chu, Pi-Chung Wang Publisher: COMPSACW, 2013 IEEE 37th Annual (Computer.
INTERNATIONAL NETWORKS At Indiana University Hans Addleman TransPAC Engineer, International Networks University Information Technology Services Indiana.

INTERNATIONAL NETWORKS At Indiana University Hans Addleman TransPAC Engineer, International Networks University Information Technology Services Indiana.
Author: Haoyu Song, Fang Hao, Murali Kodialam, T.V. Lakshman Publisher: IEEE INFOCOM 2009 Presenter: Chin-Chung Pan Date: 2009/12/09.

Author: Haoyu Song, Fang Hao, Murali Kodialam, T.V. Lakshman Publisher: IEEE INFOCOM 2009 Presenter: Chin-Chung Pan Date: 2009/12/09.
Leveraging Traffic Repetitions for High- Speed Deep Packet Inspection Author: Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, David Hay Publisher:

Leveraging Traffic Repetitions for High- Speed Deep Packet Inspection Author: Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, David Hay Publisher:
A Hybrid IP Lookup Architecture with Fast Updates Author : Layong Luo, Gaogang Xie, Yingke Xie, Laurent Mathy, Kavé Salamatian Conference: IEEE INFOCOM,

A Hybrid IP Lookup Architecture with Fast Updates Author : Layong Luo, Gaogang Xie, Yingke Xie, Laurent Mathy, Kavé Salamatian Conference: IEEE INFOCOM,
EQC16: An Optimized Packet Classification Algorithm For Large Rule-Sets Author: Uday Trivedi, Mohan Lal Jangir Publisher: 2014 International Conference.

EQC16: An Optimized Packet Classification Algorithm For Large Rule-Sets Author: Uday Trivedi, Mohan Lal Jangir Publisher: 2014 International Conference.
Deterministic Finite Automaton for Scalable Traffic Identification: the Power of Compressing by Range Authors: Rafael Antonello, Stenio Fernandes, Djamel.

Deterministic Finite Automaton for Scalable Traffic Identification: the Power of Compressing by Range Authors: Rafael Antonello, Stenio Fernandes, Djamel.
1 Fast packet classification for two-dimensional conflict-free filters Department of Computer Science and Information Engineering National Cheng Kung University,

1 Fast packet classification for two-dimensional conflict-free filters Department of Computer Science and Information Engineering National Cheng Kung University,
IPv6-Oriented 4 OC768 Packet Classification with Deriving-Merging Partition and Field- Variable Encoding Scheme Mr. Xin Zhang Undergrad. in Tsinghua University,

IPv6-Oriented 4 OC768 Packet Classification with Deriving-Merging Partition and Field- Variable Encoding Scheme Mr. Xin Zhang Undergrad. in Tsinghua University,
DBS A Bit-level Heuristic Packet Classification Algorithm for High Speed Network Author : Baohua Yang, Xiang Wang, Yibo Xue, Jun Li Publisher : 2009 15th.

DBS A Bit-level Heuristic Packet Classification Algorithm for High Speed Network Author : Baohua Yang, Xiang Wang, Yibo Xue, Jun Li Publisher : th.
Memory-Efficient Regular Expression Search Using State Merging Author: Michela Becchi, Srihari Cadambi Publisher: INFOCOM 2007. 26th IEEE International.

Memory-Efficient Regular Expression Search Using State Merging Author: Michela Becchi, Srihari Cadambi Publisher: INFOCOM th IEEE International.

Similar presentations

Ads by Google