Presentation is loading. Please wait.

Presentation is loading. Please wait.

Xin Li, Chen Qian University of Kentucky

Published byAbraham Townsend Modified over 7 years ago

Similar presentations

Presentation on theme: "Xin Li, Chen Qian University of Kentucky"— Presentation transcript:

1 Xin Li, Chen Qian University of Kentucky
An NFV Orchestration Framework for Interference-free Policy Enforcement Xin Li, Chen Qian University of Kentucky

2 Network Function Network Function A.k.a. Middlebox
Networking device that perform functions other than packet forwarding Build in proprietary hardware

3 Network Function Security Network Function
Firewall IDS Acceleration Network Function WAN Optimizer Proxy

4 Policy Chain Http Correctness: sequential order
Efficiency: not traverse unnecessary ones Http Firewall IDS Proxy Non http Firewall

5 Network Functions Placement
Policy chain Placement not easy to re-deploy Firewall IDS Proxy Http S1 S2 S4 S3 Proxy Firewall

6 Placement: Hardware Network Functions
Traffic Steering Simple [Sigcomm’13] Firewall IDS Proxy Policy Chain: Http Firewall Proxy IDS S1 S2 Dst Image from

7 Drawbacks of Traffic Steering
Modified routing path Conflicting with other applications e.g. Traffic engineering Additional path length more latency, bandwidth Complex routing rules More forwarding table entries Loop Additional mechanism (e.g. tag)

8 Network Functions Virtualizaiton
IDS Hardware Software WAN Optimizer More flexible and cheaper New opportunity: interference-free policy enforcement Proxy Virtual Network Function (VNF)

9 NFV Orchestration Properties
Policy enforcement Sequence order should be respect Interference-freedom Not changing the routing path Isolation: security and performance Virtual machine

10 NFV Orchestration Framework
Core idea Network Functions are contained in VMs for isolation. Places the required VNFs on the path of each traffic flow Not changing routing path

11 Challenges Resource-efficient way to place VNFs while enforcing policies. Optimization problem Traffic is highly dynamic. Fast failover Scale in/out

12 Framework Overview Inputs to Opt Engine: Flow spec. & available rsc.
Traffic 1k 0.5k http FW Proxy ... Policy Path SDN controller Resource Orchestrator Optimization Engine ... App1 App2 Dynamic Handler Rule Generator Inputs to Opt Engine: Flow spec. & available rsc. Take outputs from diff apps as input Generate routing rules (sw & vsw) Fast failover if overloaded Take Opt Engine output as input Install VNFs in APPLE hosts Core. Co-exist with other apps normal app from SDN controller’s view Hosts VNFs Once overloaded, send ntf. to Dyn. Hdl.

13 Framework Overview SDN controller ... Traffic Policy Path Resource
http FW Proxy ... Policy Path SDN controller Resource Orchestrator Optimization Engine ... App1 App2 Dynamic Handler Rule Generator

14 Optimization Engine Input granularity Benefits:
flows having the same path and policy chain are aggregated into a class Benefits: Reduce input size Wildcard rules instead of exact match: reduce forwarding table entry consumption

15 Optimization Engine Spatial Distribution Load balance
Handle jumbo classes Firewall IDS Policy Chain:

16 Optimization Engine Algorithm Objective Algorithm Input
Minimize # of VNFs Algorithm Input VNF capacity : the max traffic rate it can process Available Resource & VNF resource consumption Policy chain Routing path Traffic matrix: estimated by other application Algorithm Output The place and quantify of each VNF (Placement) The portion of traffic to be processed in each VNF instance for each class (Rule generation)

17 Optimization Engine Integer Linear Programming (ILP) # VNFs
CPLEX to solve NP-hard Reduced to Set Cover Problem Approximation algorithm: LP relax # VNFs Topology Nodes Links Time Internet2 12 15 0.08 Sec GEANT 23 74 0.42 Sec UNIV1 43 0.59 Sec AS-3679 79 147 Sec Appr. Algorithm Time 0.029 Sec 0.1 Sec 0.235 Sec 3.013 Sec

18 Framework Overview SDN controller ... Traffic Policy Path Resource
http FW Proxy ... Policy Path SDN controller Resource Orchestrator Optimization Engine ... App1 App2 Dynamic Handler Rule Generator

19 Rule generator Optimization Engine Output
The portion of traffic to be processed in each VNF instance for each class (Rule generation) Cannot generate rules directly

20 Rule generator Sub-class: aggregation of flows within a class that traverse the same VNF instances The workload assignment to each sub-class is accepted as long as the result of Optimization Engine is preserved Firewall IDS Policy Chain: FW FW IDS IDS

21 Rule generator Consistent hashing Split rules
Ways to enforce the workload assignment Consistent hashing E.g. < /24, h ∈[0, 0.75]> No available API in commodity switches Split rules E.g. < /25, /26> Multiple rules

22 Framework Overview SDN controller ... Traffic Policy Path Resource
http FW Proxy ... Policy Path SDN controller Resource Orchestrator Optimization Engine ... App1 App2 Dynamic Handler Rule Generator

23 Overload notification Using ClickOS: lightweight
Dynamic Handler Firewall IDS Policy Chain: Overload notification New FW Install new forwarding rules Initiate new VM Using ClickOS: lightweight

24 XEN VMs can’t be connected to OpenVswitch directly
Implementation Core: Stand-alone REST API XEN VMs can’t be connected to OpenVswitch directly Network Controller Resource Orchestrator ClickOS ClickOS Linux-br

25 Prototype Emulation Dynamic Handler overload roll back

26 Simulation Evaluation
Methodology The input to Optimization Engine is the average traffic matrix. See the performance of APPLE with time-varying traffic matrix.

27 Simulation Evaluation
Topologies Campus network, enterprise network, data center Network Functions Each host have 64 cores 4 network functions (FW, IDS, Proxy, IDS) Different core # requirement and capacity Policy Synthesize network policy chains

28 Simulation Evaluation

29 Simulation Evaluation
Less packet loss

30 Conclusion We design and implement an interference-free NFV Orchestraton Framework Resource efficient Incorporate network dynamics Integrate ClickOS and OpenStack

31 Thank you!

32 Backup slides

33 Optimization Engine: Policy enforcement
Policy enforcement. To enforce policies, the requirements are two-folded for each flow. For each network function specified by the policy for a flow, at least one instance is on the network path. For any VNF instance n, there should be at lease one instance of the VNFs succeeding n on the same switch of n or the downstream switches on the path. (recursive)

Download ppt "Xin Li, Chen Qian University of Kentucky"

Similar presentations

Software-defined networking: Change is hard Ratul Mahajan with Chi-Yao Hong, Rohan Gandhi, Xin Jin, Harry Liu, Vijay Gill, Srikanth Kandula, Mohan Nanduri,

Software-defined networking: Change is hard Ratul Mahajan with Chi-Yao Hong, Rohan Gandhi, Xin Jin, Harry Liu, Vijay Gill, Srikanth Kandula, Mohan Nanduri,
Dynamic Scheduling of Network Updates Xin Jin Hongqiang Harry Liu, Rohan Gandhi, Srikanth Kandula, Ratul Mahajan, Ming Zhang, Jennifer Rexford, Roger Wattenhofer.

Dynamic Scheduling of Network Updates Xin Jin Hongqiang Harry Liu, Rohan Gandhi, Srikanth Kandula, Ratul Mahajan, Ming Zhang, Jennifer Rexford, Roger Wattenhofer.
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
SIMPLE-fying Middlebox Policy Enforcement Using SDN

SIMPLE-fying Middlebox Policy Enforcement Using SDN
SDN Applications Jennifer Rexford Princeton University.

SDN Applications Jennifer Rexford Princeton University.
VCRIB: Virtual Cloud Rule Information Base Masoud Moshref, Minlan Yu, Abhishek Sharma, Ramesh Govindan HotCloud 2012.

VCRIB: Virtual Cloud Rule Information Base Masoud Moshref, Minlan Yu, Abhishek Sharma, Ramesh Govindan HotCloud 2012.
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.
Nanxi Kang Princeton University

Nanxi Kang Princeton University
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Making Cellular Networks Scalable and Flexible Li Erran Li Bell Labs, Alcatel-Lucent Joint work with collaborators at university of Michigan, Princeton,

Making Cellular Networks Scalable and Flexible Li Erran Li Bell Labs, Alcatel-Lucent Joint work with collaborators at university of Michigan, Princeton,
Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.

Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.
OpenFlow-Based Server Load Balancing GoneWild

OpenFlow-Based Server Load Balancing GoneWild
Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.

Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.
Flowspace revisited OpenFlow Basics Flow Table Entries Switch Port MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP Prot L4 sport L4 dport Rule Action.

Flowspace revisited OpenFlow Basics Flow Table Entries Switch Port MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP Prot L4 sport L4 dport Rule Action.
1 A Policy-aware Switching Layer for Data Centers Dilip Joseph Arsalan Tavakoli Ion Stoica University of California at Berkeley.

1 A Policy-aware Switching Layer for Data Centers Dilip Joseph Arsalan Tavakoli Ion Stoica University of California at Berkeley.
SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Cellular Core Network Architecture

Cellular Core Network Architecture
Enabling Innovation Inside the Network Jennifer Rexford Princeton University

Enabling Innovation Inside the Network Jennifer Rexford Princeton University
Software-Defined Networks Jennifer Rexford Princeton University.

Software-Defined Networks Jennifer Rexford Princeton University.
Higher-Level Abstractions for Software-Defined Networks Jennifer Rexford Princeton University.

Higher-Level Abstractions for Software-Defined Networks Jennifer Rexford Princeton University.

Similar presentations

Ads by Google