Presentation is loading. Please wait.

Presentation is loading. Please wait.

of Dynamic NFV-Policies

Published byDebra Gilbert Modified over 6 years ago

Similar presentations

Presentation on theme: "of Dynamic NFV-Policies"— Presentation transcript:

1 of Dynamic NFV-Policies
SDNs for Enforcement of Dynamic NFV-Policies Ashwin Rao 04 / 11 / 2015

2 Background Increasing presence of Network Functions (NF)
Sherry et al. "Making Middleboxes Someone Else's Problem: Network Processing as a Cloud Service." In SIGCOMM '12. Need for dynamic policies ”The current service function deployment models are relatively static … greatly reducing the ability of an operator to introduce new services...” J. Halpern et al. RFC ”Service Function Chaining (SFC) Architecture.” October 2015.

3 Challenges in Policy Enforcement
NF Composition Resource Management Packet Modification What must S2 do for a packet from S1? Policy: Egress → Firewall → IDS → Proxy → Ingress Firewall Proxy IDS Egress Ingress S1 S2

4 Outline Background SIMPLE-fying Middlebox Policy Enforcement Using SDN
Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags IETF Protocols: NSH and others

5 SIMPLE Approach Packet modifications by NFs
Traffic Matrix Topology Policy Resource Constraints Packet modifications by NFs Flow correlation to support off-the-shelf NFs Collect Pkts Calculate similarity Update rules Resource Manager Dynamics Manager Offline-Online Decomposition Offline: Switch constraints Online: Load Balancing ILP formulation Unambiguous Forwarding In-port and Out-port Adding Processing State (ProcState) in headers Compacting Forwarding Rules Rule Manager Flow Action Counter ... ... ...

6 SIMPLE Contributions SDN based Policy Enforcement Layer for NF-specific traffic steering Supports off-the-shelf NFs Leverages tunnels between switches and SDN capabilities to modify packet headers Decompose optimization problem Offline component for switch capabilities Online component for load balancing Learns packet modifications by NFs

7 Discussion on SIMPLE Benefits Flexibility in NF placement
Reconfigure rules on NF failure Takes ≈ 1 second for large AS topology Issues Flow correlation Latency & True-Positive/False-Positive Rates of popular NFs unknown Short-term solution Will networks have SDN switches with legacy NFs? What if NFs can be modified?

8 SDN Tenets violated by NFs
ORIGINBINDING Strong binding between packet and its origin Example culprit: NAT, load balancers PATHSFOLLOWPOLICY Explicit policies should determine the packet path Example culprit: Caches HIGHLEVELNAMES Network policies should be expressed in terms of high-level names. Example culprit: NAT

9 Concept of FlowTags Assumptions
NFs add tags that contain Missing Bindings to ensure ORIGINBINDINGS Missing Context to ensure PATHFOLLOWPOLICY Assumptions Adequate header bits available Possibility to modify/extend NF software

10 Tag Generation 1) Static Policy Graph (DPG) Traffic ↔ Chain to NFs
2) Dynamic Policy Graph (DPG) IN and OUT Nodes NF Nodes Unique Tag for a packet on the edge of the graph Internet Proxy ACL Host 2 {H2} {H2}, HIT {H2}, MISS , allow {H2}, MISS DROP {H2}, * , block {H2}, HIT, allow

11 FlowTags Components API
FlowTags Controller SDN Capable Switch FlowTags-capable NF API FT_GENERATE_QRY & FT_GENERATE_RSP – for Tag generation FT_CONSUME_QRY & FT_CONSUME_RSP - for Tag consumption OFPT_PACKET_IN - switch notifying reception of Tag'ed packet Modifications to NFs Modify internal functions to generate and consume Tags Shim layer for Tag generation and consumption

12 FlowTags Contribution
Propose Tagging for ORIGINBINDINGS and PATHSFOLLOWPOLICY Paper details the tagging mechanism Rule generation, policy abstraction, & controller interface Open avenues for verification and network diagnosis What if additional header(s) are available for Tags?

13 Outline Background SIMPLE-fying Middlebox Policy Enforcement Using SDN
Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags IETF Protocols: NSH and others

14 Network Service Header (NSH)
A dataplane header for carrying information along a service path NSH Header Base NSH Header (version, length, ...) Service Path ID Service Index Network Platform Context Network Shared Context Service Platform Context Service Shared Context

15 Summary SIMPLE Works with Off-the-shelf NFs
Suffers from uncertainty on policy realization FlowTags Tagging flows as they traverse NFs NFs need to be modified Existing headers can be used IETF proposals like NSH Context information can be shared

16 Thank You!

Download ppt "of Dynamic NFV-Policies"

Similar presentations

Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul

Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Toward Practical Integration of SDN and Middleboxes

Toward Practical Integration of SDN and Middleboxes
SIMPLE-fying Middlebox Policy Enforcement Using SDN

SIMPLE-fying Middlebox Policy Enforcement Using SDN
SDN Applications Jennifer Rexford Princeton University.

SDN Applications Jennifer Rexford Princeton University.
Composing Software-Defined Networks Princeton*Cornell^ Chris Monsanto*, Joshua Reich* Nate Foster^, Jen Rexford*, David Walker* www.frenetic-lang.org/pyretic.

Composing Software-Defined Networks Princeton*Cornell^ Chris Monsanto*, Joshua Reich* Nate Foster^, Jen Rexford*, David Walker*
Nanxi Kang Princeton University

Nanxi Kang Princeton University
Jennifer Rexford Princeton University

Jennifer Rexford Princeton University
Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.

Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.
Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.

Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.
Toward Practical Convergence of Middleboxes and Software-Defined Networking Vyas Sekar Joint work with: Seyed Kaveh Fayazbakhsh, Zafar Qazi, Luis Chiang,

Toward Practical Convergence of Middleboxes and Software-Defined Networking Vyas Sekar Joint work with: Seyed Kaveh Fayazbakhsh, Zafar Qazi, Luis Chiang,
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Network Service Header (NSH) draft-quinn-sfc-nsh IETF 90

Network Service Header (NSH) draft-quinn-sfc-nsh IETF 90
Network Based Services in Mobile Networks Context, Typical Use Cases, Problem Area, Requirements IETF 87 Berlin, 29 July 2013 BoF Meeting on Network Service.

Network Based Services in Mobile Networks Context, Typical Use Cases, Problem Area, Requirements IETF 87 Berlin, 29 July 2013 BoF Meeting on Network Service.
Generalized Virtual Networking: an enabler for Service Centric Networking and Network Function Virtualization Stefano Salsano (1), Nicola Blefari-Melazzi.

Generalized Virtual Networking: an enabler for Service Centric Networking and Network Function Virtualization Stefano Salsano (1), Nicola Blefari-Melazzi.
Programming Abstractions for Software-Defined Networks Jennifer Rexford Princeton University.

Programming Abstractions for Software-Defined Networks Jennifer Rexford Princeton University.
Report of Interconnectivity Testing of Service Function Chaining by Six Companies NTT Alaxala Networks Cisco Systems Hitachi Alcatel-Lucent Japan et al.

Report of Interconnectivity Testing of Service Function Chaining by Six Companies NTT Alaxala Networks Cisco Systems Hitachi Alcatel-Lucent Japan et al.
Policy Based Routing using ACL & Route Map By Group 7 Nischal (304360958) Pranali (304378534)

Policy Based Routing using ACL & Route Map By Group 7 Nischal ( ) Pranali ( )
1 A Policy-aware Switching Layer for Data Centers Dilip Joseph Arsalan Tavakoli Ion Stoica University of California at Berkeley.

1 A Policy-aware Switching Layer for Data Centers Dilip Joseph Arsalan Tavakoli Ion Stoica University of California at Berkeley.
Jaehoon (Paul) Jeong, Hyoungshick Kim, and Jung-Soo Park

Jaehoon (Paul) Jeong, Hyoungshick Kim, and Jung-Soo Park

Similar presentations

Ads by Google