Presentation is loading. Please wait.

Presentation is loading. Please wait.

Aaron Gember-Jacobson, Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid Khalid, Sourav Das, Aditya Akella 1 OpenNF: Enabling Innovation in Network.

Published byJamya Whirley Modified over 9 years ago

Similar presentations

Presentation on theme: "Aaron Gember-Jacobson, Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid Khalid, Sourav Das, Aditya Akella 1 OpenNF: Enabling Innovation in Network."— Presentation transcript:

1 Aaron Gember-Jacobson, Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid Khalid, Sourav Das, Aditya Akella 1 OpenNF: Enabling Innovation in Network Function Control

2 Network functions (NFs) Perform sophisticated stateful actions on packets/flows 2 Intrusion detection system (IDS) Caching proxy WAN optimizer

3 NF trends NFV → dynamically allocate NF instances SDN → dynamically reroute flows Dynamic reallocation of packet processing 3 Intrusion detection system (IDS) Caching proxy WAN optimizer Xen/KVM

4 Example: elastic NF scaling 1.Satisfy performance SLAs 2.Minimize operating costs 3.Accurately monitor traffic 4 CPU Packet loss

5 Example: elastic NF scaling 1.Satisfy performance SLAs 2.Minimize operating costs 3.Accurately monitor traffic 5 CPU Packet loss To simultaneously… Problem: NFV+SDN is insufficient Cannot effectively implement new services or abstractions!

6 Why NFV + SDN falls short 1. SLAs2. Cost3. Accuracy Reroute new flows [Stratos - arXiv:1305.0209] Reroute existing flows [SIMPLE - SIGCOMM ‘13] Wait for flows to die [Stratos - arXiv:1305.0209] 6 ? Packet loss SLA: <1%

7 SLAs + cost + accuracy: What do we need? Quickly move, copy, or share internal NF state alongside updates to network forwarding state Guarantees: loss-free, order-preserving, … 7 … 123 … Also applies to other scenarios

8 Outline Motivation and requirements Challenges OpenNF architecture – State export/import – State operations – Guarantees Evaluation 8

9 1.Supporting many NFs with minimal changes 2.Dealing with race conditions 3.Bounding overhead Challenges 9 State Packet Route Update

10 OpenNF overview 10 NF State Manager Flow Manager OpenNF Controller Control Application move/copy/share state export/import State

11 State created or updated by an NF applies to either a single flow or a collection of flows NF state taxonomy 11 Connection TcpAnalyzer HttpAnalyzer TcpAnalyzer HttpAnalyzer Per-flow state ConnCount Multi-flow state All-flows state Statistics

12 NF API: export/import state Functions: get, put, delete 12 No need to expose/change internal state organization! Filter Per Multi All Scope NF get put

13 Control operations: move 13 NF State Manager Control Application move (port=80, Bro 1, Bro 2 ) get(per, port=80) [Chunk1] put (per, Chunk1) del(per, port=80) [Chunk2] put (per, Chunk2) forward(port=80, Bro 2 ) Flow Manager Bro 2 Bro 1 Also provide copy and share

14 detect- MHR Split/Merge [NSDI ‘13] : pause traffic, buffer packets – Packets in-transit when buffering starts are dropped Lost updates during move 14 B1 R1 R2 Missing state Bro 2 Bro 1 move(red,Bro 1,Bro 2 ) Missing updates Loss-free: All state updates should be reflected in the transferred state, and all packets should be processed R3

15 NF API: observe/prevent updates using events 15 Only need to change an NF’s receive packet function! R1 R2 B1 R1 NF

16 1. enableEvents(red,drop) on Bro 1 2. get / delete on Bro 1 3.Buffer events at controller 4. put on Bro 2 5.Flush packets in events to Bro 2 6.Update forwarding Use events for loss-free move 16 Bro 2 Bro 1 R3R1 Drop R1 R1,R2 R2 R1,R2,R3

17 False positives from Bro’s weird script Re-ordering of packets 17 Order-preserving: All packets should be processed in the order they were forwarded by the switch Order-preserving: All packets should be processed in the order they were forwarded by the switch Controller Switch Bro 2 5. Flush buffer 6. Request forwarding update Bro 1 R2 R4 R3 R2 R4 R3

18 1.Dealing with diversity 2.Dealing with race conditions OpenNF: SLAs + cost + accuracy 18 Export/import state based on its association with flows Events Lock-step forwarding updates +

19 Implementation Controller (3.8K lines of Java) Communication library (2.6K lines of C) Modified NFs (3-8% increase in code) 19 Bro IDS iptables Squid CachePRADS

20 Overall benefits for elastic scaling Bro IDS processing 10K pkts/sec – At 180 sec: move HTTP flows (489) to new IDS – At 360 sec: move back to old IDS SLAs: 260ms to move (loss-free) Accuracy: same log entries as using one IDS – VM replication: incorrect log entries Cost: scale down after state is moved – Stratos: scale down delayed 25+ minutes 20 [arXiv:1305.0209]

21 Evaluation: state export/import 21 Serialization/deserialization costs dominate Cost grows with state complexity

22 PRADS asset detector processing 5K pkts/sec Move per-flow state for 500 flows Evaluation: operations 22 Packets dropped! 686462 881 packets in events Operations are efficient, but guarantees come at a cost! Operations are efficient, but guarantees come at a cost! 1120 pkts buffered 838 pkts in events + Bro: 5% of alerts missed! NG NG PL LF PL+ER OP PL+ER

23 Dynamic reallocation of packet processing enables new services Realizing SLAs + cost + accuracy requires quick, safe control of internal NF state OpenNF provides flexible and efficient control with few NF modifications Conclusion 23 http://opennf.cs.wisc.edu

24 Backup Related work Copy and share Order-preserving move Bounding overhead Example control application Evaluation: controller scalability Evaluation: importance of guarantees Evaluation: benefits of granular control 24

25 Virtual machine replication – Unneeded state → incorrect actions – Cannot combine → limited reallocation Split/Merge [NSDI’13] – State allocations and accesses occur via library – Addresses a specific problem → limited suitability – Packets may be dropped or re-ordered → wrong NF behavior 25 Existing approaches

26 Copy and share operations Used when multiple instances need some state Copy – no or eventual consistency – Once, periodically, based on events, etc. Share – strong or strict consistency – Events are raised for all packets – Events are released one at a time – State is copied before releasing the next event 26 Copy (multi-flow): 111ms Share (strong): 13ms/packet Copy (multi-flow): 111ms Share (strong): 13ms/packet

27 Flush packets in events to Inst 2 enableEvents(blue,buffer) on Inst 2 Forwarding update: send to Inst 1 & controller Wait for packet from switch (remember last) Forwarding update: send to Inst 2 Wait for event for last packet from Inst 2 Release buffer of packets on Inst 2 Order-preserving move 27 B1 Drop B1B1,B2 B2 B1,B2, B3 Buf B3 B4 B1,B2, B3,B4

28 Applications decide (based on NF & objectives): 1.Granularity of operations 2.Guarantees desired Bounding overhead 28 Filter Per Multi All Scope … LF LF+OP 123 … … + None

29 Example app: elastic NF scaling movePrefix(prefix,oldInst,newInst): copy(oldInst,newInst,{nw_src:prefix},multi) move(oldInst,newInst,{nw_src:prefix},per,LF+OP) while (true): sleep(60) copy(oldInst,newInst,{nw_src:prefix},multi) copy(newInst,oldInst,{nw_src:prefix},multi) scan.bro vulnerable.bro weird.bro scan.bro vulnerable.bro weird.bro 29

30 Evaluation: controller scalability Improve scalability with P2P state transfers 30

31 Evaluation: importance of guarantees Bro 1 processing malicious trace @ 1K pkts/sec After 14K packets: move active flows to Bro 2 AlertBaselineNFLFLF+OP Incorrect file type26252426 MHR Match31282731 MD5116111106116 Total173164157173

32 Evaluation: benefits of granular control HTTP requests from 2 clients (40 unique URLs) Initially: both go to Squid 1 20s later: reassign Client 1 to Squid 2 IgnoreCopy-clientCopy-all Hits @ Squid 1 117 Hits @ Squid 2 Crash!3950 State transferred0 MB4 MB54 MB

Download ppt "Aaron Gember-Jacobson, Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid Khalid, Sourav Das, Aditya Akella 1 OpenNF: Enabling Innovation in Network."

Similar presentations

SIMPLE-fying Middlebox Policy Enforcement Using SDN

SIMPLE-fying Middlebox Policy Enforcement Using SDN
Anand Krishnamurthy, Shoban P. Chandrabose and Aaron Gember-Jackobson 1 Pratyaastha: An Efficient Elastic Distributed SDN Control Plane.

Anand Krishnamurthy, Shoban P. Chandrabose and Aaron Gember-Jackobson 1 Pratyaastha: An Efficient Elastic Distributed SDN Control Plane.
Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.

Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.
OpenNF: Enabling Innovation in Network Function Control Aditya Akella With: Aaron Gember, Raajay Vishwanathan, Chaithan Prakash, Sourav Das, Robert Grandl,

OpenNF: Enabling Innovation in Network Function Control Aditya Akella With: Aaron Gember, Raajay Vishwanathan, Chaithan Prakash, Sourav Das, Robert Grandl,
Stratos: A Network-Aware Orchestration Layer for Middleboxes in the Cloud Aditya Akella, Aaron Gember, Anand Krishnamurthy, Saul St. John University of.

Stratos: A Network-Aware Orchestration Layer for Middleboxes in the Cloud Aditya Akella, Aaron Gember, Anand Krishnamurthy, Saul St. John University of.
ECOS: Leveraging Software-Defined Networks to Support Mobile Application Offloading Aaron Gember, Christopher Dragga, Aditya Akella University of Wisconsin-Madison.

ECOS: Leveraging Software-Defined Networks to Support Mobile Application Offloading Aaron Gember, Christopher Dragga, Aditya Akella University of Wisconsin-Madison.
Copyright Sasol Synfuels Sasol Synfuels’ Site-Wide IT Health monitoring 1 Presenter: Johan de Waal.

Copyright Sasol Synfuels Sasol Synfuels’ Site-Wide IT Health monitoring 1 Presenter: Johan de Waal.
Aaron Gember-Jacobson, Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid Khalid, Sourav Das, Aditya Akella 1 OpenNF: Enabling Innovation in Network.

Aaron Gember-Jacobson, Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid Khalid, Sourav Das, Aditya Akella 1 OpenNF: Enabling Innovation in Network.
Better-Behaved Better- Performing Multimedia Networking Jae Chung and Mark Claypool (Avanish Tripathi) Computer Science Department Worcester Polytechnic.

Better-Behaved Better- Performing Multimedia Networking Jae Chung and Mark Claypool (Avanish Tripathi) Computer Science Department Worcester Polytechnic.
Internet Traffic Management Prafull Suryawanshi Roll No - 04IT6008.

Internet Traffic Management Prafull Suryawanshi Roll No - 04IT6008.
Toward Software-Defined Middlebox Networking Aaron Gember, Prathmesh Prabhu, Zainab Ghadiyali, Aditya Akella University of Wisconsin-Madison 1.

Toward Software-Defined Middlebox Networking Aaron Gember, Prathmesh Prabhu, Zainab Ghadiyali, Aditya Akella University of Wisconsin-Madison 1.
DRFQ: Multi-Resource Fair Queueing for Packet Processing Ali Ghodsi 1,3, Vyas Sekar 2, Matei Zaharia 1, Ion Stoica 1 1 UC Berkeley, 2 Intel ISTC/Stony.

DRFQ: Multi-Resource Fair Queueing for Packet Processing Ali Ghodsi 1,3, Vyas Sekar 2, Matei Zaharia 1, Ion Stoica 1 1 UC Berkeley, 2 Intel ISTC/Stony.
SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Enabling Innovation Inside the Network Jennifer Rexford Princeton University

Enabling Innovation Inside the Network Jennifer Rexford Princeton University
Software-Defined Networks Jennifer Rexford Princeton University.

Software-Defined Networks Jennifer Rexford Princeton University.
Internet Traffic Management. Basic Concept of Traffic Need of Traffic Management Measuring Traffic Traffic Control and Management Quality and Pricing.

Internet Traffic Management. Basic Concept of Traffic Need of Traffic Management Measuring Traffic Traffic Control and Management Quality and Pricing.
Aditya Akella (Based on slides from Aaron Gember and Nick McKeown)

Aditya Akella (Based on slides from Aaron Gember and Nick McKeown)
Adaptive software in cloud computing Marin Litoiu York University Canada.

Adaptive software in cloud computing Marin Litoiu York University Canada.
Measuring Control Plane Latency in SDN-enabled Switches Keqiang He, Junaid Khalid, Aaron Gember-Jacobson, Sourav Das, Chaithan Prakash, Aditya Akella,

Measuring Control Plane Latency in SDN-enabled Switches Keqiang He, Junaid Khalid, Aaron Gember-Jacobson, Sourav Das, Chaithan Prakash, Aditya Akella,
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 Chris Shenefiel.

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 Chris Shenefiel.

Similar presentations

Ads by Google