
A Policy-aware Switching Layer for Data Centers. Dilip Joseph, Arsalan Tavakoli, Ion Stoica. University of California at Berkeley.


1 A Policy-aware Switching Layer for Data Centers
Dilip Joseph, Arsalan Tavakoli, Ion Stoica
University of California at Berkeley

2 Problem: Middleboxes are hard to deploy
Middleboxes are placed on the network path, which overloads the path selection mechanisms (figure: a packet following the network path through a Load Balancer and a Firewall).
On-path placement fails to achieve:
– Correctness: guaranteed middlebox traversal
– Flexibility: (re)configurable network topology
– Efficiency: no middlebox resource wastage

3 Preview
Problem
– Middleboxes are hard to deploy
Solution
– Overview
– Challenges
– Limitations
Implementation & evaluation
Related work

4 Common data center topology
Figure labels: Internet; Core (Layer-3 router); Aggregation (Layer-2/3 switch); Access (Layer-2 switch); Servers; Firewall; Load Balancer

5 Inflexible topology
Figure labels: Internet; Intrusion Prevention Box; Firewall; Load Balancer

6 Inefficient: middlebox resource wastage
– Middleboxes process unnecessary traffic
– Unutilized backup path
(figure label: Internet)

7 Correctness is hard
Goal: protect S1 ↔ S2 traffic
Option 1 – Existing firewalls (figure: Internet, S1, S2, newly blocked link)

8 Correctness is hard
Goal: protect S1 ↔ S2 traffic
Option 1 – Existing firewalls
Option 2 – New firewall
(figure labels: Internet, S1, S2)

9 Correctness is hard
Goal: protect S1 ↔ S2 traffic
Option 1 – Existing firewalls
Option 2 – New firewall
Option 3 – Separate VLANs
(figure labels: Internet, S1, S2)

10 Outline
Problem
– Middleboxes are hard to deploy
Solution
– Overview
– Challenges
– Limitations
Implementation & evaluation
Related work

11 Policy-aware Switching Layer
1. Take middleboxes off-path
2. Separate policy from reachability
Figure labels: Existing mechanisms (firewall, load balancer); Policy-aware switching layer (PSwitch, firewall, load balancer)
Example policy: HTTP (TCP port = 80) → Firewall → Load balancer

12 PSwitch explicitly forwards packets to middleboxes
Figure: Core Router R; a PSwitch with interfaces 0, 1, 2, 3; Firewall (F); Load Balancer (L); Web Server in the data center; Centralized Policy Controller
Policy: HTTP → Firewall → Load balancer
Packet: Header (Src: R, later Src: L) + Body
Rule table:
  Match                  Next Hop
  MAC R, port 80         F
  Interface 1, port 80   L
  MAC L, port 80         FinalDest

13 Distributed forwarding, load-balancing middleboxes, different policies for different traffic
Figure labels: PSwitch A; PSwitch B; Firewall; Load Balancer; Custom Firewall; Intrusion Prevention Box; Web Server; ERP Server (data center)
Policies:
– HTTP → Firewall → Load balancer
– ERP → Custom Firewall → IPS

14 Challenges
1. Minimizing infrastructure changes
2. Non-transparent middleboxes
3. Guaranteeing correctness under churn

15 Guarantees under churn
Churn sources: network, middlebox, policy
– Packets never bypass middleboxes
– Some packets may be dropped

16 Limitations
– Indirect paths
– Policy specification complexity

17 Outline
Problem
– Middleboxes are hard to deploy
Solution
– Overview
– Challenges
– Limitations
Implementation & evaluation
Related work

18 Implementation
PSwitches prototyped in software
– 750 Mbps
– 0.3 milliseconds
– 25 policies
Compared to a software Ethernet switch:
– 82% TCP throughput
– 16% latency increase
Exploring hardware options
(figure label: PSwitch)

19 Validation of functionality
Physical topology: 10 PCs with 4 network interfaces each
– iptables firewalls
– web servers
– BalanceNG load balancer
– client

20 Logical topologies on the same physical topology

21 Related Work
Separation of policy and reachability: 4D, Routing Control Platform, Ethane
Indirection: Internet Indirection Infrastructure, Delegation Oriented Architecture
High-end switches: Cisco Catalyst 6500
SIGCOMM 2008: SEATTLE, DCell, Commodity DC Network Architecture

22 Conclusion
Deploying middleboxes is hard
A new layer-2 with explicit middlebox support
– Middleboxes taken off the network path
– Policy separated from reachability

23 Questions?

24 Backup Slides

25 Policy churn: conflicting policy updates
Version 1: HTTP → Load balancer → Firewall
Version 2: HTTP → Firewall → Load balancer
Figure: Firewall, Load Balancer, one PSwitch with interfaces 0, 1, 2, 3
Rule table, Version 1:
  Match                  Next Hop
  Interface 0, port 80   L
  Interface 2, port 80   F
  Interface 1, port 80   FinalDest
Rule table, Version 2:
  Match                  Next Hop
  Interface 0, port 80   F
  Interface 2, port 80   FinalDest
  Interface 1, port 80   L

26 Intermediate middlebox types guarantee traversal
Version 1: HTTP → Load balancer → Firewall
Version 2: HTTP → Firewall' → Load balancer'
Figure labels: Firewall, Load Balancer, Firewall', Load Balancer', PSwitch
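The rule-table lookup of slide 12 and the conflicting-update hazard of slides 25 and 26 can be worked through in a small model. The Python below is an added example, not code from the PLayer prototype or the authors. It assumes a pswitch matches a packet on (previous hop it arrived from, TCP destination port); the names R, F and L for the core router, firewall and load balancer are taken from slide 12; and it models the intermediate-type approach as installing the Version 2 rules against F' and L' while the Version 1 rules for F and L stay in place until in-flight packets drain, which is a simplification of what slide 26 sketches.

```python
"""Toy model of a PSwitch rule table and a policy update that lands while a
packet is still visiting a middlebox. Added example, not the PLayer code."""
from typing import Dict, List, Optional, Tuple

FINAL = "FinalDest"
DROP = "DROP"
Rule = Tuple[str, int]          # (previous hop, TCP destination port)
Table = Dict[Rule, str]         # match -> next hop

# Assumed names: R = core router, F = firewall, L = load balancer.
# Version 1 policy (slide 25): HTTP -> Load balancer -> Firewall
V1: Table = {("R", 80): "L", ("L", 80): "F", ("F", 80): FINAL}
# Version 2 policy (slide 25): HTTP -> Firewall -> Load balancer
V2: Table = {("R", 80): "F", ("F", 80): "L", ("L", 80): FINAL}
# Version 2 written against intermediate middlebox types F' and L' (slide 26).
# It is installed alongside V1, so a packet already sent to L under V1 still
# matches the V1 rule for L when it comes back.
V2_PRIME: Table = {("R", 80): "F'", ("F'", 80): "L'", ("L'", 80): FINAL}

FIREWALL_TYPES = {"F", "F'"}


def lookup(table: Table, prev_hop: str, port: int) -> str:
    """Rule-table match. An unmatched packet is dropped, never forwarded
    around the middleboxes (slide 15: dropped, but never bypassed)."""
    return table.get((prev_hop, port), DROP)


def traverse(before: Table, after: Optional[Table], switch_at: int,
             port: int = 80, max_hops: int = 8) -> List[str]:
    """Forward one packet that arrives from R. The pswitch uses `before` for
    the first `switch_at` lookups and `after` (if given) afterwards, which
    models a rule-table update landing mid-traversal. Returns the hop list."""
    path: List[str] = []
    prev = "R"
    for hop in range(max_hops):
        table = after if (after is not None and hop >= switch_at) else before
        nxt = lookup(table, prev, port)
        path.append(nxt)
        if nxt in (FINAL, DROP):
            return path
        prev = nxt
    path.append(DROP)           # forwarding-loop guard
    return path


def traversed_firewall(path: List[str]) -> bool:
    """Did the packet pass through some firewall instance before delivery?"""
    return any(hop in FIREWALL_TYPES for hop in path)


def scenarios() -> Dict[str, List[str]]:
    """Constructed scenarios: steady state, a naive V1->V2 swap while the
    packet is at L, the same swap done with intermediate types, a fresh
    packet after that update, and a port with no policy at all."""
    merged = {**V1, **V2_PRIME}   # V2' rules added, V1 rules retained
    return {
        "v1_stable": traverse(V1, None, 0),
        "naive_update_in_flight": traverse(V1, V2, 1),
        "prime_update_in_flight": traverse(V1, merged, 1),
        "prime_update_new_packet": traverse(merged, None, 0),
        "ssh_no_policy": traverse(V1, None, 0, port=22),
    }


if __name__ == "__main__":
    for name, path in scenarios().items():
        status = "firewall traversed" if traversed_firewall(path) else "FIREWALL BYPASSED"
        if path[-1] == DROP:
            status = "dropped"
        print(f"{name:26s} {' -> '.join(path):28s} {status}")
```

The naive swap shows the hazard: the packet left the pswitch for L under Version 1, and when it returns the Version 2 rule for "from L" says FinalDest, so it reaches the web server without ever touching the firewall. With the Version 2 rules keyed on F' and L', the returning packet still hits the retained Version 1 rule and visits F, while new packets take the F' → L' path; the unmatched port 22 packet is dropped rather than leaked.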

