Presentation is loading. Please wait.

Presentation is loading. Please wait.

May 28-29, 2002 1 DANCE Exposition Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines Tal Lavian -

Published byMary Bryan Modified over 9 years ago

Similar presentations

Presentation on theme: "May 28-29, 2002 1 DANCE Exposition Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines Tal Lavian -"— Presentation transcript:

1 May 28-29, 2002 1 DANCE Exposition Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines Tal Lavian - tlavian@Nortelnetworks.comtlavian@Nortelnetworks.com Phil Wang, Ramesh Durairaj, Jennifer Rasimas, Doan Hoang, Franco Travostino. Nortel Networks, Advanced Technology Labs Open Source - http://www.openetlab.org

2 May 28-29, 2002 2 DANCE Exposition Outline of the talk AN technology Transfer Issues in the realization of AN technologies Main contributions of the paper. Commercial Active Services Platform Application Example 1 – SSL Application Example 2 – ASF A Demo Application Next Generation Active Services Platform Conclusion

3 May 28-29, 2002 3 DANCE Exposition AN Technology Transfer Great Ideas Usable/Realizable Mechanisms/Products Active Nets Community Active Nets Ideas Active Nets Community Active Nets Ideas Real Active Services Products Internet Current Technology Scan the technology horizon

4 May 28-29, 2002 4 DANCE Exposition AN issues AN requires substantial supports from a NOS AN introduces substantial software component, hence delay on the data path AN lacks adequate measures to addressing integrity and security of network devices. Lack of industrial-strength Active Network devices that dispel major concerns:

5 May 28-29, 2002 5 DANCE Exposition Main contributions of the paper Active Flow Manipulation Concept —Flow abstraction —Actions on Flows —Control/Data separation Openet Platform —Commercial Network Devices —Runtime Environment —Active Services Applications Dynamically control ASICs and MEMs

6 May 28-29, 2002 6 DANCE Exposition Active Flow Manipulation Forwarding Processor Forwarding Processor Packet PolicyFilters AFM Packet Filte r Packet Action A key enabling technology of Openet Two abstractions —Primitive flows —Primitive actions Customer network services exercise active network control —Identifying specific flows —Apply actions to alter network behavior in real- time AFM is well suited to work with underlying high-throughput ASICs

7 May 28-29, 2002 7 DANCE Exposition L2-L7 Filtering Capability Source Address Source Port Destination Address Destination Port Protocol VLAN Diffserv Code Points Content Filtering Cookies Filtering Flow redirection Stop/Forward flow Change DSCP field Set VLAN priority Adjust priority queue Modify session table Parsing request header Parsing application contents Active Flow Manipulation Dynamic L2-L7 Filtering

8 May 28-29, 2002 8 DANCE Exposition CPU JVM …MEM JNI/Native Code OREJFWD Filtered packets New forwarding rules Forwarding Engine Monitor status User Oplets OpletService, Shell, Logger Jcapture, HTTP, IpPacket Standard Services ANTS Firewall, DiffServ Application services Function Services Control Plane Data Plane Openet: An active service platform

9 May 28-29, 2002 9 DANCE Exposition Nortel Networks’ contributions to Active Services Practical Active Services Architecture on real network device. Commercial Active Services platform. —ASF - Product —SSL – Product —Open Active Architecture for more product —Alteon+iSD as a research platform —L3 programmable routing switch PP8600 – used by research community —Photonic Switch – Early prototype Identify Active applications (more than Ping ) —Active VPN – Carrier A —Active fault diagnostic – Carrier A —Active SLA reliability —Active Extranet on Demand – CeNTIE- Media post production industry —Early stages in disaster recovery and fault tolerant networks

10 May 28-29, 2002 10 DANCE Exposition Strong computation power inside network device. Intercepts selected flows and performs intelligent processing based on L2-L7 filtering The emphasis is on interception and processing transparently. Entities at both ends may not be aware of the existence of the Alteon in the path UsersServers Active Services Platform Forwarding Computation Up to 256 Linux based engines

11 May 28-29, 2002 11 DANCE Exposition Alteon Switched Firewall (ASF) A Real Product Servers Runtime Environment For Active Services AFM Action on the data Flow AFM Flow (Req.) Selection data for the session Active Services 1 st pkt 1 Active Service: Policy Checking Data2

12 May 28-29, 2002 12 DANCE Exposition 1 st pkt 1 1 Add Conn. 1 Data for the session2 Delete Conn. after UDP timeout if session is inactive 3 Servers AFM Flow Selection Active Service: Policy Checking AFM Action on the Flow Active Services Runtime Environment For Active Services Alteon Switched Firewall (ASF) A Real Product

13 May 28-29, 2002 13 DANCE Exposition Secure XL & NAAP in Action TCP session SYN 1 Policy Check 1 1 Add Conn. (F2F) 1 SYN/ACK2 Update Conn. 3 TCP 3-way handshake complete, data for the session accelerated4 FIN-1 5 Update Conn. 5 FIN-26 ACK7 Update Conn. 6 Delete Conn. 7 Alteon Switched Firewall (ASF) Clients Servers ACK3 (TCP 3-way handshake complete )

14 May 28-29, 2002 14 DANCE Exposition ASF as an Active Service Technology The Alteon selectively redirects new connection requests to the Alteon Switched Firewall Director to perform policy checking. The Director runs the Check Point FireWall-1 engine as an Active Service. The Active Service manages the connection table, specifies rules for handling packets in the session, passes the connection table to the Alteon Switched Accelerator. 90% of traffic is accelerated, supporting a throughput of 3.2 Gbps.

15 May 28-29, 2002 15 DANCE Exposition How Does the iSD-SSL Accelerator work? SSL Acceleration How Does the iSD-SSL Accelerator work? HTTPS, SMTP-S, POP3-S and IMAP-S services Client sends an HTTPS request Switch redirects request on port 443 to iSD-SSL iSD-SSL completes SSL handshake iSD-SSL initiates HTTP connection to server on port 80 Switch selects real server based on configured LB policy Server responds to HTTP request and replies to the iSD-SSL iSD-SSL encrypts session and sends HTTPS response to client

16 May 28-29, 2002 16 DANCE Exposition SSL Acceleration Cont Servers Policy Check Conn. Splice Encrypt Decrypt Server Selection AFM Action on the data Flow AFM Flow (Req.) Selection data for the session accelerated Active Services Runtime Environment For Active Services Data Accelar

17 May 28-29, 2002 17 DANCE Exposition Active Services: Surviving Disasters When a disaster strikes, there are a few seconds left to evacuate any and all data out of the disaster area. A huge bolus of data drops unannounced at the network edge Data Evacuation —Data collection (e.g., data since last backup, sensor data, top-secret data) —Automated network setup and data transport  Disaster sensor acts as service trigger  Policy elements (e.g., what, where to)  Secure data carriage —Active control of both legacy and optical networks  Cannot have all circuits to all potential disaster areas pinned all the time!  Fast route setup, end-to-end. Bandwidth on demand  Secure access to exclusive high-priority service (akin to GETS in telephony) Data Recovery —Service restoration from the safe site —Active control of both optical and legacy networks  Fast re-route setup  Bandwidth and priority Active Service Creation: With the right service platform and APIs, we were able to set the prototype in just few weeks

18 May 28-29, 2002 18 DANCE Exposition Control Mesg Disaster Recovery concept Active Services on 10GE All-Optical Switch 8600 MEMs Switch Prototype 8600 1G 10G 1G A B C D X Y Z B2 B3 Nortel’s Active Services Alteon NAS Alteon NAS Alteon NAS EvaQ8 OG - 1 EvaQ8 OG -2 EvaQ8 OG - 3 1.Normal App flow : Client X -> Server Z 2.Disaster Strikes at Location Z 3.EvaQ8 OG 3 sends a signal to OG1 4.OG1 instructs Photonic Switch to connect B2 & B3 ; Server Z and Server Y data syncd 5.On successful sync, OG2 instructs Photonic switch to connect B1->B2. 6.Service Restored for Client X ->server Y Disaster Event/ Environ. Sensor B1 Control Mesg NAS 1G

19 May 28-29, 2002 19 DANCE Exposition AN Collaboration: CeNTIE – CSRIO- Nortel Tele-Health Focus Group Royal Australian College of Surgeons Medic Vision University of Sydney NSW Health Royal Prince Alfred Interactive Virtual Environment Centre (IVEC). Centre for Medical and Surgical Skills (CTEC). Media Systems Focus Group Fox Studios Animal Logic GMD Film Industry Broadband Resource Ambience Enterprise (FIBRE) WAM!NET Australian Broadcasting Corporation (ABC) ScreenWest Center for Networking Technologies for Information Economy (CeNTIE) - a CSIRO-led consortium including Nortel Networks, Amcom Telecommunications, the UNSW, UTS and the WA Interactive Virtual Environments Centre (IVEC). www.centie.net

20 May 28-29, 2002 20 DANCE Exposition Summary of Our Work We have inspired ourselves to active networks concepts Capable of dynamic monitoring, controlling and modification of ASICs and MEMs Demonstrate Active Networks technology transfer through Nortel Active Services platform. We have implemented programmable Gigabit Routing Switch (backplane 256 Gbs) —New Active Services platform: Openet + Alteon + iSD Active Services in the control plane (slows down in the data plane) —AFM abstraction The granularity is streams and not packets —Short time granularity (part of apps and not human intervention, keyboard, telnet, cli, snmp)

21 May 28-29, 2002 21 DANCE Exposition Summary of Our Our Work (cont.) Enabling New Types of intelligence on programmable network device to handle Infinite Bandwidth resources, Wire speed routing capability, and nontrivial Streaming media application.

22 May 28-29, 2002 22 DANCE Exposition Q&A OpenetLab – Nortel Networks: http://www.openetlab.org/

23 May 28-29, 2002 23 DANCE Exposition Client And Server Authentication User opens session 1 2 Sends server certificateRequests client certificate 3 Serves request/response 7 Send encrypted data to back end 6 Validates the client certificate info. 5 Private key Confidential Client sends the certificate with public key 4 Public key Published

24 May 28-29, 2002 24 DANCE Exposition User connections Intelligent Processing such As Load Balancing, Optimizing Bandwidth, Specialized services Server Balancing servers Connections terminate at the Alteon iSD Balancing iSDs Balancing can be based on load, or Functionality Powerful generic processors do not have the filtering capability of the Alteon. That is if they have to do the same thing as the Alteons, they have to do filtering in software, hence slow. An API is needed for exploring this filtering capacity Strong computation power inside network device. Load balance of iSDs (and servers)

25 May 28-29, 2002 25 DANCE Exposition Content Re-route Optical Ring Mirror Server Data Server Resource optimization (route 2) —Alternative lightpath Route to mirror sites (route 3) —Lightpath setup failed —Load balancing —Long response time –Congestion –Fault Route 1 Route 2 Route 3

Download ppt "May 28-29, 2002 1 DANCE Exposition Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines Tal Lavian -"

Similar presentations

Application of GMPLS technology to traffic engineering Shinya Tanaka, Hirokazu Ishimatsu, Takeshi Hashimoto, Shiro Ryu (1), and Shoichiro Asano (2) 1:

Application of GMPLS technology to traffic engineering Shinya Tanaka, Hirokazu Ishimatsu, Takeshi Hashimoto, Shiro Ryu (1), and Shoichiro Asano (2) 1:
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Application Layer 2-1 Chapter 2 Application Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Application Layer – Lecture.

Application Layer 2-1 Chapter 2 Application Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Application Layer – Lecture.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Enabling Active Networks Services on A Gigabit Routing Switch Tal Lavian and the Openetlab Team.

Enabling Active Networks Services on A Gigabit Routing Switch Tal Lavian and the Openetlab Team.
Open Innovation via Java-enabled Network Devices Tal Lavian

Open Innovation via Java-enabled Network Devices Tal Lavian
An Active Networking Testbed for Storage Presenter Mel Tsai People Mel Tsai Anshi Liang Paul Huang Perry Dong and Tal Lavian.

An Active Networking Testbed for Storage Presenter Mel Tsai People Mel Tsai Anshi Liang Paul Huang Perry Dong and Tal Lavian.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Transmission Control Protocol (TCP) and Packet-Switching Hardware Devang Parekh EE290F 4/15/04.

Transmission Control Protocol (TCP) and Packet-Switching Hardware Devang Parekh EE290F 4/15/04.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Edge Device Multi-unicasting for Video Streaming T. Lavian, P. Wang, R. Durairaj, F. Travostino Advanced Technology Lab, Nortel Networks D. B. Hoang University.

Edge Device Multi-unicasting for Video Streaming T. Lavian, P. Wang, R. Durairaj, F. Travostino Advanced Technology Lab, Nortel Networks D. B. Hoang University.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
Cisco Discovery Working at a Small-to-Medium Business or ISP CHAPTER 7 ISP Services Jr.

Cisco Discovery Working at a Small-to-Medium Business or ISP CHAPTER 7 ISP Services Jr.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Intranet, Extranet, Firewall. Intranet and Extranet.

Intranet, Extranet, Firewall. Intranet and Extranet.
FIREWALL Mạng máy tính nâng cao-V1.

FIREWALL Mạng máy tính nâng cao-V1.
IP Ports and Protocols used by H.323 Devices Liane Tarouco.

IP Ports and Protocols used by H.323 Devices Liane Tarouco.

Similar presentations

Ads by Google