Slide 1: OpenNF
Aaron Gember, Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid Khalid, Sourav Das, Aditya Akella

Slide 2: SDN + software NFs
- NFs examine/modify packets at layers 3-7
- Software NFs are replacing physical appliances
- SDN applications (PLayer, SIMPLE, Stratos, etc.) steer flows through NFs
(Diagram elements: Home Users, Firewall, Intrusion Prevention, Caching Proxy, Web Server)
Enables new applications that control the packet processing happening across instances of an NF
Slide 3: Example: scaling & load balancing
- Not moving flows => bottleneck persists
- Naively moving flows => incorrect NF behavior
(Diagram elements: Home Users, Firewall, Intrusion Prevention, Caching Proxy, Web Server)
Requires a control plane that enables management of both internal NF state and network forwarding state
Slide 4: Challenges
- Dealing with race conditions: packets may arrive while state is being moved, causing state updates to be lost or re-ordered
- Giving applications flexibility: may need to move state at different granularities
- Supporting many NFs with minimal changes: undesirable to force NFs to conform to certain state structures or allocation/access strategies
Slide 5: OpenNF
(Architecture diagram elements: Control Application, Northbound API, OpenNF Controller, Southbound API, SDN Controller)
Slide 6: Outline
- Overview
- Requirements
- Design
  - Southbound API (addresses NF diversity)
  - Northbound API (addresses race conditions)
- Evaluation
Slide 7: Requirements
- Move flow-specific NF state at various granularities
- Copy and combine, or share, NF state pertaining to multiple flows
- Support key guarantees (no loss, order preserved) when needed
- Track when/how state is updated
Slide 8: Existing approaches
- Control over routing (PLayer, SIMPLE, Stratos)
- Virtual machine replication
  - Unneeded state => incorrect actions
  - Cannot combine => limited rebalancing
- Split/Merge and Pico/Replication
  - Address specific problems => limited suitability
  - Require NFs to create/access state in specific ways => significant NF changes
Slide 9: NF state taxonomy
- State created or updated by an NF applies to either a single flow or a collection of flows
- Classify state based on scope
- Flow provides a natural way for reasoning about which state to move, copy, or share
(Diagram: per-flow state, e.g., Connection, TcpAnalyzer, HttpAnalyzer objects for each flow; multi-flow state, e.g., ConnCount; all-flows state, e.g., Statistics)
Slide 10: API to export/import state
- Three simple functions: get, put, delete
  - Version for each scope (per-, multi-, all-flows)
  - Filter defined over packet header fields
- NFs responsible for
  - Identifying and providing all state matching a filter
  - Combining provided state with existing state
- No need to expose internal state organization
- No changes to conform to a specific allocation strategy
Slide 11: API to observe/prevent updates
- Problem: need to prevent (e.g., during move) or observe (e.g., to trigger copy) state updates
- Solution: event abstraction
  - Functions: enableEvents and disableEvents
  - Instruct NF to raise an event and process, buffer, or drop packets matching a filter
- Only need to change an NF's receive packet function
Slide 12: Move operation
(Sequence diagram between Control Application, OpenNF Controller, Inst1, Inst2 and SDN Controller; messages in the order shown)
Control Application -> OpenNF Controller: move(port=80, Inst1, Inst2)
OpenNF Controller -> Inst1: getPerflow(port=80)
Inst1 -> OpenNF Controller: [Chunk1]
OpenNF Controller -> Inst2: putPerflow(Chunk1)
OpenNF Controller -> Inst1: delPerflow(port=80)
Inst1 -> OpenNF Controller: [Chunk2]
OpenNF Controller -> Inst2: putPerflow(Chunk2)
OpenNF Controller -> SDN Controller: forward(port=80, Inst2)
Slide 13: Packet arrivals during move
- Packets may arrive during a move operation
  - Fix: suspend traffic flow and buffer packets
  - May last 100s of ms => connection timeouts
  - Packets in-transit when buffering starts are dropped
(Diagram: move(yellow, Inst1, Inst2); Inst2 is missing updates)
Loss-free: All state updates due to packet processing should be reflected in the transferred state, and all packets the switch receives should be processed
Slide 14: Use events for loss-free move
- enableEvents(blue, drop) on Inst1; get/delete on Inst1; put on Inst2
- Buffer events at controller
- Flush packets in events to Inst2
- Update forwarding
(Diagram labels: state S, packet A, updated state S+A, flowing from Inst1 through the controller to Inst2, which ends with S, S+A, A)
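As an added example (not code from the OpenNF slides or project), the following Python model of the southbound API shows the lost-update race of slide 13 and the loss-free move of slide 14 side by side; the NFInstance class, the per-flow packet-counter state, the (flow, seq) packet tuples and flow-id filters are assumptions of this toy model.

```python
# Added example, not from the OpenNF slides or code base: a toy model of the
# southbound API (getPerflow/putPerflow/delPerflow/enableEvents) showing why a
# naive move loses updates and how the loss-free move avoids it. Per-flow
# state is a packet counter; a packet is a (flow, seq) tuple; filters are flow ids.

class NFInstance:
    def __init__(self):
        self.state = {}        # flow id -> number of packets processed
        self.evt = None        # (flow filter, action) set by enableEvents
        self.events = []       # raised events; each carries the packet
    def enableEvents(self, flow, action):   # action: "drop" or "process"
        self.evt = (flow, action)
    def disableEvents(self):
        self.evt = None
    def receive(self, pkt):    # the one NF function that must change
        flow = pkt[0]
        if self.evt and self.evt[0] == flow:
            self.events.append(pkt)         # raise event to the controller
            if self.evt[1] == "drop":
                return                      # packet not processed, no update
        self.state[flow] = self.state.get(flow, 0) + 1
    def getPerflow(self, flow):
        return {flow: self.state.get(flow, 0)}
    def putPerflow(self, chunk):
        self.state.update(chunk)
    def delPerflow(self, flow):
        self.state.pop(flow, None)

def naive_move(flow, src, dst, in_flight):
    """get/del on src, put on dst; packets still reaching src are lost."""
    chunk = src.getPerflow(flow)
    for pkt in in_flight:
        src.receive(pkt)        # updates src state after the chunk was read
    src.delPerflow(flow)
    dst.putPerflow(chunk)       # transferred state lacks those updates
    return dst.state[flow]

def lossfree_move(flow, src, dst, in_flight):
    """Slide 14: enableEvents(drop) on src, buffer events, flush to dst."""
    src.enableEvents(flow, "drop")
    chunk = src.getPerflow(flow)
    for pkt in in_flight:
        src.receive(pkt)        # raises an event instead of updating state
    src.delPerflow(flow)
    dst.putPerflow(chunk)
    for pkt in src.events:      # controller flushes buffered packets to dst
        dst.receive(pkt)
    src.disableEvents()         # forwarding update would follow (not modeled)
    return dst.state[flow]
```

With state S of two processed packets and one packet A in flight, the naive move hands Inst2 a count of 2 (A's update is lost), while the loss-free move hands it 3.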
Slide 15: Re-ordering of packets
Order-preserving: All packets should be processed in the order they were forwarded to the NF instances by the switch
(Diagram elements: Controller, Switch, Inst1, Inst2; "Flush buffer", "Request forwarding update"; packets A, D1, D2 and state S+A)
Slide 16: Order-preserving move
- Flush packets in events to Inst2
- enableEvents(blue, buffer) on Inst2
- Forwarding update: send to Inst1 & controller
- Wait for packet from switch (remember last)
- Forwarding update: send to Inst2
- Wait for event for last packet from Inst2
- Release buffer of packets on Inst2
(Diagram labels: S, S+A, A, D1; Inst2 ends with S, S+A, A, D1)
Slide 17: Copy and share operations
- Used when multiple instances need to access a particular piece of state
- Copy: no or eventual consistency
  - Issue once, periodically, based on events, etc.
- Share: strong or strict consistency
  - All packets reaching NF instances trigger an event
  - Packets in events are released one at a time
  - State is copied between packets
Slide 18: Example app: Load balanced network monitoring

    movePrefix(prefix, oldInst, newInst):
        copy(oldInst, newInst, {nw_src:prefix}, multi)
        move(oldInst, newInst, {nw_src:prefix}, per, LF+OP)
        while (true):
            sleep(60)
            copy(oldInst, newInst, {nw_src:prefix}, multi)
            copy(newInst, oldInst, {nw_src:prefix}, multi)

(Diagram: Bro instances running scan.bro, vulnerable.bro, weird.bro)
Slide 19: Example app: Selectively invoking advanced remote processing

    enhanceProcessing(flowid, locInst):
        move(locInst, cloudInst, flowid, per, LF)

(Diagram: two Bro instances running scan.bro, vulnerable.bro, weird.bro; one additionally runs detect-MHR.bro)
Slide 20: Implementation
- OpenNF Controller (≈3.8K lines of Java), written atop Floodlight
- Shared NF library (≈2.6K lines of C)
- Modified NFs (3-8% increase in code)
  - Bro (intrusion detection)
  - PRADS (service/asset detection)
  - iptables (firewall and NAT)
  - Squid (caching proxy)
Slide 21: End-to-end benefits
- Load balanced monitoring with Bro IDS
  - Load: 10K pkts/sec cloud trace
  - After 180 sec: move HTTP flows (489) to new Bro
- OpenNF: 260ms to move (optimized, loss-free)
  - Log entries equivalent to using one instance
- VM replication: 3889 incorrect log entries
- Forwarding control only: scale down delayed by > 1500 seconds
Slide 22: Southbound API call processing
- Serialization/deserialization costs dominate
- Cost grows with state complexity
Slide 23: Efficiency with guarantees
- State: 500 flows in PRADS; Load: 1000 pkts/s
- Move (chart)
- Copy: 176ms
- Share: 7ms (or more) for every packet
(Chart annotations: 194 pkts dropped; 130 pkts buffered at dstInst; 230 pkts in events)
Guarantees come at a cost!
Slide 24: Controller performance
- Improve scalability with P2P state transfers
Slide 25: Conclusion
- Systematic engineered APIs implemented by NFs and used by control applications
- Enables rich control of the packet processing happening across instances of an NF
- Provides key guarantees and requires minimal NF modifications
http://agember.com/go/opennf