OpenNF - PowerPoint Presentation

Uploaded On 2016-04-05

Presentation Transcript

Slide 1

OpenNF: Enabling Innovation in Network Function Control

Aditya Akella
With: Aaron Gember, Raajay Vishwanathan, Chaithan Prakash, Sourav Das, Robert Grandl, and Junaid Khalid
University of Wisconsin—Madison

Slide 2

Network functions, or middleboxes

Examples: caching proxy, intrusion prevention, firewall, WAN optimizer, traffic scrubber, SSL gateway, load balancer

Introduce custom packet processing functions into the network

[Sherry et al., SIGCOMM 2012]

Common in enterprise, cellular, ISP networks

Stateful: detailed book-keeping for network flows

Slide 3

State-of-the-art

Network functions virtualization (NFV), e.g. on Xen/KVM: lower cost; easy provisioning and upgrades

Software-defined networking (SDN): decouple from physical; better performance, chaining

Slide 4

NFV + SDN: distributed processing

Figure: an SDN Controller coordinating several MBox instances

Load balancing: extract maximal performance at a given $$

Dynamic reallocation to coordinate processing across instances

Slide 5

NFV + SDN: distributed processing

Figure: an SDN Controller coordinating several MBox instances

Load balancing: extract maximal performance at a given $$

Dynamic reallocation to coordinate processing across instances: hand-off processing for a traffic subset

Key abstractions:
1. Elastic
2. Always updated
3. Dynamic enhancement

Slide 6

What's missing?

The ability to simultaneously...
Meet SLAs, e.g., ensure deployment throughput > 1Gbps
Ensure accuracy/efficacy, e.g., IDS raises alerts for all HTTP flows containing known malware packages
Keep costs low, efficiency high, e.g., shut down idle resources when not needed
... needs more control than NFV + SDN

Slide 7

Example

Figure: Home Users, Firewall, Caching Proxy, Intrusion Prevention, Web Server

Scaling in/out: sustain throughput at low $

Not moving flows → bottleneck persists → SLAs!
Naively move flows → no associated state → Accuracy!
Scale down: wait for flows to drain out → Efficiency!

Transfer live state while updating n/w forwarding

Slide 8

OpenNF

Quick and safe dynamic reallocation of processing across NF instances
Quick: any reallocation decision invoked at any time finishes predictably soon
Safe: key semantics for live state transfers → no state updates missed, order preserved, etc.
Rich distributed-processing-based applications to flexibly meet cost, performance, security objectives

Slide 9

Outline

Overview and challenges
Design: requirements, key ideas
Applications
Evaluation

Slide 10

OpenNF (Overview and challenges)

Figure: control applications (elastic scaling, hot standby, dynamic enhancement) run atop the OpenNF Controller, which works alongside the SDN Controller to manage the MBox instances

NF APIs and control plane for joint control over internal NF state and network forwarding state

Components: reallocation operations; state import/export; coordination w/ network

Slide 11

Challenges (Overview and challenges)

1: Many NFs, minimal changes
Avoid forcing NFs to use special state structures / allocation / access strategies
→ Simple NF-facing API; relegates actions to NFs

2: Reining in race conditions
Packets may arrive while state is being moved; updates lost or re-ordered; state inconsistency
→ Lock-step NF state/forwarding update

3: Bounding overhead
State transfers impose CPU, memory, n/w overhead
→ Applications control granularity, guarantees

Slide 12

NF state taxonomy (C1: Minimal NF Changes)

State created or updated by an NF applies to either a single flow or a collection of flows

Classify state based on scope: flow provides a natural way for reasoning about which state to move, copy, or share

Per-flow state: e.g. Connection, TcpAnalyzer, HttpAnalyzer (one set per connection)
Multi-flow state: e.g. ConnCount
All-flows state: e.g. Statistics

Slide 13

API to export/import state (C1: Minimal NF Changes)

Three simple functions: get, put, delete(f)
Version for each scope (per-, multi-, all-flows)
Filter f defined over packet header fields
NFs responsible for: identifying and providing all state matching a filter; combining provided state with existing state

No need to expose internal state organization
No changes to conform to a specific allocation strategy

Slide 14

Operations

move flow-specific NF state at various granularities
copy and combine, or share, NF state pertaining to multiple flows
Semantics for move (loss-free, order-preserving), copy/share (various notions of consistency)

Example: "Reallocate port 80 to NF2"

Slide 15

Move

Control Application → OpenNF Controller: move(port=80, Inst1, Inst2, LF&OP)
OpenNF Controller → Inst1: getPerflow(port=80)
Inst1 → OpenNF Controller: [ID1,Chunk1], [ID2,Chunk2]
OpenNF Controller → Inst2: putPerflow(ID1,Chunk1), putPerflow(ID2,Chunk2)
OpenNF Controller → Inst1: delPerflow(port=80)
OpenNF Controller → SDN Controller: forward(port=80, Inst2)

Slide 16

Load-balanced network monitoring (C2: Race conditions)

Figure: HTTP requests arriving at Bro instances running vulnerable.bro and weird.bro, with a move between the instances

vulnerable.bro → reconstructs MD5's for HTTP responses → not robust to losses
weird.bro → SYN and data packets seen in unexpected order → not robust to reordering

Moving live state: some updates (packets) may be lost, or arrive out of order

Slide 17

Lost updates during move (C2: Race conditions)

Packets may arrive during a move operation
Fix: suspend traffic flow and buffer packets → may last 100s of ms; packets in transit when buffering starts are dropped

Figure: move(blue, Inst1, Inst2); packets B1, B2 from R1 reach Inst1 while the move is in progress, so Inst2 is missing updates

Loss-free: all state updates due to packet processing should be reflected in the transferred state, and all packets the switch receives should be processed

Key idea: event abstraction to prevent, observe and sequence state updates

Slide 18

Loss-free move using events (C2: Race conditions)

enableEvents(blue, drop) on Inst1; get/delete on Inst1
Buffer events at controller
put on Inst2
Flush packets in events to Inst2
Update forwarding

Figure: packets B1, B2, B3 for the blue flow arrive at Inst1 from R1; Inst1 drops them and raises events, the controller buffers them (B1; B1,B2; B1,B2,B3), and after the put they are flushed to Inst2 (stop processing; buffer at controller)

Slide 19

Re-ordering of updates (C2: Race conditions)

Order-preserving: all packets should be processed in the order they were forwarded to the NF instances by the switch

Figure: controller, switch, Inst1 and Inst2; after step 5 (flush buffer) and step 6 (issue forwarding update), packets B2, B3, B4 can reach Inst2 in an order different from the one in which the switch forwarded them

Two-stage update to track last packet at NF1

Slide 20

Order-preserving move (C2: Race conditions)

Flush packets in events to Inst2 w/ "do not buffer"
enableEvents(blue, buffer) on Inst2
Forwarding update: send to Inst1 & controller
Wait for packet from switch (remember last)
Forwarding update: send to Inst2
Wait for event from Inst2 for last Inst1 packet
Release buffer of packets on Inst2

Figure: B1, B2, B3 are flushed from the controller's events to Inst2; B4 arriving at Inst2 is buffered ("buf") until the event for the last Inst1 packet (B3) is seen, after which Inst2 holds B1, B2, B3, B4 in order (track last packet; sequence updates)

Slide 21

Bounding overhead (C3: Applications)

Apps decide, based on NF type and objective:
granularity of reallocation operations: move, copy or share; filter, scope
guarantees desired: move: no-guarantee, loss-free, loss-free + order-preserving; copy: no or eventual consistency; share: strong or strict consistency

Slide 22

Load-balanced network monitoring (C3: Applications)

Figure: HTTP requests split across two Bro instances, each running scan.bro, vulnerable.bro and weird.bro

    movePrefix(prefix, oldInst, newInst):
        # copy multi-flow state for the prefix, then move per-flow state
        # loss-free and order-preserving
        copy(oldInst, newInst, {nw_src: prefix}, multi)
        move(oldInst, newInst, {nw_src: prefix}, per, LF+OP)
        # keep multi-flow state eventually consistent in both directions
        while (true):
            sleep(60)
            copy(oldInst, newInst, {nw_src: prefix}, multi)
            copy(newInst, oldInst, {nw_src: prefix}, multi)

Slide 23

Implementation (Impl & Eval)

OpenNF Controller (≈4.7K lines of Java), written atop Floodlight
Shared NF library (≈2.6K lines of C)
Modified NFs (4-10% increase in code): Bro (intrusion detection), PRADS (service/asset detection), iptables (firewall and NAT), Squid (caching proxy)
Testbed: HP ProCurve connected to 4 servers

Slide 24

Microbenchmarks: NFs (Impl & Eval)

Serialization/deserialization costs dominate
Cost grows with state complexity

Slide 25

Microbenchmarks: operations (Impl & Eval)

State: 500 flows in PRADS; traffic: 5000 pkts/sec; move per-flow state for all flows

Figure (move): packets dropped! (686, 462); 881 packets in events; 1120 packets buffered at Inst2 + 838 packets in events
Guarantees come at a cost!
Copy (MF state) – 111ms
Share (strong) – 13ms per pkt
D = f(load, state, speed)

Slide 26

Macrobenchmarks: end-to-end benefits (Impl & Eval)

Load balanced monitoring with Bro IDS
Load: replay cloud trace at 10K pkts/sec
At 180 sec: move HTTP flows (489) to new Bro
At 360 sec: move HTTP flows back to old Bro
OpenNF scale-up: 260ms to move (optimized, loss-free); log entries equivalent to using a single instance
VM replication: 3889 incorrect log entries; cannot support scale-down
Forwarding control only: scale-down delayed by more than 1500 seconds

Slide 27

Wrap up!

OpenNF enables rich control of the packet processing happening across instances of an NF
Quick, key safety guarantees, low overhead, minimal NF modifications

http://opennf.cs.wisc.edu

Slide 28

Backup

Slide 29

Copy and share (C2: Race conditions)

Used when multiple instances need to access a particular piece of state
Copy – eventual consistency: issue once, periodically, based on events, etc.
Share – strong consistency: all packets reaching NF instances trigger an event; packets in events are released one at a time; state is copied between packets

Slide 30

Example app: selectively invoking advanced remote processing (C3: Applications)

    enhanceProcessing(flowid, locInst):
        move(locInst, cloudInst, flowid, per, LF)

Figure: HTTP requests enter the enterprise n/w from the Internet; the local instance runs scan.bro, vulnerable.bro and weird.bro; the cloud instance additionally runs detect-MHR.bro, which checks the md5sum of the HTTP reply

No need for: (1) order-preservation, (2) copying multi-flow state

Slide 31

Existing approaches

Control over routing (PLayer, SIMPLE, Stratos)
Virtual machine replication: unneeded state => incorrect actions; cannot combine => limited rebalancing
Split/Merge and Pico/Replication: address specific problems => limited suitability; require NFs to create/access state in specific ways => significant NF changes

Slide 32

Controller performance

Improve scalability with P2P state transfers

Slide 33

Macrobenchmarks: benefits of granular control (Impl & Eval)

Two clients make HTTP requests, 40 unique URLs
Initially, both go to Squid1; 20s later → reassign client 1 to Squid2

Granularities of copy:

Metric              Ignore    Copy-client  Copy-all
Hits @ S1           117       117          117
Hits @ S2           crashed   39           50
State transferred   0         4MB          54MB
