Genesis: Synthesizing Forwarding Tables in Multi-tenant Networks - PowerPoint Presentation

Genesis: Synthesizing Forwarding Tables in Multi-tenant Networks Kausik SubramanianLoris D’Antoni, Aditya Akella 1

Enterprise NetworkEnterpriseNetwork Network Policies Cloud Network 2

Tenant Network Policies EnterpriseNetworkABReachability: A can talk to B C Waypoints : C to B traffic goes through a Firewall 3

Cloud Network Policies S7S8S9S10S3 S 4 S 5 S 6 S 1 S 2 Tenant 1 Network Policies Tenant 2 Network Policies Network isolation : Tenant 1 and 2’s traffic must not affect each other Network r esource m anagement Fault tolerance 100Gbps 100Gbps 100Gbps 100 Gbps 100Gbps 4

Software-defined Networks S7S8S9S10S3 S 4 S 5 S 6 S 1 S 2 SDN Controller 5 SSH Programmable switch rules: Match : Packet headers Action : Forward to next switch SSH traffic at S 3 is forwarded to S 7 Centralized controller e nforces policies Enforcing policies using conventional distributed networks is difficult.

State of the ArtFrenetic [ICFP11] Program individual switch behaviors in SDNHard to express network-wide behaviorNetKAT [POPL14]Network-wide policies like regular paths (waypoints)Cannot express hyperproperties like isolationMerlin [CONEXT14] SIMPLE [SIGCOMM13] Complex network-wide policies like waypoints and bandwidth guarantees Tailor-made and not easily extensible to new policies 6

High-level language to specify policies Switch forwarding tablesGenesisINPUTOUTPUTExtensible and generalized searchSupport for complex and diverse policiesGenesis uses Satisfiability Modulo Theories (SMT) solvers to synthesize forwarding tablesEnforcing certain policies is NP-complete7

Outline of the TalkMotivationSynthesis of forwarding tables in GenesisScaling to large workloads: Tactics and Divide-and-conquerGenesis extensions: Handling failures8

Genesis Policy Support S7S8S9S10S3S4 S5 S 6 S 1 S 2 G 1 G 2 Reachability : G 1 can talk to G 2 B 1 B 2 Waypoints : B 1 can talk to B 2 Through FW ( NP-complete) FW Tenant isolation : No shared links (NP-complete) Traffic engineering 9

Synthesis Approach High-level policies +TopologyForwarding tablesINPUTOUTPUT(Fwd, Reach)Constraints on Fwd and ReachPaths from Fwd and Reach solution Abstract Representation 10

Semantics of (Fwd, Reach) S1S2S3 Fwd (S 1 , ID) = S 2 : Switch S 1 forwards to S 2 Fwd (S 1 , ID) = S 2 Fwd (S 2 , ID) = S 3 Reach(S 2 , ID) = 1 : Specifies that S 2 is reachable in 1 step from source Reach(S 1 , ID) = 0 Reach(S 2 , ID) = 1 Reach(S 3 , ID) = 211 Paths extracted from the values of Fwd and Reach

Reachability Constraints S1S4S5If a switch is reachable in k steps, one of its neighbors must be reachable in k - 1 steps 12 S 2 S 3 SRC DST Reach( S 4 , ID) = k Reach( S 3 , ID) = k - 1 Reach( S 2 , ID) = k - 1   Fwd (S 3 , ID) = S 4

Policy Constraints S1S2S3S5 S 4 Waypoint: Blue Tenant 🀫 specifies path must traverse through S 4 Reach(S 4 , ID) = k   Isolation: Blue Tenant 🀫 and Red Tenant 🀫 paths do not share any link (S 3 , ID1) (S 3 , ID2)   Traffic Engineering: Using SMT-OPT 13

THE END?14

Baseline Synthesis Evaluation SetupGenesis implemented in Python, uses Z3 SMT solver Multi-tenant isolation: Each tenant has a single reachability policy, and all tenant paths are mutually isolatedMedium-sized fat-tree datacenter topologies15

Baseline Synthesis Evaluation Synthesis time for over 60 tenants takes >5000sExponentialComplexityTo scale to large networks and workloads, we need to further optimize synthesis performance.16

Scaling to Large WorkloadsTactics Divide-and-Conquer 17

Tactics: Motivation Use network structure to specify path properties Regular expressions using hierarchies Edge Aggregate Core Edge-to-edge paths: 272 Large search s pace 18

Tactics: Examples Valley-Free Tactic : Edge Agg Core Agg Edge No Edge Tactic: Not (Edge .* Edge .* Edge) Edge Aggregate Core 19 Very restrictive; short paths L ess restrictive; l onger paths

Tactics: Constraint Reduction20 A1SE1C1Genesis uses tactics as a search strategy to eliminate constraints Reach(S) = k Reach( C 1 ) = k - 1 Reach( A 1 ) = k - 1 Reach( E 1 ) = k - 1     No Edge Tactic ensures no intermediate edge switch

Tactics: PropertiesSpecified using a restricted regular expression syntax Sound heuristic (paths satisfy tactic regular expression) Complete (if a solution exists where the paths satisfy the regular expressions, Genesis will return one)Policy-agnostic optimizationsThe operator can develop a repository of tactics based on their topology structure for reuse21

Tactics: EvaluationMulti-tenant isolation workload Valley-Free Tactic and No Edge TacticValley-Free Tactic speedup: 400x22

Divide-and-Conquer:Policy Graph Components ≫   ≫   ≫   23 Synthesis Isolation ≫   ≫   ≫   Reachability Policy Policy Graph

Divide-and-Conquer Synthesis            Synthesized path for   Synthesize partition 1 Synthesize partition 2 24 Min-cut partitioning 2x speedup for 40% of workloads with isolation Multiple solutions exist due to dense topology Unsatisfiable cores for iterating solutions

Outline of the TalkMotivation Synthesis of forwarding tables in GenesisScaling Genesis: Tactics and Divide-and-ConquerGenesis extensions: Handling failures25

Genesis Extensions26 GenesisRich PolicyLanguageSynthesis using SMTResilient PathsNetwork Repair

Network Resilience Cloud network S1S2S3 Single path: Not resilient t-resilience : For events under t arbitrary link failures, there exists a valid path Link failure 27

Policy-compliant Resiliency Cloud network S1S2S3 Backup path 1-resilient For 1-resilience, backup path must be edge-disjoint from original path Isolation policy 28 Sound transformation of input policies to provide t-resilience

Minimal Reactive Network Repair PoliciesPoliciesBest repair: Minimize change overheadGenesis uses MaxSMTCloud network 29

Network Repair EvaluationMulti-tenant isolation workload One switch-failure, network repair such that number of switches affected is minimizedFor larger workloads, repair is faster than re-synthesis.30

High-level policies on pathsa nd switchesSwitch forwarding tables satisfying policiesGenesisINPUTOUTPUT31TacticsDivide-and-conquerT-resilience Network repair Optimizations Extensions

Valid Path Constraints S1S2S3S5 S4 Blue Tenant 🀫 Reachability policy: S1 >> S5 Source Destination Reach(S5, k, 🀫 )   Reach(S1, 0, 🀫 ) Reach(S4, k, 🀫 ) S4 Reach(S2, k-1, 🀫 ) Reach(S5, k-1, 🀫 ) S2 S5 Fwd (S2,S4, 🀫 ) Fwd (S5,S4, 🀫 ) , k , …) …)   32

Synthesis AlgorithmInitialize networking model relations Fwd and Reach in Z3 SolverAdd constraints for the input policies to the solver Solve and extract the set of paths from the solution model33

Reachability ConstraintsPolicy: (s >> d, pc) Source Constraint : ∃n ∈ N (s). Fwd(s, n, pc) ∧ Reach(n, pc, 1) (There is a forwarding rule for source)Destination Constraint : ∃k. Reach(d, pc, k) (Destination is reachable)Backward Reachability Propagation Constraints : ∀,k. Reach(, pc, k) ⇒ ∃. ∈N() ∧ Reach(, pc, k − 1) ∧ Fwd( , , pc)   34

Unicast Forwarding?No restriction on number of forwarding rules at a switch! Not a problem, we need just one simple path from source to destinationPerform a breadth-first search on the reachability graph induced by the solution to extract shortest simple path Directed edge exists if ( , , pc) ∈ Fwd Optimization : constraints needed for unicast forwarding 35

Waypoint Constraints Policy: s >> >> d are sets of waypointsPath must traverse all waypoints in , then and so on.Waypoint traversal constraints: ∀w ∈. ∃k. Reach(w, pc, k) Ordering constraints: ∀ ∈ , ∀ . Reach ( , pc, ) ⇒ ∀ ∈ . ∃ . < ∧ Reach( , pc , )   36

Unicast ConstraintsWaypoints : Need to ensure a single path from source to destination Forwarding Set of switch sw is the set of switches the packet is forwarded to: FwdSet(sw, pc) = {k | Fwd(sw, k, pc)} Forwarding rules for pc at a switch must not be greater than 1 : ∀sw, pc. |FwdSet(sw, pc)|≤ 1 Expressed using SAT 37

Isolation ConstraintsPolicy: || Paths for and do not share a link in the same directionConstraints: ∀. ¬(∃. Fwd(, , ) ∧ Fwd( , , )) At any switch, both classes should not be forwarded to the same switch U nicast constraints for a reachability policy without waypoints ?NO, Solver would discard the additional rules conflicting with another packet class   38

Link Capacity ConstraintsPolicy: → : ω C(, , pc) : Cumulative capacity function of the link used by all packet classes less than equal to pc. W(pc) : Weight function of packet classInductive constraints for the capacity function : ∀pc > 0. Fwd( , , pc) ⇒ C( , , pc ) = C( , , pc − 1) + W ( pc ) ( Similarly for the case of ¬Fwd ( , , pc) ) λ is the greatest packet class. Capacity Constraint using LIA : C( , , λ) ≤ ω   39

Restricted Tactic Syntax ∈ Lb, : source label, : destination labelRegular expressions are negated at the outer level to specify blacklists ¬(e c e) : No core at the (i+1)th step ¬(e e) : Length < i + 1 Conjuction of regexes : ¬(e e e) ≡   40

Tactic Synthesis AlgorithmConstraints responsible for path: ∀,k. Reach(, pc, k) ⇒ ∃. ∈ N() ∧ Reach(, pc, k − 1) ∧ Fwd(, , pc) (1) Prune these constraints to ensure path satisfies tactic regular expressionCase I : ¬( ) Example : ¬(e ) For all switches, ( sw , pc, k) Reach for k > i For tuples Reach, we don’t need to add the constraints of (1)   41

Tactic Synthesis AlgorithmConstraints responsible for path: ∀,k. Reach(, pc, k) ⇒ ∃. ∈ N() ∧ Reach(, pc, k − 1) ∧ Fwd(, , pc) (1)Case II : ¬( ) Example : ¬(e ) For switches with label e : ( sw , pc, i + 1) Reach   42

Tactic Synthesis AlgorithmConstraints responsible for path: ∀,k. Reach(, pc, k) ⇒ ∃. ∈ N() ∧ Reach(, pc, k − 1) ∧ Fwd(, , pc) (1)Case III : ¬( ) Example: ¬(e ) Aggregate switch at (i+1) th step cannot be succeeded by a core switch at i+2 steps Prune (1) such that for core switches at (i+2) th step is not preceeded by aggregate switch ( Remove all aggregate switches from N ( ) )   43

E1 E2E3E4A1A2 A3 A4 C1 C2 SDN Controller Network Operator FW Tenant Specifications Operator Specifications IDS ? Reachability Waypoints Isolation Link Capacity Switch Table Size Traffic Engineering Genesis Genesis Policies Forwarding Tables 44

Tactics The restricted grammar comes from the structure of the reachability constraints (1) ¬(e a c a .∗ e) cannot be satisfied without adding extra constraints Reach(..i+3) only depends on Reach(..i+2), not both Reach(..i+1) and Reach(..i+2)Tactics are sound but incompleteDue to vast interconnect in datacenters, operators can design tactics which are complete for all practical purposes   45

Synthesis ProcedurePolicy Graph : Vertices are packet classes and edges are isolation policiesRecursively partition each connected component in two : min-cut partitioning/ equi-sized partitioning Maximize isolation inside partitionsSynthesize P1, and provide the solution of P1 to P2 as constraints for synthesis46

Recovery Mechanisms Path1 SynthesisSynthesisPath1 Path247

Recovery MechanismsSolver-guided enumeration : Obtain unsatisfiable cores which are paths of P1 Resynthesize P1 to get a different solutionEnumeration ineffective with dense graphs, bound of number of enumerationsFor completeness, perform multiple iterations of optimistic synthesis: Each iteration, double the base threshold partition sizeFinal case : threshold = graph size (normal synthesis)48