
Software Defined Networking - PowerPoint Presentation

Uploaded by yoshiko-marsland on 2016-04-27


COMS 6998-10, Fall 2014. Instructor: Li Erran Li (lierranli@cs.columbia.edu), http://www.cs.columbia.edu/~lierranli/coms6998-10SDNFall2014/. 11/24/2014: SDN Middleboxes and NFV. ID: 295273




Presentation Transcript

Slide 1

Software Defined Networking
COMS 6998-10, Fall 2014
Instructor: Li Erran Li (lierranli@cs.columbia.edu)
http://www.cs.columbia.edu/~lierranli/coms6998-10SDNFall2014/
11/24/2014: SDN Middleboxes and NFV

Slide 2

Outline

- Review of SDN Wireless Networks
- SDN Middleboxes and NFV
  - Middlebox NFV (Middlebox Virtualization)
  - NFV Use Cases
  - NFV Architecture, Proof-of-Concept Implementation, Monitoring and DPDK
  - Virtualization Optimization: ClickOS
  - Enforcing Network-Wide Policy: FlowTags

11/24/14 Software Defined Networking (COMS 6998-10)

Slide 3

Mobile WANs Problems

- Suboptimal routing in large carriers
  - Lack of a sufficiently close PGW is a major cause of path inflation (Path Inflation, PAM'14)
- Lack of support for seamless inter-region mobility
  - No inter-PGW mobility support (DMM, Zuniga et al., 2013)
- Scalability and reliability
  - Centralized policy enforcement
  - Ill-suited to adapt to new trends of mobile traffic
  - Signaling storm problem

Slide 4

What is SoftMoW?

- Clean-slate architecture for cellular WANs
- Scalable control plane and data plane
  - Millions of UEs and hundreds of thousands of BSs
- Performs new global applications
  - Runs region optimization
  - Supports seamless mobility
  - Enables optimal end-to-end paths

Slide 5

SoftMoW Overview

- Controller: enforces service policies and runs new apps
- Core networks: inter-connected SDN switches nationwide
  - Sufficient egress points per region to avoid path inflation
- Radio networks: organized into base station groups
  - Fine-grained classifier access switch attached to each BS
- Service policies: middleboxes placed in edge networks
  - Any sophisticated network function, e.g., billing and noise cancellation

(Figure: SoftMoW architecture diagram)

Slide 6

SoftMoW Challenges

- Distributed control plane
  - Recursively build up a hierarchical and reconfigurable control plane
- Path setup
  - Keep per-packet overhead minimal on recursive abstractions
- Topology discovery
  - Cross-region links are visible to only a non-leaf controller
- Global applications
  - Optimization without a global network state at each controller

Slide 7

Recursive and Reconfigurable Control Plane

- Recursively partition the data plane network into logical regions and assign each to a control node
- Recursively expose: Gigantic Switch (G-switch), Gigantic Middlebox (G-middlebox), Gigantic Base Station (G-BS)
- Reconfiguration: each non-leaf controller can reconfigure logical entities
  - Optimize the hierarchy and data plane operations without a global state

Slide 8

SoftMoW Controller Architecture

- Network operating system: agnostic of cell apps
- Operator apps: e.g., region optimization, HSS, PCRF
- Recursive abstraction app
  - Eastbound API for operator apps
  - Agent communicates with a parent
  - Exposes G-switches, G-BSes, G-middleboxes
- Management plane: bootstraps the recursive control plane, e.g., IP assignment, tree configuration

Slide 9

Core Service: Topology Discovery

- Scalable and fast link and switch detection
- Two challenges:
  - Inter-region links visible to only a non-leaf controller
  - Leaf controllers with direct control
- Parallel-sequential periodical protocol:
  - G-switch discovery
  - Inter-G-switch link discovery
  - Abstract G-switch computation

(Figure: physical switches SW1, SW2, SW3, SW4 under leaf controllers C1 and C2; root controller C0 sees G-switches GS1 and GS2)

Slide 10

Core Service: Topology Discovery

- Discovery message:
  - Metadata field: properties of the traversed physical ...
  - Stack field: stores the traversed path
  - Format: (Controller ID, G-switch ID, G-switch port)

(Figure: stack field of the discovery message at four points of its traversal over the topology of the previous slide)
  (1) (C0, GS1, p1)
  (2) (C0, GS1, p1) (C1, SW2, p2)
  (3) (C0, GS1, p1) (C1, SW2, p2) (SW3, p3)
  (4) (C0, GS1, p1) (GS2, p4)

Slide 11

Core Service: Path Setup

- Access switches perform fine-grained packet classification
- Goal 1: each controller should be able to make local decisions
- Goal 2: decisions made by an ancestor controller should be visible across the links it discovers
- Simple solution: label stacking (per-packet stack L1, L2, L3, L4) has high per-packet overhead

Slide 12

Recursive Label Swapping

- Root has a single-path service policy for rate limiting
- Any controller has its own local policy or label
- Ingress switch: pop parent label, push local labels
- Egress switch: pop local labels, push parent label

Slide 13

App: Region Optimization and Reconfiguration

- Inter-region handovers increase "east-west" control plane load
  - Require the intervention of three controllers: the source and target leaf controllers, and the ancestor controller
- Regions should be refined to reduce the load
  - Handover patterns vary across time of day; difficult to find static borders
- Design a greedy-iterative approach
  - Priority top to bottom

Slide 14

App: Region Optimization and Reconfiguration

Reconfiguration mechanism for an initiator controller:
- Find the highest-gain gigantic base station
- Contact the management plane
- Management plane finds the leaf controllers
- Seamless control transfer at the leaf using EQUAL ROLE
- Reconfigure logical data planes from the bottom up to the initiator controller

(Figure: root graph before optimization, root graph after optimization, two leaf regions)

Slide 15

Outline

- Review of SDN Wireless Networks
- SDN Middleboxes and NFV
  - Middlebox NFV (Middlebox Virtualization)
  - NFV Use Cases
  - NFV Architecture, Proof-of-Concept Implementation, Monitoring and DPDK
  - Virtualization Optimization: ClickOS
  - Enforcing Network-Wide Policy: FlowTags

Slide 16

The Idealized Network

(Figure: two end hosts with full Physical / Datalink / Network / Transport / Application stacks, connected through intermediate nodes that implement only Physical / Datalink / Network or Physical / Datalink)

Slide 17

A Middlebox World

Carrier-grade NAT, load balancer, DPI, QoE monitor, ad insertion, BRAS, session border controller, transcoder, WAN accelerator, DDoS protection, firewall, IDS

Slide 18

Need for Network Evolution

- New devices
- New applications
- Evolving threats
- Policy constraints
- Performance, security

Slide 19

Network Evolution Today: Middleboxes!

Type of appliance    Number
Firewalls            166
NIDS                 127
Media gateways       110
Load balancers       67
Proxies              66
VPN gateways         45
WAN optimizers       44
Voice gateways       11
Total middleboxes    636
Total routers        ~900

- Data from a large enterprise: >80K users across tens of sites
- Just network security: $10 billion
(Sherry et al., SIGCOMM'12)

Slide 20

There are many middleboxes!

Survey across 57 enterprise networks (Sherry et al., SIGCOMM'12)

Slide 21

Things to keep in mind about middleboxes

- A middlebox is any traffic processing device except for routers and switches.
- Why do we need them? Security, performance
- Deployments of middlebox functionalities:
  - Embedded in switches and routers (e.g., packet filtering)
  - Specialized devices with hardware support for SSL acceleration, DPI, etc.
  - Virtual vs. physical appliances
  - Local (i.e., in-site) vs. remote (i.e., in-the-cloud) deployments
- They can break end-to-end semantics (e.g., load balancing)

Slide 22

Where do middleboxes logically fit in?

(Figure: SDN stack: Applications; App Runtime (control flow, data structures, etc.); Controller Platform; Switch API; Switches)

Slide 23

Hardware Middleboxes - Drawbacks

- Expensive equipment/power costs
- Difficult to add new features (vendor lock-in)
- Difficult to manage
- Cannot be scaled on demand (peak planning)

Slide 24

Outline

- Review of SDN Wireless Networks
- SDN Middleboxes and NFV
  - Middlebox NFV (Middlebox Virtualization)
  - NFV Use Cases
  - NFV Architecture, Proof-of-Concept Implementation, Monitoring and DPDK
  - Virtualization Optimization: ClickOS
  - Enforcing Network-Wide Policy: FlowTags

Slide 25

Middlebox Virtualization

- Virtual network function (VNF): software implementation of a network function capable of running over NFV infrastructure
- Advantages of NFV:
  - Use standard COTS hardware (e.g., high-volume servers, storage), reducing CAPEX and OPEX
  - Fully implement functionality in software, reducing development and deployment cycle times and opening up the R&D market
  - Consolidate equipment types, reducing power consumption
  - Optionally concentrate network functions in datacenters, obtaining further economies of scale and enabling rapid scale-up and scale-down

Slide 26

Potential VNFs

Potential Virtual Network Functions (from the NFV ISG whitepaper):
- Switching elements: Ethernet switch, Broadband Network Gateway, CG-NAT, router
- Mobile network nodes: HLR/HSS, MME, SGSN, GGSN/PDN-GW, RNC, NodeB, eNodeB
- Residential nodes: home router and set-top box functions
- Tunnelling gateway elements: IPsec/SSL VPN gateways
- Traffic analysis: DPI, QoE measurement
- QoS: service assurance, SLA monitoring, test and diagnostics
- NGN signaling: SBCs, IMS
- Converged and network-wide functions: AAA servers, policy control, charging platforms
- Application-level optimization: CDN, cache server, load balancer, application accelerator
- Security functions: firewall, virus scanner, IDS/IPS, spam protection

Slide 27

Potential VNFs (Cont'd)

(Figure only)

Slide 28

Outline

- Review of SDN Wireless Networks
- SDN Middleboxes and NFV
  - Middlebox NFV (Middlebox Virtualization)
  - NFV Use Cases
  - NFV Architecture, Proof-of-Concept Implementation, Monitoring and DPDK
  - Virtualization Optimization: ClickOS
  - Enforcing Network-Wide Policy: FlowTags

Slide 29

NFV Use Cases

- NFV Infrastructure as a Service
- VNF as a Service
- Virtual Network Platform as a Service
- Virtualization of mobile core networks and IMS
- Virtualization of mobile base station
- Virtualization of home environment
- Virtualization of CDN
- Fixed access network function virtualization

Slide 30

NFV Use Case Example

Virtualization of the Evolved Packet Core (cellular core networks)

Slide 31

NFV Use Case Example (Cont'd)

VNF relocation

Slide 32

NFV High Level Architecture

(Figure: the NFV scope covers Virtualized Network Functions (VNFs) running on the NFV Infrastructure (NFVI), whose physical infrastructure (compute, storage, network) is exposed through a virtual infrastructure layer as virtual computing, virtual storage and virtual networking, with NFV Management and Orchestration (MANO) alongside; outside the scope sit OSS/BSS (Operation/Business Support), service end-points (end-users, other services) and other networks)

Slide 33

ETSI NFV Reference Architecture

(Figure: OSS/BSS; VNF 1, VNF 2, VNF 3 with their element management systems EMS 1, EMS 2, EMS 3; NFVI consisting of virtual computing, virtual storage and virtual network on a virtualisation layer over computing, storage and network hardware resources; NFV Management and Orchestration consisting of the Orchestrator, VNF Manager(s) and Virtualised Infrastructure Manager(s), with Service and Infrastructure Requirements feeding the Orchestrator. Reference points shown: Vi-Ha, Vn-Nf, Nf-Vi, Or-Vi, Or-Vnfm, Vnfm-Vi, Ve-Vnfm, Os-Ma, Se-Or; the legend distinguishes execution reference points, main NFV reference points and other reference points)

Slide 34

Implementation of Reference Architecture

(Figure: the ETSI reference architecture of the previous slide, with reference points Vi-Ha, Vn-Nf, Nf-Vi, Or-Vi, Or-Vnfm, Vi-Vnfm, Ve-Vnfm, Os-Ma, Se-Ma and "Service, VNF and Infrastructure Description", annotated with the proof-of-concept components: Service Orchestrator, KVM, ESXi, OpenStack, Intel, Mellanox, NetApp, DPDK, vPE, Red Hat Linux, OpenDaylight, modular L2/3, OVS)

Slide 35

Dell ETSI NFV POC#1 Experiences

(Figure only)

Slide 36

KPI Monitoring and Enforcement

(Figure: a Virtual Network Function (DPDK Rx, VNF-specific processing, Tx) with a management agent (e.g., SNMP) and reporting/querying interfaces, running on QEMU/KVM with CPU pinning controls, on a Linux host OS with the PREEMPT_RT real-time patch, on an Intel Architecture CPU with an Intel 10GbE NIC)

- Interface exposure of MAC/PHY-level counters
- Interface for timestamp on RX
- Interface for timestamp on TX
- Traffic monitoring reports: packet delay variation, drops, uni-directional delays
- Per-subscriber SLA measurement/enforcement provided by the specific VNF (e.g., HQoS)
- Performance monitoring detects and reports violations

Note: these are common utilities that can be used by all VNFs; they are not VNF specific

By: Mike Lynch, John Browne (Intel)

Slide 37

DPDK and Acceleration of Standard Interfaces

Goal: define and implement a common API for data path configuration, control/status and I/O functionality

Terms of reference:
- Existing enterprise platform software interfaces (OS/VMM) are insufficient for evolving application (VNF) performance needs
- Create a performant open-source reference implementation by using DPDK to accelerate these existing standard interfaces/APIs (Sockets, RDMA, OpenSSL, zlib, VirtIO, ...)
- Support multiple accelerated APIs: let VNFs choose which accelerated interface is needed based on VNF requirements
- Over time, this work would evolve to become a new "normalized" OS/VMM data plane API
- Multi-vendor support
  - Support different/multi-vendor NIC and SoC hardware
  - Configuration API for supporting varied/enhanced offload capabilities for the data path in a standardized fashion
- Multiple standardized control/status API choices depending on level of functionality
  - HW offload: various, depending on functionality supported on the NIC
  - Forwarding engines (L3): OpenFlow, OVSDB, ...
  - Netlink, netfilter
  - Need to recommend a subset that can form a baseline

By: Venky Venkatesan, Pranav Mehta (Intel)

Slide 38

Outline

- Review of SDN Wireless Networks
- SDN Middleboxes and NFV
  - Middlebox NFV (Middlebox Virtualization)
  - NFV Use Cases
  - NFV Architecture, Proof-of-Concept Implementation, Monitoring and DPDK
  - Virtualization Optimization: ClickOS
  - Enforcing Network-Wide Policy: FlowTags

Slide 39

Shifting Middlebox Processing to Software

- Can share the same hardware across multiple users/tenants
- Reduced equipment/power costs through consolidation
- Safe to try new features on an operational network/platform
- But can it be built using commodity hardware while still achieving high performance?

ClickOS: a tiny Xen-based virtual machine that runs Click

Slide 40

From Thought to Reality - Requirements

- Fast instantiation: 30 msec boot times
- Small footprint: 5 MB when running
- Isolation: provided by Xen
- Performance: 10 Gb/s line rate (for most packet sizes), 45 μsec delay
- Flexibility: provided by Click

Slide 41

What's ClickOS?

(Figure: a conventional paravirtualized domU runs apps on a guest OS; ClickOS is a paravirtualized domain running Click directly on MiniOS)

Work consisted of:
- Build system to create ClickOS images (5 MB in size)
- Emulating a Click control plane over MiniOS/Xen
- Reducing boot times (roughly 30 milliseconds)
- Optimizations to the data plane (10 Gb/s for almost all packet sizes)
- Implementation of a wide range of middleboxes

Slide 42

Performance Analysis

Packet rates at 10 Gbit/s line rate:

packet size (bytes)   rate
64                    14.88 Mp/s
128                   8.4 Mp/s
256                   4.5 Mp/s
512                   2.3 Mp/s
1024                  1.2 Mp/s
1500                  810 Kp/s

(Figure: packet path between the driver domain (or Dom0: NW driver, OVS, netback, vif) and the ClickOS domain (netfront, Click FromDevice/ToDevice), connected through the Xen bus/store, event channel and Xen ring API (data); measured throughput at the marked points: 300 Kp/s (maximum-sized packets), 350 Kp/s, 225 Kp/s)

Slide 43

Performance Analysis

- (1) Copying packets between guests greatly affects packet I/O: 772 ns
- (2) Packet metadata allocations: ~600 ns
- (3) Backend switch is slow: ~3.4 us
- MiniOS netfront not as good as Linux

(Figure: same driver domain / ClickOS domain packet path as the previous slide, with the three bottlenecks marked)

Slide 44

Optimizing Network I/O - Backend Switch

- Reuse Xen page permissions (frontend)
- Introduce VALE [1] as the backend switch, replacing OVS
- Increase I/O request batch size

(Figure: driver domain (or Dom0) with the NW driver in netmap mode, a VALE port and netback; ClickOS domain with netfront and Click FromDevice/ToDevice; Xen bus/store, event channel and Xen ring API (data) between them)

[1] VALE, a switched ethernet for virtual machines, ACM CoNEXT 2012. Luigi Rizzo, Giuseppe Lettieri, Universita di Pisa

Slide 45

Optimizing Network I/O

(Figure: driver domain (or Dom0) with NW driver, VALE and netback port; ClickOS domain with netfront and Click FromDevice/ToDevice; the Xen ring API (data) is replaced by the netmap API (data), alongside the Xen bus/store and event channel)

- Minimal memory requirements
  - For max. throughput a guest only needs 4 MB of memory
- Breaks other (non-MiniOS) guests
  - But we have implemented a Linux netfront driver

slots   KB (per ring)   # grants (per ring)
64      135             33
128     266             65
256     528             130
512     1056            259
1024    2117            516
2048    4231            1033

Slide 46

ClickOS Prototype Overview

- Click changes are minimal: ~600 LoC
- New toolstack for fast boot times
- Cross-compile toolchain for MiniOS-based apps
- netback changes comprise ~500 LoC
- netfront (Linux/MiniOS) around ~600 LoC
- VALE switch extended to connect NIC ports and modular switching

Slide 47

Experiments

- ClickOS instantiation
- State reading/insertion performance
- Delay compared with other systems
- Memory footprint
- Switch performance for 1+ NICs
- ClickOS/MiniOS performance
- Chaining experiments
- Scalability over multiple guests
- Scalability over multiple NICs
- Implementation and evaluation of middleboxes
- Linux performance

Slide 48

ClickOS Base Performance

- Intel Xeon E1220 4-core 3.2 GHz (Sandy Bridge)
- 16 GB RAM, 1x Intel x520 10 Gb/s NIC
- One CPU core assigned to VMs, the rest to Domain-0
- Linux 3.6.10

(Figure: ClickOS host connected to a measurement box over a 10 Gb/s direct cable)

Slide 49

ClickOS Base TX Performance

(Figure only)

Slide 50

ClickOS (virtualized) Middlebox Performance

(Figure: Host 1 and Host 2 connected to the ClickOS host over two 10 Gb/s direct cables)

- Intel Xeon E1220 4-core 3.2 GHz (Sandy Bridge)
- 16 GB RAM, 2x Intel x520 10 Gb/s NIC
- One CPU core assigned to VMs, 3 CPU cores to Domain-0
- Linux 3.6.10

Slide 51

ClickOS (virtualized) Middlebox Performance

(Figure only)

Slide 52

Linux Guest Performance

Note that our Linux optimizations apply only to netmap-based applications

Slide 53

It's Open Source!

Check out ClickOS, the backend switch, Xen optimizations and more!
- Github ( )
- Tutorials
- Better performance!

Slide 54

Conclusions

- Virtual machines can do flexible high-speed networking
- ClickOS: tailor-made operating system for network processing
- Small is better: low footprint is the key to heavy consolidation
  - Memory footprint: 5 MB
  - Boot time: 30 ms
- Future work:
  - Massive consolidation of VMs (thousands)
  - Improved inter-VM communication for service chaining
  - Reactive VMs (e.g., per-flow)

Slide 55

Outline

- Review of SDN Wireless Networks
- SDN Middleboxes and NFV
  - Middlebox NFV (Middlebox Virtualization)
  - NFV Use Cases
  - NFV Architecture, Proof-of-Concept Implementation, Monitoring and DPDK
  - Virtualization Optimization: ClickOS
  - Enforcing Network-Wide Policy: FlowTags
    - Motivation and High Level Ideas
    - Design and Evaluation

Slide 56

Middleboxes complicate policy enforcement in SDN

(Figure: control apps over the network OS over the data plane; policy, e.g., service chaining, access control; middleboxes in the data plane make dynamic and traffic-dependent modifications, e.g., NATs, proxies)

Slide 57

Modifications → Attribution is hard

(Figure: hosts H1 and H2 attach to switch S1, followed by a NAT, switch S2, a firewall and the Internet)

Policy: block the access of H2 to certain websites.

Slide 58

Dynamic actions → Policy violations

(Figure: hosts H1 and H2 attach to switch S1, followed by a proxy, switch S2, a Web ACL and the Internet)

Web ACL: block H2 → xyz.com

1. H1: Get xyz.com
2. Response (cached by the proxy)
3. H2: Get xyz.com
4. Cached response served by the proxy

Slide 59

FlowTags

FlowTags provides an architectural solution: it enables policy enforcement and diagnosis despite dynamic middlebox actions.

Some candidate (non-)solutions: placement, tunneling, consolidation, correlation
- Address some symptoms but not the root cause: Origin Binding and Paths-Follow-Policy violations

Slide 60

High-level idea

- Middleboxes need to restore SDN tenets
  - Possibly the only option for correctness
- Minimal changes to middleboxes
  - Add missing contextual information as Tags
  - NAT gives IP mappings, proxy provides cache hit/miss info
- FlowTags controller configures tagging logic

Slide 61

FlowTags Architecture

(Figure: control plane: existing control apps (e.g., steering, verification) and new control apps (e.g., policy steering, verification) over the network OS, with the admin supplying middlebox configuration and the FlowTags-enhanced policy; data plane: SDN switches with FlowTables and middleboxes with FlowTags tables; existing APIs (e.g., OpenFlow) reach the switches, FlowTags APIs reach the middleboxes)

Slide 62

FlowTags in Action

(Figure: hosts H1 10.1.1.1 and H2 10.1.1.2 attach to switch S1, followed by a proxy, switch S2 and the Internet; the Web ACL is configured w.r.t. original principals: Block 10.1.1.2 → xyz.com)

Proxy (<SrcIP, CacheHit> → Tag):
  <10.1.1.2, Hit> → 2
Switch (Tag → Fwd):
  2 → S2
Switch (Tag → Fwd):
  2 → ACL
ACL (Tag → OrigSrcIP):
  2 → 10.1.1.2 → DROP
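The scenario on this slide replayed as a small Python model, added here as an example (it is not code from the FlowTags project or from the slides). The hosts, addresses, block rule and tag value are the slide's; the controller, proxy, switch-steering and ACL classes are a constructed simplification, and the cache-hit path that skips the ACL in plain SDN follows the "Dynamic actions → Policy violations" slide.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Web ACL policy from the slide: block H2 (10.1.1.2) from reaching xyz.com.
BLOCK = {("10.1.1.2", "xyz.com")}


@dataclass
class Packet:
    src: str                                   # source IP seen on the wire
    url: str                                   # requested site
    tag: Optional[int] = None                  # FlowTags tag (e.g. IP-ID bits)
    path: List[str] = field(default_factory=list)  # hops, for diagnosis


class FlowTagsController:
    """Owns the Tag <-> context mapping behind Generate Tag / Consume Tag."""

    def __init__(self) -> None:
        self.tags: Dict[int, Tuple[str, bool]] = {}  # tag -> (OrigSrcIP, CacheHit)
        self.next_tag = 1

    def generate_tag(self, orig_src: str, cache_hit: bool) -> int:
        ctx = (orig_src, cache_hit)
        for tag, known in self.tags.items():
            if known == ctx:                   # reuse the tag for this context
                return tag
        tag, self.next_tag = self.next_tag, self.next_tag + 1
        self.tags[tag] = ctx
        return tag

    def consume_tag(self, tag: int) -> Tuple[str, bool]:
        return self.tags[tag]                  # decode Tag -> OrigSrcIP, CacheHit


class Proxy:
    """Caching proxy; with a controller attached it is FlowTags-enhanced."""

    def __init__(self, ctl: Optional[FlowTagsController]) -> None:
        self.cache: Set[str] = set()
        self.ctl = ctl

    def handle(self, pkt: Packet) -> bool:
        hit = pkt.url in self.cache
        pkt.path.append("Proxy:hit" if hit else "Proxy:miss")
        if self.ctl is not None:               # module modification: export
            pkt.tag = self.ctl.generate_tag(pkt.src, hit)  # the hidden context
        return hit


class WebACL:
    """ACL configured w.r.t. original principals (BLOCK)."""

    def __init__(self, ctl: Optional[FlowTagsController]) -> None:
        self.ctl = ctl

    def handle(self, pkt: Packet) -> str:
        orig_src = pkt.src
        if self.ctl is not None and pkt.tag is not None:
            orig_src, _hit = self.ctl.consume_tag(pkt.tag)  # shim restores OrigSrcIP
        verdict = "DROP" if (orig_src, pkt.url) in BLOCK else "ALLOW"
        pkt.path.append(f"ACL:{verdict}")
        return verdict


def run_network(flowtags: bool) -> Dict[str, Tuple[str, Optional[int], List[str]]]:
    """Replay the slide: H1 fetches xyz.com (miss), then H2 asks for it (hit).
    Returns per host: (verdict, tag carried, hops traversed)."""
    ctl = FlowTagsController() if flowtags else None
    proxy, acl = Proxy(ctl), WebACL(ctl)
    results = {}
    for host in ("10.1.1.1", "10.1.1.2"):          # H1 first, then H2
        pkt = Packet(src=host, url="xyz.com")
        hit = proxy.handle(pkt)
        # Switch S2: a cache miss is always steered through the ACL on its way
        # to the Internet. A cached response goes straight back to the host,
        # unless it carries a tag: the FlowTags rule (Tag -> Fwd ACL) sends
        # tagged packets through the ACL first.
        if not hit or pkt.tag is not None:
            pkt.path.append("S2->ACL")
            verdict = acl.handle(pkt)
            if not hit and verdict == "ALLOW":
                proxy.cache.add(pkt.url)           # fetched from the Internet and cached
        else:
            pkt.path.append("S1->host")
            verdict = "ALLOW"                      # ACL never consulted: policy bypass
        results[host] = (verdict, pkt.tag, pkt.path)
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print("FlowTags" if mode else "Plain SDN")
        for host, (verdict, tag, path) in run_network(mode).items():
            print(f"  {host}: tag={tag} verdict={verdict} path={' > '.join(path)}")
```

Without tags the cached response for H2 never reaches the ACL, so the block rule is silently bypassed; with tags the proxy exports <10.1.1.2, Hit> as tag 2, S2 steers it to the ACL, and the ACL decodes the original principal and drops it.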

Slide 63

Outline

- Review of SDN Wireless Networks
- SDN Middleboxes and NFV
  - Middlebox NFV (Middlebox Virtualization)
  - NFV Use Cases
  - NFV Architecture, Proof-of-Concept Implementation, Monitoring and DPDK
  - Virtualization Optimization: ClickOS
  - Enforcing Network-Wide Policy: FlowTags
    - Motivation and High Level Ideas
    - Design and Evaluation

Slide 64

Challenge 1: Tag Semantics

(Figure: control plane: FlowTags-enhanced SDN controller; data plane: H1 10.1.1.1 and H2 10.1.1.2 attach to S1, followed by the proxy (Add Tag), S2, the Web ACL (Decode Tag) and the Internet; the switches perform Tag → Forward)

Slide 65

Challenge 2: New APIs, control apps

(Figure: same FlowTags-enhanced controller and data plane as Challenge 1)

Slide 66

Challenge 3: Middlebox Extensions

(Figure: same FlowTags-enhanced controller and data plane as Challenge 1)

Slide 67

FlowTags Design

- Tag semantics
- Controller and APIs
- Middlebox modification

Slide 68

Semantics: Dynamic Policy Graph (DPG)

(Figure: physical topology: H1, H2, S1, proxy, S2, Internet, with Web ACL: Block H2 → xyz.com. DPG nodes: H1, H2, Proxy, ACL, Internet, Drop. Edge labels have the form {hosts}; condition: {H1}; -, {H2}; -, {H1}; Miss, {H1}; Hit, {H2}; Miss, {H2}; Hit, {H2}; <Allowed,Miss>, {H2}; <Allowed,Hit>, {H2}; Blocked)

Slide 69

Semantics: Dynamic Policy Graph (DPG)

Intuitively, need a Tag <per flow, per edge> in the DPG

(Figure: same DPG as the previous slide)

Slide 70

FlowTags APIs

(Figure: the FlowTags-enhanced SDN controller speaks OpenFlow to switches S1 and S2 and the FlowTags APIs (Generate Tag / Consume Tag) to the proxy and the Web ACL; hosts H1 10.1.1.1 and H2 10.1.1.2)

Proxy, Generate Tag (<SrcIP, CacheHit> → Tag):
  <10.1.1.2, Hit> → 2
Switch (Tag → Fwd):
  2 → S2
Switch (Tag → Fwd):
  2 → ACL
Web ACL, Consume Tag (Tag → OrigSrcIP):
  2 → 10.1.1.2

Slide 71

FlowTags-enhanced Controller

(Figure: the controller maps the policy DPG to its physical realization over switches S1, S2, S3, S4)

- Reactive
- Middlebox event handlers: tag generate and consume
- Switch event handlers: flow expiry, flow rules

Slide 72

Middlebox extension strategies to add FlowTags support

Strategy 1: Packet Rewriting
- Light-weight packet-rewriting shims on the input and output traffic of the middlebox; its internal modules are untouched
- Pro: one shot
- Con: hard to get internal context

Slide 73

Middlebox extension strategies to add FlowTags support

Strategy 2: Module Modification
- Modify the middlebox's internal modules
- Pro: suited for getting internal context
- Con: more change is needed

Slide 74

Middlebox extension strategies to add FlowTags support

Our strategy:
- Packet rewriting for tag consumption
- Module modification for tag generation

(Figure: middlebox with a shim for tag consumption and a modified internal module for tag generation, between input and output traffic)

Slide 75

Key evaluation questions

- Feasibility of middlebox modification
- FlowTags overhead
- Number of tag bits
- New capabilities

Slide 76

FlowTags needs minimal middlebox modifications

Middlebox   Total LOC   Modified LOC
Squid       216,000     75
Snort       336,000     45
Balance     2,000       60
iptables    42,000      55
PRADS       15,000      25

Slide 77

FlowTags adds low overhead

(Figure: breakdown of flow processing time (ms), 0 to 1.4 ms, into controller processing, middlebox tag processing and switch setup, for topologies with increasing numbers of PoPs: Abilene (11), Geant (22), Telstra (44), Sprint (52), Verizon (70), AT&T (115))

Slide 78

Summary of other results

- Adds < 1% overhead to middlebox processing
- Tags can be encoded in ~15 bits
  - E.g., IP-ID, IPv6 FlowLabel, encapsulation headers (NVP)
- Can enable new capabilities
  - Extended header space analysis
  - Diagnosing network bottlenecks

Slide 79

Conclusions

- Middleboxes complicate enforcement
  - E.g., NAT/LB rewrite headers, proxy sends cached response
  - Root cause: violation of the SDN tenets Origin Binding and Paths-Follow-Policy
- FlowTags extends SDN with new middlebox APIs
  - Restores the tenets using the new DPG abstraction
  - No changes to switches and switch APIs
- FlowTags is practical
  - Minimal middlebox changes, low overhead
  - An enabler for verification, testing, and diagnosis