Slide 1: Software Defined Networking, COMS 6998-10, Fall 2014
Instructor: Li Erran Li (lierranli@cs.columbia.edu)
http://www.cs.columbia.edu/~lierranli/coms6998-10SDNFall2014/
11/24/2014: SDN Middleboxes and NFV

Slide 2: Outline
- Review of SDN Wireless Networks
- SDN Middleboxes and NFV
  - Middlebox NFV (Middlebox Virtualization)
  - NFV Use Cases
  - NFV Architecture, Proof-of-Concept Implementation, Monitoring and DPDK
  - Virtualization Optimization: ClickOS
  - Enforcing Network-Wide Policy: FlowTags
11/24/14 Software Defined Networking (COMS 6998-10)

Slide 3: Mobile WANs Problems
- Suboptimal routing in large carriers
  - Lack of a sufficiently close PGW is a major cause of path inflation (Path Inflation, PAM'14)
- Lack of support for seamless inter-region mobility
  - No inter-PGW mobility support (DMM, Zuniga et al., 2013)
- Scalability and reliability
  - Centralized policy enforcement
  - Ill-suited to adapt to new trends of mobile traffic
  - Signaling storm problem

Slide 4: What is SoftMoW?
- Clean-slate architecture of cellular WANs
- Scalable control plane and data plane
  - Millions of UEs and hundreds of thousands of BSs
- Performs new global applications
  - Runs region optimization
  - Supports seamless mobility
  - Enables optimal end-to-end paths

Slide 5: SoftMoW Overview
- Controller: enforces service policies and runs new apps
- Core networks: inter-connected SDN switches nationwide
  - Sufficient egress points per region to avoid path inflation
- Radio networks: organized into base station groups
  - Fine-grained classifier access switch attached to each BS
- Service policies: middleboxes placed in edge networks
  - Any sophisticated network functions, e.g., billing and noise cancelation
(Figure: SoftMoW architecture overview)

Slide 6: SoftMoW Challenges
- Distributed control plane
  - Recursively build up a hierarchical and reconfigurable control plane
- Path setup
  - Keep per-packet overhead minimal on recursive abstractions
- Topology discovery
  - Cross-region links are visible to only a non-leaf controller
- Global applications
  - Optimization without a global network state at each controller

Slide 7: Recursive and Reconfigurable Control Plane
- Recursively partition the data plane network into logical regions and assign each to a control node
- Recursively expose: Gigantic Switch (G-switch), Gigantic Middlebox (G-middlebox), Gigantic Base Station (G-BS)
- Reconfiguration: each non-leaf controller can reconfigure logical entities
  - Optimize hierarchy and data plane operations without a global state

Slide 8: SoftMoW Controller Architecture
- Network operating system
  - Agnostic of cell apps
- Operator apps
  - E.g., region optimization, HSS, PCRF
- Recursive abstraction app
  - Eastbound API for operator apps
  - Agent communicates with a parent
  - Exposes G-switches, G-BSes, G-middleboxes
- Management plane
  - Bootstraps the recursive control plane, e.g., IP assignment, tree configuration

Slide 9: Core Service: Topology Discovery
- Scalable and fast link and switch detection
- Two challenges:
  - Inter-region links visible to only a non-leaf controller
  - Leaf controllers with direct control
- Parallel-sequential periodical protocol:
  - G-switch discovery
  - Inter-G-switch link discovery
  - Abstract G-switch computation
(Figure: controller hierarchy with C0 above leaf controllers C1 and C2; the physical switches SW1, SW2 (under C1) and SW3, SW4 (under C2) are exposed to C0 as G-switches GS1 and GS2)

Slide 10: Core Service: Topology Discovery
- Discovery message:
  - Metadata field: properties of the traversed physical
  - Stack field: stores the traversed path
  - Format: (Controller ID, G-switch ID, G-switch port)
(Figure: stack contents of the discovery message (payload) as it traverses the C0/C1/C2 hierarchy: (1) (C0, GS1, p1); (2) (C0, GS1, p1), (C1, SW2, p2); (3) (C0, GS1, p1), (C1, SW2, p2), (SW3, p3); (4) (C0, GS1, p1), (GS2, p4). The leaf entries are replaced by the G-switch port of the receiving region, so C0 learns the inter-G-switch link GS1:p1 to GS2:p4.)
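The stack mechanics of the slide, as an added example that is not SoftMoW's code: a two-level hierarchy in which the root C0 initiates a discovery message on a G-switch port, the leaf C1 resolves that port to a physical border port and pushes its own entry, the message crosses the inter-region link (modelled here as a dictionary standing in for the wire), and the leaf C2 replaces the leaf-level entries with the G-switch port the root can see. Controller, switch and port names follow the figure; the single link, the two-level tree and the message layout are constructed for this example.

```python
# Added example (not SoftMoW's code): a model of the recursive topology
# discovery message from the slide. Stack entries use the slide's format
# (Controller ID, G-switch ID, G-switch port); controllers C0/C1/C2, switches,
# ports and the single inter-region link are constructed for this example.


class LeafController:
    """Owns physical switches and exposes its region to the parent as one
    G-switch; border_ports maps each G-switch port to the physical port behind it."""

    def __init__(self, cid, gswitch, switches, border_ports):
        self.cid = cid
        self.gswitch = gswitch
        self.switches = set(switches)
        self.down = dict(border_ports)                     # gport -> (switch, port)
        self.up = {v: k for k, v in border_ports.items()}  # (switch, port) -> gport

    def emit(self, msg):
        """Descending: resolve the parent's (gswitch, gport) to a physical border
        port, push this controller's own entry and hand the message to the wire."""
        _, gswitch, gport = msg["stack"][-1]
        assert gswitch == self.gswitch
        sw, port = self.down[gport]
        msg["stack"].append((self.cid, sw, port))
        return sw, port

    def abstract(self, msg, sw, port):
        """Ascending: the message arrived on one of our physical border ports.
        Replace every entry below the root's (this example has two levels) with
        the G-switch port the parent can reason about."""
        while len(msg["stack"]) > 1:
            msg["stack"].pop()
        msg["stack"].append((self.gswitch, self.up[(sw, port)]))


class NonLeafController:
    """Root C0: sees only G-switches and learns the links between them."""

    def __init__(self, cid, children, wire):
        self.cid = cid
        self.children = {c.gswitch: c for c in children}
        self.wire = wire            # physical link: (switch, port) -> (switch, port)
        self.links = set()

    def owner_of(self, sw):
        return next(c for c in self.children.values() if sw in c.switches)

    def discover(self, gswitch, gport):
        msg = {"meta": {"traversed": []}, "stack": [(self.cid, gswitch, gport)]}
        trace = [list(msg["stack"])]                           # (1)
        sw, port = self.children[gswitch].emit(msg)
        trace.append(list(msg["stack"]))                       # (2)
        peer_sw, peer_port = self.wire[(sw, port)]             # crosses the region border
        msg["meta"]["traversed"].append(((sw, port), (peer_sw, peer_port)))
        msg["stack"].append((peer_sw, peer_port))              # packet-in at the far switch
        trace.append(list(msg["stack"]))                       # (3)
        self.owner_of(peer_sw).abstract(msg, peer_sw, peer_port)
        trace.append(list(msg["stack"]))                       # (4)
        far = msg["stack"].pop()                               # (GS2, p4)
        _, near_gs, near_port = msg["stack"].pop()             # our own entry
        link = ((near_gs, near_port), far)
        self.links.add(link)
        return link, trace


def build_example():
    """Constructed topology matching the figure: SW2:p2 is wired to SW3:p3."""
    c1 = LeafController("C1", "GS1", ["SW1", "SW2"], {"p1": ("SW2", "p2")})
    c2 = LeafController("C2", "GS2", ["SW3", "SW4"], {"p4": ("SW3", "p3")})
    wire = {("SW2", "p2"): ("SW3", "p3"), ("SW3", "p3"): ("SW2", "p2")}
    c0 = NonLeafController("C0", [c1, c2], wire)
    return c0.discover("GS1", "p1")


if __name__ == "__main__":
    link, trace = build_example()
    for step, stack in enumerate(trace, 1):
        print(f"({step}) {stack}")
    print("C0 learned inter-G-switch link:", link)
```

The four snapshots of `trace` reproduce the stack contents drawn on the slide at steps (1) to (4). Only C0 ends up holding the GS1:p1 to GS2:p4 link; C1 and C2 each see just their own physical border port, which is the point of the first challenge on the previous slide.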
Slide 11: Core Service: Path Setup
- Access switches perform fine-grained packet classification
- Goal 1: each controller should be able to make local decisions
- Goal 2: decisions made by an ancestor controller should be visible across links it discovers
- Simple solution: label stacking (a per-packet stack L1, L2, L3, L4) has high per-packet overhead

Slide 12: Recursive Label Swapping
- Root has a single-path service policy for rate limiting
- Any controller has its own local policy or label
- Ingress switch: pop parent label, push local labels
- Egress switch: pop local labels, push parent label
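The ingress/egress rules above, as an added example that is not SoftMoW's code, run against plain label stacking on the same path so the per-packet overhead of the two schemes can be compared. The three-level hierarchy (root above P1 above leaves A and B), the label names and the event sequence are constructed; the root's label stands for its single-path rate-limiting policy.

```python
# Added example (not SoftMoW's code): recursive label swapping versus label
# stacking for a flow that enters the network in leaf region A and leaves
# through leaf region B, both children of P1, which is a child of the root.
# Region names, labels and the event sequence are constructed for this example.


class Region:
    """One logical region; its controller owns one local label that only the
    switches of this region need to understand."""

    def __init__(self, name, label, parent=None):
        self.name, self.label, self.parent = name, label, parent


ROOT = Region("root", "L_root_ratelimit")   # root's single-path policy
P1 = Region("P1", "L_P1", ROOT)
A = Region("A", "L_A", P1)
B = Region("B", "L_B", P1)

# (switch role, region) events seen by the packet along its path.
PATH = [("ingress", ROOT), ("ingress", P1), ("ingress", A), ("egress", A),
        ("ingress", B), ("egress", B), ("egress", P1), ("egress", ROOT)]


def step_stacking(stack, role, region):
    """Plain stacking: every level adds its label on top of its ancestors'."""
    if role == "ingress":
        stack.append(region.label)
    else:
        assert stack.pop() == region.label


def step_swapping(stack, role, region):
    """Recursive swapping as on the slide: ingress pops the parent label and
    pushes the local one; egress pops the local label and restores the parent's."""
    if role == "ingress":
        if region.parent is not None:
            assert stack.pop() == region.parent.label   # parent's decision selected us
        stack.append(region.label)
    else:
        assert stack.pop() == region.label
        if region.parent is not None:
            stack.append(region.parent.label)           # hand back to the parent's policy


def run(path, step):
    """Return the deepest label stack seen and a snapshot after every event."""
    stack, snapshots, deepest = [], [], 0
    for role, region in path:
        step(stack, role, region)
        snapshots.append((region.name, role, list(stack)))
        deepest = max(deepest, len(stack))
    return deepest, snapshots


if __name__ == "__main__":
    for name, step in (("stacking", step_stacking), ("swapping", step_swapping)):
        deepest, snapshots = run(PATH, step)
        print(f"{name}: max labels on a packet = {deepest}")
        for region, role, stack in snapshots:
            print(f"  {region:>4} {role:7} {stack}")
```

With stacking the packet carries one label per level of the hierarchy (three here); with swapping it never carries more than the current region's label, and on the link between A and B it carries P1's label, which is exactly what Goal 2 on the previous slide asks for: the ancestor's decision stays visible across the link the ancestor discovered, while each region's switches only ever match on labels they own.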
Slide 13: App: Region Optimization and Reconfiguration
- Inter-region handovers increase "east-west" control plane load
  - Require the intervention of three controllers: the source and target leaf controllers, and the ancestor controller
- Regions should be refined to reduce the load
  - Handover patterns vary across time of day; difficult to find static borders
- Design a greedy-iterative approach
  - Priority top to bottom

Slide 14: App: Region Optimization and Reconfiguration
Reconfiguration mechanism for an initiator controller:
- Find the highest-gain gigantic base station
- Contact the management plane
- Management plane finds the leaf controllers
- Seamless control transfer at the leaf using EQUAL ROLE
- Reconfigure logical data planes from bottom up to the initiator controller
(Figure: root graph before and after optimization, with two leaf regions)

Slide 15: Outline (section divider; continues with SDN Middleboxes and NFV: Middlebox NFV)

Slide 16: The Idealized Network
(Figure: two end hosts with full stacks (Physical, Datalink, Network, Transport, Application) connected through a router that implements only Physical, Datalink and Network and a switch that implements only Physical and Datalink)

Slide 17: A Middlebox World
(Figure: middleboxes found between the end hosts of a real network: carrier-grade NAT, load balancer, DPI, QoE monitor, ad insertion, BRAS, session border controller, transcoder, WAN accelerator, DDoS protection, firewall, IDS)

Slide 18: Need for Network Evolution
(Figure: drivers of network evolution: new devices, new applications, evolving threats, policy constraints; goals: performance, security)

Slide 19: Network Evolution today: Middleboxes!
Data from a large enterprise: >80K users across tens of sites (Sherry et al., SIGCOMM'12)

Type of appliance    Number
Firewalls            166
NIDS                 127
Media gateways       110
Load balancers       67
Proxies              66
VPN gateways         45
WAN optimizers       44
Voice gateways       11
Total middleboxes    636
Total routers        ~900

Just network security: $10 billion

Slide 20: There are many middleboxes!
Survey across 57 enterprise networks (Sherry et al., SIGCOMM'12) (figure only)

Slide 21: Things to keep in mind about middleboxes
- A middlebox is any traffic processing device except for routers and switches.
- Why do we need them? Security, performance
- Deployments of middlebox functionalities:
  - Embedded in switches and routers (e.g., packet filtering)
  - Specialized devices with hardware support for SSL acceleration, DPI, etc.
  - Virtual vs. physical appliances
  - Local (i.e., in-site) vs. remote (i.e., in-the-cloud) deployments
- They can break end-to-end semantics (e.g., load balancing)

Slide 22: Where do middleboxes logically fit in?
(Figure: the SDN stack: applications (control flow, data structures, etc.) running on the controller platform/app runtime, the switch API, and the switches)

Slide 23: Hardware Middleboxes - Drawbacks
- Expensive equipment/power costs
- Difficult to add new features (vendor lock-in)
- Difficult to manage
- Cannot be scaled on demand (peak planning)

Slide 24: Outline (section divider; continues with Middlebox NFV (Middlebox Virtualization))

Slide 25: Middlebox Virtualization
- Virtual network function (VNF): software implementation of a network function capable of running over NFV infrastructure
- Advantages of NFV
  - Use standard COTS hardware (e.g., high-volume servers, storage): reduces CAPEX and OPEX
  - Fully implement functionality in software: reduces development and deployment cycle times, opening up the R&D market
  - Consolidate equipment types: reduces power consumption
  - Optionally concentrate network functions in datacenters: obtains further economies of scale and enables rapid scale-up and scale-down

Slide 26: Potential VNFs
Potential Virtual Network Functions (from NFV ISG whitepaper)
- Switching elements: Ethernet switch, Broadband Network Gateway, CG-NAT, router
- Mobile network nodes: HLR/HSS, MME, SGSN, GGSN/PDN-GW, RNC, NodeB, eNodeB
- Residential nodes: home router and set-top box functions
- Tunnelling gateway elements: IPSec/SSL VPN gateways
- Traffic analysis: DPI, QoE measurement
- QoS: service assurance, SLA monitoring, test and diagnostics
- NGN signaling: SBCs, IMS
- Converged and network-wide functions: AAA servers, policy control, charging platforms
- Application-level optimization: CDN, cache server, load balancer, application accelerator
- Security functions: firewall, virus scanner, IDS/IPS, spam protection

Slide 27: Potential VNFs (Cont'd)
(Figure only)

Slide 28: Outline (section divider; continues with NFV Use Cases)

Slide 29: NFV Use Cases
- NFV Infrastructure as a Service
- VNF as a Service
- Virtual Network Platform as a Service
- Virtualization of mobile core networks and IMS
- Virtualization of mobile base station
- Virtualization of home environment
- Virtualization of CDN
- Fixed access network function virtualization

Slide 30: NFV Use Case Example
Virtualization of Evolved Packet Core (cellular core networks) (figure only)

Slide 31: NFV Use Case Example (Cont'd)
VNF relocation (figure only)

Slide 32: NFV High Level Architecture
(Figure: Virtualized Network Functions (VNFs) run on the NFV Infrastructure (NFVI), which consists of the physical infrastructure (compute, storage, network) and the virtual infrastructure above it (virtual computing, virtual storage, virtual networking). NFV Management and Orchestration (MANO) spans both VNFs and NFVI. Outside the NFV scope: OSS/BSS (operation/business support), service end-points (end-users, other services) and other networks.)

Slide 33: ETSI NFV Reference Architecture
(Figure: ETSI NFV reference architecture. NFVI: computing, storage and network hardware (hardware resources), a virtualisation layer, and virtual computing, virtual storage and virtual network above it. VNF 1, VNF 2 and VNF 3, each with its element management system (EMS 1, EMS 2, EMS 3); OSS/BSS above them. NFV Management and Orchestration: Orchestrator, VNF Manager(s) and Virtualised Infrastructure Manager(s); Service and Infrastructure Requirements feed the Orchestrator. Reference points: Os-Ma, Se-Or, Ve-Vnfm, Or-Vnfm, Or-Vi, Vnfm-Vi, Nf-Vi, Vn-Nf, Vi-Ha. The legend distinguishes execution reference points, main NFV reference points and other reference points.)

Slide 34: Implementation of Reference Architecture
(Figure: the same reference architecture annotated with the components used in the proof of concept: a Service Orchestrator driven by the Service, VNF and Infrastructure Description; OpenStack as the Virtualised Infrastructure Manager; KVM and ESXi as the virtualisation layer; Intel, Mellanox and NetApps hardware; DPDK; vPE as the VNF; Red Hat Linux; OpenDaylight; a modular L2/3 function; OVS. Reference points: Os-Ma, Se-Ma, Ve-Vnfm, Or-Vnfm, Vi-Vnfm, Or-Vi, Nf-Vi, Vn-Nf, Vi-Ha.)

Slide 35: Dell ETSI NFV POC#1 experiences
(Figure only)

Slide 36: KPI Monitoring and Enforcement
(Figure: monitoring stack for a Virtual Network Function on an Intel Architecture CPU with an Intel 10GbE NIC. Software side: host OS (Linux) enabled with virtualization, QEMU/KVM, CPU pinning controls, real-time patch PREEMPT_RT, DPDK. The VNF itself consists of Rx, VNF-specific processing and Tx stages plus a management agent (e.g. SNMP) with reporting/querying interfaces.)
Common utilities, numbered 1 to 3 in the figure:
- Interface exposure of MAC/PHY level counters; interface for timestamp on RX; interface for timestamp on TX
- Traffic monitoring reports: packet delay variation, drops, uni-directional delays
- Performance monitoring: detects and reports violations; per-subscriber SLA measurement/enforcement is provided by the specific VNF (e.g. HQoS)
Note: these are common utilities that can be used by all VNFs; they are not VNF specific.
By: Mike Lynch, John Browne (Intel)

Slide 37: DPDK and Acceleration of Standard Interfaces
Goal: define and implement a common API for data path configuration, control/status and I/O functionality
Terms of reference:
- Existing enterprise platform software interfaces (OS/VMM) are insufficient for evolving application (VNF) performance needs
- Create a performant open-source reference implementation by using DPDK to accelerate these existing standard interfaces/APIs (Sockets, RDMA, OpenSSL, zLib, VirtIO, ...)
- Support multiple accelerated APIs: let VNFs choose which accelerated interface is needed based on VNF requirements
- Over time, this work would evolve to become a new "normalized" OS/VMM data plane API
- Multi-vendor support
  - Support different/multi-vendor NIC and SoC hardware
  - Configuration API for supporting varied/enhanced offload capabilities for the data path in a standardized fashion
- Multiple standardized control/status API choices depending on level of functionality
  - HW offload: varies depending on the functionality supported on the NIC
  - Forwarding engines (L3): OpenFlow, OVSDB, ...
  - Netlink, netfilter
  - Need to recommend a subset that can form a baseline
By: Venky Venkatesan, Pranav Mehta (Intel)

Slide 38: Outline (section divider; continues with Virtualization Optimization: ClickOS)

Slide 39: Shifting Middlebox Processing to Software
- Can share the same hardware across multiple users/tenants
- Reduced equipment/power costs through consolidation
- Safe to try new features on an operational network/platform
- But can it be built using commodity hardware while still achieving high performance?
- ClickOS: tiny Xen-based virtual machine that runs Click

Slide 40: From Thought to Reality - Requirements
- Fast instantiation: 30 msec boot times (ClickOS)
- Small footprint: 5 MB when running (ClickOS)
- Isolation: provided by Xen
- Performance: 10 Gb/s line rate*, 45 μsec delay (* for most packet sizes)
- Flexibility: provided by Click

Slide 41: What's ClickOS?
(Figure: a conventional domU runs paravirtualized apps on a guest OS; ClickOS runs Click on a paravirtualized MiniOS)
Work consisted of:
- Build system to create ClickOS images (5 MB in size)
- Emulating a Click control plane over MiniOS/Xen
- Reducing boot times (roughly 30 milliseconds)
- Optimizations to the data plane (10 Gb/s for almost all packet sizes)
- Implementation of a wide range of middleboxes

Slide 42: Performance analysis
Packet rate needed for 10 Gbit/s line rate:
packet size (bytes)   10 Gbit/s rate
64                    14.88 Mp/s
128                   8.4 Mp/s
256                   4.5 Mp/s
512                   2.3 Mp/s
1024                  1.2 Mp/s
1500                  810 Kp/s
(Figure: packet path from the NW driver and OVS in the Driver Domain (Dom0) through a vif and netback, the Xen ring API (data), event channel and Xen bus/store, to netfront in the ClickOS Domain and Click's FromDevice/ToDevice elements. Measured rates along the unoptimized path: 300* Kp/s, 350 Kp/s and 225 Kp/s (* maximum-sized packets).)
Slide 43: Performance analysis
- Copying packets between guests greatly affects packet I/O
  - (1) Packet metadata allocations
  - (2) Backend switch is slow
  - (3) MiniOS netfront not as good as Linux netfront
(Figure: the same Dom0 (NW driver, OVS, vif, netback) to ClickOS Domain (netfront, Click FromDevice/ToDevice) path over the Xen ring API, event channel and Xen bus/store, with the per-packet costs marked: 772 ns at (1), ~600 ns at (2), ~3.4 us at (3))
Slide 44: Optimizing Network I/O – Backend Switch
- Reuse Xen page permissions (frontend)
- Introduce VALE [1] as the backend switch (shown in the figure in place of OVS)
- Increase I/O request batch size
(Figure: Driver Domain (Dom0) with the NW driver in netmap mode connected to a VALE port and netback, then the Xen ring API (data), event channel and Xen bus/store, to netfront in the ClickOS Domain and Click's FromDevice/ToDevice)
[1] VALE, a switched ethernet for virtual machines, Luigi Rizzo and Giuseppe Lettieri, Università di Pisa, ACM CoNEXT 2012

Slide 45: Optimizing Network I/O
- Minimal memory requirements: for max. throughput a guest only needs 4 MB of memory
- Breaks other (non-MiniOS) guests, but we have implemented a Linux netfront driver
(Figure: netback in the Driver Domain (Dom0) exposes the Netmap API (data) over the Xen ring API, event channel and Xen bus/store to netfront in the ClickOS Domain, feeding Click's FromDevice/ToDevice)
Ring memory by ring size:
slots   KB (per ring)   # grants (per ring)
64      135             33
128     266             65
256     528             130
512     1056            259
1024    2117            516
2048    4231            1033

Slide 46: ClickOS Prototype Overview
- Click changes are minimal, ~600 LoC
- New toolstack for fast boot times
- Cross-compile toolchain for MiniOS-based apps
- netback changes comprise ~500 LoC
- netfront (Linux/MiniOS) around ~600 LoC
- VALE switch extended to connect NIC ports and modular switching

Slide 47: Experiments
- ClickOS instantiation
- State reading/insertion performance
- Delay compared with other systems
- Memory footprint
- Switch performance for 1+ NICs
- ClickOS/MiniOS performance
- Chaining experiments
- Scalability over multiple guests
- Scalability over multiple NICs
- Implementation and evaluation of middleboxes
- Linux performance

Slide 48: ClickOS Base Performance
Testbed: Intel Xeon E1220 4-core 3.2 GHz (Sandy Bridge), 16 GB RAM, 1x Intel x520 10 Gb/s NIC. One CPU core assigned to VMs, the rest to Domain-0. Linux 3.6.10. The ClickOS box is connected to a measurement box by a 10 Gb/s direct cable.

Slide 49: ClickOS Base TX Performance
(Figure only)

Slide 50: ClickOS (virtualized) Middlebox Performance
Testbed: Host 1 and Host 2 each connected to the ClickOS box by a 10 Gb/s direct cable. Intel Xeon E1220 4-core 3.2 GHz (Sandy Bridge), 16 GB RAM, 2x Intel x520 10 Gb/s NIC. One CPU core assigned to VMs, 3 CPU cores to Domain-0. Linux 3.6.10.

Slide 51: ClickOS (virtualized) Middlebox Performance
(Figure only)

Slide 52: Linux Guest Performance
Note that our Linux optimizations apply only to netmap-based applications (figure only)

Slide 53: It's Open Source!
- Check out ClickOS, the backend switch, Xen optimizations and more!
- Github
- Tutorials
- Better performance!

Slide 54: Conclusions
- Virtual machines can do flexible high-speed networking
- ClickOS: tailor-made operating system for network processing
- Small is better: low footprint is the key to heavy consolidation
  - Memory footprint: 5 MB
  - Boot time: 30 ms
- Future work:
  - Massive consolidation of VMs (thousands)
  - Improved inter-VM communication for service chaining
  - Reactive VMs (e.g., per-flow)

Slide 55: Outline (section divider; continues with Enforcing Network-Wide Policy: FlowTags, Motivation and High Level Ideas)

Slide 56: Middleboxes complicate policy enforcement in SDN
(Figure: control apps on top of the Network OS on top of the data plane. Policy, e.g., service chaining, access control. Middleboxes make dynamic and traffic-dependent modifications, e.g., NATs, proxies.)

Slide 57: Modification attribution is hard
(Figure: hosts H1 and H2, switches S1 and S2, a firewall and a NAT on the path to the Internet. Policy: block the access of H2 to certain websites. Once the NAT has rewritten the source address, the firewall can no longer attribute the packets to H2.)

Slide 58: Dynamic actions: policy violations
(Figure: H1 and H2 connect through S1 to a proxy, then S2 and the Web ACL to the Internet. Web ACL: block H2 from xyz.com. Sequence: 1. H1 gets xyz.com; 2. response, cached by the proxy; 3. H2 gets xyz.com; 4. cached response. The proxy serves H2 from its cache, so the ACL never sees H2's request and the policy is violated.)

Slide 59: FlowTags
- FlowTags provides an architectural solution: enables policy enforcement and diagnosis despite dynamic middlebox actions
- Some candidate (non-)solutions: placement, tunneling, consolidation, correlation
  - Address some symptoms but not the root cause
- Origin Binding and Paths-Follow-Policy violations

Slide 60: High-level idea
- Middleboxes need to restore SDN tenets
  - Possibly the only option for correctness
- Minimal changes to middleboxes
  - Add missing contextual information as Tags
  - NAT gives IP mappings, proxy provides cache hit/miss info
- FlowTags controller configures tagging logic

Slide 61: FlowTags architecture
(Figure: control plane: the admin supplies a FlowTags-enhanced policy and Mbox config to the Network OS; existing control apps (e.g., steering, verification) and new control apps (e.g., policy steering, verification). Data plane: SDN switches with FlowTables, programmed through existing APIs, e.g., OpenFlow; middleboxes with FlowTags tables, programmed through the FlowTags APIs.)

Slide 62: FlowTags in action
Web ACL: block 10.1.1.2 from xyz.com (config w.r.t. original principals)
(Figure: H1 (10.1.1.1) and H2 (10.1.1.2) connect through S1 to the proxy, then S2 and the ACL to the Internet. H2 requests xyz.com. Proxy: <SrcIP, CacheHit> = <10.1.1.2, Hit> maps to Tag 2. S2: Tag 2, Fwd. ACL: Tag 2 maps to OrigSrcIP 10.1.1.2, action DROP.)
Slide 63: Outline (section divider; continues with Enforcing Network-Wide Policy: FlowTags, Design and Evaluation)

Slide 64: Challenge 1: Tag Semantics
(Figure: FlowTags-enhanced SDN controller in the control plane; in the data plane H1 (10.1.1.1) and H2 (10.1.1.2), S1, the proxy, S2, the Web ACL and the Internet. The proxy adds a tag, S1 and S2 forward on the tag, the ACL decodes the tag.)

Slide 65: Challenge 2: New APIs, control apps
(Same figure)

Slide 66: Challenge 3: Middlebox Extensions
(Same figure)

Slide 67: FlowTags Design
- Tag semantics
- Controller and APIs
- Middlebox modification

Slide 68: Semantics: Dynamic Policy Graph (DPG)
Web ACL: block H2 from xyz.com
(Figure: the network (H1, H2, S1, Proxy, S2, Internet) and its Dynamic Policy Graph with nodes H1, H2, Proxy, ACL, Internet and Drop. Each edge is labelled {origin hosts}; condition:
  H1 to Proxy: {H1}; -
  H2 to Proxy: {H2}; -
  Proxy to ACL: {H2}; Hit and {H2}; Miss
  Proxy to Internet: {H1}; Miss
  Proxy to H1: {H1}; Hit
  ACL to Internet: {H2}; <Allowed, Miss>
  ACL to H2: {H2}; <Allowed, Hit>
  ACL to Drop: {H2}; Blocked)

Slide 69: Semantics: Dynamic Policy Graph (DPG)
Intuitively, need a Tag per flow, per edge in the DPG
(Same figure)

Slide 70: FlowTags APIs
(Figure: the FlowTags-enhanced SDN controller speaks OpenFlow to S1 and S2 and FlowTags to the proxy (Generate Tag) and the Web ACL (Consume Tag). For H2's (10.1.1.2) flow: the proxy's generate table maps <SrcIP, CacheHit> = <10.1.1.2, Hit> to Tag 2; S2's rule is Tag 2, Fwd; the ACL's consume table maps Tag 2 to OrigSrcIP 10.1.1.2.)
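The proxy/Web-ACL scenario of the "FlowTags in action" slide, the per-edge tags of the DPG slides and the Generate/Consume Tag APIs of this slide, as one added example that is not FlowTags' own code. A FlowTags-enhanced controller hands out one tag per (origin host, cache hit/miss) pair, installs the generate rule at the proxy, a tag-forwarding rule at S2 taken from the DPG edge, and the consume rule at the ACL; the same requests are then run without tags to show the policy violation. Addresses 10.1.1.1 and 10.1.1.2 and the DPG edges are from the slides; the proxy's own address 10.1.1.100, the tag numbering and the packet/rule representation are assumptions made for this example.

```python
# Added example, not FlowTags' own code: the proxy / Web ACL scenario with and
# without tags. 10.1.1.1, 10.1.1.2 and the DPG edges come from the slides; the
# proxy address, tag numbering and packet/rule encoding are constructed here.

HOSTS = {"10.1.1.1": "H1", "10.1.1.2": "H2"}
PROXY_IP = "10.1.1.100"   # assumed: the proxy sources its packets from its own address

# DPG edges out of the proxy and the ACL: (node, origin host, context) -> next node.
DPG = {
    ("Proxy", "H1", "Miss"): "Internet", ("Proxy", "H1", "Hit"): "H1",
    ("Proxy", "H2", "Miss"): "ACL",      ("Proxy", "H2", "Hit"): "ACL",
    ("ACL", "H2", "Miss"): "Internet",   ("ACL", "H2", "Hit"): "H2",
}


class FlowTagsController:
    """Allocates one tag per DPG edge leaving the proxy and pushes the matching
    Generate Tag, switch forwarding and Consume Tag rules."""

    def __init__(self):
        self.gen_rules = {}       # proxy Generate Tag: (SrcIP, CacheHit) -> tag
        self.consume_rules = {}   # ACL Consume Tag: tag -> (OrigSrcIP, CacheHit)
        self.s2_rules = {}        # switch S2 (OpenFlow): tag -> next hop
        self._next = 1            # assumed numbering: first tag is 1

    def tag_for(self, src_ip, context):
        key = (src_ip, context)
        if key not in self.gen_rules:
            tag, self._next = self._next, self._next + 1
            self.gen_rules[key] = tag
            self.consume_rules[tag] = key
            self.s2_rules[tag] = DPG[("Proxy", HOSTS[src_ip], context)]
        return self.gen_rules[key]


class Proxy:
    def __init__(self, ctl=None):
        self.cache, self.ctl = set(), ctl

    def handle(self, pkt):
        """Rewrite the source (origin lost) and, with FlowTags, attach the tag."""
        context = "Hit" if pkt["url"] in self.cache else "Miss"
        self.cache.add(pkt["url"])
        out = {"src": PROXY_IP, "url": pkt["url"], "context": context}
        if self.ctl is not None:
            out["tag"] = self.ctl.tag_for(pkt["src"], context)
        return out


class WebACL:
    """Policy w.r.t. original principals: block 10.1.1.2 from xyz.com."""
    BLOCKED = {("10.1.1.2", "xyz.com")}

    def __init__(self, ctl=None):
        self.ctl = ctl

    def decide(self, pkt):
        if "tag" in pkt:                        # Consume Tag: recover OrigSrcIP
            orig_src, context = self.ctl.consume_rules[pkt["tag"]]
        else:                                   # only the rewritten header is visible
            orig_src, context = pkt["src"], pkt["context"]
        if (orig_src, pkt["url"]) in self.BLOCKED:
            return "DROP"
        return DPG.get(("ACL", HOSTS.get(orig_src), context), "Internet")


def simulate(flowtags, requests):
    """Run (src_ip, url) requests through proxy, S2 and ACL; return the
    outcome of each (where the packet ends up, or DROP) and the controller."""
    ctl = FlowTagsController() if flowtags else None
    proxy, acl = Proxy(ctl), WebACL(ctl)
    outcomes = []
    for src, url in requests:
        pkt = proxy.handle({"src": src, "url": url})
        if flowtags:
            hop = ctl.s2_rules[pkt["tag"]]           # S2 forwards on the tag
        else:                                         # baseline: a hit is answered by the proxy
            hop = HOSTS[src] if pkt["context"] == "Hit" else "ACL"
        outcomes.append(acl.decide(pkt) if hop == "ACL" else hop)
    return outcomes, ctl


SLIDE_REQUESTS = [("10.1.1.1", "xyz.com"), ("10.1.1.2", "xyz.com")]

if __name__ == "__main__":
    print("without FlowTags:", simulate(False, SLIDE_REQUESTS)[0])
    outcomes, ctl = simulate(True, SLIDE_REQUESTS)
    print("with FlowTags:   ", outcomes)
    print("ACL consume table:", ctl.consume_rules)
```

Without tags the cached response reaches H2 (slide 58), and an H2 request that misses the cache is let through because the ACL only sees the proxy's address (slide 57). With tags, the H2/Hit flow is steered to the ACL by the DPG edge, the ACL consumes the tag into OrigSrcIP 10.1.1.2 and drops it; with the slide's request order the H2/Hit tag comes out as 2 only because of the numbering assumed here.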
Slide 71: FlowTags-enhanced controller
(Figure: the controller takes the policy DPG and its physical realization over switches S1 to S4. It is reactive: middlebox event handlers (tag generate and consume) and switch event handlers (flow expiry) produce the flow rules it installs.)

Slide 72: Middlebox extension strategies to add FlowTags support
Strategy 1: Packet rewriting
(Figure: light-weight packet rewriting shims on the middlebox's input and output traffic; the internal modules are untouched)
- Pro: one shot
- Con: hard to get internal context

Slide 73: Middlebox extension strategies to add FlowTags support
Strategy 2: Module modification
(Figure: the middlebox's internal modules are modified between input and output traffic)
- Pro: suited for getting internal context
- Con: more change is needed

Slide 74: Middlebox extension strategies to add FlowTags support
Our strategy:
- Packet rewriting (a shim on the input side) for Tag consumption
- Module modification for Tag generation

Slide 75: Key evaluation questions
- Feasibility of middlebox modification
- FlowTags overhead
- Number of Tag bits
- New capabilities

Slide 76: FlowTags needs minimal middlebox modifications
Middlebox   Total LOC   Modified LOC
Squid       216,000     75
Snort       336,000     45
Balance     2,000       60
iptables    42,000      55
PRADS       15,000      25

Slide 77: FlowTags adds low overhead
(Figure: breakdown of flow processing time (ms) into controller processing, middlebox tag processing and switch setup, for the Abilene, Geant, Telstra, Sprint, Verizon and AT&T topologies with 11, 22, 44, 52, 70 and 115 PoPs respectively; y-axis from 0 to 1.4 ms)

Slide 78: Summary of other results
- Adds < 1% overhead to middlebox processing
- Tags can be encoded in ~15 bits
  - E.g., IP-ID, IPv6 FlowLabel, encapsulation headers (NVP)
- Can enable new capabilities
  - Extended header space analysis
  - Diagnosing network bottlenecks

Slide 79: Conclusions
- Middleboxes complicate enforcement
  - E.g., NAT/LB rewrite headers, proxy sends cached response
  - Root cause: violation of the SDN tenets Origin Binding and Paths-Follow-Policy
- FlowTags extends SDN with new middlebox APIs
  - Restores the tenets using the new DPG abstraction
  - No changes to switches and switch APIs
- FlowTags is practical
  - Minimal middlebox changes, low overhead
  - An enabler for verification, testing, and diagnosis