1 / 25

OpenNF

OpenNF. Aaron Gember , Chaithan Prakash , Raajay Viswanathan , Robert Grandl , Junaid Khalid, Sourav Das, Aditya Akella. SDN + software NFs. NFs examine/modify packets at layers 3-7 Software NFs are replacing physical appliances

alijah
Download Presentation

OpenNF

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. OpenNF Aaron Gember, ChaithanPrakash, RaajayViswanathan, Robert Grandl, Junaid Khalid, Sourav Das, AdityaAkella

  2. SDN + software NFs • NFs examine/modify packets at layers 3-7 • Software NFs are replacing physical appliances • SDN applications (PLayer, SIMPLE, Stratos, etc.) steer flows through NFs HomeUsers Web Server Firewall CachingProxy IntrusionPrevention Enables new applications that control the packet processing happening across instances of an NF

  3. Example: scaling & load balancing • Not moving flows => bottleneck persists • Naively moving flows => incorrect NF behavior HomeUsers Firewall CachingProxy IntrusionPrevention Web Server Requires a control planethat enables management of both internal NF state and network forwarding state

  4. Challenges • Dealing with race conditions • Packets may arrive while state is being moved, causing state updates to be lost or re-ordered • Giving applications flexibility • May need to move state at different granularities • Supporting many NFs with minimal changes • Undesirable to force NFs to conform to certain state structures or allocation/access strategies

  5. OpenNF Control Application Northbound API OpenNF Controller SDN Controller Southbound API

  6. Outline • Overview • Requirements • Design • Southbound API (addresses NF diversity) • Northbound API (addresses race conditions) • Evaluation

  7. Requirements • Move flow-specific NF state at various granularities • Copy and combine, or share, NFstate pertaining to multiple flows • Support key guarantees (no loss, order preserved) when needed • Track when/how state is updated

  8. Existing approaches • Control over routing (PLayer, SIMPLE, Stratos) • Virtual machine replication • Unneeded state => incorrect actions • Cannot combine => limited rebalancing • Split/Merge and Pico/Replication • Address specific problems => limited suitability • Require NFs to create/access state in specificways => significant NF changes

  9. NF state taxonomy • State created or updated by an NF applies to either a single flow or a collection of flows • Classify state based on scope • Flow provides a natural way for reasoning about which state to move, copy, or share Per-flow state Multi-flow state TcpAnalyzer Connection HttpAnalyzer ConnCount Connection TcpAnalyzer All-flows state Statistics HttpAnalyzer

  10. API to export/import state • Three simple functions: get, put, delete • Version for each scope (per-, multi-, all-flows) • Filter defined over packet header fields • NFs responsible for • Identifying and providing all state matching a filter • Combining provided state with existing state No need to expose internal state organization No changes to conform to a specific allocation strategy

  11. API to observe/prevent updates • Problem: need to prevent (e.g., during move) or observe (e.g., to trigger copy) state updates • Solution: event abstraction • Functions: enableEventsand disableEvents • Instruct NF to raise an event and process, buffer, or drop packets matching a filter Only need to change an NF’s receive packet function

  12. Move operation Control Application SDN Controller move (port=80,Inst1,Inst2) forward(port=80,Inst2) OpenNF Controller getPerflow(port=80) putPerflow(Chunk1) [Chunk1] delPerflow(port=80) putPerflow(Chunk2) [Chunk2] Inst1 Inst2

  13. Packet arrivals during move • Packets may arrive during a move operation • Fix: suspend traffic flow and buffer packets • May last 100s of ms => connection timeouts • Packets in-transit when buffering starts are dropped Inst2 ismissingupdates move(yellow,Inst1 ,Inst2 ) Loss-free: All state updates due to packet processing should be reflected in the transferred state, and all packets the switch receives should be processed 1 1 1 Inst1 Inst2

  14. Use events for loss-free move • enableEvents(blue,drop) on Inst1; • get/delete on Inst1; put on Inst2 • Buffer events at controller • Flush packets inevents to Inst2 • Update forwarding A S S+A S,S+A S,S+A,A S S Inst1 Inst2 S+A

  15. Re-ordering of packets Switch Inst2 Controller Inst1 Flush buffer S+A Request forwarding update A S+A S+A D1 A A D1 D2 D1 D2 D1 D1 Order-preserving: All packets should be processed in the order they were forwarded to the NF instances by the switch

  16. Order-preserving move • Flush packets in events to Inst2 • enableEvents(blue,buffer) on Inst2 • Forwarding update: send to Inst1& controller • Wait for packet from switch (remember last) • Forwarding update: send to Inst2 • Wait for event for last packet from Inst2 • Release buffer of packets on Inst2 A A D1 S,S+A,A,D1 S,S+A,A S S,S+A S S+A A

  17. Copy and share operations • Used when multiple instances need to access a particular piece of state • Copy – no or eventual consistency • Issue once, periodically, based on events, etc. • Share – strong or strict consistency • All packets reaching NF instances trigger an event • Packets in events are released one at a time • State is copied between packets

  18. Example app: Load balanced network monitoring movePrefix(prefix,oldInst,newInst): copy(oldInst,newInst,{nw_src:prefix},multi) move(oldInst,newInst,{nw_src:prefix},per,LF+OP) while (true): sleep(60) copy(oldInst,newInst,{nw_src:prefix},multi) copy(newInst,oldInst,{nw_src:prefix},multi) scan.bro vulnerable.bro weird.bro

  19. Example app: Selectively invoking advanced remote processing scan.bro vulnerable.bro weird.bro detect-MHR.bro scan.bro vulnerable.bro weird.bro enhanceProcessing(flowid,locInst): move(locInst,cloudInst,flowid,per,LF) !

  20. Implementation • OpenNFController (≈3.8K lines of Java) • Written atop Floodlight • Shared NF library (≈2.6K lines of C) • Modified NFs (3-8% increase in code) • Bro (intrusion detection) • PRADS (service/asset detection) • iptables (firewall and NAT) • Squid (caching proxy)

  21. End-to-end benefits • Load balanced monitoring with Bro IDS • Load: 10K pkts/sec cloud trace • After 180 sec: move HTTP flows (489) to new Bro • OpenNF: 260ms to move (optimized, loss-free) • Log entries equivalent to using one instance • VM replication: 3889 incorrect log entries • Forwarding control only: scale down delayed by > 1500 seconds

  22. Southbound API call processing Cost grows with state complexity Serialization/deserializationcosts dominate

  23. Efficiency with guarantees • State: 500 flows in PRADS; Load: 1000 pkts/s • Move • Copy – 176ms • Share – 7ms (or more) for every packet 130 pktsbufferedat dstInst 230 pktsin events 194 pktsdropped! Guarantees come at a cost!

  24. Controller performance Improve scalability with P2P state transfers

  25. Conclusion • Systematic engineered APIsimplemented by NFs and used by control applications • Enables rich control of the packet processing happening across instances of an NF • Provides key guarantees andrequires minimal NF modifications http://agember.com/go/opennf

More Related