
Verifiable Network Function Outsourcing

Verifiable Network Function Outsourcing. Seyed K. Fayazbakhsh, Michael K. Reiter, Vyas Sekar. Case for Network Function Outsourcing (NFO). Today: High CapEx, OpEx, Delay in innovation. Cloud Provider. Internet. + Economies of scale, pay-per use + Simplifies configuration & deployment.


Presentation Transcript


  1. Verifiable Network Function Outsourcing
     Seyed K. Fayazbakhsh, Michael K. Reiter, Vyas Sekar

  2. Case for Network Function Outsourcing (NFO)
     Today: High CapEx, OpEx, Delay in innovation
     [Diagram labels: Cloud Provider, Internet]
     + Economies of scale, pay-per use
     + Simplifies configuration & deployment

  3. Concerns with ceding control
     [Diagram labels: Cloud Provider, Internet]
     • e.g., Is this equivalent to in-house?
     • e.g., Am I really getting cost reduction?

  4. Our Vision: Verifiable NFO
     • Our focus is meeting customer expectations
     • Key correctness properties:
       • Behavior
       • Performance
       • Accounting
     • Other issues outside our scope: isolation, privacy, bandwidth costs, ...

  5. What makes this challenging?
     • Lack of visibility into the workload
     • Dynamic, traffic-dependent, and potentially proprietary actions of the middleboxes
     • Stochastic effects introduced by the network

  6. Outline
     • Motivation for verifiable NFO
     • Formalizing properties
     • A roadmap for vNFO
     • Ongoing work and discussion

  7. Formal Framework
     [Diagram labels: Management Interface; BCPU, BMem, BNet; f1 … fn; σ1 … σn; CPU, Mem; Net; π1in, π2in, …; π1out, π2out, …; Customer; Packet Space; State Space; Reference implementation]

  8. Behavioral equivalence?
     [Diagram labels: Cloud, IPS, Customer]
     Are packets being modified or incorrectly processed?

  9. Blackbox Behavioral Correctness
     Is there some viable state?
     [Diagram labels: σ1 … σn; visible to customer; π1in; π1out; ?; σ’1 … σ’n]

  10. Snapshot Behavioral Correctness
     Would I get the same output?
     [Diagram labels: σ1 … σn; visible to customer; π1in; π1out; π1out?]

  11. Performance impact?
     [Diagram labels: Cloud, IPS, Customer; t1, t2, t3]
     Is the cloud processing introducing delays?

  12. Performance Correctness
     Would it really take this long?
     [Diagram labels: σ1 … σn; π1in, π2in, …; π1out, π2out, …; t1out, t2out, …; t’1out, t’2out, …]
     observed provider performance ≈ reference performance

  13. Accounting correctness?
     [Diagram labels: Cloud, IPS, Customer]
     Is the provider overcharging me?

  14. “Did-It” Accounting Correctness
     Did It actually consume?
     [Diagram labels: σ1 … σn; π1in, π2in, …; π1out, π2out, …]
     Charged value of resource r ≈ Consumption of resource r by provider

  15. “Should-It” Accounting Correctness
     Should It really cost this much?
     [Diagram labels: σ1 … σn; π1in, π2in, …; π1out, π2out, …]
     Consumption of resource r by provider ≈ Consumption of resource r by reference implementation

  16. Summarizing Correctness Properties
     • Behavioral correctness
       • Blackbox: Function states are not visible to customer.
       • Snapshot: Function states are visible to customer.
     • Performance correctness
       • Is performance metric within Δ (SLA) of reference?
     • Accounting correctness
       • Did-It: Were resources actually consumed?
       • Should-It: Was the consumption necessary?

  17. Outline
     • Motivation for NFO + vNFO
     • Formalizing vNFO properties
     • A roadmap for vNFO
     • Ongoing work and discussion

  18. Verifiable NFO (vNFO) Overview
     [Diagram labels: Management Interface; BCPU, BMem, BNet; VM1 … VMn; CPU, Mem; Net; Cloud OS; Trusted Shim; Cloud Platform; Customer; π1in, π2in, …; π1out, π2out, …]
     • Each function is implemented as a virtual appliance.
     • NFO provider deploys a trusted shim for logging.

  19. Idealized view
     [Diagram labels: Management Interface; BCPU, BMem, BNet; VM1 … VMn; CPU, Mem; Net; Cloud OS; Trusted Shim; Cloud Platform; Customer; π1in, π2in, …; π1out, π2out, …]
     Shim logs every packet, instantaneous VM state, and resource usage, timestamps per packet

  20. Challenges with Idealized view
     [Diagram labels: Management Interface; BCPU, BMem, BNet; VM1 … VMn; CPU, Mem; Net; Cloud OS; Trusted Shim; Cloud Platform; Customer; π1in, π2in, …; π1out, π2out, …]
     1. Middlebox actions make it difficult to correlate logs
     2. Scalability and performance impact due to logging

  21. Potential solutions to challenges
     [Slide labels: FlowTags, Trajectory Sampling]
     • Lack of visibility into middlebox actions:
       • Packets may be modified by middleboxes.
     • Scalability
       • Infeasible to log all packets and processing stats.

  22. Ongoing work
     • Leveraging nested virtualization
     • NFO provider does not need any platform change
     • Adding hooks to KVM
     • Trustworthy accounting (CPU, memory)
     • Trajectory sampling + FlowTags
     • Instantaneous snapshotting
     • Benchmark memory/time overheads associated with:
       • Packet sampling
       • Resource consumption calculations
       • Snapshotting

  23. Discussion
     • Does the customer trust the NFO provider?
     • Is the NFO provider willing to deploy the shim layer?
     • Market forces: Premium service, competitive edge, etc.
     • What are the market factors for customers?
     • Can customer easily switch to a different NFO provider?
     • What is the role of SLA?
     • Can the billed amount always be formulated in terms of resource consumption?
     • …
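
The correctness properties summarized on slide 16, checked by the customer over a per-packet shim log of the kind slide 19 describes; this is an added example, not code from the presentation or its authors. The toy reference function, the `ShimRecord` fields, the tolerances `delta_ms` and `eps`, and every log value are constructed assumptions, and only the snapshot variant of behavioral correctness is checked.

```python
from dataclasses import dataclass

LIMIT = 2  # hypothetical policy: forward at most LIMIT packets per source

def reference(state, pkt):
    """Toy reference function: (state, packet) -> (output, new state, cpu, ms)."""
    seen = state.get(pkt["src"], 0)
    out = pkt if seen < LIMIT else None          # None means the packet is dropped
    new_state = {**state, pkt["src"]: seen + 1}
    return out, new_state, 1.0, 0.5              # constructed cost: 1 CPU unit, 0.5 ms

@dataclass
class ShimRecord:            # what the trusted shim is assumed to log per packet
    state: dict              # snapshot of function state before processing
    pkt_in: dict
    pkt_out: object          # packet seen leaving the provider (None if dropped)
    latency_ms: float        # observed provider processing time
    cpu_used: float          # consumption measured by the shim
    cpu_charged: float       # value that appears on the bill

def verify(rec, delta_ms=0.2, eps=0.1):
    """Return the set of properties violated by one log record."""
    out, _, ref_cpu, ref_ms = reference(rec.state, rec.pkt_in)
    bad = set()
    if out != rec.pkt_out:
        bad.add("snapshot-behavior")             # same state and input, other output
    if abs(rec.latency_ms - ref_ms) > delta_ms:
        bad.add("performance")                   # outside Δ of the reference
    if abs(rec.cpu_charged - rec.cpu_used) > eps:
        bad.add("did-it")                        # bill does not match consumption
    if abs(rec.cpu_used - ref_cpu) > eps:
        bad.add("should-it")                     # consumption deviates from reference
    return bad

P = {"src": "10.0.0.1", "payload": "x"}          # constructed sample packet
LOG = [                                          # constructed shim log
    ShimRecord({}, P, P, 0.55, 1.0, 1.0),                 # honest
    ShimRecord({"10.0.0.1": 2}, P, P, 0.5, 1.0, 1.0),     # should have been dropped
    ShimRecord({}, P, P, 1.4, 1.0, 1.0),                  # slow
    ShimRecord({}, P, P, 0.5, 1.0, 3.0),                  # charged more than used
    ShimRecord({}, P, P, 0.5, 3.0, 3.0),                  # wasteful, honestly billed
]

def audit(log):
    return [sorted(verify(r)) for r in log]

if __name__ == "__main__":
    for i, v in enumerate(audit(LOG)):
        print(i, v or "ok")
```

The last two records show why the slides keep Did-It and Should-It separate: a bill can match measured consumption while that consumption still exceeds what the reference implementation needs.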
