1 / 56

Outline

This course covers high-level programming techniques for network systems, including reactive and proactive logic-driven user programming, as well as automatic programming using compilers.

rcheney
Download Presentation

Outline

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS434/534: Topics in Network Systems High-Level Programming for Programmable Networks: Runtime and CompilerYang (Richard) YangComputer Science DepartmentYale University208A WatsonEmail: yry@cs.yale.eduhttp://zoo.cs.yale.edu/classes/cs434/

  2. Outline • Admin and recap • Datapath programming • Reactive, high level logic driven user programming • Reactive, high level automatic programming • Proactive, high level automatic programming (aka compiler)

  3. Recap: Visualize a Real Network using Tables Internet Assignment: - Identify requirements - Write downtable(s) for each device CE F2 F1 (Firewall) S2 S1 R1 LB2 LB1 (Load balancer) IPS2 IPS3 IPS1 (Intrusion prevention) S6 S4 S5 S3 tier-1 H2 H5 H4 H3 H1 H6 Logger VLAN 300 VLAN 400 Tier-3 Tier-1 Tier-2

  4. Recap: OpenFlow Datapath Model • A set of flow tables forming a directed acyclic graph (DAG) • A set of group tables • Each flow table consists of a set of flow entries/rules • match • actions Google SD-WAN Control: B4, sigcom’13 Broadcom OF-DPA Chip

  5. Recap: Two Basic Types of Programming Reactive • First packet of flow triggers controller to insert flow entries • Pros • Efficient use of flow table • Cons • Every flow incurs additional flow setup time • If control connection lost, switch has limited utility • Proactive • Controller pre-populates flow table in switch • Pro • Zero additional flow setup time • Loss of control connection does not disrupt traffic • Con • Need large flow table • Many entries maybe cold

  6. Recap: Reactive User-Driven Programming badPort = 22 // policyhostTbl = {A:1,B:2, C:3,D:4} // net view defonPacketIn(p): if badPort == p.tcp_dst:// drop computerule else:// forward([hostTbl(p.eth_dst)]) computerule 1 4 3 2 A D B C

  7. Recap: Reactive, Higher-level Logic Driven User Programming hostTbl = {A:1,B:2,C:3,D:4} defonPacketIn(p): if 22 == p.tcp_dst: drop installRule({‘priority’:1, ‘match’:{'tcp_dst':22}, ‘action’:[]}) else:forward([hostTbl(p.eth_dst)]) installRule({‘priority’:0, ‘match’: {‘eth_dst’:p.eth_dst}, ‘action’:[hostTbl(p.eth_dst)]})

  8. Outline • Admin and recap • Datapath programming • Reactive, high level logic driven user programming • Reactive, high level logic driven automatic programming

  9. Goal Programmers write only the logic (=> data path independent) code: System automatically generates correct, optimized data path defonPacketIn(p) if 22 == p.tcp_dst: drop else:forward([hostTbl(p.eth_dst)])

  10. Programming Model: Programmer’s View • Conceptually programmer’s network control function f is invoked on every packet entering the network. • f expressed in an existing, general purpose language (e.g., Java, Python), describing how a packet should be routed, not how data path flow tables are configured f: packet route

  11. Example High-level Program Route f(Packet p) { if (p.tcpDstIs(22)) returnnull(); else { Locationsloc = hostTable(p.ethSrc()); Locationdloc = hostTable(p.ethDst()); Route path = myRoutingAlg(topology(),sloc,dloc); returnpath; } } Route myRoutingAlg(Topologytopo, Location sLoc, Location dloc) { if ( isSensitive(sLoc) || isSensitive(dLoc) ) returnsecureRoutingAlg(topo, sloc, dloc); elsereturnstandardRoutingAlg(topo, sloc, dloc); }

  12. Basic Ideas of Datapath Generation • Insight • Although the decision function f does not specify how flow tables are configured, if for a given decision (e.g., drop), one can know the dependency on the input (pkt attributes) of the decision, one can construct the flow table. • Requirement • Program f uses a library to access pkt attributes • Library provides both convenience and more importantly, decision dependency • Basic data structure • Trace tree

  13. EthSrc:1, EthDst:2, TcpDst:80 Trace Trace Tree Policy Route f(Packet p) { if (p.tcpDstIs(22)) returnnull(); else { Locationsloc = hostTable(p.ethSrc()); Locationdloc = hostTable(p.ethDst()); Route path = myRoutingAlg( topology(),sloc,dloc); return path; } } Assert:TcpDst==22 false Read:EthSrc 1 Read:EthDst Ex: What is the trace tree after this first packet? 2 path1

  14. Trace Trace Tree Policy Assert:TcpDst==22 Route f(Packet p) { if (p.tcpDstIs(22)) returnnull(); else { Locationsloc = hostTable(p.ethSrc()); Locationdloc = hostTable(p.ethDst()); Route path = myRoutingAlg( topology(),sloc,dloc); return path; } } true false Read:EthSrc ? 1 Read:EthDst 2 path1

  15. EthDst:1, TcpDst:22 Trace Trace Tree Policy Assert:TcpDst==22 Route f(Packet p) { if (p.tcpDstIs(22)) returnnull(); else { Locationsloc = hostTable(p.ethSrc()); Locationdloc = hostTable(p.ethDst()); Route path = myRoutingAlg( topology(),sloc,dloc); return path; } } Assert:TcpDst==22 true true false null Read:EthSrc ? 1 Read:EthDst 2 path1

  16. EthDst:1, TcpDst:22 Trace Trace Tree Policy Assert:TcpDst==22 Route f(Packet p) { if (p.tcpDstIs(22)) returnnull(); else { Locationsloc = hostTable(p.ethSrc()); Locationdloc = hostTable(p.ethDst()); Route path = myRoutingAlg( topology(),sloc,dloc); return path; } } true false Read:EthSrc null 1 Read:EthDst 2 path1

  17. Trace Tree Formalism Assert:TcpDst==22 • A tree w/ 4 types of nodes T node: assertion on packet attributes V node: multi-way branching on a packet attribute L node: leaf node labeled w/ action ? node: unknown true false Read:EthSrc ? 1 Read:EthDst • If there is a match on the trace tree, the tree and the program give the same result, true or false? 2 path1

  18. Question • Is the trace tree for a single device or it can do multiple devices?

  19. Trace Tree => Datapath tcpDst==22 True False ethDst drop match:{tcpDst==22} 4 2 ethSrc drop match:{tcpDst!=22,ethDst:2} 6 port 30 match:{tcpDst!=22,ethDst:4,ethSrc:6}

  20. Trace Tree => Datapath tcpDst==22 True False ethDst drop match:{tcpDst==22} 4 2 ethSrc drop match:{tcpDst!=22,ethDst:2} 6 port 30 barrier rule: match:{tcpDst!=22,ethDst:4,ethSrc:6} match:{tcpDst==22} action:ToController Priority

  21. Exercise: Write a FW Interpreter and Construct TT • Assume Linux iptables format • Match • -p protocol • -s address/mask • -d address/mask • --sports port • --dports port • Action • -j ACCEPT | REJECT • Example: allow only http (tcp port 80) traffic, block all others • -p tcp --dports 80 –j ACCEPT • -j REJECT

  22. Outline • Admin and recap • Datapath programming • Reactive, high level logic driven user programming • Reactive, high level logic driven automatic programming • Basic idea • Optimizations

  23. Trace Tree => Datapath Inefficiency/optimization of TT and gen rules over the basic idea? tcpDst==22 True False ethDst drop Pri: 3 match:{tcpDst==22} 4 2 ethSrc drop 6 Pri: 1 match:{tcpDst!=22,ethDst:2} port 30 barrier rule: Pri: 2 match:{tcpDst==22} Pri:0match:{tcpDst!=22,ethDst:4,ethSrc:6} action:ToController Priority

  24. Problem: Optimizing Traces

  25. Example: Trace Reduction

  26. Problem: Optimizing (Reducing) Rule Updates disjoint, could use same priority.

  27. Outline • Admin and recap • Datapath programming • Reactive, higher-level logic driven user programming • Reactive, higher-level logic driven automatic programming • Basic idea • Optimizations • Trace tree in a dynamic environment

  28. Ex: What is in the Environment in this Program? badPort = 22 // policyhostTbl = {A:1,B:2, C:3,D:4} // net view defonPacketIn(p): if badPort == p.tcp_dst:drop else:forward([hostTbl(p.eth_dst)]) 1 4 3 2 A D B C

  29. Program and Environment State Has physical states physical states in environment Map<MAC, Location> hostTable;List<ACLItem> acls; Route f(Packet p) { hostTable.put(p.ethSrc(), p.ingressPort()); if ( !permit(p, acls) ) return drop; Location src = p.ingressPort(); Location dst = hostTable.get( p.ethDst() ); Route path = myRoutingAlg(topology(), src, dst); return path; } External process may change the state External process may change environment state policy state in environment

  30. Potential Approaches on Handling Dynamic Environment State • Timeout • Wait for timeout of existing rules (e.g., Floodlight) • Problem: long delay; may not even be correct • Rerun • Completely rerun program and then compare the differences (e.g., Pyretic) • Problem: low efficiency

  31. Discussion: Potential Another Approach? Assert:TcpDst==22 Route f(Packet p) { if (p.tcpDstIs(badPort)) returnnull(); else { Locationsloc = hostTable(p.ethSrc()); Locationdloc = hostTable(p.ethDst()); Route path = myRoutingAlg( topology(),sloc,dloc); return path; } } true false Read:EthSrc ? 1 Read:EthDst 2 path1

  32. Unified Dependency Tracking • Control program f uses simple library wrappers to access pkt attributes and state variables • Reason: Provides both convenient data structures and importantly, again, decision dependency!

  33. EthSrc:1, EthDst:2, TcpDst:80 Policy Route f(Packet p) { if (p.tcpDstIs(22)) returnnull(); else { Locationsloc = hostTable(p.ethSrc()); Locationdloc = hostTable(p.ethDst()); Route path = myRoutingAlg( topology(),sloc,dloc); returnpath; } } Assert:TcpDst==22 false Read:EthSrc Dependency table (aka inverted index) 1 (hostTable, 1)

  34. EthSrc:1, EthDst:2, TcpDst:80 Policy Route f(Packet p) { if (p.tcpDstIs(22)) returnnull(); else { Locationsloc = hostTable(p.ethSrc()); Locationdloc = hostTable(p.ethDst()); Route path = myRoutingAlg( topology(),sloc,dloc); returnpath; } } Assert:TcpDst==22 false Read:EthSrc Dependency table (aka inverted index) 1 (hostTable, 1)

  35. EthSrc:1, EthDst:2, TcpDst:80 Policy Route f(Packet p) { if (p.tcpDstIs(22)) returnnull(); else { Locationsloc = hostTable(p.ethSrc()); Locationdloc = hostTable(p.ethDst()); Route path = myRoutingAlg( topology(),sloc,dloc); returnpath; } } Assert:TcpDst==22 false Read:EthSrc Dependency table (aka inverted index) 1 (hostTable, 1) Read:EthDst 2 (hostTable, 2)

  36. EthSrc:1, EthDst:2, TcpDst:80 Policy Route f(Packet p) { if (p.tcpDstIs(22)) returnnull(); else { Locationsloc = hostTable(p.ethSrc()); Locationdloc = hostTable(p.ethDst()); Route path = myRoutingAlg( topology(),sloc,dloc); returnpath; } } Assert:TcpDst==22 false Read:EthSrc Dependency table (aka inverted index) 1 (hostTable, 1) Read:EthDst 2 (hostTable, 2) topology path1

  37. Example Dependency Table Dependency table (aka inverted index) Assert:TcpDsd==22 false true Read:EthSrc ? 1 3 (hostTable, 3) (hostTable, 1) Read:EthDst Read:EthDst 4 2 (hostTable, 2) (topology()) (hostTable, 4) (topology()) path2 path1

  38. Tradeoffs Between Tracking Overhead and Precision host 1 Assert:TcpDsd==22 link[2]: 2 link[1]: 1 false true Read:EthSrc ? link[3]: 1 1 3 link[4]: 2 (hostTable, 1) Read:EthDst Read:EthDst host 2 (hostTable, 2) Assume Dijkstra. 4 2 Dijkstra will visit only 3 links. There is no dependency on link[4]. (topology()) (links, {1,2,3}) path2 path1

  39. Using Dependency Table Dependency table (aka inverted index) Assert:TcpDsd==22 false true Read:EthSrc ? 1 3 (hostTable, 3) (hostTable, 1) Read:EthDst Read:EthDst host 4 changes location => - Uses dependency table to locate dependent entries 4 2 (hostTable, 2) (topology()) (hostTable, 4) (topology()) path2 path1

  40. Using Dependency Table Dependency table (aka inverted index) Assert:TcpDsd==22 false true Read:EthSrc ? 1 3 (hostTable, 3) (hostTable, 1) Read:EthDst Read:EthDst host 4 changes location => - Uses dependency table to locate dependent entries 4 2 (hostTable, 2) (topology()) (hostTable, 4) (topology()) Discussion: What can the system do? path2 path1

  41. Discussion: Trace Tree Programming • Pros • Simple, language independent • Cons • Quality: compiles to only a single flow table • Latency: A reactive approach that waits for punted packets to begin unfolding the trace tree and generating rules

  42. Outline • Admin and recap • Datapath programming • Reactive, high level logic driven user programming • Reactive, high level automatic programming • Proactive, high level automatic programming (aka High level SDN compiler)

  43. Objective • Proactive, fully generated datapath • Objective of today’s class: See if we can make progress in compiling a general program to datapath • Traditionally considered too hard to compile a high-level program to a datapath as they have quite different programming models • algorithm vs lookup tables • Ongoing work, welcome to pick it as a class project

  44. Objective: Generate Datapath Pipeline Map<MAC, Switch> hostTable; 0. RouteonPacketIn(Packet p) { 1. Switch srcSw = hostTable.get( p.ethSrc() ); 2. SwitchdstSw = hostTable.get( p.ethDst() ); Route aRoutes = AllPairRoutes(); return aRoutes.get(srcSw, dstSw); Note: if srcSwordstSw empty, drop. Table 3 Table 1 Table 2 Any pattern of the pipeline?

  45. Outline • Admin and recap • Datapath programming • Reactive, higher-level logic driven user programming • Reactive, higher-level logic driven automatic programming • Proactive, high-level automatic programming • compact per-instruction table (PIT) pipeline

More Related