1 / 25

Ethane: Taking Control of the Enterprise

Ethane: Taking Control of the Enterprise. Authors: Martin Casado , Michael J. Freedman, Justin Pettit, Jianying Luo ,  Nick McKeown , Scott Shenker Publisher: ACM SIGCOMM Conference - SIGCOMM , 2007 Presenter: 楊皓 中 Date : 2013/10/09. Introduction.

verne
Download Presentation

Ethane: Taking Control of the Enterprise

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Ethane: Taking Control of the Enterprise Authors: Martin Casado, Michael J. Freedman, Justin Pettit, Jianying Luo , Nick McKeown, Scott Shenker Publisher:ACM SIGCOMM Conference - SIGCOMM , 2007 Presenter: 楊皓中 Date: 2013/10/09

  2. Introduction • Enterprise networks are often large, run a wide variety of applications and protocols, and typically operate under strict reliability and security constraints; thus, they represent a challenging environment for network management. • Yet the current solutions are weak, making enterprise network management both expensive and error-prone. • 62% of network downtime in multi-vendor networks comes from human-error • 80% of IT budgets is spent on maintenance and operations . • How could we change the enterprise network architecture to make it more manageable? • Ethane

  3. Ethane is built around three fundamental principles • The network should be governed by policies declared over high level names • Policy should determine the path that packets follow • The network should enforce a strong binding between a packet and its origin.

  4. Overview of ethane It imposes this requirement through two main components. • Central Controller • containing the global network policy that determines the fate of all packets. • knows the global network topology and performs route computation for permitted flows. • Ethane Switches • Consisting of a simple flow table and a secure channel to the Controller • simply forward packets under the direction of the Controller. • When a packet arrives that is not in the flow table, they forward that packet to the Controller, along with information about which port the packet arrived on.

  5. Ethane in use --the five basic activities • Registration • Bootstrapping • Authentication • Flow Setup • Forwarding

  6. Ethane in more detail—An Ethane Network

  7. Ethane in more detail—Switch Ethane Switch VS Ethernet switch • A wired Ethane Switch is like a simplified Ethernet switch. • An Ethane Switch doesn’t need to learn addresses, support VLANs, check for source-address spoofing, or keep flow-level statistics,maintain forwarding tables,run routing protocols such as OSPF, ISIS, and RIP. • the flow table can be several orders-of-magnitude smaller than the forwarding table in an equivalent Ethernet switch

  8. Ethane in more detail—Switch • Flow Table and Flow Entries • contain a Header (to match packets against), an Action (to tell the switch what to do with the packet), and Per-Flow Data. • Local Switch Manager • monitor link status • establish and maintain the secure channel to the Controller • two ways a Switch can talk to the Controller. • within the same broadcast domain • Using our modified Minimum Spanning Tree • secure channel stretching through these intermediate Switches all the way to the Controller. • not within the same broadcast domain • IP tunnel

  9. Ethane in more detail—Controller The Controller is the brain of the network and has many tasks

  10. Ethane in more detail—Controller • Registration • All entities that are to be named by the network must be registered. • Authentication • a network could support multiple authenticationmethods • Tracking Bindings • One of Ethane’s most powerful features is thatit can easily track all the bindings between names, addresses, andphysical ports on the network. • Namespace Interface • it can make information availableto network managers, auditors, or anyone else who seeks tounderstand who sent what packet and when. • Permission Check and Access Granting • Enforcing Resource Limits

  11. Ethane in more detail—Handling Broadcast and Multicast • Multicast • The Switch keeps a bitmap for each flow to indicate which ports the packets are to be sent to along the path. • Broadcast • a host is trying to find a server or an address. Controller can reply to a request without creating a new flow and broadcasting the traffic • ARP could generate a huge load for the Controller • ARP server • it should bepossible to provide a direct way to query the network

  12. Ethane in more detail—Replicating the controller Fault-Tolerance and Scalability • Multiple Controllers may be desirable to provide fault-tolerance or to scale to very large networks. • cold-standby approach • having no network binding state • The warm-standby approach • having network binding state • The fully-replicated approach

  13. Ethane in more detail—Link Failures • When a link fails , the Switch removes all flow table entries tied to the failed port and sends its new link-state information to the Controller, and the Controller computes and installs a new path based on the new topology.

  14. Ethane in more detail—Bootstrapping • When the network starts, the Switches must connect to and authenticate with the Controller • On startup, the network creates a minimum spanning tree with the Controller advertising itself as the root. • Each Switch has been configured with the Controller’s credentials • If a Switch finds a shorter path to the Controller, it attempts two way authentication with it before advertising that path as a valid route.

  15. The POL-ETH policy language

  16. The POL-ETH policy language—Implementation • Creating a lookup table for all possible flows specified in the policy would be impractical. • Our Pol-Eth implementation combines compilation and just-in-time creation of search functions • have implemented a source-to-source compiler that generates C++ from a Pol-Eth policy file. The resulting source is then compiled and linked into the Ethane binary. As a consequence, policy changes currently require relinking the Controller. We are currently upgrading the policy compiler so that policy changes can be dynamically loaded at runtime.

  17. Prototype and Deployment • At university , over 300 host , several hundred users. • Deployed a remote switch in private residence. • The whole network is managed by single PC-based Controller. • Includes 19 switches of three different types. • Ethane Wireless Access Point • wireless router(266MHz MIPS, 32MB RAM) • talks to the Controller using the native Linux TCP stack • Ethane 4-port Gigabit Ethernet Switch: Hardware Solution. • implemented on NetFPGA • 4MB of SRAM for packet buffers and the flow table • Ethane 4-port Gigabit Ethernet Switch: Software Solution. • built a Switch from a regular desktop PC (1.6GHz Celeron CPU and 512MB of DRAM)

  18. Prototype and Deployment • Controller • A standard Linux PC(1.6GHz Celeron CPU and 512MB of DRAM) • 100MB/s Ethernet network • 11 wired and 8 wireless Ethane switch • average of 120 hosts active in a 5-minute window

  19. Performance and scalability--primary question • How many Controllers are needed for a network of a given size? • How big does the flow table need to be in the Switch?

  20. Performance and scalability

  21. Performance and scalability— • Figure 7 : 8000 host • never exceeded 1,200 per second • across all nodes • Figure 8 : 22000 host • under 9,000 new flow-requests per second • suggest that a single Controller could comfortably manage a network with over 20,000 hosts.

  22. Performance and scalability—Performance During Failures • cold-standby failure recovery • we measuredthe completion time of 275 consecutive HTTP requests

  23. Performance and scalability—Performance During Failures • Failures were simulated by physically unplugging a link • In all cases, the path reconverges in under 40ms, but a packet couldbe delayed up to a second while the Controller handles the flurry ofrequests.

  24. Performance and scalability—Flow Table Sizing • Auniversity sized network • flow table capable of holding 8K–16K entries. If we assume that each entry is 64B, such a table requires about 1MB of storage • A typical commercial enterprise Ethernet • switch today holds 1 million Ethernet addresses (6MBif hashing is used) • 1 million IP addresses (4MB of TCAM), • 1-2 million counters (8MB of fast SRAM) • several thousand ACLs (more TCAM). • the memory requirements of an Ethane Switch are quite modest in comparison to today’s Ethernet switches.

  25. ETHANE’S SHORTCOMINGS • Broadcast and Service Discovery • on our network, Broadcast discovery protocols constituted over 90% of the flows • Application-layer routing • For example, if A is allowed to talkto B but not C, and if B can talk to C, then B can relay messagesfrom A to C • Knowing what the user is doing. • Ethane’s policy assumes thatthe transport port numbers indicate what the user is doing: port80 means HTTP, port 25 is SMTP, and so on. • Spoofing Ethernet addresses • If auser spoofs a MAC address, it might be possible to fool Ethaneinto delivering packets to an end-host

More Related