aaron gember, chaithan prakash, raajay viswanathan, robert grandl, junaid khalid, sourav das, aditya...
TRANSCRIPT
1
Aaron Gember, Chaithan Prakash, Raajay Viswanathan, Robert Grandl,
Junaid Khalid, Sourav Das, Aditya Akella
OpenNF
2
SDN + software NFs• NFs examine/modify packets at layers 3-7
• Software NFs are replacing physical appliances• SDN applications (PLayer, SIMPLE, Stratos, etc.)
steer flows through NFs
Web ServerHomeUsers
CachingProxy
IntrusionPrevention
Firewall
Enables new applications that control the packet processing happening across instances of an NF
3
• Not moving flows => bottleneck persists• Naively moving flows => incorrect NF behavior
Example: scaling & load balancing
Firewall CachingProxy
IntrusionPrevention
Web ServerHomeUsers
Requires a control plane that enables management of both internal NF state and network forwarding state
4
Challenges
1. Dealing with race conditions– Packets may arrive while state is being moved,
causing state updates to be lost or re-ordered
2. Giving applications flexibility– May need to move state at different granularities
3. Supporting many NFs with minimal changes– Undesirable to force NFs to conform to certain
state structures or allocation/access strategies
5
OpenNF
OpenNF Controller SDN Controller
Control Application
Northbound API
Southbound API
6
Outline
• Overview• Requirements• Design– Southbound API (addresses NF diversity)– Northbound API (addresses race conditions)
• Evaluation
7
Requirements
• Move flow-specific NF state at various granularities
• Copy and combine, or share, NFstate pertaining to multiple flows
• Support key guarantees (no loss, order preserved) when needed
• Track when/how state is updated
8
Existing approaches
• Control over routing (PLayer, SIMPLE, Stratos)• Virtual machine replication– Unneeded state => incorrect actions– Cannot combine => limited rebalancing
• Split/Merge and Pico/Replication– Address specific problems => limited suitability– Require NFs to create/access state in specific
ways => significant NF changes
9
• State created or updated by an NF applies to either a single flow or a collection of flows
• Classify state based on scope• Flow provides a natural way for reasoning
about which state to move, copy, or share
NF state taxonomy
Connection
Connection
TcpAnalyzer
HttpAnalyzer
TcpAnalyzer
HttpAnalyzer
Per-flow state
ConnCount
Multi-flow state
All-flows stateStatistics
10
API to export/import state
• Three simple functions: get, put, delete– Version for each scope (per-, multi-, all-flows)– Filter defined over packet header fields
• NFs responsible for– Identifying and providing all state matching a filter– Combining provided state with existing state
No need to expose internal state organization No changes to conform to a specific allocation strategy
11
API to observe/prevent updates
• Problem: need to prevent (e.g., during move) or observe (e.g., to trigger copy) state updates
• Solution: event abstraction– Functions: enableEvents and disableEvents– Instruct NF to raise an event and process, buffer,
or drop packets matching a filter
Only need to change an NF’s receive packet function
12
Move operation
OpenNF Controller
Control Application
move (port=80,Inst1,Inst2)
getPerflow(port=80)
[Chunk1] putPerflow(Chunk1)delPerflow(port=80)[Chunk2] putPerflow(Chunk2)
forward(port=80,Inst2)
SDN Controller
Inst2Inst1
13
Packet arrivals during move
• Packets may arrive during a move operation
• Fix: suspend traffic flow and buffer packets– May last 100s of ms => connection timeouts– Packets in-transit when buffering starts are dropped
111
Inst2 ismissingupdates
Inst2Inst1
move(yellow,Inst1 ,Inst2 )
Loss-free: All state updates due to packet processing should be reflected in the transferred state, and all
packets the switch receives should be processed
Use events for loss-free move
• enableEvents(blue,drop) on Inst1;
• get/delete on Inst1; put on Inst2
• Buffer events at controller• Flush packets in
events to Inst2
• Update forwarding
14
SInst2Inst1
AS
S S,S+AS+A
S+A
S,S+A,A
15
Re-ordering of packets
Order-preserving: All packets should be processed in the order they were forwarded
to the NF instances by the switch
Controller Switch Inst2
Flush buffer
Request forwarding update
Inst1
S+A
S+AA
AD1
D2D1
D1
D1
S+AA
D2
D1
• Flush packets in events to Inst2
• enableEvents(blue,buffer) on Inst2
• Forwarding update: send to Inst1 & controller• Wait for packet from
switch (remember last)• Forwarding update:
send to Inst2
• Wait for event for last packet from Inst2
• Release buffer of packets on Inst2
Order-preserving move
16
S
SS,S+A
S+A
S,S+A,AA
AAD1
S,S+A,A,D1
17
Copy and share operations
• Used when multiple instances need to access a particular piece of state
• Copy – no or eventual consistency– Issue once, periodically, based on events, etc.
• Share – strong or strict consistency– All packets reaching NF instances trigger an event– Packets in events are released one at a time– State is copied between packets
Example app: Load balanced network monitoring
movePrefix(prefix,oldInst,newInst): copy(oldInst,newInst,{nw_src:prefix},multi) move(oldInst,newInst,{nw_src:prefix},per,LF+OP) while (true): sleep(60) copy(oldInst,newInst,{nw_src:prefix},multi) copy(newInst,oldInst,{nw_src:prefix},multi)
scan.brovulnerable.broweird.bro
Example app: Selectively invoking advanced remote processing
enhanceProcessing(flowid,locInst): move(locInst,cloudInst,flowid,per,LF)
scan.brovulnerable.broweird.bro
scan.brovulnerable.broweird.brodetect-MHR.bro!
20
Implementation
• OpenNF Controller (≈3.8K lines of Java)– Written atop Floodlight
• Shared NF library (≈2.6K lines of C)• Modified NFs (3-8% increase in code)– Bro (intrusion detection)– PRADS (service/asset detection)– iptables (firewall and NAT)– Squid (caching proxy)
End-to-end benefits
• Load balanced monitoring with Bro IDS– Load: 10K pkts/sec cloud trace– After 180 sec: move HTTP flows (489) to new Bro
• OpenNF: 260ms to move (optimized, loss-free)– Log entries equivalent to using one instance
• VM replication: 3889 incorrect log entries• Forwarding control only: scale down delayed
by > 1500 seconds
22
Southbound API call processing
Serialization/deserialization costs dominate
Cost grows with state complexity
Efficiency with guarantees• State: 500 flows in PRADS; Load: 1000 pkts/s• Move
• Copy – 176ms• Share – 7ms (or more) for every packet
23
194 pktsdropped!
130 pktsbufferedat dstInst
230 pktsin events
Guarantees come at a cost!
24
Controller performance
Improve scalability with P2P state transfers
25
• Systematic engineered APIsimplemented by NFs and used by control applications
• Enables rich control of the packet processing happening across instances of an NF
• Provides key guarantees andrequires minimal NF modifications
Conclusion
http://agember.com/go/opennf