ORange: Multi Field OpenFlow based Range Classifier
Liron Schiff Tel Aviv University
Yehuda Afek Tel Aviv University
Anat Bremler-Barr Inter Disciplinary Center
The 11th ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS '15)
Supported by the European Research Council (ERC) Starting Grant no. 259085 and by the Israel Science Foundation Grant no. 1386/11.
Presenter: Netanel Cohen Inter Disciplinary Center
Range-based packet classification
Firewalls, Forwarding, Load Balancers, DDoS mitigation
[Figure labels: Internet, replicas]

Source IP Address:
Action     End            Start
Server r3  61.26.188.55   0.0.0.0
Server r1  61.37.255.0    61.26.188.56
Server r2  93.2.100.50    61.37.255.1
Drop       127.0.64.40    93.2.100.51
…          …              …

Destination IP Address:
Action     End            Start
Server r3  192.168.15.7   192.168.1.1
Server r1  192.168.99.1   192.168.1.1
Server r2  10.5.0.127     10.0.0.1
Drop       10.40.5.77     10.12.0.100
…          …              …
But
• OpenFlow matches can not be ranges!
  – Only masked values
• No consistent multi switch update
[Figure: Packet header (Field 1, Field 2, …, Field k); Flow Table of Flow Entries, each with Match and Actions]
Contributions
• Ranges classification in OpenFlow: ORange1
  – Costs 2 entries per range (instead of linear with field size, usually 16 or 32)
• Multi Field ranges classification: ORange-k
• Update consistency (with ranges)
  – Per packet, per flow and cross-entrance
Single Field Ranges classification in OpenFlow
ORange1
Ranges by Naive Prefix Expansion

Action    End           Start
Server A  125.37.255.0  125.26.188.56
Server B  126.2.100.50  125.37.255.1

• 2w - 2 entries per range
  – 62 entries per IPv4 range
  – 254 entries per IPv6 range

Action    Pattern
Server A  125.26.188.[00111***]
Server A  125.26.188.[01******]
Server A  125.26.188.[1*******]
Server A  125.[00011011].*.*
Server A  125.[000111**].*.*
Server A  125.[001000**].*.*
Server A  125.[00100100].*.*
Server A  125.37.[0*******].*
Server A  125.37.[10******].*
Server A  125.37.[110*****].*
Server A  125.37.[1110****].*
Server A  125.37.[11110***].*
Server A  125.37.[111110**].*
Server A  125.37.[1111110*].*
Server A  125.37.[11111110].*
Server A  125.37.255.0
Server B  125.37.255.1
Server B  125.37.255.[0000001*]
Server B  125.37.255.[000001**]
Server B  125.37.255.[00001***]
Server B  125.37.255.[0001****]
Server B  125.37.255.[001*****]
Server B  125.37.255.[01******]
Server B  125.37.255.[1*******]
Server B  125.[0010011*].*.*
Server B  125.[00101***].*.*
Server B  125.[0011****].*.*
Server B  125.[01******].*.*
Server B  125.[1*******].*.*
Server B  126.[0000000*].*.*
Server B  126.2.[00******].*
Server B  126.2.[010*****].*
Server B  126.2.[011000**].*
Server B  126.2.100.[0010****]
Server B  126.2.100.[00110001]
Server B  126.2.100.[00110010]
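Added example (not from the slides): the naive expansion written out in Python. range_to_prefixes computes the minimal set of ternary prefixes covering a w-bit range, and worst_case reproduces the 2w - 2 bound on a worst-case range; all function names are chosen here for illustration.

```python
# Added example: naive prefix expansion of a range into ternary match entries.

def range_to_prefixes(lo, hi, w):
    """Minimal list of ternary prefixes ('0', '1', '*') that together match
    exactly the w-bit values lo..hi (inclusive)."""
    if not 0 <= lo <= hi < (1 << w):
        raise ValueError("need 0 <= lo <= hi < 2**w")
    prefixes = []
    while lo <= hi:
        # Largest aligned block that can start at lo (its lowest set bit) ...
        size = (lo & -lo) if lo else (1 << w)
        # ... shrunk until it no longer runs past hi.
        while size > hi - lo + 1:
            size >>= 1
        stars = size.bit_length() - 1          # number of wildcard bits
        fixed = format(lo >> stars, "b").zfill(w - stars) if stars < w else ""
        prefixes.append(fixed + "*" * stars)
        lo += size
    return prefixes

def worst_case(w):
    """Entry count for [1, 2**w - 2], a worst-case range for width w."""
    return len(range_to_prefixes(1, (1 << w) - 2, w))

def table_size(ranges, w):
    """Total flow entries needed to install every (lo, hi) range in `ranges`."""
    return sum(len(range_to_prefixes(lo, hi, w)) for lo, hi in ranges)

if __name__ == "__main__":
    # Constructed input: an 8-bit range and the IPv4 / IPv6 field widths.
    for p in range_to_prefixes(34, 55, 8):
        print(p)
    print(worst_case(32), worst_case(128))
```

An access-control or load-balancing policy written as ranges can therefore consume far more match entries than it has rules, which is the cost the rest of the talk addresses.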
Ternary CAMs (TCAMs)
• Associative Memory chips
• Properties:
  – Ternary values ('0', '1' and '*')
  – High throughput (300M ops per sec for 1Mb TCAM)
  – Used in routers (IP lookup, classification)
  – Expensive, high power consumption -> limited size
  – Sometimes used to implement Flow Tables
[Figure: TCAM with input (in), entry data, entry index and output (out)]
A non OpenFlow Approach - PIDR [Panigrahy & Sharma 2003]
R = [34, 55] = [00100010b, 00110111b]
Longest common prefix (LCP): 001
TCAMs:
  0-ELCPs: 0010****, …
  1-ELCPs: 0011****, …
A non OpenFlow Approach - PIDR [Panigrahy & Sharma 2003]
[Figure: two paths, each Query (TCAM), Read Range Bound, Compare; comparisons shown: "51 > 62?" and "51 < 55?"]
Adapting PIDR to OpenFlow
PIDR:
• Special hardware design
  – Parallel TCAMs
  – Query and read range bounds
  – Comparing with bounds
• Static configuration
  – No online updates
ORange1:
• New OpenFlow design
  – OpenFlow pipeline
  – Match+Action sets field
  – Compare by flow table and metadata field
• Dynamic configuration
  – Consistent updates
Adapting PIDR to OpenFlow
• Even Comparisons are Flow-Table based!
[Figure: Query and Read Range Bound are labelled "Flow Table match + action"; the two Compare steps are labelled "Flow Table based comparisons"]
Adapting PIDR to OpenFlow
[Figure: ORange1 OpenFlow pipeline. Stages: ELCP1s (size n TCAM), Compare max ≥ q (size 2w TCAM), ELCP0s (size n TCAM), Compare min ≤ q (size 2w TCAM), RIDs (size n CAM), Range Action. Metadata labels: q, max/min, rid, <tmp>. Edge labels: True, False, no match; Drop / controller. Example values: 51, 55, Range 0.]
Reducing Pipeline Length
[Figure: the same ORange1 pipeline, with two annotations:]
• No need if ranges span the entire space
• Can be implemented by the groups table
ORange1 Implementation
• Space Complexity (entries per range)
  – Naive Approach: 2w-2
  – Our work: 2
  e.g. for 100 IPv4 ranges: 6,200 vs 265 entries (2 per range + 65 for comparison table)
• Limitation
  – only disjoint ranges
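Added example (not the authors' code): a Python model of the two-table ELCP lookup behind PIDR and ORange1, with two entries per range. The table order is read off the pipeline figure, ordinary integer comparison stands in for the flow-table comparison stage, and the exact-match entry for single-value ranges is an assumption of this sketch.

```python
# Added example: range lookup with one 0-ELCP and one 1-ELCP entry per range.
W = 8  # field width in bits (assumption: the 8-bit width of R = [34, 55])

def elcps(lo, hi, w=W):
    """(0-ELCP, 1-ELCP) of [lo, hi] with lo < hi, as bit-string prefixes."""
    a, b = format(lo, "b").zfill(w), format(hi, "b").zfill(w)
    n = next(i for i in range(w) if a[i] != b[i])   # length of the LCP
    return a[:n] + "0", a[:n] + "1"

def build(ranges, w=W):
    """ranges: {rid: (lo, hi)}, pairwise disjoint. Returns the two tables."""
    t0, t1 = {}, {}
    for rid, (lo, hi) in ranges.items():
        if lo == hi:                      # single value: one exact-match entry
            t1[format(lo, "b").zfill(w)] = (rid, hi)
            continue
        p0, p1 = elcps(lo, hi, w)
        t0[p0] = (rid, lo)                # q under p0 is below hi; check q >= lo
        t1[p1] = (rid, hi)                # q under p1 is above lo; check q <= hi
    return t0, t1

def lpm(table, q, w=W):
    """Longest-prefix match, standing in for a priority-ordered TCAM."""
    bits = format(q, "b").zfill(w)
    for n in range(w, 0, -1):
        if bits[:n] in table:
            return table[bits[:n]]
    return None

def classify(tables, q, w=W):
    """Range id containing q, or None (drop / send to controller)."""
    t0, t1 = tables
    hit = lpm(t1, q, w)
    if hit is not None and q <= hit[1]:   # "Compare max >= q"
        return hit[0]
    hit = lpm(t0, q, w)
    if hit is not None and hit[1] <= q:   # "Compare min <= q"
        return hit[0]
    return None

if __name__ == "__main__":
    tables = build({0: (34, 55)})         # the range and query from the slides
    print(elcps(34, 55), classify(tables, 51), classify(tables, 56))
```

Each table is searched by longest prefix independently: with adjacent ranges such as [34, 53] and [54, 57], the query 51 hits the other range's longer 0-ELCP, and only the 1-ELCP table returns the right range.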
k field Ranges Classification
ORange-k
Multi Dimensional Ranges
• Naive expansion: #entries exponentially grows with the dimension k: (2w-2)^k entries per range
Bigger problem!

range  x     y
1      0001  0001
1      0001  001*
1      0001  010*
1      0001  0110
1      001*  0001
1      001*  001*
1      001*  010*
1      001*  0110
1      010*  0001
1      010*  001*
1      010*  010*
1      010*  0110
1      0110  0001
1      0110  001*
1      0110  010*
1      0110  0110
3      10**  0111
3      10**  10**
3      10**  110*
2      0011  01**
2      0011  100*
2      0011  1010
2      01**  01**
2      01**  100*
2      01**  1010
2      10**  01**
2      10**  100*
2      10**  1010
2      1100  01**
2      1100  100*
2      1100  1010
Field Reduction
• Given k-dimensional ranges:
  r1 = [1, 6] x [1, 6]
  r2 = [4, 10] x [3, 12]
  r3 = [7, 13] x [8, 11]
• We project them on each axis
• We decompose each axis into disjoint intervals:
  [1,3], [4,6], [7,10], [11,13]
• We re-encode the ranges according to interval ids:
  r'1 = [0, 1] x [0, 1]
  r'2 = [1, 2] x [1, 4]
  r'3 = [2, 3] x {3}
• For each packet we re-encode its field values:
  (y, x) = (8, 4) -> (y', x') = (2, 1)
• Smaller fields make much smaller k-dimensional encoding

range  x'   y'
1      00*  00*
1      001  001
1      001  010
3      011  01*
2      01*  001
2      01*  010
2      100  001
2      100  010
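Added example (not from the slides): the field reduction steps in Python, using r1, r2 and r3 from the slides. A sorted-list lookup stands in for the per-field ORange1 classifier, the function names are illustrative, and the sample packets are constructed.

```python
# Added example: project, split into disjoint intervals, re-encode, classify.
from bisect import bisect_right

def axis_starts(ranges, dim):
    """Sorted interval start points on one axis: every lo and every hi + 1
    of a projected range opens a new disjoint interval."""
    cuts = set()
    for r in ranges.values():
        lo, hi = r[dim]
        cuts.update((lo, hi + 1))
    return sorted(cuts)

def encode_value(starts, v):
    """Interval id of v, or None if v lies outside all projections."""
    i = bisect_right(starts, v) - 1
    return i if 0 <= i < len(starts) - 1 else None

def reduce_fields(ranges):
    """Return (per-axis interval starts, ranges re-encoded in interval ids)."""
    k = len(next(iter(ranges.values())))
    axes = [axis_starts(ranges, d) for d in range(k)]
    reduced = {
        rid: tuple((encode_value(axes[d], r[d][0]), encode_value(axes[d], r[d][1]))
                   for d in range(k))
        for rid, r in ranges.items()
    }
    return axes, reduced

def classify(axes, reduced, packet):
    """Ids of all (possibly overlapping) ranges that contain the packet."""
    ids = [encode_value(s, v) for s, v in zip(axes, packet)]
    if None in ids:
        return []
    return [rid for rid, r in reduced.items()
            if all(lo <= i <= hi for (lo, hi), i in zip(r, ids))]

# The three 2-dimensional ranges from the slides, as (first axis, second axis).
RANGES = {"r1": ((1, 6), (1, 6)), "r2": ((4, 10), (3, 12)), "r3": ((7, 13), (8, 11))}

if __name__ == "__main__":
    axes, reduced = reduce_fields(RANGES)
    print(axes[0])                           # interval starts on the first axis
    print(reduced)                           # the r' encoding
    print(classify(axes, reduced, (5, 4)))   # constructed packet in r1 and r2
```

The re-encoded fields need only enough bits to number the intervals on each axis, so the prefix expansion is applied to much narrower fields.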
ORange-k Implementation
• Re-encode each field in the metadata field
• Then classify by new (smaller) k field ranges
[Figure: Packet header (field 1, field 2, …, field k); ORange1 Classifier #1, #2, …, #k; Metadata (f1, f2, …, fk); k dims. Classifier. Values shown: 8, 4, 2, 1.]
ORange-k Implementation
• Space Complexity (entries per range)
  – Naive expansion:
  – Our approach:
  e.g. for 100 2-dimensional IPv4 ranges: 20k vs 380k entries in the worst case
• Pipeline length
• Atomic updates (next slides)
• Works well with overlapping ranges
ORange-k Space Improvement
• 1000 Random ranges
• 16bit fields
[Chart: Improvement (%), axis 0% to 60%, versus # dimensions (1 to 4), w=16]
ORange-k Space Improvement
• Total space for 100 Random 4-dimensional ranges.
[Chart: Space (bits), axis 1.00E+03 to 1.00E+09, versus width (bits), 8 to 64; series: Naïve expansion, ORange]
Consistency As time permits
Update Consistency
Consistency of adding, changing and deleting ranges
Three levels of consistency:
• Per-Packet
• Per-Flow
• Cross-Entrance
Per-Packet consistency
• Change affects several entries

Action    End           Start
Server A  125.37.255.0  125.26.188.56
Server B  126.2.100.50  125.37.255.1
[Slide annotation on the table: 36, 36]

Flow table:
Action    Pattern
Server A  125.26.188.[00111***]
Server A  125.26.188.[01******]
Server A  125.26.188.[1*******]
Server A  125.[00011011].*.*
Server A  125.[000111**].*.*
Server A  125.[001000**].*.*
Server A  125.[00100100].*.*
Server A  125.37.[0*******].*
Server A  125.37.[10******].*
Server A  125.37.[110*****].*
Server A  125.37.[1110****].*
Server A  125.37.[11110***].*
Server A  125.37.[111110**].*
Server A  125.37.[1111110*].*
Server A  125.37.[11111110].*
Server A  125.37.255.0
Server B  125.37.255.1
Server B  125.37.255.[0000001*]
Server B  125.37.255.[000001**]
Server B  125.37.255.[00001***]
Server B  125.37.255.[0001****]
Server B  125.37.255.[001*****]
Server B  125.37.255.[01******]
Server B  125.37.255.[1*******]
Server B  125.[0010011*].*.*
Server B  125.[00101***].*.*
Server B  125.[0011****].*.*
Server B  125.[01******].*.*
Server B  125.[1*******].*.*
Server B  126.[0000000*].*.*
Server B  126.2.[00******].*
Server B  126.2.[010*****].*
Server B  126.2.[011000**].*
Server B  126.2.100.[0010****]
Server B  126.2.100.[00110001]
Server B  126.2.100.[00110010]
Changed entries:
Server A  125.36.[0*******].*
Server A  125.36.[10******].*
Server A  125.36.[110*****].*
Server A  125.36.[1110****].*
Server A  125.36.[11110***].*
Server A  125.36.[111110**].*
Server A  125.36.[1111110*].*
Server A  125.36.[11111110].*
Server A  125.36.255.0
Server B  125.36.255.1
Server B  125.36.255.[0000001*]
Server B  125.36.255.[000001**]
Server B  125.36.255.[00001***]
Server B  125.36.255.[0001****]
Server B  125.36.255.[001*****]
Server B  125.36.255.[01******]
Server B  125.36.255.[1*******]
Server B  125.[00100101].*.*
Per-Packet consistency
• Change affects several entries
• Need atomicity (while traffic passes thru)
• Existing solutions implemented using packet buffering, or duplicating and switching tables
[Figure: Flow Table Accesses over time: modify entry, modify entry, modify entry (Single range update); Packet match]
Per-Flow Consistency [Reitblatt, Foster, Rexford, Schlesinger, Walker 2012]
[Figure labels: Internet, client's IPs, replicas]

Action    End           Start
Server 2  125.37.255.0  125.26.188.56
Server 3  126.2.100.50  125.37.255.1
…

• Change in weights
• Change in ranges [slide annotation on the table: 36, 36]
• But existing flow shouldn't change
Per-Flow Consistency [Wang, Butnariu, Rexford, 2011]
[Figure labels: client's IPs, replicas, New flow]

Action    End           Start
Server 2  125.37.255.0  125.26.188.56
Server 3  126.2.100.50  125.37.255.1
…
[Slide annotation on the table: 36, 36]
Cross-Entrance Consistency
[Figure labels: client's IPs, Internet, SDN Network, replicas; marks: ?, X]
Summary
• Efficient Ranges implementation in OpenFlow
  – One dimensional – ORange1
  – Multi-dimensional – ORange-k
• Update Consistency
  – Per packet
  – Per flow
  – Cross-entrance
Questions?