DIFANE Minlan Yu Princeton University Joint work with Mike - - PowerPoint PPT Presentation



SLIDE 1

Scalable Flow-Based Networking with DIFANE

Minlan Yu
Princeton University

Joint work with Mike Freedman, Jennifer Rexford and Jia Wang

SLIDE 2

What’s DIFANE?

  • Traditional enterprise
    – Hard to manage
    – Limited policies
    – Distributed
  • Flow-based networking
    – Easy to manage
    – Support fine-grained policy
    – Scalability remains a challenge

DIFANE: A scalable way to apply fine-grained policies in enterprises



SLIDE 3

Flexible Policies in Enterprises

  • Access control
    – Drop packets from malicious hosts
  • Customized routing
    – Direct Skype calls on a low-latency path
  • Measurement
    – Collect detailed HTTP traffic statistics

SLIDE 4

Flow-based Switches

  • Install rules in flow-based switches
    – Store rules in high speed memory (TCAM)
  • Perform simple actions based on rules
    – Rules: Match on bits in the packet header
    – Actions: Drop, forward, count

[Figure: flow space over src. and dst., with regions labeled "drop" and "forward via link 1"]

SLIDE 5

Challenges of Policy-Based Management

  • Policy-based network management
    – Specify high-level policies in a management system
    – Enforce low-level rules in the switches
  • Challenges
    – Large number of hosts, switches and policies
    – Limited TCAM space in switches
    – Support host mobility
    – No hardware changes to commodity switches

SLIDE 6

Pre-install Rules in Switches

[Figure: Controller; labels "Pre-install rules", "Packets hit the rules", "Forward"]

  • Problems:
    – No host mobility support
    – Switches do not have enough memory

SLIDE 7

Install Rules on Demand (Ethane, NOX)

[Figure: Controller; labels "First packet misses the rules", "Buffer and send packet header to the controller", "Install rules", "Forward"]

  • Problems:
    – Delay of going through the controller
    – Switch complexity
    – Misbehaving hosts


SLIDE 8

DIFANE: Combining Proactive & Reactive

[Table: features compared across Proactive, Reactive (Ethane) and DIFANE: Host mobility; Memory usage; Keep packet in data plane; Install rules]

SLIDE 9

DIFANE Architecture (two stages)

DIstributed Flow Architecture for Networked Enterprises


SLIDE 10

Stage 1

The controller proactively generates the rules and distributes them to authority switches.
 


SLIDE 11

Partition and Distribute the Flow Rules

[Figure: Controller, Ingress Switch, Egress Switch, and Authority Switches A, B and C; the flow space (accept / reject) is divided among Authority Switches A, B and C; label "Distribute partition information"]

SLIDE 12

Stage 2

The authority switches keep packets always in the data plane and reactively cache rules.
 


SLIDE 13

Packet Redirection and Rule Caching

[Figure: Ingress Switch, Authority Switch, Egress Switch; labels "First packet", "Following packets", "Hit cached rules and forward"]

A slightly longer path in the data plane is faster than going through the control plane


SLIDE 14

Locate Authority Switches

  • Partition information in ingress switches
    – Using a small set of coarse-grained wildcard rules
    – … to locate the authority switch for each packet
  • Distributed directory service but not DHT
    – Hashing does not work for wildcards
    – Keys can have wildcards in arbitrary bit positions

[Figure: flow space partitioned among the authority switches]
    X:0-1 Y:0-3   Authority Switch A
    X:2-5 Y:0-1   Authority Switch B
    X:2-5 Y:2-3   Authority Switch C


SLIDE 15

Packet Redirection and Rule Caching

[Figure: Ingress Switch, Authority Switch, Egress Switch; labels "First packet", "Following packets", "Hit cached rules and forward"; rule sets shown: Cache Rules, Partition Rules, Auth. Rules]


SLIDE 16

Three Sets of Rules in TCAM

Type             Priority  Field 1  Field 2  Action                          Timeout
Cache Rules      210       00**     111*     Forward to Switch B             10 sec
                 209       1110     11**     Drop                            10 sec
                 …         …        …        …                               …
Authority Rules  110       00**     001*     Forward, Trigger cache manager  Infinity
                 109       0001     0***     Drop, Trigger cache manager
                 …         …        …        …                               …
Partition Rules  15        0***     000*     Redirect to auth. switch
                 14        …        …        …
                 …         …        …

  • Cache Rules: in ingress switches, reactively installed by authority switches
  • Authority Rules: in authority switches, proactively installed by controller
  • Partition Rules: in every switch, proactively installed by controller


SLIDE 17

DIFANE Switch Prototype

Built with OpenFlow switch

[Figure: Data Plane holding Cache Rules, Authority Rules and Partition Rules; Control Plane holding the Cache Manager (only in auth. switches); labels "Notification", "Send Cache Updates", "Recv Cache Updates"]

Just software modification for authority switches

SLIDE 18

Caching Wildcard Rules

  • Overlapping wildcard rules
    – Cannot simply cache matching rules
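Why a matching wildcard rule cannot simply be cached, shown with the two authority rules from the "Three Sets of Rules in TCAM" slide (an added example, not part of the original slides). The two packets and the `dependent_cache` strategy are assumptions made for illustration and are not presented as DIFANE's own caching algorithm.

```python
# Added illustration. Rule values are the authority rules from the "Three Sets
# of Rules in TCAM" slide; the packets and caching strategies are assumptions.

def matches(pattern, bits):
    """Ternary match: '*' in the pattern matches either bit value."""
    return len(pattern) == len(bits) and all(p in ("*", b) for p, b in zip(pattern, bits))

def lookup(table, pkt):
    """Highest-priority rule whose two fields both match the packet, else None."""
    hits = [r for r in table if matches(r[1], pkt[0]) and matches(r[2], pkt[1])]
    return max(hits, key=lambda r: r[0], default=None)

def overlaps(a, b):
    """True if some packet can match both rules (no conflicting fixed bits)."""
    return all(x == y or "*" in (x, y) for x, y in zip(a[1] + a[2], b[1] + b[2]))

# (priority, field 1, field 2, action) as held by the authority switch
AUTHORITY = [
    (110, "00**", "001*", "forward"),
    (109, "0001", "0***", "drop"),
]

def naive_cache(pkt):
    """Cache only the single rule that the packet hit."""
    hit = lookup(AUTHORITY, pkt)
    return [hit] if hit else []

def dependent_cache(pkt):
    """Cache the hit rule plus every higher-priority rule that overlaps it."""
    hit = lookup(AUTHORITY, pkt)
    if hit is None:
        return []
    return [hit] + [r for r in AUTHORITY if r[0] > hit[0] and overlaps(r, hit)]

def decision(table, pkt):
    """Action taken by a switch holding `table`; a miss falls to the partition rule."""
    rule = lookup(table, pkt)
    return rule[3] if rule else "redirect to authority switch"

# Constructed packets: `first` hits only rule 109, `later` hits both rules.
first, later = ("0001", "0100"), ("0001", "0010")

if __name__ == "__main__":
    for name, cache in (("naive", naive_cache(first)), ("dependent", dependent_cache(first))):
        print(name, "cache:", decision(cache, later), "| policy:", decision(AUTHORITY, later))
```

With only rule 109 cached, the ingress switch drops a packet that the full policy forwards; with the rule actions swapped, the same shadowing would let through traffic that a higher-priority drop rule was meant to block.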

SLIDE 19

Caching Wildcard Rules

  • Multiple authority switches
    – Contain independent sets of rules
    – Avoid cache conflicts in ingress switch

[Figure: Authority switch 1, Authority switch 2]

SLIDE 20

Partition Wildcard Rules

  • Partition rules
    – Minimize the TCAM entries in switches
    – Decision-tree based rule partition algorithm

[Figure: two candidate cuts of the flow space, Cut A and Cut B; Cut B is better than Cut A]

SLIDE 21

Handling Network Dynamics

Network dynamics               Cache rules  Authority Rules  Partition Rules
Policy changes at controller   Timeout      Change           Mostly no change
Topology changes at switches   No change    No change        Change
Host mobility                  Timeout      No change        No change


SLIDE 22

Prototype Evaluation

  • Evaluation setup
    – Kernel-level Click-based OpenFlow switch
    – Traffic generators, switches, controller run on separate 3.0GHz 64-bit Intel Xeon machines
  • Compare delay and throughput
    – NOX: Buffer packets and reactively install rules
    – DIFANE: Forward packets to authority switches



22

SLIDE 23

Delay Evaluation

  • Average delay (RTT) of the first packet
    – NOX: 10 ms
    – DIFANE: 0.4 ms
  • Reasons for performance improvement
    – Always keep packets in the data plane
    – Packets are delivered without waiting for rule caching
    – Easily implemented in hardware to further improve performance

23

SLIDE 24

Peak Throughput

  • One authority switch; Single-packet flow

[Figure: Throughput (flows/sec) vs. Sending rate (flows/sec), both axes from 1K to 1,000K, for DIFANE and NOX; curves labeled 1 ingress switch, 2, 3, 4; annotations: Ingress switch Bottleneck (20K), Controller Bottleneck (50K), DIFANE (800K)]

DIFANE further increases the throughput linearly with the number of authority switches.


SLIDE 25

Scaling with Many Rules

  • How many authority switches do we need?
    – Depends on total number of rules
    – … and the TCAM space in these authority switches

                                     Campus    IPTV
# Rules                              30K       5M
# Switches                           1.7K      3K
Assumed Authority Switch TCAM size   160 KB    1.6 MB
Required # Authority Switches        5 (0.3%)  100 (3%)


SLIDE 26

Stepping back …

SLIDE 27

Distributed or Centralized?

[Figure: spectrum from "Logically-centralized in the management system" to "Distributed amongst the network elements"; labels: OpenFlow/NOX, DIFANE, All functions in switches]

  • Controller is still in charge
  • Switches host a distributed directory of the rules


SLIDE 28

Thanks!