flip the flow table fast lightweight policy preserving
play

FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN - PowerPoint PPT Presentation

Aug 27, 2022 β€’99 likes β€’812 views

FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN Updates Stefano Vissicchio (UCLouvain) stefano.vissicchio@uclouvain.be INFOCOM 13th April 2016 Joint work with Luca Cittadini (Roma Tre University) SDN controller Operators

  1. FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN Updates Stefano Vissicchio (UCLouvain) stefano.vissicchio@uclouvain.be INFOCOM 13th April 2016 Joint work with Luca Cittadini (Roma Tre University)

  2. SDN controller

  3. Operators’ requirements are an input for SDN controllers requirements packet delivery firewall traversal

  4. To satisfy input requirements, the controller programs rules on the switches requirements packet delivery firewall traversal match flow F out apply F: F: action v in z u F: F:

  5. By applying such rules, switches can process incoming packets requirements packet delivery firewall traversal applied rule out flow F F: F: v in z u F: F:

  6. Switch rules have to be (frequently) updated e.g., for traffic surges, maintenance, new policies requirements packet delivery firewall traversal out F: F: v in z u F: F:

  7. How to update rules on switches safely, robustly and efficiently?

  8. How to update rules on switches safely, robustly and efficiently? requirements are not violated during the update

  9. How to update rules on switches safely, robustly and efficiently? independently of uncontrollable factors (messages lost, switch installation time, etc.)

  10. How to update rules on switches safely, robustly and efficiently? quickly and with low resource utilization

  11. FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN Updates Limitations of prior works Additional degrees of freedom Our approach

  12. FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN Updates Limitations of prior works Additional degrees of freedom Our approach

  13. How to update rules on switches safely, robustly and efficiently? Previous techniques cannot do it!

  14. Previous techniques belong to two main families ordered rule replacements [McClurg15] replace initial with final rules in a carefully-computed order two-phase commit [Reitblatt12,Jin14] add final rules to initial ones apply rules consistently, with packet tags

  15. Previous techniques belong to two main families ordered rule replacements [McClurg15] not always replace initial with final rules applicable in a carefully-computed order two-phase commit [Reitblatt12,Jin14] add final rules to initial ones apply rules consistently, with packet tags

  16. Ordering rule replacements is not possible in our example requirements packet delivery firewall traversal out flow F initial v in z u final

  17. Final rules cannot be installed on any switch among u, v and z requirements packet delivery firewall traversal out flow F F: F: v in z u F:

  18. Case 1) Installing final rule at u would violate our security policy requirements packet delivery firewall traversal install final rule out flow F F: F: v in z u v

  19. Case 2) Installing final rule at v would violate our security policy requirements packet delivery firewall traversal install final rule out flow F F: F: v in z u z F:

  20. Case 3) Installing final rule at z would prevent packet delivery requirements packet delivery firewall traversal install final rule out flow F F: F: v in z u F:

  21. Simultaneous rule replacements are not robust e.g., like in time-based approaches [Mizrahi16]

  22. In our example, we could instruct u, v and z to replace their rules at the same time t requirements packet delivery firewall traversal install final rules at t out flow F F: F: v in z u F:

  23. However, this can lead to transient problems at t e.g., because of per-switch installation time requirements packet delivery firewall traversal up to several seconds [Jin14] out flow F v in z u

  24. Also, we can trigger permanent problems at t e.g., if a switch does not apply a command requirements packet delivery firewall traversal w flow F v in z u

  25. Previous techniques belong to two main families ordered rule replacements [McClurg15] replace initial with final rules in a carefully-computed order two-phase commit [Reitblatt12,Jin14] inefficient add final rules to initial ones apply rules consistently, with packet tags

  26. Two-phase commit techniques are not efficient in our example requirements packet delivery firewall traversal out flow F F: F: v in z u F: F:

  27. Indeed, they are based on maintaining both initial and final rules on internal switches requirements packet delivery firewall traversal if tag 𝝊 , use final rule out F, 𝝊 : F, 𝝊 : flow F F: F: v in z u F, 𝝊 : F: F:

  28. So that switches keep applying initial rules… requirements packet delivery firewall traversal out F, 𝝊 : F, 𝝊 : flow F F: F: v in z u F: F, 𝝊 : F:

  29. … as long as packets are not tagged at the ingress requirements packet delivery firewall traversal out F, 𝝊 : F, 𝝊 : use final rule and add tag 𝝊 flow F F: F: v in z u F: 𝝊 F, 𝝊 : F:

  30. When packets are tagged at the ingress, all switches consistently use the final rules requirements packet delivery firewall traversal out F, 𝝊 : F, 𝝊 : flow F 𝝊 F: F: 𝝊 𝝊 v in z u 𝝊 F: 𝝊 F, 𝝊 : F:

  31. However, these techniques consumes precious and expensive memory (TCAM) entries requirements packet delivery firewall traversal out F, 𝝊 : F, 𝝊 : flow F 𝝊 F: F: 𝝊 v in z u 𝝊 F, 𝝊 : F: 𝝊 F:

  32. FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN Updates Limitations of prior works Additional degrees of freedom Our approach

  33. How to update rules on switches safely, robustly and efficiently? We can do it!

  34. The key intuition is to combine rule replacement and additions

  35. Let’s take back our example and start from the initial state requirements packet delivery firewall traversal out flow F F: F: v in z u F: F:

  36. We can start tagging packets at v, at the very beginning of the update requirements packet delivery firewall traversal add tag 𝝊 out flow F F: F: v in z u 𝝊 F:

  37. This does not change the applied rules (since no switch matches the tag yet) requirements packet delivery firewall traversal out 𝝊 flow F F: F: v in z u 𝝊 𝝊 F:

  38. We can then match the tag at z, still without changing the forwarding requirements packet delivery firewall traversal use initial rule, if and only if tag 𝝊 out F, 𝝊 : 𝝊 flow F F: F: v in z u 𝝊 𝝊 F:

  39. Tagging at v and matching at z unlock rule replacement at u requirements packet delivery firewall traversal install final rule out F, 𝝊 : 𝝊 flow F F: F: v in z u 𝝊 𝝊 F:

  40. Indeed, the resulting forwarding loop is traversed only once by packets requirements packet delivery firewall traversal used for packets from v out F, 𝝊 : 𝝊 flow F F: F: v in z u used for 𝝊 𝝊 F: packets from u

  41. We can then instruct v to apply its final rule (even in parallel with u) requirements packet delivery firewall traversal use final rule out F, 𝝊 : flow F F: F: v in z u F:

  42. and complete the update by cleaning z’s configuration requirements packet delivery firewall traversal use final rule out flow F F: F: v in z u F:

  43. Using both rule replacements and additions is more powerful than restricting to any of them solves our update problem contrary to ordered rule replacement ensures robustness rollbacking before affecting safety uses additional rules only on z 33% with respect to two-phase commit

  44. Using both rule replacements and additions makes the update problem more challenging larger search space we must consider combinations of rule replacements and additions tricky interactions in intermediate states e.g., we must distinguish loops that prevent packet delivery from the good ones

  45. FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN Updates Limitations of prior works Additional degrees of freedom Our approach

  46. We propose a framework to systematically combine rule replacements and additions formalization & modeling of problem, search space, and solutions FLIP algorithm to compute safe operational sequences evaluation including a comparison with the state of the art

  47. We released a prototype implementation of our approach compute sequence (input) (output) for flow 1 safe update operational … divide merge problem sequence compute sequence for flow N FLIP code available at http://inl.info.ucl.ac.be/softwares/flip

  48. In our formalization, we allow complex policies… compute sequence (input) (output) for flow 1 safe update operational … divide merge problem sequence compute sequence for flow N initial and final rules forwarding correctness policies: a flow must traverse path P1 or path P2 or … Pn

  49. … and combinations of rule replacements and additions compute sequence (input) (output) for flow 1 safe update operational … divide merge problem sequence compute sequence for flow N Each step includes replacements and additions safe to apply in any relative order before the next step

  50. FLIP is based on a divide-and-conquer approach compute sequence (input) (output) for flow 1 safe update operational … divide merge problem sequence compute sequence for flow N

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Two Birds, One Stone: A Fast, yet Lightweight, Indexing Scheme for Modern Database Systems Jia Yu

Two Birds, One Stone: A Fast, yet Lightweight, Indexing Scheme for Modern Database Systems Jia Yu

Two Birds, One Stone: A Fast, yet Lightweight, Indexing Scheme for Modern Database Systems Jia Yu and Mohamed Sarwat Arizona State University Motivation Tree index Fast index search Large storage overhead: 5% - 15% additional

371 views β€’ 23 slides
New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K.

New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K.

New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K. Schramm Workshop on Fast Software Encryption 2007 Outline Introduction Why lightweight? Why choose DES? DESL: DES Lightweight Why change DES?

364 views β€’ 12 slides
Digital Design Discussion: Flip-Flops D-Latch Design Latch vs. Flip-Flop Timing D-latch Design

Digital Design Discussion: Flip-Flops D-Latch Design Latch vs. Flip-Flop Timing D-latch Design

Principles Of Digital Design Discussion: Flip-Flops D-Latch Design Latch vs. Flip-Flop Timing D-latch Design Design a gated D-latch using NAND gates and inverters. Draw the schematic and create a truth table for it. An implementation of

54 views β€’ 4 slides
4/19/2013 Fast and reliable Portable and easy to install PRESERVING, GENERATING, AND

4/19/2013 Fast and reliable Portable and easy to install PRESERVING, GENERATING, AND

4/19/2013 Fast and reliable Portable and easy to install PRESERVING, GENERATING, AND VISUALIZING KNOWLEDGE OF ARCHITECTURALLY SIGNIFICANT REQUIREMENTS IN SOURCE CODE Institute for Software Research Distinguished Speaker Series University

534 views β€’ 25 slides
Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1. About Think Lightweight 2. What are Lightweight Structures? 3. Industry Applications 4. Product Line Review 5. Think Lightweight Component

832 views β€’ 43 slides
Hermes: A Language for Lightweight Encryption Torben gidius Mogensen RC 2020 Background:

Hermes: A Language for Lightweight Encryption Torben gidius Mogensen RC 2020 Background:

Hermes: A Language for Lightweight Encryption Torben gidius Mogensen RC 2020 Background: Lightweight Encryption Lightweight: Meant to be fast. Symmetric key: Same key used for encryption and decryption. Used in embedded systems, browsers,

300 views β€’ 12 slides
Ice Streams und Isbr 1 Ice Streams: Causes for Rapid Ice Flow Fast ice flow is controlled by

Ice Streams und Isbr 1 Ice Streams: Causes for Rapid Ice Flow Fast ice flow is controlled by

Ice Streams und Isbr 1 Ice Streams: Causes for Rapid Ice Flow Fast ice flow is controlled by many different factors which change on different time scales. Panel Controlling Factor Time Scale 7 meltwater fluxes short < 1 - 100 a 4

589 views β€’ 14 slides
Efficient Lightweight Compression Alongside Fast Scans Orestis Polychroniou Kenneth A. Ross

Efficient Lightweight Compression Alongside Fast Scans Orestis Polychroniou Kenneth A. Ross

Efficient Lightweight Compression Alongside Fast Scans Orestis Polychroniou Kenneth A. Ross DaMoN 2015, Melbourne, Victoria, Australia Databases & Compression Process data on disk Nearly unlimited capacity Affects query

490 views β€’ 48 slides
Fast lightweight accurate xenograft sorting (Faster xenograft sorting with 3-way bucketed Cuckoo

Fast lightweight accurate xenograft sorting (Faster xenograft sorting with 3-way bucketed Cuckoo

Fast lightweight accurate xenograft sorting (Faster xenograft sorting with 3-way bucketed Cuckoo hashing of k -mers) Sven Rahmann & Jens Zentgraf Genome Informatics, Institute of Human Genetics University of Duisburg-Essen, Essen, Germany

463 views β€’ 29 slides
On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1

On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1

On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1 AIST, Japan Kolkata, India (16 November 2018) 1 / 38 Table of contents 1 Introduction 2 Lightweight Crypto Stack for Circuit/RAM Size Requirement

670 views β€’ 38 slides
INTEGRA: INTEGRA: Fast Multi-Bit Flip-Flop Clustering for Clock Power Saving Based on g

INTEGRA: INTEGRA: Fast Multi-Bit Flip-Flop Clustering for Clock Power Saving Based on g

INTEGRA: INTEGRA: Fast Multi-Bit Flip-Flop Clustering for Clock Power Saving Based on g Interval Graphs I RIS H UI -R U J IANG C HIH -L ONG C HANG Y U M ING Y ANG Y U -M ING Y ANG NCTU NCTU E VAN Y U -W EN T SAI L ANCER S HENG -F ONG C HEN L

598 views β€’ 44 slides
Tidy Table Tidy Table | The Problem Food courts and fast food restaurants are often full of empty,

Tidy Table Tidy Table | The Problem Food courts and fast food restaurants are often full of empty,

Purple B Sketch Model Review Tidy Table Tidy Table | The Problem Food courts and fast food restaurants are often full of empty, but dirty/trash-covered tables . McDonalds Lobdell Tidy Table | Design Goal Design a new table to simply and

690 views β€’ 13 slides
Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond

Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond

Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond Cheng, Dawn Song | UC Berkeley & Oasis Labs with support from the TVM team and community! Ideal: data providers pool data to train a large, complex

1.41k views β€’ 58 slides
Fast Anisotropic Smoothing of Multi-Valued Images using Curvature-Preserving PDEs David

Fast Anisotropic Smoothing of Multi-Valued Images using Curvature-Preserving PDEs David

Fast Anisotropic Smoothing of Multi-Valued Images using Curvature-Preserving PDEs David Tschumperl CNRS UMR 6072 (GREYC/ENSICAEN) - Image Team MIA2006, Paris/France, Sept. 2006 Presentation Layout Diffusion PDEs for Multi-Valued

523 views β€’ 51 slides
Generation of Flow-Preserving Orocos Implementations of Simulink/Scicos Models Matteo Morelli and

Generation of Flow-Preserving Orocos Implementations of Simulink/Scicos Models Matteo Morelli and

Generation of Flow-Preserving Orocos Implementations of Simulink/Scicos Models Matteo Morelli and Marco Di Natale IEEE-ICRA 2013, Workshop On Software Development and Integration in Robotics May 6th, 2013 TeCIP Institute, Scuola Superiore

733 views β€’ 23 slides
Privacy Preserving Privacy Preserving Netw ork Flow Netw ork Flow Recording Recording Bilal

Privacy Preserving Privacy Preserving Netw ork Flow Netw ork Flow Recording Recording Bilal

Privacy Preserving Privacy Preserving Netw ork Flow Netw ork Flow Recording Recording Bilal Shebaro Shebaro (Computer Science (Computer Science- - UNM) UNM) Bilal Jedidiah R. Crandall R. Crandall (Computer Science (Computer Science- -

464 views β€’ 33 slides
A modified form of Cheneys Algorithm to allow mutator to progress during a GC cycle Main idea

A modified form of Cheneys Algorithm to allow mutator to progress during a GC cycle Main idea

A modified form of Cheneys Algorithm to allow mutator to progress during a GC cycle Main idea of Bakers algorithm Dont let the mutator see a white object Cannot disrupt collect During collection each mutator read from

392 views β€’ 16 slides
Shohreh Sharif Mansouri and Elena Dubrova Department of Electronic Systems Royal Institute of

Shohreh Sharif Mansouri and Elena Dubrova Department of Electronic Systems Royal Institute of

An Improved Hardware Implementation of the Grain-128a Stream Cipher Shohreh Sharif Mansouri and Elena Dubrova Department of Electronic Systems Royal Institute of Technology (KTH), Stockholm Email:{shsm,dubrova}@kth.se Overview Motivation

556 views β€’ 24 slides
SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of:

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of:

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of: Christoph Dobraunig, Maria Eichlseder, Hannes Gro, Thomas Korak, Stefan Mangard, Florian Mendel, Robert Primas Are Protected Implementations Hard to

413 views β€’ 17 slides
Local Search Techniques Marijn J.H. Heule Warren A. Hunt Jr. The University of Texas at Austin

Local Search Techniques Marijn J.H. Heule Warren A. Hunt Jr. The University of Texas at Austin

Local Search Techniques Marijn J.H. Heule Warren A. Hunt Jr. The University of Texas at Austin Heule & Hunt (UT Austin) Local Search Techniques 1 / 8 Local Search: Generic structure Generic structure of local search Sat solvers 1: for i

759 views β€’ 16 slides
Chapter 3 Learn how to design simple logic circuits. Understand how digital circuits work

Chapter 3 Learn how to design simple logic circuits. Understand how digital circuits work

Chapter 3 Objectives Understand the relationship between Boolean logic and digital computer circuits. Chapter 3 Learn how to design simple logic circuits. Understand how digital circuits work together to Boolean Algebra and form

448 views β€’ 19 slides
State Prof. Hakim Weatherspoon CS 3410 Computer Science Cornell University [Weatherspoon,

State Prof. Hakim Weatherspoon CS 3410 Computer Science Cornell University [Weatherspoon,

State Prof. Hakim Weatherspoon CS 3410 Computer Science Cornell University [Weatherspoon, Bala, Bracy, and Sirer] Goals for Today State How do we store one bit? Attempts at storing (and changing) one bit - Set-Reset Latch - D Latch

736 views β€’ 38 slides
Lesson 9 Clocks, Memory elements, (Flip-flops, Latches and Registers) And Processors A A basic

Lesson 9 Clocks, Memory elements, (Flip-flops, Latches and Registers) And Processors A A basic

Lesson 9 Clocks, Memory elements, (Flip-flops, Latches and Registers) And Processors A A basic MIPS implementation We examine implementation of the following instructions o The memory-reference instructions load word (lw) and store word

885 views β€’ 19 slides
Chapter 5 Synchronous Sequential Logic 5-1 Outline ! Sequential Circuits ! Latches ! Flip-Flops

Chapter 5 Synchronous Sequential Logic 5-1 Outline ! Sequential Circuits ! Latches ! Flip-Flops

Chapter 5 Synchronous Sequential Logic 5-1 Outline ! Sequential Circuits ! Latches ! Flip-Flops ! Analysis of Clocked Sequential Circuits ! State Reduction and Assignment ! Design Procedure 5-2 1 Sequential Circuits ! Consist of a

595 views β€’ 30 slides

More recommend