[PPT] - Hierarchical Policies for Software Defined Networks Andrew PowerPoint Presentation

SLIDE 1

Hierarchical Policies for Software Defined Networks

Andrew Ferguson, Arjun Guha, Chen Liang, Rodrigo Fonseca, and Shriram Krishnamurthi

1

SLIDE 2

Particpatory Networking

2

SLIDE 3

3

SLIDE 4

4

SLIDE 5

5

SLIDE 6 TCP Nice: A Mechanism for Background Transfers Arun Venkataramani Ravi Kokku Mike Dahlin Laboratory of Advanced Systems Research Department of Computer Sciences University of Texas at Austin, Austin, TX 78712 arun, rkoku, dahlin @cs.utexas.edu Abstract Many distributed applications can make use of large background transfers transfers of data that humans are not waiting for to improve availability, reliability, latency or consistency. However, given the rapid fluc- tuations of available network bandwidth and changing resource costs due to technology trends, hand tuning the aggressiveness of background transfers risks (1) compli- cating applications, (2) being too aggressive and inter- fering with other applications, and (3) being too timid and not gaining the benefits of background transfers. Our goal is for the operating system to manage network resources in order to provide a simple abstraction of near zero-cost background transfers. Our system, TCP Nice, can provably bound the interference inflicted by background flows on foreground flows in a restricted network

model. And our microbenchmarks and case study appli-

cations suggest that in practice it interferes little with foreground flows, reaps a large fraction of spare network bandwidth, and simplifies application construction and deployment. For example, in our prefetching case study application, aggressive prefetching improves demand performance by a factor of three when Nice man- ages resources; but the same prefetching hurts demand performance by a factor of six under standard network congestion control. 1 Introduction Many distributed applications can make use of large background transfers transfers of data that humans are not waiting for to improve service quality. For example, a broad range of applications and services such as data backup [29], prefetching [50], enterprise data distribution [20], Internet content distribution [2], and peer- to-peer storage [16, 43] can trade increased network This work was supported in part by an NSF CISE grant (CDA- 9624082), the Texas Advanced Technology Program, the Texas Ad- vanced Research Program, and Tivoli. Dahlin was also supported by an NSF CAREER award (CCR-9733842) and an Alfred P. Sloan Re- search Fellowship. bandwidth consumption and possibly disk space for improved service latency [15, 18, 26, 32, 38, 50], improved availability [11, 53], increased scalability [2], stronger consistency [53], or support for mobility [28, 41, 47]. Many of these services have potentially unlimited bandwidth demands where incrementally more bandwidth consumption provides incrementally better service. For example, a web prefetching system can improve its hit rate by fetching objects from a virtually unlimited col- lection of objects that have non-zero probability of access [8, 10] or by updating cached copies more fre- quently as data change [13, 50, 48]; Technology trends suggest that “wasting” bandwidth and storage to improve latency and availability will become increasingly attractive in the future: per-byte network transport costs and disk storage costs are low and have been improv- ing at 80-100% per year [9, 17, 37]; conversely network availability [11, 40, 54] and network latencies improve slowly, and long latencies and failures waste hu- man time. Current operating systems and networks do not provide good support for aggressive background transfers. In particular, because background transfers compete with foreground requests, they can hurt overall performance and availability by increasing network congestion. Ap- plications must therefore carefully balance the benefits

f background transfers against the risk of both self-

interference, where applications hurt their own performance, and cross-interference, where applications hurt

ther applications’ performance. Often, applications at-

tempt to achieve this balance by setting “magic num- bers” (e.g., the prefetch threshold in prefetching algo- rithms [18, 26]) that have little obvious relationship to system goals (e.g., availability or latency) or constraints (e.g., current spare network bandwidth). Our goal is for the operating system to manage network resources in order to provide a simple abstraction of zero-cost background transfers. A self-tuning background transport layer will enable new classes of applications by (1) simplifying applications, (2) reduc- ing the risk of being too aggressive, and (3) making

6

SLIDE 7

7

SLIDE 8

7

SLIDE 9

8

SLIDE 10

9

SLIDE 11

9

SLIDE 12

10

SLIDE 13

11

SLIDE 14

11

SLIDE 15

12

SLIDE 16

12

SLIDE 17

12

SLIDE 18

13

SLIDE 19

13

SLIDE 20

13

SLIDE 21

Participatory Networking

14

SLIDE 22

15

SLIDE 23

SLIDE 24

17

SLIDE 25

Safe? Secure? Fair? Loop freedom?

Participatory Networking

Black holes?

18

SLIDE 26

Participatory Networking

19

1. semantics + protocol (Hot-ICE ’12)

SLIDE 27

Participatory Networking

20

1. semantics + protocol (Hot-ICE ’12)
2. implementation (this talk)

SLIDE 28

Participatory Networking

20

1. semantics + protocol (Hot-ICE ’12)
2. implementation (this talk) PANE

SLIDE 29

21

Hierarchical Flow Tables

SLIDE 30

22

SLIDE 31

22

SLIDE 32

23

root root adf

bandwidth 100Mbps bandwidth 50Mbps

Hierarchy of Privileges

SLIDE 33

24

Hierarchy of Policies

SLIDE 34

24

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

Hierarchy of Policies

SLIDE 35

25

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

P a c k e t : s r c 1 . . . 1 d s t 1 . . . 2 : 8

Hierarchy of Policies

SLIDE 36

26

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

P a c k e t : s r c 1 . . . 1 d s t 1 . . . 2 : 8

Hierarchical Flow Table

SLIDE 37

27

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

P a c k e t : s r c 1 . . . 1 d s t 1 . . . 2 : 8

Hierarchical Flow Table

SLIDE 38

27

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

P a c k e t : s r c 1 . . . 1 d s t 1 . . . 2 : 8 Allow GMB=10

?

Hierarchical Flow Table

SLIDE 39

27

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

P a c k e t : s r c 1 . . . 1 d s t 1 . . . 2 : 8 Allow GMB=10

?

+S

Hierarchical Flow Table

SLIDE 40

27

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

P a c k e t : s r c 1 . . . 1 d s t 1 . . . 2 : 8 Allow GMB=10

?

+S +P

Hierarchical Flow Table

SLIDE 41

27

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

P a c k e t : s r c 1 . . . 1 d s t 1 . . . 2 : 8 Allow GMB=10

?

+S

GMB=10

+P

Hierarchical Flow Table

SLIDE 42

27

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

P a c k e t : s r c 1 . . . 1 d s t 1 . . . 2 : 8 Allow GMB=10

?

+S

GMB=10 GMB=30

+P

Hierarchical Flow Table

SLIDE 43

27

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

P a c k e t : s r c 1 . . . 1 d s t 1 . . . 2 : 8 Allow GMB=10

?

+S

GMB=10 GMB=30

+P

GMB=30

Hierarchical Flow Table

SLIDE 44

28

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

Allow GMB=10 GMB=10 GMB=30 GMB=30

Hierarchical Flow Table

+P +S

+D

SLIDE 45

28

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

Allow GMB=10 GMB=10 GMB=30 GMB=30

Hierarchical Flow Table

+P +S

+D

Only Requirements: Associative, 0-identity

SLIDE 46

29

+D

+P +S Sibling

Parent-Sibling In node D and S identical. Deny overrides Allow. GMB combines as max Child overrides Parent for Access Control GMB combines as max

PANE’s HFT Operators

SLIDE 47

30

Implementation

SLIDE 48

31

(d (d (d (s (d (d (d (s (d (d (d (s (d (d (d (s (d (d (d (s

PANE

SLIDE 49

32

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

SLIDE 50

32

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

SLIDE 51

33

PANE

SLIDE 52

33

PANE

SLIDE 53

34

                   



    

PANE

SLIDE 54

34

                   



    

PANE

SLIDE 55

35

                   



    

PANE

SLIDE 56

35

                   



    

PANE

SLIDE 57

36

PANE

SLIDE 58

36

PANE

SLIDE 59

36

PANE

SLIDE 60

36

PANE

SLIDE 61

37

PANE

SLIDE 62

37

24Mbps

PANE

SLIDE 63

37

5Mbps

PANE

SLIDE 64

37

8Mbps

PANE

SLIDE 65

37

24Mbps

PANE

SLIDE 66

38

24Mbps

PANE

SLIDE 67

39

                   



    

PANE

SLIDE 68

39

                   



    

PANE

SLIDE 69

39

                   



    

PANE

SLIDE 70

39

                   



    

PANE

SLIDE 71

40

Proof of Correctness

SLIDE 72

41

P a c k e t : s r c 1 . . . 1 d s t 1 . . . 2 : 8

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

Allow GMB=10

+S

GMB=10 GMB=30

+P

GMB=30

Hierarchical Flow Tables

SLIDE 73

Compiler Correctness

42

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

Allow GMB=10

+S

GMB=10 GMB=30

+P

GMB=30

SLIDE 74

Compiler Correctness

42

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

Allow GMB=10

+S

GMB=10 GMB=30

+P

GMB=30

SLIDE 75

Compiler Correctness

42

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

Allow GMB=10

+S

GMB=10 GMB=30

+P

GMB=30

SLIDE 76

Coq Proof Assistant

43

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

Allow GMB=10

+S

GMB=10 GMB=30

+P

GMB=30

SLIDE 77

44

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

Allow GMB=10

+S

GMB=10 GMB=30

+P

GMB=30

Packet: src 10.0.0.1 dst 10.0.0.2:80

Theorem

SLIDE 78

44

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

Allow GMB=10

+S

GMB=10 GMB=30

+P

GMB=30

Packet: src 10.0.0.1 dst 10.0.0.2:80

Theorem

SLIDE 79

44

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

Allow GMB=10

+S

GMB=10 GMB=30

+P

GMB=30

Packet: src 10.0.0.1 dst 10.0.0.2:80

GMB 30

Theorem

SLIDE 80

44

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

Allow GMB=10

+S

GMB=10 GMB=30

+P

GMB=30

Packet: src 10.0.0.1 dst 10.0.0.2:80

GMB 30 compile

Theorem

SLIDE 81

44

(dstPort = 22, Deny) (dstIP=10.0.0.2, GMB=30) (dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)

Allow GMB=10

+S

GMB=10 GMB=30

+P

GMB=30

Packet: src 10.0.0.1 dst 10.0.0.2:80

GMB 30 compile

Theorem

SLIDE 82

45

Current Status

SLIDE 83

46

SLIDE 84

47

Current Status

1. working controller

SLIDE 85

47

Current Status

2. client libraries
1. working controller

SLIDE 86

48

Current Status

2. client libraries
3. pane.cs.brown.edu
1. working controller

SLIDE 87

49

Current Status

2. client libraries
3. pane.cs.brown.edu
4. github.com/brownsys/pane
1. working controller

SLIDE 88

Questions?

50

Andrew Ferguson adf@cs.brown.edu

SLIDE 89

Questions?

51

Andrew Ferguson adf@cs.brown.edu

Arjun Guha
Chen Liang
Rodrigo Fonseca
Shriram Krishnamurthi

Co-authors

SLIDE 90

Backup Slides

52