[PPT] - Network Function Control Aaron Gember-Jacobson , Chaithan Prakash, PowerPoint Presentation

SLIDE 1

Aaron Gember-Jacobson, Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid Khalid, Sourav Das, Aditya Akella

1

OpenNF: Enabling Innovation in Network Function Control

SLIDE 2

Network functions (NFs)

Perform sophisticated stateful

actions on packets/flows

Important goals:
1. Satisfy SLAs
2. Minimize costs
3. Act correctly

2

SLIDE 3

NF trends

Network Functions Virtualization (NFV)

3

Intrusion detection system (IDS) Caching proxy WAN

ptimizer

SLIDE 4

NF trends

Network Functions Virtualization (NFV)

→ dynamically allocate NF instances

3

Hypervisor

SLIDE 5

NF trends

Network Functions Virtualization (NFV)

→ dynamically allocate NF instances

Software-defined Networking

→ dynamically reroute flows

3

Hypervisor

SLIDE 6

NF trends

Network Functions Virtualization (NFV)

→ dynamically allocate NF instances

Software-defined Networking

→ dynamically reroute flows Dynamic reallocation

f packet processing

e.g., elastic NF scaling

3

Hypervisor

SLIDE 7

Why NFV + SDN falls short

1. SLAs 2. Cost 3. Accuracy

Reroute new flows Reroute existing flows Wait for flows to die

4

Packet loss

SLIDE 8

Why NFV + SDN falls short

1. SLAs 2. Cost 3. Accuracy

Reroute new flows Reroute existing flows Wait for flows to die

4

Packet loss SLA: <1%

SLIDE 9

Why NFV + SDN falls short

1. SLAs 2. Cost 3. Accuracy

Reroute new flows Reroute existing flows Wait for flows to die

4

?

Packet loss SLA: <1%

SLIDE 10

Why NFV + SDN falls short

1. SLAs 2. Cost 3. Accuracy

Reroute new flows Reroute existing flows Wait for flows to die

4

?

Packet loss SLA: <1%

SLIDE 11

Why NFV + SDN falls short

1. SLAs 2. Cost 3. Accuracy

Reroute new flows Reroute existing flows Wait for flows to die

4

?

Packet loss

SLIDE 12

Why NFV + SDN falls short

1. SLAs 2. Cost 3. Accuracy

Reroute new flows Reroute existing flows Wait for flows to die

4

?

Packet loss

SLIDE 13

Why NFV + SDN falls short

1. SLAs 2. Cost 3. Accuracy

Reroute new flows Reroute existing flows Wait for flows to die

4

?

Packet loss

SLIDE 14

SLAs + cost + accuracy: What do we need?

Quickly move, copy, or share internal NF state

alongside updates to network forwarding state

Guarantees: loss-free, order-preserving, …

5

   … 1 2 3 …

Also applies to other scenarios

SLIDE 15

Outline

Motivation and requirements
Challenges
OpenNF architecture
Evaluation

6

SLIDE 16

1. Supporting many NFs with minimal changes
2. Dealing with race conditions
3. Bounding overhead

Challenges

7

SLIDE 17

OpenNF overview

8

NF State Manager Flow Manager

OpenNF Controller

Control Application

move/copy/share state export/import State

SLIDE 18

State created or updated by an NF applies to either a single flow or a collection of flows

NF state taxonomy

9

Connection Connection TcpAnalyzer HttpAnalyzer TcpAnalyzer HttpAnalyzer

Per-flow state

ConnCount

Multi-flow state All-flows state

Statistics

SLIDE 19

NF API: export/import state

Functions: get, put, delete

10

No need to expose/change internal state organization! Filter

Per Multi All

Scope NF get put

SLIDE 20

Control operations: move

11

NF State Manager Control Application

move (port=80, IDS1, IDS2)

Flow Manager IDS2 IDS1

SLIDE 21

Control operations: move

11

NF State Manager Control Application

move (port=80, IDS1, IDS2) get(per, port=80) [Chunk1] [Chunk2]

Flow Manager IDS2 IDS1

SLIDE 22

Control operations: move

11

NF State Manager Control Application

move (port=80, IDS1, IDS2) get(per, port=80) [Chunk1] del(per, port=80) [Chunk2]

Flow Manager IDS2 IDS1

SLIDE 23

Control operations: move

11

NF State Manager Control Application

move (port=80, IDS1, IDS2) get(per, port=80) [Chunk1] put (per, Chunk1) del(per, port=80) [Chunk2] put (per, Chunk2)

Flow Manager IDS2 IDS1

SLIDE 24

Control operations: move

11

NF State Manager Control Application

move (port=80, IDS1, IDS2) get(per, port=80) [Chunk1] put (per, Chunk1) del(per, port=80) [Chunk2] put (per, Chunk2) forward(port=80, IDS2)

Flow Manager IDS2 IDS1 Also provide copy and share

SLIDE 25

Malware hash check

Lost updates during move

12

B1 R1

IDS2 IDS1

move(red,Bro1 ,Bro2 )

SLIDE 26

Malware hash check

Lost updates during move

12

B1 R1

IDS2 IDS1

move(red,Bro1 ,Bro2 )

SLIDE 27

Malware hash check

Lost updates during move

12

B1 R1 R2

Missing state

IDS2 IDS1

move(red,Bro1 ,Bro2 )

SLIDE 28

Malware hash check

Lost updates during move

12

B1 R1 R2

Missing state

IDS2 IDS1

move(red,Bro1 ,Bro2 )

SLIDE 29

Malware hash check

Lost updates during move

12

B1 R1 R2

Missing state

IDS2 IDS1

move(red,Bro1 ,Bro2 )

SLIDE 30

Malware hash check

Lost updates during move

12

B1 R1 R2

Missing state

IDS2 IDS1

move(red,Bro1 ,Bro2 ) Missing updates

R3

SLIDE 31

Malware hash check

Lost updates during move

12

B1 R1 R2

Missing state

IDS2 IDS1

move(red,Bro1 ,Bro2 ) Missing updates

Loss-free: All state updates should be reflected in the transferred state, and all packets should be processed

R3

SLIDE 32

NF API: observe/prevent updates using events

13

Only need to change an NF’s receive packet function!

R1

NF

SLIDE 33

Use events for loss-free move

14

IDS2 IDS1

R1

SLIDE 34

1. enableEvents(red,noproc) on IDS1

Use events for loss-free move

14

IDS2 IDS1

NoProc R1

SLIDE 35

1. enableEvents(red,noproc) on IDS1
2. get/delete on IDS1

Use events for loss-free move

14

IDS2 IDS1

NoProc R1

SLIDE 36

1. enableEvents(red,noproc) on IDS1
2. get/delete on IDS1

Use events for loss-free move

14

IDS2 IDS1

NoProc R1 R2

SLIDE 37

1. enableEvents(red,noproc) on IDS1
2. get/delete on IDS1
3. Buffer events at controller

Use events for loss-free move

14

IDS2 IDS1

NoProc R1 R2

SLIDE 38

1. enableEvents(red,noproc) on IDS1
2. get/delete on IDS1
3. Buffer events at controller
4. put on IDS2

Use events for loss-free move

14

IDS2 IDS1

NoProc R1 R2

SLIDE 39

1. enableEvents(red,noproc) on IDS1
2. get/delete on IDS1
3. Buffer events at controller
4. put on IDS2
5. Flush packets in

events to IDS2

Use events for loss-free move

14

IDS2 IDS1

NoProc R1 R1,R2

SLIDE 40

1. enableEvents(red,noproc) on IDS1
2. get/delete on IDS1
3. Buffer events at controller
4. put on IDS2
5. Flush packets in

events to IDS2

6. Update

forwarding

Use events for loss-free move

14

IDS2 IDS1

NoProc R1 R1,R2

SLIDE 41

1. enableEvents(red,noproc) on IDS1
2. get/delete on IDS1
3. Buffer events at controller
4. put on IDS2
5. Flush packets in

events to IDS2

6. Update

forwarding

Use events for loss-free move

14

IDS2 IDS1

NoProc R1 R1,R2 R1,R2,R3

SLIDE 42

Implementation

Controller (3.8K lines of Java)
Communication library (2.6K lines of C)
Modified NFs (3-8% increase in code)

15

Bro IDS iptables Squid Cache PRADS

SLIDE 43

Evaluation: benefits for elastic scaling

Bro IDS processing 10K pkts/sec

– At 180 sec: move HTTP flows (489) to new IDS – At 360 sec: move back to old IDS

SLAs: 260ms to move (loss-free)
Accuracy: same log entries as using one IDS

– VM replication: incorrect log entries

Cost: scale in after state is moved

– Wait for flows to die: scale in delayed 25+ minutes

16

SLIDE 44

Realizing SLAs + cost + accuracy

requires quick, safe control of internal network function state

OpenNF provides flexible and efficient

control with few modifications to NFs

Conclusion

17