OpenBox: A Software-Defined Framework for Developing, Deploying, - PowerPoint PPT Presentation

OpenBox: A Software-Defined Framework for Developing, Deploying, and Managing Network Functions Yotam Harchol The Hebrew University of Jerusalem Joint work with Anat Bremler-Barr and David Hay THE HEBREW This research was supported by the European Research Council ERC Grant agreement no 259085, the Israeli Centers of Research UNIVERSITY OF JERUSALEM Excellence (I-CORE) program (Center No. 4/11), and the Neptune Consortium.

Network Functions (Middleboxes) Monolithic closed black-boxes • ✘ High cost ✘ Limited provisioning and scalability Firewall Load Balancer Intrusion Prevention Network Function Virtualization (NFV): System ✔ Reduce cost (by moving to software) ✔ Improve provisioning and scalability (by virtualizing software NFs) 2

Network Functions (Middleboxes) ✘ High cost ✘ Limited provisioning and scalability ✘ Limited and separate management • Different vendors • No standards • Separate control plane 3

Network Functions (Middleboxes) • Actually, many of these black-boxes are very modular Network Function ✘ High cost ✘ Limited provisioning and scalability ✘ Limited and separate management ✘ Limited functionality and limited innovation (High entry barriers) ✘ Similar complex processing steps, no re-use 4

www.openboxproject.org OpenBox github.com/OpenBoxProject • OpenBox: A new software-defined framework for network functions • Decouples network function control from their data plane • Unifies data plane of multiple network functions Benefits: • Easier, unified control OpenBox Controller • Better performance • Scalability OBI • Flexible deployment • Inter-tenant isolation • Innovation OBI OBI

Software Defined Networking • High cost of middleboxes switches switches • Limited provisioning and scalability of middleboxes switches • Limited management of middleboxes • Limited functionality and limited innovation • Complex processing steps distributed algorithms OpenBox OpenFlow Controller Controller OBI 40%-60% of the appliances in large-scale networks are middleboxes! OBI [Sherry & Ratnasamy, ‘12] OBI 6

The OpenBox Framework Network Functions: OpenBox Applications Northbound API Logically-Centralized OpenBox Controller Control Plane OpenBox Protocol Data Plane OpenBox Service Instances Additionally: Isolation between NFs / multiple tenants • Support for hardware accelerators • 7 Dynamically extend the protocol •

Observ rvati tion: Mo Most netwo work fu functions do ver very y similar ar proces ocessing ng step eps But there is no re-use… The design the OpenBox framework is based on this observation 8

Network Function Decomposition Firewall: Drop Read Header Output Packets Classifier Alert Load Balancer: Read Header Output Packets Classifier Rewrite Header Intrusion Prevention System: DPI DPI Drop Read Header DPI Alert Output Packets Classifier 9

Northbound API Intrusion Prevention System Firewall Load Balancer DPI DPI Drop Drop Read Header Read Header Read Header DPI Alert Output Output Output Packets Classifier Packets Classifier Packets Classifier Rewrite Alert Header OpenBox Applications NB API Specify processing graph Events, and block configuration Load information OpenBox Controller Control Plane OpenBox Protocol Data Plane 10 OpenBox Service Instances

Logically-Centralized Controller Multiple tenants run multiple applications for multiple policies in the same network OpenBox Isolation between Applications applications and tenants NB API enforced by NB API SDN OpenBox Network-wide view Controller Controller Automatic scaling, provisioning, placement, and steering Control Plane SDN OpenBox Protocol Protocol Data Plane 11 OpenBox Service Instances SDN Switches

Naïve Graph Merge Firewall: Drop Read Header Output Packets Classifier Alert Concatenated Processing Graph: Drop DPI Alert DPI Drop (Firewall) 10μs Read Header Header Alert DPI Output Packets Classifier Classifier (IPS) Intrusion Prevention System: 10μs 30μs 2μs 2μs 30μs 50μs DPI Performance ≈ Diameter of Graph (# of classifiers) DPI Drop Total: 134μs Read Header DPI Alert Output Packets Classifier 12

Graph Merge Algorithm Merged Processing Graph: Algorithm and details are in the paper Alert DPI (Firewall) Alert DPI (Firewall) Read Header Alert Alert DPI Output Packets Classifier (Firewall) (IPS) 30μs 2μs 2μs 50μs 10μs Alert (Firewall) 10μs Drop Shorter Diameter (less classifiers) Total: 104μs (22% improvement) 13

OpenBox Data Plane Processing Read Store HTML Packets Normalizer Packet Alert Restore JavaScript Output Normalizer Packet Log Header Caching Classifier XML Drop Reporting Normalizer DPI Terminals Normalization Classification Front Drop FIFO Queue Queue Leaky RED Queue Gzip Bucket Decompress Queue Management Gzip Begin Compress Transaction VLAN Push De/compression Rewrite Commit Rollback Header Transaction Transaction VLAN Pop Transactions Header Modification 14

OpenBox Data Plane Processing Read Store HTML Packets Packet Normalizer Alert Restore JavaScript Output Normalizer Packet Log Header Caching Classifier XML Drop Reporting Normalizer DPI Terminals Normalization Classification Front Drop FIFO Queue Queue OpenBox Service Instance Leaky RED Queue Gzip Bucket Virtual or Physical Decompress Queue Management Gzip Begin Compress Transaction Provides data plane services to realize the logic of network functions • VLAN Push De/compression Rewrite Commit Rollback Header Controlled by the logically-centralized OpenBox controller • Transaction Transaction VLAN Pop Transactions Header Modification 15

Distributed Data Plane Alert DPI Rewrite Header Header Classifier Metadata OpenBox Service Instance OpenBox Service Instance Hardware Software (TCAM) E.g., an OpenFlow switch with encapsulation features (e.g., NSH, Geneve, FlowTags)

Split Processing Graph HW Instance: Read Header Write Encapsulate Output Packets Classifier Metadata Metadata Drop SW Instance: DPI DPI Drop Read Decapsulate Read DPI Alert Output Packets Metadata Metadata 17

Extensible Data Plane Media Encoder Option 2: Software module injection NEW APP Custom NB API software module (signed) OpenBox Controller On the fly No need to recompile Control Plane OpenBox No need to redeploy Protocol Data Plane Option 1: OpenBox Service Instances New hardware implementation Supports encapsulation 18

Scalable & Reliable Data Plane Scalability Provisioning Reliability OpenBox Controller OBI OBI OBI OBI OBI OBI OBI OBI OBI OBI OBI OBI OBI OBI OBI OBI OBI OBI Hypervisor OBI OBI 19 Hypervisor

Implementation github.com/OpenBoxProject Load FW IPS . . . Balancer Java-based OpenBox Controller Northbound API REST Graph Network Management REST client/server Aggregator Manager API Control Plane REST API Data Plane Generic wrapper for execution engines (Python) Software OpenBox Translation Engine Service Instance Click-based execution engine (C++) (Plug here other execution engines. E.g., ClickNP) 20

Performance Improvement Without OpenBox With OpenBox VM1 OBI1: FW+IPS VM1 VM2 Firewall IPS VM2 OBI2: FW+IPS Standalone VM NF Pipeline 900 80 900 140 800 800 70 120 Throughput [Mbps] 700 Throughput [Mbps] 700 60 100 600 600 Latency [µs] Latency [µs] 50 80 500 500 40 400 400 60 30 300 300 40 20 200 200 20 10 100 100 0 0 0 0 With Without 1 2 Firewall IPS 21 OpenBox OpenBox

Related Work • Orthogonal to OpenBox: – NF traffic steering (e.g., SIMPLE [SIGCOMM ’14]) – NF orchestration (e.g., Stratos, OpenMano, OpenStack) – Runtime platforms (e.g., xOMB [ANCS ‘12], ClickNP [SIGCOMM ‘16]) • Similar Motivation: – CoMb [NSDI ‘12] – focuses on resource sharing and placement – E2 [SOSP ‘15] – composition framework for virtual NFs – Slick [SOSR ’15] – focuses on the placement of data plane units • Only OpenBox provides: – Core processing decomposition and reuse – Standardization and full decoupling of NF control and data planes 22

Conclusions • Network functions are currently a real challenge in large scale networks • OpenBox decouples the data plane processing from network function control logic and: OpenBox – Reduces costs Applications – Enhances performance NB API – Improves scalability OpenBox – Increases reliability Controller – Provides inter-tenant isolation – Allows easier innovation Control Plane OpenBox Protocol Data Plane 23 OpenBox Service Instances

Questions? THANK YOU! 24