SNAP: Stateful Network-Wide Abstractions for Packet Processing
Mina Tahmasbi Arashloo¹, Yaron Koral¹, Michael Greenberg², Jennifer Rexford¹, and David Walker¹
¹ Princeton University, ² Pomona College
Early SDN Switch Interfaces
• Manipulate packet forwarding rules
• Read predefined set of counters
Programmable Switch Interfaces
• P4, OpenState, Open vSwitch, …
  – Programmable state (e.g. indexed arrays)
  – Basic arithmetic operations
SNAP: Stateful Network Wide Programming Language
• One big stateful switch
SNAP Contributions
• Modular Stateful Language
• One Big Stateful Switch
• Placement + Routing
Talk Outline
• Language through example
• Compiler
• Implementation
• Evaluation
• Related Work & Conclusion
Example - DNS Reflection Attacks
[Figure: attacker and botnet send spoofed DNS requests to DNS resolvers; the DNS responses go to the victim]
Detecting DNS Reflection Attacks
1. Log DNS requests
2. Match responses to logged requests
3. Check unmatched count
Bohatei: Flexible and Elastic DDoS Defense, Fayaz et al., USENIX Security 15
DNS Reflection Detection in SNAP
• Seen: Keep track of DNS requests by client and DNS identifier
• Unmatched: Count DNS responses that don’t match prior requests
• Susp: Suspected victims receive many unmatched responses
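Added example (not from the talk or the SNAP code base): a Python model of the Seen, Unmatched and Susp state variables, run over constructed packets. The packet field names, the threshold of 3 and the sample addresses are assumptions of this example.

```python
from collections import defaultdict

THRESHOLD = 3  # assumed cut-off; the slides do not give a value


class DnsReflectionDetector:
    """Models the three state variables as global arrays on one big switch."""

    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.seen = set()                  # seen[client][dns_id]
        self.unmatched = defaultdict(int)  # unmatched[client]
        self.susp = set()                  # susp[client]

    def process(self, pkt):
        """Update state for one packet; True if it goes to a suspected victim."""
        if pkt["proto"] != "udp":
            return False
        if pkt["dstport"] == 53:           # DNS request: log client and id
            self.seen.add((pkt["srcip"], pkt["dns_id"]))
            return False
        if pkt["srcport"] == 53:           # DNS response: match against the log
            client = pkt["dstip"]
            if (client, pkt["dns_id"]) not in self.seen:
                self.unmatched[client] += 1
                if self.unmatched[client] >= self.threshold:
                    self.susp.add(client)
            return client in self.susp
        return False


def dns(srcip, dstip, dns_id, response=False):
    """Build a constructed packet record (field names are assumptions)."""
    sport, dport = (53, 40000) if response else (40000, 53)
    return {"proto": "udp", "srcip": srcip, "dstip": dstip,
            "srcport": sport, "dstport": dport, "dns_id": dns_id}


# Constructed traffic: one legitimate lookup, then three unsolicited responses.
SAMPLE = [
    dns("10.0.0.5", "192.0.2.53", 0x1A2B),
    dns("192.0.2.53", "10.0.0.5", 0x1A2B, response=True),
    dns("198.51.100.1", "10.0.0.9", 0x0001, response=True),
    dns("198.51.100.2", "10.0.0.9", 0x0002, response=True),
    dns("198.51.100.3", "10.0.0.9", 0x0003, response=True),
]


def run(packets, threshold=THRESHOLD):
    det = DnsReflectionDetector(threshold)
    for p in packets:
        det.process(p)
    return det
```

The model never expires entries in seen or resets unmatched; a deployment would need to bound that state.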
OBSS Forwarding in SNAP
[Figure: network with ISP1, ISP2, CS and EE]
Single Network Policy
DNS Reflection Detection ; Forwarding
SNAP Applications
SNAP Compiler
• Where to place state variables
• How to forward packets through them
Routing + Placement Jointly
[Figure: inputs State Dependency, Topology, Packet-State Map and Traffic Matrix feed a MILP that minimizes congestion; outputs are Routing Paths and State Placement]
Intermediate Representation (IR)
• Maintain all programs in a single data structure
• Composable and easily partitioned IR
• Distribute the program to switches
xFDDs: Extended Forwarding Decision Diagrams
• Intermediate node: test on header fields and state
• Leaf: set of action sequences
• Three kinds of tests
  – field = value
  – field1 = field2
  – state_var[idx] = val
[Figure: example xFDD; true branch is a solid line, false branch is dashed. Tests: dstip = 10.0.0.1, srcip = dstip, s[srcip] = 2. Leaves: {s[dstip] ← 2}, {drop}]
xFDD for DNS Reflection Detection
• Maintain all programs in a single data structure
xFDD for DNS Reflection Detection
• Fixes the order in which programs access state.
• We could distribute the programs by placing cuts
Partitioning to Sub-Programs
• Distribute the program to switches
[Figure; label: CS]
Putting It All Together
[Figure: network with ISP1, ISP2, CS and EE]
SNAP Implementation
• Compiler written in Python
• MILP solver: Gurobi Optimizer
• Resulting switch code: NetASM (language + software switch)
M. Shahbaz and N. Feamster. The case for an intermediate representation for programmable data planes. SOSR 2015.
Compiler Evaluation
• 7 campus and ISP topologies
• Order of 100s of switches and links
• Scenarios
  – Cold start (freq. weeks)
  – Policy change (freq. days)
  – Topology/TM change (freq. minutes)
Compiler Evaluation - Results
Planned in advance   5s-1m   0.5m-2m   1m-6m
Related Work
• Stateful languages
• Switch level mechanisms
• Optimizing placement & routing
Conclusion - SNAP
• A new modular stateful SDN programming language with:
  – One-big switch programming model
  – Persistent global arrays
• Compiler implements algorithms that:
  – Jointly optimize routing and state placement
  – Use efficient IR based on FDDs
• Evaluated about 20 applications