Full-stack SDN: The Next Big Challenge? Gianni Antichi, Gábor Rétvári - PowerPoint PPT Presentation



SLIDE 1

Full-stack SDN: The Next Big Challenge?

Gianni Antichi, Gábor Rétvári

SLIDE 2

Disclaimer

  • This is a "Challenge" paper
  • Don’t expect answers, only some (hopefully) interesting questions

SLIDE 3

TLDR;

[Figure: the protocol stack (Application, Transport, Network, Link) next to a Switch]

Ethernet bridges handle packets at L2, IP routers at L3, and middleboxes add L4 processing capability

SLIDE 4

TLDR;

[Figure: the protocol stack (Application, Transport, Network, Link) next to a Switch, with an SDN Controller above it]

Ethernet bridges handle packets at L2, IP routers at L3, and middleboxes add L4 processing capability
Software Defined Networking (SDN): impose L2-L4 network policies centrally

SLIDE 5

TLDR;

[Figure: the protocol stack (Application, Transport, Network, Link) next to a Switch, with an SDN Controller above it]

Ethernet bridges handle packets at L2, IP routers at L3, and middleboxes add L4 processing capability
Software Defined Networking (SDN): impose L2-L4 network policies centrally
We argue it is time to extend SDN up into the Application layer (L7)

SLIDE 6

TLDR;

Questions? :D

SLIDE 7

Cloud 1.0: Monolithic apps deployed into VMs

[Figure: two Servers, each hosting Virtual Machines attached to a Virtual Switch, connected through a Fabric]

Full app instances deployed into VMs
Exchange traffic over L2 and L3 protocols (Ethernet, IP)

SLIDE 8

Cloud 2.0: Microservices

[Figure: the same Servers and Fabric, now hosting Micro-service Containers that talk over HTTP, gRPC, SOAP, WebSocket, ...]

Fine-grained decomposition of business logic into loosely coupled microservices
Lightweight isolation in Linux containers
Expose/consume services over application-layer (L7) protocols

SLIDE 9

Takeaway 1 With the transition to the microservice architecture, the main network communication pattern becomes application-layer (L7) protocols

SLIDE 10

Looking glass on microservices

[Figure: a Micro-service Container with the App logic (L7) on top of the Network stack (L4, L3, L2), attached through Virtual Ports to a Virtual Switch; RDMA shown as an alternative path]

Microservice communication relies on critical L7 network functions that are hardcoded into applications
Examples: Load-balancing, L7 ACLs, circuit breaking, L7 health-checking, encryption, policing, observability, authentication and authorization
Cannot impose L7 network policies centrally

SLIDE 11

Example 1: Filter HTTP REST API calls

[Figure: a "query" Micro-service sends HTTP POST and HTTP GET requests through a Virtual network to a "read-only" Micro-service]

Microservices typically expose/consume services over RESTful HTTP APIs
These look the same for a conventional L2-L4 SDN switch (TCP, port=80/443)
The network SHOULD be able to filter connections based on HTTP header fields
The control plane SHOULD be able to set L7-ACLs in switches
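The filtering this slide asks for, as an added example (not code from the paper or the authors): a minimal L7 ACL that parses the HTTP request line and headers and decides per method and path whether a request may reach the "read-only" service, next to the L4 view that only sees TCP port 80/443. The service name, the rule set and the two sample requests are constructed for the example.

```python
"""L7 ACL for HTTP REST calls (added example; service names, rules and
sample requests are constructed, not taken from the paper)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: dict = field(default_factory=dict)


def parse_http_request(raw: bytes) -> Optional[HttpRequest]:
    """Parse the request line and headers of an HTTP/1.x request.

    Returns None when the bytes are not a well-formed request, so the
    policy below can default to dropping traffic it cannot classify.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    try:
        method, path, version = lines[0].decode("ascii").split(" ", 2)
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep or not name.strip():
            return None  # malformed header line: refuse to classify
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method.upper(), path, version, headers)


@dataclass(frozen=True)
class L7Rule:
    """One ACL entry the control plane would install into the switch."""
    dst_service: str
    methods: frozenset  # allowed HTTP methods
    path_prefix: str = "/"


class L7Acl:
    def __init__(self, rules):
        self.rules = list(rules)

    def allows(self, dst_service: str, raw: bytes) -> bool:
        req = parse_http_request(raw)
        if req is None:
            return False  # default deny for unparseable payloads
        for rule in self.rules:
            if (rule.dst_service == dst_service
                    and req.method in rule.methods
                    and req.path.startswith(rule.path_prefix)):
                return True
        return False  # no matching rule: default deny


def classify_l4(dst_port: int) -> str:
    """What an L2-L4 SDN switch can see: only that the flow is HTTP(S)."""
    return "http" if dst_port in (80, 443) else "other"


# Constructed sample traffic: both requests go to TCP port 80, so the L4
# view cannot tell them apart, while the L7 ACL can.
GET_REQ = (b"GET /items/42 HTTP/1.1\r\nHost: read-only\r\n"
           b"Accept: application/json\r\n\r\n")
POST_REQ = (b"POST /items HTTP/1.1\r\nHost: read-only\r\n"
            b"Content-Type: application/json\r\nContent-Length: 2\r\n\r\n{}")

# Policy from the slide: the read-only service accepts only safe methods.
READ_ONLY_ACL = L7Acl([L7Rule("read-only", frozenset({"GET", "HEAD"}), "/items")])

if __name__ == "__main__":
    for raw in (GET_REQ, POST_REQ):
        print(classify_l4(80), READ_ONLY_ACL.allows("read-only", raw))
```

Both requests classify as "http" at L4; only the GET passes the L7 ACL, and anything the parser cannot classify is denied by default.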

SLIDE 12

Example 2: Differentiate/route based on VXLAN ID

[Figure: a Micro-service sends Normal traffic to a "production" Micro-service and Test traffic to a "test" Micro-service through a Virtual network, told apart by VXLAN Network Identifier]

If a new service version is deployed alongside production code..
VXLAN tunnels look the same for an L2-L4 SDN switch (UDP port is 4789)
The network SHOULD be able to handle traffic at the granularity of VXLAN Network Identifier!
The control plane SHOULD be able to install VXLAN routing rules in the dataplane

SLIDE 13

Example 3: Police RTP streams by user ID

[Figure: Micro-services exchanging RTP streams through a Virtual network; User 1: 10 Kbps, User 2: 100 Kbps]

RTP streams look the same for an L2-L4 SDN switch
The network SHOULD be able to rate-limit RTP streams based on user ID (SSRC)
The control plane SHOULD be able to set/query counters at the granularity of individual RTP streams
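Examples 2 and 3 both hinge on a field that sits below the application but above what an L2-L4 switch keys on. This added example (not code from the paper or the authors) parses the two fields in question, the 24-bit VXLAN Network Identifier behind UDP port 4789 (RFC 7348) and the 32-bit SSRC in the RTP fixed header (RFC 3550), then steers by VNI and rate-limits per SSRC with a token bucket while keeping the per-stream counters the slide asks the control plane to query. The VNI table, the rate limits, the packet builders and the traffic scenario are all constructed for the example.

```python
"""VNI-level steering and SSRC-level policing (added example; VNI table,
limits, packet builders and scenario are constructed, not from the paper)."""
import struct

VXLAN_PORT = 4789


def parse_vxlan(udp_payload: bytes):
    """Return (vni, inner_frame) or None. Layout: flags (1 byte, I-bit 0x08
    must be set), reserved (3), VNI (3), reserved (1), then the inner frame."""
    if len(udp_payload) < 8 or not udp_payload[0] & 0x08:
        return None
    return int.from_bytes(udp_payload[4:7], "big"), udp_payload[8:]


def parse_rtp(udp_payload: bytes):
    """Return (payload_type, seq, ssrc) from the 12-byte RTP fixed header,
    or None if the version field is not 2."""
    if len(udp_payload) < 12:
        return None
    b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", udp_payload[:12])
    if b0 >> 6 != 2:
        return None
    return b1 & 0x7F, seq, ssrc


def steer_by_vni(udp_dst_port: int, udp_payload: bytes, vni_table: dict):
    """Forwarding decision at VNI granularity: an L4 switch only sees
    UDP/4789, here the VNI picks the destination (unknown VNI -> drop)."""
    if udp_dst_port != VXLAN_PORT:
        return None  # not VXLAN, left to the ordinary L2-L4 pipeline
    parsed = parse_vxlan(udp_payload)
    if parsed is None:
        return "drop"  # malformed VXLAN header
    vni, _inner = parsed
    return vni_table.get(vni, "drop")


class SsrcPolicer:
    """Token-bucket policer keyed by RTP SSRC, with per-stream counters a
    control plane could query. Time is integer milliseconds."""

    def __init__(self, limits_bps: dict, burst_bytes: int = 1500):
        self.rate = {s: bps / 8000.0 for s, bps in limits_bps.items()}  # bytes/ms
        self.burst = burst_bytes
        self.tokens = {s: float(burst_bytes) for s in limits_bps}
        self.last_ms = {s: 0 for s in limits_bps}
        self.counters = {s: {"passed": 0, "dropped": 0} for s in limits_bps}

    def admit(self, udp_payload: bytes, now_ms: int) -> bool:
        hdr = parse_rtp(udp_payload)
        if hdr is None:
            return False  # not RTP: nothing to police, drop
        _pt, _seq, ssrc = hdr
        if ssrc not in self.rate:
            return False  # no policy installed for this stream
        elapsed = now_ms - self.last_ms[ssrc]
        self.last_ms[ssrc] = now_ms
        self.tokens[ssrc] = min(self.burst, self.tokens[ssrc] + elapsed * self.rate[ssrc])
        if self.tokens[ssrc] >= len(udp_payload):
            self.tokens[ssrc] -= len(udp_payload)
            self.counters[ssrc]["passed"] += 1
            return True
        self.counters[ssrc]["dropped"] += 1
        return False


def make_vxlan(vni: int, inner: bytes) -> bytes:
    """Constructed VXLAN packet: I-bit set, VNI, then the inner frame."""
    return b"\x08\x00\x00\x00" + vni.to_bytes(3, "big") + b"\x00" + inner


def make_rtp(ssrc: int, seq: int, payload_len: int = 160) -> bytes:
    """Constructed RTP v2 packet (PT 0, 160-byte payload) for stream ssrc."""
    return struct.pack("!BBHII", 0x80, 0, seq, seq * 160, ssrc) + bytes(payload_len)


def run_scenario():
    """Constructed scenario after the slide: User 1 (SSRC 0x1111) is limited
    to 10 Kbps, User 2 (SSRC 0x2222) to 100 Kbps; each sends 50 packets of
    172 bytes, one every 20 ms (about 69 Kbps per stream)."""
    policer = SsrcPolicer({0x1111: 10_000, 0x2222: 100_000})
    for k in range(50):
        policer.admit(make_rtp(0x1111, k), now_ms=20 * k)
        policer.admit(make_rtp(0x2222, k), now_ms=20 * k)
    return policer.counters


if __name__ == "__main__":
    table = {100: "production", 200: "test"}
    print(steer_by_vni(VXLAN_PORT, make_vxlan(200, b"inner frame"), table))
    print(run_scenario())
```

With these settings User 2 fits under its limit and every packet passes, while User 1 gets its initial 1500-byte burst and afterwards roughly one packet in seven, which is what a 10 Kbps cap means for a 69 Kbps stream; the counters are exactly what the control plane would read back per SSRC.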

SLIDE 14

Takeaway 2 Application-layer network functions SHOULD be moved out from applications into the dataplane to allow the enforcement of L7 network policies centrally

SLIDE 15

State-of-the-art: The service mesh

[Figure: Istio on Kubernetes; a Microservice Container whose Application is split into a Service Proxy (L4-L7 policies) and the Business Logic, attached through a Virtual Port to a Virtual Switch (L2-L3 policies)]

The service mesh is an L7-SDN to manage HTTP-based microservice communication
Achieved by injecting an HTTP service proxy to each microservice

SLIDE 16

State-of-the-art: The sidecar proxy model

[Figure: two Microservice Containers, each with a Service Proxy (L4-L7 policies) in front of the Business Logic, attached to a Virtual Switch (L2-L3 policies)]

The proxy runs side-by-side with the app and intercepts all ingress/egress traffic

SLIDE 17

State-of-the-art: The sidecar proxy model

[Figure: two Microservice Containers, each with a Service Proxy (L4-L7 policies) in front of the Business Logic, attached to a Virtual Switch (L2-L3 policies)]

Even a local packet exchange requires stitching 3 connections one after the other
This is 6 kernel-space--user-space context switches (remote calls are even worse)

SLIDE 18

State-of-the-art: The sidecar proxy model

[Figure: two Microservice Containers, each with a Service Proxy (L4-L7 policies) in front of the Business Logic, attached to a Virtual Switch (L2-L3 policies)]

Check the paper for some numbers on how this architecture might affect network function performance!

SLIDE 19

Takeaway 3 The state-of-the-art L7 SDN is restricted to HTTP and runs on top of the inefficient sidecar-proxy model

SLIDE 20

The challenge: Full-stack SDN

[Figure: the sidecar model again, two Microservice Containers with a Service Proxy (L4-L7 policies) in front of the Business Logic, attached to a Virtual Switch (L2-L3 policies)]

SLIDE 21

The challenge: Full-stack SDN

[Figure: two Microservice Containers, now holding only the Application Business Logic, attached to a Full-Stack Virtual Switch (L2-L7 policies)]

A local packet exchange would now require only 1 simple connection
This is only 2 kernel-space--user-space context switches!!!!

SLIDE 22

Full-stack SDN: How?

Process traffic at any layer in the protocol stack (UDP, TCP, RTP, WebSocket, Ethernet, IP, etc..)

Key components:

○ Full-stack SDN switch
○ Full-stack SDN control plane

See a couple of initial ideas in the paper

SLIDE 23

Conclusions

Takeaway 1 With the transition to the microservice architecture, the main network communication pattern becomes application-layer (L7) protocols
Takeaway 2 Application-layer network functions SHOULD be moved out from applications into the dataplane to allow the enforcement of L7 network policies centrally
Takeaway 3 The state-of-the-art L7 SDN is restricted to HTTP and runs on top of the inefficient sidecar-proxy model
Challenge: Full-stack SDN

SLIDE 24

Thanks!