Enforcing Customizable Consistency Properties in Software-Defined Networks. Wenxuan Zhou, Dong Jin, Jason Croft, Matthew Caesar, Brighten Godfrey

Transcription

1 Enforcing Customizable Consistency Properties in Software-Defined Networks Wenxuan Zhou, Dong Jin, Jason Croft, Matthew Caesar, Brighten Godfrey 1

2 Network changes control applications, changes in traffic load, system upgrades, Keeping network correct consistently over time. -- Network Consistency 2

3 1. Correctness at every step 2. Customizable properties 3. With efficient update installation What is Correctness? firewall traversal, access control, balanced load, loop freedom, 3

4 Problem Statement 1. Consistency at every step 2. Customizable consistency properties 3. Efficient updates installation Is it possible to efficiently ensures customizable correctness properties as the network evolves? 4

5 Prior Work Network Verification Dionysus Fixed Consistency Property Consistent Updates

6 Ideally given arbitrary invariants, a sequence with minimized overhead is produced Controller Magic engine Stream of Updates No loop, no black hole, Resource isolation, No suboptimal routing,... 6

7 Our design: Customizable Consistency Generator Key insight: Synthesis Verification Controller Stream of Updates CCG Buffer of pending updates Network Fail Model Verification Engine Pass Confirmations No loop/black hole, Resource isolation, No suboptimal routing, No VLAN leak,... 7

8 Our design: Customizable Consistency Generator Challenges: Stream of Updates CCG Buffer of pending updates Network Fail Model Verification Engine Pass Confirmations Greedy algorithm may get stuck identify the scope of cases that guarantees no deadlock For other cases, a more heavyweight update technique as a fallback, triggered rarely in practice Distributed nature of networks (uncertainty) compact uncertain forwarding graph verification optimization 8

9 Network Uncertainty The uncertainty of an observation point tasked with instilling updates in knowing the current network state. May deviate network behavior away from desired properties. 0$2"1$%#34$%.% 5-$467$-8% ;",)#"44$#% <,&)644%#34$%/%!"#$%&' #34$%.% +'()!*%9% #34$%/% +'()!*%:% 9

10 Uncertainty-aware Modeling Basis: VeriFlow Controller VeriFlow 10

11 Uncertainty-aware Modeling Basis: VeriFlow VeriFlow Generate Generate Updates Equivalence Forwarding Run Queries Classes Graphs Equivalence class: Packets experiencing the same forwarding actions throughout the network. Forwarding graphs: 11

12 Uncertainty-aware Modeling Naively, represent every possible network state O(2^n) Uncertain graph: represent all possible combinations The model captures packets view of the network, assuming controller initiates changes. When to change uncertain to certain? How to verify the network under uncertainty? 12

13 Consistency under Uncertainty Enforcing consistency with max parallelism heuristically CCG Uncertainty -aware Model Stream of Updates Confirmations Buffer of pending updates Fail Verification Engine Pass Waypoint Properties: flows are required to traverse a set of waypoints connectivity, waypointing, access control, service chaining, Theorem: Segment independent properties is guaranteed by the heuristic. 13

14 Consistency under Uncertainty CCG Uncertaintyaware Network Model Stream of Updates Buffer of pending updates Fail Verification Engine FallBack Mechanism Confirmations Pass Even with FB triggered, CCG achieves better efficiency than using FB alone. 14

15 System Structure CCG Controller Stream of Updates Uncertainty-aware Network Model Confirmations Buffer of pending Fail Verification Engine Pass Fallback Mechanism No loop/black hole, Resource isolation, No suboptimal routing, No VLAN leak,... 15

16 Evaluation Can CCG verify network invariants in real time? Can CCG achieve performance gain during network transitions with its algorithm for maximizing the parallelism of applying updates? Segment-independent Policies Non-segment-independent Policies Emulations Testbed experiments 16

17 Speed Analysis 1 Fraction of trials Uncertain-100 Uncertain-1000 Uncertain VeriFlow e+06 Microsecond 15X less memory overhead (540MB vs. 9GB) Simulated network: BGP RIBs and update trace from RouteViews injected into 172-router AS 1755 topology, checking reachability invariant 17

18 Emulation: Segment-independent Policies Controller-switch delay = network delay + processing delay Local (4ms) Wide area (100ms) Measure: path completion time NOX (Shortest path & load balancing) CCG Mininet 18

19 Emulation: Segment-independent Policies Fraction of trials Optimal CCG CCG-waypoint Dionysus Consistent Updates Incremental CU No fallback triggered No additional memory Local Millisecond 1 Wide area Fraction of trials Optimal CCG CCG-waypoint Dionysus Consistent Updates Incremental CU Millisecond 19

20 Emulation: Non-segment-independent Policies Traces from a enterprise network with 200+ layer-3 devices. One day, one snapshot per hour, 24 transitions, 4ms delay. New rules were added first, then old rules deleted. Rules overlapped with longest prefix match, not segment-independent. Number$of$Rules$ in$the$network$ 25000$ 20000$ 15000$ 10000$ 5000$ 0$ 7/22/2014$ 22:00:00$ 7/22/2014$ 22:00:02$ //$ //$ 7/22/2014$ 23:00:00$ 7/22/2014$ 23:00:02$ //$ //$ Time$ 7/23/2014$ 0:00:00$ //$ Immediate Update GCC CCG Consistent Updates //$ 7/23/2014$ 0:00:02$ 7/23/2014$ 1:00:00$ Comple?on$ } Time$ 7/23/2014$ 1:00:02$ Fallbacks happened rarely. Overhead close to Immediate Update, with no transient connectivity violations. 20

21 Conclusion Uncertainty problem with network control Uncertainty-aware network model GCC, a system that enforces customizable network consistency properties with heuristically optimized efficiency. Ongoing work: Study the generality of segment independency Test with more data traces, and compare against the original implementation of Dionysus Handle changes initiated from the network. 21