Flow Caching for High Entropy Packet Fields

Size: px

Start display at page:

Download "Flow Caching for High Entropy Packet Fields"

Dorthy Ryan
6 years ago
Views:

1 Flow Caching for High Entropy Packet Fields Nick Shelly Nick McKeown! Ethan Jackson Teemu Koponen Jarno Rajahalme

2 Outline Current flow classification in OVS Problems with high entropy packets Proposed ideas Benchmarking Why it works

3 Definitions Flow classification Header space and wildcard bits: for the rule with match 10xx, packets 1011 and 1010 have the same action. High vs low entropy fields: Packet 1 L2 L3 L4 Port MAC src MAC dst IP src IP dst TP src TP dst 2 00:11:22:33:44:55 00:11:22:33:44: Low entropy fields High entropy field Packet 2 L2 L3 L4 Port MAC src MAC dst IP src IP dst TP src TP dst 2 00:11:22:33:44:55 00:11:22:33:44:

4 Flow classification in OVS Slow path OpenFlow Pipeline! src= ,dst= ,tp_src=39245,tp_dst=80 L2 L3 ACL L3 L2 src= ,dst= ,tp_src=80,tp_dst=39245 src= ,dst= ,tp_src=2351,tp_dst=8080 src= ,dst= ,tp_src=40356,tp_dst=80 Fast path Exact Match Cache! src= ,dst= ,tp_src=39245,tp_dst=80 output:1 src= ,dst= ,tp_src=80,tp_dst=39245 output:2 src= ,dst= ,tp_src=2351,tp_dst=8080 drop src= ,dst= ,tp_src=40356,tp_dst=80 output:1

5 Megaflow Cache Slow path OpenFlow Pipeline! L2 L3 ACL L3 L2 src= ,dst= ,tp_src=39245,tp_dst=80 src= ,dst= ,tp_src=80,tp_dst=39245 L3 Table src= ,dst= ,tp_src=40356,tp_dst=80 src= ,dst= ,tp_src=2351,tp_dst=8080 MATCH ACTIONS nw_src == /8, nw_dst == /8 output:1 nw_src == /8, nw_dst == /8 output:2 Fast path Megaflow Cache! src= /8,dst= /8,tp_src=*,tp_dst=* src= /8,dst= /8,tp_src=*,tp_dst=* src= /8,dst= /8,tp_src=*,tp_dst=* output:1 output:2 drop

6 Megaflow Cache OpenFlow Pipeline! Slow path L2 L3 ACL L3 L2 L3 Table MATCH nw_src == /8, nw_dst == /8 nw_src == /8, nw_dst == /8 ACTIONS output:1 output:2 Fast path Megaflow Cache! src= /8,dst= /8,tp_src=*,tp_dst=* src= /8,dst= /8,tp_src=*,tp_dst=* src=*,dst= /8,tp_src=*,tp_dst=* drop output:1 output:2

7 OVS slow path Relies on OpenFlow table pipeline Must handle highly complicated lookups arbitrary packet metadata, recursion Computationally expensive Lots of repeat lookup sequences for packets that only differ by 1 or 2 bits

8 Ideal fast path! Constant time lookup Easy to compute entries (translate from OpenFlow tables) Flexible for any number of OpenFlow fields Reasonable memory (we cannot cache every single packet) Easy to implement and maintain (in software)

9 Proposal 1. Pro-active processing Table 1 Table 2 RULE PRIORITY MATCH ACTIONS 1 10 tp_dst == 80 drop RULE PRIORITY MATCH ACTIONS reg4 == 1 output:2 2 5 tp_dst == 443 drop 3 5 tp_dst == xx reg4 <= 1, resubmit: table 2 Cross-product Table MATCH ACTIONS tp_dst == 80 drop Table 1, Rule 1 tp_dst == 443 drop Table 1, Rule 2 Header space notation: tp_dst == xx - {80 U 443 } tp_dst == 0-79, , reg4 <= 1, output: 2 Table 1, Rule 3 then Table 2, Rule 1

10 Proposal 1. Pro-active processing But, how do we translate a header space, with a union, to wildcarded rules? RULE PRIORITY MATCH ACTIONS A 10 tp_dst == 0101 drop B 5 tp_dst == 0110 drop hc = C A B = C (A B) = C (A B) C 5 tp_dst == xxxx output: 2 Union minimization is an NP problem, so good heuristics is key

11 Proposal 2. Re-active processing Goal: For each new packet, install one wildcarded flow in the cache to match as many packets as possible RULE PRIORITY MATCH ACTIONS A 10 tp_dst == 0101 drop B 5 tp_dst == 0110 drop C 5 tp_dst == xxxx output: 2 New packet, p: p = 1010 New cached flow: MATCH ACTIONS tp_dst = 1xxxx output: 2 Doesn t cover the entire header space, hc, but a good heuristic (with 100 ACLs, ~80% of true header space)

12 Proposal 2. Re-active processing Problem: Too many flow masks for most rule sets (easier to hash just on a few masks) Fast path cache FLOW MASK xxx xxxx 0xxx xxxx RULES xx xxxx 10xx xxxx x xxxx 101x xxxx 111x xxxx 011x xxxx xxxx 0011 xxxx 1011 xxxx Use decision tree to un-wildcard flows in order, maximum of N masks (for N-bit high entropy field)

13 Comparison in performance COMMON MATCH DECISION TREE ACLS FLOWS MASKS % OPT FLOWS MASKS % OPT % % % % %

10000 5000 Common Match Megaflows LPM Megaflows 0 10 100 1000 10000 # of masks 1000 100 10 1 10

14 Comparison in cache size Can handle up to 1000 higher priority rules (ACLs) with only 5K entries Common Match Classifier LPM Classifier # of cache entries Common Match Megaflows LPM Megaflows # of masks # of ACLs # of ACLs Longest prefix (decision tree) is better with the number of masks

15 Future work! How does the number of hash masks affect run time? What is the effect of even more high entropy fields on the number of cache entries and coverage (optimal flow)? Can we adapt the classifier to different rule sets, exploiting traffic localities? Map one packet to more than one flow in the cache?

16 Questions?

Open vswitch is the most widely used virtual switch in cloud environments.

Open vswitch is the most widely used virtual switch in cloud environments. BEN PFAFF, JUSTIN PETTIT, TEEMU KOPONEN, ETHAN J. JACKSON, ANDY ZHOU, JARNO RAJAHALME, JESSE GROSS, ALEX WANG, JONATHAN STRINGER, PRAVIN SHELAR, KEITH AMIDON, AND MARTIN CASADO Ben Pfaff is a Lead Developer