SDN abstraction and security: a database perspective

Transcription

1 June 17, 2016 SoSSDN SDN abstraction and security: a database perspective Anduo Wang * Jason Croft Xueyuan Mei Matthew Caesar Brighten Godfrey * Temple University University of Illinois Urbana-Champaign

2 software-defined network control applications of disparate nature forwarding service chain stateful middlebox controller OpenFlow network switch switch switch switch 1

3 software-defined network control applications of disparate nature forwarding service chain stateful middlebox controller controller (abstraction runtime) an insertion point for network abstractions OpenFlow network switch switch switch switch 1

4 abstractions what is the right abstraction? forwarding service chain stateful middlebox abstraction runtime OpenFlow rules 2

5 abstractions what is the right abstraction? functions routing service chain stateful middlebox abstraction Frenetic / Pyretic runtime [NSDI 13] [PLDI 13] OpenFlow rules 2

6 abstractions what is the right abstraction? functions routing graphs stateful middlebox abstraction PGAruntime [SIGCOMM 15] OpenFlow rules 2

7 abstractions what is the right abstraction? functions routing graphs automata abstraction Kinetic runtime [NSDI 15] OpenFlow rules 2

8 abstractions diverse abstractions functions graphs automata abstraction runtime OpenFlow rules 2

9 but network keeps evolving functions graphs automata new/changing requirements abstraction runtime OpenFlow rules 3

10 but network keeps evolving functions graphs automata new/changing new requirement structure add / re-engineer runtime OpenFlow rules 3

11 and applications (components) interact policies graphs automata PGA Kinetic functions Pyretic OpenFlow rules network 4

12 and applications (components) interact policies graphs automata language-level orchestration restricted to each abstraction PGA Kinetic composing (+) policy graph +PGA graph function +Pyretic function functions Pyretic OpenFlow rules network 4

13 and applications (components) interact policies graphs automata language-level orchestration restricted to each abstraction PGA Kinetic composing (+) policy graph +? automata functions how to integrate the runtime? hard-wire internals? Pyretic OpenFlow rules network 4

14 and applications (components) interact policies graphs automata language-level orchestration restricted to each abstraction PGA Kinetic functions Pyretic OpenFlow rules network abstraction-agonistic coordination often low-level Co-visor [NSDI 15] statesman [SIGCOMM 14] 4

15 current state of abstraction research structure structure runtime runtime structure runtime OpenFlow rules network 4

16 current state of abstraction research structure structure new structure enlarging body of abstractions runtime runtime new runtime structure runtime OpenFlow rules network 4

17 current state of abstraction research structure structure new structure enlarging body of abstractions runtime runtime new runtime structure fragmented orchestration runtime OpenFlow rules network 4

18 our perspective operator and/or application SDN control revolves around data representation high-level representation data new data -discard specialized, pre-compiled, fixed structures -adopt a plain data representation data low-level representation data data OpenFlow rules network 5

19 our perspective operator and/or application SDN control revolves around data representation high-level representation data new data -discard specialized, pre-compiled, fixed structures -adopt a plain data representation data -use a universal data language low-level representation data data OpenFlow rules network 5

20 a database-defined network high-level app s operator and/or application new -relation the plain data representation - stored relation - virtual relation low-level inventory s OpenFlow rules network 6

21 a database-defined network high-level app s operator and/or application new -relation the plain data representation - stored relation - virtual relation -SQL the universal data language - query, update, trigger, rule low-level inventory s OpenFlow rules network 6

22 Ravel: a realization with SQL database operator and/or application attractive features -ad-hoc programmable + new abstraction via s database runtime -orchestration across abstractions via mechanism -orchestration across applications via data mediation -network control via SQL OpenFlow rules network 6

23 Ravel: a realization with SQL database operator and/or application attractive features -ad-hoc programmable + new abstraction via s database runtime -orchestration across abstractions via mechanism -orchestration across applications via data mediation -network control via SQL OpenFlow rules network 6

24 Ravel: a realization with SQL database operator and/or application attractive features -ad-hoc programmable + new abstraction via s database runtime -orchestration across abstractions via mechanism -orchestration across applications via data mediation -network control via SQL OpenFlow rules network 6

25 Ravel: a realization with SQL database operator and/or application attractive features -ad-hoc programmable + new abstraction via s database runtime -orchestration across abstractions via mechanism -orchestration across applications via data mediation -network control via SQL OpenFlow rules network 6

26 Ravel: a realization with SQL database operator and/or application attractive features -ad-hoc programmable + new abstraction via s database runtime -orchestration across abstractions via mechanism -orchestration across applications via data mediation -network control via SQL OpenFlow rules network 6

27 Ravel: a realization with SQL database operator and/or application attractive features + new -abstraction -orchestration database runtime -SQL OpenFlow rules network 6

28 abstraction: network s reachability matrix fid src dst vol 1 h1 h4 5 2 h2 h3 9 topology sid nid S1 S1 S1 S2 S3 h1 configuration fid sid nid 1 S1 S4 1 S4 h4 flow 1 h1 S1 S4 h4 E flow 2 h2 S2 S3 h3 7

29 abstraction: application firewall : monitoring unsafe flows violating acl policy CREATE VIEW acl_violation AS ( SELECT fid FROM rm WHERE FW = 1 AND (src, dst) NOT IN (SELECT end1, end2 FROM acl WHERE allow = 1) ); firewall control: repairing violation CREATE RULE acl_repair AS ON DELETE TO acl_violation DO INSTEAD DELETE FROM rm WHERE fid = OLD.fid; CREATE TABLE acl ( end1 integer, end2 integer, allow integer ); 8

30 abstraction: application firewall : monitoring unsafe flows violating acl policy CREATE VIEW acl_violation AS ( SELECT fid FROM rm WHERE FW = 1 AND (src, dst) NOT IN (SELECT end1, end2 FROM acl WHERE allow = 1) ); firewall control: repairing violation CREATE RULE acl_repair AS ON DELETE TO acl_violation DO INSTEAD DELETE FROM rm WHERE fid = OLD.fid; CREATE TABLE acl ( end1 integer, end2 integer, allow integer ); many more - routing, stateful firewall, service chain policy between subdomains 8

31 orchestration across representations routing app: check broken path, re-route SQL rule: upon broken path, re-route network app topology shortest path configuration orchestrated Ravel runtime topology shortest path configuration Mininet 9

32 orchestration across representations app routing app: check broken path, re-route SQL rule: upon broken path, re-route network app topology shortest path configuration orchestrated Ravel runtime topology sid nid active shortest path configuration link down Mininet Mininet link (172,39) down 9

33 orchestration across representations app routing app: check broken path, re-route SQL rule: upon broken path, re-route network app topology shortest path configuration orchestrated Ravel runtime shortest path path - {,172,39,156, } topology configuration sid nid active link down Mininet Mininet link (172,39) down 9

34 orchestration across representations app routing app: check broken path, re-route SQL rule: upon broken path, re-route network app topology shortest path configuration orchestrated Ravel runtime topology sid nid active shortest path path - {,172,39,156, } + {,172,38,148, } configuration link down Mininet Mininet link (172,39) down 9

35 orchestration across representations app routing app: check broken path, re-route SQL rule: upon broken path, re-route network app topology link down shortest path configuration Mininet orchestrated Ravel runtime topology sid nid active shortest path path - {,172,39,156, } + {,172,38,148, } Mininet link (172,39) down 9 configuration fid sid nid

36 orchestration across representations apps routing app: check broken path, re-route SQL rule: upon broken path, re-route network app topology link down shortest path configuration Mininet add_flow del_flow orchestrated Ravel runtime topology sid nid active shortest path path - {,172,39,156, } + {,172,38,148, } Mininet link (172,39) down 9 configuration fid sid nid orchestrated updates: re-route via (172, 38)

37 orchestration across applications apps priority: low high firewall balance load maintain path load balancer access control shortest path network app load balancer reachability matrix access control tenant virtual net shortest path configuration orchestrated database runtime reachability matrix tenant virtual net configuration Mininet 10

38 orchestration across applications apps priority: low high firewall balance load maintain path load balancer access control shortest path network app tenant request load balancer reachability matrix access control tenant virtual net shortest path configuration orchestrated database runtime tenant request host 1238 to server 1003 reachability matrix tenant virtual policy net host server configuration Mininet 10

39 orchestration across applications app network app tenant request priority: low high firewall balance load load balancer reachability matrix access control tenant virtual net maintain path shortest path configuration orchestrated database runtime load balancer sid load tenant request host 1238 to server 1003 reachability matrix access control tenant virtual policy net host server configuration shortest path Mininet 10

40 orchestration across applications app network app tenant request priority: low high re-load firewall maintain path load balancer reachability matrix access control tenant virtual net shortest path configuration orchestrated database runtime load balancer sid load tenant request host 1238 to server 1003 reachability matrix access control tenant virtual policy net host server configuration shortest path Mininet 10

41 orchestration across applications app network app tenant request priority: low high re-load check maintain path load balancer reachability matrix access control tenant virtual net shortest path configuration orchestrated database runtime load balancer sid load tenant request host 1238 to server 1003 reachability matrix access control src dst allow tenant virtual policy net host server configuration shortest path Mininet 10

42 orchestration across applications app network app tenant request priority: low high re-load check maintain path load balancer reachability matrix access control tenant virtual net Mininet shortest path configuration orchestrated database runtime load balancer sid load tenant request host 1238 to server 1003 reachability traffic matrix matrix fid sid nid access control src dst allow tenant policy tenant virtual net host server configuration shortest path 10

43 orchestration across applications app network app tenant request priority: low high re-load check maintain path load balancer reachability matrix access control tenant virtual net Mininet shortest path configuration orchestrated database runtime load balancer sid load tenant request host 1238 to server 1003 reachability traffic matrix matrix fid sid nid access control src dst allow tenant virtual policy net host server configuration shortest path path + {1238,,1034} 10

44 orchestration across applications app network app tenant request priority: low high re-load check maintain path load balancer reachability matrix access control tenant virtual net Mininet shortest path configuration orchestrated database runtime load balancer sid load tenant request host 1238 to server 1003 reachability traffic matrix matrix fid sid nid access control src dst allow tenant virtual policy net host server shortest path path + {1238,,1034} configuration fid sid nid

45 orchestration across applications app network app tenant request priority: low high re-load check maintain path load balancer reachability matrix access control tenant virtual net Mininet shortest path configuration orchestrated database runtime load balancer sid load tenant request host 1238 to server 1003 reachability traffic matrix matrix fid sid nid access control src dst allow tenant virtual policy net host server configuration fid sid nid shortest path path + {1238,,1034} orchestrated updates: install alternative route that is load-balanced and safe

46 achieving Ravel advantages operator and/or application attractive features -ad-hoc programmable + new abstraction via s database runtime -orchestration across abstractions via mechanism -orchestration across applications via data mediation -network control via SQL OpenFlow rules network 11

47 runtime maintenance notification operation via SQL interface optimizer ad-hoc programmable abstraction via s - challenge: inefficient user - solution: optimizer - materialize user with fast maintenance algorithm - one order of magnitude faster access with small maintenance overhead 0.01~10ms network 11

48 runtime update maintenance notification orchestration operation via SQL interface optimizer orchestration across applications - challenge: database lacking inter- support - solution: mediation protocol - translate app priority into updates that dynamically merge into a coherent data plane network 11

49 runtime update maintenance notification orchestration operation via SQL interface optimizer PostgreSQL Ravel runtime SDN control via SQL - challenge: database lacks connection to network data plane - solution: SQL trigger + OF manager control events SQL trigger OpenFlow manager network 11

50 runtime update maintenance notification orchestration operation via SQL interface optimizer PostgreSQL Ravel runtime a high-performance runtime - PostgreSQL - orchestration - optimizer - SQL trigger and OF manager control events SQL trigger OpenFlow manager network 11

51 evaluation deletion (ms) insertion (ms) text text text text profile end to end delay (normalized per-rule, 30 rounds) for route insertion and deletion Rocketfuel ISP topology AS# nodes links compute path lookup ports write to trigger/rule text 12

52 evaluation deletion (ms) insertion (ms) text text text text profile end to end delay (normalized per-rule, 30 rounds) for route insertion and deletion Rocketfuel ISP topology AS# nodes links compute path lookup ports write to trigger/rule text 12

53 evaluation deletion (ms) insertion (ms) text text text text profile end to end delay (normalized per-rule, 30 rounds) for route insertion and deletion Rocketfuel ISP topology AS# nodes links compute path lookup ports write to trigger/rule text 12

54 evaluation deletion (ms) insertion (ms) 4 10 text text text text profile end to end delay (normalized per-rule, 30 rounds) for route insertion and deletion Rocketfuel ISP topology AS# nodes links compute path lookup ports write to trigger/rule text 12

55 evaluation deletion (ms) insertion (ms) text text text text profile end to end delay (normalized per-rule, 30 rounds) for route insertion and deletion Rocketfuel ISP topology AS# nodes links compute path lookup ports write to trigger/rule text 12

56 evaluation deletion (ms) insertion (ms) text text text text profile end to end delay (normalized per-rule, 30 rounds) for route insertion and deletion Rocketfuel ISP topology AS# nodes links compute path lookup ports write to trigger/rule text similar profile on fat-tree topology (fewer nodes, more links) - total delay < 30ms for fat-tree with 5120 switches and links 12

57 evaluation CDF orchestration delay (ms) normalized per-rule for 3 scenarios: access control and routing (acl+rt), load balancing and routing (lb+rt), access control, load balancing, and routing (acl+lb+rt) 13

58 evaluation CDF 10 orchestration delay (ms) normalized per-rule for 3 scenarios: access control and routing (acl+rt), load balancing and routing (lb+rt), access control, load balancing, and routing (acl+lb+rt) 13

59 evaluation CDF 10 orchestration delay (ms) normalized per-rule for 3 scenarios: access control and routing (acl+rt), load balancing and routing (lb+rt), access control, load balancing, and routing (acl+lb+rt) orchestration also scales gracefully on fat-tree - < 30ms for fat-tree with 5120 switches and links 13

60 demo 15

61 demo 15

62 towards a secure Ravel improper modification of data -unauthorized modification -one-directional information flow 14

63 towards a secure Ravel expectation of data quality improper medication of data -unauthorized modification access control (ACL) -one-directional information flow 14

64 ACL in Ravel notification operation via SQL interface update maintenance control events orchestration optimizer SQL trigger OpenFlow manager PostgreSQL Ravel runtime network 15

65 ACL in Ravel notification operation via SQL interface update maintenance control events orchestration optimizer SQL trigger OpenFlow manager PostgreSQL Ravel runtime network 15

66 ACL in Ravel alice bob carol??? Ravel runtime PostgreSQL orchestration optimizer SQL trigger OpenFlow manager network 15

67 example scenario a SDN network and multiple tenants -admin can see/modify all resources, see/modify the network -tenants can only see the resources they pay -tenants can only manage their portions of network under contract SLA (service level agreement) tenant switches rate limit connectivity alice {1,2,3,4} 20 {alice} bob {51,52,53, } 50 {bob, alice} carol {100,101, } 10 {carol, alice} 16

68 explicit access control list (ACL) <principal, subject, operation> ACL on topology users switches privilege alice 1 read alice 2 read alice read bob read carol read admin read,write users ACL on configuration flows (source, destination, rate) privilege alice (1,2,<20) read,write alice (2,3,<20) read,write alice bob -very low-level -update ACL as tenant contract evolves 17

69 ACL in Ravel alice bob carol authenticate at database login Ravel runtime PostgreSQL orchestration optimizer higher-level finer-grained authorization via SQL authorization s SQL trigger OpenFlow manager network 18

70 ACL in Ravel Ravel runtime secure PostgreSQL orchestration SQL trigger authori zation s optimizer OpenFlow manager network 18

71 authorization s: a strawman solution associate each with an ACL -<principal, allowed operation> create a separate -if only a portion of a is granted to a principal -benefit: dynamic, content-based 19

72 authorization s: a strawman solution -- admin policy GRANT SELECT, UPDATE, INSERT, DELETE ON topology TO admin; GRANT SELECT, UPDATE, INSERT, DELETE ON configuration TO admin; -- alice policy CREATE OR REPLACE VIEW topology_alice AS ( SELECT sid, nid FROM topology WHERE (topology.sid = 1 OR topology.sid = 2 OR ); CREATE OR REPLACE VIEW configuration_alice AS ( SELECT fid, sid, nid FROM configuration WHERE ((topology.sid = 1 AND topology.nid = 2) OR (topology.sid = 1 AND topology.nid = 2) OR ) AND rate < 20); GRANT SELECT ON topology_alice TO alice; GRANT SELECT, INSERT, DELETE, UPDATE ON configuration_alice TO alice; -- bob policy, carol policy... 20

73 limitations many tenants -for each tenant, create a separate? dynamic tenant membership -add/remove s? SLAs evolving -update tenant s? more examples: -tenants can only access the resources the pay -raise tenant rate limit to100 21

74 finer-grained, higher-level ACL capture the intent rather than extent dynamic, context-based a network of arity n p(_,_,,_) SQL query over data in p and other parts of the network database access control of n+1 arity p_acl (principal, _,_,,_) 22

75 finer-grained, higher-level ACL - a tenant can only access the leased network topology - admin can access the whole topology CREATE VIEW topology_acl AS ( -- admin policy (SELECT 'admin' as principal, sid, nid FROM topology) UNION CREATE VIEW topology_public AS ( SELECT sid, nid FROM topology_acl WHERE principal = current_user') GRANT SELECT ON topology_public TO public; -- tenant policy (SELECT tenant as principal, sid, nid FROM topology, SLA WHERE topology.sid IN SLA.switches AND topology.nid IN SLA.switches)); 23

76 looking forward data integration as a networking service app s authorization s integrator (orchestration, optimization) coherent network states processing traffic 24

77 looking forward data integration as a networking service app s authorization s power load balancer conflict (cyclic update dependency) by formal analysis coherent network states processing traffic 24

78 looking forward data integration as a networking service app s authorization s server back-up cross-layer independent failure by multiple- constraint coherent network states processing traffic 24

79 looking forward data integration as a networking service app s untrusted authorization s automatic security enforcement by query rewrite coherent network states processing traffic 24

80 conclusion Ravel runtime secure PostgreSQL orchestration authori zation s optimizer this talk: via SQL - orchestra abstraction - finer-grained access control looking forward - data integration as a networking service SQL trigger OpenFlow manager network 25

81 playtime download Ravel ravel-net.org/download start playing: tutorials, add your own app ravel-net.org explore more github.com/ravel-net 26