Rethinking the SDN Abstraction: May the Flexibility, Scalability and Security be with Us. Chengchen Hu XJTU Oct. 15, 2016

Transcription

1 Rethinking the SDN Abstraction: May the Flexibility, Scalability and Security be with Us Chengchen Hu XJTU Oct. 15, 2016

2 2 Traditional Computer Networks Data plane: Packet streaming Table lookup, forward, filter, buffer, mark

3 3 Traditional Computer Networks Control plane: Distributed algorithms Track topology changes, compute routes, install forwarding path

4 4 Legacy Computer Networks Closed App App App App App App Operating System Operating System Specialized Packet Forwarding Hardware App App App Operating System Specialized Packet Forwarding Hardware Specialized Packet Forwarding Hardware App App App Operating System Specialized Packet Forwarding Hardware

5 7 The Ossified Network Routing, management, mobility management, access control, VPNs, App Operating System App Million of lines of source code RFCs Barrier to entry Specialized Packet Forwarding Hardware Billions of gates Bloated Power Hungry Many complex functions baked into the infrastructure OSPF, BGP, VLAN, multicast, differentiated services, traffic engineering, NAT, firewalls, MPLS, An industry with a mainframe-mentality, reluctant to change 5

6 6 Software Defined Network (SDN) App App App App App App Operating System Specialized Packet Forwarding Hardware Operating System Specialized Packet Forwarding Hardware App App App App App App Operating System Specialized Packet Forwarding Hardware Operating System Specialized Packet Forwarding Hardware

7 7 3. Well-defined open API Software Defined Network (SDN) App App Global Network View App Network Operating System / Controller 2. At least one Network OS probably many Open- and closed-source 1. Open interface to packet forwarding Specialized Packet Forwarding Hardware Specialized Packet Forwarding Hardware Specialized Packet Forwarding Hardware Specialized Packet Forwarding Hardware

8 Key Features of SDN Separate Control and Data Abstraction Smart,! slow! Global view API Logically-centralized control! (abstraction) to the data plane! (e.g., OpenFlow)! Switches! Dumb,! fast!

9 History Y2006 Openflow/ SDN concept GENI, Internet2 Y2012 Google B4, VMWare Nicira VN We;are;now; considering;; Openflow/SDN Architecture/ specifica6on Prototyping/ Tes6ng;Network Real; deployment More;Flexible,; Dependable,; Scalable,;secure; and;more;apps. Y2009 OpenFlow V1.0 Y Spanish/China Mobile Telecom/ AT&T/ Huawei built SDN-based IPRAN for testing Y2013 Microsoft SWAN for Inter-DC scheduling

10 OpenFlow What s next? Legacy POF/P4 POF/P4 is flexible enough?

11 Rethink Less Conflicts Network Function Easier Debugging More Secure Controller Less Talk Switch More Flexible

12 Case 0: programmable SDN Data Plane ONetCard 2012 Aug PCIe Card ONetSwitch 45 4*10G, 4*GE, wifi 2013 Aug ONetSwitch 20 4*GE, with ZEDboard 2013 Dec ONetSwitch 30 wifi/storage, 5*GE 2014 Dec. Sponsored by Xilinx

13 Chengchen Hu, Ji Yang, Zhimin Gong, Shuoling Deng, Hongbo Zhao. DesktopDC: Setting All Programmable Data Center Networking Testbed on Desk, Poster&Demo at SIGCOMM 2014, Chicago, IL, US, 2014 ONetSwitch: All programmable SDN Switch Chengchen Hu, Ji Yang, Hongbo Zhao, and Jiahua Lu. Design of all programmable innovation platform for software defined networking. Open Networking Summit (ONS) 2014, Santa Clara, CA, US, 2014

14 Users 400+ ONetSwitches deployed in China, Europe, US

15 Case1: Frequent protocols Control Case 1: ARP Gateway Physical Gateway usually doesn t exist in SDN Controller reply to server end hosts Data plane queries controller repeatedly Control DATA Case 2: LLDP (Link Layer Discovery Protocol) Get neighbor info. then keep watching Data plane packet goes to controller repeatedly even topology is stable Usually 2-5s per port per packet Case 3: LACP (Link aggregation Control Protocol) State maintenance Repeat the same work again and again after topology is stable Usually 8 packets to converge Usually 1/30s per port per packet after convergence DATA

16 Communication overhead reduced: 50%-100% Controller CPU work load reduced: 80%-98% ARP response time: from 10+ms to us FOCUS: Function Offloading from a Controller to Utilize Switch Power. NSDI 16 SDN/NFV workshop 16

17 Case2: Table-miss Repeated flowmod message: 68%-98% when flow table with1k-50k entries. Eat either fast path memory or bandwidth between switch and controller Becomes bottleneck between Slow path and fast path in switch Small flows make the problem worse. CoSwitch: A Cooperative Switching Design for Software Defined Data Center 2014 ( best paper award) Co-Work with IBM Research Lab Taming the Flow Table Overflow in OpenFlow Switch. Poster at SIGCOMM 16.

18 Case 3: Rules Conflicts B A D 1 2 C A DstIP , FORWARD 2 B DstIP , FORWARD 3 D DstIP , FORWARD 2 A DstIP , FORWARD 3 C DstIP , FORWARD 2 D DstIP , FORWARD 2 Modular SDN Compiler Design with Intermediate Representation. SIGCOMM 16.

19

20 Case 4: Rule update Flowtable update bottleneck 10s to 100s of rule edits per second Full refresh of 5K entries takes minutes Pattern' Priority' <1,$2>$ 3$ <*,$2>$ 2$ <*,$*>$ 1$ Old$ Pattern' Priority' <1,$2>$ 5$ <2,$*>$ 4$ <1,$*>$ 3$ <*,$2>$ 3$ <3,$*>$ 2$ <*,$*>$ 1$ New$ Priority$Updates$ 3 rule adds + 2 priority updates Unmodified$fields$ Modified$fields$

21 Try to minimize the update Xitao Wen, Bo Yang, Yan Chen, Li Erran Li, Kai Bu, Peng Zheng, Yang Yang, Chengchen Hu, RuleTris: Minimizing Rule Update Latency for TCAM-based SDN Switches, ICDCS 2016, Nara, Japan, June 27 June 30, 2016.

22 Ji Yang, Chengchen Hu, Peng Zheng, Ruilong Wang, Peng Zhang, Xiaohong Guan, Rethinking the Design of OpenFlow Switch Counters, poster at SIGCOMM 2016, Florianpolis, Brazil, Aug , 2016 Case 5: SDN Counters OpenFlow%Controller OpenFlow)Switch) Slow)Path) OpenFlow%Channel Hardware%Management%% Driver%/%Control%Algorithm CPU) 30.00%% 20.00%% 20.00%% 10.00%% 10%% 10.00%% 0.00%% Usage% CPU%2GHz% DRAM%2GB% SRAM/OCM%512K% Fast)Path) FPGA/ASIC) Chip%Size Parser Counter Group%Table Meter 54.3%%Match%Memory 37%%IO,%Buffer,%Queue 7.4%%Ac(on%Engine 1.3%%Parser +Extra%49.6%%Counter Flow%Table% 0 Flow%Table% 1 Flow%Table% N

23 CACTI: CAche CounTIng

24 Case 6: L7 Abstraction Parsing Application Layer Protocol with Commodity Hardware for ANCS 2015

25 Case 7: Vulnerabilities Flow table attack Secure Channel attack Session Hijacking Policy bypass. On Denial of Service Attacks in Software Defined IEEE Network SDNShield: Reconciliating Configurable Application Permissions for SDN App DSN 2016 Mind the Gap: Monitoring the Control-Data Plane Consistency in Software Defined CoNext 2016

26 Open Questions How to make data plane programable? Match-Action abstraction? Fully Centralization? Forwarding Switch, Control Controller? Anything between high level intents and low level rules? How to co-design Fast Path & Slow Path in Switch?

27 Thank you