Stochastic Pre-Classification for SDN Data Plane Matching

Transcription

1 Stochastic Pre-Classification for SDN Data Plane Matching Luke McHale, C. Jasson Casey, Paul V. Gratz, Alex Sprintson Presenter: Luke McHale Ph.D. Student, Texas A&M University Contact:

2 Motivation Switch Open SDN Data Plane Packet Arrival SDNs increase stress on Packet Classification Higher complexity compared to traditional networks Generalizing increases timing variability Denial of Service (DoS) attacks on SDN switches are a potential issue Wastes resources, crowding out legitimate s Inherent problem: traffic must be classified before it can be determined malicious 2

3 Motivation: Packet Classification Switch Packet Arrival eth.src eth.dst eth.type eth.vlan_id eth.vlan_p ipv4.tos proto.field... Classifier key & mask = value value mask policy policy policy policy key policy next stage Exact Matching Hash s Prefix Match Tries Arbitrary TCAM (limited in size/availability) 3

4 Motivation: Locality 35% of the flows contain 95% of the s The active-flow window is constantly changing 3 Cumulative Distribution of Unique s 25 Million Packets k 4.k 6.k 8.k.M.2M.4M # (sorted) CAIDA Trace: equinix-sanjose.dira

5 Outline. Motivation a. Packet Classification b. Locality 2. Taking Advantage of Locality a. Caching b. Pre-Classification 3. Evaluation a. Experimental Setup b. Firewall 4. Results 5. Conclusions 5

6 Caching Cache Locality -> Caching becomes fast-path Keeps high-throughput flows Lookup: exact-match using key (i.e. 5-tuple) Cache: action set Hits: bypass and selection Similar techniques: [I.L. Chvets et al., 22], [K. Li et al., 23] 6

7 Pre-Classification Known s Bloom Filter Priority Scheduler Hi Lo Unknown s Attacks aim to stress slow-path (classification) When stressed, prioritize established traffic Lookup: exact-match using key (i.e. 5-tuple) Cache: seen before Hits: higher classification priority 7

8 Bloom Filter Hit: flow likely seen within epoch Miss: flow definitely not seen within epoch O[] Lookups O[] Inserts False positive rate is proportional to fill level eth.src eth.dst eth.type eth.vlan_id eth.vlan_p ipv4.tos key key key seed Hash seed Hash seed 2 2 n idx idx Bloom Filter 2 Lookup Lookup 2 n member 2 n member member next stage Tradeoffs in design proto.field... Hash n idx n Lookup key 8

9 Bloom Filter: XOR Hash Function Bit-level XOR helps preserve entropy Avoid mixing heavily correlated bits 4-bit 5-tuple () XOR XOR XOR XOR XOR XOR XOR 6-bit Hash 9

10 Experimental Setup Cycle accurate simulator Frequency determined by array sizes using CACTI Data Plane Frequency Data Plane Queue Depth Bloom Filter Size Bloom Filter Clearing Interval Cache Size Cache Organization 2 GHz 2 high, 2 low 32Kb (5 arrays, each 64Kb) 6K insertions 69Kb (52 38-bit entries) 2-way set associative, LRU 8, entries PCAP Trace Time-Scaled Interface Classification Simulator Packet Collection & Statistics Gbps {,, 4, Gbps}

11 Firewall Simulated Firewall Access Control List (ACL) Protocol IP source/destination Port source/dest. ranges Test ACL Generation 95%: nominal network conditions 6%: network with significant malicious traffic 2%: network under attack Coverage (%) % Accept 6% Accept 2% Accept Rule No.

12 Results: Throughput.9.8 Baseline - 6% Baseline - 2% Stressed > Gbps Normalized Throughput

13 Results: Throughput Cache Normalized Throughput Baseline - 6% Baseline - 2% Caching - 95% Caching - 6% Caching - 2% Stressed > Gbps Throughput proportional to unauthorized traffic

14 Results: Throughput Known s Priority Scheduler Bloom Filter Hi Lo Unknown s Normalized Throughput Baseline - 6% Baseline - 2% Caching - 95% Caching - 6% Caching - 2% Partition - 95% Partition - 6% Partition - 2% Stressed > Gbps Throughput proportional to unauthorized traffic Unauthorized traffic has less impact on throughput

15 Results: Throughput Known s Priority Scheduler Bloom Filter Hi Lo Cache Unknown s Normalized Throughput Baseline - 6% Baseline - 2% Caching - 95% Caching - 6% Caching - 2% Partition - 95% Partition - 6% Partition - 2% Partition+Caching - 95% Partition+Caching - 6% Partition+Caching - 2% u Stressed > Gbps Throughput proportional to unauthorized traffic Unauthorized traffic has less impact on throughput More consistent throughput

16 Results: Latency Baseline - 6% Baseline - 2% 9 8 Queue saturation causes high latency > Gbps 7 Mean Latency (µs)

17 Results: Latency Cache Baseline - 6% Baseline - 2% Caching - 95% Caching - 6% Caching - 2% Queue saturation causes high latency > Gbps Hits improve average latency Mean Latency (µs)

18 Results: Latency Bloom Filter Known s Priority Scheduler Hi Lo Unknown s Mean Latency (µs) Baseline - 6% Baseline - 2% Caching - 95% Caching - 6% Caching - 2% Partition - 95% Partition - 6% Partition - 2% Queue saturation causes high latency > Gbps Hits improve average latency Authorized traffic not yet seen incurs higher latency Once flow is learned, latency consistent with Baseline 2 4 8

19 Results: Latency Bloom Filter Known s Priority Scheduler Hi Lo Cache Unknown s Mean Latency (µs) Baseline - 6% Baseline - 2% Caching - 95% Caching - 6% Caching - 2% Partition - 95% Partition - 6% Partition - 2% Partition+Caching - 95% Partition+Caching - 6% Partition+Caching - 2% 4 u Queue saturation causes high latency > Gbps Hits improve average latency Authorized traffic not yet seen incurs higher latency Once flow is learned, latency consistent with Cache Higher latency at start of flow u Latency is constant with cache thereafter 9

20 Results: Jitter Baseline - 6% Baseline - 2% 9 Peaks at saturation point Jitter (µs)

21 Results: Jitter Cache Baseline - 6% Baseline - 2% Caching - 95% Caching - 6% Caching - 2% 9 Peaks at saturation point Difference in fast vs. slow path increases variance Jitter (µs)

22 Results: Jitter Known s Priority Scheduler Bloom Filter Hi Lo Unknown s Baseline - 6% Baseline - 2% Caching - 95% Caching - 6% Caching - 2% Partition - 95% Partition - 6% Partition - 2% 35 Peaks at saturation point 3 25 Difference in fast vs. slow path increases variance Jitter (µs) 2 5 Learning path incurs higher latency -> jitter 5 Once flow is learned, jitter consistent with Caching 4 22

23 Results: Jitter Known s Priority Scheduler Bloom Filter Hi Lo Cache Unknown s Baseline - 6% Baseline - 2% Caching - 95% Caching - 6% Caching - 2% Partition - 95% Partition - 6% Partition - 2% Partition+Caching - 95% Partition+Caching - 6% Partition+Caching - 2% 35 Peaks at saturation point 3 25 Difference in fast vs. slow path increases variance Jitter (µs) 2 5 Learning path incurs higher latency -> jitter 5 4 u Once flow is learned, jitter consistent with Caching Improves jitter incurred by priority mechanism 23

24 Conclusions Known s Priority Scheduler Bloom Filter Hi Lo Cache Unknown s SDN complexity increases stress on Classification Cache minimizes the effect of repeatedly classifying high-throughput flows Increases effective throughput Pre-Classification prioritizes known traffic Reduces effect of malicious traffic Combined arcecture provides orthogonal benefit Helps decouple legitimate and malicious traffic 24

25 Results: Throughput Bloom Filter Known s Priority Scheduler Hi Lo Cache Unknown s Baseline - 6% Baseline - 2% Caching - 95% Caching - 6% Caching - 2% Partition - 95% Partition - 6% Partition - 2% Partition+Caching - 95% Partition+Caching - 6% Partition+Caching - 2%.9.8 Normalized Throughput

26 Results: Latency Bloom Filter Known s Priority Scheduler Hi Lo Cache Unknown s Baseline - 6% Baseline - 2% Caching - 95% Caching - 6% Caching - 2% Partition - 95% Partition - 6% Partition - 2% Partition+Caching - 95% Partition+Caching - 6% Partition+Caching - 2% Mean Latency (µs)

27 Results: Jitter Bloom Filter Known s Priority Scheduler Hi Lo Cache Unknown s Baseline - 6% Baseline - 2% Caching - 95% Caching - 6% Caching - 2% Partition - 95% Partition - 6% Partition - 2% Partition+Caching - 95% Partition+Caching - 6% Partition+Caching - 2% Jitter (µs)