State Synchronization for Fast Failover of Stateful Firewall VNF

Transcription

1 Institute of Computer Science Chair of Communication Networks Prof. Dr.-Ing. P. Tran-Gia State Synchronization for Fast Failover of Stateful Firewall VNF, Claas Lorenz, Alexander Müssig, Steffen Gebert, Thomas Zinner, Phuoc Tran-Gia rdine ne-project.org comnet.informatik.uni-wuerzburg.de

2 Motivation u Traditional deployment: Single hardware device separates networks Internal Network xternal etwork 2

3 Motivation u Traditional deployment: Single hardware device separates networks u Resilience: Secondary instance as hot standby Hot Standby Internal Network xternal etwork Active StandBy 3

4 Motivation u Traditional deployment: Single hardware device separates networks u Resilience: Secondary instance as hot standby u Softwarization: Firewall software running in virtual machine Hot Standby xternal etwork Active Internal Network StandBy 4

5 Motivation u Traditional deployment: Single hardware device separates networks u Resilience: Secondary instance as hot standby u Softwarization: Firewall software running in virtual machine u NFV: Multiple active VNF instances scaling horizontally xternal etwork Internal Network 5

6 Motivation u First approaches described by the research community u Demands: Horizontal scalability: Scale in and scale out Resilience: Failover mechanisms u Open questions: Detailed design specifications Suitable synchronization mechanisms Performance evaluations à No existing firewall VNF meets these requirements 6

7 Agenda u Motivation u Background u Concept of a cloud-based firewall Failover Scale in/out Synchronization u Implementation VNF firewall module Test bed configuration u Evaluation 7

8 Firewalling Packet Filter OSI-Layer 3 (L4) *:* à :80 *:* à *:* (implicite) X CLOSED Stateful Firewall OSI-Layer 4 *:*, TCP-SYN à :80 *:*, TCP-ACK :80 X SYN SYN SYN- ACK SYN-SENT SYN-ACK-SENT SYN ACK Application Layer Firewall OSI-Layer 7 *:*, HTTP GET /index.html *:*, HTTP GET /evil.html ACK ACK ESTABLISHED Client Firewall S X 8

9 Concept Management Layer Coordination Cluster health Management Layer Master Master Master Data Plane Layer Load balancing Traffic redirection Packet inspection VNF VNF VNF Data Plane Layer Load Balancer 9

10 Example: Traffic Flow Master Key n 1 n 2 Value Established SYN-ACK Established 1 Key Conn 1 Conn 2 Value Established Established 2 3 Key Conn 1 Conn 2 Value Established Established te Table State Table State Table ACK SYN SYN- ACK 10

11 Example: Fail over Master X Key Value Key Value n 1 Established 1 Conn 1 Established 2 3 n 2 Established Conn 2 Established te Table State Table Key Conn 1 Conn 2 State Table Value Established Established 11

12 Example: Scale Out Master W Key Conn 1 Conn 2 Value Established Established 2 3 Key Conn 1 Conn 2 Value Established Established State Table State Table 12

13 Implementation u Erlang is a functional programming language by Ericsson: Provides high availability Specialized for multithreading u Prototypical implementation: Stateful firewall: Every state is logged and packets are inspected Cluster size expands dynamically u Parameter configuration: Synchronization level Data access Synchronization strategy 13

14 Firewall Modules Firewall VNF Firewall VNF Shared State Table Firewall VN CP states to nchronize Sync. Level tateful packet filtering 14

15 Synchronization Levels u Propagating levels for TCP states: NONE: No changes are propagated ESTABLISHED: Only essential state changes Established and Closed are propagated FULL: All changes are propagated to the network CLOSED SYN SYN SYN-SENT VNF VNF VNF VNF SYN- ACK SYN-ACK-SENT SYN- ACK VNF VNF ACK ACK ESTABLISHED External Network Internal Network lient Firewall Server 15

16 Firewall Modules Firewall VNF Firewall VNF Shared State Table Firewall VN rite mode to shared state Data Access None Est Full None Est Fu CP states to nchronize None Est Full Sync. Level tateful packet filtering 16

17 Database Write Clean transaction context Dirty transaction context Lock database Write to database Unlock database Write to database Maintains data consistency: Only one process can update a record Low performance: Requires locking and unlocking the database + - High performance: Directly update the record No data consistency guarantee: Ignore side effects of concurrent acces 17

18 Firewall Modules Firewall VNF Firewall VNF Firewall VN Shared State Table rite confirmation ong the cluster rite mode shared state Sync. Strategy Dirty Clean Data Access Dirty Clean None Est Full Dirty Clea None Est Fu CP states to nchronize None Est Full Sync. Level tateful packet filtering 18

19 Confirmation Strategies Synchronized confirmation strategy Asynchronized confirmation strategy Instruct Write Forward packet Instruct Write Forward packet Write to database Confirm Write Confirm Instruction Write to database + - Maintains data consistency: Throughout the entire cluster Low performance: Wait for all nodes to confirm write + - High performance: Concurrent write and packet forwarding No data consistency: A successful write cannot be ensured 19

20 Firewall Modules Firewall VNF Firewall VNF Firewall VN Shared State Table rite confirmation ong the cluster rite mode to shared state Async. Sync. Sync. Strategy Dirty Clean Data Access Async. Sync. Dirty Clean None Est Full Async. Sync Dirty Clean None Est Ful CP states to nchronize None Est Full Sync. Level tateful packet filtering 20

21 Test Bed Configuration Master SDN Controller: RYU (REST API)... VNF VNF VNF Internal Network ternal twork Client Open vswitch Web Server 21

22 Methodology u Test bed setup: One Monitoring node One active firewall node One backup firewall node u Scenario: Downloading index.html (1 Byte) from web server Different load levels of 25 and 100 concurrent connections 10 runs with 10,000 downloads each u Parameter configuration: Synchronization level Data access Synchronization strategy u Objective: TCP connection setup times Asynchronous Dirty NONE Performance Consistency ESTABLISHED Firewall VNF State Table Async. Dirty None Est Sync. Clean Full Synchr Cle FU 22

23 Database Access Strategies Concurrency Level 25 Concurrency Level 100 Load Level 25 Load Level 100 u Load level 25: Minor difference up to 2ms u Load level 100: Significant difference up to 15ms u Increased impact for higher concurrency leve u Dirty context significantly faster than transacti Async. Sync. Async. Sync. Synchronization Method u Contrary to all expectations, synchronous transactions faster than asynchronous transa Context Dirty Transaction 23

24 Synchronization Level Concurrency Load Level Level Concurrency Concurrency Load Level Level 25 Level Concurrency Level 100 Async. Dirty Sync. Dirty Connection Setup Time [ms] Async. Trans Sync. Async. Async. Sync. Async. Sync. Async. Sync. Trans. Dirty Dirty Trans. Dirty Trans. Database Access Sync. Async. Trans. Dirty Database Access Sync. Level None Sync. Established Level Full None Established Full u Dirty context: More synchronization leads to higher connection setup times u Transaction context: ESTABLISHED faster than NONE à More balanced database tables u Synchronization levels show higher impact at higher concurrency levels u Increased connection setup times for FULL synchronization Sync. Dirty Async. Trans. Sync. Trans. 24

25 Cluster Sizes nodes on physical KVM server ditional nodes connected via OpenStack Master VNF... VNF VNF VNF VNF Physical Server OpenStack Clou 25

26 Cluster Sizes nodes on physical KVM server ditional nodes connected via OpenStack rty context: rger Cluster Slower connection setup Load Level 25 Load Level 100 ansaction context: Load level 25: Cluster size 3 with highest setup times Load level 100: Larger cluster à Slower connection setup 6 26

27 u Concept of a stateful firewall VNF Horizontal scalability Failover Conclusion and Outlook u Prototypical implementation of a stateful firewall VNF Different database access strategies Varying synchronization levels u Test bed setup Multiple VMs running firewall VNF Connection to OpenStack cloud to increase cluster size u Investigation of TCP connection setup times w.r.t. consistency and performance Synchronizing all states leads to 19-26% slower connection setup times 20% faster connection setup times when focusing on performance Cluster sizes of 6 and 9 adds delay of 7% and 10% in comparison to a size of 3 u Future work: Alternative data stores Firewall VNF State Table Async. Dirty None Est Sync. Clean Full 27