Network function virtualization

Transcription

1 Network function virtualization Ankit Singla ETH Zürich Spring 2017

2 News from SIGCOMM papers (out of 250 submissions) On every topic we covered / will cover 2 papers from ETH! 2

3 An update Beyond fat-trees without antennae, mirrors, and disco-balls 92, 12 pages + (1) references ACM SIGCOMM, 2017 Under submission Simon Kassing (MSc,

4 This lecture What are network functions? Why / how might we want to virtualize them? Intro: Generalizing congestion control TCP ex Machina: Computer-Generated Congestion Control 4

5 Our view of networks so far 5

6 Network functions / middleboxes ad insertion WAN accelerator Middleboxes vs. end-to-end principle? BRAS carrier-grade NAT transcoder session border controller IDS Middleboxes vs. fate-sharing principle? load balancer DDoS protection firewall QoE monitor DPI ClickOS and the Art of Network Function Virtualization, Usenix NSDI 14 Joao Martins, Mohamed Ahmed, Costin Raiciu, Roberto Bifulco, Vladimir Olteanu, Michio Honda, Felipe Huici 6

7 Middleboxes are ubiquitous Very Large Large Medium Small L3 Routers All Middleboxes L2 Switches IP Firewalls App. Firewalls Proxies Wan Opt. App. Gateways VPNs Load Balancers IDS/IPS ure 1: Box plot of middlebox deployments for small (fewer than 1k hosts), medium (1k-10k hosts), large (10k-100k hosts As many middleboxes as routers or switches! Making Middleboxes Someone Else s Problem: Network Processing as a Cloud Service, ACM SIGCOMM 12 Justine Sherry, Shaddi Hasan, Colin Scott, Arvind Krishnamurthy, Sylvia Ratnasamy, Vyas Sekar 7

8 Middleboxes are complex Misconfig. Overload Physical/Electric Firewalls 67.3% 16.3% 16.3% Proxies 63.2% 15.7% 21.1% IDS 54.5% 11.4% 34% 1-5 hours per week dealing with middlebox failures Making Middleboxes Someone Else s Problem: Network Processing as a Cloud Service, ACM SIGCOMM 12 Justine Sherry, Shaddi Hasan, Colin Scott, Arvind Krishnamurthy, Sylvia Ratnasamy, Vyas Sekar 8

9 Middleboxes are expensive 5 Year Expenditure $1M-50M $500K-1M $50K-500K $5K-50K <$5K Number of Middleboxes re 2: Administrator-estimated spending on midd Additional expense on specialist engineers to manage them Making Middleboxes Someone Else s Problem: Network Processing as a Cloud Service, ACM SIGCOMM 12 Justine Sherry, Shaddi Hasan, Colin Scott, Arvind Krishnamurthy, Sylvia Ratnasamy, Vyas Sekar 9

10 Wasteful replication of functionality Drop Firewall: Read Packets Header Classifier Output Alert Load balancer: Read Packets Header Classifier Output Rewrite Header Intrusion prevention system: DPI Drop Read Packets Header Classifier DPI Alert Output OpenBox: A Software-Defined Framework for Developing, Deploying, and Managing Network Functions, ACM SIGCOMM 16 Bremlar-Barr, Harchol, Hay 10

11 Middleboxes are black-boxes Firewall IDS Load balancer Monolithic hard to understand, debug, upgrade, provision Long deployment timelines No standards, vendor lock-in, slow innovation 11

12

13 As always: problems = opportunities! Software defined middleboxes? - Standardized low-level API? - Centralized, consolidated control? Consolidate middleboxes? Virtualized middleboxes? Offload middleboxes to the cloud? - Peak load average load 13

14 14

15 Consolidating middleboxes Normalized utilization WAN optimizer Proxy ,06: ,17:00 Load Balancer Firewall 07-10,04:00 Time (mm-dd,hr) 07-10,15: ,02:00 Peaks aren t aligned multiplexing can yield benefits Design and Implementation of a Consolidated Middlebox Architecture, Usenix NSDI 12 Vyas Sekar, Norbert Egi, Sylvia Ratnasamy, Michael K. Reiter, Guangyu Shi 15

16 Consolidating middleboxes VPN WanOpt IDS Proxy Firewall Protocol'Parsers' Session'Management' Re-use underlying machinery: packet I/O, parsing and processing Design and Implementation of a Consolidated Middlebox Architecture, Usenix NSDI 12 Vyas Sekar, Norbert Egi, Sylvia Ratnasamy, Michael K. Reiter, Guangyu Shi 16

17 Consolidating middleboxes Core 1 Core 2 Core 3 M1 M2 M3 M1 M4 M5 M1 M4 Hyper& Hyper& Hyper& Hyper& Hyper& App1& App2& App3& App4& App3& PShim& PShim& PShim& PShim& PShim& Q1 Q2 Q3 Q4 Q5 NIC hardware Design and Implementation of a Consolidated Middlebox Architecture, Usenix NSDI 12 Vyas Sekar, Norbert Egi, Sylvia Ratnasamy, Michael K. Reiter, Guangyu Shi 17

18 Network-wide coordination P1: N1! N2 T1 15 T2 30 T3 15 N1 N2 P3: N3! N1 T1 15 T2 15 T3 30 P2: N2! N3 T1 15 T2 15 T3 30 N3 N1 s assignment N2 s assignment N3 s assignment P1# P2# P3# T1# 15# 0# 5# 20# T2# 20# 0# 0# 20# T3# 15# 0# 5# 20# P1# P2# P3# T1# 0# 15# 5# 20# T2# 10# 10# 0# 20# T3# 0# 20# 0# 20# P1# P2# P3# T1# 0# 0# 20# 20# T2# 0# 5# 15# 20# T3# 0# 10# 10# 20# 18

19 Benefits of consolidation & spatial distribution 25 MaxLoad Today '/MaxLoad Consolidated '' Relative savings Abilene Geant Enterprise AS1221 AS3257 AS

20 Software-defined middleboxes Network functions: OpenBox apps Logically centralized controller Control plane Data plane Data packets OpenBox: A Software-Defined Framework for Developing, Deploying, and Managing Network Functions, ACM SIGCOMM 16 Bremlar-Barr, Harchol, Hay 20

21 Have the cloud take care of it? rise under different outsourcing options. APLOMB Control Plane Client Registration DNS IP Middlebox Monitoring & Invocation Redirection Client PoP Cloud Instances APLOMB Enterprise Site Making Middleboxes Someone Else s Problem: Network Processing as a Cloud Service, ACM SIGCOMM 12 Justine Sherry, Shaddi Hasan, Colin Scott, Arvind Krishnamurthy, Sylvia Ratnasamy, Vyas Sekar 21

22 Challenge: managing NF state OpenNF: Enabling Innovation in Network Function Control, ACM SIGCOMM 14 Aaron Gember-Jacobson, Raajay Viswanathan, Chaithan Prakash, Robert Grandl, Junaid Khalid, Sourav Das, and Aditya Akella 22

23 Looking to the future Wasteful replication of functionality Drop Firewall: Read Packets Header Classifier Alert Output Load balancer: Read Packets Header Classifier Rewrite Header Output Intrusion prevention system: Read Packets Header Classifier DPI DPI Drop Alert Output OpenBox: A Software-Defined Framework for Developing, Deploying, and Managing Network Functions, ACM SIGCOMM 16 Bremlar-Barr, Harchol, Hay What else shares the common parts of these pipelines? 23

24 Weekly reading guide

25 TCP falls short. Again. TCP ex Machina: Computer-Generated Congestion Control Keith Winstein and Hari Balakrishnan Computer Science and Artificial Intelligence Laboratory Massachusetts Institute of Technology, Cambridge, Mass. hw, ACM SIGCOMM, TCP s brittle rule-action design Can machine-generated congestion control work? Control / learning approaches to CC? 25