A FRESH LOOK AT SCALABLE FORWARDING THROUGH ROUTER FIB CACHING. Kaustubh Gadkari, Dan Massey and Christos Papadopoulos

Similar documents
Scaling the Inter-Domain Routing System

Public Review for Efficient FIB Caching using Minimal Non-overlapping Prefixes. Yaoqing Liu, Syed Obaid Amin, and Lan Wang

PUSHING THE LIMITS, A PERSPECTIVE ON ROUTER ARCHITECTURE CHALLENGES

Performance and cost effectiveness of caching in mobile access networks

Computer Security: Principles and Practice

CS419: Computer Networks. Lecture 6: March 7, 2005 Fast Address Lookup:

Chapter 4: Memory Management. Part 1: Mechanisms for Managing Memory

!! What is virtual memory and when is it useful? !! What is demand paging? !! When should pages in memory be replaced?

Router Construction. Workstation-Based. Switching Hardware Design Goals throughput (depends on traffic model) scalability (a function of n) Outline

dfence: Transparent Network- based Denial of Service Mitigation

Lecture 12. Memory Design & Caches, part 2. Christos Kozyrakis Stanford University

Scalable Name-Based Packet Forwarding: From Millions to Billions. Tian Song, Beijing Institute of Technology

Routing Basics. ISP Workshops. Last updated 10 th December 2015

P51: High Performance Networking

Routing Basics. Campus Network Design & Operations Workshop

Cray XE6 Performance Workshop

Multipath Transport, Resource Pooling, and implications for Routing

Network Processors and their memory

EECS 122: Introduction to Computer Networks Switch and Router Architectures. Today s Lecture

Introduction to OpenMP. Lecture 10: Caches

Memory Hierarchy. Slides contents from:

Web Caching and Content Delivery

Reliably Scalable Name Prefix Lookup! Haowei Yuan and Patrick Crowley! Washington University in St. Louis!! ANCS 2015! 5/8/2015!

Routing Basics ISP/IXP Workshops

Network Layer. IP Protocol Stack: Key AbstracHons. Best- Effort Global Packet Delivery. Circuit Switching (e.g., Phone Network)

Denial of Service and Distributed Denial of Service Attacks

Robust TCP Stream Reassembly In the Presence of Adversaries

Lecture 4: Intradomain Routing. CS 598: Advanced Internetworking Matthew Caesar February 1, 2011

Dynamics of Hot-Potato Routing in IP Networks

EXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS

Generic Architecture. EECS 122: Introduction to Computer Networks Switch and Router Architectures. Shared Memory (1 st Generation) Today s Lecture

A Configuration-only Approach to FIB Reduction. Paul Francis Hitesh Ballani, Tuan Cao Cornell

Switch and Router Design. Packet Processing Examples. Packet Processing Examples. Packet Processing Rate 12/14/2011

Routing Basics. Routing Concepts. IPv4. IPv4 address format. A day in a life of a router. What does a router do? IPv4 Routing

Caches and Memory Hierarchy: Review. UCSB CS240A, Winter 2016

NET ID. CS519, Prelim (March 17, 2004) NAME: You have 50 minutes to complete the test. 1/17

Routing Basics. ISP Workshops

Revisiting router architectures with Zipf

A configuration-only approach to shrinking FIBs. Prof Paul Francis (Cornell)

1. Creates the illusion of an address space much larger than the physical memory

Choosing Switches and Routers for the Campus

Last Lecture: Network Layer

Measuring and Characterizing IPv6 Router Availability

Routing Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols

Steven M. Bellovin AT&T Labs Research Florham Park, NJ 07932

Chapter 8. Virtual Memory

Topics in P2P Networked Systems

Caches and Memory Hierarchy: Review. UCSB CS240A, Fall 2017

Implications of Global IPv4/v6 Routing Table Growth

Check Point DDoS Protector Introduction

AERONAUTICAL COMMUNICATIONS PANEL (ACP) ATN and IP

Chapter 5A. Large and Fast: Exploiting Memory Hierarchy

Message Switch. Processor(s) 0* 1 100* 6 1* 2 Forwarding Table

CS Computer Architecture

Analyzing Cacheable Traffic in ISP Access Networks for Micro CDN applications via Content-Centric Networking

CS 31: Intro to Systems Virtual Memory. Kevin Webb Swarthmore College November 15, 2018

Donn Morrison Department of Computer Science. TDT4255 Memory hierarchies

Chapter 6 Objectives

Network Security - ISA 656 Routing Security

Scaling IGPs in ISP Networks. Philip Smith SANOG 8, Karachi 3rd August 2006

CDN TUNING FOR OTT - WHY DOESN T IT ALREADY DO THAT? CDN Tuning for OTT - Why Doesn t It Already Do That?

UDP, TCP, IP multicast

More Specific Announcements in BGP. Geoff Huston APNIC

Virtual Memory. Kevin Webb Swarthmore College March 8, 2018

Memory Hierarchy. Slides contents from:

Cisco ASR 1000 Series Routers Embedded Services Processors

DRAM Main Memory. Dual Inline Memory Module (DIMM)

Introduction to IP Routing. Geoff Huston

Physical characteristics (such as packaging, volatility, and erasability Organization.

Security Whitepaper. DNS Resource Exhaustion

Service Provider Multihoming

OpenFlow DDoS Mitigation

Shim6: Network Operator Concerns. Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI

TOC: Switching & Forwarding

TOC: Switching & Forwarding

Routers: Forwarding EECS 122: Lecture 13

Performance Analysis and Culling Algorithms

E : Internet Routing

Fast and Evasive Attacks: Highlighting the Challenges Ahead

CSE 565 Computer Security Fall 2018

internet technologies and standards

Routers: Forwarding EECS 122: Lecture 13

PacketShader: A GPU-Accelerated Software Router

Cache Memory COE 403. Computer Architecture Prof. Muhamed Mudawar. Computer Engineering Department King Fahd University of Petroleum and Minerals

Hot Potatoes Heat Up BGP Routing

Caches. See P&H 5.1, 5.2 (except writes) Hakim Weatherspoon CS 3410, Spring 2013 Computer Science Cornell University

15-441: Computer Networks Homework 3

R/Kademlia: Recursive and Topology-aware Overlay Routing

Illegitimate Source IP Addresses At Internet Exchange Points

perfsonar Deployment on ESnet

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2014 Lecture 14

Chapter 6 Memory 11/3/2015. Chapter 6 Objectives. 6.2 Types of Memory. 6.1 Introduction

Basic Memory Management. Basic Memory Management. Address Binding. Running a user program. Operating Systems 10/14/2018 CSC 256/456 1

Advanced Multihoming. BGP Traffic Engineering

Caches. See P&H 5.1, 5.2 (except writes) Hakim Weatherspoon CS 3410, Spring 2013 Computer Science Cornell University

CSCD 330 Network Programming

Dixit Verma Characterization and Implications of Flash Crowds and DoS attacks on websites

100 GBE AND BEYOND. Diagram courtesy of the CFP MSA Brocade Communications Systems, Inc. v /11/21

SpaceNet AG. Internet Business Produkte für den Mittelstand. Produkt- und Firmenpräsentation. DENOG6, , Darmstadt

Troubleshooting Cisco Express Forwarding Routing Loops

Transcription:

A FRESH LOOK AT SCALABLE FORWARDING THROUGH ROUTER FIB CACHING Kaustubh Gadkari, Dan Massey and Christos Papadopoulos

Problem: RIB/FIB Growth Global RIB directly affects FIB size FIB growth is a big concern: Lookups need to keep up with increasing line speeds FIB memory is small, expensive Makes network provisioning hard IPv6 growth may make things worse Prefixes Date The obligatory Geoff Huston plot, http://bgp.potaroo.net 2

Why Cache? Performance! (cost too) Two potential benefits: Reduce the memory bandwidth required for FIB accesses When FIB is accessed on forwarding decisions Better FIB compression on forwarding chips Less compression (faster access) for the cache More compression (slower access) for the rest Potentially needed for Tb/s chips 3

Is There Traffic Locality? Traces from our local friendly ISP, FRGP: Thanks guys! Average Packet Rate Test subjects: two 24H traces at two tier-1 provider links (1Gb/s) at a regional ISP Link Number of Packets ISP-1 2,084,398,007 ISP-2 2,050,990,835 4

Yes, There is Locality! ~80k prefixes carry 99% of all traffic. ~1K prefixes carry 90% of the traffic (but we already knew that, see Rexford s work and others) 5

Caching Results - LRU Hit rate 96-99% 24H trace, 5min intervals Close to optimal performance Even at cache warm up hit rate = ~87-91% Caching works! Great! Now how do we build gear that use it? Cache hit rate, LRU size: 10K 6

Barriers to FIB Caching Three barriers to FIB caching Cache hiding Handling cache misses Robustness 7

Secret Sauce: Cacheable FIB LINE CARD Packets In Route Updates RIB Cacheable FIB FIB Lookup Cache Cache now preserves forwarding correctness Packets Out 8

The Cache Hiding Problem Consider the following snippet of a FIB The /16 covers (hides) the /24 Prefix Interface.... 12.13/16 1 12.13.14/24 2.... 9

Cache Hiding Impairs Forwarding FIB Cache Prefix Interface Prefix IFF 12.13.1.1 12.13/16 12.13.14/24 1 2 12.13/16 1 1 12.13.14.1 12.13.1.1 12.13.14.1 2 Packet 12.13.14.1 is forwarded incorrectly: 12.13/16 in the cache hides the true match 10

Solving Cache Hiding Hole Filling Non-cacheable FIB 12.13/16, IFF 1 12.13.0/17, IFF 1 12.13.128/17, IFF 1 12.13.0/18, IFF 1 12.13.64/18, IFF 1 12.13.0/19, IFF 1 12.13.32/19, IFF 1 12.13.14/23, IFF 1 Cacheable FIB 12.13.128/17, IFF 1 12.13.64/18, IFF 1 12.13.32/19, IFF 1 12.13.16/20, IFF 1 12.13.0/21, IFF 1 12.13.8/22, IFF 1 12.13.12/23, IFF 1 12.13.14/24, IFF 2 12.13.15/24, IFF 1 12.13.14/24, IFF 2 12.13.15/24, IFF 1 11

Have We Exploded the FIB? Actually, NO! At FRGP, we go from 397,878 to 432,422 entries 6.5% increase in size Other ISPs are similar (Route Views data) Caching makes this increase irrelevant anyway Peer Name % Increase GBLNETRU 6.8% CENIC 6.8% Sprint 6.6% APAN 6.6% ESNet 6.6% AOL 6.5% Hurricane- Electric 6.5% Sprint Canada 6.4% Level3 6.4% AT&T 6.4% 12

The Happy 99% vs. the Sad 1% What happens to the 1% of packets that miss the cache? They are queued until the cache is updated But what does that queue look like? 13

Queuing Simulator Packets In Lookup time = 100ns (probably high estimate) YES Cache Output Iface Buffer Packets Out Prefix Fetch on Cache Miss Lookup time = 100s (ridiculously high!) NO Cacheable FIB Cache Miss Buffer Queued packets sent out after prefix fetch Simulator built for simplicity, not for optimal performance. 14

Cache Miss Buffer Utilization No data packets queued! 956K total misses, 752K SYNs, rest SYNACKs Buffer utilization is very low approx. 10 packets in any given interval Small buffers needed to queue packets Cache Warm-up 15

Attacking the Cache Attacking a LRU cache is trivial :-( Just send a train of packets to N idle prefixes Should have simulated LFU.. (next step) Research question: what is the appropriate cache replacement algorithm? we plan to take a shot But with LFU, what rate does an attacker need to send packets to blow the cache? 16

Attack on an LFU Cache Most Popular N=10K Attack Prefix Prefix i Attacker picks an idle prefix and sends more pps than most popular prefix Least Popular 1 17

Result of the Attack Attacker prefix becomes top prefix Prefix 1 becomes prefix 2 Least popular prefix is evicted To evict all prefixes from cache attacker has to use N idle prefixes each at a rate higher than the most popular prefix Attack Prefix Prefix 1->2 Prefix i N=10K 1 Least Popular 18

Generalizing the Cache Attack To evict prefix i the attacker must send: P attack >= P i * i Most Popular N=10K where P i is the packet rate for prefix i From our trace: Attack Prefix i = 100, P attack >= 5500 pps Prefix i I = 5K, P attack >= 8.76Mpps I = 10K, P attack >= 17.52Mpps Flooding attack, not a cache attack! Least Popular 1 19

Limitations Future Work Do these observations carry to the core? Need a trace from the core to investigate Can you give us one? :-)..but recent trends point towards a traffic concentration to datacenters LRU, LFU cache replacement tradeoff between performance and robustness? Better analysis of cache misses Memory bandwidth demand Who suffers from misses? 20

Conclusions Yet another reminder of traffic locality and that caching works 96-99% hit rate with a 10K cache at edge no cache hiding problem low queuing delay while updating the cache cache fairly robust attacks against top prefixes infeasible? So let s build gear with caches! Unless we change physics, may be the only way forward with Tb/s speeds and large Global RIB (IPv6) 21

Thank You! Work funded by the DHS PREDICT project Data provided by Front Range GigaPop (FRGP) Thanks to the following people for fruitful discussions: Jon Turner Washington University, St. Louis Will Eatherton Juniper Networks Chang-Hong Wu Juniper Networks 22

Start Backup slides 23

One Solution: Cache the FIB Locality of network traffic is well-known LRU caching of /24s shown to provide 99%+ hit rate with a 100k entry cache Us: 99%+ hit rates with a 10k entry cache without de-aggregating prefixes We also investigate effects of cache misses and cache attacks 24

Solution: Making FIB Cacheable Main idea: Start with existing FIB Process FIB to replace all hidden prefixes with prefixes that cannot be hidden Produce new, cacheable FIB Serve the cache from the cacheable FIB 25

Current FIB Architecture LINE CARD Packets In BGP Route Updates RIB FIB FIB Lookup Packets Out FIB contains ALL routes 26

Current FIB Not Cacheable! LINE CARD Packets In BGP Route Updates RIB FIB FIB Lookup Cache Cache Hiding Problem leads to incorrect forwarding Packets Out 27

Evaluation N Cache i Prefix Rank 1 Prefixes to evict Least Popular Most Popular To i th prefix and all prefixes below it from cache, the required attack rate is P attack >= P i * i Assuming N = 10K entries, and k being the number of prefixes to evict For k = 1, P attack >= 1 pps For k = 5K, P attack > = 8.76M pps For k = 10K, P attack >= 17.52M pps 28

Queuing Delay Queued packets should not incur large delays Cache Warmup Average delay is 1.1 ms. Not counting cache warmup 29

TCAM Limitations TCAMs can do ~1.6B searches per second 800M searches per second in the worst case Line cards typically have enough TCAM memory to store 512K IPv4 entries and 256K IPv6 entries TCAM lookups are fast (<20ns), but can they keep up with increasing line speeds (>= 100Gbps)? 8,333,333 lookups per second, assuming all 1500 byte packets 223,696,213 lookups per second, assuming all 60 byte packets 30

Implications of FIB Growth Routers can crash when they run out of memory (Chang02 et. al.) Some operators filtering out small prefixes (mostly / 24s) rather than upgrade (Ballani09 et.al.) Some parts of the Internet may become unreachable Network provisioning is harder Difficult to estimate usable lifetime of routers and upgrade costs. 31

Impact of Cache Hiding Have to treat related prefixes at atomic blocks All cache operations performed on entire block Largest atomic block size is 2557 prefixes Leads to cache thrashing Increases cache sizes Cache operations now more complex 32

Our proposal - Hole Filling Fill in holes between prefixes to eliminate cache hiding Add additional entries to the FIB Trade FIB size for FIB cacheability Basic idea: Every prefix block is covered by nonoverlapping prefixes This set is optimal (adds minimum number of prefixes required to cover the address space) 33

Publications Dynamics of Prefix Usage at an Edge Router, Kaustubh Gadkari, Dan Massey and Christos Papadopoulos, 12th Passive and Active Measurements Conference (PAM 2011), March 2011 Fingerprinting Custom Botnet Protocol Stacks, Steve DiBenedetto, Kaustubh Gadkari, Nicholas Diel, Andrea Steiner, Dan Massey and Christos Papadopoulos, Workshop on Secure Network Protocols (NPSec 2010) (in conjunction with ICNP 2010), October 2010 Dynamics of RIB Usage at an Edge Router (Poster), Kaustubh Gadkari, Steve DiBenedetto, Dan Massey and Christos Papadopoulos, 18th International Conference on Network Protocols (ICNP 2010), October 2010 Characterizing TCP Resets in Established Connections, Nicholas Diel, Kaustubh Gadkari, Steve DiBenedetto, Andrea Steiner and Christos Papadopoulos, Technical Report CS-08-102. 34

Quantifying Cache Hiding Treat prefix groups as atomic blocks. Peer Name Number of Prefixes in Table Size of Largest Atomic Block GBLNETRU 345643 2557 CENIC 341122 2557 Sprint 338169 2557 APAN 344810 2557 ESNet 340874 2556 AOL 338247 2556 Hurricane- Electric 340402 2556 Sprint Canada 339509 2556 Level3 337701 2555 AT&T 338368 2552 35

Line Card Memory Limitations RIB stored in RAM (DRAM) Large : N GB Cheap : Approx. $200 per GB Scaling not considered a problem FIB stored on line cards (SRAM/TCAM) Small : N MB Expensive : Approx. $4000 per GB FIB is the union of all RIBs Scaling is considered a problem IPv6 impact is unknown Size of FIB after IPv6? Lookups at speeds of 100G+? 36

Addressing Cache Hiding Cache FIB 12.13.1.1 12.13/16,1 12.13.14/24,2 12.13/16,1 12.13/16,1 12.13.14.1 12.13.14/24,2 12.13.14/24,2 All packets are forwarded correctly. 37

Solution Space Method Table (FIB/RIB) FIB RIB Architectural Caching Edge-core separation Configuration-only Aggregation Aggregation 2/6/13 38

Uni-class Caching Kim et. al. show that route caching is feasible, and may be necessary. Cache only /24 prefixes. This mitigates the cache hiding problem. Achieves 99%+ hit rates with cache sizes of 100k entries. 39

Aggregation Better than the naïve solution leads to smaller FIBs. Compress FIB entries based on next-hop information. Can achieve 30 70% compression, based on aggregation algorithm. 40

Cache Miss Evaluation Built simulator to evaluate effect of cache misses. Simulator built for simplicity, not for optimal performance. 41

Handling Dynamic Route Updates Investigate how dynamic updates affect route caches Cache entries can be invalidated How many updates actually affect cache entries? How do we handle those updates that do affect cache entries? 42

Implementing Caching on Current Hardware Investigate whether we can implement the caching scheme in current router hardware. Ideally, routers should not need new hardware to use our caching solution. 43

Evaluation To evict N th entry from cache, attacker must send enough packets to that prefix and all cache entries below it To evict i entries, attack rate required is P attack >= P i * i In low traffic interval, most popular prefix received 240K packet in 5 mins, at an avg. packet rate of 803 pps Assuming cache size of 10K, attacker needs to send 8M pps to blow away cache 17.52M pps in high traffic interval This traffic rate is higher than the line speed at our capture point (2M pps, assuming 60 byte packets) 44

Threat Model Attacker knows, or can determine, set of popular and unpopular aggregates Attacker can send packets at line speed Attacker aims only to replace legitimate cache entries with bogus ones Attacks on other infrastructure (e.g. DDoS) will trigger other defenses Attack cannot be stealthy Attack rate must compete with legitimate traffic What is the packet rate required? 45

Future Work We will investigate how to handle dynamic route updates Further, we will investigate whether our caching solution can be implemented on existing router hardware 46

What is Optimal Caching? Defined on a cache size N, finite network trace When evicting a prefix choose the one that will not be used for the longest time in the future This includes the current prefix! Robust against one-off packets Theoretical algorithm please do not try to implement in practice 47

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback