
Enforcing Customizable Consistency Properties in Software-Defined - PowerPoint PPT Presentation



  1. Enforcing Customizable Consistency Properties in Software-Defined Networks. Wenxuan Zhou, Dong Jin, Jason Croft, Matthew Caesar, Brighten Godfrey

  2. Network changes: • control applications, • changes in traffic load, • system upgrades, • … Network Consistency: keeping the network correct consistently over time.

  3. What is Correctness? Example properties: • firewall traversal, • access control, • balanced load, • loop freedom, • … Goals: 1. Correctness at every step 2. Customizable properties 3. With efficient update installation

  4. Problem Statement: 1. Consistency at every step 2. Customizable consistency properties 3. Efficient update installation. Is it possible to efficiently ensure customizable correctness properties as the network evolves?

  5. Prior Work: • Network Verification • Fixed Consistency Property: Consistent Updates, Dionysus

  6. Ideally, given arbitrary invariants, a sequence with minimized overhead is produced. [Diagram: Controller, Stream of Updates, Magic engine. Invariants: No loop, no black hole, Resource isolation, No suboptimal routing, ...]

  7. Our design: Customizable Consistency Generator (CCG). Key insight: Synthesis Verification. [Diagram: Controller, Stream of Updates, CCG (Buffer of pending updates, Network Model, Verification Engine with Pass and Fail outcomes), Network, Confirmations. Invariants: No loop/black hole, Resource isolation, No suboptimal routing, No VLAN leak, ...]

  8. Our design: Customizable Consistency Generator. Challenges: • Greedy algorithm may get stuck: ✴ identify the scope of cases that guarantees no deadlock ✴ for other cases, a more heavyweight update technique as a fallback, triggered rarely in practice • Distributed nature of networks (uncertainty): ✴ compact uncertain forwarding graph ✴ verification optimization. [Diagram: Stream of Updates, CCG (Buffer of pending updates, Network Model, Verification Engine with Pass and Fail outcomes), Confirmations]

  9. Network Uncertainty: The “uncertainty” of an observation point tasked with installing updates in knowing the current network state. May deviate network behavior away from desired properties.

  10. Uncertainty-aware Modeling. Basis: VeriFlow. [Diagram: Controller, VeriFlow]

  11. Uncertainty-aware Modeling. Basis: VeriFlow. VeriFlow stages: Updates, Generate Equivalence Classes, Generate Forwarding Graphs, Run Queries. Equivalence class: packets experiencing the same forwarding actions throughout the network. [Figure: forwarding graphs]

  12. Uncertainty-aware Modeling. Naively, represent every possible network state: O(2^n). Uncertain graph: represent all possible combinations. The model captures packets’ view of the network, assuming the controller initiates changes. When to change “uncertain” to “certain”? How to verify the network under “uncertainty”?

  13. Consistency under Uncertainty. Enforcing consistency with max parallelism heuristically. Waypoint Properties: flows are required to traverse a set of waypoints: • connectivity, • waypointing, • access control, • service chaining, … Theorem: Segment-independent properties are guaranteed by the heuristic. [Diagram: Stream of Updates, CCG (Buffer of pending updates, Uncertainty-aware Model, Verification Engine with Pass and Fail outcomes), Confirmations]

  14. Consistency under Uncertainty. [Diagram: Stream of Updates, CCG (Buffer of pending updates, FallBack Mechanism, Uncertainty-aware Network Model, Verification Engine with Pass and Fail outcomes), Confirmations] Even with FB triggered, CCG achieves better efficiency than using FB alone.

  15. System Structure. [Diagram: Controller, Stream of Updates, CCG (Buffer of pending updates, Fallback Mechanism, Uncertainty-aware Network Model, Verification Engine with Pass and Fail outcomes), Confirmations. Invariants: No loop/black hole, Resource isolation, No suboptimal routing, No VLAN leak, ...]
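
The buffer-and-verify loop of slides 7 to 15, as an added Python example (not code from the presentation or from the CCG implementation). It assumes a single equivalence class, models an unconfirmed update as a switch that may be using either its old or its new next hop, and checks a waypoint invariant over every possible path; the fallback mechanism is not modeled, and all class, function and switch names are hypothetical.

```python
class UncertainGraph:
    """Forwarding graph for one equivalence class (constructed toy model).
    hops[sw] is the set of next hops sw MAY be using; None means "no rule"."""
    def __init__(self, next_hop):
        self.hops = {sw: {nh} for sw, nh in next_hop.items()}

    def paths(self, src, dst, seen=()):
        """Yield every possible path; None stands for a loop or black hole."""
        if src == dst:
            yield seen + (src,)
        elif src is None or src in seen:
            yield None
        else:
            for nh in self.hops.get(src, {None}):
                yield from self.paths(nh, dst, seen + (src,))

def waypoint_ok(g, src, dst, waypoint):
    """Invariant: every possible path reaches dst through the waypoint."""
    return all(p is not None and waypoint in p for p in g.paths(src, dst))

class CCG:
    def __init__(self, graph, invariant):
        self.g, self.invariant = graph, invariant
        self.buffer, self.in_flight, self.sent = [], {}, []

    def submit(self, updates):
        self.buffer.extend(updates)
        self._drain()

    def confirm(self, switch):
        """Confirmation received: the old rule is gone, the edge is certain."""
        self.g.hops[switch] = {self.in_flight.pop(switch)}
        self._drain()

    def _drain(self):
        """Greedy pass: release each buffered update that verifies."""
        for switch, new_hop in list(self.buffer):
            if switch in self.in_flight:
                continue                      # one unconfirmed update per switch
            old = self.g.hops.get(switch, {None})
            self.g.hops[switch] = old | {new_hop}   # old OR new may be live
            if self.invariant(self.g):
                self.in_flight[switch] = new_hop
                self.sent.append(switch)
                self.buffer.remove((switch, new_hop))
            else:
                self.g.hops[switch] = old     # verification failed: keep buffered
```

With constructed rules A→B→FW→D and submitted updates (A,C), (C,FW), (B,D), only the update at C is released at first; the update at A follows once C confirms, and (B,D) stays buffered while A may still forward to B.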

  16. Evaluation. Can CCG verify network invariants in real time? Can CCG achieve performance gain during network transitions with its algorithm for maximizing the parallelism of applying updates? • Segment-independent Policies • Non-segment-independent Policies • Emulations • Testbed experiments

  17. Speed Analysis. [Plot: fraction of trials vs. microseconds; series: Uncertain-100, Uncertain-1000, Uncertain-10000, VeriFlow] 15X less memory overhead (540MB vs. 9GB). Simulated network: BGP RIBs and update trace from RouteViews injected into 172-router AS 1755 topology, checking reachability invariant.

  18. Emulation: Segment-independent Policies. Controller-switch delay = network delay + processing delay: • Local (4ms) • Wide area (100ms). Measure: path completion time. [Diagram: NOX (Shortest path & load balancing), CCG, Mininet]

  19. Emulation: Segment-independent Policies. No fallback triggered. No additional memory. [Plots: fraction of trials vs. milliseconds, one panel for Local and one for Wide area; series: Optimal, CCG, CCG-waypoint, Dionysus, Consistent Updates, Incremental CU]

  20. Emulation: Non-segment-independent Policies. Traces from an enterprise network with 200+ layer-3 devices. One day, one snapshot per hour, 24 transitions, 4ms delay. • New rules were added first, then old rules deleted. Rules overlapped with longest prefix match, not segment-independent. [Plot: number of rules in the network vs. time (7/22/2014 to 7/23/2014), annotated with completion time; legend labels: Immediate Update, CCG, GCC, Consistent Updates] Fallbacks happened rarely. Overhead close to Immediate Update, with no transient connectivity violations.

  21. Conclusion. Uncertainty problem with network control. Uncertainty-aware network model. GCC, a system that • enforces customizable network consistency properties with • heuristically optimized efficiency. Ongoing work: • Study the generality of segment independency • Test with more data traces, and compare against the original implementation of Dionysus • Handle changes initiated from the network.
