flip the flow table fast lightweight policy preserving
play

FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN - PowerPoint PPT Presentation

Aug 27, 2022 β€’99 likes β€’812 views

FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN Updates Stefano Vissicchio (UCLouvain) stefano.vissicchio@uclouvain.be INFOCOM 13th April 2016 Joint work with Luca Cittadini (Roma Tre University) SDN controller Operators

  1. FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN Updates Stefano Vissicchio (UCLouvain) stefano.vissicchio@uclouvain.be INFOCOM 13th April 2016 Joint work with Luca Cittadini (Roma Tre University)

  2. SDN controller

  3. Operators’ requirements are an input for SDN controllers requirements packet delivery firewall traversal

  4. To satisfy input requirements, the controller programs rules on the switches requirements packet delivery firewall traversal match flow F out apply F: F: action v in z u F: F:

  5. By applying such rules, switches can process incoming packets requirements packet delivery firewall traversal applied rule out flow F F: F: v in z u F: F:

  6. Switch rules have to be (frequently) updated e.g., for traffic surges, maintenance, new policies requirements packet delivery firewall traversal out F: F: v in z u F: F:

  7. How to update rules on switches safely, robustly and efficiently?

  8. How to update rules on switches safely, robustly and efficiently? requirements are not violated during the update

  9. How to update rules on switches safely, robustly and efficiently? independently of uncontrollable factors (messages lost, switch installation time, etc.)

  10. How to update rules on switches safely, robustly and efficiently? quickly and with low resource utilization

  11. FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN Updates Limitations of prior works Additional degrees of freedom Our approach

  12. FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN Updates Limitations of prior works Additional degrees of freedom Our approach

  13. How to update rules on switches safely, robustly and efficiently? Previous techniques cannot do it!

  14. Previous techniques belong to two main families ordered rule replacements [McClurg15] replace initial with final rules in a carefully-computed order two-phase commit [Reitblatt12,Jin14] add final rules to initial ones apply rules consistently, with packet tags

  15. Previous techniques belong to two main families ordered rule replacements [McClurg15] not always replace initial with final rules applicable in a carefully-computed order two-phase commit [Reitblatt12,Jin14] add final rules to initial ones apply rules consistently, with packet tags

  16. Ordering rule replacements is not possible in our example requirements packet delivery firewall traversal out flow F initial v in z u final

  17. Final rules cannot be installed on any switch among u, v and z requirements packet delivery firewall traversal out flow F F: F: v in z u F:

  18. Case 1) Installing final rule at u would violate our security policy requirements packet delivery firewall traversal install final rule out flow F F: F: v in z u v

  19. Case 2) Installing final rule at v would violate our security policy requirements packet delivery firewall traversal install final rule out flow F F: F: v in z u z F:

  20. Case 3) Installing final rule at z would prevent packet delivery requirements packet delivery firewall traversal install final rule out flow F F: F: v in z u F:

  21. Simultaneous rule replacements are not robust e.g., like in time-based approaches [Mizrahi16]

  22. In our example, we could instruct u, v and z to replace their rules at the same time t requirements packet delivery firewall traversal install final rules at t out flow F F: F: v in z u F:

  23. However, this can lead to transient problems at t e.g., because of per-switch installation time requirements packet delivery firewall traversal up to several seconds [Jin14] out flow F v in z u

  24. Also, we can trigger permanent problems at t e.g., if a switch does not apply a command requirements packet delivery firewall traversal w flow F v in z u

  25. Previous techniques belong to two main families ordered rule replacements [McClurg15] replace initial with final rules in a carefully-computed order two-phase commit [Reitblatt12,Jin14] inefficient add final rules to initial ones apply rules consistently, with packet tags

  26. Two-phase commit techniques are not efficient in our example requirements packet delivery firewall traversal out flow F F: F: v in z u F: F:

  27. Indeed, they are based on maintaining both initial and final rules on internal switches requirements packet delivery firewall traversal if tag 𝝊 , use final rule out F, 𝝊 : F, 𝝊 : flow F F: F: v in z u F, 𝝊 : F: F:

  28. So that switches keep applying initial rules… requirements packet delivery firewall traversal out F, 𝝊 : F, 𝝊 : flow F F: F: v in z u F: F, 𝝊 : F:

  29. … as long as packets are not tagged at the ingress requirements packet delivery firewall traversal out F, 𝝊 : F, 𝝊 : use final rule and add tag 𝝊 flow F F: F: v in z u F: 𝝊 F, 𝝊 : F:

  30. When packets are tagged at the ingress, all switches consistently use the final rules requirements packet delivery firewall traversal out F, 𝝊 : F, 𝝊 : flow F 𝝊 F: F: 𝝊 𝝊 v in z u 𝝊 F: 𝝊 F, 𝝊 : F:

  31. However, these techniques consumes precious and expensive memory (TCAM) entries requirements packet delivery firewall traversal out F, 𝝊 : F, 𝝊 : flow F 𝝊 F: F: 𝝊 v in z u 𝝊 F, 𝝊 : F: 𝝊 F:

  32. FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN Updates Limitations of prior works Additional degrees of freedom Our approach

  33. How to update rules on switches safely, robustly and efficiently? We can do it!

  34. The key intuition is to combine rule replacement and additions

  35. Let’s take back our example and start from the initial state requirements packet delivery firewall traversal out flow F F: F: v in z u F: F:

  36. We can start tagging packets at v, at the very beginning of the update requirements packet delivery firewall traversal add tag 𝝊 out flow F F: F: v in z u 𝝊 F:

  37. This does not change the applied rules (since no switch matches the tag yet) requirements packet delivery firewall traversal out 𝝊 flow F F: F: v in z u 𝝊 𝝊 F:

  38. We can then match the tag at z, still without changing the forwarding requirements packet delivery firewall traversal use initial rule, if and only if tag 𝝊 out F, 𝝊 : 𝝊 flow F F: F: v in z u 𝝊 𝝊 F:

  39. Tagging at v and matching at z unlock rule replacement at u requirements packet delivery firewall traversal install final rule out F, 𝝊 : 𝝊 flow F F: F: v in z u 𝝊 𝝊 F:

  40. Indeed, the resulting forwarding loop is traversed only once by packets requirements packet delivery firewall traversal used for packets from v out F, 𝝊 : 𝝊 flow F F: F: v in z u used for 𝝊 𝝊 F: packets from u

  41. We can then instruct v to apply its final rule (even in parallel with u) requirements packet delivery firewall traversal use final rule out F, 𝝊 : flow F F: F: v in z u F:

  42. and complete the update by cleaning z’s configuration requirements packet delivery firewall traversal use final rule out flow F F: F: v in z u F:

  43. Using both rule replacements and additions is more powerful than restricting to any of them solves our update problem contrary to ordered rule replacement ensures robustness rollbacking before affecting safety uses additional rules only on z 33% with respect to two-phase commit

  44. Using both rule replacements and additions makes the update problem more challenging larger search space we must consider combinations of rule replacements and additions tricky interactions in intermediate states e.g., we must distinguish loops that prevent packet delivery from the good ones

  45. FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN Updates Limitations of prior works Additional degrees of freedom Our approach

  46. We propose a framework to systematically combine rule replacements and additions formalization & modeling of problem, search space, and solutions FLIP algorithm to compute safe operational sequences evaluation including a comparison with the state of the art

  47. We released a prototype implementation of our approach compute sequence (input) (output) for flow 1 safe update operational … divide merge problem sequence compute sequence for flow N FLIP code available at http://inl.info.ucl.ac.be/softwares/flip

  48. In our formalization, we allow complex policies… compute sequence (input) (output) for flow 1 safe update operational … divide merge problem sequence compute sequence for flow N initial and final rules forwarding correctness policies: a flow must traverse path P1 or path P2 or … Pn

  49. … and combinations of rule replacements and additions compute sequence (input) (output) for flow 1 safe update operational … divide merge problem sequence compute sequence for flow N Each step includes replacements and additions safe to apply in any relative order before the next step

  50. FLIP is based on a divide-and-conquer approach compute sequence (input) (output) for flow 1 safe update operational … divide merge problem sequence compute sequence for flow N

Recommend

Two Birds, One Stone: A Fast, yet Lightweight, Indexing Scheme for Modern Database Systems Jia Yu

Two Birds, One Stone: A Fast, yet Lightweight, Indexing Scheme for Modern Database Systems Jia Yu

Two Birds, One Stone: A Fast, yet Lightweight, Indexing Scheme for Modern Database Systems Jia Yu and Mohamed Sarwat Arizona State University Motivation Tree index Fast index search Large storage overhead: 5% - 15% additional

371 views β€’ 23 slides
New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K.

New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K.

New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K. Schramm Workshop on Fast Software Encryption 2007 Outline Introduction Why lightweight? Why choose DES? DESL: DES Lightweight Why change DES?

364 views β€’ 12 slides
Digital Design Discussion: Flip-Flops D-Latch Design Latch vs. Flip-Flop Timing D-latch Design

Digital Design Discussion: Flip-Flops D-Latch Design Latch vs. Flip-Flop Timing D-latch Design

Principles Of Digital Design Discussion: Flip-Flops D-Latch Design Latch vs. Flip-Flop Timing D-latch Design Design a gated D-latch using NAND gates and inverters. Draw the schematic and create a truth table for it. An implementation of

54 views β€’ 4 slides
4/19/2013 Fast and reliable Portable and easy to install PRESERVING, GENERATING, AND

4/19/2013 Fast and reliable Portable and easy to install PRESERVING, GENERATING, AND

4/19/2013 Fast and reliable Portable and easy to install PRESERVING, GENERATING, AND VISUALIZING KNOWLEDGE OF ARCHITECTURALLY SIGNIFICANT REQUIREMENTS IN SOURCE CODE Institute for Software Research Distinguished Speaker Series University

534 views β€’ 25 slides
Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1. About Think Lightweight 2. What are Lightweight Structures? 3. Industry Applications 4. Product Line Review 5. Think Lightweight Component

832 views β€’ 43 slides
Hermes: A Language for Lightweight Encryption Torben gidius Mogensen RC 2020 Background:

Hermes: A Language for Lightweight Encryption Torben gidius Mogensen RC 2020 Background:

Hermes: A Language for Lightweight Encryption Torben gidius Mogensen RC 2020 Background: Lightweight Encryption Lightweight: Meant to be fast. Symmetric key: Same key used for encryption and decryption. Used in embedded systems, browsers,

300 views β€’ 12 slides
Ice Streams und Isbr 1 Ice Streams: Causes for Rapid Ice Flow Fast ice flow is controlled by

Ice Streams und Isbr 1 Ice Streams: Causes for Rapid Ice Flow Fast ice flow is controlled by

Ice Streams und Isbr 1 Ice Streams: Causes for Rapid Ice Flow Fast ice flow is controlled by many different factors which change on different time scales. Panel Controlling Factor Time Scale 7 meltwater fluxes short < 1 - 100 a 4

589 views β€’ 14 slides
Efficient Lightweight Compression Alongside Fast Scans Orestis Polychroniou Kenneth A. Ross

Efficient Lightweight Compression Alongside Fast Scans Orestis Polychroniou Kenneth A. Ross

Efficient Lightweight Compression Alongside Fast Scans Orestis Polychroniou Kenneth A. Ross DaMoN 2015, Melbourne, Victoria, Australia Databases & Compression Process data on disk Nearly unlimited capacity Affects query

490 views β€’ 48 slides
Fast lightweight accurate xenograft sorting (Faster xenograft sorting with 3-way bucketed Cuckoo

Fast lightweight accurate xenograft sorting (Faster xenograft sorting with 3-way bucketed Cuckoo

Fast lightweight accurate xenograft sorting (Faster xenograft sorting with 3-way bucketed Cuckoo hashing of k -mers) Sven Rahmann & Jens Zentgraf Genome Informatics, Institute of Human Genetics University of Duisburg-Essen, Essen, Germany

463 views β€’ 29 slides
On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1

On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1

On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1 AIST, Japan Kolkata, India (16 November 2018) 1 / 38 Table of contents 1 Introduction 2 Lightweight Crypto Stack for Circuit/RAM Size Requirement

670 views β€’ 38 slides
INTEGRA: INTEGRA: Fast Multi-Bit Flip-Flop Clustering for Clock Power Saving Based on g

INTEGRA: INTEGRA: Fast Multi-Bit Flip-Flop Clustering for Clock Power Saving Based on g

INTEGRA: INTEGRA: Fast Multi-Bit Flip-Flop Clustering for Clock Power Saving Based on g Interval Graphs I RIS H UI -R U J IANG C HIH -L ONG C HANG Y U M ING Y ANG Y U -M ING Y ANG NCTU NCTU E VAN Y U -W EN T SAI L ANCER S HENG -F ONG C HEN L

598 views β€’ 44 slides
Tidy Table Tidy Table | The Problem Food courts and fast food restaurants are often full of empty,

Tidy Table Tidy Table | The Problem Food courts and fast food restaurants are often full of empty,

Purple B Sketch Model Review Tidy Table Tidy Table | The Problem Food courts and fast food restaurants are often full of empty, but dirty/trash-covered tables . McDonalds Lobdell Tidy Table | Design Goal Design a new table to simply and

690 views β€’ 13 slides
Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond

Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond

Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond Cheng, Dawn Song | UC Berkeley & Oasis Labs with support from the TVM team and community! Ideal: data providers pool data to train a large, complex

1.41k views β€’ 58 slides
Fast Anisotropic Smoothing of Multi-Valued Images using Curvature-Preserving PDEs David

Fast Anisotropic Smoothing of Multi-Valued Images using Curvature-Preserving PDEs David

Fast Anisotropic Smoothing of Multi-Valued Images using Curvature-Preserving PDEs David Tschumperl CNRS UMR 6072 (GREYC/ENSICAEN) - Image Team MIA2006, Paris/France, Sept. 2006 Presentation Layout Diffusion PDEs for Multi-Valued

523 views β€’ 51 slides
Generation of Flow-Preserving Orocos Implementations of Simulink/Scicos Models Matteo Morelli and

Generation of Flow-Preserving Orocos Implementations of Simulink/Scicos Models Matteo Morelli and

Generation of Flow-Preserving Orocos Implementations of Simulink/Scicos Models Matteo Morelli and Marco Di Natale IEEE-ICRA 2013, Workshop On Software Development and Integration in Robotics May 6th, 2013 TeCIP Institute, Scuola Superiore

733 views β€’ 23 slides
Privacy Preserving Privacy Preserving Netw ork Flow Netw ork Flow Recording Recording Bilal

Privacy Preserving Privacy Preserving Netw ork Flow Netw ork Flow Recording Recording Bilal

Privacy Preserving Privacy Preserving Netw ork Flow Netw ork Flow Recording Recording Bilal Shebaro Shebaro (Computer Science (Computer Science- - UNM) UNM) Bilal Jedidiah R. Crandall R. Crandall (Computer Science (Computer Science- -

464 views β€’ 33 slides
Fast Software Cache Design for Network Appliances Dong Zhou, Huacheng Yu, Michael Kaminsky,

Fast Software Cache Design for Network Appliances Dong Zhou, Huacheng Yu, Michael Kaminsky,

Fast Software Cache Design for Network Appliances Dong Zhou, Huacheng Yu, Michael Kaminsky, David G. Andersen Flow Caching in Open vSwitch Microflow Cache Exact Match Single Hash Table 2 Flow Caching in Open vSwitch srcAddr=10.1.2.3,

571 views β€’ 28 slides
Lightweight Concurrency Primitives for GHC Peng Li Simon Peyton Jones Andrew Tolmach Simon

Lightweight Concurrency Primitives for GHC Peng Li Simon Peyton Jones Andrew Tolmach Simon

Lightweight Concurrency Primitives for GHC Peng Li Simon Peyton Jones Andrew Tolmach Simon Marlow The Problem GHC has rich support for concurrency & parallelism: Lightweight threads ( fast ) Transparent scaling on a

463 views β€’ 30 slides
Fast data reading with fread() DATA MAN IP ULATION W ITH DATA.TABLE IN R Matt Dowle, Arun

Fast data reading with fread() DATA MAN IP ULATION W ITH DATA.TABLE IN R Matt Dowle, Arun

Fast data reading with fread() DATA MAN IP ULATION W ITH DATA.TABLE IN R Matt Dowle, Arun Srinivasan Instructors, DataCamp Blazing FAST! Fast and parallel le reader Argument nThread controls the number of threads to use DATA

433 views β€’ 27 slides
IoT-Flows: Lightweight Policy Enforcement of Information Flows in IoT Infrastructures Jos

IoT-Flows: Lightweight Policy Enforcement of Information Flows in IoT Infrastructures Jos

IoT-Flows: Lightweight Policy Enforcement of Information Flows in IoT Infrastructures Jos Augusto Suruagy Monteiro Centro de Informtica - UFPE IoT-Flows: US Subteam (PIs) Prof. Atul Prakash (UMich) Expert on security and IoT Prof. Darko

455 views β€’ 24 slides
Atomic page flip and mode setting Hardware structure and abstraction Atomic page flip The

Atomic page flip and mode setting Hardware structure and abstraction Atomic page flip The

Atomic page flip and mode setting Hardware structure and abstraction Atomic page flip The hardware will compose the final image from two layers. Atomic page flip Animating the scene Atomic page flip There are problems with

620 views β€’ 18 slides
Bob Martinez & Eddie Tchertchian Pierce College FTLA 2018 Do A Flip! How to set up and run

Bob Martinez & Eddie Tchertchian Pierce College FTLA 2018 Do A Flip! How to set up and run

Bob Martinez & Eddie Tchertchian Pierce College FTLA 2018 Do A Flip! How to set up and run a Flip Math class Guiding principle: Your flip must be ridiculously organized (or it will not work) Follow the sections youll be using in

795 views β€’ 45 slides
ACORN v3 A Lightweight Authenticated Cipher Hongjun Wu Nanyang Technological University DIAC

ACORN v3 A Lightweight Authenticated Cipher Hongjun Wu Nanyang Technological University DIAC

ACORN v3 A Lightweight Authenticated Cipher Hongjun Wu Nanyang Technological University DIAC 2016 ACORN 1 Different Design Approaches: AES-NI (AEGIS) Fast SIMD (MORUS) Mode (JAMBU) Lightweight Dedicated ( ACORN ) DIAC 2016 ACORN 2

358 views β€’ 15 slides
FLiMS: Fast Lightweight Merge Sorter 2018 International Conference on Field-Programmable

FLiMS: Fast Lightweight Merge Sorter 2018 International Conference on Field-Programmable

FLiMS: Fast Lightweight Merge Sorter 2018 International Conference on Field-Programmable Technology (FPT) P h i l i p p o s P a p a p h i l i p p o u C h r i s B r o o k s Wa y n e L u k D e p t . o f

655 views β€’ 40 slides

More recommend