FOUNDATIONS OF INTENT-BASED NETWORKING Loris D’Antoni, Aditya Akella, Aaron Gember-Jacobson
2 Network Policies [Figure: cloud network and enterprise networks]
3 Tenant Network Policies • Reachability: A can talk to B • Waypoints: C to B traffic goes through a Firewall [Figure: enterprise network with hosts A, B and C]
4 Cloud Network Policies • Network isolation: Tenant 1 and 2’s traffic must not affect each other • Network resource management • Fault tolerance [Figure: switches S1-S10 with 100Gbps links; Tenant 1 and Tenant 2 network policies]
5 Intent-based networking INPUT: High-level language to specify policies → Synthesize → OUTPUT: Policy-compliant network configurations
6 GENESIS: SYNTHESIZING FORWARDING TABLES IN MULTI-TENANT NETWORKS Kausik Subramanian [Subramanian, D’Antoni, Akella, POPL17]
7 Software-defined Networks • Enforcing policies using conventional distributed networks is difficult • SDN Controller: Centralized controller enforces policies • Programmable switch rules: Match: Packet headers; Action: Forward to next switch • SSH traffic at S3 is forwarded to S7 [Figure: SDN controller above switches S1-S10]
8 Support for complex and diverse policies High-level language to specify policies → Genesis → Switch forwarding tables • Enforcing certain policies is NP-complete • Genesis uses Satisfiability Modulo Theories (SMT) solvers to synthesize forwarding tables
9 Outline of the Talk • Motivation • Synthesis of forwarding tables in Genesis • Scaling to large workloads: Tactics • Genesis extensions and conclusions
10 Synthesis Approach INPUT: High-level policies + Topology → Constraints on Fwd and Reach → Paths from Fwd and Reach solution → OUTPUT: Forwarding tables • Abstract Representation: (Fwd, Reach)
11 Semantics of (Fwd, Reach) • Fwd(S1, ID) = S2: Switch S1 forwards to S2 • Reach(S2, ID) = 1: Specifies that S2 is reachable in 1 step from source • Path S1 → S2 → S3: Fwd(S1, ID) = S2, Fwd(S2, ID) = S3; Reach(S1, ID) = 0, Reach(S2, ID) = 1, Reach(S3, ID) = 2
12 Reachability Constraints • If a switch is reachable in k steps, one of its neighbors must be reachable in k-1 steps [Figure: switches S1-S5 with SRC and DST, labelled Fwd(S3, ID) = S4, Reach(S3, ID) = k-1, Reach(S2, ID) = k-1, Reach(S4, ID) = k]
13 Policy Constraints • Waypoint: Blue Tenant specifies path must traverse through S4 (Reach(S4, ID) = k) • Isolation: Blue Tenant and Red Tenant paths do not share any link • Traffic Engineering: Using SMT-OPT [Figure: switches S1-S5 with labels (S3, ID1) and (S3, ID2)]
14 THE END?
15 Baseline Synthesis Evaluation Setup • Genesis implemented in Python, uses Z3 SMT solver • Multi-tenant isolation: Each tenant has a single reachability policy, and all tenant paths are mutually isolated • Medium-sized fat-tree datacenter topologies
16 Baseline Synthesis Evaluation • Exponential Complexity • Synthesis time for over 60 tenants takes >5000s • To scale to large networks and workloads, we need further algorithmic insights and optimizations
17 SCALING TO LARGE WORKLOADS: TACTICS
18 Tactics: Motivation • Edge-to-edge paths: 272 • Large search space • Use network structure to specify path properties [Figure: topology with Core, Aggregate and Edge layers]
19 Tactics as regular expressions • No Edge Tactic: Not (Edge .* Edge .* Edge) [Figure: topology with Core, Aggregate and Edge layers]
20 Tactics: Constraint Reduction • Genesis uses tactics as a search strategy to eliminate constraints • No Edge Tactic ensures no intermediate edge switch [Figure: switch S with Reach(S) = k and neighbors C1, A1, E1, labelled Reach(C1) = k-1, Reach(A1) = k-1, Reach(E1) = k-1]
21 Tactics: Algorithmic Properties • Specified using a restricted subset of regular expressions • Sound and Complete algorithm for enforcing them • Policy-agnostic • The operator can develop a repository of tactics based on their topology
22 Tactics: Evaluation • Multi-tenant isolation workload • Valley-Free Tactic and No Edge Tactic • Valley-Free Tactic speedup: 400x
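Added example, not from the talk or from Genesis itself: the (Fwd, Reach) synthesis of slides 10-13 with waypoint and isolation policies, plus the No Edge tactic of slides 19-20 applied as a regular expression that filters candidate paths by switch layer. Exhaustive path enumeration stands in for the Z3 solver; the topology, the tenant names and every function name are assumptions made for the illustration.

```python
import re

# Constructed topology: E* = edge, A* = aggregate, C* = core (layer = first letter).
LINKS = [("E1", "A1"), ("E1", "A2"), ("E2", "A1"), ("E2", "A2"), ("A1", "C1"),
         ("A2", "C2"), ("C1", "A3"), ("C2", "A4"), ("A3", "E3"), ("A4", "E3")]
NO_EDGE = re.compile(r"E.*E.*E")  # slide tactic: Not (Edge .* Edge .* Edge)

def neighbors(links):
    adj = {}
    for a, b in links + [(b, a) for a, b in links]:
        adj.setdefault(a, set()).add(b)
    return adj

def simple_paths(adj, path, dst):
    """Yield every loop-free extension of `path` that ends at dst."""
    if path[-1] == dst:
        yield path
        return
    for n in sorted(adj[path[-1]]):
        if n not in path:
            yield from simple_paths(adj, path + [n], dst)

def links_of(path):
    return {frozenset(hop) for hop in zip(path, path[1:])}

def candidates(links, src, dst, waypoint=None, tactic=None):
    """Paths meeting the waypoint policy; a tactic drops paths whose layer string it matches."""
    ok = [p for p in simple_paths(neighbors(links), [src], dst)
          if (waypoint is None or waypoint in p)
          and not (tactic and tactic.fullmatch("".join(s[0] for s in p)))]
    return sorted(ok, key=lambda p: (len(p), p))

def synthesize(links, policies, tactic=None, chosen=None, used=frozenset()):
    """policies: [(tenant, src, dst, waypoint)], all tenants mutually isolated.
    Returns {tenant: path}, or None when the policies cannot all be satisfied."""
    chosen = chosen or {}
    if len(chosen) == len(policies):
        return chosen
    tenant, src, dst, waypoint = policies[len(chosen)]
    for p in candidates(links, src, dst, waypoint, tactic):
        if not links_of(p) & used:  # isolation: share no link with another tenant
            found = synthesize(links, policies, tactic, {**chosen, tenant: p}, used | links_of(p))
            if found is not None:
                return found
    return None

def tables(path):
    """Path -> (Fwd, Reach): Fwd(s) = next hop, Reach(s) = steps from the source."""
    return dict(zip(path, path[1:])), {s: k for k, s in enumerate(path)}
```

In this topology the tactic halves the edge-to-edge candidates from E1 to E3 (4 to 2) without changing the solution for a waypoint at C2. A waypoint policy that names the edge switch E2 becomes unsatisfiable once the tactic is applied, because every path through E2 is pruned.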
23 Outline of the Talk • Motivation • Synthesis of forwarding tables in Genesis • Scaling Genesis: Tactics and Divide-and-Conquer • Genesis extensions and conclusions
24 Genesis Extensions • Genesis: Rich Policy Language, Synthesis using SMT • Resilient Paths • Network Repair
25 Network Resilience • Single path: Not resilient • t-resilience: For events under t arbitrary link failures, there exists a valid path [Figure: cloud network with switches S1, S2, S3 and a link failure]
26 Policy-compliant Resiliency • For 1-resilience, backup path must be edge-disjoint from original path • Sound transformation of input policies to provide t-resilience [Figure: cloud network with switches S1, S2, S3; isolation policy, 1-resilient backup path]
27 Minimal Reactive Network Repair • Best repair: Minimize change overhead • Genesis uses MaxSMT [Figure: cloud network and policies]
28 Network Repair Evaluation • Multi-tenant isolation workload • One switch-failure, network repair such that number of switches affected is minimized • For larger workloads, repair is faster than re-synthesis.
29 CONCLUSION
30 INPUT: High-level policies on paths and switches → Genesis → OUTPUT: Switch forwarding tables satisfying policies • OSPF and BGP configurations • Efficient optimal repair