Frenetic: Functional Reactive Programming for Networks

Nate Foster (Cornell), Mike Freedman (Princeton), Rob Harrison (Princeton), Matthew Meola (Princeton), Jennifer Rexford (Princeton), David Walker (Princeton). IBM PLDay 2010.


  1. Frenetic: Functional Reactive Programming for Networks
     Nate Foster (Cornell), Mike Freedman (Princeton), Rob Harrison (Princeton), Matthew Meola (Princeton), Jennifer Rexford (Princeton), David Walker (Princeton)
     IBM PLDay 2010

  2. Photo credit: http://www.flickr.com/photos/adrianblack

  3. Why Programmable Networks?
     Security
       • Access control
       • Traffic isolation
     Monitoring
       • Usage / billing
       • Anomaly detection
     Features
       • Virtual Private Networks
       • Content Distribution
       • Resource Indirection
       • Anycast

  4. Current State of Play
     It's a mess! [Caldwell et al. '03, Oppenheimer et al. '03]
     Configuration is vendor specific and complicated
     Hodgepodge of mechanisms:
       • OSPF / BGP for routing
       • ACLs for security
       • Netflow for monitoring
     Operator errors common and costly:
       • Outages
       • Degraded performance
       • Security vulnerabilities
     Configuration checkers and lint-like tools help a bit... but they are only a "band-aid", not a robust solution

  6. This Talk
       1. OpenFlow
       2. Examples
       3. Frenetic
       4. Implementation
       5. Current and Ongoing work

  7. OpenFlow

  8. Traditional Switch
     Control Plane
       • General-purpose hardware
       • Runs (distributed) routing protocols
       • Manipulates the forwarding table in the data plane
     Data Plane
       • Special-purpose hardware
       • Implements high-speed forwarding table
       • Processes packets at line speed

  9. OpenFlow Key Ideas (http://www.openflowswitch.org/)
       • Move control from switch to a stock machine
       • Standardize interface between switches and controller
     [Figure: Controller, Switches]

  11. OpenFlow Switch
      Switches process packets using rules described by:
        • pattern – identify a set of packets
        • priority – disambiguate rules with overlapping patterns
        • actions – specify processing of packets
        • counters – track number and size of packets processed

      Example (OpenFlow Rules)

        Pattern                        Priority  Actions                                                  Counters
        { in_port=2, trans_src=80 }    HIGH      [ (OFPAT_OUTPUT, PORT_1), (OFPAT_OUTPUT, CONTROLLER) ]   (3,1455)
        { in_port=2 }                  LOW       [ (OFPAT_OUTPUT, PORT_1) ]                               (20,12480)

  12. OpenFlow Controller
      Controller runs a program that responds to events in the network by installing / uninstalling rules and collecting statistics from counters.
      Event Handlers
        • switch_join(switch)
        • switch_leave(switch)
        • packet_in(switch, inport, packet)
        • stats_in(switch, pattern, stats)
      Messages
        • install(switch, pattern, priority, action)
        • uninstall(switch, pattern)
        • query_stats(switch, pattern)

  13. Examples

  14. Topology
      [Figure: a Controller and a Switch with ports 1 and 2]

  15. Static Forwarding
      [Figure: Controller; Switch with ports 1 and 2]

        def static_forwarding():
            # patterns
            p1 = { IN_PORT:1 }
            p2 = { IN_PORT:2 }
            # actions
            a1 = [(OFPAT_OUTPUT, PORT_2)]
            a2 = [(OFPAT_OUTPUT, PORT_1)]
            # install rules
            install(switch, p1, HIGH, a1)
            install(switch, p2, HIGH, a2)

  17. Forwarding + Per-Host Monitoring
      [Figure: Controller; Switch with ports 1 and 2]

        def static_forwarding_per_host_monitoring():
            # patterns
            p1 = { IN_PORT:1 }
            p2 = { IN_PORT:2 }
            # actions
            a1 = [(OFPAT_OUTPUT, PORT_2)]
            a2 = [(OFPAT_OUTPUT, CONTROLLER)]
            # install rules
            install(switch, p1, HIGH, a1)   # port 1 traffic is forwarded to port 2
            install(switch, p2, LOW, a2)    # port 2 traffic goes to the controller

        def packet_in(switch, inport, packet):
            # patterns
            p = { DL_DST:dstmac(packet) }
            pweb = { DL_DST:dstmac(packet), DL_TYPE:IP, NW_PROTO:TCP, TP_SRC:80 }
            # action
            a = [(OFPAT_OUTPUT, PORT_1)]
            # install rules
            install(switch, pweb, HIGH, a)
            install(switch, p, MEDIUM, a)
            # query counters
            query_stats(switch, pweb)

  18. OpenFlow Limitations
      Low-level interface to switch hardware
        • priorities used to disambiguate overlapping rules
        • no support for negation
        • wildcard vs. exact-match rules
      Two-tier programming model
        • controller program manipulates rules
        • asynchronous callbacks
        • tricky race conditions
      Program pieces don't compose
        • many programs decompose naturally into modules (e.g., forwarding + monitoring + access control)
        • but difficult to program in a compositional style because in general the rules manipulated by each module will overlap

  19. Frenetic

  20. Frenetic Ingredients
      High-level pattern algebra
        • Hides details of how rules are implemented on switches
        • Includes standard logical operators (e.g., negation)
      Unified programming model
        • Programs "see every packet"
        • Based on FRP → no asynchronous callbacks
      Fully compositional
        • Programs can operate on overlapping subsets of the traffic
        • Run-time system handles switch-level implementation details
      Main Challenge: having all these features without sacrificing performance.

  22. Frenetic Core
      E α       event stream carrying values of type α
      EF α β    operator that transforms an E α into an E β

        Packets  ∈ E packet
        Seconds  ∈ E int
        Apply    ∈ (EF a b × E a) → E b
        Lift     ∈ (a → b) → EF a b
        |O|      ∈ EF a b → EF b c → EF a c
        First    ∈ EF a b → EF (a × c) (b × c)
        Merge    ∈ (E a × E b) → E (a option × b option)
        LoopPre  ∈ (c × EF (a × c) (b × c)) → EF a b
        Calm     ∈ EF a a
        Filter   ∈ (a → bool) → EF a a
        Group    ∈ (a → b) → EF a (b × E a)
        Regroup  ∈ ((a × a) → bool) → EF (b × E a) (b × E a)
        Ungroup  ∈ int option × (b × a → b) → b → EF (c × E a) (c × b)

  23. Forwarding + Per-Host Monitoring

        # sum_sizes: (packet list) -> int
        def sum_sizes(l):
            return (reduce(lambda n,p:n + size(p),l,0))

        # per_host_monitoring_ef: EF packet (mac * int)
        def per_host_monitoring_ef():
            return (Filter(inport_fp(2) & srcport_fp(80)) |O|   # E packet
                    Group(dstmac_gp()) |O|                      # E (mac * E packet)
                    ReGroupByTime(30) |O|                       # E (mac * packet list)
                    Lift(lambda (m,l):(m,sum_sizes(l))))        # E (mac * int)

        # rules: (rule list)
        rules = [Rule(inport_fp(1), [output(2)]),
                 Rule(inport_fp(2), [output(1)])]

        # main function
        def per_host_monitoring():
            register_static(rules)
            stats = Apply(Packets(), per_host_monitoring_ef())
            print_stream(stats)

  24. Ethernet Learning

        # add_rule: (mac * packet) * ((mac * rule) list) -> ((mac * rule) list) * ((mac * rule) list)
        def add_rule(((m,p),t)): ...

        # complete_rules: ((mac * rule) list) -> (rule list)
        def complete_rules(t): ...

        # learning_switch_ef: EF packet
        def learning_switch_ef():
            return (Group(srcmac_gp()) |O|                # E (mac * E packet)
                    Regroup(inport_rf()) |O|              # E (mac * E packet)
                    Ungroup(1, lambda n,p:p, None) |O|    # E (mac * packet)
                    LoopPre({}, Lift(add_rule)) |O|       # E ((mac * rule) list)
                    Lift(complete_rules))                 # E (rule list)

        # main function
        def learning_switch():
            rules = Apply(Packets(), learning_switch_ef())
            register_stream(rules)

  25. Per-Host Monitoring + Learning

        def per_host_monitoring_learning_switch():
            # ethernet learning
            rules = Apply(Packets(), learning_switch_ef())
            register_stream(rules)
            # per-host monitoring
            stats = Apply(Packets(), per_host_monitoring_ef())
            print_stream(stats)

  26. Implementation
      [Figure: layered architecture. Frenetic Program (subscribe, Packets, register) / Run-Time System (install, packet_in, uninstall) / NOX / OpenFlow Switches]
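
The rule overlap named on the "OpenFlow Limitations" slide, as an added example (not code from the talk, Frenetic or NOX): a toy flow table applies only the highest-priority matching rule, so three independently written modules let blocked web traffic bypass the access-control rule until an extra rule is installed for the overlap. FlowTable, the numeric priorities, the MAC addresses and the packets are assumptions constructed for illustration.

```python
# Added illustration (hypothetical names, constructed packets); not Frenetic/NOX code.
LOW, MEDIUM, HIGH = 1, 2, 3
BLOCKED = "00:00:00:00:00:bd"             # constructed MAC of a blocked host
FWD = {"in_port": 2}                      # forwarding: port 2 -> port 1
ACL = {"in_port": 2, "dl_src": BLOCKED}   # access control: drop this host
WEB = {"in_port": 2, "tp_src": 80}        # monitoring: count web replies

class FlowTable:
    def __init__(self):
        self.rules = []   # [pattern, priority, actions, [packets, bytes]]

    def install(self, pattern, priority, actions):
        self.rules.append([pattern, priority, actions, [0, 0]])

    def process(self, pkt):
        """Apply only the highest-priority matching rule and bump its counters."""
        hits = [r for r in self.rules if all(pkt.get(k) == v for k, v in r[0].items())]
        if not hits:
            return []                     # assumption: a table miss drops the packet
        rule = max(hits, key=lambda r: r[1])
        rule[3][0] += 1
        rule[3][1] += pkt["size"]
        return rule[2]

    def counters(self, pattern):
        """Sum the counters of every rule at least as specific as `pattern`."""
        rs = [r[3] for r in self.rules
              if all(r[0].get(k) == v for k, v in pattern.items())]
        return (sum(c[0] for c in rs), sum(c[1] for c in rs))

def independent_modules():
    t = FlowTable()
    t.install(FWD, LOW, ["PORT_1"])
    t.install(ACL, MEDIUM, [])            # empty action list = drop
    t.install(WEB, HIGH, ["PORT_1"])      # monitor forwards so counting stays transparent
    return t

def composed_by_hand():
    t = independent_modules()
    t.install({**ACL, **WEB}, HIGH + 1, [])   # overlap of ACL and WEB: count and drop
    return t

PACKETS = [
    {"in_port": 2, "dl_src": "00:00:00:00:00:01", "tp_src": 80, "size": 500},
    {"in_port": 2, "dl_src": BLOCKED, "tp_src": 22, "size": 100},
    {"in_port": 2, "dl_src": BLOCKED, "tp_src": 80, "size": 955}]

def run(table):
    return [table.process(p) for p in PACKETS], table.counters(WEB)
```

With the independent modules the third packet (web traffic from the blocked host) is forwarded; with the hand-written overlap rule it is dropped, and the web counter is the same in both cases because it sums the overlap rule as well.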
