Reusing Network Services Logic to Improve Network Performance - Yotam Harchol (PowerPoint presentation)



  1. Reusing Network Services Logic to Improve Network Performance
  Yotam Harchol (this work was done while at the Hebrew University of Jerusalem). Joint work with Anat Bremler-Barr and David Hay. Appeared in ACM SIGCOMM 2016.
  This research was supported by the European Research Council, ERC Grant agreement no. 259085, the Israeli Centers of Research Excellence (I-CORE) program (Center No. 4/11), and the Neptune Consortium.

  2. Network Functions (Middleboxes)
  • Monolithic, closed black-boxes (e.g., Firewall, Load Balancer, Intrusion Prevention System)
    ✘ High cost
    ✘ Limited provisioning and scalability
  Network Function Virtualization (NFV):
    ✔ Reduces cost (by moving to software)
    ✔ Improves provisioning and scalability
  At the cost of:
    ✘ Reduced performance, mainly latency (by virtualizing software NFs)

  3. Network Functions (Middleboxes)
    ✘ High cost
    ✘ Limited provisioning and scalability
    ✘ Limited and separate management:
      • Different vendors
      • No standards
      • Separate control plane

  4. Network Functions (Middleboxes)
  • Actually, many of these black-boxes are internally very modular.
    ✘ High cost
    ✘ Limited provisioning and scalability
    ✘ Limited and separate management
    ✘ Limited functionality and limited innovation (high entry barriers)
    ✘ Similar complex processing steps, but no re-use

  5. OpenBox (www.openboxproject.org, github.com/OpenBoxProject)
  • OpenBox: a new software-defined framework for network functions
  • Decouples network function control from the data plane
  • Unifies the data plane of multiple network functions
  Benefits (figure: one OpenBox Controller managing several OpenBox Instances, OBIs):
    ✔ Easier, unified control
    ✔ Better performance (improved latency)
    ✔ Scalability
    ✔ Flexible deployment
    ✔ Inter-tenant isolation
    ✔ Innovation

  6. Software Defined Networking
  The slide maps each middlebox problem onto its switch counterpart that SDN addressed:
  • High cost of middleboxes / switches
  • Limited provisioning and scalability of middleboxes / switches
  • Limited management of middleboxes / switches
  • Limited functionality and limited innovation
  • Complex processing steps / complex distributed algorithms
  (Figure: an OpenFlow Controller over switches next to an OpenBox Controller over OBIs)
  40%-60% of the appliances in large-scale networks are middleboxes! [Sherry & Ratnasamy, '12]

  7. The OpenBox Framework
  • Network functions are OpenBox Applications, written against the Northbound API
  • Control plane: a logically-centralized OpenBox Controller
  • OpenBox Protocol between the controller and the data plane
  • Data plane: OpenBox Service Instances
  Additionally:
    ✔ Isolation between NFs / multiple tenants
    ✔ Support for hardware accelerators
    ✔ The protocol can be extended dynamically

  8. Observation: most network functions perform very similar processing steps, but there is no re-use. The design of the OpenBox framework is based on this observation.

  9. Network Function Decomposition
  (Figure: each network function decomposed into a processing graph of blocks)
  • Firewall: Read Packets → Header Classifier → Drop / Alert / Output
  • Load Balancer: Read Packets → Header Classifier → Rewrite Header → Output
  • Intrusion Prevention System: Read Packets → Header Classifier → DPI (several DPI blocks) → Drop / Alert / Output

  10. Northbound API
  (Figure: the Firewall, Load Balancer and Intrusion Prevention System processing graphs from slide 9, as OpenBox Applications above the controller)
  • OpenBox Applications use the NB API to specify a processing graph, events, and block configuration
  • The OpenBox Controller receives load information back from the applications' side of the API
  • Control plane: OpenBox Controller; OpenBox Protocol; Data plane: OpenBox Service Instances

  11. Logically-Centralized Controller
  • Multiple tenants run multiple applications for multiple policies in the same network
  • Isolation between applications and tenants is enforced by the NB API
  • Network-wide view
  • Automatic scaling, provisioning, placement, and steering
  (Figure: the OpenBox Controller next to an SDN Controller; the OpenBox Protocol reaches OpenBox Service Instances, the SDN Protocol reaches SDN Switches)

  12. Naïve Graph Merge
  (Figure: the Firewall graph followed by the Intrusion Prevention System graph)
  • Concatenated processing graph: the IPS graph is appended after the Firewall graph, so a packet passes through a Header Classifier (Firewall) and then a second Header Classifier (IPS) before DPI.
  • Per-block latencies shown on the slide: 10 µs, 10 µs, 30 µs, 2 µs, 2 µs, 30 µs and 50 µs; total along the path: 134 µs.
  • Performance ≈ diameter of the graph (number of classifiers on the path)

  13. Graph Merge Algorithm
  How should the two input graphs be merged?
  • Firewall: Read Packets → Header Classifier → Drop / Alert / Output
  • Intrusion Prevention System: Read Packets → Header Classifier → DPI (several DPI blocks) → Drop / Alert / Output

  14. Graph Merge Algorithm
  Step 1: Normalize graphs to trees.
  (Figure: the Firewall and IPS graphs redrawn as trees; blocks reached along more than one path, such as Output, Drop and Alert, appear as separate leaves on each branch)

  15. Graph Merge Algorithm
  Step 2: Concatenate graphs.
  (Figure: a copy of the IPS tree, labelled (IPS), is attached after each point where the Firewall tree, labelled (Firewall), hands packets on, so the combined tree contains one Header Classifier per copy)

  16. Graph Merge Algorithm
  Step 3: Merge classifiers.
  (Figure: the Firewall Header Classifier and the adjacent IPS Header Classifier copies are merged into a single Header Classifier)

  17. Graph Merge Algorithm
  Step 3 (continued): Merge classifiers.
  Merging also applies where a Firewall block (Alert) sits between the two classifiers, which raises the question: can we change block order?

  18. Graph Merge Algorithm
  Step 3 (continued): Merge classifiers.
  (Figure: after the reordering, the Alert (Firewall) blocks follow the single merged Header Classifier, and each branch continues into the DPI, Drop, Alert (IPS) and Output blocks of the IPS tree)

  19. Graph Merge Algorithm
  Step 4: Remove redundant block copies (and rewire connectors accordingly).
  (Figure: the duplicated DPI, Alert and Output blocks produced by concatenation are collapsed back into one copy each)

  20. Graph Merge Algorithm
  Merged processing graph: Read Packets → one Header Classifier → Alert (Firewall) / Drop → DPI → Alert (IPS) → Output.
  • Per-block latencies shown on the slide: 30 µs, 2 µs, 2 µs, 50 µs, 10 µs and 10 µs; total: 104 µs (22% improvement over the 134 µs of the naïve concatenation)
  • Shorter diameter (fewer classifiers on the path)
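To make the latency argument concrete, the following added example (not code from the OpenBox project or the authors) rebuilds the naïvely concatenated and the merged Firewall+IPS graphs as small DAGs and computes their diameter as the latency of the longest path. The block latencies are the values printed on slides 12 and 20; the exact edges, and which block each latency belongs to, are an assumption reconstructed from the slides' block names.

```python
from functools import lru_cache

# Per-block latencies in microseconds, the values shown on slides 12 and 20
# (the assignment of each value to a block type is an assumption).
LATENCY_US = {"ReadPackets": 10, "HeaderClassifier": 30, "DPI": 50,
              "Alert": 2, "Drop": 2, "Output": 10}

def block_type(node):
    # Node names are "Type" or "Type:owner" (e.g. "Alert:fw"); the type picks the latency.
    return node.split(":")[0]

def diameter_us(graph):
    """Latency of the longest path through a processing DAG (sum of block latencies)."""
    @lru_cache(maxsize=None)
    def longest(node):
        succ = graph.get(node, [])
        return LATENCY_US[block_type(node)] + (max(longest(s) for s in succ) if succ else 0)
    return max(longest(n) for n in graph)

def improvement_pct(before_us, after_us):
    return round(100 * (before_us - after_us) / before_us)

# Naive concatenation (slide 12): the IPS graph runs after the firewall, so
# packets the firewall alerts on or passes cross a second Header Classifier.
CONCATENATED = {
    "ReadPackets": ["HeaderClassifier:fw"],
    "HeaderClassifier:fw": ["Drop:fw", "Alert:fw", "HeaderClassifier:ips"],
    "Alert:fw": ["HeaderClassifier:ips"],
    "Drop:fw": [],
    "HeaderClassifier:ips": ["DPI", "Output"],
    "DPI": ["Drop:ips", "Alert:ips", "Output"],
    "Alert:ips": ["Output"], "Drop:ips": [], "Output": [],
}

# Merged graph (slide 20): one classifier decides the combined branch, and the
# redundant block copies produced by concatenation have been removed (Step 4).
MERGED = {
    "ReadPackets": ["HeaderClassifier"],
    "HeaderClassifier": ["Drop:fw", "Alert:fw", "DPI", "Output"],
    "Alert:fw": ["DPI", "Output"],
    "Drop:fw": [],
    "DPI": ["Drop:ips", "Alert:ips", "Output"],
    "Alert:ips": ["Output"], "Drop:ips": [], "Output": [],
}

if __name__ == "__main__":
    before, after = diameter_us(CONCATENATED), diameter_us(MERGED)
    print(before, after, improvement_pct(before, after))  # 134 104 22
```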

  21. When NOT to Merge?
  When the cross product is too large:
  • Two $d$-dimensional classifiers: A with $n$ rules, B with $m$ rules
  • Classification time is logarithmic in the number of rules and exponential in the dimension
  • Serial classification time: $(\log n)^{d-1} + (\log m)^{d-1}$
  • Cross product: $n \cdot m$ rules (worst case)
  • Single (merged) classifier, worst-case time:
    $$(\log(n \cdot m))^{d-1} = (\log n)^{d-1} + (\log m)^{d-1} + \sum_{j=1}^{d-2} \binom{d-1}{j} (\log n)^{j} (\log m)^{d-j-1} > (\log n)^{d-1} + (\log m)^{d-1}$$
  When most packets won't go through both classifiers:
  (Figure: Classifier A, whose branches lead either to Drop or on to Classifier B and Output)
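As an added worked instance of the expansion above (not on the slide, using the slide's symbols): for $d = 2$ the cross-term sum is empty, so $\log(n \cdot m) = \log n + \log m$ and the merged classifier costs nothing extra in the worst case; for the 5-tuple case $d = 5$ the sum has three terms:
$$(\log n + \log m)^{4} = (\log n)^{4} + (\log m)^{4} + 4 (\log n)^{3} \log m + 6 (\log n)^{2} (\log m)^{2} + 4 \log n \, (\log m)^{3} .$$
Every extra term is positive, so the merged classifier is strictly slower than the serial pair in the worst case, and the gap widens as $d$ grows.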

  22. OpenBox Data Plane Processing
  Block catalogue, by category:
  • Terminals: Read Packets, Output, Drop
  • Normalization: HTML Normalizer, JavaScript Normalizer, XML Normalizer
  • Classification: Header Classifier, DPI
  • Reporting: Alert, Log
  • Caching: Store Packet, Restore Packet
  • Queue Management: FIFO Queue, Leaky Bucket Queue, RED Queue, Front Drop Queue
  • De/compression: Gzip Decompress, Gzip Compress
  • Transactions: Begin Transaction, Commit Transaction, Rollback Transaction
  • Header Modification: Rewrite Header, VLAN Push, VLAN Pop

  23. OpenBox Data Plane Processing
  (Same block catalogue as slide 22: Terminals, Normalization, Classification, Reporting, Caching, Queue Management, De/compression, Transactions, Header Modification)
  OpenBox Service Instance (virtual or physical):
  • Provides data plane services to realize the logic of network functions
  • Controlled by the logically-centralized OpenBox controller

  24. Distributed Data Plane
  (Figure: one processing graph split across two OpenBox Service Instances)
  • Hardware OpenBox Service Instance (TCAM), e.g., an OpenFlow switch with encapsulation features (e.g., NSH, Geneve, FlowTags): runs the Header Classifier
  • Software OpenBox Service Instance: runs DPI, Alert and Rewrite Header
  • Header metadata is passed from the hardware instance to the software instance
