Reflections on Data Integration for SDN
Anduo Wang†, Jason Croft*, Eduard Dragut†
†Temple University, *University of Illinois at Urbana-Champaign
SDN-NFV Security ’17, March 24, 2017

SDN Design Principles
• SDN builds off principles from other areas of research to simplify control:
  • Programming languages
  • Operating systems
  • Distributed systems
• Contributes to design of network control via high-level abstractions
• We propose: building on principles from databases, namely data integration

Composing SDN Applications is Still Hard
[Figure: control applications (Routing, Firewall, Load Balancer) run on a Controller above an OpenFlow network with switches s1 and s2. Their requests: block traffic to s2, install route from s1 to s2, balance traffic to s2.]
• Network Integration Problem: How to combine into a coherent whole?

Example: Firewall and Load Balancer
• Firewall: Blacklist (public IP, client IP)
• Load Balancer:
  • Translate destination public IPs → private IPs
  • Translate source private IPs → public IPs
[Figure: client c1 (10.0.0.1), public address 192.168.0.1, servers r1 (192.168.1.1, private) and r2 (192.168.1.2, private)]
• Correct composition: if(from_client, fw>>lb, lb>>fw)

Building on Data Integration
• Data integration: combining data from multiple sources to create a unified whole
• Data integration system: I = <G, S, M>
  • G: global schema
  • S: data sources
  • M: semantic mappings
[Figure: queries are posed against the Global schema, which is connected by Mappings to Source 1, Source 2, Source 3 and Source 4]

Network Integration Problem
• Network integration system: I_N = <G_N, S_N, M_N>
  • G_N: consistent dataplane, with integrity constraints
  • S_N: network states contributed by applications
  • M_N: mapping synchronizing application states and dataplane under integrity constraints
• Two challenges:
  1. Performance: fast updates of global data, arbitrarily complex integrity constraints
  2. Correctness: behavioral dependency between sources

Challenge #1: Performance
• SDN applications have rich semantics, complex integrity constraints
• Dataplane must support these arbitrarily complex constraints
• Each update must be checked against constraints, rolled back if violated
• Problem: fast writes and constraint checking
• Solution: baseline design
[Figure: three designs compared.
  Global-as-view: data sources are tables, global schema is a view.
  Local-as-view: data sources are views, global schema is a table.
  Baseline: data sources are App 1 and App 2, global schema is the dataplane.]

Baseline Design
• Global dataplane (G_N) modeled as:

  topology
    sid  nid
    s1   s2
    s1   h1
    s1   s4
    ...

  reachability_matrix
    fid  src  dst  vol  ...
    1    h1   h4   1
    2    h2   h3   1
    ...

  configuration
    fid  sid  nid
    1    s1   s4
    1    s4   h4
    ...

[Figure: Flow 1 follows h1, s1, s4, h4. Flow 2 follows h2, s2, s3, h3.]

View-Based Applications
• Control applications as data sources
• Partial view and control of global schema G_N
• Easily extensible
• SDN control software coded as a control loop with a monitor-reconfigure pattern
[Figure: control loop between Application and Network. Monitor: the violation view reports a violation. Computation. Reconfigure: the repair rule issues an update.]

Fast Updates with Violation Views
• Firewall example:

  Policy Definition

    CREATE TABLE fw_blacklist (
      end1 integer,
      end2 integer
    );

  Violation View

    CREATE VIEW fw_violation AS (
      SELECT fid FROM reachability_matrix
      WHERE (src, dst) NOT IN
        (SELECT end1, end2 FROM acl)
    );

• Disable default constraint checking, rollbacks
• Instead, applications make smart updates that are guaranteed to respect constraints in the first place

Challenge #2: Correctness
• Complex interactions between applications
• Applications require orchestration to resolve conflicts
• Dependency: one module’s update may trigger violation of another
• If an operation in A depends on an operation in B, then A activates B
[Figure: Firewall rule: match client, public ip; block. Load Balancer rules: match private srcip; rewrite -> public srcip, and match public dstip; rewrite -> private dstip. "Activates" arrows link the Firewall and Load Balancer rules.]

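The firewall violation view and the cross-application dependency from the two slides above, as an added example that is not code from the talk or from the authors' system. Assumptions: SQLite stands in for the database, hosts are TEXT names as in the baseline tables rather than integers, `acl` is the pair list the view compares against, and `repair` and `lb_update` are hypothetical helpers.

```python
import sqlite3

SCHEMA = """
CREATE TABLE reachability_matrix (fid INTEGER PRIMARY KEY, src TEXT, dst TEXT, vol INTEGER);
-- NOT NULL matters: a NULL in acl turns NOT IN into "unknown" for rows that
-- match nothing, so the view would silently stop reporting violations.
CREATE TABLE acl (end1 TEXT NOT NULL, end2 TEXT NOT NULL);
CREATE VIEW fw_violation AS
  SELECT fid FROM reachability_matrix
  WHERE (src, dst) NOT IN (SELECT end1, end2 FROM acl);
"""

def build():
    """In-memory dataplane; flows follow the baseline slide, the acl row is constructed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO reachability_matrix VALUES (?, ?, ?, ?)",
                     [(1, "h1", "h4", 1), (2, "h2", "h3", 1)])
    conn.execute("INSERT INTO acl VALUES ('h1', 'h4')")  # constructed policy row
    return conn

def violations(conn):
    """Monitor step: read the firewall's violation view."""
    return [r[0] for r in conn.execute("SELECT fid FROM fw_violation ORDER BY fid")]

def repair(conn):
    """Reconfigure step (hypothetical repair rule): remove every violating flow."""
    bad = violations(conn)
    conn.executemany("DELETE FROM reachability_matrix WHERE fid = ?",
                     [(fid,) for fid in bad])
    return bad

def lb_update(conn, fid, new_dst):
    """Hypothetical load-balancer write: retarget a flow to another destination."""
    conn.execute("UPDATE reachability_matrix SET dst = ? WHERE fid = ?", (new_dst, fid))

if __name__ == "__main__":
    conn = build()
    print("violations before repair:", violations(conn))
    print("flows removed by repair:", repair(conn))
    lb_update(conn, 1, "h3")  # a write by another application...
    print("violations after load-balancer update:", violations(conn))  # ...activates the firewall
```

With constraint checking and rollbacks disabled, nothing stops the load balancer's write, so the firewall's view is the only place the new violation becomes visible.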
Looking Forward: Building on Irrelevant Updates
• Cast as database irrelevant updates problem for views
• Can an update to a base table (dataplane) affect a view (an application)?
• Statically analyze application and examine attributes
• Solve dependency as SAT problem
[Figure: update A and view B. Irrelevant update: UNSAT. Relevant update: SAT, and A activates B.]