
A Policy-aware Switching Layer for Data Centers

A Policy-aware Switching Layer for Data Centers. Dilip Joseph, Arsalan Tavakoli, Ion Stoica, University of California at Berkeley. Flexibility: (re)configurable network topology. Efficiency: no middlebox resource wastage. Correctness: guaranteed middlebox traversal.





Presentation Transcript


  1. A Policy-aware Switching Layer for Data Centers. Dilip Joseph, Arsalan Tavakoli, Ion Stoica. University of California at Berkeley.

  2. Problem: Middleboxes are hard to deploy
  • Place on network path
  • Overload path selection mechanisms
  • On-path placement fails to achieve:
    Flexibility: (re)configurable network topology
    Efficiency: no middlebox resource wastage
    Correctness: guaranteed middlebox traversal
  [Figure: a packet following the network path through a Firewall and a Load Balancer]

  3. Preview • Problem • Middleboxes are hard to deploy • Solution • Overview • Challenges • Limitations • Implementation & evaluation • Related work

  4. Common data center topology
  [Figure: Internet, then inside the Data Center the Core tier (Layer-3 router) with a Firewall, the Aggregation tier (Layer-2/3 switch) with a Load Balancer, the Access tier (Layer-2 switch), and the Servers]

  5. Inflexible topology
  [Figure: the same topology, with an Intrusion Prevention Box, Firewall and Load Balancer labelled]

  6. Inefficient: middlebox resource wastage
  [Figure: middleboxes on the primary path process unnecessary traffic, while those on the backup path sit unutilized]

  7. Correctness is hard: protect S1 ↔ S2 traffic
  • Option 1: existing firewalls
  [Figure: S1 and S2 in the data center topology, with a newly blocked link]

  8. Correctness is hard: protect S1 ↔ S2 traffic
  • Option 1: existing firewalls
  • Option 2: new firewall
  [Figure: S1 and S2 in the data center topology]

  9. Correctness is hard: protect S1 ↔ S2 traffic
  • Option 1: existing firewalls
  • Option 2: new firewall
  • Option 3: separate VLANs
  [Figure: S1 and S2 in the data center topology]

  10. Outline • Problem • Middleboxes are hard to deploy • Solution • Overview • Challenges • Limitations • Implementation & evaluation • Related work

  11. Policy-aware Switching Layer
  1. Take middleboxes off-path
  2. Separate policy from reachability
  [Figure: existing mechanisms compared with the policy-aware switching layer; the policy "HTTP (TCP port = 80): Firewall → Load balancer" is realised by PSwitches (P) that forward traffic to the off-path firewall and load balancer]

  12. PSwitch explicitly forwards packets to middleboxes
  [Figure: a Centralized Policy Controller installs the policy "HTTP: Firewall → Load balancer" as a rule table in each PSwitch (P); a packet from Core Router R enters the data center (hop 0), the PSwitch reads the previous hop from the packet header (Src:R, later Src:L) and forwards it to Firewall F (hop 1), then to Load Balancer L (hop 2), and finally to the Web Server (hop 3)]

  13. • Distributed forwarding
  • Load balancing middleboxes
  • Different policies for different traffic
  [Figure: two PSwitches (A and B) in the data center apply the policies "HTTP: Firewall → Load balancer" (towards the Web Server) and "ERP: Custom Firewall → IPS" (towards the ERP Server); middleboxes shown: Firewall, Load Balancer, Custom Firewall, Intrusion Prevention Box]
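As an added illustration of slides 11 to 13 (this is not code from the talk or the PLayer prototype), the following Python compiles the two policies shown there into a PSwitch rule table and forwards frames by (previous hop, traffic selector); the MAC addresses, the ERP port and the drop-when-no-rule default are assumptions.

```python
# Added example, not code from the talk or the PLayer prototype: a toy PSwitch
# rule table. Policies of the form [start location, traffic selector] ->
# middlebox sequence are compiled into per-hop rules; a frame is forwarded by
# (previous hop, selector), with the previous hop recovered from the source MAC
# (the "Src:R" / "Src:L" header field on slide 12). Node names and policies come
# from the slides; MACs, the ERP port and the drop-on-no-rule default are assumed.

MAC_TO_NODE = {                          # constructed addresses for the nodes
    "00:00:00:00:00:01": "R",            # core router (start location)
    "00:00:00:00:00:0f": "F",            # firewall
    "00:00:00:00:00:1c": "L",            # load balancer
    "00:00:00:00:00:cf": "CF",           # custom firewall
    "00:00:00:00:00:1d": "IPS",          # intrusion prevention box
}
NODE_TO_MAC = {node: mac for mac, node in MAC_TO_NODE.items()}

POLICIES = {
    # (start location, TCP dst port) -> middlebox sequence, then the server
    ("R", 80):   ["F", "L", "WebServer"],     # HTTP: Firewall -> Load balancer
    ("R", 7000): ["CF", "IPS", "ERPServer"],  # ERP: Custom Firewall -> IPS (port assumed)
}

def build_rule_table(policies):
    """Compile each policy into rules keyed by (previous hop, TCP dst port)."""
    rules = {}
    for (start, dport), path in policies.items():
        prev = start
        for nxt in path:
            rules[(prev, dport)] = nxt
            prev = nxt
    return rules

def next_hop(rules, frame):
    """Return the next hop for a frame, or None to drop it.
    A frame whose source MAC is not a known previous hop, or whose (hop, port)
    has no rule, is dropped rather than forwarded along the plain reachability
    path, so it can never bypass a middlebox (this example's default)."""
    prev = MAC_TO_NODE.get(frame["src_mac"])
    return None if prev is None else rules.get((prev, frame["tcp_dport"]))

def trace(rules, start, dport):
    """Follow a flow from its start location to a server; returns (hops, delivered)."""
    hops = [start]
    while hops[-1] in NODE_TO_MAC:           # servers have no rules of their own
        frame = {"src_mac": NODE_TO_MAC[hops[-1]], "tcp_dport": dport}
        node = next_hop(rules, frame)
        if node is None:
            return hops, False
        hops.append(node)
    return hops, True
```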

  14. Challenges • Minimizing infrastructure changes • Non-transparent middleboxes • Guaranteeing correctness under churn

  15. Guarantees under churn (network, middlebox and policy churn): packets never bypass middleboxes; some packets may be dropped.

  16. Limitations • Indirect paths • Policy specification complexity

  17. Outline • Problem • Middleboxes are hard to deploy • Solution • Overview • Challenges • Limitations • Implementation & evaluation • Related work

  18. Implementation
  • PSwitches prototyped in
  • Compared to software Ethernet switch: 82% TCP throughput, 16% latency increase
  • Exploring hardware options
  [Figure: PSwitch measurements, 750 Mbps, 0.3 milliseconds, 25 policies]

  19. Validation of functionality
  • 10 PCs with 4 network interfaces each
  [Figure: physical topology of PSwitches (P), a BalanceNG load balancer, iptables firewalls, web servers and a client]

  20. Logical topologies on the same physical topology
  [Figure]

  21. Related Work
  • Indirection: Internet Indirection Infrastructure, Delegation Oriented Architecture
  • Separation of policy and reachability: 4D, Routing Control Platform, Ethane
  • High-end switches: Cisco Catalyst 6500
  • Commodity DC Network Architecture (SIGCOMM 2008): SEATTLE, DCell

  22. Conclusion • Deploying middleboxes is hard • A new layer-2 with explicit middlebox support • Middleboxes taken off network path • Policy separated from reachability

  23. Questions?

  24. Backup Slides

  25. Policy churn
  • Conflicting policy updates
  [Figure: Version 1 "HTTP: Load balancer → Firewall" versus Version 2 "HTTP: Firewall → Load balancer"; PSwitches (P) holding different versions forward a packet through hops 0 to 3 between the Firewall and Load Balancer]

  26. Intermediate middlebox types
  • Guarantees traversal
  [Figure: Version 1 "HTTP: Load balancer → Firewall"; Version 2 "HTTP: Firewall' → Load balancer'", where the intermediate types Firewall' and Load Balancer' stand in for the Firewall and Load Balancer while PSwitches (P) transition between versions]
