1 / 38

Lithium: Event-Driven Network Control

Lithium: Event-Driven Network Control. OpenFlow /Software Defined Networking. Nick Feamster Georgia Tech (some slides courtesy Nick McKeown ). Nick Feamster, Hyojoon Kim, Russ Clark Georgia Tech Andreas Voellmy Yale University. Pre-GENI Thinking : Network as Artifact.

rupali
Télécharger la présentation

Lithium: Event-Driven Network Control

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lithium: Event-Driven Network Control OpenFlow/Software Defined Networking Nick FeamsterGeorgia Tech(some slides courtesy Nick McKeown) Nick Feamster, Hyojoon Kim, Russ ClarkGeorgia Tech Andreas VoellmyYale University

  2. Pre-GENI Thinking: Network as Artifact “There is a tendency in our field to believe that everything we currently use is a paragon of engineering, rather than a snapshot of our understanding at the time.  We build great myths of spin about how what we have done is the only way to do it to the point that our universities now teach the flaws to students (and professors and textbook authors) who don't know better.” -- John Day

  3. What if we could change the network as easily as applications? TCP/IP Header in Lego Format.

  4. Now, We Can: Software-Defined Networking • Before: Network devices closed, proprietary • Now: A single software program can control the behavior of entire networks.

  5. Software-Defined Networking • Distributed configuration is a bad idea • Instead: Control the network from a logically centralized system 2004 2005 2008 Decision Dissemination RCP Discovery Data Network Feamster et al.The Case for Separating Routing from Routers. Proc. SIGCOMM FDNA, 2004 Caesar et al. Design and implementation of a Routing Control Platform. Proc NSDI, 2005

  6. Software Defined Networking

  7. Background: OpenFlowSwitching OpenFlow Switch OpenFlow Switch specification PC OpenFlow Protocol SSL Controller Secure Channel sw Flow Table hw

  8. Key Idea: Control/Data Separation

  9. OpenFlow Forwarding Abstraction

  10. OpenFlow 1.0 Flow Table Entry Rule Action Stats Packet + byte counters • Forward packet to port(s) • Encapsulate and forward to controller • Drop packet • Send to normal processing pipeline Switch Port MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP Prot TCP sport TCP dport + mask

  11. OpenFlow Forwarding Abstraction • Match • Match on any header or new header • Allows any flow granularity • Action • Forward to port(s), drop, send to controller • Overwrite the header • Forward at a specific bitrate

  12. OpenFlow Forwarding Abstraction • Protocol independent • Construct Ethernet, IPv4, VLAN, MPLS • Construct new forwarding methods • Backwards compatible • Run in existing networks • Technology independent • Switches, routers, WiFi APs • Cellular basestations • WDM/TDM circuits

  13. Software Defined Network Management • Software defined networking (SDN) makes it easier for network operators to evolve network capabilities • Can SDN also help network operators manage their networks, once they are deployed? • Campus/Enterprise networks • Home networks

  14. Big Problem: Configuration Changes Frequently • Changes to the network configuration occur daily • Errors are also frequent • Operators must determine • What will happen in response to a configuration change • Whether the configuration is correct

  15. But, Network Configuration is Really Just Event Processing! • Rate limit all Bittorrent traffic between the hours of 9 a.m. and 5 p.m. • Do not use more than 100 GB of my monthly allocation for Netflix traffic • If a host becomes infected, re-direct it to a captive portal with software patches • …

  16. Lithium: Event-Based Network Control Main Idea: Express network policies as event-based programs. Resonance: Inference-Based Access Control for Enterprise Networks.Nayak, Reimers, Feamster, Clark. ACM SIGCOMM Workshop on Enterprise Networks. August 2009.

  17. Extending the Control Model • OpenFlow only operates on flow properties • Lithium extends the control model so that actions can be taken on time, history, and user

  18. Event-Driven Control Domains Domain: A condition on which traffic forwarding rules can be expressed.

  19. Dynamic Event Handler • Reacts to domain events • Determines event source • Updates state based on event type • Can process both internal and external events

  20. Representing Network State:Finite State Machine • State:A set of domain values represents a state. Representation of network state. • Events:Event-driven control domains invoke events, which trigger state transitions in the controller’s finite state machine. • Intrusions • Traffic fluctuations • Arrival/departure of hosts

  21. Current Implementation • NOX Version 0.6.0 • Lithium plumbing: About 1,300 lines of C++ • Policies • Enterprise network access control: 145 lines of C++ • Home network usage cap management: 130 lines • Ongoing: Policies without general-purpose programming

  22. Two Real-World Deployments • Access control in enterprise networks • Re-implementation of access control on the Georgia Tech campus network • Today: Complicated, low-level • With SDN: Simpler, more flexible • Usage control in home networks • Implementation of user controls (e.g., usage cap management, parental controls) in home networks • Today: Not possible • With SDN: Intuitive, simple

  23. Example from Campus Network: Enterprise Access Control 3. VLAN with Private IP 7. REBOOT Switch 1. New MAC Addr 2. VQP 6. VLAN with Public IP VMPS New Host 4. Web Authentication 5. Authentication Result ta Web Portal

  24. Problems with Current Approach • Access control is too coarse-grained • Static, inflexible and prone to misconfigurations • Need to rely on VLANs to isolate infected machines • Cannot dynamically remaphosts to different portions of the network • Needs a DHCP request which for a windows user would mean a reboot • Cannot automatically process changes to network conditions.

  25. Lithium: State Machine-Based Control for Campus Networks Infection removed or manually fixed Quarantined Registration Failed Authentication Successful Authentication Still Infected after an update Operation Clean after update Authenticated Vulnerability detected

  26. Requirements: Policy Language • Network policies • Are dynamic • Depend on temporal conditions defined in terms of external events • Need a way to configure these policies without resorting to general-purpose programming of a network controller • Intuitive user interfaces can ultimately be built on top of this language

  27. Language Design Goals • Declarative Reactivity: Describing when events happen, what changes they trigger, and how permissions change over time. • Expressive and Compositional Operators: Building reactive permissions out of smaller re- active components. • Well-defined Semantics: Simple semantics, simplifying policy specification. • Error Checking & Conflict Resolution:Leveraging well-defined, mathematical semantics.

  28. The Need for Reactive Control • Simple policies are doable in FML: “Ban the device if usage exceeds 10 GB in the last 5 days” • But, adding temporal predicates is difficult! • “Remove the ban if usage drops below 10 GB.” • “Remove the ban when an administrator resets.” • Each condition requires a new predicate.

  29. Procera: Programming Reactive, Event-Based Network Control Define a signal function for a device going over (or under) the usage cap: • Controller: signal functions and a flow constraint function • Receives input signals from environment • Periodically updates a flow constraint function that controls the forwarding elements Define the set of devices over the cap:

  30. Deployment: Campus Network • Software-defined network in use across three buildings across the university • Redesign of network access control • Also deployed at other universities

  31. Example From Home Networks:Usage Control • Network management in homes is challenging • One aspect of management: usage control • Usage cap management • Parental control • Bandwidth management • Idea: Outsource network management/control • Home router runs OpenFlow switch • Usage reported to off-site controller • Controller adjusts behavior of traffic flows

  32. Example From Home Networks:Usage Control

  33. Deployment: Home Networks(Outsourced Home Network Management) • User monitors behavior and sets policies with UI(next slide) • Lithium controller manages policies and router behavior

  34. uCap: Intuitive Management Interface Joint work with Boris de Souza, Bethany Sumner, MarshiniChetty.

  35. Frontier #1: GENI/SDN @ Home • OpenFlow deployments in home networks: Slicing all the way to the end user in the home! • BISmark (http://projectbismark.net/)

  36. Frontier #2: Programmable Substrate • Augment OpenFlow switches with custom packet processors • Device abstraction layer to allow programmability of this substrate • Single device • Network wide • Applications • Big data applications • On-the fly encryption, transcoding, classification • Selective deep packet inspection

  37. Frontier #3: Policy Languages • Today’s configuration languages are error-prone, distributed, low-level • Functional reactive programming • Support for “boxes and arrows” (or signals and systems) style programming • Can support much more complicated conditions • Procera/Lithium is one example

  38. Summary • Network management is difficult and error-prone • Lithium: Event-based network control • Deployment in two real-world settings (campus and home network) • Developing a high-level control language that enables reactive control

More Related