BeauCoup: Answering many network traffic queries, one memory update at a time!
(Beaucoup [bo’ku], adv.: many, a lot.)
Xiaoqi Chen, Shir Landau-Feibish, Mark Braverman, Jennifer Rexford
Network traffic query
DDoS: Are there many source IPs sending to one particular destination IP?
Query: Select DstIP where distinct(SrcIP) > 1000
(Key: DstIP; Attribute: SrcIP; Threshold: 1000)
Many network traffic queries
DDoS? Worm? Port scan? … Different keys/attributes need multiple data structures.
Query: DDoS; Key: DstIP; Attribute: SrcIP; Threshold: 1000
Query: Worm; Key: SrcIP; Attribute: DstIP; Threshold: 300
Query: Port scan; Key: SrcIP, DstIP; Attribute: DstPort; Threshold: 100
Query: …; Key: …; Attribute: …; Threshold: …
Many network traffic queries
"I have 42 queries. Run 42 data structures?" "I can’t…"
Spec for today’s commodity programmable switch:
• XX Tbps aggregated throughput
• YY MB data-plane memory
• Can only access ZZ bytes of memory per packet
(True for CPU, FPGA, etc., as well… Moore’s law!)
One memory update at a time?
• Constant memory update per packet, regardless of the number of queries?
• Game plan:
1. Each query uses only o(1) memory update per packet on average
2. Combine many different queries; on average uses O(1)
3. Coordinate: at most O(1) per packet
Today’s talk
• Challenge: many queries, few memory updates
• Achieving o(1) memory access: coupon collectors
• System design: query compiler + data plane program
• Evaluation
The coupon collector problem
• 4 different coupons (A, B, C, D), collect all of them
• Random draws
• How many total draws are required?
BeauCoup coupon collector
Query: Select DstIP where distinct(SrcIP) > 100
Mapping: f(SrcIP) -> Coupon
Key: 162.249.4.107; Coupons: A, B, C, D
Collect different coupons:
• f(10.0.1.15) -> Coupon C
• f(10.0.1.33) -> Coupon B
• f(10.0.1.15) -> Coupon C
• f(10.0.1.42) -> No coupon
BeauCoup coupon collector
f(SrcIP) -> Coupon
• Generalization: (m, p, n)-coupon collector
• m*p < 1, most packets collect no coupon
Example: (m=8, p=1%, n=4)
• Given a new SrcIP, each coupon is drawn with probability 1%
• m=8 coupons in total
• Stop at n=4 different coupons
System design
• Query compiler: finds coupon collector configurations
  • Stops near query thresholds, minimizes error
  • Hardware limits (e.g., memory access limit)
  • Fairness across queries
• Data plane program: collects coupons into an in-memory table
  • Simultaneously runs many queries
  • At most one coupon per packet
  • Updates queries on the fly
Query compiler
Query set Q = {q1, q2, …}; each query qi: Key, Attribute, Threshold
Total memory update limit: Γ per packet
Per-query limit: γq per packet
Compiler: γq = Γ / |Q| (fair allocation)
qi’s collector configuration: total coupons m; each probability p; coupons to collect n
Goal:
I. Stop near Threshold
II. Update limit: m*p ≤ γq
III. HW limit, e.g., m ≤ 32
For more detail on compiler heuristics,
Query compiler
Query set Q = {q1, q2, …} -> Query Compiler -> total coupons m, each probability p, coupons to collect n
Example: Threshold=1000, γq=0.01 -> (m=20, p=1/2048, n=8)
[Figure labels: P4 Program; Switch Data Plane; Threshold=1000]
Stacking queries: same attribute
q1: f(SrcIP) -> Coupon, m1=4, p1=1/8
q2: f(SrcIP) -> Coupon, m2=3, p2=1/16
…
Hash function h1(SrcIP) -> [0, 1)
[Figure: the range from 0 to 1 (ticks at 0, 1/4, 1/2, 3/4, 1) is divided into slots q1 #1, q1 #2, q1 #3, q1 #4 (4 coupons for q1), then q2 #1, q2 #2, q2 #3 (3 coupons for q2), …]
One hash function for each attribute
q1: f(SrcIP) -> Coupon, m1=4, p1=1/8
q6: g(DstIP) -> Coupon, m6=3, p6=1/8
[Figure: h1(SrcIP) -> slots q1 #1, q1 #2, q1 #3, q1 #4, … on an axis with ticks 0, 1/4, 1/2, 3/4, 1; h2(DstIP) -> slots q6 #1, q6 #2, q6 #3, … on an axis with ticks 0, 1/4, …]
TCAM for selecting a coupon
One TCAM table per attribute hash: hA(SrcPort), hB(DstPort), hC(SrcIP), hD(DstIP). Each table has the columns Match and (Query#, Coupon#).
Example entries shown in one table: 000***** -> (5, 1); 001***** -> (5, 2); 010***** -> (5, 3); 01101*** -> (9, 1); …
Example entries shown in another table: 000***** -> (6, 1); 001***** -> (6, 2); 010***** -> (6, 3); 01101*** -> (8, 1); …
Packet: SrcPort: 25012; DstPort: 443; SrcIP: 10.0.1.15; DstIP: 162.249.4.107
• hA(SrcPort)=101010… -> No coupon
• hB(DstPort)=111010… -> No coupon
• hC(SrcIP)=1010111… -> No coupon
• hD(DstIP)=0101011… -> Collect coupon (q6, #3)
Random tiebreak if >1 coupons
Coupon collector table
Packet: SrcPort: 27000; DstPort: 443; SrcIP: 10.0.1.33; DstIP: 4.3.2.1 -> q6 Coupon #1, Key: 10.0.1.33
Packet: SrcPort: 25012; DstPort: 443; SrcIP: 10.0.1.15; DstIP: 162.249.4.107 -> q6 Coupon #3, Key: 10.0.1.15
(The key for q6 is SrcIP.)
Table columns: (Q, Key) and Coupons. Rows shown: q4: 8.8:53; q4: 1.1:53; q5: 10.0.0.1; q6: 10.0.1.33; q6: 10.0.1.15
Alert: Query q6, Key 10.0.1.33: SrcIP 10.0.1.33 is sending to >1000 distinct DstIPs.
Space efficiency:
• Keys from all queries multiplexed into one table
• Only keep rows for “active keys” (at least one coupon)
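The (m, p, n) collector and the coupon table from the slides above can be exercised offline. The following Python sketch is an added example, not code from the BeauCoup repository: it checks that the compiler example (m=20, p=1/2048, n=8) stops near Threshold=1000 and simulates one query's rows of the table. SHA-256 standing in for the switch hash unit, all function and class names, and the generated 10.0.0.0/8 source addresses are assumptions.

```python
import hashlib

def expected_distinct(m, p, n):
    """Expected distinct attributes seen before n of m coupons are held.
    With j coupons held, a new attribute yields a new coupon with
    probability (m - j) * p, so each step is a geometric wait."""
    return sum(1.0 / ((m - j) * p) for j in range(n))

def coupon_for(attr, m, p, salt="q1"):
    """Hash attr to [0, 1); coupon i owns [i*p, (i+1)*p). None = no coupon.
    Assumption: SHA-256 stands in for the switch's hardware hash."""
    digest = hashlib.sha256(f"{salt}|{attr}".encode()).digest()
    h = int.from_bytes(digest[:8], "big") / 2**64
    idx = int(h / p)
    return idx if idx < m else None

class Collector:
    """One query's rows of the coupon table: key -> bitmap of coupons."""
    def __init__(self, m, p, n):
        assert m * p < 1, "most packets must collect no coupon"
        self.m, self.p, self.n = m, p, n
        self.table = {}    # only active keys (at least one coupon) get a row
        self.updates = 0   # memory updates actually performed

    def packet(self, key, attr):
        """Process one packet; return True once key holds n coupons."""
        c = coupon_for(attr, self.m, self.p)
        if c is None:
            return False   # no coupon: table memory is not touched
        self.updates += 1
        self.table[key] = self.table.get(key, 0) | (1 << c)
        return bin(self.table[key]).count("1") >= self.n

def sources_until_alert(collector, key, sources):
    """Send one packet per source; return the packet count at first alert."""
    for count, src in enumerate(sources, start=1):
        if collector.packet(key, src):
            return count
    return None

def constructed_sources(k):
    """Constructed sample input: k distinct addresses in 10.0.0.0/8."""
    return [f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}" for i in range(k)]

if __name__ == "__main__":
    print(round(expected_distinct(20, 1 / 2048, 8), 1))
    c = Collector(20, 1 / 2048, 8)
    print(sources_until_alert(c, "162.249.4.107", constructed_sources(20000)))
    print(c.updates, "memory updates")
```

Repeated packets from the same source always map to the same coupon, so only distinct attributes move a key toward the alert.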
Installing queries into switches
[Figure: query set Q = {q1, q2, …} of (Key, Attribute, Threshold) tuples; header fields; Code Generator; Query Compiler, producing (m, p, n); P4 Compiler; Rules Generator. Static part: P4 code / data plane program. Dynamic part: table rules. The programmable switch takes packets in and emits alerts.]
• The installed rules represent query set Q
• Update queries on the fly, without recompiling P4
Evaluation highlights
• How efficient is BeauCoup? It uses 4x~10x fewer memory accesses than the state of the art to achieve the same accuracy.
• What about fairness? Equalized accuracy for same-threshold queries.
• How much hardware resource? On the Barefoot Tofino programmable switch, BeauCoup occupies <50% of each resource.
Accuracy metric: Mean Relative Error
x = Actual # of distinct
• Error = |x - Threshold|
• MRE = Error / Threshold
[Figure labels: Threshold; Wider; Narrow]
Comparing accuracy
Mean Relative Error for distinct(SrcIP, DstIP), by memory access (words per packet):
Sampling [1]: γq=1/10: 82%; γq=1/42: 290%
NitroSketch [2] + UnivMon [3]: γq=1/10: 33%; γq=1/42: 84%
HyperLog: γq=1/10: X; γq=1/42: X
BeauCoup: γq=1/10: 17%; γq=1/42: 31%
[1] On estimating the number of flows. Spang & McKeown, Buffer Sizing Workshop 2019
[2] NitroSketch: Robust and General Sketch-based Monitoring in Software Switches. Liu et al., SIGCOMM 2019
[3] One Sketch to Rule Them All: Rethinking Network Flow Monitoring with UnivMon. Liu et al., SIGCOMM 2016
Single-query accuracy
[Figure: curves for NitroSketch-UnivMon [1], BeauCoup, Sampling [2], and HyperLog; labels: Better; Stricter; 4x~10x]
[1] NitroSketch: Robust and General Sketch-based Monitoring in Software Switches. Liu et al., SIGCOMM 2019
[2] On estimating the number of flows. Spang & McKeown, Buffer Sizing Workshop
Across multiple queries
• Run |Q|=26 queries simultaneously
• Fairness among queries: same accuracy
[Figure: Mean Relative Error vs. total memory access per packet, for four queries:
Key=SrcIP, Attribute=DstIP+DstPort, Threshold=1000;
Key=DstIP+DstPort, Attribute=SrcIP, Threshold=1000;
Key=SrcIP, Attribute=DstIP, Threshold=1000;
Key=DstIP+DstPort, Attribute=SrcIP+SrcPort, Threshold=1000]
Across multiple queries
• Run |Q|=26 queries simultaneously
• Intuition: a high-threshold query is “easier”; a low-threshold query benefits from more memory access
[Figure: Mean Relative Error vs. total memory access per packet, for Threshold=100, Threshold=5000, and Threshold=10000]
Hardware resource utilization (Tofino v1)
[Figure: pipeline stages illustrated as h(Attribute) -> coupon slots (Matching Coupons); q6: SrcIP, Key: 10.0.1.15 (Extracting Query Key); the (Q, Key) / Coupons table with rows q1: 8.8 and q1: 1.1 (Collecting Coupons); Alerts!]
Columns: Matching Coupons; Extracting Query Key; Collecting Coupons; Teardown; Overall
TCAM: 39.6%; 2.3%; 0%; 0%; 13.2%
SRAM: 9.1%; 26.3%; 0%; 12.3%
Instruction: 25.0%; 7.3%; 5.4%; 3.1%; 12.8%
Hash Unit: 50.0%; 61.1%; 29.1%; 0%; 41.7%
BeauCoup: Answering many network traffic queries, one memory update at a time!
• Scalable: built upon collectors, runs many queries simultaneously
• Versatile: change queries on the fly, without recompiling P4 program
• Efficient: achieve the same accuracy using 4x-10x fewer memory accesses
Merci Beaucoup! Thank you!
Q&A on Slack
Our code is open-source! github.com/Princeton-Cabernet/BeauCoup