Incremental Consistent Updates Naga Praveen Katta Jennifer Rexford

  • Slides: 37
Download presentation
Incremental Consistent Updates Naga Praveen Katta Jennifer Rexford, David Walker Princeton University

Incremental Consistent Updates Naga Praveen Katta Jennifer Rexford, David Walker Princeton University

Network Policy • Policy : Collection of Openflow rules in the entire network ===

Network Policy • Policy : Collection of Openflow rules in the entire network === === === 2 1 1 2 1 2 === === 2

Policy Update • From old policy === === === 2 1 1 2 1

Policy Update • From old policy === === === 2 1 1 2 1 2 === === 3

Policy Update • From old policy to new policy === === === 2 1

Policy Update • From old policy to new policy === === === 2 1 1 2 1 2 === === 4

Inconsistent policy during transition === === === 2 1 1 2 1 2 ===

Inconsistent policy during transition === === === 2 1 1 2 1 2 === === 5

Inconsistent policy during transition Ø Per === Packet === === 2 Consistency (Reitblatt et.

Inconsistent policy during transition Ø Per === Packet === === 2 Consistency (Reitblatt et. al. 1 1 === SIGCOMM’ 12) === 1 • A packet sees either exclusively the old policy or 2 1 exclusively the new policy. 2 2 === === 6

Both old and new policy on the network 2 1 1 1 2 2

Both old and new policy on the network 2 1 1 1 2 2 1 2 7

100% space overhead in intermediate steps 2 1 1 1 2 2 1 2

100% space overhead in intermediate steps 2 1 1 1 2 2 1 2 8

100% space overhead in intermediate steps 2 Ø Problem Statement 1 1 1 •

100% space overhead in intermediate steps 2 Ø Problem Statement 1 1 1 • Can we do a consistent update with less space? 2 1 2 2 9

Trade Space for time Ø Less space overhead but more update time Ø Goals

Trade Space for time Ø Less space overhead but more update time Ø Goals • General : Works for any policy (with ternary matches) • Efficient : No packet-processing overhead on the controller 10

Trade Space for time Ø Less space overhead but more update time Ø Goals

Trade Space for time Ø Less space overhead but more update time Ø Goals • General : Works for any policy (with ternary matches) • Efficient : No packet-processing overhead on the controller Ø Divide entire update into multiple rounds 1. Each round is assigned a set of predicates (predicate : a symbolic ingress packet) 2. Each round updates policy slice for assigned predicates Ø Slice : rules effecting the packets of a predicate 11

Update the policy slice by slice === === === 2 1 1 2 1

Update the policy slice by slice === === === 2 1 1 2 1 2 === === 12

Update the policy slice by slice === === === 2 1 1 2 1

Update the policy slice by slice === === === 2 1 1 2 1 2 === === 13

Update the policy slice by slice === === === 2 1 1 2 1

Update the policy slice by slice === === === 2 1 1 2 1 2 === === 14

Update the policy slice by slice === === === 2 1 1 2 1

Update the policy slice by slice === === === 2 1 1 2 1 2 === === 15

Update the policy slice by slice === === === 2 1 1 2 1

Update the policy slice by slice === === === 2 1 1 2 1 2 === === 16

Update the policy slice by slice === === === 2 1 1 2 1

Update the policy slice by slice === === === 2 1 1 2 1 2 === === 17

Update the policy slice by slice === === Given=== a predicate, how do you

Update the policy slice by slice === === Given=== a predicate, how do you 2 compute the slice? === === How do you update the network with policy slices? === 1 Ø Ø Ø How do you assign predicates to slices? 1 2 1 1 2 2 === === 18

1. Computing a slice for a given predicate Collect matching rules from all switches?

1. Computing a slice for a given predicate Collect matching rules from all switches? 19

Challenges in computing a slice Ø Header Modifications 01 ->11 01 11 Ø Multiple

Challenges in computing a slice Ø Header Modifications 01 ->11 01 11 Ø Multiple predicates match a single rule 01 0* 11 Ø Packets of predicate never reach a switch. 01 01 20

Compute policy slice using symbolic execution Similar to Header Space Analysis (NSDI 2012) 2

Compute policy slice using symbolic execution Similar to Header Space Analysis (NSDI 2012) 2 1 1 1 2 21

Compute policy slice using symbolic execution 2 1 1 1 2 22

Compute policy slice using symbolic execution 2 1 1 1 2 22

Compute policy slice using symbolic execution === === === 2 1 1 2 1

Compute policy slice using symbolic execution === === === 2 1 1 2 1 2 === === 23

Similarly compute the old slice === === === 2 1 1 2 1 2

Similarly compute the old slice === === === 2 1 1 2 1 2 === === 24

2. Update policy slice – Add the new slice === === === 2 1

2. Update policy slice – Add the new slice === === === 2 1 1 2 1 2 === === 25

Then remove the old slice? === === === 2 1 1 2 1 2

Then remove the old slice? === === === 2 1 1 2 1 2 === === 26

Difficult with multiple dependent predicates • Cannot remove 1* rule till both 10 and

Difficult with multiple dependent predicates • Cannot remove 1* rule till both 10 and 11 migrate 10 -> 2 10 -> 1 11 -> 2 1* -> 1 2 1 1 1 2 2 11 -> 2 27

Difficult with multiple dependent predicates • Cannot remove 1* rule till both 10 and

Difficult with multiple dependent predicates • Cannot remove 1* rule till both 10 and 11 migrate -> 2 Ø Keep track of all 00 dependent predicates 00 • -> 1 Add 01 -> 2 a new rule as soon as 2 any new slice needs 0*it-> 1 1 • Delete an old rule as soon as no old slice needs it 1 1 2 2 11 -> 2 28

3. Choosing the predicates? Ø Optimal order of updates • How many slices in

3. Choosing the predicates? Ø Optimal order of updates • How many slices in total? • Which predicates in which slice? 29

Choosing the predicates Ø Divide N ingress predicates into K ordered slices optimally •

Choosing the predicates Ø Divide N ingress predicates into K ordered slices optimally • Avoid exponential preprocessing • Cannot consider slices in isolation 30

Choosing the predicates Ø Divide N ingress predicates into K ordered slices optimally •

Choosing the predicates Ø Divide N ingress predicates into K ordered slices optimally • Avoid exponential preprocessing • Cannot consider slices in isolation Ø Pose it as a Mixed Integer Program • Combine individual predicate symbolic analyses • Encode dependency counting Ø Trade-off dimensions • Rule space overhead • Update time (# rounds/slices) • Traffic volume of migrated rules 31

Evaluation Ø Fattree topology - 24 Switches, 576 hosts Ø Load Balancer Policy •

Evaluation Ø Fattree topology - 24 Switches, 576 hosts Ø Load Balancer Policy • Each client chooses server randomly • Packet modification at the ingress • Shortest path forwarding to servers Ø Optimization solver • Always within 1% in few (~5) seconds 32

Overhead decreases significantly with increased rounds Space Overhead (%) Consistent Updates Total number of

Overhead decreases significantly with increased rounds Space Overhead (%) Consistent Updates Total number of slices 33

Minimizing update times finishes in just 9 slices Number of slices updated Switch space

Minimizing update times finishes in just 9 slices Number of slices updated Switch space overhead capped at 5% 34

80% traffic migrates in slice 1 and 99% in 3 slices Number of slices

80% traffic migrates in slice 1 and 99% in 3 slices Number of slices updated Switch space overhead capped at 5% 35

Conclusion u Policy abstractions come with a cost Ø How to implement efficiently? Ø

Conclusion u Policy abstractions come with a cost Ø How to implement efficiently? Ø Keeping the essence of abstraction u Optimizing consistent updates Ø Slice by slice policy update Ø Symbolic execution and MIP reduction • Uses less rule space • Moves high volume flows early 36

Questions? Naga Praveen Katta nkatta@cs. princeton. edu

Questions? Naga Praveen Katta [email protected] princeton. edu