OpenBox: A Software-Defined Framework for Developing, Deploying, and Managing Network Functions
Yotam Harchol, The Hebrew University of Jerusalem
Joint work with Anat Bremler-Barr and David Hay
This research was supported by the European Research Council (ERC Grant agreement no. 259085), the Israeli Centers of Research Excellence (I-CORE) program (Center No. 4/11), and the Neptune Consortium.
Network Functions (Middleboxes)
• Monolithic, closed black-boxes (e.g., Firewall, Load Balancer, Intrusion Prevention System)
✘ High cost
✘ Limited provisioning and scalability
Network Function Virtualization (NFV):
✔ Reduces cost (by moving to software)
✔ Improves provisioning and scalability (by virtualizing software NFs)
Network Functions (Middleboxes)
✘ High cost
✘ Limited provisioning and scalability
✘ Limited and separate management:
• Different vendors
• No standards
• Separate control plane per vendor
Network Functions (Middleboxes)
• Actually, many of these black-boxes are internally very modular
✘ High cost
✘ Limited provisioning and scalability
✘ Limited and separate management
✘ Limited functionality and limited innovation (high entry barriers)
✘ Similar complex processing steps in every NF, yet no re-use
OpenBox (www.openboxproject.org, github.com/OpenBoxProject)
• OpenBox: a new software-defined framework for network functions
• Decouples network function control from the data plane
• Unifies the data plane of multiple network functions
Benefits:
✔ Easier, unified control
✔ Better performance
✔ Scalability
✔ Flexible deployment
✔ Inter-tenant isolation
✔ Innovation
(Figure: an OpenBox Controller managing several OpenBox Instances (OBIs))
Software Defined Networking: the same problems, already solved for switches
• High cost of switches (as of middleboxes)
• Limited provisioning and scalability of switches (as of middleboxes)
• Limited management of switches (as of middleboxes)
• Limited functionality and limited innovation: complex distributed algorithms in switches (complex processing steps in middleboxes)
• SDN answered these with a logically-centralized controller and a standard data-plane protocol (OpenFlow); OpenBox applies the same decoupling to network functions
• 40%-60% of the appliances in large-scale networks are middleboxes! [Sherry & Ratnasamy, '12]
The OpenBox Framework
• Network functions are OpenBox Applications, written against the Northbound API
• Control Plane: a logically-centralized OpenBox Controller
• Data Plane: OpenBox Service Instances, driven by the OpenBox Protocol
Additionally:
✔ Isolation between NFs / multiple tenants
✔ Support for hardware accelerators
✔ Dynamically extensible protocol
Observation: most network functions perform very similar processing steps, but there is no re-use between them. The design of the OpenBox framework is based on this observation.
Network Function Decomposition
Firewall: Read Packets → Header Classifier → Drop | Alert | Output
Load Balancer: Read Packets → Header Classifier → Rewrite Header → Output
Intrusion Prevention System: Read Packets → Header Classifier → DPI → Drop | Alert | Output
Northbound API
• OpenBox Applications (Firewall, Intrusion Prevention System, Load Balancer, ...) specify a processing graph and per-block configuration
• Control Plane: the OpenBox Controller receives the graphs over the NB API and reports events and load information back to the applications
• Data Plane: OpenBox Service Instances, driven by the OpenBox Protocol
Logically-Centralized Controller
• Multiple tenants run multiple applications for multiple policies in the same network
• Isolation between applications and tenants is enforced at the NB API
• The OpenBox Controller has a network-wide view and performs automatic scaling, provisioning, placement, and steering
• It works alongside the SDN controller: the OpenBox Protocol drives OpenBox Service Instances, the SDN protocol drives the SDN switches
Naïve Graph Merge
Firewall: Read Packets → Header Classifier → Drop | Alert | Output
Intrusion Prevention System: Read Packets → Header Classifier → DPI → Drop | Alert | Output
Concatenated processing graph (IPS chained behind the firewall): Read Packets (2μs) → Header Classifier (30μs) → Drop | Alert (Firewall, 10μs) → Header Classifier (30μs) → DPI (50μs) → Drop | Alert (IPS, 10μs) → Output (2μs)
Total along the longest path: 134μs
Performance ≈ diameter of the graph (number of classifiers a packet passes through)
Graph Merge Algorithm
Merged processing graph (a single classifier): Read Packets (2μs) → Header Classifier (30μs) → Drop | Alert (Firewall, 10μs) → DPI (50μs) → Drop | Alert (IPS, 10μs) → Output (2μs)
Shorter diameter (fewer classifiers)
Total along the longest path: 104μs (22% improvement)
Algorithm and details are in the paper
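The decomposition, the naive concatenation and the classifier merge on the last few slides, worked through in code. This is an added illustration, not code from the OpenBox project or the paper: the graph representation, the block ids ("read" as entry, "out" as exit), the rule strings, the cross-product fusion of the two header classifiers and the 0μs cost of Drop are all assumptions made for the example; the other per-block latencies are the ones annotated on the slide. It reproduces the slide's 134μs and 104μs critical paths.

```python
"""Naive concatenation vs. classifier merge of two OpenBox processing graphs.

Added illustration: block ids, rule strings and the cross-product merge are
assumptions for this example, not the OpenBox project's own algorithm."""
from dataclasses import dataclass, field

# Per-block latency in microseconds, as annotated on the slide.
# Drop carries no annotation on the slide; 0 is an assumption.
LATENCY = {"ReadPackets": 2, "HeaderClassifier": 30, "DPI": 50,
           "Alert": 10, "Output": 2, "Drop": 0}


@dataclass
class Block:
    kind: str
    succ: list                                 # successor ids (one per rule for classifiers)
    rules: list = field(default_factory=list)  # match strings, parallel to succ

# Convention: every graph enters at "read" (Read Packets) and exits at "out" (Output).


def firewall():
    """Read Packets -> Header Classifier -> Drop | Alert -> Output | Output."""
    return {"read": Block("ReadPackets", ["hc"]),
            "hc": Block("HeaderClassifier", ["drop", "alert", "out"],
                        ["dst_port==23", "dst_port==22", "*"]),
            "drop": Block("Drop", []),
            "alert": Block("Alert", ["out"]),
            "out": Block("Output", [])}


def ips():
    """Read Packets -> Header Classifier -> DPI -> Drop | Alert -> Output | Output."""
    return {"read": Block("ReadPackets", ["hc"]),
            "hc": Block("HeaderClassifier", ["dpi", "out"], ["dst_port==80", "*"]),
            "dpi": Block("DPI", ["drop", "alert", "out"],
                         ["sig:exploit", "sig:scanner", "*"]),
            "drop": Block("Drop", []),
            "alert": Block("Alert", ["out"]),
            "out": Block("Output", [])}


def _copy_tail(g, start, prefix, out_target, into):
    """Copy the sub-graph reachable from `start` into `into` under prefixed ids,
    redirecting its Output to `out_target`; returns the id of the copy."""
    if start == "out":
        return out_target
    new_id = prefix + start
    if new_id not in into:
        b = g[start]
        into[new_id] = Block(b.kind, [], list(b.rules))
        into[new_id].succ = [_copy_tail(g, s, prefix, out_target, into) for s in b.succ]
    return new_id


def naive_concat(g1, g2):
    """Chain g2 behind g1: every Output of g1 becomes the first block of g2,
    so a packet is classified twice (the slide's concatenated graph)."""
    merged = {k: Block(b.kind, list(b.succ), list(b.rules))
              for k, b in g1.items() if k != "out"}
    entry = g2["read"].succ[0]                 # the block after g2's Read Packets
    for b in list(merged.values()):            # snapshot: the loop adds g2's blocks
        b.succ = [_copy_tail(g2, entry, "g2_", "out", merged) if s == "out" else s
                  for s in b.succ]
    merged["out"] = Block("Output", [])
    return merged


def merge_classifiers(g1, g2):
    """Fuse both header classifiers into one whose rules are the cross product
    of the originals, so a packet is classified once and the diameter shrinks."""
    hc1, hc2 = g1["hc"], g2["hc"]
    merged = {"read": Block("ReadPackets", ["hc"]),
              "drop": Block("Drop", []), "out": Block("Output", [])}
    rules, succ = [], []
    for i, (r1, s1) in enumerate(zip(hc1.rules, hc1.succ)):
        for j, (r2, s2) in enumerate(zip(hc2.rules, hc2.succ)):
            rules.append(f"({r1}) and ({r2})")
            if g1[s1].kind == "Drop":
                succ.append("drop")            # g1 drops it; g2's branch is never reached
                continue
            tail2 = _copy_tail(g2, s2, "g2_", "out", merged)   # g2's branch, shared
            succ.append(_copy_tail(g1, s1, f"g1_{i}x{j}_", tail2, merged))
    merged["hc"] = Block("HeaderClassifier", succ, rules)
    return merged


def critical_path_us(g, start="read"):
    """Latency along the longest entry-to-leaf path: the slide's graph diameter."""
    memo = {}

    def longest(n):
        if n not in memo:
            memo[n] = LATENCY[g[n].kind] + max((longest(s) for s in g[n].succ), default=0)
        return memo[n]
    return longest(start)


def count_blocks(g, kind):
    return sum(1 for b in g.values() if b.kind == kind)


if __name__ == "__main__":
    for name, g in [("firewall", firewall()), ("ips", ips()),
                    ("naive concat", naive_concat(firewall(), ips())),
                    ("merged", merge_classifiers(firewall(), ips()))]:
        print(f"{name:13s} classifiers={count_blocks(g, 'HeaderClassifier')} "
              f"critical path={critical_path_us(g)}us")
```

The fused classifier has |rules(FW)| × |rules(IPS)| entries, which is the price of removing one classification stage from the packet path: classification cost in a TCAM or a software classifier grows with the rule count, so the merge trades table size for diameter, and the firewall's Drop rules are the one case where the IPS branch can be elided entirely.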
OpenBox Data Plane Processing Blocks
• Terminals: Read Packets, Output, Drop
• Caching: Store Packet, Restore Packet
• Classification: Header Classifier, DPI
• Reporting: Alert, Log
• Normalization: JavaScript Normalizer, XML Normalizer, HTML Normalizer
• De/compression: Gzip Decompress, Gzip Compress
• Queue Management: FIFO Queue, Front Drop Queue, Leaky Bucket, RED Queue
• Header Modification: VLAN Push, VLAN Pop, Rewrite Header
• Transactions: Begin Transaction, Commit Transaction, Rollback
OpenBox Service Instance (virtual or physical):
• Provides the data plane services that realize the logic of network functions
• Controlled by the logically-centralized OpenBox controller
Distributed Data Plane
• One processing graph can span several OpenBox Service Instances: e.g., Header Classifier and Rewrite Header on a hardware (TCAM) instance, DPI and Alert on a software instance
• Hardware instance: e.g., an OpenFlow switch with encapsulation features (e.g., NSH, Geneve, FlowTags)
• Metadata travels with the packet between the instances
Split Processing Graph
HW Instance: Read Packets → Header Classifier → Drop | Write Metadata → Encapsulate Metadata → Output
SW Instance: Read Packets → Decapsulate Metadata → Read Metadata → DPI → Drop | Alert | Output
Extensible Data Plane
• A new application (e.g., a Media Encoder) needs a block the data plane does not yet provide
• Option 1: new hardware implementation (supports encapsulation)
• Option 2: software module injection: a custom software module (signed) is pushed to the OpenBox Service Instances over the OpenBox Protocol, on the fly; no need to recompile or redeploy the instance
Scalable & Reliable Data Plane
• Scalability, reliability, and provisioning: the OpenBox Controller provisions additional OBIs (e.g., on a hypervisor) as load or failures require
Implementation (github.com/OpenBoxProject)
Control Plane: Java-based OpenBox Controller, 7500 LoCs (Java)
• Northbound API (REST) with applications: FW, IPS, Load Balancer, ...
• Network Graph Manager, Aggregator, Management API, REST API
Data Plane: software OpenBox Service Instance
• REST client/server
• Generic wrapper for execution engines and Translation Engine, 5500 LoCs (Python)
• Click-based execution engine, 2400 LoCs for the plugin (C++)
• Other execution engines (e.g., ClickNP) can be plugged in at the same point
Performance Improvement
Without OpenBox: VM 1 runs the Firewall and VM 2 runs the IPS, each as a standalone VM. With OpenBox: OBI 1 and OBI 2 each run the merged FW+IPS graph.
(Chart: NF pipeline throughput [Mbps] and latency [µs], standalone VMs vs. OpenBox: throughput +86%, latency -35%)
Related Work
• Orthogonal to OpenBox:
– NF traffic steering (e.g., SIMPLE [SIGCOMM '13])
– NF orchestration (e.g., Stratos, OpenMano, OpenStack)
– Runtime platforms (e.g., xOMB [ANCS '12], ClickNP [SIGCOMM '16])
• Similar motivation:
– CoMb [NSDI '12] focuses on resource sharing and placement
– E2 [SOSP '15] is a composition framework for virtual NFs
– Slick [SOSR '15] focuses on the placement of data plane units
• Only OpenBox provides:
– Core processing decomposition and re-use
– Standardization and full decoupling of NF control and data planes
Conclusions
• Network functions are currently a real challenge in large-scale networks
• OpenBox decouples data plane processing from network function control logic, and thereby:
– Reduces costs
– Enhances performance
– Improves scalability
– Increases reliability
– Provides inter-tenant isolation
– Allows easier innovation
Questions? Thank you!
Play with OpenBox on a Mininet VM: github.com/OpenBoxProject/openbox-mininet