OpenBox: A Software-Defined Framework for Developing, Deploying, and Managing Network Functions
Yotam Harchol, The Hebrew University of Jerusalem. Joint work with Anat Bremler-Barr and David Hay.
This research was supported by the European Research Council ERC Grant agreement no. 259085, the Israeli Centers of Research Excellence (I-CORE) program (Center No. 4/11), and the Neptune Consortium.
Network Functions (Middleboxes)
• Monolithic closed black-boxes (e.g., Firewall, Load Balancer, Intrusion Prevention System)
✘ High cost
✘ Limited provisioning and scalability
Network Function Virtualization (NFV):
✔ Reduce cost (by moving to software)
✔ Improve provisioning and scalability (by virtualizing software NFs)

Network Functions (Middleboxes)
✘ High cost
✘ Limited provisioning and scalability
✘ Limited and separate management
• Different vendors
• No standards
• Separate control plane

Network Functions (Middleboxes)
• Actually, many of these black-boxes are very modular
✘ High cost
✘ Limited provisioning and scalability
✘ Limited and separate management
✘ Limited functionality and limited innovation (high entry barriers)
✘ Similar complex processing steps, no re-use
OpenBox (www.openboxproject.org, github.com/OpenBoxProject)
• OpenBox: A new software-defined framework for network functions
• Decouples network function control from their data plane
• Unifies the data plane of multiple network functions
Benefits:
✔ Easier, unified control
✔ Better performance
✔ Scalability
✔ Flexible deployment
✔ Inter-tenant isolation
✔ Innovation
(Diagram: an OpenBox Controller managing several OpenBox Instances (OBIs))

The OpenBox Framework
• Control plane: network functions are OpenBox Applications, which talk to a logically-centralized OpenBox Controller over the Northbound API
• Data plane: OpenBox Service Instances, controlled by the controller via the OpenBox Protocol
Additionally:
✔ Isolation between NFs / multiple tenants
✔ Support for hardware accelerators
✔ Dynamically extend the protocol
Observation: Most network functions do very similar processing steps, but there is no re-use. The design of the OpenBox framework is based on this observation.
Network Function Decomposition
Firewall: Read Packets → Header Classifier → Drop / Alert / Output
Load Balancer: Read Packets → Header Classifier → Rewrite Header → Output
Intrusion Prevention System: Read Packets → Header Classifier → DPI → Drop / Alert / Output
Northbound API
• OpenBox Applications (Firewall, Intrusion Prevention System, Load Balancer) specify their processing graph and block configuration through the NB API
• The OpenBox Controller reports events and load information back to the applications
• The controller programs the OpenBox Service Instances in the data plane via the OpenBox Protocol

Logically-Centralized Controller
• Multiple tenants run multiple applications for multiple policies in the same network
• Isolation between applications and tenants is enforced by the NB API
• Network-wide view
• Automatic scaling, provisioning, placement, and steering
• The OpenBox Controller sits beside the SDN Controller: the OpenBox Protocol drives OpenBox Service Instances, the SDN protocol drives SDN switches
Naïve Graph Merge
Firewall: Read Packets (2μs) → Header Classifier (30μs) → Drop / Alert (10μs) / Output (2μs)
Intrusion Prevention System: Read Packets (2μs) → Header Classifier (30μs) → DPI (50μs) → Drop / Alert (10μs) / Output (2μs)
Concatenated Processing Graph: Read Packets → Header Classifier → Drop / Alert (Firewall) → Header Classifier → DPI → Drop / Alert (IPS) → Output
Total: 134μs
Performance ≈ diameter of the graph (number of classifiers on the path)

Graph Merge Algorithm
Merged Processing Graph: Read Packets (2μs) → Header Classifier (30μs) → Drop / Alert (Firewall) / DPI (50μs) → Alert (IPS) (10μs) → Alert (Firewall) (10μs) → Output (2μs)
Shorter diameter (fewer classifiers)
Total: 104μs (22% improvement)
Algorithm and details are in the paper
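To make the "performance ≈ diameter" argument concrete, here is an added Python model (not OpenBox code) of the naïve and merged graphs from these two slides: it computes the worst-case path latency of each DAG. Block latencies are the slide's figures, the edges are reconstructed from the slide drawings, and the merge itself is the paper's algorithm and is not reimplemented here.

```python
from functools import lru_cache

# Per-block latencies in microseconds, as given on the slide. Drop is a
# terminal with no figure on the slide; 0 is assumed (it never lies on the
# critical path, so the assumption does not affect the result).
LATENCY_US = {
    "ReadPackets": 2, "HeaderClassifier": 30, "DPI": 50,
    "Alert": 10, "Output": 2, "Drop": 0,
}

def block_latency(node):
    """Node ids may carry a '#tag' suffix to tell instances of a block apart."""
    return LATENCY_US[node.split("#", 1)[0]]

def critical_path_us(graph, source="ReadPackets"):
    """Latency of the longest source-to-terminal path in a processing DAG.
    This is the 'diameter' the slide refers to: worst-case pipeline latency."""
    @lru_cache(maxsize=None)
    def longest_from(node):
        succ = graph.get(node, ())
        return block_latency(node) + max((longest_from(s) for s in succ), default=0)
    return longest_from(source)

def improvement_pct(naive_us, merged_us):
    return round(100 * (naive_us - merged_us) / naive_us)

# Naive merge: the IPS chain is concatenated after the firewall chain, so a
# packet the firewall lets through is header-classified twice.
NAIVE = {
    "ReadPackets": ["HeaderClassifier#FW"],
    "HeaderClassifier#FW": ["Drop#FW", "Alert#FW", "HeaderClassifier#IPS"],
    "Alert#FW": ["HeaderClassifier#IPS"],
    "HeaderClassifier#IPS": ["Drop#IPS", "DPI"],
    "DPI": ["Drop#DPI", "Alert#IPS", "Output"],
    "Alert#IPS": ["Output"],
}

# Merged graph (edges reconstructed from the slide): a single header
# classifier carries both rule sets, so DPI follows it directly and the
# firewall's alert is raised after the IPS alert on the shared branch.
MERGED = {
    "ReadPackets": ["HeaderClassifier"],
    "HeaderClassifier": ["Drop", "Alert#FW", "DPI"],
    "Alert#FW": ["Output"],
    "DPI": ["Drop#DPI", "Alert#IPS", "Output"],
    "Alert#IPS": ["Alert#FW2"],
    "Alert#FW2": ["Output"],
}

if __name__ == "__main__":
    naive, merged = critical_path_us(NAIVE), critical_path_us(MERGED)
    print(f"naive {naive}us, merged {merged}us, {improvement_pct(naive, merged)}% faster")
```

Running it reproduces the slide's 134μs versus 104μs; replacing the two dictionaries with any other block graph gives the same diameter check for that pipeline.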
OpenBox Data Plane Processing: block library, grouped by category as on the slide
• Terminals: Read Packets, Output, Drop
• Caching: Store Packet, Restore Packet
• Classification: Header Classifier, DPI
• Reporting: Alert, Log
• Normalization: JavaScript Normalizer, XML Normalizer, HTML Normalizer
• Queue Management: FIFO Queue, Front Drop Queue, Leaky Bucket, RED
• De/compression: Gzip Decompress, Gzip Compress
• Modification: VLAN Push, VLAN Pop, Rewrite Header
• Transactions: Begin Transaction, Commit Transaction, Rollback

OpenBox Data Plane Processing
• OpenBox Service Instance, virtual or physical
• Provides data plane services to realize the logic of network functions
• Controlled by the logically-centralized OpenBox controller
Distributed Data Plane
• Hardware OpenBox Service Instance (TCAM), e.g., an OpenFlow switch with encapsulation features (e.g., NSH, Geneve, FlowTags): runs Header Classifier and Rewrite Header
• Software OpenBox Service Instance: runs DPI and Alert
• Metadata is carried from the hardware instance to the software instance

Split Processing Graph
HW Instance: Read Packets → Header Classifier → Drop / Write Metadata → Encapsulate Metadata → Output
SW Instance: Read Packets → Decapsulate Metadata → Read Metadata → DPI → Drop / Alert / Output
Extensible Data Plane (example: a new app needs a Media Encoder block)
• Option 1: New hardware implementation (supports encapsulation)
• Option 2: Software module injection: a custom software module (signed), installed on the fly, no need to recompile, no need to redeploy
(Diagram: the new app talks to the OpenBox Controller over the NB API; the controller pushes the module to OpenBox Service Instances over the OpenBox Protocol)

Scalable & Reliable Data Plane
• Scalability
• Reliability
• Provisioning
(Diagram: the OpenBox Controller provisions OBIs on a hypervisor)
Implementation (github.com/OpenBoxProject)
• Control plane: Java-based OpenBox Controller, 7500 LoCs (Java): REST client/server, Northbound API, Network Graph Manager, Aggregator, Management API, REST API; applications such as FW, IPS, Load Balancer, ...
• Data plane: software OpenBox Service Instance: generic wrapper for execution engines (Python) with a Translation Engine, 5500 LoCs (Python); Click-based execution engine (C++), 2400 LoCs for the plugin (C++). Other execution engines (e.g., ClickNP) can be plugged in here.

Performance Improvement
• Without OpenBox: VM 1 runs the Firewall, VM 2 runs the IPS (standalone VMs)
• With OpenBox: VM 1 runs OBI 1: FW+IPS, VM 2 runs OBI 2: FW+IPS
(Charts: NF pipeline latency [µs] and throughput [Mbps], standalone VM vs. with OpenBox; latency: -35%, throughput: +86%)
Conclusions
• Network functions are currently a real challenge in large scale networks
• OpenBox decouples the data plane processing from network function control logic and:
– Reduces costs
– Enhances performance
– Improves scalability
– Increases reliability
– Provides inter-tenant isolation
– Allows easier innovation
(Diagram: OpenBox Applications → NB API → OpenBox Controller → OpenBox Protocol → OpenBox Service Instances)
Limitations

State Management
• Glosses over state management
• No detail about API implementation
• State replication, latency, etc.

Fault Tolerance
• State Replication
• Traffic Steering
• NF Replication

Implementation
• Code is still under development
• Incomplete components
• Mininet implementation does not work

Further Work
• Use P4 to extend the OpenBox system to become protocol agnostic.

Questions?
- Slides: 27