OpenBox: A Software-Defined Framework for Developing, Deploying, and Managing Network Functions
Yotam Harchol, The Hebrew University of Jerusalem
Joint work with Anat Bremler-Barr (IDC) and David Hay (HUJI)
To appear in ACM SIGCOMM 2016. A preliminary version of this work was published in ACM SIGCOMM HotMiddlebox 2015.
Software-Defined Networking
40%-60% of the appliances are not switches/routers [Sherry & Ratnasamy '12]: firewalls, intrusion detection, network anti-virus, leakage prevention, caching, load balancing, billing, NAT, encoders, gateways, SSL termination, TCP optimization, ...
• Logically-centralized control: the SDN controller is smart and slow; the switches are dumb and fast
• Control plane: distributed algorithms
• Data plane: packet streaming and processing
• Management plane: human time scale
• API from the control plane to the data plane (e.g., OpenFlow)
Network Functions
• Expensive to own and to operate
• Hard to manage: separate vendors, separate management
• No elastic scaling
• Complex, and they dominate overall network performance
Software-Defined Solutions
Forwarding plane (switches, routers): high cost; limited management; no multi-tenancy; limited functionality and limited innovation; complex distributed algorithms. Solution: SDN / OpenFlow.
Network functions (middleboxes): higher cost; limited and separate management; limited provisioning and scalability; no multi-tenancy; limited functionality and limited innovation; similar processing steps, but no re-use. Our solution: OpenBox, an OpenBox controller next to the SDN controller, driving OpenBox instances (OBIs).
Challenges
• Northbound API / language for specifying NF logic
• Logically-centralized controller that unifies the logic of multiple network functions from multiple tenants
• Communication protocol between the controller and the data plane
• Specification of data plane instances
• Support for hardware accelerators
• Dynamically extending the protocol
Architecture figure: network functions → northbound API → logically-centralized controller (control plane) → southbound protocol → data plane instances (data plane).
OpenBox
• OpenBox: a new protocol
• Decouples network function control from the data plane
• Unifies the data plane of multiple network functions
Benefits: easier, unified control; better performance; scalability; flexible deployment; multi-tenancy; innovation.
Architecture figure: OpenBox applications → northbound API → OpenBox controller (control plane) → OpenBox protocol → OpenBox service instances (data plane).
www.openboxproject.org, github.com/OpenBoxProject
A Different View of Network Functions
• Previous works: a network function is a monolithic closed unit
– Traffic steering (e.g., SIMPLE [SIGCOMM '13])
– Placement and virtualization (e.g., CoMb [NSDI '12])
– NFV orchestration (e.g., OpenStack, OpenMano, Stratos, E2 [SOSP '15])
– State management (e.g., OpenNF [SIGCOMM '14])
– Runtime platform (e.g., xOMB [ANCS '12], SDM [INFOCOM '14])
• OpenBox: a network function is a logical application
– Most processing steps are shared among many types of network functions
– Some steps can be done once for multiple applications
What Do Network Functions Do?
Firewall: Read Packets → Header Classifier → Drop | Alert | Output
Load Balancer: Read Packets → Header Classifier → Rewrite Header → Output
Intrusion Prevention System: Read Packets → Header Classifier → DPI → Drop | Alert | Output
Observation: most network functions perform very similar processing steps, but there is no re-use between them.
What Do Network Functions Do? Block taxonomy:
• Terminals: Read Packets, Output, Drop
• Classification: Header Classifier, DPI
• Normalization: JavaScript Normalizer, XML Normalizer, HTML Normalizer
• Reporting: Alert, Log
• Caching: Store Packet, Restore Packet
• Queue Management: FIFO Queue, Front Drop Queue, Leaky Bucket, RED Queue
• De/compression: Gzip Compress, Gzip Decompress
• Header Modification: Rewrite Header, VLAN Push, VLAN Pop
• Transactions: Begin Transaction, Commit Transaction, Rollback Transaction
Northbound API
• OpenBox applications (e.g., the firewall, IPS and load balancer graphs above) specify the processing graph and the block configuration
• The controller reports events and load information back to the applications
Flow: OpenBox applications ↔ NB API ↔ OpenBox controller (control plane) ↔ OpenBox protocol ↔ OpenBox service instances (data plane).
Logically-Centralized Controller
• Multiple tenants run multiple applications for multiple policies in the same network
• No data sharing between applications
• Network-wide view
• Automatic scaling, provisioning, placement, and steering
The OpenBox controller drives OpenBox service instances over the OpenBox protocol; it works alongside the SDN controller, which drives the SDN switches over the SDN protocol.
OpenBox Data Plane
OpenBox Service Instance (OBI), virtual or physical:
• Implements the block library (terminals, classification, normalization, reporting, caching, queue management, de/compression, header modification, transactions)
• Provides data plane services to realize the logic of network functions
• Controlled by the logically-centralized OpenBox controller
Distributed Data Plane
One processing graph can span a hardware OBI and a software OBI. Hardware OBI (TCAM), e.g., an OpenFlow switch with encapsulation features: Header Classifier. Software OBI: DPI, Alert, Rewrite Header. The classification result travels from the hardware OBI to the software OBI as metadata attached to the packet.
Split Processing Graph
HW instance: Read Packets → Header Classifier → Drop | Write Metadata → Encapsulate Metadata → Output
SW instance: Read Packets → Decapsulate Metadata → Read Metadata → DPI → Drop | Alert | Output
Extensible Data Plane
A new software module (e.g., a media encoder) can be injected by the OpenBox controller into a software OBI without modifying or re-deploying software in the data plane. The hardware OBI in the figure supports encapsulation, so the graph can be split between it and the software OBI.
Scalable & Reliable Data Plane
Scalability, reliability and provisioning: the OpenBox controller provisions additional OBIs as needed (figure: controller and a pool of OBIs).
Naïve Graph Merge
Firewall: Read Packets → Header Classifier → Drop | Alert | Output
Intrusion Prevention System: Read Packets → Header Classifier → DPI → Drop | Alert | Output
Concatenated processing graph: Read Packets → Header Classifier (firewall) → Drop | Alert (firewall) → Header Classifier (IPS) → DPI → Drop | Alert (IPS) | Output
Performance ≈ diameter of the graph (number of classifiers a packet passes through)
Graph Merge Algorithm
Merged processing graph: Read Packets → single Header Classifier → Drop | Alert (firewall) → Output | Alert (firewall) → DPI | DPI → Alert (IPS) | Output
The two header classifiers collapse into one, so a packet is classified once: shorter diameter (fewer classifiers).
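The naive concatenation and the merged-classifier graph above, as an added worked example in Python; this is not code from the OpenBox project. It encodes the firewall and IPS graphs of the slides with constructed rules and packets, builds both the concatenated graph and the merged graph, and compares the classifier diameter and the number of classifier blocks each packet visits. The rule format, the packet layout, the graph encoding and the merge strategy (one classifier whose rules are the pairwise conjunctions of the two originals, with empty conjunctions dropped) are assumptions made for the example; the paper's own merge algorithm may differ.

```python
# Added example, not OpenBox project code: naive concatenation vs. merge of two
# processing graphs. Block names follow the slides; the rule format, packet layout,
# graph encoding and merge strategy (conjoined classifier rules) are assumptions.
from dataclasses import dataclass, field


class Rule:  # header match given as field=value; a field that is absent is a wildcard
    def __init__(self, **fields):
        self.f = fields

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.f.items())

    def conjoin(self, other):  # rule for packets matching both, or None if disjoint
        if any(self.f[k] != other.f[k] for k in self.f.keys() & other.f.keys()):
            return None
        return Rule(**{**self.f, **other.f})


@dataclass
class Block:  # rules: [(Rule, port)] for HeaderClassifier; patterns: bytes for DPI;
    kind: str  # label: Alert message; next: output port -> block name
    rules: list = field(default_factory=list)
    patterns: list = field(default_factory=list)
    label: str = ""
    next: dict = field(default_factory=dict)


@dataclass
class Graph:
    blocks: dict
    entry: str

    def run(self, pkt):  # returns (terminal block, alerts raised, classifier blocks visited)
        name, alerts, visited = self.entry, [], 0
        while self.blocks[name].kind not in ("Drop", "Output"):
            b = self.blocks[name]
            if b.kind == "HeaderClassifier":
                visited += 1
                port = next((p for r, p in b.rules if r.matches(pkt)), "default")
            elif b.kind == "DPI":
                visited += 1
                port = "match" if any(s in pkt["payload"] for s in b.patterns) else "nomatch"
            else:  # ReadPackets and Alert have a single output port
                if b.kind == "Alert":
                    alerts.append(b.label)
                port = "out"
            name = b.next[port]
        return self.blocks[name].kind, alerts, visited


def classifier_diameter(graph):  # most classifier blocks on any path: the slides' cost proxy
    def depth(n):
        b = graph.blocks[n]
        return (b.kind in ("HeaderClassifier", "DPI")) + max(map(depth, b.next.values()), default=0)
    return depth(graph.entry)


FW = Graph({  # firewall of the slides (constructed rules): drop telnet, alert on one host
    "fw_read": Block("ReadPackets", next={"out": "fw_cls"}),
    "fw_cls": Block("HeaderClassifier", rules=[(Rule(proto="tcp", dst_port=23), "drop"),
                                               (Rule(src_ip="10.0.0.7"), "alert")],
                    next={"drop": "fw_drop", "alert": "fw_alert", "default": "fw_out"}),
    "fw_alert": Block("Alert", label="firewall", next={"out": "fw_out"}),
    "fw_drop": Block("Drop"), "fw_out": Block("Output")}, "fw_read")

IPS = Graph({  # IPS of the slides (constructed rules): DPI on HTTP, alert and drop on a hit
    "ips_read": Block("ReadPackets", next={"out": "ips_cls"}),
    "ips_cls": Block("HeaderClassifier", rules=[(Rule(proto="tcp", dst_port=80), "dpi")],
                     next={"dpi": "ips_dpi", "default": "ips_out"}),
    "ips_dpi": Block("DPI", patterns=[b"/etc/passwd", b"<script>"],
                     next={"match": "ips_alert", "nomatch": "ips_out"}),
    "ips_alert": Block("Alert", label="ips", next={"out": "ips_drop"}),
    "ips_drop": Block("Drop"), "ips_out": Block("Output")}, "ips_read")


def concatenate(first, second):  # naive merge: first's Output feeds second's first block
    start = second.blocks[second.entry].next["out"]
    blocks = {n: b for n, b in second.blocks.items() if n != second.entry}
    for n, b in first.blocks.items():
        if b.kind != "Output":
            blocks[n] = Block(b.kind, b.rules, b.patterns, b.label,
                              {p: start if first.blocks[t].kind == "Output" else t for p, t in b.next.items()})
    return Graph(blocks, first.entry)


def _clone_path(graph, start, tail, into, prefix):
    # Copy the blocks reachable from `start` into `into` under prefixed names, sending
    # edges that reached Output to `tail` instead. Returns the entry name of the copy.
    def new(n):
        return tail if graph.blocks[n].kind == "Output" else prefix + n
    todo = [start]
    while todo:
        n = todo.pop()
        b = graph.blocks[n]
        if b.kind != "Output" and prefix + n not in into:
            into[prefix + n] = Block(b.kind, b.rules, b.patterns, b.label, {p: new(t) for p, t in b.next.items()})
            todo += b.next.values()
    return new(start)


def merge(first, second):
    # Merge: one Header Classifier whose rules are the pairwise conjunctions of the two
    # originals, so each packet is classified once. Walking the pairs in lexicographic order
    # keeps the first-match semantics of both. This strategy is an assumption of the example.
    c1n, c1 = next((n, b) for n, b in first.blocks.items() if b.kind == "HeaderClassifier")
    c2n, c2 = next((n, b) for n, b in second.blocks.items() if b.kind == "HeaderClassifier")
    blocks = {n: b for n, b in second.blocks.items() if n not in (second.entry, c2n)}
    cls = Block("HeaderClassifier")
    for i, (r1, p1) in enumerate(c1.rules + [(Rule(), "default")]):
        for j, (r2, p2) in enumerate(c2.rules + [(Rule(), "default")]):
            if (r := r1.conjoin(r2)) is None:
                continue  # disjoint rules: no packet can take this pair of paths
            cls.rules.append((r, f"{i}/{j}"))
            cls.next[f"{i}/{j}"] = _clone_path(first, c1.next[p1], c2.next[p2], blocks, f"{i}/{j}:")
    blocks[c1n], blocks[first.entry] = cls, Block("ReadPackets", next={"out": c1n})
    return Graph(blocks, first.entry)


PACKETS = {  # constructed sample packets, not captured traffic
    "telnet": {"proto": "tcp", "dst_port": 23, "src_ip": "192.0.2.9", "payload": b""},
    "web_attack": {"proto": "tcp", "dst_port": 80, "src_ip": "10.0.0.7", "payload": b"GET /../etc/passwd HTTP/1.1"},
    "dns": {"proto": "udp", "dst_port": 53, "src_ip": "198.51.100.4", "payload": b"\x12\x34"},
}

if __name__ == "__main__":
    chain, merged = concatenate(FW, IPS), merge(FW, IPS)
    print("classifier diameter: chain", classifier_diameter(chain), "merged", classifier_diameter(merged))
    for name, pkt in PACKETS.items():
        print(f"{name}: chain {chain.run(pkt)}  merged {merged.run(pkt)}")
```

Running it gives a classifier diameter of 3 for the concatenated graph and 2 for the merged one, and every constructed packet reaches the same terminal with the same alerts in both graphs while visiting no more classifiers in the merged graph than in the chain (one fewer whenever the chain would classify it twice). The merged classifier holds five rules rather than the six pairs, because the firewall's telnet rule and the IPS's HTTP rule can never both match; dropping such empty conjunctions is the check that keeps cross-product merging from inflating the rule table.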
Implementation (github.com/OpenBoxProject)
• Java-based controller: REST client/server, application northbound API, network graph manager, aggregator, application management API, REST API
• Software OpenBox service instance: generic wrapper for execution engines (Python), translation engine, Click-based execution engine (C++)
• Controller and service instance communicate over TCP
Performance Improvement
Without OpenBox: VM 1 runs the firewall and VM 2 runs the IPS (VM chain). With OpenBox: OBI 1 and OBI 2 each run the merged FW+IPS graph.
Charts: throughput [Mbps] and latency [µs] of the firewall and the IPS standalone; NF pipeline throughput [Mbps] and latency [µs] for a standalone VM, the VM chain, and OpenBox. The OpenBox bars are annotated -35% (latency) and +86% (throughput).
Conclusions
• Network functions are currently a real challenge in large-scale networks
• OpenBox decouples data plane processing from network function control logic, and:
– Reduces costs
– Enhances performance
– Improves scalability
– Increases reliability
– Provides multi-tenancy
– Allows easier innovation
Architecture figure: OpenBox applications → NB API → OpenBox controller (control plane) → OpenBox protocol → OpenBox service instances (data plane).
Questions? Thank you!