Paving the Way for NFV: Simplifying Middlebox Modifications

  • Slides: 22
Slide 1: Paving the Way for NFV: Simplifying Middlebox Modifications with StateAlyzr
Junaid Khalid, Aaron Gember-Jacobson, Roney Michael, Archie Abhashkumar, Aditya Akella

Slide 2: Middleboxes
• Perform sophisticated operations on network traffic: firewall, intrusion detection system (IDS), caching proxy
• Maintain state about connections and hosts

Slide 3: Network Function Virtualization (NFV)
• NFV enables elastic scaling and high availability
• Figure: scaling out a middlebox; labels "existing state" and "reroute new connections"

Slide 4: State taxonomy
• State created or updated by a middlebox applies to either a single connection or a set of connections
• Figure (example objects in an IDS):
  • Per-conn state: TcpAnalyzer, HttpAnalyzer (one per connection)
  • Cross-conn state: ConnCount
  • All-conns state: Statistics
  • Input state: Config + Sig

Slide 5: NFV state management -> middlebox modification
• Frameworks for transferring or sharing live middlebox state, e.g. Split/Merge [NSDI 2013] (figure: per-flow state, cross-flow state, init state, shared library)
• Require modifications or annotation to middlebox code
• Required modifications: 1. State allocation 2. State access 3. State merge

Slide 6: NFV state management -> middlebox modification
• Frameworks for transferring or sharing live middlebox state
• Require modifications or annotation to middlebox code
• Table of required modifications per framework; columns: State allocation, State access, Serialization, Merge state; rows: Split/Merge [NSDI 2013], OpenNF [SIGCOMM 2014], FTMB [SIGCOMM 2015], Pico Rep. [SoCC 2013], Stateless NF [HotMiddlebox 2015]

Slide 7: Why is modifying a middlebox hard?
• Output equivalence: for any input, the aggregate output of a dynamic set of instances should be equivalent to the output produced by a single instance
• Middleboxes are complex, diverse and have a variety of state:

  MB         LOC (C/C++)   Classes/Structs   Level of pointers   Number of procedures
  PRADS      10 K          40                4                   297
  OpenVPN    62 K          194               2                   2023
  HAProxy    63 K          191               8                   2560
  Bro IDS    97 K          1798              -                   3034
  Squid      166 K         875               -                   2133
  Snort IDS  275 K         898               10                  4617

• Missing a change to some structure, class or function may violate output equivalence

Slide 8: StateAlyzr: program analysis to the rescue
• A system that relies on data- and control-flow analysis to automatically identify state objects that need explicit handling (figure: source code -> StateAlyzr -> annotated code)
• Soundness (required for output equivalence): the system must not miss any critical types, storage locations, allocations, or uses of state
• Precision (required for performant state transfers): the system identifies the minimal set of state that requires special handling
• Leverage middlebox code structure to improve precision without compromising soundness

Slide 9: Fault tolerance
• Figure: an IDS with per-flow state, multi-flow state, all state and config state, deployed as a primary and a hot standby
• The primary sends a copy of the updated state to the hot standby after each packet

Slide 10: StateAlyzr
• Figure: nested refinement of the state the tool reports: All state -> Per-/cross-flow state -> Updateable state -> Output-impacting state

Slide 11: Logical structure of middlebox code

  main()
      init()
      loopProcedure()            // packet processing loop
          while (!done)
              packet = receive()
              process(packet)    // packet processing procedures, e.g. raiseEvent(), foo()
              send(packet)
              write(log)

Slide 12: 1. Per-/cross-flow state identification
• Variables corresponding to per-/cross-flow state must be persistent
• Persistent state can be stored in:
  1. Global variables
  2. Static variables
  3. Local variables declared in the loop procedure
  4. Formal parameters of the loop procedure
• Figure: stack frames of main, loopProcedure and foo (parameters, return address, local variables), e.g.

  int loopProcedure(int *threshold) {
      int count = 0;
      while (1) {
          struct pcap_pkthdr pcapHdr;
          char *pkt = pcap_next(extPcap, &pcapHdr);
          ...

Slide 13: How to identify packet processing code? (1. Per-/cross-flow state identification)
• Improve precision by considering only variables which are used in packet processing code
• Figure: persistent variables split into Per, Multi, All, Conf and Initialization

Slide 14: How to identify packet processing code? (1. Per-/cross-flow state identification)
• Figure: the structure of slide 11 plus an event thread that reaches packet processing procedures through an indirect call:

  main()
      init()
      loopProcedure()                  // packet processing loop
          while (!done)
              packet = receive()
              process(packet)          // packet processing procedures: raiseEvent(), foo()
              send(packet)
              write(log)
  Event thread:
      while (event = dequeue())
          processIndirect(event)       // indirect call

• Compute a forward slice from the packet recv function; any procedure appearing in the slice is considered a packet processing procedure:

  struct pktHdr *pkt = recv(extPcap);
  src_ip = pkt->ip_src_addr;
  packet_count++;
  index = src_ip + offset;

Slide 15: 2. Identify updateable state
• Is the state updated while processing the packet?
• Strawman approach: identify the top-level variable on the left-hand side (LHS) of each assignment statement
• Falls short due to aliasing:

  in_port = pkt.src_port;
  int *index = &tail;
  *index = (*index + 1) % 100;

• StateAlyzr employs flow-, context- and field-insensitive pointer analysis to identify updateable variables
• Figure: per-/cross-flow variables (Per, Multi, All, Conf) split into read-only and updateable
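To make the aliasing point concrete, here is an added toy analysis (not the paper's code or CodeSurfer's) over a three-statement IR constructed from the slide's snippet: the strawman LHS rule reports only `in_port`, while a flow-insensitive may-point-to pass also reports `tail`, which is written through `*index`. Variable names, the IR encoding and the persistent set are assumptions for this illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Variables of the slide snippet, numbered so sets can be bitmasks. */
enum { V_IN_PORT, V_PKT_SRC_PORT, V_INDEX, V_TAIL, V_TMP, NVARS };
enum { ASSIGN, ADDR, STORE };   /* dst = src ; dst = &src ; *dst = src */
struct stmt { int kind, dst, src; };

/* Constructed IR (hypothetical): the arithmetic in the third statement is
 * abstracted to a load into V_TMP, since only the store matters here. */
static const struct stmt prog[] = {
    { ASSIGN, V_IN_PORT, V_PKT_SRC_PORT },   /* in_port = pkt.src_port;     */
    { ADDR,   V_INDEX,   V_TAIL },           /* int *index = &tail;         */
    { STORE,  V_INDEX,   V_TMP },            /* *index = (*index + 1) % 100;*/
};
#define NSTMT (sizeof prog / sizeof prog[0])

/* Assumed persistent variables (globals / loop-procedure locals). */
#define PERSISTENT ((1u << V_IN_PORT) | (1u << V_TAIL))

/* Strawman from the slide: the top-level LHS variable of every statement. */
uint32_t strawman_updated(void) {
    uint32_t upd = 0;
    for (size_t i = 0; i < NSTMT; i++) upd |= 1u << prog[i].dst;
    return upd & PERSISTENT;            /* misses tail: it is never an LHS */
}

/* Alias-aware: iterate may-point-to sets to a fixpoint, then treat a store
 * through p as an update of everything p may point to. */
uint32_t alias_aware_updated(void) {
    uint32_t pt[NVARS] = {0}, upd = 0;
    int changed = 1;
    while (changed) {
        changed = 0;
        for (size_t i = 0; i < NSTMT; i++) {
            uint32_t before = pt[prog[i].dst];
            if (prog[i].kind == ADDR)   pt[prog[i].dst] |= 1u << prog[i].src;
            if (prog[i].kind == ASSIGN) pt[prog[i].dst] |= pt[prog[i].src];
            if (pt[prog[i].dst] != before) changed = 1;
        }
    }
    for (size_t i = 0; i < NSTMT; i++)
        upd |= prog[i].kind == STORE ? pt[prog[i].dst] : 1u << prog[i].dst;
    return upd & PERSISTENT;            /* now includes tail via *index */
}
```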

Slide 16: 3. Identify states' flowspace dimensions
• Identify a set of packet header fields that delineate the subset of traffic that relates to the state
• Program chopping to determine the relevant header fields
• Figure: updateable state classified by flowspace: Per [Src IP, Dst IP, Src Port, Dst Port, proto]; Multi [Src IP, Dst IP]; All; Conf (read-only)
• Common access patterns (hashtable key & value, linked list):
  1. Square brackets: entry = table[index];
  2. Pointer arithmetic: entry = head + offset;
  3. Iteration:

  struct host *lookup(uint ip) {
      struct host *curr = hosts;
      while (curr != NULL) {
          if (curr->ip == ip)
              return curr;
          curr = curr->next;
      }
      return NULL;
  }

  struct pktHdr *pkt = recv(extPcap);
  src_ip = pkt->ip_src_addr;
  packet_count++;
  index = src_ip + offset;
  entry = host_map[index];

Slide 17: StateAlyzr steps
1. Identify per-/cross-flow state
2. Identify updateable state
3. Identify states' flowspace dimensions
4. Output-impacting state: identify the type of output (log or packet) that updateable state affects
5. Tracking run-time updates: insert statements to do run-time monitoring to track whether a variable is updated
• Figure: Per, Multi, All, Conf -> read-only vs updateable -> flowspace Per [Src IP, Dst IP, Src Port, Dst Port, proto], Multi [Src IP, Dst IP]
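As an added illustration of step 5 and of the hot-standby use case from slide 9 (example code, not from the paper or PRADS), the block below keeps a per-flow host table keyed by source IP, marks an object dirty at the one place packet processing writes it, and then ships only dirty objects after each packet instead of every persistent byte. The table layout, the `dirty` flag and the config array are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Per-flow state object with flowspace [Src IP]; `dirty` is the run-time
 * monitoring flag that step 5 inserts, not part of the original struct. */
struct host { uint32_t ip; uint32_t packet_count; uint8_t dirty; };

#define NHOSTS 64
static struct host hosts[NHOSTS];      /* updateable per-flow state (constructed) */
static uint32_t sig_table[4096];       /* read-only config state (constructed) */

/* Open-addressed lookup; ip 0 marks an empty slot in this toy table. */
static struct host *lookup(uint32_t ip) {
    size_t i = ip % NHOSTS;
    for (size_t n = 0; n < NHOSTS; n++, i = (i + 1) % NHOSTS) {
        if (hosts[i].ip == 0) hosts[i].ip = ip;    /* claim empty slot */
        if (hosts[i].ip == ip) return &hosts[i];
    }
    return NULL;
}

/* Packet processing: the only write to persistent state is packet_count,
 * so that is the only place the inserted monitoring statement is needed. */
void process_packet(uint32_t src_ip) {
    struct host *h = lookup(src_ip);
    if (!h) return;
    h->packet_count++;
    h->dirty = 1;                                  /* inserted by step 5 */
}

/* Naive hot standby: copy everything persistent after every packet. */
size_t transfer_all_persistent(void) {
    return sizeof hosts + sizeof sig_table;
}

/* Analysis-guided hot standby: copy only updateable per-flow objects that
 * changed since the previous packet, then clear their flags. */
size_t transfer_updated_flow_state(void) {
    size_t bytes = 0;
    for (size_t i = 0; i < NHOSTS; i++)
        if (hosts[i].dirty) { bytes += sizeof hosts[i]; hosts[i].dirty = 0; }
    return bytes;
}
```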

Slide 18: Implementation
• Used CodeSurfer to implement StateAlyzr
• CodeSurfer has built-in support for:
  • Control flow graph construction
  • Flow- and context-insensitive pointer analysis
  • Forward/backward slice and chop computation
• Analyzed four open-source middleboxes:
  1. PRADS: a monitoring middlebox
  2. Snort: an IDS
  3. HAProxy: a load balancing proxy
  4. OpenVPN: a VPN gateway

Slide 19: Evaluation
• Precision
• Performance benefits at run time

Slide 20: Evaluation: effectiveness

  MB         All variables   Persistent variables (Step 0)   Per-/cross-flow variables (Step 1)   Updateable (Step 2)
  PRADS      1529            61                              29                                   10
  Snort IDS  18393           507                             333                                  148
  HAProxy    7876            272                             176                                  115
  OpenVPN    8704            156                             131                                  106

• StateAlyzr offers useful improvements in precision
• Theoretically proved the soundness of our algorithms

Slide 21: Highly available PRADS
• State transfer after each packet (figure: primary -> hot standby)
• Plot: per-packet state transfer (KB, log scale 1 to 10000) against packet number, for three variants: all persistent state, all updatable state, flowspace
• StateAlyzr reduced the manual effort of modifying PRADS from 120 hrs to 6 hrs
• StateAlyzr found a compound variable which we missed in our prior modification
• Reduction in the state transfer by 305x

Slide 22: Summary
• Goal is to aid middlebox developers in identifying state objects that need explicit handling
• Novel state characterization algorithms that adapt standard program analysis tools
• Ensure soundness and high precision
• Ultimate goal is to fully automate the process