TRANSCRIPT
Policy-preserving Middlebox Placement in SDN-Enabled Data Centers
Bin Tang, Computer Science Department, California State University Dominguez Hills
Some slides are from www.cs.berkeley.edu/~randy/Courses/CS268.F08/lectures/22-policy_switching.ppt and www.cs.yale.edu/homes/yu-minlan/talk/sigcomm13.pptx
Overview
• What is a middlebox?
• What are SDN (Software Defined Networking) and NFV (Network Function Virtualization)?
• Policy-preserving middlebox placement problem in data centers
– Problems and preliminary solutions
• Conclusions
Middleboxes
• A middlebox, or network appliance, is a computer networking device that transforms, inspects, filters, or otherwise manipulates traffic for purposes other than packet forwarding.
– Intermediaries in between the communicating hosts
– Often without knowledge of one or both parties
• Examples
– Network address translators
– Firewalls
– Load balancers
– Intrusion detection systems
– Transparent Web proxy caches
Problem: Middleboxes are hard to deploy
• Place on network path (figure: a packet's network path passes through a Load Balancer and a Firewall placed in-line)
• On-path placement fails to achieve:
– Correctness: guaranteed middlebox traversal
– Flexibility: (re)configurable network topology
– Efficiency: no middlebox resource wastage
Common data center topology (figure: Internet → Layer-3 router (Core) → Layer-2/3 switch (Aggregation) → Layer-2 switch (Access) → Servers, with a Firewall and a Load Balancer in-line between the Internet and the Data Center)
Inflexible topology (figure: Internet → Intrusion Prevention Box → Firewall → Load Balancer, fixed in-line order)
Inefficient - middlebox resource wastage (figure: middleboxes on the primary path from the Internet process unnecessary traffic, while those on the backup path sit unutilized)
Policy-Preserving Placement of MBs (figure: traffic from S1 and S2 toward Dst must follow the policy chain Firewall → IDS → Proxy; the figure contrasts this with a path that traverses Firewall → Proxy → IDS)
The Internet: A Remarkable Story
• Tremendous success
– From research experiment to global infrastructure
• Brilliance of under-specifying
– Network: best-effort packet delivery
– Hosts: arbitrary applications
• Enables innovation in applications
– Web, P2P, VoIP, social networks, virtual worlds
• But, change is easy only at the edge…
Inside the 'Net: A Different Story…
• Closed equipment
– Software bundled with hardware
– Vendor-specific interfaces
• Overspecified
– Slow protocol standardization
• Few people can innovate
– Equipment vendors write the code
– Long delays to introduce new features
Impacts performance, security, reliability, cost…
Networks are Hard to Manage
• Operating a network is expensive
– More than half the cost of a network
– Yet, operator error causes most outages
• Buggy software in the equipment
– Routers with 20+ million lines of code
– Cascading failures, vulnerabilities, etc.
• The network is "in the way"
– Especially a problem in data centers
– …and home networks
Traditional Computer Networks
• Data plane: packet streaming
– Forward, filter, buffer, mark, rate-limit, and measure packets
• Control plane: distributed algorithms
– Track topology changes, compute routes, install forwarding rules
Software Defined Networking (SDN)
(figure: logically-centralized control (smart) drives the switches (dumb, fast) through an API to the data plane, e.g., OpenFlow)
3 Complementary but Independent Networking Developments
(figure from "Network Functions Virtualisation: Vision", Geneva, Switzerland, 4 June 2013)
• Network Functions Virtualisation: creates operational flexibility; reduces CapEx, OpEx, space & power consumption
• Software Defined Networks: creates control abstractions to foster innovation
• Open Innovation: creates competitive supply of innovative applications by third parties; reduces delivery time
Classical Network Appliance Approach
(figure: separate purpose-built boxes for BRAS, Firewall, DPI, CDN, Tester/QoE monitor, WAN Acceleration, Message Router, Radio/Fixed Access Network Nodes, Carrier Grade NAT, Session Border Controller, PE Router, SGSN/GGSN)
• Fragmented, purpose-built hardware.
• Physical install per appliance per site.
• Hardware development is a large barrier to entry for new vendors, constraining innovation & competition.
Network Functions Virtualisation Approach
• High volume Ethernet switches, high volume standard servers, high volume standard storage
• Orchestrated, automatic & remote install
• Competitive & innovative open ecosystem of independent software vendors
Policy-Preserving MB Placement Problem in Data Centers
(figure: a data center tree of core switches, aggregation switches and edge switches; physical machines (PM) numbered 1–16 hang off the edge switches and host virtual machines (VM); VM pairs (v1, v1') and (v2, v2') communicate across the tree)
MB Placement Problems
§ Many communication pairs in the network
§ Single MB type
– One MB type, say firewall, but multiple instances
§ Multiple MB types
– Each has one instance
– Ordered service chaining
– Unordered service chaining
§ Goal: minimize total communication cost
§ Constraint: capacity of MB (each can only process a limited number of pairs)
Single MB Case
§ Given a data center graph G(V,E)
§ There are m instances of a MB, placed at different nodes in V
§ A set of p communicating node pairs P; each pair (s,t) in P needs to traverse an instance of the MB
§ Each middlebox can only be traversed by at most k pairs
§ When p=(s,t) traverses an MB instance m, its cost is c(p,m) = d(s, sw(m)) + d(sw(m), t)
§ Goal: assign all the pairs in P, each traversing one MB instance, s.t. the total cost is minimized, subject to each MB instance taking at most k pairs.
subject to cost(A) < B
Solution – minimum cost flow
(figure: a flow network with edges labelled (capacity, cost). Source → each of the p communication pairs (s1,t1), (s2,t2), …, (sp,tp) with (1, 0); each pair (s,t) → each of the m MB instances 1, 2, 3, …, m with (1, c(p,m)), e.g. (1, c(1,sw(1))), (1, c(1,sw(2))), (1, c(p,1)); each MB instance → Sink with (k, 0))
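The single-MB assignment solved as the minimum cost flow of the slide, written as an added example (not code from the talk). It assumes a constructed 7-switch tree, hop count as d(·,·), and pairs named by the edge switch their hosts attach to; the flow network is Source → pair (capacity 1, cost 0), pair → MB instance (capacity 1, cost c(p,m)), MB instance → Sink (capacity k, cost 0).

```python
from collections import deque
# Constructed topology (not from the slides): a small switch tree. Hosts sit on
# edge switches e1..e4 and d(u, v) is the hop count between switches.
TOPO = {"core": ["agg1", "agg2"], "agg1": ["core", "e1", "e2"],
        "agg2": ["core", "e3", "e4"], "e1": ["agg1"], "e2": ["agg1"],
        "e3": ["agg2"], "e4": ["agg2"]}

def hops(src):  # BFS hop counts from src to every switch in TOPO
    dist, q = {src: 0}, deque([src])
    while q:
        u = q.popleft()
        for v in TOPO[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                q.append(v)
    return dist

def assign_pairs(pairs, mb_switches, k):
    """Min-cost flow of the slide: Source -(1,0)-> pair -(1,c(p,m))-> MB -(k,0)-> Sink.
    Returns (total cost, {pair: MB switch}) or None if capacity k cannot serve all pairs."""
    p, m = len(pairs), len(mb_switches)
    src, sink, n = p + m, p + m + 1, p + m + 2
    adj = [[] for _ in range(n)]          # adj[u] = [to, residual cap, cost, rev index]
    def add(u, v, cap, cost):             # forward edge plus zero-capacity back edge
        adj[u].append([v, cap, cost, len(adj[v])])
        adj[v].append([u, 0, -cost, len(adj[u]) - 1])
    for i, (s, t) in enumerate(pairs):
        add(src, i, 1, 0)
        for j, sw in enumerate(mb_switches):  # c(p, m) = d(s, sw(m)) + d(sw(m), t)
            add(i, p + j, 1, hops(s)[sw] + hops(sw)[t])
    for j in range(m):
        add(p + j, sink, k, 0)
    total = 0
    for _ in range(p):                    # successive shortest paths, one unit per pair
        dist, prev = {src: 0}, {}
        for _ in range(n - 1):            # Bellman-Ford: residual edges carry negative costs
            for u in list(dist):
                for i, (v, cap, cost, _) in enumerate(adj[u]):
                    if cap > 0 and dist[u] + cost < dist.get(v, float("inf")):
                        dist[v], prev[v] = dist[u] + cost, (u, i)
        if sink not in dist:
            return None                   # every reachable MB instance is already at capacity k
        v = sink
        while v != src:                   # augment one unit along the cheapest path
            u, i = prev[v]
            adj[u][i][1] -= 1
            adj[v][adj[u][i][3]][1] += 1
            v = u
        total += dist[sink]
    assignment = {pairs[i]: mb_switches[v - p] for i in range(p)
                  for v, cap, _, _ in adj[i] if p <= v < p + m and cap == 0}
    return total, assignment
```

With MB instances on agg1 and agg2 and k = 2, the four constructed pairs cost 10 in total; with k = 1 only two pairs fit and the function reports infeasibility.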
Ordered Multiple MBs Case
§ Given a data center graph G(V,E)
§ There are m MBs M = {mb1, mb2, …, mbm} to be placed inside the data center
§ A set of p communicating node pairs P; each pair (s,t) in P needs to traverse mb1, mb2, …, mbm in that order
§ The cost for p=(s,t) is c(p) = d(s, mb1) + d(mb1, mb2) + … + d(mbm-1, mbm) + d(mbm, t)
§ Goal: where to place the m MBs, s.t. the total cost of all p pairs is minimized
Ordered Multiple MBs Case: Solution
§ NP-hard
§ Random: randomly place the m MBs inside the data center
§ Greedy: takes place in m rounds
– In round i, it places mbi at a node that minimizes the total communication cost so far
§ Load Balancing: each switch can only accommodate a limited number of communication pairs
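The greedy placement for the ordered chain, as an added example that is not from the slides. It uses a constructed switch tree with hop-count distances, reads "total communication cost so far" in round i as the cost of the partial chain mb1 … mbi closed off by the hop to t (an assumption about the talk's wording), and compares the heuristic against exhaustive search, which is only possible at toy size since the problem is NP-hard.

```python
from itertools import product

# Constructed topology (not from the slides): a small switch tree; d(u, v) is the
# hop count between switches, computed here by Floyd-Warshall over the adjacency.
TOPO = {"core": ["agg1", "agg2"], "agg1": ["core", "e1", "e2"],
        "agg2": ["core", "e3", "e4"], "e1": ["agg1"], "e2": ["agg1"],
        "e3": ["agg2"], "e4": ["agg2"]}
NODES = list(TOPO)
D = {u: {v: 0 if u == v else 1 if v in TOPO[u] else float("inf") for v in NODES} for u in NODES}
for w in NODES:
    for u in NODES:
        for v in NODES:
            D[u][v] = min(D[u][v], D[u][w] + D[w][v])

def chain_cost(pairs, placement):
    """Sum over pairs of c(p) = d(s, mb1) + d(mb1, mb2) + ... + d(mbm, t), where
    placement lists the switch hosting mb1, mb2, ..., mbm in chain order."""
    total = 0
    for s, t in pairs:
        walk = [s] + list(placement) + [t]
        total += sum(D[a][b] for a, b in zip(walk, walk[1:]))
    return total

def greedy_place(pairs, m):
    """Round i fixes mb_i at the switch minimizing the cost of the partial chain
    mb1..mb_i (evaluated as if mb_i were the last box before t); ties go to the
    first switch in NODES order."""
    placement = []
    for _ in range(m):
        best = min(NODES, key=lambda sw: chain_cost(pairs, placement + [sw]))
        placement.append(best)
    return placement

def optimal_place(pairs, m):
    """Exhaustive search over all |V|^m placements; a toy-size reference only."""
    return min(product(NODES, repeat=m), key=lambda pl: chain_cost(pairs, pl))
```

On the three constructed pairs below, greedy puts both boxes on the core switch for a total cost of 12, which exhaustive search confirms is optimal for this instance.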
Un-Ordered Multiple MBs Case
§ Given a data center graph G(V,E)
§ There are m MBs M = {mb1, mb2, …, mbm} to be placed inside the data center
§ A set of p communicating node pairs P; each pair (s,t) in P needs to traverse mb1, mb2, …, mbm, but not necessarily in that order
§ The cost for p=(s,t) is c(p) = d(s, mbi,1) + d(mbi,1, mbi,2) + … + d(mbi,m-1, mbi,m) + d(mbi,m, t), where mbi,1, …, mbi,m is the order in which this pair traverses the m MBs
§ Goal: where to place the m MBs, s.t. the total cost of all p pairs is minimized
Un-Ordered Multiple MBs Case: Solution
§ Even more complicated than the Ordered Multiple MBs case
MB Migration Problems
§ Many communication pairs in the network
§ Move MBs from their initial locations to other locations
§ Goal: minimize total communication cost
§ Constraint: capacity of MB (each can only process a limited number of pairs)
MB Replication Problems
§ Many communication pairs in the network
§ Multiple MB types, each has one instance
§ Goal: how to replicate the MBs, in order to minimize total communication cost
§ Constraint: capacity of switch (each can only store a limited number of MB instances)
Conclusions
• Deploying middleboxes is hard, but SDN and NFV make it easier
• Middlebox management in SDN-enabled data centers is a new and exciting research field
• Many new algorithmic problems have not yet been solved
• Need your participation!
Questions?