OpenSig, Napa, California, Oct 11, 2000
Silicon-based Programmable Routers: What have we learned?
Tal Lavian - Nortel Networks, [email protected], 408-495-3062
More info: http://www.openetlab.org
Franco Travostino, Phil Wang, Rob Duncan
Usual Disclaimer
• We are part of a research organization.
• This talk describes exploratory research.
• Nortel makes no commitment to turn this technology into products.
• Nortel makes no commitment to do anything with the ideas described in this talk.
What have we learned?
• We have implemented a programmable (Java) Gigabit Routing Switch (256 Gb/s backplane)
• Infinite bandwidth, wire-speed routing and streaming media drive new types of intelligence on programmable network devices
• Dynamic monitoring and modification of silicon knobs
– The granularity is streams, not packets
– Short time granularity: the reaction is part of the application, not human intervention (keyboard, telnet, CLI, SNMP)
Agenda
• Programmability - market drivers
• Infinite bandwidth drives the need for programmability
• Architecture
• Separation of Control and Data planes
• Example - Dynamic Classification
• Summary
Industry Movement from Vertical toward Horizontal Markets
1980s - Vertical Industry: IBM, CDC, Digital, Amdahl, each supplying its own Applications, OSs, Peripherals and Hardware
2000s - Horizontal Industry: separate markets for Applications, OSs, Peripherals and Hardware
Inflection Points Ahead of Us
Incomplete transformation; the inflection point is quickly approaching …
'00 Vertical Network Industry: Cisco, Nortel, Juniper, 3Com, each supplying its own Network & Mgmt services, Embedded OS, System and ASICs
Horizontal Network Industry: separate layers for Network & Mgmt services, Embedded OS, System and ASICs
Infinite Bandwidth: Why does this change the playground?
• Are we ready for streaming media on the net?
– Peer to peer: Napster, 6000 radio stations
– Streaming video, multicast; Napster video is coming
– Web traffic will be minor (streaming is constant)
• 3-4 orders of magnitude bandwidth growth in many dimensions
– Access: cable, DSL, 3G (28 kb/s → 10 Mb/s, 1.5 Mb/s, 384 kb/s)
– Core: optical bandwidth (155 Mb/s → 1 Tb/s)
– LAN: 10 Mb/s → 10 Gb/s
• Silicon wire-speed routing
Bottlenecks in Programmable Routing
• The streaming media demand and the infinite bandwidth will drive the need for programmability and dynamic services on the net
• Need programmability to drive this booming demand. Software-based routers can't do it.
• Unlike Linux routers and software-based routers, we can't add software to the data plane
– Data plane: wire-speed silicon forwarding, multi-Gigabit
– Control plane: can't see the data at wire speed, but can dynamically modify the silicon knobs
Programmable Services - Locations
• Service-enablement will prove most effective where "impedance mismatches" occur in the network
– Optical vs. wireline (3-4 oom)
– Wireline vs. wireless (3-4 oom)
– Secure vs. non-secure
– Customer premises vs. content-provider land (3-4 oom)
– SLA (x) vs. SLA (y)
– Resource-constrained vs. unwashed unlimited computing
• A service-enabled box can wear multiple hats
(oom – order of magnitude)
Emancipation of a Router
It all started from old-world, vertically-integrated code: proprietary apps on a proprietary NOS on ASICs/processors.
Routers Emancipation
Extroverted APIs extend a commodity Java runtime.
[Figure: the forwarding engine (ASICs/processors) is wrapped by a System Services Framework (routing protocols, Routing Table Manager, Forwarding Engine Interface, System Manager, Management Interface Agents) whose introverted APIs are used internally; a JVM with Java APIs (JAPIs) exposes extroverted APIs on which ISV software runs.]
Java-enabled Device Architecture
[Figure: Hardware; Operating System with routing code and native APIs; JVM; Oplet Runtime Env; Oplets downloaded onto the device.]
Example: Downloading Intelligence
[Figure: an intelligence application is dynamically loaded onto the network device (HW, OS, JVM) and passes through authentication and security before it can monitor and react.]
Separation of Control and Forwarding Planes
[Figure: a centralized, CPU-based router runs routing software with control and forwarding functions combined on one CPU (slow); a forwarding-processor based router separates control (CPU control plane) from forwarding (several forwarding processors at wire speed).]
Programmable Networking
[Figure: the control plane (CPU system running the ORE, network services and JFWD) sits above a switching fabric with forwarding processors, each holding forwarding rules and statistics & monitors in the forwarding plane (wire-speed forwarding). Traffic packets flow through the forwarding plane; filtered packets are copied up to the control plane and new rules are pushed down.]
But Java is Slooowwwww
• Not appropriate in the fast-path data forwarding plane
– Forwarding is done by ASICs or NPUs
– Packet processing is not affected
• Java applications run on the CPU
– Packets designated for a Java application are pushed into the control plane
Simple Example: Fine grain monitoring
• Imagine an SNMP-based network with:
– 100 nodes
– each node with 100 ports
– each port with 100 conditions
– all being checked 100 times a second
• That's 100 × 100 × 100 × 100 = 100 million SNMP variable accesses every second.
• And that's a significant load on the NMS and the network as a whole. It's not going to work.
Silicon-based Forwarding Engines
[Figure: CPU control plane above a switching fabric with forwarding processors, each holding forwarding rules and statistics & monitors, doing wire-speed forwarding.]
Real-time Forwarding Stats and Monitors
[Figure: applications (SW) on the CPU read the statistics & monitors and forwarding rules of each forwarding processor (HW).]
Dynamic Classification Objectives
• Implement flow performance enhancement mechanisms without introducing software into the data forwarding path
– Service-defined packet processing in a silicon-based forwarding engine
– Dynamic packet classifier
Dynamic - On the Fly Configuration
[Figure: packets pass through the packet filter and policy filters of the forwarding processors; dynamic apps install and change those filters on the fly.]
JFWD 5-tuple Filtering
• 5-tuple filtering list (match fields):
– Source Address
– Source Port
– Destination Address
– Destination Port
– Protocol
• Actions on a match:
– Copy the packet to the control plane
– Don't forward the packet
– Set TOS field
– Set VLAN priority
– Adjust priority queue
• Dynamic filtering
• Layer 4-7 in new hardware: utilize network processor capabilities
Experimental Setup
[Figure: Source 1 (tcp_send()) and Source 2 (tcp_send()) each connect over 100 Mb/s to an Accelar 1100B Routing Switch, which connects over a single 100 Mb/s link to the Destination running two receivers (1. tcp_recv(), 2. tcp_recv()).]
• Rob Jaeger, Jeff Hollingsworth, Bobby Bhattacharjee - University of Maryland
Streams Programmability
[Figure: throughput in Mb/s (0-100) of the low-priority and high-priority flows over 10 seconds, with markers at "Start 2nd flow", "Change priority" and "End 2nd flow".]
Dynamic Classification
• Identify real-time flows (e.g. by packet signature or flow ID)
1. Use CarbonCopy filters to deliver multimedia control protocols (e.g. SIP, H.323, RTCP) to the control plane; determine the dynamically assigned ports from the control messages
2. Use CarbonCopy filters to sample a number of packets from the physical port and identify RTP packets by their signature
• Set a packet processing filter for the packet signature to:
– adjust the DS byte, or
– adjust the priority queue
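The JFWD 5-tuple filter list and the two-step classification procedure above, as an added Python example; this is not code from the deck or from Openet.lab. It models the filter list with the five actions the slide names and walks the loop end to end: a CarbonCopy filter delivers SIP signalling to the control plane, the media port learned from the SDP body is sampled, RTP is recognised by its fixed-header signature, and a flow-specific filter that sets the DS byte and the priority queue is installed. The class and function names, the SDP parse, the RTP signature test and the EF/queue-7 values are assumptions; every packet and the SDP body are constructed.

```python
"""Added example, not code from the deck or from Openet.lab: a control-plane
model of the JFWD 5-tuple filter list and the dynamic-classification loop
(CarbonCopy SIP to the control plane, learn the media port from SDP, sample
it, recognise RTP, install a marking filter). Names, the SDP parse, the RTP
test and the EF/queue values are assumptions; all packets are constructed."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional

COPY_TO_CONTROL, DROP, SET_TOS, SET_VLAN_PRIO, SET_QUEUE = (
    "copy_to_control_plane", "drop", "set_tos", "set_vlan_priority", "set_queue")
UDP, TCP = 17, 6
EF_DS_BYTE = 46 << 2        # DSCP EF (46) in the top six bits of the TOS byte: 0xB8
Packet = namedtuple("Packet", "src sport dst dport proto payload", defaults=[b""])


@dataclass
class Filter:
    """5-tuple match; a None field is a wildcard."""
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[int] = None
    actions: dict = field(default_factory=dict)

    def matches(self, p):
        pairs = ((self.src, p.src), (self.sport, p.sport), (self.dst, p.dst),
                 (self.dport, p.dport), (self.proto, p.proto))
        return all(want is None or want == have for want, have in pairs)


class ForwardingEngine:
    """The silicon filter list as the control plane sees it: the newest filter
    is consulted first and the first match wins. A CarbonCopy match queues the
    packet for the control plane without stopping it being forwarded."""

    def __init__(self):
        self.filters, self.control_plane = [], []

    def install(self, f):
        self.filters.insert(0, f)

    def forward(self, p):
        for f in self.filters:
            if f.matches(p):
                a = f.actions
                if a.get(COPY_TO_CONTROL):
                    self.control_plane.append(p)
                return {"forward": not a.get(DROP, False), "tos": a.get(SET_TOS, 0),
                        "vlan_prio": a.get(SET_VLAN_PRIO, 0), "queue": a.get(SET_QUEUE, 0)}
        return {"forward": True, "tos": 0, "vlan_prio": 0, "queue": 0}


def media_port_from_sdp(payload):
    """Step 1: the dynamically assigned RTP port from the SDP m=audio line."""
    m = re.search(rb"^m=audio (\d+) RTP/AVP", payload, re.M)
    return int(m.group(1)) if m else None


def looks_like_rtp(payload):
    """RTP fixed-header signature (RFC 3550): version 2 in the top two bits, at
    least 12 bytes, and a payload type outside 72-76, which mark RTCP instead."""
    if len(payload) < 12 or payload[0] >> 6 != 2:
        return False
    return not 72 <= (payload[1] & 0x7F) <= 76


def classify_and_install(engine, sampled, min_hits=3):
    """Step 2: count RTP-looking samples per 4-tuple; once a flow is seen
    min_hits times, install a filter marking it EF in queue 7. The new filter
    sits in front of the sampling filter, so sampling of that flow stops."""
    hits = {}
    for p in sampled:
        if p.proto == UDP and looks_like_rtp(p.payload):
            key = (p.src, p.sport, p.dst, p.dport)
            hits[key] = hits.get(key, 0) + 1
    installed = []
    for (src, sport, dst, dport), n in hits.items():
        if n >= min_hits:
            f = Filter(src, sport, dst, dport, UDP, {SET_TOS: EF_DS_BYTE, SET_QUEUE: 7})
            engine.install(f)
            installed.append(f)
    return installed


def demo():
    eng = ForwardingEngine()
    eng.install(Filter(dport=5060, proto=UDP, actions={COPY_TO_CONTROL: True}))
    sdp = b"v=0\r\nm=audio 49170 RTP/AVP 0\r\n"           # constructed SDP body
    eng.forward(Packet("10.0.0.5", 5060, "10.0.0.9", 5060, UDP, sdp))
    port = media_port_from_sdp(eng.control_plane[0].payload)
    eng.install(Filter(dport=port, proto=UDP, actions={COPY_TO_CONTROL: True}))
    rtp = bytes([0x80, 0x00]) + bytes(10) + bytes(160)      # V=2, PT 0 (PCMU), 160 B audio
    for _ in range(3):
        eng.forward(Packet("10.0.0.5", 4000, "10.0.0.9", port, UDP, rtp))
    installed = classify_and_install(eng, [p for p in eng.control_plane if p.dport == port])
    marked = eng.forward(Packet("10.0.0.5", 4000, "10.0.0.9", port, UDP, rtp))
    other = eng.forward(Packet("10.0.0.5", 4001, "10.0.0.9", 8080, TCP, b"GET /"))
    return port, len(installed), marked, other
```

The point the slides make is visible in `forward()`: the control-plane code never touches the data path; it only reads the packets the CarbonCopy action copied up and writes new entries into the filter list. Because the list is consulted newest-first, installing the flow-specific filter also ends sampling for that flow, so the control plane is not flooded once classification is done.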
Dynamic Classification
• Without introducing software into the data path we performed Dynamic Classification of flows in a Silicon-Based Gigabit Routing Switch
– Introduced a new service to a Gigabit Routing Switch
– Identified real-time flows
– Performed policy-based flow behavior classification
– Adjusted the DS-byte value
– Showed that flow performance can be improved
• Let open programmability and innovation build end-to-end network solutions and services
Nortel's Openet.lab
• It's an incubator for service-enabled network nodes and sample services
• It provides:
– JVM-emancipated prototypes of Nortel routers
– Java APIs to MIBs
– Java APIs to forwarding planes, packet capturing
– A runtime environment for downloaded code
• Open Source at http://www.openetlab.org
Closing remark
[Figure: Wright brothers, 1904]
Back then, thrust wasn't a problem; control was.
Likewise, network bandwidth isn't the problem, control is. It demands our collective efforts.
Multiple points of view
[Figure: an NMS with visibility to both node A and node B.]
• It is possible for node A to lose network "visibility" to node B, even though the NMS has visibility to both
• The NMS is the traditional PoV for observing the network
• Being able to move the management PoV out of the NMS and into the managed nodes would help
Mobile diagnostics
• Similar to multiple points of view
• Blocking DoS at ingress into the network is best
• Inject mobile agent into the network at the node where the DoS is first detected
• The agent moves from node to node towards the DoS traffic source
• A bit like an immune system
Active Intrusion Detection
• Intruder is identified by Intrusion Detection software
• Intruder signature is identified
• Mobile agent is dispatched in direction of intruder (based on physical port of entry)
• Mobile agent “chases” and terminates intruder (shuts down link, reboot host, notify NMS)
Diagnostic Mobile Agents
• Automatic trace-route from the edge router where the problem exists
– Each node reached generates a report to the NMS
– Trace-route code "moves" to the next node in the path
– Mobile agents identify router health
– Create logs for the NMS
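The agent behaviour described on the "Mobile diagnostics", "Active Intrusion Detection" and "Diagnostic Mobile Agents" slides, as an added Python simulation that is not code from the deck or from Openet.lab. The one detail worth making concrete is the slide's "based on physical port of entry": the agent steers by the ingress port the forwarding statistics recorded for the signature, not by the source address in the packets, because the address can be spoofed and the port cannot. The topology, the per-node ingress tables, the Node/Network representation and the signature tuple are all assumptions; the counters are constructed.

```python
"""Added example, not from the deck or Openet.lab: a mobile diagnostic agent
that chases an intruder signature hop by hop toward its ingress port, reports
each node to the NMS, and installs a drop filter where the traffic enters the
network. Topology, node API and counters are assumptions / constructed."""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    ports: dict                                      # physical port -> upstream neighbour, None at an edge
    ingress_of: dict = field(default_factory=dict)   # signature -> port it was counted on
    drop_filters: list = field(default_factory=list)

    def health(self):
        """What the agent reports to the NMS from each node it visits."""
        return {"node": self.name, "filters": len(self.drop_filters)}


def chase(nodes, start, signature, max_hops=16):
    """Move hop by hop toward the source. At every node the agent asks the
    forwarding statistics which physical ingress port carried the signature
    (the port cannot be spoofed, the source address can), then migrates to the
    neighbour behind that port. At a customer-facing port it installs a drop
    filter and stops. Returns (per-node reports, name of the blocking node or
    None if the trail went cold, looped, or exceeded max_hops)."""
    reports, visited, name = [], set(), start
    while name not in visited and len(visited) < max_hops:
        visited.add(name)
        node = nodes[name]
        port = node.ingress_of.get(signature)
        reports.append({**node.health(), "ingress_port": port})
        if port is None:                  # signature not seen here: lost the trail
            return reports, None
        upstream = node.ports[port]
        if upstream is None:              # edge port: block at ingress, as the slide recommends
            node.drop_filters.append(signature)
            return reports, name
        name = upstream
    return reports, None                  # loop or depth limit: hand back to the NMS


def demo():
    """Constructed three-tier topology; the attack enters edge1 on port 3."""
    sig = ("10.9.9.9", 80, 6)             # assumed intruder signature: (dst, dport, proto)
    nodes = {n.name: n for n in [
        Node("core1", {1: "dist1", 2: "dist2"}, {sig: 1}),
        Node("dist1", {1: "core1", 2: "edge1"}, {sig: 2}),
        Node("dist2", {1: "core1", 2: "edge2"}, {}),
        Node("edge1", {1: "dist1", 3: None}, {sig: 3}),
        Node("edge2", {1: "dist2", 3: None}, {}),
    ]}
    return nodes, chase(nodes, "core1", sig)
```

The visited set and hop limit are the caveat a practitioner wants here: an agent that moves itself from node to node must terminate on its own even when the statistics it is following are inconsistent, or it becomes a second problem for the NMS to chase.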
Apps - Routing Relationship
• Download Oplet Service to the router
• Monitor router locally
• Report "events" to the App server
• Allow Service to take action
• Download application
• Adjust parameters based on direction from the app server
[Figure: the Oplet on the router monitors with extensive access to internal resources; when a complex condition is exceeded it reports to the App Server, which downloads the appropriate application.]
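The monitor-locally, report-events, adjust-parameters loop above, together with the "Fine grain monitoring" arithmetic earlier in the deck, as an added Python example that is not code from the deck or from Openet.lab. It reads one port's forwarding counters 100 times a second on the box, evaluates a compound condition (sustained utilisation above a threshold and drops on several consecutive samples) that an external SNMP poller could not evaluate at that rate, and emits one event per episode with hysteresis instead of exporting every sample. The link speed follows the 100 Mb/s ports of the experimental setup; the thresholds, counter layout, event format and the `adjust()` call that stands in for direction from the app server are assumptions, and the counter series is constructed.

```python
"""Added example, not from the deck or Openet.lab: an oplet-style local port
monitor that samples forwarding counters at 100 Hz, evaluates a compound
condition with hysteresis, and reports one event per episode to the app
server. Thresholds, counter layout and event format are assumptions; the
counter series is constructed."""

LINK_BPS = 100_000_000            # 100 Mb/s port, as in the experimental setup
INTERVAL = 0.01                   # 100 samples per second


class PortMonitor:
    def __init__(self, link_bps=LINK_BPS, interval=INTERVAL, high=0.80, low=0.60, drop_ticks=3):
        self.cap_bytes = link_bps * interval / 8      # bytes the port can carry per tick
        self.high, self.low, self.drop_ticks = high, low, drop_ticks
        self.last_bytes = self.last_drops = 0
        self.drop_run = 0             # consecutive ticks that saw new drops
        self.active = False           # inside a congestion episode
        self.tick = -1

    def adjust(self, high=None, low=None):
        """Direction from the app server: change the thresholds in place."""
        if high is not None:
            self.high = high
        if low is not None:
            self.low = low

    def sample(self, byte_count, drop_count):
        """Feed the cumulative byte and drop counters; return an event or None."""
        self.tick += 1
        util = (byte_count - self.last_bytes) / self.cap_bytes
        self.drop_run = self.drop_run + 1 if drop_count > self.last_drops else 0
        self.last_bytes, self.last_drops = byte_count, drop_count
        # complex condition: high utilisation AND drops on drop_ticks consecutive samples
        if not self.active and util >= self.high and self.drop_run >= self.drop_ticks:
            self.active = True
            return {"event": "congestion_start", "tick": self.tick, "util": round(util, 2)}
        if self.active and util <= self.low:      # hysteresis: clear only well below 'high'
            self.active = False
            return {"event": "congestion_clear", "tick": self.tick, "util": round(util, 2)}
        return None


def run(samples, monitor=None):
    """Drive a monitor over (bytes, drops) counter readings; return the events raised."""
    mon = PortMonitor() if monitor is None else monitor
    return [e for e in (mon.sample(b, d) for b, d in samples) if e]


def constructed_counters():
    """100 ticks of cumulative counters: 30 at 50% load, 30 at 95% with tail drops, 40 at 50%."""
    cap = LINK_BPS * INTERVAL / 8
    out, b, d = [], 0, 0
    for t in range(100):
        congested = 30 <= t < 60
        b += int(cap * (0.95 if congested else 0.50))
        d += 10 if congested else 0
        out.append((b, d))
    return out
```

One hundred samples in, two events out: that ratio, multiplied across the nodes, ports and conditions of the earlier slide, is the difference between an in-box monitor and a poller that has to move every reading across the network.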
Collaboration with Applications
• New paradigm of distributed applications
• Network devices collaborating with applications
• Application-aware routing
[Figure: Oplets in the JVM on routers/switches talk to apps in the JVM on servers and to the Apps Server via RMI, XML, CORBA.]
Router Server Collaboration
• Supports distributed computing applications in which network devices participate
– router to router
– server to router
• Supports Intelligent Agents
• Supports Mobile Agents
[Figure: Java-based applications on routers and servers collaborating.]
Strong Security in the New Model
• The new concept makes it secure to add 3rd-party code to network devices:
– Digital signature
– Administrative "Certified Oplet"
– No access out of the JVM space
– No pointers that can do harm
– Access only to the published API
– Verifier: only correct code can be loaded
– Class loader access list
– JVM has run-time bounds, type and execution checking
• The signature and certification establish who published an oplet, not that it is harmless; the published API is the real trust boundary, since the filter actions it exposes (drop, copy to the control plane, re-mark) act on every packet the filter matches.