Verifiable Network Function Outsourcing

Seyed K. Fayazbakhsh Michael K. Reiter Vyas Sekar

1

Case for Network Function Outsourcing (NFO)

Internet

Cloud Provider

+ Economies of scale, pay-per use+ Simplifies configuration & deployment

2

Today:High CapEx, OpEx, Delay in innovation

Concerns with ceding control

Internet

Cloud Provider

e.g., Is this equivalent to in-house?e.g., Am I really getting cost reduction?

3

Our Vision: Verifiable NFO

4

• Our focus is meeting customer expectations

• Key correctness properties:– Behavior– Performance– Accounting

• Other issues outside our scope: isolation, privacy, bandwidth costs ..

What makes this challenging?

• Lack of visibility into the workload

• Dynamic, traffic-dependent, and potentially proprietary actions of the middleboxes

• Stochastic effects introduced by the network

5

6

Outline

• Motivation for verifiable NFO

• Formalizing properties

• A roadmap for vNFO

• Ongoing work and discussion

Formal Framework

ManagementInterface

f1 fn

….σ1

σn

BCPU, BMem, BNet

Customer

CPU,Mem

Net CPU,Mem

π1in, π2

in,… π1out, π2

out,...

State SpacePacket Space Reference implementation

7

Behavioral equivalence?

8

Are packets being modified or incorrectly processed?

Cloud IPS

Customer

Blackbox Behavioral Correctness

….σ1

σn

π1in π1

out

visible to customer

….σ’1 σ’n

π1in

Is there some viable state?

π1out

? ?

9

Snapshot Behavioral Correctness

….σ1

σn

π1in π1

out

visible to customer

….σ1

σn

π1in

Would I get the same output?

π1out?

10

Performance impact?

11

Is the cloud processing introducing delays?

11

Cloud IPS

t1t2t3

Customer

Performance Correctness

….σ1

σn

π1in, π2

in,… π1out, π2

out,...

….σ1

σn

π1in, π2

in,…

π1out, π2

out,...

Would it reallytake this long?

t1out, t2

out,...

t’1out, t’2

out,...

observed provider performance ≈ reference performance12

Accounting correctness?

Is the provider overcharging me?

Cloud IPS

Customer

13

“Did-It” Accounting Correctness

….σ1

σn

π1in, π2

in,… π1out, π2

out,...

Did It actuallyconsume?

Charged value of resource r ≈ Consumption of resource r by provider

14

“Should-It” Accounting Correctness

….σ1

σn

π1in, π2

in,… π1out, π2

out,...

Should It reallycost this much?

15

Consumption of resource r by provider ≈ Consumption of resource r by reference implementation

16

Summarizing Correctness Properties

• Behavioral correctness– Blackbox: Function states are not visible to customer.– Snapshot: Function states are visible to customer

• Performance correctness– Is performance metric within Δ (SLA) of reference?

• Accounting correctness– Did-It: Were resources actually consumed?– Should-It: Was the consumption necessary?

17

Outline

• Motivation for NFO + vNFO

• Formalizing vNFO properties

• A roadmap for vNFO

• Ongoing work and discussion

Verifiable NFO (vNFO) OverviewManagement

Interface BCPU, BMem, BNet

Customer

CPU,Mem

Net CPU,Mem

π1in, π2

in,… π1out, π2

out,...Cloud OS

Trusted Shim

Cloud Platform

VM1

Cloud OS

Trusted Shim

Cloud Platform

VMn….

Each function is implemented as a virtual appliance.NFO provider deploys a trusted shim for logging.

18

Idealized viewManagement

Interface BCPU, BMem, BNet

Customer

CPU,Mem

Net CPU,Mem

π1in, π2

in,… π1out, π2

out,...Cloud OS

Trusted Shim

Cloud Platform

VM1

Cloud OS

Trusted Shim

Cloud Platform

VMn….

Shim logs every packet, instantaneous VM state, and resource usage, timestamps per packet

19

Challenges with Idealized viewManagement

Interface BCPU, BMem, BNet

Customer

CPU,Mem

Net CPU,Mem

π1in, π2

in,… π1out, π2

out,...Cloud OS

Trusted Shim

Cloud Platform

VM1

Cloud OS

Trusted Shim

Cloud Platform

VMn….

1. Middlebox actions make it difficult to correlate logs2. Scalability and performance impact due to logging

20

21

Potential solutions to challenges

1. Lack of visibility into middlebox actions:– Packets may be modified by middleboxes.

2. Scalability– Infeasible to log all packets and processing stats.

FlowTags

Trajectory Sampling

22

Ongoing work

• Leveraging nested virtualization– NFO provider does not need any platform change

• Adding hooks to KVM– Trustworthy accounting (CPU, memory)– Trajectory sampling + FlowTags– Instantaneous snapshotting

• Benchmark memory/time overheads associate with:– Packet sampling– Resource consumption calculations– Snapshotting

Discussion

• Does the customer trust the NFO provider?

• Is the NFO provider willing to deploy the shim layer?– Market forces: Premium service, competitive edge, etc.

• What are the market factors for customers?– Can customer easily switch to a different NFO provider?

• What is the role of SLA?– Can the billed amount always be formulated in terms of

resource consumption?

• …23