Embed Size (px)
Citation preview
THEHEBREWUNIVERSITYOFJERUSALEM
OpenBox:A Software-Defined Framework for Developing, Deploying, and Managing Network Functions
Yotam HarcholThe Hebrew University of Jerusalem
Joint work with Anat Bremler-Barr and David Hay
ThisresearchwassupportedbytheEuropeanResearchCouncilERCGrantagreementno259085,theIsraeliCentersofResearchExcellence(I-CORE)program(CenterNo.4/11),andtheNeptuneConsortium.
Network Functions (Middleboxes)
2
Firewall
LoadBalancer
IntrusionPreventionSystem
• Monolithicclosed black-boxes✘ Highcost✘ Limitedprovisioning andscalability
NetworkFunctionVirtualization(NFV):✔ Reducecost (bymovingtosoftware)✔ Improveprovisioning andscalability
(byvirtualizingsoftwareNFs)
Network Functions (Middleboxes)
✘Highcost✘ Limitedprovisioningandscalability✘ Limitedandseparatemanagement
• Differentvendors• Nostandards• Separatecontrolplane
3
Network Functions (Middleboxes)
• Actually,manyoftheseblack-boxesareverymodular
4
NetworkFunction
✘ Highcost✘ Limitedprovisioningandscalability✘ Limitedandseparatemanagement
✘ Limitedfunctionality andlimitedinnovation(Highentrybarriers)
✘ Similarcomplexprocessingsteps,nore-use
OpenBoxController
OBI
OBI
OBI
OpenBox
• OpenBox:Anewsoftware-definedframeworkfornetworkfunctions• Decouplesnetworkfunctioncontrolfromtheirdataplane• Unifiesdataplaneofmultiplenetworkfunctions
Benefits:• Easier,unifiedcontrol• Betterperformance• Scalability• Flexibledeployment• Inter-tenantisolation• Innovation
github.com/OpenBoxProject
www.openboxproject.org
• Highcostofmiddleboxes• Limitedprovisioning andscalability ofmiddleboxes• Limitedmanagement ofmiddleboxes• Limitedfunctionalityandlimitedinnovation
• Complexprocessingsteps
Software Defined Networking
6
OpenFlowController
OpenBoxController
OBI
OBI
OBI
switchesswitches
switches
distributedalgorithms
40%-60%oftheappliancesinlarge-scalenetworksaremiddleboxes![Sherry&Ratnasamy,‘12]
The OpenBox Framework
7
Logically-Centralized OpenBox Controller
Network Functions:OpenBox Applications
ControlPlane
DataPlane
OpenBox ServiceInstances
OpenBoxProtocol
NorthboundAPI
Additionally:• IsolationbetweenNFs/multipletenants• Supportforhardwareaccelerators• Dynamicallyextendtheprotocol
Most network functions do very similar processing steps
Observation:
8
But there is no re-use…
The design the OpenBox framework is based on this observation
Network Function Decomposition
9
Firewall:
ReadPackets
HeaderClassifier
Drop
Alert
Output
LoadBalancer:
ReadPackets
HeaderClassifier
RewriteHeader
Output
IntrusionPreventionSystem:
ReadPackets
HeaderClassifier
Drop
Alert
DPI
DPI
DPI Output
Northbound API
10
OpenBoxProtocol
OpenBoxServiceInstances
OpenBoxController
OpenBoxApplications
ControlPlane
DataPlane
NBAPI
ReadPackets
HeaderClassifier
Drop
Alert
OutputRead
PacketsHeaderClassifier
RewriteHeader
OutputRead
PacketsHeaderClassifier
Drop
Alert
DPI
DPI
DPI Output
Specifyprocessinggraphandblockconfiguration
Events,Loadinformation
IntrusionPreventionSystemLoadBalancerFirewall
Logically-Centralized Controller
11
OpenBoxProtocol
OpenBoxServiceInstances
OpenBoxController
OpenBoxApplications
ControlPlane
DataPlane
NBAPI
Multipletenantsrunmultipleapplicationsformultiplepoliciesinthesamenetwork
Isolationbetweenapplicationsand tenantsenforcedbyNBAPI
SDNProtocol
SDNSwitches
SDNControllerNetwork-wideview
Automaticscaling,provisioning,placement,and steering
Naïve Graph Merge
12
Firewall:
ReadPackets
HeaderClassifier
Drop
Alert
Output
IntrusionPreventionSystem:
ReadPackets
HeaderClassifier
Drop
Alert
DPI
DPI
DPI Output
HeaderClassifier
Drop
Alert(IPS)
DPI
DPI
DPI OutputReadPackets
HeaderClassifier
Drop
Alert(Firewall)
ConcatenatedProcessingGraph:
Performance≈DiameterofGraph(#ofclassifiers)Total:134μs
30μs
10μs
50μs 10μs2μs 2μs30μs
Graph Merge Algorithm
13
MergedProcessingGraph:
ReadPackets
HeaderClassifier
Drop
Alert(IPS)
DPI
DPI
DPI Output
Alert(Firewall)
Alert(Firewall)
Alert(Firewall)
Alert(Firewall)
ShorterDiameter(lessclassifiers)
Algorithmanddetailsareinthepaper
30μs
10μs
50μs 10μs
Total:104μs(22%improvement)
2μs 2μs
OpenBox Data Plane Processing
14
ReadPackets
HeaderClassifier
DPI
Classification
VLANPop
VLANPushRewriteHeader
HeaderModification
BeginTransaction
RollbackTransaction
CommitTransaction
Transactions
GzipDecompress
GzipCompress
De/compression
HTMLNormalizer
JavaScriptNormalizer
XMLNormalizer
Normalization
StorePacket
RestorePacket
Caching
Alert
Log
Reporting
Output
Drop
Terminals
FIFOQueue FrontDropQueue
REDQueueLeakyBucket
QueueManagement
OpenBox Data Plane Processing
15
ReadPackets
HeaderClassifier
DPI
Classification
VLANPop
VLANPushRewriteHeader
HeaderModification
BeginTransaction
RollbackTransaction
CommitTransaction
Transactions
GzipDecompress
GzipCompress
De/compression
HTMLNormalizer
JavaScriptNormalizer
XMLNormalizer
Normalization
StorePacket
RestorePacket
Caching
Alert
Log
Reporting
Output
Drop
Terminals
FIFOQueue FrontDropQueue
REDQueueLeakyBucket
QueueManagement
OpenBoxServiceInstance
VirtualorPhysical
• Providesdataplaneservicestorealizethelogicofnetworkfunctions
• Controlledbythelogically-centralizedOpenBox controller
Distributed Data Plane
OpenBoxServiceInstance
Software
OpenBoxServiceInstance
Hardware(TCAM)
E.g.,anOpenFlow switchwithencapsulationfeatures(e.g.,NSH,Geneve,FlowTags)
HeaderClassifier
Alert
DPI
RewriteHeader
Metadata
Split Processing Graph
17
ReadPackets
HeaderClassifier
Drop
OutputWriteMetadata
EncapsulateMetadata
ReadPackets
Drop
Alert
DPI
DPI
DPI OutputDecapsulateMetadata
ReadMetadata
HWInstance:
SWInstance:
Extensible Data Plane
18
OpenBoxProtocol
OpenBoxServiceInstances
OpenBoxController
ControlPlane
DataPlane
NBAPI
MediaEncoder
Option1:NewhardwareimplementationSupportsencapsulation
Option2:Softwaremoduleinjection
NEWAPP
Customsoftwaremodule(signed)
OntheflyNoneedtorecompileNoneedtoredeploy
Scalable & Reliable Data Plane
19
OBI OBI
OBI
OBI OBI
Scalability Provisioning Reliability
OBI OBIOBI OBIOBI OBIOBI OBIOBI OBIOBI OBIOBI OBI
OpenBoxController
OBI
Hypervisor
Hypervisor
Implementation
20
Java-basedOpenBox Controller
SoftwareOpenBoxServiceInstance
Genericwrapperforexecutionengines(Python)
FW
NorthboundAPIREST
client/serverGraph
AggregatorManagement
APINetworkManager
TranslationEngine
github.com/OpenBoxProject
REST
IPS LoadBalancer ...
Click-basedexecution engine(C++)
ControlPlane
DataPlaneRESTAPI
(Plughereotherexecutionengines.E.g.,ClickNP)
Performance Improvement
21
VM1Firewall
VM2IPS
WithoutOpenBoxVM1
OBI1:FW+IPS
VM2OBI2:FW+IPS
WithOpenBox
01020304050607080
0100200300400500600700800900
Firewall IPS
Latency[µs]
Throughp
ut[M
bps]
StandaloneVM
0
20
40
60
80
100
120
140
0100200300400500600700800900
1 2
Latency[µs]
Throughp
ut[M
bps]
NFPipeline
WithoutOpenBox
WithOpenBox
Related Work
• OrthogonaltoOpenBox:– NFtrafficsteering(e.g.,SIMPLE[SIGCOMM’14])– NForchestration(e.g.,Stratos,OpenMano,OpenStack)– Runtimeplatforms(e.g.,xOMB [ANCS‘12],ClickNP [SIGCOMM‘16])
• SimilarMotivation:– CoMb [NSDI‘12]– focusesonresourcesharingandplacement– E2[SOSP‘15]– compositionframeworkforvirtualNFs– Slick[SOSR’15]– focusesontheplacementofdataplaneunits
• OnlyOpenBox provides:– Coreprocessingdecompositionandreuse– StandardizationandfulldecouplingofNFcontrolanddataplanes
22
Conclusions
• Networkfunctionsarecurrentlyarealchallengeinlargescalenetworks
• OpenBoxdecouplesthedataplaneprocessingfromnetworkfunctioncontrollogicand:– Reducescosts– Enhancesperformance– Improvesscalability– Increasesreliability– Providesinter-tenantisolation– Allowseasierinnovation
23
OpenBoxProtocol
OpenBoxServiceInstances
OpenBoxController
OpenBoxApplications
ControlPlane
DataPlane
NBAPI
THANK YOU!Questions?
24
