SLIDE 1
FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN - - PowerPoint PPT Presentation
FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN - - PowerPoint PPT Presentation
FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN Updates Stefano Vissicchio (UCLouvain) stefano.vissicchio@uclouvain.be INFOCOM 13th April 2016 Joint work with Luca Cittadini (Roma Tre University) SDN controller Operators
SLIDE 2
SLIDE 3
Operatorsβ requirements are an input for SDN controllers
requirements packet delivery firewall traversal
SLIDE 4
To satisfy input requirements, the controller programs rules on the switches
match flow F requirements packet delivery firewall traversal apply action
F: F: F: F:
v
- ut
z u in
SLIDE 5
By applying such rules, switches can process incoming packets
requirements packet delivery firewall traversal
v
- ut
z
flow F
F:
u
F: F: F:
applied rule
in
SLIDE 6
requirements packet delivery firewall traversal
F: F: F: F:
Switch rules have to be (frequently) updated e.g., for traffic surges, maintenance, new policies
v
- ut
z u in
SLIDE 7
How to update rules on switches safely, robustly and efficiently?
SLIDE 8
requirements are not violated during the update
How to update rules on switches safely, robustly and efficiently?
SLIDE 9
independently of uncontrollable factors (messages lost, switch installation time, etc.)
How to update rules on switches safely, robustly and efficiently?
SLIDE 10
quickly and with low resource utilization
How to update rules on switches safely, robustly and efficiently?
SLIDE 11
Limitations of prior works Additional degrees of freedom
FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN Updates
Our approach
SLIDE 12
Limitations of prior works
FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN Updates
Additional degrees of freedom Our approach
SLIDE 13
Previous techniques cannot do it!
How to update rules on switches safely, robustly and efficiently?
SLIDE 14
Previous techniques belong to two main families
add final rules to initial ones apply rules consistently, with packet tags replace initial with final rules in a carefully-computed order
- rdered rule replacements [McClurg15]
two-phase commit [Reitblatt12,Jin14]
SLIDE 15
Previous techniques belong to two main families
add final rules to initial ones apply rules consistently, with packet tags replace initial with final rules in a carefully-computed order
- rdered rule replacements [McClurg15]
two-phase commit [Reitblatt12,Jin14]
not always applicable
SLIDE 16
requirements packet delivery firewall traversal flow F
Ordering rule replacements is not possible in our example
initial final
v
- ut
z u in
SLIDE 17
requirements packet delivery firewall traversal
F: F: F:
Final rules cannot be installed
- n any switch among u, v and z
flow F
v
- ut
z u in
SLIDE 18
v
v
F:
flow F
F:
packet delivery requirements firewall traversal
Case 1) Installing final rule at u would violate our security policy
install final rule
- ut
z u in
SLIDE 19
z
z
F: F: F:
flow F
Case 2) Installing final rule at v would violate our security policy
install final rule packet delivery requirements firewall traversal
v
- ut
u in
SLIDE 20
- ut
firewall traversal flow F
Case 3) Installing final rule at z would prevent packet delivery
install final rule
F: F: F:
requirements packet delivery
v z u in
SLIDE 21
Simultaneous rule replacements are not robust e.g., like in time-based approaches [Mizrahi16]
SLIDE 22
- ut
in
F:
requirements packet delivery firewall traversal
F: F:
flow F install final rules at t
v z u
In our example, we could instruct u, v and z to replace their rules at the same time t
SLIDE 23
However, this can lead to transient problems at t e.g., because of per-switch installation time
packet delivery requirements firewall traversal flow F
v
- ut
z u in
up to several seconds [Jin14]
SLIDE 24
w firewall traversal
Also, we can trigger permanent problems at t e.g., if a switch does not apply a command
requirements packet delivery
v z u in
flow F
SLIDE 25
Previous techniques belong to two main families
add final rules to initial ones apply rules consistently, with packet tags replace initial with final rules in a carefully-computed order
- rdered rule replacements [McClurg15]
two-phase commit [Reitblatt12,Jin14]
inefficient
SLIDE 26
requirements packet delivery firewall traversal flow F
Two-phase commit techniques are not efficient in our example
F: F: F: F:
v
- ut
z u in
SLIDE 27
- ut
in
requirements packet delivery firewall traversal flow F
Indeed, they are based on maintaining both initial and final rules on internal switches
F: F,π: F: F,π: F,π: F: F:
if tag π, use final rule
v z u
SLIDE 28
requirements packet delivery firewall traversal flow F
So that switches keep applying initial rulesβ¦
F: F: F: F: F,π: F,π:
v
- ut
z u in
F,π:
SLIDE 29
v
- ut
z u
F: F: F,π: F: F,π: F,π:
requirements packet delivery firewall traversal flow F
β¦ as long as packets are not tagged at the ingress
F:
use final rule and add tag π
π
in
SLIDE 30
requirements packet delivery firewall traversal flow F
When packets are tagged at the ingress, all switches consistently use the final rules
F: F: F,π: F: F,π: F,π: F: π
π π π π
v
- ut
z u in
SLIDE 31
π π
- ut
in
π
F: π
requirements packet delivery firewall traversal flow F
However, these techniques consumes precious and expensive memory (TCAM) entries
F,π: F: F,π: F: F,π: F:
v z u
SLIDE 32
Limitations of prior works Additional degrees of freedom
FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN Updates
Our approach
SLIDE 33
How to update rules on switches safely, robustly and efficiently?
We can do it!
SLIDE 34
The key intuition is to combine rule replacement and additions
SLIDE 35
requirements packet delivery firewall traversal flow F
Letβs take back our example and start from the initial state
F: F: F: F:
v
- ut
z u in
SLIDE 36
- ut
z u in
requirements packet delivery firewall traversal flow F
We can start tagging packets at v, at the very beginning of the update
F: F:
add tag π
F: π
v
SLIDE 37
requirements packet delivery firewall traversal flow F
This does not change the applied rules (since no switch matches the tag yet)
F: F: F: π
π π
v
- ut
z u in
SLIDE 38
requirements packet delivery firewall traversal flow F
We can then match the tag at z, still without changing the forwarding
F: F: π
π π
F: F,π:
use initial rule, if and only if tag π
v
- ut
z u in
SLIDE 39
v
- ut
z in
π
F: π
π
F: F,π:
requirements packet delivery firewall traversal flow F
Tagging at v and matching at z unlock rule replacement at u
F:
install final rule
u
SLIDE 40
F: π
π
F: F,π:
requirements packet delivery firewall traversal flow F
Indeed, the resulting forwarding loop is traversed only once by packets
F:
π used for packets from v used for packets from u
v
- ut
z u in
SLIDE 41
F: F: F,π:
requirements packet delivery firewall traversal flow F
We can then instruct v to apply its final rule (even in parallel with u)
F:
use final rule
v
- ut
z u in
SLIDE 42
F: F:
requirements packet delivery firewall traversal flow F
and complete the update by cleaning zβs configuration
F:
use final rule
v
- ut
z u in
SLIDE 43
contrary to ordered rule replacement solves our update problem rollbacking before affecting safety ensures robustness
Using both rule replacements and additions is more powerful than restricting to any of them
33% with respect to two-phase commit uses additional rules only on z
SLIDE 44
Using both rule replacements and additions makes the update problem more challenging
e.g., we must distinguish loops that prevent packet delivery from the good ones we must consider combinations of rule replacements and additions larger search space tricky interactions in intermediate states
SLIDE 45
Limitations of prior works Additional degrees of freedom
FLIP the (Flow) Table: Fast LIghtweight Policy-preserving SDN Updates
Our approach
SLIDE 46
We propose a framework to systematically combine rule replacements and additions
to compute safe operational sequences including a comparison with the state of the art FLIP algorithm
- f problem, search space, and solutions
formalization & modeling evaluation
SLIDE 47
safe update problem
- perational
sequence divide compute sequence for flow 1 compute sequence for flow N
β¦
merge (input) (output) FLIP
We released a prototype implementation of our approach
code available at http://inl.info.ucl.ac.be/softwares/flip
SLIDE 48
safe update problem
- perational
sequence divide compute sequence for flow 1 compute sequence for flow N
β¦
merge (input) (output)
initial and final rules forwarding correctness policies: a flow must traverse path P1 or path P2 or β¦ Pn
In our formalization, we allow complex policiesβ¦
SLIDE 49
β¦ and combinations of rule replacements and additions
- perational
sequence (output)
Each step includes replacements and additions safe to apply in any relative order before the next step
safe update problem divide compute sequence for flow 1 compute sequence for flow N
β¦
merge (input)
SLIDE 50
FLIP is based on a divide-and-conquer approach
safe update problem
- perational
sequence divide compute sequence for flow 1 compute sequence for flow N
β¦
merge (input) (output)
SLIDE 51
safe update problem
- perational
sequence compute sequence for flow 1 compute sequence for flow N
β¦
merge (input) (output) divide
each time, consider rules for a single flow
Breaking down the input problem is easy
SLIDE 52
divide safe update problem
- perational
sequence compute sequence for flow 1 compute sequence for flow N
β¦
(input) (output)
merge corresponding steps of per-flow sequences
merge
Merging per-flow operational sequences is also easy
SLIDE 53
merge divide safe update problem
- perational
sequence compute sequence for flow 1
β¦
(input) (output) compute sequence for flow N
The heart of FLIP is computing per-flow sequences
maps violations to constraints swaps alternative constraints always finds a satisfiable set of constraints
SLIDE 54
As an example, we now apply FLIP to our update problem scenario
extract constraints linear program solve per-flow update constraint relations swap constraints
initial final requirements packet delivery firewall traversal
per-flow problem v
- ut
z u
SLIDE 55
u per-flow problem linear program solve per-flow update constraint relations swap constraints
w
extract constraints
requirements
For every possible requirement violation, FLIP extracts operation constraints
replace(v) < replace(z) OR tag(v) & match(z) OR tag(z) & match(v) packet delivery firewall traversal
v z
SLIDE 56
linear program extract constraints
The extracted constraints and their relations are stored in a table
per-flow problem solve per-flow update swap constraints cause loop v-z active constraints replace(v) < replace(z) alternatives match(z) match(v) constraint relations
SLIDE 57
linear program extract constraints per-flow problem solve per-flow update swap constraints cause loop v-z firewall active constraints replace(v) < replace(z) alternatives match(z) match(v) match(z) match(v) constraint relations replace(u) < replace(v) replace(z) < replace(u) firewall
The extracted constraints and their relations are stored in a table
SLIDE 58
firewall constraint relations extract constraints
The active constraints for rule replacements are translated into a linear program
per-flow problem solve per-flow update swap constraints cause loop v-z firewall alternatives match(z) match(v) match(z) match(v) linear program active constraints replace(v) < replace(z) min u+v+z v<z u<v z<u u,v,z integer replace(u) < replace(v) replace(z) < replace(u)
SLIDE 59
firewall replace(u) < replace(v) replace(z) < replace(u) active constraints replace(v) < replace(z) linear program constraint relations extract constraints
Then, FLIP tries to solve the generated linear program
per-flow problem per-flow update swap constraints cause loop v-z firewall alternatives match(z) match(v) match(z) match(v) min u+v+z v<z u<v z<u u,v,z integer solve
unsolvable!
SLIDE 60
solve linear program constraint relations extract constraints
If the linear program is unsolvable, FLIP selects
- ne constraints in a set of unsatisfiable active ones
per-flow problem per-flow update cause loop v-z firewall alternatives match(z) match(v) match(z) match(v) swap constraints firewall active constraints replace(v) < replace(z) replace(u) < replace(v) replace(z) < replace(u)
SLIDE 61
solve active constraints replace(v) < replace(z) linear program constraint relations extract constraints
The selected constraint is swapped with one of its alternatives
per-flow problem per-flow update cause loop v-z firewall alternatives match(z) match(v) match(z) match(v) swap constraints replace(u) < replace(v) replace(z) < replace(u) firewall
SLIDE 62
solve active constraints replace(u) < replace(v) replace(z) < replace(u) linear program constraint relations extract constraints
The effects of the swap are also propagated to other active constraints
per-flow problem per-flow update cause loop v-z firewall alternatives match(z) match(v) match(z) match(v) swap constraints firewall replace(v) < replace(z)
SLIDE 63
swap constraints solve match(z) linear program extract constraints
This phase leads to a new set of active constraints
per-flow problem per-flow update cause loop v-z firewall alternatives match(z) match(v) active constraints replace(u) < replace(v) firewall constraint relations
SLIDE 64
solve swap constraints constraint relations extract constraints
In turn, the new set of active constraints is translated into a new linear program
per-flow problem per-flow update linear program match(z) cause loop v-z firewall alternatives match(z) match(v) firewall active constraints replace(u) < replace(v) min u+v u<v u,v integer
SLIDE 65
linear program swap constraints constraint relations extract constraints
When the set of active constraints is satisfiable, a consistent sequence is generated
per-flow problem per-flow update solve cause loop v-z firewall alternatives match(v) replace(u) < replace(v) firewall u=1 v=2 match(z) match(z) active constraints
SLIDE 66
solve linear program swap constraints constraint relations extract constraints
If the active constraints are satisfiable, a consistent sequence is generated
per-flow problem per-flow update cause loop v-z firewall alternatives match(v) replace(u) < replace(v) firewall u=1 v=2 match(z) match(z) active constraints [tag(v), match(z), replace(u), replace(v), replace(z)]
SLIDE 67
FLIP also manages many algorithmic details and complications
with propagation of constraint-swap effects with a heuristic approach dependency between constraints for middleboxing, NFV and performance support for complex policies assemble operations in one update step
SLIDE 68
We thoroughly evaluate FLIP with 50,000 simulations on Rocketfuel topologies
with sub-paths longer than 2 consider complex policies sources are 10% of the nodes select one destination and several sources In each simulation, we randomly significantly modify paths changing the weights of 80% of the links
SLIDE 69
FLIP overcomes limitations of state-of-the-art techniques
90% less than two-phase commit techniques 4-8 update steps computed in sub-second (95th perc.) needs a few additional rules 75% more than ordered-replacement techniques solves all update scenarios quickly produces fast updates
SLIDE 70