OpenBox: A Software-Defined
Framework for Developing, Deploying,
and Managing Network Functions
Yotam Harchol
The Hebrew University of Jerusalem
Joint work with Anat Bremler-Barr (IDC) and David Hay (HUJI)
To appear in ACM SIGCOMM 2016
A preliminary version of this work was published in ACM SIGCOMM HotMiddleboxes 2015
Software-Defined Networking
40%-60% of the appliances are not switches / routers!
[Sherry & Ratnasamy, ‘12]
Logically-centralized control:
Smart, slow
SDN
Controller
API to data plane
(e.g., OpenFlow)
Control Plane:
Distributed algorithms
Data Plane:
Packet streaming
Data Plane:
Packet streaming and processing
Management Plane:
Human time scale
Firewalls
Intrusion detection
Network anti-virus
Leakage prevention
Caching
Load balancing
Billing
NAT
Encoders
Gateways
Switches: SSL termination
Dumb, fast TCP optimization
2
…
Network Functions
• Expensive to own and to operate
• Hard to manage – separate vendors
• No elastic scaling
• Complex - dominate overall network performance
3
Software-Defined Solutions
Forwarding plane (switches, routers):
- High cost
- Limited management
- No multi-tenancy
- Limited functionality and limited innovation
- Complex distributed algorithms
Solution: SDN / OpenFlow
Network Functions (Middleboxes):
- Higher cost
- Limited and separate management
- Limited provisioning and scalability
- No multi-tenancy
- Limited functionality and limited innovation
- Similar processing steps, no re-use
Our solution:
OpenBox
OpenBox
Controller
SDN
Controller
OBI
OBI
OBI
4
Challenges
• Northbound API / language for specifying NF logic
• Logically-centralized controller
that unifies logic of multiple
network functions from
multiple tenants
• Communication protocol between
controller and data plane
Network
Functions
Northbound
API
• Specification of data plane
instances
• Support for hardware
accelerators
Logically-Centralized
Controller
Control Plane
Data Plane
Southbound
Protocol
• Dynamically extend the protocol
Data Plane Instances
5
OpenBox
• OpenBox: A new protocol
• Decouples network function control from their data plane
• Unifies data plane of multiple network functions
Benefits:
• Easier, unified control
• Better performance
• Scalability
• Flexible deployment
• Multi-tenancy
• Innovation
OpenBox
Applications
Northbound
API
OpenBox
Controller
Control Plane
Data Plane
www.openboxproject.org
github.com/OpenBoxProject
OpenBox
Protocol
OpenBox Service Instances
6
A Different View of Network Functions
• Previous works: Network Function = monolithic closed unit
– Traffic Steering (e.g., SIMPLE [Sigcomm ‘13])
– Placement and Virtualization (e.g., CoMb [NSDI ’12])
– NFV orchestration (e.g., OpenStack, OpenMano, Statos,
E2 [SOSP ‘15])
– State Management (e.g., OpenNF [Sigcomm ‘14])
– Runtime Platform (e.g., xOMB [ANCS ‘12], SDM [INFOCOM ‘14])
• OpenBox: Network Function = logical application
– Most processing steps are shared among many types of network functions
– Some steps can be done once for multiple applications
OpenBox
Applications
OpenBox
Controller
7
What Network Functions Do?
Firewall:
Drop
Read
Packets
Header
Classifier
Output
Alert
Load Balancer:
Read
Packets
Header
Classifier
Output
Rewrite
Header
Intrusion Prevention System:
DPI
Read
Packets
Header
Classifier
DPI
Drop
DPI
Alert
Output
8
Observation:
Most network functions do
very similar processing
But there is no re-use…
steps
9
What Network Functions Do?
Read
Packets
Store
Packet
Output
Restore
Packet
Drop
Terminals
Header
Classifier
HTML
Normalizer
Alert
JavaScript
Normalizer
Log
Caching
XML
Normalizer
Reporting
DPI
Normalization
Classification
Gzip
Decompress
FIFO Queue
Front Drop
Queue
Leaky
Bucket
RED Queue
Queue Management
Gzip
Compress
De/compression
Begin
Transaction
VLAN Push
Rewrite
Header
VLAN Pop
Commit
Transaction
Rollback
Transaction
Transactions
Header Modification
10
Northbound API
DPI
Drop
Read
Packets
Header
Classifier
DPI
Drop
DPI
Alert
Output
Read
Packets
Alert
Read
Packets
Header
Classifier
Header
Classifier
Output
Output
Rewrite
Header
OpenBox
Applications
Specify processing graph
and block configuration
Control Plane
Data Plane
NB API
OpenBox
Controller
Events,
Load information
OpenBox
Protocol
OpenBox Service Instances
11
Logically-Centralized Controller
Multiple tenants
run multiple applications
for multiple policies
in the same network
OpenBox
Applications
No data sharing
between applications
NB API
Network-wide view
Automatic scaling, provisioning,
placement, and steering
Control Plane
Data Plane
SDN
Controller
OpenBox
Controller
OpenBox
Protocol
OpenBox Service Instances
SDN
Protocol
SDN Switches
12
OpenBox Data Plane
Read
Packets
Store
Packet
Output
Restore
Packet
Drop
Terminals
Header
Classifier
Alert
JavaScript
Normalizer
Log
Caching
XML
Normalizer
Reporting
DPI
Normalization
Classification
Gzip
Decompress
HTML
Normalizer
FIFO Queue
OpenBox Service Instance
Leaky
Bucket
Front Drop
Queue
RED Queue
Virtual or Physical
Queue Management
Gzip
Compress
Begin
Transaction
VLAN Push
•
Provides
data
plane
services to realize the logic of network functions
De/compression
Rewrite
Header
• Controlled by the
logically-centralized OpenBox controller
VLAN Pop
Commit
Transaction
Rollback
Transaction
Transactions
Header Modification
13
Distributed Data Plane
Alert
DPI
Header
Classifier
OpenBox Service Instance
Hardware
(TCAM)
E.g., an OpenFlow switch
with encapsulation features
Metadata
Rewrite
Header
OpenBox Service Instance
Software
Split Processing Graph
HW Instance:
Read
Packets
Header
Classifier
Write
Metadata
Encapsulate
Metadata
Output
Drop
SW Instance:
DPI
Read
Packets
Decapsulate
Metadata
Read
Metadata
DPI
Drop
DPI
Alert
Output
15
Extensible Data Plane
Media
Encoder
OpenBox
Controller
OpenBox Service Instance
Hardware
Implementation
Supports encapsulation
OpenBox Service Instance
Software
A new software module
can be injected from
control plane without
modifying or re-deploying
software in data plane
Scalable & Reliable Data Plane
Scalability
Provisioning
Reliability
OpenBox
Controller
OBI
OBI
OBI
OBI
OBI
OBI
OBI
OBI
OBI
OBI
OBI
OBI
OBI
OBI
OBI
OBI
OBI
OBI
OBI
OBI
17
Naïve Graph Merge
Firewall:
Drop
Read
Packets
Header
Classifier
Output
Alert
Concatenated Processing Graph:
Read
Packets
Drop
DPI
Alert
(Firewall)
DPI
Drop
DPI
Alert
(IPS)
Header
Classifier
Intrusion Prevention System:
Header
Classifier
Output
DPI
Performance ≈ Diameter of Graph (# of classifiers)
Read
Packets
Header
Classifier
DPI
Drop
DPI
Alert
Output
18
Graph Merge Algorithm
Merged Processing Graph:
Read
Packets
Header
Classifier
Alert
(Firewall)
DPI
Alert
(Firewall)
DPI
Alert
(Firewall)
DPI
Alert
(IPS)
Output
Alert
(Firewall)
Drop
Shorter Diameter (less classifiers)
19
Implementation
github.com/OpenBoxProject
Java-based Controller
REST
client/server
App
App
Northbound API
Network
Graph
Manager
Aggregator
App
App
Management
API
REST
REST API
Generic wrapper for execution engines (Python)
Click-based execution engine (C++)
Translation
Engine
TCP
Software OpenBox Service Instance
20
Performance Improvement
Without OpenBox
VM1
Firewall
With OpenBox
VM1
OBI1: FW+IPS
VM2
IPS
VM2
OBI2: FW+IPS
80
60
50
40
30
20
10
0
Firewall
IPS
Throughput [Mbps]
70
900
800
700
600
500
400
300
200
100
0
140
120
100
80
60
40
Latency [µs]
900
800
700
600
500
400
300
200
100
0
NF Pipeline
Latency [µs]
Throughput [Mbps]
Standalone VM
20
0
VM Chain
OpenBox
21
Conclusions
• Network functions are currently a real challenge in large scale
networks
• OpenBox decouples the data plane processing from network
function control logic and:
– Reduces costs
– Enhances performance
– Improves scalability
– Increases reliability
– Provides multi-tenancy
– Allows easier innovation
OpenBox
Applications
NB API
OpenBox
Controller
Control Plane
Data Plane
OpenBox
Protocol
22
OpenBox Service Instances
Questions?
THANK YOU!
23