Stateful Abstractions for Network Functions
Aditya Akella
UW-Madison
Routers and switches do simple packet forwarding.
Network functions (NFs): devices that introduce custom packet processing into the network.
Examples: firewall, proxy, intrusion prevention, load balancer, SSL gateway, WAN optimizer, traffic scrubber, …
NFV: dynamically allocate (s/w) NF instances.
SDN: dynamically reroute flows.
Together these enable two scenarios, each complicated by an NF attribute:
– Dynamic reallocation in distributed processing, complicated by statefulness
– Service chaining, complicated by mangling
• What are these scenarios?
• How do NFs’ attributes impede them?
• Abstractions to overcome
• Some open questions
Dynamic reallocation in distributed processing covers: load balancing, elastic scaling, high availability, network migration, remote invocation, always updated NFs.
Stateful operation (Bro IDS as the example):
– Per-flow state: a Connection object with its TcpAnalyzer and HttpAnalyzer, one set per flow
– Multi-flow state: ConnCount, shared across a group of connections
– All-flows state: Statistics
State is dynamically updated per packet, and the NF's action for a packet depends on state.
Output equivalence: multiple instances of an NF should collectively produce the same output as a single instance (in the diagram, the red packets R1, R2 and blue packets B1, B2 are split across two instances).
Difficult to achieve:
– Output depends on state
– Desire for ↑ performance and ↓ resource usage
Existing options to redistribute flows, compared on performance, resource usage and output equivalence (packet loss targets: SLA: 1%, SLO: <<1%):
– Reroute new flows
– Reroute existing flows
– Wait for flows to die
Goal: quickly move or copy NF state alongside updates to network forwarding state, with safety guarantees on updates (none lost; no reordering), so that performance, resource use and output consistency are achieved together.
OpenNF (Gember-Jacobson et al., SIGCOMM'14)
A control application issues move(http, NF1, NF2). The OpenNF controller consists of an NF State Manager and a Flow Manager:
– NF State Manager: get(http) on NF1 returns the state; put(state) installs it on NF2
– Flow Manager: forward(http, NF2) issues the packet route update
Lost updates during move, e.g. move(red, Bro1, Bro2):
– Missing updates: packets R1, R2 (and B1) are still processed at Bro1 while the state is in transit
– Missing state: packets R2, R3 reach Bro2 (detectMHR in the diagram) before the state does
Loss-free: all state updates should be reflected in the transferred state, and all packets should be processed.
Loss-free move, using events:
1. enableEvents(red) on Bro1
2. get/delete on Bro1
3. Buffer events at controller
4. put on Bro2
5. Flush packets in events to Bro2
6. Update forwarding
Also: order-preserving move; strict, strong and eventual consistency for state sharing.
Open questions: automatically determine the guarantees needed? Directly guarantee output equivalence?
Initial work: static NF code analysis (Khalid et al.)
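The six-step loss-free move above, as an added simulation that is not OpenNF's code: a toy NF keeps a per-flow packet counter (standing in for Bro's per-connection state), and the same constructed packet trace is driven through a naive copy-then-reroute move and through the event-based move, showing which one stays output-equivalent to a single instance. Names (NF, Controller, naive_move, lossfree_move, run) and the trace sizes are assumptions of this example.

```python
from collections import defaultdict

class NF:  # toy stateful NF: per-flow packet counter, updated on every packet
    def __init__(self, name):
        self.name, self.state, self.events_for = name, defaultdict(int), set()

    def process(self, flow, ctrl):
        if flow in self.events_for:          # after enableEvents(flow): raise an event, do not process
            ctrl.buffered.append(flow)       # step 3: controller buffers the event (with its packet)
            return
        self.state[flow] += 1
        ctrl.output.append((self.name, flow, self.state[flow]))   # output depends on state

    def get(self, flow): return self.state[flow]
    def delete(self, flow): self.state.pop(flow, None)
    def put(self, flow, value): self.state[flow] = value

class Controller:  # forwarding rules plus an OpenNF-style state manager; packets enter via inject()
    def __init__(self, *nfs):
        self.nfs = {nf.name: nf for nf in nfs}
        self.forwarding, self.buffered, self.output = {}, [], []
    def forward(self, flow, nf): self.forwarding[flow] = nf
    def inject(self, flow): self.nfs[self.forwarding[flow]].process(flow, self)

def naive_move(ctrl, flow, src, dst, in_flight):
    """Snapshot-style move: copy state, then reroute. In-flight packets update only src."""
    state = ctrl.nfs[src].get(flow)
    for _ in range(in_flight): ctrl.inject(flow)   # simulated arrivals during the move: still hit src
    ctrl.nfs[dst].put(flow, state)                 # stale snapshot installed on dst
    ctrl.forward(flow, dst)

def lossfree_move(ctrl, flow, src, dst, in_flight):
    """OpenNF loss-free move, steps 1-6 of the slide."""
    ctrl.nfs[src].events_for.add(flow)             # 1. enableEvents(flow) on src
    state = ctrl.nfs[src].get(flow); ctrl.nfs[src].delete(flow)   # 2. get/delete on src
    for _ in range(in_flight): ctrl.inject(flow)   # 3. arrivals during the move become buffered events
    ctrl.nfs[dst].put(flow, state)                 # 4. put on dst
    for f in ctrl.buffered: ctrl.nfs[dst].process(f, ctrl)   # 5. flush buffered packets to dst, in order
    ctrl.buffered.clear()
    ctrl.forward(flow, dst)                        # 6. update forwarding

def run(move, before=2, in_flight=2, after=1):
    """Constructed trace for flow 'red' (packets before, during, after the move); returns logged counts."""
    ctrl = Controller(NF("Bro1"), NF("Bro2"))
    ctrl.forward("red", "Bro1")
    for _ in range(before): ctrl.inject("red")
    move(ctrl, "red", "Bro1", "Bro2", in_flight)
    for _ in range(after): ctrl.inject("red")
    return [count for _, _, count in ctrl.output]

def output_equivalent(counts):
    """A single instance would log 1..n for n packets; the moved pair must log the same sequence."""
    return counts == list(range(1, len(counts) + 1))
```

With the default trace the naive move logs [1, 2, 3, 4, 3] (two updates lost at Bro1, a duplicated count at Bro2), while the loss-free move logs [1, 2, 3, 4, 5], matching a single instance.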
Elastic scaling evaluation: Bro IDS @ 10K pkts/sec
– At 180 sec: move HTTP flows to new IDS
– At 360 sec: move back to old IDS
260ms for a loss-free move.
Output consistency: same log entries as using one IDS
– VM replication: incorrect log entries
Resource efficiency: 260ms to move state back; scale down soon after
– Wait for flows to die → delayed 25+ minutes
Service chaining (e.g. firewall → scrubber → NAT) is used in ISPs, cellular networks, enterprise networks, and virtual networking in the cloud.
Mangling, e.g. a NAT rewriting a packet from Src = 12.0.0.3 : 5342, Dst = 128.0.0.5 : 80 to Src = 156.0.0.9 : 1025, Dst = 128.0.0.5 : 80.
Forwarding ambiguity: forwarding depends on packet headers, which may be changed by mangling NFs. In the diagram, home users and office users both reach the web server through the NAT, so downstream the srcIP = NAT and the two groups can no longer be distinguished.
– SIMPLE: heuristics → inaccurate
– FlowTags: powerful, but custom NF modifications
Stratos: leverage compute for correctness-preserving logical chain transformations.
Identify mangling NFs; when downstream forwarding is ambiguous: clone and don't share across chains.
Composition ambiguity: the mangling nature of NFs makes composition of independently specified chains difficult.
Example (home users → web server):
– Firewall: drop all traffic with certain signatures
– VPN Gateway: encrypt traffic on the wide-area
– Profiler: identify attributes of clients
Intents: "Every packet that hits web server must be profiled"; "All incoming packets must be profiled".
Profiler and firewall need decrypted traffic.
Needed: an NF transformation model + clear expression of intent. Open problem!
Initial work: PGM (Prakash et al.)
NFs in SDN: a rich space
NFs are complex – makes life interesting
Early days, no clear consensus – opportunity to
shape practice