Optimizing the ‘One Big Switch’ Abstraction in Software Defined Networks

Optimizing the ‘One Big Switch’

Abstraction in Software Defined Networks

Nanxi KangPrinceton University

in collaboration with Zhenming Liu, Jennifer Rexford, David Walker

Software Defined Network• Decouple data and control plane

• A logically centralized control plane (controller)

• Standard protocol• e.g., OpenFlow

2

Switch

Controllerprogram

Network policies

Switch rules

...

...

Existing control platform• Decouple data and control plane

• A logically centralized control plane (controller)

• Standard protocol• e.g., OpenFlow

3

Flexible policies✔✖Easy management

‘One Big Switch’ Abstraction

4

H1 H2

H3

H1 H2

H1H3

From H1, dstIP = 0* => go to H2

From H1, dstIP = 1* => go to H3

Endpoint policy Ee.g., ACL, Load Balancer

Routing policy Re.g., Shortest path routing

H1 H2H3

Automatic Rule Placement

Challenges of Rule Placement

5

H1 H2

H1H3

H1 H2H3

...

...

...

...

...

#rules >10k

TCAM size =1k ~ 2k

Automatic Rule Placement

Endpoint policy E Routing policy R

Past work

6

• Nicira• Install endpoint policies on ingress

switches• Encapsulate packets to the destination• Only apply when ingress are software

switches

• DIFANE• Palette

Contributions• Design a new rule placement algorithm

• Realize high-level network policies• Stay within rule capacity of switches

• Handle policy update incrementally

• Evaluation on real and synthetic policies

7

Contribution• Design a new rule placement algorithm

• Realize high-level network policies• Stay within rule capacity of switches

• Handle policy update incrementally

• Evaluation on real and synthetic policies

7

Problem Statement

8

...

...

...

...

...

Automatic Rule Placement

Endpoint policy E Routing policy RTopology

1. Stay within capacity2. Minimize total

1k 1k0.5k

0.5k

Algorithm Flow

Place rules over paths

Divide rule space across paths

Decompose the network into paths

9

1.

2.

3.

Algorithm Flow

Place rules over paths

Divide rule space across paths

Decompose the network into paths

9

1.

2.

3.

Single Path

• Routing policy is trivial

10

C1 C2 C3

Endpoint policy

11

R1: (srcIP = 0*, dstIP = 00), permitR2: (srcIP = 01, dstIP = 1* ), permitR3: (srcIP = **, dstIP = 11), denyR4: (srcIP = 11, dstIP = ** ), permitR5: (srcIP = 10, dstIP = 0* ), permitR6: (srcIP = **, dstIP = ** ), deny

Map rule to rectangle

00

01

10

110

0011011

srcIP

dstIP

12

R1: (0*, 00),PR2: (01, 1*),PR3: (**, 11),DR4: (11, **),PR5: (10, 0*),PR6: (**, **),D

00

01

10

110

0011011

R1

srcIP

dstIP

Map rule to rectangle

00

01

10

110

0011011

srcIP

dstIP

13

R1: (0*, 00),PR2: (01, 1*),PR3: (**, 11),DR4: (11, **),PR5: (10, 0*),PR6: (**, **),D

00

01

10

110

0011011

R1

R4R3

R2R5

srcIP

dstIP

C1 = 4

Pick rectangle for every switch

14

R1

R4R3

R2R5

Select a rectangle

• Overlapped rules:R2, R3, R4, R6

• Internal rules:R2, R3

#Overlapped rules ≤ C1

00 01 10 1100011011

R1

R4R3

R2R5

15C1 = 4

q

Install rules in first switch00

01

10

110

0011011 R’4

R3R2

16

00 01 10 1100011011

R1

R4R3

R2R5

C1 = 4

q

Rewrite policy00

01

10

110

0011011

R1

R4R5 q

Fwd everything in qSkip the original policy

17

00 01 10 1100011011

R1

R4R3

R2R5

q

Overhead of rules

18

• #Installed rules ≥ |Endpoint policy|

• Non-internal rules won’t be deleted

• Objective in picking rectangles• Max（#internal rules) /

(#overlap rules)

Algorithm Flow

Place rules over paths

Divide rule space across paths

Decompose the network into paths

19

1.

2.

3.

• Routing policy• Implement: install forwarding rules on

switches• Gives {Paths}

Topology = {Paths}

H1 H2

H3

H1 H2

H1H3

H1 H2

H1H3

20

• Enforce endpoint policy• Project endpoint policy to paths

• Only handle packets using the path• Solve paths independently

Project endpoint policy to paths

21

H1 H2

H3

H1 H2

H1H3

H1 H2

H1H3

Endpoint Policy E

E1

E2

E3

E4

What is next step ?

H1H2

H3

Decomposition to paths

✔

？ Divide rule space across paths• Estimate the rules needed by each

path• Partition rule space by Linear

ProgrammingSolve rule placement over paths✔ 22

Algorithm Flow

Place rules over paths

Divide rule space across paths

Decompose the network into paths

Success

Fail

23

1.

2.

3.

Roadmap• Design a new rule placement algorithm

• Stay within rule capacity of switches• Minimize the total number of installed

rules

• Handle policy update incrementally• Fast in making changes, • Compute new placement in

background• Evaluation on real and synthetic

policies24

Insert a rule to a path• Path

25

Limited impact• Path

• Update a subset of switches

26

R R R

Limited impact• Path

• Update a subset of switches• Respect original rectangle

selection

27

R’ R

Roadmap• Design a new rule placement algorithm

• Stay within rule capacity of switches• Minimize the total number of installed

rules

• Handle policy update incrementally

• Evaluation on real and synthetic policies• ACLs(campus network), ClassBench• Shortest-path routing on GT-ITM

topology

28

Path• Assume switches have the same

capacity• Find the minimum #rules/switch that

gives a feasible rule placement

• Overhead =

29

|E| #switch #rules / switch

#total rules #extra rules Overhead

13985 4 3646 14584

#rule/switch x #switches

Path• Assume switches have the same

capacity• Find the minimum #rules/switch that

gives a feasible rule placement

• Overhead =

30

|E| #switches #rules / switch

#total rules #extra rules Overhead

13985 4 3646 14584 599

#rule/switch x #switches - |E|

Path• Assume switches have the same

capacity• Find the minimum #rules/switch that

gives a feasible rule placement

• Overhead =

31

|E| #switch #rules / switch

#total rules #extra rules Overhead

13985 4 3646 14584 599 4.3%

#rule/switch x #switches - |E| |E|

#Extra installed rules vs. length

32

1 2 3 4 5 6 7 8 90

0.02

0.04

0.06

0.08

0.1

Path Length

Norm

alize

d #e

xtra

ru

les

|E| #switches #rules / switch

#total rules Overhead

13985 4 3646 14584 4.3%

#Extra installed rules vs. length

33

1 2 3 4 5 6 7 8 90

0.02

0.04

0.06

0.08

0.1

Path Length

Norm

alize

d #e

xtra

ru

les

|E| #switches #rules / switch

#total rules Overhead

13985 4 3646 14584 4.3%13985 8 1895 15160 8.4%

Data set matters

1 2 3 4 5 6 7 80

0.05

0.1

0.15

0.2

0.25

0.3

0.35

Path Length

Norm

alize

d #e

xtra

ru

les

• Real ACL policies 34

Many rule overlaps

Few rule overlaps

Place rules on a graph• #Installed rules

• Use rules on switches efficiently

• Unwanted traffic• Drop unwanted traffic early

• Computation time• Compute rule placement quickly

35

Place rules on a graph• #Installed rules

• Use rules on switches efficiently

• Unwanted traffic• Drop unwanted traffic early

• Computation time• Compute rule placement quickly

36

Carry extra traffic along the path• Install rules along the path

• Not all packets are handled by the first hop

• Unwanted packets travel further

• Quantify effect of carrying unwanted traffic

• Assume uniform distribution of traffic with drop action

37

When unwanted traffic is dropped• An example single path

• Fraction of path travelled

38

#hops Fraction of path travelled

Unwanted traffic dropped at this

switch

Unwanted traffic dropped until this

switch

1 25%2 50%3 75%4 100%

When unwanted traffic is dropped• An example single path

• Fraction of path travelled • Unwanted traffic dropped until the

switch

39

#hops Fraction of path travelled

Unwanted traffic dropped at this

switch

Unwanted traffic dropped until this

switch

1 25% 30% 30%2 50% 10% 40%3 75% 5% 45%4 100% 5% 50%

Aggregating all paths

40

Fraction of path travelled Unwanted traffic dropped

20% 64%75% 70%

100% 100%

• Min #rules/switch for a feasible rule placement

Give a bit more rule space

41

Fraction of path travelled

Min #rules/switch 10% more #rules/switch

20% 64% 84%75% 70% 90%

100% 100% 100%

• Put more rules at the first several switches along the path

Take-aways

42

• Path: low overhead in installing rules.

• Rule capacity is efficiently shared by paths.

• Most unwanted traffic is dropped at the edge.

• Fast algorithm, easily parallelized• < 8 seconds to compute the all

paths

Summary• Contribution

• An efficient rule placement algorithm• Support for incremental update• Evaluation on real and synthetic data

• Future work• Integrate with SDN controllers, e.g.,

Pyretic• Combine rule placement with rule

caching43

THANKS!