HUAWEI TECHNOLOGIES CO., LTD.
Fast Configuration Change Impact Analysis for Network Overlay DCNs
Lizhao You, Hao Tang, Jiahua Zhang, Xiao Li
Huawei Technologies
APNET’20, August 3-4, 2020
Network Overlay DCNs
Page 2
[Figure: DCN fabric of ToR leafs, border leaf & spine and a PE router; servers A, B, C, D and service appliances (FW, LB, …) attach to the ToR leafs; delta configurations are pushed into the fabric]
• ToR switches: VxLAN tunnel endpoints and distributed gateways
  • Layer 2: bridge-domain interface (BDIF)
  • Layer 3: virtual BDIF (VBDIF)
• Distributed protocol: BGP EVPN
• Policies: ACLs, micro-segmentation (MCS)
• To deploy/update services, users design the VPC network and specify policies through the controller
• Delta configurations are generated and pushed to the fabric
Problem: All-Pair Reachability Changes
Page 3
[Figure: delta configurations applied to the DCN fabric (ToR leaf, border leaf & spine, PE router, servers A, B, C, D, FW/LB) turn the old all-pair reachability matrix over A, B, C into a new one; the delta changes are checked before deployment and classified as expected or unexpected]
• Re-computing the full matrix is not scalable
• Incremental: find possibly changed pairs, and re-compute their reachability only
• Existing incremental approaches do not address the new challenges introduced by network overlay DCNs
Challenges #1: Model Expressiveness
Page 4
Existing BDD-based EC approaches (APV [ICNP'13], APKeep [NSDI'20]) and TBV-based EC approaches (VeriFlow [NSDI'13], DeltaNet [NSDI'17]):
• Current EC computation does not support tunneling
• Extensive packet rewrites → performance degradation
• The TBV model relies on IP rules instead of Group ID rules
  • Conversion → excessive IP rules
  • Invalid: some SRCs may not reach DSTs
Features of network overlay DCNs:
• Feature 1: tunneling with overlay/underlay traffic
• Feature 2: packet rewrites for multiple tunnels
• Feature 3: MCS, group definitions are distributed
[Figure: endpoints A, B, C, D in VPC1/VRF1 and VPC2/VRF2; a cross-VRF static route traverses two tunnels (ToR leaf → border leaf → ToR leaf), each adding a tunnel header and a packet rewrite]
Example of distributed group definitions and a policy on groups:
  A: 1.1.1.0/24, 1.1.2.0/24  Group ID: 10
  B: 1.1.3.0/24              Group ID: 10
  C: 1.1.4.0/24              Group ID: 20
  Policy on groups: SRC ID 10, DST ID 20, SRC PORT 80, DENY
Challenges #2: Completeness of Indexing Methods
Page 5
[Figure: endpoints A, B, C, D attached to leafs L1, L2, L3, L4 through devices B1, B2 and E; the change under study adds a static route]
Indexing method (e.g., TenantGuard [NDSS'17]):
• Compute a reachable path
• Associate the visited device with the reachable pair, e.g. B1 → {(A,B), (A,C)}
• Any change on device B1 → re-compute (A,B) and (A,C)
Device-level association is coarse-grained and inefficient
• E.g., E only changes (A,C); there is no need to re-compute (A,B)
• Interface-level association may be preferable
Cannot find new reachable pairs
• E.g., B2 adds a static route for A → D, and B2 has no association with (A,D) initially
Our Solutions
Page 6
We follow the control-plane verification approach: protocol simulation → reachability analysis
• 1: BDD predicate model
• 2: Fine-grained indexing table
• 3: Waypoint to find relevant (new) reachable pairs
Port-Predicate Model
Page 7
Symbolic packet & Boolean formula (predicate) for the forwarding ports of devices
• Symbolic packet $x = (x_1, \dots, x_{168})$: outer IP headers (64 bits), VxLAN header with GroupID (16 bits) and VNI (24 bits), inner IP headers (64 bits)
• A predicate is a Boolean formula over the packet bits: $f(x) = f(x_1, \dots, x_{168})$
  • i-th bit is 1: literal $x_i$
  • i-th bit is 0: literal $\neg x_i$
  • i-th bit is 0 or 1: $x_i \cup \neg x_i = \mathit{true}$
• Underlay or overlay packet, in general: if $\forall x,\ x_{vni} == \mathit{false}$ (universal quantifier) then underlay packet, else overlay packet
• Rewrite (erase-and-set): $\exists x,\ x_{vni} \cap x_{vni}^{new}$; the existential quantifier erases the old VNI bits, the intersection sets the new ones
• Header space of a forwarding port: $g(x) = g(f_1(x), \dots, f_k(x))$, e.g. $g_{ACL,BDIF1}(x) \cap g_{FIB}(x) \cap g_{ACL,NVE}(x)$: the aggregation of the allowed space of the ACLs and the FIB, computed for each IP/prefix
• All Boolean formulas are represented by BDDs (union, intersection, difference)
• Predicate quantifiers improve our model expressiveness
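An added illustration, not code from the paper or from the authors' verifier: the predicate operations of this slide (bit literals, the ∃ and ∀ quantifiers, the erase-and-set rewrite and the per-port header space aggregation) on a constructed 6-bit symbolic packet. Predicates are stored as explicit sets of satisfying assignments in place of BDDs, so the semantics match while nothing about BDD scaling is shown; reading the underlay test as "VNI bits are all false", the field layout, and the group/VNI/prefix values are assumptions.

```python
from itertools import product
# Constructed toy symbolic packet (not the paper's 168-bit layout): field -> (low bit, high bit).
FIELDS = {"gid": (0, 1), "vni": (2, 3), "ip": (4, 5)}
ALL = frozenset(product((0, 1), repeat=6))  # every assignment x = (x1..x6); a predicate is a subset of ALL

def pred(fn):
    """Predicate f(x) as the set of assignments where fn(x) holds (an explicit stand-in for a BDD)."""
    return frozenset(x for x in ALL if fn(x))

def field_eq(name, val):
    """f(x) = 'the bits of name encode val': bit i contributes the literal x_i or its negation."""
    lo, hi = FIELDS[name]
    return pred(lambda x: all(x[i] == (val >> (i - lo)) & 1 for i in range(lo, hi + 1)))

def _erase(x, name):
    lo, hi = FIELDS[name]
    return tuple(b for i, b in enumerate(x) if not lo <= i <= hi)

def exists(f, name):
    """Existential quantifier over a field: drop its constraint (the 'erase' half of erase-and-set)."""
    kept = {_erase(x, name) for x in f}
    return pred(lambda x: _erase(x, name) in kept)

def forall(f, name):
    """Universal quantifier: forall x_name f = not exists x_name (not f)."""
    return ALL - exists(ALL - f, name)

def rewrite_vni(f, new_vni):
    """Tunnel rewrite, erase-and-set: exists x_vni f, intersected with (x_vni == new_vni)."""
    return exists(f, "vni") & field_eq("vni", new_vni)

def is_underlay(f):
    """Underlay test (our reading of the slide): the VNI bits are false for every packet in f."""
    return f <= field_eq("vni", 0)

def port_space(acl_in, fib, acl_out):
    """Header space of a forwarding port: g(x) = g_ACL_in(x) & g_FIB(x) & g_ACL_out(x)."""
    return acl_in & fib & acl_out

def demo():
    """Overlay packets of group 2 for prefix ip=3 arrive on VNI 1 and are re-tunnelled on VNI 2 (constructed case)."""
    overlay = field_eq("gid", 2) & field_eq("ip", 3) & field_eq("vni", 1)
    mcs_deny = field_eq("gid", 2)                 # MCS policy on groups: deny group 2 at this port
    allowed = port_space(ALL - mcs_deny, field_eq("ip", 3), ALL)
    moved = rewrite_vni(overlay, 2)
    return {"underlay": is_underlay(field_eq("vni", 0) & field_eq("ip", 3)), "overlay_is_underlay": is_underlay(overlay),
            "vni_after": sorted({x[2] + 2 * x[3] for x in moved}),
            "other_fields_kept": moved == field_eq("gid", 2) & field_eq("ip", 3) & field_eq("vni", 2),
            "denied_count": len(allowed & overlay)}
```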
All-Pair Reachability Matrix
Page 8
[Figure: forwarding graph with endpoints A (start) and B (end) and the interfaces If1 = (L1, NVE), If2 = (L2, NVE) on the path between them; the resulting all-pair reachability matrix over A, B, C; the indexing table associating If1 and If2 with endpoints A and B]
• Forwarding graph: nodes are the forwarding ports (interfaces) of the devices, e.g. If1 = (L1, NVE), If2 = (L2, NVE)
• DFS for each starting endpoint over the forwarding graph fills in the all-pair reachability matrix
• Indexing table: each interface visited by a DFS is associated with the endpoints whose reachable paths traverse it
Change-Impact Analysis
Page 9
[Figure: the old forwarding graph and the new forwarding graph feed Step 1; the changed interfaces (DEL / MOD / ADD) feed Step 2, which runs forward and backward from them and consults the indexing table; Step 3 compares the old and new reachable pairs]
• Step 1: Changed interface detection: compare the old forwarding graph with the new forwarding graph and classify the changed interfaces as DEL / MOD / ADD
• Step 2: Waypoint computation: from each changed interface, compute the reachable pairs forward and backward on the new forwarding graph, and take the pairs associated with the DEL / MOD / ADD interfaces from the indexing table
• Step 3: Comparison: compare the old and new reachable pairs to obtain the DEL / MOD / ADD reachable pairs
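The three steps of this slide, together with the interface-level indexing table of the two preceding slides, as an added Python illustration that is not the authors' code: a constructed four-leaf fabric whose FIB maps destination endpoints to next hops, a DFS that builds the all-pair matrix and the indexing table, then changed-interface detection, waypoint computation and comparison after a delta that modifies one interface. The device names, FIB entries and the delta are assumptions, and endpoint names stand in for IP prefixes.

```python
# Constructed toy fabric (not the paper's dataset): endpoint -> ToR leaf, device -> {iface: (next hop, endpoints it forwards to)}
ATTACH = {"A": "L1", "B": "L2", "C": "L3", "D": "L4"}
OLD = {"L1": {"e1": ("S", {"B", "C"})}, "L2": {"e2": ("S", {"A"})}, "L3": {"e3": ("S", {"A"})},
       "S": {"sA": ("L1", {"A"}), "sB": ("L2", {"B"}), "sC": ("L3", {"C"}), "sD": ("L4", {"D"})}}
# Delta configuration: L1 withdraws its route to C and adds a static route to D (MOD of interface e1).
NEW = {**OLD, "L1": {"e1": ("S", {"B", "D"})}}

def dfs(fib, src_dev, dst_dev, t):
    """Follow FIB entries for endpoint t from src_dev; return the interfaces visited, or None if dst_dev is not reached."""
    stack, seen, visited = [src_dev], set(), []
    while stack:
        dev = stack.pop()
        if dev == dst_dev:
            return visited
        if dev in seen:
            continue
        seen.add(dev)
        for name, (nh, dsts) in fib.get(dev, {}).items():
            if t in dsts:
                visited.append((dev, name))
                stack.append(nh)
    return None

def all_pairs(fib):
    """Full reachability matrix plus the interface-level indexing table: interface -> pairs whose path visited it."""
    matrix, index = {}, {}
    for s, t in ((s, t) for s in ATTACH for t in ATTACH if s != t):
        path = dfs(fib, ATTACH[s], ATTACH[t], t)
        matrix[(s, t)] = path is not None
        for iface in path or []:
            index.setdefault(iface, set()).add((s, t))
    return matrix, index
def changed_interfaces(old, new):
    """Step 1: interfaces deleted, modified or added between the old and the new forwarding graph."""
    o = {(d, i): v for d, ifs in old.items() for i, v in ifs.items()}
    n = {(d, i): v for d, ifs in new.items() for i, v in ifs.items()}
    return o.keys() - n.keys(), {k for k in o.keys() & n.keys() if o[k] != n[k]}, n.keys() - o.keys()
def waypoint_pairs(fib, iface):
    """Step 2: pairs that may traverse iface = (sources reaching it, backward) x (endpoints it forwards to, forward)."""
    nh, dsts = fib[iface[0]][iface[1]]
    return {(s, t) for t in dsts if t in ATTACH for s in ATTACH if s != t
            and dfs(fib, ATTACH[s], iface[0], t) is not None and dfs(fib, nh, ATTACH[t], t) is not None}
def impact(old, new):
    """Step 3: recompute only the candidate pairs; return (deleted pairs, added pairs, candidates)."""
    old_matrix, index = all_pairs(old)
    dele, mod, add = changed_interfaces(old, new)
    cand = set().union(*(index.get(i, set()) for i in dele | mod), *(waypoint_pairs(new, i) for i in mod | add))
    fresh = {p: dfs(new, ATTACH[p[0]], ATTACH[p[1]], p[1]) is not None for p in cand}
    return {p for p in cand if old_matrix[p] and not fresh[p]}, {p for p in cand if fresh[p] and not old_matrix[p]}, cand
```

On this fabric only 3 of the 12 pairs are recomputed, and the interface-level index keeps (A,C) tied to the spine port towards L3 alone, which is the granularity argued for on the indexing slide.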
Preliminary Evaluation
Page 10
Implementation
• Based on Batfish*
• Support for Huawei CLI/YANG
• BGP EVPN protocol
• JavaBDD
Synthesized datasets (similar to real networks)
• Base dataset (20 leafs ~ 100 leafs)
• Inter-VPC traffic
• Intra-VPC (inter-subnet) traffic
• 1 leaf has 20 endpoints (subnets)
Metric: new graph modeling, detection, waypoint computation and comparison time
Different service update cases
• Case A/B: ADD SUBNET / ADD VPC
• Case C: ADD cross-VRF static routes
• Case D: MOD MCS
[Plot: verification time per case versus number of leafs; annotations "Case C", "6X" and "2X"]
• Cases A-C: the increase is due to modeling, detection and comparison
• Case D: the increase is mostly due to waypoint computation. To be optimized.
• Less than 25s for 2k EPs (4 million pairs)
* https://github.com/batfish/batfish
Conclusion
Page 11
We are the first to design and demonstrate an incremental configuration verifier
for network overlay DCNs.
We design a fast incremental verification algorithm that leverages fine-grained
indexing and waypoint computation methods to find all-pair reachability changes.
In the future, we will further explore new forwarding features: policy-based
routing, firewall zone policies, NAT policies, etc.
Thank you
www.huawei.com