Upload
others
View
14
Download
0
Embed Size (px)
Citation preview
OpenBox – Enabling Innova2on in Middlebox Applica2ons
Yotam Harchol Hebrew University of Jerusalem, Israel Joint work with: Anat Bremler-‐Barr (Interdisciplinary Center Herzliya, Israel) David Hay (Hebrew University of Jerusalem, Israel)
This research was supported by the European Research Council under the European Union’s Seventh Framework Programme (FP7/2007-‐2013)/ERC Grant agreement no 259085.
ACM SIGCOMM HotMiddleboxes 2015
So^ware-‐Defined Solu2ons
2
SDN Controller
OpenBox Controller
OBI
OBI
OBI
Forwarding plane (switches, routers): -‐ High cost -‐ Limited management -‐ No mul--‐tenancy -‐ Limited func-onality and limited innova-on -‐ Complex distributed algorithms
Forwarding plane (switches, routers): -‐ High cost -‐ Limited management -‐ No mul--‐tenancy -‐ Limited func-onality and limited innova-on -‐ Complex distributed algorithms
Solu&on: SDN / OpenFlow
Middleboxes: -‐ Higher cost -‐ Limited and separate management -‐ Limited provisioning and scalability -‐ No mul--‐tenancy -‐ Limited func-onality and limited innova-on -‐ Similar processing steps, no re-‐use
Middleboxes: -‐ Higher cost -‐ Limited and separate management -‐ Limited provisioning and scalability -‐ No mul--‐tenancy -‐ Limited func-onality and limited innova-on -‐ Similar processing steps, no re-‐use
Our solu&on: OpenBox
OpenBox
• OpenBox: A new protocol • Decouples middleboxes control from their data plane • Unifies data plane of mul2ple middleboxes
Benefits: • Easier, unified control • Beber performance • Scalable • Flexible • Mul2-‐tenancy • Innova2on
3
OpenBox Protocol
OpenBox Service Instances
OpenBox Controller
OpenBox Applica2ons
Control Plane
Data Plane
A Different View of Middleboxes
• Previous works: Middlebox = monolithic closed unit – Middlebox Traffic Steering (e.g., SIMPLE [Sigcomm ‘13], Stratos) – Middlebox Virtualiza2on (e.g., ComB [NSDI ’12]) – Middlebox State Management (e.g., OpenNF [Sigcomm ‘14]) – Middlebox Run2me Plakorm (e.g., xOMB [ANCS ‘12], SDM [INFOCOM ‘14])
• OpenBox: Middlebox = logical applica2on – Most processing steps are shared among many types of middlebox
applica2ons – Some steps can be done once for mul2ple applica2ons
4
OpenBox Controller
OpenBox Applica2ons
Typical Middlebox Processing
5
Header Lookup
Modify Header Output
Header Lookup
Session Analysis
Protocol Analysis
Decomp-‐ression
Payload Lookup
Alert / Log
Output/Drop
Header Lookup
Payload Lookup
Alert / Log
Output/Drop
Header Lookup
Session Analysis
Payload Lookup
Modify Header Output
Header Lookup
Session Analysis
Protocol Analysis
Decomp-‐ression
Payload Lookup
Alert / Log
Output/Drop
Session Analysis
Header Lookup
Modify Header Output
L7 Load Balancer
Intrusion Preven2on
Web App. Firewall
NAT
IPv6 Translator
Leakage Preven2on
WAN Op2mizer
Header Lookup
Session Analysis
Protocol Analysis
Payload Lookup
Output/Drop
Specialized Payload Rewrite
Unified Processing in Data Plane
6
Header Lookup
Session Analysis
Protocol Analysis
Decomp-‐ression
Payload Lookup
Alert / Log
Output/Drop
Header Lookup
Session Analysis
Payload Lookup
Modify Header Output L7 Load
Balancer
Intrusion Preven2on
Header Lookup
Alert / Log
Output/Drop Firewall
Header Lookup
Session Analysis
Protocol Analysis
Decomp-‐ression
Payload Lookup
Alert / Log
Output/Drop
Modify Header
OpenBox Service Instance
Virtual or Physical
MiddleBox è OpenBox Applica2on
• Each applica2on defines: – Processing path (of processing stages) – Rules:
<priority, header match, metadata match, payload match, ac2ons>
• Northbound API basic building blocks: – Specify processing path and rules – Customize specific processing stages – Metadata: informa2on passing
between processing stages – Session based storage
• E.g., gzip window for decompression
– Content storage • E.g., for caching and quaran2ne
7
OpenBox Protocol
OpenBox Service Instances
OpenBox Controller
OpenBox Applica2ons
Control Plane
Data Plane
NB API
(Logically-‐)Centralized Control • Aggregates mul2ple OpenBox applica2ons
– Creates a Processing Graph that aggregates mul2ple processing paths
– Aggregates rules based on priority and network loca2on
• Provides a central management
– Mul&ple tenants run mul&ple applica&ons for mul&ple policies in the same network
8
OpenBox Protocol
OpenBox Service Instances
OpenBox Controller
OpenBox Applica2ons
Control Plane
Data Plane
Header Lookup
Session Analysis
Protocol Analysis Deep
Packet Inspec2on
Modify Header
Alert / Log
Output / Drop
Deep Packet
Inspec2on IP Dst =
10.0.0.10
TCP Dst = 80
Decomp-‐ression
OpenBox Service Instance (OBI)
• Receives processing graph and rules from controller – executes them on data path
• Hardware or so^ware based – Room for innova2on – Proac2ve rule spawning
• Centralized or
• Distributed – E.g., performs all or just part
of the processing stages – Results of each stage are
passed as metadata for next stages • Use NSH / Geneve /
VXLAN-‐GPE (IETF dra^s) with jumbo frames for metadata passing
9
Session / Protocol Analyzer OBI
Payload Handler
OBI
Decision Maker OBI
Header lookup (on SDN switch)
Via OpenFlow
controller
OpenBox Controller
Packet
Metadata
Packet
Metadata
Packet
Packet
Can re-‐use: • SDN switches for header lookup • Programmable packet processors (P4) • Click / DPDK plakorms
OpenBox Protocol
OpenBox Service Instances
OpenBox Controller
OpenBox Applica2ons
Control Plane
Data Plane
Performance Gain
10
1000 Rules log(1000) latency
1000 Rules log(1000) latency
Time for most processing stages is sublinear with # of rules (or even constant)
2000 Rules log(2000) latency
OpenBox Service Instance
< 2 × log(1000) Was shown for DPI in [Bremler-‐Barr et al., CoNEXT ‘14]
Also improves throughput when re-‐using resources
Innova2on in Data Plane
• OpenBox provides a set of required processing steps • Vendors can provide enhanced OBIs along with their OpenBox
applica2ons: – Can place these enhanced processors
only where needed – No need the whole network to comply
with a specific vendor – Vendors may cooperate
11
WAN Opt.
OBI
OBI
OBI
Scalable & Reliable Data Plane
• Easy provisioning of new OBIs by simply running more VMs (VNFs) – Even for hardware-‐assisted tasks, can use so^ware VMs as a backup for
peak 2mes
• OBIs can report load informa2on to controller, to allow centralized control over provisioning
• Increases reliability – quickly respond to crashes
12
OBI OBI
OBI
OBI OBI
Conclusions
• Middleboxes are currently a real challenge in datacenter, operator, and enterprise networks
• OpenBox decouples the data plane processing from middlebox applica2ons logic and: – Reduces costs of management – Enhances performance – Improves scalability – Increases reliability – Provides mul2-‐tenancy – Allows easier innova2on and
lets new players into the game
13
OpenBox Protocol
OpenBox Service Instances
OpenBox Controller
OpenBox Applica2ons
Control Plane
Data Plane
Status & Future Work
Current Status: • Ongoing development of control plane and data plane
– Along with some sample applica2ons such as NIPS, Load Balancer, NAT – Looking at Click/DPDK as a possible plakorm
• Working on defining the OpenBox protocol Future Work: • Algorithms for smart aggrega2on of OpenBox applica2ons • Algorithms for smart placement and provisioning of OpenBox service
instances • Distributed data plane, possibly coopera2ng with SDN/P4 switches • New OpenBox applica2ons
14
Ques2ons?
Thank you.
15