Upload
moanna
View
31
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Real-Time Network Optimisation. Vic Grout Centre for Applied Internet Research ( CAIR ) University of Wales NEWI Plas Coch Campus, Mold Road Wrexham, LL11 2AW, UK [email protected] http://www.newi.ac.uk/Computing/Research. - PowerPoint PPT Presentation
Citation preview
Real-TimeNetwork Optimisation
Vic GroutCentre for Applied Internet Research (CAIR)University of WalesNEWI Plas Coch Campus, Mold RoadWrexham, LL11 2AW, [email protected]://www.newi.ac.uk/Computing/Research
NEWI North East Wales Institute of Higher Education - Centre for Applied Internet Research
Introduction/Overview
Real-time optimisation problems in networking routing queuing pattern-matching (eg, security) filtering
Very restricted performance constraints Multi-platform issues
Frame RelayATM
LAN LAN
LAN
Introduction/Overview
Real-time optimisation problems in networking routing queuing pattern-matching (eg, security) filtering
Very restricted performance constraints Multi-platform issues
Router
Interfaces
… various processing (optimisation) problems within router
Traffic (packets) in Traffic (packets) out
Introduction/Overview
Real-time optimisation problems in networking routing queuing pattern-matching (eg, security) filtering
Very restricted performance constraints Multi-platform issues
RTNO
Requirements of RTNO Software
Low space-complexity coded into router operating system (ROS) (or) embedded in hardware
Minimal time-complexity need to be re-run frequently must not add to inherent latency of processing traffic
Cross-platform interoperability simple implementation configurable to time/space resources/need (in development) to allow comparison
Cheap ‘n’ cheerful!
RTNO Software Design Principles
Fast approximations/heuristics modification of existing algorithms development of new techniques
Configurable by parameters – trade-off: (time/space) complexity accuracy
For example, search processes truncated in: time scope resolution degree/depth
Illustrated by example …
Example: Packet Filters (ACLs)
Filters applied on routers to implement policies security traffic shaping/queuing
Access Control Lists (ACLs) lists of (permit/deny) rules (each) packet compared with rules in order permit/deny packet according to first match
Example: Packet Filters (ACLs)
Filters applied on routers to implement policies security traffic shaping/queuing
Access Control Lists (ACLs) lists of (permit/deny) rules (each) packet compared with rules in order permit/deny packet according to first match
Pass or block this packet?
?
A Typical ACL
access-list 101 permit tcp 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255 eq telnetaccess-list 101 permit tcp 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255 eq ftpaccess-list 101 permit tcp 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255 eq httpaccess-list 101 deny ip 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255access-list 101 permit icmp any 10.0.0.0 0.255.255.255 administratively-prohibitedaccess-list 101 permit icmp any 10.0.0.0 0.255.255.255 echo-replyaccess-list 101 permit icmp any 10.0.0.0 0.255.255.255 packet-too-bigaccess-list 101 permit icmp any 10.0.0.0 0.255.255.255 time-exceededaccess-list 101 permit icmp any 10.0.0.0 0.255.255.255 unreachableaccess-list 101 permit icmp 172.16.20.0 0.0.255.255access-list 101 deny icmp any anyaccess-list 101 permit ip 202.33.42.0 0.0.0.255 anyaccess-list 101 permit ip 202.33.73.0 0.0.0.255 anyaccess-list 101 permit ip 202.33.48.0 0.0.0.255 anyaccess-list 101 permit ip 202.33.75.0 0.0.0.255 anyaccess-list 101 deny ip 202.33.0.0 0.0.255.255 anyaccess-list 101 deny tcp 210.120.122.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.183.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.114.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.175.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.136.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.177.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 permit tcp any 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp any any eq wwwaccess-list 101 permit tcp any anyaccess-list 101 deny ip 195.10.45.0 0.0.0.255 anyaccess-list 101 permit ip any any{access-list 101 deny all} {implicit}
Rules applied in order
‘implicit deny’ at end
A Typical ACL
access-list 101 permit tcp 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255 eq telnetaccess-list 101 permit tcp 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255 eq ftpaccess-list 101 permit tcp 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255 eq httpaccess-list 101 deny ip 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255access-list 101 permit icmp any 10.0.0.0 0.255.255.255 administratively-prohibitedaccess-list 101 permit icmp any 10.0.0.0 0.255.255.255 echo-replyaccess-list 101 permit icmp any 10.0.0.0 0.255.255.255 packet-too-bigaccess-list 101 permit icmp any 10.0.0.0 0.255.255.255 time-exceededaccess-list 101 permit icmp any 10.0.0.0 0.255.255.255 unreachableaccess-list 101 permit icmp 172.16.20.0 0.0.255.255access-list 101 deny icmp any anyaccess-list 101 permit ip 202.33.42.0 0.0.0.255 anyaccess-list 101 permit ip 202.33.73.0 0.0.0.255 anyaccess-list 101 permit ip 202.33.48.0 0.0.0.255 anyaccess-list 101 permit ip 202.33.75.0 0.0.0.255 anyaccess-list 101 deny ip 202.33.0.0 0.0.255.255 anyaccess-list 101 deny tcp 210.120.122.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.183.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.114.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.175.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.136.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.177.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 permit tcp any 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp any any eq wwwaccess-list 101 permit tcp any anyaccess-list 101 deny ip 195.10.45.0 0.0.0.255 anyaccess-list 101 permit ip any any{access-list 101 deny all} {implicit}
ACL Optimisation
The time taken to process a packet against an ACL will depend upon which rule matches the packet hit rate
• the probability that a packet will match a given rule latency
• the time taken to process a rule cumulative latency
• the time taken to process rules up to a given rule expected latency
• of the list as a whole The objective is to minimise the time taken to process
each packet. To do this, we want rules with high hit-rates towards the top of the list but those with high latencies towards the bottom. Clearly, these objectives may conflict/compete. And there is another problem …
Dependent Rules in ACLs
: :: :
access-list 102 permit ip 192.168.16.0 0.0.0.255 any: :: :
access-list 102 deny ip any 10.0.0.0 0.255.255.255: :: :
{access-list 102 deny all} {implicit}
: :: :
access-list 102 deny ip any 10.0.0.0 0.255.255.255: :: :
access-list 102 permit ip 192.168.16.0 0.0.0.255 any: :: :
{access-list 102 deny all} {implicit}
Dependent Rules in ACLs
: :: :
access-list 102 permit ip 192.168.16.0 0.0.0.255 any: :: :
access-list 102 deny ip any 10.0.0.0 0.255.255.255: :: :
{access-list 102 deny all} {implicit}
: :: :
access-list 102 deny ip any 10.0.0.0 0.255.255.255: :: :
access-list 102 permit ip 192.168.16.0 0.0.0.255 any: :: :
{access-list 102 deny all} {implicit}
From:192.168.16.1
To:10.0.0.1
Passed by
Blockedby
Formulisation of ACL RTNO Problem: Packets and Flows
Define A* to be the set of all addresses available within a given system, define B* to be the set of all protocols recognised bythe system and define F* = {0, 1}m to be the set of m flagvectors ({0, 1} m-tuples acting on B* ) valid for the system.For completeness, X* represents the set of payloads.
A packet, pk = (Sak, Dak, bk, fk, Xk), is defined by its constituents:
Sak A*: the source address, Dak A*: the destination address,
bk B*: the protocol, fk F*: the flags vector, and Xk X*: the payload.
A traffic flow, T = [p1, p2, ..., pq], is a sequence of q packets. For
sufficiently large q, this may be regarded as a distributionof packets and we simply refer to the traffic, T.
Formulisation of ACL RTNO Problem: Rules and Policies
A rule, ri = (ti, SAi, DAi, Bi, i), consists of: a type, ti (permit, deny},SAi A*: the source range, DAi A*: the destination range,Bi B*: the protocol range, and a flags predicate,i: F* {true, false}. Only ti is a required component. If anyother components are absent then SAi = A*, DAi = A*, Bi = B* ori true by default.
A policy, Z = [r1, r2, ..., rn] is an (ordered) sequence of n rules to achieve some purpose. The last rule denies all traffic, ie,tn = deny, SAn = A*, DAn = A*, Bn = B* and n true.
A packet, pk, matches a rule, ri (for which we write pk ri), if its addresses and protocols are within the range of the rule andif its flags vector satisfies the rule’s flags predicate. That is,pk ri (Sak SAi) (Dak DAi) (bk Bi) i (fk), in which casethe packet will be permitted or denied according to ti.
Formulisation of ACL RTNO Problem: Dependencies
A dependency exists between two rules, ri and rj, if theyare of opposite type and it is possible that there existsa packet, pk, that matches both rules ((pk ri) (pk rj)), that is ri and rj are dependent if pk such that
(ti ≠ tj) (Sak SAi SAj) (Dak DAi DAj) (bk Bi Bj) i(fk) j(fk).
Eliminating the packet, pk, from this expression, allowsa {0, 1} dependency matrix, D = (dij: 1i,jn), to be defined:
dij (ti ≠ tj) (SAi SAj ) (DAi DAj ) (Bi Bj ) (i j).
Formulisation of ACL RTNO Problem: Redundancies
A rule, rj, in a policy, Z, is redundant (written ri rj) if there
exists a rule, ri (i < j), in Z, such that all packets matching rj
will be matched by ri.
ri rj (ti = tj) (SAi SAj) (DAi DAj) (Bi Bj) (i j).
A redundant rule may be removed from the policy withoutchanging its purpose. A rule, ri, in a policy, Z, is potentially redundant if there exists a rule, rj (i < j), in Z, such that all packets matching ri will be matched by rj. A redundant rulemay be removed from the policy without changing its purpose provided that no other rules between ri and rj are dependent upon rj, that is,
ri rj (ti = tj) (SAi SAj) (DAi DAj)
(Bi Bj) (i j) v (i < v < j), dvj = 0.
Formulisation of ACL RTNO Problem: Lists
An access list, or simply list, L, implements a policy,Z = [r1, r2, ..., rn], if it is a permutation of the rules of Z
such that the order of dependencies is preserved. Let ri(L) be the rule at position i in L. A special case of a
list implementing a policy, Z, is the identity list,IZ = [r1, r2, ..., rn], for which ri(IZ) = ri i (1 i n).
Let m be the number of dependencies:
1
1 1
n
i
n
ijijdm
Formulisation of ACL RTNO Problem: Latencies and Hit Rates
The latency, ( ri), of a rule ri is the time taken to (independently) process ri. The cumulative latency,
( ri(L)), of ri in a list L, is the time taken to process ri
and all rules preceding it in L.
The hit-rate, h(ri(L),T), of rule ri in a list L, is the probability that a packet from a traffic flow T will match ri in L.
The expected latency, E(L,T), of a list L, in traffic T, is then given by
i
i LrLr1
))(())((
n
i
i
ii
n
iii LrTLrhLrTLrhTLE
1 11
))(()),(())(()),((),(
Formulisation of ACL RTNO Problem: Objective and Complexity
For a given policy Z applied to traffic T, Find the list Lmin, implementing Z, such that
E(Lmin , T) = min L E(L , T)
subject to the dependency constraintsri(L) < rj(L) dij = 1 1 i < j n
Solution space (n-1)! (unconstrained). NP-complete, by polynomial translation to
[SS4] Sequencing to Minimize Weighted Completion Time [SS7] Sequencing to Minimize Maximum Cumulative Cost
(Garey and Johnson, 1979)
Truncated Local-Search Optimisation
Truncated in time conceptually simple but requires timers lack of control (for comparison) no (cross-platform) flexibility
Truncated Scope/Resolution/Degree(Depth)
Search space
Solution space
timedegree/depth
resolution
scopesearch/solution sequence
k-Opt Search
Swap/permute k rules in ACL mark savings/maximise improvement
Particularly suited to RTNO Simple (minimal) ROS code Effective hardware implementation (‘wires’)
Fixed k-opt 2-opt, 3-opt, 4-opt (?), etc.
Variable k-opt eg, Lin-Kernighan
Combine using variable parameters scope (k), resolution, degree
(Example) 3-Opt Resolution
i i+1, j j+1, k k+1
i i+1, j j+1 k k+1
i i+1 j j+1 k k+1
3(i,1,1)-OPT
3(i,1,3)-OPT
3(i,2,2)-OPT
(Example) 3-Opt Resolution
i i+1, j j+1, k k+1
i i+1, j j+1 k k+1
i i+1 j j+1 k k+1
3(i,1,1)-OPT
3(i,1,3)-OPT
3(i,2,2)-OPT
X XX
X X X
X X X
Scope and Resolution
R = 0 R = 1 R = 2 R = 3 R = 4 …
S = 2 2(i,j) 2(i,j) 2(i,j)
S = 3 3(i,j,k) 3(i,j,k) 3(i,j,k) 3(i,j,k)
S = 4 4(i,j,k,l) 4(i,j,k,l) 4(i,j,k,l) 4(i,j,k,l) 4(i,j,k,l)
: : : : : :
i: best path recorded through searchi: all paths recorded through search
R = 0 R = 1 R = 2 R = 3 R = 4 …
S = 2 2(0) 2(1) 2(2)
S = 3 3(0) 3(1) 3(2) 3(3)
S = 4 4(0) 4(1) 4(2) 4(3) 4(4)
: : : : : :
Scope and Resolution
S: ScopeR: Resolution
Search Degree
S(R)
S(R) S(R) S(R) S(R) S(R)
S(R) S(R) S(R) … S(R) S(R) S(R)
S(R) S(R) S(R) … … S(R) S(R) S(R)
… S(R) S(R) S(R)
d
d
d: depth (degree) of search
Projected solution
Use standard tree-search algorithm with parameters:
n S R 1 d 1
Select S, R & d to suit platform can be calculated in real-time (dynamically)
For example (extreme), to ensure optimality, n1(1), n-12(2), etc. (all exponential)
Sd(R) Search
Scope Degree Resolution
Sd(R)
Look-up tables in ROS or logic circuitry in hardware
c: (router) clock cycles available
Calculating Sd(R)
c S R d
<1,000 1 1 1
<1,500 2 1 1
<2,000 2 2 1
<2,500 3 1 1
<3,000 3 1 2
<4,000 3 2 1
<5,000 3 3 1
<6,000 3 1 2
: : : :
Typical Resultsn m cZO cO2 2 S2 cOLK LK SLK
10 0 29.84 0.00 100 6.60 0.00 100 20.56
5 21.11 2.36 36 5.84 2.11 45 18.02
10 14.28 0.87 56 4.92 0.80 61 16.23
15 12.13 3.40 44 4.16 2.93 54 13.09
20 8.22 0.67 72 3.20 0.59 78 9.97
25 6.87 0.79 68 2.68 0.69 76 8.41
25 0 36.02 0.00 100 31.50 0.00 100 76.48
10 25.66 5.22 24 28.00 3.46 44 67.24
20 17.68 4.86 8 23.24 3.80 14 59.92
30 15.88 3.34 0 21.28 3.10 2 50.56
40 10.04 3.78 0 19.90 3.24 0 59.22
50 8.80 2.04 0 18.48 1.78 0 46.38
n: number of rules. m: number of dependencies.cZO: mean (%) saving of optimal solution over original policy.
cO2: mean (%) increase of 2-OPT solution over optimum.
2: mean (%) optimum found by 2-OPT. S2: mean number of iterations for 2-OPT to converge.
cOLK: mean (%) increase of LK-OPT solution over optimum.
LK: mean (%) optimum found by LK-OPT. SLK: mean number of iterations for LK-OPT to converge.
Typical Resultsn m cZO cO2 2 S2 cOLK LK SLK
50 0 43.80 0.00 100 204.30 0.00 100 432.50
20 30.00 7.80 0 187.90 6.90 20 346.20
40 20.20 6.70 10 170.20 5.50 20 335.10
60 18.60 5.90 0 164.30 4.80 0 326.60
80 13.70 4.20 0 150.30 3.60 0 305.60
100 12.30 3.40 0 136.50 3.00 0 283.70
100 0 50.80 0.00 100 1389.40 0.00 100 2095.60
50 35.80 8.60 20 1320.40 5.60 20 1976.40
100 23.20 8.40 0 1193.00 5.20 0 1739.20
150 20.80 6.80 0 1150.20 4.80 0 1603.60
200 15.60 7.80 0 1003.80 4.80 0 1447.40
250 14.40 5.60 0 988.60 4.40 0 1404.20
n: number of rules. m: number of dependencies.cZO: mean (%) saving of optimal solution over original policy.
cO2: mean (%) increase of 2-OPT solution over optimum.
2: mean (%) optimum found by 2-OPT. S2: mean number of iterations for 2-OPT to converge.
cOLK: mean (%) increase of LK-OPT solution over optimum.
LK: mean (%) optimum found by LK-OPT. SLK: mean number of iterations for LK-OPT to converge.
Other ‘Issues’ and Conclusions
How to detect dependencies? How to calculate hit rates? How to detect equivalence? When to optimise? Where to place ACLs?
RTNO is worthwhile ‘Keeping it simple’ is a complicated business! ‘Cheap ‘n’ cheerful works well!
Where to place ACLs?
Where to place ACLs?
Where to place ACLs?
Optimal? No – considerable duplication
Where to place ACLs?
True optimum can only comefrom taking a ‘global’ view
Any questions?
Vic GroutCentre for Applied Internet Research (CAIR)University of WalesNEWI Plas Coch Campus, Mold RoadWrexham, LL11 2AW, [email protected]://www.newi.ac.uk/Computing/Research
Thank you
NEWI North East Wales Institute of Higher Education - Centre for Applied Internet Research