Real-Time Network Optimisation

Real-TimeNetwork Optimisation

Vic GroutCentre for Applied Internet Research (CAIR)University of WalesNEWI Plas Coch Campus, Mold RoadWrexham, LL11 2AW, [email protected]://www.newi.ac.uk/Computing/Research

NEWI North East Wales Institute of Higher Education - Centre for Applied Internet Research

Introduction/Overview

Real-time optimisation problems in networking routing queuing pattern-matching (eg, security) filtering

Very restricted performance constraints Multi-platform issues

Frame RelayATM

LAN LAN

LAN




Router

Interfaces

… various processing (optimisation) problems within router

Traffic (packets) in Traffic (packets) out




RTNO

Requirements of RTNO Software

Low space-complexity coded into router operating system (ROS) (or) embedded in hardware

Minimal time-complexity need to be re-run frequently must not add to inherent latency of processing traffic

Cross-platform interoperability simple implementation configurable to time/space resources/need (in development) to allow comparison

Cheap ‘n’ cheerful!

RTNO Software Design Principles

Fast approximations/heuristics modification of existing algorithms development of new techniques

Configurable by parameters – trade-off: (time/space) complexity accuracy

For example, search processes truncated in: time scope resolution degree/depth

Illustrated by example …

Example: Packet Filters (ACLs)

Filters applied on routers to implement policies security traffic shaping/queuing

Access Control Lists (ACLs) lists of (permit/deny) rules (each) packet compared with rules in order permit/deny packet according to first match

Example: Packet Filters (ACLs)

Filters applied on routers to implement policies security traffic shaping/queuing

Access Control Lists (ACLs) lists of (permit/deny) rules (each) packet compared with rules in order permit/deny packet according to first match

Pass or block this packet?

?

A Typical ACL

access-list 101 permit tcp 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255 eq telnetaccess-list 101 permit tcp 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255 eq ftpaccess-list 101 permit tcp 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255 eq httpaccess-list 101 deny ip 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255access-list 101 permit icmp any 10.0.0.0 0.255.255.255 administratively-prohibitedaccess-list 101 permit icmp any 10.0.0.0 0.255.255.255 echo-replyaccess-list 101 permit icmp any 10.0.0.0 0.255.255.255 packet-too-bigaccess-list 101 permit icmp any 10.0.0.0 0.255.255.255 time-exceededaccess-list 101 permit icmp any 10.0.0.0 0.255.255.255 unreachableaccess-list 101 permit icmp 172.16.20.0 0.0.255.255access-list 101 deny icmp any anyaccess-list 101 permit ip 202.33.42.0 0.0.0.255 anyaccess-list 101 permit ip 202.33.73.0 0.0.0.255 anyaccess-list 101 permit ip 202.33.48.0 0.0.0.255 anyaccess-list 101 permit ip 202.33.75.0 0.0.0.255 anyaccess-list 101 deny ip 202.33.0.0 0.0.255.255 anyaccess-list 101 deny tcp 210.120.122.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.183.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.114.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.175.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.136.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.177.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 permit tcp any 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp any any eq wwwaccess-list 101 permit tcp any anyaccess-list 101 deny ip 195.10.45.0 0.0.0.255 anyaccess-list 101 permit ip any any{access-list 101 deny all} {implicit}

Rules applied in order

‘implicit deny’ at end

A Typical ACL

access-list 101 permit tcp 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255 eq telnetaccess-list 101 permit tcp 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255 eq ftpaccess-list 101 permit tcp 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255 eq httpaccess-list 101 deny ip 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255access-list 101 permit icmp any 10.0.0.0 0.255.255.255 administratively-prohibitedaccess-list 101 permit icmp any 10.0.0.0 0.255.255.255 echo-replyaccess-list 101 permit icmp any 10.0.0.0 0.255.255.255 packet-too-bigaccess-list 101 permit icmp any 10.0.0.0 0.255.255.255 time-exceededaccess-list 101 permit icmp any 10.0.0.0 0.255.255.255 unreachableaccess-list 101 permit icmp 172.16.20.0 0.0.255.255access-list 101 deny icmp any anyaccess-list 101 permit ip 202.33.42.0 0.0.0.255 anyaccess-list 101 permit ip 202.33.73.0 0.0.0.255 anyaccess-list 101 permit ip 202.33.48.0 0.0.0.255 anyaccess-list 101 permit ip 202.33.75.0 0.0.0.255 anyaccess-list 101 deny ip 202.33.0.0 0.0.255.255 anyaccess-list 101 deny tcp 210.120.122.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.183.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.114.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.175.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.136.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp 210.120.177.0 0.0.0.255 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 permit tcp any 10.2.2.0 0.255.255.255 eq wwwaccess-list 101 deny tcp any any eq wwwaccess-list 101 permit tcp any anyaccess-list 101 deny ip 195.10.45.0 0.0.0.255 anyaccess-list 101 permit ip any any{access-list 101 deny all} {implicit}

ACL Optimisation

The time taken to process a packet against an ACL will depend upon which rule matches the packet hit rate

• the probability that a packet will match a given rule latency

• the time taken to process a rule cumulative latency

• the time taken to process rules up to a given rule expected latency

• of the list as a whole The objective is to minimise the time taken to process

each packet. To do this, we want rules with high hit-rates towards the top of the list but those with high latencies towards the bottom. Clearly, these objectives may conflict/compete. And there is another problem …

Dependent Rules in ACLs

: :: :

access-list 102 permit ip 192.168.16.0 0.0.0.255 any: :: :

access-list 102 deny ip any 10.0.0.0 0.255.255.255: :: :

{access-list 102 deny all} {implicit}

: :: :




Dependent Rules in ACLs

: :: :




: :: :




From:192.168.16.1

To:10.0.0.1

Passed by

Blockedby

Formulisation of ACL RTNO Problem: Packets and Flows

Define A* to be the set of all addresses available within a given system, define B* to be the set of all protocols recognised bythe system and define F* = {0, 1}m to be the set of m flagvectors ({0, 1} m-tuples acting on B* ) valid for the system.For completeness, X* represents the set of payloads.

A packet, pk = (Sak, Dak, bk, fk, Xk), is defined by its constituents:

Sak A*: the source address, Dak A*: the destination address,

bk B*: the protocol, fk F*: the flags vector, and Xk X*: the payload.

A traffic flow, T = [p1, p2, ..., pq], is a sequence of q packets. For

sufficiently large q, this may be regarded as a distributionof packets and we simply refer to the traffic, T.

Formulisation of ACL RTNO Problem: Rules and Policies

A rule, ri = (ti, SAi, DAi, Bi, i), consists of: a type, ti (permit, deny},SAi A*: the source range, DAi A*: the destination range,Bi B*: the protocol range, and a flags predicate,i: F* {true, false}. Only ti is a required component. If anyother components are absent then SAi = A*, DAi = A*, Bi = B* ori true by default.

A policy, Z = [r1, r2, ..., rn] is an (ordered) sequence of n rules to achieve some purpose. The last rule denies all traffic, ie,tn = deny, SAn = A*, DAn = A*, Bn = B* and n true.

A packet, pk, matches a rule, ri (for which we write pk ri), if its addresses and protocols are within the range of the rule andif its flags vector satisfies the rule’s flags predicate. That is,pk ri (Sak SAi) (Dak DAi) (bk Bi) i (fk), in which casethe packet will be permitted or denied according to ti.

Formulisation of ACL RTNO Problem: Dependencies

A dependency exists between two rules, ri and rj, if theyare of opposite type and it is possible that there existsa packet, pk, that matches both rules ((pk ri) (pk rj)), that is ri and rj are dependent if pk such that

(ti ≠ tj) (Sak SAi SAj) (Dak DAi DAj) (bk Bi Bj) i(fk) j(fk).

Eliminating the packet, pk, from this expression, allowsa {0, 1} dependency matrix, D = (dij: 1i,jn), to be defined:

dij (ti ≠ tj) (SAi SAj ) (DAi DAj ) (Bi Bj ) (i j).

Formulisation of ACL RTNO Problem: Redundancies

A rule, rj, in a policy, Z, is redundant (written ri rj) if there

exists a rule, ri (i < j), in Z, such that all packets matching rj

will be matched by ri.

ri rj (ti = tj) (SAi SAj) (DAi DAj) (Bi Bj) (i j).

A redundant rule may be removed from the policy withoutchanging its purpose. A rule, ri, in a policy, Z, is potentially redundant if there exists a rule, rj (i < j), in Z, such that all packets matching ri will be matched by rj. A redundant rulemay be removed from the policy without changing its purpose provided that no other rules between ri and rj are dependent upon rj, that is,

ri rj (ti = tj) (SAi SAj) (DAi DAj)

(Bi Bj) (i j) v (i < v < j), dvj = 0.

Formulisation of ACL RTNO Problem: Lists

An access list, or simply list, L, implements a policy,Z = [r1, r2, ..., rn], if it is a permutation of the rules of Z

such that the order of dependencies is preserved. Let ri(L) be the rule at position i in L. A special case of a

list implementing a policy, Z, is the identity list,IZ = [r1, r2, ..., rn], for which ri(IZ) = ri i (1 i n).

Let m be the number of dependencies:

1

1 1

n

i

n

ijijdm

Formulisation of ACL RTNO Problem: Latencies and Hit Rates

The latency, ( ri), of a rule ri is the time taken to (independently) process ri. The cumulative latency,

( ri(L)), of ri in a list L, is the time taken to process ri

and all rules preceding it in L.

The hit-rate, h(ri(L),T), of rule ri in a list L, is the probability that a packet from a traffic flow T will match ri in L.

The expected latency, E(L,T), of a list L, in traffic T, is then given by

i

i LrLr1

))(())((

n

i

i

ii

n

iii LrTLrhLrTLrhTLE

1 11

))(()),(())(()),((),(

Formulisation of ACL RTNO Problem: Objective and Complexity

For a given policy Z applied to traffic T, Find the list Lmin, implementing Z, such that

E(Lmin , T) = min L E(L , T)

subject to the dependency constraintsri(L) < rj(L) dij = 1 1 i < j n

Solution space (n-1)! (unconstrained). NP-complete, by polynomial translation to

[SS4] Sequencing to Minimize Weighted Completion Time [SS7] Sequencing to Minimize Maximum Cumulative Cost

(Garey and Johnson, 1979)

Truncated Local-Search Optimisation

Truncated in time conceptually simple but requires timers lack of control (for comparison) no (cross-platform) flexibility

Truncated Scope/Resolution/Degree(Depth)

Search space

Solution space

timedegree/depth

resolution

scopesearch/solution sequence

k-Opt Search

Swap/permute k rules in ACL mark savings/maximise improvement

Particularly suited to RTNO Simple (minimal) ROS code Effective hardware implementation (‘wires’)

Fixed k-opt 2-opt, 3-opt, 4-opt (?), etc.

Variable k-opt eg, Lin-Kernighan

Combine using variable parameters scope (k), resolution, degree

(Example) 3-Opt Resolution

i i+1, j j+1, k k+1

i i+1, j j+1 k k+1

i i+1 j j+1 k k+1

3(i,1,1)-OPT

3(i,1,3)-OPT

3(i,2,2)-OPT

(Example) 3-Opt Resolution

i i+1, j j+1, k k+1

i i+1, j j+1 k k+1

i i+1 j j+1 k k+1

3(i,1,1)-OPT

3(i,1,3)-OPT

3(i,2,2)-OPT

X XX

X X X

X X X

Scope and Resolution

R = 0 R = 1 R = 2 R = 3 R = 4 …

S = 2 2(i,j) 2(i,j) 2(i,j)

S = 3 3(i,j,k) 3(i,j,k) 3(i,j,k) 3(i,j,k)

S = 4 4(i,j,k,l) 4(i,j,k,l) 4(i,j,k,l) 4(i,j,k,l) 4(i,j,k,l)

: : : : : :

i: best path recorded through searchi: all paths recorded through search

R = 0 R = 1 R = 2 R = 3 R = 4 …

S = 2 2(0) 2(1) 2(2)

S = 3 3(0) 3(1) 3(2) 3(3)

S = 4 4(0) 4(1) 4(2) 4(3) 4(4)

: : : : : :

Scope and Resolution

S: ScopeR: Resolution

Search Degree

S(R)

S(R) S(R) S(R) S(R) S(R)

S(R) S(R) S(R) … S(R) S(R) S(R)

S(R) S(R) S(R) … … S(R) S(R) S(R)

… S(R) S(R) S(R)

d

d

d: depth (degree) of search

Projected solution

Use standard tree-search algorithm with parameters:

n S R 1 d 1

Select S, R & d to suit platform can be calculated in real-time (dynamically)

For example (extreme), to ensure optimality, n1(1), n-12(2), etc. (all exponential)

Sd(R) Search

Scope Degree Resolution

Sd(R)

Look-up tables in ROS or logic circuitry in hardware

c: (router) clock cycles available

Calculating Sd(R)

c S R d

<1,000 1 1 1

<1,500 2 1 1

<2,000 2 2 1

<2,500 3 1 1

<3,000 3 1 2

<4,000 3 2 1

<5,000 3 3 1

<6,000 3 1 2

: : : :

Typical Resultsn m cZO cO2 2 S2 cOLK LK SLK

10 0 29.84 0.00 100 6.60 0.00 100 20.56

5 21.11 2.36 36 5.84 2.11 45 18.02

10 14.28 0.87 56 4.92 0.80 61 16.23

15 12.13 3.40 44 4.16 2.93 54 13.09

20 8.22 0.67 72 3.20 0.59 78 9.97

25 6.87 0.79 68 2.68 0.69 76 8.41

25 0 36.02 0.00 100 31.50 0.00 100 76.48

10 25.66 5.22 24 28.00 3.46 44 67.24

20 17.68 4.86 8 23.24 3.80 14 59.92

30 15.88 3.34 0 21.28 3.10 2 50.56

40 10.04 3.78 0 19.90 3.24 0 59.22

50 8.80 2.04 0 18.48 1.78 0 46.38

n: number of rules. m: number of dependencies.cZO: mean (%) saving of optimal solution over original policy.

cO2: mean (%) increase of 2-OPT solution over optimum.

2: mean (%) optimum found by 2-OPT. S2: mean number of iterations for 2-OPT to converge.

cOLK: mean (%) increase of LK-OPT solution over optimum.

LK: mean (%) optimum found by LK-OPT. SLK: mean number of iterations for LK-OPT to converge.

Typical Resultsn m cZO cO2 2 S2 cOLK LK SLK

50 0 43.80 0.00 100 204.30 0.00 100 432.50

20 30.00 7.80 0 187.90 6.90 20 346.20

40 20.20 6.70 10 170.20 5.50 20 335.10

60 18.60 5.90 0 164.30 4.80 0 326.60

80 13.70 4.20 0 150.30 3.60 0 305.60

100 12.30 3.40 0 136.50 3.00 0 283.70

100 0 50.80 0.00 100 1389.40 0.00 100 2095.60

50 35.80 8.60 20 1320.40 5.60 20 1976.40

100 23.20 8.40 0 1193.00 5.20 0 1739.20

150 20.80 6.80 0 1150.20 4.80 0 1603.60

200 15.60 7.80 0 1003.80 4.80 0 1447.40

250 14.40 5.60 0 988.60 4.40 0 1404.20

n: number of rules. m: number of dependencies.cZO: mean (%) saving of optimal solution over original policy.

cO2: mean (%) increase of 2-OPT solution over optimum.

2: mean (%) optimum found by 2-OPT. S2: mean number of iterations for 2-OPT to converge.

cOLK: mean (%) increase of LK-OPT solution over optimum.

LK: mean (%) optimum found by LK-OPT. SLK: mean number of iterations for LK-OPT to converge.

Other ‘Issues’ and Conclusions

How to detect dependencies? How to calculate hit rates? How to detect equivalence? When to optimise? Where to place ACLs?

RTNO is worthwhile ‘Keeping it simple’ is a complicated business! ‘Cheap ‘n’ cheerful works well!

Where to place ACLs?



Optimal? No – considerable duplication


True optimum can only comefrom taking a ‘global’ view

Any questions?

Vic GroutCentre for Applied Internet Research (CAIR)University of WalesNEWI Plas Coch Campus, Mold RoadWrexham, LL11 2AW, [email protected]://www.newi.ac.uk/Computing/Research

Thank you

NEWI North East Wales Institute of Higher Education - Centre for Applied Internet Research

Documents

Real-Time Network Optimisation