Embed Size (px)
Citation preview
Luke McHale, C. Jasson Casey, Paul V. Gratz, Alex Sprintson
Stochastic Pre-Classification for SDN Data Plane Matching
Contact: [email protected] Presenter: Luke McHale Ph.D. Student, Texas A&M University
Motivation
• SDNs increase stress on Packet Classification – Higher complexity compared to traditional networks – Generalizing increases timing variability
• Denial of Service (DoS) attacks on SDN switches are a potential issue – Wastes resources, crowding out legitimate packets – Inherent problem: traffic must be classified before it
can be determined malicious
Switch
packet packetPacket Arrival
Key Extraction
Table Selection
Flow Selection
Action Application
packet
2
OpenFlow SDN Data Plane
Motivation: Packet Classification
• Exact Matching – Hash Tables
• Prefix Match – Tries
• Arbitrary – TCAM (limited in
size/availability)
Switch
packet packetPacket Arrival
Key Extraction
Table Selection
Flow Selection
Action Application
packet
eth.src
eth.dst
eth.type
eth.vlan_id
eth.vlan_p
ipv4.tos
proto.field
Key
...
nextstage
key & mask = valueClassifier
value mask policy
101110 111000 policy
011011 100111 policy
000000 000000 policy
Flow Table
key
policy
3
Motivation: Flow Locality • 35% of the flows contain 95% of the packets
– The active-flow window is constantly changing
0
5
10
15
20
25
30
0.0 200.0k 400.0k 600.0k 800.0k 1.0M 1.2M 1.4M
Mill
ion
Pack
ets
Flow # (sorted)
CAIDA Trace: equinix-sanjose.dirA20120119-125903 4
Cumulative Distribution of Unique Flows
Outline
1. Motivation a. Packet Classification b. Flow Locality
2. Taking Advantage of Flow Locality a. Flow Caching b. Pre-Classification
3. Evaluation a. Experimental Setup b. Firewall Application
4. Results 5. Conclusions
5
Flow Caching
• Flow Locality -> Caching becomes fast-path – Keeps high-throughput flows – Lookup: exact-match using key (i.e. 5-tuple) – Cache: action set – Hits: bypass Table and Flow selection
miss
hit
packet Key Extraction
Flow Cache packetTable
SelectionFlow
SelectionAction
Application
packet
packet
update
6 Similar techniques: [I.L. Chvets et al., 2002], [K. Li et al., 2003]
Pre-Classification
• Attacks aim to stress slow-path (classification) – When stressed, prioritize established traffic – Lookup: exact-match using key (i.e. 5-tuple) – Cache: seen before – Hits: higher classification priority
hit
miss
PriorityScheduler
Bloom Filterpacket Key
Extraction
Known Flows
Unknown Flows
packetTable Selection
Flow Selection
Action Application
packet
update
HiLo
7
Bloom Filter
• O[1] Lookups • O[1] Inserts
• False positive rate is proportional to fill level
• Tradeoffs in design
eth.src
eth.dst
eth.type
eth.vlan_id
eth.vlan_p
ipv4.tos
proto.field
Key
...
nextstage
key
Table
Hash Lookupidx
seed
Table
Hash Lookupidx
seed
Table
Hash Lookupidx
seed
Bloom Filter
key
key
keymember
member
member
1
12n
2
n
1
2
n
1
2
n
1
2
n
• Hit: flow likely seen within epoch • Miss: flow definitely not seen within epoch
8
Bloom Filter: XOR Hash Function • Bit-level XOR helps preserve entropy • Avoid mixing heavily correlated bits
9
104-bit 5-tuple (Key)
16-bit Hash
XOR XOR
XOR
XOR XOR
XOR
XOR
Experimental Setup • Cycle accurate simulator • Frequency determined by array sizes using CACTI
Data Plane Frequency 2 GHz Data Plane Queue Depth 2 high, 2 low Bloom Filter Size 320Kb (5 arrays, each 64Kb) Bloom Filter Clearing Interval 60K insertions Flow Cache Size 69Kb (512 138-bit entries) Flow Cache Organization 2-way set associative, LRU Flow Selection 8,000 entries
10 10 Gbps
Time-Scaled Interface
Classification Simulator
Packet Collection & Statistics
PCAP Trace
{1, 10, 40, 100 Gbps}
Firewall Application
• Simulated Firewall Application • Access Control List (ACL)
– Protocol – IP source/destination – Port source/dest. ranges
• Test ACL Generation – 95%: nominal network conditions – 60%: network with significant malicious traffic – 20%: network under attack
0
10
20
30
40
50
60
70
80
90
100
0 1000 2000 3000 4000 5000 6000 7000 8000
Cove
rage
(%)
Rule No.
95% Accept60% Accept20% Accept
11
Results: Throughput
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
1 10 40 100
Norm
aliz
ed T
hrou
ghpu
t
Interface Speed (Gbps)
Baseline - 95%Baseline - 60%Baseline - 20%
packet Key Extraction packetTable
SelectionFlow
SelectionAction
Application
packet
12
❇ Stressed >1 Gbps
Results: Throughput
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
1 10 40 100
Norm
aliz
ed T
hrou
ghpu
t
Interface Speed (Gbps)
Baseline - 95%Baseline - 60%Baseline - 20%
Caching - 95%Caching - 60%Caching - 20%
miss
hit
packet Key Extraction
Flow Cache packetTable
SelectionFlow
SelectionAction
Application
packet
packet
update
13
❇ Stressed >1 Gbps Throughput proportional to
unauthorized traffic
Results: Throughput
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
1 10 40 100
Norm
aliz
ed T
hrou
ghpu
t
Interface Speed (Gbps)
Baseline - 95%Baseline - 60%Baseline - 20%
Caching - 95%Caching - 60%Caching - 20%
Partition - 95%Partition - 60%Partition - 20%
hit
miss
PriorityScheduler
Bloom Filterpacket Key
Extraction
Known Flows
Unknown Flows
packetTable Selection
Flow Selection
Action Application
packet
update
HiLo
14
❇ Stressed >1 Gbps Throughput proportional to
unauthorized traffic
▲ Unauthorized traffic has less impact on throughput
Results: Throughput
miss
hit
Flow Cache packetTable
SelectionFlow
SelectionAction
Application
packet
packethit
miss
PriorityScheduler
Bloom Filterpacket Key
Extraction
Known Flows
Unknown Flowsupdate
update
HiLo
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
1 10 40 100
Norm
aliz
ed T
hrou
ghpu
t
Interface Speed (Gbps)
Baseline - 95%Baseline - 60%Baseline - 20%
Caching - 95%Caching - 60%Caching - 20%
Partition - 95%Partition - 60%Partition - 20%
Partition+Caching - 95%Partition+Caching - 60%Partition+Caching - 20%
15
❇ Stressed >1 Gbps Throughput proportional to
unauthorized traffic
▲ Unauthorized traffic has less impact on throughput
u More consistent throughput
Results: Latency
0
1
2
3
4
5
6
7
8
9
1 10 40 100
Mea
n La
tenc
y (µ
s)
Interface Speed (Gbps)
Baseline - 95%Baseline - 60%Baseline - 20%
packet Key Extraction packetTable
SelectionFlow
SelectionAction
Application
packet
16
❇ Queue saturation causes high latency >1 Gbps
Results: Latency
0
1
2
3
4
5
6
7
8
9
1 10 40 100
Mea
n La
tenc
y (µ
s)
Interface Speed (Gbps)
Baseline - 95%Baseline - 60%Baseline - 20%
Caching - 95%Caching - 60%Caching - 20%
miss
hit
packet Key Extraction
Flow Cache packetTable
SelectionFlow
SelectionAction
Application
packet
packet
update
17
❇ Queue saturation causes high latency >1 Gbps
Hits improve average latency
Results: Latency
0
1
2
3
4
5
6
7
8
9
1 10 40 100
Mea
n La
tenc
y (µ
s)
Interface Speed (Gbps)
Baseline - 95%Baseline - 60%Baseline - 20%
Caching - 95%Caching - 60%Caching - 20%
Partition - 95%Partition - 60%Partition - 20%
hit
miss
PriorityScheduler
Bloom Filterpacket Key
Extraction
Known Flows
Unknown Flows
packetTable Selection
Flow Selection
Action Application
packet
update
HiLo
18
❇ Queue saturation causes high latency >1 Gbps
Hits improve average latency ▲ Authorized traffic not yet seen
incurs higher latency ▲ Once flow is learned, latency
consistent with Baseline
Results: Latency
0
1
2
3
4
5
6
7
8
9
1 10 40 100
Mea
n La
tenc
y (µ
s)
Interface Speed (Gbps)
Baseline - 95%Baseline - 60%Baseline - 20%
Caching - 95%Caching - 60%Caching - 20%
Partition - 95%Partition - 60%Partition - 20%
Partition+Caching - 95%Partition+Caching - 60%Partition+Caching - 20%
miss
hit
Flow Cache packetTable
SelectionFlow
SelectionAction
Application
packet
packethit
miss
PriorityScheduler
Bloom Filterpacket Key
Extraction
Known Flows
Unknown Flowsupdate
update
HiLo
19
❇ Queue saturation causes high latency >1 Gbps
Hits improve average latency ▲ Authorized traffic not yet seen
incurs higher latency ▲ Once flow is learned, latency
consistent with Cache u Higher latency at start of flow
u Latency is constant with cache thereafter
Results: Jitter
0
1
2
3
4
5
6
7
8
9
1 10 40 100
Jitte
r (µs
)
Interface Speed (Gbps)
Baseline - 95%Baseline - 60%Baseline - 20%
packet Key Extraction packetTable
SelectionFlow
SelectionAction
Application
packet
20
❇ Peaks at saturation point
Results: Jitter
0
1
2
3
4
5
6
7
8
9
1 10 40 100
Jitte
r (µs
)
Interface Speed (Gbps)
Baseline - 95%Baseline - 60%Baseline - 20%
Caching - 95%Caching - 60%Caching - 20%
miss
hit
packet Key Extraction
Flow Cache packetTable
SelectionFlow
SelectionAction
Application
packet
packet
update
21
❇ Peaks at saturation point Difference in fast vs. slow
path increases variance
Results: Jitter
0
5
10
15
20
25
30
35
1 10 40 100
Jitte
r (µs
)
Interface Speed (Gbps)
Baseline - 95%Baseline - 60%Baseline - 20%
Caching - 95%Caching - 60%Caching - 20%
Partition - 95%Partition - 60%Partition - 20%
hit
miss
PriorityScheduler
Bloom Filterpacket Key
Extraction
Known Flows
Unknown Flows
packetTable Selection
Flow Selection
Action Application
packet
update
HiLo
22
❇ Peaks at saturation point Difference in fast vs. slow
path increases variance ▲ Learning path incurs higher
latency -> jitter ▲ Once flow is learned, jitter
consistent with Caching
Results: Jitter
0
5
10
15
20
25
30
35
1 10 40 100
Jitte
r (µs
)
Interface Speed (Gbps)
Baseline - 95%Baseline - 60%Baseline - 20%
Caching - 95%Caching - 60%Caching - 20%
Partition - 95%Partition - 60%Partition - 20%
Partition+Caching - 95%Partition+Caching - 60%Partition+Caching - 20%
miss
hit
Flow Cache packetTable
SelectionFlow
SelectionAction
Application
packet
packethit
miss
PriorityScheduler
Bloom Filterpacket Key
Extraction
Known Flows
Unknown Flowsupdate
update
HiLo
23
❇ Peaks at saturation point Difference in fast vs. slow
path increases variance ▲ Learning path incurs higher
latency -> jitter ▲ Once flow is learned, jitter
consistent with Caching u Improves jitter incurred by
priority mechanism
Conclusions
• SDN complexity increases stress on Classification • Flow Cache minimizes the effect of repeatedly
classifying high-throughput flows – Increases effective throughput
• Pre-Classification prioritizes known traffic – Reduces effect of malicious traffic
• Combined architecture provides orthogonal benefit – Helps decouple legitimate and malicious traffic
24
miss
hit
Flow Cache packetTable
SelectionFlow
SelectionAction
Application
packet
packethit
miss
PriorityScheduler
Bloom Filterpacket Key
Extraction
Known Flows
Unknown Flowsupdate
update
HiLo
Results: Throughput
miss
hit
Flow Cache packetTable
SelectionFlow
SelectionAction
Application
packet
packethit
miss
PriorityScheduler
Bloom Filterpacket Key
Extraction
Known Flows
Unknown Flowsupdate
update
HiLo
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
1 10 40 100
Norm
aliz
ed T
hrou
ghpu
t
Interface Speed (Gbps)
Baseline - 95%Baseline - 60%Baseline - 20%
Caching - 95%Caching - 60%Caching - 20%
Partition - 95%Partition - 60%Partition - 20%
Partition+Caching - 95%Partition+Caching - 60%Partition+Caching - 20%
25
Results: Latency
0
1
2
3
4
5
6
7
8
9
1 10 40 100
Mea
n La
tenc
y (µ
s)
Interface Speed (Gbps)
Baseline - 95%Baseline - 60%Baseline - 20%
Caching - 95%Caching - 60%Caching - 20%
Partition - 95%Partition - 60%Partition - 20%
Partition+Caching - 95%Partition+Caching - 60%Partition+Caching - 20%
miss
hit
Flow Cache packetTable
SelectionFlow
SelectionAction
Application
packet
packethit
miss
PriorityScheduler
Bloom Filterpacket Key
Extraction
Known Flows
Unknown Flowsupdate
update
HiLo
26
Results: Jitter
0
5
10
15
20
25
30
35
1 10 40 100
Jitte
r (µs
)
Interface Speed (Gbps)
Baseline - 95%Baseline - 60%Baseline - 20%
Caching - 95%Caching - 60%Caching - 20%
Partition - 95%Partition - 60%Partition - 20%
Partition+Caching - 95%Partition+Caching - 60%Partition+Caching - 20%
miss
hit
Flow Cache packetTable
SelectionFlow
SelectionAction
Application
packet
packethit
miss
PriorityScheduler
Bloom Filterpacket Key
Extraction
Known Flows
Unknown Flowsupdate
update
HiLo
27
