View
100
Download
0
Category
Preview:
DESCRIPTION
Participatory Networking: An API for Application Control of SDNs. Andrew Ferguson, Arjun Guha, Chen Liang, Rodrigo Fonseca, and Shriram Krishnamurth i. Cornell. Participatory Networking. 1. SSHGuard. 2. Ekiga. 3. ZooKeeper. 4. Hadoop. Motivation. 1. SSHGuard. - PowerPoint PPT Presentation
Citation preview
1
Participatory Networking:
An API for Application Control of SDNs
Andrew Ferguson, Arjun Guha, Chen Liang,Rodrigo Fonseca, and Shriram Krishnamurthi
Cornell
2
Participatory Networking
3
Motivation
2. Ekiga3. ZooKeeper4. Hadoop
1. SSHGuard
4
2. Ekiga3. ZooKeeper4. Hadoop
1. SSHGuard
blocks hosts in response to login attempts
uses knowledge from host OS
prefers to deny traffic close to source
SSHGuarSSHGuardd
SSHGuarSSHGuardd
SSHGuarSSHGuarddSSHGuarSSHGuar
dd
SSHGuarSSHGuardd
SSHGuarSSHGuardd
SSHGuarSSHGuardd
5
2. Ekiga3. ZooKeeper4. Hadoop
1. SSHGuard
open source VOIP client
network needs dictated by end-user
prefers to reserve bandwidth
EkigaEkiga
EkigaEkiga
6
2. Ekiga3. ZooKeeper4. Hadoop
1. SSHGuard
Paxos-like coordination service
network needs dictated by placement
prefers high-priority switch queues
ZooKeepeZooKeeperr ZooKeepeZooKeepe
rr
ZooKeepeZooKeeperr
7
2. Ekiga3. ZooKeeper4. Hadoop
1. SSHGuard
open source data processing platform
network weights known by scheduler
prefers to reserve bandwidth
HadoopHadoop
HadoopHadoop
HadoopHadoop
HadoopHadoop
HadoopHadoop
HadoopHadoop
HadoopHadoop
HadoopHadoop
HadoopHadoop
HadoopHadoop
HadoopHadoop
HadoopHadoop
8
SDN ControllersSDN Controllers
SSHGuarSSHGuardd
SSHGuarSSHGuarddSSHGuardSSHGuard EkigaEkiga ZooKeepeZooKeepe
rrHadoopHadoopEkigaEkiga
9
10
1. decompose control and visibility2. resolve conflicts between requests
Challenges
11
Participatory
Networking
12
PANE
Participatory
Networking1. Requests 2. Hints3. Queries
13
Participatory
Networking• End-user API for SDNs• Exposes existing mechanisms• No effect on
unmodified applications
14
Decomposing Control
15
Shares
Hadoop
16
root
root adf
bandwidth100Mbps
bandwidth50Mbps
Share Tree
17
PANE
Reserve 2 Mbpsfrom now to +5min?
Yes
This traffic will be
short and bursty
OKHow much web trafficin the last hour?
67,560 bytes
18
bandwidth100Mbps
bandwidth100Mbps
bandwidth100Mbps
PANE
Current: 0 Mbps Current: 0 Mbps
Current: 0 Mbps
Reserve 80 Mbps?
Current: 80 Mbps
Yes
Current: 80 Mbps
Res
erve
50
Mbp
s?
No
ShareA
ShareB
19
Resolving Conflicts
20
root
root adf
bandwidth100Mbps
bandwidth50Mbps
Share Tree
21
(dstPort = 22, Deny)
(dstIP=10.0.0.2, GMB=30)
(dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)
Policy Trees
(srcIP=10.0.0.2, GMB=20)
22
(dstPort = 22, Deny)
(dstIP=10.0.0.2, GMB=30)
(dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)
Packet:
src 10.0.0.1
dst 10.0.0.2:80
Packet:
src 10.0.0.1
dst 10.0.0.2:80
Policy Trees
(srcIP=10.0.0.2, GMB=20)
23
(dstPort = 22, Deny)
(dstIP=10.0.0.2, GMB=30)
(dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)
Packet:
src 10.0.0.1
dst 10.0.0.2:80
Packet:
src 10.0.0.1
dst 10.0.0.2:80
Allow?++SS
GMB=10GMB=30
0 ++PP
GMB=30
Packet Evaluation
(srcIP=10.0.0.1, GMB=20) GMB=10
++DD
HierarchicalFlow Tables
24
GMB=10GMB=30
GMB=30
Conflict Resolution
Only Requirements:Associative, 0-
identity
GMB=10(dstPort=80, GMB=10)
Allow(srcIP=10.0.0.1,
Allow)
(srcIP=10.0.0.1, GMB=20)
(dstIP=10.0.0.2, GMB=30)
++PP
++DD++
SS
HierarchicalFlow Tables
25
++DD
++PP
++SS
Sibling
Parent-Sibling
In nodeD and S identical.
Deny overrides Allow.GMB combines as max
Rate-limit combines as min
Child overrides Parentfor Access Control
GMB combines as maxRate-limit combines as min
PANE’s Conflict Resolution Operators
26
Implementation
27
(dstPort = 22, Deny)
(dstIP=10.0.0.2, G
MB=30)
(dstPort=80, GMB=10)
(srcIP=10.0.0.1, Allow)
(dstPort = 22, Deny)
(dstIP=10.0.0.2, G
MB=30)
(dstPort=80, GMB=10)
(srcIP=10.0.0.1, Allow)
(dstPort = 22, Deny)
(dstIP=10.0.0.2, G
MB=30)
(dstPort=80, GMB=10)
(srcIP=10.0.0.1, Allow)
(dstPort = 22, Deny)
(dstIP=10.0.0.2, G
MB=30)
(dstPort=80, GMB=10)
(srcIP=10.0.0.1, Allow)
(dstPort = 22, Deny)
(dstIP=10.0.0.2, G
MB=30)
(dstPort=80, GMB=10)
(srcIP=10.0.0.1, Allow)PA
NE
28
(dstPort = 22, Deny)
(dstIP=10.0.0.2, GMB=30)
(dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)
(srcIP=10.0.0.2, GMB=20)
29
PANE
30
PANE
31
PANE
32
PANE
33
24Mbps5Mbps8Mbps24Mbps
PANE
34
24Mbps
PANE
35
PANE
0.6
0.6
36
Evaluation
37
38
Evaluation
2. Ekiga3. ZooKeeper4. Hadoop
1. SSHGuard
access controlbandwidth
reservationsqueues for low latency
centralized traffic weights
39
Three equal-sized sort jobs:•Two Low Priority with 25% weight•One High Priority with 50% weight
Dynamically apply QoS to High Priority flows using PANE.
PANE2
2Hosts
40
Hadoop’s OpenFlow rules
PANE2
2Hosts
41
Conclusion
1.For applications that know what they want from the network
• Allows these applications to co-exist
42
Andrew Fergusonadf@cs.brown.edupane.cs.brown.edu
43
Andrew Fergusonadf@cs.brown.edu
• Arjun Guha
• Chen Liang
• Rodrigo
Fonseca
• Shriram
Krishnamurthi
Co-
auth
or
s
pane.cs.brown.edu
Brown ↦ Cornell ↦ UMass Amherst
Brown ↦ Duke
Brown
Brown
44
BackupSlides
45
Proof of Correctness
46
Packet:
src 10.0.0.1
dst 10.0.0.2:80
Packet:
src 10.0.0.1
dst 10.0.0.2:80(dstPort = 22, Deny)
(dstIP=10.0.0.2, GMB=30)
(dstPort=80, GMB=10) (srcIP=10.0.0.1, Allow)
AllowGMB=10
++SS
GMB=10GMB=30++PP
GMB=30
Hierarchical Flow Tables
47
Compiler Correctness
48
Coq Proof Assistant
49
Packet:
src 10.0.0.1
dst 10.0.0.2:80
Packet:
src 10.0.0.1
dst 10.0.0.2:80GMB 30compile
Theorem
50
Protocol
51
NewShare aBW for (user=Alice) [reserve <=
10Mb]on rootShare.
PANE
OK
Grant aBW to Alice.
OK
reserve(user=Alice,dstPort=80) = 5Mb on aBW
from now to +10min.
reserve(user=Alice,dstPort=80) = 5Mb on aBW
from now to +10min.
reserve(user=Alice,dstPort=80) = 5Mb on aBW
from now to +10min.
NewShare aBW for (user=Alice) [reserve <=
10Mb]on rootShare.
Root
Alice
52
PANE
reserve(user=Alice,dstPort=80) = 5Mb on aBW
from now to +10min.
53
PANE
reserve(user=Alice,dstPort=80) = 5Mb on aBW
from now to +10min.
54
PANE
reserve(user=Alice,dstPort=80) = 5Mb on aBW
from now to +10min.
55
PANE
reserve(user=Alice,dstPort=80) = 5Mb on aBW
from now to +10min.
56
PANE
reserve(user=Alice,dstPort=80) = 5Mb on aBW
from now to +10min.NO
reserve(user=Alice,dstPort=80) = 5Mb on aBWfrom +20min to +30min.
Alice
57
PANE
reserve(user=Alice,dstPort=80) = 5Mb on aBWfrom +20min to +30min.
58
PANE
reserve(user=Alice,dstPort=80) = 5Mb on aBWfrom +20min to +30min.
59
PANE
reserve(user=Alice,dstPort=80) = 5Mb on aBWfrom +20min to +30min.
60
PANE
reserve(user=Alice,dstPort=80) = 5Mb on aBW
from now to +10min.NO
reserve(user=Alice,dstPort=80) = 5Mb on aBWfrom +20min to +30min.
OKAlice
61
NewShare aAC for (dstHost=10.0.0.2) [deny =
True]on rootShare.
PANE
OK
Grant aAC to Alice.
OK
10.0.0.2Alice
Root
62
10.0.0.3 Eve
PANE
10.0.0.2
deny(dstHost=10.0.0.2, srcHost=10.0.0.3) on
aACfrom now to +5min.
OK
Alice
63
Netflix
64
6565
66
67
68
69
Datacenter
70
Based on “Delusional Boot: Securing Cloud Hypervisors without Massive Re-Engineering” (EuroSys 2012)
ProductionPlatform
BootService
71
Based on “Delusional Boot: Securing Cloud Hypervisors without Massive Re-Engineering” (EuroSys 2012)
ProductionPlatform
BootService
72
Based on “Delusional Boot: Securing Cloud Hypervisors without Massive Re-Engineering” (EuroSys 2012)
ProductionPlatform
BootService
73
Based on “Delusional Boot: Securing Cloud Hypervisors without Massive Re-Engineering” (EuroSys 2012)
ProductionPlatform
BootService
74
Enterprise
75
76
77
78
79
A problem in the datacenter
80
81
82
Participatory
Networking
8383Ken Thompson & Dennis Ritchie
Jon Postel
8585
86
Safe?Secure? Fair?Loop freedom
?
Participatory
NetworkingBlack holes?
Recommended