How (Not) to Shoot in Your Foot with SDN Local Fast ... · Local fast failover E.g., since OpenFlow 1.1 (but already MPLS,...) Failover in data plane: given failed incident links,

How (Not) to Shoot in Your Footwith SDN Local Fast Failover

A Load-Connectivity Tradeoff

Michael Borokhovich, Stefan Schmid

Communication Systems Engineering, Ben-Gurion University, Israel

Internet Network Architectures, TU Berlin & T-Labs, Germany

OPODIS 2013Nice, France

Motivation: SDN Local Fast Failover

Michael Borokhovich How (Not) to Shoot in Your Foot with SDN Local Fast Failover Slides by Stefan Schmid 1 / 12

Failures: a disadvantage of OpenFlow?

Indirection via controller (reactive control)an overhead?Or even full disconnect from controller?

Local fast failover

E.g., since OpenFlow 1.1 (but alreadyMPLS,...)Failover in data plane: given failedincident links, decide what to do with flow(header, failed links) −→ (backup port)React quickly, controller can improvelater!

Threat: local failover may introduce loopor be inefficient in other ways (high load)

How not to shoot in your foot?!



Failures: a disadvantage of OpenFlow?Indirection via controller (reactive control)an overhead?Or even full disconnect from controller?

Local fast failover

E.g., since OpenFlow 1.1 (but alreadyMPLS,...)Failover in data plane: given failedincident links, decide what to do with flow(header, failed links) −→ (backup port)React quickly, controller can improvelater!






Local fast failoverE.g., since OpenFlow 1.1 (but alreadyMPLS,...)Failover in data plane: given failedincident links, decide what to do with flow(header, failed links) −→ (backup port)React quickly, controller can improvelater!















Model: General Failover Rules


Flows can be treatedindividually!Depending on failure set,(A,C) is forwarded differently!

if (B,C) fails:fwd (A,C) to port 3fwd (A,D) to port 2

if (B,C) and (B,D) fail:fwd (A,C) to port 2fwd (A,D) to port 2fwd (E,D) to port 1








Flows can be treatedindividually!

Depending on failure set,(A,C) is forwarded differently!










Flows can be treatedindividually!

Depending on failure set,(A,C) is forwarded differently!



Model: Destination-Based Failover Rules



if (B,C) and (B,D) fail:fwd (A,C) to port 2fwd (A,D) to port xfwd (E,D) to port x

Same destination requiressame forwarding port.

Model: Destination-Based Failover Rules



if (B,C) and (B,D) fail:fwd (A,C) to port 2fwd (A,D) to port xfwd (E,D) to port x

Same destination requiressame forwarding port.

Negative Result: You must shoot in your foot!


if Event then try otherport (set of failures,per flow, ...)


Loop!

Unnecessary: Manypaths left!But do not knowremote state...

A simple example: full mesh (clique) & all-to-one communication





Loop!







Loop!







Loop!







Loop!







Loop!







Loop!





TheoremNo local failover scheme can tolerate n − 1 or more linkfailures, even though the graph is still n/2-connected.

How bad can it get?

Proof idea:

Fail any link which would directly leadto destination node v until (n/2− 1)links failed

Fail links from x to (n − n/2) othernodes

x only has links to already visitednodes: loop unavoidable!

But all nodes still have degree at leastn/2− 1 (x and v have the lowest)

(n/2− 1) failurestowards v

(n − n/2) failuresfrom x




How bad can it get?

Proof idea:










How bad can it get?

Proof idea:










How bad can it get?

Proof idea:










How bad can it get?

Proof idea:









TheoremFor any local failover scheme, there exists a failure scenariowhich uses ϕ failures and yields max link load of at least

√ϕ,

while the mincut is at least n − ϕ− 1.

Another consequence: high load!

TheoremFor any local destination-based failover scheme, there existsa failure scenario which uses ϕ failures and yields max linkload of at least ϕ, while the mincut is still at least n − ϕ− 1.

If rules failover destination-based only, the load is much higher.




√ϕ,








√ϕ,








√ϕ,







Theorem

For any local failover scheme, there exists a failure scenariowhich yields max link load of at least

√ϕ.

Consider the following failover paths:

(vi → vn), now let’s fail (vi , vn)

(vi → · · · → v1i → vn), now let’s fail (v1

i , vn)

(vi → · · · → v1i → · · · → v2

i → vn),

. . .

(vi → · · · → v1i → · · · → v2

i → · · · → vϕi → vn).

The last hop v ji (j ∈ [1, . . . , ϕ]) is unique for every path.

Consider the set Ai = {vi , v1i , . . . , v

√ϕ

i } (set of possible last hops on the path to vn).

Consider a multiset of∣∣⋃

i Ai∣∣ = (n − 1)(

√ϕ+ 1) nodes.

By a counting argument, there exists a node x ∈⋃

i Ai which appears in at least√ϕ sets Ai .

For each such Ai , the adversary can route vi → vn via x by failing links to vn.

The adversary will fail√ϕ×√ϕ = ϕ links incident to vn; load of link (x , vn) becomes

√ϕ.

vn

vi

vn

v1i

vi

vn

v1i

vi

v2i

vn

v1i

v3i

vi

v2i



Theorem


√ϕ.




i , vn)

(vi → · · · → v1i → · · · → v2

i → vn),

. . .

(vi → · · · → v1i → · · · → v2

i → · · · → vϕi → vn).



√ϕ



i Ai∣∣ = (n − 1)(

√ϕ+ 1) nodes.





√ϕ.

vn

vi

vn

v1i

vi

vn

v1i

vi

v2i

vn

v1i

v3i

vi

v2i



Theorem


√ϕ.




i , vn)

(vi → · · · → v1i → · · · → v2

i → vn),

. . .

(vi → · · · → v1i → · · · → v2

i → · · · → vϕi → vn).



√ϕ



i Ai∣∣ = (n − 1)(

√ϕ+ 1) nodes.





√ϕ.

vn

vi

vn

v1i

vi

vn

v1i

vi

v2i

vn

v1i

v3i

vi

v2i



Theorem


√ϕ.




i , vn)

(vi → · · · → v1i → · · · → v2

i → vn),

. . .

(vi → · · · → v1i → · · · → v2

i → · · · → vϕi → vn).



√ϕ



i Ai∣∣ = (n − 1)(

√ϕ+ 1) nodes.





√ϕ.

vn

vi

vn

v1i

vi

vn

v1i

vi

v2i

vn

v1i

v3i

vi

v2i



Theorem


√ϕ.




i , vn)

(vi → · · · → v1i → · · · → v2

i → vn),

. . .

(vi → · · · → v1i → · · · → v2

i → · · · → vϕi → vn).



√ϕ



i Ai∣∣ = (n − 1)(

√ϕ+ 1) nodes.





√ϕ.

vn

vi

vn

v1i

vi

vn

v1i

vi

v2i

vn

v1i

v3i

vi

v2i



Theorem


√ϕ.




i , vn)

(vi → · · · → v1i → · · · → v2

i → vn),

. . .

(vi → · · · → v1i → · · · → v2

i → · · · → vϕi → vn).



√ϕ



i Ai∣∣ = (n − 1)(

√ϕ+ 1) nodes.





√ϕ.

vn

vi

vn

v1i

vi

vn

v1i

vi

v2i

vn

v1i

v3i

vi

v2i



Theorem


√ϕ.




i , vn)

(vi → · · · → v1i → · · · → v2

i → vn),

. . .

(vi → · · · → v1i → · · · → v2

i → · · · → vϕi → vn).



√ϕ



i Ai∣∣ = (n − 1)(

√ϕ+ 1) nodes.





√ϕ.

vn

vi

vn

v1i

vi

vn

v1i

vi

v2i

vn

v1i

v3i

vi

v2i



Theorem


√ϕ.




i , vn)

(vi → · · · → v1i → · · · → v2

i → vn),

. . .

(vi → · · · → v1i → · · · → v2

i → · · · → vϕi → vn).



√ϕ



i Ai∣∣ = (n − 1)(

√ϕ+ 1) nodes.





√ϕ.

vn

vi

vn

v1i

vi

vn

v1i

vi

v2i

vn

v1i

v3i

vi

v2i



Theorem


√ϕ.




i , vn)

(vi → · · · → v1i → · · · → v2

i → vn),

. . .

(vi → · · · → v1i → · · · → v2

i → · · · → vϕi → vn).



√ϕ



i Ai∣∣ = (n − 1)(

√ϕ+ 1) nodes.





√ϕ.

vn

vi

vn

v1i

vi

vn

v1i

vi

v2i

vn

v1i

v3i

vi

v2i



Theorem


√ϕ.




i , vn)

(vi → · · · → v1i → · · · → v2

i → vn),

. . .

(vi → · · · → v1i → · · · → v2

i → · · · → vϕi → vn).



√ϕ



i Ai∣∣ = (n − 1)(

√ϕ+ 1) nodes.





√ϕ.

vn

vi

vn

v1i

vi

vn

v1i

vi

v2i

vn

v1i

v3i

vi

v2i



Theorem


√ϕ.




i , vn)

(vi → · · · → v1i → · · · → v2

i → vn),

. . .

(vi → · · · → v1i → · · · → v2

i → · · · → vϕi → vn).



√ϕ



i Ai∣∣ = (n − 1)(

√ϕ+ 1) nodes.





√ϕ.

vn

vi

vn

v1i

vi

vn

v1i

vi

v2i

vn

v1i

v3i

vi

v2i



Theorem


√ϕ.




i , vn)

(vi → · · · → v1i → · · · → v2

i → vn),

. . .

(vi → · · · → v1i → · · · → v2

i → · · · → vϕi → vn).



√ϕ



i Ai∣∣ = (n − 1)(

√ϕ+ 1) nodes.





√ϕ.

vn

vi

vn

v1i

vi

vn

v1i

vi

v2i

vn

v1i

v3i

vi

v2i



Theorem

For any local destination-based failover scheme, there existsa failure scenario which yields max link load of at least ϕ.

Why worse for destination-based? Intuition:

At B, flow (A,C) getscombined with flow (B,C)and never splits again. Etc.!

Positive Result: Make the best out of the situation!


A general failover scheme:

δ1,1, δ1,2, . . . , δ1,n−2

. . .

δi,1, δi,2, . . . , δi,n−2

. . .

δn−1,1, δn−1,2, . . . , δn−1,n−2

Matrix δi,j : if node vi cannot reach destination directly,try node δi,1; if not reachable either, try node δi,2, ...

Choosing random permutations:

Theorem

Random Failover Scheme (RFS) can tolerate ϕ failures (0 < ϕ < n)with load no more than

√ϕ log n.




δ1,1, δ1,2, . . . , δ1,n−2

. . .

δi,1, δi,2, . . . , δi,n−2

. . .

δn−1,1, δn−1,2, . . . , δn−1,n−2



Theorem


√ϕ log n.




δ1,1, δ1,2, . . . , δ1,n−2

. . .

δi,1, δi,2, . . . , δi,n−2

. . .

δn−1,1, δn−1,2, . . . , δn−1,n−2



Theorem


√ϕ log n.



Can also be achieved deterministically, as long as numberof failures bounded by log n:

δ1,1, δ1,2, . . . , δ1,n−2

. . .

δi,1, δi,2, . . . , δi,n−2

. . .

δn−1,1, δn−1,2, . . . , δn−1,n−2

1, 2, 4, 8, . . . ,(

0 + 2blog nc)

mod n

2, 3, 5, 9, . . . ,(

1 + 2blog nc)

mod n

3, 4, 6, 10 . . . ,(

2 + 2blog nc)

mod n

. . .

−→δi,j = (i − 1) + 2j−1

Theorem

Deterministic Failover Scheme (DFS) can tolerate ϕ failures(0 < ϕ < log n) with load no more than

√ϕ.

Proof idea:

There are no repetitions in the matrix columns. Thus any node appearsexactly once at the first position, exactly once at the second, and so on...

For any node index `, all `-prefixes (sets of indices preceding ` in thesequences) are disjoint.




δ1,1, δ1,2, . . . , δ1,n−2

. . .

δi,1, δi,2, . . . , δi,n−2

. . .

δn−1,1, δn−1,2, . . . , δn−1,n−2

1, 2, 4, 8, . . . ,(

0 + 2blog nc)

mod n

2, 3, 5, 9, . . . ,(

1 + 2blog nc)

mod n

3, 4, 6, 10 . . . ,(

2 + 2blog nc)

mod n

. . .

−→δi,j = (i − 1) + 2j−1

Theorem


√ϕ.

Proof idea:






δ1,1, δ1,2, . . . , δ1,n−2

. . .

δi,1, δi,2, . . . , δi,n−2

. . .

δn−1,1, δn−1,2, . . . , δn−1,n−2

1, 2, 4, 8, . . . ,(

0 + 2blog nc)

mod n

2, 3, 5, 9, . . . ,(

1 + 2blog nc)

mod n

3, 4, 6, 10 . . . ,(

2 + 2blog nc)

mod n

. . .

−→δi,j = (i − 1) + 2j−1

Theorem


√ϕ.

Proof idea:



Simulations: Beyond Worst-Case Failures


2

10

100

60000 120000 180000

MA

X L

OA

D

NUM OF FAILED LINKS

n=500, single dest, random attack

ROBRFSDFS

Better in reality (i.e., under random failures):

ROB is a simple destination-basedscheme.

In ROB, when a link fails, use nextavailable link.

Only small fraction of links highly loaded:

1

10

100

1000

10 100 1

FR

EQ

LOAD

n=500, single dest, eclipse, 150 failures

ROBRFSDFS

1

10

100

1000

10000

10 100 1

FR

EQ

LOAD


ROBRFS

Simulations: Beyond Worst-Case Failures


2

10

100

60000 120000 180000

MA

X L

OA

D

NUM OF FAILED LINKS

n=500, single dest, random attack

ROBRFSDFS

Better in reality (i.e., under random failures):

ROB is a simple destination-basedscheme.

In ROB, when a link fails, use nextavailable link.

Only small fraction of links highly loaded:

1

10

100

1000

10 100 1

FR

EQ

LOAD


ROBRFSDFS

1

10

100

1000

10000

10 100 1

FR

EQ

LOAD


ROBRFS

Summary


How to shoot in your foot:

No local failover scheme can tolerate more than n − 1 failures.Any local failover scheme can yield a max load of

√ϕ, where ϕ < n.

Any destination-based local failover scheme can yield a max load of ϕ,where ϕ < n.

How not to shoot in your foot:

Random local failover scheme (RFS) yields a max load of at most√ϕ log n, where ϕ ≤ n.

Deterministic local failover scheme (DFS) yields a max load of at most√ϕ, where ϕ ≤ log n.

A simple destination-based local failover scheme (ROB) performs wellunder random failures.

Extensions and future work:

For random failures, RFS yields a max load of at most√ϕ.

All-to-all communication.

THANK YOU!

Summary













THANK YOU!

Summary













THANK YOU!

Summary













THANK YOU!

Documents

How (Not) to Shoot in Your Foot with SDN Local Fast ... · Local fast failover E.g., since OpenFlow 1.1 (but already MPLS,...) Failover in data plane: given failed incident links,