OpenState demo @ ONS/SOSR 2015

OpenState(demoSOSR$‘15,$Santa$Clara$(CA),$USA

OpenState$5 Statefull$SDN$data$plane

Stateless(vs.(Stateful in(SDN


Switch

Stateless

Controller

Global$+$local$states

Switch

Local$states

Controller

Global$states

Control

enforcing

Control

delegation

Stateless/data/plane/model

(e.g./OpenFlow)Stateful/data/plane/model

SMART!

DUMB! SMART!

SMART!

Auto5adaption

Event

notifications

“Almost/classic”/OpenFlowOpenState

OpenState(architecture


pkt headers+ next_state + timeouts

………

timeouts

n/a…

…

DEFAULT

…

✳ "any#

…

statekey

…

……

……

Key extractor<lookup-scope>

Key extractor<update-scope>

State table Flow table

pkt headerspkt headers+ state

pkt headers+ actions

………

…

actions

…… …

……

headers statematch

set_state(…)

OpenState(pipeline


Table 0 Table 1 Table 2 Table N…

Controller

packets

1)/Set/stateful configuration/flag

2)/Set/lookupHscope

3)/Set/updateHscope

OpenState

stateful stage

Classic/OpenFlow/

table/(stateless)

Tables$are$stateless/at/switch/boot.

The$controller$can$then$configure$one$

or$more$tables$as$stateful.

Flow(scope(/(key(extractors

• Used$to$match$the$state$table

• Lookup$and$update$phase• Input:$packet$headers• Output:$variable$length$bit$sequence

• Concatenated$header$fields• Scope$=$ordered$list$of$header$fields

• E.g.${ip_src}$→$32$bit$key

• E.g.${eth_src,$eth_dst}$→$96$bit$key


Key extractor<scope>

pkt headers key

Lookup/update(scope


pkt headers + next_state

…

DEFAULT

…

✳

…

statematch key

…

……

……

Key extractor<lookup-scope>

Key extractor<update-scope>

State table Flow table

pkt headerspkt headers+ state

pkt headers+ actions

………

…

actions

…… …

……

headers statematch fields

SET_STATE next-state

flow-modCONTROLLER

state-modSame/packet/headers/can/lookup/update/different/state/entries

Example(applicationsImplementation$details$&$demo


Distant(failure(recovery…or,$how$to$use$tags$to$perform$simple$switch5to5switch$signaling


Weak!$What$if$a$

local$reroute$in$not$

available?

1 2

7 8

PKT primary path

3 4 5 6

“FastHfailover”:

Local$reroute$based$

on$port$status

(OpenFlow 1.1+)

Failure(recovery(in(OpenFlow


Backup/path

Link/status

change

1 2

7 8

PKT

3 4 5 6

Failure(recovery(in(OpenFlow..(Weak!

Can$rely$on$controller$intervention,$but:

• Long$recovery$latency• detection$+$signaling$+$flow$update

• Failure$of$control$channel$(controller$unreachable)• Signaling$congestion$(controller$unresponsive)


controller

Flow/entries

update

⚠️ Single/point/of/failure!

Failure(recovery(with(OpenState

• Signaling$using$same$data$packets

• Tag$=$unreachable$node$

• Packets$“bounced$back”$until$a$convenient$redirect$point

• Flow5states$used$to$update$the$routing


! No/extra/signaling/

! No/packet/loss/after/failure/detection

! Controller/not/involved

1 2 3 4 5

7 8

6

PKT

TAG PKT

match tagstate transition!

//port down

Failure(recovery(

Example

1 2

7 8

PKT

state = 0

primary path

3 4 5 6

Normal/conditions/(no/failures)

Match Instructionssrc=1, dst=6, state=0 fwd(3)… …… …

Key State… …… …* (any) 0

lookup5scope=[eth_src,$eth_dst]

update5scope=[eth_src,$eth_dst]

State'table Flow'table

L2$flows

Failure(recovery(

ExamplePackets/“bounced/back”/in/case/of/failure

Match Instructionssrc=1, dst=6 group(A)… …… …

ID Type Action bucketsA FAST-FAILOVER <output(2)>,

<push_tag(F4), output(1)>,… … …

Group table

1 2 3 4 5

7 8

6

PKT

F4 PKT

match tag F4state → F4

//port down

1 2 3 4 5

7 8

6

PKT

F4 PKT

match tag F4state → F4

//port down

Failure(recovery(

Example


0 Fi(link i down)

Pi(link i probe)

tag=Fi<fwd(detour i-th)>

any packet<push_tag(Fi), fwd(detour i-th)>

hard_timeout=δ

any packet<push_tag(Fi), fwd(detour i-th)><push_tag(Pi); fwd(primary path)>

tag=Pi<drop()>

any packet<fwd(primary path)>

… …

State/transition/at/a/predetermined/reroute/node

Match Instructions… …… …tag=F4 set_state(F4, hard_to=10s,

hard_rollback=P4)fwd(7)

… …

1 2 3 4 5

7 8

6

PKT

F4 PKT

PKT

//detour 4state = F4

Failure(recovery(

Example


0 Fi(link i down)

Pi(link i probe)



hard_timeout=δ


tag=Pi<drop()>


… …

Detour/path/enabled

Match Instructions… …src=1, dst=6, state=F4 push_tag(F4), fwd(7)… …… …

1 2 3 4 5

7 8

6

PKT P4 PKT

timeoutstate → P4

F4 PKT

//drop

Failure(recovery(

Example


0 Fi(link i down)

Pi(link i probe)



hard_timeout=δ


tag=Pi<drop()>


… …

State/hard/timeout/to/generate/probe/packets

Match… …… …… …src=1, dst=6, state=P4 set_state(F4, hard_to=10s,

hard_rollback=P4),<push_tag(F4), fwd(7)><push_tag(P4), fwd(3)>

1 2 3 4 5

7 8

6

PKT

P4 PKT

match tag P4state → 0

drop

Failure(recovery(

Example


0 Fi(link i down)

Pi(link i probe)



hard_timeout=δ


tag=Pi<drop()>


… …

Primary/path/reHestablished

Match… …… …… …… …tag=P4 set_state(0), drop()

Failure(recovery(

Example


1 2

7 8

PKT

state = 0

primary path

3 4 5 6

Failure/solved

Match Instructionssrc=1, dst=6, state=0 fwd(3)… …… …

Failure(recovery(

Demo(setup


primary

1 2 3 4 5

7 8

6

TAG=16

TAG=17tcpdump

//port down

TAG=100

fault/detour

probe

tcpdump

state tabledump

DDoS(mitigation(building(blocks


• GOAL:/measure/the/rate/of/new/flows/toward/a/given/target

1. Block$new$connections$initiated$after$a$given$threshold$is$reached$

2. Keep$forwarding$of$all$previous$connections$

• From$this$simple$mechanism$we$can$create$a/more/complex/DDoS

detection/and/mitigation/scenario

Threshold[new flows per second] Drop flows over rate

drop

Maintainpre-existing flows

OpenState switch

B

DDoS building(blocks


2/stateful stages

1. Measurement/stage

A. All$“first$packets”$of$any$TCP$flows$are$given$as$input$ to$a$DSCP$meter

B. The$flow$state$is$changed$from$0$(i.e.$new$flow)$to$1$

C. If$the$meter$exceeds$a$threshold$ the$packet$is$marked

2. Forwarding/stage/

A. The$first$packet$of$a$new$flow$set$the$verdict$for$that$flow

B. If$the$packet$is$not$marked$ the$flow$status$is$set$to$0$(i.e.$a$flow$generated$

in$a$normal$state)

C. If$the$packet$is$marked$ the$flow$status$is$set$to$1$(i.e.$$A$flow$generated$

after$the$threshold$ is$reached)

D. All$packets$$whose$flow$is$in$state$1$are$DROPED,$FORWARDED$otherwise

DDoS

Behavioral(model


0 1

ip_dst=B<meter(1), go_to(1)>

dst_ip=B<go_to(1)>

idle_timeout=5s

Stage 0

0 1

dscp=1<drop>

any packet<drop>

idle_timeout=5s

dscp=0<fwd(B)>DSCP remark meter

<10 pps>state=0

state=1

First packet of a new flow

Stage 1

state=1 drop

state=0pkt

BA

port 1 port 2

DDoS

Table(configurationStage(1:(Measurement


Match Instructions/Actions

First packet'of'a'TCP'flow'towards'B ip_dst=B,$state=0$ set_state(1, idle_to=5s);

meter(1);$goto(1)

Subsequent'packets towards'B ip_dst=B,$state=1 go_to(1)

Packet'towards A ip_dst=A output(1)

Flow/table/(table_id/=/0)

Key/extractors:

Lookup5scope$=${ip_src,$ip_dst,$tcp_src,$tcp_dst}

Update5scope$=${ip_src,$ip_dst,$tcp_src,$tcp_dst}Flow/identification:

L35L4$45tuple

DDoS

Table(configurationStage(2:(Forwarding


Match Instructions/Actions

First packet$of$a$TCP$flow$$when$

destination$ is$already$$“under$attack”

dscp=1 set_state(1, idle_to=5s);

drop()

Subsequent$ packets of$a$TCP$flow$when$

destination$ is$already$“under$$attack”

dscp=0, state=1 drop()

Packets$of$a$flow$

generated “before$the$attack”$

dscp=0, state=0 output(2)

Flow/table/(table_id/=/1)

Key/extractors:

Lookup5scope$=${ip_src,$ip_dst,$tcp_src,$tcp_dst}

Update5scope$=${ip_src,$ip_dst,$tcp_src,$tcp_dst}

Documents

OpenState demo @ ONS/SOSR 2015