Motivation The Problem Our Solution Conclusion
Efficient Network Policy Enforcement for Heterogeneous Data Centres
Posco Tso | @drscake | http://www.poscotso.com
This work is to appear in IFIP/IEEE IM 2017
Outline
1 Motivation
2 The Problem
3 Our Solution
4 Conclusion
Posco Tso Hooc 1
Two strands of research
1 Low-power & low-cost (Raspberry Pi) cloud
  - 'scale' model
  - simulation
  - 'small' big data
  - edge computing
2 Data centre networking
  - server management
  - traffic engineering & scheduling
  - network policy management
  - big data systems
  - building trust
Efficient Network Policy Enforcement for Heterogeneous Data Centres
Network policies
All networks, including cloud data centre networks, are governed by high-level policies derived from network-wide requirements. Upon deployment, a high-level policy is realised as a chain of low-level traffic processing rules, e.g. forward, drop, modify etc.
"We must ensure file servers are not overloaded, free from external traffic and only reachable through TCP port 80"
[Figure: the policy realised as a chain from the Internet through Firewall, Router, Firewall and Load balancer to the File servers on the Intranet]
Efficient Network Policy Enforcement for Heterogeneous Data Centres
Data centre topology
Spine-leaf structure, consisting of network switches and servers ... anything else?
Network functions
Data centres – enterprise, cloud or service provider – deploy network function boxes
- at various points in the network topology (exactly where?)
- to provide a range of network functions that enforce network policies, e.g. firewall, load balancer, proxy, video transcoder, intrusion detection/prevention system (IDS/IPS), etc.
NFBs at various points in the network topology - Example
We trust no one on the Internet – we employ a firewall to protect our internal networks.
NFBs at various points in the network topology - Example
Some malicious traffic might have been disguised as legitimate traffic – we employ an Intrusion Detection System to scrutinise traffic.
NFBs at various points in the network topology - Example
Once traffic is clean, we need to distribute the workload using load balancer(s).
NFBs at various points in the network topology - Example
Network function boxes could exist at the core, aggregation and/or edge layer ... and somewhere else?
NFBs at various points in the network topology - Example
Network functions can also be deployed in network switches (see Software Defined Networking) and on general purpose servers (see Network Function Virtualisation).
Network functions & network function boxes
- Network function boxes (NFBs) are physical elements
- Network functions are software running atop one or more NFBs
[Figure: (a) Hardware NFB – three dedicated boxes, one each running FW, LB and IDS. (b) General purpose server as NFB – one server hosting VM1, VM2 and VM3, which run FW, LB and IDS]
Heterogeneity in data centres
Two dimensions of heterogeneity for NFBs:
1 location – in the network and on servers
[Figure: NF instances (FW, LB, Mon, IPS) hosted on three kinds of NFB – an NFV server, hardware middleboxes (FW) and OpenFlow switches (LB, Mon, IPS)]
Heterogeneity in data centres
Two dimensions of heterogeneity for NFBs:
2 performance – physical and virtual form factors
[Figure: CDFs of round trip time. (c) NAT on virtual NFB: pfSense 1 vCPU with 2 GB vs 4 GB RAM, RTT 0–5 ms. (d) IDS/IPS on virtual NFB: Snort 1 vCPU with 2 GB vs 4 GB RAM, RTT 0–12 s. (e) NAT on virtual NFB: pfSense 1 vCPU, pfSense 2 vCPUs, and hardware (Pronto 3295) for comparison, RTT 0–5 ms. (f) IDS/IPS on virtual NFB: Snort 1 vCPU vs 2 vCPUs, RTT 0–10 s]
Variance in the locations and form factors of NFBs can have a significant impact on network policy enforcement.
Heterogeneous Network Policy Enforcement problem
Definition
Given the set of flows F, policies P, NFBs B and delay matrix D, we need to find an appropriate allocation of network functions A which minimises the total expected end-to-end delay of the network, where T(p_k) is the expected end-to-end delay of the chain enforcing policy p_k:

$$\min \sum_{p_k \in P} T(p_k)$$

$$\text{s.t.}\quad p_k \text{ is satisfied},\ \forall p_k \in P$$

$$A(n_i) \neq \emptyset \ \wedge\ |A(n_i)| = 1,\ \forall n_i \in p_k.\mathrm{chain},\ \forall p_k \in P$$

$$\sum_{n_i \in A(b_j)} n_i.\mathrm{cap} < b_j.\mathrm{cap},\ \forall b_j \in B \qquad (1)$$

That is, every policy is enforced, every network function in a policy's chain is placed on exactly one NFB, and the functions placed on an NFB do not exhaust its capacity.
So we want to minimise end-to-end latency
- Latency = Transmission delay + Propagation delay + Processing delay + Queuing delay
- Transmission delay + Propagation delay are negligible in a data centre environment, as link speeds are high (tens of µs).
- Processing delay: $t_s^i = 1 / n_i.\mathrm{cap}$, where $n_i.\mathrm{cap}$ is the processing capacity of network function $n_i$.
- Queuing delay (the M/D/1 mean waiting time, with utilisation $\rho = \lambda_i t_s^i$ for arrival rate $\lambda_i$; only meaningful while $\rho < 1$):

$$t_w^i = \frac{t_s^i\,\rho}{2(1-\rho)} = \frac{\lambda_i\,(t_s^i)^2}{2(1-\lambda_i t_s^i)}$$
Example of service chain network with length of 3
- We can construct a Service Chain Network, G, for a policy $p_i$: a layered graph whose nodes are the candidate NFBs for each function in the chain, placed between a source (f.src) and a sink (f.dst).
- Edges are delays: an edge from u to v weighs D(u, v) + tp(v), the delay between the two NFBs plus the time spent at v; edges into the sink carry D(b, f.dst) only.
[Figure: service chain network of length 3 for a flow f: Source (f.src) → {b_i, b_j} → {b_m, b_n} → {b_x, b_y} → Sink (f.dst), with edge weights such as D(f.src, b_i) + tp(b_i), D(b_i, b_m) + tp(b_m), D(b_j, b_n) + tp(b_n), D(b_m, b_x) + tp(b_x), D(b_n, b_y) + tp(b_y), D(b_x, f.dst) and D(b_y, f.dst)]
The route with the smallest expected latency for a flow is the shortest path from source to sink.
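The delay model (processing plus M/D/1 queuing) and the service chain network above, as an added example in Python that is not the Hooc implementation from the paper: the per-hop cost is t_s + t_w, the candidate NFBs for each function form one layer of a graph between source and sink, and Dijkstra returns the placement with the smallest expected latency. A hop-by-hop greedy pass is included for contrast. The NFB names, capacities, flow rate and delay matrix D are constructed inputs; the capacity check applies constraint (1) per instance and does not track two instances of the same chain landing on one box, a simplification of this example.

```python
import heapq
import math

def processing_delay(cap):
    """t_s = 1 / cap, cap in packets per second."""
    return 1.0 / cap

def queuing_delay(cap, lam):
    """M/D/1 mean wait t_w = lam * t_s^2 / (2 (1 - rho)), rho = lam * t_s; inf once rho >= 1."""
    t_s = processing_delay(cap)
    rho = lam * t_s
    return math.inf if rho >= 1.0 else lam * t_s * t_s / (2.0 * (1.0 - rho))

def tp(cap, lam):
    """Per-hop processing term tp(b) = t_s + t_w carried by every edge entering an NF node."""
    return processing_delay(cap) + queuing_delay(cap, lam)

def link_delay(D, u, v):
    """Delay-matrix lookup: D is a dict keyed by (u, v), symmetric, zero inside one box."""
    return 0.0 if u == v else D.get((u, v), D.get((v, u), math.inf))

def feasible(fn, instances, boxes, used):
    """Instances of function fn whose box still has spare capacity for them (constraint (1))."""
    return [n for n, (f, box, cap) in instances.items()
            if f == fn and used.get(box, 0.0) + cap < boxes[box]]

def build_service_chain_network(chain, instances, boxes, used, D, src, dst, lam):
    """Layered DAG src -> chain[0] instances -> ... -> chain[-1] instances -> dst, with edge
    u->v weighing D(u, v) + tp(v) and edges into the sink weighing D(u, dst) only."""
    adj, prev = {}, [("src", src)]              # prev holds (node, physical location)
    for li, fn in enumerate(chain):
        cur = []
        for name in feasible(fn, instances, boxes, used):
            _, box, cap = instances[name]
            node, cost = (li, name), tp(cap, lam)
            for pn, ploc in prev:
                adj.setdefault(pn, []).append((node, link_delay(D, ploc, box) + cost))
            cur.append((node, box))
        prev = cur
    for pn, ploc in prev:
        adj.setdefault(pn, []).append(("dst", link_delay(D, ploc, dst)))
    return adj

def shortest_path(adj, start="src", goal="dst"):
    """Dijkstra from source to sink; returns (expected latency, node path)."""
    dist, pq, seq = {start: 0.0}, [(0.0, 0, start, [start])], 0
    while pq:
        d, _, u, path = heapq.heappop(pq)
        if u == goal:
            return d, path
        if d > dist[u]: continue                 # stale heap entry
        for v, w in adj.get(u, []):
            if d + w < dist.get(v, math.inf):
                dist[v], seq = d + w, seq + 1
                heapq.heappush(pq, (d + w, seq, v, path + [v]))
    return math.inf, []

def allocate(chain, instances, boxes, used, D, src, dst, lam):
    """Minimum expected latency placement for one flow; books the capacity it consumes."""
    adj = build_service_chain_network(chain, instances, boxes, used, D, src, dst, lam)
    total, path = shortest_path(adj)
    placement = [node[1] for node in path if isinstance(node, tuple)]
    for name in placement:
        _, box, cap = instances[name]
        used[box] = used.get(box, 0.0) + cap
    return total, placement

def greedy(chain, instances, boxes, used, D, src, dst, lam):
    """Hop-by-hop baseline: cheapest next hop from the current location, blind to the rest."""
    loc, total, placement = src, 0.0, []
    for fn in chain:
        cands = [(link_delay(D, loc, instances[n][1]) + tp(instances[n][2], lam), n)
                 for n in feasible(fn, instances, boxes, used)]
        if not cands:
            return math.inf, []
        cost, name = min(cands)
        total, loc, placement = total + cost, instances[name][1], placement + [name]
    return total + link_delay(D, loc, dst), placement

LAM = 5000.0        # constructed inputs (illustrative only): packets/s offered by the flow
BOXES = {"mb1": 200000.0, "sw1": 100000.0, "srv1": 60000.0, "srv2": 60000.0}
INSTANCES = {"fw-hw": ("FW", "mb1", 100000.0), "fw-vm": ("FW", "srv1", 20000.0),
             "ids-vm1": ("IDS", "srv1", 10000.0), "ids-vm2": ("IDS", "srv2", 6000.0),
             "lb-sw": ("LB", "sw1", 50000.0), "lb-vm": ("LB", "srv2", 20000.0)}
D = {("edge", "mb1"): 20e-6, ("edge", "srv1"): 20e-6, ("edge", "sw1"): 10e-6,     # seconds
     ("edge", "srv2"): 30e-6, ("mb1", "srv1"): 120e-6, ("mb1", "srv2"): 120e-6,
     ("srv1", "srv2"): 40e-6, ("srv1", "sw1"): 20e-6, ("srv2", "sw1"): 20e-6,
     ("mb1", "sw1"): 20e-6, ("sw1", "rack3"): 10e-6, ("srv1", "rack3"): 30e-6,
     ("srv2", "rack3"): 30e-6, ("mb1", "rack3"): 40e-6}  # hardware FW sits far from both IDS hosts

def run_example():
    """Place FW -> IDS -> LB for one flow from the edge to rack3, optimally and greedily."""
    chain, used = ["FW", "IDS", "LB"], {}
    sp = allocate(chain, INSTANCES, BOXES, used, D, "edge", "rack3", LAM)
    gr = greedy(chain, INSTANCES, BOXES, {}, D, "edge", "rack3", LAM)
    return {"shortest_path": sp, "greedy": gr, "used": used}

if __name__ == "__main__":
    print(run_example())
```

Running `run_example()` shows the point of the shortest-path formulation: the greedy pass takes the hardware firewall because it is the cheapest first hop, then pays 120 µs to reach an IDS; the shortest path accepts the slower VM firewall that shares a server with the IDS and ends up roughly 70 µs lower end to end (about 279 µs against 351 µs). The M/D/1 queuing term grows without bound as the offered load approaches an instance's capacity, which is why `queuing_delay` returns infinity at ρ ≥ 1 instead of a negative number, and why such an instance never appears on a finite-cost path.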
Results – Latency of service chain for length = 4
[Figure: CDF of the latency of the service chain (ms), 0–25 ms, for HOOC and Greedy]
Hooc is 21% better than the state of the art.
Results – Average runtime on testbed
[Figure: average running time (s, log scale from 10^-2 to 10^2) against factor K from 4 to 20, for Greedy, HOOC and constructing the service chain network]
- Hooc is efficient enough for a production data centre.
- A vast amount of the time is spent constructing the cost network G – room for improvement.
Conclusion
- Network functions are ubiquitous in all types of networks.
- SDN and NFV 'softwarise' network provisioning but add complexity too.
- Hooc deploys network policies onto networks by considering all types of network function boxes at all possible locations.
Thank you for listening! Also thanks to @Robert for this lovely beamer template.