Efficient Network Policy Enforcement for Heterogeneous Data Centres

Page 1

Motivation The Problem Our Solution Conclusion

Efficient Network Policy Enforcement for Heterogeneous Data Centres

Posco Tso | @drscake | http://www.poscotso.com

This work is to appear in IFIP/IEEE IM 2017

Page 2

Outline

1 Motivation

2 The Problem

3 Our Solution

4 Conclusion

Page 3

Two strands of research

1 Low-power & Low-cost (Raspberry Pi) Cloud

‘scale’ model, simulation, ‘small’ big data, edge computing

2 Data Centre Networking

server management, traffic engineering & scheduling, network policy management, big data systems, building trust

Page 4

Efficient Network Policy Enforcement for Heterogeneous Data Centres

Page 5

Network policies

All networks, including cloud data centre networks, are governed by high-level policies derived from network-wide requirements. Upon deployment, a high-level policy is realised as a chain of low-level traffic processing rules, e.g. forward, drop, modify etc.

“We must ensure file servers are not overloaded, free from external traffic and only reachable through TCP port 80”

(Figure: Internet, Firewall, Router, Firewall, Load balancer, then the File servers inside the Intranet)
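The policy above, compiled into an ordered match/action chain and checked against sample packets. This is an added example and not code from the talk; the address ranges, the load-balancer VIP and pool, the hash-based pool selection and the packets are all constructed for illustration.

```python
"""Compile a high-level policy into an ordered first-match rule chain.

Added example (not from the talk). The policy is the one on the slide:
file servers must be free from external traffic, reachable only through
TCP port 80, and not overloaded (so traffic is spread by a load balancer).
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing for the example.
INTRANET = ip_network("10.0.0.0/8")
FILE_SERVERS = ip_network("10.1.0.0/24")        # the whole file-server subnet
FILE_SERVER_VIP = ip_network("10.1.0.1/32")     # what clients address
FILE_SERVER_POOL = ["10.1.0.10", "10.1.0.11"]   # real servers behind the LB


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One low-level traffic processing rule: match fields plus an action."""
    name: str
    action: str                       # "forward", "drop" or "modify"
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or ip_address(pkt.src) in self.src)
                and (self.dst is None or ip_address(pkt.dst) in self.dst)
                and (self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport))


def compile_policy() -> List[Rule]:
    """Realise the policy as an ordered, first-match chain.

    Only intranet clients talking to the VIP on tcp/80 are accepted, and
    that rule is a 'modify' (DNAT to a pool member, i.e. the load balancer).
    The drop rule covers the whole file-server subnet, not just the VIP, so
    a client cannot bypass the balancer by addressing a backend directly.
    Order matters: the drop must sit before the catch-all forward.
    """
    return [
        Rule("lb-intranet-http", "modify", src=INTRANET, dst=FILE_SERVER_VIP,
             proto="tcp", dport=80),
        Rule("drop-other-to-fileservers", "drop", dst=FILE_SERVERS),
        Rule("default-forward", "forward"),
    ]


def process(chain: List[Rule], pkt: Packet) -> Tuple[str, str, Packet]:
    """Apply the chain with first-match semantics.

    Returns (matching rule name, resulting action, possibly rewritten packet).
    """
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.action == "modify":
            # Load balancer: rewrite the VIP to a pool member chosen by a
            # deterministic hash of the client address, then forward.
            member = FILE_SERVER_POOL[int(ip_address(pkt.src)) % len(FILE_SERVER_POOL)]
            return rule.name, "forward", replace(pkt, dst=member)
        return rule.name, rule.action, pkt
    raise ValueError("rule chain must end with a catch-all rule")


if __name__ == "__main__":
    chain = compile_policy()
    for p in (Packet("10.0.5.7", "10.1.0.1", "tcp", 80),
              Packet("203.0.113.5", "10.1.0.1", "tcp", 80),
              Packet("10.0.5.7", "10.1.0.10", "tcp", 80)):
        print(p, "->", process(chain, p))
```

The third sample packet (an intranet client addressing a backend directly) is dropped on purpose: the policy is enforced by the subnet-wide drop, and the only way in is the VIP, which the balancer rewrites.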

Page 8

Efficient Network Policy Enforcement for Heterogeneous Data Centres

Page 9

Data centre topology

Spine-leaf structure, consisting of network switches and servers... anything else?

Page 11

Network functions

Data centres – enterprise, cloud or service provider – deploy network function boxes (NFBs)

- at various points in the network topology (exactly where?)
- to provide a range of network functions that enforce network policies, e.g. Firewall, Load balancer, Proxy, Video transcoder, Intrusion Detection/Prevention System (ID/PS), etc.

Page 12

NFBs at various points in the network topology - Example

We trust no one on the Internet – we employ a firewall to protect our internal networks.

Page 13

NFBs at various points in the network topology - Example

Some malicious traffic might have been disguised as legitimate traffic – we employ an Intrusion Detection System to scrutinise traffic.

Page 14

NFBs at various points in the network topology - Example

With clean traffic, we now need to distribute the workload using load balancer(s).

Page 15

NFBs at various points in the network topology - Example

Network function boxes could exist at the core, aggregation and/or edge layer... and somewhere else?

Page 17

NFBs at various points in the network topology - Example

Network functions can also be deployed in network switches (see Software Defined Networking) and on general purpose servers (see Network Function Virtualisation).

Page 18

Network functions & network function boxes

- Network function boxes (NFBs) are physical elements
- Network functions are software running atop one or more NFBs

(Figure: (a) Hardware NFB: separate NFBs labelled FW, LB and IDS; (b) General purpose server as NFB: one NFB hosting VM1, VM2 and VM3, which run FW, LB and IDS)

Page 19

Heterogeneity in data centres

Two dimensions of Heterogeneity for NFBs:

1 location – in the network and servers

(Figure: NF instances (IPS, LB, Mon, FW) mapped onto three kinds of NFB: NFV servers, hardware middleboxes and OpenFlow switches)

Page 20

Heterogeneity in data centres

Two dimensions of Heterogeneity for NFBs:

2 performance – physical and virtual form factors

(Figure: CDFs of Round Trip Time (s) on virtual and hardware NFBs.
(c) NAT on virtual NFB: pfSense 1 vCPU 2GB RAM vs pfSense 1 vCPU 4GB RAM (RTT axis 0 to 5×10^-3 s)
(d) IDS/IPS on virtual NFB: Snort 1 vCPU 2 GB RAM vs Snort 1 vCPU 4 GB RAM (RTT axis 0 to 12 s)
(e) NAT on virtual NFB: pfSense 1 vCPU vs pfSense 2 vCPUs vs Hardware (Pronto 3295) (RTT axis 0 to 5×10^-3 s)
(f) IDS/IPS on virtual NFB: Snort 1 vCPU vs Snort 2 vCPUs (RTT axis 0 to 10 s))

Variance in locations and form factors of NFBs could have a significant impact on network policy enforcement.

Page 21

Heterogeneous Network Policy Enforcement problem

Definition

Given the set of flows F, policies P, NFBs B and delay matrix D, we need to find an appropriate allocation of network functions A which minimises the total expected end-to-end delays of the network:

$$
\begin{aligned}
\min \quad & \sum_{p_k \in P} T(p_k) \\
\text{s.t.} \quad & p_k \text{ is satisfied}, \quad \forall p_k \in P \\
& A(n_i) \neq \emptyset \;\wedge\; |A(n_i)| = 1, \quad \forall n_i \in p_k.\mathrm{chain},\; \forall p_k \in P \\
& \sum_{n_i \in A(b_j)} n_i.\mathrm{cap} < b_j.\mathrm{cap}, \quad \forall b_j \in B
\end{aligned}
\tag{1}
$$

Page 22

So we want to minimise end-to-end latency

- Latency = Transmission delay + Propagation delay + Processing delay + Queuing delay
- Transmission delay + Propagation delay is negligible in a data centre environment as link speed is high (tens of µs).
- Processing delay: $t_s^i = 1 / n_i.\mathrm{cap}$, where $n_i.\mathrm{cap}$ is the processing capacity of $n_i$.
- Queuing delay (the mean waiting time of an M/D/1 queue with utilisation $\rho = \lambda_i t_s^i$, valid only for $\rho < 1$; it grows without bound as the box approaches saturation):

$$
t_w^i = \frac{t_s^i \,\rho}{2(1-\rho)} = \frac{\lambda_i \,(t_s^i)^2}{2\,(1 - \lambda_i t_s^i)}
$$

Page 23

Example of service chain network with length of 3

- We can construct a Service Chain Network, G, for a policy, p_i.
- Edge weights are delays.

(Figure: layered graph from Source (f.src) through three layers of candidate NFBs, {b_i, b_j}, {b_m, b_n} and {b_x, b_y}, to Sink (f.dst). An edge from u into NFB b_v weighs D(u, b_v) + t_p(b_v), e.g. D(f.src, b_i) + t_p(b_i), D(b_i, b_m) + t_p(b_m), D(b_j, b_n) + t_p(b_n), D(b_n, b_y) + t_p(b_y); edges into the sink weigh D(b_x, f.dst) and D(b_y, f.dst).)

The route with the smallest expected latency for a flow is the shortest path from source to sink.
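The delay model of the previous two slides and the service chain network of this one, put together as an added example (not the talk's code, and not the Hooc implementation): per-box delay $t_p = t_s + t_w$ with $t_s = 1/\mathrm{cap}$ and the M/D/1 queuing term, edge weight $D(u, v) + t_p(v)$, and the shortest source-to-sink path through the layered graph. The NFBs, their locations and capacities, the delay matrix D and the flow rates are all constructed for illustration; only one policy is placed, so the per-box packing constraint of (1) across many policies is not exercised.

```python
"""Service chain network for one policy over heterogeneous NFBs, and the
minimum-expected-latency path through it.

Added example, not code from the talk. Delays follow the slides:
t_s = 1/cap, M/D/1 queuing t_w = rate*t_s^2 / (2*(1 - rate*t_s)),
t_p = t_s + t_w, edge weight D(u, v) + t_p(v). All data is constructed.
"""
from dataclasses import dataclass
from math import inf
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class NFB:
    """A network function box: physical or virtual, somewhere in the topology."""
    name: str
    loc: str                # location in the topology (rack, core, ...)
    funcs: FrozenSet[str]   # network functions this box can host
    cap: float              # processing capacity, packets per second


def t_p(box: NFB, rate: float) -> float:
    """Expected per-packet delay at `box` for a flow of `rate` pkt/s:
    processing delay plus M/D/1 queuing delay. A box with rho >= 1 would be
    overloaded; its delay is infinite so it can never be selected."""
    t_s = 1.0 / box.cap
    rho = rate * t_s
    if rho >= 1.0:
        return inf
    return t_s + rate * t_s * t_s / (2.0 * (1.0 - rho))


def link_delay(D: Dict[Tuple[str, str], float], u: str, v: str) -> float:
    """Location-to-location delay: zero within a location, symmetric otherwise."""
    if u == v:
        return 0.0
    return D.get((u, v), D.get((v, u), inf))


def min_latency_chain(chain: List[str], boxes: List[NFB],
                      D: Dict[Tuple[str, str], float],
                      src: str, dst: str, rate: float) -> Tuple[float, List[NFB]]:
    """Shortest source-to-sink path through the layered service chain network.

    Layer k holds every NFB able to host chain[k]. An edge from u (previous
    layer, or the source) to v weighs D(u, v) + t_p(v); every last-layer box
    links to the sink with D(v, dst). The graph is a layered DAG, so a
    layer-by-layer relaxation is exactly the shortest path.
    Returns (expected latency, chosen NFBs) or (inf, []) if some function
    in the chain has no feasible host at this rate."""
    # best maps (box, location) in the current layer to (latency, path);
    # the source is represented by (None, src).
    best: Dict[Tuple[Optional[NFB], str], Tuple[float, List[NFB]]] = {(None, src): (0.0, [])}
    for func in chain:
        nxt: Dict[Tuple[Optional[NFB], str], Tuple[float, List[NFB]]] = {}
        for v in boxes:
            cost_v = t_p(v, rate)
            if func not in v.funcs or cost_v == inf:
                continue
            for (_, u_loc), (acc, path) in best.items():
                total = acc + link_delay(D, u_loc, v.loc) + cost_v
                key = (v, v.loc)
                if key not in nxt or total < nxt[key][0]:
                    nxt[key] = (total, path + [v])
        if not nxt:
            return inf, []
        best = nxt
    lat, path = min(((acc + link_delay(D, loc, dst), p) for (_, loc), (acc, p) in best.items()),
                    key=lambda item: item[0])
    return lat, path


def example_placement(rate: float) -> Tuple[float, List[str]]:
    """Constructed scenario: a flow from rackA to rackB under the chain
    FW -> IDS -> LB. Hardware boxes sit one hop further away in the core;
    virtual boxes sit in the racks with far less capacity."""
    boxes = [
        NFB("fw-hw-core",   "core",  frozenset({"FW"}),  1_000_000),
        NFB("fw-vm-rackA",  "rackA", frozenset({"FW"}),     20_000),
        NFB("fw-vm-tiny",   "rackA", frozenset({"FW"}),      3_000),
        NFB("ids-hw-core",  "core",  frozenset({"IDS"}),   100_000),
        NFB("ids-vm-rackA", "rackA", frozenset({"IDS"}),    50_000),
        NFB("lb-vm-rackB",  "rackB", frozenset({"LB"}),     20_000),
    ]
    D = {("rackA", "core"): 70e-6, ("core", "rackB"): 70e-6, ("rackA", "rackB"): 70e-6}
    lat, path = min_latency_chain(["FW", "IDS", "LB"], boxes, D, "rackA", "rackB", rate)
    return lat, [b.name for b in path]


if __name__ == "__main__":
    for rate in (2_000, 18_000):
        print(rate, "pkt/s ->", example_placement(rate))
```

At 2,000 pkt/s the rack-local virtual FW and IDS win because they avoid two 70 µs hops to the core; at 18,000 pkt/s the virtual FW runs at ρ = 0.9 and its queuing term dominates, so the path moves to the hardware boxes in the core, and the 3,000 pkt/s box is excluded outright as overloaded. That shift is the heterogeneity problem of slides 19 and 20 seen from the objective in (1).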

Page 24

Results – Latency of service chain for length = 4

(Figure: CDF of latency of service chain (ms), axis 0 to 25 ms, for HOOC and Greedy)

Hooc is 21% better than the state of the art.

Page 25

Results – Average runtime on testbed

(Figure: average running time (s), log scale from 10^-2 to 10^2, against factor K from 4 to 20, for Greedy, HOOC and constructing the service chain network)

- Hooc is efficient enough for a production data centre.
- A vast amount of the time is used to construct the cost network G – room for improvement.

Page 26

Conclusion

- Network functions are ubiquitous in all types of networks.
- SDN and NFV ‘softwarise’ network provisioning but add complexity too.
- Hooc deploys network policies onto networks by considering all types of network function boxes at all possible locations.

Page 27

Thank you for listening! Also thanks @Robert for this lovely beamer template.
