Ranges & Cross-Entrance Consistency

with OpenFlowLiron Schiff (TAU)

Joint work with

Yehuda Afek (TAU) Anat Bremler-Barr (IDC)

Israel Networking Day 2014

Issue 1: Ranges

Start End Action0.0.0.0 61.26.188.55 Server r361.26.188. 56 61.37.255.0 Server r1

61.37.255.1 93.2.100.50 Server r2

93.2.100.51 127.0.64.40 Drop….. ……… ……

Source IP Address

replicas

InternetInternet…

FirewallsLoad BalancersDDoS mitigationForwarding…….

Issue 2: Cross-Entrance Consistency

replicas…

client’s IPs

InternetInternet

SDN Network

Contributions• Ranges: Efficient implementation w/ OpenFlow

– 2 entries per range; total, 2n vs. Previously n w ∙ table entries (n number of intervals, w field size, usually 16 or 32)

• Consistent & Atomic ranges update– Per packet, and per flow consistency

• Cross entrance consistency (with ranges)

Ranges Current Solution: Expansion

Start End Action125.26.188. 56 125.37.255.0 Server A125.37.255.1 126.2.100.50 Server B

Pattern Action125.26.188. [00111***] Server A

125.26.188. [*1******] Server A

125.26.188. [10******] Server A

125. [00011011].*.* Server A

125. [000111**].*.* Server A

125. [001000**].*.* Server A

125.[00100100].*.* Server A

125.[00100101]. 255.0 Server A

125.[00100101]. 255.* Server B

125.[00100101]. *.* Server A

125.[001*****].*.* Server B

126. 1.*.* Server B

126. 2. [00******].* Server B

126. 2. [010*****].* Server B

126. 2. [011000**].* Server B

126. 2. 100.[0010****] Server B

126. 2. 100.[00110001] Server B

126. 2. 100.[00110010] Server B

2w – 4 entries per range

Current Solution: Range Update• Change affects several entries• Need atomicity (while traffic passes thru)• Packet buffering, or duplicating and switching tables

Pattern Action125.26.188. [00111***] Server A

125.26.188. [*1******] Server A

125.26.188. [10******] Server A

125. [00011011].*.* Server A

125. [000111**].*.* Server A

125. [001000**].*.* Server A

125.[00100100].*.* Server A

125.[00100101].255.0 Server A

125.[00100101]. 255.* Server B

125.[00100101]. *.* Server A

125. [001*****].*.* Server B

126. 1.*.* Server B

126. 2. [00******].* Server B

126. 2. [010*****].* Server B

126. 2. [011000**].* Server B

126. 2. 100.[0010****] Server B

126. 2. 100.[00110001] Server B

126. 2. 100.[00110010] Server B

Start End Action125.26.188. 56 125.37.255.0 Server A125.37.255.1 126.2.100.50 Server B

36

36

Flow table

Pattern Action

<EMPTY>

125.[00100100].255.0 Server A125.[00100100]. 255.* Server B125.[00100100]. *.* Server A

Our Ranges Implementation• 2 entries per range

• Atomic (create, delete, split, merge) with O(1) control message complexity. merge

split

[Panigrahy&Sharma2003] TCAM range implementation

TCAM Query

TCAM Query

Compare

Compare

Adapting [PS2003] to OpenFlow

• Even Comparisons are Flow-Table based!

Flow TableQuery

Flow TableQuery

Compare

Compare

Flow Table based comparisonsFlow Table based comparisons

OpenFlow based Comparison

patterns

1******* 0*******

0******* 1*******

*1****** *0******

*0****** *1******...

.

.

.

******** ********

Result

m>q

m<q

m>q

m<q...

m=q

qmPacketheader

Issue 2: Cross Entrance Consistency

Per-Flow Consistency[Reitblatt, Foster, Rexford, Schlesinger, Walker 2012]

InternetInternet

replicas

client’s IPs

…

InternetInternet

replicas

client’s IPs

Change in weights Change in ranges

…Start End Action

125.26.188. 56 125.37.255.0 Server 2125.37.255.1 126.2.100.50 Server 3

36

36

But existing flow shouldn’t change

Per-Flow Consistency[Wang, Butnariu, Rexford, 2011]

Per-Flow Consistency solution [Wang et.al.]

InternetInternet

replicas

client’s IPs

…ControllerController

Start End Action

125.26.188. 56 125.37.255.0 Server 2125.37.255.1 126.2.100.50 Server 3

36

36

1 .Send flows in affected sub range to

controller

InternetInternet

replicas

client’s IPs

…ControllerController

Start End Action125.37.1.1 125.37.1.1 Server 2125.26.188. 56 125.37.255.0 Server 2125.37.255.1 126.2.100.50 Server 3

36

36

2 .Add specific rules for existing flows

Per-Flow Consistency solution [Wang et.al.]

InternetInternet

replicas

client’s IPs

…Richer OpenFlow interface (e.g. DevoFlow) can solve this locally in the switch and save control communication.Richer OpenFlow interface (e.g. DevoFlow) can solve this locally in the switch and save control communication.

ControllerController

DevoFlowDevoFlow

Per-Flow Consistency solution [Wang et.al.]

DevoFlow

Src IP Dst IP Action

10.0.0.2 10.*.*.* Forward port 3

Src IP Dst IP Action

Devo Rules

Standard Rules

Src IP Dst IP

10.0.0.2 10.0.1.2

Packet 10.0.0.2 10.0.1.2 Forward port 3

[Mogul, Tourrilhes, Yalagandula, Sharma, Curtis, Banerjee 2010]

DevoFlow

Src IP Dst IP Action

10.0.0.2 10.*.*.* Forward port 5

Src IP Dst IP Action

10.0.0.2 10.0.1.2 Forward port 3

Devo Rules

Standard Rules

Src IP Dst IP

10.0.0.2 10.7.1.5

Packet10.0.0.2 10.7.1.5 Forward port 5

InternetInternet

replicas

client’s IPs

…Richer OpenFlow interface (e.g. DevoFlow) can solve this locally in the switch and save control communication.Richer OpenFlow interface (e.g. DevoFlow) can solve this locally in the switch and save control communication.

ControllerController

DevoFlowDevoFlow

Per-Flow Consistency solution [Wang et.al.]

Cross-Entrance Consistency

replicas…

client’s IPs

InternetInternetX

ControllerController

SDN Network

Local solution is not possibleWe must sync between entrances

Local solution is not possibleWe must sync between entrances

Implementing Cross-Entrance Consistency

replicas…

client’s IPs

InternetInternet ControllerController

DevoFlow + SYN match

DevoFlow + SYN match

Richer OpenFlow interface (e.g. DevoFlow and SYN matching) can reduce control communication.Richer OpenFlow interface (e.g. DevoFlow and SYN matching) can reduce control communication.

DevoFlow + SYN match

DevoFlow + SYN match

summary• Efficient Ranges implementation

• Multi-entrance consistency

Questions?