Scalable and Flexible Network Functions using SDN White-Boxes - … · 2018. 9. 2. · [8] M. Lyu,...

ScalableandFlexibleNetworkFunctionsusingSDNWhite-Boxes

VijaySivaraman,Professor,UNSW

WhoamI?•  PhDfromUCLAin2000•  Packetschedulinganalysis(BellLabs)•  ThesishadmoreGreekthanEnglish!•  Silicon-valleystart-up2000-2003•  L1-L4opticalswitch-router;$64.5mburnt•  100k+linesofcode;NPU-code,L2/L3protocols,…•  Gapbetweenacademiaandindustry•  Depthvsbreadth;optimalvssimple;innovativevspractical•  SoftwareDefinedNetworking(SDN):rayofhope?•  Software“brain”separatedfromhardware“brawn”•  ANZ-SDNAlliance:communitytofosterSDNecosystem

2

Let’stalkNetworkFunctions(NFs)

• Special-purposeoperationsonpackets• ServiceProviders:DPI,load-balancer,…• Enterprises:Firewalls,NAT,…

• Physicalappliances(middle-boxes)areexpensive

• Virtualappliances(VNFsonx86)difficulttoscale

3

HowcanSDNHelp?

Hardware:dumb+faston“flows”•  Abstraction:match+action+counter•  Match:anyheaderfield(s)•  Action:out-port,mirror,drop,edit

•  Multi-vendor“white-box”•  Scalable:400Gbps–6.4Tbps•  1m+flowtableentries(FIB)

•  Cost-effective:$20-40K4

Software:smart+slowon“packets”•  Deepinspection/statefuloperations•  Intelligence(e.g.optimization,ML/AI)

•  Commodityserverscheap•  Elasticscale-out,DPDKsupport•  Flexibleandagile•  Softwaredevenvironments/tools

Sohowtoputthetwotogether?•  NF:Operateonflowswhenyoucanandpacketswhenyoumust•  75-80%ofnetworktrafficiscarriedintop1-5%(“long”)flows•  AtUNSW:~600Kconcurrentflowsatpeakhour;~6kflowstransfer>4MB[1]•  Corroborateswithpriormice/elephantstudiesinenterpriseandcarriernetworks[2]

•  Here’sasimpleidea:•  Operateonmicepacketsinsoftware(VNF)•  Operateonelephantflowsinhardware(SDN)

•  Potentialbenefitsof“SDNAcceleratedNF”(SANF):•  SoftwareVNFloadreducesby4xàlowercost•  Hardwareflowtable(FIB)issmallàbetterscalability

5

[1] S. Madanapalli, M. Lyu, H. Kumar, H. Habibi Gharakheili, V. Sivaraman, “Real-time Detection, Isolation and Monitoring of Elephant Flows using Commodity SDN System”, IEEE/IFIP NOMS workshop on Experience Sessions, Taipei, Taiwan, Apr 2018.

[2] T. Mori et al, “Identifying elephant flows through periodically sampled packets”, ACM IMC, Taormina, Sicily, Italy, 2004.

ExampleUses•  Example1:Load-Balancer•  HandlefirstpacketofflowinVNF,theninsertflowtableruletosendtoselectedoutport

•  Example2:NAT•  DetermineportmappingsinVNFbasedonfirstpacketofflow;subsequentpacketsinh/w

•  Example3:Trafficclassifier•  KeepstateonflowvolumeinVNF;Insertflowtableruleinh/wonreachingthreshold•  Extractflowtelemetryandclassifybasedonbehavioralprofile

•  Example4:Statefulfirewall•  Determinestateonoutboundflowbasedonfirstpacket;insertflowruleforreturntraffic

•  Theseexamplesandtheircomplexity/scalabilitymodeledin[3]

6

[3] V. Sivaraman, H. Habibi Gharakheili, M. Lyu, H. Kumar, C. Russell, “Scaling Network Functions via SDN Acceleration”, under review with IEEE Journal on Selected Areas in Communications (JSAC), 2018.

NFUse-Case1:TrafficClassification

7

• Motivation:Understandbandwidthusagepattern•  Break-downofbrowsing,video,anddownloadsessionsoveraday•  Compositionofvideotrafficbyprovider(Youtube,Netflix,…)

TrafficClassification(contd.)• Motivation:Managedemandvariability(peakprovisioning)

8

DPIvsFlowClassification• Approach:Classifylongflowsbasedonbehavioralprofile[4],[5]•  Noinspectionofpackets(exceptDNS)•  VNFtracks“short”flows,pushes“long”flowsintohardware•  Extractsstatisticalprofileoflongflowsanddoesmachineclassification

9

[4] T. Bujlow et al, “Independent comparison of popular DPI tools for traffic classification”, Computer Networks, 76(c):75 – 89, Jan 2015. [5] A. Dainotti et al., “Issues and future directions in traffic classification”, IEEE Network, 26(1): 35–40, Jan 2012.

Time (sec)0 60 120 180

Ra

te (

Mb

ps)

0

10

20

30

40

50

60σ/µ = 2.76 ; fraction of idle-time = 85.59%

X: σ1/µ

0 2 4 6 8

Pro

ba

bili

ty:

P(σ

1/µ

= x

)

0

0.1

0.2

0.3

0.4

0.5

0.6Ultra-highHighMediumLow

99.36

0.08

0.00

0.00

0.64

99.90

1.21

0.14

0.00

0.02

98.72

0.28

0.00

0.00

0.07

99.58

low med high ultra-high

low

med

high

ultra-high

0.00

10.00

20.00

30.00

40.00

50.00

60.00

70.00

80.00

90.00

TeleScope:FlowClassificationatLineSpeed•  Fullyimplementedandoperationaltoday[6]•  UsesNoviFlowSDNswitch,RyuController,NFF-GODPDK,Weka/SciKitML,…•  Real-timeUI,loggingofeverylongflow,analysis/insightseachmidnight•  Operatingon10GbpsmirrortrafficatUNSWforpast6months

10

[6] H. Habibi Gharakheili, M. Lyu, Y. Wang, H. Kumar, V. Sivaraman, “iTeleScope: Intelligent Video Telemetry and Classification in Real-time using Software Defined Networking”, under review with IEEE/ACM Transactions on Networking, 2018.

TeleScope:Commercialoffering•  IPlicensedtoCanopusNetworks•  IncommercialtrialswithmultipleTier-1ISPs•  Showinginsightsintovideoconsumption(real-time/hourly/daily)–  Identifies300+videocontentproviders,includingrate,resolution,duration

•  Showinginsightsintolargedownloads(real-time/hourlydaily)–  Storage,CDNs,games(Fortnite),…

•  Developingsignaturesforinteractivevideo,streamingmusic,gaming,VR,…•  Partneringwithwhite-boxBNGvendorsforin-lineb/wmanagement•  Frameworkforcustomerexperienceoptimizationbasedontheoryof“marginalutility”•  Open,flexible,andverifiableframeworkthataddressesnetneutralityconcerns[7]

11

[7] V. Sivaraman, H. Habibi Gharakheili, S. Madanapalli, H. Kumar, C. Russell, “Competing on User Experience in a Post-Neutral World”, under preparation for submission to ACM SOSR, 2019.

• Appliancebasedsecuritysolutionsare:•  Expensiveà10G/100Gservicemaybecheaperthanthesecurityappliance!•  Bundledàcan’tcombine“best-of-breed”orget“secondopinion”•  Performance-limitedàfeatureshavetobeturnedoffforline-rateperformance• Ourgoal:buildplatform(Nozzle)toaugmentcurrentsolutions:•  Leverageswhite-boxSDNhardwareandcommodityserver-classcompute•  isscalable(modularexpansionofcapacityasneeded)•  isflexible(best-of-breedcomponents)•  islow-cost(commoditycomponents)–  setof“workers”extractattributesßSDN–  setof“inferenceengines”makedeductionsßAI

12

NFUse-Case2:Cyber-Security

WhatNozzlelookslike

SDNdataplane

FaucetSDNcontrollerflowdetectorapi(suppressflows)

api(flowactionsandstats)

api(mitigateattacks)

scalableworkers

attributes

AIinferenceengines

Messagingsystemwithchannels

Sowhatare“attributes”?

14

•  DNSattributes•  query&responsevolume,solicitedvs.unsolicited•  #RRs,TTL,sub-domainlength,udppayloadsize,…•  Hostattributes• #TCP-connections,volume,connection-rate,…•  Flowattributes•  long-flowdatavolume,5-tupleend-points,SSL/TLScipher-suites,…•  Intra-flowprofile•  inter-packetgaps,packetsizedistribution,…•  Othersignalingattributes• NTP,DHCP,SNMP,SSDP,SIP,etc.

•  DNS:•  comprises<0.1%oftrafficvolume;oftenallowedthroughfirewalls• wealthofinformationonexternalservicesaccessed&internalservers•  usedforDoS,dataexfiltration,reflection/amplificationattacks

•  DNSworkerinNozzle•  SDNflow-rule+Elasticsearch;IntelDPDKwithRUST/Golang•  publishesaggregatedDNSrecordstoNATSeverysecond

15

AdeeperlookattheDNSAttribute

•  Lessthan10Mbps(port53)•  Extracted4attributesper-host:•  Outboundqueries/inboundqueries•  #externalservers,#externalclients,fractionofactivetime•  Builtsimpleclustering-basedMLclassifier:•  UNSW:40nameservers;14resolvers;368public-servers

•  Result:automated,dynamic,dailyinventoryofkeyassets•  DNSresolvers,DNSnameservers,external-facingweb-servers

16

Analysisofoneday’sDNSTrafficatUNSW

[8]M.Lyu,H.HabibiGharakheili,C.RussellandV.Sivaraman,”MappinganEnterpriseNetworkByAnalysingDNSTraffic”,underreviewatACMCoNEXT,Dec2018.

•  Evidenceofattackvectors(whatandhow):•  DNSscanofnetwork•  Recursiveresolversusedforreflectionattacks•  Public-serverDoS-sedwithDNSresponses

•  DNSexfiltrationpossibleandhappening• MLbuiltusingattributes:[9]•  length,entropy,numerical,capital,dots,longestlabel,reputation•  Ourmachinedetectsexfiltration(e.g.cnr.io)inreal-time

17

DNSAttacksandThreats

[9]J.Ahmed,H.Habibi,C.Russell,V.Sivaraman,”Real-TimeDetectionofDNSExfiltrationandTunnellingfromEnterpriseNetworks”,underreviewatIFIPIM,2018.

Anotheruseof“attributes”– IoT

•  EachIoTdevicehasits“signature”ofnetworkbehaviour•  Enforcenetworkbehaviourpolicy(MUD)usingSDN

18

[10]A.Hamza,H.HabibiGharakheiliandV.Sivaraman,”DetectingVolumetricAttacksonIoTDevicesviaSDN-BasedmonitoringofMUDActivity”,submittedtoACMCoNEXT,Dec2018.

AutomaticdetectionofIoTassets

19

[11]A.Sivanathan,D.Sherratt,H.HabibiGharakheili,A.Radford,C.Wijenayake,A.VishwanathandV.Sivaraman,"CharacterizingandClassifyingIoTTrafficinSmartCitiesandCampuses",IEEEInfocomSmartCity17WorkshoponSmartCitiesandUrbanComputing,Atlanta,GA,USA,May2017.

Potentialmodeloftrial:Augmentcurrentappliance

20

Internet Enterprise

firewalltap

api(mitigateattacks)

UI/insights

Conclusions•  SDN-Accelerated-NFhasastrongvalueproposition•  Commodityhardwareàlowercost• Multi-vendoràchoiceofportspeedsanddensities• Modularandelasticàscalableinperformance•  Unbundledàmoreinnovativeandagile“state-of-art”software(ML/AI)

•  Lookingforoperatorswithcuriosityandappetite•  Co-developandtestinnovativesolutions(journey/learningsareimportant)•  Gainnewinsightsthatwouldnotemergeotherwise•  Developskillsinemergingareas(software/ML)inwork-force•  SupportAustralianinnovationandeducationeco-system

21

Sponsors•  SDNResearchandEducationatUNSWhasbeensupportedby:•  AustralianResearchCouncil(ARC)•  Google•  Optus•  Telstra•  AARNet•  Cisco•  HP•  NoviFlow•  OpenNetworkingFoundation(ONF)

22

Scalable and Flexible Network Functions using SDN White-Boxes - … · 2018. 9. 2. · [8] M. Lyu,...

Documents

Transcript of Scalable and Flexible Network Functions using SDN White-Boxes - … · 2018. 9. 2. · [8] M. Lyu,...