SDN Abstractions Lecture 20 Aditya Akella. Going beyond defining a virtual network, configuring...
SDN Abstractions
Lecture 20
Aditya Akella
• Going beyond defining a virtual network, configuring specific network functions
• Application interface
  – PANE: Participatory networking
• Management
  – HFT: Delegation and conflict resolution
  – Splendid isolation: Slicing/isolation
Participatory networking and HFT
• PANE: user interface for the network control plane
  – End-users, devices or applications
• Key components:
  – Privilege delegation to reconcile requests and network constraints
  – A protocol and API for interaction
  – A suitable control logic
Privilege delegation
• Hierarchy of shares
• All shares can sub-delegate
  – Subsets defined on subset of parent’s flow group
  – May not have more permissive privileges
Which speakers can issue which messages on which flowgroups
“API”
• Requests: allow/deny, reserve, limit
  – Could be associated with time
  – “Come back later”
• Hints: for traffic prioritization, future traffic patterns
• Queries: read network state
• Accept a message if
  – it passes privilege check,
  – referenced flowgroup is subset of share’s group,
  – the request can co-exist with previously accepted requests
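The share hierarchy and the three acceptance checks above, as an added Python sketch (not PANE's own code). The `Share` class, the flowgroup-as-dict encoding and the per-share `reserve_cap` bandwidth model are assumptions made for illustration.

```python
from dataclasses import dataclass, field

def is_subset(fg, parent_fg):
    """fg is a subset of parent_fg if it keeps every header constraint of parent_fg."""
    return all(fg.get(k) == v for k, v in parent_fg.items())

@dataclass
class Share:
    name: str
    flowgroup: dict        # header field -> required value; absent field = wildcard
    speakers: set          # principals allowed to issue messages on this share
    privileges: set        # subset of {"allow", "deny", "reserve", "limit"}
    reserve_cap: int = 0   # total Mbit/s reservable (assumed resource model)
    parent: object = None
    accepted: list = field(default_factory=list)

    def delegate(self, name, flowgroup, speakers, privileges, reserve_cap=0):
        """Create a sub-share; it may narrow the parent's share but never widen it."""
        if not is_subset(flowgroup, self.flowgroup):
            raise ValueError("flowgroup is not a subset of the parent's")
        if not privileges <= self.privileges or reserve_cap > self.reserve_cap:
            raise ValueError("sub-share would be more permissive than its parent")
        return Share(name, flowgroup, speakers, privileges, reserve_cap, self)

    def chain(self):
        """This share followed by its ancestors up to the root."""
        share = self
        while share is not None:
            yield share
            share = share.parent

    def request(self, speaker, verb, flowgroup, mbps=0):
        # 1. privilege check: may this speaker issue this message on this share?
        if speaker not in self.speakers or verb not in self.privileges:
            return "reject: privilege"
        # 2. the referenced flowgroup must lie inside the share's flowgroup
        if not is_subset(flowgroup, self.flowgroup):
            return "reject: flowgroup"
        # 3. co-existence: earlier reservations plus this one must fit every cap
        if verb == "reserve" and any(
            sum(m for _, m in s.accepted) + mbps > s.reserve_cap for s in self.chain()
        ):
            return "reject: conflict"
        for s in self.chain():
            s.accepted.append((verb, mbps))
        return "accept"
```

A reservation accepted on a sub-share is also charged to every ancestor, so a parent cannot be oversubscribed through its children.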
HFT
• Hierarchy of privileges hierarchy of policies
HFT
• Conflict resolution operators: node-internal, inter-sibling and parent-child
HFT Operators
• D and S identical.
• Deny overrides Allow.
• GMB combines as max
• Child overrides Parent for Access Control
• GMB combines as max
Only Requirements: Associative, 0-identity
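The operators on this slide, as an added Python sketch (not HFT's or PANE's code), reading D as node-internal, S as inter-sibling and the child-overrides-parent rule as the parent-child operator. Encoding an action as an `(access, gmb)` pair and a policy tree as nested dicts are assumptions; `satisfies_requirements` brute-forces the two stated requirements over sample actions.

```python
from functools import reduce
from itertools import product

ZERO = (None, 0)   # 0-identity: no access decision, no guaranteed bandwidth

def op_ds(a, b):
    """Node-internal (D) and inter-sibling (S): Deny overrides Allow, GMB is max."""
    access = "deny" if "deny" in (a[0], b[0]) else (a[0] or b[0])
    return (access, max(a[1], b[1]))

def op_p(parent, child):
    """Parent-child: the child's access decision wins if it made one, GMB is max."""
    access = child[0] if child[0] is not None else parent[0]
    return (access, max(parent[1], child[1]))

def matches(pattern, pkt):
    return all(pkt.get(k) == v for k, v in pattern.items())

def evaluate(node, pkt):
    """Resolve a policy tree for one packet; node = {"rules": [...], "children": [...]}."""
    own = reduce(op_ds, (act for pat, act in node["rules"] if matches(pat, pkt)), ZERO)
    kids = reduce(op_ds, (evaluate(c, pkt) for c in node["children"]), ZERO)
    return op_p(own, kids)

def satisfies_requirements(op, actions):
    """Associativity, and ZERO as a two-sided identity, checked over sample actions."""
    assoc = all(op(op(a, b), c) == op(a, op(b, c))
                for a, b, c in product(actions, repeat=3))
    ident = all(op(a, ZERO) == a == op(ZERO, a) for a in actions)
    return assoc and ident

SAMPLE_ACTIONS = [ZERO, ("allow", 0), ("deny", 0), ("allow", 10), (None, 5), ("deny", 20)]

# Constructed policy tree: a default-deny root with two sibling sub-policies.
TREE = {
    "rules": [({}, ("deny", 0))],
    "children": [
        {"rules": [({"dst_port": 80}, ("allow", 10))], "children": []},
        {"rules": [({"dst_port": 80}, (None, 30)),
                   ({"src_ip": "10.0.0.66"}, ("deny", 0))], "children": []},
    ],
}
```

With this tree a child's Allow on port 80 overrides the root's default Deny, while one sibling's Deny for a source address overrides the other sibling's Allow.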
HFT and PANE
Critique of PANE + HFT?
Isolation
• Traffic isolation
• Physical isolation
• Control isolation
Some possibilities
• VLANs obviously bad (why?)
• Flowvisor
• “Splendid”
Flowvisor
Intercepts/analyzes/multiplexes events
Slices in Splendid
• Make isolation part of the language.
  – For security and modularity.
• Give each client a slice of the network which they can assume complete control over, as if they were alone on the network.
• Given a set of slices and a policy for each slice, compile them into one whole network program that enforces isolation.
Slices
Outgoing pkts
Implementation
Input: a set of slices and policies. (Must be VLAN-independent.)
Output: a single, global policy that enforces isolation.
Issues with Splendid
• Read-only slices.
• Consider an admin/billing slice that monitors use. Isolation is too strong
• Isolation as the way to “enforce” program modularity?
Flowvisor vs. Splendid
Why is FV better? Why is Splendid better?