NetEgg: Scenario-based Programming for SDN Policies Yifei Yuan, University of Pennsylvania
advertisement
NetEgg: Scenario-based Programming for SDN Policies Yifei Yuan, Dong Lin, Rajeev Alur, Boon Thau Loo University of Pennsylvania 1 Software-Defined Networking (SDN) App App Programmability APIs distributed protocols e.g. POX, NOX, Floodlight, etc. Controller Openflow Dst NextHop A 2 … … Control plane Data plane Match Action Src=A drop … … 2 Programming Abstractions General-purpose Programming Languages • • • • C/C++ (NOX) Python (POX) Java (Floodlight) … Domain Specific Languages • Declarative Networking [CACM’09] • Frenetic [ICFP’11] • NetCore [POPL’12] • Pyretic [NSDI’13] • NetKAT [POPL’14] • … Target: Engineers with good programing skills 3 How about network operators? • Do network operators need to program the network? • How well can they master programming skills? 4 Industry Interviews • Interviewed 74 network operators/architects/ engineers in telcos, banks, service providers, campus IT, and router vendors • Need for programming skills among network operators • (Lack of) programming expertise 5 Programming Need Need for programming skills among network operators 17.57% Strong need 21.62% 60.81% Good to have Don't care 6 Lack of Programming Expertise • Hard to hire people who know have good knowledge in both programming and network operations • Retraining operation teams on programming • Hiring software developers who know networking 7 8 9 Goal of NetEgg: intuitive & concise programming abstractions targeting non-programmers 10 Programming Policies Today Policy Work hard! Controller Examples behaviors 11 Programming Policies Today Policy Work HARDER! Test examples Examples behaviors Controller Test/verify/debug Counter examples Bad behaviors 12 Programming Policies Today Policy Work HARDER! Test examples Examples behaviors Controller Test/verify/debug Counter examples Bad behaviors 13 Programming Policies Today Policy Work HARDER, HARDER .. ! Test examples Examples behaviors Controller Test/verify/debug Counter examples Bad behaviors 14 Programming Policies Today Policy Work HARDER, HARDER .. ! Test examples Examples behaviors Controller Test/verify/debug Counter examples Bad behaviors 15 NetEgg Overview Policy Synthesizer Interpreter Controller conflicts Example behaviors Action Instructions / Rule installation Network events Bad behaviors 16 Example Learning switch: 1. Learn the mapping between hosts and ports 2. Forward packets according to the learnt mapping <port, src, dst > <p1, hA, hB > B <p2, hC, hA > 2 A 1 <p3, hB, hC > 3 C flood fwd(p1) fwd(p2) 17 A Stateful Policy Model • Intuition: states + cases • Learning switch: – States: Mapping between hosts and ports – Case 1. Flood packets if the destination is unknown; store the port for the source – Case 2. Forward packets otherwise; store port for source in packets 18 Policy Table: State Table (ST): MAC State State Value Value Match Test Action Update A 11 11 * ST(dst).state=0 flood ST(src):=(1,port) C 1 3 * ST(dst).state=1 fwd(ST(dst).value) ST(src):=(1,port) Controller B 2 A 1 3 C 19 Synthesizer . . . Match Test Action Update * ST(dst) .state=0 flood ST(src):= (1,port) * ST(dst) .state=1 fwd(ST(dst) .value) ST(src):= (1,port) Synthesizer 20 Synthesis Algorithm • Goal: – Consistent with all scenarios – Minimize the number of rules • Approach: 1. Greedy search over policy templates 2. Backtrack with pruning 21 Synthesis Algorithm Illustration Increasing # rules … Match Test * ST(dst).state =0 * ST(dst).state =1 Test Action Update * ST(dst) .state=0 flood ST(src):= (1,port) * ST(dst) .state=1 fwd(ST(dst) .value) ST(src):= (1,port) Match Backtrack & pruning Backtrack & pruning Action Update Details in the paper 22 Rule Installation • Idea: Keep rules not updating state tables on the switch MAC State Value A 1 2 B 1 3 <inport=3, srcmac=B, dstmac=A> Match Test Action Update * ST(dstmac) .state=0 flood ST(srcmac): =(1,port) * ST(dstmac) .state=1 fwd(ST(dstmac). ST(srcmac): value) =(1,port) Match Action inport=3, srcmac=B, dstmac=A fwd(2) … … 23 Evaluation • Is scenario-based programming feasible? – Expressiveness – Programming time – Efficiency • Is the performance of synthesized implementations comparable to hand-crafted implementation? – Controller response latency – End-to-end performance 24 Expressiveness & Efficiency 25 Programming Time • 12 graduate students (good in programming) • 3 programming assignments: – Mac learner – Stateful firewall – TCP firewall • Programming using: – POX – NetEgg 26 User Study: Programming Time Programming Time (Hour) 3.5 POX 50 % less NetEgg 3 2.5 6 % more 2 72 % less 1.5 1 0.5 0 State firewall Firewall Macls Learner TCP tcp Firewall 27 Pox Code: Stateful firewall 28 NetEgg Scenarios: Stateful firewall <port, ether_type, srcip, dstip > 29 Synthesized Policy Table: Stateful firewall 30 Response Time Response time (ms) 2.5 2 1.5 netegg pox 1 0.5 0 mac learner stateful firewall tcp firewall 31 End-to-end performance • Topology: fattree, 20 switches, 16 hosts • Policy: learning switch • Setup: – 1 host as HTTP server – other hosts send HTTP requests to the server – benchmark connection time (i.e. time between a request is issued and it is finished.) 32 HTTP connection time (ms) End-to-end performance 3200 1600 800 netegg pox 400 200 0 10 20 Connection rate (req/s) 33 Conclusion • Scenario-based programming for SDN policies: – Expressive to program a range of policies – Concise in code size – Comparable performance to hand-crafted implementations • Future work: – Expanded user study – Objective-oriented policies: TE, Shorted-path routing – Combine with network monitoring 34 Questions? yifeiy@cis.upenn.edu 35
