lithium: event-driven network control
DESCRIPTION
Lithium: Event-Driven Network Control. OpenFlow /Software Defined Networking. Nick Feamster Georgia Tech (some slides courtesy Nick McKeown ). Nick Feamster, Hyojoon Kim, Russ Clark Georgia Tech Andreas Voellmy Yale University. Pre-GENI Thinking : Network as Artifact. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/1.jpg)
Lithium: Event-Driven Network ControlNick Feamster, Hyojoon Kim, Russ Clark
Georgia TechAndreas VoellmyYale University
OpenFlow/Software Defined Networking
Nick FeamsterGeorgia Tech
(some slides courtesy Nick McKeown)
![Page 2: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/2.jpg)
Pre-GENI Thinking: Network as Artifact
2
“There is a tendency in our field to believe that everything we currently use is a paragon of engineering, rather than a snapshot of our understanding at the time. We build great myths of spin about how what we have done is the only way to do it to the point that our universities now teach the flaws to students (and professors and textbook authors) who don't know better.”
-- John Day
![Page 3: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/3.jpg)
What if we could change the network as easily as applications?
3
TCP/IP Header in Lego Format.
![Page 4: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/4.jpg)
Now, We Can: Software-Defined Networking• Before: Network
devices closed, proprietary
• Now: A single software program can control the behavior of entire networks.
4
![Page 5: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/5.jpg)
Software-Defined Networking
• Distributed configuration is a bad idea• Instead: Control the network from a logically
centralized system
5Feamster et al. The Case for Separating Routing from Routers. Proc. SIGCOMM FDNA, 2004
Caesar et al. Design and implementation of a Routing Control Platform. Proc NSDI, 2005
Network
RCP
2004 2005
Decision
DisseminationDiscovery
Data
2008
![Page 6: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/6.jpg)
Software Defined Networking
6
![Page 7: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/7.jpg)
Controller
OpenFlow Switch
FlowTable
SecureChannel
PCOpenFlow
Protocol
SSL
hw
sw
OpenFlow Switch specification
Background: OpenFlow Switching
![Page 8: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/8.jpg)
Key Idea: Control/Data Separation
8
![Page 9: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/9.jpg)
OpenFlow Forwarding Abstraction
9
![Page 10: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/10.jpg)
OpenFlow 1.0 Flow Table Entry
SwitchPort
MACsrc
MACdst
Ethtype
VLANID
IPSrc
IPDst
IPProt
TCPsport
TCPdport
Rule Action Stats
1. Forward packet to port(s)2. Encapsulate and forward to controller3. Drop packet4. Send to normal processing pipeline
+ mask
Packet + byte counters
![Page 11: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/11.jpg)
OpenFlow Forwarding Abstraction• Match
– Match on any header or new header– Allows any flow granularity
• Action– Forward to port(s), drop, send to controller– Overwrite the header– Forward at a specific bitrate
11
![Page 12: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/12.jpg)
OpenFlow Forwarding Abstraction• Protocol independent
– Construct Ethernet, IPv4, VLAN, MPLS– Construct new forwarding methods
• Backwards compatible– Run in existing networks
• Technology independent– Switches, routers, WiFi APs– Cellular basestations– WDM/TDM circuits
12
![Page 13: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/13.jpg)
13
Software Defined Network Management
• Software defined networking (SDN) makes it easier for network operators to evolve network capabilities
• Can SDN also help network operators manage their networks, once they are deployed?– Campus/Enterprise networks– Home networks
![Page 14: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/14.jpg)
Big Problem: Configuration Changes Frequently
• Changes to the network configuration occur daily– Errors are also frequent
• Operators must determine– What will happen in
response to a configuration change
– Whether the configuration is correct
14
![Page 15: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/15.jpg)
But, Network Configuration is Really Just Event Processing!
• Rate limit all Bittorrent traffic between the hours of 9 a.m. and 5 p.m.
• Do not use more than 100 GB of my monthly allocation for Netflix traffic
• If a host becomes infected, re-direct it to a captive portal with software patches
• …
15
![Page 16: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/16.jpg)
Lithium: Event-Based Network Control
16
Main Idea: Express network policies as event-based programs.
Resonance: Inference-Based Access Control for Enterprise Networks. Nayak, Reimers, Feamster, Clark. ACM SIGCOMM Workshop on Enterprise Networks. August 2009.
![Page 17: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/17.jpg)
Extending the Control Model
• OpenFlow only operates on flow properties
• Lithium extends the control model so that actions can be taken on time, history, and user
17
![Page 18: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/18.jpg)
Event-Driven Control Domains
18
Domain: A condition on which traffic forwarding rules can be expressed.
![Page 19: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/19.jpg)
Dynamic Event Handler• Reacts to
domain events• Determines
event source• Updates state
based on event type
• Can process both internal and external events
19
![Page 20: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/20.jpg)
20
Representing Network State:Finite State Machine
• State: A set of domain values represents a state. Representation of network state.
• Events: Event-driven control domains invoke events, which trigger state transitions in the controller’s finite state machine.– Intrusions– Traffic fluctuations– Arrival/departure of hosts
![Page 21: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/21.jpg)
Current Implementation• NOX Version 0.6.0
• Lithium plumbing: About 1,300 lines of C++
• Policies– Enterprise network access control: 145 lines of C++– Home network usage cap management: 130 lines
• Ongoing: Policies without general-purpose programming
21
![Page 22: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/22.jpg)
22
Two Real-World Deployments• Access control in enterprise networks
– Re-implementation of access control on the Georgia Tech campus network
– Today: Complicated, low-level– With SDN: Simpler, more flexible
• Usage control in home networks– Implementation of user controls (e.g., usage cap
management, parental controls) in home networks– Today: Not possible– With SDN: Intuitive, simple
![Page 23: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/23.jpg)
23
Example from Campus Network: Enterprise Access Control
3. VLAN with Private IP
6. VLAN with Public IP
1. New MAC Addr 2. VQP
7. REBOOT
Web Portal
4. Web Authentication 5. Authentication
Result
VMPS
Switch
New Host
![Page 24: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/24.jpg)
24
Problems with Current Approach
• Access control is too coarse-grained– Static, inflexible and prone to misconfigurations– Need to rely on VLANs to isolate infected machines
• Cannot dynamically remap hosts to different portions of the network– Needs a DHCP request which for a windows user
would mean a reboot
• Cannot automatically process changes to network conditions.
![Page 25: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/25.jpg)
25
Lithium: State Machine-Based Control for Campus Networks
Registration
AuthenticatedOperation
Quarantined
SuccessfulAuthentication
Vulnerability detected
Clean after update
Failed Authentication
Infection removed or manually fixed
Still Infecte
d after an update
![Page 26: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/26.jpg)
Requirements: Policy Language• Network policies
– Are dynamic– Depend on temporal conditions defined in terms of
external events
• Need a way to configure these policies without resorting to general-purpose programming of a network controller
• Intuitive user interfaces can ultimately be built on top of this language
26
![Page 27: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/27.jpg)
27
Language Design Goals• Declarative Reactivity: Describing when events
happen, what changes they trigger, and how permissions change over time.
• Expressive and Compositional Operators: Building reactive permissions out of smaller re- active components.
• Well-defined Semantics: Simple semantics, simplifying policy specification.
• Error Checking & Conflict Resolution: Leveraging well-defined, mathematical semantics.
![Page 28: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/28.jpg)
The Need for Reactive Control• Simple policies are doable in FML: “Ban the device if
usage exceeds 10 GB in the last 5 days”
28
• But, adding temporal predicates is difficult!– “Remove the ban if usage drops below 10 GB.”– “Remove the ban when an administrator resets.”
• Each condition requires a new predicate.
![Page 29: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/29.jpg)
Procera: Programming Reactive, Event-Based Network Control
29
• Controller: signal functions and a flow constraint function• Receives input signals from environment• Periodically updates a flow constraint function that
controls the forwarding elements
Define a signal function for a device going over (or under) the usage cap:
Define the set of devices over the cap:
![Page 30: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/30.jpg)
Deployment: Campus Network• Software-defined
network in use across three buildings across the university
• Redesign of network access control
• Also deployed at other universities
30
![Page 31: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/31.jpg)
31
Example From Home Networks:Usage Control
• Network management in homes is challenging• One aspect of management: usage control
– Usage cap management– Parental control– Bandwidth management
• Idea: Outsource network management/control– Home router runs OpenFlow switch– Usage reported to off-site controller– Controller adjusts behavior of traffic flows
![Page 32: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/32.jpg)
32
Example From Home Networks:Usage Control
![Page 33: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/33.jpg)
Deployment: Home Networks(Outsourced Home Network Management)
33
• User monitors behavior and sets policies with UI(next slide)
• Lithium controller manages policies and router behavior
![Page 34: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/34.jpg)
uCap: Intuitive Management Interface
34Joint work with Boris de Souza, Bethany Sumner, Marshini Chetty.
![Page 35: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/35.jpg)
Frontier #1: GENI/SDN @ Home• OpenFlow deployments in home networks: Slicing
all the way to the end user in the home!• BISmark (http://projectbismark.net/)
35
![Page 36: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/36.jpg)
Frontier #2: Programmable Substrate
• Augment OpenFlow switches with custom packet processors
• Device abstraction layer to allow programmability of this substrate– Single device– Network wide
• Applications– Big data applications– On-the fly encryption, transcoding,
classification– Selective deep packet inspection
36
![Page 37: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/37.jpg)
Frontier #3: Policy Languages• Today’s configuration languages are error-prone,
distributed, low-level
• Functional reactive programming– Support for “boxes and arrows” (or signals and
systems) style programming– Can support much more complicated conditions
• Procera/Lithium is one example
37
![Page 38: Lithium: Event-Driven Network Control](https://reader035.vdocuments.us/reader035/viewer/2022062815/56816935550346895de091d2/html5/thumbnails/38.jpg)
Summary• Network management is difficult and error-prone
• Lithium: Event-based network control
• Deployment in two real-world settings (campus and home network)
• Developing a high-level control language that enables reactive control
38