reasoning about software defined networks
DESCRIPTION
Reasoning about Software Defined Networks. Mooly Sagiv [email protected] 03-640-7606 Tel Aviv University Thursday 16-18 (Physics 105) Monday 14-16 Schrieber 317 Adviser: Michael Shapira Hebrew University. http://www.cs.tau.ac.il/~msagiv/courses/rsdn.html. Content. Challenges in SDNs - PowerPoint PPT PresentationTRANSCRIPT
Reasoning about Software Defined Networks
Mooly [email protected]
Tel Aviv UniversityThursday 16-18 (Physics 105)Monday 14-16 Schrieber 317Adviser: Michael Shapira
Hebrew University
http://www.cs.tau.ac.il/~msagiv/courses/rsdn.html
Content
• Challenges in SDNs• Programming Language Abstractions• Programming Language Techniques• Program Language Tools • Other useful tools
Challenges in SDN
• Programming complexity• Reliabilty
The Internet: A Remarkable Story
• Tremendous success– From research experiment
to global infrastructure• Brilliance of under-specifying– Network: best-effort packet delivery– Hosts: arbitrary applications
• Enables innovation in applications– Web, P2P, VoIP, social networks, virtual worlds
• But, change is easy only at the edge… 4
Inside the ‘Net: A Different Story…• Closed equipment– Software bundled with hardware– Vendor-specific interfaces
• Over specified– Slow protocol standardization
• Few people can innovate– Equipment vendors write the code– Long delays to introduce new features
5
Impacts performance, security, reliability, cost…
Do We Need Innovation Inside?
6
Many boxes (routers, switches, firewalls, …), with different interfaces.
How Hard are Networks to Manage?
• Operating a network is expensive– More than half the cost of a network– Yet, operator error causes most outages
• Buggy software in the equipment– Routers with 20+ million lines of code– Cascading failures, vulnerabilities, etc.
• The network is “in the way”– Especially a problem in data centers– … and home networks
7
Creating Foundation for Networking
• A domain, not a discipline– Alphabet soup of protocols– Header formats, bit twiddling– Preoccupation with artifacts
• From practice, to principles– Intellectual foundation for networking– Identify the key abstractions– … and support them efficiently
• To build networks worthy of society’s trust8
Rethinking the “Division of Labor”
9
Traditional Computer Networks
10
Data plane:Packet streaming
Forward, filter, buffer, mark, rate-limit, and measure packets
Traditional Computer Networks
11
Track topology changes, compute routes, install forwarding rules
Control plane:Distributed algorithms
Traditional Computer Networks
12
Collect measurements and configure the equipment
Management plane: Human time scale
Shortest-Path Routing
• Management: set the link weights• Control: compute shortest paths• Data: forward packets to next hop
13
1
1
3
1
1
Shortest-Path Routing
• Management: set the link weights• Control: compute shortest paths• Data: forward packets to next hop
14
1
1
3
1
1
Inverting the Control Plane
• Traffic engineering– Change link weights– … to induce the paths– … that alleviate congestion
15
5
1
3
1
1
Avoiding Transient Anomalies
• Distributed protocol– Temporary disagreement among the nodes– … leaves packets stuck in loops– Even though the change was planned!
16
1 5
1
3
1
1
Death to the Control Plane!
• Simpler management– No need to “invert” control-plane operations
• Faster pace of innovation– Less dependence on vendors and standards
• Easier interoperability– Compatibility only in “wire” protocols
• Simpler, cheaper equipment– Minimal software
17
Software Defined Networking (SDN)
18
API to the data plane(e.g., OpenFlow)
Logically-centralized control
Switches
Smart,slow
Dumb,fast
OpenFlow Networks
19
Data-Plane: Simple Packet Handling
• Simple packet-handling rules– Pattern: match packet header bits– Actions: drop, forward, modify, send to controller – Priority: disambiguate overlapping patterns– Counters: #bytes and #packets
20
1. src=1.2.*.*, dest=3.4.5.* drop 2. src = *.*.*.*, dest=3.4.* forward(2)3. src=10.1.2.3, dest=*.*.*.* send to controller
1. src=1.2.*.*, dest=3.4.5.* drop 2. src = *.*.*.*, dest=3.4.* forward(2)3. src=10.1.2.3, dest=*.*.*.* send to controller
Controller: Programmability
21
Network OS
App #1 App #2 App #3
Events from switchesTopology changes,Traffic statistics,Arriving packets
Commands to switches(Un)install rules,Query statistics,Send packets
OpenFlow in the Wild
• Open Networking Foundation– Creating Software Defined Networking standards– Google, Facebook, Microsoft, Yahoo, Verizon, Deutsche
Telekom, and many other companies• Commercial OpenFlow switches– HP, NEC, Quanta, Dell, IBM, Juniper, …
• Network operating systems– NOX, Beacon, Floodlight, Nettle, ONIX, POX, Frenetic
• Network deployments– Eight campuses, and two research backbone networks– Commercial deployments
22
Dynamic Access Control• Inspect first packet of each connection• Consult the access control policy• Install rules to block or route traffic
23
Seamless Mobility/Migration• See host sending traffic at new
location• Modify rules to reroute the traffic
24
Example Applications
• Dynamic access control• Seamless mobility/migration• Server load balancing• Using multiple wireless access points• Energy-efficient networking• Adaptive traffic monitoring• Denial-of-Service attack detection• Network virtualization
25See http://www.openflow.org/videos/
Challenges of Programming Software Defined Networks
26
Programming OpenFlow Networks
• OpenFlow makes programming possible– Network-wide view at controller– Direct control over data plane
• The APIs do not make it easy– Low level of abstraction
• Challenges– Composition– Concurrency– Correctness– Testing
27
Controller
Switches
A Simple example: Firewall
• A switch connected to two kind of hosts– Trusted hosts via port 1– Untrusted hosts via port 2
• Trusted hosts can freely send packets to untrusted hosts
• An unstrusted host can only send to a trusted destination which previously sent messages to this host
Firewall
12
Firewall Controller Pseudo-code
rel trusted(SW, HO) packetIn(s, p, 1) # packets from trusted hosts send(s, p, 2) # forward the packet to untrusted hosts trusted.insert(s, p.dst) # insert the target of p into trusted controller memory ft.insert(s, p, 1, 2) # insert a per-flow rule to forward future packets
packetIn(s, p, 2) -> # packets from untrusted hosts if trusted(s, p.src) then { send(s, p, 1) # forward the packet to trusted hosts ft.insert (s, p, 2, 1) # insert a per-flow rule to forward future packets }
Firewall Controller Pseudo-code(2)
packetIn(s, p, 1) # packets from trusted hosts send(s, p, 2) # forward the packet to untrusted hosts ft.insert(s, src:p.src, 1, 2) # insert a general rule to forward future packets ft.insert(s, dst:p.dst, 2, 1) # allow future packets from 2
A Learning Switch
• Ttwo hosts (A & B) • An OpenFlow switch with 3 ports• Host A is connected to port 1• and Host B is connected to port 2• Gradually install forwarding rules• Update upon relocation
Host A
Switch1
2Host B
‘A’ sends a message to ‘B’
Host A
Switch1
2Host B
TCP syn dst=B
Forward to the Controller
Host A
Switch1
2Host B
TCP syn dst=B
3
send TCP syn dst=B on port 2
send TCP syn dst=B on port 3
learn that A is connected via port 1
‘B’ sends a message to ‘A’
Host A
Switch1
2Host BTCP ack dst=A
Forward to the Controller
Host A
Switch1
2Host B
TCP ack dst=A
3
send TCP ack dst=A on port 1
learn that B is connected via port 2
Install a rule to forward packets from B to A on port 1
‘A’ sends another message to ‘B’
Host A
Switch1
2Host B
dst=B
Forward to the Controller
Host A
Switch1
2Host B
dst=B
3
Send dst=B on port 2
Install a rule to forward packets from A to B to port 2
Learning Switch Pseudo-code
rel connected (SW, PR, HO)PacketIn(s, p, e) -> connect.insert (s, e, p.src) if connect(s, o, p.dst) then { send (s, p, o) ft.insert(s, p, e, o) } else foreach o in {1, 2, 3} – p # Flood send (s, p, o)
Reasoning about Programs
• Debugging• Testing– Model checking
• Programming language support– Abstraction– Composition– Ease of use
• Program verification– Abstraction
Seminar Benefits
• A cool topic• Reasoning• Critically read an article• Learn to present an article
Seminar Requirements
• Compilers• Read an article (2 weeks)• Prepare presentation (1 week)• Participate in lectures
Tentative Schedule
October 24 Michael Shapira
Introduction to SDN
October 31 Mooly Sagiv Introduction to Program Reasoning
November 7 ? ?
November 14 ? ?