Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia...
-
Upload
aubrie-foster -
Category
Documents
-
view
221 -
download
3
Transcript of Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia...
![Page 1: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/1.jpg)
1
Design and Implementation of aConsolidated Middlebox
ArchitectureVyas Sekar Sylvia Ratnasamy Michael Reiter Norbert Egi
Guangyu Shi
![Page 2: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/2.jpg)
Need for Network Evolution
2
New devices
New applications
Evolving threats Policy
constraintsPerformance, Security, Compliance
![Page 3: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/3.jpg)
3
Type of appliance NumberFirewalls 166NIDS 127Media gateways 110Load balancers 67Proxies 66VPN gateways 45WAN Optimizers 44Voice gateways 11Total Middleboxes 636Total routers ~900
Network Evolution today: Middleboxes!
Data from a large enterprise: >80K users across tens of sites
Just network security$10 billion
![Page 4: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/4.jpg)
4
Specialized boxes
Narrowinterfaces
“Point”solutions!
Increases capital expenses & sprawl Increases operating expensesLimits extensibility and flexibility
Management ManagementManagement
Key “pain points”
![Page 5: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/5.jpg)
• Motivation
• High-level idea: Consolidation
• System design
• Implementation and Evaluation5
Outline
![Page 6: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/6.jpg)
Network-wide Controller
Key idea: Consolidation
2. Consolidate Management
1. ConsolidatePlatform
Two levels corresponding to two sources of inefficiency
6
![Page 7: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/7.jpg)
Consolidation at Platform-Level
7
Proxy Firewall IDS/IPS AppFilterToday: Independent, specialized boxes
Decouple Hardware and Software
Commodity hardware:e.g., PacketShader, RouteBricks,ServerSwitch, SwitchBlade
Consolidation reduces capital expenses and sprawl
![Page 8: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/8.jpg)
Consolidation reduces CapEx
8
Multiplexing benefit = Max_of_TotalUtilization / Sum_of_MaxUtilizations
![Page 9: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/9.jpg)
Consolidation Enables Extensibility
9
Session Management
Protocol Parsers
VPN Web Mail IDS Proxy
Firewall
Contribution of reusable modules: 30 – 80 %
![Page 10: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/10.jpg)
Management consolidation enables flexible resource allocation
10
N1 N3
N2P: N1 N3
Process (0.4 P)
Today: All processing at logical “ingress”
Overload!
Network-wide distribution reduces load imbalance
Process (0.3 P)
Process (0.3 P)Process (P)
![Page 11: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/11.jpg)
• Motivation
• High-level idea: Consolidation
• CoMb: System design
• Implementation and Evaluation11
Outline
![Page 12: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/12.jpg)
Network-wide Controller
CoMb System Overview
12
General-purpose hardware:e.g., PacketShader, RouteBricks, ServerSwitch,
Logically centralized e.g., NOX, 4D
Existing work: simple, homogeneous routing-like workload
Middleboxes: complex, heterogeneous, new opportunities
![Page 13: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/13.jpg)
Network-wide Controller
Processingresponsibilities
CoMb Management Layer
Policy Constraints
ResourceRequirements
Routing, Traffic
Goal: Balance load across network.Leverage multiplexing, reuse, distribution
13
![Page 14: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/14.jpg)
Capturing Reuse with HyperApps
14
IDS Proxy
common
Footprint onresource
HTTPUDP
HTTPNFS
2 311
Memory
CPU
HTTP = IDS & Proxy
43Memory
UDP = IDS
NFS = Proxy
13
41
CPU
CPU
Memory
Memory
CPU
HyperApp: find the union of apps to run
Policy, dependency are implicitNeed per-packet policy, reuse dependencies!
HTTP:1+2 unit of CPU1+3 units of mem
![Page 15: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/15.jpg)
Modeling Processing Coverage
15
HTTPN1 N3
N1 N2 N3
What fraction of traffic of class HTTP from N1 N3 should each node process?
IDS < Proxy0.4
HTTP: Run IDS < Proxy
IDS < Proxy0.3
IDS < Proxy0.3
![Page 16: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/16.jpg)
Network-wide Optimization
16
Minimize Maximum Load, Subject to
Processing coverage for each class of traffic Fraction of processed traffic adds up to 1
Load on each node sum over HyperApp responsibilities per-path
A simple, tractable linear programVery close (< 0.1%) to theoretical optimal
No explicitDependencyPolicy
![Page 17: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/17.jpg)
Network-wide Controller
CoMb System Overview
17
General-purpose hardware:e.g., PacketShader, RouteBricks, ServerSwitch,
Logically centralized e.g., NOX, 4D
Existing work: simple, homogeneous routing-like workload
Middleboxes: complex, heterogeneous, new opportunities
![Page 18: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/18.jpg)
CoMb Platform
18
NIC
Policy Shim (Pshim)
Core1 Core4
IDS
…
… Proxy
Traffic
Applications
Policy Enforcer
Classification: HTTP
IDS < Proxy
Challenges: PerformanceParallelizeIsolation
Challenges: LightweightParallelize
Challenges: No contentionFast classification
![Page 19: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/19.jpg)
Parallelizing Application Instances
19
M1 M2
PShim
App-per-core
Core3
M3
PShim
Core1 Core2
HyperApp-per-core
M2 M3
PShim
M1 M2
PShim
Core1 Core2
- Inter-core communication- More work for PShim+ No in-core context switch
+ Keeps structures core-local+ Better for reuse- But incurs context-switch- Need replicas
✔
HyperApp-per-core is better or comparableContention does not seem to matter!
![Page 20: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/20.jpg)
CoMb Platform Design
20
HyperApp1
HyperApp2
HyperApp4
HyperApp3
HyperApp3
PShim PShim PShimPShim PShim
M1 M4 M1 M4M2 M3
Q1 Q3Q2 Q4 Q5
M1 M5
Core 1 Core 3Core 2
NIC hardware
Contention-free network I/O
Core-local processing
Parallel, core-local
Workload balancing
![Page 21: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/21.jpg)
• Motivation
• High-level idea: Consolidation
• System design: Making Consolidation Practical
• Implementation and Evaluation21
Outline
![Page 22: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/22.jpg)
Implementation
22
Network-wide Management
Session
Protocol
Extensible apps Standalone apps
Policy Shim
using CPLEX
Kernel mode Click
Ported logic FromBro Click
Memory mappedOr
Virtual interfaces
8-core Intel Xeon with Intel 82599 NIC
![Page 23: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/23.jpg)
Consolidation is Practical
• Low overhead for existing applications
• Controller takes < 1.6s for 52-node topology
• 5x better than VM-based consolidation
23
![Page 24: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/24.jpg)
Benefits: Reduction in Maximum Load
24
Consolidation reduces maximum load by 2.5-25X
MaxLoadToday /MaxLoadConsolidated
![Page 25: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/25.jpg)
Benefits: Reduction in Provisioning Cost
25
Consolidation reduces provisioning cost 1.8-2.5X
ProvisioningToday /ProvisioningConsolidated
![Page 26: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/26.jpg)
Discussion
• Changes traditional vendor business – Already happening (e.g., “virtual appliances”)– Benefits imply someone will do it!– May already have extensible stacks internally!
• Isolation– Current: rely on process-level isolation– Get reuse-despite-isolation?
26
![Page 27: Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.](https://reader030.fdocuments.us/reader030/viewer/2022013004/56649ce45503460f949b1768/html5/thumbnails/27.jpg)
• Network evolution occurs via middleboxes
• Today: Narrow “point” solutions– High CapEx, OpEx, and device sprawl– Inflexible, difficult to extend
• Our proposal: Consolidated architecture– Reduces CapEx, OpEx, and device sprawl – Extensible, general-purpose
• More opportunities– Isolation– APIs (H/W—Apps, Management—Apps, App Stack)
27
Conclusions