OpenBox–EnablingInnovaonin MiddleboxApplicaons

OpenBox – Enabling Innova2on in Middlebox Applica2ons

Yotam Harchol Hebrew University of Jerusalem, Israel Joint work with: Anat Bremler-‐Barr (Interdisciplinary Center Herzliya, Israel) David Hay (Hebrew University of Jerusalem, Israel)

This research was supported by the European Research Council under the European Union’s Seventh Framework Programme (FP7/2007-‐2013)/ERC Grant agreement no 259085.

ACM SIGCOMM HotMiddleboxes 2015

So^ware-‐Defined Solu2ons

2

SDN Controller

OpenBox Controller

OBI

OBI

OBI

Forwarding plane (switches, routers): -‐  High cost -‐  Limited management -‐  No mul--‐tenancy -‐  Limited func-onality and limited innova-on -‐  Complex distributed algorithms

Forwarding plane (switches, routers): -‐  High cost -‐  Limited management -‐  No mul--‐tenancy -‐  Limited func-onality and limited innova-on -‐  Complex distributed algorithms

Solu&on: SDN / OpenFlow

Middleboxes: -‐  Higher cost -‐  Limited and separate management -‐  Limited provisioning and scalability -‐  No mul--‐tenancy -‐  Limited func-onality and limited innova-on -‐  Similar processing steps, no re-‐use

Middleboxes: -‐  Higher cost -‐  Limited and separate management -‐  Limited provisioning and scalability -‐  No mul--‐tenancy -‐  Limited func-onality and limited innova-on -‐  Similar processing steps, no re-‐use

Our solu&on: OpenBox

OpenBox

•  OpenBox: A new protocol •  Decouples middleboxes control from their data plane •  Unifies data plane of mul2ple middleboxes

Benefits: •  Easier, unified control •  Beber performance •  Scalable •  Flexible •  Mul2-‐tenancy •  Innova2on

3

OpenBox Protocol

OpenBox Service Instances

OpenBox Controller

OpenBox Applica2ons

Control Plane

Data Plane

A Different View of Middleboxes

•  Previous works: Middlebox = monolithic closed unit –  Middlebox Traffic Steering (e.g., SIMPLE [Sigcomm ‘13], Stratos) –  Middlebox Virtualiza2on (e.g., ComB [NSDI ’12]) –  Middlebox State Management (e.g., OpenNF [Sigcomm ‘14]) –  Middlebox Run2me Plakorm (e.g., xOMB [ANCS ‘12], SDM [INFOCOM ‘14])

•  OpenBox: Middlebox = logical applica2on –  Most processing steps are shared among many types of middlebox

applica2ons –  Some steps can be done once for mul2ple applica2ons

4

OpenBox Controller

OpenBox Applica2ons

Typical Middlebox Processing

5

Header Lookup

Modify Header Output

Header Lookup

Session Analysis

Protocol Analysis

Decomp-‐ression

Payload Lookup

Alert / Log

Output/Drop

Header Lookup

Payload Lookup

Alert / Log

Output/Drop

Header Lookup

Session Analysis

Payload Lookup


Header Lookup

Session Analysis

Protocol Analysis

Decomp-‐ression

Payload Lookup

Alert / Log

Output/Drop

Session Analysis

Header Lookup


L7 Load Balancer

Intrusion Preven2on

Web App. Firewall

NAT

IPv6 Translator

Leakage Preven2on

WAN Op2mizer

Header Lookup

Session Analysis

Protocol Analysis

Payload Lookup

Output/Drop

Specialized Payload Rewrite

Unified Processing in Data Plane

6

Header Lookup

Session Analysis

Protocol Analysis

Decomp-‐ression

Payload Lookup

Alert / Log

Output/Drop

Header Lookup

Session Analysis

Payload Lookup

Modify Header Output L7 Load

Balancer

Intrusion Preven2on

Header Lookup

Alert / Log

Output/Drop Firewall

Header Lookup

Session Analysis

Protocol Analysis

Decomp-‐ression

Payload Lookup

Alert / Log

Output/Drop

Modify Header

OpenBox Service Instance

Virtual or Physical

MiddleBox è OpenBox Applica2on

•  Each applica2on defines: –  Processing path (of processing stages) –  Rules:

<priority, header match, metadata match, payload match, ac2ons>

•  Northbound API basic building blocks: –  Specify processing path and rules –  Customize specific processing stages –  Metadata: informa2on passing

between processing stages –  Session based storage

•  E.g., gzip window for decompression

–  Content storage •  E.g., for caching and quaran2ne

7

OpenBox Protocol


OpenBox Controller

OpenBox Applica2ons

Control Plane

Data Plane

NB API

(Logically-‐)Centralized Control •  Aggregates mul2ple OpenBox applica2ons

–  Creates a Processing Graph that aggregates mul2ple processing paths

–  Aggregates rules based on priority and network loca2on

•  Provides a central management

–  Mul&ple tenants run mul&ple applica&ons for mul&ple policies in the same network

8

OpenBox Protocol


OpenBox Controller

OpenBox Applica2ons

Control Plane

Data Plane

Header Lookup

Session Analysis

Protocol Analysis Deep

Packet Inspec2on

Modify Header

Alert / Log

Output / Drop

Deep Packet

Inspec2on IP Dst =

10.0.0.10

TCP Dst = 80

Decomp-‐ression

OpenBox Service Instance (OBI)

•  Receives processing graph and rules from controller –  executes them on data path

•  Hardware or so^ware based –  Room for innova2on –  Proac2ve rule spawning

•  Centralized or

•  Distributed –  E.g., performs all or just part

of the processing stages –  Results of each stage are

passed as metadata for next stages •  Use NSH / Geneve /

VXLAN-‐GPE (IETF dra^s) with jumbo frames for metadata passing

9

Session / Protocol Analyzer OBI

Payload Handler

OBI

Decision Maker OBI

Header lookup (on SDN switch)

Via OpenFlow

controller

OpenBox Controller

Packet

Metadata

Packet

Metadata

Packet

Packet

Can re-‐use: •  SDN switches for header lookup •  Programmable packet processors (P4) •  Click / DPDK plakorms

OpenBox Protocol


OpenBox Controller

OpenBox Applica2ons

Control Plane

Data Plane

Performance Gain

10

1000 Rules log(1000) latency


Time for most processing stages is sublinear with # of rules (or even constant)


OpenBox Service Instance

< 2 × log(1000) Was shown for DPI in [Bremler-‐Barr et al., CoNEXT ‘14]

Also improves throughput when re-‐using resources

Innova2on in Data Plane

•  OpenBox provides a set of required processing steps •  Vendors can provide enhanced OBIs along with their OpenBox

applica2ons: –  Can place these enhanced processors

only where needed –  No need the whole network to comply

with a specific vendor –  Vendors may cooperate

11

WAN Opt.

OBI

OBI

OBI

Scalable & Reliable Data Plane

•  Easy provisioning of new OBIs by simply running more VMs (VNFs) –  Even for hardware-‐assisted tasks, can use so^ware VMs as a backup for

peak 2mes

•  OBIs can report load informa2on to controller, to allow centralized control over provisioning

•  Increases reliability – quickly respond to crashes

12

OBI OBI

OBI

OBI OBI

Conclusions

•  Middleboxes are currently a real challenge in datacenter, operator, and enterprise networks

•  OpenBox decouples the data plane processing from middlebox applica2ons logic and: –  Reduces costs of management –  Enhances performance –  Improves scalability –  Increases reliability –  Provides mul2-‐tenancy –  Allows easier innova2on and

lets new players into the game

13

OpenBox Protocol


OpenBox Controller

OpenBox Applica2ons

Control Plane

Data Plane

Status & Future Work

Current Status: •  Ongoing development of control plane and data plane

–  Along with some sample applica2ons such as NIPS, Load Balancer, NAT –  Looking at Click/DPDK as a possible plakorm

•  Working on defining the OpenBox protocol Future Work: •  Algorithms for smart aggrega2on of OpenBox applica2ons •  Algorithms for smart placement and provisioning of OpenBox service

instances •  Distributed data plane, possibly coopera2ng with SDN/P4 switches •  New OpenBox applica2ons

14

Ques2ons?

Thank you.

15

OpenBox–EnablingInnovaonin MiddleboxApplicaons

Documents

Transcript of OpenBox–EnablingInnovaonin MiddleboxApplicaons