A Policy-aware Switching Layer for Data Centers
Dilip Joseph, Arsalan Tavakoli, Ion Stoica
University of California at Berkeley
Problem: Middleboxes are hard to deploy
• Place on network path
• Overload path selection mechanisms
[Figure: a packet's network path through a load balancer and a firewall]
• On-path placement fails to achieve
  – Correctness: guaranteed middlebox traversal
  – Flexibility: (re)configurable network topology
  – Efficiency: no middlebox resource wastage
Preview
• Problem – Middleboxes are hard to deploy
• Solution – Overview, Challenges, Limitations
• Implementation & evaluation
• Related work
Common data center topology
[Figure: Internet → Layer-3 router (core) → Layer-2/3 switch (aggregation) → Layer-2 switch (access) → servers, with a firewall and a load balancer placed on the path inside the data center]
Inflexible topology
[Figure: Internet → intrusion prevention box → firewall → load balancer, wired in sequence on the path]
Inefficient – middlebox resource wastage
[Figure: Internet; middleboxes on the active path process unnecessary traffic, while those on the unutilized backup path sit idle]
Correctness is hard
[Figure: Internet; servers S1 and S2; goal: protect S1 ↔ S2 traffic]
• Option 1 – Existing firewalls [figure: a newly blocked link]
• Option 2 – New firewall
• Option 3 – Separate VLANs
Outline
• Problem – Middleboxes are hard to deploy
• Solution – Overview, Challenges, Limitations
• Implementation & evaluation
• Related work
Policy-aware Switching Layer
[Figure: a policy-aware switching layer of PSwitches on top of the existing mechanisms, with the firewall and load balancer attached to it rather than placed on the path]
1. Take middleboxes off-path
2. Separate policy from reachability
Policy example: HTTP (TCP port = 80) → Firewall → Load balancer
PSwitch explicitly forwards packets to middleboxes
PSwitch forwarding example
[Figure: data center with a core router (R), a PSwitch (interfaces 0–3), a firewall (F), a load balancer (L) and a web server; the frame header's source field reads Src:R when the packet arrives from the router and Src:L after it returns from the load balancer]
Policy: HTTP → Firewall → Load balancer, installed by the centralized policy controller
Rule table:
Match                  Next Hop
MACR, port 80          F
Interface 1, port 80   L
MACL, port 80          FinalDest
[Figure: data center with two PSwitches; PSwitch A fronts a web server with a firewall and a load balancer, PSwitch B fronts an ERP server with a custom firewall, an intrusion prevention box and a firewall]
Policies: HTTP → Firewall → Load balancer; ERP → Custom Firewall → IPS
• Distributed forwarding
• Load balancing middleboxes
• Different policies for different traffic
Challenges
1. Minimizing infrastructure changes
2. Non-transparent middleboxes
3. Guaranteeing correctness under churn
Guarantees under Churn (network, middlebox and policy churn)
• Packets never bypass middleboxes
• Some packets may be dropped
Limitations
• Indirect paths
• Policy specification complexity
Outline
• Problem – Middleboxes are hard to deploy
• Solution – Overview, Challenges, Limitations
• Implementation & evaluation
• Related work
Implementation
• PSwitches prototyped in
[Figure: PSwitch prototype: 750 Mbps, 0.3 milliseconds, 25 policies]
• Compared to software Ethernet switch
  – 82% TCP throughput
  – 16% latency increase
• Exploring hardware options
Validation of functionality
• 10 PCs with 4 network interfaces each
[Figure: physical topology of PSwitches connecting iptables firewalls, webservers, a BalanceNG load balancer and a client; several logical topologies are realized on the same physical topology]
Related Work
• Separation of policy and reachability: 4D, Routing Control Platform, Ethane
• Indirection: Internet Indirection Infrastructure, Delegation Oriented Architecture
• High-end switches: Cisco Catalyst 6500
• SIGCOMM 2008: SEATTLE, DCell, Commodity DC Network Architecture
Conclusion
• Deploying middleboxes is hard
• A new layer-2 with explicit middlebox support
  – Middleboxes taken off network path
  – Policy separated from reachability
Questions?
Backup Slides
Policy churn – Conflicting policy updates
Version 1: HTTP → Load balancer → Firewall
Version 2: HTTP → Firewall → Load balancer
[Figure: a PSwitch with interfaces 0–3 and the firewall and load balancer attached]
Rule table, Version 1:
Match                  Next Hop
Interface 0, port 80   L
Interface 2, port 80   F
Interface 1, port 80   FinalDest
Rule table, Version 2:
Match                  Next Hop
Interface 0, port 80   F
Interface 2, port 80   FinalDest
Interface 1, port 80   L
Intermediate middlebox types
• Guarantees traversal
Version 1: HTTP → Load balancer → Firewall
Version 2: HTTP → Firewall' → Load balancer'
[Figure: a PSwitch with Firewall and Load Balancer (Version 1) and Firewall' and Load Balancer' (Version 2) attached]
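The rule-table lookup of the PSwitch forwarding slide and the conflicting Version 1 / Version 2 tables of the policy churn backup slide, as an added simulation that is not the PLayer prototype's code. It assumes the interface wiring implied by the tables (traffic enters on interface 0, the firewall returns frames on interface 1, the load balancer on interface 2) and, as one assumed way to honour the "never bypass, may drop" guarantee, that a frame is stamped with the policy version that chose its current hop and dropped when the table version has changed underneath it.

```python
# Constructed simulation of PSwitch rule-table forwarding under policy churn
# (not the PLayer prototype's code). Rules match (ingress interface, TCP port)
# and name the next hop, exactly as the Version 1 / Version 2 tables on the slide.

# Version 1 policy: HTTP -> Load balancer (L) -> Firewall (F)
V1 = {("IF:0", 80): "L", ("IF:2", 80): "F", ("IF:1", 80): "FinalDest"}
# Version 2 policy: HTTP -> Firewall (F) -> Load balancer (L)
V2 = {("IF:0", 80): "F", ("IF:1", 80): "L", ("IF:2", 80): "FinalDest"}

# Assumed wiring: a middlebox hands the frame back to the pswitch on this interface.
RETURN_IF = {"F": "IF:1", "L": "IF:2"}
MIDDLEBOXES = {"F", "L"}


def forward(tables, port, check_version=False, max_hops=8):
    """Walk one packet (entering on IF:0) through the pswitch.

    `tables` is a list of (version, rule_table) pairs: the table the pswitch
    holds at the i-th lookup, so a policy update can land while the packet is
    out at a middlebox. Returns the list of next hops, or None if dropped.
    """
    path, ingress, stamped = [], "IF:0", None
    for i in range(max_hops):
        version, rules = tables[min(i, len(tables) - 1)]
        if check_version and stamped is not None and stamped != version:
            return None          # stale in-flight frame: drop rather than skip ahead
        nxt = rules.get((ingress, port))
        if nxt is None:
            return None          # no rule matches: drop (never default-forward)
        path.append(nxt)
        if nxt == "FinalDest":
            return path
        stamped = version        # frame carries the version that chose this hop
        ingress = RETURN_IF[nxt]
    return None


def traversed_all(path):
    """True if every middlebox of the policy was on the path (None = dropped)."""
    return path is not None and MIDDLEBOXES <= set(path)


if __name__ == "__main__":
    print("v1 only:        ", forward([(1, V1)], 80))
    print("v2 only:        ", forward([(2, V2)], 80))
    mixed = [(1, V1), (2, V2)]            # update lands after the first hop
    print("mixed, no check:", forward(mixed, 80))         # bypasses the firewall
    print("mixed, checked: ", forward(mixed, 80, True))   # dropped instead
```

Without the version check the mixed case delivers the packet after only the load balancer, which is exactly the bypass the guarantee rules out; with it the packet is dropped, matching "some packets may be dropped".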