nice to meet you! - tu berlinstefan/swfan17keynote.pdf · nice to meet you! confluence: innovation!...
TRANSCRIPT
![Page 1: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/1.jpg)
Exploiting Flexibilities in SDNs: Opportunities, Challenges, and Security
Implications
Stefan Schmid
Aalborg University, DK & TU Berlin, DE
Nice to meet you!
![Page 2: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/2.jpg)
Confluence: innovation!
Programmability and virtualization: new flexibilities!
Algorithms
”We are at an interesting inflection point!”Keynote by George Varghese at SIGCOMM 2014
A rehash: It’s a great time to be a scientist!
![Page 3: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/3.jpg)
Even techsavvy companies struggle to provide reliable operations
We discovered a misconfiguration on thispair of switches that caused what's called a“bridge loop” in the network.
A network change was […] executed incorrectly […] more “stuck” volumes and added more requests to the re-mirroring storm
Service outage was due to a series of internalnetwork events that corrupted router data tables
Experienced a network connectivity issue […]interrupted the airline's flight departures,airport processing and reservations systems
Source: Talk by Nate Foster at DSDN Workshop
Mostly manual and ad-hoc!
Big Networking Challenges: Dependability
![Page 4: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/4.jpg)
Big Networking Challenges: Security
Source: Slide by Adrian Perrig
The Internet on first sight: - Monumental- Passed the “Test-of-Time”- Should not and cannot be changed
The Internet on second sight: - Antique- Britle- Successful attacks more and more
frequent (e.g., based on IoT)
![Page 5: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/5.jpg)
The Wall Street Bank Anecdote
❏ Outage of a data center of a Wall Street investment bank: lost revenue measured in USD 106 / min!
❏ Quickly, assembled emergency team:
Source: «The world’s fastest and most programmable networks»White Paper Barefoot Networks
Big Networking Challenges: Lack of Good Tools
The compute team: quickly came armed with reams of logs, showing how and when the applications failed, and had already written experiments to reproduce and isolate the error, along with candidate prototype programs to workaround the failure.
The storage team: similarly equipped, showing which file system logs were affected, and already progressing with workaround programs.
The networking team: All the networking team had were two tools invented over twenty years ago [ping and traceroute] to merely test end-to-end connectivity. Neither tool could reveal problems with the switches, the congestion experienced by individual packets, or provide any means to create experiments to identify, quarantine and resolve the problem.
Guess who getsblamed?
![Page 6: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/6.jpg)
❏ Cloud-based applications like batch processing, streaming, and scale-out databases generate a significant amount of network traffic
❏ Considerable fraction of their runtime is due to network activity
❏ Facebook traces: network transfers account for 33% of the execution time
❏ But: available bandwidth (to tenant) varies significantly over time
❏ So: How to render networking more predictable?
Big Networking Challenges: Predictable Performance
![Page 7: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/7.jpg)
Software-defined networking: Introduces many new flexibilities by decoupling and consolidating the control plane. Enables fast control plane innovations, automatic verification, new debugging tools, …
Network virtualization: Allows to ensure performance isolation, support networks with different stacks to co-exist on same infrastructure. Etc.
New opportunities - new challenges!
A killer applicationfor SDN
A Case for SDN and NV?
![Page 8: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/8.jpg)
Ctrl
Control
Programs
Control
Programs
Setting the Stage:A Mental Model for SDNs
SDN outsources and consolidates control over multiple devices to (logically) centralized software controller
![Page 9: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/9.jpg)
Ctrl
Control
Programs
Control
Programs
SDN = More Flexibilities…
![Page 10: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/10.jpg)
SDN = More Flexibilities…
Ctrl
Control
Programs
Control
Programs
Flexibility 1: New flexibilities to devise algorithms for traffic engineering, load-balancing, logically-centralized failover, etc.
![Page 11: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/11.jpg)
SDN = More Flexibilities…
Ctrl
Control
Programs
Control
Programs
C.ACM 3/2016
Key reasons for Google’s move to SDN: more fine-grained traffic engineering, and more predictable
and faster failure recovery.
Flexibility 1: New flexibilities to devise algorithms for traffic engineering, load-balancing, logically-centralized failover, etc.
![Page 12: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/12.jpg)
Ctrl
Control
Programs
Control
Programs
Flexibility 2: Decoupling! Control plane can evolve independently of data plane: innovation at speed of software development.
SDN = More Flexibilities…
![Page 13: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/13.jpg)
Ctrl
Control
Programs
Control
Programs
Flexibility 3: Can choose level of locality: onecontroller for the whole network, onecontroller per switch, anything between.
SDN = More Flexibilities…
![Page 14: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/14.jpg)
SDN = More Flexibilities…
Ctrl
Control
Programs
Control
Programs
Flexibility 4: OpenFlow is about generalization!• Generalize devices (L2-L4: switches,
routers, middleboxes)• Generalize routing and traffic engineering
(not only destination-based)• Generalize flow-installation: coarse-
grained rules and wildcards okay, proactive vs reactive installation
• Provide flexible logical network views to the application / tenant
![Page 15: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/15.jpg)
Ctrl
Control
Programs
Control
Programs
SDN = More Flexibilities…
![Page 16: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/16.jpg)
Ctrl
Control
Programs
Control
Programs
… But Also New Challenges!
![Page 17: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/17.jpg)
Ctrl
Control
Programs
Control
ProgramsApplications and
Control Plane
… and regardingdecoupling / inter-
connect!
Data Plane
… But Also New Challenges!
![Page 18: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/18.jpg)
Ctrl
Control
Programs
Control
ProgramsApplications and
Control Plane
… and regardingdecoupling / inter-
connect!
Data Plane
… But Also New Challenges!Let’s start with
the applications!
![Page 19: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/19.jpg)
Ctrl
Control
Programs
Control
ProgramsApplications and
Control Plane
… and regardingdecoupling / inter-
connect!
Data Plane
… But Also New Challenges!Let’s start with
the applications!
Claim: SDN introduces greattraffic engineering flexibilities!
Can flexibly route traffic throughmiddleboxes to compose more
complex service chains.
![Page 20: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/20.jpg)
Routing Through Waypoints
s t
❏ Traditionally: routes form simple paths (e.g., shortest paths)
❏ Traffic engineering is a classic and hard topic: not today
❏ Novel aspect: routing through middleboxes may requiremore general paths, with loops: a walk
![Page 21: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/21.jpg)
Routing Through Waypoints
s t
❏ Traditionally: routes form simple paths (e.g., shortest paths)
❏ Traffic engineering is a classic and hard topic: not today
❏ Novel aspect: routing through middleboxes may requiremore general paths, with loops: a walk
How to compute a shortest route
through a waypoint?
![Page 22: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/22.jpg)
Routing or “Walking” Through Waypoints:A Deep Combinatorial Problem
s
❏ Computing shortest routes through waypointsis non-trivial!
wt
Greedy fails: choose shortest path from s to w…
![Page 23: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/23.jpg)
Routing or “Walking” Through Waypoints:A Deep Combinatorial Problem
s
wt
Greedy fails: … now need long path from w to t
❏ Computing shortest routes through waypointsis non-trivial!
![Page 24: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/24.jpg)
Routing or “Walking” Through Waypoints:A Deep Combinatorial Problem
s
wt
Greedy fails: … now need long path from w to t
Total length: 2+6=8
❏ Computing shortest routes through waypointsis non-trivial!
![Page 25: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/25.jpg)
Routing or “Walking” Through Waypoints:A Deep Combinatorial Problem
s
wt
A better solution: jointly optimize the two segments!
Total length: 4+2=6
❏ Computing shortest routes through waypointsis non-trivial!
![Page 26: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/26.jpg)
❏ Related to the 2-disjoint path problem: NP-hard on directed networks…
❏ … so is routing via a single waypoint!
Routing or “Walking” Through Waypoints:A Deep Combinatorial Problem
s1
s2
t1
t2
Why?
![Page 27: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/27.jpg)
Routing or “Walking” Through Waypoints:A Deep Combinatorial Problem
s1
s2
t1
t2
w
Reduction: From joint shortest paths (s1,t1),(s2,t2)
to shortest walk (s,w,t) problem
![Page 28: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/28.jpg)
Routing or “Walking” Through Waypoints:A Deep Combinatorial Problem
s1
s2
t1
t2
w
•Reduction: To find shortest paths (s1,t1), (s2,t2), introduce waypoint w and connect t1 to s2
via w….
Reduction: From joint shortest paths (s1,t1),(s2,t2)
to shortest walk (s,w,t) problem
![Page 29: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/29.jpg)
Routing or “Walking” Through Waypoints:A Deep Combinatorial Problem
s1
s2
t1
t2
w
•Reduction: To find shortest paths (s1,t1), (s2,t2), introduce waypoint w and connect t1 to s2
via w….
Reduction: From joint shortest paths (s1,t1),(s2,t2)
to shortest walk (s,w,t) problem
… and ask for shortest waypoint route (s1,w,t2)
![Page 30: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/30.jpg)
Routing or “Walking” Through Waypoints:A Deep Combinatorial Problem
s1
s2
t1
t2
w
•Reduction: To find shortest paths (s1,t1), (s2,t2), introduce waypoint w and connect t1 to s2
via w….
Reduction: From joint shortest paths (s1,t1),(s2,t2)
to shortest walk (s,w,t) problem
… and ask for shortest waypoint route (s1,w,t2)
Walk (s1,w,t2) walk defines a (s1,t1) and a (s2,t2) path pair before/after the
waypoint! Solves original problem: Contradiction!
![Page 31: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/31.jpg)
What about waypoint routes on undirected networks?
![Page 32: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/32.jpg)
❏ Reduction from disjoint paths no longer works: disjointpaths problem not NP-hard on undirected networks❏ Feasible paths can be computed: still a very deep problem
❏ Shortest paths: recent breakthrough (polytime randomized algorithm)
❏ Indeed, algorithm exists: We can reduce to edge-disjoint paths to compute a waypoint route!
What about waypoint routes on undirected networks?
•How?
![Page 33: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/33.jpg)
❏ Reduction from disjoint paths no longer works: disjointpaths problem not NP-hard on undirected networks❏ Feasible paths can be computed: still a very deep problem
❏ Shortest paths: recent breakthrough (polytime randomized algorithm)
❏ Indeed, algorithm exists: We can reduce to edge-disjoint paths to compute a waypoint route!
What about waypoint routes on undirected networks?
s tw s tw22
Walks Edge-Disjoint Paths
•Replace capacitated links with parallel links!
•Shortest paths (s,w),(w,t) will give shortest (s,w,t) path!
![Page 34: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/34.jpg)
❏ Suurballe’s algorithm: finds two shortest paths betweensame endpoints:
We Can Do Even Faster Waypoint Routing on Undirected Networks: Suurballe’s Algorithm
ts
![Page 35: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/35.jpg)
❏ Suurballe’s algorithm: finds two shortest paths betweensame endpoints:
We Can Do Even Faster Waypoint Routing on Undirected Networks: Suurballe’s Algorithm
ts
•How to compute a shortest (s,w,t) route with this algorithm??
![Page 36: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/36.jpg)
❏ Reduction to Suurballe’s algorithm:
t
s
wG
Waypoint Routing on Steroids
•To find shortest (s,w,t) route…
![Page 37: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/37.jpg)
❏ Reduction to Suurballe’s algorithm:
t
s
wS+ T+
G
Waypoint Routing on Steroids
•… connect S+ to s and t, and w to T+…
![Page 38: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/38.jpg)
❏ Reduction to Suurballe’s algorithm:
t
s
wS+ T+
G
Waypoint Routing on Steroids
•… ask Suurballe for 2 disjoint paths from S+ to T+…
![Page 39: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/39.jpg)
❏ Reduction to Suurballe’s algorithm:
t
s
wG
Waypoint Routing on Steroids
•.. and hence also (s,w,t).
![Page 40: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/40.jpg)
❏ Remark 2: Suurballe is for directed graphs, so needgadget to transform problem in right form:
y
x
u v u v
❏ Remark 3: Suurballe: vertex disjoint❏ Suurballe & Tarjan: edge disjoint
Remarks: Under the rug…
❏ Remark 1: We have not talked about directions but doesnot matter on undirected graph
![Page 41: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/41.jpg)
❏ Remark 2: Suurballe is for directed graphs, so needgadget to transform problem in right form:
y
x
u v u v
❏ Remark 3: Suurballe: vertex disjoint❏ Suurballe & Tarjan: edge disjoint
Remarks: Under the rug…
❏ Remark 1: We have not talked about directions but doesnot matter on undirected graph
Conclusion: exploiting traffic engineering flexibilities is non-trivial!
![Page 42: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/42.jpg)
Further Reading
Charting the Complexity Landscape of Waypoint RoutingSaeed Akhoondian Amiri, Klaus-Tycho Foerster, Riko Jacob, and Stefan Schmid. ArXiv Technical Report, May 2017.
![Page 43: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/43.jpg)
Next claim: Can use SDN+NV tomake bandwidth reservationsand get predictable network
performance!
![Page 44: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/44.jpg)
Predictable Performance: About More Than Bandwidth Reservations!
![Page 45: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/45.jpg)
Predictable Performance: About More Than Bandwidth Reservations!
vSDN-2 vSDN-2 vSDN-2
vSDN-1vSDN-1vSDN-1
An Experiment: 2 vSDNs with bw guarantee!
![Page 46: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/46.jpg)
SDN Network Hypervisor
vSDN-1
controller
vSDN-2
controller
vSDN-2 vSDN-2 vSDN-2
vSDN-1vSDN-1vSDN-1
To enable multi-tenancy, need network hypervisor:
provides networkabstraction and control
plane translation!
Predictable Performance: About More Than Bandwidth Reservations!
An Experiment: 2 vSDNs with bw guarantee!
![Page 47: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/47.jpg)
SDN Network Hypervisor
vSDN-1
controller
vSDN-2
controller
vSDN-2 vSDN-2 vSDN-2
1 packet-in
vSDN-1vSDN-1vSDN-1
2 translate
packet-in
3 packet-in4 flow-mod
5 packet-out
7 flow-mod
8 packet-out
6 translate
7 flow-mod7 flow-mod
Intercepts controlplane messages.
Predictable Performance: About More Than Bandwidth Reservations!
An Experiment: 2 vSDNs with bw guarantee!
![Page 48: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/48.jpg)
Predictable Performance: About More Than Bandwidth Reservations!
SDN Network Hypervisor
vSDN-1
controller
vSDN-2
controller
vSDN-2 vSDN-2 vSDN-2
1 packet-in
vSDN-1vSDN-1vSDN-1
2 translate
packet-in
3 packet-in4 flow-mod
5 packet-out
7 flow-mod
8 packet-out
6 translate
7 flow-mod7 flow-mod
Translation could include,
e.g., switchDPID, port
numbers, …
Translation could include,
e.g., switchDPID, port
numbers, …
An Experiment: 2 vSDNs with bw guarantee!
![Page 49: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/49.jpg)
SDN Network Hypervisor
vSDN-1
controller
vSDN-2
controller
vSDN-2 vSDN-2 vSDN-2
1 packet-in
vSDN-1vSDN-1vSDN-1
2 translate
packet-in
3 packet-in4 flow-mod
5 packet-out
7 flow-mod
8 packet-out
6 translate
7 flow-mod7 flow-mod
The network hypervisor can be source of unpredictable performance!
Predictable Performance: About More Than Bandwidth Reservations!
An Experiment: 2 vSDNs with bw guarantee!
![Page 50: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/50.jpg)
SDN Network Hypervisor
vSDN-1
controller
vSDN-2
controller
vSDN-2 vSDN-2 vSDN-2
1 packet-in
vSDN-1vSDN-1vSDN-1
2 translate
packet-in
3 packet-in4 flow-mod
5 packet-out
7 flow-mod
8 packet-out
6 translate
7 flow-mod7 flow-mod
Experiment: web latency dependson hypervisor CPU load!
Predictable Performance: About More Than Bandwidth Reservations!
![Page 51: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/51.jpg)
Performance also dependson hypervisor type…
(multithreaded or not, which versionof Nagle’s algorithm, etc.)
What you need to know about yournetwork hypervisor!
… number of tenants…
![Page 52: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/52.jpg)
Performance also dependson hypervisor type…
(multithreaded or not, which versionof Nagle’s algorithm, etc.)
What you need to know about yournetwork hypervisor!
… number of tenants…
Conclusion: for predictable performance, need to account for all resources!
![Page 53: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/53.jpg)
Further Reading
Logically Isolated, Actually Unpredictable? Measuring HypervisorPerformance in Multi-Tenant SDNsArsany Basta, Andreas Blenk, Wolfgang Kellerer, and Stefan Schmid.ArXiv Technical Report, May 2017.
![Page 54: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/54.jpg)
Ctrl
Control
Programs
Control
ProgramsApplications and
Control Plane
… and regardingdecoupling / inter-
connect!
Data Plane
Algorithmic Problems in SDNs
Let’s talk aboutthe decoupling
next!
![Page 55: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/55.jpg)
Ctrl
Control
Programs
Control
ProgramsApplications and
Control Plane
… and regardingdecoupling / inter-
connect!
Data Plane
Algorithmic Problems in SDNs
Claim: Outsourcing and consolidating the control
simplifies network managementand operation.
![Page 56: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/56.jpg)
❏ Fundamental networking task: MAC learning❏ Flood packets sent to unknown destinations
❏ Learn host’s location when it sends packets
❏ Example❏ h1 sends to h2:
h1
h2h3
Thanks to Jennifer Rexford for example!
Challenge 1: Controller may miss events
![Page 57: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/57.jpg)
❏ Fundamental networking task: MAC learning❏ Flood packets sent to unknown destinations
❏ Learn host’s location when it sends packets
❏ Example❏ h1 sends to h2:
flood h1
h2h3
Thanks to Jennifer Rexford for example!
1
23
Challenge 1: Controller may miss events
![Page 58: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/58.jpg)
h1
h2h3
Thanks to Jennifer Rexford for example!
1
23
❏ Fundamental networking task: MAC learning❏ Flood packets sent to unknown destinations
❏ Learn host’s location when it sends packets
❏ Example❏ h1 sends to h2:
flood, learn (h1,p1)
Challenge 1: Controller may miss events
![Page 59: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/59.jpg)
❏ Fundamental networking task: MAC learning❏ Flood packets sent to unknown destinations
❏ Learn host’s location when it sends packets
❏ Example❏ h1 sends to h2:
flood, learn (h1,p1)
❏ h3 sends to h1:
forward to p1
h1
h2h3
Thanks to Jennifer Rexford for example!
1
23
Challenge 1: Controller may miss events
![Page 60: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/60.jpg)
❏ Fundamental networking task: MAC learning❏ Flood packets sent to unknown destinations
❏ Learn host’s location when it sends packets
❏ Example❏ h1 sends to h2:
flood, learn (h1,p1)
❏ h3 sends to h1:
forward to p1, learn (h3,p3)
h1
h2h3
Thanks to Jennifer Rexford for example!
1
23
Challenge 1: Controller may miss events
![Page 61: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/61.jpg)
h1
h2h3
Thanks to Jennifer Rexford for example!
1
23
❏ Fundamental networking task: MAC learning❏ Flood packets sent to unknown destinations
❏ Learn host’s location when it sends packets
❏ Example❏ h1 sends to h2:
flood, learn (h1,p1)
❏ h3 sends to h1:
forward to p1, learn (h3,p3)
❏ h1 sends to h3:
forward to p3
Challenge 1: Controller may miss events
![Page 62: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/62.jpg)
h1
h2h3
Thanks to Jennifer Rexford for example!
1
23
❏ Fundamental networking task: MAC learning❏ Flood packets sent to unknown destinations
❏ Learn host’s location when it sends packets
❏ Example❏ h1 sends to h2:
flood, learn (h1,p1)
❏ h3 sends to h1:
forward to p1, learn (h3,p3)
❏ h1 sends to h3:
forward to p3
Controller
Now: how to do via controller?
Challenge 1: Controller may miss events
![Page 63: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/63.jpg)
Example: SDN MAC Learning Done Wrong
❏ Initial rule *: Send everything to controller
h1
h2h3
1
23
Controller
OpenFlow
switch
![Page 64: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/64.jpg)
Example: SDN MAC Learning Done Wrong
❏ Initial rule *: Send everything to controller
h1
h2h3
1
23
Controller
OpenFlow
switch
❏ What happens when h1 sends to h2?
![Page 65: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/65.jpg)
Example: SDN MAC Learning Done Wrong
❏ Initial rule *: Send everything to controller
h1
h2h3
1
23
Controller
❏ What happens when h1 sends to h2?
❏ Controller learns that h1@p1 and floods
OpenFlow
switch
![Page 66: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/66.jpg)
Example: SDN MAC Learning Done Wrong
❏ Initial rule *: Send everything to controller
h1
h2h3
1
23
Controller
❏ What happens when h1 sends to h2?
❏ Controller learns that h1@p1 and floods
OpenFlow
switch
h1 sends to h2
![Page 67: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/67.jpg)
Example: SDN MAC Learning Done Wrong
❏ Initial rule *: Send everything to controller
h1 sends to h2
h1
h2h3
1
23
Controller
❏ What happens when h2 sends to h1?
OpenFlow
switch
![Page 68: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/68.jpg)
Example: SDN MAC Learning Done Wrong
❏ Initial rule *: Send everything to controller
h1 sends to h2
h1
h2h3
1
23
Controller
❏ What happens when h2 sends to h1?
❏ Switch knows destination: message forwarded to h1
OpenFlow
switch
![Page 69: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/69.jpg)
Example: SDN MAC Learning Done Wrong
❏ Initial rule *: Send everything to controller
h1 sends to h2
h1
h2h3
1
23
Controller
❏ What happens when h2 sends to h1?
❏ Switch knows destination: message forwarded to h1
❏ BUT: No controller interaction, no new rule for h2
OpenFlow
switch
![Page 70: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/70.jpg)
Example: SDN MAC Learning Done Wrong
❏ Initial rule *: Send everything to controller
h1 sends to h2
h1
h2h3
1
23
Controller
❏ What happens when h2 sends to h1?
❏ Switch knows destination: message forwarded to h1
❏ BUT: No controller interaction, no new rule for h2
❏ What happens when h3 sends to h2?
OpenFlow
switch
![Page 71: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/71.jpg)
Example: SDN MAC Learning Done Wrong
❏ Initial rule *: Send everything to controller
h1 sends to h2
h1
h2h3
1
23
Controller
❏ What happens when h2 sends to h1?
❏ Switch knows destination: message forwarded to h1
❏ BUT: No controller interaction, no new rule for h2
❏ What happens when h3 sends to h2?
❏ Flooded! Controller did not put the rule to h2.
OpenFlow
switch
![Page 72: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/72.jpg)
Example: SDN MAC Learning Done Wrong
❏ Initial rule *: Send everything to controller
h1 sends to h2
h1
h2h3
1
23
Controller
❏ What happens when h2 sends to h1?
❏ Switch knows destination: message forwarded to h1
❏ BUT: No controller interaction, no new rule for h2
❏ What happens when h3 sends to h2?
❏ Flooded! Controller did not put the rule to h2!
Controller however does learn about h3. BUT NOW: Future communications fromh2 to h3 missed by controller too: noopportunity to learn about h2, so futurerequests to h2 flooded as well?!?
OpenFlow
switch
![Page 73: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/73.jpg)
Ctrl
Control
Programs
Control
ProgramsApplications and
Control Plane
… and regardingdecoupling / inter-
connect!
Data Plane
Algorithmic Problems in SDNs
Let’s talk aboutthe decoupling
next!
![Page 74: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/74.jpg)
Ctrl
Control
Programs
Control
ProgramsApplications and
Control Plane
… and regardingdecoupling / inter-
connect!
Data Plane
Algorithmic Problems in SDNs
Claim: Outsourcing and consolidating the control
simplifies network managementand operation.
![Page 75: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/75.jpg)
Ctrl
Control
Programs
Control
ProgramsApplications and
Control Plane
… and regardingdecoupling / inter-
connect!
Data Plane
Algorithmic Problems in SDNs
Challenge 2: Consistent network
updates!
He et al., ACM SOSR 2015:
without network latency
Asynchronous!
![Page 76: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/76.jpg)
untrusted
hoststrusted
hosts
Controller Platform
Challenge 2: Route UpdatesWhat can possibly go wrong?
Invariant: Traffic from untrusted hosts to trusted hosts via firewall!
![Page 77: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/77.jpg)
untrusted
hoststrusted
hosts
Controller Platform
Invariant: Traffic from untrusted hosts to trusted hosts via firewall!
In virtual networks: Not necessarily deployed at edge!
Challenge 2: Route UpdatesWhat can possibly go wrong?
![Page 78: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/78.jpg)
Problem 1: Bypassed Waypoint
insecure
Internetsecure
zone
Controller Platform
Invariant: Traffic from untrusted hosts to trusted hosts via firewall!
![Page 79: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/79.jpg)
Problem 2: Transient Loop
insecure
Internetsecure
zone
Controller Platform
Invariant: Traffic from untrusted hosts to trusted hosts via firewall!
![Page 80: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/80.jpg)
Tagging: A Universal Solution?
tag blue
redred
blue
blue
new route
❏ Old route: red
❏ New route: blue
❏ 2-Phase Update:
❏ Install blue flowrules internally
❏ Flip tag at ingressports
old route
tag red
Reitblatt et al. Abstractions for Network Update, ACM SIGCOMM 2012.
![Page 81: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/81.jpg)
Tagging: A Universal Solution?
tag blue
redred
blue
blue
new route
❏ Old route: red
❏ New route: blue
❏ 2-Phase Update:
❏ Install blue flowrules internally
❏ Flip tag at ingressports
old route
tag red
Where to tag? Header space? Overhead!
Time till new link becomes available!
Reitblatt et al. Abstractions for Network Update, ACM SIGCOMM 2012.
Cost of extra rules!
![Page 82: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/82.jpg)
Tagging: A Universal Solution?
tag blue
redred
blue
blue
new route
❏ Old route: red
❏ New route: blue
❏ 2-Phase Update:
❏ Install blue flowrules internally
❏ Flip tag at ingressports
old route
tag red
Cost of extra rules!
Where to tag? Header space? Overhead!
Time till new link becomes available!
Reitblatt et al. Abstractions for Network Update, ACM SIGCOMM 2012.
Possible solution without tagging, and at least preserve weaker consistency properties?
![Page 83: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/83.jpg)
Idea: Schedule Subsets of Nodes!
Idea: Schedule safe update subsets in multiple rounds!
Packet may take a mix of old and new path, as long as, e.g., Loop-Freedom (LF) and Waypoint Enforcement(WPE) are fulfilled
Controller Platform
Controller Platform
Round 1
Round 2
…
![Page 84: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/84.jpg)
Idea: Schedule Subsets of Nodes!
Idea: Schedule safe update subsets in multiple rounds!
Packet may take a mix of old and new path, as long as, e.g., Loop-Freedom (LF) and Waypoint Enforcement(WPE) are fulfilled
Controller Platform
Controller Platform
Round 1
Round 2
…
How to be sure?
![Page 85: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/85.jpg)
Going Back to Our Examples: LF Update
insecure
Internet
secure
zone
![Page 86: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/86.jpg)
Going Back to Our Examples: LF Update
insecure
Internet
secure
zone
insecure
Internet
secure
zone
insecure
Internet
secure
zone
R1:
R2:
![Page 87: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/87.jpg)
Going Back to Our Examples: LF Update
insecure
Internet
secure
zone
insecure
Internet
secure
zone
insecure
Internet
secure
zone
R1:
R2:
Forward edges(wrt old policy)! Always safe.
Backwardedge: risky!
![Page 88: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/88.jpg)
Going Back to Our Examples: LF Update
insecure
Internet
secure
zone
insecure
Internet
secure
zone
insecure
Internet
secure
zone
R1:
R2:LF ok! But: WPE violated in Round 1!
Forward edges(wrt old policy)! Always safe.
Backwardedge: risky!
![Page 89: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/89.jpg)
Going Back to Our Examples: WPE Update
insecure
Internet
secure
zone
![Page 90: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/90.jpg)
Going Back to Our Examples: WPE Update
insecure
Internet
secure
zone
insecure
Internet
secure
zone
insecure
Internet
secure
zone
R1:
R2:
Don’t cross thewaypoint: safe!
![Page 91: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/91.jpg)
Going Back to Our Examples: WPE Update
insecure
Internet
secure
zone
insecure
Internet
secure
zone
insecure
Internet
secure
zone
R1:
R2:… ok but may violate LF in Round 1!
Don’t cross thewaypoint: safe!
![Page 92: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/92.jpg)
Going Back to Our Examples: Both WPE+LF?
insecure
Internet
secure
zone
![Page 93: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/93.jpg)
Going Back to Our Examples: WPE+LF!
insecure
Internet
secure
zone
insecure
Internet
secure
zone
R1:
R2:
insecure
Internet
secure
zoneR3:
![Page 94: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/94.jpg)
Going Back to Our Examples: WPE+LF!
insecure
Internet
secure
zone
insecure
Internet
secure
zone
R1:
R2:
insecure
Internet
secure
zoneR3:Is there always a WPE+LF schedule?
![Page 95: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/95.jpg)
What about this one?
![Page 96: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/96.jpg)
LF and WPE may conflict!
❏ Cannot update any forward edge in R1: WP
❏ Cannot update any backward edge in R1: LF
No schedule exists!
Resort to tagging…
![Page 97: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/97.jpg)
What about this one?
![Page 98: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/98.jpg)
NP-Hard!
1
1
Bad news: Even decidability hard: cannot quickly test feasibility and ifinfeasible resort to say, tagging solution!
Open question: very artificial? Under which circumstances poly-time?
To update or not to update in the first round?
That is the question… leading to NP-hardness!
Also an example that greedy can be bad.
We don’t know!
![Page 99: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/99.jpg)
Let us focus on loop-freedom only:always possible in n rounds! How?
![Page 100: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/100.jpg)
Let us focus on loop-freedom only:always possible in n rounds! How?
1
From the destination! Invariant: path suffix updated!
![Page 101: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/101.jpg)
Let us focus on loop-freedom only:always possible in n rounds! How?
12
From the destination! Invariant: path suffix updated!
![Page 102: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/102.jpg)
Let us focus on loop-freedom only:always possible in n rounds! How?
12
3
From the destination! Invariant: path suffix updated!
![Page 103: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/103.jpg)
Let us focus on loop-freedom only:always possible in n rounds! How?
1
From the destination! Invariant: path suffix updated!
2
34
5
6
![Page 104: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/104.jpg)
Let us focus on loop-freedom only:always possible in n rounds! How?
1
From the destination! Invariant: path suffix updated!
2
34
5
6
![Page 105: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/105.jpg)
But how to minimize # rounds?
![Page 106: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/106.jpg)
But how to minimize # rounds?
2 rounds easy, 3 rounds NP-hard. Let’s take it offline!
![Page 107: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/107.jpg)
What about capacity constraints?
1
2
2
1 1
1
1
w
s t
u v
![Page 108: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/108.jpg)
What about capacity constraints?
1
2
2
1 1
1
1
Flow 1
w
s t
u v
![Page 109: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/109.jpg)
What about capacity constraints?
1
2
2
1 1
1
1
Flow 1
Flow 2Can you find an update schedule?
w
s t
u v
e.g., cannot update red: congestion!
![Page 110: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/110.jpg)
What about capacity constraints?
1
2
2
1 1
1
1
Schedule:1. red@w,blue@u,blue@v
w
s t
u v
1 1
1
Round 1: prepare
No flow! No flow!
No flow!
![Page 111: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/111.jpg)
What about capacity constraints?
1
2
2
1 1
1
1
Schedule:1. red@w,blue@u,blue@v
w
s t
u v
1 1
1
2. blue@s
2
Round 2
flow! No flow!
No flow!
![Page 112: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/112.jpg)
What about capacity constraints?
1
2
2
1 1
1
1
Schedule:1. red@w,blue@u,blue@v
w
s t
u v
1 1
1
2. blue@s
2
3. red@sRound 3
Capacity 2: ok!
3
No flow!
![Page 113: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/113.jpg)
What about capacity constraints?
1
2
2
1 1
1
1
Schedule:1. red@w,blue@u,blue@v
w
s t
u v
1 1
1
2. blue@s
2
3. red@sRound 4
Capacity 2: ok!
3
4
4. blue@w
![Page 114: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/114.jpg)
What about capacity constraints?
1
2
2
1 1
1
1
Schedule:1. red@w,blue@u,blue@v
w
s t
u v
1 1
1
2. blue@s
2
3. red@sRound 4
3
4
4. blue@w
Note: this (non-trivial) example was just a DAG,
without loops!
![Page 115: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/115.jpg)
Block Decomposition of DAGs
1
2
2
1 1
1
1
Flow 1
Flow 2
Block for a given flow: subgraph between two
consecutive nodes whereold and new route meet. w
s t
u v
![Page 116: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/116.jpg)
Block Decomposition of DAGs
1
2
2
1 1
1
1
Block for a given flow: subgraph between two
consecutive nodes whereold and new route meet. w
s t
u v
Just one red block: r1
r1
![Page 117: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/117.jpg)
Block Decomposition of DAGs
1
2
2
1 1
1
1
Block for a given flow: subgraph between two
consecutive nodes whereold and new route meet. w
s t
u v
Two blue blocks: b1 and b2
b1 b2
![Page 118: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/118.jpg)
Block Decomposition of DAGs
1
2
2
1 1
1
1
Block for a given flow: subgraph between two
consecutive nodes whereold and new route meet. w
s t
u v
Dependencies: update b2 after r1 after b1.
b1 b2r1
![Page 119: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/119.jpg)
Algorithms and Properties
❏ For k=2 flows❏ Using dependency graph of DAG block decomposition:
feasible update exists if and only if cycle-free dependency
❏ Also directly yields optimal number of rounds!
❏ For general k flows❏ Harder: We need a weaker notion of dependency graph
❏ Only feasibility for constant k in polynomial-time
❏ For general k, NP-hard
❏ Not much more is known so far❏ NP-hard on general networks already for 2 flows
![Page 120: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/120.jpg)
Further Reading
Scheduling Loop-free Network Updates: It's Good to Relax!Arne Ludwig, Jan Marcinkowski, and Stefan Schmid.ACM Symposium on Principles of Distributed Computing (PODC), Donostia-San Sebastian, Spain, July 2015.
Transiently Secure Network UpdatesArne Ludwig, Szymon Dudycz, Matthias Rost, and Stefan Schmid.42nd ACM SIGMETRICS, Antibes Juan-les-Pins, France, June 2016.
Can't Touch This: Consistent Network Updates for Multiple PoliciesSzymon Dudycz, Arne Ludwig, and Stefan Schmid.46th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Toulouse, France, June 2016.
Congestion-Free Rerouting of Flows on DAGsSaeed Akhoondian Amiri, Szymon Dudycz, Stefan Schmid, and Sebastian Wiederrecht. ArXiv Technical Report, November 2016.
![Page 121: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/121.jpg)
Ctrl
Control
Programs
Control
ProgramsApplications and
Control Plane
… and regardingdecoupling / inter-
connect!
Data Plane
Algorithmic Problems in SDNs
![Page 122: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/122.jpg)
Ctrl
Control
Programs
Control
ProgramsApplications and
Control Plane
… and regardingdecoupling / inter-
connect!
Data Plane
Algorithmic Problems in SDNs
Claim: SDN allows for muchsimpler data plane logic.
![Page 123: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/123.jpg)
Ctrl
Control
Programs
Control
ProgramsApplications and
Control Plane
… and regardingdecoupling / inter-
connect!
Data Plane
Algorithmic Problems in SDNs
But somefunctionality
should stay in data plane, e.g.?
![Page 124: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/124.jpg)
Should Stay in Data Plane: Local Fast Failover
Ctrl
OpenFlow supportspreconfigured
failover rules: First line of defense. Via controller too slow!
![Page 125: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/125.jpg)
Should Stay in Data Plane: Local Fast Failover
Ctrl
The Crux: How to define conditional rules which have local failure knowledge only?
OpenFlow supportspreconfigured
failover rules: First line of defense. Via controller too slow!
![Page 126: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/126.jpg)
1
2
3
4
6
5
The network:
Local Fast Failover
![Page 127: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/127.jpg)
1
2
3
4
6
5
Without failures!
Traffic demand:{1,2,3}->6
Local Fast Failover
![Page 128: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/128.jpg)
1
2
3
4
6
5
Traffic demand:{1,2,3}->6
Local Fast Failover
![Page 129: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/129.jpg)
1
2
3
4
6
5
Traffic demand:{1,2,3}->6
Local failover @1:Does not know failures
downstream!
Local Fast Failover
![Page 130: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/130.jpg)
1
2
3
4
6
5
Traffic demand:{1,2,3}->6
Local failover @1:Does not know failures
downstream!
Local Fast FailoverFailover table:flow 1->6: 2,3,4,5,…
![Page 131: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/131.jpg)
1
2
3
4
6
5
Traffic demand:{1,2,3}->6
Local failover @1:Reroute to 2!
Local Fast FailoverFailover table:flow 1->6: 2,3,4,5,…
Failover table:flow 1->6: 2,3,4,5,…
![Page 132: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/132.jpg)
1
2
3
4
6
5
Traffic demand:{1,2,3}->6
But also from 2: 6 not reachable.
Next: 3.
Local Fast FailoverFailover table:flow 1->6: 2,3,4,5,…
Failover table:flow 1->6: 2,3,4,5,…
Failover table:flow 1->6: 2,3,4,5,…
![Page 133: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/133.jpg)
1
2
3
4
6
5
Traffic demand:{1,2,3}->6
Finally, 6 can be reached!
Local Fast FailoverFailover table:flow 1->6: 2,3,4,5,…
Failover table:flow 1->6: 2,3,4,5,…
Failover table:flow 1->6: 2,3,4,5,…
![Page 134: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/134.jpg)
1
2
3
4
6
5
Traffic demand:{1,2,3}->6
Similarly for the other two flows.
Local Fast FailoverFailover table:flow 1->6: 2,3,4,5,…
Failover table:flow 1->6: 2,3,4,5,…flow 2->6: 3,4,5,…
Failover table:flow 1->6: 2,3,4,5,…flow 2->6: 3,4,5,…flow 3->6: 4,5,…
![Page 135: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/135.jpg)
1
2
3
4
6
5
Traffic demand:{1,2,3}->6
Max load:3
Local Fast Failover
![Page 136: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/136.jpg)
1
2
3
4
6
5
Traffic demand:{1,2,3}->6
A better solution:load 2
Local Fast Failover
![Page 137: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/137.jpg)
1
2
3
4
6
5
Traffic demand:{1,2,3}->6
A better solution:load 2
Local Fast FailoverFailover table:flow 1->6: 2,5,…
Failover table:flow 1->6: 2,5, …flow 2->6: 3,4,5,…
Failover table:flow 1->6: 2,5, …flow 2->6: 3,4,5,…flow 3->6: 4,5,…
![Page 138: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/138.jpg)
1
2
3
4
6
5
Traffic demand:{1,2,3}->6
A better solution:load 2
Local Fast FailoverFailover table:flow 1->6: 2,5,…
Failover table:flow 1->6: 2,5, …flow 2->6: 3,4,5,…
Failover table:flow 1->6: 2,5, …flow 2->6: 3,4,5,…flow 3->6: 4,5,…
Tables statically defined, without global failure
knowledge: a local algorithmwithout communication!
![Page 139: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/139.jpg)
1
2
3
4
6
5
Traffic demand:{1,2,3}->6
A better solution:load 2
Local Fast FailoverFailover table:flow 1->6: 2,5,…
Failover table:flow 1->6: 2,5, …flow 2->6: 3,4,5,…
Failover table:flow 1->6: 2,5, …flow 2->6: 3,4,5,…flow 3->6: 4,5,…
In order to load balance: prefixes of rows should be
different!
![Page 140: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/140.jpg)
1
2
3
4
6
5
Traffic demand:{1,2,3}->6
A better solution:load 2
Local Fast FailoverFailover table:flow 1->6: 2,5,…
Failover table:flow 1->6: 2,5, …flow 2->6: 3,4,5,…
Failover table:flow 1->6: 2,5, …flow 2->6: 3,4,5,…flow 3->6: 4,5,…
Bad news (intriguing!): High load unavoidable even in well-connected residual networks: a price of locality.
Given L failures, load at least √L, although network still highly connected (n-L connected). E.g., L=n/2, load
could be 2 still, but due to locality at least √n.
![Page 141: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/141.jpg)
1
2
3
4
6
5
Traffic demand:{1,2,3}->6
A better solution:load 2
Local Fast FailoverFailover table:flow 1->6: 2,5,…
Failover table:flow 1->6: 2,5, …flow 2->6: 3,4,5,…
Failover table:flow 1->6: 2,5, …flow 2->6: 3,4,5,…flow 3->6: 4,5,…
Good news: Theory of local algorithms withoutcommunication: symmetric block design theory.
Bad news (intriguing!): High load unavoidable even in well-connected residual networks: a price of locality.
Given L failures, load at least √L, although network still highly connected (n-L connected). E.g., L=n/2, load
could be 2 still, but due to locality at least √n.
![Page 142: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/142.jpg)
1
2
3
4
6
5
Traffic demand:{1,2,3}->6
A better solution:load 2
Local Fast FailoverFailover table:flow 1->6: 2,5,…
Failover table:flow 1->6: 2,5, …flow 2->6: 3,4,5,…
Failover table:flow 1->6: 2,5, …flow 2->6: 3,4,5,…flow 3->6: 4,5,…
Good news: Theory of local algorithms withoutcommunication: symmetric block design theory.
Bad news (intriguing!): High load unavoidable even in well-connected residual networks: a price of locality.
Given L failures, load at least √L, although network still highly connected (n-L connected). E.g., L=n/2, load
could be 2 still, but due to locality at least √n.
What about multihop networks? See Chiesa et al.
![Page 143: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/143.jpg)
Further Reading
How (Not) to Shoot in Your Foot with SDN Local Fast Failover: A Load-Connectivity TradeoffMichael Borokhovich and Stefan Schmid.17th International Conference on Principles of Distributed Systems (OPODIS), Nice, France, Springer LNCS, December 2013.
Load-Optimal Local Fast Rerouting for Dependable NetworksYvonne-Anne Pignolet, Stefan Schmid, and Gilles Tredan.47th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Denver, Colorado, USA, June 2017.
![Page 144: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/144.jpg)
Ctrl
Control
Programs
Control
ProgramsApplications and
Control Plane
… and regardingdecoupling / inter-
connect!
Data Plane
Algorithmic Problems in SDNs
One wordabout control
plane…
![Page 145: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/145.jpg)
Ctrl
Control
Programs
Control
ProgramsApplications and
Control Plane
… and regardingdecoupling / inter-
connect!
Data Plane
Algorithmic Problems in SDNs
Claim: SDN introduces manyflexibilities in how control planes
can be designed.
![Page 146: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/146.jpg)
Ctrl Ctrl Ctrl
Ctrl
One for all…
Ctrl
Ctrl
CtrlCtrl
Ctrl
… one for each…
… anything between.
![Page 147: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/147.jpg)
Ctrl Ctrl Ctrl
Ctrl
One for all…
Ctrl
Ctrl
CtrlCtrl
Ctrl
… one for each…
… anything between.
What can becomputed locally?
E.g., to prolong lifetimeof routers with restricted
memory: cache onlyheavy hitters!
E.g., shortest paths: global problem
![Page 148: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/148.jpg)
❏ Some insights from distributed computing are handy: but come in a new light!
❏ But finding right level of locality is non-trivial: tradeoff between inter-controller communication and quality of solution
❏ E.g., in load balancing
Challenge: Right Level of Locality?
Points ofpresence
Customer sites
Primary links
![Page 149: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/149.jpg)
Further Reading
A Distributed and Robust SDN Control Plane for TransactionalNetwork UpdatesMarco Canini, Petr Kuznetsov, Dan Levin, and Stefan Schmid.34th IEEE Conference on Computer Communications (INFOCOM), Hong Kong, April 2015.
Exploiting Locality in Distributed SDN ControlStefan Schmid and Jukka Suomela.ACM SIGCOMM Workshop on Hot Topics in Software DefinedNetworking (HotSDN), Hong Kong, China, August 2013.
![Page 150: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/150.jpg)
Challenge: Right Level of Locality?
❏ Also: how to manage switches inband?
Ctrl
Ctrl
unmanaged!
![Page 151: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/151.jpg)
Further Reading
Medieval: Towards A Self-Stabilizing, Plug & Play, In-Band SDN Control Network (Demo Paper)Liron Schiff, Stefan Schmid, and Marco Canini.ACM Sigcomm Symposium on SDN Research (SOSR), Santa Clara, California, USA, June 2015.
![Page 152: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/152.jpg)
Ctrl
Control
Programs
Control
Programs
Let’s talk about security!
![Page 153: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/153.jpg)
Ctrl
Control
Programs
Control
Programs
Let’s talk about security!
In particular: malicious switches
(less studied).
![Page 154: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/154.jpg)
Ctrl
Control
Programs
Control
Programs
Let’s talk about security!
In particular: malicious switches
(less studied).
Note: Governments etc. don’t have resources to build their own trusted hardware.
![Page 155: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/155.jpg)
Ctrl
Control
Programs
Control
Programs
Let’s talk about security!
The case for insecure dataplanes: many incidents
❏ Attackers have compromisedrouters
❏ Compromised routers aretraded underground
❏ Vendors have left backdoorsopen
❏ National security agenciescan bug network equipment
❏ …
![Page 156: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/156.jpg)
What a malicious switch could do:
1 drop/reroute/exfiltrate 2 mirror
3 modify 4 inject
![Page 157: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/157.jpg)
New attack vector:
❏ DoS on controller
❏ Harms availability
❏ E.g., force otherswitches into defaultbehavior
Ctrl
Control
Programs
Control
Programs
More and New Attacks in SDN
![Page 158: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/158.jpg)
Ctrl
Control
Programs
Control
Programs
❏ Idea: exploit controller tocommunicate information: «Teleportation»
Another New SDN Attack: Teleportation
![Page 159: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/159.jpg)
Ctrl
Control
Programs
Control
Programs
❏ Idea: exploit controller tocommunicate information: «Teleportation»
❏ Controller reacts to switchevents (packet-ins) by sendingflowmods/packet-outs/… etc.: can be exploited to transmitinformation
❏ E.g., in MAC learning: src MAC 0xBADDAD
❏ Can also modulate informationimplicitly (e.g., frequency ofpacketins)
❏ E.g.: covert communication, bypass firewall, coordinateattack
Another New SDN Attack: Teleportation
![Page 160: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/160.jpg)
Ctrl
Control
Programs
Control
Programs
❏ Idea: exploit controller tocommunicate information: «Teleportation»
❏ Controller reacts to switchevents (packet-ins) by sendingflowmods/packet-outs/… etc.: can be exploited to transmitinformation
❏ E.g., in MAC learning: src MAC 0xBADDAD
❏ Can also modulate informationimplicitly (e.g., frequency ofpacketins)
❏ E.g.: covert communication, bypass firewall, coordinateattack
Another New SDN Attack: TeleportationDifficult to detect: (1) The teleported information follows
the normal traffic pattern of control communication, indirectly between any switch and the controller. (2)
Teleportation channel is inside the typically encrypted OpenFlow channel. Cannot easily be detected with
modern IDS, even if they operate in the control plane.
![Page 161: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/161.jpg)
Ctrl
Control
Programs
Control
Programs
❏ Idea: exploit controller tocommunicate information: «Teleportation»
❏ Controller reacts to switchevents (packet-ins) by sendingflowmods/packet-outs/… etc.: can be exploited to transmitinformation
❏ E.g., in MAC learning: src MAC 0xBADDAD
❏ Can also modulate informationimplicitly (e.g., frequency ofpacketins)
❏ E.g.: covert communication, bypass firewall, coordinateattack
Another New SDN Attack: Teleportation
E.g., 2 switches try to use the same DPID, exploit pave
path technique, etc.
![Page 162: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/162.jpg)
Ctrl
Control
Programs
Control
Programs
Another Front: Virtualized Switches
Attack vector:
❏ The virtualized data plane
![Page 163: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/163.jpg)
Further Reading
Outsmarting Network Security with SDN TeleportationKashyap Thimmaraju, Liron Schiff, and Stefan Schmid.2nd IEEE European Symposium on Security and Privacy (EuroS&P), Paris, France, April 2017.
![Page 164: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/164.jpg)
Ctrl
Control
Programs
Control
Programs
Another Front: Virtualized Switches
Attack vector:
❏ The virtualized data plane
Background:
❏ Packet processing and other network functionsare more and morevirtualized
❏ E.g., runing on servers at the edge of the datacenter
❏ Example: OVS
Advantage:
❏ Cheap and performance ok!
❏ Fast and easydeployment
![Page 165: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/165.jpg)
Attack vector:
❏ The virtualized data plane
Background:
❏ Packet processing and other network functionsare more and morevirtualized
❏ E.g., runing on servers at the edge of the datacenter
❏ Example: OVS
Advantage:
❏ Cheap and performance ok!
❏ Fast and easy deployment
Ctrl
Control
Programs
Control
Programs
Security Challenges: Insecure Dataplane
New vulnerability: collocation. Switches
run with evelated (root) priviledges.
![Page 166: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/166.jpg)
Attack vector:
❏ The virtualized data plane
Background:
❏ Packet processing and other network functionsare more and morevirtualized
❏ E.g., runing on servers at the edge of the datacenter
❏ Example: OVS
Advantage:
❏ Cheap and performance ok!
❏ Fast and easy deployment
Ctrl
Control
Programs
Control
Programs
Security Challenges: Insecure Dataplane
New vulnerability: collocation. Switches
run with evelated (root) priviledges.
Collocated with e.g., controllers, hypervisors, guest VMs, VM image and network management, identity management (of admins and tenants), etc.
![Page 167: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/167.jpg)
A Case Study: OVS
❏ OVS: a production quality switch, widely deployed in the Cloud
❏ After fuzzing just 2% of the code, found major vulnerabilities:
❏ E.g., two stack overflows when malformed MPLS packets are parsed
❏ These vulnerabilities can easily be weaponized:
❏ Can be exploited for arbitrary remote code execution
❏ E.g., our «reign worm» compromised cloud setups within 100s
❏ Significance
❏ It is often believed that only state-level attackers (with, e.g., control overthe vendor’s supply chain) can compromise the data plane
❏ Virtualized data planes can be exploited by very simple, low-budget attackers: e.g., by renting a VM in the cloud and sending a singlemalformed MPLS packet
![Page 168: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/168.jpg)
The Reign Worm
Exploits 4 problems:
1. Security assumptions: Virtual switches often run with elevated(root) priviledges by design.
2. Collocation: virtual switchs reside in virtualized servers (Dom0), and are hence collocated with other and possibly critical cloud software, including controller software
3. Logical centralization: the control of data plane elements is oftenoutsourced to a centralized software. The correspondingbidirectional communication channels can be exploited to spreadthe worm further.
4. Support for extended protocol parsers: Virtual switches providefunctionality which goes beyond basic protocol locations of normal switches (e.g., handling MPLS in non-standard manner)
![Page 169: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/169.jpg)
The Reign Worm: Step 1
Attacker VM sends a malicious packet that compromises its server, giving the remote attacker control of the server.
![Page 170: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/170.jpg)
The Reign Worm: Step 2
Attacker controlled server compromises the controllers’server, giving the remote attacker control of the controllers’ server.
Bidirectionalcommunication channel
![Page 171: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/171.jpg)
The Reign Worm: Step 3
The compromised controllers’ server propagatesthe worm to the remaining uncompromised server.
![Page 172: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/172.jpg)
The Reign Worm: Step 4
All the servers are controlled by the remote attacker.
![Page 173: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/173.jpg)
Further Reading
Reigns to the Cloud: Compromising Cloud Systems via the Data PlaneKashyap Thimmaraju, Bhargava Shastry, Tobias Fiebig, Felicitas Hetzelt, Jean-Pierre Seifert, Anja Feldmann, and Stefan Schmid.ArXiv Technical Report, October 2016.
![Page 174: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/174.jpg)
Ctrl
Control
Programs
Control
Programs
Let’s talk about security!
Challenge: how to build securenetworks if hardware untrusted?
![Page 175: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/175.jpg)
Opportunity: Adversarial Trajectory Sampling
Trajectory Sampling
❏ Classic tool to monitor packet routes: trajectory sampling
Principle:
❏ Sample subset ofpackets (based on hash value) anytime
❏ Get complete route for sampled packets
❏ Efficient: sampling
![Page 176: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/176.jpg)
Principle:
❏ Sample subset ofpackets (based on hash value) anytime
❏ Get complete route for sampled packets
❏ Efficient: sampling
Opportunity: Adversarial Trajectory Sampling
Trajectory Sampling
❏ Classic tool to monitor packet routes: trajectory sampling
Not sampled!
Sampled!
![Page 177: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/177.jpg)
Principle:
❏ Sample subset ofpackets (based on hash value) anytime
❏ Get complete route for sampled packets
❏ Efficient: sampling
Opportunity: Adversarial Trajectory Sampling
Trajectory Sampling
❏ Classic tool to monitor packet routes: trajectory sampling
Problem: knows whichpackets are sampled and
which not! Can manipulateothers without risk!
![Page 178: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/178.jpg)
Principle:
❏ Sample subset ofpackets (based on hash value) anytime
❏ Get complete route for sampled packets
❏ Efficient: sampling
Opportunity: Adversarial Trajectory Sampling
Trajectory Sampling
❏ Classic tool to monitor packet routes: trajectory sampling
Problem: knows whichpackets are sampled and
which not! Can manipulateothers without risk!
How to make trajectory sampling secure to malicious switches?
![Page 179: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/179.jpg)
Opportunity: Adversarial Trajectory Sampling
Adversarial Trajectory Sampling
❏ Classic tool to monitor packet routes: trajectory sampling
![Page 180: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/180.jpg)
Opportunity: Adversarial Trajectory Sampling
Adversarial Trajectory Sampling
❏ Classic tool to monitor packet routes: trajectory sampling
Idea: leverage SDN!
Secure communicationchannels: can
distributed samplingvalues in a secure and
redundant way!
![Page 181: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/181.jpg)
Opportunity: Adversarial Trajectory Sampling
Adversarial Trajectory Sampling
❏ Classic tool to monitor packet routes: trajectory sampling
Different switches sample different packets!
Idea: leverage SDN!
Secure communicationchannels: can
distributed samplingvalues in a secure and
redundant way!
![Page 182: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/182.jpg)
Opportunity: Adversarial Trajectory Sampling
Adversarial Trajectory Sampling
❏ Classic tool to monitor packet routes: trajectory sampling
e.g., injects packet (e.g., for exfiltration)
![Page 183: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/183.jpg)
Opportunity: Adversarial Trajectory Sampling
Adversarial Trajectory Sampling
❏ Classic tool to monitor packet routes: trajectory sampling
Does not reportpacket!
Reports packet!
e.g., injects packet (e.g., for exfiltration)
![Page 184: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/184.jpg)
Opportunity: Adversarial Trajectory Sampling
Adversarial Trajectory Sampling
❏ Classic tool to monitor packet routes: trajectory sampling
Does not reportpacket!
Reports packet!
e.g., injects packet (e.g., for exfiltration)
If sampled before and after:
Inconsistency detected!
![Page 185: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/185.jpg)
Further Reading
Software-Defined Adversarial Trajectory SamplingKashyap Thimmaraju, Liron Schiff, and Stefan Schmid.ArXiv Technical Report, May 2017.
![Page 186: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/186.jpg)
Software-Defined Wifi
![Page 187: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/187.jpg)
Further Reading
OpenSDWN: Programmatic Control over Home and Enterprise WiFiJulius Schulz-Zander, Carlos Mayer, Bogdan Ciobotaru, Stefan Schmid, and Anja Feldmann.ACM Sigcomm Symposium on SDN Research (SOSR), Santa Clara, California, USA, June 2015.
![Page 188: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/188.jpg)
Automatically Verifiable!
Claim: SDN networks can beautomatically and
programmatically configuredand verified.
![Page 189: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/189.jpg)
Computational Tractability?
Emulating Turing machine with twoswitches? (Ribbon in packet?)
![Page 190: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/190.jpg)
Further Reading
WNetKAT: A Weighted SDN Programming and Verification LanguageKim G. Larsen, Stefan Schmid, and Bingtian Xue.20th International Conference on Principles ofDistributed Systems (OPODIS), Madrid, Spain, December 2016.
![Page 191: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/191.jpg)
Conclusion
❏ SDN introduces many flexibilities
❏ But also new challenges
❏ How to exploit flexibilities algorithmically?
❏ How to deal with remote controller(s)?
❏ New (and old) security challenges
❏ Another grand challenge: predictable performance in virtualized SDNs
![Page 192: Nice to meet you! - TU Berlinstefan/swfan17keynote.pdf · Nice to meet you! Confluence: innovation! Programmability and virtualization: new flexibilities! Algorithms ”We are at](https://reader036.vdocument.in/reader036/viewer/2022081400/605a6a1500ba3415ff73af48/html5/thumbnails/192.jpg)
Algorithms for flow rerouting:
Can't Touch This: Consistent Network Updates for Multiple Policies
Szymon Dudycz, Arne Ludwig, and Stefan Schmid.
46th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Toulouse, France, June 2016.
Transiently Secure Network Updates
Arne Ludwig, Szymon Dudycz, Matthias Rost, and Stefan Schmid.
42nd ACM SIGMETRICS, Antibes Juan-les-Pins, France, June 2016.
Scheduling Loop-free Network Updates: It's Good to Relax!
Arne Ludwig, Jan Marcinkowski, and Stefan Schmid.
ACM Symposium on Principles of Distributed Computing (PODC), Donostia-San Sebastian, Spain, July 2015.
Good Network Updates for Bad Packets: Waypoint Enforcement Beyond Destination-Based Routing Policies
Arne Ludwig, Matthias Rost, Damien Foucard, and Stefan Schmid.
13th ACM Workshop on Hot Topics in Networks (HotNets), Los Angeles, California, USA, October 2014.
Congestion-Free Rerouting of Flows on DAGs
Saeed Akhoondian Amiri, Szymon Dudycz, Stefan Schmid, and Sebastian Wiederrecht.
ArXiv Technical Report, November 2016.
Survey of Consistent Network Updates
Klaus-Tycho Foerster, Stefan Schmid, and Stefano Vissicchio.
ArXiv Technical Report, September 2016.
Security of the data plane:
Outsmarting Network Security with SDN Teleportation
Kashyap Thimmaraju, Liron Schiff, and Stefan Schmid.
2nd IEEE European Symposium on Security and Privacy (EuroS&P), Paris, France, April 2017.
See also CVE-2015-7516.
Reigns to the Cloud: Compromising Cloud Systems via the Data Plane
Kashyap Thimmaraju, Bhargava Shastry, Tobias Fiebig, Felicitas Hetzelt, Jean-Pierre Seifert, Anja Feldmann, and Stefan Schmid.
ArXiv Technical Report, October 2016.
teleportation
attacking the cloud
survey
loop-freedom
multiple policies
waypointing
loop-freedom
waypointing
capacity constraints