Lithium: Event-Driven Network Control



Similar documents
Applying SDN to Network Management Problems. Nick Feamster University of Maryland

Facilitating Network Management with Software Defined Networking

The Past, Present, and Future of Software Defined Networking

Software-Defined Network Management

Managing the Home Network

Improving Network Management with Software Defined Networking

Improving Network Management with Software Defined Networking

Pushing Enterprise Security Down the Network Stack

A Method for Load Balancing based on Software- Defined Network

Procera: A Language for High-Level Reactive Network Control

A Study on Software Defined Networking

Network Functions Virtualization in Home Networks

A Coordinated. Enterprise Networks Software Defined. and Application Fluent Programmable Networks

Network Virtualization Network Admission Control Deployment Guide

VIA COLLAGE Deployment Guide

Musings on OpenFlow and SDN. David Meyer Cisco Systems OpenFlow Symposium

OpenFlow and Onix. OpenFlow: Enabling Innovation in Campus Networks. The Problem. We also want. How to run experiments in campus networks?

ADVANCED SECURITY MECHANISMS TO PROTECT ASSETS AND NETWORKS: SOFTWARE-DEFINED SECURITY

VIA CONNECT PRO Deployment Guide

SDN Security Considerations in the Data Center. ONF Solution Brief October 8, 2013

Cloud Computing Security: What Changes with Software-Defined Networking?

Implementation of Address Learning/Packet Forwarding, Firewall and Load Balancing in Floodlight Controller for SDN Network Management

1 Network Service Development Trends and Challenges

SDN and NFV in the WAN

Simplify IT. With Cisco Application Centric Infrastructure. Barry Huang Nov 13, 2014

Software Defined Networking and Network Virtualization

PART IV Performance oriented design, Performance testing, Performance tuning & Performance solutions. Outline. Performance oriented design

Robust security is a requirement for many companies deploying a wireless network. However, creating a secure wireless network has often been

Information Technology Solutions

SDN. What's Software Defined Networking? Angelo Capossele

Using Ranch Networks for Internal LAN Security

Tutorial: OpenFlow in GENI

Testing Challenges for Modern Networks Built Using SDN and OpenFlow

The High Availability and Resiliency of the Pertino Cloud Network Engine

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

Enhancing Hypervisor and Cloud Solutions Using Embedded Linux Iisko Lappalainen MontaVista

Network Virtualization Solutions - A Practical Solution

A Look at the New Converged Data Center

SDX Project Updates GEC 20

SDN Security Design Challenges

How To Unify Your Wireless Architecture Without Limiting Performance or Flexibility

ONOS Open Network Operating System

SOFTWARE-DEFINED NETWORKING AND OPENFLOW

Software Defined Networking and Network Virtualization

SDN Programming Languages. Programming SDNs!

How the emergence of OpenFlow and SDN will change the networking landscape

EXTENSIBLE WIDE AREA NETWORKING

Using SDN-OpenFlow for High-level Services

Leveraging SDN and NFV in the WAN

Protecting VMs in a Multi-Tenancy Environment

PLUMgrid Toolbox: Tools to Install, Operate and Monitor Your Virtual Network Infrastructure

Open Source Network: Software-Defined Networking (SDN) and OpenFlow

Software-Defined Networking Architecture Framework for Multi-Tenant Enterprise Cloud Environments

Campus Network Best Practices: Core and Edge Networks

Enterprise Data Center Networks

Data Center Middleboxes

Outline. Institute of Computer and Communication Network Engineering. Institute of Computer and Communication Network Engineering

When SDN meets Mobility

The impact of active network devices mis-configuration in network security

Best Practices for Outdoor Wireless Security

Software Defined Networking What is it, how does it work, and what is it good for?

Network Services in the SDN Data Center

SINGLE-TOUCH ORCHESTRATION FOR PROVISIONING, END-TO-END VISIBILITY AND MORE CONTROL IN THE DATA CENTER

Technical Note. ForeScout CounterACT: Virtual Firewall

Information- Centric Networks. Section # 13.2: Alternatives Instructor: George Xylomenos Department: Informatics

Virtualized Domain Name System and IP Addressing Environments. White Paper September 2010

WAN Optimization For Software Defined Networks

SDN AND SECURITY: Why Take Over the Hosts When You Can Take Over the Network

Integration Guide. EMC Data Domain and Silver Peak VXOA Integration Guide

HUAWEI OceanStor Load Balancing Technical White Paper. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD.

SDN/Virtualization and Cloud Computing

Simplifying Data Data Center Center Network Management Leveraging SDN SDN

Cisco Outdoor Wireless Mesh Enables Alternative Broadband Access

VIDEO STREAMING OVER SOFTWARE DEFINED NETWORKS WITH SERVER LOAD BALANCING. Selin Yilmaz, A. Murat Tekalp, Bige D. Unluturk

What is VLAN Routing?

The Many Faces of SDN: An Industry Perspective

IP Telephony Management

OpenFlow: Enabling Innovation in Campus Networks

Top Ten Reasons for Deploying Oracle Virtual Networking in Your Data Center

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Oracle SDN Performance Acceleration with Software-Defined Networking

Lecture 02b Cloud Computing II

Network Design Best Practices for Deploying WLAN Switches

PROPALMS TSE 6.0 March 2008

APPLICATION-AWARE ROUTING IN SOFTWARE-DEFINED NETWORKS

Transcription:

Lithium: Event-Driven Network Control Nick Feamster, Hyojoon Kim, Russ Clark Georgia Tech Andreas Voellmy Yale University

Software Defined Network Management Software defined networking (SDN) makes it easier for network operators to evolve network capabilities Can SDN also help network operators manage their networks, once they are deployed? Campus/Enterprise networks Home networks 2

Big Problem: Configuration Changes Frequently Changes to the network configuration occur daily Errors are also frequent Operators must determine What will happen in response to a configuration change Whether the configuration is correct 3

But, Network Configuration is Really Just Event Processing! Rate limit all Bittorrent traffic between the hours of 9 a.m. and 5 p.m. Do not use more than 100 GB of my monthly allocation for Netflix traffic If a host becomes infected, re-direct it to a captive portal with software patches 4

Lithium: Event-Based Network Control Main Idea: Express network policies as event-based programs. Resonance: Inference-Based Access Control for Enterprise Networks. Nayak, Reimers, Feamster, Clark. ACM SIGCOMM Workshop on Enterprise Networks. August 2009. 5

Extending the Control Model OpenFlow only operates on flow properties Lithium extends the control model so that actions can be taken on time, history, and user 6

Event-Driven Control Domains Domain: A condition on which traffic forwarding rules can be expressed. 7

Dynamic Event Handler Reacts to domain events Determines event source Updates state based on event type Can process both internal and external events 8

Representing Network State: Finite State Machine State: A set of domain values represents a state. Representation of network state. Events: Event-driven control domains invoke events, which trigger state transitions in the controller s finite state machine. Intrusions Traffic fluctuations Arrival/departure of hosts 9

Current Implementation NOX Version 0.6.0 Lithium plumbing: About 1,300 lines of C++ Policies Enterprise network access control: 145 lines of C++ Home network usage cap management: 130 lines Ongoing: Policies without general-purpose programming 10

Two Real-World Deployments Access control in enterprise networks Re-implementation of access control on the Georgia Tech campus network Today: Complicated, low-level With SDN: Simpler, more flexible Usage control in home networks Implementation of user controls (e.g., usage cap management, parental controls) in home networks Today: Not possible With SDN: Intuitive, simple 11

Example from Campus Network: Enterprise Access Control 7. REBOOT Switch 3. VLAN with Private IP 1. New MAC Addr 2. VQP New Host 6. VLAN with Public IP VMPS 4. Web Authentication 5. Authentication Result ta Web Portal 12

Problems with Current Approach Access control is too coarse-grained Static, inflexible and prone to misconfigurations Need to rely on VLANs to isolate infected machines Cannot dynamically remap hosts to different portions of the network Needs a DHCP request which for a windows user would mean a reboot Cannot automatically process changes to network conditions. 13

Lithium State Machine for Campus Network Registration Infection removed or manually fixed Failed Authentication Quarantined Successful Authentication Authenticated Clean after update Vulnerability detected Operation 14

Deployment: Campus Network Software-defined network in use across three buildings across the university Redesign of network access control Also deployed at other universities 15

Example From Home Networks: Usage Control Network management in homes is challenging One aspect of management: usage control Usage cap management Parental control Bandwidth management Idea: Outsource network management/control Home router runs OpenFlow switch Usage reported to off-site controller Controller adjusts behavior of traffic flows 16

Example From Home Networks: Usage Control 17

Deployment: Home Networks (Outsourced Home Network Management) User monitors behavior and sets policies with UI (next slide) Lithium controller manages policies and router behavior 18

ucap: Intuitive Management Interface Joint work with Boris de Souza, Bethany Sumner, Marshini Chetty. 19

Evaluation Qualitative: Is Lithium usable? More expressive Fewer touches More general More portable Quantitative: Is Lithium feasible? Forwarding performance and latency Flow table size Load on controller and switches (scalability) 20

Quantitative Evaluation Forwarding speed Negligible (< 1%) decrease in throughput for production switches Forwarding speed on home routers is limited by the user-space OpenWrt implementation Flow table entries In a large campus network, the number of flows is always less than 25,000 (commodity switches can support 130,000 entries already) Controller load Significant under heavy traffic load, but can be mitigated by distributing the controller 21

Needed: High-Level Language Network policies Are dynamic Depend on temporal conditions defined in terms of external events Need a way to configure these policies without resorting to general-purpose programming of a network controller Intuitive user interfaces can ultimately be built on top of this language 22

Language Design Goals Declarative Reactivity: Describing when events happen, what changes they trigger, and how permissions change over time. Expressive and Compositional Operators: Building reactive permissions out of smaller reactive components. Well-defined Semantics: Simple semantics, simplifying policy specification. Error Checking & Conflict Resolution: Leveraging well-defined, mathematical semantics. 23

The Need for Reactive Control Simple policies are doable in FML: Ban the device if usage exceeds 10 GB in the last 5 days But, adding temporal predicates is difficult! Remove the ban if usage drops below 10 GB. Remove the ban when an administrator resets. Each condition requires a new predicate. 24

Programming Reactive, Event-Based Network Control Define a signal function for a device going over (or under) the usage cap: Define the set of devices over the cap: Controller: signal functions and a flow constraint function Receives input signals from environment Periodically updates a flow constraint function that controls the forwarding elements 25

Summary Network management is difficult and error-prone Lithium: Event-based network control Deployment in two real-world settings (campus and home network) Developing a high-level control language that enables reactive control 26

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information