SDN-Ethane原版完整課件

Ethane:TakingControloftheEnterpriseMartìnCasado,MichaelJ.Freedman,JustinPettit,JianyingLuo,

ScottShenkerACMSIGCOMM,2007PresentedbyYeTianforCourseCS05112OverviewMotivationOverviewofEthaneDesignEthaneinMoreDetailThePOL-ETHPolicyLanguagePrototypeandPerformanceMotivationEnterprise

networkRunawide

varietyof

applications

and

protocolsOperate

understrict

reliabilityand

securityconstraintsMotivationNeedmanualconfigurationExpensiveanderror-prone62%ofnetworkdowntimeinmulti-vendornetworkscomesfromhuman-error80%ofITbudgetsisspentonmaintenanceandoperationsNetworkmanagementapproachesIntroducesproprietarymiddle-boxes,placedatnetworkchoke-points.E.g,firewallAddfunctionalitytoexistingnetworks.E.g.,addACLonswitchOnlyhidethecomplexity,notreduceit.MotivationQuestion:Howcouldwechangetheenterprisenetworkarchitecturetomakeitmoremanageable?Threefundamentalprinciples:Thenetworkshouldbegovernedbypoliciesdeclaredoverhigh-levelnames.Policyshoulddeterminethepaththatpacketsfollow.Policymightrequirepacketstopassthroughanintermediatemiddlebox;Trafficcanreceivemoreappropriateserviceifitspathiscontrolled;Thenetworkshouldenforceastrongbindingbetweenapacketanditsorigin.DesiredRealityGovernedbypoliciesdeclaredoverhigh-levelnames.Governedbylow-levelnames

suchasIPaddressandMACaddressDeterminethepath

DeterminenexthopStrongbindingbetweenpacketsandoriginOnlyinspect

destinationaddressinroutingCurrentapproachLevel-2:forwardingtable,oneentryperdestinationMACaddressLevel-3:routingtable,oneentryperIPaddressprefixOverviewMotivationOverviewofEthaneDesignEthaneinMoreDetailThePOL-ETHPolicyLanguagePrototypeandPerformanceOverviewEthanecontrolsthenetworkbynotallowinganycommunicationbetweenend-hostswithoutexplicitpermission.TwocomponentsAcentralController

ContainstheglobalnetworkpolicyandtopologyPerformsroutecomputationforpermittedflows.AsetofEthaneswitchesSimpleanddumbConsistingofasimpleflowtableandasecurechanneltotheControllerForwardpacketsundertheinstructionoftheController.Names,Bindings,andPolicyLanguageKeepthenamespaceconsistentascomponentsjoin,leaveandmovearoundthenetwork.How(machine–address–user)Ethanetakesoverallthebindingofaddresses,behaveasaDHCPserverMachineisregisteredonthenetworkUsersarerequiredtoauthenticatewiththenetworkSuchastheonesinWiFihotpot.Benefits:TheControllercankeeptrackofwhereanyentityislocated;TheControllercanjournalallbindingsandflow-entriesinalogfornetworkeventreconstruction.EthaneinUseRegistrationAllswitches,users,andhostsareregisteredattheControllerwiththecredentialsnecessarytoauthenticatethem.EthaneinUseBootstrapSwitchesbootstrapconnectivitybycreatingaspanningtreerootedattheController.EachswitchauthenticateswithandcreatesasecurechanneltotheController.EthaneinUseAuthenticationUserAjoinsthenetworkwithhostA,switch1initiallyforwardallofhostA’spacketstotheController;HostAsendsaDHCPrequesttotheController.TheControllerbindshostAtoIPA,IPAtoMACA,andMACAtoaphysicalportonswitch1.UserAopensawebbrowser,whosetrafficisdirectedtotheController,andauthenticatesthroughaweb-form.EthaneinUseFlowSetupSwitch1forwardsthepackettotheControllerafterdeterminingthatthepacketdoesnotmatchanyactiveentriesinitsflowtable.TheControllerdecideswhethertoallowordenytheflow,orrequireittotraverseasetofwaypoints.TheControllercomputestheflow’spath,addsanewentrytotheflowtablesofalltheSwitchesalongthepath.EthaneinUseForwardingIfpathisallowed,theControllersendsthepacketbacktoswitch1whichforwardsitbasedonthenewflowentry.SubsequentpacketsfromtheflowareforwardeddirectlybytheSwitch,andarenotsenttotheController.Theflow-entryiskeptintheswitchuntilittimesout.OverviewMotivationOverviewofEthaneDesignEthaneinMoreDetailThePOL-ETHPolicyLanguagePrototypeandPerformanceAnEthaneNetworkEthaneSwitchAnEthaneswitchismuchsimplerthanconventionalEthernetswitchDoesn’tneedtolearnaddresses,supportVLANs,checkforsource-addressspoofing,orkeepflow-levelstatistics(?).Iflayer3,doesn’tneedtorunroutingprotocolssuchasOSPF,ISIS,andRIP.Ethaneswitch’sflowtablecanbemuchsmallerthantheforwardingtableinanequivalentEthernetswitch.Ethernetswitchneedstorememberalltheaddressesit’slikelytoencounter.EthaneSwitchonlyneedstokeeptrackofflowsin-progress.FlowTableandFlowEntriesTwocommontypesofentryintheflowtable:Per-flowentriesforflowsthatshouldbeforwarded,Per-hostentriesformisbehavinghostswhosepacketsshouldbedropped.EntriesareremovedbecauseTimeoutduetoinactivityRevokedbytheController.LocalSwitchManagerToestablishandmaintainthesecurechanneltotheControllerTwoways:ForSwitchesthatarepartofthesamephysicalnetworkastheController,useMinimumSpanningTreeprotocol.FortheSwitchthatisnotwithinthesamebroadcastdomainastheController,createanIPtunneltoit.Switchesmaintainalistofneighboringswitchesbybroadcastingandreceivingneighbor-discoverymessages.NeighborlistsaresenttotheControllerperiodicallyevery15seconds.ControllerTheControllerholdsthepolicyfile,whichiscompiledintoafastlookuptableTheroutecomputation

usesthenetwork

topologytopickthe

flow’sroute.Thetopologyis

maintainedbythe

switchmanager,which

receiveslinkupdates

fromtheSwitches.ControllerRegistrationAllentitiesthataretobenamedbythenetwork(i.e.,hosts,protocols,switches,users,andaccesspoints7)mustberegistered.Theymakeupthepolicynamespaceandisusedtostaticallycheckthepolicy.Authentication.Doesnotspecifyaparticularhostauthenticationmechanism:e.g.,802.1XControllerTrackingbindingsTrackallthebindingsbetweennames,addresses,andphysicalportsonthenetworkeventasswitches,hosts,andusersjoin,leave,andmovearoundthenetwork.ControllerNamespaceinterfaceIncurrentnetworks,itisalmostimpossibletofigureoutuseractivitiesveryquicklyAnEthaneControllercanjournalalltheauthenticationandbindinginformation,itispossibletodetermineexactlywhichusersentapacket,whenitwassent,thepathittook,anditsdestination.ControllerPermissionCheckandAccessGrantingUponreceivingapacket,theControllerchecksthepolicytoseewhatactionsapplytoitEnforcingResourceLimitsControllercanlimitaflow’srate,limittherateatwhichnewflowsaresetup,orlimitthenumberofIPaddressesallocated.BroadcastandMulticastHandlingmulticast:TheSwitchkeepsabitmapforeachflowtoindicatewhichportsthepacketsaretobesenttoalongthepath.TheControllercancalculatethemulticasttreeandassigntheappropriatebitsduringpathsetup.Example,a24-bitbitmapfor24portsonaswitch,0/1meanspacketshouldbeforwarded/droppedoncorrespondingportHandlingbroadcastdiscoveryprotocols:Ahostistryingtofindaserveroranaddress;e.g,ARP,DHCPGiventhattheControllerknowsall,itcanreplytoarequestwithoutcreatinganewflowandbroadcastingthetraffic.ReplicatingtheController:Fault-ToleranceandScalabilityThreetechniquesforreplicatingColdstandby:BackupControllerssitidly-bywaitingtotakeoverifneeded.Iffailure,thenetworkwillconvergeonanewrootforMST.Thebackupsneedonlycontaintheregistrationstateandthenetworkpolicy.Themainadvantageissimplicity;thedownsideisthathosts,switches,andusersneedtore-authenticateandre-bindupontheprimary’sfailure.Pathsneedtobere-computed.ReplicatingtheControllerWarm-standby:aseparateMSTiscreatedforeveryController.TheControllersmonitoroneanother’slivenessand,upondetectingtheprimary’sfailure,asecondaryControllertakesoverbasedonastaticordering.NeedtoreplicatebindingsacrossControllers.Somenewusersandhostsneedtore-authenticate.ReplicatingtheControllerFully-replication:twoormoreactiveControllers.ASwitchneedonlyauthenticateitselftooneControllerandcanthenspreaditsflow-requestsovertheControllers(e.g.,hashingorround-robin)Gossiptoprovideaweakly-consistentorderingoverevents.OthersLinkfailureTheSwitchremovesallflowtableentriestiedtothefailedportandsendsitsnewlink-stateinformationtotheController.TheControllerlearnsthenewtopology.BootstrapingOnstartup,thenetworkcreatesaminimumspanningtreewiththeControlleradvertisingitselfastheroot.IfaSwitchfindsashorterpathtotheController,itattemptstwo-wayauthenticationbeforeadvertisingthatpathasavalidroute.OverviewMotivationOverviewofEthaneDesignEthaneinMoreDetailThePOL-ETHPolicyLanguagePrototypeandPerformanceOverviewEthanenetworkpolicyisdeclaredasasetofrules,eachconsistingofaconditionandacorrespondingaction.

ExampleCondition:iftheuserinitiatingtheflowis“bob”andtheflowprotocolis“HTTP”andtheflowdestinationishost“websrv”Action:Actionsincludeallow,deny,waypoints,andoutbound-only.Rulesareindependentanddon’tcontainanintrinsicorderingExampleTwoparts:

group

declarationsandrules#Groups—desktops=["griffin","roo"];laptops=["glaptop","rlaptop"];phones=["gphone","rphone"];server=["http_server","nfs_server"];private=["desktops","laptops"];computers=["private","server"];students=["bob","bill","pete"];profs=["plum"];group=["students","profs"];waps=["wap1","wap2"];ExampleRules#Rules—[(hsrc=in("server")^(hdst=in("private"))]:deny;#Donotallowphonesandprivatecomputerstocommunicate[(hsrc=in("phones")^(hdst=in("computers"))]:deny;[(hsrc=in("computers")^(hdst=in("phones"))]:deny;#NAT-likeprotectionforlaptops[(hsrc=in("laptops")]:outbound-only;#Norestrictionsondesktopscommunicatingwitheachother[(hsrc=in("desktops")^(hdst=in("desktops"))]:allow;#Forwireless,non-groupmemberscanusehttpthrough#aproxy.Groupmembershaveunrestrictedaccess.[(apsrc=in("waps"))^(user=in("group"))]:allow;[(apsrc=in("waps"))^(protocol="http)]:waypoints("http-proxy");[(apsrc=in("waps"))]:deny;[]:allow;#Default-on:bydefaultallowflowsOverviewMotivationOverviewofEthaneDesignEthaneinMoreDetailThePOL-ETHPolicyLanguagePrototypeandPerformanceReviewImplementation:SwitchThreedifferentEthaneSwitches:An802.11gwirelessaccesspoint(basedonacommercialaccesspoint)Awired4-portGigabitEthernetSwitchthatforwardspacketsatline-speed(basedontheNetFPGAprogrammableswitchplatformandwritteninVerilog)Awired4-portEthernetSwitchinLinuxonadesktopPCFlowtableThemaintable—forpacketsthatshouldbeforwarded—has8,192flowentriesAsecondtablewith32Kentries–forreturnrouteofoutboundtrafficImplementation:ControllerPolicycompiler:asource-to-sourcecompilerthatgeneratesC++fromaPol-Ethpolicyfile.ImplementedtheControlleronastandardLinuxPCRegistration:standarddatabaseAuthentication:useuniversityauthenticationsystemBindJournalandNamespaceInterface:useBerkeleyDBforthelog,keyedbytimestampsRouteComputation:usinganallpairsshortestpathalgorithm.DeploymentStanfordCSdepartment19Ethaneswitches:11wiredand8wireless;About300hostsPolicyNon-serversareprotectedfromoutboundconnectionsfromservers.Workstationscancommunicateuninhibited.HostsmustregisteraMACaddress,butnouserauthentication.Wirelessnodesdonotrequireuserauthentication.DeploymentPolicyTheVoIPphonesarerestrictedfromcommunicatingwithnon-phonesandarestaticallyboundtoasingleaccesspointtopreventmobility.Performance:ControllerScalabilityExperiment:30-40newflowrequestspersecondwithapeakof750flowrequestspersecond.AsingleControllercouldcomfortablyhandle10,000newflowrequestspersecond.PerformanceDuringFailuresControllerfailure:measurethecompletiontimeof275consecutiveHTTPrequests,retrieving63MBintotal,undercold-standbyfailurerecoveryWhiletherequestswereongoing,wecrashedtheControllerandrestarteditmultipletimes.PerformanceDuringFailuresLinkfailure:Alloutstandingflowsre-contacttheControllerinordertore-establishthepathCreatedatopologywithredundantpaths—sothenetworkcanwithstandalink-failure—andmeasuredthelatenciesexperiencedbypackets.PerformanceDuringFailuresPathre-convergesinunder40ms,butapacketcouldbedelayeduptoasecondwhiletheControllerhandlestheflurryofrequests.Performance:FlowTableSizingUsetwonetworkdatabase:An8,000-hostnetworkatLawrenceBerkeleyNationalLABA22,000-hostnetworkatStanfordActiveflowsNeverexceed500Performance:FlowTableSizingSwitchesclosertotheedgewillseeanumberofflowsproportionaltothenumberofhoststheyconnectto.ASwitchat