an efficient distributed implementation of one big switch
TRANSCRIPT
![Page 1: An Efficient Distributed Implementation of One Big Switch](https://reader030.vdocuments.mx/reader030/viewer/2022032422/55a9b0d11a28ab3b0c8b48a0/html5/thumbnails/1.jpg)
![Page 2: An Efficient Distributed Implementation of One Big Switch](https://reader030.vdocuments.mx/reader030/viewer/2022032422/55a9b0d11a28ab3b0c8b48a0/html5/thumbnails/2.jpg)
![Page 3: An Efficient Distributed Implementation of One Big Switch](https://reader030.vdocuments.mx/reader030/viewer/2022032422/55a9b0d11a28ab3b0c8b48a0/html5/thumbnails/3.jpg)
An Efficient Distributed
Implementation of One Big Switch
Nanxi Kang
Princeton University
in collaboration with Zhenming Liu, Jennifer Rexford, David Walker
![Page 4: An Efficient Distributed Implementation of One Big Switch](https://reader030.vdocuments.mx/reader030/viewer/2022032422/55a9b0d11a28ab3b0c8b48a0/html5/thumbnails/4.jpg)
One Big Switch Abstraction
2
H1 H2
H3
H1 H2
H1 H3
From H1, dstIP = 0* => go to H2
From H1, dstIP = 1* => go to H3
Endpoint policy e.g, Firewall, Load Balancer
Routing policy e.g, Shortest path routing
H1 H2
H3
Automatic Rule Placement
![Page 5: An Efficient Distributed Implementation of One Big Switch](https://reader030.vdocuments.mx/reader030/viewer/2022032422/55a9b0d11a28ab3b0c8b48a0/html5/thumbnails/5.jpg)
Challenges of Rule Placement
3
H1 H2
H1 H3
H1 H2
H3
...
...
...
...
...
#rules >10k
TCAM size =1k ~ 2k
Automatic Rule Placement
![Page 6: An Efficient Distributed Implementation of One Big Switch](https://reader030.vdocuments.mx/reader030/viewer/2022032422/55a9b0d11a28ab3b0c8b48a0/html5/thumbnails/6.jpg)
Contributions
• Design a new rule placement algorithm
• Stay within rule capacity of switches
• Minimize the total number of installed rules
• Handle policy update incrementally
• Evaluation on real and synthetic data
4
![Page 7: An Efficient Distributed Implementation of One Big Switch](https://reader030.vdocuments.mx/reader030/viewer/2022032422/55a9b0d11a28ab3b0c8b48a0/html5/thumbnails/7.jpg)
Contribution
• Design a new rule placement algorithm
• Stay within rule capacity of switches
• Minimize the total number of installed rules
• Handle policy update incrementally
• Evaluation on real and synthetic data
4
![Page 8: An Efficient Distributed Implementation of One Big Switch](https://reader030.vdocuments.mx/reader030/viewer/2022032422/55a9b0d11a28ab3b0c8b48a0/html5/thumbnails/8.jpg)
• Enforce routing policy
• install rules on switches to forward packets
• Enforce endpoint policy
• topology as multiple paths: an ordered list of switches
• Solve paths separately
Topology = {Paths}
H1 H2
H3
H1 H2
H1 H3
H1 H2
H1 H3
5
![Page 9: An Efficient Distributed Implementation of One Big Switch](https://reader030.vdocuments.mx/reader030/viewer/2022032422/55a9b0d11a28ab3b0c8b48a0/html5/thumbnails/9.jpg)
Model shared switches • Multiple paths share the same switch
• Split shared rule capacity over paths • Paths have different demands for total rule capacities
• Linear Programming
6
H1 H2
H3
![Page 10: An Efficient Distributed Implementation of One Big Switch](https://reader030.vdocuments.mx/reader030/viewer/2022032422/55a9b0d11a28ab3b0c8b48a0/html5/thumbnails/10.jpg)
Place rules over a path • How to place rules over a path ?
7
R1: (srcIP = 0*, dstIP = 00*),
permit
R2: (srcIP = 01, dstIP = 1* ),
permit
R3: (srcIP = *, dstIP = 11*),
deny
R4: (srcIP = 11*, dstIP = * ),
permit
R5: (srcIP = 10*, dstIP = 0* ),
permit
R6: (srcIP = *, dstIP = * ),
deny
![Page 11: An Efficient Distributed Implementation of One Big Switch](https://reader030.vdocuments.mx/reader030/viewer/2022032422/55a9b0d11a28ab3b0c8b48a0/html5/thumbnails/11.jpg)
Map rule to rectangle
0
0
0
1
1
0 11
0
0 0
1 1
0 11
srcI
P
dstIP
8
R1: (0*,
00),P
R2: (01,
1*),P
R3: (**,
11),D
R4: (11,
**),P
R5: (10,
0*),P
R6: (**,
**),D
0
0
0
1
1
0 11
0
0 0
1 1
0 11
R
1
srcI
P
dstIP
![Page 12: An Efficient Distributed Implementation of One Big Switch](https://reader030.vdocuments.mx/reader030/viewer/2022032422/55a9b0d11a28ab3b0c8b48a0/html5/thumbnails/12.jpg)
Map rule to rectangle
0
0
0
1
1
0 11
0
0 0
1 1
0 11
srcI
P
dstIP
9
R1: (0*,
00),P
R2: (01,
1*),P
R3: (**,
11),D
R4: (11,
**),P
R5: (10,
0*),P
R6: (**,
**),D
C = 4
0
0
0
1
1
0 11
0
0 0
1 1
0 11
R
1
R4
R
3
R2
R5
srcI
P
dstIP
![Page 13: An Efficient Distributed Implementation of One Big Switch](https://reader030.vdocuments.mx/reader030/viewer/2022032422/55a9b0d11a28ab3b0c8b48a0/html5/thumbnails/13.jpg)
Cover a rectangle
R1: (0*, 00)
R2: (01, 1*)
R3: (**, 11)
R4: (11, **)
R5: (10, 0*)
R6: (**, **) q: (**,1*)
• Overlapped rules:
R2, R3, R4, R6
• Internal rules:
R2, R3
0
0
0
1
1
0 11
0
0 0
1 1
0 11
R
1
R4
R
3
R2 R5
10 C = 4
![Page 14: An Efficient Distributed Implementation of One Big Switch](https://reader030.vdocuments.mx/reader030/viewer/2022032422/55a9b0d11a28ab3b0c8b48a0/html5/thumbnails/14.jpg)
Install rules in first switch
R1: (0*, 00)
R2: (01, 1*)
R3: (**, 11)
R4: (11, **)
R5: (10, 0*)
R6: (**, **)
q: (**,1*)
0
0
0
1
1
0 11
0
0 0
1 1
0 11 R’4
R
3
R2
R2: (01,
1*)
R3: (**, 11)
R’4: (11,
1*)
R’6: (**,
1*)
0
0
0
1
1
0 11
0
0 0
1 1
0 11
R
1
R4
R
3
R2
R5
11
![Page 15: An Efficient Distributed Implementation of One Big Switch](https://reader030.vdocuments.mx/reader030/viewer/2022032422/55a9b0d11a28ab3b0c8b48a0/html5/thumbnails/15.jpg)
Rewrite policy
qfwd: (**,
1*)
R1: (0*,
00)
R4: (11, **)
R5: (10,
0*)
R6: (**, **)
0
0
0
1
1
0 11
0
0 0
1 1
0 11
R
1
R4
R5 q
Bypass everything in q
12
R1: (0*, 00)
R2: (01, 1*)
R3: (**, 11)
R4: (11, **)
R5: (10, 0*)
R6: (**, **)
q: (**,1*)
0
0
0
1
1
0 11
0
0 0
1 1
0 11
R
1
R4
R
3
R2
R5
![Page 16: An Efficient Distributed Implementation of One Big Switch](https://reader030.vdocuments.mx/reader030/viewer/2022032422/55a9b0d11a28ab3b0c8b48a0/html5/thumbnails/16.jpg)
Summary • Contribution
• An efficient rule placement algorithm
• Support for incremental update
• Evaluation on real and synthetic data • Path: 8-hop, 14k rules, <1.9k rules/switch
• Graph:100 switches, 0.5s(LP) + 0.5s ~
9s(Path)
• Future work • Integrate with real-time SDN systems
• Combine with policy checking and verification 13
![Page 17: An Efficient Distributed Implementation of One Big Switch](https://reader030.vdocuments.mx/reader030/viewer/2022032422/55a9b0d11a28ab3b0c8b48a0/html5/thumbnails/17.jpg)
![Page 18: An Efficient Distributed Implementation of One Big Switch](https://reader030.vdocuments.mx/reader030/viewer/2022032422/55a9b0d11a28ab3b0c8b48a0/html5/thumbnails/18.jpg)
Related Work
• Single switch optimization • TCAM Razor
• “Compressing Rectilinear Pictures and Minimizing Access
Control Lists”
• Distributed switch optimization
• vCRIB
• Algorithm assumes control over routing
• Palette
• Enforce the whole network-wide policy on every path
31