May 28-29, 2002, DANCE Exposition
Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines
Tal Lavian - [email protected] Networks Advanced Technology Labs
Open Source - http://www.openetlab.org
Outline of the talk
• Driving Forces
• Openet
• AFM Enabling Mechanism
• Realization with Openet Passport
• Application Examples
• Openet Alteon: AN platform
• Next step
• Conclusion
Driving Forces
• Introducing services on-demand
• Assuring Quality of Service
• Addressing Impedance Mismatch
• Demanding Programmability
Users – Service Providers – Network Providers
Introducing Services on-demand
[Figure: a network device (HW, OS, virtual environment) into which services and control-intelligence applications are dynamically loaded; surrounding functions: monitor, react, authentication, security]
Programmability
• A significant challenge in today’s Internet is the ability to efficiently incorporate customizable network intelligence in commercial high performance network devices.
— Framework for introducing services
— API for programming network devices
Impedance Mismatch
[Figure: user networks (residential, enterprise LAN, intranet) with user connections (HTTP, RTP, TCP, UDP, etc.) reach the access (edge) of ISP networks, which connect through carrier networks to the core networks (WAN) built on fiber, the optical world]
AN Solution
• The active networks (AN) approach opens an exciting opportunity for individual applications to define the service provided by the network through programmability.
• Active Networks technologies expose a novel approach that allows customer value-added services to be introduced to the network “on-the-fly”.
• The Active Nets program has produced a new network platform that is flexible and extensible at runtime to accommodate the rapid evolution and deployment of network technologies.
• The exciting opportunity exists for network service providers and third parties, not just the network device providers, to program the network infrastructure and services.
AN Issues
Lack of industrial-strength Active Network devices that dispel major concerns:
• AN requires substantial support from a NOS
• AN introduces a substantial software component, hence delay on the data path
• AN lacks adequate measures to address integrity and security of network devices.
Openet Platform = Active Nets Enabling Platform = Programmable Networking Solution
• Passport Router
• Openet
• Active Flow Manipulation (AFM)
• Programmable Openet Passport Platform
Passport Router - Separation of Control and Forwarding Planes
[Figure: two router architectures side by side]
• Centralized, CPU-based router: control and forwarding functions combined; a single CPU runs the routing SW; slow.
• Forwarding-processor-based router: control separated from forwarding; the CPU hosts the control plane while several forwarding processors forward at wire speed.
Openet: a view from a node
[Figure: the control plane runs on the CPU, where the JVM hosts the ORE and JFWD over JNI/native code; the data plane is the forwarding engine. The forwarding engine passes filtered packets and monitor status up to the control plane, which installs new forwarding rules down. Oplets are layered as user oplets, standard services (OpletService, Shell, Logger, Jcapture, HTTP, IpPacket), function services and application services (ANTS, Firewall, DiffServ)]
Control Functions
[Figure: CE above FE; control-intensive computation sits in the CE, and the three placements of control functions below are marked (1), (2) and (3)]
1) Control functions that reside wholly in the control plane
2) Control functions that insert software in the critical data path
3) Control functions that allow control entities to act both in the control plane and in the data forwarding plane without adding software in the data path
CE: Control Element; FE: Forwarding Element
Active Flow Manipulation Abstractions
• Aggregate data into traffic flows
— Flows whose characteristics can be identified in real-time
— E.g., “all UDP packets to a particular service”, “all TCP packets from a particular machine”.
• Actions to be performed in the traffic flows
— Actions that can be performed in real-time
— E.g., “Change the priority of all traffic destined to a particular service on a particular machine”, “Stop all traffic out of a particular link of a router”.
Active Flow Manipulation
[Figure: packets entering the forwarding processors pass the AFM policy filters; a packet filter identifies the flow and a packet action is applied to it]
• A key enabling technology of Openet
• Two abstractions
— Primitive flows
— Primitive actions
• Customer network services exercise active network control
— Identifying specific flows
— Applying actions to alter network behavior in real-time
Identifiable Elements of Primitive Flows
Destination Address (DA)
Range of Destination Address (RDA)
Source Address (SA)
Range of Source Address (RSA)
Exact TCP protocol match (TCP)
Exact UDP protocol match (UDP)
Exact ICMP protocol match (ICMP)
Source Port number, for both TCP and UDP (SP)
Destination Port number for both TCP and UDP (DP)
TCP connection request (TCPReg)
ICMP request (ICMPReg)
DS field of a datagram (DS)
IP Frame fragment (FrameFrag)
Primitive Permissible Actions
Drop
Forward
Mirror
Stop on Match (SOM)
Detect Out of Profile behaviour (Out)
Change DSCP value (DSCP)
Prevent TCP Connect Request
Modify IEEE 802.1p bit
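The two lists above (identifiable elements of primitive flows, and the permissible actions) are easier to reason about when run as code. The following is an added example written for this page, not code from Openet or the Passport router; class names, field names, the rule format, the addresses, ports and the profile limit are all my own constructions. It models an ordered table of policy filters, each pairing a primitive flow (every set element must match, unset elements are wildcards) with a list of actions, and uses per-filter hit counters as a stand-in for the forwarding processors' statistics & monitors so that the "detect out of profile" action has something to read.

```python
# Added example (not Openet code): a software model of AFM primitive flows
# and primitive actions. All names, addresses, ports and limits are constructed.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Any, List, Optional, Tuple


@dataclass
class Packet:
    sa: str                      # source address
    da: str                      # destination address
    proto: str                   # "tcp", "udp" or "icmp"
    sp: Optional[int] = None     # source port (TCP/UDP)
    dp: Optional[int] = None     # destination port (TCP/UDP)
    tcp_req: bool = False        # TCP connection request
    icmp_req: bool = False       # ICMP request
    ds: int = 0                  # DS field (DSCP)
    frag: bool = False           # IP frame fragment
    dot1p: int = 0               # IEEE 802.1p priority bits


@dataclass
class Flow:
    """Primitive flow: every element that is set must match; None is a wildcard."""
    da: Optional[str] = None
    rda: Optional[str] = None    # range of destination addresses (CIDR)
    sa: Optional[str] = None
    rsa: Optional[str] = None    # range of source addresses (CIDR)
    proto: Optional[str] = None  # exact TCP / UDP / ICMP match
    sp: Optional[int] = None
    dp: Optional[int] = None
    tcp_req: Optional[bool] = None
    icmp_req: Optional[bool] = None
    ds: Optional[int] = None
    frag: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return all([
            self.da is None or p.da == self.da,
            self.rda is None or ip_address(p.da) in ip_network(self.rda, strict=False),
            self.sa is None or p.sa == self.sa,
            self.rsa is None or ip_address(p.sa) in ip_network(self.rsa, strict=False),
            self.proto is None or p.proto == self.proto,
            self.sp is None or p.sp == self.sp,
            self.dp is None or p.dp == self.dp,
            self.tcp_req is None or p.tcp_req == self.tcp_req,
            self.icmp_req is None or p.icmp_req == self.icmp_req,
            self.ds is None or p.ds == self.ds,
            self.frag is None or p.frag == self.frag,
        ])


@dataclass
class Verdict:
    packet: Packet               # copy of the input, possibly rewritten
    forward: bool = True
    mirrored: bool = False
    out_of_profile: bool = False


Action = Tuple[str, Any]         # e.g. ("DROP", None), ("DSCP", 46), ("OUT", 3)


class AfmEngine:
    """Ordered policy filters: (Flow, [Action]) pairs evaluated top to bottom."""

    def __init__(self, rules: List[Tuple[Flow, List[Action]]]):
        self.rules = rules
        self.hits = [0] * len(rules)   # per-filter counters (statistics & monitors)

    def process(self, p: Packet) -> Verdict:
        v = Verdict(packet=replace(p))
        for i, (flow, actions) in enumerate(self.rules):
            if not flow.matches(v.packet):
                continue
            self.hits[i] += 1
            for name, arg in actions:
                if name == "DROP":
                    v.forward = False
                elif name == "FORWARD":
                    v.forward = True
                elif name == "MIRROR":
                    v.mirrored = True
                elif name == "DSCP":                 # change DSCP value
                    v.packet.ds = arg
                elif name == "DOT1P":                # modify IEEE 802.1p bits
                    v.packet.dot1p = arg
                elif name == "PREVENT_TCP_CONNECT":  # refuse connection requests
                    if v.packet.proto == "tcp" and v.packet.tcp_req:
                        v.forward = False
                elif name == "OUT":                  # out of profile: more than arg hits
                    if self.hits[i] > arg:
                        v.out_of_profile = True
            if any(name == "SOM" for name, _ in actions):  # stop on match
                break
        return v


def build_rules() -> List[Tuple[Flow, List[Action]]]:
    """Constructed sample policy; addresses, ports and limits are made up."""
    return [
        # all TCP packets from a particular machine: lower their priority
        (Flow(sa="10.0.0.5", proto="tcp"), [("DSCP", 8), ("DOT1P", 1)]),
        # all UDP packets to a particular service: raise priority, stop matching
        (Flow(rda="10.1.0.0/16", proto="udp", dp=5004), [("DSCP", 46), ("SOM", None)]),
        # connection requests to one host: mirror for inspection, then refuse
        (Flow(da="10.1.0.9", proto="tcp", tcp_req=True),
         [("MIRROR", None), ("PREVENT_TCP_CONNECT", None)]),
        # fragments are dropped outright
        (Flow(frag=True), [("DROP", None)]),
        # ICMP requests into the subnet: the 4th and later are out of profile
        (Flow(rda="10.1.0.0/16", proto="icmp", icmp_req=True), [("OUT", 3)]),
    ]


if __name__ == "__main__":
    eng = AfmEngine(build_rules())
    syn = Packet(sa="10.0.0.5", da="10.1.0.9", proto="tcp", sp=40001, dp=80, tcp_req=True)
    print(eng.process(syn))
```

Filter order matters in this model exactly as it does on a real filter table: the first rule rewrites the DSCP of the SYN from 10.0.0.5 and a later rule then refuses it, whereas the UDP rule's "stop on match" keeps any rule below it from touching that flow. A control-plane service that installs rules this way gets the real-time effect without adding software to the data path, which is the point of category (3) in the control-functions slide.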
Openet on Passport Router
[Figure: the control plane (CPU system) hosts the ORE with system services and active services (Active Networks services); the data plane (wire-speed forwarding) is the switching fabric plus forwarding processors, each holding forwarding rules and statistics & monitors. Traffic packets cross the data plane; the forwarding processors report monitor status up to the control plane, which pushes new rules down]
Example 1: Active Flow Priority Change in Real-time
[Chart: throughput in Mbps (0-100) against time in seconds (0-10) for a low-priority and a high-priority flow, with three marked events: start of 2nd flow, change priority, end of 2nd flow]
Example 2: JDiffserv on Passport
[Figure: a Diffserv-enabled network of one Passport 8600 and two Passport 1100Bs carries UDP traffic from a UDP sender (Linux PC) to a UDP receiver (Linux PC); a Diffserv monitor, the device console and an HTTP server running JDiffserv (Linux PC) attach to the network]
Example 3 : Regatta - Fault Recovery
• Automated supervision
• Minimal service interruption
• Heartbeats
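The slide lists heartbeats as the mechanism behind Regatta's automated supervision; the block below is an added illustration of that general technique and is not Regatta's or Openet's code. The monitor, the peer names, the heartbeat interval, the miss limit and the event trace are all constructed here. It shows the one property that bounds service interruption in such a scheme: a silent peer is declared failed after at most `miss_limit` intervals plus one check period, and a peer that resumes beating is taken back without manual intervention.

```python
# Added example (not Regatta/Openet code): heartbeat supervision with a
# bounded detection delay. Peer names, interval, miss limit and trace are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class HeartbeatMonitor:
    interval: float                  # expected seconds between heartbeats
    miss_limit: int = 3              # consecutive missed beats tolerated
    on_failure: Optional[Callable[[str, float], None]] = None  # recovery hook
    last_seen: Dict[str, float] = field(default_factory=dict)
    failed: Dict[str, float] = field(default_factory=dict)

    def heartbeat(self, peer: str, now: float) -> None:
        """Record a beat; a peer that returns after a failure is healthy again."""
        self.last_seen[peer] = now
        self.failed.pop(peer, None)

    def check(self, now: float) -> List[str]:
        """Declare failed every peer silent for more than miss_limit intervals.
        Detection delay is bounded by miss_limit * interval plus one check period."""
        newly_failed: List[str] = []
        for peer, seen in self.last_seen.items():
            if peer in self.failed:
                continue
            if now - seen > self.miss_limit * self.interval:
                self.failed[peer] = now
                newly_failed.append(peer)
                if self.on_failure:
                    self.on_failure(peer, now)
        return newly_failed


def run_trace(trace: List[Tuple[float, str, str]], interval: float = 1.0,
              miss_limit: int = 3) -> List[Tuple[float, str]]:
    """Replay (time, "hb", peer) and (time, "check", "") events in time order;
    return the (time, peer) pairs at which the recovery hook fired."""
    fired: List[Tuple[float, str]] = []
    mon = HeartbeatMonitor(interval, miss_limit,
                           on_failure=lambda peer, t: fired.append((t, peer)))
    for t, kind, peer in sorted(trace):
        if kind == "hb":
            mon.heartbeat(peer, t)
        elif kind == "check":
            mon.check(t)
    return fired


# Constructed trace: A beats every second for 10 s; B goes silent after t=2;
# the supervisor checks once a second at t+0.5.
SAMPLE_TRACE: List[Tuple[float, str, str]] = (
    [(float(t), "hb", "A") for t in range(10)]
    + [(float(t), "hb", "B") for t in range(3)]
    + [(t + 0.5, "check", "") for t in range(10)]
)

if __name__ == "__main__":
    print(run_trace(SAMPLE_TRACE))   # B is declared failed at t=5.5
```

With a 1 s interval and a miss limit of 3, B's last beat at t=2 is followed by a failure declaration at the first check after t=5, so the interruption window a dependent service sees is the miss limit plus the check period, which is the knob to tune against false failovers from transient loss.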
Current Development: Programmable Services Solution
• Alteon-iSD
• Openet
• Extended Active Flow Manipulation (AFM)
• Openet Alteon-based Active Nets Platform
Openet Alteon Active Nets Platform = A Powerful Platform for AN Technologies Transfer
• A powerful and extensible control and computational plane
— Partitioning hardware/software resources
— Active service enabling
— Content filtering in real-time
— Active services accommodation
[Figure: Openet on an edge device combining L2-L7 filtering, content processing and power computing, placed between the optical/wireless router and the content gateway]
Solutions’ Features
• Real-time Filtering
— Ability to poke at the device’s data flows
• Processing Power
— Ability to perform intensive processing
• Enabling Services
— Introducing services on-demand
• Programmable Services
— Enabling active and adaptive services
• Impedance Matching
— Addressing mismatches between disparate domains, disparate technologies
Openet Alteon AN Platform for SMDS (Streaming Media Distribution Service)
• 1 Real Server on Linux or NT, 2~8 Real Players on Solaris, SMDS on iSD
• Real Player RTSP request filter and interception
• Real Server reply real-time stream filter and replication
• RTSP session setup by replicating the first 16 packets cached
[Figure: Real Players (Sun/Solaris) send the 1st client RTSP request (rtsp://pcary1gc/real8video) through the Alteon, which redirects the packets to the SMDS service on the iSD (rtsp://pcary1gc:5454/real8video); the iSD intercepts RTSP, registers the client, replicates the Real Server 8 (Linux/x86) reply stream and writes the packets back through the Alteon]
A Simple EvaQ8 Concept
[Figure: three sites, each with a Passport 8600, an Alteon and an iSD running an EvaQ8 OG (OG-1, OG-2, OG-3), connected by 10G and 1G links through the OmniNet optical network; the OmniNet control plane (Linux) is driven over TL1; nodes A, B, C, D, X, Y, Z and OmniNet ports B1, B2, B3 are labelled; control messages flow between the OGs; a disaster event / environmental sensor is attached at location Z]
1. Normal application flow: Client X -> Server Z
2. Disaster strikes at location Z
3. EvaQ8 OG 3 sends a signal [RSVP] to OG1
4. OG1 instructs OmniNet to connect B2 & B3; Server Z and Server Y data synced
5. On successful sync, OG2 instructs OmniNet to connect B1 -> B2.
6. Service restored for Client X -> Server Y
What next?
Service-centric Active Nets Platform
[Figure: services sit on top of a platform providing service enabling, control, impedance matching, intra-service communication, security and management]
• Service Enabling API
• Control API
• Impedance Matching API
• Security API
• Management API
• Intra-service Communications API
Summary
• Openet – our Networking Programmability
• Commercial network programmable hardware
• New AN platform: Openet + Alteon + iSD
— Alteon: AN platform on an advanced content switch
— iSD: powerful & extensible computation plane
• Enables AN technologies transfer
• Promoting an edge device service-centric platform