SDN-Ethane original complete lecture slides.pptx
Ethane: Taking Control of the Enterprise
Martin Casado, Michael J. Freedman, Justin Pettit, Jianying Luo, Scott Shenker
ACM SIGCOMM, 2007
Presented by Ye Tian for Course CS05112

Overview
- Motivation
- Overview of Ethane Design
- Ethane in More Detail
- The POL-ETH Policy Language
- Prototype and Performance

Motivation
- Enterprise networks
  - Run a wide variety of applications and protocols
  - Operate under strict reliability and security constraints

Motivation
- Need manual configuration, which is expensive and error-prone
  - 62% of network downtime in multi-vendor networks comes from human error
  - 80% of IT budgets is spent on maintenance and operations
- Network management approaches
  - Introduce proprietary middleboxes placed at network choke-points, e.g. a firewall
  - Add functionality to existing networks, e.g. add an ACL on a switch
  - These only hide the complexity; they do not reduce it

Motivation
- Question: how could we change the enterprise network architecture to make it more manageable?
- Three fundamental principles:
  1. The network should be governed by policies declared over high-level names.
  2. Policy should determine the path that packets follow.
     - Policy might require packets to pass through an intermediate middlebox;
     - Traffic can receive more appropriate service if its path is controlled.
  3. The network should enforce a strong binding between a packet and its origin.

Desired vs. Reality
  Desired                                             | Reality
  Governed by policies declared over high-level names | Governed by low-level names such as IP address and MAC address
  Determine the path                                  | Determine the next hop
  Strong binding between packets and origin           | Only inspect the destination address in routing
- Current approach:
  - Layer 2: forwarding table, one entry per destination MAC address
  - Layer 3: routing table, one entry per IP address prefix

Overview of Ethane Design
- Ethane controls the network by not allowing any communication between end-hosts without explicit permission.
- Two components:
  - A central Controller
    - Contains the global network policy and topology
    - Performs route computation for permitted flows
  - A set of Ethane switches
    - Simple and dumb
    - Consist of a simple flow table and a secure channel to the Controller
    - Forward packets under the instruction of the Controller

Names, Bindings, and Policy Language
- Keep the namespace consistent as components join, leave and move around the network.
- How? (machine <-> address <-> user)
  - Ethane takes over all binding of addresses, behaving as a DHCP server
  - Machines are registered on the network
  - Users are required to authenticate with the network, as in a WiFi hotspot
- Benefits:
  - The Controller can keep track of where any entity is located;
  - The Controller can journal all bindings and flow entries in a log for network event reconstruction.

Ethane in Use: Registration
- All switches, users, and hosts are registered at the Controller with the credentials necessary to authenticate them.

Ethane in Use: Bootstrap
- Switches bootstrap connectivity by creating a spanning tree rooted at the Controller.
- Each switch authenticates with and creates a secure channel to the Controller.

Ethane in Use: Authentication
- UserA joins the network with hostA; switch 1 initially forwards all of hostA's packets to the Controller.
- HostA sends a DHCP request to the Controller. The Controller binds hostA to IPA, IPA to MACA, and MACA to a physical port on switch 1.
- UserA opens a web browser, whose traffic is directed to the Controller, and authenticates through a web form.

Ethane in Use: Flow Setup
- Switch 1 forwards the packet to the Controller after determining that the packet does not match any active entries in its flow table.
- The Controller decides whether to allow or deny the flow, or require it to traverse a set of waypoints.
- The Controller computes the flow's path and adds a new entry to the flow tables of all the switches along the path.

Ethane in Use: Forwarding
- If the path is allowed, the Controller sends the packet back to switch 1, which forwards it based on the new flow entry.
- Subsequent packets from the flow are forwarded directly by the switch and are not sent to the Controller.
- The flow entry is kept in the switch until it times out.

An Ethane Network (figure)

Ethane Switch
- An Ethane switch is much simpler than a conventional Ethernet switch:
  - Doesn't need to learn addresses, support VLANs, check for source-address spoofing, or keep flow-level statistics (?).
  - If layer 3, doesn't need to run routing protocols such as OSPF, IS-IS, and RIP.
- An Ethane switch's flow table can be much smaller than the forwarding table in an equivalent Ethernet switch:
  - An Ethernet switch needs to remember all the addresses it is likely to encounter.
  - An Ethane switch only needs to keep track of flows in progress.

Flow Table and Flow Entries
- Two common types of entry in the flow table:
  - Per-flow entries for flows that should be forwarded;
  - Per-host entries for misbehaving hosts whose packets should be dropped.
- Entries are removed because of:
  - Timeout due to inactivity;
  - Revocation by the Controller.

Local Switch Manager
- Establishes and maintains the secure channel to the Controller. Two ways:
  - For switches that are part of the same physical network as the Controller, use the Minimum Spanning Tree protocol.
  - For a switch that is not within the same broadcast domain as the Controller, create an IP tunnel to it.
- Switches maintain a list of neighboring switches by broadcasting and receiving neighbor-discovery messages.
- Neighbor lists are sent to the Controller periodically, every 15 seconds.

Controller
- The Controller holds the policy file, which is compiled into a fast lookup table.
- The route computation uses the network topology to pick the flow's route.
- The topology is maintained by the switch manager, which receives link updates from the switches.

Controller: Registration
- All entities that are to be named by the network (i.e., hosts, protocols, switches, users, and access points) must be registered.
- They make up the policy namespace and are used to statically check the policy.
- Authentication: Ethane does not specify a particular host authentication mechanism, e.g., 802.1X.

Controller: Tracking Bindings
- Track all the bindings between names, addresses, and physical ports on the network, even as switches, hosts, and users join, leave, and move around the network.

Controller: Namespace Interface
- In current networks, it is almost impossible to figure out user activities quickly.
- An Ethane Controller can journal all the authentication and binding information, so it is possible to determine exactly which user sent a packet, when it was sent, the path it took, and its destination.

Controller: Permission Check and Access Granting
- Upon receiving a packet, the Controller checks the policy to see what actions apply to it.
- Enforcing resource limits: the Controller can limit a flow's rate, limit the rate at which new flows are set up, or limit the number of IP addresses allocated.

Broadcast and Multicast
- Handling multicast:
  - The switch keeps a bitmap for each flow to indicate which ports the packets are to be sent to along the path.
  - The Controller can calculate the multicast tree and assign the appropriate bits during path setup.
  - Example: a 24-bit bitmap for 24 ports on a switch; 0/1 means the packet should be forwarded/dropped on the corresponding port.
- Handling broadcast discovery protocols:
  - A host is trying to find a server or an address, e.g., ARP, DHCP.
  - Given that the Controller knows all, it can reply to a request without creating a new flow and broadcasting the traffic.

Replicating the Controller: Fault-Tolerance and Scalability
- Three techniques for replication.
- Cold standby:
  - Backup Controllers sit idly by, waiting to take over if needed.
  - On failure, the network converges on a new root for the MST.
  - The backups need only contain the registration state and the network policy.
  - The main advantage is simplicity; the downside is that hosts, switches, and users need to re-authenticate and re-bind upon the primary's failure. Paths need to be re-computed.
- Warm standby:
  - A separate MST is created for every Controller.
  - The Controllers monitor one another's liveness and, upon detecting the primary's failure, a secondary Controller takes over based on a static ordering.
  - Bindings need to be replicated across Controllers.
  - Some new users and hosts need to re-authenticate.
- Full replication:
  - Two or more active Controllers.
  - A switch need only authenticate itself to one Controller and can then spread its flow requests over the Controllers (e.g., hashing or round-robin).
  - Gossip provides a weakly-consistent ordering over events.

Others
- Link failure:
  - The switch removes all flow table entries tied to the failed port and sends its new link-state information to the Controller.
  - The Controller learns the new topology.
- Bootstrapping:
  - On startup, the network creates a minimum spanning tree with the Controller advertising itself as the root.
  - If a switch finds a shorter path to the Controller, it attempts two-way authentication before advertising that path as a valid route.

The POL-ETH Policy Language
- Ethane network policy is declared as a set of rules, each consisting of a condition and a corresponding action.
- Example condition: if the user initiating the flow is "bob" and the flow protocol is "HTTP" and the flow destination is host "websrv".
- Actions include allow, deny, waypoints, and outbound-only.
- Rules are independent and don't contain an intrinsic ordering.

Example
- Two parts: group declarations and rules.

  # Groups
  desktops = griffin, roo;
  laptops = glaptop, rlaptop;
  phones = gphone, rphone;
  server = http_server, nfs_server;
  private = desktops, laptops;
  computers = private, server;
  students = bob, bill, pete;
  profs = plum;
  group = students, profs;
  waps = wap1, wap2;

  # Rules
  [(hsrc=in(server)) ∧ (hdst=in(private))] : deny;
  # Do not allow phones and private computers to communicate
  [(hsrc=in(phones)) ∧ (hdst=in(computers))] : deny;
  [(hsrc=in(computers)) ∧ (hdst=in(phones))] : deny;
  # NAT-like protection for laptops
  [(hsrc=in(laptops))] : outbound-only;
  # No restrictions on desktops communicating with each other
  [(hsrc=in(desktops)) ∧ (hdst=in(desktops))] : allow;
  # For wireless, non-group members can use http through
  # a proxy. Group members have unrestricted access.
  [(apsrc=in(waps)) ∧ (user=in(group))] : allow;
  [(apsrc=in(waps)) ∧ (protocol=http)] : waypoints(http-proxy);
  [(apsrc=in(waps))] : deny;
  [] : allow;   # Default-on: by default allow flows

Implementation: Switch
- Three different Ethane switches:
  - An 802.11g wireless access point (based on a commercial access point)
  - A wired 4-port Gigabit Ethernet switch that forwards packets at line speed (based on the NetFPGA programmable switch platform and written in Verilog)
  - A wired 4-port Ethernet switch in Linux on a desktop PC
- Flow table:
  - The main table, for packets that should be forwarded, has 8,192 flow entries
  - A second table with 32K entries for the return route of outbound traffic

Implementation: Controller
- Policy compiler: a source-to-source compiler that generates C++ from a Pol-Eth policy file.
- The Controller is implemented on a standard Linux PC.
- Registration: a standard database.
- Authentication: uses the university authentication system.
- Bind journal and namespace interface: BerkeleyDB for the log, keyed by timestamps.
- Route computation: an all-pairs shortest path algorithm.

Deployment
- Stanford CS department: 19 Ethane switches (11 wired and 8 wireless); about 300 hosts.
- Policy:
  - Non-servers are protected from outbound connections from servers.
  - Workstations can communicate uninhibited.
  - Hosts must register a MAC address, but there is no user authentication.
  - Wireless nodes do not require user authentication.
  - The VoIP phones are restricted from communicating with non-phones and are statically bound to a single access point to prevent mobility.

Performance: Controller Scalability
- Experiment: 30-40 new flow requests per second, with a peak of 750 flow requests per second.
- A single Controller could comfortably handle 10,000 new flow requests per second.

Performance During Failures
- Controller failure: measure the completion time of 275 consecutive HTTP requests, retrieving 63 MB in total, under cold-standby failure recovery. While the requests were ongoing, we crashed the Controller and restarted it multiple times.
- Link failure: all outstanding flows re-contact the Controller in order to re-establish the path. Created a topology with redundant paths, so the network can withstand a link failure, and measured the latencies experienced by packets.
- The path re-converges in under 40 ms, but a packet could be delayed up to a second while the Controller handles the flurry of requests.

Performance: Flow Table Sizing
- Uses two network datasets:
  - An 8,000-host network at Lawrence Berkeley National Lab
  - A 22,000-host network at Stanford
- Active flows never exceed 500.
- Switches closer to the edge will see a number of flows proportional to the number of hosts they connect to.
- A switch at the center of a network will likely see more active flows, so we assume it will see all active flows.

Ethane's Shortcomings
- Broadcast and service discovery protocols: create large numbers of flow entries and lead to lots of traffic, unless Ethane can interpret the protocol and respond on its behalf.
- Application-layer routing: Ethane's policy can be compromised by communications at a higher layer. For example, if A is allowed to talk to B but not C, and B can talk to C, then B can relay messages from A to C. Example: Tor.
- Knowing what the user is doing: Ethane's policy assumes that the transport port numbers indicate what the user is doing. Colluding malicious users or applications can fool Ethane by agreeing to use nonstandard port numbers.
- Spoofing Ethernet addresses: Ethane switches rely on the binding between a user and Ethernet addresses to identify flows. If a user spoofs a MAC address, it might be possible to fool Ethane into delivering packets to an end-host.
- Denial of service attack:
  - On switch: flush the flow table
  - On controller:

Review
- Principles:
  - Govern by policy with high-level names
  - Policy determines the path
  - Know a packet's origin
- Components of Ethane: Controller, Ethane switch
- Name binding in an Ethane network
- How do two hosts communicate in an Ethane network?
- Controller replication
- Policy language
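The Pol-Eth example policy from the slides (groups and rules), evaluated against sample flows: an added example, not code from the slides or from Ethane. It represents the groups and rules as Python literals rather than parsing the Pol-Eth text, and resolves conflicting rules by declaration order (first match wins), which is an assumption the slides do not state.

```python
# Added example, not the Ethane Controller's code: evaluating the slides'
# Pol-Eth policy. Groups and rules are transcribed from the example; resolving
# conflicts by declaration order (first matching rule wins) is an assumption.
GROUPS = {
    "desktops": ["griffin", "roo"],
    "laptops": ["glaptop", "rlaptop"],
    "phones": ["gphone", "rphone"],
    "server": ["http_server", "nfs_server"],
    "private": ["desktops", "laptops"],       # groups may nest other groups
    "computers": ["private", "server"],
    "students": ["bob", "bill", "pete"],
    "profs": ["plum"],
    "group": ["students", "profs"],
    "waps": ["wap1", "wap2"],
}

# A rule is (condition, action). A condition field names a group for
# hsrc/hdst/apsrc/user (the in(...) test) or a literal value for protocol.
RULES = [
    ({"hsrc": "server", "hdst": "private"}, "deny"),
    ({"hsrc": "phones", "hdst": "computers"}, "deny"),
    ({"hsrc": "computers", "hdst": "phones"}, "deny"),
    ({"hsrc": "laptops"}, "outbound-only"),
    ({"hsrc": "desktops", "hdst": "desktops"}, "allow"),
    ({"apsrc": "waps", "user": "group"}, "allow"),
    ({"apsrc": "waps", "protocol": "http"}, "waypoints(http-proxy)"),
    ({"apsrc": "waps"}, "deny"),
    ({}, "allow"),                            # empty condition: default-on
]

def expand(name):
    """Flatten a group name (recursively) into the set of leaf member names."""
    if name not in GROUPS:
        return {name}
    return set().union(*(expand(m) for m in GROUPS[name]))

def matches(cond, flow):
    """Every condition field must hold; a flow lacking a field does not match."""
    for fld, want in cond.items():
        have = flow.get(fld)
        if fld == "protocol":
            if have != want:
                return False
        elif have not in expand(want):
            return False
    return True

def decide(flow):
    """Action of the first rule, in declaration order, that the flow satisfies."""
    return next(action for cond, action in RULES if matches(cond, flow))
```

Note that a wireless flow from a non-member falls through to the http-proxy waypoint rule only for HTTP; anything else from the access points hits the deny rule before the default allow.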
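The flow-setup and forwarding exchange from the "Ethane in Use" slides, simulated end to end: an added example, not Ethane's code. The linear three-switch topology, the hosts, the inactivity timeout and the allow-list standing in for the policy are all constructed here.

```python
# Added example, not Ethane's code: the flow-setup exchange on the slides. A
# switch sends a flow's first packet to the Controller, which checks policy,
# computes the path, installs entries on every switch along it (both directions)
# and hands the packet back; later packets hit the flow table, idle entries expire.
TIMEOUT = 5.0                                   # idle seconds before expiry (assumed)
SWITCHES = ["s1", "s2", "s3"]                   # constructed linear topology
HOST_SWITCH = {"hostA": "s1", "hostB": "s3", "srv": "s2"}   # host -> access switch
ALLOWED = {("hostA", "srv"), ("hostB", "srv")}  # toy stand-in for a Pol-Eth policy

class Switch:
    def __init__(self):
        self.table = {}          # flow entry: (src, dst) -> time last seen
        self.to_controller = 0   # how often this switch had to ask the Controller

    def forward(self, pkt, now, controller):
        key = (pkt["src"], pkt["dst"])
        if key in self.table and now - self.table[key] < TIMEOUT:
            self.table[key] = now               # active flow: refresh, forward locally
            return "forwarded"
        self.table.pop(key, None)               # idle entry has timed out
        self.to_controller += 1
        return controller.setup(pkt, now)       # first packet goes up for a decision

class Controller:
    def __init__(self, switches):
        self.switches = switches                # the topology the Controller holds

    def path(self, a, b):                       # on a line the path is a slice;
        i, j = SWITCHES.index(a), SWITCHES.index(b)   # Ethane runs shortest-path
        return SWITCHES[min(i, j):max(i, j) + 1]

    def setup(self, pkt, now):
        src, dst = pkt["src"], pkt["dst"]
        if (src, dst) not in ALLOWED:
            return "dropped"                    # permission check failed: deny
        for sw in self.path(HOST_SWITCH[src], HOST_SWITCH[dst]):
            self.switches[sw].table[(src, dst)] = now   # forward direction
            self.switches[sw].table[(dst, src)] = now   # return direction too
        return "forwarded"                      # packet handed back to switch 1

def run(events):
    """Replay (time, src, dst) packets; return outcomes and per-switch Controller asks."""
    switches = {n: Switch() for n in SWITCHES}
    ctl = Controller(switches)
    out = [switches[HOST_SWITCH[s]].forward({"src": s, "dst": d}, t, ctl)
           for t, s, d in events]
    return out, {n: sw.to_controller for n, sw in switches.items()}
```

Replaying a burst of packets shows the slide's claim directly: only the first packet of a flow, and the first after an idle timeout, reaches the Controller, while the server's reply is forwarded from the return entry installed at setup.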