Nanxi Kang Princeton University Research Track Part 1 ONS2015: http://bit.ly/ons2015sd ONS Inspire! Webinars: http://bit.ly/oiw-sd Watch the talk (video) on ONS Content Archives: http://bit.ly/ons-archives-sd

3. An Efficient Distributed
Implementation of One Big Switch
Nanxi Kang
Princeton University
in collaboration with Zhenming Liu, Jennifer Rexford, David Walker

4. One Big Switch Abstraction
2
H1
H2
H3
H1 H2
H1
H3
From H1, dstIP = 0* => go to H2
From H1, dstIP = 1* => go to H3
Endpoint policy
e.g, Firewall, Load Balancer
Routing policy
e.g, Shortest path routing
H1 H2
H3
Automatic Rule Placement

5. Challenges of Rule Placement
3
H1 H2
H1
H3
H1 H2
H3
...
...
...
...
...
#rules >10k
TCAM size =1k ~ 2k
Automatic Rule Placement

6. Contributions
• Design a new rule placement algorithm
• Stay within rule capacity of switches
• Minimize the total number of installed rules
• Handle policy update incrementally
• Evaluation on real and synthetic data
4

7. Contribution
• Design a new rule placement algorithm
• Stay within rule capacity of switches
• Minimize the total number of installed rules
• Handle policy update incrementally
• Evaluation on real and synthetic data
4

8. • Enforce routing policy
• install rules on switches to forward packets
• Enforce endpoint policy
• topology as multiple paths: an ordered list of switches
• Solve paths separately
Topology = {Paths}
H1
H2
H3
H1 H2
H1
H3
H1
H2
H1
H3
5

9. Model shared switches
• Multiple paths share the same switch
• Split shared rule capacity over paths
• Paths have different demands for total rule capacities
• Linear Programming
6
H1
H2
H3

10. Place rules over a path
• How to place rules over a path ?
7
R1: (srcIP = 0*, dstIP = 00*),
permit
R2: (srcIP = 01, dstIP = 1* ),
permit
R3: (srcIP = *, dstIP = 11*),
deny
R4: (srcIP = 11*, dstIP = * ),
permit

11. Map rule to rectangle
0
0
0
1
1
0
11
0
00
11
0
11
srcI
P
dstIP
8
R1: (0*,
00),P
R2: (01,
1*),P
R3: (**,
11),D
R4: (11,
**),P
R5: (10,
0*),P
R6: (**,
0
0
0
1
1
0
11
0
00
11
0
11
R
1
srcI
P
dstIP

12. Map rule to rectangle
0
0
0
1
1
0
11
0
00
11
0
11
srcI
P
dstIP
9
R1: (0*,
00),P
R2: (01,
1*),P
R3: (**,
11),D
R4: (11,
**),P
R5: (10,
0*),P
R6: (**,
C = 4
0
0
0
1
1
0
11
0
00
11
0
11
R
1
R4
R
3
R2
R5
srcI
P
dstIP

13. Cover a rectangle
R1: (0*, 00)
R2: (01, 1*)
R3: (**, 11)
R4: (11, **)
R5: (10, 0*)
R6: (**, **)
q: (**,1*)
• Overlapped rules:
R2, R3, R4, R6
• Internal rules:
R2, R3
0
0
0
1
1
0
11
0
00
11
0
11
R
1
R4
R
3
R2
R5
10C = 4

14. Install rules in first switch
R1: (0*, 00)
R2: (01, 1*)
R3: (**, 11)
R4: (11, **)
R5: (10, 0*)
R6: (**, **)
q: (**,1*)
0
0
0
1
1
0
11
0
00
11
0
11 R’4
R
3
R2
R2: (01,
1*)
R3: (**, 11)
R’4: (11,
1*)
R’6: (**,
1*)
0
0
0
1
1
0
11
0
00
11
0
11
R
1
R4
R
3
R2
R5
11

15. Rewrite policy
qfwd: (**,
1*)
R1: (0*,
00)
R4: (11, **)
R5: (10,
0*)
R6: (**, **)
0
0
0
1
1
0
11
0
00
11
0
11
R
1
R4
R5
q
Bypass everything in q
12
R1: (0*, 00)
R2: (01, 1*)
R3: (**, 11)
R4: (11, **)
R5: (10, 0*)
R6: (**, **)
q: (**,1*)
0
0
0
1
1
0
11
0
00
11
0
11
R
1
R4
R
3
R2
R5

16. Summary
• Contribution
• An efficient rule placement algorithm
• Support for incremental update
• Evaluation on real and synthetic data
• Path: 8-hop, 14k rules, <1.9k rules/switch
• Graph:100 switches, 0.5s(LP) + 0.5s ~
9s(Path)
• Future work
• Integrate with real-time SDN systems
• Combine with policy checking and verification13

18. Related Work
• Single switch optimization
• TCAM Razor
• “Compressing Rectilinear Pictures and Minimizing Access
Control Lists”
• Distributed switch optimization
• vCRIB
• Algorithm assumes control over routing
• Palette
• Enforce the whole network-wide policy on every path
31