Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines
Download as PPT, PDF0 likes229 views
This document discusses enabling active flow manipulation in silicon-based network forwarding engines. It describes Nortel's Openet platform, which uses active flow manipulation to allow network services to define and alter network behavior in real-time. Examples of applications using this capability are presented, including SSL acceleration and an active firewall service. The presentation outlines the technology transfer of active network ideas into practical commercial products and considers future directions such as service-centric networks and integrated management of network services.
![iSD
iSD
May 28-29, 2002 18
Disaster Recovery concept
OmniNet Control Plane
DANCE Exposition
Control
Mesg
8600
8600
OmniNet
8600
10G
10G
10G
iSD
1G
1G
1G
A B
C
D
X
Y
Z
B2
B3
[Linux]
TL1
Alteon
Alteon
Alteon
EvaQ8
OG - 1
EvaQ8
OG -2
EvaQ8
OG - 3
1. Normal App flow : Client X -> Server Z
2. Disaster Strikes at Location Z
3. EvaQ8 OG 3 sends a signal[RSVP] to
OG1
4. OG1 instructs Omnit net to connect B2
& B3 ; Server Z and Server Y data
syncd
5. On successful sync, OG2 instructs
OmniNet to connect B1->B2.
6. Service Restored for Client X ->server
Y
Disaster Event/
Environ. Sensor
B1
Control
Mesg](https://image.slidesharecdn.com/45repenablingactiveflowmanipulationinsilicon-basednetworkforwardingengines-141028124335-conversion-gate02/85/Enabling-Active-Flow-Manipulation-In-Silicon-based-Network-Forwarding-Engines-18-320.jpg)
Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines
- 1. Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines May 28-29, 2002 1 Tal Lavian - tlavian@ieee.org Nortel Networks Advanced Technology Labs Open Source - http://www.openetlab.org DANCE Exposition
- 2. • AN technologies => Real Network Devices • Main thrust of the paper • Commercial Active Nets Platform • Application Example 1 – SSL • Application Example 2 – ASF • Next Generation AN Platform • Conclusion May 28-29, 2002 2 Outline of the talk DANCE Exposition
- 3. May 28-29, 2002 3 AN Technology Transfer DANCE Exposition Active Nets Community Realistic Mechanisms Great Ideas Usable/Realizable Mechanisms/Products Active Nets Community Active Nets Ideas Active Nets Ideas Real AN Network Products Internet
- 4. Great Active Nets CCoommmmuunniittyy SSoolluuttiioonnss • Active networks (AN) approach opens an exciting opportunity for individual applications to define the service provided by the network through programmability. • Active Networks technologies expose a novel approach that allows customer value-added services to be introduced to the network “on-the-fly”. • Active Nets program has produced a new network platform flexible and extensible at runtime to accommodate the rapid evolution and deployment of network technologies. • The exciting opportunity exists for network service providers and third parties, not just the network device providers, to program the network infrastructure and services. May 28-29, 2002 4 DANCE Exposition
- 5. Lack of industrial-strength Active Network devices that dispel major concerns: May 28-29, 2002 5 DANCE Exposition AANN iissssuueess • AN requires substantial supports from a NOS • AN introduces substantial software component, hence delay on the data path • AN lacks adequate measures to addressing integrity and security of network devices.
- 6. May 28-29, 2002 6 Main contributions of the paper • Active Flow Manipulation Concept DANCE Exposition — Flow abstraction — Actions on Flows — Control/Data separation • Openet Platform — Commercial Network Devices — Runtime Environment — Active Services • Applications
- 7. May 28-29, 2002 7 Openet: An active service platform User Oplets ORE JFWD CPU JNI/Native Code Monitor status DANCE Exposition JVM MEM … Filtered packets New forwarding rules Forwarding Engine OpletService, Shell, Logger Jcapture, HTTP, IpPacket Standard Services ANTS Application services Firewall, DiffServ Function Services Control Plane Data Plane
- 8. May 28-29, 2002 8 Active Flow Manipulation DANCE Exposition Forwarding Processor Forwarding Processor Packet Policy Filters AFM Packet Filte r Packet Action • A key enabling technology of Openet • Two abstractions — Primitive flows — Primitive actions • Customer network services exercise active network control — Identifying specific flows — Apply actions to alter network behavior in real-time
- 9. May 28-29, 2002 9 Openet Alteon Active Nets Platform = A Powerful Platform for AN Technologies Transfer DANCE Exposition • A powerful and extensible control and computational plane — Partitioning hardware/software resources — Active service enabling — Content filtering in real-time — Active services accommodation Optical Wireless Active Services router Content gateway Edge Device Content Aware Computation Power Dynamic Service Enabling
- 10. Nortel Networks’ contributions to Active Networks • Practical Active Networks Architecture on real network device. • First Commercial Active Networks platform. May 28-29, 2002 10 DANCE Exposition
- 11. May 28-29, 2002 11 Any AN products? DANCE Exposition Active Nets Community Active Nets Community Active Nets Ideas Active Nets Ideas Realistic Mechanisms Experimental/Laboratory Platforms Commercial AN Platform? ? Nortel Networks AN Products SSSSLL AASSFF IDIDSS VVPPNN
- 12. • Client sends an HTTPS request • Switch redirects request on port 443 to iSD-SSL • iSD-SSL completes SSL handshake • iSD-SSL initiates HTTP connection to server on port 80 • Switch selects real server based on configured LB policy • Server responds to HTTP request and replies to the iSD-SSL • iSD-SSL encrypts session and sends HTTPS response to client HTTPS, SMTP-S, POP3-S and IMAP-S services May 28-29, 2002 12 SSL Acceleration How Does the iiSSDD--SSSSLL AAcccceelleerraattoorr wwoorrkk?? DANCE Exposition
- 13. May 28-29, 2002 13 Client And Server Authentication DANCE Exposition 1 User opens session 2 Sends server certificate Requests client certificate 3 Serves request/response 7 Send encrypted data to back 6 end Validates the client certificate info. 5 Private key Confidential 4 Client sends the certificate with public key Public key Published
- 14. May 28-29, 2002 14 ASF – Alteon Switched Firewall DANCE Exposition
- 15. Relate AFS to AN Technology • The Alteon selectively redirects new connection requests to the Alteon Switched Firewall Director to perform policy checking. • The Director runs the Check Point FireWall-1 engine as an Active Service. • The Active Service manages the connection table, specifies rules for handling packets in the session, passes the connection table to the Alteon Switched Accelerator. • 90% of traffic is accelerated, supporting a throughput of 3.2 Gbps. May 28-29, 2002 15 DANCE Exposition
- 16. Alteon Security Cluster Acceleration and intelligent integration of security applications Single point of secure central management IDS IDS URL Filtering Virus Scan Nortel Appliance Acceleration Protocol (Enables application control of switch sessions) May 28-29, 2002 16 BBI, CLI, SSI, Plug and Play DANCE Exposition Application Plane Security Appliance NAAP Control Plane Controller of accelerated sessions Management Plane IDS IDS IDS Fir Fi Firewall SSL SSL SSL Security Accelerator Data Plane Switch based acceleration of session data Fir Fi VPNs SSL SSL
- 17. May 28-29, 2002 17 DANCE Exposition What next?
- 18. iSD iSD May 28-29, 2002 18 Disaster Recovery concept OmniNet Control Plane DANCE Exposition Control Mesg 8600 8600 OmniNet 8600 10G 10G 10G iSD 1G 1G 1G A B C D X Y Z B2 B3 [Linux] TL1 Alteon Alteon Alteon EvaQ8 OG - 1 EvaQ8 OG -2 EvaQ8 OG - 3 1. Normal App flow : Client X -> Server Z 2. Disaster Strikes at Location Z 3. EvaQ8 OG 3 sends a signal[RSVP] to OG1 4. OG1 instructs Omnit net to connect B2 & B3 ; Server Z and Server Y data syncd 5. On successful sync, OG2 instructs OmniNet to connect B1->B2. 6. Service Restored for Client X ->server Y Disaster Event/ Environ. Sensor B1 Control Mesg
- 19. May 28-29, 2002 19 What next? Quotes from VIPs DANCE Exposition
- 20. Service-centric Active Nets Platform May 28-29, 2002 20 What after next? DANCE Exposition Manage Service Enabling SERVICES Control Matching Impedance Intra-Service Comm Security • Service Enabling API • Control API • Impedance Matching API • Security API • Management API • Intra-service Communications API
- 21. May 28-29, 2002 21 DANCE Exposition Summary • AN Technologies Transfer => Nortel AN Platform • New AN platform: Openet + Alteon + iSD — Alteon: AN platform advanced content filtering — iSD: powerful & extensible computation plane • Important Applications • Impact of AN on next generation networks
- 22. OpenetLab – Nortel Networks: http://www.openetlab.org/ May 28-29, 2002 22 QQ&&AA DANCE Exposition
- 23. May 28-29, 2002 23 BBaacckkuupp SSlliiddeess DANCE Exposition
- 24. May 28-29, 2002 25 Secure XL & NAAP in Action TCP session Alteon Switched Firewall (ASF) 5 Update Conn. DANCE Exposition 1 SYN Policy Check 1 1 Add Conn. (F2F) 1 2 SYN/ACK 3 Update Conn. 6 4 TCP 3-way handshake complete, data for the session accelerated 5 FIN-1 6 FIN-2 7 ACK Update Conn. Delete Conn. 7 Clients Servers 3 ACK (TCP 3-way handshake complete)
- 25. New Focus on Integrated Management and Flow Application Clusters SSL FW VPN IDS Virus • Shift from physical management to logical management • Central management of multiple services May 28-29, 2002 27 Intelligent Flow Management Security Dashboard • Plug and play simplicity and scalability DANCE Exposition Scanning URL SSL FW VPN IDS Virus Filtering Scanning URL SSL FW VPN IDS Virus Filtering Scanning URL SSL FW VPN IDS Virus Filtering Scanning URL SSL FW VPN IDS Virus Filtering Scanning URL SSL FW VPN IDS Virus Filtering Scanning URL Filtering
Editor's Notes
- #3: Here is the outline of the talk. First I will identify several driving forces that led us in this direction of programmable networking Next, I review some basic functionality of a routing network element. Then I introduce our idea when we develop the AFM concept I will describe a framework for which AFM can be applied I will also describe several relevant examples using AFM and the platform Finally I conclude with a hint of what we go from here.
- #4: To us as researchers: to be able to implement several of our new ideas on a real router. For Nortel Networks (if I am not wrong): potential revenue generating direction by inventing and developing advanced technology/ By looking at the Internet from users’ perspective, service providers’ perspective and network providers’ perspective, we have identified several driving forces that steered us in this direction of research: Users want intelligent services Service providers want to differentiate their service by offering new services, time to market, flexibility in managing their services Network Providers want to manage their services efficiently and economically. They want to sell, lease their resources at premium price. They want to sell bandwidth on-demand, etc.
- #7: Above all we need programmability in network devices for introducing, enabling all kinds of intelligent services. What we need : a framework, a platform independent API.
- #9: Database of what to be done based on SLA Database of possible filters of interests AFM defines a set of primitive flows and operation to obtain composite flows AFM defines a set of primitive actions Flow and Action can form an algebra in the most general sense. One can actually design machine with this algebra. The main interest is in identifying specific flows and applying actions to alter the behaviour in real-time.
- #28: Shift from physical management to logical management o Manage the data based on flows and apply the services depending on the user and flow o Simplify the configuration significantly o Essentially separate data plane from control plane to enable effective management Central management of multiple services o Eliminate multiple points of management o Scale management to control devices and applications Plug and play simplicity and scalability