How to implement complex policies on existing network infrastructure
Download as PPTX, PDF0 likes15 views
The document discusses the need for scalable methods to implement complex policies on network infrastructure, as traditional single-switch policies are limited by memory and computation constraints. It presents a solution that divides rules across multiple switches while ensuring that flow-table sizes are minimized and can operate within linear time complexity. The approach addresses issues of high computation costs and exponential growth of table sizes, and showcases an algorithm for managing packet classification effectively.
![Example
K #1 #2 #3 #4 Action
R1 * * 1 0 A1
R2 1 0 * * A2
R3 0 0 * * A3
R4 * * 1 1 A4
K1 #1 #2 #3 #4 Action
R1 * * 1 0 A1,
Matched=1
R2 1 0 * *
A2,
Matched =1
R3 0 0 * *
A3,
Matched =1
K2 #1 #2 #3 #4
Action
If matched==0
R4 * * 1 1
A4,
Matched = 1
Algorithm for OneBit(K<,c1,c2,…,cl)
1. Initialize K1,K2,…..,Kl to emply classifiers
2. For I in 1,2,….,l do
3. Let Ri be ci highest priority rules of K
4. for (F,A) € sorted(R,<) do
5. Append(F,[A , matched 1]) to Ki
6. if i=1 then
7. Set default action to matched 0 in Ki
8. else
9. Make Ki conditioned on matched = 1
10. Remove R from K
11. return K1,K2,……,Kl](https://image.slidesharecdn.com/group3-200103054342/85/How-to-implement-complex-policies-on-existing-network-infrastructure-8-320.jpg)
How to implement complex policies on existing network infrastructure
- 1. How to implement complex policies on existing network infrastructure Pavel Chuprikov Kirill Kogan Sergey Nikolenko Ajay Kharat (2019H1030011G) BITS - Pilani
- 2. Motivation • Network has grown complex today and requires several features like VPN, firewall, intrusion detection etc • Network wide policy cannot be defined on a single switch(approximately around 750 entries per table), requires too much memory and computation • Need to split policy into several switches
- 3. Problem Statement • To find scalable and manageable methods to support these complexities without upgrading the capabilities of individual network elements • Splitting policy over several switches and minimizing individual flow - table size in switches is an intractable optimization problem • Earlier proposed solutions suffer from three problems 1. very high computation cost 2. the resulting number of table sizes can grow exponentially 3. dynamic header fields cannot be handled
- 4. Approach and Solution • Model description: 1. Packet header H= (h1, h2, ..., hw ), bit sequence of 0 or 1 2. Classifier K = {R1, R2 , ..., Rn }, ordered set of rules with total ordering 3. Rule Ri = (Fi , Ai ), filter Fi and pointer to action Ai 4. Filter F = (f1, f2,..., fw), bit sequence of 0, 1 and *(don’t care) corresponding to header bits
- 5. Approach and Solution • A classifier’s main purpose is to find the action corresponding to the highest priority rule that matches a given header • Two classifiers K1 and K2 are equivalent if they choose the same actions for every possible incoming packet • If the individual capacity of each switch adds up to the total number of rules in the classifier then the solution works. i.e ∑ ci >= |K|
- 6. Approach and Solution • We simply put the first c1 rules to the first switch , then next c2 rules to the next switch and so on until all the rules in K are covered • The approach uses a “matched” bit. This bit ensures that the header is matched with the rules only once among all the switches
- 7. Algorithm followed • Runs in linear time complexity.(i.e O(K))
- 8. Example K #1 #2 #3 #4 Action R1 * * 1 0 A1 R2 1 0 * * A2 R3 0 0 * * A3 R4 * * 1 1 A4 K1 #1 #2 #3 #4 Action R1 * * 1 0 A1, Matched=1 R2 1 0 * * A2, Matched =1 R3 0 0 * * A3, Matched =1 K2 #1 #2 #3 #4 Action If matched==0 R4 * * 1 1 A4, Matched = 1 Algorithm for OneBit(K<,c1,c2,…,cl) 1. Initialize K1,K2,…..,Kl to emply classifiers 2. For I in 1,2,….,l do 3. Let Ri be ci highest priority rules of K 4. for (F,A) € sorted(R,<) do 5. Append(F,[A , matched 1]) to Ki 6. if i=1 then 7. Set default action to matched 0 in Ki 8. else 9. Make Ki conditioned on matched = 1 10. Remove R from K 11. return K1,K2,……,Kl
- 9. Evaluation of the solution
- 10. Related work • Palette : Distributing tables in software – defined networks • Expands each bit of header one by one. • Unable to cope with dynamic header changes. • Optimizing the "one big switch “ abstraction in software-defined networks • Uses header space and overlapping technique. • Unable to cope with dynamic header changes.