Presentation is loading. Please wait.

Presentation is loading. Please wait.

ETTM: A Scalable, Fault-tolerant Network Manager Colin Dixon Hardeep Uppal UMass Amherst Vjekoslav Brajkovic, Dane Brandon, Thomas Anderson and Arvind.

Published byMoris Porter Modified over 8 years ago

Similar presentations

Presentation on theme: "ETTM: A Scalable, Fault-tolerant Network Manager Colin Dixon Hardeep Uppal UMass Amherst Vjekoslav Brajkovic, Dane Brandon, Thomas Anderson and Arvind."— Presentation transcript:

1 ETTM: A Scalable, Fault-tolerant Network Manager Colin Dixon Hardeep Uppal UMass Amherst Vjekoslav Brajkovic, Dane Brandon, Thomas Anderson and Arvind Krishnamurthy University of Washington

2 What I want from a network Services NAT (v4  v4, v4  v6 or both) Firewall Traffic Prioritization Transparent Web Cache Remote Access (VPN) Pervasive Intrusion Detection (IDS/DPI) Requires buying several proprietary middleboxes Even that is potentially inconsistent, inextensible, and doesn’t scale

3 Intrusion detection today packet Deployed at the edge of the network Difficult to catch internal threats Increased deployment requires coordination packet

4 A different approach An End to the Middle (ETTM) We do not need physically centralized hardware to make logically centralized decisions Implement network functionality as “virtual middleboxes” running as software on users’ PCs

5 Pervasive intrusion detection packet Assume a trusted shim at each host to provide monitoring and control Gives pervasive monitoring and the ability to quarantine hosts

6 Assumptions Enterprise Network Single administrative domain Hosts have trusted computing hardware Hosts are multicores Hosts are virtualized Switches provide access control Increasingly true of commodity PCs 802.1X & OpenFlow

7 Goals of ETTM Make it easy to extend network functionality One platform with simple APIs Automatically scale with network demand Run management on already-present end-hosts Function pervasively, consistently, fault-tolerantly Distributed consensus

8 Outline Introduction & Motivation ETTM Design Evaluation Conclusion

9 Challenges Can users’ commodity PCs be trusted to faithfully carry out network management tasks? Can users’ commodity PCs quickly make consistent decisions that survive failures? How can we enable developers and administrators to build and deploy new features?

10 Challenges Can users’ commodity PCs be trusted to faithfully carry out tasks? Can users’ commodity PCs quickly make consistent decisions that survive failures? How can we enable developers and administrators to build and deploy new features? Commodity OS Application HypervisorHypervisor w/TPM Attested Exec. Env. Distributed Consensus Filters/ µvrouter Network Service Physical Switch

11 Trusted Authorization Step 7: Verification server turns on port for hostStep 6: (Optional) Load new image or configurationsStep 5: End-host sends integrity measurementsStep 4: Verification server sends challenge nonce to end-hostStep 3: Message tunneled to verification server using 802.1XStep 2: End-host responds with EAP Response with public key to useStep 1: Switch discovers new end-host and sends EAP Request Identity Step 1:50 ms Step 2-4:20 ms Step 5:1 s Step 6:varies Step 7:20 ms Total:1.09s(Can be overlaid with commodity OS boot)

12 Hypervisor w/TPM Commodity OS Application Legacy hosts What about hosts which don’t (or can’t) run their own AEE? AEEs are virtual and need not run on the same host they are filtering Attested Exec. Env. Distributed Consensus Filters/ µvrouter Network Service

13 Fault tolerance/Consistency Shared Table 1 row per application Each row is a log of state updates Each cell is the result of a Paxos round Catastrophic Failures Allow unsafe progress Fork row, merge changes after the fact Name123 … NATA→BC→D… Web Cache host down host up … Topologylink uplink down … ………… Name123 … NATA→BC→D… unsafe NAT from NAT at t=4 E→F… Web Cache host down host up … Topologylink uplink dn… …………

14 µvrouter Runs in the AEE, invokes filters on packets Open vSwitch implementation Line-speed Accepts OpenFlow commands Limited to packet header operations iptables implementation 250 Mbps Full C++ filters Access to complete packet

15 Application Filters µvrouter determines which filters to invoke on each packet and in what order Filters capture, delay, rewrite, drop and inject packets µvrouter also calls filters’ upkeep functionality, fetches any new packets matchOnHeader() true if the filter works on only headers getPriority() returns integer used to order filters getName() returns user-friendly name matchHeader(ipH,tcpH,udpH) check if the filter matches headers match(pkt) check if the filter matches full payload filter(pkt) processes a packet, returns an action upkeep() called periodically for maintanence getReadyPackets() used to inject new packets

16 Putting it all together Hypervisor w/TPM Commodity OS Application Attested Exec. Env. Distributed Consensus Filters/ µvrouter NAT filter Hypervisor w/TPM Attested Exec. Env. Commodity OS Application Distributed Consensus Filters/ µvrouter NAT filter Name1234 … NATA→B… ………… Name1234 … NATA→BC→D… ………… packet

17 Outline Introduction & Motivation ETTM Design Evaluation Conclusion

18 Implemented ETTM Apps NAT Deep Packet Inspection/IDS Web Cache Traffic Prioritization Worm Scan Detection Firewall Most are only a few 100s of lines

19 Is consensus fast? We make fault-tolerant decisions in under 1 ms on a wired LAN

20 Does consensus scale? We can add between 1700 and 8000 cells to a row each second

21 Do filters hurt performance? Achieve 1 Gb/s For reasonable flows (>10 KB), performance is identical

22 ETTM Bandwidth Allocation Latency spikes with BitTorrent flow Bandwidth allocator keeps latency stable Latency to load google.com Latency with bandwidth reservations

23 Conclusion Enterprise network management today is complex, expensive and ultimately unsatisfying We propose a new approach: implementing network management tasks as software on end-hosts Easy to write and distribute network apps Management resources scale with demand Tasks run pervasively, consistently and tolerate faults Implemented NAT, IDS, Cache, BW Alloc., Scan Det.

Download ppt "ETTM: A Scalable, Fault-tolerant Network Manager Colin Dixon Hardeep Uppal UMass Amherst Vjekoslav Brajkovic, Dane Brandon, Thomas Anderson and Arvind."

Similar presentations

Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
Software Bundle ViPNet Secure Remote Access Arrangement using ViPNet Mobile © Infotecs.

Software Bundle ViPNet Secure Remote Access Arrangement using ViPNet Mobile © Infotecs.
Distributed Processing, Client/Server and Clusters

Distributed Processing, Client/Server and Clusters
SDN Controller Challenges

SDN Controller Challenges
Packet Switching COM1337/3501 Textbook: Computer Networks: A Systems Approach, L. Peterson, B. Davie, Morgan Kaufmann Chapter 3.

Packet Switching COM1337/3501 Textbook: Computer Networks: A Systems Approach, L. Peterson, B. Davie, Morgan Kaufmann Chapter 3.
PortLand: A Scalable Fault-Tolerant Layer 2 Data Center Network Fabric. Presented by: Vinuthna Nalluri Shiva Srivastava.

PortLand: A Scalable Fault-Tolerant Layer 2 Data Center Network Fabric. Presented by: Vinuthna Nalluri Shiva Srivastava.
Multi-Layer Switching Layers 1, 2, and 3. Cisco Hierarchical Model Access Layer –Workgroup –Access layer aggregation and L3/L4 services Distribution Layer.

Multi-Layer Switching Layers 1, 2, and 3. Cisco Hierarchical Model Access Layer –Workgroup –Access layer aggregation and L3/L4 services Distribution Layer.
Course Name- CSc 8320 Advanced Operating Systems Instructor- Dr. Yanqing Zhang Presented By- Sunny Shakya Latest AOS techniques, applications and future.

Course Name- CSc 8320 Advanced Operating Systems Instructor- Dr. Yanqing Zhang Presented By- Sunny Shakya Latest AOS techniques, applications and future.
NETWORK LOAD BALANCING NLB.  Network Load Balancing (NLB) is a Clustering Technology.  Windows Based. (windows server).  To scale performance, Network.

NETWORK LOAD BALANCING NLB.  Network Load Balancing (NLB) is a Clustering Technology.  Windows Based. (windows server).  To scale performance, Network.
Business Continuity and DR, A Practical Implementation Mich Talebzadeh, Consultant, Deutsche Bank

Business Continuity and DR, A Practical Implementation Mich Talebzadeh, Consultant, Deutsche Bank
Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.

Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.
Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.

Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.
Web Caching Schemes1 A Survey of Web Caching Schemes for the Internet Jia Wang.

Web Caching Schemes1 A Survey of Web Caching Schemes for the Internet Jia Wang.
Spring 2002CS 4611 Router Construction Outline Switched Fabrics IP Routers Tag Switching.

Spring 2002CS 4611 Router Construction Outline Switched Fabrics IP Routers Tag Switching.
OnCall: Defeating Spikes with Dynamic Application Clusters Keith Coleman and James Norris Stanford University June 3, 2003.

OnCall: Defeating Spikes with Dynamic Application Clusters Keith Coleman and James Norris Stanford University June 3, 2003.
OCT1 Principles From Chapter One of “Distributed Systems Concepts and Design”

OCT1 Principles From Chapter One of “Distributed Systems Concepts and Design”
Data Center Virtualization: Open vSwitch Hakim Weatherspoon Assistant Professor, Dept of Computer Science CS 5413: High Performance Systems and Networking.

Data Center Virtualization: Open vSwitch Hakim Weatherspoon Assistant Professor, Dept of Computer Science CS 5413: High Performance Systems and Networking.
Distributed Systems: Client/Server Computing

Distributed Systems: Client/Server Computing
Virtual techdays INDIA │ 22-23 November 2010 SQL Azure Data Sync Shilpa Nirmale │ Associate Manager, Accenture.

Virtual techdays INDIA │ November 2010 SQL Azure Data Sync Shilpa Nirmale │ Associate Manager, Accenture.

Similar presentations

Ads by Google