Presentation is loading. Please wait.

Presentation is loading. Please wait.

Paving the Way for NFV: Simplifying Middlebox Modifications with StateAlyzr Junaid Khalid, Aaron Gember-Jacobson, Roney Michael, Archie Abhashkumar, Aditya.

Published byJuliana Simon Modified over 8 years ago

Similar presentations

Presentation on theme: "Paving the Way for NFV: Simplifying Middlebox Modifications with StateAlyzr Junaid Khalid, Aaron Gember-Jacobson, Roney Michael, Archie Abhashkumar, Aditya."— Presentation transcript:

1 Paving the Way for NFV: Simplifying Middlebox Modifications with StateAlyzr Junaid Khalid, Aaron Gember-Jacobson, Roney Michael, Archie Abhashkumar, Aditya Akella 1

2 Middleboxes Perform sophisticated operations on network traffic Firewall Caching proxy Intrusion detection system (IDS) Maintain state about connections and hosts 2

3 Network Function Virtualization (NFV) Reroute new connections existing 3 state NFV enables elastic scaling and high availability

4 State created or updated by a middlebox applies to either a single connection or a set of connections Connection TcpAnalyzer HttpAnalyzer TcpAnalyzer HttpAnalyzer Per-conn state ConnCount Cross-conn state All-conns state Statistics Input state Config + Sig State taxonomy 4

5 NFV state management -> middlebox modification Pre-flow state Cross-flow state Init state Shared Library Frameworks for transferring, or sharing live middlebox state Require modifications or annotation to middlebox code 5 Split/Merge [NSDI 2013]

6 Framework Split/Merge [NSDI 2013] OpenNF [SIGCOMM 2014] FTMB [SIGCOMM 2015] Pico Rep. [SoCC 2013] Stateless NF [HotMiddlebox 2015] 6 NFV state management -> middlebox modification Frameworks for transferring, or sharing live middlebox state Require modifications or annotation to middlebox code

7 Why is modifying a middlebox hard? MBLOC (C/C++) Classes/ Structs Level of pointers Number of Procedures PRADS10K404297 OpenVPN62K19422023 HAProxy63K19182560 Bro IDS97K1798-3034 Squid166K875-2133 Snort IDS275K898104617 Middleboxes are complex, diverse and have a variety of state Missing a change to some structure, class or function, may violate output equivalence. Output equivalence: for any input the aggregate output of a dynamic set of instances should be equivalent to the output produced by single instance. 7

8 StateAlyzr source code annotated code StateAlyzr: program analysis to the rescue A system that relies on data and control-flow analysis to automatically identify state objects that need explicit handling Leverage middlebox code structure to improve precision without compromising soundness Soundness means that the system must not miss any critical types, storage locations, allocations, or uses of state Precision means that the system identifies the minimal set of state that requires special handling. required for output equivalence required for performant state transfers 8

9 Fault tolerance IDS Per flow state Multi flow state All state Config state The primary sends a copy of the state to the hot standby after each packet ^ updated PrimaryHot standby 9

10 StateAlyzr 10 All State Per-/Cross- Flow State Output- Impacting State Updateable State

11 while (!done) packet = receive() send(packet) write(log) Packet processing loop Packet processing procedures foo() process(packet) Main loopProcedure() init() raiseEvent() Logical structure of middlebox code 11

12 1. Per-/cross-flow state identification Variables corresponding to per-/cross-flow state must be persistent Persistent state can be stored in 1.Global variables 2.Static variables 3.Local variables declared in loop proc. 4.Formal Params of loop proc. int loopProcedure(int *threshold) { int count = 0; while(1) { struct pcap_pkthdr pcapHdr; char *pkt = pcap_next(extPcap, &pcapHdr);. x x x abab abab abab Stack frame of main parameters return address local variables parameters return address local variables parameters return address local variables Stack frame of foo Stack frame of loopProcedure Stack origin 12

13 Improve precision by considering variables which are used in packet processing code 1. Per-/cross-flow state identification 96 Conf Per Multi All Init Initialization 13 How to identify packet processing code?

14 while (!done) packet = receive() send(packet) write(log) Packet processing loop while (event = dequeue()) Event thread Packet processing procedures foo() processIndirect(event) process(packet) Main loopProcedure() init() raiseEvent() 1. Per-/cross-flow state identification Computes a forward slice from packet recv function. Any procedure appearing in the slice is considered as packet processing procedure. 14 struct pktHdr *pkt = recv(extPcap); src_ip = pkt->ip_src_addr; packet_count ++; index = src_ip + offset Indirect call How to identify packet processing code?

15 2. Identify updateable state Whether the state is updated while processing the packet ? Strawman approach Identify top-level variable on the left-hand-side(LHS) of assignment statement Falls short due to aliasing int *index = &tail; *index = (*index + 1)%100; per-/cross-flow var 116 Conf State Per Multi All Read-onlyUpdateable StateAlyzr employs flow-, context-, and field- insensitive pointer analysis to identify updateable variables in_port = pkt.src_port; per-/cross-flow var 15

16 3. Identify states’ flowspace dimensions Identify a set of packet header fields that delineate the subset of traffic that relates to the state Common access patterns key value key & value 1.Square brackets entry = table[index]; 2.Pointer arithmetic entry = head + offset; 3.Iteration struct host *lookup(uint ip) { struct host *curr = hosts; while (curr != NULL) { if (curr->ip == ip) return curr; curr = curr->next; } HashtableLinked List Conf State Per Multi All Read-only Updateable [Src IP, Dst IP, Src Port, Dst_Port, proto] [Src IP, Dst IP] Program chopping to determine relevant header fields 16 struct pktHdr *pkt = recv(extPcap); src_ip = pkt->ip_src_addr; packet_count ++; index = src_ip + offset entry = host_map[index]

17 StateAlyzr steps 1.Identify Per-/Cross-flow state 2.Identify Updateable State 3.Identify States’ Flowspace Dimensions 4.Output Impacting State Identify the type of output (log or packet) that updateable state affects 5.Tracking Run-time Update Insert statements to do run time monitoring to track whether a variable is updated 6 Conf State Per Multi All Read-onlyUpdateable Per Multi All Conf Per Multi [Src IP, Dst IP, Src Port, Dst_Port, proto] [Src IP, Dst IP] Per Multi Per Flowspace 17

18 Used CodeSurfer to implement StateAlyzr CodeSurfer has built-in support for Control flow graph construction Flow and context-insensitive pointer analysis Forward/backward slice and chop computation Analyzed four open-source middleboxes 1.PRADS – a monitoring middlebox 2.Snort – an IDS 3.HAProxy – a load balancing proxy 4.OpenVPN – a VPN gateway Implementation 18

19 Precision Performance benefits at run time 19 Evaluation

20 Evaluation: effectiveness MBAll variables Persistent variables per-/cross- flow variables Updateable variables PRADS1529612910 Snort IDS18393507333148 HAproxy7876272176115 OpenVPN8704156131106 Step 0 Step 1 Step 2 StateAlyzr offers useful improvements in precision Theoretically proved the soundness of our algorithms 20

21 Highly available PRADS Reduction in the state transfer by 305x 21 PrimaryHot standby State transfer after each packet StateAlyzr reduced the manual effort of modifying PRADS from 120hrs to 6 hrs StateAlyzr found a compound variable which we missed in our prior modification.

22 Summary Goal is to aid middlebox developers to identify state objects that need explicit handling Novel state characterization algorithms that adapt standard program analysis tools Ensure soundness and high precision Ultimate goal is to fully automate the process 22

Download ppt "Paving the Way for NFV: Simplifying Middlebox Modifications with StateAlyzr Junaid Khalid, Aaron Gember-Jacobson, Roney Michael, Archie Abhashkumar, Aditya."

Similar presentations

C Language.

C Language.
Aaron Gember-Jacobson, Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid Khalid, Sourav Das, Aditya Akella 1 OpenNF: Enabling Innovation in Network.

Aaron Gember-Jacobson, Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid Khalid, Sourav Das, Aditya Akella 1 OpenNF: Enabling Innovation in Network.
Intermediate Code Generation

Intermediate Code Generation
Introduction to Memory Management. 2 General Structure of Run-Time Memory.

Introduction to Memory Management. 2 General Structure of Run-Time Memory.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.

Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.
1 Compiler Construction Intermediate Code Generation.

1 Compiler Construction Intermediate Code Generation.
OpenNF: Enabling Innovation in Network Function Control Aditya Akella With: Aaron Gember, Raajay Vishwanathan, Chaithan Prakash, Sourav Das, Robert Grandl,

OpenNF: Enabling Innovation in Network Function Control Aditya Akella With: Aaron Gember, Raajay Vishwanathan, Chaithan Prakash, Sourav Das, Robert Grandl,
Chapter 7: User-Defined Functions II

Chapter 7: User-Defined Functions II
Aaron Gember-Jacobson, Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid Khalid, Sourav Das, Aditya Akella 1 OpenNF: Enabling Innovation in Network.

Aaron Gember-Jacobson, Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid Khalid, Sourav Das, Aditya Akella 1 OpenNF: Enabling Innovation in Network.
Chapter 9 Subprogram Control Consider program as a tree- –Each parent calls (transfers control to) child –Parent resumes when child completes –Copy rule.

Chapter 9 Subprogram Control Consider program as a tree- –Each parent calls (transfers control to) child –Parent resumes when child completes –Copy rule.
1 Chapter 7: Runtime Environments. int * larger (int a, int b) { if (a > b) return &a; //wrong else return &b; //wrong } int * larger (int *a, int *b)

1 Chapter 7: Runtime Environments. int * larger (int a, int b) { if (a > b) return &a; //wrong else return &b; //wrong } int * larger (int *a, int *b)
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.

Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
Run-Time Storage Organization

Run-Time Storage Organization
Data Plane Verification. Background: What are network policies Alice can talk to Bob Skype traffic must go through a VoIP transcoder All traffic must.

Data Plane Verification. Background: What are network policies Alice can talk to Bob Skype traffic must go through a VoIP transcoder All traffic must.
Toward Software-Defined Middlebox Networking Aaron Gember, Prathmesh Prabhu, Zainab Ghadiyali, Aditya Akella University of Wisconsin-Madison 1.

Toward Software-Defined Middlebox Networking Aaron Gember, Prathmesh Prabhu, Zainab Ghadiyali, Aditya Akella University of Wisconsin-Madison 1.
Penetration Testing Security Analysis and Advanced Tools: Snort.

Penetration Testing Security Analysis and Advanced Tools: Snort.
C++ Programming: Program Design Including Data Structures, Fourth Edition Chapter 13: Pointers, Classes, Virtual Functions, and Abstract Classes.

C++ Programming: Program Design Including Data Structures, Fourth Edition Chapter 13: Pointers, Classes, Virtual Functions, and Abstract Classes.
Pointer Data Type and Pointer Variables

Pointer Data Type and Pointer Variables
Data Structures Using C++ 2E Chapter 3 Pointers and Array-Based Lists.

Data Structures Using C++ 2E Chapter 3 Pointers and Array-Based Lists.

Similar presentations

Ads by Google