
The DPIaaS Controller Prototype


1 The DPIaaS Controller Prototype
DPI as a Service – Deepness Lab
This research was supported by the European Research Council under the European Union's Seventh Framework Programme (FP7/ )/ERC Grant agreement no 

2 Overview
DPI as a Service – reminder
The DPIaaS Controller prototype
Traffic Steering Application (TSA)
Evaluation
Discussion

3 DPI as a Service (CoNEXT 2014)

4 Middleboxes Policy Chains
SDN technology allows easy deployment of service chains within the network that consist of several such middleboxes. In this example three of the middleboxes perform DPI. Still:
Each MB implements its own DPI engine (higher MB costs, reduced features)
Each packet is scanned multiple times, wasting computation resources
The DPI engine is considered a system bottleneck in many of today's MBs (30%-80%)

5 Our Solution: DPI as a Service
Our solution is to use a single DPI engine that provides service to all network functions. By doing so we gain the advantages listed on the next slide.

6 The Advantages
The idea: a centralized DPI service instead of multiple instances of it at each middlebox.
Rich functionality – invest once for all MBs
Reduced costs – cheaper MB HW/SW
Improved performance – scan each packet once; aggregate MatchRules
Innovation – lower entry barriers

7 System Overview
[Figure: switches S1 to S4 carrying a sample packet "hello" through traffic steering (TS), the DPI services DPI1 and DPI2 and the middleboxes AV1, AV2, IDS1, IDS2 and L7 FW1; above the SDN Controller and Traffic Steering sits the DPI Controller with the messages Register Rules, Add Patterns and Update Policy Chain.]
We introduce a new application on top of the controller: the DPI Controller. Upon startup, each middlebox registers its rules at the DPI Controller, which in turn distributes the patterns extracted from these rules to one or more DPI Services in the network. It also instructs the traffic steering app to steer each packet first through the appropriate DPI Service and only then through the middleboxes of the service chain that require DPI. A packet that reaches the DPI Service is scanned. The scan results are added to the packet itself, using a tag, or an additional header when the range of possible pattern matches is wide. The packet is then forwarded to the different middleboxes, and the last one in the chain removes the results from the packet.

8 The DPIaaS Controller Prototype

9 The Project Goals
Design and implement a DPIaaS controller prototype
Design and implement a simple TSA
Deploy a functioning DPIaaS network
Test the system in complex networks
Evaluate performance and compare to the article

10 Architecture Overview

11 The TSA (Traffic Steering Application)
Based on "SIMPLE-fying Middlebox Policy Enforcement Using SDN" (SIGCOMM 2013):
Network composition
Middlebox load-balancing
Support packet modifications
Resource constraints: switch TCAM capacity

12 Simple TSA
Of the SIMPLE features, the prototype TSA implements:
Network composition
Support packet modifications
Left for later (see the future work slide): middlebox load-balancing and the resource constraints of switch TCAM capacity.

13 TSA – implementation
Some technical issues:
Each policy has a unique OpenFlow match and a chain of hosts (IPs)
Chain position is carried in VLAN-id tags
The TSA makes no changes to the packets; it should only affect policy-chain traversal

14 TSA Configuration

15 TSA pseudo code
[Figure: a sample packet "hello" walked through switches 1 to 4 with the per-switch entries (output port, VLAN id, RT = route entry) that the pseudocode below generates.]

    GenerateRules(PolicyChain):
        chainHosts = findHosts(PolicyChain.hosts)
        switches = getAllSwitches()
        vlanTag = firstVlan
        for (host, nextHost) in chainHosts:
            if nextHost <> NULL:
                // handle packets returned by host: retag them for nextHost
                flow = generateFlowFromHost(host, nextHost, vlanTag + 1, PRIORITY + 2)
                result[getSwitch(host)].add(flow)
            for switch in switches:
                // route to next host
                if host is firstHost:
                    flows = generateRouteToFirstHost(host, switch, vlanTag, PRIORITY)
                    result[switch].add(flows)
                flow = generateRouteToHost(host, switch, vlanTag, PRIORITY + 1)
                result[switch].add(flow)
            vlanTag++

16 TSA pseudo code – Loop problem
[Figure: the same four-switch walkthrough, with the per-switch entries now showing a forwarding loop; the slide repeats the GenerateRules pseudocode from slide 15.]
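The following Python model, added here and not part of the project's code, walks the GenerateRules scheme of slides 15 and 16 on a constructed two-switch topology: one VLAN tag per chain position, a route-to-host rule for each tag on every switch, a higher-priority from-host rule on the switch attached to each chain host that retags the returned packet for the next host, and an untagged entry rule keyed on the policy's OpenFlow match. The topology, the BFS next-hop lookup standing in for the controller's routing, the packet model and the pop-tag rule for the last middlebox are assumptions the slides do not spell out; middleboxes are modelled like the project's mock, looping packets back unchanged. The last function shows one way a loop appears: with the from-host rules removed, the route-to-host rule on the middlebox's own switch bounces the packet back to that middlebox forever. Whether this is the case the slide 16 diagram shows cannot be told from the transcript.

```python
"""Model of the TSA's VLAN-tagged policy-chain steering.

Added example, not the project's code. Assumptions beyond the slides: the topology,
the BFS next-hop lookup, the packet model and the pop-tag rule for the last middlebox.
Tag semantics follow the pseudocode: VLAN k means "on the way to chain host k", and the
switch attached to chain host k retags a packet coming back from that host with k+1.
"""
from collections import deque
from dataclasses import dataclass

# Constructed topology: switch -> {neighbour: out_port}; the keys of LINKS are the switches.
LINKS = {"s1": {"s2": 1, "h1": 2, "mb1": 3}, "s2": {"s1": 1, "mb2": 2, "h2": 3}}
HOST_PORT = {"h1": ("s1", 2), "mb1": ("s1", 3), "mb2": ("s2", 2), "h2": ("s2", 3)}
PRIORITY, FIRST_VLAN = 100, 10


@dataclass
class Flow:
    priority: int
    match: dict    # packet fields that must be equal; vlan None means untagged
    actions: dict  # optional "vlan" (None pops the tag) and "output" (port or "NORMAL")


def next_hop_port(switch, host):
    """First-hop port from switch toward host (BFS over switch-to-switch links)."""
    target_sw, target_port = HOST_PORT[host]
    if switch == target_sw:
        return target_port
    first_hop, queue = {switch: None}, deque()
    for nb, port in LINKS[switch].items():
        if nb in LINKS:
            first_hop[nb] = port
            queue.append(nb)
    while queue:
        sw = queue.popleft()
        if sw == target_sw:
            return first_hop[sw]
        for nb in LINKS[sw]:
            if nb in LINKS and nb not in first_hop:
                first_hop[nb] = first_hop[sw]
                queue.append(nb)
    raise ValueError(f"no path from {switch} to {host}")


def generate_rules(chain, policy_match):
    """GenerateRules from the slide: one tag per chain position, three kinds of rule."""
    rules = {sw: [] for sw in LINKS}
    vlan = FIRST_VLAN
    for i, host in enumerate(chain):
        sw, port = HOST_PORT[host]
        if i + 1 < len(chain):
            # from-host rule: the middlebox returned the packet, retag it for the next host
            rules[sw].append(Flow(PRIORITY + 2, {"in_port": port},
                                  {"vlan": vlan + 1, "output": next_hop_port(sw, chain[i + 1])}))
        else:
            # last middlebox (assumption, not in the pseudocode): pop the tag, forward normally
            rules[sw].append(Flow(PRIORITY + 2, {"in_port": port}, {"vlan": None, "output": "NORMAL"}))
        for s in LINKS:
            if i == 0:
                # untagged traffic matching the policy enters the chain at its first host
                rules[s].append(Flow(PRIORITY, {**policy_match, "vlan": None},
                                     {"vlan": vlan, "output": next_hop_port(s, host)}))
            # route-to-host rule: tagged traffic is routed toward the host the tag names
            rules[s].append(Flow(PRIORITY + 1, {"vlan": vlan}, {"output": next_hop_port(s, host)}))
        vlan += 1
    return rules


def best_match(flows, pkt):
    hits = [f for f in flows if all(pkt.get(k) == v for k, v in f.match.items())]
    return max(hits, key=lambda f: f.priority) if hits else None


def steer(rules, pkt, switch, in_port, max_hops=20):
    """Walk a packet through the fabric; returns (middleboxes visited, final packet)."""
    visited = []
    for _ in range(max_hops):
        pkt = dict(pkt, in_port=in_port)
        flow = best_match(rules[switch], pkt)
        if flow is not None and "vlan" in flow.actions:
            pkt["vlan"] = flow.actions["vlan"]
        out = flow.actions["output"] if flow is not None else "NORMAL"
        if out == "NORMAL":                 # table miss or explicit NORMAL: plain L2 forwarding
            out = next_hop_port(switch, pkt["dst"])
        nb = next(n for n, p in LINKS[switch].items() if p == out)
        if nb in LINKS:                     # link to another switch
            switch, in_port = nb, LINKS[nb][switch]
        elif nb == pkt["dst"]:              # delivered: chain complete
            return visited, pkt
        else:                               # middlebox mock: loops it back on the same port
            visited.append(nb)
            in_port = out
    raise RuntimeError("forwarding loop: hop budget exhausted")


def without_retag_rules(rules):
    """Drop the PRIORITY+2 from-host rules to show what they prevent."""
    return {sw: [f for f in fl if f.priority != PRIORITY + 2] for sw, fl in rules.items()}


def forwarding_loops(rules, pkt, switch, in_port):
    """True when the packet never reaches its destination."""
    try:
        steer(rules, pkt, switch, in_port)
        return False
    except RuntimeError:
        return True
```

Run generate_rules(["mb1", "mb2"], {"src": "h1", "dst": "h2"}) and steer a matching untagged packet from s1 port 2: it visits mb1 then mb2 and arrives at h2 untagged, while a packet that does not match the policy bypasses the chain. With without_retag_rules applied, forwarding_loops returns True because the vlan-10 route rule on s1 keeps sending the packet back to mb1.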

17 The DPI Controller
Server for middleboxes and instances
Global match-rules set of all the middleboxes
Managing available instances
Negotiating with the TSA
Reacting to changes

18 DPI Controller Strategies
Rule-dividing strategies: balanced; policy-chain across instances
Instance-placement strategy: the assigned instance at the beginning of each chain
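An added Python sketch of the controller-side bookkeeping behind slides 7, 17 and 18 (not the project's code): middleboxes register their match-rules, identical patterns from different middleboxes are aggregated under one global id, each policy chain's patterns are handed to the least-loaded DPI instance so that a single instance at the head of the chain covers the whole chain (my reading of the policy-chain strategy), the instance reports the ids it matched, and the result rides in a small header that the last middlebox strips. The rule format (rule id to literal byte pattern), the load measure and the header layout are assumptions.

```python
"""DPI Controller bookkeeping: rule aggregation, per-chain instance assignment, result tag.

Added example, not the project's code. Assumed: rules are {rule_id: literal bytes},
the policy-chain strategy picks the instance holding the fewest patterns, and the scan
result is a header of 2-byte count followed by 2-byte global pattern ids.
"""
import struct
from collections import defaultdict


class DpiController:
    def __init__(self, instances):
        self.instances = list(instances)
        self.mb_rules = defaultdict(dict)           # middlebox -> {rule_id: pattern}
        self.pattern_id = {}                        # pattern -> global id shared by all MBs
        self.instance_patterns = defaultdict(set)   # instance -> global ids it must scan for
        self.chain_instance = {}                    # tuple(chain) -> assigned instance

    def register_rules(self, middlebox, rules):
        """Register Rules: aggregate MatchRules so a shared pattern is scanned once."""
        for rule_id, pattern in rules.items():
            self.mb_rules[middlebox][rule_id] = pattern
            self.pattern_id.setdefault(pattern, len(self.pattern_id))
        # Reacting to changes: chains already containing this MB get the new patterns
        for chain, inst in self.chain_instance.items():
            if middlebox in chain:
                self.instance_patterns[inst] |= self._chain_patterns(chain)

    def _chain_patterns(self, chain):
        return {self.pattern_id[p] for mb in chain for p in self.mb_rules[mb].values()}

    def assign_chain(self, chain):
        """Policy-chain strategy: every pattern the chain needs goes to one instance,
        the least-loaded one; the TSA then places that instance at the chain head."""
        inst = min(self.instances, key=lambda i: len(self.instance_patterns[i]))
        self.chain_instance[tuple(chain)] = inst
        self.instance_patterns[inst] |= self._chain_patterns(chain)   # Add Patterns
        return inst

    def scan(self, instance, payload):
        """What the DPI instance reports: sorted global ids of its patterns in the payload."""
        by_id = {pid: p for p, pid in self.pattern_id.items()}
        return sorted(pid for pid in self.instance_patterns[instance] if by_id[pid] in payload)

    def rules_hit(self, middlebox, matched_ids):
        """Map the global ids carried on the packet back to one middlebox's own rule ids."""
        return sorted(rid for rid, p in self.mb_rules[middlebox].items()
                      if self.pattern_id[p] in matched_ids)


def attach_results(payload, matched_ids):
    """DPI service side: prepend 2-byte count and 2-byte ids (assumed layout)."""
    header = struct.pack("!H", len(matched_ids)) + b"".join(struct.pack("!H", i) for i in matched_ids)
    return header + payload


def detach_results(tagged):
    """Last middlebox in the chain: read the ids and strip the header again."""
    (n,) = struct.unpack("!H", tagged[:2])
    ids = [struct.unpack("!H", tagged[2 + 2 * k:4 + 2 * k])[0] for k in range(n)]
    return ids, tagged[2 + 2 * n:]
```

With an IDS and an AV registering overlapping rules, the controller ends up with three global patterns for four rules; a chain of both middleboxes lands on one instance, and each middlebox recovers only its own hits from the shared tag. Registering a new rule later updates the instance of every chain that contains that middlebox, which is the "reacting to changes" duty of slide 17.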

19 Evaluation

20 Two types of evaluation
Functional evaluation – using Mininet
Performance evaluation – using virtual machines and a real OF switch

21 Additional Tools
Necessary in order to evaluate correctness and performance: mocks, wrappers, and a DPIaaS Mininet creation script.
Wrappers: wrap the Deepness IDS and service executables with DPI Protocol capabilities.
Middlebox mock: implements the DPI Protocol; can load match-rules from a file; can add and remove rules using an interactive console; loops packets back to the network.
Instance mock: registers and deregisters with the controller; prints incoming messages (match-rules).
Setting up a DPI network using Mininet, supporting the FatTree topology. Script steps:
Run the Mininet network with the desired topology
Ping all host pairs to create connectivity
Connect the DPI controller host to the SDN controller
Run middleboxes and instances on the desired hosts
Optionally load initial MatchRules
Can automatically start sniffing on parts of the network

22 Functional evaluation
Testing the DPIaaS correctness in a large Fat-Tree network

23 Functional evaluation
We will set up a large network that uses DPI as a Service, starting with 3 middleboxes and 1 DPI instance
We will test the network by sniffing and sending different packets
We will add an instance and see the network change automatically
We will play with the TSA
We will add a new middlebox to the network and to the policy chain
Add some rules
We will change a policy class

24 Performance evaluation
Deploy and test the system in a real environment, using a real OF switch
Compare full-system performance to the paper's preliminary results

25 Evaluation setup

26 Testing scenario: HTTP, top sites from Alexa

27 Results: paper's results vs. full-system results

28 Results: paper's results vs. full-system results (continued)

29 Further Investigation
Virtualization-related drops
Divide-and-conquer experiments: using only physical servers; not using the network
The libpcap issue
Additional experiments: running on the physical machines; running without a network

30 Conclusion and Future work
We have a functioning system; now what?
Verify the results
ODL impressions: very complex, but provides many services
DPI controller – implement better strategies: a more efficient division of the rules and the machines, which allows scaling the instances
TSA – improve TCAM utilization; load-balancing

