Network functions, or middleboxes, are systems that examine and modify packets and flows in sophisticated ways: e.g., network address translators (NATs), intrusion detection systems (IDSs), load balancers, caching proxies, etc. Network functions play a critical role in ensuring security, improving performance, and providing other novel functionality in enterprise and service provider networks.
Recently, operators have expressed interest in replacing dedicated hardware appliances with software-based network functions running on generic compute resources, a trend known as network functions virtualization (NFV). In parallel, operators are using software-defined networking (SDN) to steer flows through appropriate network function instances to enforce high-level policies and jointly manage network and network function load.
NFV and SDN together have the potential to help operators achieve three important goals: (1) offer and satisfy tight service level agreements (SLAs); (2) accurately monitor and manipulate network traffic; and (3) minimize operating expenses. However, operators need additional control mechanisms to be able to satisfy these goals in scenarios where packet processing must be redistributed across a collection of network function instances: e.g., elastic network function scaling, rapid network function upgrades, and selective invocation of advanced remote processing. If any flow can quickly and safely be reallocated to any network function instance at any time, then operators can optimally satisfy a combination of objectives pertaining to performance, availability, security, cost, etc. Otherwise, operators must make trade-offs among key goals.
We present a control plane architecture that allows such quick and safe allocation of flows across network function instances. Our architecture, called OpenNF, provides efficient, coordinated control of both internal network function state and network forwarding state. Crucially, we address three major challenges in our control plane design: (1) dealing with race conditions, (2) bounding overhead, and (3) accommodating a variety of network functions with minimal changes.
Evaluations of OpenNF show that: (1) OpenNF can eliminate spurious alerts from IDSs and cut network function scale-in time by tens of minutes compared to using current control frameworks; (2) internal network function state can be moved, copied, and shared efficiently even when certain guarantees are requested (e.g., a loss-free move involving state for 750 flows takes only 221ms and imposes only 22ms of additional latency on packets received during the operation); and (3) additions to network functions to support OpenNF increase code size by at most 8%, and packet processing time at network functions increases by less than 10% during state transfers.
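To illustrate the race condition and the loss-free guarantee referred to above, here is an added toy model (not OpenNF's code or API; the class names, the per-flow packet-counter state and the controller-side buffer are constructed simplifications) in which a naive state move loses the updates from packets that arrive mid-transfer, while buffering those packets until the import completes does not:

```python
from collections import defaultdict
class NFInstance:
    """Network function whose internal state is a per-flow packet counter."""
    def __init__(self):
        self.state = defaultdict(int)    # flow_id -> packets processed
    def process(self, flow_id):
        self.state[flow_id] += 1
    def export_state(self, flow_id):
        return self.state.pop(flow_id, 0)
    def import_state(self, flow_id, value):
        self.state[flow_id] += value

class ControllerBuffer(list):            # packets redirected to the controller
    def process(self, flow_id):
        self.append(flow_id)

class Switch:                            # forwarding state: per-flow rules + default
    def __init__(self, default):
        self.rules, self.default = {}, default
    def deliver(self, flow_id):
        self.rules.get(flow_id, self.default).process(flow_id)

def naive_move(switch, src, dst, flow_id, in_flight):
    # Race: packets arriving between export and rule update hit src's already-exported state.
    snapshot = src.export_state(flow_id)
    for pkt in in_flight:
        switch.deliver(pkt)
    dst.import_state(flow_id, snapshot)
    switch.rules[flow_id] = dst

def lossfree_move(switch, src, dst, flow_id, in_flight):
    # Buffer the flow before export, drain the buffer into dst after import, then repoint.
    buf = ControllerBuffer()
    switch.rules[flow_id] = buf
    snapshot = src.export_state(flow_id)
    for pkt in in_flight:
        switch.deliver(pkt)
    dst.import_state(flow_id, snapshot)
    for pkt in buf:
        dst.process(pkt)
    switch.rules[flow_id] = dst

def run(move):
    """Return (packets counted at dst, packets stranded at src) for flow 'f1'."""
    src, dst = NFInstance(), NFInstance()
    switch = Switch(default=src)
    for _ in range(5):                         # constructed traffic before the move
        switch.deliver("f1")
    move(switch, src, dst, "f1", ["f1"] * 3)   # three packets arrive mid-move
    for _ in range(2):                         # traffic after the move
        switch.deliver("f1")
    return dst.state["f1"], src.state.get("f1", 0)
```

With the naive move, the three mid-transfer packets are counted at the old instance and never reflected in the state the new instance receives; the buffered move delivers all ten packets to the new instance's state.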