Enabling Innovation in Network Function Control


StateAlyzr accepted at NSDI 2016

March 16, 2016

StateAlyzr is accepted at NSDI 2016.

Tutorial Posted

May 13, 2015

Follow the OpenNF tutorial to learn how to use OpenNF.

OpenNF presented at IETF 92

March 24, 2015

Watch the presentation of OpenNF at IETF 92.

OpenNF receives 2015 ANRP

January 7, 2015

OpenNF was awarded the 2015 Applied Networking Research Prize.

OpenNF presented at SIGCOMM 2014

August 19, 2014

OpenNF was presented at SIGCOMM 2014.


Network functions, or middleboxes, are systems that examine and modify packets and flows in sophisticated ways: e.g., network address translators (NATs), intrusion detection systems (IDSs), load balancers, caching proxies, etc. Network functions play a critical role in ensuring security, improving performance, and providing other novel functionality in enterprise and service provider networks.

Recently, operators have expressed interest in replacing dedicated hardware appliances with software-based network functions running on generic compute resources---a trend known as network functions virtualization (NFV). In parallel, operators are using software-defined networking (SDN) to steer flows through appropriate network function instances to enforce high-level policies and jointly manage network and network function load.


NFV and SDN together have the potential to help operators achieve three important goals: (1) offer and satisfy tight service level agreements (SLAs); (2) accurately monitor and manipulate network traffic; and (3) minimize operating expenses. However, operators need additional control mechanisms to be able to satisfy these goals in scenarios where packet processing must be redistributed across a collection of network function instances: e.g., elastic network function scaling, rapid network function upgrades, and selective invocation of advanced remote processing. If any flow can quickly and safely be reallocated to any network function instance at any time, then operators can optimally satisfy a combination of objectives pertaining to performance, availability, security, cost, etc. Otherwise, operators must make trade-offs among key goals.

We present a control plane architecture that allows such quick and safe allocation of flows across network function instances. Our architecture, called OpenNF, provides efficient, coordinated control of both internal network function state and network forwarding state. Crucially, we address three major challenges in our control plane design: (1) dealing with race conditions, (2) bounding overhead, and (3) accommodating a variety of network functions with minimal changes.

Evaluations of OpenNF show that: (1) OpenNF can eliminate spurious alerts from IDSs and cut network function scale-in time by tens of minutes compared to using current control frameworks; (2) internal network function state can be moved, copied, and shared efficiently even when certain guarantees are requested--e.g., a loss-free move involving state for 750 flows takes only 221ms and imposes only 22ms of additional latency on packets received during the operation; and (3) additions to network functions to support OpenNF increase code size by at most 8%, and packet processing time at network functions increases by less than 10% during state transfers.


For middleboxes to work with OpenNF or similar frameworks, middlebox developers must modify, or at least annotate, their code to perform custom state allocation, track updates to state, and (de)serialize state objects. However, three factors make such modifications difficult today: (i) middlebox software is extremely complex, and the logic to update/create different pieces of state can be intricate; (ii) there may be 10s-100s of object types that correspond to state that needs explicit handling; and (iii) middleboxes are extremely diverse. Factors i and ii make it difficult to reason about the completeness or correctness of manual modifications. And, iii means manual techniques that apply to one middlebox may not extend to another.

To reduce manual effort and ease adoption, we develop StateAlyzr, a system that relies on data and control-flow analysis to automate identification of state objects that need explicit handling. Using StateAlyzr's output, developers can easily make framework-compliant changes to arbitrary middleboxes, e.g., identify which state to allocate using custom libraries, determine where to track updates to state, (de)serialize relevant state objects for transfer/cloning, and merge externally provided state with internal structures.

We find StateAlyzr to reduce the manual effort by 20x. For example, leveraging StateAlyzr to make PRADS OpenNF-compliant took under 6 man-hours of work.

OpenNF Presentation @ IETF 92