StateAlyzr accepted at NSDI 2016
March 16, 2016
StateAlyzr is accepted at NSDI 2016.
Tutorial Posted
May 13, 2015
Follow the OpenNF tutorial to learn how to use OpenNF.
OpenNF presented at IETF 92
March 24, 2015
Watch the presentation of OpenNF at IETF 92.
OpenNF receives 2015 ANRP
January 7, 2015
OpenNF was awarded the 2015 Applied Networking Research Prize.
OpenNF presented at SIGCOMM 2014
August 19, 2014
OpenNF was presented at SIGCOMM 2014.
Network functions, or middleboxes, are systems that examine and modify
packets and flows in sophisticated ways: e.g., network address translators
(NATs), intrusion detection systems (IDSs), load balancers, caching proxies,
etc. Network functions play a critical role in ensuring security, improving
performance, and providing other novel functionality in enterprise and
service provider networks.
Recently, operators have expressed interest in replacing dedicated hardware
appliances with software-based network functions running on generic compute
resources---a trend known as network functions virtualization (NFV). In
parallel, operators are using software-defined networking (SDN) to steer
flows through appropriate network function instances to enforce high-level
policies and jointly manage network and network function load.
NFV and SDN together have the potential to help operators achieve three
important goals: (1) offer and satisfy tight service level agreements (SLAs);
(2) accurately monitor and manipulate network traffic; and (3) minimize
operating expenses. However, operators need additional control mechanisms to
be able to satisfy these goals in scenarios where packet processing must be
redistributed across a collection of network function instances: e.g.,
elastic network function scaling, rapid network function upgrades, and
selective invocation of advanced remote processing. If any flow can
quickly and safely be reallocated to any network function
instance at any time, then operators can optimally satisfy a combination of
objectives pertaining to performance, availability, security, cost, etc. Otherwise, operators must make trade-offs among key goals.
We present a control plane architecture that allows such quick and safe
allocation of flows across network function instances. Our architecture,
called OpenNF, provides efficient, coordinated control of both internal
network function state and network forwarding state. Crucially, we address
three major challenges in our control plane design: (1) dealing with race
conditions, (2) bounding overhead, and (3) accommodating a variety of network
functions with minimal changes.
Evaluations of OpenNF show that: (1) OpenNF can eliminate spurious alerts from IDSs and cut network function scale-in time by tens of minutes compared to using current control frameworks; (2) internal network function state can be moved, copied, and shared efficiently even when certain guarantees are requested--e.g., a loss-free move involving state for 750 flows takes only 221ms and imposes only 22ms of additional latency on packets received during the operation; and (3) additions to network functions to support OpenNF increase code size by at most 8%, and packet processing time at network functions increases by less than 10% during state transfers.
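To make the race condition and the loss-free move concrete, here is a small added model (written for this page, not OpenNF's own code) of moving one flow's state between two network function instances. It assumes a hypothetical NF whose per-flow state is just a packet counter, and it contrasts a naive move with one where the controller buffers in-flight packets during the transfer and replays them before the forwarding update.

```python
"""Toy model of moving per-flow NF state from a src to a dst instance.
Added illustration, not OpenNF code.  The 'during' phase stands for the
window between exporting state from src and updating the switch so that
the flow is forwarded to dst."""


class NFInstance:
    """Hypothetical NF whose per-flow state is a packet counter."""

    def __init__(self, name):
        self.name = name
        self.state = {}  # flow_id -> packets seen

    def process(self, flow_id):
        self.state[flow_id] = self.state.get(flow_id, 0) + 1

    def export_state(self, flow_id):
        # State leaves this instance; a later packet recreates a fresh entry.
        return {flow_id: self.state.pop(flow_id, 0)}

    def import_state(self, chunk):
        self.state.update(chunk)


def move_flow(flow_id, before, during, after, loss_free):
    """Return (state left at src, state at dst) after the move.

    before/during/after: number of packets of the flow arriving in each
    phase.  With loss_free=True the controller redirects the flow to itself
    and buffers packets during the transfer, then replays them to dst
    before the forwarding update (a loss-free move in the OpenNF sense)."""
    src, dst = NFInstance("src"), NFInstance("dst")
    buffered = []
    for _ in range(before):
        src.process(flow_id)           # forwarding still points at src
    chunk = src.export_state(flow_id)  # controller pulls state from src
    for _ in range(during):
        if loss_free:
            buffered.append(flow_id)   # held at the controller, not processed
        else:
            src.process(flow_id)       # race: src updates state already exported
    dst.import_state(chunk)            # controller pushes state to dst
    for pkt in buffered:
        dst.process(pkt)               # replay buffered packets before cut-over
    for _ in range(after):
        dst.process(flow_id)           # forwarding now points at dst
    return src.state.get(flow_id, 0), dst.state.get(flow_id, 0)


def state_is_complete(before, during, after, loss_free):
    """True when every packet of the flow is reflected in dst's state only."""
    left, moved = move_flow("f1", before, during, after, loss_free)
    return left == 0 and moved == before + during + after
```

In the naive case the packets that arrive at src during the transfer leave stranded updates behind at src and are missing from dst's state; with buffering, dst ends up with the complete count.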
For middleboxes to work with OpenNF or similar frameworks, middlebox developers must modify, or at least annotate, their code to perform custom state allocation, track updates to state, and (de)serialize state objects. However, three factors make such modifications difficult today: (i) middlebox software is extremely complex, and the logic to update/create different pieces of state can be intricate; (ii) there may be tens to hundreds of object types that correspond to state that needs explicit handling; and (iii) middleboxes are extremely diverse. Factors (i) and (ii) make it difficult to reason about the completeness or correctness of manual modifications, and (iii) means manual techniques that apply to one middlebox may not extend to another.
To reduce manual effort and ease adoption, we develop StateAlyzr, a system that relies on data and control-flow analysis to automate identification of state objects that need explicit handling. Using StateAlyzr's output, developers can easily make framework-compliant changes to arbitrary middleboxes, e.g., identify which state to allocate using custom libraries, determine where to track updates to state, (de)serialize relevant state objects for transfer/cloning, and merge externally provided state with internal structures.
We find that StateAlyzr reduces the manual effort by 20x. For example, leveraging StateAlyzr to make PRADS OpenNF-compliant took under 6 man-hours of work.