2018/6/25 Developing a Traffic Classification Platform for Enterprise Networks with SDN: Experiences & Lessons Learned. Authors: Bryan Ng, Matthew Hayes, Winston K.G. Seah. Presenter: Yi-Hsien Wu. Date: 2016/11/30. Department of Computer Science and Information Engineering, National Cheng Kung University, Taiwan R.O.C., CSIE CIAL Lab
Outline: Introduction; Challenges in Enterprise Networks; Traffic Classification Architecture; Performance Analysis; Lessons Learned; Conclusion. National Cheng Kung University CSIE Computer & Internet Architecture Lab
Introduction. Traffic classification is an automated process that categorises computer network traffic into traffic classes according to various parameters (for example, port number or protocol). Speaker note: recently, because ruleset sizes have grown rapidly, ruleset complexity causes ordinary packet classification methods to perform poorly in terms of memory; Swintop is a method that classifies rulesets.
Challenges in Enterprise Networks. Many enterprise network operators who are interested in QoS do not know all the applications running on their network. Port-based classifiers are increasingly out of favour with the advent of IoT, because newer applications may not have a registered port number, while other applications deliberately hide traffic within well-known port numbers. With the trend of bring-your-own-device picking up, the number of networked devices in an enterprise will grow significantly as new uses are found for the services they provide.
A solution that at least partially automates traffic classification configuration is required, so that organizations can efficiently and quickly apply and monitor traffic classification at the policy level, without having to configure it on a per-flow, per-device or per-port basis.
Traffic Classification Architecture. The two points to consider for traffic classification in enterprise networks are: (i) the traffic classification requirements of enterprise networks; (ii) the alignment of those requirements with the SDN paradigm. The authors deduce that operators of enterprise networks are likely to have the functional traffic classification requirements listed in Table I.
Traffic classification requirements (Table I).
Traffic Classification Architecture (figure: nmeta core, traffic classification, flow metadata and QoS metadata consumer regions).
The nmeta core region (orange shaded area) manages communication with switches via OpenFlow (processing of packet-in and switch messages, adding flows, etc.) and handles incoming REST API calls via the Ryu controller. The traffic classification region (blue shaded area) classifies packets against a traffic classification policy and returns the results to the nmeta core.
The flow metadata region (purple shaded area) stores the enriched metadata in a Python dictionary and controls the installation of flow match entries on the switches. The metadata consumer - QoS region (red shaded area) is a simple stub that provides a QoS treatment (queue assignment) based on matching a QoS flow metadata tag.
All communication from the traffic classification region to the flow metadata region goes via the nmeta core region. This rule ensures that the forwarding module has visibility of traffic classification status messages.
Performance Analysis. The identity classification module records the identity of endpoints that send Link Layer Discovery Protocol (LLDP) messages. Identity information is stored in two dictionaries: one for Network Interface Controller (NIC) identities and the other for system identities. Two dictionaries are required because an endpoint may have multiple NICs.
LLDP is a link layer protocol. A device packages information about itself into an LLDPDU (Link Layer Discovery Protocol Data Unit) and sends it to its neighbours; at the same time it stores the LLDPDUs sent by its neighbours in standard MIB (Management Information Base) format. LLDP packet-in events are used by the identity module to accumulate system information, and likewise IPv4 packet-in events are used to accumulate MAC address to IPv4 address linkages in the NIC dictionary.
The experiment in Figure 3 is designed to demonstrate that the identity classifier can classify traffic so as to provide differential treatment of connectivity to/from a particular endpoint. Both Client 1 and Client 2 make regular HTTP connections to the Server / Controller on tcp-80 and retrieve the same HTML object.
Client 1, with LLDP system name pc1.dev.example.com, is not matched by the identity classification. Client 2 has an LLDP system name of pc2.audit.example.com and has its connections classified and treated as high priority based on the configured wildcard match for *.audit.example.com. The response time to fetch the HTML object is shown in Figure 4. The base load time for both Client 1 and Client 2 is approximately 0.18 s. As the Iperf congestion builds up, the load time for Client 1 increases significantly while the load time for Client 2 remains unaffected. Upon terminating Iperf, the load times for both Client 1 and Client 2 revert to the baseline load time observed before congestion was introduced.
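The following is an added example, not nmeta's own code, that ties together the architecture slides (core, classifier, flow metadata dictionary, QoS consumer stub), the identity module's two dictionaries fed by LLDP and IPv4 packet-in events, and the Figure 3 experiment. It builds constructed LLDPDUs for two hosts, learns their identities, classifies an HTTP flow from each against a wildcard rule for *.audit.example.com, and lets a QoS stub assign a switch queue. Every class, function, policy key and queue number here is an assumption made for the example, as are the MAC and IP addresses; the only facts taken from the page are the LLDP system names and the wildcard.

```python
"""Added example (not nmeta's own code): a minimal identity-based traffic
classifier in the style of the nmeta architecture described in the slides.
Every class, function and policy name here is an assumption made for the
example, not the nmeta API."""
import fnmatch
import struct

# LLDP TLV types (IEEE 802.1AB): End, Chassis ID, Port ID, TTL, System Name
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME = 0, 1, 2, 3, 5


def _tlv(ttype, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value bytes."""
    return struct.pack("!H", (ttype << 9) | len(value)) + value


def build_lldpdu(system_name, mac):
    """Constructed LLDPDU used as sample input (chassis/port subtype = MAC)."""
    raw_mac = bytes.fromhex(mac.replace(":", ""))
    return (_tlv(TLV_CHASSIS_ID, b"\x04" + raw_mac)
            + _tlv(TLV_PORT_ID, b"\x03" + raw_mac)
            + _tlv(TLV_TTL, struct.pack("!H", 120))
            + _tlv(TLV_SYSTEM_NAME, system_name.encode())
            + _tlv(TLV_END, b""))


def parse_lldpdu(payload):
    """Walk the TLV list and return the fields we care about.
    A truncated TLV raises rather than teaching the identity tables garbage."""
    fields, off = {}, 0
    while off + 2 <= len(payload):
        hdr = struct.unpack("!H", payload[off:off + 2])[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        off += 2
        if ttype == TLV_END:
            break
        value = payload[off:off + tlen]
        if len(value) != tlen:
            raise ValueError("truncated LLDP TLV")
        off += tlen
        if ttype == TLV_SYSTEM_NAME:
            fields["system_name"] = value.decode("utf-8", "replace")
        elif ttype == TLV_CHASSIS_ID:
            fields["chassis_id"] = value[1:].hex()  # byte 0 is the subtype
    return fields


class IdentityModule:
    """Two tables, as on the slide: one per NIC (keyed by MAC) and one per
    system (keyed by LLDP system name), since a host may have several NICs."""

    def __init__(self):
        self.nic = {}     # mac -> {"system_name": ..., "ip": ...}
        self.system = {}  # system_name -> {"chassis_id": ..., "macs": set()}

    def lldp_packet_in(self, src_mac, payload):
        fields = parse_lldpdu(payload)
        name = fields.get("system_name")
        if name is None:
            return
        rec = self.system.setdefault(
            name, {"chassis_id": fields.get("chassis_id"), "macs": set()})
        rec["macs"].add(src_mac)
        self.nic.setdefault(src_mac, {})["system_name"] = name

    def ipv4_packet_in(self, src_mac, src_ip):
        # IPv4 packet-in only links a MAC to an IP; identity comes from LLDP
        self.nic.setdefault(src_mac, {})["ip"] = src_ip

    def system_name_for_mac(self, mac):
        return self.nic.get(mac, {}).get("system_name")


# Classification policy (assumed format): first rule whose wildcard matches wins.
POLICY = [
    {"identity_system_name": "*.audit.example.com", "qos_treatment": "high_priority"},
]


def classify(identity, src_mac):
    """Return the QoS tag for a flow from src_mac, or None if no rule matches."""
    name = identity.system_name_for_mac(src_mac)
    if name is None:
        return None
    for rule in POLICY:
        if fnmatch.fnmatchcase(name, rule["identity_system_name"]):
            return rule["qos_treatment"]
    return None


QUEUE_FOR_TAG = {"high_priority": 1}  # QoS consumer stub: tag -> switch queue id


def handle_flow(identity, flow_metadata, flow):
    """Core-style glue: classify, enrich the flow metadata dictionary keyed by
    5-tuple, and let the QoS consumer pick the output queue (0 = default)."""
    tag = classify(identity, flow["src_mac"])
    key = (flow["src_ip"], flow["dst_ip"], flow["proto"],
           flow["src_port"], flow["dst_port"])
    flow_metadata[key] = {"qos_treatment": tag, "src_mac": flow["src_mac"]}
    return QUEUE_FOR_TAG.get(tag, 0)


def demo():
    """Reproduce the Figure 3 setup with constructed endpoints and addresses."""
    identity, flow_metadata = IdentityModule(), {}
    hosts = {"client1": ("00:00:00:00:00:01", "10.0.0.1", "pc1.dev.example.com"),
             "client2": ("00:00:00:00:00:02", "10.0.0.2", "pc2.audit.example.com")}
    for mac, ip, name in hosts.values():
        identity.lldp_packet_in(mac, build_lldpdu(name, mac))
        identity.ipv4_packet_in(mac, ip)
    queues = {}
    for label, (mac, ip, _) in hosts.items():
        flow = {"src_mac": mac, "src_ip": ip, "dst_ip": "10.0.0.3",
                "proto": 6, "src_port": 40000, "dst_port": 80}
        queues[label] = handle_flow(identity, flow_metadata, flow)
    return queues


if __name__ == "__main__":
    print(demo())  # {'client1': 0, 'client2': 1}
```

The parser refuses truncated TLVs instead of learning partial identities, which matters because LLDP is unauthenticated: any host on the segment can claim a system name, so a wildcard on the name alone is a convenience for QoS, not an access-control boundary.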
Lessons Learned (Security). It is unlikely that SDN will take hold in enterprises until it can be shown to be as secure as monolithic networking. The authors use the Group Secure Association Key Management Protocol (GSAKMP) to provide secured communication for the traffic classification modules.
Lessons Learned (Hardware quirks). The response time for HTTP connections on tcp-1234 in test Static-1 in the virtual lab was not materially affected by the link congestion, meeting the desired outcome. However, the hardware queueing implementation on the commodity switches does not provide adequate isolation: traffic in the high priority queue was impacted by the Iperf congestion to within 68% of the increase observed in the default priority queue.
Conclusion. The authors' efforts are helping to identify practical issues with the roll-out of traffic classification in SDN. They detected potential incompatibilities with legacy networking devices and protocols, and uncovered indications of possible implementation barriers to enterprise network adoption.