slides - Laurent Vanbever

Novel Applications for a
SDN-enabled Internet Exchange Point
Laurent Vanbever
vanbever@cs.princeton.edu
SDN Research Group, IETF87
July 29, 2013
Based on joint work with
Arpit Gupta, Muhammad Shahbaz, Hyojoon Kim,
Russ Clark, Nick Feamster, Jennifer Rexford and Scott Shenker
BGP is notoriously inflexible
and difficult to manage
Operating BGP has at least three limitations
(limitation: what people really want)
assumes destination-IP-based routing: customized routing decisions
policies are applied to direct neighbors: affect end-to-end paths
indirectly influences forwarding paths: directing traffic on specific paths
SDN can enable fine-grained, flexible
and direct expression of interdomain policies
SDN devices forward based on any packet-header fields
at line rate, enabling flexible forwarding
SDN controller can be controlled by remote parties
on a bilateral basis, without any global standards
SDN controller exerts direct control on the data plane
using a standardized API such as OpenFlow
Internet Exchange Points are perfect places
to deploy new interdomain features
Internet Exchange Points (IXPs)
connect a large number of participants (AMS-IX: 600 participants)
carry a large amount of traffic (AMS-IX: > 2250 Gb/s peak)
are a hotbed of innovation (BGP Route Server, Mobile peering, Open peering, ...)
Even a single deployment can have a large impact!
An IXP is a large L2 domain where
participants' routers peer using BGP
[Figure: IXP topology. Labels: participant BGP edge routers, (private) eBGP session, route server, route-server eBGP session, traffic]
With respect to IXPs, SDN-enabled IXPs (SDX) ...
data plane relies on SDN-capable devices
control plane relies on an SDX controller
[Figure: SDX topology. Labels: participant edge routers, route server, OpenFlow-enabled switch, SDX controller]
SDX participants write policies using a high-level
language on top of a virtual topology
[Figure: virtual topology with the SDX controller; participant policies shown:]
match(dstip=ipA) >> fwd(outA)
match(dstip=ipC) >> fwd(C) +
match(dstip=ipA) >> fwd(A) +
match(dstip=ipB) >> fwd(outB)
match(dstip=ipC) >> fwd(outC)
The SDX controller composes policies together,
ensuring isolation and correctness
[Figure: the same participant policies feed the SDX controller, which produces OpenFlow rules]
What does SDX enable that was hard
or impossible to do before?
SDX enables a wide range of
novel interdomain applications
security
Prevent/block policy violation
Prevent participants communication
forwarding optimization
Middlebox traffic steering
Traffic offloading
Inbound Traffic Engineering
peering
Application-specific peering
remote-control
Wide-area load balancing
Influence BGP path selection
Upstream blocking of DoS attacks
Novel Applications for a
SDN-enabled Internet Exchange Point
1 Inbound Traffic Engineering
2 Upstream DoS blocking
3 Wide-area load balancing

1 Inbound Traffic Engineering
SDX can improve inbound traffic engineering
Given an IXP physical topology and a BGP topology
[Figure: IXP topology and BGP topology. Labels: AS A, AS B (ports B1 and B2), AS C, eBGP session, 192.0.{1,2,3}.0/24]
Implement B's inbound policy
to            from    receive on
192.0.1.0/24  A       B1
192.0.2.0/24  B       B2
192.0.2.0/24  ATT_IP  B2
192.0.2.0/24  *       B1
192.0.3.0/24  *       B2
How do you do that with BGP?
It is at least hard... BGP provides
few knobs to influence remote decisions
Implementing such a policy is configuration-intensive
using AS-Path prepend, MED, community tagging, etc.
and even impossible for some requirements...
BGP policies cannot influence remote parties'
decisions based on source addresses
to            from    receive on
192.0.2.0/24  ATT_IP  B2
In any case, the outcome is unpredictable
Implementing such a policy is configuration-intensive
using AS-Path prepend, MED, community tagging, etc.
Absolutely no guarantee that the remote party will comply
one can only “influence” remote decisions
Network engineers have no choice but to "try and see"
which makes it impossible to adapt to traffic patterns
With an SDX,
implementing B's inbound policy is easy
SDX policies give B direct control on its forwarding paths
to            from    fwd  B's SDX Policy
192.0.1.0/24  A       B1   match(dstip=192.0.1.0/24, srcmac=A) >> fwd(B1)
192.0.2.0/24  B       B2   match(dstip=192.0.2.0/24, srcmac=B) >> fwd(B2)
192.0.2.0/24  ATT_IP  B2   match(dstip=192.0.2.0/24, srcip=ATT) >> fwd(B2)
192.0.2.0/24  *       B1   match(dstip=192.0.2.0/24) >> fwd(B1)
192.0.3.0/24  *       B2   match(dstip=192.0.3.0/24) >> fwd(B2)
2 Upstream DoS blocking
SDX can help block DoS attacks
closer to the source
[Figure: a simple Internet topology. Labels: Attacker (AS13), Victim (AS7), AS1, SDX#A and SDX#B, each with a controller]
AS7 is under a DoS attack
originated by AS13
AS7 can remotely install a drop rule
in the SDX platforms
match(srcip=Attacker/24, dstip=Victim/32) >> drop
SDX-based DoS protection is more
efficient than traditional blackholing solutions
Remote ASes could drop traffic destined to their network
even if they are not physically connected to the IXP!
Traffic drop can be done based on any field
source address, destination address, port number, etc.
Traffic drop can be coordinated across multiple IXPs
thanks to collaboration between SDX controllers
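Added example, not from the original slides or the SDX project: a small Python model of the match >> fwd and match >> drop policies shown for B's inbound policy and for AS7's remote drop rule. It assumes rules are evaluated first-match in the order the slide lists them, that isolation means a participant may only write rules for destinations inside prefixes it originates, and that unmatched packets follow the BGP default; the names Rule, install and decide are hypothetical, and the ranges standing in for ATT_IP, Attacker/24 and Victim/32 are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: prefixes each participant originates.
# B's prefixes follow the slide; AS7's prefix and all source ranges are made up.
ORIGINATED = {
    "B": ["192.0.1.0/24", "192.0.2.0/24", "192.0.3.0/24"],
    "AS7": ["203.0.113.0/24"],
}
ATT = "198.51.100.0/24"       # stand-in for the slide's symbolic ATT_IP
ATTACKER = "10.13.0.0/24"     # stand-in for Attacker/24
VICTIM = "203.0.113.7/32"     # stand-in for Victim/32


@dataclass(frozen=True)
class Rule:
    owner: str                 # participant submitting the rule
    action: str                # "fwd" or "drop"
    port: str = ""             # output port for fwd rules
    dstip: str = "0.0.0.0/0"
    srcip: str = "0.0.0.0/0"
    srcmac: str = "*"          # sending participant, as in srcmac=A

    def matches(self, pkt):
        dst = ipaddress.ip_address(pkt["dstip"])
        src = ipaddress.ip_address(pkt["srcip"])
        return (dst in ipaddress.ip_network(self.dstip)
                and src in ipaddress.ip_network(self.srcip)
                and self.srcmac in ("*", pkt["srcmac"]))


def authorized(rule):
    """Isolation check (assumed): dstip must lie inside a prefix the owner originates."""
    dst = ipaddress.ip_network(rule.dstip)
    return any(dst.subnet_of(ipaddress.ip_network(p))
               for p in ORIGINATED.get(rule.owner, []))


def install(table, rule):
    """Add a rule if authorized; drop rules go first so they override forwarding."""
    if not authorized(rule):
        return False
    if rule.action == "drop":
        table.insert(0, rule)
    else:
        table.append(rule)
    return True


def decide(table, pkt):
    """First matching rule wins; with no match the packet follows the BGP default."""
    for rule in table:
        if rule.matches(pkt):
            return "drop" if rule.action == "drop" else "fwd(%s)" % rule.port
    return "default"


def build_table():
    """B's SDX policy, in the order the slide lists it."""
    table = []
    for r in [
        Rule("B", "fwd", "B1", dstip="192.0.1.0/24", srcmac="A"),
        Rule("B", "fwd", "B2", dstip="192.0.2.0/24", srcmac="B"),
        Rule("B", "fwd", "B2", dstip="192.0.2.0/24", srcip=ATT),
        Rule("B", "fwd", "B1", dstip="192.0.2.0/24"),
        Rule("B", "fwd", "B2", dstip="192.0.3.0/24"),
    ]:
        assert install(table, r)
    return table


def pkt(dst, src, mac):
    return {"dstip": dst, "srcip": src, "srcmac": mac}


if __name__ == "__main__":
    t = build_table()
    print(decide(t, pkt("192.0.2.9", "198.51.100.20", "C")))   # source inside ATT
    print(decide(t, pkt("192.0.2.9", "10.0.0.1", "C")))        # any other source
    # AS13 may not write rules for B's prefix; AS7 may protect its own host.
    print(install(t, Rule("AS13", "drop", dstip="192.0.2.0/24")))
    print(install(t, Rule("AS7", "drop", dstip=VICTIM, srcip=ATTACKER)))
    print(decide(t, pkt("203.0.113.7", "10.13.0.5", "AS13")))
```

The order of the two 192.0.2.0/24 rows matters under first-match evaluation: swapping the ATT row with the wildcard row would send all traffic to B1 and the source-based exception would never fire.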
3 Wide-area load balancing
DNS-based wide-area load balancing
has several limitations
High TTL values lead to slow recovery when a server fails
due to caching by local DNS servers and browsers
Low TTL values lead to higher delay for DNS resolution
due to cache misses
Load-balancing is not based on the client IP address
but on the IP address of the DNS resolver (e.g., Google DNS)
SDX enable direct and quick control
of traffic redirection
!"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9:
SDX enable
direct and quick control
!"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9:
of traffic redirection
!"#!
!"#$
%&'()&#!"#*
!"#+
!"#!
*
+
)
*
!"#+
)
+
,
!"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9:
!"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9:
*
+
)
*
,
,
-#$./.$0"1()!(2&1.3.45
C is a CDN hosting three types
of services:
!"#!
!"#$%&'()
!"#$
!"#$%&'(*
!"#!!"#$
!"#$ !"#+
!"#$%&'(+
!"#$%&'()
!"#$%&'(,
+
%&'()&#!"#*
%&'()&#!
!"#+
-#$./.$0"1()!(2&1.3.45
!"#$%&'(*
!"#$%&'(,
!"#$%&'()&**+)
!"#$%&'()&**+)
*
,&62&5.74(81&9:;014(4#7;.45
+!"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9:
* )
) *,
, !"#$+
!"#!
!"#+
DC1
)
,&62&5.74(81&9:;0
)
, +
,
-#$./.$0"1()!(2&1.3.45
-#$./.$0"1()!(2&1.3.45
!"#$%&'()
!"#$%&'(*
!"#$%&'(*
!"#$%&'(+
!"#$%&'(,
!"#$%&'(,
)
!"#$%&'()
6
+ *
%&'()&#!"#*
*
+
)
*
+
,
,#-$!./(01/'2$345)/0
!"#$%&'()
!"#$%&'
,
,#-$!./(01/'2$345)/0
!"#$%&'()&**+)
!"#$%&'()&**+)
6
!"#$%&'(+
-#$./.$0"1()!(2&1.3.45
!"#$%&'(*
!"#$%&'(,
!"#$%&'()&**+)
,&62&5.74(81&9:;014(4#7;.45
,&62&5.74(81&9:;014(4#7;.45
,&62&5.74(81&9:;014(4#7;.45
7
7
DC2
%
6
,#-$!./(01/'2$345)/0
,#-$!./(01/'2$345)/0
6,#-$!./(01/'2$345)/0
6
<&074(!4;/4;
<&074(!4;/4;
7
%
<&074(!4;/4;
71
72
%
<&074(!4;/4;
<&074(!4;/4;
%
%
!"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9:
SDX enable
direct and quick control
!"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9:
of traffic redirection
!"#!
!"#$
%&'()&#!"#*
!"#+
!"#!
*
+
)
*
!"#$
!"#+
)
+
,
!"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9:
!"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9:
*
+
)
*
,
,
-#$./.$0"1()!(2&1.3.45
Each of C’s data center is assigned
!"#!
!"#$%&'()
!"#$%&'(*
!"#$%&'(,
to a single IP prefix
!"#!!"#$
!"#$ !"#+
!"#$%&'(+
!"#$%&'()
+
%&'()&#!"#*
%&'()&#!
!"#+
-#$./.$0"1()!(2&1.3.45
!"#$%&'(*
!"#$%&'(,
!"#$%&'()&**+)
!"#$%&'()&**+)
*
192.0.2.0/24
DC1
6
,&62&5.74(81&9:;014(4#7;.45
+!"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9:
* )
) *,
, !"#$+
!"#!
!"#+
+ *
)
%&'()&#!"#*
,&62&5.74(81&9:;0
)
, +
,
-#$./.$0"1()!(2&1.3.45
-#$./.$0"1()!(2&1.3.45
!"#$%&'()
!"#$%&'(*
!"#$%&'(*
!"#$%&'(+
!"#$%&'(,
!"#$%&'(,
)
!"#$%&'()
*
+
)
*
+
,
,#-$!./(01/'2$345)/0
!"#$%&'()
!"#$%&'
,
,#-$!./(01/'2$345)/0
!"#$%&'()&**+)
!"#$%&'()&**+)
6
!"#$%&'(+
-#$./.$0"1()!(2&1.3.45
!"#$%&'(*
!"#$%&'(,
!"#$%&'()&**+)
,&62&5.74(81&9:;014(4#7;.45
,&62&5.74(81&9:;014(4#7;.45
,&62&5.74(81&9:;014(4#7;.45
7
7
DC2
%
6
,#-$!./(01/'2$345)/0
,#-$!./(01/'2$345)/0
6,#-$!./(01/'2$345)/0
6
<&074(!4;/4;
<&074(!4;/4;
7
192.0.3.0/24
%
<&074(!4;/4;
71
72
%
<&074(!4;/4;
<&074(!4;/4;
%
%
!"#$%&'()*+(,-.$#&/$"01(2,)3.4(5"36.(07(8+9:
SDX enables direct and quick control
of traffic redirection
C assigns one IP address per service
taken from a service prefix
[Figure: service prefix 192.0.1.0/24 with service addresses 192.0.1.1, 192.0.1.2 and 192.0.1.3; DC1 192.0.2.0/24; DC2 192.0.3.0/24]
C announces the service prefix
directly from the IXP
[Figure: service prefix 192.0.1.0/24 with service addresses 192.0.1.1, 192.0.1.2 and 192.0.1.3; DC1 192.0.2.0/24; DC2 192.0.3.0/24]
C installs a policy to direct requests to a given service
to the appropriate replica based on the client’s IP address
match(dstip=192.0.1.1) >>
  (match(srcip=0.0.0.0/1) >> mod(dstip=192.0.2.161)) +
  (match(srcip=128.0.0.0/1) >> mod(dstip=192.0.3.139))

(match(dstip=192.0.1.1) >> mod(dstip=192.0.0.161)) +
(match(srcip=192.0.1.2) >> mod(dstip=192.0.0.139)) +
(match(srcip=192.0.1.3) >> mod(dstip=192.0.0.111))
...
[Figure: data centers DC1, DC2 and DC3]
SDX enables direct and quick control
of traffic redirection
SDX load-balancing is
fast: no more problems due to DNS caching
flexible: any load-balancing algorithm can be used
efficient: based on the actual client IP address
Novel Applications for a
SDN-enabled Internet Exchange Point
Inbound Traffic Engineering
Upstream DoS blocking
Wide-area load balancing
We have running code
as well as a first deployment site
We have implemented a first SDX controller prototype
which supports policy composition
We have partnered with a large regional IXP in Atlanta
which hosts many large content providers such as Akamai
Ping me if you are interested in knowing more
Several challenges remain
We need authentication mechanisms to validate policies
e.g., using RPKI
We need “access-lists” to constrain the policies
e.g., limiting the capabilities available to each participant
We need to make the platform scalable
as SDN devices currently support a relatively small # of rules
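The load-balancing policy for service 192.0.1.1 and the "access-lists" challenge above, combined in an added example that is not from the slides or the SDX prototype. The access-list layout, the function names and the rule that unmatched traffic returns None are assumptions of this sketch; the prefixes and replica addresses are the ones shown on the slides.

```python
import ipaddress as ip

# Hypothetical per-participant access list, built from the prefixes on the
# slides: C may match only its service prefix and rewrite only to its DCs.
ACL = {"C": {"match_dst": [ip.ip_network("192.0.1.0/24")],
             "rewrite_to": [ip.ip_network("192.0.2.0/24"),
                            ip.ip_network("192.0.3.0/24")]}}

# The slide's policy for service 192.0.1.1, one tuple per branch:
# (service dstip, client srcip prefix, replica dstip).
POLICY_C = [
    ("192.0.1.1", "0.0.0.0/1", "192.0.2.161"),
    ("192.0.1.1", "128.0.0.0/1", "192.0.3.139"),
]

def violations(participant, policy, acl=ACL):
    """Return the rules this participant's access list does not permit."""
    caps = acl.get(participant, {"match_dst": [], "rewrite_to": []})
    bad = []
    for service, clients, replica in policy:
        ip.ip_network(clients)  # raises ValueError on a malformed prefix
        ok_match = any(ip.ip_address(service) in n for n in caps["match_dst"])
        ok_rewrite = any(ip.ip_address(replica) in n for n in caps["rewrite_to"])
        if not (ok_match and ok_rewrite):
            bad.append((service, clients, replica))
    return bad

def redirect(policy, srcip, dstip):
    """Return the replica address for a packet, or None if no rule applies.

    The branches on the slide have disjoint srcip prefixes, so taking the
    first match gives the same result as their parallel composition (+).
    """
    src = ip.ip_address(srcip)
    for service, clients, replica in policy:
        if dstip == service and src in ip.ip_network(clients):
            return replica
    return None

# Constructed rule that matches on a destination outside C's service prefix.
FOREIGN_RULE = ("198.51.100.7", "0.0.0.0/0", "192.0.2.161")
```

A controller would run a check like `violations` before installing a participant's rules, so that a policy touching another participant's address space is rejected rather than compiled into the switch.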
Novel Applications for a
SDN-enabled Internet Exchange Point
Laurent Vanbever
http://vanbever.eu
SDN Research Group, IETF87
July, 29 2013
