OpenBox Controller Northbound API Dan Shmidt | January 2017 Project Goal Design and Implementation

of OpenBoxs Northbound API Agenda Network Function (AKA the Problem) OpenBox (AKA Solution)

Zoom-In OpenBox Controller Workflows Architecture Network Functions (NF)

What are Network Functions Appliances deployed on a networks data plane (Physical or Virtual) Usually perform some sort of Packet Processing

Examples: Firewall, IDS, IPS, Load Balancer Typical Firewall (Example) Typical IPS (Example)

The Downside of NFs Managed Separately Hardware Management Interface Redundant Processing Header inspection

OpenBox OpenBox Introduction Framework: Hardware, Software, SDK, API Decouple NF control plane from data plane

Merge data plane activity for multiple NFs Allow network administrators to experiment with NFs Merged Firewall + IPS

OpenBox Architecture OpenBox Components Northbound API

SDK for NF developers that allows NF creation with a small set of generic pieces. Application loading and management API for applications to interact with the data plane

OpenBox Application (OBA) User defined logic that aims to perform packet processing Defined in terms of the Northbound API (SDK)

Formally a Tuple: OpenBox Controller (OBC) Centralized control of the OpenBox Framework

Facing the user (Northbound API) Facing the data plane (Soutbound API) OpenBox Instance (OBI) A single unit in OpenBoxs data plane Executes the user defined logic

Single Requirement: Implement OpenBox protocol Virtual / Physical / Software / Hardware Southbound API Communication protocol between OBI and

OBC Control plane messages e.g: Set Processing Graph Data plane messages e.g: Read Handle (count of dropped packets)

OpenBox Controller Responsibilities (South) Manage the Data plane by controlling OBIs Communication layer between Applications and data plane

Load Custom modules Responsibilities (North) Create applications Load applications Query applications

Network Overview Expose OpenBox functionality Architecture Challenges

Asynchronous System How much of the raw data is exposed to the application Application Isolation OpenBox Abstraction Layer (OBAL)

SDK for application developers Building blocks for every possible NF Header Matching Payload Matching Alerts

OBAL Implementation Events Manager Responsible for triggering events Registers application to requested events Holds a hook to access applications when

needed Available Events Mandatory events: Application Started Application Stopped

Error Non-Mandatory: Alert Read / Write Handles Access to the application configuration and

statistics Access to specific processing block of a specific application Topology Manager The knowledge of how the network is built

Topology information is needed across the board Users OBC internal use Application Registry

Entry point for application creators Ability to register new applications to the controller Plugin like behavior Application Aggregator

Merge mutual processing blocks of several applications. Caution to not disrupt application isolation OBA

Topology Manager OBAL Registry

Handle Clients Event Handlers

Events Manager Aggregator To Data plane

Via Southbound API Workflows

Application Loading How to install a new OpenBox Application Implement logic with OpenBox SDK Supply Topology Information Use ApplicationRegistry to load application

Application Loading OBA Registry

Event Manager Aggregation Load Application

Aggregate Perform Aggregation Application Loaded Application

Started Read / Write Handles Workflow Once application has started, the administrator would like to query the application from the data plane.

How many packets were processed? How many packets were dropped? Read / Write Handles Workflow Handle Client

OBA Southboun d API

Read Handle Read Handle Read Handle Read Result Read Result

OBI Application Isolation Aggregator keeps a mapping of original block id -> new block id

A query for a read handle checks the mapping and queries the new block that actually resides in the data plane Event / Alert Workflow Applications way to actively notify about

its lifetime and about its process. Instance Down Packet Dropped Threat Detected Event/Alert Workflow

OBA Event Manager Southboun

d API OBI Alert Handle Alert

handler.Handle Application Isolation Alert Blocks carry their identifier Application aggregator keeps original blocks -> Application mapping

Aggregation takes care of keeping the original identifier on the aggregated graph Example (Simple IPS)

Processing Graph Code Snippets (Create Blocks) Code Snippets (Connect)

Benefits ~270 lines of code Code is readable and self explanatory Easy Configurable Easily Changeable

Experimental Results Experimental Environment Hardware (sheldon): Intel Xeon E3-1270 V3 CPU

32GB Ram Experiment Goal How well does the OBC handles messages from the Data plane?

Resource Utilization Latency Experimental Scenario Controller

Single OBI Single Application which sends alerts in a configurable rate (MPM). Memory Utilization

CPU Utilization Latency Futuristic

Future Work Smart / Automatic NF Placement OpenFlow Integration Create NFs with graphical tool Native Northbound API Dashboard Reloading applications while controller is

running Questions ?

Recently Viewed Presentations

  • Lesson 1: Length English vs. Metric Units Which

    Lesson 1: Length English vs. Metric Units Which

    English vs. Metric Units. Which is longer? A. 1 mile or 1 kilometer. B. 1 yard or 1 meter. C. 1 inch or 1 centimeter. 1.6 kilometers. 1 mile. 1 yard = 0.9144 meters
  • In-hospital Cardiac Arrest: First and foremost, Chest Compressions

    In-hospital Cardiac Arrest: First and foremost, Chest Compressions

    IHCA is pretty common… ˜200,000 in the US. Survival is 18-20%. There is tremendous variability among hospitals. Get with the Guidelines. 135,896. 20% with Ventricular fibrillation or Ventricular tachycardia
  • Chapter 11- Peer Pressure

    Chapter 11- Peer Pressure

    Consequences: Verbal warning Name on smart board- Writing assignment may be given Check mark 1- Phone call home Check mark 2- Lunch detention Check mark 3- Office referral If behavior continues and alternative assignment will be given and student will...
  • Unit 11 Digestive System and Urinary system

    Unit 11 Digestive System and Urinary system

    bile - yellow-green fluid containing minerals, cholesterol, neutral fats, phospholipids, bile pigments, and bile acids. bilirubin - principal pigment derived from the decomposition of hemoglobin. bacteria in large intestine metabolize bilirubin to urobilinogen. responsible for the brown color of feces
  • Presentación de PowerPoint - ESPE

    Presentación de PowerPoint - ESPE

    MONTERO, ALICIA CODIRECTOR: ING. REALPE, EDY Abril, 2015 ... 9000 19000 ESTUDIO DE MERCADO ESTUDIO DE MERCADO Situación Actual Ecuador-can Ecuador-Perú ESTUDIO DE MERCADO Cifras Comerciales IFT - Competencia SEGMENTACIÓN DE MERCADO Competencia comercial Posicionamiento ESTUDIO DE MERCADO ...
  • College Algebra with Modeling and Visualization, 6e

    College Algebra with Modeling and Visualization, 6e

    In real life, populations of bacteria, insects, and animals do not continue to grow indefinitely. Initially, population growth may be unrestricted, and modeled by exponential growth.
  • Chemical Bonds & Reactions

    Chemical Bonds & Reactions

    Ionic bond. The attractive force between oppositely charged ions, which form when electrons are transferredfrom one atom to another. Covalent Bond. A bond formed when atoms share one or more pairs of electrons. Metallic Bond. A bond formed by the...
  • Accessory Organs

    Accessory Organs

    It gives passage to the: Portal vein Hepatic artery Hepatic nerve plexus Hepatic ducts Lymphatic vessels Peritoneal relations of the Liver The Lesser omentum Encloses the portal triad (bile duct, hepatic artery and portal vein ) Passes from the liver...