www.deepness-lab.org

OpenBox Controller Northbound API
Dan Shmidt | January 2017

Project Goal
- Design and implementation of OpenBox's Northbound API

Agenda
- Network Functions (AKA the problem)
- OpenBox (AKA the solution)
- Zoom-in: OpenBox Controller
- Workflows
- Architecture

Network Functions (NF)

What are Network Functions?
- Appliances deployed on a network's data plane (physical or virtual)
- Usually perform some sort of packet processing
- Examples: firewall, IDS, IPS, load balancer

[Figure: typical firewall (example)]
[Figure: typical IPS (example)]

The Downside of NFs
- Managed separately
- Hardware
- Management interface
- Redundant processing (header inspection)

OpenBox

OpenBox Introduction
- Framework: hardware, software, SDK, API
- Decouple the NF control plane from the data plane
- Merge data plane activity for multiple NFs
- Allow network administrators to experiment with NFs

[Figure: merged Firewall + IPS]

OpenBox Architecture

OpenBox Components

Northbound API
- SDK for NF developers that allows NF creation with a small set of generic pieces
- Application loading and management
- API for applications to interact with the data plane

OpenBox Application (OBA)
- User-defined logic that aims to perform packet processing
- Defined in terms of the Northbound API (SDK)
- Formally a tuple:

OpenBox Controller (OBC)
- Centralized control of the OpenBox framework
- Facing the user (Northbound API)
- Facing the data plane (Southbound API)

OpenBox Instance (OBI)
- A single unit in OpenBox's data plane
- Executes the user-defined logic
- Single requirement: implement the OpenBox protocol
- Virtual / physical / software / hardware

Southbound API
- Communication protocol between OBI and OBC
- Control plane messages, e.g. Set Processing Graph
- Data plane messages, e.g. Read Handle (count of dropped packets)

OpenBox Controller

Responsibilities (South)
- Manage the data plane by controlling OBIs
- Communication layer between applications and the data plane
- Load custom modules

Responsibilities (North)
- Create applications
- Load applications
- Query applications
- Network overview
- Expose OpenBox functionality

Architecture Challenges
- Asynchronous system
- How much of the raw data is exposed to the application
- Application isolation

OpenBox Abstraction Layer (OBAL)
- SDK for application developers
- Building blocks for every possible NF: header matching, payload matching, alerts

OBAL Implementation

Events Manager
- Responsible for triggering events
- Registers applications to requested events
- Holds a hook to access applications when needed

Available Events
- Mandatory events: Application Started, Application Stopped, Error
- Non-mandatory: Alert

Read / Write Handles
- Access to the application configuration and statistics
- Access to a specific processing block of a specific application

Topology Manager
- The knowledge of how the network is built
- Topology information is needed across the board: users, OBC internal use

Application Registry
- Entry point for application creators
- Ability to register new applications to the controller
- Plugin-like behavior

Application Aggregator
- Merge mutual processing blocks of several applications
- Caution not to disrupt application isolation

[Architecture diagram: OBA; Topology Manager; OBAL; Registry; Handle Clients; Event Handlers; Events Manager; Aggregator; to the data plane via the Southbound API]

Workflows

Application Loading
- How to install a new OpenBox application:
  - Implement the logic with the OpenBox SDK
  - Supply topology information
  - Use ApplicationRegistry to load the application

[Sequence diagram, Application Loading: OBA -> Registry -> Event Manager -> Aggregation; messages: Load Application, Aggregate, Perform Aggregation, Application Loaded, Application Started]

Read / Write Handles Workflow
- Once an application has started, the administrator would like to query the application from the data plane:
  - How many packets were processed?
  - How many packets were dropped?

[Sequence diagram, Read / Write Handles Workflow: OBA -> Handle Client -> Southbound API -> OBI; messages: Read Handle (forwarded at each hop), Read Result (returned at each hop)]

Application Isolation
- The aggregator keeps a mapping of original block id -> new block id
- A query for a read handle checks the mapping and queries the new block that actually resides in the data plane

Event / Alert Workflow
- The application's way to actively notify about its lifetime and about its process
- Examples: Instance Down, Packet Dropped, Threat Detected

[Sequence diagram, Event/Alert Workflow: OBI -> Southbound API -> Event Manager -> OBA; messages: Alert, Handle Alert, handler.Handle]

Application Isolation
- Alert blocks carry their identifier
- The application aggregator keeps an original blocks -> application mapping
- Aggregation takes care of keeping the original identifier on the aggregated graph

Example (Simple IPS)

[Figure: processing graph]
[Code snippets: create blocks]
[Code snippets: connect]

Benefits
- ~270 lines of code
- Code is readable and self-explanatory
- Easily configurable
- Easily changeable
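The handle and alert workflows above, with the aggregator's block-id mapping and the isolation it preserves, as an added Python example; this is not code from the original slides or from the OpenBox project. It loads two constructed applications, a firewall and a simple IPS in the spirit of the example above, that both classify SSH traffic, so the aggregator merges their identical header-match block; it then shows a read handle resolved through the mapping, an alert routed back to the owning application only, and one application failing to address another's blocks. The class and method names, the block kinds, the rule that only stateless classifier blocks are mergeable, the in-memory dictionary standing in for the OBI and every sample value are assumptions made for illustration.

```python
# Added example, not OpenBox's own code: a toy model of the aggregator, events manager and
# handle client the slides describe. Every name, block kind and sample value is an assumption.
from collections import defaultdict
from dataclasses import dataclass, field

MERGEABLE = {"HeaderMatch", "PayloadMatch"}  # assumed: only stateless classifiers are shared


@dataclass(frozen=True)
class Block:
    block_id: str  # identifier in the application's own namespace
    kind: str      # processing block type
    params: tuple  # hashable configuration, e.g. (("dst_port", 22),)


@dataclass
class Application:
    name: str
    blocks: list                                # [Block]
    edges: list                                 # [(src_block_id, dst_block_id)]
    alerts: list = field(default_factory=list)  # alerts delivered back to this application

    def on_alert(self, block_id, message):      # the application's "Alert" event handler
        self.alerts.append((block_id, message))


class Aggregator:
    """Merges mutual blocks of several applications into one data-plane graph and keeps
    the block-id mapping in both directions, so application isolation survives the merge."""
    def __init__(self):
        self.counter = 0
        self.shared = {}                 # (kind, params) -> merged block id
        self.to_merged = {}              # (app name, original id) -> merged block id
        self.owners = defaultdict(list)  # merged block id -> [(app name, original id)]
        self.edges = set()               # edges of the aggregated graph

    def aggregate(self, app):
        for b in app.blocks:
            key = (b.kind, b.params)
            if b.kind in MERGEABLE and key in self.shared:
                mid = self.shared[key]   # identical classifier already in the graph: reuse it
            else:
                self.counter += 1
                mid = f"m{self.counter}"
                if b.kind in MERGEABLE:
                    self.shared[key] = mid
            self.to_merged[(app.name, b.block_id)] = mid
            self.owners[mid].append((app.name, b.block_id))
        for src, dst in app.edges:
            self.edges.add((self.to_merged[(app.name, src)], self.to_merged[(app.name, dst)]))


class HandleClient:
    """Read Handle workflow: a query in the application's own block namespace is translated
    to the merged block that actually resides in the OBI (here a dict of counters)."""
    def __init__(self, aggregator, obi_counters):
        self.agg, self.obi = aggregator, obi_counters

    def read(self, app_name, block_id, handle):
        merged_id = self.agg.to_merged[(app_name, block_id)]  # KeyError: not this app's block
        return self.obi[merged_id][handle]


class EventsManager:
    """Alert workflow: a data-plane alert carries the merged id; it is mapped back to the
    original (app, block) pair and delivered only to the applications owning that block."""
    def __init__(self, aggregator):
        self.agg = aggregator
        self.handlers = {}  # app name -> Alert callback

    def register(self, app):
        self.handlers[app.name] = app.on_alert

    def on_alert(self, merged_id, message):
        delivered = []
        for app_name, original_id in self.agg.owners.get(merged_id, []):
            self.handlers[app_name](original_id, message)
            delivered.append(app_name)
        return delivered


def demo():
    """Loads a firewall and a simple IPS that both classify SSH traffic (constructed apps)."""
    ssh = (("dst_port", 22),)
    fw = Application("fw", [Block("ssh", "HeaderMatch", ssh), Block("drop", "Drop", ())],
                     [("ssh", "drop")])
    ips = Application("ips", [Block("m", "HeaderMatch", ssh),
                              Block("sig", "PayloadMatch", (("pattern", "BADSIG"),)),
                              Block("a", "Alert", ())], [("m", "sig"), ("sig", "a")])
    agg, obi = Aggregator(), defaultdict(lambda: defaultdict(int))
    events, handles = EventsManager(agg), HandleClient(agg, obi)
    for app in (fw, ips):                    # application loading: aggregate, then subscribe
        agg.aggregate(app)
        events.register(app)
    obi[agg.to_merged[("fw", "ssh")]]["packet_count"] = 7   # simulated data-plane counter
    delivered = events.on_alert(agg.to_merged[("ips", "a")], "signature BADSIG matched")
    try:                                     # isolation: fw cannot address the IPS's blocks
        handles.read("fw", "a", "packet_count")
        isolated = False
    except KeyError:
        isolated = True
    return {"shared_classifier": agg.to_merged[("fw", "ssh")] == agg.to_merged[("ips", "m")],
            "merged_blocks": len(agg.owners), "edges": len(agg.edges),
            "fw_count": handles.read("fw", "ssh", "packet_count"),
            "ips_count": handles.read("ips", "m", "packet_count"),
            "alert_delivered_to": delivered, "ips_alerts": ips.alerts, "fw_isolated": isolated}
```

Running demo() shows five original blocks collapsing into four merged ones (one shared HeaderMatch), both applications reading the same packet counter through their own block ids, the alert from the IPS's Alert block reaching only the IPS, and the firewall's attempt to read an IPS block rejected because the mapping is keyed by (application, block id).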

Experimental Results

Experimental Environment
- Hardware (sheldon): Intel Xeon E3-1270 V3 CPU, 32GB RAM

Experiment Goal
- How well does the OBC handle messages from the data plane?
- Resource utilization
- Latency

Experimental Scenario
- Controller
- Single OBI
- Single application which sends alerts at a configurable rate (MPM)

[Charts: memory utilization; CPU utilization; latency]

Futuristic

Future Work
- Smart / automatic NF placement
- OpenFlow integration
- Create NFs with a graphical tool
- Native Northbound API
- Dashboard
- Reloading applications while the controller is running

Questions?
