Introduction
- new network architecture for the enterprise
- enterprise networks comprised of applications, protocols, w/ reliability and security constraints
- management solutions are weak which makes network management expensive and error-prone
- approaches
- physical middle-box to route all traffic through
- change and/or layer more protocols
- ethane – three principles
- network should be governed by policies declared over high-level names
- policy should determine the path that packets follow
- the network should enforce a strong binding between a packet and its origin
- additional ethan features:
- security follows mgmt
- incrementally deployable
Ethane design overview
- ethane control the network by not allowing any communication between
end hosts without explicit permission.
- central Controller with global network policy
- 2nd component is a switch: simple/dumb with flow table and
communication channel to the controller
- names/binding/policy language
- controller needs host/service-type IP mappings
- controller knows about types of machines and where they are located (physical port, AP, etc)
- five basic ethane activities
- registration (with controller)
- bootstrapping (connect to switch to controller)
- authentication
- verify users are allowed to have packets routed in the network
- flow setup: when a packet is un-recognized, switch forwards it to the controller for decision
- following packets use same decision
- forwarding: if a controller allows a path, sends the packet back
to a switch to forward it based on a new flow entry
- ethane switches only have a partial view of the network, controller has entire view
- switches in the network can be much “dumber” and replace een routers
- controller takes care of telling the switch where packets should be routed
- ethane switches need to maintain much less state than a forwarding switch
- flow table and flow entries
- switch datapath is a managed flow table
- flow entries have a header to match packets against and corresponding rule
- per-flow entries and per-host entries
- only controller can add entries into a flow table
- flow table implemented with two exact-match tables – can use
exact matches+hashing than TCAMs (longest-prefix)
- switch needs a small local manager/OS to establish and maintain a channel to the controller
- if switch is not in the sam broadcast domain as the controller, use IP tunneling
- controller
- registration: all entities needing to be named by the network
(hosts, protocols, switchers, users, APs) must register
- authentication: all entities must authenticate with the network
- track bindings: tracks connections between names addresses, and physical ports
- namespace interface: a way for a management entity to view/analyze network behavior
- authorization: controller must determine which entities have access to particular resources
- enforce resource limits: must be able to manage resource
utilization of entities in the network
- broadcast and multicast
- switch holds bitmap to determine flow destinations
- controller builds multicast tree
- replicating the controller
- use journaling+replication (e.g. paxos/raft) to keep consistent state in case of failure
- link failures:
- switches send neighbor discovery messages to neighbors to determine link state
- controller can receive said messages as a “health check”
- bootstrapping
- use MST algorithm to get packets to the controller.
- pol-eth policy language
- network policy declared as a set of rules
- each with corresponding condition and action (allow/deny)
- rules must be specifically allowed
- each rule independent
results
- flow setup time increases with controller load…about 1.6ms for 10k+ node network
- shortcomings
- broadcast traffic takes 90% of flows
- trusts end hosts to not relay traffic around policies
- assumes transport port numbers corresponds with traffic type (e.g. 80/443 for http, 22 for ssh)
- ethane switches rely on ethernet addresses to identify flows
- spoofing a MAC can fool ethane into delivering packets to the wrong hosts
-