OpenBox Controller Northbound API
Dan Shmidt | January 2017

Project Goal
  • Design and Implementation of OpenBox's Northbound API

Agenda
  • Network Function (AKA the Problem)
  • OpenBox (AKA Solution)
  • Zoom-In OpenBox Controller
  • Workflows
  • Architecture

Network Functions (NF)

What are Network Functions
  • Appliances deployed on a network's data plane (Physical or Virtual)
  • Usually perform some sort of Packet Processing
  • Examples: Firewall, IDS, IPS, Load Balancer

Typical Firewall (Example)

Typical IPS (Example)

The Downside of NFs
  • Managed Separately
  • Hardware
  • Management Interface
  • Redundant Processing
  • Header inspection

OpenBox

OpenBox Introduction
  • Framework: Hardware, Software, SDK, API
  • Decouple NF control plane from data plane
  • Merge data plane activity for multiple NFs
  • Allow network administrators to experiment with NFs

Merged Firewall + IPS

OpenBox Architecture

OpenBox Components

Northbound API
  • SDK for NF developers that allows NF creation with a small set of generic pieces.
  • Application loading and management
  • API for applications to interact with the data plane

OpenBox Application (OBA)
  • User defined logic that aims to perform packet processing
  • Defined in terms of the Northbound API (SDK)
  • Formally a Tuple:

OpenBox Controller (OBC)
  • Centralized control of the OpenBox Framework
  • Facing the user (Northbound API)
  • Facing the data plane (Southbound API)

OpenBox Instance (OBI)
  • A single unit in OpenBox's data plane
  • Executes the user defined logic
  • Single Requirement: Implement OpenBox protocol
  • Virtual / Physical / Software / Hardware

Southbound API
  • Communication protocol between OBI and OBC
  • Control plane messages, e.g. Set Processing Graph
  • Data plane messages, e.g. Read Handle (count of dropped packets)

OpenBox Controller

Responsibilities (South)
  • Manage the Data plane by controlling OBIs
  • Communication layer between Applications and data plane
  • Load Custom modules

Responsibilities (North)
  • Create applications
  • Load applications
  • Query applications
  • Network Overview
  • Expose OpenBox functionality

Architecture

Challenges
  • Asynchronous System
  • How much of the raw data is exposed to the application
  • Application Isolation

OpenBox Abstraction Layer (OBAL)
  • SDK for application developers
  • Building blocks for every possible NF
  • Header Matching
  • Payload Matching
  • Alerts

OBAL Implementation

Events Manager
  • Responsible for triggering events
  • Registers application to requested events
  • Holds a hook to access applications when needed

Available Events
  • Mandatory events: Application Started, Application Stopped, Error
  • Non-Mandatory: Alert

Read / Write Handles
  • Access to the application configuration and statistics
  • Access to specific processing block of a specific application

Topology Manager
  • The knowledge of how the network is built
  • Topology information is needed across the board
  • Users
  • OBC internal use

Application Registry
  • Entry point for application creators
  • Ability to register new applications to the controller
  • Plugin like behavior

Application Aggregator
  • Merge mutual processing blocks of several applications.
  • Caution to not disrupt application isolation

[Architecture diagram: OBA, Topology Manager, OBAL, Registry, Handle Clients, Event Handlers, Events Manager, Aggregator; to data plane via Southbound API]

Workflows

Application Loading
  • How to install a new OpenBox Application
  • Implement logic with OpenBox SDK
  • Supply Topology Information
  • Use ApplicationRegistry to load application

Application Loading

[Sequence diagram: OBA, Registry, Event Manager, Aggregation; messages: Load Application, Aggregate, Perform Aggregation, Application Loaded, Application Started]

Read / Write Handles Workflow
  • Once application has started, the administrator would like to query the application from the data plane.
  • How many packets were processed?
  • How many packets were dropped?

Read / Write Handles Workflow

[Sequence diagram: Handle Client, OBA, Southbound API, OBI; messages: Read Handle, Read Result]

Application Isolation
  • Aggregator keeps a mapping of original block id -> new block id
  • A query for a read handle checks the mapping and queries the new block that actually resides in the data plane

Event / Alert Workflow
  • Application's way to actively notify about its lifetime and about its process.
  • Instance Down
  • Packet Dropped
  • Threat Detected

Event / Alert Workflow

[Sequence diagram: OBA, Event Manager, Southbound API, OBI; messages: Alert, Handle Alert, handler.Handle]

Application Isolation
  • Alert Blocks carry their identifier
  • Application aggregator keeps original blocks -> Application mapping
  • Aggregation takes care of keeping the original identifier on the aggregated graph

Example (Simple IPS)

Processing Graph

Code Snippets (Create Blocks)

Code Snippets (Connect)

Benefits
  • ~270 lines of code
  • Code is readable and self explanatory
  • Easily Configurable
  • Easily Changeable
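
The two Application Isolation slides above describe the aggregator's bookkeeping: an original block id -> new block id mapping for read handles, and an original block -> application mapping for alerts. The sketch below is an added example, not code from the OpenBox controller or from the slides; the class, method and block names are hypothetical, and the handle values are a constructed stand-in for what an OBI would report.

```python
# Added illustration: names are hypothetical, not the OpenBox controller's API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Block:
    block_id: str   # identifier chosen by the application
    kind: str       # e.g. "HeaderClassifier" or "Alert"
    config: str     # canonical configuration, used to spot mutual blocks

class Aggregator:
    def __init__(self):
        self._merged = {}       # (kind, config) -> block id in the data plane
        self._block_map = {}    # (app, original id) -> block id in the data plane
        self._alert_owner = {}  # original alert block id -> owning application
        self.handles = {}       # stand-in for an OBI: data-plane id -> handle values

    def load(self, app, blocks):
        for b in blocks:
            if b.kind == "Alert":
                # Alert blocks are not merged: they keep their original
                # identifier so an alert can be traced to one application.
                if b.block_id in self._alert_owner:
                    raise ValueError(f"alert block id already in use: {b.block_id}")
                self._alert_owner[b.block_id] = app
                new_id = b.block_id
            else:
                key = (b.kind, b.config)
                new_id = self._merged.setdefault(key, f"merged-{len(self._merged)}")
            self._block_map[(app, b.block_id)] = new_id

    def read_handle(self, app, block_id, handle):
        # Resolve only through the caller's own mapping; another application's
        # block id (or a raw data-plane id) is refused rather than looked up.
        new_id = self._block_map.get((app, block_id))
        if new_id is None:
            raise PermissionError(f"{app} has no block {block_id!r}")
        return self.handles[new_id][handle]

    def route_alert(self, origin_block_id):
        # Deliver to the single owner; unknown origins go to nobody.
        return self._alert_owner.get(origin_block_id)

def demo():
    # Constructed sample: two applications sharing one header classifier.
    agg = Aggregator()
    agg.load("firewall", [Block("fw_hdr", "HeaderClassifier", "tcp dst 22"),
                          Block("fw_alert", "Alert", "ssh blocked")])
    agg.load("ips", [Block("ips_hdr", "HeaderClassifier", "tcp dst 22"),
                     Block("ips_alert", "Alert", "signature hit")])
    agg.handles["merged-0"] = {"count": 7}   # value the OBI would report
    return agg
```

In this model a merged block has a single set of handle values, so every application mapped to it reads the same counter.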

Experimental Results

Experimental Environment
  • Hardware (sheldon): Intel Xeon E3-1270 V3 CPU, 32GB RAM

Experiment Goal
  • How well does the OBC handle messages from the Data plane?
  • Resource Utilization
  • Latency

Experimental Scenario
  • Controller
  • Single OBI
  • Single Application which sends alerts in a configurable rate (MPM).

Memory Utilization

CPU Utilization

Latency

Futuristic

Future Work
  • Smart / Automatic NF Placement
  • OpenFlow Integration
  • Create NFs with graphical tool
  • Native Northbound API
  • Dashboard
  • Reloading applications while controller is running

Questions?
