ppt - Roman Pletka
Download
Report
Transcript ppt - Roman Pletka
Adaptive End-to-End QoS Guarantees in IP
Networks using an Active Network Approach
Roman Pletka
IBM Research, Zurich Research Laboratory, Switzerland
Burkhard Stiller
University of Federal Armed Forces Munich, Germany and
Computer Engineering and Networks Laboratory (TIK), ETH Zürich, Switzerland
IBM Zurich Research Laboratory
Zurich Research Laboratory
Agenda
• Introduction
• The abstract node model
• Active networking framework
– Overview of security risks.
– The hierarchical safety levels
• Example Applications
– E2E services with RSVP signaling and active packets
• Conclusion
IBM Zurich Research Laboratory
Zurich Research Laboratory
Introduction
• Why is QoS rarely used today?
– ISP’s use massive over-provisioning.
– Huge variety in existing QoS architectures (Intserv,
Diffserv, ST2+, QoS classes in GPRS).
– No end-to-end support for service guarantees in
heterogeneous IP networks (Are user’s willing to pay
for unpredictable service?).
– Increasing variety in QoS-provisioning mechanisms
(eg., policers, schedulers, AQM schemes)
=> Need for QoS translation services.
IBM Zurich Research Laboratory
Zurich Research Laboratory
Building E2E services
End-to-end Service
Service Description
SLA
Networking Parameters
SLS
SLA
Networking Parameters
SLS
Sender
SLA
SLS
Receiver
IBM Zurich Research Laboratory
Zurich Research Laboratory
Node Model for QoS Provisioning in a
Proactive Environment
Active Security
Hierarchy
3
2
1
0
Absolute and Relative
QoS Description
5
4
Active Packets
Intserv
RSVP
Diffserv
Proactive QoS Plane
Application Plane
IBM Zurich Research Laboratory
Zurich Research Laboratory
Networking Plane
Functional Description
•
Discovery process
– Leads to initial behavior bounds that specify upper bounds for available resources.
– Within the network, not from hosts.
•
Resource Management
– Comprises the task of maintaining information on the actual status of resource
availability.
– Example: maximum available bandwidth per traffic class, policies, resources
related to the neighborhood, and router services.
•
Feedback Control
– Instantaneous traffic characteristics can deviate from QoS reservation.
•
Translation phase
– Translation of QoS parameters using active code provided by either the network
administrator or the application itself.
– No simple one-to-one mapping => active code.
Surjective code translation is obtained by projection onto the new QoS space,
whereas injective code translation needs additional information based on default
mappings and/or educated guess methods.
IBM Zurich Research Laboratory
Zurich Research Laboratory
Security Risks in Active Networks
•
Byte-code language
–
–
–
•
Resource bound
–
–
–
–
•
Divides networking resources into a two-dimensional vector (local and network part)
Limitation of bandwidth, CPU, and memory usage in nodes.
Enables efficient charging of active packets at the network edge.
Presence of code and data in the same packet does not compromise security.
Safety levels
–
–
•
Byte-code provides architectural neutrality and intrinsic safety properties [SNAP].
Common operations can be represented with a single byte-codes which leads to high code
compactness.
Specific characteristics of the underlying architecture are hidden.
Monitoring control plane activities.
Handling of active networking packets is split into 6 security levels.
Sandbox environment
–
–
–
Safe execution environment: Active Networking Sandbox (ANSB)
Information exchange in nodes only feasible using router services.
JIT-compiler (SNAP -> Network Processor Picocode).
IBM Zurich Research Laboratory
Zurich Research Laboratory
AN Safety Hierarchy
5
4
3
Dynamic router services:
registering new router services
Authentication of active packets
needed using a public key infrastructure.
Complex policy insertion
and manipulation
Admission control at the edge of the
network, trusted within a domain.
Simple policy modification
and manipulation
Running in a sandbox environment,
limited by predefined rules and
installed router services.
Creation of new packets and
resource-intensive router
services (e.g., lookups)
Sandbox environment based on the
knowledge of the instruction
performance.
Simple packet byte-code
Safety issues solved by restrictions
in the language definition and the
use of a sandbox environment.
No active code present
in packets
Corresponds to the traditional
packet forwarding process.
2
1
0
Safety
Level
IBM Zurich Research Laboratory
Zurich Research Laboratory
The Sandbox Environment in Active Nodes
Policy
Database
Resource
Database
Control
Entity
Neighborhood
Database
Safety
Levels
Router Service Handler
Active Code
Handler
Services Tables
Feedback
Control
2+
Forwarding
Entity
Active Byte-code
Interpreter
Hardware specific Services
1
Cls
Pol
TE
AQM
Networking Hardware
IBM Zurich Research Laboratory
Zurich Research Laboratory
Sched
0
AN and Network Processors
• Forwarding, filtering and classification functions.
• In pico-code programmable core language processors.
• Coprocessor assists for
–
–
–
–
–
table lookups (FM, LPM, SMT)
queuing
policing
string copy
checksum generator
• Hardware scheduler (WFQ, Priority Scheduler).
• Hardware assist for flow control (BAT, WRED).
• Embedded Power PC for more complex tasks.
=> On-the-fly active code execution at line speed is feasible.
IBM Zurich Research Laboratory
Zurich Research Laboratory
Example Applications
Intserv/RSVP Domain
Diffserv Network
with Active Nodes
Sender
SGSN
BSS
Receiver
GGSN
Pure Active Network Domain
IBM Zurich Research Laboratory
Zurich Research Laboratory
Mobile Network using
a GPRS Backbone
Conclusion
• Efficient QoS translation using Active Networks can lead
to improved E2E service guarantees.
• Security risks are bounded to the level of traditional IP
forwarding, control, and management.
• The Active Networking framework benefits from the
presence of network processors with specialized hardware
assists. Lower safety levels have been implemented on an
IBM PowerNP 4GS3.
• Future work: Dynamic off-loading of forwarding and
control functionalities directly onto a network processor.
IBM Zurich Research Laboratory
Zurich Research Laboratory
Questions…
IBM Zurich Research Laboratory
Zurich Research Laboratory
Additional Slides
IBM Zurich Research Laboratory
Zurich Research Laboratory
AN Requirements for Network Processors
• Array register initialized with the first part of the packet content (i.e.,
packet header).
• Array registers (scratch memory) that is large enough to hold the memory
section of an active packet as well as additional temporary values.
• A mechanism to read more data from the packet (access to all data in the
packet) and an array register to store this information.
• A mechanism to update the packet being forwarded.
• Load and store operations to move data between registers.
• Standard arithmetic and logical operations on scalar registers.
• Support for standard comparison and control flow operations (e.g.
(un)conditional branching, subroutine calls).
IBM Zurich Research Laboratory
Zurich Research Laboratory
E2E Service using Active Networks
RSVP (controlled load and fixed filter)
Domain A
Domain B
Domain C
- full support of RSVP in the
domain.
- no active routers present
(active packets are forwarded as
regular IP packets)
- metropolitan area
- limited RSVP support using
active routers.
- active packets from outside the
domain are not executed in this
domain (preemption)
- router services installed by
administrator
- corresponds to a core ISP
- No RSVP support.
- entering active packets are
allowed to execute active code
up to safety level 1.
- ISP at the edge of the network
Sender
Receiver
IBM Zurich Research Laboratory
Zurich Research Laboratory