OpenBox Controller Northbound API
Dan Shmidt | January 2017

Project Goal
• Design and implementation of OpenBox's Northbound API

Agenda
• Network Functions (AKA the problem)
• OpenBox (AKA the solution)
• Zoom-in: OpenBox Controller
• Workflows
• Architecture

Network Functions (NF)

What are Network Functions?
• Appliances deployed on a network's data plane (physical or virtual)
• Usually perform some sort of packet processing
• Examples: firewall, IDS, IPS, load balancer
• (figures: Typical Firewall (example), Typical IPS (example))

The Downside of NFs
• Managed separately: hardware, management interface
• Redundant processing: header inspection

OpenBox

OpenBox Introduction
• Framework: hardware, software, SDK, API
• Decouple the NF control plane from the data plane
• Merge data plane activity for multiple NFs
• Allow network administrators to experiment with NFs
• (figure: Merged Firewall + IPS)

OpenBox Architecture

OpenBox Components

Northbound API
• SDK for NF developers that allows NF creation with a small set of generic pieces
• Application loading and management
• API for applications to interact with the data plane

OpenBox Application (OBA)
• User-defined logic that aims to perform packet processing
• Defined in terms of the Northbound API (SDK)
• Formally a tuple:

OpenBox Controller (OBC)
• Centralized control of the OpenBox framework
• Facing the user (Northbound API)
• Facing the data plane (Southbound API)

OpenBox Instance (OBI)
• A single unit in OpenBox's data plane
• Executes the user-defined logic
• Single requirement: implement the OpenBox protocol
• Virtual / physical / software / hardware

Southbound API
• Communication protocol between OBI and OBC
• Control plane messages, e.g. Set Processing Graph
• Data plane messages, e.g. Read Handle (count of dropped packets)

OpenBox Controller

Responsibilities (South)
• Manage the data plane by controlling OBIs
• Communication layer between applications and the data plane
• Load custom modules

Responsibilities (North)
• Create applications
• Load applications
• Query applications
• Network overview
• Expose OpenBox functionality

Architecture Challenges
• Asynchronous system
• How much of the raw data is exposed to the application
• Application isolation

OpenBox Abstraction Layer (OBAL)
• SDK for application developers
• Building blocks for every possible NF: header matching, payload matching, alerts

OBAL Implementation

Events Manager
• Responsible for triggering events
• Registers applications to the events they request
• Holds a hook to access applications when needed

Available Events
• Mandatory events: Application Started, Application Stopped, Error
• Non-mandatory: Alert

Read / Write Handles
• Access to the application configuration and statistics
• Access to a specific processing block of a specific application

Topology Manager
• The knowledge of how the network is built
• Topology information is needed across the board: users, OBC internal use

Application Registry
• Entry point for application creators
• Ability to register new applications to the controller
• Plugin-like behavior

Application Aggregator
• Merge mutual processing blocks of several applications
• Caution not to disrupt application isolation

(architecture diagram: OBA; Topology Manager; OBAL Registry; Handle Clients; Event Handlers; Events Manager; Aggregator; to the data plane via the Southbound API)

Workflows

Application Loading
• How to install a new OpenBox application:
  • Implement the logic with the OpenBox SDK
  • Supply topology information
  • Use ApplicationRegistry to load the application

(sequence diagram, Application Loading: OBA -> Registry -> Event Manager -> Aggregation; messages: Load Application, Aggregate, Perform Aggregation, Application Loaded, Application Started)

Read / Write Handles Workflow
• Once an application has started, the administrator would like to query the application from the data plane: How many packets were processed? How many packets were dropped?

(sequence diagram, Read / Write Handles Workflow: Handle Client -> OBA -> Southbound API -> OBI; messages: Read Handle, Read Handle, Read Handle, Read Result, Read Result)

Application Isolation (read handles)
• The aggregator keeps a mapping of original block id -> new block id
• A query for a read handle checks the mapping and queries the new block that actually resides in the data plane

Event / Alert Workflow
• The application's way to actively notify about its lifetime and about its processing: Instance Down, Packet Dropped, Threat Detected

(sequence diagram, Event/Alert Workflow: OBA, Event Manager, Southbound API, OBI; messages: Alert, Handle Alert, handler.Handle)

Application Isolation (alerts)
• Alert blocks carry their identifier
• The application aggregator keeps an original blocks -> application mapping
• Aggregation takes care of keeping the original identifier on the aggregated graph

Example (Simple IPS)
• (figure: Processing Graph)
• Code snippets (create blocks)
• Code snippets (connect)

Benefits
• ~270 lines of code
• Code is readable and self-explanatory
• Easily configurable
• Easily changeable
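As an added example (not code from these slides or from the OpenBox project), the following Python sketch models the aggregator behaviour described in the two Application Isolation slides, using the merged Firewall + IPS case: mutual blocks of two applications are merged into one data-plane block, read handles are routed through the original id -> data-plane id mapping, and an alert is attributed to its owning application through the original identifier kept on the aggregated graph. Block, Aggregator, build_demo, the "dpN" ids and the rule that Alert blocks are never merged are assumptions of this sketch, not the project's API.

```python
from collections import namedtuple
# block_id is chosen by the app developer (assumed globally unique); kind is
# e.g. "HeaderClassifier", "PayloadMatcher", "Alert"; config is a hashable tuple
Block = namedtuple("Block", "block_id kind config")

class Aggregator:
    """Merge mutual blocks of several apps, keeping the isolation mappings."""
    def __init__(self):
        self.merged = {}     # merge key -> data-plane block id
        self.block_map = {}  # (app, original block id) -> data-plane block id
        self.owner = {}      # original id kept on the aggregated graph -> app
        self._next = 0

    def load(self, app, blocks):
        for b in blocks:
            if b.block_id in self.owner:
                raise ValueError(f"block id {b.block_id} already registered")
            # Alert blocks are never merged (their id is part of the key), so
            # every alert stays attributable to exactly one application
            key = (b.kind, b.config, b.block_id if b.kind == "Alert" else None)
            if key not in self.merged:
                self._next += 1
                self.merged[key] = f"dp{self._next}"
            self.block_map[(app, b.block_id)] = self.merged[key]
            self.owner[b.block_id] = app

    def read_handle(self, stats, app, block_id, handle):
        # Query the block that actually resides in the data plane (may be shared)
        return stats[self.block_map[(app, block_id)]][handle]

    def dispatch_alert(self, alert, handlers):
        # The alert carries the original block id; only the owner's handler runs
        app = self.owner[alert["block_id"]]
        handlers[app](alert)
        return app

def build_demo():
    """Constructed firewall + IPS apps sharing one HTTP header classifier,
    plus constructed per-block statistics keyed by aggregated block id."""
    agg = Aggregator()
    http = (("dst_port", 80),)
    agg.load("firewall", [Block("fw_cls", "HeaderClassifier", http),
                          Block("fw_drop", "Discard", ())])
    agg.load("ips", [Block("ips_cls", "HeaderClassifier", http),
                     Block("ips_sig", "PayloadMatcher", (("pattern", "evil"),)),
                     Block("ips_alert", "Alert", ())])
    stats = {dp: {"packets": 0} for dp in agg.block_map.values()}
    stats[agg.block_map[("firewall", "fw_cls")]]["packets"] = 1200
    return agg, stats
```

Both applications' classifier queries resolve to the same shared data-plane block, while the IPS alert reaches only the IPS handler.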

Experimental Results

Experimental Environment
• Hardware (sheldon): Intel Xeon E3-1270 V3 CPU, 32GB RAM

Experiment Goal
• How well does the OBC handle messages from the data plane?
• Resource utilization
• Latency

Experimental Scenario
• Controller
• Single OBI
• Single application which sends alerts at a configurable rate (MPM)

(result plots: Memory Utilization, CPU Utilization, Latency)

Futuristic

Future Work
• Smart / automatic NF placement
• OpenFlow integration
• Create NFs with a graphical tool
• Native Northbound API
• Dashboard
• Reloading applications while the controller is running

Questions?
