eZTrust: Network-Independent Zero-Trust Perimeterization for Microservices
Authors: Zirak Zaheer, Hyunseok Chang, S. Mukherjee, J. Merwe
DOI: https://doi.org/10.1145/3314148.3314349
Published in: Proceedings of the 2019 ACM Symposium on SDN Research (2019-04-03)
Abstract: Emerging microservices-based workloads introduce new security risks in today's data centers, as attacks can propagate laterally within the data center relatively easily by exploiting cross-service dependencies. As countermeasures for such attacks, traditional perimeterization approaches, such as network-endpoint-based access control, do not fare well in highly dynamic microservices environments (especially considering the management complexity, scalability and policy granularity of these earlier approaches). In this paper, we propose eZTrust, a network-independent perimeterization approach for microservices. eZTrust allows data center tenants to express access control policies based on fine-grained workload identities, and enables data center operators to enforce such policies reliably and efficiently in a purely network-independent fashion. To this end, we leverage eBPF, the extended Berkeley Packet Filter, to trace authentic workload identities and apply per-packet tagging and verification. We demonstrate the feasibility of our approach through extensive evaluation of our proof-of-concept prototype implementation. We find that, when comparable policies are enforced, eZTrust incurs 2 to 5 times lower packet latency and 1.5 to 2.5 times lower CPU overhead than traditional perimeterization schemes.
Say No to Rack Boundaries: Towards A Reconfigurable Pod-Centric DCN Architecture
Authors: Ding-Xue Wu, Weitao Wang, Ang Chen, T. Ng
DOI: https://doi.org/10.1145/3314148.3314350
Published in: Proceedings of the 2019 ACM Symposium on SDN Research (2019-04-03)
Abstract: Data center networks are designed to interconnect large clusters of servers. However, their static, rack-based architecture poses many constraints. For instance, due to over-subscription, bandwidth tends to be highly unbalanced: while servers in the same rack enjoy full bisection bandwidth through a top-of-rack (ToR) switch, servers across racks have much more constrained bandwidth. This translates to a series of performance issues for modern cloud applications. In this paper, we propose a rackless data center (RDC) architecture that removes this fixed "rack boundary". We achieve this by inserting circuit switches at the edge layer, and dynamically reconfiguring the circuits to allow servers from different racks to form "locality groups". RDC optimizes the topology between servers and edge switches based on the changing workloads, and achieves lower flow completion times and improved load balance for realistic workloads.
NUTS: Network Updates in Real Time Systems
Authors: Saif U. N. Noor Prottoy, D. Saucez, W. Dabbous
DOI: https://doi.org/10.1145/3314148.3318051
Published in: Proceedings of the 2019 ACM Symposium on SDN Research (2019-04-03)
Abstract: Factories need to adapt their communication networks to versatile customer-driven markets. Software defined networking enables a programmatic approach that provides modularity and flexibility, and paves the road for behavior certification. Previous works proposed rigorous programming languages and abstractions offering safety properties and verification in best-effort environments. In this work, we propose an approach to provide live update of network element behavior while respecting real-time constraints. During the network updates, the traffic can be deviated to devices not involved in the desired upgrade, ensuring that communication invariants and software requirements are always taken into account. We leverage Temporal NetKAT to write network-wide programs and P4 annotations to give indications on the impact of the implementation on deterministic real-time communications passing through network appliances.
ADD: Application and Data-Driven Controller Design
Authors: Yikai Lin, Yuru Shao, Xiao Zhu, Junpeng Guo, K. Barton, Z. Morley Mao
DOI: https://doi.org/10.1145/3314148.3314351
Published in: Proceedings of the 2019 ACM Symposium on SDN Research (2019-04-03)
Abstract: Existing SDN controllers commonly adopt an event-driven model that minimizes southbound communication and control-plane overhead. This model satisfies most existing SDN applications' goals to maximize data plane performance while still being able to programmatically control with a decent level of visibility. However, as network composition becomes more heterogeneous with NFV and IoT, such a model can be insufficient for future applications that rely more on data analysis and intelligent decision making. In this paper, we present our findings in a case study on smart manufacturing systems, which have highly heterogeneous device compositions, and applications that are much less "throughput" hungry or "latency" sensitive than network applications but require a lot more data for (real-time) decision making. We share the insights we gain that help us design a new Application and Data-Driven (ADD) model for SDN controllers. We build a proof-of-concept ADD controller based on this model and develop two applications to showcase its new capabilities. Evaluation results show that ADD delivers satisfying scalability and performance. More importantly, applications enabled by ADD gain more insight into the data plane and can make better decisions faster.
Enabling Policy Innovation in Interdomain Routing: A Software-Defined Approach
Authors: Anduo Wang, Zhijia Chen, Tony Yang, Minlan Yu
DOI: https://doi.org/10.1145/3314148.3314359
Published in: Proceedings of the 2019 ACM Symposium on SDN Research (2019-04-03)
Abstract: BGP is known to restrict policy expressiveness and induce uncontrolled policy interactions that are hard to understand, reuse, and evolve. We argue that the use of a path vector system as the carrier of interdomain policies is the root cause of these limitations. To this end, we propose an alternative policy scheme built in a software-defined controller to decouple policy making from the path vector system. Rather than treating policies as hardwired attributes of a route that are configured and consumed as the route goes through the path vector decision process, we let policies flow, interact, and combine to influence end-to-end routes. This new software-defined scheme creates new space for policy language, route decision, and conflict resolution design, towards more flexible policies, cleaner policy enforcement, and controlled policy interaction. As a realization of our vision, we present an implementation that uses data integrity constraints for representing and reasoning about routing policies, addressing unique challenges in the decentralized interdomain environment.
Detecting Volumetric Attacks on IoT Devices via SDN-Based Monitoring of MUD Activity
Authors: Ayyoob Hamza, H. Gharakheili, Theophilus A. Benson, V. Sivaraman
DOI: https://doi.org/10.1145/3314148.3314352
Published in: Proceedings of the 2019 ACM Symposium on SDN Research (2019-04-03)
Abstract: Smart environments equipped with IoT devices are increasingly under threat from an escalating number of sophisticated cyber-attacks. Current security approaches are inaccurate, expensive, or unscalable, as they require static signatures of known attacks, specialized hardware, or full packet inspection. The IETF Manufacturer Usage Description (MUD) framework aims to reduce the attack surface on an IoT device by formally defining its expected network behavior. In this paper, we use SDN to monitor compliance with the MUD behavioral profile, and develop machine learning methods to detect volumetric attacks such as DoS, reflective TCP/UDP/ICMP flooding, and ARP spoofing to IoT devices. Our first contribution develops a machine for detecting anomalous patterns of MUD-compliant network activity via coarse-grained (device-level) and fine-grained (flow-level) SDN telemetry for each IoT device, thereby giving visibility into flows that contribute to a volumetric attack. For our second contribution, we measure the network behavior of IoT devices by collecting benign and volumetric attack traffic traces in our lab, label our dataset, and make it available to the public. Our last contribution prototypes a full working system (built with an OpenFlow switch, Faucet SDN controller, and a MUD policy engine), demonstrates its application in detecting volumetric attacks on several consumer IoT devices with high accuracy, and provides insights into the cost and performance of our system. Our data and solution modules are released as open source to the community.
KeySFC
Authors: C. Dominicini, G. Vassoler, Rodolfo V. Valentim, R. Villaça, M. Ribeiro, M. Martinello, E. Zambon
DOI: https://doi.org/10.1145/3314148.3318048
Published in: Proceedings of the 2019 ACM Symposium on SDN Research (2019-04-03)
Abstract: One of the main challenges in network functions virtualization (NFV) is how to dynamically steer traffic flows through a set of service functions (SFs). Fig. 1(a) shows the embedding of a service function chaining (SFC) request in an NFV Infrastructure (NFVI). The overlay layer represents logical connections between virtual machines (VMs), while the underlay layer represents connections between physical nodes.
Precise Time-synchronization in the Data-Plane using Programmable Switching ASICs
Authors: Pravein G. Kannan, Raj Joshi, M. Chan
DOI: https://doi.org/10.1145/3314148.3314353
Published in: Proceedings of the 2019 ACM Symposium on SDN Research (2019-04-03)
Abstract: Current implementations of time synchronization protocols (e.g. PTP) in standard industry-grade switches handle the protocol stack in the slow path (control plane). With new use cases of in-network computing using programmable switching ASICs, global time synchronization in the data plane is very much necessary for supporting distributed applications. In this paper, we explore the possibility of using programmable switching ASICs to design and implement a time synchronization protocol, DPTP, with the core logic running in the data plane. We perform comprehensive measurement studies on the variable delay characteristics in the switches and NICs under different traffic conditions. Based on the measurement insights, we design and implement DPTP on a Barefoot Tofino switch using the P4 programming language. Our evaluation on a multi-switch testbed shows that DPTP can achieve median and 99th percentile synchronization errors of 19 ns and 47 ns between 2 switches, 4 hops apart, in the presence of clock drifts and under heavy network load.
(Demo) Boléro: Enabling Policy Innovation in Interdomain Routing
Authors: Zhijia Chen, Anduo Wang
DOI: https://doi.org/10.1145/3314148.3318049
Published in: Proceedings of the 2019 ACM Symposium on SDN Research (2019-04-03)
Abstract: BGP is known to restrict policy expressiveness and induce monolithic policies with uncontrolled interactions among ASes that are hard to understand, reuse, and evolve. We argue that the use of a path vector system as the carrier of interdomain policy is the root cause of these limitations. To this end, we propose an alternative policy scheme built in a software-defined controller to decouple policy making from the path vector system. This new software-defined scheme creates new space for policy language, route decision, and conflict resolution design, towards flexible policies, cleaner policy enforcement, and controlled policy interaction. In this demonstration, we showcase boléro, a realization of our vision via the use of data integrity constraints (logical statements about what the acceptable network states are) for representing and reasoning about AS policies, addressing unique challenges in the decentralized interdomain environment.
Prophet: Real-time Queue Length Inference in Programmable Switches
Authors: Shuhe Wang, J. Bi, Chen Sun, Yu Zhou
DOI: https://doi.org/10.1145/3314148.3318050
Published in: Proceedings of the 2019 ACM Symposium on SDN Research (2019-04-03)
Abstract: Programmable switches enable the implementation of many complex network functions directly in the data plane. Protocol Independent Switch Architecture (PISA) is a state-of-the-art architecture for programmable switches [1]. After entering a PISA switch, packets first go through an ingress pipeline, then enter the traffic manager that maintains multiple queues, and are finally processed by an egress pipeline. However, there exists an intrinsic constraint in PISA. The traffic manager generates queue-length metadata that is only accessible in egress, while the ingress has no visibility into the queue status. This prevents PISA switches from supporting many advanced network functions. For instance, DRILL [3] employs per-packet load balancing by deciding which queue a packet should enter based on the lengths of candidate queues. The decision has to happen in ingress before packet queuing, which cannot be supported in PISA.