AHI: Efficient policy space set operations

With the rapid industrial deployment of software-defined networking (SDN) and network function virtualization (NFV) technologies, network function policy enforcement in large-scale virtualized networks has become a key challenge for network management. Distributed policy enforcement relies heavily on network policy space analysis, where set operations consume most of the computation. Based on spatial projection and bitmap indexing, a novel algorithm, AHI (Atomic Hyper-Rectangle Indexing), is proposed for fast policy space set operations. Experiments with real datasets demonstrated that AHI improves set operation speed by two to three orders of magnitude and achieves the same least space cost, compared to the existing state-of-the-art algorithms r-BDD, wildcard expression, and PSA.
