Scalable Rule Management for Data Centers

Cloud operators increasingly need fine-grained rules to control individual network flows for various traffic management policies. In this paper, we explore automated rule management in the context of a system called vCRIB (a virtual Cloud Rule Information Base), which provides the abstraction of a centralized rule repository. The challenge in our approach is the design of algorithms that automatically off-load rule processing to overcome resource constraints on hypervisors and/or switches, while minimizing redirection traffic overhead and responding to system dynamics. vCRIB contains novel algorithms for finding feasible rule placements and adapting traffic overhead induced by rule placement in the face of traffic changes and VM migration. We demonstrate that vCRIB can find feasible rule placements with less than 10% traffic overhead even in cases where the traffic-optimal rule placement may be infeasible with respect to hypervisor CPU or memory constraints.
