Flow caching for high entropy packet fields

Packet classification on general purpose CPUs remains expensive regardless of advances in classification algorithms. Unless the packet forwarding pipeline is both simple and static in function, fine-tuning the system for optimal forwarding is a time-consuming and brittle process. Network virtualization and network function virtual-ization value general purpose CPUs exactly for their flexibility: in such systems, a single x86 forwarding element does not implement a single, static classification step but a sequence of dynamically reconfigurable and potentially complex forwarding operations. This leaves a software developer looking for maximal packet forwarding throughput with few options besides flow caching. In this paper, we consider the problem of flow caching and more specifically, how to cache forwarding decisions that depend on packet fields with high entropy (and therefore, change often); to this end, we arrive at algorithms that allow us to efficiently compute near optimal flow cache entries spanning several transport connections, even if forwarding decisions depend on transport protocol headers. Categories and Subject Descriptor

Packet Transactions: High-level Programming for Line-Rate Switches

Many algorithms for congestion control, scheduling, network measurement, active queue management, security, and load balancing require custom processing of packets as they traverse the data plane of a network switch. To run at line rate, these data-plane algorithms must be in hardware. With today's switch hardware, algorithms cannot be changed, nor new algorithms installed, after a switch has been built. This paper shows how to program data-plane algorithms in a high-level language and compile those programs into low-level microcode that can run on emerging programmable line-rate switching chipsets. The key challenge is that these algorithms create and modify algorithmic state. The key idea to achieve line-rate programmability for stateful algorithms is the notion of a packet transaction : a sequential code block that is atomic and isolated from other such code blocks. We have developed this idea in Domino, a C-like imperative language to express data-plane algorithms. We show with many examples that Domino provides a convenient and natural way to express sophisticated data-plane algorithms, and show that these algorithms can be run at line rate with modest estimated die-area overhead.Comment: 16 page

Delegating Network Security with More Information

Network security is gravitating towards more centralized control. Strong centralization places a heavy burden on the administrator who has to manage complex security policies and be able to adapt to users' requests. To be able to cope, the administrator needs to delegate some control back to end-hosts and users, a capability that is missing in today's networks. Delegation makes administrators less of a bottleneck when policy needs to be modified and allows network administration to follow organizational lines. To enable delegation, we propose ident++ - a simple protocol to request additional information from end-hosts and networks on the path of a flow. ident++ allows users and end-hosts to participate in network security enforcement by providing information that the administrator might not have or rules to be enforced on their behalf. In this paper we describe ident++ and how it provides delegation and enables flexible and powerful policies.United States. Dept. of Homeland Security (Scholarship and Fellowship Program)United States. Dept. of EnergyOak Ridge Institute for Science and Educatio

The Stanford OpenRoads Deployment

ABSTRACT We have built and deployed OpenRoad