فایل ورد کامل کنترل کننده زنجیره های عملکرد خدمات: بررسی عملکرد صحیح ارسال زنجیره عملکرد خدمات

توجه : به همراه فایل word این محصول فایل پاورپوینت (PowerPoint) و اسلاید های آن به صورت هدیه ارائه خواهد شد

این مقاله، ترجمه شده یک مقاله مرجع و معتبر انگلیسی می باشد که به صورت بسیار عالی توسط متخصصین این رشته ترجمه شده است و به صورت فایل ورد (microsoft word) ارائه می گردد

متن داخلی مقاله بسیار عالی، پر محتوا و قابل درک می باشد و شما از استفاده ی آن بسیار لذت خواهید برد. ما عالی بودن این مقاله را تضمین می کنیم

فایل ورد این مقاله بسیار خوب تایپ شده و قابل کپی و ویرایش می باشد و تنظیمات آن نیز به صورت عالی انجام شده است؛ به همراه فایل ورد این مقاله یک فایل پاور پوینت نیز به شما ارئه خواهد شد که دارای یک قالب بسیار زیبا و تنظیمات نمایشی متعدد می باشد

توجه : در صورت مشاهده بهم ریختگی احتمالی در متون زیر ،دلیل ان کپی کردن این مطالب از داخل فایل می باشد و در فایل اصلی فایل ورد کامل کنترل کننده زنجیره های عملکرد خدمات: بررسی عملکرد صحیح ارسال زنجیره عملکرد خدمات،به هیچ وجه بهم ریختگی وجود ندارد

تعداد صفحات این فایل: ۲۶ صفحه

بخشی از مقاله انگلیسیعنوان انگلیسی:SFC-Checker: Checking the Correct Forwarding Behavior of Service Function Chaining~~en~~

Abstract

Network middleboxes are difficult to manage and troubleshoot, due to their proprietary monolithic design. Moving towards Network Functions Virtualization (NFV), virtualized middlebox appliances can be more flexibly instantiated and dynamically chained, making troubleshooting even more difficult. To guarantee carrier-grade availability and minimize outages, operators need ways to automatically verify that the deployed network and middlebox configurations obey higher level network policies. In this paper, we first define and identify the key challenges for checking the correct forwarding behavior of Service Function Chains (SFC). We then design and develop a network diagnosis framework that aids network administrators in verifying the correctness of SFC policy enforcement. Our prototype – SFC-Checker can verify stateful service chains efficiently, by analyzing the switches’ forwarding rules and the middleboxes’ stateful forwarding behavior. Built on top of the network function models we proposed, we develop a diagnosis algorithm that is able to check the stateful forwarding behavior of a chain of network service functions.

۱ Introduction

Network Functions Virtualization (NFV) is a significant transformation of Telco infrastructure to reduce both CAPEX and OPEX while maintaining high carrier-grade service levels. The move to virtualized Network Functions (NFs) on standard servers raises the possibility of reduced performance and increased number of errors and outages. Hence troubleshooting and diagnosing problems early on before deployment is a critical issue. One killer requirement of NFV is service function chaining (SFC), where traffic is steered through a sequence of NFs dynamically. Even with today’s physical NFs, constructing a service chain involves multiple components: defining policy, programming the SDN controller, installing switch flow tables, and configuring the NFs. Mistakes in any of these components may cause packets being forwarded to the wrong NFs, or in the wrong order, or dropped. With the emergence of NFV, the scale and dynamics of chaining virtual NFs (VNFs) is likely to increase significantly – these errors will only become more prevalent. Hence, verifying and troubleshooting SFC has become increasingly crucial to the success of NFV adoption. Our long term goal is to build a comprehensive NFV diagnosis and troubleshooting framework into which network, NF and SFC troubleshooting tools can be plugged into, for both static and dynamic, proactive and reactive fault diagnosis and help operational efficiency while maintaining the required SLAs.

Towards the above high level goal, in this paper, we develop a SFC troubleshooting and diagnosis tool. More specifically, we examine whether flows are forwarded correctly according to the high level service chaining policies. We call it checking or diagnosing the forwarding behavior of an SFC. It includes three aspects, as demonstrated via three illustrative examples in Figure 1. First, it should check the sequence of NFs any flow should traverse. In Figure 1(a), the policy requires all the HTTP traffic from Campus A to Storage servers should be handled by a NAT, followed by a firewall, and finally an IDS. To check the correct implementation of this policy, we not only need to check the forwarding rules on the switches, but also to check how the NFs forward packets. Second, the service chain may be altered dynamically in run time according to the states of the traversed NF. In Figure 1(b), the flow initially goes through an IDS and a Load balancer (LB). If the IDS detects an attack signature in the flow, it alters the service chain to include a firewall for policy enforcement, e.g., dropping the malicious traffic. We call it dynamic service chains, and we aim at checking its correct implementation in both switches and NFs. Besides checking a network path, we also check NF configurations. The third example in Figure 1(c) illustrates the difficulties of performing such static analysis in the presence of NFs. The policy specifies that a Web request from Contractor to the Payroll server should be blocked by the FW. Checking this policy in a path without NFs is comparatively easy: check the rules on the FW and see if it blocks the right range of source IP addresses. However, it is hard when a NAT hides the original source IP addresses before the FW. Note that we only handle the forwarding behavior of an SFC. NFs’ other non-forwarding related behaviors, such as counting, traffic optimization, are out of the scope of this paper. We plan to address these extensions in future work.

One straightforward way to catch errors in the SFC for warding is to monitor the flows at run time and then compare the observed path with the policy. However, by the time the error is detected, traffic has already been affected. In this work, we argue for a static analysis framework to capture the problems before deployment. This is often known as “network verification” in the SDN context [1], [2]. Different from formal code verification, network verification tools essentially examine rules on all the switches in the network.

Our goal follows the same spirit to perform “verification” on SFC forwarding behaviors. However, we found that existing methods cannot be directly applied to check SFC correctness for a few reasons. First, a policy is complex and stateful. For example, a policy can specify that unauthorized users are prevented from accessing sensitive servers. To do this, an operator could use a stateful firewall to ensure that only traffic initiated from within the network is permitted and in doing so protect users from malicious traffic. NFs maintain each flow’s states and perform different actions based on these states. Second, existing forwarding abstractions (e.g., Openflow) cannot be directly applied because all packets of a flow are handled the same using a match-action rule. Thus, we need a new forwarding abstraction to consider the disparate state for individual flows. Finally, to check an SFC, we must check all NFs and switches that the flows traverses: essentially, verifying the entire network. While verifying stateless network devices is computationally challenging [1], [2], adding stateful devices further complicates the problem.

To address these challenges, we make the following contributions. First, we leverage existing middlebox abstract models and generalize them to a forwarding model for NF data planes. Each NF is described using a flow table and a state machine. We extend existing Openflow based match-action rules in two ways: (1) the match condition includes not only packet headers but also NFs’ internal states, and (2) the action consists of not only modifying packets but also triggering NF state transitions. Further, the match and action can be defined against either an individual packet or on the entire flow. The temporal relationship between states are described using a Finite State Machine (FSM). Note that modeling every detail of a complex NF is clearly intractable without applying sophisticated code analysis techniques. Instead, we focus only on the forwarding behavior of the NF. Different from recent extensions to make Openflow stateful [3], [4], [5], our model is specific to NFs and the SFC checking problem. Second, we develop an efficient algorithm for the static analysis of stateful networks. Existing approaches build forwarding graphs from the rules and verify using these graphs [1], [6]. However, this approach is insufficient because the forwarding graphs only capture the forwarding behavior of the network, but not the state transitions of the NFs. We propose a Stateful Forwarding Graph (SFG) that encodes both the state transitions and forwarding behavior. We develop an algorithm that automatically generates SFGs from NF tables and FSMs. Additionally, we designed several graph traversal algorithms on the SFG that answers state-dependent reachability questions.

In this work, we design and implement SFC-Checker, a framework that performs correctness checking of forwarding behavior for service function chains. Similar to existing verification work [1], [6], [7], we focus on checking stateful reachability invariants: e.g., “Given a specific packet trace, what sequence of NFs will the flow traverse”, or “After what sequence of packets, will A be allowed to communicate with B”. We developed a prototype of SFC-Checker and used it to analyze SFC diagnosis speed and scalability. The preliminary evaluation results show that we can verify an NF with 27 states in 1s and a network of 1800 NFs per path in 12ms. The time to construct the stateful forwarding graph is around 100ms – 300ms. For the NFs in the evaluation, we developed the forwarding models manually. A future effort will focus on automatic model generation.

$$en!!