Week 3 Flashcards
What is/are the problem(s) with manual configuration of packet routing policy?
Manual intervention
- is complex
- makes scaling slow and leads to overload
- is a potential cause of failures.
What does it mean that stateful NFs require attention to affinity?
What is flow affinity? What is session affinity?
Packets of a given flow should be processed by the same NF instance.
If NFs (like a stateful intrusion detection system) require both directions of traffic, this is called “session affinity”. Otherwise, affinity for the packets of a given flow in one direction is called “flow affinity”.
What are some examples of misconfigurations that can lead to failures?
- Administrators need to train employees on new hardware in the case of hardware upgrades.
- Misconfiguration of software after an upgrade.
- Misconfiguration can be due to incorrect IP addresses, or incorrect routing/load-balancing configuration after scaling NF instances.
What are some of the basic requirements of the control plane for middlebox management?
- Deploy chains of NFs.
- Dynamically scale them based on workload.
What is OpenStack?
OpenStack is a platform that allows a cluster of servers to be converted into a cloud-like IaaS (Infrastructure as a Service), using a number of microservices.
What are the OpenFlow functions that are typically used for implementing custom traffic forwarding paths?
*SDN allows programming switches to implement custom traffic forwarding paths.
Switches need to be compliant with OpenFlow.
SDN programs a switch by specifying which port a packet should be forwarded to based on its packet headers.
A switch can also be programmed to modify packet headers, e.g., change the destination MAC address or add a VLAN tag.
What are the main tasks relevant to network programming?
- How to set up complex forwarding between NFs.
- How to ensure affinity constraints of NFs, namely: all packets of a given flow must be processed by the same NF instance (flow affinity), or packets in both directions of a connection should be processed by the same NF instance (session affinity or connection affinity).
- How to ensure consistent routing despite the presence of header-modifying NFs (for example, NAT changes the IP header).
What are possible types of packet modification made by middleboxes?
- No packet modification - Firewall, IDS (Intrusion Detection System), IPS (Intrusion Prevention System); TCP/IP headers match exactly.
- Header modification - NAT, load balancer; packet payload matches exactly, packet transformation occurs at the timescale of each flow.
- Payload modification - WAN optimization, HTTP proxy (changes HTTP headers); high correlation in packet payload, packet transformation occurs at the timescale of each session.
- Complex modification - Encrypted VPN, compression.
What are the two possible solutions being used to ensure affinity?
- Flow correlation - collect packets at the SDN controller and calculate payload similarity (approximately). Doesn’t work on complex modifications such as compression or encryption.
- FlowTags - allows middleboxes to “tag” packets based on their internal context, then perform tag-based forwarding using OpenFlow. A deterministic approach, but it requires middleboxes to follow the FlowTags API.
What types of information are required to perform “right-sizing” of the network function instances?
Use initial estimates of the expected traffic rate to determine the load on an NF, and the per-core capacity to determine the number of instances of each NF.
*One of the considerations of the orchestrator is the placement of network functions. This includes determining the right size of the NFs, i.e., how many instances of each NF are needed.
Why is the minimization of inter-server traffic bandwidth important?
- Intra-server traffic can be handled much faster through software forwarding.
- Inter-server link bandwidth is a limited resource.
*inter means between (servers) while intra means within (a server).
What information can be used by the NFV Orchestrator to determine the NF chain that a packet belongs to?
Use TCP/IP headers to identify the NF chain that the packet is part of.
How can the NFV control plane keep track of which segment of an NF chain a given packet belongs to?
To determine which segment of the chain a packet is part of:
- Embed chain segment information using the destination MAC address, VLAN tags, MPLS tags, or unused fields in the IP header.
- Tag each packet of a flow on the very first switch it encounters.
What is an important challenge in exposing the header-transformation state of the middleboxes to the NFV Orchestrator?
Achieving standardized APIs and requiring vendors to expose internal states does not appear to be a viable near-term solution because of:
- the vast array of middleboxes and middlebox vendors.
- the proprietary nature of middlebox functionality.