ShadeNF: Testing Online Network Functions

Abstract

The correct implementation of network policies for "in-production" network functions is critical, as it determines the security, availability and performance of a production network. Usually, conducting network testing for these network functions in a live production environment is attractive, as the production environment captures the most exact, realistic dynamic state and vulnerabilities of the system under test. However, doing so also brings potential risks of impacting or even damaging the production system. To address this tension, we present ShadeNF, a novel online platform for testing in-cloud network functions in a production-like environment, without disrupting the real production system. ShadeNF enables such a production-like environment with an exact live clone of production network functions and real production traffic as the test traffic. In designing and implementing ShadeNF, we address several key challenges and contribute new techniques in supporting such a testing platform, including an SDN-based live, consistent snapshot approach, a new programmable forwarding plane, and a scaled test traffic generator. We implement a ShadeNF prototype upon OpenStack and demonstrate that ShadeNF successfully captures the dynamics of production systems, and effectively localizes a range of policy violations in SDN/NFV systems.