research-article

SIMPLE-fying middlebox policy enforcement using SDN

Authors:
Zafar Ayyub Qazi

Stony Brook University, Stony Brook, NY, USA

Stony Brook University, Stony Brook, NY, USA
View Profile

,
Cheng-Chun Tu

Stony Brook University, Stony Brook, NY, USA

Stony Brook University, Stony Brook, NY, USA
View Profile

,
Luis Chiang

Stony Brook University, Stony Brook, NY, USA

Stony Brook University, Stony Brook, NY, USA
View Profile

,
Rui Miao

University of Southern California, Los Angeles, CA, USA

University of Southern California, Los Angeles, CA, USA
View Profile

,
Vyas Sekar

Stony Brook University, Stony Brook, NY, USA

Stony Brook University, Stony Brook, NY, USA
View Profile

,
Minlan Yu

University of Southern California, Los Angeles, CA, USA

University of Southern California, Los Angeles, CA, USA
View Profile

Authors Info & Claims

ACM SIGCOMM Computer Communication Review Volume 43 Issue 4October 2013pp 27–38https://doi.org/10.1145/2534169.2486022

Published:27 August 2013Publication History

ACM SIGCOMM Computer Communication Review

Abstract

Networks today rely on middleboxes to provide critical performance, security, and policy compliance capabilities. Achieving these benefits and ensuring that the traffic is directed through the desired sequence of middleboxes requires significant manual effort and operator expertise. In this respect, Software-Defined Networking (SDN) offers a promising alternative. Middleboxes, however, introduce new aspects (e.g., policy composition, resource management, packet modifications) that fall outside the purvey of traditional L2/L3 functions that SDN supports (e.g., access control or routing).

This paper presents SIMPLE, a SDN-based policy enforcement layer for efficient middlebox-specific "traffic steering''. In designing SIMPLE, we take an explicit stance to work within the constraints of legacy middleboxes and existing SDN interfaces. To this end, we address algorithmic and system design challenges to demonstrate the feasibility of using SDN to simplify middlebox traffic steering. In doing so, we also take a significant step toward addressing industry concerns surrounding the ability of SDN to integrate with existing infrastructure and support L4-L7 capabilities.

References

Mininet. http://yuba.stanford.edu/foswiki/bin/view/OpenFlow/Mininet.Google Scholar
NEC's Simple Middlebox Configuration (SIMCO) Protocol. RFC 4540.Google Scholar
Open vSwitch. http://openvswitch.org/.Google Scholar
Palo Alto Networks. http://www.paloaltonetworks.com/.Google Scholar
POX Controller. http://www.noxrepo.org/pox/about-pox/.Google Scholar
Top million US websites. http://ak.quantcast.com/quantcast-top-million.zip.Google Scholar
World Enterprise Network Security Markets. http://www.abiresearch.com/research/product/1006059-world-enterprise-network-and-data-security/.Google Scholar
A. Anand et al. Packet Caches on Routers: The Implications of Universal Redundant Traffic Elimination. In Proc.\ SIGCOMM, 2008. Google ScholarDigital Library
J. W. Anderson, R. Braud, R. Kapoor, G. Porter, and A. Vahdat. xOMB: Extensible Open Middleboxes with Commodity Servers. In Proc.\ ANCS, 2012. Google ScholarDigital Library
T. Benson, A. Akella, A. Shaikh, and S. Sahu. CloudNaaS: A Cloud Networking Platform for Enterprise Applications. In Proc.\ SOCC, 2011. Google ScholarDigital Library
T. Benson, A. Anand, A. Akella, and M. Zhang. The Case for Fine-Grained Traffic Engineering in Data Centers. In Proc.\ INM/WREN, 2010. Google ScholarDigital Library
M. Casado et al. Ethane: Taking Control of the Enterprise. In Proc.\ SIGCOMM, 2007. Google ScholarDigital Library
T. Cormen, C. Leiserson, R. Rivest, and C. Stein. The Rabin--Karp algorithm. Introduction to Algorithms, 2001.Google Scholar
A. R. Curtis et al. DevoFlow: Scaling Flow Management for High-Performance Networks. In Proc.\ SIGCOMM, 2011. Google ScholarDigital Library
M. Dobrescu et al. RouteBricks: Exploiting Parallelism to Scale Software Routers. In Proc.\ SOSP, 2009. Google ScholarDigital Library
S. Fayazbakhsh, V. Sekar, M. Yu, and J. Mogul. FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions. In Proc.\ HotSDN, 2013 (to appear). Google ScholarDigital Library
A. Feldmann et al. Deriving Traffic Demands for Operational IP Networks: Methodology and Experience. In Proc.\ SIGCOMM, 2000. Google ScholarDigital Library
A. Gember, P. Prabhu, Z. Ghadiyali, and A. Akella. Toward Software-Defined Middlebox Networking. In Proc.\ HotNets-XI, 2012. Google ScholarDigital Library
G. Gibb, H. Zeng, and N. McKeown. Outsourcing Network Functionality. In Proc.\ HotSDN, 2012. Google ScholarDigital Library
P. Gill et al. Understanding Network Failures in Data Centers: Measurement, Analysis, and Implications. In Proc.\ SIGCOMM, 2011. Google ScholarDigital Library
A. Greenlagh et al. Flow Processing and the Rise of Commodity Network Hardware. In CCR, 2009. Google ScholarDigital Library
N. Gude et al. NOX: Towards an Operating System for Networks. In CCR, 2008. Google ScholarDigital Library
V. Heorhiadi, M. K. Reiter, and V. Sekar. New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems. In Proc.\ CoNEXT, 2012. Google ScholarDigital Library
X. Jin, L. E. Li, L. Vanbever, and J. Rexford. SoftCell: Taking Control of Cellular Core Networks. In TR-950--13, Princeton University, 2013.Google Scholar
D. Joseph and I. Stoica. Modeling middleboxes. IEEE Network, 2008. Google ScholarDigital Library
D. A. Joseph, A. Tavakoli, and I. Stoica. A Policy-aware Switching Layer for Data Centers. In Proc.\ SIGCOMM, 2008. Google ScholarDigital Library
P. Kazemian, G. Varghese, and N. McKeown. Header Space Analysis: Static Checking for Networks. In Proc.\ NSDI, 2012. Google ScholarDigital Library
E. Kohler, R. Morris, B. Chen, J. Jannotti, and M. F. Kaashoek. The Click Modular Router. ACM TOS, Aug 2000. Google ScholarDigital Library
T. Koponen et al. Onix: A Distributed Control Platform for Large-scale Production Network. In Proc.\ OSDI, 2010. Google ScholarDigital Library
L. E. Li et al. PACE: Policy-Aware Application Cloud Embedding. In Proc.\ INFOCOM, 2013.Google Scholar
C. Monsanto, J. Reich, N. Foster, J. Rexford, and D. Walker. Composing Software Defined Networks. In Proc.\ NSDI, 2013. Google ScholarDigital Library
M. Moshref, M. Yu, A. Sharma, and R. Govindan. vCRIB: Virtualized Rule Management in the Cloud. In Proc.\ NSDI, 2013.Google Scholar
V. Paxson. Bro: A System for Detecting Network Intruders in Real-Time. In Computer Networks, pages 2435--2463, 1999. Google ScholarDigital Library
H. Pucha, D. G. Andersen, and M. Kaminsky. Exploiting Similarity for Multi-Source Downloads using File Handprints. In Proc.\ NSDI, 2007. Google ScholarDigital Library
S. Raza et al. MeasuRouting: A Framework for Routing Assisted Traffic Monitoring. In Proc.\ INFOCOM, 2010. Google ScholarDigital Library
C. Rotsos, N. Sarrar, S. Uhlig, R. Sherwood, and A. Moore. OFLOPS: An Open Framework for Openflow Switch Evaluation. In Proc.\ PAM, 2012. Google ScholarDigital Library
V. Sekar et al. The middlebox manifesto: enabling innovation in middlebox deployment. In Proc.\ HotNets, 2011. Google ScholarDigital Library
V. Sekar et al. Design and Implementation of a Consolidated Middlebox Architecture. In Proc.\ NSDI, 2012. Google ScholarDigital Library
J. Sherry et al. Making Middleboxes Someone Else's Problem: Network Processing as a Cloud Service. In Proc.\ SIGCOMM, 2012. Google ScholarDigital Library
N. Spring, R. Mahajan, and D. Wetherall. Measuring ISP Topologies with Rocketfuel. In Proc.\ SIGCOMM, 2002. Google ScholarDigital Library
M. Stiemerling, J. Quittek, and T. Taylor. Middlebox communication (MIDCOM) protocol semantics. RFC 5189.Google Scholar
R. Wang, D. Butnariu, and J. Rexford. Openflow-Based Server Load Balancing Gone Wild. In Proc.\ Hot-ICE, 2011. Google ScholarDigital Library
Z. Wang, Z. Qian, Q. Xu, Z. Mao, and M. Zhang. An Untold Story of Middleboxes in Cellular Networks. In Proc.\ SIGCOMM, 2011. Google ScholarDigital Library
B. White et al. An Integrated Experimental Environment for Distributed Systems and Networks. In Proc. of OSDI, 2002. Google ScholarDigital Library
M. Yu, J. Rexford, M. J. Freedman, and J. Wang. Scalable Flow-Based Networking with DIFANE. In Proc.\ SIGCOMM, 2010. Google ScholarDigital Library
Y. Zhang and V. Paxson. Detecting Stepping Stones. In Proc.\ USENIX Security Symposium, 2000. Google ScholarDigital Library

Index Terms

SIMPLE-fying middlebox policy enforcement using SDN
1. Networks
  1. Network architectures
  2. Network services
    1. Network management

Recommendations

SIMPLE-fying middlebox policy enforcement using SDN
SIGCOMM '13: Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM

Networks today rely on middleboxes to provide critical performance, security, and policy compliance capabilities. Achieving these benefits and ensuring that the traffic is directed through the desired sequence of middleboxes requires significant manual ...
Read More
A flexible and efficient container-based NFV platform for middlebox networking
SAC '18: Proceedings of the 33rd Annual ACM Symposium on Applied Computing

Network Function Virtualization (NFV) enables multiple network functions (NFs) to operate simultaneously on a commodity server. Internet Data Centers (IDCs) gain significant flexibility and agility through NFV's ability to dynamically deploy and ...
Read More
Virtual Network Functions Instantiation on SDN Switches for Policy-Aware Traffic Steering
ANCS '16: Proceedings of the 2016 Symposium on Architectures for Networking and Communications Systems

Software-Defined Networking (SDN) provides the capability to steer traffic in a network to lower the management cost. Network Function Virtualization (NFV) gives the chance to implement network functions at the right time and the right place to increase ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM SIGCOMM Computer Communication Review Volume 43, Issue 4
October 2013
595 pages
ISSN:0146-4833
DOI:10.1145/2534169
Issue’s Table of Contents
SIGCOMM '13: Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM
August 2013
580 pages
ISBN:9781450320566
DOI:10.1145/2486001
General Chairs:
Dah Ming Chiu
Chinese University of Hong Kong, China
,
Jia Wang
AT&T Labs - Research, USA
,
Program Chairs:
Paul Barford
University of Wisconsin, USA
,
Srinivasan Seshan
Carnegie Mellon University, USA
Copyright © 2013 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 27 August 2013
Check for updates
Author Tags
middlebox
network management
software-defined networking
Qualifiers
- research-article
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 611
  Total Citations
  View Citations
- 4,087
  Total Downloads
- Downloads (Last 12 months)232
- Downloads (Last 6 weeks)29
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

SIMPLE-fying middlebox policy enforcement using SDN

ACM SIGCOMM Computer Communication Review

Abstract

References

Cited By

Index Terms

Recommendations

SIMPLE-fying middlebox policy enforcement using SDN

A flexible and efficient container-based NFV platform for middlebox networking

Virtual Network Functions Instantiation on SDN Switches for Policy-Aware Traffic Steering