Abstract
Networks today rely on middleboxes to provide critical performance, security, and policy compliance capabilities. Achieving these benefits and ensuring that traffic is directed through the desired sequence of middleboxes requires significant manual effort and operator expertise. In this respect, Software-Defined Networking (SDN) offers a promising alternative. Middleboxes, however, introduce new aspects (e.g., policy composition, resource management, packet modifications) that fall outside the purview of the traditional L2/L3 functions that SDN supports (e.g., access control or routing).
This paper presents SIMPLE, an SDN-based policy enforcement layer for efficient middlebox-specific "traffic steering". In designing SIMPLE, we take an explicit stance to work within the constraints of legacy middleboxes and existing SDN interfaces. To this end, we address algorithmic and system design challenges to demonstrate the feasibility of using SDN to simplify middlebox traffic steering. In doing so, we also take a significant step toward addressing industry concerns about the ability of SDN to integrate with existing infrastructure and support L4-L7 capabilities.
SIMPLE-fying middlebox policy enforcement using SDN. In SIGCOMM '13: Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM.