Design and Implementation of a Consolidated Middlebox Architecture (CoMb) Vyas Sekar, Norbert Egi, Sylvia Ratnasamy Michael K. Reiter, Guangyu Shi Intel.


Design and Implementation of a Consolidated Middlebox Architecture (CoMb)
Vyas Sekar, Norbert Egi, Sylvia Ratnasamy, Michael K. Reiter, Guangyu Shi (Intel Labs, UC Berkeley, UNC Chapel Hill, Huawei)
Presenter: Giyoung Nam. Some slides are taken from the authors' presentation.
EE807 – Software-defined Networked Computing

Need for Network Evolution
New devices, new applications, evolving threats, and policy constraints (performance, security) all drive network evolution.

Era of Middleboxes
The middlebox market is growing exponentially; the number of middleboxes in an enterprise network is approaching the number of L3 network devices:

Type of appliance    Number
Firewalls            166
NIDS                 127
Media gateways       110
Load balancers        67
Proxies               66
VPN gateways          45
WAN optimizers        44
Voice gateways        11
Total middleboxes    636
Total routers       ~900

Messy Middlebox Infrastructure
- Developed in an uncoordinated manner: acquired from independent vendors as closed systems
- Specialized boxes: one device, one function, and no unified interfaces
- Hard to manage: no unified view or management of middleboxes across the network
- Increases both CapEx and OpEx

CoMb: Consolidate Middleboxes
CoMb consolidates at two levels:
- Platform: decouples the hardware and software (multiplexing and reusability)
- Network management: a network-wide controller (load distribution)

Consolidation at Platform Level
Decouple hardware and software: Proxy, Firewall, IDS/IPS and AppFilter run as applications on a shared platform.
- Reduces CapEx
- Enables extensibility

Application Multiplexing
Different applications peak at different times, which shows the potential benefit of multiplexing them on the same hardware.

Reusing Software Elements
Low-level modules (session management and protocol parsers for VPN, Web and Mail) can be shared between applications such as IDS, Proxy and Firewall.
- Enables extensibility

CoMb: Consolidate Middleboxes
CoMb consolidates at two levels:
- Platform: decouples the hardware and software (multiplexing and reusability)
- Network management: a network-wide controller (load distribution)

Spatial Distribution
Management consolidation enables flexible resource allocation.
Example: nodes N1, N2, N3 on the path N1 -> N3. A node on the path has a capacity of 100 units but 150 units of traffic arrive, so it is overloaded; the network-wide controller distributes the load across the nodes on the path.

Outline
- Motivation
- Overview of CoMb
- Design: management layer, platform layer
- Evaluation & conclusion
- xOMB
- Discussion

CoMb Management Layer
Goal: balance load across the network while exploiting multiplexing, reuse and distribution.
The network-wide controller requires three inputs:
- AppSpec: policy constraints for each middlebox application
- NetworkSpec: routing paths, middlebox locations and traffic classification information
- BoxSpec: resource requirements for each application

Constraints of the Management Layer
- Processing coverage: each middlebox application defines the sessions it is interested in
- Policy dependencies: respect the policy ordering constraints across middlebox applications
- Reuse dependencies: model the potential for reusing common actions

Constraints of the Management Layer (continued)
For practical reasons, all applications pertaining to a given session run on the same node. The figure shows IDS and Proxy, the modules they have in common, and their CPU and memory footprints for HTTP, UDP and NFS traffic: for an HTTP session, IDS and Proxy must be located on the same node. This requires identifying the exact sequence of applications for each session, which CoMb calls a HyperApp.

Capturing Reuse with HyperApps
A HyperApp is the union of the applications that must run on a traffic class, and its resource footprint counts the shared modules once:
- HTTP = IDS & Proxy: 1+2 = 3 units of CPU, 1+3 = 4 units of memory
- UDP = IDS
- NFS = Proxy

Network-wide Optimization
Minimize the maximum load, subject to:
- Processing coverage for each class of traffic: the fractions of traffic processed along a path add up to 1
- Load on each node: the sum of the HyperApp responsibilities assigned to it, over all paths through it
Example: HTTP on the path N1 -> N2 -> N3 with policy IDS < Proxy (IDS before Proxy); the HTTP HyperApp (IDS & Proxy) costs 3 CPU and 4 memory units per unit of traffic. N1 processes 0.4 of the traffic (1.2 CPU, 1.6 Mem); N2 and N3 process 0.3 each (0.9 CPU, 1.2 Mem). With 10 CPU and 10 Mem per node, the load is 12% CPU / 16% Mem at N1 and 9% CPU / 12% Mem at N2 and N3, so Max{Load} = 12% CPU, 16% Mem.
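The HyperApp footprint and per-node load computation of the two slides above, as an added Python example that is not code from the CoMb paper or this presentation. The common-module and per-application footprints are constructed so that HTTP = IDS & Proxy costs 3 CPU and 4 memory units; `check_coverage` enforces the processing-coverage constraint, and `max_load` is the objective the controller minimizes.

```python
# Added example (not CoMb's own code): HyperApp footprints and node loads.
from typing import Dict, Iterable

Footprint = Dict[str, float]          # resource -> units per unit of traffic

# Assumption: shared modules (session management, protocol parsing) cost
# 1 CPU / 1 mem and are counted once per HyperApp; per-app costs are on top.
COMMON: Footprint = {"cpu": 1.0, "mem": 1.0}
APP_SPECIFIC: Dict[str, Footprint] = {            # constructed values
    "IDS":   {"cpu": 1.0, "mem": 1.0},
    "Proxy": {"cpu": 1.0, "mem": 2.0},
}

def hyperapp_footprint(apps: Iterable[str]) -> Footprint:
    """Footprint of the union of apps, with the shared modules counted once."""
    fp = dict(COMMON)
    for app in apps:
        for res, units in APP_SPECIFIC[app].items():
            fp[res] += units
    return fp

def check_coverage(split: Dict[str, float]) -> None:
    """Processing-coverage constraint: fractions along the path sum to 1."""
    total = sum(split.values())
    if abs(total - 1.0) > 1e-9 or any(f < 0 for f in split.values()):
        raise ValueError(f"coverage violated: fractions sum to {total}")

def node_loads(classes, splits, capacity):
    """classes: class -> (apps, traffic volume); splits: class -> node -> fraction;
    capacity: node -> Footprint.  Returns node -> resource -> utilisation (0..1)."""
    load = {n: {r: 0.0 for r in cap} for n, cap in capacity.items()}
    for cls, (apps, volume) in classes.items():
        check_coverage(splits[cls])
        fp = hyperapp_footprint(apps)
        for node, frac in splits[cls].items():       # HyperApp responsibility
            for res, units in fp.items():
                load[node][res] += frac * volume * units / capacity[node][res]
    return load

def max_load(load) -> float:
    """Objective of the controller's LP: the busiest (node, resource) pair."""
    return max(u for node in load.values() for u in node.values())

if __name__ == "__main__":
    cap = {n: {"cpu": 10.0, "mem": 10.0} for n in ("N1", "N2", "N3")}
    classes = {"HTTP": (["IDS", "Proxy"], 1.0)}          # 1 unit of HTTP traffic
    split = {"HTTP": {"N1": 0.4, "N2": 0.3, "N3": 0.3}}  # the slide's split
    loads = node_loads(classes, split, cap)
    print(loads, "max load:", max_load(loads))
```

For this single path an even 1/3 split lowers the maximum load below the slide's 0.4/0.3/0.3 split, which is the direction the controller's optimization pushes.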

CoMb Platform Layer
Traffic enters through the NIC, is classified (e.g. HTTP: IDS -> Proxy), and is handed by the Policy Shim (PShim), which acts as the policy enforcer, to the applications (IDS, Proxy, ...) running on Core1 ... Core4.
Design goals: performance (parallelize, fast classification) and isolation (lightweight).

Parallelizing Application Instances
Two ways of mapping modules M1, M2, M3 to cores:
- App-per-core: each core runs one module behind its PShim.
  - Requires inter-core communication
  + No in-core context switches
- HyperApp-per-core: each core runs a whole HyperApp (e.g. M1 M2, M2 M3) behind its PShim.
  + Keeps data structures core-local
  + Better for reuse
  - Incurs context switches
  - Needs replicas

CoMb Platform Design
The NIC hardware demultiplexes traffic into queues Q1 ... Q5, each bound to a core (Core 1 ... Core 3); each core runs its own PShim and its HyperApps (e.g. M1 M4, M2 M3, M1 M5).
- Contention-free network I/O
- Parallel, core-local processing
- Workload balancing

Outline
- Motivation
- Overview of CoMb
- Design: management layer, platform layer
- Evaluation & conclusion
- xOMB
- Discussion

Implementation
- CoMb controller: uses CPLEX (a mathematical solver for linear programming)
- CoMb box prototype: classification is done by the NIC; the policy enforcer is implemented in kernel-mode Click
- CoMb applications: session reconstruction and protocol parsers are ported from Bro to Click; standalone applications are supported through DMA or virtual network interfaces

Reduction in Provisioning Cost
Consolidation reduces the provisioning cost. Relative savings = Provisioning(Today) / Provisioning(Consolidated). (The figure with the measured factor is not reproduced in this transcript.)

Reduction in Maximum Load
Consolidation reduces the maximum load. Relative savings = MaxLoad(Today) / MaxLoad(Consolidated). (The figure with the measured factor is not reproduced in this transcript.)

Conclusion
- Most network evolution occurs via middleboxes
- Current middleboxes are inflexible and difficult to extend, with high CapEx and OpEx
- CoMb, a consolidated middlebox architecture: decouples software and hardware, multiplexes applications, distributes load spatially, and reuses resources

xOMB: Extensible Open Middleboxes with Commodity Servers James Anderson, Ryan Braud, Rishi Kapoor, George Porter and Amin Vahdat

xOMB: eXtensible Open Middlebox
A framework for programmable middleboxes on commodity servers, focused on programmability and extensibility.
- Provides a programmable pipeline; where CoMb does per-packet processing, xOMB allows byte-stream-level processing
- Provides the low-level functionality necessary for high-performance processing; user-defined functionality sits on top of the basic xOMB blocks
- Currently works for TCP only

xOMB Architecture (figure)

Design of xOMB Server
Basic functionality: socket I/O, control plane, connection manager, message reorder buffer, client TCP, backend TCP, buffer manager.
Pipeline: user-defined or xOMB-defined modules.

Example of Pipeline: HTTP (figure)

Discussion
- The design lacks an explanation of "reusable modules": a HyperApp only identifies the application sequence and resource footprint, and the opportunity for reusable modules is shown only in the evaluation
- How is traffic classified that has already been processed by another middlebox?
- Identifying HyperApps requires a large amount of pre-processing time; "a handful of applications" does not fit future networks
- Trade-off of batching: batching packets in each HyperApp can reduce context-switch overhead, but the PShim (or some layer between the application and the PShim) needs an additional buffer to hold mid-stage packets

Load Balancing Switches
Although the xOMB design targets general middleboxes, we examine it with a load-balancing switch (LBS) scenario.
LBS with xOMB: operates at packet-payload granularity, with additional functionality such as rewriting HTTP 1.0 requests as HTTP 1.1 and connection collapsing.