1 A Policy-aware Switching Layer for Data Centers Dilip Joseph Arsalan Tavakoli Ion Stoica University of California at Berkeley

Problem: Middleboxes are hard to deploy Place on network path Overload path selection mechanisms pkt network path On path placement fails to achieve CorrectnessGuaranteed middlebox traversal Flexibility(Re)configurable network topology EfficiencyNo middlebox resource wastage Load Balancer Firewall

Preview Problem –Middleboxes are hard to deploy Solution –Overview –Challenges –Limitations Implementation & evaluation Related work

Common data center topology Internet Servers Layer-2 switch Access Data Center Layer-2/3 switch Aggregation Layer-3 router Core Firewall Load Balancer

Inflexible topology Internet Intrusion Prevention Box Firewall Load Balancer

Inefficient - middlebox resource wastage Internet Process unnecessary traffic Unutilized Backup path

S1S2 Protect S1 ↔ S2 traffic Correctness is hard Internet Option 1 –Existing firewalls Newly blocked link

Correctness is hard Internet Option 1 –Existing firewalls Option 2 –New firewall S1S2 Protect S1 ↔ S2 traffic

Correctness is hard Internet Option 1 –Existing firewalls Option 2 –New firewall Option 3 –Separate VLANs S1S2 Protect S1 ↔ S2 traffic

Outline Problem Middleboxes are hard to deploy Solution –Overview –Challenges –Limitations Implementation & evaluation Related work

Policy-aware Switching Layer Policy-aware switching layer load balancer Existing mechanisms firewall 1Take middleboxes off-path Separate policy from reachability2 HTTP Firewall  Load balancer TCP port = 80 PSwitch load balancer firewall PPPPPPPPPPPPPPP

PSwitch explicitly forwards packets to middleboxes Firewall (F)Load Balancer (L) Core Router R PSwitch Web Server Data center Src:RSrc:L HeaderBody Rule table MatchNext Hop MAC R,port 80F Interface 1, port 80L MAC L,port 80FinalDest PPPPP HTTPFirewall  Load balancer Centralized Policy Controller

Firewall Load Balancer PSwitch A Web Server Data center Custom Firewall Intrusion Prevention Box ERP Server Firewall PSwitch B HTTPFirewall  Load balancer ERPCustom Firewall  IPS Distributed forwarding Loadbalancing middleboxes Different policies for different traffic

Challenges 1.Minimizing infrastructure changes 2.Non-transparent middleboxes 3.Guaranteeing correctness under churn

Guarantees under Churn Network Middlebox Policy Packets never bypass middleboxes Some packets may be dropped

Limitations Indirect paths Policy specification complexity

Outline Problem Middleboxes are hard to deploy Solution Overview Challenges Limitations Implementation & evaluation Related work

Implementation PSwitches prototyped in PPPPP 750 Mbps 0.3 milliseconds 25 policies Compared to software Ethernet switch –82% TCP throughput –16% latency increase Exploring hardware options PSwitch

Validation of functionality 10 PCs with 4 network interfaces each PPPPPPPPPPPPPPPPPPPP iptables firewallswebservers BalanceNG Load balancer client Physical topology

Logical topologies on same physical topology X

Related Work 4D Routing Control Platform Ethane Indirection Internet Indirection Infrastructure Delegation Oriented Architecture Separation of policy and reachability High-end switches Cisco Catalyst 6500 SIGCOMM 2008 SEATTLE DCell Commodity DC Network Architecture

Conclusion Deploying middleboxes is hard A new layer-2 with explicit middlebox support –Middleboxes taken off network path –Policy separated from reachability

Questions?

Backup Slides

Policy churn Conflicting policy updates HTTPLoad balancer  Firewall Version 1 Firewall  Load balancerHTTP Version 2 FirewallLoad Balancer PPPPP Version 1Version 2 MatchNext Hop Interface 0, port 80L Interface 2, port 80F Interface 1, port 80FinalDest MatchNext Hop Interface 0, port 80F Interface 2, port 80FinalDest Interface 1, port 80L

Intermediate middlebox types Guarantees traversal HTTPLoad balancer  Firewall Version 1 Firewall ’  Load balancer ’ HTTP Version 2 Firewall Load Balancer PPPPP Firewall ’ Load Balancer ’