SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Slides:



Advertisements
Similar presentations
Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul
Advertisements

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Toward Practical Integration of SDN and Middleboxes
SIMPLE-fying Middlebox Policy Enforcement Using SDN
VCRIB: Virtual Cloud Rule Information Base Masoud Moshref, Minlan Yu, Abhishek Sharma, Ramesh Govindan HotCloud 2012.
Composing Software Defined Networks
Nanxi Kang Princeton University
Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.
Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.
Toward Practical Convergence of Middleboxes and Software-Defined Networking Vyas Sekar Joint work with: Seyed Kaveh Fayazbakhsh, Zafar Qazi, Luis Chiang,
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
SDN: Extensions Middleboxes 1 Ack: Vyas Sekar, Aaron Gember, Felipe Huici, Zafar Qazi.
Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.
Software Defined Networking COMS , Fall 2013 Guest Speaker: Seyed Kaveh Fayazbakhsh Stony Brook University 11/12/2013: SDN and Middleboxes.
OpenFlow-Based Server Load Balancing GoneWild
Programming Abstractions for Software-Defined Networks Jennifer Rexford Princeton University.
Network Innovation using OpenFlow: A Survey
Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.
Software-Defined Networking
Dream Slides Courtesy of Minlan Yu (USC) 1. Challenges in Flow-based Measurement 2 Controller Configure resources1Fetch statistics2(Re)Configure resources1.
FireFly: A Reconfigurable Wireless Datacenter Fabric using Free-Space Optics Navid Hamedazimi, Zafar Qazi, Himanshu Gupta, Vyas Sekar, Samir Das, Jon.
The Middlebox Manifesto: Enabling Innovation in Middlebox Deployment 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.
A Survey on Interfaces to Network Security
Justine Sherry*, Shaddi Hasan*, Colin Scott*, Arvind Krishnamurthy†,
Cellular Core Network Architecture
LABERIO: Dynamic load- balanced routing in OpenFlow- enabled networks Author:Hui Long, Yao Shen*, Minyi Guo, Feilong Tang IEEE 27th International.
Composing Software Defined Networks Jennifer Rexford Princeton University With Joshua Reich, Chris Monsanto, Nate Foster, and.
1 Using Composite Variable Modeling to Solve Integrated Freight Transportation Planning Problems Sarah Root University of Michigan IOE November 6, 2006.
Software-Defined Networks Jennifer Rexford Princeton University.
VeriFlow: Verifying Network-Wide Invariants in Real Time
Higher-Level Abstractions for Software-Defined Networks Jennifer Rexford Princeton University.
1 Heterogeneity in Multi-Hop Wireless Networks Nitin H. Vaidya University of Illinois at Urbana-Champaign © 2003 Vaidya.
Software Defined Networking Kathryn Abbett. Definition □Origins from Berkley and Stanford, around 2008 □Software-Defined Networking (SDNs) allows applications.
CloudNaaS: A Cloud Networking Platform for Enterprise Applications Theophilus Benson*, Aditya Akella*, Anees Shaikh +, Sambit Sahu + (*University of Wisconsin,
Floodless in SEATTLE : A Scalable Ethernet ArchiTecTure for Large Enterprises. Changhoon Kim, Matthew Caesar and Jenifer Rexford. Princeton University.
Bohatei: Flexible and Elastic DDoS Defense
Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags Seyed K. Fayazbakhsh *, Luis Chiang ¶, Vyas Sekar *, Minlan.
Extending SDN to Handle Dynamic Middlebox Actions via FlowTags (Full version to appear in NSDI’14) Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
Module 10: How Middleboxes Impact Performance
Programming Languages for Software Defined Networks Jennifer Rexford and David Walker Princeton University Joint work with the.
Aaron Gember, Theophilus Benson, Aditya Akella University of Wisconsin-Madison.
SDN Management Layer DESIGN REQUIREMENTS AND FUTURE DIRECTION NO OF SLIDES : 26 1.
CellSDN: Software-Defined Cellular Core networks Xin Jin Princeton University Joint work with Li Erran Li, Laurent Vanbever, and Jennifer Rexford.
SIMPLE-fying Middlebox Policy Enforcement Using SDN
Jennifer Rexford Princeton University MW 11:00am-12:20pm SDN Programming Languages COS 597E: Software Defined Networking.
FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions Author: Seyed Kaveh Fayazbakhsh, Vyas Sekar, Minlan Yu and Jeffrey.
SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar, Rui Miao, Minlan Yu Presenter : ChoongHee.
NEWS: Network Function Virtualization Enablement within SDN Data Plane.
BUZZ: Testing Context-Dependent Policies in Stateful Networks Seyed K. Fayaz, Tianlong Yu, Yoshiaki Tobioka, Sagar Chaki, Vyas Sekar.
Preliminaries: EE807 Software-defined Networked Computing KyoungSoo Park Department of Electrical Engineering KAIST.
Software Defined Networking BY RAVI NAMBOORI. Overview  Origins of SDN.  What is SDN ?  Original Definition of SDN.  What = Why We need SDN ?  Conclusion.
Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul
Ready-to-Deploy Service Function Chaining for Mobile Networks
Xin Li, Chen Qian University of Kentucky
SDN challenges Deployment challenges
SDN Network Updates Minimum updates within a single switch
A Survey of Network Function Placement
University of Maryland College Park
The DPIaaS Controller Prototype
Heitor Moraes, Marcos Vieira, Italo Cunha, Dorgival Guedes
Hydra: Leveraging Functional Slicing for Efficient Distributed SDN Controllers Yiyang Chang, Ashkan Rezaei, Balajee Vamanan, Jahangir Hasan, Sanjay Rao.
15-744: Computer Networking
NOX: Towards an Operating System for Networks
of Dynamic NFV-Policies
A Novel Framework for Software Defined Wireless Body Area Network
Software Defined Networking (SDN)
DDoS Attack Detection under SDN Context
Chapter 3 VLANs Chaffee County Academy
Programmable Networks
Presentation transcript:

SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu

Middleboxes management is hard! 2 Critical for security, performance, compliance But expensive, complex and difficult to manage Survey across 57 network operators (J. Sherry et al. SIGCOMM 2012) e.g., a network with ~2000 middleboxes required 500+ operators

Can SDN simplify middlebox management? Centralized Controller “ Flow ” FwdAction …… “ Flow ” FwdAction …… OpenFlow 3 Proxy IDS Necessity + Opportunity: Incorporate functions markets views as important Scope: Enforce middlebox-specific steering policies Firewall IDS Proxy Web

What makes this problem challenging? Centralized Controller “ Flow ” FwdAction …… “ Flow ” FwdAction …… OpenFlow 4 Proxy IDS Middleboxes introduce new dimensions beyond L2/L3 tasks. Achieve this with unmodified middleboxes and existing SDN APIs Firewall IDS Proxy Web

Firewall IDS Proxy Web Our Work: SIMPLE Legacy Middleboxes OpenFlow capable FlowAction …… FlowAction …… 5 Policy enforcement layer for middlebox-specific “traffic steering”

Outline Motivation Challenges SIMPLE Design Evaluation Conclusions 66

Challenge: Policy Composition S1 S2 7 Firewall Proxy IDS FirewallIDSProxy * Policy Chain: Oops! Forward Pkt to IDS or Dst? Dst “Loops” Traditional flow rules may not suffice!

Challenge: Resource Constraints S1 S2 S4 S3 Proxy Firewall IDS1 = 50% IDS2 = 50% Space for traffic split? Can we set up “feasible” forwarding rules? 8

9 S1 Proxy S2 User 1 User 2 Proxy may modify flows Are forwarding rules at S2 correct? Challenge: Dynamic Modifications Firewall User1: Proxy  Firewall User2: Proxy

New dimensions beyond Layer 2-3 tasks 1) Policy Composition  Potential loops 3) Dynamic Modifications  Correctness? 2) Resource Constraints  Switch + Middlebox 10 Can we address these with unmodified middleboxes and existing SDN APIs?

Outline Motivation + Context for the Work Challenges SIMPLE Design Evaluation Conclusion 11

Rule Generator Resource Manager Modifications Handler SIMPLE System Overview Legacy Middleboxes OpenFlow capable FlowAction …… FlowAction …… 12 Firewall IDS Proxy Web

Composition  Tag Processing State 13 FirewallIDSProxy * Policy Chain: S1 S2 Firewall Proxy IDS Dst ORIGINAL Post-Firewall Post-IDS Post-Proxy Fwd to Dst Insight: Distinguish different instances of the same packet

Rule Generator Resource Manager Modifications Handler SIMPLE System Overview Legacy Middleboxes OpenFlow capable FlowAction …… FlowAction …… 14 Firewall IDS Proxy Web

Resource Constraints  Joint Optimization Resource Manager Topology & Traffic Switch TCAM Middlebox Capacity + Footprints Policy Spec Optimal & Feasible load balancing Theoretically hard! Not obvious if some configuration is feasible! 15

Offline + Online Decomposition 16 Offline StageOnline Step Deals with Switch constraints Deals with only load balancing Resource Manager Network Topology Switch TCAM Policy Spec Traffic Matrix Mbox Capacity + Footprints

Offline Stage: ILP based pruning 17 Set of all possible middlebox load distributions Pruned Set Balance the middlebox load Feasible Sufficient freedom

FW IDS Proxy Web Rule Generator Resource Manager Modifications Handler SIMPLE System Overview Legacy Middleboxes OpenFlow capable FlowAction …… FlowAction …… 18

Modifications  Infer flow correlations 19 Correlate flows Install rules S1 Proxy S2 User 1 User 2 Firewall User1: Proxy  Firewall User2: Proxy Payload Similarity

FW IDS Proxy Web Rule Generator (Policy Composition) Resource Manager (Resource Constraint) Modifications Handler (Dynamic modifications) SIMPLE Implementation OpenFlow 1.0 FlowTag/Tun nel Action …… FlowTag/Tun nel Action …… POX extensions 20 CPLEX

Outline Motivation + Context for the Work Challenges SIMPLE Design Evaluation Conclusion 21

Evaluation and Methodology What benefits SIMPLE offers? load balancing? How scalable is the SIMPLE optimizer? How close is the SIMPLE optimizer to the optimal? How accurate is the dynamic inference? Methodology – Small-scale real test bed experiments (Emulab) – Evaluation over Mininet (with up to 60 nodes) – Large-scale trace driven simulations (for convergence times) 22

Benefits: Load balancing 4-7X better load balancing and near optimal 23 Optimal

Overhead: Reconfiguration Time Around 125 ms to reconfigure, most time spent in pushing rules node topology including 11 switches

Other Key Results LP solving takes 1s for a 252 node topology – 4-5 orders of magnitude faster than strawman 95 % accuracy in inferring flow correlations Scalability of pruning: 1800s  110s 25

Conclusions Middleboxes: Necessity and opportunity for SDN Goal: Simplify middlebox-specific policy enforcement Challenges: Composition, resource constraints, modifications SIMPLE: policy enforcement layer – Does not modify middleboxes – No changes to SDN APIs – No visibility required into the internal of middleboxes Scalable and offers 4-7X improvement in load balancing 26

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.