SIMPLE-fying Middlebox Policy Enforcement Using SDN

Slides:



Advertisements
Similar presentations
Justine Sherry*, Shaddi Hasan*, Colin Scott*, Arvind Krishnamurthy†,
Advertisements

Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Toward Practical Integration of SDN and Middleboxes
SIMPLE-fying Middlebox Policy Enforcement Using SDN
VCRIB: Virtual Cloud Rule Information Base Masoud Moshref, Minlan Yu, Abhishek Sharma, Ramesh Govindan HotCloud 2012.
Composing Software Defined Networks
Nanxi Kang Princeton University
Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.
Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.
Toward Practical Convergence of Middleboxes and Software-Defined Networking Vyas Sekar Joint work with: Seyed Kaveh Fayazbakhsh, Zafar Qazi, Luis Chiang,
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Incremental Consistent Updates Naga Praveen Katta Jennifer Rexford, David Walker Princeton University.
SDN: Extensions Middleboxes 1 Ack: Vyas Sekar, Aaron Gember, Felipe Huici, Zafar Qazi.
Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.
Software Defined Networking COMS , Fall 2013 Guest Speaker: Seyed Kaveh Fayazbakhsh Stony Brook University 11/12/2013: SDN and Middleboxes.
Network Innovation using OpenFlow: A Survey
Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.
The Middlebox Manifesto: Enabling Innovation in Middlebox Deployment 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.
A Survey on Interfaces to Network Security
OpenFlow Switch Limitations. Background: Current Applications Traffic Engineering application (performance) – Fine grained rules and short time scales.
SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Justine Sherry*, Shaddi Hasan*, Colin Scott*, Arvind Krishnamurthy†,
Cellular Core Network Architecture
Enabling Innovation Inside the Network Jennifer Rexford Princeton University
Composing Software Defined Networks Jennifer Rexford Princeton University With Joshua Reich, Chris Monsanto, Nate Foster, and.
1 Using Composite Variable Modeling to Solve Integrated Freight Transportation Planning Problems Sarah Root University of Michigan IOE November 6, 2006.
Software-Defined Networks Jennifer Rexford Princeton University.
VeriFlow: Verifying Network-Wide Invariants in Real Time
Floodless in SEATTLE : A Scalable Ethernet ArchiTecTure for Large Enterprises. Changhoon Kim, Matthew Caesar and Jenifer Rexford. Princeton University.
Bohatei: Flexible and Elastic DDoS Defense
Central Control over Distributed Routing fibbing.net SIGCOMM Stefano Vissicchio 18th August 2015 UCLouvain Joint work with O. Tilmans (UCLouvain), L. Vanbever.
Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags Seyed K. Fayazbakhsh *, Luis Chiang ¶, Vyas Sekar *, Minlan.
Extending SDN to Handle Dynamic Middlebox Actions via FlowTags (Full version to appear in NSDI’14) Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
Programming Languages for Software Defined Networks Jennifer Rexford and David Walker Princeton University Joint work with the.
Aaron Gember, Theophilus Benson, Aditya Akella University of Wisconsin-Madison.
SDN Management Layer DESIGN REQUIREMENTS AND FUTURE DIRECTION NO OF SLIDES : 26 1.
CellSDN: Software-Defined Cellular Core networks Xin Jin Princeton University Joint work with Li Erran Li, Laurent Vanbever, and Jennifer Rexford.
1 Simple provisioning, complex consolidation – An approach to improve the efficiency of provisioning oriented optical networks Tamás Kárász Budapest University.
Jennifer Rexford Princeton University MW 11:00am-12:20pm SDN Programming Languages COS 597E: Software Defined Networking.
FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions Author: Seyed Kaveh Fayazbakhsh, Vyas Sekar, Minlan Yu and Jeffrey.
SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar, Rui Miao, Minlan Yu Presenter : ChoongHee.
Logically Centralized? State Distribution Trade-offs in Software Defined Networks.
BUZZ: Testing Context-Dependent Policies in Stateful Networks Seyed K. Fayaz, Tianlong Yu, Yoshiaki Tobioka, Sagar Chaki, Vyas Sekar.
Atrium Router Project Proposal Subhas Mondal, Manoj Nair, Subhash Singh.
Preliminaries: EE807 Software-defined Networked Computing KyoungSoo Park Department of Electrical Engineering KAIST.
Software Defined Networking BY RAVI NAMBOORI. Overview  Origins of SDN.  What is SDN ?  Original Definition of SDN.  What = Why We need SDN ?  Conclusion.
NFP: Enabling Network Function Parallelism in NFV
Ready-to-Deploy Service Function Chaining for Mobile Networks
Xin Li, Chen Qian University of Kentucky
SDN challenges Deployment challenges
SDN Network Updates Minimum updates within a single switch
A Survey of Network Function Placement
University of Maryland College Park
The DPIaaS Controller Prototype
Heitor Moraes, Marcos Vieira, Italo Cunha, Dorgival Guedes
Hydra: Leveraging Functional Slicing for Efficient Distributed SDN Controllers Yiyang Chang, Ashkan Rezaei, Balajee Vamanan, Jahangir Hasan, Sanjay Rao.
Efficient Round-Trip Time Monitoring in OpenFlow Networks
15-744: Computer Networking
NOX: Towards an Operating System for Networks
of Dynamic NFV-Policies
A Novel Framework for Software Defined Wireless Body Area Network
NFP: Enabling Network Function Parallelism in NFV
Software Defined Networking (SDN)
DDoS Attack Detection under SDN Context
NFP: Enabling Network Function Parallelism in NFV
ClosedFlow: OpenFlow-like Control over Proprietary Devices
Programmable Networks
Autonomous Network Alerting Systems and Programmable Networks
Presentation transcript:

SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi, Cheng-Chun Tu, Luis Chiang, Rui Miao, Vyas Sekar, Minlan Yu Presenter: Chen Qian

Middleboxes are important Security Network Function Firewall IDS Acceleration Network Function Network function, also known as middlleboxes, are playing important role in the network. Network Functions nowadays are ubiquitous in the network. Network functions are the networking devices that perform tasks other than packet forwarding. Network functions are built for different purposes. One category of network functions is used to enhance the security of enterprise networks, campus networks, or any others. The examples are firewall and intrusion detection system. Another category of network functions is used to accelerate the speed of the network. For instance, wide area network optimizer could be used to compress the traffic and web proxy is used for caching web pages. WAN Optimizer Proxy

Hardware and software middleboxes IDS Hardware Software WAN Optimizer Traditionally, these network functions are built in propriety dedicated hardware. These hardware boxes incur high expenses for physical equipment as well as operational costs. Hardware updates and replacements are not easy, which also involve in a great amount of human labor and financial cost. To address these challenges, there is a trend in the networking community to build software version of these network functions. Based on software network functions, Network function virtualization is proposed to use virtualization technology to virtualize network functions nodes into blocks. Proxy

How middleboxes process network traffic 1. The specified network traffic should go through a sequence of middlebox before reaching the destination Firewall - IDS - Proxy 2. Middlebox policies (types and orders of MBs) should be strictly reinforced

Middleboxes management is hard! Survey across 57 network operators (J. Sherry et al. SIGCOMM 2012) e.g., a network with ~2000 middleboxes required 500+ operators Critical for security, performance, compliance But expensive, complex and difficult to manage

How SDN helps middleboxes SDN can effectively configure flow paths so that a flow can go through a number of middleboxes in a given order SDN can assign different flows to different middleboxes so that the load on middleboxes can be balanced

Can SDN simplify middlebox management? Centralized Controller Firewall IDS Proxy Web OpenFlow “Flow” FwdAction … “Flow” FwdAction … Proxy IDS Scope: Enforce middlebox-specific steering policies Necessity + Opportunity: Incorporate functions markets views as important

What makes this problem challenging? Centralized Controller Firewall IDS Proxy Web OpenFlow “Flow” FwdAction … “Flow” FwdAction … Proxy IDS Middleboxes introduce new dimensions beyond L2/L3 tasks. Achieve this with unmodified middleboxes and existing SDN APIs

SIMPLE Policy enforcement layer for Firewall IDS Proxy Web Policy enforcement layer for middlebox-specific “traffic steering” Legacy Middleboxes OpenFlow capable Flow Action … Flow Action …

Outline Motivation Challenges SIMPLE Design Evaluation Conclusions 10

Challenge: Policy Composition Firewall IDS Proxy * Policy Chain: Oops! Forward Pkt to IDS or Dst? Firewall Proxy IDS S1 S2 Dst “Loops” Traditional flow rules may not suffice!

Challenge: Resource Constraints Firewall Proxy Space for traffic split? S2 S4 S1 IDS1 = 50% IDS2 = 50% S3 Can we set up “feasible” forwarding rules?

Challenge: Dynamic Modifications User1: Proxy  Firewall User2: Proxy Proxy may modify flows User 1 Proxy S1 S2 User 2 Firewall Are forwarding rules at S2 correct?

New dimensions beyond Layer 2-3 tasks 1) Policy Composition  Potential loops 2) Resource Constraints  Switch + Middlebox 3) Dynamic Modifications  Correctness? Can we address these with unmodified middleboxes and existing SDN APIs?

Outline Motivation + Context for the Work Challenges SIMPLE Design Evaluation Conclusion

SIMPLE System Overview Firewall IDS Proxy Web Rule Generator Resource Manager Modifications Handler Legacy Middleboxes OpenFlow capable Flow Action … Flow Action …

High-level input The network administrators specify the processing policies to the resource manager, without worrying about where the process occur. The network topology and traffic information are input to the resource manager Resource constraints are input to the resource manager 1. packet processing resources (CPU, memory, accelerators) for different middleboxes 2. TCAM available for installing forwarding rules

Composition  Tag Processing State Firewall IDS Proxy * Policy Chain: Firewall Proxy IDS Fwd to Dst S1 S2 Dst Post-Proxy Post-Firewall ORIGINAL Post-IDS Insight: Distinguish different instances of the same packet

Inter-switch tunnels

SIMPLE System Overview Firewall IDS Proxy Web Rule Generator Resource Manager Modifications Handler Legacy Middleboxes OpenFlow capable Flow Action … Flow Action …

Resource Constraints Joint Optimization Topology & Traffic Switch TCAM Middlebox Capacity + Footprints Policy Spec Resource Manager Optimal & Feasible load balancing Theoretically hard! Not obvious if some configuration is feasible!

Offline + Online Decomposition Policy Spec Network Topology Switch TCAM Mbox Capacity + Footprints Traffic Matrix Resource Manager Offline Stage Online Step Deals with Switch constraints Deals with only load balancing

Offline Stage: ILP based pruning

Offline Stage: ILP based pruning Feasible Sufficient freedom Set of all possible middlebox load distributions Pruned Set Balance the middlebox load (online, LP)

SIMPLE System Overview FW IDS Proxy Web Rule Generator Resource Manager Modifications Handler Legacy Middleboxes OpenFlow capable Flow Action … Flow Action …

Modifications  Infer flow correlations Correlate flows Install rules Payload Similarity User 1 Proxy S1 S2 User 2 Firewall User1: Proxy  Firewall User2: Proxy

When a middlebox changes everything Payloads still have a significant amount of partial overlap. For the proxy case, the web content still matches. Use Rabin fingerprints to calculate the similarity.

SIMPLE Implementation FW IDS Proxy Web Rule Generator (Policy Composition) Resource Manager (Resource Constraint) Modifications Handler (Dynamic modifications) CPLEX POX extensions OpenFlow 1.0 Flow Tag/Tunnel Action … Flow Tag/Tunnel Action …

Outline Motivation + Context for the Work Challenges SIMPLE Design Evaluation Conclusion

Evaluation and Methodology What benefits SIMPLE offers? load balancing? How scalable is the SIMPLE optimizer? How close is the SIMPLE optimizer to the optimal? How accurate is the dynamic inference? Methodology Small-scale real test bed experiments (Emulab) Evaluation over Mininet (with up to 60 nodes) Large-scale trace driven simulations (for convergence times)

Compare to Ingress-based method The middleboxes closest to the ingress are selected.

Benefits: Load balancing Optimal 4-7X better load balancing and near optimal

Overhead: Reconfiguration Time 33 node topology including 11 switches Around 125 ms to reconfigure, most time spent in pushing rules

Fraction of sequences with loops

Time of execution

Other Key Results LP solving takes 1s for a 252 node topology 4-5 orders of magnitude faster than strawman 95 % accuracy in inferring flow correlations Scalability of pruning: 1800s  110s

Conclusions Middleboxes: Necessity and opportunity for SDN Goal: Simplify middlebox-specific policy enforcement Challenges: Composition, resource constraints, modifications SIMPLE: policy enforcement layer Does not modify middleboxes No changes to SDN APIs No visibility required into the internal of middleboxes Scalable and offers 4-7X improvement in load balancing

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.