FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions Author: Seyed Kaveh Fayazbakhsh, Vyas Sekar, Minlan Yu and Jeffrey.


FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions
Author: Seyed Kaveh Fayazbakhsh, Vyas Sekar, Minlan Yu and Jeffrey C. Mogul
Conference: ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN), 2013
Presenter: Kuan-Chieh Feng
Date: 2015/12/02
Department of Computer Science and Information Engineering, National Cheng Kung University

Outline
Introduction
Motivation
FlowTags Architecture
Preliminary Result
Conclusion
National Cheng Kung University CSIE Computer & Internet Architecture Lab 2

Introduction
A key advantage of SDN is the ability to consistently enforce and verify network-wide policies for network management tasks. Unfortunately, middleboxes make it challenging to enforce and verify such policies.

Introduction
The cause of this problem is that as packets traverse the network, their headers and contents may be dynamically modified by middleboxes. To this end, we propose FlowTags, an extended SDN architecture in which middleboxes add Tags to outgoing packets, to provide the necessary causal context.

Motivation: Traffic Attribution - 1 (figure slide)

Motivation: Traffic Attribution - 2 (figure slide)

Motivation: Dynamic Traffic Dependence (figure slide)

Motivation: Strawman Solutions
Correlating flows
Middlebox placement
Consolidation
Policy verification tools

FlowTags Architecture
Motivated by this observation, we propose FlowTags, an extended SDN architecture that incorporates the necessary visibility into middlebox actions in order to systematically enforce and verify policies.

FlowTags Architecture
In designing FlowTags, we impose three constraints:
Require minimal modifications to middleboxes
Preserve existing switches as well as the switch-controller interface
Avoid direct interactions between middleboxes and switches

FlowTags Architecture - Overview
FlowTags-enhanced middleboxes add new Tags based on the context.
Switches use Tags to steer packets.
New FlowTags APIs between the controller and FlowTags-enhanced middleboxes.
New control applications that configure the tagging behavior of the middleboxes and switches, and that also leverage Tags to support policy enforcement and verification.

FlowTags Architecture - Overview (figure slide)

FlowTags Architecture - Southbound API
We define an interface between the enhanced SDN controller and FlowTags-enhanced middleboxes. Middleboxes are both producers as well as consumers of Tags.

FlowTags Architecture - Southbound API
Corresponding to these two roles we envision two configuration tables:
TagsFlowTable
TagsActionTable

FlowTags Architecture - Southbound API
Tag addition: the Mbox queries the controller via RqstTag(Pkt,{MboxContext}); the response from the controller is a two-tuple of the form
Tag consumption: the Mbox queries the controller via RqstAction(Pkt,Tags); the controller responds with an appropriate Action, in the form of a tuple of the form

FlowTags Architecture - Example
As in traditional SDN, the controller maintains a global view of the network state, including switch FIBs. Additionally, the controller maintains a copy of the TagsFlowTable and TagsActionTable for each middlebox.
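The producer/consumer exchange from the Southbound API slides, as an added example that is not code from the FlowTags paper or its prototype: a constructed controller keeps the per-middlebox TagsFlowTable and TagsActionTable, a NAT (Tag producer) calls RqstTag and stamps the returned Tag into the DSCP field, and a firewall (Tag consumer) calls RqstAction so its policy applies to the original host rather than the rewritten address. The exact tuple shapes, the dict-based tables, the "orig_src" context key and the sample addresses are assumptions of this example.

```python
DSCP_BITS = 6  # Tag carried in the IPv4 ToS/DSCP field (as the slides state); 6 bits => 63 usable tags

class Packet:
    def __init__(self, src, dst, dscp=0):
        self.src, self.dst, self.dscp = src, dst, dscp

class Controller:
    """Holds the per-middlebox TagsFlowTable and TagsActionTable (modelled here as dicts)."""
    def __init__(self, firewall_policy):
        self.tags_flow_table = {}    # (producer mbox, context items) -> Tag
        self.tags_action_table = {}  # (consumer mbox, Tag) -> Action
        self.firewall_policy = firewall_policy  # original src host -> "forward" / "drop"
        self.next_tag = 1            # Tag 0 is left to mean "untagged"

    def rqst_tag(self, mbox, pkt, context):
        """RqstTag(Pkt, {MboxContext}): allocate (or reuse) a Tag for this context."""
        key = (mbox, tuple(sorted(context.items())))
        if key not in self.tags_flow_table:
            if self.next_tag >= 2 ** DSCP_BITS:
                raise RuntimeError("DSCP tag space exhausted")  # the 'how many bits?' limit
            self.tags_flow_table[key] = self.next_tag
            self.next_tag += 1
        tag = self.tags_flow_table[key]
        return tag, {"set_dscp": tag}  # assumed two-tuple: the Tag plus the rewrite the mbox applies

    def rqst_action(self, mbox, pkt, tag):
        """RqstAction(Pkt, Tags): resolve the Tag back to its context and return the policy action."""
        if (mbox, tag) not in self.tags_action_table:
            ctx = {k: v for (m, items), t in self.tags_flow_table.items() if t == tag for k, v in items}
            host = ctx.get("orig_src", pkt.src)  # untagged traffic is attributed to its own header
            self.tags_action_table[(mbox, tag)] = self.firewall_policy.get(host, "forward")
        return tag, self.tags_action_table[(mbox, tag)]

def nat_forward(ctrl, pkt, public_ip):
    """NAT as Tag producer: rewrite src, ask the controller for a Tag, stamp it into DSCP."""
    tag, rule = ctrl.rqst_tag("nat", pkt, {"orig_src": pkt.src})
    return Packet(public_ip, pkt.dst, dscp=rule["set_dscp"])

def firewall_decide(ctrl, pkt):
    """Firewall as Tag consumer: decide from the Tag, not from the rewritten src address."""
    _, action = ctrl.rqst_action("firewall", pkt, pkt.dscp)
    return action
```

Two internal hosts leave the NAT with the same public source address but different Tags, so the firewall can still drop only the host its policy names.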

FlowTags Architecture - Example (figure slide)

Preliminary Result: FlowTags Proof-of-Concept
Using Squid (over 100,000 lines of code)
About 30 lines of code to add FlowTags support
Using the ToS/DSCP field in the IPv4 packet header
Validated use-cases with examples

Preliminary Result (figure slide)

Supplement: FlowTags needs minimal middlebox modifications

Middlebox   Total LOC   Modified LOC
Squid       216,000     75
Snort       336,000     45
Balance     2,000       60
iptables    42,000      55
PRADS       15,000      25

Supplement: FlowTags adds low overhead (figure slide: breakdown of flow processing time, ms)

Conclusion
Middleboxes make policy enforcement hard; dynamic modifications are hard to account for
FlowTags can make "flow context" visible
Minimal modifications to middleboxes
No changes to switches or switch APIs
Early promise, but many challenges remain, e.g., how many bits? Control apps?