Presentation is loading. Please wait.

Presentation is loading. Please wait.

Toward Practical Integration of SDN and Middleboxes

Published byEssence Tuckett Modified over 10 years ago

Similar presentations

Presentation on theme: "Toward Practical Integration of SDN and Middleboxes"— Presentation transcript:

1 Toward Practical Integration of SDN and Middleboxes
Vyas Sekar Stony Brook University Joint work with Zafar Qazi, William Tu, Luis Chiang, Stony Brook University Rui Miao, Minlan Yu USC

2 High capital and management costs Little flexibility
Middleboxes Galore! Data from a large enterprise Survey across 57 network operators Type of appliance Number Firewalls 166 NIDS 127 Media gateways 110 Load balancers 67 Proxies 66 VPN gateways 45 WAN Optimizers 44 Voice gateways 11 Total Middleboxes 636 Total routers ~900 Refer to guru’s slide High capital and management costs Little flexibility

3 Our past work in MB space
CoMb [NSD1 ‘12] Consolidate hardware-software Consolidate management Aplomb [SIGCOMM ‘12] Outsource middleboxes to the cloud NIDS/NIPS Load Balancing [CoNext ‘10 ‘12] Network-wide load balancing

4 Two crucial missing links
Can we deal with existing middleboxes? Legitimate technical and business reasons (Over)simplified or assumed away the problem? Use custom API, not SDN interfaces In spite of the obvious parallels Why haven’t we seen a practical integration between SDN and existing middleboxes? “…policy might require packets to pass through an intermediate middlebox….” Casado et al, SIGCOMM ‘07

5 Goal of this work Centralized management with open interfaces
Middleboxes IDS, Firewall, Load balancer, VPN WAN optimizer, Proxy, etc Centralized management with open interfaces e.g., NOX/OpenFlow Centralized management with open interfaces e.g., NOX/OpenFlow IDS, Firewall, Load balancer, VPN WAN optimizer, Proxy, etc

6 What this work is NOT New vision for SDN New vision for middlebox
A new L4-L7 programmable data plane New northbound APIs for middleboxes Look for practical, incremental convergence

7 Roadmap Motivation + Context Challenges with SDN-MB integration
Promising starts Reflections..

8 Middlebox “policy chain”
F1 I1 Firewall IDS * S2 S4 S5 S1 S3 I2 Here .. Sequence not just composition and spatial, not just single box/signle controller F2 Implication: Proactive set up of routing rules Implication: New verification requirements

9 Flow rules may not suffice?
HTTP: Firewall  IDS  Proxy OpenFlow forward: Pkt header, Interface  Forwarding interface HTTP, S1—S2  ?? Firewall Proxy IDS 1 2 3 4 S2 S1 5 HTTP Return path? Stateful! Implication: More flexible forwarding abstractions Implication: loop-free at logical level, not physical

10 Middlebox load balancing
F1 = 0.5 I1 = 0.25 F2 =0.5 I2 = 0.75 Policy Src, Dst, Input,NextHop 10.1.0/17,*,*,S2 /17,*,*,S3 /17,*,S1,M3 /17,*,M3,S4 10.1.0/17,*,S1,M1 10.1.0/18,*,M1,M2 /18,*,M1,S4 10.1.0/18,*,M2,S4 10.1.0/18,*,S2,S5 /18,*,S2,M4 /17,*,S3,M4 /18,*,M4,S5 /17,*,M4,S5 Firewall IDS 10.1/16 * Src = /16 S2 S4 S5 S1 S3 Implication: Unified view of MB and switch resources

11 Middlebox introduce packet mods
NAT rewrites headers Proxy, WanOPT coalesces sessions Dynamic invocation? Something like the conditional composition .. Implication: Visibility and scalability challenges

12 Middlebox implications for SDN view
Logical view Specify policy goals Control Apps Admin MB + switch resources Verification Handle dynamics Network OS Physical View More expressive data plane fwding Data Plane “Flow” Action

13 Roadmap Motivation for this talk Challenges with SDN-MB integration
Promising starts Reflections..

14 Middlebox implications for SDN view
Logical view Specify policy goals Control Apps Admin MB + switch resources Verification Handle dynamics Network OS Physical View More expressive data plane fwding Data Plane “Flow” Action

15 Logical view: “DataFlow” Abstraction
“Raw” Traffic Classifier Intranet, NFS Public, Web Public, Rest WanOpt Firewall Firewall Proxy IDS Specify “what” processing, not “where”

16 Middlebox implications for SDN view
Logical view Specify policy goals Control Apps Admin MB + switch resources Verification Handle dynamics Network OS Physical View More expressive data plane fwding Data Plane “Flow” Action

17 Data plane: Virtual Packet State
HTTP: Firewall  IDS  Proxy Firewall Proxy IDS 1 2 3 4 S1 S2 5 HTTP Analogous to the virtual packet idea from jen controller, realization is via “VLAN” – packet carries its logical state somehow Each segment gets a logical tag Can implement this with VLAN tags/tunnels

18 Middlebox implications for SDN view
Logical view Specify policy goals Control Apps Admin MB + switch resources Verification Handle dynamics Network OS Physical View More expressive data plane fwding Data Plane “Flow” Action

19 Joint configuration of MB + Switch
Topology, Traffic Policy Spec Resource Constraints Middlebox behavior SDN-MB Controller Joint optimization Forwarding Rules Processing Distribution Challenge: Impact of MB load balancing on switches? i.e., is a given load balancing strategy feasible?

20 Idea: Enumerate physical sequences!
F1 I1 Policy S2 S4 S5 S1 S3 I2 F2 F1-I1 : S1  S2  F1 S2  I1  S2  S4  S rules on S2, 1 on rest F1-I2: S1  S2  F1  S2  S4  I2  S4  S5 2 rules on S2 & S4, 1 on rest F2: I1: S1  S3  F2  S3  S1  S2  I1  S2 S4  S5 2 rules on S1, S2, S3 F2-I2: S1  S3  F2 S3  S4  I2  S4  S5 2 rules on S3, S4; 1 on rest Not yet tractable (discrete optimization)

21 Verification properties
Policy compliance: Every packet goes through correct policy No extra processing: A packet should not traverse a middlebox, if the policy does not dictate it. No spurious traffic: Packets that would be dropped otherwise, should not be allowed Have needs, don’t yet have solutions ..

22 Dynamic middlebox transformations?
What we do know how to do Taxonomy of existing middleboxes Capture typical packet transformations No comprehensive solution yet …

23 Roadmap Motivation for this talk Challenges with SDN-MB integration
Promising starts Reflections..

24 Some reflections on SDN-MB synergy
Aug ONF report on new initiatives integrate an SDN into production networks APIs for functions the market views as important Development of next generation forwarding plane Middlebox as a concrete use-case can inform these initiatives!

25 More reflections on SDN-MB synergy
Survey reports on key factors on SDN adoption [Metzler 2012] use cases that justify deployment .. fits in with both the existing infrastructure.. “ SDN tended to focus on the physical network elements that comprised the network layers (e.g., Layer 2 and Layer 3) …add a focus on Layer 4 through Layer 7 functionality … it shows a change in the perceived value of SDN.” Middleboxes are a necessity and an opportunity!

26 Talk summary Can we achieve “incremental” SDN-MB integration?
Several challenges, but promising starts Composition, resource management, dynamics Implications for data, control plane, and control apps MB can be an informative and concrete use-case Longer-term evolution? SDN gets rid of MBs? MB becomes integrated into dataplane?

Download ppt "Toward Practical Integration of SDN and Middleboxes"

Similar presentations

Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul

Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul
Towards Software Defined Cellular Networks

Towards Software Defined Cellular Networks
Software-defined networking: Change is hard Ratul Mahajan with Chi-Yao Hong, Rohan Gandhi, Xin Jin, Harry Liu, Vijay Gill, Srikanth Kandula, Mohan Nanduri,

Software-defined networking: Change is hard Ratul Mahajan with Chi-Yao Hong, Rohan Gandhi, Xin Jin, Harry Liu, Vijay Gill, Srikanth Kandula, Mohan Nanduri,
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
SIMPLE-fying Middlebox Policy Enforcement Using SDN

SIMPLE-fying Middlebox Policy Enforcement Using SDN
Composing Software-Defined Networks Princeton*Cornell^ Chris Monsanto*, Joshua Reich* Nate Foster^, Jen Rexford*, David Walker* www.frenetic-lang.org/pyretic.

Composing Software-Defined Networks Princeton*Cornell^ Chris Monsanto*, Joshua Reich* Nate Foster^, Jen Rexford*, David Walker*
Nanxi Kang Princeton University

Nanxi Kang Princeton University
Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.

Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.
Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.

Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.
Toward Practical Convergence of Middleboxes and Software-Defined Networking Vyas Sekar Joint work with: Seyed Kaveh Fayazbakhsh, Zafar Qazi, Luis Chiang,

Toward Practical Convergence of Middleboxes and Software-Defined Networking Vyas Sekar Joint work with: Seyed Kaveh Fayazbakhsh, Zafar Qazi, Luis Chiang,
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Network Based Services in Mobile Networks Context, Typical Use Cases, Problem Area, Requirements IETF 87 Berlin, 29 July 2013 BoF Meeting on Network Service.

Network Based Services in Mobile Networks Context, Typical Use Cases, Problem Area, Requirements IETF 87 Berlin, 29 July 2013 BoF Meeting on Network Service.
Software-Defined Networking, OpenFlow, and how SPARC applies it to the telecommunications domain Pontus Sköldström - Wolfgang John – Elisa Bellagamba November.

Software-Defined Networking, OpenFlow, and how SPARC applies it to the telecommunications domain Pontus Sköldström - Wolfgang John – Elisa Bellagamba November.
VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly.

VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly.
SDN: Extensions Middleboxes 1 Ack: Vyas Sekar, Aaron Gember, Felipe Huici, Zafar Qazi.

SDN: Extensions Middleboxes 1 Ack: Vyas Sekar, Aaron Gember, Felipe Huici, Zafar Qazi.
Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.

Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.
Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.

Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.
Internet Indirection Infrastructure Ion Stoica UC Berkeley.

Internet Indirection Infrastructure Ion Stoica UC Berkeley.
1 A Policy-aware Switching Layer for Data Centers Dilip Joseph Arsalan Tavakoli Ion Stoica University of California at Berkeley.

1 A Policy-aware Switching Layer for Data Centers Dilip Joseph Arsalan Tavakoli Ion Stoica University of California at Berkeley.
Data Plane Verification. Background: What are network policies Alice can talk to Bob Skype traffic must go through a VoIP transcoder All traffic must.

Data Plane Verification. Background: What are network policies Alice can talk to Bob Skype traffic must go through a VoIP transcoder All traffic must.

Similar presentations

Ads by Google