Presentation is loading. Please wait.

Presentation is loading. Please wait.

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Published byRashad Gouge Modified over 9 years ago

Similar presentations

Presentation on theme: "Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu."— Presentation transcript:

1 Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu

2 Type of applianceNumber Firewalls166 Intrusion detection127 Media gateways110 Load balancers67 Proxies66 VPN gateways45 WAN Optimizers44 Voice gateways11 Total Middleboxes636 Total routers~900 Why middleboxes? Data from a large enterprise Survey across 57 network operators Critical for security, performance, compliance But painful to manage 2

3 Why should SDN community care? 3 Aug. 2012 ONF report – “integrate into production networks” – “APIs for functions market views as important” Survey on SDN adoption [Metzler 2012] – “use cases that justify deployment” – “add a focus on Layer 4 through Layer 7 functionality … change in the perceived value of SDN.” Middleboxes: Necessity and Opportunity for SDN

4 4 Goal: SDN + Middlebox integration Centralized Controller “ Flow ” FwdAction …… “ Flow ” FwdAction …… Can we achieve SDN-Middlebox integration: with existing SDN APIs? with unmodified middleboxes? Open APIs

5 Challenges in SDN-MB integration 5 S1 S2 S4 S3 Proxy IDS Firewall Pkt, S2—S4: IDS or Dst ? Resource constraints Traffic modifications Policy composition FirewallIDSProxy IDS1 = 50% IDS2 = 50% Are forwarding rules correct? Proxy may modify traffic Space for traffic split? Simple flow rules may not suffice!

6 Recap: Three main challenges Policy composition 6 Is there enough rule space? Correctness? Flow rules may not suffice New dimensions beyond Layer 2-3 tasks Traffic modifications Resource constraints

7 2= Post Firewall Composition  Tag Processing State 7 Firewall Proxy IDS 1=None 3=Post IDS 4 = Post Proxy S2 S4 Use “state” tags in addition to header, interface info

8 Resource constraints  Joint Optimization 8 Resource Manager Topology & Traffic Switch TCAM Middlebox Hardware Policy Spec Optimal & Feasible load balancing Theoretically hard, but have practical near-optimal heuristics

9 FW IDS Proxy Web Rule Generator (Processing state tags, Switch tunnels) Resource Manager (Scalable joint optimization) Modifications Handler (Infer flow correlations) NIMBLE System Overview Legacy Middleboxes OpenFlow-capable OpenFlow 1.0 FlowTag/TunnelAction …… FlowTag/TunnelAction …… POX extensions OpenvSwitch 1.7.1 9

10 Benefits: Load balancing 10 Nimble Today 4-7X better load balancing without modifying middleboxes Low overhead: 0.1s to reconfigure after failure/overload

11 SDN + Middlebox Convergence 11 High OpEx Inflexible High CapEx COMB Consolidation [NSDI ‘12] ONS Poster APLOMB Cloud Outsourcing [SIGCOMM’12] NIMBLE Practical Integration [today’s talk] Middlebox pain points

Download ppt "Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu."

Similar presentations

Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
Justine Sherry*, Shaddi Hasan*, Colin Scott*, Arvind Krishnamurthy†,

Justine Sherry*, Shaddi Hasan*, Colin Scott*, Arvind Krishnamurthy†,
Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul

Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul
Towards Software Defined Cellular Networks

Towards Software Defined Cellular Networks
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Toward Practical Integration of SDN and Middleboxes

Toward Practical Integration of SDN and Middleboxes
SIMPLE-fying Middlebox Policy Enforcement Using SDN

SIMPLE-fying Middlebox Policy Enforcement Using SDN
Agenda Product Overview Hardware Interfaces Software Features

Agenda Product Overview Hardware Interfaces Software Features
Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.

Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.
Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.

Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.
Toward Practical Convergence of Middleboxes and Software-Defined Networking Vyas Sekar Joint work with: Seyed Kaveh Fayazbakhsh, Zafar Qazi, Luis Chiang,

Toward Practical Convergence of Middleboxes and Software-Defined Networking Vyas Sekar Joint work with: Seyed Kaveh Fayazbakhsh, Zafar Qazi, Luis Chiang,
Software-Defined Networking, OpenFlow, and how SPARC applies it to the telecommunications domain Pontus Sköldström - Wolfgang John – Elisa Bellagamba November.

Software-Defined Networking, OpenFlow, and how SPARC applies it to the telecommunications domain Pontus Sköldström - Wolfgang John – Elisa Bellagamba November.
SDN: Extensions Middleboxes 1 Ack: Vyas Sekar, Aaron Gember, Felipe Huici, Zafar Qazi.

SDN: Extensions Middleboxes 1 Ack: Vyas Sekar, Aaron Gember, Felipe Huici, Zafar Qazi.
Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.

Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.
Software Defined Networking COMS 6998-8, Fall 2013 Guest Speaker: Seyed Kaveh Fayazbakhsh Stony Brook University 11/12/2013: SDN and Middleboxes.

Software Defined Networking COMS , Fall 2013 Guest Speaker: Seyed Kaveh Fayazbakhsh Stony Brook University 11/12/2013: SDN and Middleboxes.
15-744: Computer Networking

15-744: Computer Networking
MSIT 458: Information Security & Assurance By Curtis Pethley.

MSIT 458: Information Security & Assurance By Curtis Pethley.
1 A Policy-aware Switching Layer for Data Centers Dilip Joseph Arsalan Tavakoli Ion Stoica University of California at Berkeley.

1 A Policy-aware Switching Layer for Data Centers Dilip Joseph Arsalan Tavakoli Ion Stoica University of California at Berkeley.
Data Center Middleboxes Hakim Weatherspoon Assistant Professor, Dept of Computer Science CS 5413: High Performance Systems and Networking November 24,

Data Center Middleboxes Hakim Weatherspoon Assistant Professor, Dept of Computer Science CS 5413: High Performance Systems and Networking November 24,
Software-Defined Networking

Software-Defined Networking

Similar presentations

Ads by Google