
1 Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags
Seyed K. Fayazbakhsh *, Luis Chiang ¶, Vyas Sekar *, Minlan Yu ★, Jeffrey Mogul
* CMU, ¶ Deutsche Telekom, ★ USC, Google

2 Middleboxes complicate policy enforcement in SDN
[Figure: SDN stack of Control Apps, Network OS and Data Plane]
Policy: e.g., service chaining, access control
Dynamic and traffic-dependent modifications! e.g., NATs, proxies

3 Modifications → Attribution is hard
[Figure: switches S1 and S2, a Firewall and a NAT between hosts H1, H2 and the Internet]
Policy: Block the access of H2 to certain websites.

4 Dynamic actions → Policy violations
[Figure: switches S1 and S2, a Proxy and a Web ACL between hosts H1, H2 and the Internet]
Web ACL: Block H2 → xyz.com
Steps: 1. Get xyz.com; 2. Response; 3. Get xyz.com; 4. Cached response

5 Our work: FlowTags
Some candidate (non-)solutions: placement, tunneling, consolidation, correlation
– Address some symptoms but not the root cause: OriginBinding and PathsFollowPolicy violations
FlowTags provides an architectural solution:
– Enables policy enforcement and diagnosis despite dynamic middlebox actions.

6 Outline: Motivation; High-level Idea; FlowTags Design; Evaluation

7 High-level idea
Middleboxes need to restore the SDN tenets
– Possibly the only option for correctness
– Minimal changes to middleboxes
Add the missing contextual information as Tags
– NAT gives IP mappings
– Proxy provides cache hit/miss info
FlowTags controller configures the tagging logic

8 FlowTags architecture
[Figure: control plane and data plane. Control plane: existing control apps (e.g., steering, verification) and new control apps (e.g., policy steering, verification) on top of the Network OS; existing APIs (e.g., OpenFlow) alongside new FlowTags APIs; the admin supplies middlebox config and a FlowTags-enhanced policy. Data plane: SDN switches with FlowTables and middleboxes with FlowTags tables.]

9 FlowTags in action
Web ACL: Block 10.1.1.2 → xyz.com (config w.r.t. original principals)
[Figure: S1, S2, Proxy, Web ACL, Internet; H1 = 10.1.1.1, H2 = 10.1.1.2. Tables installed by the controller:]
Proxy, Tag: (10.1.1.2, Hit) → 2
S1, TagFwd: 2 → S2
S2, TagFwd: 2 → ACL
Web ACL, TagOrigSrcIP: 2 → 10.1.1.2, then DROP

10 Outline: Motivation; High-level Idea of FlowTags; FlowTags Design; Evaluation

11 Challenge 1: Tag Semantics
[Figure: FlowTags-enhanced SDN controller in the control plane; data plane with S1, S2, Proxy, Web ACL, Internet, H1 = 10.1.1.1, H2 = 10.1.1.2; the proxy adds a Tag, the switches TagForward, the Web ACL decodes the Tag]

12 Challenge 2: New APIs, control apps
[Figure: same as slide 11, highlighting the FlowTags-enhanced SDN controller and its Add Tag / Decode Tag / TagForward interactions]

13 Challenge 3: Middlebox Extensions
[Figure: same as slide 11, highlighting the Add Tag and Decode Tag operations inside the Proxy and the Web ACL]

14 Outline: Motivation; High-level Idea of FlowTags; FlowTags Design (– Tag semantics – Controller and APIs – Middlebox modification); Evaluation

15 Semantics: Dynamic Policy Graph (DPG)
[Figure: topology with S1, S2, Proxy, Web ACL (Block H2 → xyz.com), Internet, H1, H2, and the corresponding DPG with nodes H1, H2, Proxy, ACL, Internet and Blocked. Edges are labelled {original hosts}; middlebox context, e.g. {H1}; -, {H2}; -, {H2}; Hit, {H2}; Miss, {H1}; Miss, {H1}; Hit, {H2}; Drop.]

16 Semantics: Dynamic Policy Graph (DPG)
Intuitively, we need a Tag in the DPG.
[Figure: same DPG as slide 15]

17 Outline: Motivation; High-level Idea of FlowTags; FlowTags Design (– Tag semantics – Controller and APIs – Middlebox modification); Evaluation

18 FlowTags APIs
[Figure: the FlowTags-enhanced SDN controller speaks OpenFlow to S1 and S2 and the FlowTags APIs to the middleboxes; the Proxy generates Tags, the Web ACL consumes Tags. H1 = 10.1.1.1, H2 = 10.1.1.2.]
Proxy, Tag: (10.1.1.2, Hit) → 2
S1, TagFwd: 2 → S2
S2, TagFwd: 2 → ACL
Web ACL, TagOrigSrcIP: 2 → 10.1.1.2

19 FlowTags-enhanced controller
[Figure: the policy is compiled into a DPG and then into a physical realization over switches S1–S4. The controller is reactive: middlebox event handlers generate and consume Tags; switch event handlers handle flow expiry and install flow rules.]
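To make the slide 4 violation and the slide 9/18 fix concrete, here is a small simulation of the same topology (H1, H2 → S1 → Proxy → S2 → Web ACL → Internet) and the same tables (Tag, TagFwd, TagOrigSrcIP). It is an added example, not code from the FlowTags paper or its prototype; the proxy address, the sequential tag allocation and the Python class names are assumptions. It shows that without tags the proxy's cached response never reaches the ACL and a request on a cache miss is attributed to the proxy instead of H2, whereas with tags the ACL recovers the original principal and drops the flow.

```python
"""Toy replay of the FlowTags scenario on slides 4, 9 and 18 (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

PROXY_IP = "10.1.1.254"                  # assumed proxy address (not on the slides)
WEB_ACL = {("10.1.1.2", "xyz.com")}      # slide 9: Block 10.1.1.2 -> xyz.com, w.r.t. original principals


@dataclass
class Packet:
    src_ip: str                  # header source as seen on the wire
    site: str                    # requested web site
    tag: Optional[int] = None    # FlowTag carried in a header field (e.g. IP-ID, slide 28)
    trace: list = field(default_factory=list)


class Controller:
    """FlowTags-enhanced controller (slide 19): the proxy calls generate_tag
    (Generate Tag API); the controller installs TagFwd rules in the switches
    and TagOrigSrcIP entries at the ACL (Consume Tag API)."""

    def __init__(self):
        self.next_tag = 1
        self.tag_of = {}         # (OrigSrcIP, context) -> Tag   (proxy table, slide 9)
        self.tag_fwd = {}        # (switch, Tag) -> next hop      (TagFwd, slide 9)
        self.orig_src_of = {}    # Tag -> OrigSrcIP               (TagOrigSrcIP, slide 9)

    def generate_tag(self, orig_src_ip: str, context: str) -> int:
        key = (orig_src_ip, context)
        if key not in self.tag_of:
            tag, self.next_tag = self.next_tag, self.next_tag + 1
            self.tag_of[key] = tag
            self.orig_src_of[tag] = orig_src_ip
            # The DPG requires every proxy output for these principals to visit the ACL.
            self.tag_fwd[("S1", tag)] = "S2"
            self.tag_fwd[("S2", tag)] = "ACL"
        return self.tag_of[key]


class Network:
    """Hosts H1/H2 -> S1 -> Proxy -> S2 -> Web ACL -> Internet, as on slide 9."""

    def __init__(self, flowtags: bool):
        self.flowtags = flowtags
        self.ctl = Controller()
        self.cache = set()       # sites the proxy has cached

    def switch(self, name: str, pkt: Packet, default_next: str) -> str:
        # A tagged packet is steered by the controller's TagFwd rule; an untagged
        # packet takes the ordinary OpenFlow path.
        nxt = self.ctl.tag_fwd.get((name, pkt.tag), default_next)
        pkt.trace.append(f"{name}->{nxt}")
        return nxt

    def acl(self, pkt: Packet) -> str:
        # Consume Tag: recover the original principal, else fall back to the header.
        principal = self.ctl.orig_src_of.get(pkt.tag, pkt.src_ip)
        pkt.trace.append(f"ACL principal={principal}")
        return "DROP" if (principal, pkt.site) in WEB_ACL else "ALLOW"

    def request(self, host_ip: str, site: str) -> str:
        pkt = Packet(src_ip=host_ip, site=site)
        self.switch("S1", pkt, "Proxy")             # every request goes to the proxy
        context = "Hit" if site in self.cache else "Miss"
        pkt.src_ip = PROXY_IP                        # proxy rewrites the source: Origin Binding is lost
        if self.flowtags:
            pkt.tag = self.ctl.generate_tag(host_ip, context)
        pkt.trace.append(f"Proxy {context}")
        # The proxy output re-enters S1: a cached response heads back to the host,
        # a miss heads upstream through S2.
        hop = self.switch("S1", pkt, "Host" if context == "Hit" else "S2")
        if hop == "S2":
            hop = self.switch("S2", pkt, "ACL")
        if hop == "Host":
            return "DELIVERED"                       # the ACL never saw this flow
        verdict = self.acl(pkt)
        if verdict == "ALLOW" and context == "Miss":
            self.cache.add(site)                     # the Internet response gets cached
        return "DELIVERED" if verdict == "ALLOW" else "DROPPED"


def replay_slide_4(flowtags: bool) -> list:
    """H1 fetches xyz.com (populating the cache), then H2 asks for the same site."""
    net = Network(flowtags)
    return [net.request("10.1.1.1", "xyz.com"), net.request("10.1.1.2", "xyz.com")]


if __name__ == "__main__":
    print("plain SDN:", replay_slide_4(False))   # ['DELIVERED', 'DELIVERED']: policy violated
    print("FlowTags :", replay_slide_4(True))    # ['DELIVERED', 'DROPPED']
```

Running the script replays slide 4 twice. With plain SDN, H2's cached response is delivered because S1 returns it straight to the host; with FlowTags, the proxy's (10.1.1.2, Hit) output carries tag 2, S1 and S2 steer it to the ACL, and the ACL drops it after mapping tag 2 back to 10.1.1.2, exactly the entries on slide 9.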

20 Outline: Motivation; High-level Idea of FlowTags; FlowTags Design (– Tag semantics – Controller and APIs – Middlebox modification); Evaluation

21 Middlebox extension strategies to add FlowTags support
Strategy 1: Packet rewriting (light-weight packet rewriting shims on the middlebox's input and output traffic)
– Pro: One shot
– Con: Hard to get internal context

22 Middlebox extension strategies to add FlowTags support
Strategy 2: Module modification (changing the middlebox's own processing module)
– Pro: Suited for getting internal context
– Con: More change is needed

23 Middlebox extension strategies to add FlowTags support
Our strategy:
– Packet rewriting (shims) for Tag consumption
– Module modification for Tag generation

24 Outline: Motivation; High-level Idea of FlowTags; FlowTags Design; Evaluation

25 Key evaluation questions
– Feasibility of middlebox modification
– FlowTags overhead
– Number of Tag bits
– New capabilities

26 FlowTags needs minimal middlebox modifications
Middlebox   Total LOC   Modified LOC
Squid       216,000     75
Snort       336,000     45
Balance     2,000       60
iptables    42,000      55
PRADS       15,000      25

27 FlowTags adds low overhead
[Figure: breakdown of flow processing time (ms), 0 to 1.4 ms, into controller processing, middlebox Tag processing and switch setup, for topologies Abilene (11 PoPs), Geant (22), Telstra (44), Sprint (52), Verizon (70) and AT&T (115)]

28 Summary of other results
Adds < 1% overhead to middlebox processing
Tags can be encoded in ~15 bits
– E.g., IP-ID, IPv6 FlowLabel, EncapHeaders (NVP)
Can enable new capabilities
– Extended header space analysis
– Diagnosing network bottlenecks

29 Conclusions
Middleboxes complicate enforcement
– E.g., NAT/LB rewrite headers, proxy sends cached response
Root cause: violation of the SDN tenets
– Origin Binding and Paths-Follow-Policy
FlowTags extends SDN with new middlebox APIs
– Restores the tenets using the new DPG abstraction
– No changes to switches and switch APIs
FlowTags is practical
– Minimal middlebox changes, low overhead
– An enabler for verification, testing, and diagnosis

