Presentation is loading. Please wait.

Presentation is loading. Please wait.

Extending SDN to Handle Dynamic Middlebox Actions via FlowTags (Full version to appear in NSDI’14) Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan.

Published byAmice O’Brien’ Modified over 9 years ago

Similar presentations

Presentation on theme: "Extending SDN to Handle Dynamic Middlebox Actions via FlowTags (Full version to appear in NSDI’14) Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan."— Presentation transcript:

1 Extending SDN to Handle Dynamic Middlebox Actions via FlowTags (Full version to appear in NSDI’14) Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan Yu, Jeff Mogul

2 S1S1 S2S2 Firewall NAT Internet H1H1 H2H2 H3H3 Attribution is hard 2 NAT hides the true packet sources Block the access of hosts H 1 and H 3 to certain website.

3 Network Diagnosis is difficult Difficult to correlate network logs for diagnosis 3 S1S1 S2S2 Load Balancer H2H2 H1H1 Server 2 Server 1 H 1 sees a very high service delay – but what’s causing it? NAT t1t1 t2t2

4 S1S1 S2S2 HnHn H1H1 Light IPS … Server Heavy IPS Data-dependent policies Difficult to set up forwarding rules at S 2 Policy: Process all traffic by light IPS and only suspicious traffic by heavy IPS. 4

5 Policy violations may occur S1S1 S2S2 Proxy Internet H2H2 H1H1 Web ACL: Block H 2  xyz.com Get xyz.com Cached response Response Lack of visibility into the middlebox context 5 Cached response

6 High-level idea of FlowTags Middleboxes violate two SDN tenets – Packets no longer bound to “origins” – Packets don’t follow policy mandated paths Middleboxes need to help restore SDN tenets Add missing contextual information as Tags – E.g., NAT or Load balancer give IP mappings; Proxy gives cache hit/miss state SDN+ Controller controls tagging logic – For both switches and middleboxes 6

7 Control Apps e.g., steering, verification Control Apps e.g., routing, traffic eng. Network OS Control Data SDN Switches FlowTable FlowTags Enhanced Middleboxes FlowTags Tables Control Apps e.g., steering, verification Admin Mbox Config FlowTags APIs Existing APIs e.g., OpenFlow Legacy interface New interface 7 FlowTags Architecture

8 S1S1 S2S2 Firewall NAT Internet H 1 192.168.1.1 H 2 192.168.1.2 H 3 192.168.1.3 SrcIPTag 192.168.1.11 192.168.1.22 192.168.1.33 TagOrigSrcIP 1192.168.1.1 3192.168.1.3 Block 192.168.1.1 Block 192.168.1.3 NAT Add Tags Decode Tags Firewall Config w.r.t original principals TagForward 1,3FW 2Internet S2 FlowTable Example of FlowTags in action Tag Generation Tag Consumption 8

9 Challenges and Solutions What semantics should FlowTags capture?  New “dynamic policy graph” abstraction How easy is it to enhance middleboxes?  Less than 50-100 LOC vs. 2K-300K original Can we encode FlowTags in packets?  Yes, only 14 bits in expectation 9

10 Summary Middleboxes violate the SDN tenets and make policy enforcement and diagnosis challenging. FlowTags is an extension to SDN to provide contextual information using tags to restore the SDN tenets. FlowTags enables new network policy enforcement and verification capabilities. Practical, low-overhead, and scalable. 10

Download ppt "Extending SDN to Handle Dynamic Middlebox Actions via FlowTags (Full version to appear in NSDI’14) Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan."

Similar presentations

Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul

Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul
Towards Software Defined Cellular Networks

Towards Software Defined Cellular Networks
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Toward Practical Integration of SDN and Middleboxes

Toward Practical Integration of SDN and Middleboxes
SIMPLE-fying Middlebox Policy Enforcement Using SDN

SIMPLE-fying Middlebox Policy Enforcement Using SDN
SDN Applications Jennifer Rexford Princeton University.

SDN Applications Jennifer Rexford Princeton University.
Composing Software-Defined Networks Princeton*Cornell^ Chris Monsanto*, Joshua Reich* Nate Foster^, Jen Rexford*, David Walker* www.frenetic-lang.org/pyretic.

Composing Software-Defined Networks Princeton*Cornell^ Chris Monsanto*, Joshua Reich* Nate Foster^, Jen Rexford*, David Walker*
Jennifer Rexford Princeton University

Jennifer Rexford Princeton University
Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.

Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.
Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.

Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.
Toward Practical Convergence of Middleboxes and Software-Defined Networking Vyas Sekar Joint work with: Seyed Kaveh Fayazbakhsh, Zafar Qazi, Luis Chiang,

Toward Practical Convergence of Middleboxes and Software-Defined Networking Vyas Sekar Joint work with: Seyed Kaveh Fayazbakhsh, Zafar Qazi, Luis Chiang,
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Making Cellular Networks Scalable and Flexible Li Erran Li Bell Labs, Alcatel-Lucent Joint work with collaborators at university of Michigan, Princeton,

Making Cellular Networks Scalable and Flexible Li Erran Li Bell Labs, Alcatel-Lucent Joint work with collaborators at university of Michigan, Princeton,
VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly.

VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly.
SDN: Extensions Middleboxes 1 Ack: Vyas Sekar, Aaron Gember, Felipe Huici, Zafar Qazi.

SDN: Extensions Middleboxes 1 Ack: Vyas Sekar, Aaron Gember, Felipe Huici, Zafar Qazi.
Programming Abstractions for Software-Defined Networks Jennifer Rexford Princeton University.

Programming Abstractions for Software-Defined Networks Jennifer Rexford Princeton University.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
Internet Indirection Infrastructure Ion Stoica UC Berkeley.

Internet Indirection Infrastructure Ion Stoica UC Berkeley.
Data Plane Verification. Background: What are network policies Alice can talk to Bob Skype traffic must go through a VoIP transcoder All traffic must.

Data Plane Verification. Background: What are network policies Alice can talk to Bob Skype traffic must go through a VoIP transcoder All traffic must.
Jaehoon (Paul) Jeong, Hyoungshick Kim, and Jung-Soo Park

Jaehoon (Paul) Jeong, Hyoungshick Kim, and Jung-Soo Park

Similar presentations

Ads by Google