
Extending SDN to Handle Dynamic Middlebox Actions via FlowTags (Full version to appear in NSDI’14) Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan.


1 Extending SDN to Handle Dynamic Middlebox Actions via FlowTags (full version to appear in NSDI'14). Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan Yu, Jeff Mogul.

2 Attribution is hard
[Figure: hosts H1, H2 and H3 attach to switch S1; traffic passes through a NAT to switch S2, then to a Firewall and the Internet.]
Policy: block the access of hosts H1 and H3 to a certain website.
Problem: the NAT hides the true packet sources, so the firewall cannot tell which host a packet came from.

3 Network diagnosis is difficult
[Figure: hosts H1 and H2 attach to S1; traffic passes through a NAT and a Load Balancer via S2 to Server 1 and Server 2; log timestamps t1 and t2 are recorded at different points.]
H1 sees a very high service delay, but what is causing it?
Problem: it is difficult to correlate network logs for diagnosis once the NAT and load balancer have rewritten the flows.

4 Data-dependent policies
[Figure: hosts H1 ... Hn attach to S1; traffic passes through a Light IPS to S2, which must send some traffic to a Heavy IPS before the Server.]
Policy: process all traffic by the light IPS and only suspicious traffic by the heavy IPS.
Problem: it is difficult to set up forwarding rules at S2, because whether a flow is suspicious is decided inside the light IPS, not visible to the switch.

5 Policy violations may occur
[Figure: hosts H1 and H2 attach to S1; traffic passes through a Proxy to S2 and the Internet. H1 sends "Get xyz.com", the response is cached by the proxy, and H2 later receives the cached response.]
Web ACL: block H2 → xyz.com.
Problem: the ACL is never consulted for H2's request because the proxy serves it from cache; the network lacks visibility into the middlebox context.

6 High-level idea of FlowTags
Middleboxes violate two SDN tenets:
– Packets are no longer bound to their "origins"
– Packets do not follow policy-mandated paths
Middleboxes need to help restore the SDN tenets: add the missing contextual information as tags.
– E.g., a NAT or load balancer gives its IP mappings; a proxy gives cache hit/miss state
An SDN+ controller controls the tagging logic, for both switches and middleboxes.

7 FlowTags architecture
[Figure: control plane with Admin, Control Apps (e.g., steering, verification; routing, traffic engineering) and the Network OS; data plane with SDN switches holding FlowTables and FlowTags-enhanced middleboxes holding FlowTags tables plus their middlebox (Mbox) config. Existing APIs such as OpenFlow are the legacy interface to switches; the FlowTags APIs are the new interface to middleboxes.]

8 Example of FlowTags in action
[Figure: H1 (192.168.1.1), H2 (192.168.1.2) and H3 (192.168.1.3) attach to S1; traffic passes through the NAT to S2, which steers it either to the Firewall or directly to the Internet.]
Tag generation (NAT adds tags):
  SrcIP        Tag
  192.168.1.1  1
  192.168.1.2  2
  192.168.1.3  3
S2 FlowTable:
  Tag   Forward
  1, 3  FW
  2     Internet
Tag consumption (Firewall decodes tags):
  Tag  OrigSrcIP
  1    192.168.1.1
  3    192.168.1.3
Firewall config w.r.t. original principals: Block 192.168.1.1; Block 192.168.1.3.
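The slide-8 walk-through as an added simulation (constructed for this page, not the authors' code): the NAT generates a tag per original source, the controller turns the NAT's mapping into S2 forwarding rules and a firewall decode table, and the firewall consumes the tag to apply its ACL on the original principal. The NAT's public address and the controller function are assumptions for illustration only.

```python
# Constructed simulation of FlowTags tag generation/consumption (not from the paper).
from dataclasses import dataclass
from typing import Optional

NAT_PUBLIC_IP = "203.0.113.1"               # assumed translated source address
BLOCKED = {"192.168.1.1", "192.168.1.3"}    # firewall config w.r.t. original principals

@dataclass
class Packet:
    src_ip: str
    dst: str = "Internet"
    tag: Optional[int] = None               # FlowTags field carried in the packet

class NAT:
    """Tag generation: record the original source, then rewrite src_ip."""
    def __init__(self):
        self.src_to_tag, self.tag_to_src = {}, {}
    def process(self, pkt):
        tag = self.src_to_tag.setdefault(pkt.src_ip, len(self.src_to_tag) + 1)
        self.tag_to_src[tag] = pkt.src_ip   # exported to the controller via FlowTags API
        return Packet(NAT_PUBLIC_IP, pkt.dst, tag)

def controller(tag_to_src):
    """Assumed controller: derive S2 FlowTable (tag -> next hop) and firewall decode table."""
    s2_rules = {t: ("FW" if s in BLOCKED else "Internet") for t, s in tag_to_src.items()}
    return s2_rules, dict(tag_to_src)

def firewall(pkt, decode):
    """Tag consumption: decode the tag to the original principal, then apply the ACL."""
    orig = decode.get(pkt.tag, pkt.src_ip)  # untagged: only the NAT address is visible
    return "blocked" if orig in BLOCKED else "Internet"

def route(pkts, use_flowtags=True):
    """Return {original src IP: outcome} after NAT, S2 steering and the firewall."""
    nat, outcome = NAT(), {}
    for p in pkts:
        q = nat.process(p)
        if not use_flowtags:
            q.tag = None                    # legacy NAT: context never leaves the box
        s2_rules, decode = controller(nat.tag_to_src if use_flowtags else {})
        hop = s2_rules.get(q.tag, "FW")     # unmatched traffic falls through to the FW
        outcome[p.src_ip] = firewall(q, decode) if hop == "FW" else "Internet"
    return outcome

if __name__ == "__main__":
    hosts = [Packet("192.168.1.1"), Packet("192.168.1.2"), Packet("192.168.1.3")]
    print("FlowTags:", route(hosts))                     # H1 and H3 blocked, H2 allowed
    print("Legacy NAT:", route(hosts, use_flowtags=False))  # nothing can be attributed
```

Without tags the firewall only ever sees the NAT's address, so both blocked hosts pass; with tags, the ACL is enforced on the original principals exactly as the slide's tables describe.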

9 Challenges and solutions
What semantics should FlowTags capture? → A new "dynamic policy graph" abstraction.
How easy is it to enhance middleboxes? → Less than 50-100 LOC of changes vs. 2K-300K LOC in the original middlebox code.
Can we encode FlowTags in packets? → Yes, only 14 bits in expectation.

10 Summary
Middleboxes violate the SDN tenets and make policy enforcement and diagnosis challenging.
FlowTags is an extension to SDN that provides contextual information using tags to restore the SDN tenets.
FlowTags enables new network policy enforcement and verification capabilities.
It is practical, low-overhead, and scalable.
