Presentation is loading. Please wait.

Presentation is loading. Please wait.

SIMPLE-fying Middlebox Policy Enforcement Using SDN

Published byHilary Dale Lloyd Modified over 9 years ago

Similar presentations

Presentation on theme: "SIMPLE-fying Middlebox Policy Enforcement Using SDN"— Presentation transcript:

1 SIMPLE-fying Middlebox Policy Enforcement Using SDN
Zafar Ayyub Qazi, Cheng-Chun Tu, Luis Chiang, Rui Miao, Vyas Sekar, Minlan Yu Presenter: Chen Qian

2 Middleboxes are important
Security Network Function Firewall IDS Acceleration Network Function Network function, also known as middlleboxes, are playing important role in the network. Network Functions nowadays are ubiquitous in the network. Network functions are the networking devices that perform tasks other than packet forwarding. Network functions are built for different purposes. One category of network functions is used to enhance the security of enterprise networks, campus networks, or any others. The examples are firewall and intrusion detection system. Another category of network functions is used to accelerate the speed of the network. For instance, wide area network optimizer could be used to compress the traffic and web proxy is used for caching web pages. WAN Optimizer Proxy

3 Hardware and software middleboxes
IDS Hardware Software WAN Optimizer Traditionally, these network functions are built in propriety dedicated hardware. These hardware boxes incur high expenses for physical equipment as well as operational costs. Hardware updates and replacements are not easy, which also involve in a great amount of human labor and financial cost. To address these challenges, there is a trend in the networking community to build software version of these network functions. Based on software network functions, Network function virtualization is proposed to use virtualization technology to virtualize network functions nodes into blocks. Proxy

4 How middleboxes process network traffic
1. The specified network traffic should go through a sequence of middlebox before reaching the destination Firewall - IDS - Proxy 2. Middlebox policies (types and orders of MBs) should be strictly reinforced

5 Middleboxes management is hard!
Survey across 57 network operators (J. Sherry et al. SIGCOMM 2012) e.g., a network with ~2000 middleboxes required 500+ operators Critical for security, performance, compliance But expensive, complex and difficult to manage

6 How SDN helps middleboxes
SDN can effectively configure flow paths so that a flow can go through a number of middleboxes in a given order SDN can assign different flows to different middleboxes so that the load on middleboxes can be balanced

7 Can SDN simplify middlebox management?
Centralized Controller Firewall IDS Proxy Web OpenFlow “Flow” FwdAction “Flow” FwdAction Proxy IDS Scope: Enforce middlebox-specific steering policies Necessity + Opportunity: Incorporate functions markets views as important

8 What makes this problem challenging?
Centralized Controller Firewall IDS Proxy Web OpenFlow “Flow” FwdAction “Flow” FwdAction Proxy IDS Middleboxes introduce new dimensions beyond L2/L3 tasks. Achieve this with unmodified middleboxes and existing SDN APIs

9 SIMPLE Policy enforcement layer for
Firewall IDS Proxy Web Policy enforcement layer for middlebox-specific “traffic steering” Legacy Middleboxes OpenFlow capable Flow Action Flow Action

10 Outline Motivation Challenges SIMPLE Design Evaluation Conclusions 10

11 Challenge: Policy Composition
Firewall IDS Proxy * Policy Chain: Oops! Forward Pkt to IDS or Dst? Firewall Proxy IDS S1 S2 Dst “Loops” Traditional flow rules may not suffice!

12 Challenge: Resource Constraints
Firewall Proxy Space for traffic split? S2 S4 S1 IDS1 = 50% IDS2 = 50% S3 Can we set up “feasible” forwarding rules?

13 Challenge: Dynamic Modifications
User1: Proxy  Firewall User2: Proxy Proxy may modify flows User 1 Proxy S1 S2 User 2 Firewall Are forwarding rules at S2 correct?

14 New dimensions beyond Layer 2-3 tasks
1) Policy Composition  Potential loops 2) Resource Constraints  Switch + Middlebox 3) Dynamic Modifications  Correctness? Can we address these with unmodified middleboxes and existing SDN APIs?

15 Outline Motivation + Context for the Work Challenges SIMPLE Design
Evaluation Conclusion

16 SIMPLE System Overview
Firewall IDS Proxy Web Rule Generator Resource Manager Modifications Handler Legacy Middleboxes OpenFlow capable Flow Action Flow Action

17 High-level input The network administrators specify the processing policies to the resource manager, without worrying about where the process occur. The network topology and traffic information are input to the resource manager Resource constraints are input to the resource manager 1. packet processing resources (CPU, memory, accelerators) for different middleboxes 2. TCAM available for installing forwarding rules

18 Composition  Tag Processing State
Firewall IDS Proxy * Policy Chain: Firewall Proxy IDS Fwd to Dst S1 S2 Dst Post-Proxy Post-Firewall ORIGINAL Post-IDS Insight: Distinguish different instances of the same packet

19 Inter-switch tunnels

20 SIMPLE System Overview
Firewall IDS Proxy Web Rule Generator Resource Manager Modifications Handler Legacy Middleboxes OpenFlow capable Flow Action Flow Action

21 Resource Constraints Joint Optimization
Topology & Traffic Switch TCAM Middlebox Capacity + Footprints Policy Spec Resource Manager Optimal & Feasible load balancing Theoretically hard! Not obvious if some configuration is feasible!

22 Offline + Online Decomposition
Policy Spec Network Topology Switch TCAM Mbox Capacity + Footprints Traffic Matrix Resource Manager Offline Stage Online Step Deals with Switch constraints Deals with only load balancing

23 Offline Stage: ILP based pruning

24 Offline Stage: ILP based pruning
Feasible Sufficient freedom Set of all possible middlebox load distributions Pruned Set Balance the middlebox load (online, LP)

25 SIMPLE System Overview
FW IDS Proxy Web Rule Generator Resource Manager Modifications Handler Legacy Middleboxes OpenFlow capable Flow Action Flow Action

26 Modifications  Infer flow correlations
Correlate flows Install rules Payload Similarity User 1 Proxy S1 S2 User 2 Firewall User1: Proxy  Firewall User2: Proxy

27

28 When a middlebox changes everything
Payloads still have a significant amount of partial overlap. For the proxy case, the web content still matches. Use Rabin fingerprints to calculate the similarity.

29

30 SIMPLE Implementation
FW IDS Proxy Web Rule Generator (Policy Composition) Resource Manager (Resource Constraint) Modifications Handler (Dynamic modifications) CPLEX POX extensions OpenFlow 1.0 Flow Tag/Tunnel Action Flow Tag/Tunnel Action

31 Outline Motivation + Context for the Work Challenges SIMPLE Design
Evaluation Conclusion

32 Evaluation and Methodology
What benefits SIMPLE offers? load balancing? How scalable is the SIMPLE optimizer? How close is the SIMPLE optimizer to the optimal? How accurate is the dynamic inference? Methodology Small-scale real test bed experiments (Emulab) Evaluation over Mininet (with up to 60 nodes) Large-scale trace driven simulations (for convergence times)

33 Compare to Ingress-based method
The middleboxes closest to the ingress are selected.

34 Benefits: Load balancing
Optimal 4-7X better load balancing and near optimal

35 Overhead: Reconfiguration Time
33 node topology including 11 switches Around 125 ms to reconfigure, most time spent in pushing rules

36 Fraction of sequences with loops

37 Time of execution

38 Other Key Results LP solving takes 1s for a 252 node topology
4-5 orders of magnitude faster than strawman 95 % accuracy in inferring flow correlations Scalability of pruning: 1800s  110s

39 Conclusions Middleboxes: Necessity and opportunity for SDN
Goal: Simplify middlebox-specific policy enforcement Challenges: Composition, resource constraints, modifications SIMPLE: policy enforcement layer Does not modify middleboxes No changes to SDN APIs No visibility required into the internal of middleboxes Scalable and offers 4-7X improvement in load balancing

Download ppt "SIMPLE-fying Middlebox Policy Enforcement Using SDN"

Similar presentations

Justine Sherry*, Shaddi Hasan*, Colin Scott*, Arvind Krishnamurthy†,

Justine Sherry*, Shaddi Hasan*, Colin Scott*, Arvind Krishnamurthy†,
Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul

Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Toward Practical Integration of SDN and Middleboxes

Toward Practical Integration of SDN and Middleboxes
SIMPLE-fying Middlebox Policy Enforcement Using SDN

SIMPLE-fying Middlebox Policy Enforcement Using SDN
VCRIB: Virtual Cloud Rule Information Base Masoud Moshref, Minlan Yu, Abhishek Sharma, Ramesh Govindan HotCloud 2012.

VCRIB: Virtual Cloud Rule Information Base Masoud Moshref, Minlan Yu, Abhishek Sharma, Ramesh Govindan HotCloud 2012.
Composing Software Defined Networks

Composing Software Defined Networks
Nanxi Kang Princeton University

Nanxi Kang Princeton University
Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.

Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.
Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.

Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.
Toward Practical Convergence of Middleboxes and Software-Defined Networking Vyas Sekar Joint work with: Seyed Kaveh Fayazbakhsh, Zafar Qazi, Luis Chiang,

Toward Practical Convergence of Middleboxes and Software-Defined Networking Vyas Sekar Joint work with: Seyed Kaveh Fayazbakhsh, Zafar Qazi, Luis Chiang,
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Incremental Consistent Updates Naga Praveen Katta Jennifer Rexford, David Walker Princeton University.

Incremental Consistent Updates Naga Praveen Katta Jennifer Rexford, David Walker Princeton University.
SDN: Extensions Middleboxes 1 Ack: Vyas Sekar, Aaron Gember, Felipe Huici, Zafar Qazi.

SDN: Extensions Middleboxes 1 Ack: Vyas Sekar, Aaron Gember, Felipe Huici, Zafar Qazi.
Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.

Design and Implementation of a Consolidated Middlebox Architecture 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.
Software Defined Networking COMS 6998-8, Fall 2013 Guest Speaker: Seyed Kaveh Fayazbakhsh Stony Brook University 11/12/2013: SDN and Middleboxes.

Software Defined Networking COMS , Fall 2013 Guest Speaker: Seyed Kaveh Fayazbakhsh Stony Brook University 11/12/2013: SDN and Middleboxes.
Network Innovation using OpenFlow: A Survey

Network Innovation using OpenFlow: A Survey
Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.

Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.
The Middlebox Manifesto: Enabling Innovation in Middlebox Deployment 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.

The Middlebox Manifesto: Enabling Innovation in Middlebox Deployment 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.
A Survey on Interfaces to Network Security

A Survey on Interfaces to Network Security

Similar presentations

Ads by Google