Presentation is loading. Please wait.

Presentation is loading. Please wait.

FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions Author: Seyed Kaveh Fayazbakhsh, Vyas Sekar, Minlan Yu and Jeffrey.

Published byMagnus O’Neal’ Modified over 9 years ago

Similar presentations

Presentation on theme: "FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions Author: Seyed Kaveh Fayazbakhsh, Vyas Sekar, Minlan Yu and Jeffrey."— Presentation transcript:

1 FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions Author: Seyed Kaveh Fayazbakhsh, Vyas Sekar, Minlan Yu and Jeffrey C. Mogul Conference: ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking(HotSDN), 2013 Presenter: Kuan-Chieh Feng Date: 2015/12/02 Department of Computer Science and Information Engineering National Cheng Kung University

2 Outline Introduction Motivation FlowTags Architecture Preliminary Result Conclusion National Cheng Kung University CSIE Computer & Internet Architecture Lab 2

3 Introduction A key advantage of SDN is the ability to consistently enforce and verify network-wide policies for network management tasks. Unfortunately, middleboxes make it challenging to enforce and verify such policies. National Cheng Kung University CSIE Computer & Internet Architecture Lab 3

4 Introduction The cause of this problem is that as packets traverse the network, their headers and contents may be dynamically modified by middleboxes. To this end, we propose FlowTags, an extended SDN architecture in which middleboxes add Tags to outgoing packets, to provide the necessary causal context. National Cheng Kung University CSIE Computer & Internet Architecture Lab 4

5 Motivation Traffic Attribution - 1 National Cheng Kung University CSIE Computer & Internet Architecture Lab 5

6 Motivation Traffic Attribution - 2 National Cheng Kung University CSIE Computer & Internet Architecture Lab 6

7 Motivation Dynamic Traffic Dependence National Cheng Kung University CSIE Computer & Internet Architecture Lab 7

8 Motivation Strawman Solutions Correlating flows Middlebox placement Consolidation Policy verification tools National Cheng Kung University CSIE Computer & Internet Architecture Lab 8

9 FlowTags Architecture Motivated by this observation, we propose FlowTags, an extended SDN architecture that incorporates the necessary visibility into middlebox actions in order to systematically enforce and verify policies. National Cheng Kung University CSIE Computer & Internet Architecture Lab 9

10 FlowTags Architecture In designing, we impose three constraints: Require minimal modifications to middleboxes Preserve existing switches as well as the switch- controller interface Avoid direct interactions between middleboxes and switches National Cheng Kung University CSIE Computer & Internet Architecture Lab 10

11 FlowTags Architecture – Overview FlowTags-enhanced middlebox will add new Tags based on the context. Switches use Tags to steer packets. New FlowTags APIs between controller and FlowTags-enhanced middlebox. New control applications that configure the tagging behavior of the middleboxes and switches, and that also leverage Tags to support policy enforcement and verification National Cheng Kung University CSIE Computer & Internet Architecture Lab 11

12 FlowTags Architecture - Overview National Cheng Kung University CSIE Computer & Internet Architecture Lab 12

13 FlowTags Architecture - Southbound API We define an interface between the enhanced SDN controller and FlowTags-enhanced middleboxes. Middleboxes are both producers as well as consumers of Tags. National Cheng Kung University CSIE Computer & Internet Architecture Lab 13

14 FlowTags Architecture - Southbound API Corresponding to these two roles we envision two configuration tables: TagsFlowTable TagsActionTable National Cheng Kung University CSIE Computer & Internet Architecture Lab 14

15 FlowTags Architecture - Southbound API Tag addition Mbox queries the controller via RqstTag(Pkt,{MboxContext}) The response from the controller is a two-tuple of the form Tag consumption Mbox queries the controller via RqstAction(Pkt,Tags) The controller responds with an appropriate Action, in the form of a tuple of the form National Cheng Kung University CSIE Computer & Internet Architecture Lab 15

16 FlowTags Architecture - Example As in traditional SDN, the controller maintains a global view of the network state, including switch FIBs. Additionally, the controller maintains a copy the TagsFlowTable and TagsActionTable for each middlebox. National Cheng Kung University CSIE Computer & Internet Architecture Lab 16

17 FlowTags Architecture - Example National Cheng Kung University CSIE Computer & Internet Architecture Lab 17

18 Preliminary Result FlowTags Proof-of-Concept Using Squid (> over 100,000 lines of code) About 30 lines of code to add FlowTags support Using ToS/DSCP field in IPv4 packet header Validated use-cases with examples National Cheng Kung University CSIE Computer & Internet Architecture Lab 18

19 Preliminary Result National Cheng Kung University CSIE Computer & Internet Architecture Lab 19

20 Supplement FlowTags needs minimal middlebox modifications National Cheng Kung University CSIE Computer & Internet Architecture Lab 20 MiddleboxTotal LOCModified LOC Squid216,00075 Snort336,00045 Balance2,00060 iptables42,00055 PRADS15,00025

21 Supplement FlowTags adds low overhead National Cheng Kung University CSIE Computer & Internet Architecture Lab 21 Breakdown of flow processing time (ms)

22 Conclusion Middleboxes make policy enforcement hard Dynamic modifications are hard to account for FlowTags can make “flow context” visible Minimal modifications to middleboxes No changes to switch/switch APIs Early promise, but many challenges remain E.g., How many bits? Control apps? National Cheng Kung University CSIE Computer & Internet Architecture Lab 22

Download ppt "FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions Author: Seyed Kaveh Fayazbakhsh, Vyas Sekar, Minlan Yu and Jeffrey."

Similar presentations

Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul

Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul
Verifiable Network Function Outsourcing Seyed K. FayazbakhshMichael K. ReiterVyas Sekar 1.

Verifiable Network Function Outsourcing Seyed K. FayazbakhshMichael K. ReiterVyas Sekar 1.
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Toward Practical Integration of SDN and Middleboxes

Toward Practical Integration of SDN and Middleboxes
SIMPLE-fying Middlebox Policy Enforcement Using SDN

SIMPLE-fying Middlebox Policy Enforcement Using SDN
Deep Packet Inspection with DFA-trees and Parametrized Language Overapproximation Author: Daniel Luchaup, Lorenzo De Carli, Somesh Jha, Eric Bach Publisher:

Deep Packet Inspection with DFA-trees and Parametrized Language Overapproximation Author: Daniel Luchaup, Lorenzo De Carli, Somesh Jha, Eric Bach Publisher:
Scalable Packet Classification Using Hybrid and Dynamic Cuttings Authors : Wenjun Li,Xianfeng Li Publisher : Engineering Lab on Intelligent Perception.

Scalable Packet Classification Using Hybrid and Dynamic Cuttings Authors : Wenjun Li,Xianfeng Li Publisher : Engineering Lab on Intelligent Perception.
Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.

Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.
Toward Practical Convergence of Middleboxes and Software-Defined Networking Vyas Sekar Joint work with: Seyed Kaveh Fayazbakhsh, Zafar Qazi, Luis Chiang,

Toward Practical Convergence of Middleboxes and Software-Defined Networking Vyas Sekar Joint work with: Seyed Kaveh Fayazbakhsh, Zafar Qazi, Luis Chiang,
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Making Cellular Networks Scalable and Flexible Li Erran Li Bell Labs, Alcatel-Lucent Joint work with collaborators at university of Michigan, Princeton,

Making Cellular Networks Scalable and Flexible Li Erran Li Bell Labs, Alcatel-Lucent Joint work with collaborators at university of Michigan, Princeton,
SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
OpenFlow-Based Server Load Balancing GoneWild Author : Richard Wang, Dana Butnariu, Jennifer Rexford Publisher : Hot-ICE'11 Proceedings of the 11th USENIX.

OpenFlow-Based Server Load Balancing GoneWild Author : Richard Wang, Dana Butnariu, Jennifer Rexford Publisher : Hot-ICE'11 Proceedings of the 11th USENIX.
Fast forwarding table lookup exploiting GPU memory architecture Author : Youngjun Lee,Minseon Jeong,Sanghwan Lee,Eun-Jin Im Publisher : Information and.

Fast forwarding table lookup exploiting GPU memory architecture Author : Youngjun Lee,Minseon Jeong,Sanghwan Lee,Eun-Jin Im Publisher : Information and.
Packet Classification Using Multi-Iteration RFC Author: Chun-Hui Tsai, Hung-Mao Chu, Pi-Chung Wang Publisher: COMPSACW, 2013 IEEE 37th Annual (Computer.

Packet Classification Using Multi-Iteration RFC Author: Chun-Hui Tsai, Hung-Mao Chu, Pi-Chung Wang Publisher: COMPSACW, 2013 IEEE 37th Annual (Computer.
Leveraging Traffic Repetitions for High- Speed Deep Packet Inspection Author: Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, David Hay Publisher:

Leveraging Traffic Repetitions for High- Speed Deep Packet Inspection Author: Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, David Hay Publisher:
Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags Seyed K. Fayazbakhsh *, Luis Chiang ¶, Vyas Sekar *, Minlan.

Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags Seyed K. Fayazbakhsh *, Luis Chiang ¶, Vyas Sekar *, Minlan.
Extending SDN to Handle Dynamic Middlebox Actions via FlowTags (Full version to appear in NSDI’14) Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan.

Extending SDN to Handle Dynamic Middlebox Actions via FlowTags (Full version to appear in NSDI’14) Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan.
Deterministic Finite Automaton for Scalable Traffic Identification: the Power of Compressing by Range Authors: Rafael Antonello, Stenio Fernandes, Djamel.

Deterministic Finite Automaton for Scalable Traffic Identification: the Power of Compressing by Range Authors: Rafael Antonello, Stenio Fernandes, Djamel.
Memory-Efficient Regular Expression Search Using State Merging Author: Michela Becchi, Srihari Cadambi Publisher: INFOCOM 2007. 26th IEEE International.

Memory-Efficient Regular Expression Search Using State Merging Author: Michela Becchi, Srihari Cadambi Publisher: INFOCOM th IEEE International.

Similar presentations

Ads by Google