Firewall1
advertisement
Practical and Incremental Convergence between SDN and Middleboxes Zafar Qazi, Cheng-Chun Tu, Luis Chiang Rui Miao Vyas Sekar Minlan Yu 1 Why middleboxes? Data from a large enterprise Type of appliance Number Firewalls 166 NIDS 127 Media gateways 110 Load balancers 67 Proxies 66 VPN gateways 45 WAN Optimizers 44 Voice gateways 11 Total Middleboxes Total routers Survey across 57 network operators 636 ~900 piece of network infrastructure Critical But painful to manage, hard to add new functions 2 Why should SDN community care? Aug. 2012 ONF report – Integrate SDN into production networks – APIs for functions the market views as important Survey on SDN adoption [Metzler 2012] – use cases that justify deployment – “add a focus on Layer 4 through Layer 7 functionality … change in the perceived value of SDN.” Middleboxes: Necessity and Opportunity 3 Goal: SDN + Middlebox integration Centralized Controller Open APIs “Flow” FwdAction … … “Flow” FwdAction … … Can we achieve SDN-Middlebox integration: with existing SDN APIs? with unmodified middleboxes? 4 Challenge: Policy Composition Proxy1 Firewall1 Pkt, S2—S4: IDS1 vs Dst ?? S2 Src S4 S1 Dst S3 IDS1 Policy routing Firewall IDS Proxy Need more expressive data plane? Solution: Tag Packet Processing State Firewall Proxy IDS S2 S4 1=None 2= Post Firewall 3=Post IDS 4 = Post Proxy Use “state” tags in addition to header, interface info 6 Challenge: Resource Management Proxy1 Firewall1 Rules to “split” traffic S2 S4 Src S1 Dst S3 IDS1 = 50% IDS2 = 50% How much TCAM does this load balancing need? Solution: Joint Optimization Topology Traffic Middlebox Hardware Switch TCAM Policy Spec Resource Manager Forwarding Rules Processing Distribution Theoretically hard, but we have practical decomposition 8 Challenge: Traffic Modifications Proxy1 Firewall1 S2 S4 Src S1 Proxy may modify sessions Dst S3 IDS1 = 50% IDS2 = 50% How can we set up the correct forwarding rules? Solution: Infer flow correlations Payload similarity algorithms Collect first 2-3 packets p1 Install rules Correlate flows P1* P2* p2 q1 q2 User 1 Proxy f1: p4 p3 p2 p1 f1’: p4* f2’: q3 p2* p3 q2 p1* User 2 q1 Time window T 10 Challenges in SDN-Middlebox integration Policy composition Resource management “Tag” processing state Scalable joint optimization Tunnels for compact routing Traffic modification Infer flow correlations 11 NIMBLE System Overview Web Admin FW Resource Manager IDS Proxy Dynamics Handler Rule Generator Forward first k pkts Using OpenFlow 1.0! Flow … Legacy Middleboxes Tag/Tunnel Action … Flow … Tag/Tunnel Action … OpenFlow-enabled Switches Evaluation TBD Say something about prototype Show one/two results 13 Broader Middlebox Research Agenda Inflexible, not extensible Management complexity SDN integration [ongoing] Cloud Outsourcing High capital costs Consolidated Architecture [NSDI ‘12] ONS Poster [SIGCOMM’12] 14
