Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Firewall1

advertisement 
Practical and Incremental
Convergence between
SDN and Middleboxes
Zafar Qazi, Cheng-Chun Tu, Luis Chiang
Rui Miao
Vyas Sekar
Minlan Yu
1
Why middleboxes?
Data from a large enterprise
Type of appliance
Number
Firewalls
166
NIDS
127
Media gateways
110
Load balancers
67
Proxies
66
VPN gateways
45
WAN Optimizers
44
Voice gateways
11
Total Middleboxes
Total routers
Survey across 57 network operators
636
~900 piece of network infrastructure
Critical
But painful to manage, hard to add new functions
2
Why should SDN community care?
Aug. 2012 ONF report
– Integrate SDN into production networks
– APIs for functions the market views as important
Survey on SDN adoption [Metzler 2012]
– use cases that justify deployment
– “add a focus on Layer 4 through Layer 7 functionality …
change in the perceived value of SDN.”
Middleboxes: Necessity and Opportunity
3
Goal: SDN + Middlebox integration
Centralized Controller
Open APIs
“Flow”
FwdAction
…
…
“Flow”
FwdAction
…
…
Can we achieve SDN-Middlebox integration:
with existing SDN APIs?
with unmodified middleboxes?
4
Challenge: Policy Composition
Proxy1
Firewall1
Pkt, S2—S4:
IDS1 vs Dst ??
S2
Src
S4
S1
Dst
S3
IDS1
Policy routing
Firewall IDS
Proxy
Need more expressive data plane?
Solution: Tag Packet Processing State
Firewall
Proxy
IDS
S2
S4
1=None
2= Post Firewall
3=Post IDS
4 = Post Proxy
Use “state” tags in addition to header, interface info
6
Challenge: Resource Management
Proxy1
Firewall1
Rules to
“split” traffic
S2
S4
Src
S1
Dst
S3
IDS1 = 50%
IDS2 = 50%
How much TCAM does this load balancing need?
Solution: Joint Optimization
Topology
Traffic
Middlebox
Hardware
Switch
TCAM
Policy
Spec
Resource Manager
Forwarding
Rules
Processing
Distribution
Theoretically hard, but we have practical decomposition
8
Challenge: Traffic Modifications
Proxy1
Firewall1
S2
S4
Src
S1
Proxy may
modify
sessions
Dst
S3
IDS1 = 50%
IDS2 = 50%
How can we set up the correct forwarding rules?
Solution: Infer flow correlations
Payload similarity algorithms
Collect first
2-3 packets
p1
Install
rules
Correlate
flows
P1* P2*
p2
q1
q2
User 1
Proxy
f1:
p4
p3
p2
p1
f1’:
p4*
f2’: q3
p2*
p3
q2
p1*
User 2
q1
Time window T
10
Challenges in SDN-Middlebox integration
Policy composition
Resource management
“Tag” processing state
Scalable joint optimization
Tunnels for compact routing
Traffic modification
Infer flow correlations
11
NIMBLE System Overview
Web
Admin
FW
Resource Manager
IDS
Proxy
Dynamics Handler
Rule Generator
Forward first k pkts
Using OpenFlow 1.0!
Flow
…
Legacy
Middleboxes
Tag/Tunnel
Action
…
Flow
…
Tag/Tunnel
Action
…
OpenFlow-enabled
Switches
Evaluation
TBD
Say something about prototype
Show one/two results
13
Broader Middlebox Research Agenda
Inflexible,
not extensible
Management
complexity
SDN
integration
[ongoing]
Cloud
Outsourcing
High capital costs
Consolidated
Architecture
[NSDI ‘12]
ONS Poster
[SIGCOMM’12]
14
Related documents
Thomas Edwards, Fox - Hollywood Post Alliance
Thomas Edwards, Fox - Hollywood Post Alliance
ons14-flowtags
ons14-flowtags
Toward Practical Integration of SDN and Middleboxes
Toward Practical Integration of SDN and Middleboxes
Slides
Slides
iSTAMP
iSTAMP
Proxy
Proxy
02_20_14 - Stanford University Networking Seminar
02_20_14 - Stanford University Networking Seminar
simple
simple
Meridian - ShareCourse
Meridian - ShareCourse
slides
slides
RaZER
RaZER
Hosts SDN Alliance Taiwan
Hosts SDN Alliance Taiwan
Download
advertisement