Extending SDN to Handle Dynamic Middlebox Actions via FlowTags
(Full version to appear in NSDI'14)
Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan Yu, Jeff Mogul
Attribution is hard
Policy: Block the access of hosts H1 and H3 to a certain website.
[Figure: hosts H1, H2 and H3 reach the Internet through switches S1 and S2; a NAT sits between the hosts and a Firewall.]
Problem: the NAT hides the true packet sources, so the firewall cannot tell which packets came from H1 or H3.
Network diagnosis is difficult
H1 sees a very high service delay, but what is causing it?
[Figure: hosts H1 and H2 pass through a NAT, switches S1 and S2 and a Load Balancer to Server 1 and Server 2; timestamps t1 and t2 are taken at different points on the path.]
Problem: it is difficult to correlate the network logs for diagnosis once addresses have been rewritten.
Data-dependent policies
Policy: Process all traffic by the light IPS and only suspicious traffic by the heavy IPS.
[Figure: hosts H1 ... Hn go through switch S1 to the Light IPS; switch S2 must then send suspicious traffic to the Heavy IPS and the rest directly to the Server.]
Problem: it is difficult to set up forwarding rules at S2, because whether a flow is suspicious is only known to the light IPS.
Policy violations may occur
Web ACL: Block H2 → xyz.com
[Figure: hosts H1 and H2 reach the Internet through switches S1 and S2 and a Proxy; H1 fetches xyz.com, and the Proxy serves H2 a cached response for the same site.]
Problem: a lack of visibility into the middlebox context (the proxy's cache hit) lets the ACL be bypassed.
High-level idea of FlowTags
• Middleboxes violate two SDN tenets
– Packets are no longer bound to their "origins"
– Packets don't follow policy-mandated paths
• Middleboxes need to help restore the SDN tenets
• Add the missing contextual information as Tags
– E.g., a NAT or load balancer gives its IP mappings; a proxy gives its cache hit/miss state
• An SDN+ controller controls the tagging logic
– For both switches and middleboxes
FlowTags Architecture
[Figure: Control plane: Control Apps (e.g., routing and traffic engineering; steering and verification) talk to the Network OS through the legacy interface and a new FlowTags interface; the Admin configures the Network OS. Data plane: SDN Switches are programmed through existing APIs (e.g., OpenFlow) into their FlowTable; FlowTags-enhanced Middleboxes are programmed through the FlowTags APIs into their FlowTags Tables and FlowTags Config.]
Example of FlowTags in action
[Figure: hosts H1 (192.168.1.1), H2 (192.168.1.2) and H3 (192.168.1.3) reach the Internet through switch S1, a NAT, switch S2 and a Firewall.]

Tag generation at the NAT (Add Tags):
SrcIP         Tag
192.168.1.1   1
192.168.1.2   2
192.168.1.3   3

Tag consumption at the Firewall (Decode Tags), configured w.r.t. the original principals:
Tag   OrigSrcIP     Rule
1     192.168.1.1   Block 192.168.1.1
3     192.168.1.3   Block 192.168.1.3

Tag consumption at S2 (S2 FlowTable):
Tag   Forward
1,3   FW
2     Internet
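The example above, and the attribution problem from the earlier slide, as an added illustration (not code from the FlowTags paper or its prototype): a toy Python model in which the NAT generates tags, the controller records what each tag means, and switch S2 and the firewall consume the tags. It also covers the data-dependent IPS policy from the earlier slide, where the light IPS is the tag generator. Host addresses, the NAT's public address, the website address, the IPS verdicts and the tag values are all constructed for the example.

```python
"""Toy FlowTags pipeline: tag generation at a NAT / light IPS, tag
consumption at switch S2 and a firewall. Added illustration, not the
FlowTags prototype. All addresses, verdicts and tags are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    tag: Optional[int] = None  # FlowTag carried in the packet, if any


class Controller:
    """SDN+ controller: allocates one tag per original principal."""

    def __init__(self) -> None:
        self.next_tag = 1
        self.tag_to_origin: Dict[int, str] = {}
        self.origin_to_tag: Dict[str, int] = {}

    def tag_for(self, orig_src: str) -> int:
        if orig_src not in self.origin_to_tag:
            self.origin_to_tag[orig_src] = self.next_tag
            self.tag_to_origin[self.next_tag] = orig_src
            self.next_tag += 1
        return self.origin_to_tag[orig_src]


class NAT:
    """Tag generation: rewrite the source IP, attach the tag for the origin."""

    def __init__(self, ctrl: Controller, public_ip: str, tagging: bool = True):
        self.ctrl, self.public_ip, self.tagging = ctrl, public_ip, tagging

    def process(self, pkt: Packet) -> Packet:
        tag = self.ctrl.tag_for(pkt.src_ip) if self.tagging else None
        return Packet(self.public_ip, pkt.dst_ip, tag)


class LightIPS:
    """Tag generation for a data-dependent policy: the verdict is a stub."""
    SUSPICIOUS, BENIGN = 10, 11

    def process(self, pkt: Packet, suspicious: bool) -> Packet:
        return Packet(pkt.src_ip, pkt.dst_ip, self.SUSPICIOUS if suspicious else self.BENIGN)


class Switch:
    """Tag consumption: the FlowTable matches on tags, not rewritten IPs."""

    def __init__(self, rules: List[Tuple[Set[int], str]], default: str):
        self.rules, self.default = rules, default

    def forward(self, pkt: Packet) -> str:
        for tags, port in self.rules:
            if pkt.tag in tags:
                return port
        return self.default


class Firewall:
    """Tag consumption: decode the tag to the original principal, then ACL."""

    def __init__(self, ctrl: Controller, blocked_origins: Set[str]):
        self.ctrl, self.blocked = ctrl, blocked_origins

    def process(self, pkt: Packet) -> str:
        origin = self.ctrl.tag_to_origin.get(pkt.tag, pkt.src_ip)
        return "DROP" if origin in self.blocked else "PASS"


HOSTS = ["192.168.1.1", "192.168.1.2", "192.168.1.3"]  # H1, H2, H3
WEBSITE = "203.0.113.10"  # constructed address of the blocked website


def run_example(tagging: bool = True) -> Dict[str, str]:
    """One packet per host to WEBSITE; where does each one end up?"""
    ctrl = Controller()
    blocked = {"192.168.1.1", "192.168.1.3"}
    for host in HOSTS:
        ctrl.tag_for(host)  # controller pre-installs the tag mappings
    fw_tags = {ctrl.origin_to_tag[h] for h in blocked}
    other_tags = set(ctrl.tag_to_origin) - fw_tags
    nat = NAT(ctrl, public_ip="198.51.100.1", tagging=tagging)
    s2 = Switch([(fw_tags, "FW"), (other_tags, "Internet")], default="Internet")
    fw = Firewall(ctrl, blocked)
    outcome = {}
    for host in HOSTS:
        pkt = nat.process(Packet(host, WEBSITE))
        port = s2.forward(pkt)
        outcome[host] = fw.process(pkt) if port == "FW" else "INTERNET"
    return outcome


def run_ips_example() -> Dict[str, str]:
    """Light IPS tags flows; S2 steers only suspicious ones to the heavy IPS."""
    ips, s2 = LightIPS(), Switch(
        [({LightIPS.SUSPICIOUS}, "HeavyIPS"), ({LightIPS.BENIGN}, "Server")], "Server")
    verdicts = {"192.168.1.1": False, "192.168.1.2": True}  # constructed
    return {h: s2.forward(ips.process(Packet(h, "10.0.0.5"), v)) for h, v in verdicts.items()}


if __name__ == "__main__":
    print(run_example(), run_example(tagging=False), run_ips_example())
```

Running `run_example(tagging=False)` shows the attribution problem: every packet leaves the NAT with the same public source address and no tag, so S2 cannot steer H1's and H3's traffic to the firewall and all three hosts reach the website. With tagging on, the firewall's ACL is written purely in terms of the original hosts, which is the point of the tag-consumption tables above.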
Challenges and Solutions
• What semantics should FlowTags capture?
→ A new "dynamic policy graph" abstraction
• How easy is it to enhance middleboxes?
→ Less than 50-100 LOC vs. 2K-300K original
• Can we encode FlowTags in packets?
→ Yes, only 14 bits in expectation
Summary
• Middleboxes violate the SDN tenets and make policy enforcement and diagnosis challenging.
• FlowTags is an extension to SDN that provides contextual information using tags to restore the SDN tenets.
• FlowTags enables new network policy enforcement and verification capabilities.
• Practical, low-overhead, and scalable.