Practical and Incremental Convergence between SDN and Middleboxes
Transcript of Practical and Incremental Convergence between SDN and Middleboxes
1
Practical and Incremental Convergence between SDN and Middleboxes
Zafar Qazi, Cheng-Chun Tu, Luis Chiang
Vyas Sekar
Rui Miao
Minlan Yu
2
Why middleboxes?
– Data from a large enterprise:
Type of appliance     Number
Firewalls                166
NIDS                     127
Media gateways           110
Load balancers            67
Proxies                   66
VPN gateways              45
WAN Optimizers            44
Voice gateways            11
Total Middleboxes        636
Total routers           ~900
– Survey across 57 network operators
– Critical piece of network infrastructure
– But painful to manage, hard to add new functions
3
Why should SDN community care?
Aug. 2012 ONF report
– Integrate SDN into production networks
– APIs for functions the market views as important
Survey on SDN adoption [Metzler 2012]
– use cases that justify deployment
– “add a focus on Layer 4 through Layer 7 functionality … change in the perceived value of SDN.”
Middleboxes: Necessity and Opportunity
4
Goal: SDN + Middlebox integration
Figure: a Centralized Controller programs the switches' flow tables (“Flow” → FwdAction) through Open APIs.
Can we achieve SDN-Middlebox integration:
– with existing SDN APIs?
– with unmodified middleboxes?
5
Challenge: Policy Composition
Figure: switches S1, S2, S3, S4 between Src and Dst, with Firewall1, IDS1 and Proxy1 attached; policy chain Firewall → IDS → Proxy.
Pkt, S2—S4: IDS1 vs Dst ??
Policy routing
Need more expressive data plane?
6
Solution: Tag Packet Processing State
Use “state” tags in addition to header, interface info
Figure: Firewall, Proxy and IDS placed on switches S2 and S4, with tag values 1 = None, 2 = Post Firewall, 3 = Post IDS, 4 = Post Proxy.
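The ambiguity on the S2—S4 link and how state tags remove it, as an added example (not the authors' code): a small simulation that programs per-switch rules for the chain Firewall → IDS → Proxy first with header and ingress port only, then with a processing-state tag, and reports which match keys two hops would need with different actions. The ring topology, attachment points, 5-tuple stand-in and the assumption that a middlebox hands the tag back unchanged are mine; the tag values are the slide's.

```python
"""Policy composition on the slides' S1..S4 example, with and without processing-state
tags. Constructed example for this page, not the authors' code: the ring topology,
attachment points, 5-tuple, and the assumption that a middlebox hands the tag back
unchanged are mine; tag values are the slide's (1 None, 2 Post Firewall, 3 Post IDS, 4 Post Proxy)."""
from collections import deque

CHAIN = ["Firewall1", "IDS1", "Proxy1"]  # policy chain Firewall -> IDS -> Proxy
TAG = {"None": 1, "Firewall1": 2, "IDS1": 3, "Proxy1": 4}
LINKS = {"S1": ["S3", "S2"], "S2": ["S1", "S4"], "S3": ["S1", "S4"], "S4": ["S3", "S2"]}
ATTACH = {"Src": "S1", "Firewall1": "S4", "IDS1": "S2", "Proxy1": "S4", "Dst": "S2"}
HEADER = ("10.1.1.1", "10.2.2.2", 80)  # constructed stand-in for the flow's header fields

def path(a, b):
    """Shortest switch path a -> b by BFS with a fixed neighbour order."""
    prev, q = {a: None}, deque([a])
    while q and (s := q.popleft()) != b:
        for n in LINKS[s]:
            if n not in prev:
                prev[n] = s
                q.append(n)
    p = [b]
    while prev[p[-1]] is not None:
        p.append(prev[p[-1]])
    return p[::-1]

def build_rules(header, use_tag):
    """Walk one flow through the chain and program every switch it crosses.
    Rule key = (switch, in_port, header[, tag]); action = (tag_to_set, out_port).
    Returns (rules, conflicts): a conflict is a key that two hops need with
    different actions, i.e. a decision the available match fields cannot express."""
    rules, conflicts = {}, set()
    stages = ["Src"] + CHAIN + ["Dst"]
    tag = TAG["None"]
    for src_node, dst_node in zip(stages, stages[1:]):
        new_tag = TAG.get(src_node, tag)  # stage the packet has just completed
        in_port, hops = src_node, path(ATTACH[src_node], ATTACH[dst_node])
        for i, sw in enumerate(hops):
            out = hops[i + 1] if i + 1 < len(hops) else dst_node
            key = (sw, in_port, header) + ((tag,) if use_tag else ())
            action = (new_tag if use_tag else None, out)
            if rules.get(key, action) != action:
                conflicts.add(key)
            rules[key] = action
            in_port, tag = sw, new_tag  # the switch a box returns to sets the new tag
    return rules, conflicts

if __name__ == "__main__":
    print("tag-less ambiguity:", build_rules(HEADER, use_tag=False)[1])  # {('S2','S4',HEADER)}
    print("with tags:", build_rules(HEADER, use_tag=True)[1])  # set()
```

Without the tag, S2 sees the same header on the same ingress port (from S4) both after the firewall and after the proxy, so one key would have to mean both "to IDS1" and "to Dst"; with the tag the two rules coexist.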
7
Challenge: Resource Management
Figure: same topology (S1 to S4, Src, Dst, Firewall1, Proxy1) with IDS traffic split IDS1 = 50%, IDS2 = 50%.
Rules to “split” traffic
How much TCAM does this load balancing need?
8
Solution: Joint Optimization
Figure: a Resource Manager takes Topology, Traffic, Switch TCAM, Middlebox Hardware and Policy Spec as inputs and produces the Processing Distribution and Forwarding Rules.
Theoretically hard, but we have practical decomposition
9
Challenge: Traffic Modifications
Figure: same topology with IDS1 = 50%, IDS2 = 50%.
Proxy may modify sessions
How can we set up the correct forwarding rules?
10
Solution: Infer flow correlations
Payload similarity algorithms
Figure: flows f1 (User 1: p1 p2 …) and f2 (User 2: q1 q2 …) enter the Proxy and leave as modified flows f1’ (p1* p2* p3 p4*) and f2’ (q1 q2 q3); the controller collects the first 2-3 packets within a time window T, correlates flows, then installs rules.
11
Challenges in SDN-Middlebox integration
Policy composition: “Tag” processing state; Tunnels for compact routing
Resource management: Scalable joint optimization
Traffic modification: Infer flow correlations
12
NIMBLE System Overview
Figure: Admin specifies the policy (FW, IDS, Proxy, Web) to a controller consisting of a Rule Generator, Resource Manager and Dynamics Handler, which programs OpenFlow-enabled Switches with Legacy Middleboxes attached.
Using OpenFlow 1.0!
Flow table: Flow → Tag/Tunnel Action
Forward first k pkts
13
Evaluation
TBD
Say something about prototype
Show one/two results
14
Broader Middlebox Research Agenda
High capital costs
Management complexity
Inflexible, not extensible
Consolidated Architecture [NSDI ‘12]
ONS Poster
Cloud Outsourcing [SIGCOMM ’12]
SDN integration [ongoing]