practical and incremental convergence between sdn and middleboxes

1

Practical and IncrementalConvergence betweenSDN and Middleboxes

Zafar Qazi, Cheng-Chun Tu, Luis Chiang

Vyas Sekar

Rui Miao

Minlan Yu

Type of appliance Number

Firewalls 166

NIDS 127

Media gateways 110

Load balancers 67

Proxies 66

VPN gateways 45

WAN Optimizers 44

Voice gateways 11

Total Middleboxes 636

Total routers ~900

Why middleboxes?Data from a large enterprise Survey across 57 network operators

Critical piece of network infrastructureBut painful to manage, hard to add new functions

2

Why should SDN community care?

3

Aug. 2012 ONF report– Integrate SDN into production networks– APIs for functions the market views as important

Survey on SDN adoption [Metzler 2012]– use cases that justify deployment – “add a focus on Layer 4 through Layer 7 functionality …

change in the perceived value of SDN.”

Middleboxes: Necessity and Opportunity

4

Goal: SDN + Middlebox integration Centralized Controller

“Flow” FwdAction… …

“Flow” FwdAction… …

Can we achieve SDN-Middlebox integration: with existing SDN APIs? with unmodified middleboxes?

Open APIs

S1S2

S4Src

S3

Firewall IDS Proxy

Proxy1

IDS1

Challenge: Policy Composition

Dst

Firewall1

Pkt, S2—S4: IDS1 vs Dst ??

Policy routing

Need more expressive data plane?

2= Post Firewall

Solution: Tag Packet Processing State

6

Firewall Proxy IDS

1=None3=Post IDS

4 = Post Proxy

S2 S4

Use “state” tags in addition to header, interface info

S1

S2S4

Src S3

Proxy1

IDS1 = 50%

Challenge: Resource Management

Dst

Firewall1

IDS2 = 50%

How much TCAM does this load balancing need?

Rules to “split” traffic

Solution: Joint Optimization

8

Resource Manager

TopologyTraffic

Switch TCAM

MiddleboxHardware

Policy Spec

ProcessingDistribution

ForwardingRules

Theoretically hard, but we have practical decomposition

S1

S2S4

Src S3

Proxy1

IDS1 = 50%

Challenge: Traffic Modifications

Dst

Firewall1

IDS2 = 50%

How can we set up the correct forwarding rules?

Proxy may modify sessions

10

Proxy

Correlate flows

Install rules

p1

Collect first 2-3 packets

Time window T

p2p3p4

p1 p2User 1

User 2p1*p2*p3p4*

P1* P2*

q1q2q3

q1 q2

f1: f1’:

f2’:

Solution: Infer flow correlationsPayload similarity algorithms

Challenges in SDN-Middlebox integration

Policy composition

Resource management

Traffic modification11

Scalable joint optimization

Infer flow correlations

“Tag” processing state

Tunnels for compact routing

Admin FW IDS ProxyWeb

Rule Generator

Resource Manager Dynamics Handler

NIMBLE System Overview

LegacyMiddleboxes

OpenFlow-enabledSwitches

Using OpenFlow 1.0!Flow Tag/Tunnel Action… …

Flow Tag/Tunnel Action… …

Forward first k pkts

Evaluation

TBD

Say something about prototype

Show one/two results

13

Broader Middlebox Research Agenda

14

High capital costs

Management complexity

Inflexible, not extensible

ConsolidatedArchitecture[NSDI ‘12]ONS PosterCloud

Outsourcing[SIGCOMM’12]

SDNintegration[ongoing]