Practical and Incremental Convergence between SDN and Middleboxes
Transcript of Practical and Incremental Convergence between SDN and Middleboxes
Practical and Incremental Convergence between SDN and Middleboxes
Zafar Qazi, Cheng-Chun Tu, Luis Chiang, Vyas Sekar, Rui Miao, Minlan Yu
Why middleboxes? Data from a large enterprise; survey across 57 network operators
Type of appliance: Number
Firewalls: 166
Intrusion detection: 127
Media gateways: 110
Load balancers: 67
Proxies: 66
VPN gateways: 45
WAN optimizers: 44
Voice gateways: 11
Total middleboxes: 636
Total routers: ~900
Critical for security, performance and compliance, but painful to manage.
Why should the SDN community care?
Aug. 2012 ONF report:
– “integrate into production networks”
– “APIs for functions market views as important”
Survey on SDN adoption [Metzler 2012]:
– “use cases that justify deployment”
– “add a focus on Layer 4 through Layer 7 functionality … change in the perceived value of SDN.”
Middleboxes: Necessity and Opportunity for SDN
Goal: SDN + middlebox integration
(Figure: a centralized controller with open APIs installs flow tables of the form “Flow” → FwdAction on the switches.)
Can we achieve SDN-middlebox integration with existing SDN APIs and with unmodified middleboxes?
Challenges in SDN-MB integration
(Figure: switches S1, S2, S3, S4 with a Firewall, an IDS and a Proxy attached; policy chain Firewall → IDS → Proxy.)
Policy composition: Pkt on S2—S4: IDS or Dst? Are the forwarding rules correct?
Traffic modifications: the proxy may modify traffic.
Resource constraints: IDS1 = 50%, IDS2 = 50%; is there rule space for the traffic split?
Simple flow rules may not suffice!
Recap: three main challenges
Policy composition, traffic modifications, resource constraints
New dimensions beyond Layer 2-3 tasks: Is there enough rule space? Correctness? Flow rules may not suffice.
Composition: tag processing state
Chain Firewall, Proxy, IDS between switches S2 and S4
Tags: 1 = None, 2 = Post Firewall, 3 = Post IDS, 4 = Post Proxy
Use “state” tags in addition to header and interface info.
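To make the state-tag idea concrete, here is an added example (my own illustration, not code from the talk or from NIMBLE): a rule generator for switch S2 that keys every rule on (in_port, state tag) instead of L3/L4 headers, plus a small forwarding walk in which the proxy rewrites the destination. The port numbers, the proxy's rewrite and the chain order Firewall → Proxy → IDS are assumptions.

```python
from dataclasses import dataclass, replace

# Processing-state tags as listed on the slide: 1=None, 2=Post Firewall, 3=Post IDS, 4=Post Proxy
TAG = {"ingress": 1, "Firewall": 2, "IDS": 3, "Proxy": 4}
# Port map for switch S2 (constructed for this example, not from the talk)
PORT = {"ingress": 0, "Firewall": 1, "Proxy": 2, "IDS": 3, "to_S4": 4}

@dataclass(frozen=True)
class Rule:
    in_port: int    # interface the packet arrives on
    match_tag: int  # processing state it carries
    set_tag: int    # new state: "post <the box it just left>"
    out_port: int   # next hop in the policy chain

@dataclass(frozen=True)
class Packet:
    dst: str
    tag: int

def generate_rules(chain):
    """One rule per hop, matched on (in_port, tag) rather than on headers,
    so a proxy that rewrites addresses cannot derail the chain."""
    hops = ["ingress"] + list(chain)
    rules = []
    for i, src in enumerate(hops):
        nxt = chain[i] if i < len(chain) else "to_S4"
        prev_tag = TAG[hops[i - 1]] if i else TAG["ingress"]
        rules.append(Rule(PORT[src], prev_tag, TAG[src], PORT[nxt]))
    return rules

def forward(rules, in_port, pkt):
    """Switch lookup: the first rule matching (in_port, tag) wins."""
    for r in rules:
        if r.in_port == in_port and r.match_tag == pkt.tag:
            return r.out_port, replace(pkt, tag=r.set_tag)
    raise LookupError("no rule: would be a packet-in to the controller")

def run_chain(rules, chain, pkt):
    """Walk a packet through S2. Each middlebox hands it back on its own port;
    the proxy rewrites dst (assumed behaviour), which the lookup never consults."""
    visited = []
    port, pkt = forward(rules, PORT["ingress"], pkt)
    while port != PORT["to_S4"]:
        box = next(m for m in chain if PORT[m] == port)
        visited.append(box)
        if box == "Proxy":
            pkt = replace(pkt, dst="cache.internal")  # constructed proxy rewrite
        port, pkt = forward(rules, port, pkt)
    return visited, pkt
```

With the chain Firewall, Proxy, IDS the generator emits four rules and a packet leaves toward S4 carrying tag 3 (Post IDS) even though its destination header changed at the proxy.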
Resource constraints: joint optimization
Resource Manager inputs: topology & traffic, switch TCAM, middlebox hardware, policy spec
Output: optimal & feasible load balancing
Theoretically hard, but there are practical near-optimal heuristics.
NIMBLE system overview
Policy chain example: FW → IDS → Proxy → Web
Controller modules (POX extensions):
– Rule Generator (processing state tags, switch tunnels)
– Resource Manager (scalable joint optimization)
– Modifications Handler (infer flow correlations)
Data plane: OpenFlow 1.0 on OpenFlow-capable switches (Open vSwitch 1.7.1), with flow tables of the form Flow → Tag/Tunnel Action; legacy middleboxes
Benefits: load balancing (Nimble vs. today)
4-7X better load balancing without modifying middleboxes
Low overhead: 0.1s to reconfigure after failure/overload
SDN + middlebox convergence
Middlebox pain points: high CapEx, high OpEx, inflexible
– COMB: consolidation [NSDI ‘12]
– APLOMB: cloud outsourcing [SIGCOMM ’12]
– NIMBLE: practical integration [today’s talk]
– ONS poster