
Seyed K. Fayazbakhsh , Luis Chiang, Vyas Sekar , Minlan Yu, Jeff Mogul

  1. Extending SDN to Handle Dynamic Middlebox Actions via FlowTags (Full version to appear in NSDI’14). Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan Yu, Jeff Mogul

  2. Attribution is hard
  Block the access of hosts H1 and H3 to a certain website.
  [Figure: H1, H2, H3 -> S1 -> NAT -> Firewall -> S2 -> Internet]
  NAT hides the true packet sources.

  3. Network diagnosis is difficult
  H1 sees a very high service delay, but what is causing it?
  [Figure: H1, H2 -> S1 -> Load Balancer, NAT -> S2 -> Server 1, Server 2; timestamps t1, t2]
  Difficult to correlate network logs for diagnosis.

  4. Data-dependent policies
  Policy: Process all traffic by the light IPS and only suspicious traffic by the heavy IPS.
  [Figure: H1 … Hn -> S1 -> Light IPS -> S2 -> Heavy IPS -> Server]
  Difficult to set up forwarding rules at S2.

  5. Policy violations may occur
  Web ACL: Block H2 -> xyz.com
  [Figure: H1 -> S1 -> Proxy -> S2 -> Internet: H1 sends "Get xyz.com", the response is cached by the proxy; H2 sends "Get xyz.com" and receives the cached response]
  Lack of visibility into the middlebox context.

  6. High-level idea of FlowTags
  • Middleboxes violate two SDN tenets
    • Packets are no longer bound to their “origins”
    • Packets don’t follow policy-mandated paths
  • Middleboxes need to help restore the SDN tenets
    • Add the missing contextual information as tags
    • E.g., a NAT or load balancer gives IP mappings; a proxy gives cache hit/miss state
  • An SDN+ controller controls the tagging logic
    • For both switches and middleboxes

  7. FlowTags architecture
  [Figure, top to bottom:]
  • Admin, Control Apps (e.g., routing, traffic engineering; steering, verification)
  • Legacy interface and new interface into the Network OS
  • Control plane: Existing APIs (e.g., OpenFlow) and FlowTags APIs
  • Data plane: SDN switches with FlowTables; FlowTags-enhanced middleboxes with Mbox config and FlowTags tables

  8. Example of FlowTags in action
  • Firewall config w.r.t. original principals: Block 192.168.1.1, Block 192.168.1.3
  • NAT: tag generation (add tags)
  • Firewall: tag consumption (decode tags)
  • S2 FlowTable: tag consumption
  [Figure: H1 192.168.1.1, H2 192.168.1.2, H3 192.168.1.3 -> S1 -> NAT -> Firewall -> S2 -> Internet]
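  The tag generation / tag consumption flow of this slide as an added Python simulation (not code from the paper or its authors): the NAT rewrites the source address but attaches a tag naming the origin, and the firewall decodes that tag before applying an ACL written against the original hosts. The NAT's public address and the sequential tag allocation are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed topology from the slides: hosts H1..H3 behind a NAT, then a firewall.
HOSTS = {"H1": "192.168.1.1", "H2": "192.168.1.2", "H3": "192.168.1.3"}
BLOCKED = {"192.168.1.1", "192.168.1.3"}   # firewall config w.r.t. original principals
NAT_PUBLIC_IP = "203.0.113.1"               # assumed NAT external address


@dataclass
class Packet:
    src: str
    dst: str
    tag: Optional[int] = None   # FlowTags tag carried in the packet header


class Controller:
    """SDN+ controller: owns the tagging logic, i.e. the tag <-> origin mapping."""
    def __init__(self) -> None:
        self.tag_by_host: Dict[str, int] = {}
        self.host_by_tag: Dict[int, str] = {}

    def tag_for(self, host: str) -> int:
        # Assumed allocation: small sequential tags (the slides report ~14 bits suffice).
        if host not in self.tag_by_host:
            tag = len(self.tag_by_host) + 1
            self.tag_by_host[host] = tag
            self.host_by_tag[tag] = host
        return self.tag_by_host[host]


def nat_generate(ctrl: Controller, pkt: Packet) -> Packet:
    """NAT (tag generation): rewrite the source but attach a tag naming the origin."""
    return Packet(src=NAT_PUBLIC_IP, dst=pkt.dst, tag=ctrl.tag_for(pkt.src))


def firewall_consume(ctrl: Controller, pkt: Packet) -> bool:
    """FlowTags firewall (tag consumption): decode tag -> original host, then apply ACL."""
    origin = ctrl.host_by_tag.get(pkt.tag)
    return origin is not None and origin not in BLOCKED   # True = allowed, unknown tag = drop


def firewall_legacy(pkt: Packet) -> bool:
    """Plain firewall on post-NAT packets: sees only the NAT's address, never the origin."""
    return pkt.src not in BLOCKED


def run(use_tags: bool) -> Dict[str, bool]:
    """Send one packet per host through NAT then firewall; return host -> allowed."""
    ctrl = Controller()
    out: Dict[str, bool] = {}
    for name, ip in HOSTS.items():
        pkt = nat_generate(ctrl, Packet(src=ip, dst="xyz.com"))
        out[name] = firewall_consume(ctrl, pkt) if use_tags else firewall_legacy(pkt)
    return out
```

With `use_tags=False` every host is allowed because the ACL never matches the NAT's address; with tags, H1 and H3 are blocked as the policy intends.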

  9. Challenges and solutions
  • What semantics should FlowTags capture? -> New “dynamic policy graph” abstraction
  • How easy is it to enhance middleboxes? -> Less than 50-100 LOC vs. 2K-300K original
  • Can we encode FlowTags in packets? -> Yes, only 14 bits in expectation

  10. Summary
  • Middleboxes violate the SDN tenets and make policy enforcement and diagnosis challenging.
  • FlowTags is an extension to SDN that provides contextual information via tags to restore the SDN tenets.
  • FlowTags enables new network policy enforcement and verification capabilities.
  • Practical, low-overhead, and scalable.