TRANSCRIPT
Extending SDN to Handle Dynamic Middlebox Actions via FlowTags
(Full version to appear in NSDI’14)
Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan Yu, Jeff Mogul
Attribution is hard
[Figure: hosts H1, H2 and H3 reach the Internet through switches S1 and S2, a firewall and a NAT]
NAT hides the true packet sources.
Policy: block the access of hosts H1 and H3 to a certain website.
Network Diagnosis is difficult
[Figure: hosts H1 and H2 reach Server 1 and Server 2 through switches S1 and S2, a NAT and a load balancer]
Difficult to correlate network logs for diagnosis.
H1 sees a very high service delay – but what’s causing it?
Data-dependent policies
[Figure: hosts H1 … Hn, switches S1 and S2, a light IPS, a heavy IPS and a server; packets shown at times t1 and t2]
Policy: process all traffic by the light IPS and only suspicious traffic by the heavy IPS.
Difficult to set up forwarding rules at S2.
Policy violations may occur
[Figure: hosts H1 and H2 reach the Internet through switches S1 and S2 and a proxy; the proxy serves a cached response]
Web ACL: Block H2 xyz.com
Lack of visibility into the middlebox context.
High-level idea of FlowTags
• Middleboxes violate two SDN tenets
– Packets no longer bound to “origins”
– Packets don’t follow policy-mandated paths
• Middleboxes need to help restore SDN tenets
• Add missing contextual information as Tags
– E.g., NAT or load balancer give IP mappings; proxy gives cache hit/miss state
• SDN+ Controller controls tagging logic
– For both switches and middleboxes
FlowTags Architecture
[Figure: control plane with Control Apps (e.g., steering, verification; routing, traffic engineering), an Admin and the Network OS; data plane with SDN Switches (FlowTable) and FlowTags-Enhanced Middleboxes (FlowTags Tables). Interfaces shown: Existing APIs (e.g., OpenFlow), FlowTags APIs, and Mbox Config from the Admin; the legend distinguishes legacy interfaces from the new interface.]
Example of FlowTags in action
[Figure: hosts H1 (192.168.1.1), H2 (192.168.1.2) and H3 (192.168.1.3) connect via S1 to the NAT, then via S2 to the firewall or to the Internet]

Tag Generation at the NAT (Add Tags):
SrcIP        Tag
192.168.1.1  1
192.168.1.2  2
192.168.1.3  3

Tag Consumption at S2 (S2 FlowTable):
Tag   Forward
1,3   FW
2     Internet

Tag Consumption at the Firewall (Decode Tags; firewall config w.r.t. original principals):
Tag   OrigSrcIP
1     192.168.1.1
3     192.168.1.3
Rules: Block 192.168.1.1, Block 192.168.1.3
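An added example, not code from the FlowTags paper or its implementation: a small Python model of the slide above, with the NAT generating tags, S2 forwarding on tags, and the firewall decoding tags back to the original principals. Tag values, addresses and table contents come from the slide; the packet dict layout, the NAT's public address and the function names are assumptions, and a tag-less firewall is included to show the attribution problem FlowTags removes.

```python
# Model of the slide-8 FlowTags example (added illustration, not the paper's code).
# Packets are plain dicts: {"src": ..., "dst": ..., "tag": ...}; this layout is assumed.

# Tag generation at the NAT: original source IP -> tag (values from the slide).
NAT_TAG_TABLE = {"192.168.1.1": 1, "192.168.1.2": 2, "192.168.1.3": 3}
NAT_PUBLIC_IP = "203.0.113.5"  # constructed external address used by the NAT

# Tag consumption at switch S2: tag -> next hop (S2 FlowTable from the slide).
S2_FLOW_TABLE = {1: "FW", 3: "FW", 2: "Internet"}

# Tag consumption at the firewall: tag -> original source IP, plus the ACL
# expressed on the original principals (from the slide).
FW_DECODE_TABLE = {1: "192.168.1.1", 3: "192.168.1.3"}
FW_BLOCK = {"192.168.1.1", "192.168.1.3"}


def nat_add_tag(pkt):
    """NAT rewrites the source address and attaches the tag for the original source."""
    tag = NAT_TAG_TABLE[pkt["src"]]
    return {**pkt, "src": NAT_PUBLIC_IP, "tag": tag}


def s2_forward(pkt):
    """S2 matches on the tag, not on the (now rewritten) source address."""
    return S2_FLOW_TABLE.get(pkt.get("tag"), "drop")


def firewall(pkt):
    """Firewall decodes the tag to the original principal and applies the ACL.
    An unknown tag fails closed, since the packet cannot be attributed."""
    orig = FW_DECODE_TABLE.get(pkt.get("tag"))
    if orig is None:
        return "drop"
    return "block" if orig in FW_BLOCK else "allow"


def firewall_without_tags(pkt):
    """Same ACL applied to the post-NAT source: every host looks like the NAT."""
    return "block" if pkt["src"] in FW_BLOCK else "allow"


def process(pkt):
    """Run a host's packet through NAT -> S2 -> (firewall | Internet)."""
    tagged = nat_add_tag(pkt)
    hop = s2_forward(tagged)
    if hop == "FW":
        return firewall(tagged)
    return "allow" if hop == "Internet" else "drop"
```

With tags, H1 and H3 are blocked and H2 passes; without them the same ACL at the firewall sees only the NAT's address and blocks nothing.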
Challenges and Solutions
• What semantics should FlowTags capture?
  New “dynamic policy graph” abstraction
• How easy is it to enhance middleboxes?
  Less than 50-100 LOC vs. 2K-300K original
• Can we encode FlowTags in packets?
  Yes, only 14 bits in expectation
Summary
• Middleboxes violate the SDN tenets and make policy enforcement and diagnosis challenging.
• FlowTags is an extension to SDN to provide contextual information using tags to restore the SDN tenets.
• FlowTags enables new network policy enforcement and verification capabilities.
• Practical, low-overhead, and scalable.