Extending SDN to Handle Dynamic Middlebox Actions via FlowTags (Full version to appear in NSDI'14)
Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan Yu, Jeff Mogul
Attribution is hard
Block the access of hosts H1 and H3 to certain website.
[Figure: H1, H2, H3 behind a NAT and a Firewall, switches S1 and S2, Internet]
NAT hides the true packet sources

Network Diagnosis is difficult
H1 sees a very high service delay – but what's causing it?
[Figure: H1, H2, switches S1 and S2, NAT, Load Balancer, Server 1, Server 2; timestamps t1, t2]
Difficult to correlate network logs for diagnosis

Data-dependent policies
Policy: Process all traffic by light IPS and only suspicious traffic by heavy IPS.
[Figure: H1 … Hn, switches S1 and S2, Light IPS, Heavy IPS, Server]
Difficult to set up forwarding rules at S2

Policy violations may occur
Web ACL: Block H2 → xyz.com
[Figure: H1 sends "Get xyz.com" through the Proxy and receives the Response; H2 sends "Get xyz.com" and receives the Cached response; switches S1 and S2, Internet]
Lack of visibility into the middlebox context
High-level idea of FlowTags
• Middleboxes violate two SDN tenets
  • Packets no longer bound to "origins"
  • Packets don't follow policy mandated paths
• Middleboxes need to help restore SDN tenets
  • Add missing contextual information as Tags
  • E.g., NAT or Load balancer give IP mappings; Proxy gives cache hit/miss state
• SDN+ Controller controls tagging logic
  • For both switches and middleboxes
FlowTags Architecture
[Figure: layered architecture]
• Control plane: Admin; Control Apps (e.g., routing, traffic eng.) via the Legacy interface; Control Apps (e.g., steering, verification) via the New interface
• Network OS: Existing APIs (e.g., OpenFlow) alongside FlowTags APIs
• Data plane: SDN Switches (FlowTable); FlowTags Enhanced Middleboxes (Mbox Config, FlowTags Tables)
Example of FlowTags in action
[Figure: H1 (192.168.1.1), H2 (192.168.1.2), H3 (192.168.1.3), switches S1 and S2, NAT, Firewall, Internet]
• NAT: Add Tags (Tag Generation)
• S2 FlowTable: Tag Consumption
• Firewall: Decode Tags (Tag Consumption); Config w.r.t. original principals: Block 192.168.1.1, Block 192.168.1.3
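The following is an added example, not code from the FlowTags prototype or the paper: a toy simulation of the NAT/firewall scenario above (and of the attribution problem on the earlier slide). The controller allocates a tag per original host, the NAT attaches it while rewriting the source address, S2's flow table and the firewall consume it, and a legacy firewall that only sees the post-NAT address is shown for contrast. Class and method names, the tag field on the packet, and the public and destination IP addresses are constructed for this illustration.

```python
# Added example (not the FlowTags prototype): toy simulation of tag generation
# at a NAT and tag consumption at a switch and a firewall. All names and the
# non-RFC1918 addresses below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Packet:
    src: str
    dst: str
    tag: Optional[int] = None  # FlowTags tag carried in the packet (constructed field)


class Controller:
    """SDN+ controller: owns the tagging logic and the tag -> original-principal map."""

    def __init__(self) -> None:
        self._next_tag = 1
        self.tag_to_origin: Dict[int, str] = {}
        self.origin_to_tag: Dict[str, int] = {}

    def generate_tag(self, origin_ip: str) -> int:
        """Tag generation: allocate (or reuse) a tag for an original host."""
        if origin_ip not in self.origin_to_tag:
            tag = self._next_tag
            self._next_tag += 1
            self.origin_to_tag[origin_ip] = tag
            self.tag_to_origin[tag] = origin_ip
        return self.origin_to_tag[origin_ip]

    def consume_tag(self, tag: Optional[int]) -> Optional[str]:
        """Tag consumption: decode a tag back to the original principal."""
        return None if tag is None else self.tag_to_origin.get(tag)


class NAT:
    """Tag generator: rewrites the source address and attaches a tag for the original host."""

    def __init__(self, ctrl: Controller, public_ip: str) -> None:
        self.ctrl, self.public_ip = ctrl, public_ip

    def process(self, pkt: Packet) -> Packet:
        return Packet(src=self.public_ip, dst=pkt.dst, tag=self.ctrl.generate_tag(pkt.src))


class Firewall:
    """Tag consumer: configured w.r.t. original principals, decodes tags before matching."""

    def __init__(self, ctrl: Controller, blocked_origins) -> None:
        self.ctrl, self.blocked = ctrl, set(blocked_origins)

    def verdict(self, pkt: Packet) -> str:
        origin = self.ctrl.consume_tag(pkt.tag)
        if origin is None:
            return "drop"  # unknown or missing tag: fail closed rather than guess the origin
        return "block" if origin in self.blocked else "allow"


def legacy_verdict(pkt: Packet, blocked) -> str:
    """A firewall without tags can only match on the post-NAT source address."""
    return "block" if pkt.src in set(blocked) else "allow"


class Switch:
    """S2's FlowTable: the controller installs rules that match on tags, not on src IP."""

    def __init__(self) -> None:
        self.flow_table: Dict[int, str] = {}

    def install(self, tag: int, out_port: str) -> None:
        self.flow_table[tag] = out_port

    def forward(self, pkt: Packet) -> str:
        return self.flow_table.get(pkt.tag, "to_controller")  # table miss goes to the controller


def simulate(blocked_hosts=("192.168.1.1", "192.168.1.3"),
             hosts=("192.168.1.1", "192.168.1.2", "192.168.1.3"),
             dst="198.51.100.10") -> Dict[str, Dict[str, str]]:
    """Run one packet per host through NAT -> S2 -> firewall and return per-host results."""
    ctrl = Controller()
    nat = NAT(ctrl, public_ip="203.0.113.5")  # constructed public address
    fw = Firewall(ctrl, blocked_hosts)
    s2 = Switch()
    results: Dict[str, Dict[str, str]] = {}
    for h in hosts:
        out = nat.process(Packet(src=h, dst=dst))
        s2.install(out.tag, "port_firewall")  # controller steers tagged flows to the firewall
        results[h] = {
            "nat_src": out.src,
            "tag": str(out.tag),
            "s2_port": s2.forward(out),
            "flowtags": fw.verdict(out),
            "legacy": legacy_verdict(out, blocked_hosts),
        }
    return results


if __name__ == "__main__":
    for host, r in simulate().items():
        print(host, r)
```

Running it shows every packet leaving the NAT with the same source address, so the legacy firewall allows all three hosts, while the tag-aware firewall blocks H1 and H3 and allows H2 as the policy intends; a packet arriving without a known tag is dropped rather than attributed by guess.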
Challenges and Solutions
• What semantics should FlowTags capture? New "dynamic policy graph" abstraction
• How easy is it to enhance middleboxes? Less than 50-100 LOC vs. 2K-300K original
• Can we encode FlowTags in packets? Yes, only 14 bits in expectation

Summary
Middleboxes violate the SDN tenets and make policy enforcement and diagnosis challenging.
FlowTags is an extension to SDN to provide contextual information using tags to restore the SDN tenets.
FlowTags enables new network policy enforcement and verification capabilities.
Practical, low-overhead, and scalable.