
SIMPLE-fying middlebox policy enforcement using SDN

Published: 27 August 2013

Abstract

Networks today rely on middleboxes to provide critical performance, security, and policy compliance capabilities. Achieving these benefits and ensuring that the traffic is directed through the desired sequence of middleboxes requires significant manual effort and operator expertise. In this respect, Software-Defined Networking (SDN) offers a promising alternative. Middleboxes, however, introduce new aspects (e.g., policy composition, resource management, packet modifications) that fall outside the purview of the traditional L2/L3 functions that SDN supports (e.g., access control or routing).
This paper presents SIMPLE, an SDN-based policy enforcement layer for efficient middlebox-specific "traffic steering". In designing SIMPLE, we take an explicit stance to work within the constraints of legacy middleboxes and existing SDN interfaces. To this end, we address algorithmic and system design challenges to demonstrate the feasibility of using SDN to simplify middlebox traffic steering. In doing so, we also take a significant step toward addressing industry concerns surrounding the ability of SDN to integrate with existing infrastructure and support L4-L7 capabilities.

Published In

ACM SIGCOMM Computer Communication Review, Volume 43, Issue 4
October 2013
595 pages
ISSN: 0146-4833
DOI: 10.1145/2534169

SIGCOMM '13: Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM
August 2013
580 pages
ISBN: 9781450320566
DOI: 10.1145/2486001

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. middlebox
2. network management
3. software-defined networking

Qualifiers

• Research-article
