
Extending SDN to Handle Dynamic Middlebox Actions via FlowTags



(Full version to appear in NSDI’14)

Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan Yu, Jeff Mogul

Attribution is hard

[Figure: hosts H1, H2 and H3 reach the Internet through switches S1 and S2, a Firewall and a NAT]

NAT hides the true packet sources.

Policy to enforce: block the access of hosts H1 and H3 to a certain website.

2

Network diagnosis is difficult

[Figure: hosts H1 and H2 reach Server 1 and Server 2 through switches S1 and S2, a NAT and a Load Balancer; the figure also carries the labels t1 and t2]

H1 sees a very high service delay – but what’s causing it?

Difficult to correlate network logs for diagnosis.

3

Data-dependent policies

[Figure: hosts H1 … Hn reach a Server through switches S1 and S2, a Light IPS and a Heavy IPS]

Policy: process all traffic by the light IPS and only suspicious traffic by the heavy IPS.

Difficult to set up forwarding rules at S2: the switch cannot tell which flows the light IPS has flagged as suspicious.

4

Policy violations may occur

[Figure: hosts H1 and H2 reach the Internet through switches S1 and S2 and a Proxy; the proxy returns a cached response]

Web ACL: Block H2 xyz.com

Lack of visibility into the middlebox context: a cached response served by the proxy never crosses the point where the ACL is enforced.

5

High-level idea of FlowTags

• Middleboxes violate two SDN tenets

– Packets no longer bound to “origins”

– Packets don’t follow policy mandated paths

• Middleboxes need to help restore SDN tenets

• Add missing contextual information as Tags

– E.g., NAT or Load balancer give IP mappings; Proxy gives cache hit/miss state

• SDN+ Controller controls tagging logic

– For both switches and middleboxes

6

FlowTags Architecture

[Figure: control plane above, data plane below. Control: Admin supplies the Mbox Config; Control Apps (e.g., routing, traffic eng.) and Control Apps (e.g., steering, verification) run on top of the Network OS. Data: SDN Switches with a FlowTable, and FlowTags Enhanced Middleboxes with FlowTags Tables. Existing APIs (e.g., OpenFlow) are the legacy interface; FlowTags APIs are the new interface]

7

Example of FlowTags in action

[Figure: the topology of slide 2 (switches S1 and S2, NAT, Firewall, Internet) with hosts H1 192.168.1.1, H2 192.168.1.2 and H3 192.168.1.3; the NAT performs tag generation, S2 and the firewall perform tag consumption]

NAT – Add Tags (tag generation)

  SrcIP          Tag
  192.168.1.1    1
  192.168.1.2    2
  192.168.1.3    3

S2 FlowTable (tag consumption)

  Tag     Forward
  1,3     FW
  2       Internet

Firewall – Decode Tags (tag consumption); firewall config w.r.t. original principals

  Tag     OrigSrcIP
  1       192.168.1.1
  3       192.168.1.3

  Block 192.168.1.1
  Block 192.168.1.3

8
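The slide above can be traced end to end in a few lines. The following Python is an added example written for this page; it is not code from the FlowTags paper or its prototype. It simulates the three tables on the slide: the NAT generates a tag from the original source IP, S2 forwards on the tag rather than on the rewritten header, and the firewall decodes the tag back to the original principal before applying its ACL. The class names, the NAT's public address (203.0.113.5) and the fail-closed handling of an unknown tag are assumptions made for the illustration; the addresses, tags and forwarding rules are the slide's own. A second helper shows the slide-2 problem the tags fix: without them, every host looks identical to the firewall.

```python
# Added example (not from the FlowTags paper or prototype): simulation of slide 8.
# Class names, the NAT public address and the table-miss behaviour are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

NAT_PUBLIC_IP = "203.0.113.5"   # constructed public address for the NAT


@dataclass
class Packet:
    src_ip: str
    dst: str
    tag: Optional[int] = None
    trace: List[str] = field(default_factory=list)  # devices visited, in order


class NAT:
    """Tag generation: rewrite the source IP and record the origin as a tag."""

    def __init__(self, public_ip: str, srcip_to_tag: Dict[str, int]):
        self.public_ip = public_ip
        self.srcip_to_tag = srcip_to_tag   # the slide's "SrcIP -> Tag" table

    def process(self, pkt: Packet) -> Packet:
        pkt.trace.append("NAT")
        pkt.tag = self.srcip_to_tag.get(pkt.src_ip)  # None if the host is unknown
        pkt.src_ip = self.public_ip                   # the rewrite that hides the origin
        return pkt


class Switch:
    """Tag consumption at an SDN switch: forward on the tag, not on the rewritten header."""

    def __init__(self, name: str, tag_to_port: Dict[Optional[int], str]):
        self.name = name
        self.tag_to_port = tag_to_port     # the slide's "Tag -> Forward" FlowTable

    def forward(self, pkt: Packet) -> str:
        pkt.trace.append(self.name)
        # Table miss (no rule for this tag): drop. Assumption for this example.
        return self.tag_to_port.get(pkt.tag, "DROP")


class Firewall:
    """Tag consumption at the firewall: decode the tag to the original principal, then apply the ACL."""

    def __init__(self, tag_to_origsrc: Dict[int, str], blocked: Set[str]):
        self.tag_to_origsrc = tag_to_origsrc   # the slide's "Tag -> OrigSrcIP" table
        self.blocked = blocked                 # ACL written w.r.t. original principals

    def process(self, pkt: Packet) -> str:
        pkt.trace.append("FW")
        origin = self.tag_to_origsrc.get(pkt.tag)
        if origin is None:
            return "DROP"   # cannot attribute the packet: fail closed (assumption)
        return "DROP" if origin in self.blocked else "FORWARD"


def build_topology() -> Tuple[NAT, Switch, Firewall]:
    """The three FlowTags tables from slide 8, as the controller would install them."""
    nat = NAT(NAT_PUBLIC_IP, {"192.168.1.1": 1, "192.168.1.2": 2, "192.168.1.3": 3})
    s2 = Switch("S2", {1: "FW", 3: "FW", 2: "Internet"})
    fw = Firewall({1: "192.168.1.1", 3: "192.168.1.3"},
                  blocked={"192.168.1.1", "192.168.1.3"})
    return nat, s2, fw


def send(src_ip: str, dst: str = "xyz.com") -> Tuple[str, List[str]]:
    """Push one packet host -> S1 -> NAT -> S2 -> {FW | Internet}; return (verdict, trace)."""
    nat, s2, fw = build_topology()
    pkt = Packet(src_ip=src_ip, dst=dst)
    pkt.trace.append("S1")          # S1 only forwards towards the NAT
    nat.process(pkt)
    next_hop = s2.forward(pkt)
    if next_hop == "Internet":
        pkt.trace.append("Internet")
        return "FORWARD", pkt.trace
    if next_hop == "FW":
        verdict = fw.process(pkt)
        if verdict == "FORWARD":
            pkt.trace.append("Internet")
        return verdict, pkt.trace
    return "DROP", pkt.trace        # table miss at S2


def firewall_view_without_tags(src_ip: str) -> str:
    """Legacy path (slide 2): after the NAT, a tag-less firewall sees only the public address."""
    nat, _, _ = build_topology()
    pkt = nat.process(Packet(src_ip=src_ip, dst="xyz.com"))
    return pkt.src_ip   # identical for H1, H2 and H3, so a per-host ACL can never match


if __name__ == "__main__":
    for host in ("192.168.1.1", "192.168.1.2", "192.168.1.3"):
        verdict, trace = send(host)
        print(f"{host:12} {verdict:8} via {' -> '.join(trace)}")
    print("firewall without tags sees:", firewall_view_without_tags("192.168.1.1"))
```

Running it shows H1 and H3 steered to the firewall and dropped, H2 sent straight to the Internet, and the firewall seeing 203.0.113.5 for every host on the legacy path. The one design decision the slide leaves open is what to do with a packet whose tag has no table entry; the example drops it at both S2 and the firewall, since a tag the controller did not install is exactly the attribution gap FlowTags is meant to close.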

Challenges and Solutions

• What semantics should FlowTags capture?

– New “dynamic policy graph” abstraction

• How easy is it to enhance middleboxes?

– Less than 50-100 LOC of changes per middlebox, vs. 2K-300K LOC in the original middlebox code

• Can we encode FlowTags in packets?

– Yes, only 14 bits in expectation

9

Summary

• Middleboxes violate the SDN tenets and make policy enforcement and diagnosis challenging.

• FlowTags is an extension to SDN that provides contextual information using tags to restore the SDN tenets.

• FlowTags enables new network policy enforcement and verification capabilities.

• Practical, low-overhead, and scalable.

10