ons14-flowtags


Transcript ons14-flowtags

Extending SDN to Handle Dynamic Middlebox Actions via FlowTags

(Full version to appear in NSDI’14) Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan Yu, Jeff Mogul

Attribution is hard

Block the access of hosts H1 and H3 to a certain website.

[Figure: hosts H1, H2, H3 behind a NAT, then a Firewall, switches S1 and S2, and the Internet]

NAT hides the true packet sources.

Network Diagnosis is difficult

H1 sees a very high service delay – but what’s causing it?

[Figure: hosts H1 and H2 behind a NAT, switches S1 (time t1) and S2 (time t2), a Load Balancer, Server 1 and Server 2]

Difficult to correlate network logs for diagnosis.

Data-dependent policies

Policy: Process all traffic by light IPS and only suspicious traffic by heavy IPS.

[Figure: hosts H1 … Hn, switches S1 and S2, Light IPS, Heavy IPS, Server]

Difficult to set up forwarding rules at S2.

Policy violations may occur

Web ACL: Block H2 → xyz.com

[Figure: hosts H1 and H2, switch S1, Proxy (serving a cached response), switch S2, Internet]

Lack of visibility into the middlebox context.

High-level idea of FlowTags

• Middleboxes violate two SDN tenets
  – Packets no longer bound to “origins”
  – Packets don’t follow policy-mandated paths
• Middleboxes need to help restore SDN tenets
• Add missing contextual information as Tags
  E.g., NAT or Load balancer give IP mappings; Proxy gives cache hit/miss state
• SDN+ Controller controls tagging logic
  – For both switches and middleboxes

FlowTags Architecture

Control plane: Control Apps (e.g., steering, verification) talk to the Network OS over the legacy interface (existing APIs, e.g., OpenFlow) and over the new interface (FlowTags APIs).

Data plane: SDN Switches (FlowTable) and FlowTags-Enhanced Middleboxes (FlowTags Tables); the Admin supplies the Mbox Config.

Example of FlowTags in action

Hosts: H1 192.168.1.1, H2 192.168.1.2, H3 192.168.1.3, all behind the NAT; S1 and S2 are switches; the Firewall sits between S2 and the Internet.

Tag Generation – NAT Add Tags:

    SrcIP          Tag
    192.168.1.1    1
    192.168.1.2    2
    192.168.1.3    3

Tag Consumption – S2 FlowTable:

    Tag    Forward
    1,3    FW
    2      Internet

Tag Consumption – Firewall Decode Tags:

    Tag    OrigSrcIP
    1      192.168.1.1
    3      192.168.1.3

Firewall Config w.r.t. original principals:

    Block 192.168.1.1
    Block 192.168.1.3
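The slide above traces one packet through tag generation at the NAT and tag consumption at S2 and the firewall. The simulation below is an example added here, not code from the FlowTags authors: the three tables are copied from the slide, while the class names, the public NAT address 203.0.113.10 and the run() helper are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    src_ip: str                    # what the next hop sees as the source
    tag: Optional[int] = None      # FlowTag carried in the packet
    path: List[str] = field(default_factory=list)


class NAT:
    """Tag generation: hides the private source behind a public IP, but
    attaches the controller-assigned tag for the original source."""
    def __init__(self, tag_table: Dict[str, int], public_ip: str) -> None:
        self.tag_table, self.public_ip = tag_table, public_ip

    def process(self, pkt: Packet) -> Packet:
        pkt.tag = self.tag_table[pkt.src_ip]  # SrcIP -> Tag, installed by the controller
        pkt.src_ip = self.public_ip           # true source is now invisible downstream
        pkt.path.append("NAT")
        return pkt


class Switch:
    """Tag consumption at S2: forwarding keys on the tag, not on the
    rewritten source IP, so policy routing survives the NAT."""
    def __init__(self, name: str, flow_table: Dict[int, str]) -> None:
        self.name, self.flow_table = name, flow_table

    def forward(self, pkt: Packet) -> str:
        pkt.path.append(self.name)
        return self.flow_table[pkt.tag]


class Firewall:
    """Tag consumption at the firewall: decode Tag -> OrigSrcIP and apply
    an ACL written in terms of the original principals."""
    def __init__(self, decode: Dict[int, str], blocked: Set[str]) -> None:
        self.decode, self.blocked = decode, blocked

    def verdict(self, pkt: Packet) -> str:
        pkt.path.append("FW")
        return "DROP" if self.decode[pkt.tag] in self.blocked else "FORWARD"


def run(src_ip: str) -> tuple:
    """Send one packet from src_ip through NAT -> S2 -> (FW | Internet)."""
    nat = NAT({"192.168.1.1": 1, "192.168.1.2": 2, "192.168.1.3": 3},
              public_ip="203.0.113.10")                   # constructed public address
    s2 = Switch("S2", {1: "FW", 3: "FW", 2: "Internet"})   # S2 FlowTable from the slide
    fw = Firewall({1: "192.168.1.1", 3: "192.168.1.3"},    # Firewall Decode Tags
                  blocked={"192.168.1.1", "192.168.1.3"})  # Firewall Config
    pkt = nat.process(Packet(src_ip))
    if s2.forward(pkt) == "FW" and fw.verdict(pkt) == "DROP":
        return "DROP", pkt.path
    pkt.path.append("Internet")
    return "FORWARD", pkt.path
```

Without the tag, every packet leaving the NAT would carry the same public source address and the firewall could not tell H1 from H2.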

Challenges and Solutions

• What semantics should FlowTags capture?
  → New “dynamic policy graph” abstraction
• How easy is it to enhance middleboxes?
  → Less than 50-100 LOC vs. 2K-300K original
• Can we encode FlowTags in packets?
  → Yes, only 14 bits in expectation

Summary

• Middleboxes violate the SDN tenets and make policy enforcement and diagnosis challenging.

• FlowTags is an extension to SDN to provide contextual information using tags to restore the SDN tenets.

• FlowTags enables new network policy enforcement and verification capabilities.

• Practical, low-overhead, and scalable.
