Tuesday, August 13, 2013

SIGCOMM2013: SIMPLE-fying Middlebox Policy Enforcement Using SDN

This is a report of the presentation done by Zafar Qazi on 2013-08-13. Paper co-authors are Cheng-Chun Tu, and Luis Chiang (Stony Brook University), Rui Miao (USC), Vyas Sekar (Stony Brook University), and Minlan Yu (USC).

Middlebox management is hard! Middleboxes are critical to the performance, security, and policy capabilities of today's networks. Zafar started his talk with a question: can SDN simplify middlebox management? Software Defined Networking offers a promising alternative, but middleboxes raise new issues that fall outside what SDN supports. In this talk, Zafar presented SIMPLE, an SDN-based policy enforcement layer for efficient middlebox-specific "traffic steering".

Zafar discussed the design of SIMPLE, which works within the constraints of legacy middleboxes and existing SDN interfaces. He demonstrated the feasibility of using SDN to simplify middlebox traffic steering, and addressed the industry concern about whether SDN can support L4-L7 capabilities.

Middlebox: Necessity and opportunity for SDN
Goal: Simplify Middlebox
Challenges: Composition, resource constraints, modification
  • Policy enforcement layer
  • Does not modify middlebox
  • No changes to SDN
  • Scalable and offers 4-7X improvement in load balancing

Q&A Session
Q) Why did you choose to work with legacy middleboxes? How do you see the SDN architecture evolving? Do you see middleboxes as part of future SDN architecture?

A) We chose to work with legacy middleboxes because there are already a large number of middlebox deployments, middleboxes offer diverse functionalities, and middlebox implementations are proprietary in nature, making it difficult to modify them. Therefore, we wanted to make our solution backward compatible. It is conceivable that in the future SDN switches may offer some middlebox capabilities or middleboxes may become programmable. These may enable new opportunities for realizing middlebox functions that SIMPLE can additionally exploit; e.g., instantiating middlebox modules on demand or flexibly using switches in multiple roles.

Q) Where are the tags added to track the processing state of the packets?
A) The SDN switches add the processing tags to the packet header. We can use any spare bits in the IP header field to add the tags. For our evaluation, we use VLAN tags and ToS bits.
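To make the tagging idea concrete, here is a small toy model of tag-based traffic steering. It is an added illustration written for this report, not code from the SIMPLE paper: the tag encoding (tag i = "i middleboxes of the chain have processed this packet"), the rule table shape and the names `Packet`, `build_rules` and `steer` are all assumptions of this model. It also models the "modification" challenge from the talk: a middlebox that rewrites the flow identifier (such as a NAT) breaks the next (flow, tag) lookup.

```python
# Toy model of tag-based steering (added example, not the SIMPLE implementation).
# In the real system the tag lives in a VLAN id or the ToS bits; here it is an int.
from dataclasses import dataclass, field

NO_TAG = 0  # tag value meaning "not yet processed by any middlebox"


@dataclass
class Packet:
    flow: str                 # constructed flow id, e.g. "10.0.0.1->10.0.1.5:80"
    tag: int = NO_TAG         # processing-state tag carried in the header
    path: list = field(default_factory=list)  # hops visited, for inspection


def build_rules(flow, chain):
    """Return switch rules {(flow, tag): (next_hop, new_tag)} for one policy chain.

    Tag i means "i middleboxes of the chain have already processed the packet",
    so a switch can pick the next middlebox without the middlebox being changed.
    The final rule forwards to the destination and strips the tag.
    """
    rules = {(flow, i): (mbox, i + 1) for i, mbox in enumerate(chain)}
    rules[(flow, len(chain))] = ("DST", NO_TAG)
    return rules


def steer(pkt, rules, transforms=None, max_hops=16):
    """Walk a packet through the chain using only (flow, tag) lookups.

    transforms: optional {middlebox: fn(pkt)} modelling a middlebox that rewrites
    the packet. A rewrite of pkt.flow makes the next lookup miss, which is the
    'modification' challenge the talk lists; we fail closed (drop) rather than
    flood or guess a next hop.
    """
    transforms = transforms or {}
    for _ in range(max_hops):
        key = (pkt.flow, pkt.tag)
        if key not in rules:
            raise KeyError(f"no steering rule for {key}; packet dropped")
        nxt, pkt.tag = rules[key]
        pkt.path.append(nxt)
        if nxt == "DST":
            return pkt
        if nxt in transforms:
            transforms[nxt](pkt)  # middlebox processes (and maybe rewrites) it
    raise RuntimeError("hop limit exceeded: steering loop")
```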