Transcript of the slide deck "Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags" (29 slides).

Page 1: Title

Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags

Seyed K. Fayazbakhsh*, Luis Chiang¶, Vyas Sekar*, Minlan Yu★, Jeffrey Mogul

*CMU, ¶Deutsche Telekom, ★USC, Google

Page 2: Middleboxes complicate policy enforcement in SDN

[Figure: SDN stack with Control Apps on top of the Network OS, which drives the Data Plane. The policy (e.g., service chaining, access control) is expressed in the control apps.]

Dynamic and traffic-dependent modifications! e.g., NATs, proxies

Page 3: Modifications: attribution is hard

[Figure: hosts H1 and H2 connect through switch S1 to a NAT and a firewall, then through switch S2 to the Internet. Policy: block the access of H2 to certain websites.]

Page 4: Dynamic actions: policy violations

[Figure: H1 and H2 connect through S1 to a proxy, then through S2 and a Web ACL to the Internet. Web ACL: Block H2 xyz.com.]

1. H1: Get xyz.com
2. Response (the proxy caches it)
3. H2: Get xyz.com
4. Cached response (served directly by the proxy, so the Web ACL never sees H2's request and the block is not enforced)

Page 5: Our work: FlowTags

FlowTags provides an architectural solution: it enables policy enforcement and diagnosis despite dynamic middlebox actions.

Some candidate (non-)solutions: placement, tunneling, consolidation, correlation. These address some symptoms but not the root cause: Origin Binding and Paths-Follow-Policy violations.

Page 6: Outline

• Motivation

• High-level Idea

• FlowTags Design

• Evaluation

Page 7: High-level idea

• Middleboxes need to restore SDN tenets
– Possibly the only option for correctness
– Minimal changes to middleboxes

• Add missing contextual information as Tags
– NAT gives IP mappings
– Proxy provides cache hit/miss info

• FlowTags controller configures tagging logic

Page 8: FlowTags architecture

[Figure: Control plane: the Admin supplies a FlowTags-enhanced Policy to the Network OS, which hosts existing control apps (e.g., steering, verification) and new control apps (e.g., policy steering, verification). Data plane: SDN switches with FlowTables, and middleboxes with FlowTags tables. The Network OS drives switches through existing APIs (e.g., OpenFlow) and middleboxes through the FlowTags APIs and MboxConfig.]

Page 9: FlowTags in action

[Figure: H1 (10.1.1.1) and H2 (10.1.1.2) connect through S1 to the proxy, then through S2 and the Web ACL to the Internet. The Web ACL is configured w.r.t. the original principals: Block 10.1.1.2 xyz.com. H1 fetches xyz.com first; H2's fetch of xyz.com is a cache hit.]

Proxy tag-generation table:
  <SrcIP, Cache Hit>   Tag
  10.1.1.2, Hit        2

Switch forwarding tables (tag-based):
  Tag   Fwd
  2     S2
  2     ACL

Web ACL tag-consumption table:
  Tag   OrigSrcIP
  2     10.1.1.2

The ACL maps Tag 2 back to 10.1.1.2 and applies the block: DROP.

Page 10: Outline

• Motivation

• High-level Idea of FlowTags

• FlowTags Design

• Evaluation

Page 11: Challenge 1: Tag Semantics

[Figure: the FlowTags-enhanced SDN Controller in the control plane installs "Add Tag" rules at the proxy, "Decode Tag" rules at the Web ACL, and "Tag Forward" rules at S1 and S2 in the data plane. Hosts: H1 10.1.1.1, H2 10.1.1.2.]

Page 12: Challenge 2: New APIs, control apps

[Figure: same diagram as on Page 11.]

Page 13: Challenge 3: Middlebox Extensions

[Figure: same diagram as on Page 11.]

Page 14: Outline

• Motivation

• High-level Idea of FlowTags

• FlowTags Design
– Tag semantics
– Controller and APIs
– Middlebox modification

• Evaluation

Page 15: Semantics: Dynamic Policy Graph (DPG)

[Figure: physical topology H1, H2 → S1 → Proxy → S2 → Internet, with Web ACL: Block H2 xyz.com. Below it, the DPG with nodes H1, H2, Proxy, ACL, Internet and Drop. Each edge is labelled <set of flows>; <middlebox context>: {H1}; -, {H2}; -, {H1}; Miss, {H1}; Hit, {H2}; Miss, {H2}; Hit, {H2}; <Allowed,Miss>, {H2}; <Allowed,Hit>, and {H2}; Blocked, which leads to Drop.]

Page 16: Semantics: Dynamic Policy Graph (DPG)

Intuitively, we need a Tag <per flow, per edge> in the DPG.

[Figure: same DPG as on Page 15.]
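The tables on Page 9 and the per-flow, per-edge tags of Pages 15-16 can be exercised end to end in a small simulation. The following Python model is an added example (not the authors' code): a controller that assigns one tag per (original source, proxy context) DPG edge, a proxy that generates tags, a switch that forwards on them, and a Web ACL that consumes them. The hosts, addresses and the policy are from the slides; the class names, table layouts and the proxy's own address are assumptions made for this illustration.

```python
"""Toy model of the FlowTags control loop shown on slides 9 and 15-16.

Added example, not the authors' code: the proxy GENERATES a tag per
(original source, cache hit/miss), switch S2 FORWARDS on the tag, and the
web ACL CONSUMES the tag to recover the original principal. The topology,
the addresses (H1 = 10.1.1.1, H2 = 10.1.1.2) and the policy "Block
10.1.1.2 xyz.com" come from the slides; the class names, table layouts and
the proxy's own address are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

H1, H2 = "10.1.1.1", "10.1.1.2"
PROXY_IP = "10.1.1.100"          # constructed: address the proxy sends from

# Web ACL configured w.r.t. ORIGINAL principals (slide 9): block H2 -> xyz.com
ACL_POLICY = {(H2, "xyz.com")}

# Dynamic policy graph edges (slide 15) as (node, context) -> next node.
DPG = {("Proxy", "Miss"): "ACL", ("Proxy", "Hit"): "ACL",
       ("ACL", "Allowed"): "Forward", ("ACL", "Blocked"): "Drop"}


@dataclass
class Packet:
    src: str                      # source address as seen on the wire
    site: str                     # requested site, e.g. xyz.com
    tag: Optional[int] = None     # FlowTag, if the upstream middlebox set one


@dataclass
class Controller:
    """FlowTags-enhanced controller: one tag per (flow, DPG edge), installed
    into the proxy's generate table, S2's forwarding table and the ACL's
    consume table (the three tables on slide 9)."""
    next_tag: int = 1
    gen_table: dict = field(default_factory=dict)      # (orig_src, ctx) -> tag
    fwd_table: dict = field(default_factory=dict)      # tag -> next hop at S2
    consume_table: dict = field(default_factory=dict)  # tag -> orig_src

    def generate_tag(self, orig_src: str, ctx: str) -> int:
        key = (orig_src, ctx)
        if key not in self.gen_table:            # reactive: first packet of a flow
            tag = self.next_tag
            self.next_tag += 1
            self.gen_table[key] = tag
            self.fwd_table[tag] = DPG[("Proxy", ctx)]
            self.consume_table[tag] = orig_src
        return self.gen_table[key]


class Proxy:
    """Caching proxy; with a controller attached it tags its output."""
    def __init__(self, ctrl: Optional[Controller]):
        self.ctrl, self.cache = ctrl, set()

    def handle(self, pkt: Packet):
        ctx = "Hit" if pkt.site in self.cache else "Miss"
        self.cache.add(pkt.site)
        # The proxy answers from its own address, so the original client is
        # no longer visible downstream unless the tag carries it.
        tag = self.ctrl.generate_tag(pkt.src, ctx) if self.ctrl else None
        return Packet(src=PROXY_IP, site=pkt.site, tag=tag), ctx


class Switch:
    """S2: forwards on the tag when a FlowTags rule exists, else by default."""
    def __init__(self, ctrl: Optional[Controller]):
        self.ctrl = ctrl

    def next_hop(self, pkt: Packet) -> str:
        if self.ctrl and pkt.tag in self.ctrl.fwd_table:
            return self.ctrl.fwd_table[pkt.tag]
        return "ACL"                 # constructed default path proxy -> ACL


class WebACL:
    """Consumes the tag to decide on the ORIGINAL source, not the proxy's."""
    def __init__(self, ctrl: Optional[Controller]):
        self.ctrl = ctrl

    def decide(self, pkt: Packet) -> str:
        orig_src = pkt.src
        if self.ctrl and pkt.tag is not None:
            orig_src = self.ctrl.consume_table[pkt.tag]   # Tag -> OrigSrcIP
        ctx = "Blocked" if (orig_src, pkt.site) in ACL_POLICY else "Allowed"
        return DPG[("ACL", ctx)]


def run(with_flowtags: bool):
    """Replay slide 4: H1 fetches xyz.com (miss, now cached), then H2 fetches
    it (hit). Returns the per-request trace and the controller state."""
    ctrl = Controller() if with_flowtags else None
    proxy, s2, acl = Proxy(ctrl), Switch(ctrl), WebACL(ctrl)
    trace = []
    for client in (H1, H2):
        out, ctx = proxy.handle(Packet(src=client, site="xyz.com"))
        trace.append((client, ctx, out.tag, s2.next_hop(out), acl.decide(out)))
    return trace, ctrl


if __name__ == "__main__":
    for mode in (False, True):
        print("FlowTags" if mode else "plain SDN", run(mode)[0])
```

Without tags the ACL only ever sees the proxy's address and forwards H2's cache hit (the violation of Page 4); with tags, H2's hit is assigned tag 2, exactly the <10.1.1.2, Hit> → 2 entry on Page 9, and the ACL drops it.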

Page 17: Outline

• Motivation

• High-level Idea of FlowTags

• FlowTags Design
– Tag semantics
– Controller and APIs
– Middlebox modification

• Evaluation

Page 18: FlowTags APIs

[Figure: the FlowTags-enhanced SDN Controller speaks OpenFlow to switches S1 and S2 and the FlowTags API to the middleboxes. The proxy generates tags ("Generate Tag"), the Web ACL consumes them ("Consume Tag"). Hosts: H1 10.1.1.1, H2 10.1.1.2.]

Proxy (Generate Tag):
  <SrcIP, Cache Hit>   Tag
  10.1.1.2, Hit        2

Switches (Tag Fwd):
  Tag   Fwd
  2     S2
  2     ACL

Web ACL (Consume Tag):
  Tag   OrigSrcIP
  2     10.1.1.2

Page 19: FlowTags-enhanced controller

[Figure: the admin's Policy is expressed as a DPG, which the controller maps to a physical realization over switches S1, S2, S3 and S4. The controller works reactively: Middlebox Event Handlers handle tag generate and consume requests; Switch Event Handlers install flow rules and handle flow expiry.]

Page 20: Outline

• Motivation

• High-level Idea of FlowTags

• FlowTags Design
– Tag semantics
– Controller and APIs
– Middlebox modification

• Evaluation

Page 21: Middlebox extension strategies to add FlowTags support

Strategy 1: Packet Rewriting

[Figure: light-weight packet-rewriting shims sit on the middlebox's input traffic and output traffic; the middlebox's internal modules are untouched.]

Pro: One shot
Con: Hard to get internal context

Page 22: Middlebox extension strategies to add FlowTags support

Strategy 2: Module Modification

[Figure: the middlebox's internal modules themselves are modified between input traffic and output traffic.]

Pro: Suited for getting internal context
Con: More change is needed

Page 23: Middlebox extension strategies to add FlowTags support

Our Strategy: Packet rewriting for Tag consumption; module modification for Tag generation

[Figure: a Shim on the input side performs Tag consumption; Tag generation is done inside the modified modules on the output side.]

Page 24: Outline

• Motivation

• High-level Idea of FlowTags

• FlowTags Design

• Evaluation

Page 25: Key evaluation questions

• Feasibility of middlebox modification

• FlowTags overhead

• Number of Tag bits

• New capabilities

Page 26: FlowTags needs minimal middlebox modifications

  Middlebox   Total LOC   Modified LOC
  Squid       216,000     75
  Snort       336,000     45
  Balance       2,000     60
  iptables     42,000     55
  PRADS        15,000     25

Page 27: FlowTags adds low overhead

[Figure: stacked bar chart, "Breakdown of flow processing time (ms)", y-axis 0 to 1.4 ms, one bar per topology with its number of PoPs: Abilene (11), Geant (22), Telstra (44), Sprint (52), Verizon (70), AT&T (115). Each bar is split into Controller Processing, Middlebox Tag Processing and Switch Setup.]

Page 28: Summary of other results

• Adds < 1% overhead to middlebox processing

• Tags can be encoded in ~15 bits
– E.g., IP-ID, IPv6 FlowLabel, Encap Headers (NVP)

• Can enable new capabilities
– Extended header space analysis
– Diagnosing network bottlenecks
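The packet-rewriting shim of Pages 21-23 and the "~15 bits, e.g. IP-ID" encoding of Page 28 meet in the data plane: a generation-side shim has to write the tag into a header field and keep the header valid, and a consumption-side shim has to validate the header, read the tag and hand a clean packet to the middlebox's own modules. The following Python is an added example, not the FlowTags implementation: the IPv4 layout and checksum are standard, but using the top bit of the 16-bit Identification field as a "tag present" flag and the low 15 bits as the tag is an assumption made here, and the sample addresses are constructed.

```python
"""Packet-rewriting shim for FlowTags (slides 21-23), with the tag carried
in the 16-bit IPv4 Identification field as slide 28 suggests (~15 bits of
tag suffice). Added example, not the FlowTags implementation: the header
layout is standard IPv4, but using the top bit of the ID field as a
"tag present" flag and the low 15 bits as the tag is an assumption made
here. Addresses in the sample are constructed (10.1.1.2 is H2 from the
slides; 192.0.2.10 is a documentation address)."""
import socket
import struct

TAG_BITS = 15
TAG_MASK = (1 << TAG_BITS) - 1   # 0x7FFF
TAG_FLAG = 1 << TAG_BITS         # 0x8000: "this ID field carries a tag"


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(header: bytes) -> bytes:
    """Return the header with its checksum field (bytes 10-11) recomputed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def build_ipv4_header(src: str, dst: str, payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (TCP, DF set, ID = 0); constructed input."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len,   # version/IHL, TOS, total length
                      0, 0x4000,                   # identification, flags (DF) + offset
                      64, 6, 0,                    # TTL, protocol (TCP), checksum placeholder
                      socket.inet_aton(src), socket.inet_aton(dst))
    return with_checksum(hdr)


def stamp_tag(header: bytes, tag: int) -> bytes:
    """Generation-side shim: write the tag into the ID field and fix the checksum."""
    if not 0 <= tag <= TAG_MASK:
        raise ValueError("tag does not fit in %d bits" % TAG_BITS)
    return with_checksum(header[:4] + struct.pack("!H", TAG_FLAG | tag) + header[6:])


def decode_tag(header: bytes):
    """Consumption-side shim: validate the header, then return the tag or
    None if the packet is untagged."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if len(header) < ihl or ipv4_checksum(header[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    ident = struct.unpack("!H", header[4:6])[0]
    return ident & TAG_MASK if ident & TAG_FLAG else None


def strip_tag(header: bytes) -> bytes:
    """After consumption, restore ID = 0 so the middlebox's own modules see a
    plain packet (packet rewriting for tag consumption, slide 23)."""
    return with_checksum(header[:4] + b"\x00\x00" + header[6:])


if __name__ == "__main__":
    h = build_ipv4_header("10.1.1.2", "192.0.2.10")
    t = stamp_tag(h, 2)          # tag 2 = <10.1.1.2, Hit> on slide 9
    print(decode_tag(h), decode_tag(t), strip_tag(t) == h)   # None 2 True
```

Reusing the Identification field only works because the DF bit is set (the field is otherwise meaningless for unfragmented packets), which is the same trade-off that motivates the IPv6 Flow Label and encapsulation-header alternatives listed on the slide; the consumer refuses headers whose checksum does not verify rather than acting on a tag from a damaged packet.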

Page 29: Conclusions

• Middleboxes complicate enforcement
– E.g., NAT/LB rewrite headers, proxy sends cached response

• Root cause: Violation of the SDN tenets
– Origin Binding and Paths-Follow-Policy

• FlowTags extends SDN with new middlebox APIs
– Restores tenets using new DPG abstraction
– No changes to switches and switch APIs

• FlowTags is practical
– Minimal middlebox changes, low overhead
– An enabler for verification, testing, and diagnosis