Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags Seyed K....
Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox
Actions using FlowTags
Seyed K. Fayazbakhsh*, Luis Chiang¶, Vyas Sekar*, Minlan Yu★, Jeffrey Mogul
*CMU, ¶Deutsche Telekom, ★USC, Google
Middleboxes complicate policy enforcement in SDN
[Diagram: SDN stack with Control Apps, Network OS and Data Plane; policy examples: service chaining, access control]
Dynamic and traffic-dependent modifications! E.g., NATs, proxies
Modifications → Attribution is hard
[Diagram: hosts H1 and H2, switches S1 and S2, a Firewall and a NAT in front of the Internet. Policy: Block the access of H2 to certain websites.]
Dynamic actions → Policy violations
[Diagram: hosts H1 and H2, switches S1 and S2, a Proxy and a Web ACL (Block H2 → xyz.com) in front of the Internet. Steps: 1. Get xyz.com; 2. Response (cached by the proxy); 3. Get xyz.com; 4. Cached response]
Our work: FlowTags
FlowTags provides an architectural solution: it enables policy enforcement and diagnosis despite dynamic middlebox actions.
Some candidate (non-)solutions: placement, tunneling, consolidation, correlation. They address some symptoms but not the root cause: Origin Binding and Paths-Follow-Policy violations.
Outline
• Motivation
• High-level Idea
• FlowTags Design
• Evaluation
High-level idea
• Middleboxes need to restore SDN tenets
  – Possibly the only option for correctness
  – Minimal changes to middleboxes
• Add missing contextual information as Tags
  – NAT gives IP mappings
  – Proxy provides cache hit/miss info
• FlowTags controller configures tagging logic
FlowTags architecture
[Diagram: Control plane: Admin, existing Control Apps (e.g., steering, verification) and new control apps (e.g., policy steering, verification) on top of the Network OS. Data plane: SDN switches (Flow Table) reached through existing APIs (e.g., OpenFlow); Middleboxes (FlowTags Tables) reached through the FlowTags APIs; Mbox Config]
FlowTags in action
[Diagram: FlowTags-enhanced policy. Web ACL configured w.r.t. original principals: Block 10.1.1.2 → xyz.com. Topology: H1 (10.1.1.1) and H2 (10.1.1.2), S1, Proxy, S2, Web ACL, Internet. H2 requests xyz.com. Tag tables: Proxy tag generation <SrcIP, Cache Hit> = <10.1.1.2, Hit> → Tag 2; switch forwarding rules: Tag 2 → S2, Tag 2 → ACL; Web ACL tag decoding: Tag 2 → OrigSrcIP 10.1.1.2 → DROP]
Outline
• Motivation
• High-level Idea of FlowTags
• FlowTags Design
• Evaluation
Challenge 1: Tag Semantics
[Diagram: FlowTags-enhanced SDN Controller in the control plane. Data plane: H1 (10.1.1.1) and H2 (10.1.1.2), S1, Proxy, S2, Web ACL, Internet. Proxy: Add Tag; switches: Tag Forward; Web ACL: Decode Tag]
Challenge 2: New APIs, control apps
[Diagram: same as Challenge 1]
Challenge 3: Middlebox Extensions
[Diagram: same as Challenge 1]
Outline
• Motivation
• High-level Idea of FlowTags
• FlowTags Design
  – Tag semantics
  – Controller and APIs
  – Middlebox modification
• Evaluation
Semantics: Dynamic Policy Graph (DPG)
[Diagram: topology H1, H2, S1, Proxy, S2, Internet with Web ACL: Block H2 xyz.com, and the corresponding DPG. Nodes: H1, H2, Proxy, ACL, Internet, Drop. Edge labels are <origin set>; <condition>: {H1}; -, {H2}; -, {H1}; Hit, {H1}; Miss, {H2}; Hit, {H2}; Miss, {H2}; <Allowed,Miss>, {H2}; <Allowed,Hit>, {H2}; Blocked → Drop]
Intuitively, need a Tag <per flow, per-edge> in DPG
Outline
• Motivation
• High-level Idea of FlowTags
• FlowTags Design
  – Tag semantics
  – Controller and APIs
  – Middlebox modification
• Evaluation
FlowTags APIs
[Diagram: the FlowTags-enhanced SDN Controller speaks OpenFlow to switches S1 and S2 and FlowTags to the Proxy and the Web ACL. Proxy: Generate Tag, <SrcIP, Cache Hit> → Tag (e.g., <10.1.1.2, Hit> → Tag 2); switches: Tag Fwd (Tag 2 → S2, Tag 2 → ACL); Web ACL: Consume Tag, Tag → OrigSrcIP (e.g., Tag 2 → 10.1.1.2). Hosts H1 (10.1.1.1) and H2 (10.1.1.2), Internet]
FlowTags-enhanced controller
[Diagram: Policy DPG → physical realization on switches S1, S2, S3, S4. Reactive controller with Middlebox Event Handlers (Tag generate and consume) and Switch Event Handlers (Flow expiry, Flow rules)]
Outline
• Motivation
• High-level Idea of FlowTags
• FlowTags Design
  – Tag semantics
  – Controller and APIs
  – Middlebox modification
• Evaluation
Middlebox extension strategies to add FlowTags support
Strategy 1: Packet Rewriting
Pro: One shot
Con: Hard to get internal context
[Diagram: input traffic → light-weight packet-rewriting shims around the middlebox, whose internal modules stay unchanged → output traffic]
Strategy 2: Module Modification
Pro: Suited for getting internal context
Con: More change is needed
[Diagram: input traffic → middlebox with its internal modules modified → output traffic]
Our Strategy: Packet rewriting for Tag consumption; module modification for Tag generation
[Diagram: input traffic → Shim (Tag consumption) → middlebox modules (Tag generation) → output traffic]
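The tag generate/consume loop from the "FlowTags in action" and "FlowTags APIs" slides, combined with the hybrid extension strategy above, as an added example that is not code from the FlowTags paper or its authors. The proxy is extended at module level (it knows whether the request was a cache hit, i.e. internal context) to generate tags; the Web ACL stays unmodified and a packet-rewriting shim consumes the tag to restore the original principal before the ACL matches. The DPG edges are the ones drawn on the DPG slide; the class and method names, the proxy address 10.1.1.3, and the tag-table layout are assumptions.

```python
"""Toy FlowTags-style simulation (added example; names, proxy IP and table
layout are assumptions, not the paper's implementation)."""
from dataclasses import dataclass, replace
from typing import Optional

# Dynamic Policy Graph edges as drawn on the DPG slide: (node, condition) -> next hop.
DPG = {
    ("Proxy", "Hit"): "ACL",
    ("Proxy", "Miss"): "ACL",
    ("ACL", "Blocked"): "Drop",
    ("ACL", "Allowed,Miss"): "Internet",
    ("ACL", "Allowed,Hit"): "Client",   # cached response goes back to the requester
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    site: str                  # requested website, e.g. "xyz.com"
    tag: Optional[int] = None  # FlowTag carried in the header


class Controller:
    """Allocates one tag per (flow, DPG edge) and remembers what it stands for."""
    def __init__(self):
        self._next = 1
        self.tag_table = {}  # tag -> (original src IP, cache state)

    def generate_tag(self, orig_src_ip: str, cache_state: str) -> int:
        tag = self._next
        self._next += 1
        self.tag_table[tag] = (orig_src_ip, cache_state)
        return tag

    def consume_tag(self, tag: int) -> tuple:
        return self.tag_table[tag]


class Proxy:
    """Strategy 2 (module modification): the cache module reports hit/miss so the
    tag carries that context. Like a real proxy it rewrites the source address to
    its own, which is what hides the original principal from the ACL."""
    def __init__(self, ctl: Controller, ip: str = "10.1.1.3"):  # proxy IP is constructed
        self.ctl, self.ip, self.cache = ctl, ip, set()

    def handle(self, pkt: Packet, tagging: bool) -> tuple:
        state = "Hit" if pkt.site in self.cache else "Miss"
        self.cache.add(pkt.site)
        tag = self.ctl.generate_tag(pkt.src_ip, state) if tagging else None
        return Packet(src_ip=self.ip, site=pkt.site, tag=tag), state


class WebACL:
    """Unmodified ACL logic: it only ever matches on what the packet header says."""
    def __init__(self, blocked: set):
        self.blocked = blocked  # set of (src IP, site) pairs

    def decide(self, pkt: Packet) -> str:
        return "Blocked" if (pkt.src_ip, pkt.site) in self.blocked else "Allowed"


def acl_shim(ctl: Controller, pkt: Packet) -> Packet:
    """Strategy 1 (packet rewriting) used for tag consumption: restore the original
    source IP from the tag before the unmodified ACL sees the packet."""
    if pkt.tag is None:
        return pkt
    orig_src, _ = ctl.consume_tag(pkt.tag)
    return replace(pkt, src_ip=orig_src)


def run_scenario(tagging: bool) -> list:
    """Replay the slide's trace: H1 fetches xyz.com (populating the cache), then H2
    fetches it. Returns (requester, cache state, final DPG node) per request."""
    ctl = Controller()
    proxy = Proxy(ctl)
    acl = WebACL(blocked={("10.1.1.2", "xyz.com")})  # policy w.r.t. the original principal H2
    out = []
    for src in ("10.1.1.1", "10.1.1.2"):
        pkt, state = proxy.handle(Packet(src, "xyz.com"), tagging)
        assert DPG[("Proxy", state)] == "ACL"  # both hits and misses traverse the ACL
        verdict = acl.decide(acl_shim(ctl, pkt))
        cond = "Blocked" if verdict == "Blocked" else f"Allowed,{state}"
        out.append((src, state, DPG[("ACL", cond)]))
    return out


if __name__ == "__main__":
    print("without FlowTags:", run_scenario(tagging=False))
    print("with FlowTags:   ", run_scenario(tagging=True))
```

Without tags, H2's second request is a cache hit that the ACL sees as coming from the proxy's own address, so it is served from the cache and the policy is bypassed; with tags, the shim restores 10.1.1.2 and the ACL's verdict takes the {H2}; Blocked edge to Drop.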
Outline
• Motivation
• High-level Idea of FlowTags
• FlowTags Design
• Evaluation
Key evaluation questions
• Feasibility of middlebox modification
• FlowTags overhead
• Number of Tag bits
• New capabilities
FlowTags needs minimal middlebox modifications
Middlebox   Total LOC   Modified LOC
Squid         216,000             75
Snort         336,000             45
Balance         2,000             60
iptables       42,000             55
PRADS          15,000             25
FlowTags adds low overhead
[Chart: breakdown of flow processing time (ms), y-axis 0 to 1.4, for the Abilene, Geant, Telstra, Sprint, Verizon and AT&T topologies (# PoPs: 11, 22, 44, 52, 70, 115); stacked components: Controller Processing, Middlebox Tag Processing, Switch Setup]
Summary of other results
• Adds < 1% overhead to middlebox processing
• Tags can be encoded in ~15 bits
  – E.g., IP-ID, IPv6 FlowLabel, Encap Headers (NVP)
• Can enable new capabilities
  – Extended header space analysis
  – Diagnosing network bottlenecks
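One of the carriers listed above, the 16-bit IPv4 Identification field, holding a ~15-bit tag, as an added example that is not from the FlowTags paper: the generating side writes the tag and recomputes the header checksum, the consuming side verifies the checksum and reads it back. The header layout follows RFC 791; the 15-bit width, the sample addresses (RFC 5737 test range for the destination) and the assumption that the ID field is free for this use only when the packet carries DF and is not fragmented are this example's own.

```python
"""Packing a FlowTag into the IPv4 Identification field (added example; tag width,
addresses and the DF assumption are constructed here, not taken from the paper)."""
import struct

TAG_BITS = 15
TAG_MASK = (1 << TAG_BITS) - 1


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791 / RFC 1071); returns 0 for a
    header whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, tag: int, proto: int = 6, payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header with the tag in the Identification field. DF is set
    because the ID field is only reusable when the packet will not be fragmented."""
    if not 0 <= tag <= TAG_MASK:
        raise ValueError("tag must fit in %d bits" % TAG_BITS)
    ver_ihl, tos, total_len = 0x45, 0, 20 + payload_len
    flags_frag = 0x4000  # DF=1, MF=0, fragment offset 0
    ttl = 64
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, tag, flags_frag,
                      ttl, proto, 0, s, d)
    csum = ipv4_checksum(hdr)  # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def read_tag(header: bytes) -> int:
    """Consume side: check the header is IPv4 with a valid checksum, then extract the tag."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    if ipv4_checksum(header[:20]) != 0:
        raise ValueError("bad IPv4 checksum")
    ident = struct.unpack("!H", header[4:6])[0]
    return ident & TAG_MASK


if __name__ == "__main__":
    h = build_ipv4_header("10.1.1.3", "192.0.2.10", 2, payload_len=40)
    print(h.hex(), "tag =", read_tag(h))
```

A tag that does not fit in 15 bits is rejected up front, and a header whose checksum no longer matches (for instance after a rewrite that forgot to update it) is refused rather than silently decoded into the wrong principal.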
Conclusions
• Middleboxes complicate enforcement
  – E.g., NAT/LB rewrite headers, proxy sends cached response
• Root cause: Violation of the SDN tenets
  – Origin Binding and Paths-Follow-Policy
• FlowTags extends SDN with new middlebox APIs
  – Restores tenets using new DPG abstraction
  – No changes to switches and switch APIs
• FlowTags is practical
  – Minimal middlebox changes, low overhead
  – An enabler for verification, testing, and diagnosis