Workshop on Hot topics in Middleboxes and Network Function Virtualization: latest publications

Evolving the internet with connection acrobatics
Pub Date : 2013-12-09 DOI: 10.1145/2535828.2535834
Catalin Nicutar, C. Paasch, M. Bagnulo, C. Raiciu
The textbook Internet architecture revolves around the end-to-end principle with smart endpoints and a dumb network, while the actual Internet is far messier, with middleboxes pervasively deployed and affecting end-to-end traffic in many ways. Today's Internet is fragile as most of the communications are affected by transparent stateful middleboxes deployed along the path. In this paper we propose an evolution of the Internet architecture to make the middleboxes an explicit part of the Internet communications. We do so using the new Multipath TCP (MPTCP) protocol recently standardized at the Internet Engineering Task Force. MPTCP allows us to change the endpoints of the connection and by extension to explicitly add middleboxes in the middle of an ongoing communication. We show that the proposed solution accommodates nicely several widely used use cases including load balancing, DDoS filtering and anycast services. We implement selected use cases as a proof of concept.
Citations: 18
Verifiable network function outsourcing: requirements, challenges, and roadmap
Pub Date : 2013-12-09 DOI: 10.1145/2535828.2535831
S. K. Fayaz, M. Reiter, V. Sekar
Network function outsourcing (NFO) enables enterprises and small businesses to achieve the performance and security benefits offered by middleboxes (e.g., firewall, IDS) without incurring the high equipment or operating costs that such functions entail. In order for this vision to fully take root, however, we argue that NFO customers must be able to verify that the service is operating as intended w.r.t.: (1) functionality (e.g., did the packets traverse the desired sequence of middlebox modules?); (2) performance (e.g., is the latency comparable to an "in-house" service?); and (3) accounting (e.g., is the CPU/memory consumption being accounted for correctly?). In this position paper, we formalize these requirements and present a high-level roadmap to address the challenges involved.
Citations: 44
FlowOS: a flow-based platform for middleboxes
Pub Date : 2013-12-09 DOI: 10.1145/2535828.2535836
Mehdi Bezahaf, A. Alim, L. Mathy
Middleboxes are heavily used in the Internet to process the network traffic for a specific purpose. As there are no open standards, these proprietary boxes are expensive and difficult to upgrade. In this paper, we present a programmable platform for middleboxes called FlowOS to run on commodity hardware. It provides an elegant programming model for writing flow processing software, which hides the complexities of low-level packet processing, process synchronisation, and inter-process communication. We show that FlowOS itself does not add any significant overhead to flows by presenting some preliminary test results.
Citations: 20
Are TCP extensions middlebox-proof?
Pub Date : 2013-12-09 DOI: 10.1145/2535828.2535830
Benjamin Hesmans, F. Duchene, C. Paasch, G. Detal, O. Bonaventure
Besides the traditional routers and switches, middleboxes such as NATs, firewalls, IDS or proxies have a growing importance in many networks, notably in enterprise and wireless access networks. Many of these middleboxes modify the packets that they process. For this, they need to implement (a subset of) protocols like TCP. Despite the deployment of these middleboxes, TCP continues to evolve on the endhosts and little is known about the interactions between TCP extensions and the middleboxes. In this paper, we experimentally evaluate the interference between middleboxes and the Linux TCP stack. For this, we first propose MBtest, a set of Click elements that model middlebox behavior. We use it to experimentally evaluate how three TCP extensions interact with middleboxes. We also analyze measurements of the interference between Multipath TCP and middleboxes in fifty different networks.
Citations: 67
Analysis and topology-based traversal of cascaded large scale NATs
Pub Date : 2013-12-09 DOI: 10.1145/2535828.2535833
Andreas Müller, F. Wohlfart, G. Carle
Middleboxes are an essential part of today's networks since they allow introducing additional functionality without having to change end-hosts. Network Address Translation (NAT) has been the number one choice for coping with the address depletion problem of IPv4. Although NAT introduces many problems for existing applications, it can be found in almost every consumer and mobile network. Large Scale NAT (LSN) is the latest trend in middlebox deployment and plays an important role in the transition from IPv4 to IPv6. LSN may consist of a distributed NAT at the provider or it may include multiple layers of NAT. LSN introduces additional problems for customers since many existing NAT traversal techniques cannot be applied. This paper presents an approach for discovering and measuring stateful cascaded NATs on the path between two arbitrary peers in the Internet. An algorithm combining multiple UDP packets, individual timeouts and traceroute measurements is presented and evaluated in a public field test. Finally, we show how NAT traversal for LSN can be improved by parameterizing existing algorithms according to the detected topology.
Citations: 22
Towards minimalistic, virtualized content caches with minicache
Pub Date : 2013-12-09 DOI: 10.1145/2535828.2535832
Simon Kuenzer, J. Martins, Mohamed Ahmed, Felipe Huici
Video comprises the majority of traffic on the Internet today, and most of it is delivered via Content Delivery Networks (CDNs) whose performance depends, to a large extent, on being able to deploy a (sometimes rather large) set of distributed content caches at different networks and geographical locations. Recently, ISPs have started deploying micro datacenters close to customers, giving the possibility to third parties to rent out this equipment. While such pay-on-demand infrastructure would allow CDNs to dynamically expand their capacity and improve their efficiency, a high performance, virtualized content cache would be needed for multiple tenants to be able to share such facilities. Towards this end we introduce Minicache, a Xen-based virtualized content cache prototype. A Minicache virtual machine has a small memory footprint (as small as 5MB in size), can boot in as little as 30 milliseconds, and can fill up a 10Gb pipe using data retrieved from storage devices.
Citations: 12
Multipath in the middle(box)
Pub Date : 2013-12-09 DOI: 10.1145/2535828.2535829
G. Detal, C. Paasch, O. Bonaventure
Multipath TCP (MPTCP) is a major modification to TCP that enables a single transport connection to use multiple paths. Smartphones can benefit from MPTCP by using both WiFi and 3G/4G interfaces for their data traffic, potentially improving performance and allowing mobility through vertical handover. However, MPTCP requires a modification of the end hosts, and thus suffers from the chicken-and-egg deployment problem. A global deployment of MPTCP is therefore expected to take years. To increase the incentives for clients and servers to upgrade their system, we propose MiMBox, an efficient protocol converter that can translate MPTCP into TCP and vice versa to provide multipath benefits to early adopters of MPTCP. MiMBox is application agnostic and can be used transparently or explicitly. Moreover, close attention was paid to the implementation's design to achieve good forwarding performance. MiMBox is implemented entirely in the Linux kernel so that it is able to more easily circumvent the bottlenecks of a user-space implementation. Measurements show that we always outperform user-space solutions and that the performance is close to plain IP packet forwarding.
Citations: 29
SymNet: static checking for stateful networks
Pub Date : 2013-12-09 DOI: 10.1145/2535828.2535835
Radu Stoenescu, Matei Popovici, L. Negreanu, C. Raiciu
Today's networks deploy many stateful processing boxes ranging from NATs to firewalls and application optimizers: these boxes operate on packet flows, rather than individual packets. As more and more middleboxes are deployed, understanding their composition is becoming increasingly difficult. Static checking of network configurations is a promising approach to help understand whether a network is configured properly, but existing tools are limited as they only support stateless processing. We propose to use symbolic execution---a technique prevalent in compilers---to check network properties more general than basic reachability. The key idea is to track the possible values for specified fields in the packet as it travels through a network. Each middlebox or router will impose constraints on certain fields of the packet via forwarding actions, packet modifications and filtering. The symbolic approach also allows us to model middlebox per-flow state in a scalable way. We have implemented this technique in a tool we call SymNet and conducted a preliminary evaluation. Early results show SymNet scales well and models basic stateful middleboxes, opening the possibility of analyzing complex stateful middlebox behaviours.
Citations: 23