It is our great pleasure to welcome you to the 2015 ACM Workshop on Hot Topics in Middleboxes and Network Function Virtualization -- HotMiddlebox'15. This year's event is the second workshop on this topic, and it comes at a time when middleboxes are truly a hot topic of interest in both industry and academia.

On the one hand, there is a concerted industry shift towards network functions virtualization, which means middleboxes are now becoming software appliances that are easier to install, scale and upgrade than their hardware counterparts. On the other hand, widespread privacy concerns raised by online surveillance have led to more traffic running over HTTPS and to work towards opportunistically securing TCP in the IETF. The long-lasting tussle between middleboxes and the endpoints has now reached a critical turning point that may deny middleboxes access to the payload, preventing most of them from doing their jobs.

HotMiddlebox'15 accepted 12 papers out of 32 submissions. The paper review process included an offline evaluation phase by PC members, followed by a teleconference discussion of the top 20 ranked papers, out of which 12 were accepted to appear in the program. The resulting program is a surprisingly accurate snapshot of the current state of the field. It features papers focusing on experiences of deploying middleboxes and scaling them to commercial speeds, as well as measuring network behavior in the wild. A subset of the workshop's papers also asks how to enable middleboxes to do their work while preserving privacy. Finally, there are papers examining migration algorithms, the interplay between NFV and SDN, and ways to enable middlebox development.

HotMiddlebox features two exciting keynotes that will bring the industry perspective on middlebox problems that appear in deployment. The first keynote will be given by Juho Snellman, the lead engineer on TCP optimization solutions at Teclo Networks in Zurich. Juho will discuss the practical lessons learnt while developing and deploying systems in mobile operator networks. The second keynote will be given by Marc Wooldward, CTO at the datacenter security company vArmour. Marc will discuss how recent innovations in virtualisation and computing technologies provide us with the opportunity to refashion the classic DMZ security model in the age of datacenters, by evolving it to an asset-centric 'Security as a Service' model.
Theophilus A. Benson, C. Raiciu. Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization, 2015-08-21. DOI: https://doi.org/10.1145/2785989
N. Vallina-Rodriguez, S. Sundaresan, C. Kreibich, V. Paxson
HTTP header enrichment allows mobile operators to annotate HTTP connections via the use of a wide range of request headers. Operators employ proxies to introduce such headers for operational purposes, and---as recently widely publicized---also to assist advertising programs in identifying the subscriber responsible for the originating traffic, with significant consequences for the user's privacy. In this paper, we use data collected by the Netalyzr network troubleshooting service over 16 months to identify and characterize HTTP header enrichment in modern mobile networks. We present a timeline of HTTP header usage for 299 mobile service providers from 112 countries, observing three main categories: (1) unique user and device identifiers (e.g., IMEI and IMSI), (2) headers related to advertising programs, and (3) headers associated with network operations.
N. Vallina-Rodriguez, S. Sundaresan, C. Kreibich, V. Paxson. "Header Enrichment or ISP Enrichment?: Emerging Privacy Threats in Mobile Networks." In Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization, 2015-08-21. DOI: https://doi.org/10.1145/2785989.2786002
Franck Le, E. Nahum, Vasilis Pappas, Maroun Touma, D. Verma
This paper summarizes our experiences deploying a transparent Split TCP middlebox for WiFi networks in enterprise customer environments. Since Split TCP is nearly two decades old, we believed this would be a straightforward application of well-known technology. Reality, however, would teach us otherwise. While we began our deployment in our own office with 3,000 users, we encountered several challenges in deploying this technology at customer sites. Each customer had different network architectures, security policies, and non-negotiable requirements. In particular, modifying the network architecture was frequently impossible. Deployment challenges tended to fall into two related but distinct categories. First, making the box transparent to both clients and servers required extending the notion of transparency beyond just layer 3 and layer 4 to include layer 2. Second, the interaction of our middlebox with other middleboxes resulted in unexpected behaviors. Our deployments supported up to 15,000 simultaneous users and lasted up to 2 years. We offer up our experiences so that others need not repeat them. We discuss some implications of our experiences on deploying network functionality in virtual environments, or Network Function Virtualization (NFV). If NFV is to be successful in real environments, these challenges will need to be overcome.
Franck Le, E. Nahum, Vasilis Pappas, Maroun Touma, D. Verma. "Experiences Deploying a Transparent Split TCP Middlebox and the Implications for NFV." In Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization, 2015-08-21. DOI: https://doi.org/10.1145/2785989.2785991
Contemporary networks contain many different kinds of middleboxes that perform a variety of advanced network functions. Currently, a special box is tailored to provide each such function. These special boxes are usually proprietary, and operators' control over them is limited to the set of capabilities defined by the provider of each box. Nonetheless, many middleboxes perform very similar tasks. In this paper we present OpenBox: a logically-centralized framework that makes advanced packet processing and monitoring easier, faster, more scalable, flexible, and innovative. OpenBox decouples the control plane of middleboxes from their data plane, and unifies the data plane of multiple middlebox applications using entities called service instances. On top of the centralized control plane, everyone can develop OpenBox applications. An OpenBox application, formerly implemented as a separate middlebox, instructs the data plane how to process packets in order to achieve its intended function. OpenBox service instances reside in the data plane and process packets according to policies defined by the control plane. They can be implemented in software or use specialized hardware.
A. Bremler-Barr, Yotam Harchol, David Hay. "OpenBox: Enabling Innovation in Middlebox Applications." In Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization, 2015-08-21. DOI: https://doi.org/10.1145/2785989.2785992
Jingyuan Fan, Z. Ye, Chaowen Guan, Xiujiao Gao, K. Ren, C. Qiao
Network Function Virtualization (NFV) is a promising technique to greatly improve the effectiveness and flexibility of network management through a process called Service Function Chain (SFC) mapping, which can efficiently provision network services over a virtualized and shared middlebox platform. However, such an evolution towards software-defined middleboxes introduces new challenges for network services that require high reliability. Sufficient redundancy can protect the network services when physical failures occur, but in doing so, the efficiency of physical resources may be greatly decreased. This paper presents GREP, a novel online algorithm that can minimize physical resource consumption while guaranteeing the required high reliability with polynomial time complexity. Simulation results show that our proposed algorithm can significantly improve the request acceptance ratio and reduce resource consumption.
Jingyuan Fan, Z. Ye, Chaowen Guan, Xiujiao Gao, K. Ren, C. Qiao. "GREP: Guaranteeing Reliability with Enhanced Protection in NFV." In Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization, 2015-08-21. DOI: https://doi.org/10.1145/2785989.2786000
Sejun Song, Daehee Kim, Hyungbae Park, Baek-Young Choi, T. Choi
A large portion of digital data is transferred repeatedly across networks and duplicated in storage systems, which costs excessive bandwidth, storage, energy, and operations. Thus, great effort has been made in both areas of networks and storage systems to lower the redundancies. However, due to the lack of coordination capabilities, expensive procedures of C-H-I (Chunking, Hashing, and Indexing) are incurred recursively on the path of data processing. In this paper, we propose a collaborative redundancy reduction service (CO-REDUCE) in Software-Defined Networks (SDN). Taking advantage of SDN control, CO-REDUCE renders the promising vision of Redundancy Elimination as a network service (REaaS) as a real practical service. CO-REDUCE is a new virtualized network function service that dynamically offloads computational operations and memory management tasks of deduplication to the group of software-designed network middleboxes. Chaining various redundant REs of both storage and network into a service, CO-REDUCE consolidates and simplifies the expensive C-H-I processes. We develop service coordination protocols and virtualization and control mechanisms in SDN, and indexing algorithms for CO-REDUCE software-designed middleboxes (SDMB). Our evaluation results from the system and Mininet-based prototypes show that CO-REDUCE achieves 2-4 times more bandwidth reduction than existing RE technologies and has storage space savings comparable to existing storage de-duplication techniques while reducing the expensive overhead of processing time and memory size.
Sejun Song, Daehee Kim, Hyungbae Park, Baek-Young Choi, T. Choi. "CO-REDUCE: Collaborative Redundancy Reduction Service in Software-Defined Networks." In Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization, 2015-08-21. DOI: https://doi.org/10.1145/2785989.2786001
The realization of increased service flexibility and scalability through the combination of Virtual Network Functions (VNF) and Software Defined Networks (SDN) requires careful management of both VNF and forwarding state. Without coordination, service scalability comes at a high cost due to unacceptable levels of packet loss, reordering and increased latencies. Previously developed techniques have shown that these issues can be managed, at least in scenarios with low traffic rates and optimistic control plane latencies. In this paper we extend previous work on coordinated state management in order to remove performance bottlenecks; this is done through distributed state management and minimizing control plane interactions. Evaluation of our changes shows substantial performance gains using a distributed approach while maintaining centralized control.
B. Kothandaraman, Manxing Du, Pontus Sköldström. "Centrally Controlled Distributed VNF State Management." In Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization, 2015-08-21. DOI: https://doi.org/10.1145/2785989.2785996
To understand whether the promise of Network Function Virtualization can be accomplished in practice, we set out to create a software version of the simplest middlebox that keeps per-flow state: the NAT. While there is a lot of literature in the wide area of SDN in general and in scaling middleboxes, we find that aiming to create a NAT good enough to compete with hardware appliances requires a lot more care than we had thought when we started our work. In particular, limitations of OpenFlow switches force us to rethink load balancing in a way that does not involve the centralized controller at all. The result is a solution that can sustain, on six low-end commodity boxes, a throughput of 40Gbps with 64B packets, on par with industrial offerings but at a third of the cost. To reach this performance, we designed and implemented our NAT from scratch to be migration friendly and optimized for common cases (inbound traffic, many mappings). Our experience shows that OpenFlow-based load balancing is very limited in the context of NATs (and by relation NFV), and that scalability can only be ensured by keeping the controller out of the data plane.
V. Olteanu, Felipe Huici, C. Raiciu. "Lost in Network Address Translation: Lessons from Scaling the World's Simplest Middlebox." In Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization, 2015-08-21. DOI: https://doi.org/10.1145/2785989.2785994
M. Kaplan, Blake Caldwell, Richard Han, H. Jamjoom, Eric Keller
Newly virtualized network functions (like firewalls, routers, and intrusion detection systems) should be easy to consume. Despite recent efforts to improve their elasticity and high availability, network functions continue to maintain important flow state, requiring traditional development and deployment life cycles. At the same time, many cloud-scale applications are being rearchitected to be stateless by cleanly pushing application state into dedicated caches or backend stores. This state separation is enabling these applications to be more agile and support the so-called continuous deployment model. In this paper, we propose that network functions should be similarly redesigned to be stateless. Drawing insights from different classes of network functions, we describe how stateless network functions can leverage recent advances in low-latency network systems to achieve acceptable performance. Our Click-based prototype integrates with RAMCloud; using NAT as an example network function, we demonstrate that we are able to create stateless network functions that maintain the desired performance.
M. Kaplan, Blake Caldwell, Richard Han, H. Jamjoom, Eric Keller. "Stateless Network Functions." In Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization, 2015-08-21. DOI: https://doi.org/10.1145/2785989.2785993
Recent pervasive monitoring of Internet traffic has resulted in an effort to protect all communications by using Transport Layer Security (TLS) to thwart malicious third parties. We argue that such large-scale use of TLS may potentially disrupt many useful network-based services provided by middleboxes, such as content caching, web acceleration, anti-malware scanning and traffic shaping when faced with congestion. As the use of the Internet grows to include devices with varying resources and capabilities, and access networks with differing link characteristics, the prevalent two-party TLS model may prove restrictive. We present EFGH, a pluggable TLS extension that allows a trusted third party to be introduced into the two-party model without affecting the underlying end-to-end security of the channel. The extension preserves the integrity of the end-to-end trust relationship by allowing selective exposure of the exchanged data to trusted middleboxes.
T. Fossati, V. Gurbani, V. Kolesnikov. "Love All, Trust Few: on Trusting Intermediaries in HTTP." In Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization, 2015-08-21. DOI: https://doi.org/10.1145/2785989.2785990