A software-defined firewall bypass for congestion offloading

Florian Heimgaertner, Mark T. Schmidt, David Morgenstern, M. Menth
DOI: 10.23919/CNSM.2017.8255971
Published in: 2017 13th International Conference on Network and Service Management (CNSM), November 2017
Citations: 8

Abstract

With increasing network bandwidths, stateful firewalls are likely to become communication bottlenecks in networks. To mitigate this problem, we propose to bypass selected traffic around firewalls using software-defined networking (SDN). We discuss various approaches and elaborate the following concept. A controller samples outgoing packets at the firewall using sFlow to detect congestion. In case of congestion, flows already admitted by the firewall are identified and offloaded at an appropriate rate by installing flow-specific bypass rules on an OpenFlow-capable switch. We suggest two different algorithms to select appropriate flows and provide a proof-of-concept implementation in a network testbed using the Ryu controller framework. Experimental results illustrate the system behavior at different load levels with and without offloading. We provide an analytical system model to predict the offloading performance for other system parameters than experimentally evaluated and validate the model with our experimental results. A parameter study suggests that the offloaded traffic rate may be a multiple of the firewall's capacity if the switch supports sufficient flow rules or is able to match for TCP flags.
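The control loop the abstract describes (sFlow sampling on the firewall's outgoing port, congestion detection, selection of flows the firewall has already admitted, and flow-specific bypass rules on an OpenFlow switch), as an added illustration. This is not code from the paper or from its Ryu proof-of-concept; it is a stand-alone Python simulation with no Ryu dependency. The firewall capacity, sampling rate, window, congestion threshold, rule budget, bypass port, the greedy heaviest-first selection, the dict-shaped OpenFlow entries and the sample data are all assumptions of this example; the paper's two selection algorithms are not reproduced here.

```python
from collections import Counter, namedtuple

# Assumed parameters of this example (not taken from the paper): a 1 Gbit/s
# stateful firewall, 1-in-100 sFlow packet sampling, a one-second window,
# offloading above 90 % of capacity, and a switch with room for few entries.
FW_CAPACITY_BPS = 1_000_000_000
SAMPLING_RATE = 100
WINDOW_S = 1.0
CONGESTION_THRESHOLD = 0.9
MAX_BYPASS_RULES = 4
BYPASS_PORT = 3        # hypothetical switch port that leads around the firewall
TCP_SYN = 0x02

# One sFlow packet sample taken on the firewall's outgoing port; tcp_flags is
# 0 for non-TCP traffic, length is bytes on the wire.
Sample = namedtuple("Sample", "src dst sport dport proto tcp_flags length")

def flow_key(s):
    return (s.src, s.dst, s.sport, s.dport, s.proto)

def estimate_rate_bps(samples, sampling_rate=SAMPLING_RATE, window_s=WINDOW_S):
    """Scale the sampled bytes by the sampling rate to estimate the link load."""
    return sum(s.length for s in samples) * sampling_rate * 8 / window_s

def is_congested(rate_bps, capacity_bps=FW_CAPACITY_BPS, threshold=CONGESTION_THRESHOLD):
    return rate_bps > threshold * capacity_bps

def admitted_flow_rates(samples, sampling_rate=SAMPLING_RATE, window_s=WINDOW_S):
    """Per-flow rate estimates for flows the firewall has already admitted.

    A packet on the firewall's outgoing port has passed its policy, so its
    flow counts as admitted. A bare SYN is skipped: the firewall is still
    deciding on that connection, so it must stay on the firewalled path.
    """
    per_flow = Counter()
    for s in samples:
        if s.proto == "tcp" and s.tcp_flags == TCP_SYN:
            continue
        per_flow[flow_key(s)] += s.length
    scale = sampling_rate * 8 / window_s
    return {flow: nbytes * scale for flow, nbytes in per_flow.items()}

def select_flows(flow_rates, excess_bps, max_rules=MAX_BYPASS_RULES):
    """Greedy heaviest-first selection (an assumed strategy, not the paper's).

    Takes the largest admitted flows until their summed rate covers the
    excess or the switch's rule budget is used up; returns (flows, rate).
    """
    chosen, covered = [], 0.0
    for flow, rate in sorted(flow_rates.items(), key=lambda kv: kv[1], reverse=True):
        if covered >= excess_bps or len(chosen) >= max_rules:
            break
        chosen.append(flow)
        covered += rate
    return chosen, covered

def bypass_rule(flow, priority=100, idle_timeout=30):
    """OpenFlow-style flow entry as a plain dict (not a Ryu OFPFlowMod).

    The 5-tuple match sends the admitted flow out of BYPASS_PORT. For TCP the
    tcp_flags match (value 0 under a SYN mask) keeps every SYN on the
    firewalled path, so a new connection reusing the same port pair cannot
    ride an old bypass entry; the idle timeout ages the entry out afterwards.
    """
    src, dst, sport, dport, proto = flow
    match = {"eth_type": 0x0800, "ipv4_src": src, "ipv4_dst": dst,
             "ip_proto": 6 if proto == "tcp" else 17}
    if proto == "tcp":
        match.update({"tcp_src": sport, "tcp_dst": dport, "tcp_flags": (0, TCP_SYN)})
    else:
        match.update({"udp_src": sport, "udp_dst": dport})
    return {"priority": priority, "idle_timeout": idle_timeout,
            "match": match, "actions": [("output", BYPASS_PORT)]}

def control_loop(samples):
    """One controller iteration: sample -> detect -> select -> build rules."""
    rate = estimate_rate_bps(samples)
    if not is_congested(rate):
        return []
    excess = rate - CONGESTION_THRESHOLD * FW_CAPACITY_BPS
    chosen, _ = select_flows(admitted_flow_rates(samples), excess)
    return [bypass_rule(f) for f in chosen]

def constructed_samples():
    """Constructed sample set for one window (illustrative, not measured)."""
    a = [Sample("10.0.0.5", "192.0.2.10", 45120, 443, "tcp", 0x10, 1500)] * 500
    b = [Sample("10.0.0.7", "192.0.2.20", 51000, 22, "tcp", 0x18, 1500)] * 300
    c = [Sample("10.0.0.9", "192.0.2.30", 40000, 53, "udp", 0, 1200)] * 50
    d = [Sample("10.0.0.11", "192.0.2.40", 52000, 80, "tcp", TCP_SYN, 60)] * 10
    return a + b + c + d

if __name__ == "__main__":
    for rule in control_loop(constructed_samples()):
        print(rule)
```

With the constructed samples the estimated load is about 1.01 Gbit/s against a 900 Mbit/s threshold, so one bypass entry for the heaviest admitted flow is enough to cover the excess; the SYN-only flow is never offloaded. The tcp_flags match in the entry is one use of the TCP-flag matching the abstract mentions as a capability that raises the offloadable rate; whether the paper uses it in this form is not stated in the abstract, so treat that detail as this example's own choice.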