
FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions

Seyed K. Fayazbakhsh, Vyas Sekar, Minlan Yu, Jeff Mogul

Middleboxes complicate policy enforcement in SDN

[Slide figure: Logical view: the Admin specifies policy goals (policy routing, access control, diagnostics, forensics) via Control Apps running on the Network OS. Physical view: in the Data Plane, middleboxes such as NATs and proxies make dynamic, traffic-dependent modifications to packets.]

Example: Policy Routing

H1: NAT → Firewall

H2: NAT → IDS

[Slide figure: topology with hosts H1 and H2, switches S1 and S2, a NAT, a Firewall, an IDS, and the Internet.]

How do we set up correct forwarding rules?

Example: Dynamic Dependence

Web ACL: Block H2 → xyz

[Slide figure: H1 sends "Get xyz.com" through S1 to the Proxy, which fetches the Response from the Internet via S2. H2 later sends "Get xyz.com" and the Proxy answers directly with a Cached response.]

Cached responses may violate policy

Strawman Solutions

Key missing piece:

Lack of “visibility” into middlebox context

  • Careful placement? (i.e., manual)
    • May not always be feasible
  • Consolidating middleboxes? (e.g., CoMb)
    • Just “punting” the problem
  • Inferring flow mappings? (e.g., SIMPLE)
    • Hard to reason about accuracy + high overhead
FlowTags: High-level Idea
  • Middleboxes “help” with the lack of visibility
  • Add FlowTags to packets to bridge gaps
    • NAT gives IP mappings; Proxy gives cache hit/miss
  • Middleboxes “produce” + “consume” FlowTags
  • Switches only “consume” FlowTags
FlowTags Architecture Overview

[Slide figure: Control Apps run on the Controller. The Controller talks to SDN-enabled Switches over existing interfaces (e.g., OpenFlow), which populate the FlowTable, and to FlowTags-enhanced Middleboxes over the FlowTags API and FlowTags Config. FlowTags “decouple” the two sides: e.g., the NAT exposes its mappings, the Proxy gives hit/miss state, and the IDS uses tags to disambiguate flows.]

FlowTags Southbound API

[Slide figure: the FlowTags Controller above a data path with hosts H1 and H2, switches S1 and S2, a Proxy, an ACL, and the Internet. A Pkt enters the Proxy and leaves as Pkt w/ Tags.]

Tag producer (e.g., the Proxy): RqstTag(Pkt, Context) → the Controller replies with FlowMatch, {Tags}, installed in the middlebox's TagsFlowTable.

Tag consumer (e.g., the ACL): RqstAction(Pkt + Tags) → the Controller replies with FlowMatch, Action, installed in the middlebox's TagsActionTable.

Policy Implementation via FlowTags

Policy: Block H2 → xyz

TagsFlowTable (tag generation, at the Proxy):

H1, MISS → 1

H1, HIT → 2

H2, MISS → 3

H2, HIT → 4

TagsActionTable (tag consumption, at the ACL)

[Slide figure: hosts H1 and H2, S1, Proxy, ACL, S2, Internet.]
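The two tables on this slide, worked through as an added Python simulation. This is constructed for this page, not the authors' code: the TagsFlowTable entries are the slide's, while the TagsActionTable encoding of "Block H2 → xyz" (drop tags 3 and 4 when the destination is xyz.com), the wire addresses ("Proxy" as the re-originating source), the request sequence, and the assumption that cached responses are steered past the ACL like cache misses are all my assumptions. Running it with FlowTags off reproduces the "cached responses may violate policy" slide; with FlowTags on, both the MISS and the HIT paths for H2 are blocked.

```python
# Constructed FlowTags simulation (not the paper's code): a caching Proxy that
# produces tags and an ACL that consumes them, following the slide's tables.
from dataclasses import dataclass
from typing import List, Optional, Tuple

POLICY_SITE = "xyz.com"  # Web ACL policy from the slides: block H2 -> xyz


@dataclass(frozen=True)
class Packet:
    src: str                      # source address as seen on the wire
    dst: str                      # requested site
    origin: Optional[str] = None  # ground truth, used only for the policy check
    tag: Optional[int] = None     # FlowTag; None when FlowTags is disabled


# TagsFlowTable at the Proxy, exactly as on the slide: (origin, outcome) -> tag.
TAGS_FLOW_TABLE = {
    ("H1", "MISS"): 1,
    ("H1", "HIT"): 2,
    ("H2", "MISS"): 3,
    ("H2", "HIT"): 4,
}

# TagsActionTable at the ACL; assumed encoding of "Block H2 -> xyz":
# (tag, dst) -> action. Unmatched packets fall through to the legacy rule.
TAGS_ACTION_TABLE = {
    (3, POLICY_SITE): "DROP",
    (4, POLICY_SITE): "DROP",
}


class Proxy:
    """Caching web proxy. With FlowTags enabled it acts as a tag producer."""

    def __init__(self, use_flowtags: bool):
        self.use_flowtags = use_flowtags
        self.cache = set()

    def handle(self, req: Packet) -> Tuple[Packet, str]:
        outcome = "HIT" if req.dst in self.cache else "MISS"
        tag = TAGS_FLOW_TABLE[(req.src, outcome)] if self.use_flowtags else None
        # The proxy re-originates the request (MISS) or the response (HIT)
        # from its own address; this is what hides the client downstream.
        return Packet(src="Proxy", dst=req.dst, origin=req.src, tag=tag), outcome

    def fill(self, site: str) -> None:
        """Record a site as cached once its response actually came back."""
        self.cache.add(site)


def acl(pkt: Packet) -> str:
    """Access-control middlebox: consult the tag table first, then the
    legacy 5-tuple rule that matches on the wire source address."""
    if pkt.tag is not None and (pkt.tag, pkt.dst) in TAGS_ACTION_TABLE:
        return TAGS_ACTION_TABLE[(pkt.tag, pkt.dst)]
    if pkt.src == "H2" and pkt.dst == POLICY_SITE:
        return "DROP"
    return "ALLOW"


def run(use_flowtags: bool, requests) -> List[Tuple[str, str, str, Optional[int]]]:
    """Push requests along H -> S1 -> Proxy -> ACL and return what was delivered
    as (origin host, site, cache outcome, tag). Assumption: cached responses
    are steered past the ACL too, so the ACL sees every Proxy output."""
    proxy = Proxy(use_flowtags)
    delivered = []
    for host, site in requests:
        out, outcome = proxy.handle(Packet(src=host, dst=site))
        if acl(out) == "ALLOW":
            if outcome == "MISS":
                proxy.fill(site)  # response returned from the Internet; now cacheable
            delivered.append((host, site, outcome, out.tag))
    return delivered


def policy_violations(delivered):
    """Any delivery of xyz.com to H2 violates the Web ACL."""
    return [d for d in delivered if d[0] == "H2" and d[1] == POLICY_SITE]


# Constructed request sequence: H2 asks first (a MISS), H1 warms the cache,
# H2 asks again (a HIT), then H2 asks for an unrelated site.
REQUESTS = [("H2", "xyz.com"), ("H1", "xyz.com"),
            ("H2", "xyz.com"), ("H2", "abc.com")]

if __name__ == "__main__":
    for enabled in (False, True):
        got = run(enabled, REQUESTS)
        print(f"FlowTags {'on ' if enabled else 'off'}: delivered={got}")
        print(f"              violations={policy_violations(got)}")
```

With FlowTags off the ACL only ever sees `src="Proxy"`, so its H2 rule never fires and H2 receives xyz.com on both the MISS and the HIT path. With FlowTags on, tag 3 catches the miss and tag 4 catches the cached response, while H2's request for abc.com (tag 3, different destination) still passes, which is the disambiguation the slide's four-entry table is there to provide.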

FlowTags Proof-of-Concept
  • Using Squid (over 100,000 lines of code)
  • About 30 lines of code to add FlowTags support
    • Manually identify code chokepoints
  • Validated use-cases with examples
Conclusions
  • Middleboxes make policy enforcement hard
    • Dynamic modifications are hard to account for
  • FlowTags can make “flow context” visible
    • Minimal modifications to middleboxes
    • No changes to switches/switch APIs
  • Enabler for new verification and forensic tasks
    • Simpler HSA; Dynamic policies; Correlating logs
  • Early promise, but many challenges remain
    • E.g., How many bits? Automatic patches? Control apps?