EnforSDN: Network policies enforcement with SDN

Network services, such as security, load-balancing, and monitoring, are an indisputable part of modern networking infrastructure and are traditionally realized as specialized appliances or middleboxes. Middleboxes complicate the management, deployment, and operation of the entire network. Moreover, they induce network performance issues and scalability limitations by requiring huge amounts of traffic to be redirected, often sub-optimally, and sometimes redundantly processed. Recent trends of server virtualization and Network Function Virtualization (NFV) exacerbate these scalability and performance issues. In this paper, we present EnforSDN, a new management approach that exploits SDN principles to decouple the policy resolution layer from the policy enforcement layer in network service appliances. Our approach improves enforcement management, network utilization and communication latency, without compromising the policy or the functionality of the network. Using an emulated SDN-based data center environment, we demonstrate higher throughput and lower latency achieved with EnforSDN, as compared to a baseline SDN network. In addition, we show that EnforSDN reduces the overall load on network appliances, as well as the size of forwarding tables.
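
An added illustration of the decoupling the abstract describes; this is not the paper's own code, and the page gives no design details, so the mechanism is the simplest reading of it: a baseline that steers every packet through the firewall appliance versus an EnforSDN-style mode in which the appliance resolves a flow's verdict once and the controller installs that verdict as a rule at the edge switch. The policy table, the traffic trace and the hop accounting are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed firewall policy (not the paper's): (src, dst, dport) -> verdict.
POLICY = {("10.0.0.1", "10.0.0.2", 80): "allow",
          ("10.0.0.1", "10.0.0.3", 22): "drop"}

@dataclass
class Stats:
    appliance_pkts: int = 0   # packets the firewall appliance had to inspect
    switch_hops: int = 0      # switch traversals charged to the trace
    flow_rules: int = 0       # rules the controller pushed to the edge switch

def resolve(flow):
    """Policy resolution, done by the appliance (default deny)."""
    return POLICY.get(flow, "drop")

def run(packets, enforsdn):
    """Return (per-packet verdicts, Stats) for baseline or EnforSDN mode."""
    stats, rules, verdicts = Stats(), {}, []
    for flow in packets:
        if enforsdn and flow in rules:
            verdict = rules[flow]        # enforcement at the switch itself
            stats.switch_hops += 1
        else:
            stats.switch_hops += 2       # detour: switch -> appliance -> switch
            stats.appliance_pkts += 1
            verdict = resolve(flow)
            if enforsdn:
                rules[flow] = verdict    # controller installs the resolved rule
                stats.flow_rules = len(rules)
        verdicts.append(verdict)
    return verdicts, stats

# Constructed traffic trace: repeated packets of three flows, one unknown.
TRACE = ([("10.0.0.1", "10.0.0.2", 80)] * 10
         + [("10.0.0.1", "10.0.0.3", 22)] * 5
         + [("10.0.0.9", "10.0.0.2", 443)] * 3)

def compare(packets=TRACE):
    """Run both modes; same_verdicts shows the policy outcome is unchanged."""
    base_v, base = run(packets, enforsdn=False)
    enf_v, enf = run(packets, enforsdn=True)
    return {"same_verdicts": base_v == enf_v, "baseline": base, "enforsdn": enf}

if __name__ == "__main__":
    print(compare())
```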
