Making middleboxes someone else's problem: network processing as a cloud service

Modern enterprises almost ubiquitously deploy middlebox processing services to improve security and performance in their networks. Despite this, we find that today's middlebox infrastructure is expensive, complex to manage, and creates new failure modes for the networks that use it. Given the promise of cloud computing to decrease costs, ease management, and provide elasticity and fault-tolerance, we argue that middlebox processing can benefit from outsourcing to the cloud. Arriving at a feasible implementation, however, is challenging due to the need to achieve functional equivalence with traditional middlebox deployments without sacrificing performance or increasing network complexity. In this paper, we motivate, design, and implement APLOMB, a practical service for outsourcing enterprise middlebox processing to the cloud. Our discussion of APLOMB is data-driven, guided by a survey of 57 enterprise networks, the first large-scale academic study of middlebox deployment. We show that APLOMB solves real problems faced by network administrators, can outsource over 90% of middlebox hardware in a typical large enterprise network, and, in a case study of a real enterprise, imposes an average latency penalty of 1.1ms and median bandwidth inflation of 3.8%.
