Dynamic Service Chaining with Dysco

Middleboxes are crucial for improving network security and performance, but only if the right traffic goes through the right middleboxes at the right time. Existing traffic-steering techniques rely on a central controller to install fine-grained forwarding rules in network elements---at the expense of a large number of rules, a central point of failure, challenges in ensuring all packets of a session traverse the same middleboxes, and difficulties with middleboxes that modify the "five tuple." We argue that a session-level protocol is a fundamentally better approach to traffic steering, while naturally supporting host mobility and multihoming in an integrated fashion. In addition, a session-level protocol can enable new capabilities like dynamic service chaining, where the sequence of middleboxes can change during the life of a session, e.g., to remove a load-balancer that is no longer needed, replace a middlebox undergoing maintenance, or add a packet scrubber when traffic looks suspicious. Our Dysco protocol steers the packets of a TCP session through a service chain, and can dynamically reconfigure the chain for an ongoing session. Dysco requires no changes to end-host and middlebox applications, host TCP stacks, or IP routing. Dysco's distributed reconfiguration protocol handles the removal of proxies that terminate TCP connections, middleboxes that change the size of a byte stream, and concurrent requests to reconfigure different parts of a chain. Through formal verification using Spin and experiments with our Linux-based prototype, we show that Dysco is provably correct, highly scalable, and able to reconfigure service chains across a range of middleboxes.
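The abstract's key objection to rule-based steering is the middlebox that rewrites the "five tuple": rules a controller installed for the client's original header no longer match once a NAT has changed the source address and port, so later hops in the chain are silently skipped. The following is an added toy simulation (not Dysco's protocol or code; every host, port, middlebox and the `Session` object are constructed for illustration) that contrasts five-tuple-keyed forwarding with a stand-in for session-level steering, where each hop consults per-session chain state rather than the packet header, and then inserts a scrubber into an ongoing session to mimic dynamic reconfiguration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def five_tuple(self):
        return (self.src, self.sport, self.dst, self.dport, "tcp")


# Constructed middlebox behaviours. Only the NAT rewrites the five tuple;
# the IDS and scrubber pass packets through unchanged.
def nat(p):
    return replace(p, src="203.0.113.1", sport=40000)


def ids(p):
    return p


def scrubber(p):
    return p


MIDDLEBOXES = {"nat": nat, "ids": ids, "scrubber": scrubber}


def install_rules(chain, five_tuple):
    """Controller-style steering: one rule per hop, keyed on the location of
    the switch and the five tuple the controller knows (the client's original)."""
    rules = {}
    location = "ingress"
    for hop in chain:
        rules[(location, five_tuple)] = hop
        location = hop
    return rules


def forward_by_rules(rules, packet):
    """Each switch matches (current location, packet's current five tuple).
    A rule miss sends the packet straight to the server, so the list of
    visited middleboxes is the observable result."""
    visited, location, p = [], "ingress", packet
    while True:
        nxt = rules.get((location, p.five_tuple()))
        if nxt is None:
            return visited
        visited.append(nxt)
        p = MIDDLEBOXES[nxt](p)  # may rewrite the header
        location = nxt


@dataclass
class Session:
    """Hypothetical per-session state carrying the service chain."""
    chain: list


def forward_by_session(session, packet):
    """Session-level steering: every hop reads the next hop from the session's
    chain, not from the header, so a rewritten five tuple does not break it."""
    visited, p = [], packet
    for hop in list(session.chain):
        visited.append(hop)
        p = MIDDLEBOXES[hop](p)
    return visited


def add_scrubber(session, after="nat"):
    """Dynamic reconfiguration of an ongoing session: insert a scrubber after
    the given hop. Packets sent after this call traverse the new chain."""
    session.chain.insert(session.chain.index(after) + 1, "scrubber")


if __name__ == "__main__":
    pkt = Packet("10.0.0.5", 51000, "198.51.100.7", 443)  # constructed flow
    print(forward_by_rules(install_rules(["nat", "ids"], pkt.five_tuple()), pkt))
    s = Session(["nat", "ids"])
    print(forward_by_session(s, pkt))
    add_scrubber(s)
    print(forward_by_session(s, pkt))
```

Running it shows the rule-based chain stopping at `['nat']` (the IDS never sees the flow), while the session-based chain visits `['nat', 'ids']` and, after reconfiguration, `['nat', 'scrubber', 'ids']`. Reordering the rule-based chain so the NAT is last hides the problem, which is exactly why operators have historically constrained where header-rewriting boxes may sit in a chain.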
