In-Net: in-network processing for the masses

Network Function Virtualization is pushing network operators to deploy commodity hardware that will be used to run middlebox functionality and processing on behalf of third parties: in effect, network operators are slowly but surely becoming in-network cloud providers. The market for in-network clouds is large, ranging from content providers to mobile applications and even end-users. We show in this paper that blindly adopting cloud technologies in the context of in-network clouds is not feasible from either the security or the scalability point of view. Instead we propose In-Net, an architecture that allows untrusted endpoints as well as content providers to deploy custom in-network processing to be run on platforms owned by network operators. In-Net relies on static analysis to let a platform check, before deployment, whether the requested processing is safe and whether it contradicts the operator's policies. We have implemented In-Net and tested it in the wide area, supporting a range of use-cases that are difficult to deploy today. Our experience shows that In-Net is secure, scales to many users (thousands of clients on a single inexpensive server), allows for a wide range of functionality, and offers benefits to end-users, network operators and content providers alike.
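To make the static policy check concrete, here is an added illustration that is not In-Net's own code and does not reproduce the paper's analysis: a toy rule language for tenant-supplied packet processing (match on header fields, then rewrite fields, forward, or drop) and a checker that decides, without ever running the program, whether it stays inside the operator's policy. The tenant address, the egress port names, the rule limit and the three sample programs are all constructed for the example. The checker enforces the two properties a practitioner would want first: a tenant may only match traffic provably to or from its own address, and anything it forwards must still be its own traffic after rewriting, which rules out source spoofing and bouncing inbound packets at a third party.

```python
"""Toy static policy check for tenant-supplied in-network processing.

Constructed illustration, not In-Net's analysis: a tiny straight-line rule
language and a checker that rejects programs which touch traffic the tenant
does not own or emit packets that no longer belong to it.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    tenant_addr: str            # address this tenant may act on (assumed, constructed)
    allowed_ports: frozenset    # egress ports the platform lets the tenant use
    max_rules: int = 64         # crude resource bound on the submitted program


@dataclass
class Rule:
    match: dict                                   # field -> required value
    actions: list = field(default_factory=list)   # ("set", f, v) | ("fwd", port) | ("drop",)


def _owned_by_tenant(hdr: dict, addr: str) -> bool:
    """A header is in scope only if it is provably to or from the tenant."""
    return hdr.get("ip.src") == addr or hdr.get("ip.dst") == addr


def check_program(rules: list, policy: Policy) -> list:
    """Return the list of policy violations; empty means the program is admissible."""
    violations = []
    if len(rules) > policy.max_rules:
        violations.append(f"program has {len(rules)} rules, limit is {policy.max_rules}")
    for i, rule in enumerate(rules):
        # 1. Scope: the match must pin the packet to the tenant's own traffic.
        if not _owned_by_tenant(rule.match, policy.tenant_addr):
            violations.append(f"rule {i}: matches traffic not owned by tenant")
        # 2. Apply the actions symbolically: fields fixed by the match are known,
        #    every other field is unknown and stays unknown unless explicitly set.
        hdr = dict(rule.match)
        forwarded = False
        for act in rule.actions:
            kind = act[0]
            if kind == "set":
                hdr[act[1]] = act[2]
            elif kind == "fwd":
                if act[1] not in policy.allowed_ports:
                    violations.append(f"rule {i}: forwards to disallowed port {act[1]!r}")
                forwarded = True
            elif kind == "drop":
                forwarded = False      # drop ends processing; nothing leaves the box
                break
            else:
                violations.append(f"rule {i}: unknown action {kind!r}")
        # 3. Egress: whatever the rule sends on must still be tenant traffic.
        #    This catches source spoofing and redirecting inbound traffic elsewhere.
        if forwarded and not _owned_by_tenant(hdr, policy.tenant_addr):
            violations.append(
                f"rule {i}: emits packets not owned by tenant "
                f"(src={hdr.get('ip.src', '*')}, dst={hdr.get('ip.dst', '*')})"
            )
    return violations


# Constructed operator policy for one tenant.
POLICY = Policy(tenant_addr="10.0.0.7", allowed_ports=frozenset({"tenant", "upstream"}))

# Constructed: tenant steers its own inbound HTTP to a local port (benign).
BENIGN = [
    Rule({"ip.dst": "10.0.0.7", "tcp.dst": 80}, [("set", "tcp.dst", 8080), ("fwd", "tenant")]),
    Rule({"ip.dst": "10.0.0.7"}, [("fwd", "tenant")]),
]

# Constructed: reflection, bouncing the tenant's inbound traffic at a third party.
REFLECT = [
    Rule({"ip.dst": "10.0.0.7"}, [("set", "ip.dst", "203.0.113.9"), ("fwd", "upstream")]),
]

# Constructed: source spoofing plus an over-broad match on other people's DNS.
SPOOF = [
    Rule({"ip.src": "10.0.0.7"}, [("set", "ip.src", "198.51.100.2"), ("fwd", "upstream")]),
    Rule({"tcp.dst": 53}, [("drop",)]),
]

if __name__ == "__main__":
    for name, prog in (("benign", BENIGN), ("reflect", REFLECT), ("spoof", SPOOF)):
        print(name, check_program(prog, POLICY) or "admissible")
```

Because the language has no loops, termination is guaranteed by construction; the checker only has to reason about per-rule scope and egress. A real platform would analyse a richer language and add resource bounds on state and per-packet work, but the shape of the decision is the same: reject before deployment, never at runtime.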
