Deep Packet Inspection as a Service

Middleboxes play a major role in contemporary networks, as forwarding packets is often not enough to meet operator demands, and other functionalities (such as security, QoS/QoE provisioning, and load balancing) are required. Traffic is usually routed through a sequence of such middleboxes, which either reside across the network or in a single, consolidated location. Although middleboxes provide a vast range of different capabilities, there are components that are shared among many of them. A task common to almost all middleboxes that deal with L7 protocols is Deep Packet Inspection (DPI). Today, traffic is inspected from scratch by every middlebox on its route. In this paper, we propose to treat DPI as a service to the middleboxes, implying that traffic should be scanned only once, but against the data (pattern sets) of all middleboxes that use the service. The DPI service then passes the scan results to the appropriate middleboxes. Having DPI as a service has significant advantages in performance, scalability, robustness, and as a catalyst for innovation in the middlebox domain. Moreover, technologies and solutions for current Software Defined Networks (SDN) (e.g., SIMPLE [41]) make it feasible to implement such a service and route traffic to and from its instances.
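The core mechanism the abstract describes (one scan of each packet against the union of every middlebox's pattern set, with results dispatched back to the owning middleboxes) can be illustrated with a small Aho-Corasick [1] based service. The following is an added example written for this page; it is not the authors' code, and the middlebox names, pattern sets and packet payloads are constructed for illustration. Two practical points are shown that the abstract does not: a pattern registered by two middleboxes is stored once and reported to both, and the automaton state is carried across packets of the same flow so that a pattern split over a packet boundary is still found.

```python
"""Single-pass DPI service: one Aho-Corasick automaton built from the union of
several middleboxes' pattern sets; each match is routed back to every
middlebox that registered the matching pattern. Example code, not from the paper."""
from collections import deque


class DPIService:
    def __init__(self):
        self._goto = [{}]        # goto[state][byte] -> next state
        self._fail = [0]         # failure link per state
        self._out = [set()]      # pattern ids that end at (or are suffixes of) the state
        self._patterns = []      # pattern id -> bytes
        self._owners = []        # pattern id -> set of middlebox names
        self._index = {}         # bytes -> pattern id (dedupes patterns shared by middleboxes)
        self._built = False

    def register(self, middlebox, patterns):
        """Add a middlebox's patterns to the shared automaton (hypothetical API)."""
        for p in patterns:
            pid = self._index.get(p)
            if pid is None:
                pid = len(self._patterns)
                self._index[p] = pid
                self._patterns.append(p)
                self._owners.append(set())
                state = 0
                for b in p:
                    nxt = self._goto[state].get(b)
                    if nxt is None:
                        nxt = len(self._goto)
                        self._goto.append({})
                        self._fail.append(0)
                        self._out.append(set())
                        self._goto[state][b] = nxt
                    state = nxt
                self._out[state].add(pid)
            self._owners[pid].add(middlebox)
        self._built = False

    def build(self):
        """Compute failure links breadth-first and merge outputs along them."""
        q = deque()
        for s in self._goto[0].values():
            self._fail[s] = 0
            q.append(s)
        while q:
            r = q.popleft()
            for b, s in self._goto[r].items():
                q.append(s)
                f = self._fail[r]
                while f and b not in self._goto[f]:
                    f = self._fail[f]
                self._fail[s] = self._goto[f].get(b, 0)
                self._out[s] |= self._out[self._fail[s]]
        self._built = True

    def _step(self, state, b):
        while state and b not in self._goto[state]:
            state = self._fail[state]
        return self._goto[state].get(b, 0)

    def scan(self, payload, state=0, offset=0):
        """Scan one payload once. Returns ({middlebox: [(pattern, start_offset)]}, state)
        so the caller can resume on the next packet of the same flow."""
        if not self._built:
            self.build()
        results = {}
        for i, b in enumerate(payload):
            state = self._step(state, b)
            for pid in self._out[state]:
                pat = self._patterns[pid]
                hit = (pat, offset + i + 1 - len(pat))   # flow-relative start offset
                for mb in self._owners[pid]:
                    results.setdefault(mb, []).append(hit)
        return results, state

    def scan_flow(self, packets):
        """Scan the packets of one flow in order, carrying automaton state across
        packet boundaries so a pattern split over two packets is still reported."""
        state, offset, merged = 0, 0, {}
        for pkt in packets:
            res, state = self.scan(pkt, state, offset)
            offset += len(pkt)
            for mb, hits in res.items():
                merged.setdefault(mb, []).extend(hits)
        return merged


if __name__ == "__main__":
    # Constructed middleboxes and pattern sets; "/etc/passwd" is shared by two of them.
    svc = DPIService()
    svc.register("ids", [b"/etc/passwd", b"cmd.exe"])
    svc.register("dlp", [b"SSN:", b"/etc/passwd"])
    svc.register("parental", [b"casino"])
    print(svc.scan(b"GET /etc/passwd HTTP/1.1\r\nX: SSN: 123")[0])
    print(svc.scan_flow([b"GET /play?q=cas", b"ino HTTP/1.0"]))
```

The single automaton holds each distinct pattern once, so the cost of a scan grows with the size of the merged pattern set rather than with the number of middleboxes; the per-flow state kept by `scan_flow` is the price of catching matches that straddle packets, and a real deployment would have to bound that state per flow.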

[1]  Alfred V. Aho,et al.  Efficient string matching , 1975, Commun. ACM.

[2]  Udi Manber,et al.  A fast algorithm for multi-pattern searching , 1999 .

[3]  Yi Zhang,et al.  Performance Adaptation in Real-Time Intrusion Detection Systems , 2002, RAID.

[4]  Viktor K. Prasanna,et al.  Time and area efficient pattern matching on FPGAs , 2004, FPGA '04.

[5]  Patrick Crowley,et al.  Algorithms to accelerate multiple regular expressions matching for deep packet inspection , 2006, SIGCOMM.

[6]  T. V. Lakshman,et al.  Fast and memory-efficient regular expression matching for deep packet inspection , 2006, 2006 Symposium on Architecture For Networking And Communications Systems.

[7]  John W. Lockwood,et al.  Fast and Scalable Pattern Matching for Network Intrusion Detection Systems , 2006, IEEE Journal on Selected Areas in Communications.

[8]  Jonathan S. Turner,et al.  Advanced algorithms for fast and scalable deep packet inspection , 2006, 2006 Symposium on Architecture For Networking And Communications Systems.

[9]  Patrick Crowley,et al.  An improved algorithm to accelerate regular expression evaluation , 2007, ANCS '07.

[10]  Patrick Crowley,et al.  A hybrid finite automaton for practical deep packet inspection , 2007, CoNEXT '07.

[11]  Jing Fu,et al.  Efficient IP-address lookup with a shared forwarding table for multiple virtual routers , 2008, CoNEXT '08.

[12]  Stefano Giordano,et al.  An improved DFA for fast regular expression matching , 2008, CCRV.

[13]  Nick McKeown,et al.  A network in a laptop: rapid prototyping for software-defined networks , 2010, Hotnets-IX.

[14]  Eric Torng,et al.  Fast Regular Expression Matching Using Small TCAMs for Network Intrusion Detection and Prevention Systems , 2010, USENIX Security Symposium.

[15]  Fang Hao,et al.  Building Scalable Virtual Routers with Trie Braiding , 2010, 2010 Proceedings IEEE INFOCOM.

[16]  Viktor K. Prasanna,et al.  Memory-efficient and scalable virtual routers using FPGA , 2011, FPGA '11.

[17]  Anat Bremler-Barr,et al.  Space-time tradeoffs in software-based deep Packet Inspection , 2011, 2011 IEEE 12th International Conference on High Performance Switching and Routing.

[18]  Yehuda Afek,et al.  MCA2: Multi-Core Architecture for Mitigating Complexity Attacks , 2012, 2012 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS).

[19]  Vyas Sekar,et al.  Design and Implementation of a Consolidated Middlebox Architecture , 2012, NSDI.

[20]  Amin Vahdat,et al.  xOMB: Extensible Open MiddleBoxes with commodity servers , 2012, 2012 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS).

[21]  Vyas Sekar,et al.  Making middleboxes someone else's problem: network processing as a cloud service , 2012, SIGCOMM '12.

[22]  Aditya Akella,et al.  Toward software-defined middlebox networking , 2012, HotNets-XI.

[23]  Glen Gibb,et al.  Outsourcing network functionality , 2012, HotSDN '12.

[24]  Qosmos.  Service-Aware Network Architecture Based on SDN, NFV, and Network Intelligence: White Paper , 2013 .

[25]  Vyas Sekar,et al.  Stratos: A Network-Aware Orchestration Layer for Middleboxes in the Cloud , 2013, ArXiv.

[26]  Minlan Yu,et al.  FlowTags: enforcing network-wide policies in the presence of dynamic middlebox actions , 2013, HotSDN '13.

[27]  Hani Jamjoom,et al.  Pico replication: a high availability framework for middleboxes , 2013, SoCC.

[28]  Minlan Yu,et al.  SIMPLE-fying middlebox policy enforcement using SDN , 2013, SIGCOMM.

[29]  Andrew Warfield,et al.  Split/Merge: System Support for Elastic Execution in Virtual Middleboxes , 2013, NSDI.

[30]  Vyas Sekar,et al.  Verifiable network function outsourcing: requirements, challenges, and roadmap , 2013, HotMiddlebox '13.

[31]  Jan Korenek,et al.  Software Defined Monitoring of application protocols , 2014, IEEE INFOCOM 2014 - IEEE Conference on Computer Communications.

[32]  Wim Henderickx,et al.  Network Service Header , 2015 .

[33]  Peter Kulchyski and , 2015 .