Verifiable network function outsourcing: requirements, challenges, and roadmap

Network function outsourcing (NFO) enables enterprises and small businesses to obtain the performance and security benefits of middleboxes (e.g., firewalls, IDS) without incurring the high equipment and operating costs that such functions entail. For this vision to fully take root, however, we argue that NFO customers must be able to verify that the service is operating as intended with respect to: (1) functionality (e.g., did the packets traverse the desired sequence of middlebox modules?); (2) performance (e.g., is the latency comparable to that of an "in-house" service?); and (3) accounting (e.g., is the CPU/memory consumption being accounted for correctly?). In this position paper, we formalize these requirements and present a high-level roadmap for addressing the challenges involved.
