Extending SDN to Handle Dynamic Middlebox Actions via FlowTags
Seyed Kaveh Fayazbakhsh, Carnegie Mellon University; Luis Chiang, Deutsche Telekom Labs; Vyas Sekar, Carnegie Mellon University; Minlan Yu, University of Southern California; Jeffrey C. Mogul, Google
Software-defined networking (SDN) seeks to simplify and enhance network management by decoupling the management logic from its implementation. Our overarching vision is to integrate advanced data plane functions or middleboxes (e.g., firewalls, NATs, proxies, intrusion detection and prevention systems, and application-level gateways) into the SDN fold. This integration, however, is challenging on two fronts: (1) it is difficult to ensure that “service-chaining” policies are implemented correctly, and (2) middleboxes hinder management functions such as performance debugging.
The root cause of this problem is that as packets traverse the network, they are altered by dynamic and opaque middlebox actions; for instance, proxies terminate TCP sessions, while NATs and load balancers rewrite headers. Thus, the promise of SDN to systematically enforce and verify network-wide policies does not directly extend to networks with middlebox functions.