Enforcing Network-‐Wide Policies in the Presence of Dynamic Middlebox Ac>ons using FlowTags Seyed K. Fayazbakhsh*, Luis Chiang¶, Vyas Sekar*, Minlan Yu★, Jeffrey Mogul *CMU, ¶Deutsche Telekom, ★USC, Google Middleboxes complicate policy enforcement in SDN Policy: E.g., service chaining, access control Control Apps Network OS Dynamic and traffic-‐dependent modifica>ons! e.g., NATs, proxies Data Plane 2 Modifica>ons à ATribu>on is hard Block the access of H2 to certain websites. NAT Firewall H1 H2 S1 S2 Internet 3 Dynamic ac>ons à Policy viola>ons Proxy H1 Web ACL Block H2 à xyz.com Cached response S1 S2 Internet H2 4 Our work: FlowTags Some candidate (non-‐)solu>ons: Placement, tunneling, consolida>on, correla>on Address some symptoms but not root cause à OriginBinding and PathsFollowPolicy viola>ons FlowTags provides an architectural solu>on: à Enables policy enforcement and diagnosis despite dynamic middlebox ac>ons. 5 Outline • Mo>va>on • High-‐level Idea • FlowTags Design • Evalua>on 6 High-‐level idea • Middleboxes need to restore SDN tenets – Possibly only op>on for correctness – Minimal changes to middleboxes • Add missing contextual informa>on as Tags – NAT gives IP mappings, – Proxy provides cache hit/miss info • FlowTags controller configures tagging logic 7 FlowTags architecture Control Apps New control Aapps Control e.g., steering, vpps erifica>on e.g., policy steering, verifica>on Admin Policy Network OS Control plane Data plane Exis>ng APIs e.g., OpenFlow SDN FlowTable Switches FlowTags APIs FlowTags Tables Mbox FlowTags Config Enhanced Middleboxes 8 FlowTags in ac>on Config w.r.t original principals Block: 10.1.1.2 à xyz.com H1 10.1.1.1 <SrcIP,Cache Hit> 10.1.1.2, Hit Proxy Tag Tag 2 2 Web ACL xyz.com 2 S1 xyz.com H2 10.1.1.2 Tag 2 Fwd S2 OrigSrcIP 10.1.1.2 DROP S2 Internet Tag 2 Fwd ACL 9 Outline • Mo>va>on • High-‐level Idea of FlowTags • FlowTags Design • Evalua>on 10 Challenge 1: Tag Seman>cs FlowTags-‐enhanced SDN Controller Control plane Data plane H1 10.1.1.1 H2 10.1.1.2 Decode Tag Add Tag Proxy Web ACL S1 Tag Forward S2 Internet Tag Forward 11 Challenge 2: New APIs, control apps FlowTags-‐enhanced SDN Controller Control plane Data plane H1 10.1.1.1 H2 10.1.1.2 Decode Tag Add Tag Proxy Web ACL S1 Tag Forward S2 Tag Internet Forward 12 Challenge 3: Middlebox Extensions FlowTags-‐enhanced SDN Controller Control plane Data plane H1 10.1.1.1 H2 10.1.1.2 Decode Tag Add Tag Proxy Web ACL S1 Tag Forward S2 Tag Internet Forward 13 Outline • Mo>va>on • High-‐level Idea of FlowTags • FlowTags Design – Tag seman>cs – Controller and APIs – Middlebox modifica>on • Evalua>on 14 Seman>cs: Dynamic Policy Graph (DPG) Proxy Web ACL: Block H2 à xyz.com H1 H2 S1 H2 {H1 }; -‐ {H 2}; -‐ S2 {H1}; Miss {H1}; Hit H1 Internet Proxy {H2}; Hit {H2}; Miss {H2}; <Allowed,Hit> > s s i M , ed w Internet o l l A < ; } {H 2 ACL {H2 }; Blocke d Drop 15 Seman>cs: Dynamic Policy Graph (DPG) Proxy Web ACL: Block H2 à xyz.com H1 H2 S1 H2 {H1 }; -‐ {H 2}; -‐ S2 {H1}; Miss {H1}; Hit H1 Internet Proxy {H2}; Hit {H2}; Miss {H2}; <Allowed,Hit> > s s i M , ed w Internet o l l A < ; } {H 2 ACL {H2 }; Blocke d Drop Intui>vely, need a Tag <per flow, per-‐edge> in DPG 16 Outline • Mo>va>on • High-‐level Idea of FlowTags • FlowTags Design – Tag seman>cs – Controller and APIs – Middlebox modifica>on • Evalua>on 17 FlowTags APIs OpenFlow FlowTags FlowTags-‐enhanced SDN Controller Consume Tag Generate Tag H1 10.1.1.1 <SrcIP,Cache Hit> Tag Tag 10.1.1.2, Hit Proxy 2 Tag Tag OrigSrcIP OrigSrcIP 2 Web ACL S1 S2 Tag Fwd Fwd H2 10.1.1.2 2 10.1.1.2 S2 Internet Tag Tag Fwd Fwd 2 ACL 18 FlowTags-‐enhanced controller Reac?ve Policy DPG Middlebox Event Handlers Physical realiza>on Tag generate and consume S1 S3 Switch Event Handlers Flow expiry Flow rules S2 S4 19 Outline • Mo>va>on • High-‐level Idea of FlowTags • FlowTags Design – Tag seman>cs – Controller and APIs – Middlebox modifica>on • Evalua>on 20 Middlebox extension strategies to add FlowTags support Strategy 1: Packet Rewri>ng Middlebox module input traffic module module module module output traffic module Light-‐weight packet rewri?ng shims Pro: One shot Con: Hard to get internal context 21 Middlebox extension strategies to add FlowTags support Strategy 2: Module Modifica>on Middlebox module input traffic module module module module output traffic module Pro: More change is needed Con: Suited for genng internal context 22 Middlebox extension strategies to add FlowTags support Middlebox input traffic S h i m module module module module module output traffic module Tag consump?on Tag genera?on Our Strategy: Packet rewri>ng for Tag consump>on Module modifica>on for Tag genera>on 23 Outline • Mo>va>on • High-‐level Idea of FlowTags • FlowTags Design • Evalua>on 24 Key evalua>on ques>ons • Feasibility of middlebox modifica>on • FlowTags overhead • Number of Tag bits • New capabili>es 25 FlowTags needs minimal middlebox modifica>ons Middlebox Squid Snort Total LOC Modified LOC 216,000 336,000 75 45 Balance 2,000 60 iptables 42,000 55 PRADS 15,000 25 26 FlowTags adds low overhead Breakdown of flow processing Ome (ms) 1.4 1.2 1 0.8 0.6 0.4 Controller Processing Middlebox Tag Processing Switch Setup 0.2 0 Abilene Geant Telstra Sprint Verizon AT&T # PoPs: 11 22 44 52 70 115 27 Summary of other results • Adds < 1% overhead to middlebox processing • Tags can be encoded in ~ 15 bits – E.g., IP-‐ID, IPv6 FlowLabel, EncapHeaders (NVP) • Can enable new capabili>es – Extended header space analysis – Diagnosing network boTlenecks 28 Conclusions • Middleboxes complicate enforcement – E.g., NAT/LB rewrite headers, proxy sends cached response • Root cause: Viola>on of the SDN tenets – Origin Binding and Paths-‐Follow-‐Policy • FlowTags extends SDN with new middlebox APIs – Restores tenets using new DPG abstrac>on – No changes to switches and switch APIs • FlowTags is prac>cal – Minimal middlebox changes, low overhead – An enabler for verifica>on, tes>ng, and diagnosis 29
© Copyright 2024 ExpyDoc