Slides - USENIX

Slide 1: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags
Seyed K. Fayazbakhsh*, Luis Chiang¶, Vyas Sekar*, Minlan Yu★, Jeffrey Mogul
*CMU, ¶Deutsche Telekom, ★USC, Google

Slide 2: Middleboxes complicate policy enforcement in SDN
[Figure: SDN stack of Control Apps, Network OS and Data Plane. Policy (e.g., service chaining, access control) is expressed in the control apps, but middleboxes in the data plane (e.g., NATs, proxies) make dynamic and traffic-dependent modifications!]

Slide 3: Modifications → Attribution is hard
Policy: block the access of H2 to certain websites.
[Figure: H1 and H2 reach the Internet via S1, a NAT, S2 and a Firewall. Once the NAT has rewritten the source address, the firewall can no longer attribute packets to H2.]

Slide 4: Dynamic actions → Policy violations
Policy at the Web ACL: Block H2 → xyz.com.
[Figure: H1 and H2 reach the Internet via S1, a Proxy, S2 and the Web ACL. The proxy answers H2's request for xyz.com with a cached response, which never traverses the Web ACL, so H2 receives the blocked content.]

Slide 5: Our work: FlowTags
Some candidate (non-)solutions: placement, tunneling, consolidation, correlation.
  → They address some symptoms but not the root cause: OriginBinding and PathsFollowPolicy violations.
FlowTags provides an architectural solution:
  → It enables policy enforcement and diagnosis despite dynamic middlebox actions.

Slide 6: Outline
• Motivation
• High-level Idea
• FlowTags Design
• Evaluation

Slide 7: High-level idea
• Middleboxes need to restore SDN tenets
  – Possibly the only option for correctness
  – Minimal changes to middleboxes
• Add missing contextual information as Tags
  – NAT gives IP mappings
  – Proxy provides cache hit/miss info
• FlowTags controller configures tagging logic

Slide 8: FlowTags architecture
[Figure: Control plane: the Admin Policy feeds the Control Apps and new control apps (e.g., steering, verification) running on the Network OS. Data plane: SDN switches with FlowTables, programmed through existing APIs (e.g., OpenFlow), and enhanced middleboxes with FlowTags Tables, programmed through the new FlowTags APIs (middlebox FlowTags config).]

Slide 9: FlowTags in action
Config w.r.t. original principals: Block 10.1.1.2 → xyz.com. H1 = 10.1.1.1, H2 = 10.1.1.2.
[Figure: H1, H2 → S1 → Proxy → S2 → Web ACL → Internet, with the tables the controller installs:]
  Proxy tag table: <SrcIP, Cache Hit> = <10.1.1.2, Hit> → Tag 2
  S1 flow table: Tag 2 → Fwd S2
  S2 flow table: Tag 2 → Fwd to Web ACL
  Web ACL table: Tag 2 → OrigSrcIP 10.1.1.2; 10.1.1.2 → xyz.com: DROP
A cache hit served to H2 therefore carries Tag 2, S1 and S2 steer it through the ACL, and the ACL recovers the original source 10.1.1.2 and drops it.

Slide 10: Outline
• Motivation
• High-level Idea of FlowTags
• FlowTags Design
• Evaluation

Slide 11: Challenge 1: Tag Semantics
[Figure: FlowTags-enhanced SDN Controller above a control plane / data plane split. Data plane: H1 10.1.1.1 and H2 10.1.1.2 → S1 → Proxy (Add Tag) → S2 → Web ACL (Decode Tag) → Internet; S1 and S2 hold "Tag → Forward" rules.]

Slide 12: Challenge 2: New APIs, control apps
[Same figure as slide 11.]

Slide 13: Challenge 3: Middlebox Extensions
[Same figure as slide 11.]

Slide 14: Outline
• Motivation
• High-level Idea of FlowTags
• FlowTags Design
  – Tag semantics
  – Controller and APIs
  – Middlebox modification
• Evaluation

Slide 15: Semantics: Dynamic Policy Graph (DPG)
Setting: Proxy, then Web ACL with policy Block H2 → xyz.com.
[Figure: DPG with nodes H1, H2, S1, S2, Proxy, ACL, Internet and Drop. Each edge is labelled {principals}; context:]
  H1 → S1: {H1}; -
  H2 → S1: {H2}; -
  S1 → Proxy: {H1}; - and {H2}; -
  Proxy → Internet: {H1}; Miss
  Proxy → H1: {H1}; Hit
  Proxy → ACL: {H2}; Hit and {H2}; Miss
  ACL → Internet: {H2}; <Allowed, Miss>
  ACL → H2: {H2}; <Allowed, Hit>
  ACL → Drop: {H2}; Blocked
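The proxy and Web ACL scenario of slides 4, 9 and 15, played out end to end as an added example in Python. This is an illustration written for this page, not code from the FlowTags authors or their prototype. The host addresses, the policy and the <OrigSrcIP, Hit/Miss> context come from the slides; the proxy address 10.1.1.254 and the 10.1.1.0/24 host subnet are assumptions, and the class and function names are this example's own. Without a controller, a cache hit is answered straight to H2 and bypasses the ACL, and a cache miss reaches the ACL with the proxy's own source address, so the ACL cannot block it either. With the controller, the proxy asks for one tag per <OrigSrcIP, context> (one per DPG edge), the switch steers every tagged packet through the ACL, and the ACL decodes the tag back to the original principal and drops.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Host addresses and the policy are the slides'; proxy address and host subnet are assumed here.
H1, H2 = "10.1.1.1", "10.1.1.2"
PROXY_IP = "10.1.1.254"
HOSTS = ipaddress.ip_network("10.1.1.0/24")
POLICY = {(H2, "xyz.com")}  # admin policy w.r.t. original principals: block H2 -> xyz.com


@dataclass
class Packet:
    src: str
    dst: str
    tag: Optional[int] = None  # FlowTags tag in a spare header field; None = untagged


def is_host(addr: str) -> bool:
    """True for an address in the host subnet, False for a site name such as xyz.com."""
    try:
        return ipaddress.ip_address(addr) in HOSTS
    except ValueError:
        return False


class Controller:
    """FlowTags controller: one tag per <OrigSrcIP, proxy context>, i.e. per DPG edge."""

    def __init__(self) -> None:
        self.tag_of: Dict[Tuple[str, str], int] = {}
        self.ctx_of: Dict[int, Tuple[str, str]] = {}

    def generate_tag(self, orig_src: str, ctx: str) -> int:
        """GENERATE API: the proxy reports <OrigSrcIP, Hit|Miss> and gets the tag to stamp."""
        key = (orig_src, ctx)
        if key not in self.tag_of:
            self.tag_of[key] = len(self.tag_of) + 1
            self.ctx_of[self.tag_of[key]] = key
        return self.tag_of[key]

    def consume_tag(self, tag: int) -> Tuple[str, str]:
        """CONSUME API: map a tag back to the original principal and the proxy's context."""
        return self.ctx_of[tag]


class Proxy:
    """Caching proxy; with a controller its cache module generates tags (module modification)."""

    def __init__(self, ctl: Optional[Controller]) -> None:
        self.ctl, self.cache = ctl, set()

    def process(self, req: Packet) -> Packet:
        if req.dst in self.cache:
            ctx, out = "Hit", Packet(req.dst, req.src)     # cached response, straight back to the client
        else:
            ctx, out = "Miss", Packet(PROXY_IP, req.dst)   # proxy's own upstream connection
            self.cache.add(req.dst)
        if self.ctl is not None:
            out.tag = self.ctl.generate_tag(req.src, ctx)  # context the ACL could never see on its own
        return out


class WebACL:
    """Web ACL; with a controller an input shim decodes the tag (packet rewriting) before matching."""

    def __init__(self, ctl: Optional[Controller]) -> None:
        self.ctl = ctl

    def allows(self, pkt: Packet) -> bool:
        if pkt.tag is not None and self.ctl is not None:
            principal, _ctx = self.ctl.consume_tag(pkt.tag)       # origin binding restored
        else:
            principal = pkt.src if is_host(pkt.src) else pkt.dst  # best effort: the local endpoint
        site = pkt.src if is_host(pkt.dst) else pkt.dst           # the non-local endpoint
        return (principal, site) not in POLICY


def forward(req: Packet, proxy: Proxy, acl: WebACL) -> str:
    """Data plane past the proxy. Plain rules forward by destination, so a cached response goes
    straight to the host and bypasses the ACL; the FlowTags controller instead installs
    'tag -> forward to ACL' rules on S2, so every tagged packet is checked first."""
    out = proxy.process(req)
    checked_by_acl = out.tag is not None or not is_host(out.dst)
    if checked_by_acl and not acl.allows(out):
        return "DROP"
    return out.dst if is_host(out.dst) else "Internet"


def simulate(flowtags: bool, requests: List[Tuple[str, str]]) -> List[str]:
    """Where each request ends up: a host address, 'Internet' (past the ACL) or 'DROP'."""
    ctl = Controller() if flowtags else None
    proxy, acl = Proxy(ctl), WebACL(ctl)
    return [forward(Packet(src, dst), proxy, acl) for src, dst in requests]


if __name__ == "__main__":
    warm = [(H1, "xyz.com"), (H2, "xyz.com")]          # H1 warms the cache, then H2 hits it
    print("without FlowTags:", simulate(False, warm))  # ['Internet', '10.1.1.2']: H2 gets xyz.com
    print("with FlowTags:   ", simulate(True, warm))   # ['Internet', 'DROP']
```

The controller's tag table is exactly the per-edge labelling of the DPG: <10.1.1.1, Miss> gets tag 1 and <10.1.1.2, Hit> gets tag 2, the same Tag 2 that slide 9 shows for <10.1.1.2, Hit>. Note that the ACL's untagged fallback (treat the local endpoint as the principal) is what a real ACL does today, and it is precisely what the proxy's source rewrite defeats.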
Slide 16: Semantics: Dynamic Policy Graph (DPG)
[Same DPG figure as slide 15.]
Intuitively, we need a Tag per <flow, edge> in the DPG.

Slide 17: Outline
• Motivation
• High-level Idea of FlowTags
• FlowTags Design
  – Tag semantics
  – Controller and APIs
  – Middlebox modification
• Evaluation

Slide 18: FlowTags APIs
[Figure: the FlowTags-enhanced SDN Controller speaks OpenFlow to the switches and the FlowTags APIs to the middleboxes. Middlebox side: Generate Tag (the Proxy maps <SrcIP, Cache Hit> = <10.1.1.2, Hit> to Tag 2) and Consume Tag (the Web ACL maps Tag 2 back to OrigSrcIP 10.1.1.2). Switch side: S1 and S2 carry ordinary "Tag 2 → Fwd" rules; H1 = 10.1.1.1, H2 = 10.1.1.2.]

Slide 19: FlowTags-enhanced controller
[Figure: the reactive policy (DPG) is mapped to its physical realization on switches S1 to S4. Middlebox event handlers perform Tag generate and consume; switch event handlers manage flow expiry and flow rules.]

Slide 20: Outline
• Motivation
• High-level Idea of FlowTags
• FlowTags Design
  – Tag semantics
  – Controller and APIs
  – Middlebox modification
• Evaluation

Slide 21: Middlebox extension strategies to add FlowTags support
Strategy 1: Packet Rewriting
[Figure: the middlebox as a chain of modules between input and output traffic, with lightweight packet-rewriting shims at its input and output.]
Pro: one shot.
Con: hard to get internal context.

Slide 22: Middlebox extension strategies to add FlowTags support
Strategy 2: Module Modification
[Figure: the tagging logic is placed inside the middlebox's own modules.]
Pro: suited for getting internal context.
Con: more change is needed.

Slide 23: Middlebox extension strategies to add FlowTags support
[Figure: a shim at the input handles Tag consumption; a modified internal module handles Tag generation.]
Our strategy: packet rewriting (an input shim) for Tag consumption; module modification for Tag generation.

Slide 24: Outline
• Motivation
• High-level Idea of FlowTags
• FlowTags Design
• Evaluation

Slide 25: Key evaluation questions
• Feasibility of middlebox modification
• FlowTags overhead
• Number of Tag bits
• New capabilities

Slide 26: FlowTags needs minimal middlebox modifications

  Middlebox   Total LOC   Modified LOC
  Squid         216,000             75
  Snort         336,000             45
  Balance         2,000             60
  iptables       42,000             55
  PRADS          15,000             25

Slide 27: FlowTags adds low overhead
[Bar chart: breakdown of per-flow processing time (ms, y axis 0 to 1.4) into Controller Processing, Middlebox Tag Processing and Switch Setup, for six topologies: Abilene (11 PoPs), Geant (22), Telstra (44), Sprint (52), Verizon (70), AT&T (115).]

Slide 28: Summary of other results
• Adds < 1% overhead to middlebox processing
• Tags can be encoded in ~15 bits
  – E.g., IP-ID, IPv6 FlowLabel, encapsulation headers (NVP)
• Can enable new capabilities
  – Extended header space analysis
  – Diagnosing network bottlenecks

Slide 29: Conclusions
• Middleboxes complicate enforcement
  – E.g., NAT/LB rewrite headers, proxy sends cached response
• Root cause: violation of the SDN tenets
  – Origin Binding and Paths-Follow-Policy
• FlowTags extends SDN with new middlebox APIs
  – Restores the tenets using the new DPG abstraction
  – No changes to switches and switch APIs
• FlowTags is practical
  – Minimal middlebox changes, low overhead
  – An enabler for verification, testing, and diagnosis
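Slide 28 says a tag fits in about 15 bits and names the IPv4 ID field and the IPv6 flow label as carriers. The following added example (written for this page; it is not the FlowTags implementation) shows what that encoding means at the header level: writing the tag into those fields, keeping the IPv4 header checksum valid so switches and hosts do not discard the packet, and refusing to touch the ID of a fragmented packet, where the field still serves reassembly. The 15-bit limit is the slides' number; the packet contents are constructed, and the function names are this example's own. The caveat a practitioner needs: the IPv4 ID is only free on non-fragmented datagrams, and any NAT or other box on the path that rewrites IP-ID may strip the tag, which is why the slides also list encapsulation headers as a carrier.

```python
import ipaddress
import struct

TAG_BITS = 15                  # slides: tags can be encoded in ~15 bits
TAG_MASK = (1 << TAG_BITS) - 1
FLOW_LABEL_MASK = 0xFFFFF      # the IPv6 flow label is the low 20 bits of the first word


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed sample packet: minimal 20-byte IPv4 header (DF set, proto TCP) plus payload."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, 6, 0,
                                ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def ipv4_header_ok(pkt: bytes) -> bool:
    """A header whose checksum field is correct sums to all ones, i.e. checksums to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    return ipv4_checksum(pkt[:ihl]) == 0


def ipv4_set_tag(pkt: bytes, tag: int) -> bytes:
    """Write the tag into the Identification field and fix the header checksum.
    Refuses fragments: with MF set or a nonzero offset the ID is needed for reassembly."""
    if not 0 <= tag <= TAG_MASK:
        raise ValueError("tag does not fit in %d bits" % TAG_BITS)
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    if struct.unpack_from("!H", hdr, 6)[0] & 0x3FFF:   # MF bit or fragment offset
        raise ValueError("cannot reuse the ID field of a fragmented packet")
    struct.pack_into("!H", hdr, 4, tag)
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def ipv4_get_tag(pkt: bytes) -> int:
    """Tag consumption: the low 15 bits of the ID field; the top bit is left free."""
    return struct.unpack_from("!H", pkt, 4)[0] & TAG_MASK


def ipv6_set_tag(pkt: bytes, tag: int) -> bytes:
    """Write the tag into the IPv6 flow label; version and traffic class are preserved,
    and IPv6 has no header checksum to recompute."""
    if not 0 <= tag <= TAG_MASK:
        raise ValueError("tag does not fit in %d bits" % TAG_BITS)
    first = struct.unpack_from("!I", pkt, 0)[0]
    first = (first & ~FLOW_LABEL_MASK & 0xFFFFFFFF) | tag
    return struct.pack("!I", first) + pkt[4:]


def ipv6_get_tag(pkt: bytes) -> int:
    return struct.unpack_from("!I", pkt, 0)[0] & FLOW_LABEL_MASK
```

Setting the tag on the proxy's output and reading it on the ACL's input is the "packet rewriting shim" of slide 23 reduced to its essentials; the module modification is only needed to decide which tag to write, which is the cache module's knowledge of Hit versus Miss.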