
FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions
Seyed K. Fayazbakhsh, Vyas Sekar, Jeff Mogul, Minlan Yu




1 Title slide: FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions (Seyed K. Fayazbakhsh, Vyas Sekar, Jeff Mogul, Minlan Yu)

2 Middleboxes complicate policy enforcement in SDN
Diagram: control apps (policy routing, access control, diagnostics, forensics) run on the Network OS; the admin specifies policy goals in a logical view, and the data plane realizes them as flow → action rules in the physical view.
Middleboxes such as NATs and proxies make dynamic, traffic-dependent modifications to packets, which complicates enforcing those policies.

3 Example: Policy Routing
Topology labels: switches S1 and S2, a NAT, an IDS, a firewall, the Internet, and hosts H1 and H2.
Policy: H1: NAT → Firewall; H2: NAT → IDS → Firewall.
How do we set up correct forwarding rules? Once the NAT has rewritten the source addresses, the downstream switch can no longer tell H1's packets from H2's.

4 Example: Dynamic Dependence
Topology labels: switches S1 and S2, a proxy, a web server, the Internet, and hosts H1 and H2.
ACL policy: Block H2 → xyz.
Sequence: H1 sends "Get xyz.com"; the response is cached at the proxy; H2 requests the same object and is served the cached response.
Cached responses may violate policy.

5 Strawman Solutions
Careful placement? (i.e., manual)
– May not always be feasible
Consolidating middleboxes? (e.g., CoMb)
– Just punting the problem
Inferring flow mappings? (e.g., SIMPLE)
– Hard to reason about accuracy + high overhead
Key missing piece: lack of visibility into middlebox context

6 FlowTags: High-level Idea
Middleboxes help with the lack of visibility
Add FlowTags to packets to bridge gaps
– NAT gives IP mappings; Proxy gives cache hit/miss
Middleboxes produce + consume FlowTags
Switches only consume FlowTags

7 FlowTags Architecture Overview
Diagram: control apps sit on the controller. The controller programs the SDN-enabled switches (flow tables) through existing interfaces such as OpenFlow, and programs FlowTags-enhanced middleboxes through the FlowTags API and a per-middlebox FlowTags config; the two paths are decoupled.
– e.g., NAT exposes mappings; Proxy gives hit/miss state; IDS uses tags to disambiguate

8 FlowTags Southbound API
Diagram: switches S1 and S2, a proxy, an ACL, the Internet, hosts H1 and H2, and the FlowTags controller.
Tag generation: the middlebox sends RqstTag(Pkt, Context) to the controller and receives FlowMatch, {Tags}; it then emits Pkt w/ Tags.
Tag consumption: the switch or middlebox sends RqstAction(Pkt + Tags) to the controller and receives FlowMatch, Action.
The replies populate two tables shown on the slide: a TagsFlowTable and a TagsActionTable.

9 Policy Implementation via FlowTags
Policy: Block H2 → xyz
Topology: switches S1 and S2, a proxy, an ACL, the Internet, hosts H1 and H2.
Proxy tag assignment (Src, cache result → Tag): H1, MISS → 1; H1, HIT → 2; H2, MISS → 3; H2, HIT → 4
S1 TagsFlowTable (Input | Tag | Out): Proxy | 2 | H1; Proxy | 1,3,4 | S2
S2 TagsFlowTable (Input | Tag | Out): S1 | 1,3,4 | ACL; … | 4 | S1 (input column not legible in the transcript); ACL | 1,3 | Internet
ACL TagsActionTable (Tag | Src | Action): 4 | H2 | Block
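The following is an added example, not code from the slides or from the FlowTags project: a small Python simulation of the slide-9 tables that also runs the slide-4 scenario without tags so the policy violation is visible side by side with its enforcement. Tag values, the two TagsFlowTables and the ACL row come from slide 9; the Packet class, the proxy model, the "dropped when no (input, tag) rule matches" behaviour, and the assumption that the ACL consults the tag to recover the requesting host and then applies the slide-4 policy (which generalizes the single "4 | H2 | Block" row) are constructed for illustration.

```python
"""Added example (not the authors' code): toy simulation of the FlowTags policy
on slide 9, plus a no-tags baseline reproducing the slide-4 violation.  Tables
and tags follow the slides; the proxy/ACL models are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

# Policy from slide 4: block H2 -> xyz.com
ACL_POLICY = {("H2", "xyz.com")}

# Tag assignment from slide 9: (requesting host, cache outcome) -> tag
TAGS = {("H1", "MISS"): 1, ("H1", "HIT"): 2, ("H2", "MISS"): 3, ("H2", "HIT"): 4}
TAG_TO_HOST = {tag: host for (host, _), tag in TAGS.items()}

# TagsFlowTables from slide 9: (switch, input port, tag) -> output port
FLOW_TABLE = {("S1", "Proxy", 2): "H1"}
FLOW_TABLE.update({("S1", "Proxy", t): "S2" for t in (1, 3, 4)})
FLOW_TABLE.update({("S2", "S1", t): "ACL" for t in (1, 3, 4)})
FLOW_TABLE.update({("S2", "ACL", t): "Internet" for t in (1, 3)})


@dataclass
class Packet:
    src: str                      # host that issued the request
    dst: str                      # requested site
    tag: Optional[int] = None     # FlowTag stamped by the proxy
    path: List[str] = field(default_factory=list)


class Proxy:
    """Tag-producing middlebox: classifies a request as HIT or MISS and, when
    FlowTags is enabled, stamps the slide-9 tag on what it emits (assumed model)."""

    def __init__(self, use_tags: bool):
        self.use_tags = use_tags
        self.cache = set()

    def handle(self, pkt: Packet) -> str:
        outcome = "HIT" if pkt.dst in self.cache else "MISS"
        if self.use_tags:
            pkt.tag = TAGS[(pkt.src, outcome)]
        return outcome


def forward_with_tags(pkt: Packet) -> str:
    """Walk a tagged packet from the proxy through S1/S2 using FLOW_TABLE."""
    prev, node = "Proxy", "S1"
    while True:
        pkt.path.append(node)
        if node == "ACL":
            # Assumption: the ACL consumes the tag to recover the real requester
            # and applies the slide-4 policy to that host
            if (TAG_TO_HOST[pkt.tag], pkt.dst) in ACL_POLICY:
                return "blocked"
            prev, node = "ACL", "S2"
            continue
        if node in ("H1", "H2", "Internet"):
            return "delivered"
        out = FLOW_TABLE.get((node, prev, pkt.tag))
        if out is None:
            return "dropped"      # no (input, tag) rule: the switch drops it
        prev, node = node, out


def forward_without_tags(pkt: Packet, outcome: str) -> str:
    """Baseline from slide 4: switches forward by destination address only."""
    if outcome == "HIT":
        # Cached response goes Proxy -> S1 -> requester and never reaches the ACL
        pkt.path += ["S1", pkt.src]
        return "delivered"
    # On a miss the proxy fetches on the host's behalf, so the ACL sees the proxy
    # as the source and cannot match the H2 -> xyz rule (modeled assumption)
    pkt.path += ["S1", "S2", "ACL", "S2", "Internet"]
    return "blocked" if ("Proxy", pkt.dst) in ACL_POLICY else "delivered"


def simulate(requests, use_tags: bool):
    """Run (host, site) requests in order; return one record per request."""
    proxy = Proxy(use_tags)
    records = []
    for host, site in requests:
        pkt = Packet(src=host, dst=site)
        outcome = proxy.handle(pkt)                     # host -> S1 -> Proxy
        result = (forward_with_tags(pkt) if use_tags
                  else forward_without_tags(pkt, outcome))
        if outcome == "MISS" and result == "delivered":
            proxy.cache.add(site)                       # fetched object is cached
        records.append({"host": host, "site": site, "cache": outcome,
                        "result": result, "path": pkt.path})
    return records


def violations(records):
    """Requests delivered although ACL_POLICY forbids them."""
    return [(r["host"], r["site"]) for r in records
            if r["result"] == "delivered" and (r["host"], r["site"]) in ACL_POLICY]


if __name__ == "__main__":
    reqs = [("H1", "xyz.com"), ("H2", "xyz.com"), ("H1", "xyz.com")]  # constructed
    for use_tags in (False, True):
        recs = simulate(reqs, use_tags)
        print("FlowTags" if use_tags else "baseline", "violations:", violations(recs))
```

With the constructed request sequence, the baseline delivers H2's cached copy of xyz.com straight from the proxy and reports one violation; with tags, H2's hit carries tag 4, S1 and S2 steer it to the ACL, and the ACL blocks it, while H1's hit (tag 2) still goes directly back to H1. The same ACL check also stops an H2 miss (tag 3) on its way to the Internet, which the destination-only baseline cannot do because it only ever sees the proxy as the source.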

10 FlowTags Proof-of-Concept
Using Squid (over 100,000 lines of code)
About 30 lines of code to add FlowTags support
– Manually identify code chokepoints
Validated use-cases with examples

11 Conclusions
Middleboxes make policy enforcement hard
– Dynamic modifications are hard to account for
FlowTags can make flow context visible
– Minimal modifications to middleboxes
– No changes to switches or switch APIs
Enabler for new verification and forensic tasks
– Simpler HSA; dynamic policies; correlating logs
Early promise, but many challenges remain
– E.g., How many bits? Automatic patches? Control apps?

