Module 10: How Middleboxes Impact Performance

WHAT IS A MIDDLEBOX? What is a middlebox? “Any intermediate device performing functions other than the normal, standard functions of an IP router on the datagram path between a source host and a destination host.” Network Working Group, RFC 3234, Middleboxes: Taxonomy and Issues. Network 1 2 Source Middlebox Destination

WHAT DO MIDDLEBOXES DO? Middleboxes may: Drop, insert or modify packets. Terminate one IP packet flow and originate another. Transform or divert an IP packet flow in some way. Middleboxes are never the ultimate end-system of an application session.

EXAMPLES OF MIDDLEBOXES Firewalls Network Address Translators Traffic Shapers Load Balancers

MIDDLEBOXES AND ‘CLASSIC’ TCP / IP Traditionally: Networks have ceded control to the end-points of a connection. Only function carried out ‘in the middle’ was IP routing Middleboxes change this: They spread functionality throughout the network.

WHAT ISSUES DO MIDDLEBOXES INTRODUCE? Challenges represented by middleboxes: Networking protocols were not designed with middleboxes in mind. We have to deal with connections that are compromised by crashed middleboxes. Middleboxes are often hidden points of failure. Middleboxes may require configuration and management. You must take middleboxes into account when diagnosing network failures or poor performance. Some key services may not operate ‘through’ middleboxes (e.g. video conferencing)

FIREWALLS A firewall is an agent that screens network traffic, blocking traffic that it believes to be inappropriate or dangerous. Examples: Block telnet connections from the internet Block FTP connections to the internet from internal systems not authorised to send files Act as an intermediate server handling SMTP and HTTP connections Can be divided into two categories: IP Firewalls Application Firewalls

FIREWALLS IN THE PATH: EXAMPLE Backbone Network NREN A Network NREN B Campus X Network Campus Y Video conference connection Firewalls are potential obstacles to (UDP) media streams

IP FIREWALLS Features of an IP firewall: Simplest form of firewall, usually contained in a router Inspects each individual packet’s IP and Transport headers. Decides whether to forward or discard based on configured policies. Examples: Disallows incoming traffic to certain port numbers Disallows traffic to certain subnets Does not alter the packets it allows through Not visible as protocol end-point By rejecting some packets, may cause connectivity problems that are difficult to identify and resolve.

APPLICATION FIREWALLS Features of an application firewall: Acts as protocol end-point and relay E.g. SMTP client / server or web proxy agent May: Implement ‘safe’ subset of the protocol Perform extensive protocol validity checks Use an implementation methodology to minimise likelihood of bugs Run in an insulated ‘safe’ environment

PROBLEMS ASSOCIATED WITH FIREWALLS ICMP (Internet Control Message Protocol) messages are often blocked, as they may be perceived as a security risk. Applications dependent upon them, such as PING, will return fallacious results Path discovery black holes can be created Legitimate traffic can be delayed or completely blocked

NETWORK ADDRESS TRANSLATORS What does a Network Address Translator do? Dynamically assigns unique address to a host Translates appropriate address field in inbound and outbound packets Network Address Translation is often built into routers.

LOAD BALANCERS Motivation is typically to balance load across a pool of servers. Divert packets from intended IP destination or make the destination ambiguous. Session state? Debugging? Sometimes it works, sometimes it doesn’t