TRANSCRIPT
![Page 1: Opportunities in Middlebox Virtualization Prof. Anat Bremler-Barr IDC Herzliya Supported by European Research Council (ERC) Starting](https://reader035.vdocument.in/reader035/viewer/2022062518/56649de45503460f94adaa19/html5/thumbnails/1.jpg)
Opportunities in Middlebox Virtualization
Prof. Anat Bremler-Barr, IDC Herzliya
www.deepness-lab.org
Supported by European Research Council (ERC) Starting Grant no. 259085, Kabrnit and Neptune consortium
Page 2
Network: Routers & Switches
(Diagram label: Internet)
• Goal: forwarding packets
• Standard protocols, closed API
Page 3
Reality: Many Middleboxes (MBs)
(Diagram labels: Internet, Firewall, Proxy)
• Need: security, performance and compliance
• Solution: add appliances, i.e. middleboxes
Page 4
My Goal
• To present a clear picture about MBs
• Pain points in traditional MBs
• Two revolutions, NFV and SDN, and their influence on the design of MBs
• Going over new research works and trends
Page 5
Pain Points in Traditional Middleboxes
Page 6
High Capital Expenses & Sprawl
• Many middleboxes are deployed: typically on par with the number of routers and switches in enterprise networks
• High capital expenses, sprawl and power consumption
• The life cycle of HW appliances is becoming shorter
Survey across 57 network operators (J. Sherry et al., SIGCOMM 2012)
Page 7
Management Adversity
• Many types of middleboxes: Firewall, NIDS, NIPS, NAT, L2 Load Balancer, L2 Traffic Shaper, Web Application, Network Anti Virus, DDoS mitigation tools, Data Leakage Prevention, IPv6 Translator, VPN gateway, WAN optimizer, Voice gateways, Proxies, Media gateway …
• Many types, many companies, many appliances (boxes), many management systems
(Diagram labels: DDoS protection, Firewall, IDS, Load balancer, Ad insertion)
Page 8
High Operating Expenses
• High operating expenses
  – Complex, error-prone
  – Mostly misconfiguration; there are also overloads and electrical and physical problems
Survey across 57 network operators (J. Sherry et al., SIGCOMM 2012)
Page 9
Limited Innovation
• Closed API
• Vendor lock-in
• MBs are complex: high barrier to market entry
(Diagram labels: DDoS protection, Firewall, IDS, Load balancer, Ad insertion)
Page 10
Placement Limitations
• Service chain: traffic goes through several middleboxes
• Classical routing: MBs must be placed in-path
(Diagram: nodes A, B, C, D; service chain IDS, FW)
Page 11
Scalability Problems
• Not scalable: more bandwidth means more boxes, provisioned for peak load
• Backup MBs are needed to deal with physical failures and overload
(Diagram: nodes A, B, C, D)
Page 12
Key Pain Points
• High capital expenses
• Management adversity
• High operating expenses
• Limited innovation
• Placement limitations
• Scalability problems
We need to think outside the box about middleboxes.
Page 13
My Angle
• Former chief scientist and founder of Riverhead (2000-2004): a Denial of Service mitigation middlebox
• Founding of in 2010: Deep Packet Inspection (DPI) for next generation networks, a key component in many MBs
Page 14
Thinking Outside the Box about Middleboxes
Page 15
Approach 1: Consolidation
(Diagram: Proxy, Firewall, IDS/IPS and AppFilter, each with its own management system, versus all of them on commodity hardware under one management system)
• Vyas Sekar, Norbert Egi, Sylvia Ratnasamy, Michael K. Reiter, and Guangyu Shi. Design and implementation of a consolidated middlebox architecture. In NSDI, pages 24–38, 2012.
Page 16
Consolidation Reduces CapEx
Multiplexing benefit = Max_of_TotalUtilization / Sum_of_MaxUtilizations
(The peak over time of the summed utilization, divided by the sum of each MB's own peak. The ratio is at most 1, and equals 1 only when all MBs peak at the same instant; the further below 1 it is, the more capacity a consolidated box saves, because it is provisioned for the peak of the sum rather than the sum of the peaks.)
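The ratio on this slide, computed over constructed utilization traces. This is an added example, not code from the talk or from the CoMb paper; the four middleboxes, their eight samples and the `capacity_saved` helper are assumptions made for illustration.

```python
# Added example, not from the talk or the CoMb paper: the slide's
# multiplexing-benefit ratio computed over constructed utilization traces.
from typing import Dict, List

# Constructed sample: utilization (fraction of one box) of four middleboxes,
# sampled at the same eight instants. The peaks deliberately do not coincide.
UTILIZATION: Dict[str, List[float]] = {
    "firewall": [0.20, 0.35, 0.60, 0.90, 0.50, 0.30, 0.25, 0.20],
    "ids":      [0.70, 0.40, 0.30, 0.20, 0.25, 0.35, 0.80, 0.60],
    "proxy":    [0.10, 0.15, 0.20, 0.30, 0.85, 0.40, 0.20, 0.10],
    "wan_opt":  [0.30, 0.75, 0.30, 0.20, 0.20, 0.25, 0.30, 0.70],
}


def sum_of_max_utilizations(util: Dict[str, List[float]]) -> float:
    """Capacity needed by separate boxes: each is provisioned for its own peak."""
    return sum(max(series) for series in util.values())


def max_of_total_utilization(util: Dict[str, List[float]]) -> float:
    """Capacity needed by one consolidated box: provisioned for the peak of the sum."""
    series = list(util.values())
    n = len(series[0])
    if any(len(s) != n for s in series):
        raise ValueError("all traces must be sampled at the same instants")
    return max(sum(s[t] for s in series) for t in range(n))


def multiplexing_benefit(util: Dict[str, List[float]]) -> float:
    """The slide's ratio Max_of_TotalUtilization / Sum_of_MaxUtilizations.
    It is 1.0 only if every MB peaks at the same instant; the further below
    1.0 it is, the more capacity consolidation saves."""
    return max_of_total_utilization(util) / sum_of_max_utilizations(util)


def capacity_saved(util: Dict[str, List[float]]) -> float:
    """Fraction of the separate-boxes capacity that consolidation avoids buying."""
    return 1.0 - multiplexing_benefit(util)


if __name__ == "__main__":
    print(f"sum of peaks: {sum_of_max_utilizations(UTILIZATION):.2f} boxes")
    print(f"peak of sum:  {max_of_total_utilization(UTILIZATION):.2f} boxes")
    print(f"multiplexing benefit ratio: {multiplexing_benefit(UTILIZATION):.3f}")
```

With these traces the separate boxes need 3.30 units of capacity while the consolidated box needs 1.80, a ratio of about 0.55; the check on equal trace lengths matters because summing misaligned samples silently produces a meaningless peak.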
Page 17
Consolidation Enables Extensibility
(Diagram: shared Session Management and Protocol Parsers modules reused by VPN, Web, Mail, IDS, Proxy and Firewall functions)
In the industry: widely used, motivated by expanding the market. Disadvantage: vendor lock-in.
Contribution of reusable modules: 30–80%
Page 18
Approach 2: Making Middleboxes Someone Else's Problem
(Diagram label: Internet)
• Justine Sherry, Shaddi Hasan, Colin Scott, Arvind Krishnamurthy, Sylvia Ratnasamy, and Vyas Sekar. Making middleboxes someone else's problem: network processing as a cloud service. In SIGCOMM, 2012.
Page 19
Network Processing as a Cloud Service
(Diagram labels: Internet, Cloud Provider)
Industry: scrubbing centers for denial-of-service attacks, for example Prolexic (Akamai).
Page 20
Revolutions: SDN & NFV
Page 21
Two Revolutions: SDN & NFV Increase Flexibility and Innovation
• Software Defined Networking (SDN): switches/routers, 2009-
• Network Function Virtualization (NFV): middleboxes, 2012-
Rethinking middlebox architecture
Page 22
Revolution I: Network Function Virtualization (NFV)
Page 23
Network Function Virtualization (NFV)
(Diagram labels: DDoS protection, Firewall, IDS, Load balancer)
Network operators: "we want to enjoy the IT revolution and cloud world"
Hardware appliances (MBs) become Virtualized Network Functions (VNFs)
Page 24
NFV Advantages (& Disadvantage)
• High capital expenses: reduced capital expenses, commodity servers
• Management adversity: not addressed
• High operating expenses: reduced operating expenses, software
• Limited innovation: software, easy to experiment
• Placement limitations: not addressed
• Scalability problems: auto scaling
• Disadvantage, performance: no hardware accelerators, runs in a VM
Page 25
Revolution II: Software Defined Networking (SDN)
Based on Jennifer Rexford's slides "Software Defined Networking", 2010
Page 26
Traditional Computer Networks
• Control plane: distributed protocols; track topology changes, compute routes, install forwarding rules
• Data plane: packet streaming; forward, filter, buffer, mark, rate-limit and measure packets
Page 27
Traditional Computer Networks
• Management plane (human time scale): collect measurements and configure the equipment; limited CLI, closed API
Page 28
Software Defined Networking (SDN)
(Diagram: a logically-centralized controller running on a commodity server, "smart, slow", drives the switches, "dumb, fast", through an API to the data plane, e.g. OpenFlow)
Decoupling the control plane from the data plane: simpler, cheaper switches; simpler management; easier interoperability; faster pace of innovation
Page 29
Network researchers: "The switches and routers industry needs to be like the microprocessor industry"
(Diagram, left: vertically integrated, closed, proprietary, slow innovation, small industry: specialized applications on a specialized operating system on specialized hardware. Right: open interfaces, rapid innovation, huge industry: many apps, over an open interface, on Linux, MacOS or Windows (OS), over an open interface, on a microprocessor.)
From Nick McKeown's talk "Making SDN Work" at the Open Networking Summit, 2012
Page 30
Vision: Routers/Switches -> SDN
(Diagram, left: vertically integrated, closed, proprietary, slow innovation: specialized features on a specialized control plane on specialized hardware. Right: open interfaces, rapid innovation: many apps, over an open interface, on one of several control planes, over an open interface (OpenFlow), on merchant switching chips.)
From Nick McKeown's talk "Making SDN Work" at the Open Networking Summit, 2012
Page 31
Data Plane: Simple Packet Handling
• Simple packet-handling rules
  – Pattern: match packet header bits
  – Actions: drop, forward, modify, send to controller
  – Priority: disambiguate overlapping patterns
  – Counters: #bytes and #packets
Example rules (highest priority first):
1. src=1.2.*.*, dest=3.4.5.*  -> drop
2. src=*.*.*.*, dest=3.4.*.*  -> forward(2)
3. src=10.1.2.3, dest=*.*.*.* -> send to controller
Page 32
Vision: Unifies Different Kinds of Boxes, also MBs
• Router: match longest destination IP prefix; action: forward out a link
• Switch: match destination MAC address; action: forward or flood
• Firewall: match IP addresses and TCP/UDP port numbers; action: permit or deny
• NAT: match IP address and port; action: rewrite address and port
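The match/action/priority/counter model of the previous two slides, as an added example (not code from the talk and not an OpenFlow implementation): a small flow table that first expresses the three rules from the "Simple Packet Handling" slide and then a router, a switch, a firewall and a NAT in one table. The header-field names, the rule syntax, the port numbers and the sample packets are this example's own assumptions.

```python
# Added example, not from the talk or from any OpenFlow implementation: a
# minimal match/action flow table with priorities and counters, used to express
# the slide's three rules and then a router, a switch, a firewall and a NAT in
# one table. Field names, the rule syntax and the sample packets are assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, object]  # constructed header-field dict; no real packet parsing


def field_matches(pattern: object, value: object) -> bool:
    """'*' matches anything; 'a.b.*.*' and CIDR patterns match IPv4; else exact."""
    if pattern == "*":
        return True
    if isinstance(pattern, str) and "/" in pattern:
        return ip_address(str(value)) in ip_network(pattern, strict=False)
    if isinstance(pattern, str) and "*" in pattern:
        octets = zip(pattern.split("."), str(value).split("."))
        return all(p == "*" or p == v for p, v in octets)
    return pattern == value


@dataclass
class Rule:
    priority: int                      # higher wins among overlapping patterns
    match: Dict[str, object]
    action: str                        # "drop" | "forward" | "controller" | "rewrite"
    port: Optional[int] = None         # output port for forward / rewrite
    rewrite: Dict[str, object] = field(default_factory=dict)
    packets: int = 0                   # per-rule counters, as on the slide
    bytes: int = 0

    def matches(self, pkt: Packet) -> bool:
        return all(k in pkt and field_matches(v, pkt[k]) for k, v in self.match.items())


class FlowTable:
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: -r.priority)  # first hit wins

    def process(self, pkt: Packet, size: int = 64) -> Tuple[str, Optional[int], Packet]:
        """Return (verdict, out_port, possibly rewritten packet)."""
        for r in self.rules:
            if r.matches(pkt):
                r.packets += 1
                r.bytes += size
                if r.action == "rewrite":                  # NAT: modify, then forward
                    return "forward", r.port, {**pkt, **r.rewrite}
                return r.action, r.port, pkt
        return "controller", None, pkt                     # table miss: punt, never forward blindly


# The three rules from the slide; their numbering is taken as priority order.
SLIDE_TABLE = FlowTable([
    Rule(30, {"src": "1.2.*.*", "dst": "3.4.5.*"}, "drop"),
    Rule(20, {"src": "*", "dst": "3.4.*.*"}, "forward", port=2),
    Rule(10, {"src": "10.1.2.3", "dst": "*"}, "controller"),
])

# One table doing four boxes' jobs. Prefix length doubles as priority for the
# router rows, so the longest prefix wins exactly as in a routing table; the
# firewall row sits above everything so a deny cannot be routed around.
UNIFIED_TABLE = FlowTable([
    Rule(100, {"dst": "192.168.1.0/24", "proto": "tcp", "dport": 23}, "drop"),  # firewall: no telnet
    Rule(50, {"src": "10.0.0.7", "sport": 40000}, "rewrite", port=4,
         rewrite={"src": "203.0.113.5", "sport": 5001}),                         # NAT
    Rule(24, {"dst": "192.168.1.0/24"}, "forward", port=1),                      # router, /24
    Rule(16, {"dst": "192.168.0.0/16"}, "forward", port=2),                      # router, /16
    Rule(5, {"dst_mac": "aa:bb:cc:dd:ee:01"}, "forward", port=3),                # switch
])


def verdict(table: FlowTable, pkt: Packet) -> Tuple[str, Optional[int]]:
    v, port, _ = table.process(pkt)
    return v, port
```

A packet from 10.1.2.3 to 3.4.5.1 is forwarded, not sent to the controller, because rule 2 outranks rule 3: that is the "priority disambiguates overlapping patterns" point. A table miss here goes to the controller rather than being forwarded, which is the safe default for a security device.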
Page 33
No Limitation on Placement
Policy chain: Firewall -> Proxy -> IDS
(Diagram: switches S1 and S2 steer the flow through Firewall, Proxy and IDS and then forward to Dst; the packet is tagged ORIGINAL, Post-Firewall, Post-Proxy and Post-IDS as it leaves each stage, and the traffic-steering application on the SDN controller installs the rules)
Using tagging and SDN match rules to implement a policy chain efficiently
Zafar Ayyub Qazi, Cheng-Chun Tu, Luis Chiang, Rui Miao, Vyas Sekar, and Minlan Yu. SIMPLE-fying middlebox policy enforcement using SDN. In SIGCOMM, 2013
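The tag-based steering of this slide, simulated as an added example (this is not code from the SIMPLE system or the talk). The two-switch topology, the port numbers, the tag values, the assumption that middleboxes hand packets back on the port they arrived on with the tag intact, and the rule-lookup precedence are all this example's own choices. It also shows the check a practitioner wants before deploying such a chain: a host can put any tag on its own packets, so rules that match on the tag alone let a forged tag skip the firewall, while one higher-precedence rule per untrusted ingress port that overwrites the tag closes that hole.

```python
# Added example, not code from the SIMPLE system: a policy chain
# Firewall -> Proxy -> IDS steered by switch rules that match and rewrite a
# tag, simulated over a constructed two-switch topology. Port numbers, tag
# values and the rule-lookup precedence are this example's assumptions.
from typing import Dict, List, Optional, Tuple, Union

# Tag values name the chain element the packet was last dispatched to, so a
# packet carrying FW that arrives from the firewall's port is the slide's
# "Post-Firewall".
ORIG, FW, PROXY, IDS = "orig", "fw", "proxy", "ids"

# Constructed topology. S1: port 1 host, port 2 Firewall, port 3 IDS, port 4 link
# to S2. S2: port 1 link to S1, port 2 Proxy, port 3 Dst. The packet crosses the
# S1-S2 link three times, so S2 port 1 sees the same flow at two different stages
# and only the tag can tell them apart.
LINKS: Dict[Tuple[str, int], Union[str, Tuple[str, int]]] = {
    ("S1", 2): "Firewall", ("S1", 3): "IDS", ("S1", 4): ("S2", 1),
    ("S2", 1): ("S1", 4), ("S2", 2): "Proxy", ("S2", 3): "Dst",
}

RuleKey = Tuple[str, object, object]      # (switch, in_port or "*", tag or "*")
RuleAction = Tuple[int, str]              # (out_port, tag to write)

# Rules that match on the tag alone. Enough to steer honest traffic...
TAG_ONLY: Dict[RuleKey, RuleAction] = {
    ("S1", "*", ORIG):  (2, FW),       # new flow -> firewall
    ("S1", "*", FW):    (4, FW),       # back from firewall -> S2
    ("S2", "*", FW):    (2, PROXY),    # -> proxy
    ("S2", "*", PROXY): (1, PROXY),    # back from proxy -> S1
    ("S1", "*", PROXY): (3, IDS),      # -> IDS
    ("S1", "*", IDS):   (4, IDS),      # back from IDS -> S2
    ("S2", "*", IDS):   (3, IDS),      # -> destination
}

# ...but the host can put any tag it likes on a packet. The fix: on every
# untrusted ingress port, a higher-precedence rule overwrites the tag.
HARDENED: Dict[RuleKey, RuleAction] = {**TAG_ONLY, ("S1", 1, "*"): (2, FW)}


def lookup(rules: Dict[RuleKey, RuleAction], switch: str, port: int, tag: str) -> Optional[RuleAction]:
    """Most specific key first: exact, then port-only, then tag-only."""
    for key in ((switch, port, tag), (switch, port, "*"), (switch, "*", tag)):
        if key in rules:
            return rules[key]
    return None


def steer(rules: Dict[RuleKey, RuleAction], ingress_tag: str, max_hops: int = 16) -> List[str]:
    """Inject a packet from the host on S1 port 1 and return the elements it visits.
    Middleboxes are assumed to hand the packet back on the same port, tag intact."""
    switch, port, tag = "S1", 1, ingress_tag
    path: List[str] = []
    for _ in range(max_hops):
        hit = lookup(rules, switch, port, tag)
        if hit is None:
            return path + ["controller"]          # table miss: punt, never forward blindly
        out_port, tag = hit
        nxt = LINKS[(switch, out_port)]
        if nxt == "Dst":
            return path + ["Dst"]
        if isinstance(nxt, tuple):
            switch, port = nxt                    # cross the inter-switch link
        else:
            path.append(nxt)                      # middlebox; comes back on the same port
            port = out_port
    return path + ["loop"]
```

`steer(TAG_ONLY, ORIG)` visits Firewall, Proxy, IDS and then Dst, but `steer(TAG_ONLY, IDS)` goes straight to Dst: a forged tag bypasses the whole chain. With the ingress rule added, `steer(HARDENED, IDS)` takes the full chain again. The same reset belongs on every port where untrusted hosts or networks attach, and on any port from which a middlebox could be reached without passing the switch that owns the chain.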
Page 34
NFV + SDN Advantages
• High capital expenses: reduced capital expenses, commodity servers
• Management adversity: not addressed
• High operating expenses: reduced operating expenses, software
• Limited innovation: software, easy to experiment
• Placement limitations: no limitations with SDN
• Scalability problems: auto scaling
• Performance: no hardware accelerators, runs in a VM
Page 35
NFV+SDN: Thinking Outside the Box about Middleboxes
Page 36
Our Approach: MB Common Modules as a Service
• Break the MB architecture into common data-plane modules
  – Many MBs use Deep Packet Inspection (DPI)
  – Every MB application performs more or less the same set of MB modules
• Provide data-plane modules as a service, with DPI as the example
• Anat Bremler-Barr, Yotam Harchol, David Hay and Yaron Koral, "Deep Packet Inspection as a Service", in ACM CoNEXT, December 2014
• Anat Bremler-Barr, Yotam Harchol and David Hay, "OpenBox: Enabling Innovation in Middlebox Applications", in ACM SIGCOMM HotMiddlebox, August 2015
Page 37
Deep Packet Inspection (DPI)
• Classify packets according to the packet payload (data), against a known set of patterns: strings or regular expressions
• Common task in middleboxes
(Diagram: an IP packet from the Internet carrying "Evil" is matched by the firewall's pattern "Evil")
Page 38
DPI-Based Middleboxes
Intrusion Detection System, Network Anti-Virus, L7 Firewall, L7 Load Balancer, Leakage Prevention System, Network Analytics, Traffic Shaper, Lawful Interception, Copyright Enforcement: all built around DPI
Page 39
DPI Engine: A Complicated Challenge
• Pattern set size varies between 10^2 and 10^5 patterns
• The DPI engine is considered a system bottleneck in many of today's MBs (30%-80%) [laboratory simulations over real deployments of Snort and ClamAV]
• Hundreds of academic papers over recent years on scalability, throughput, latency, power, resiliency, updates and compression
Page 40
Middlebox Service Chains
• Each packet is scanned multiple times, wasting computation resources
• Each MB implements its own DPI engine (higher MB costs, reduced features)
Page 41
Our Solution: DPI as a Service
Contribution: a logically centralized DPI service instead of multiple instances, one in each middlebox
Benefits:
• Innovation: lower entry barriers
• Reduced costs: cheaper MB HW/SW
• Improved performance: scan each packet once, improving latency and throughput
• Rich DPI functionality: invest once for all MBs
Page 42
Service Chain of MBs in NFV
(Diagram: VMs running L7 FW1, IDS1, IDS2, AV1, AV2 and TS attached to switches S1-S4; the traffic-steering application on the SDN controller chains them)
Page 43
DPI as a Service
(Diagram: the same VMs and switches with a DPI service instance added; modified service chain: DPI -> AV1 -> TS -> IDS1 -> L7 FW1)
Page 44
Architecture Overview (SDN)
(Diagram: DPI instances DPI1 and DPI2, and a DPI controller next to the traffic-steering application on the SDN controller. Each MB says "hello" to the DPI controller and registers its patterns; the DPI controller adds the patterns to the DPI instances and has the SDN controller update the service chain.)
New elements:
• DPI controller
• Multiple DPI instances
Page 45
Details
• Mechanism for passing results: Network Service Header (NSH)
• Scalable DPI algorithm: the service is beneficial if the time complexity is sublinear in the number of patterns
Page 46
Details: Passing Results
• Use a dedicated new header in the packet
  – A common need of many network services
  – Network Service Header (NSH): IETF draft (Cisco's vPath)
• Each pattern and each MB has a unique ID
• Result: <MB ID> + <Pattern ID> + <Match Offset>
• Each packet may contain several pattern matches
  – Results header size: for security apps mostly 0 B (95% of traffic is normal); upon a match, 99% of packets need less than 200 B
(Example results emitted by a DPI instance, from the slide: MB 1, ID 139, offset 90; MB 2, ID 14, offset 109; MB 3, ID 723, offset 201; MB 4, ID 221, offset 507; …)
Page 47
Are DPI Algorithms Scalable? Sublinear?
• Yes: each input byte requires a single lookup, almost regardless of the number of patterns. The lookup can be one memory access or one cache access.
(Diagram: two separate DPIs, one inside IDS1 and one inside AV1, versus DPI as a service, one DPI instance serving both IDS1 and AV1)
Latency, traditional: 21.5 µs per packet. Latency, DPI as a service: 13.8 µs per packet.
Page 48
String Matching: Aho-Corasick Algorithm
• Build a Deterministic Finite Automaton (basic full-table variant)
• Example pattern set: {E, BE, BD, BCD, CDBCAB, BCAA}
• Each byte requires a single memory reference
(Diagram: the automaton's states s0-s14 and their transitions on A, B, C, D, E)
Input: BCDBCAB. States visited: s0, s12, s2, s5, s6, s9, s10, s11
Page 49
Pattern Set Aggregation
(Diagram: MB 0 registers pattern set 0 and MB 1 registers pattern set 1; in the aggregated automaton each state is marked as belonging to pattern set 0, pattern set 1 or both sets)
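The two previous slides worked through in code, as an added example that is not the DPI-as-a-Service engine or any code from the papers: an Aho-Corasick automaton in its full-table form, so that scanning costs exactly one transition lookup per input symbol, built over the slide's pattern set {E, BE, BD, BCD, CDBCAB, BCAA}, and then the same construction over the aggregated sets of two middleboxes, so that a pattern both registered is stored once and each match reports which MBs asked for it. The MB ids, the split of the patterns between them and the sample inputs are constructed.

```python
# Added example, not the DPI-as-a-Service engine itself: Aho-Corasick in its
# full-table form (exactly one transition lookup per input symbol) built over
# the slide's pattern set, plus pattern-set aggregation for two middleboxes so
# a shared pattern is stored once and every match says which MBs registered it.
# Pattern ownership, the MB ids and the sample inputs are constructed.
from collections import deque
from typing import Dict, FrozenSet, Iterable, List, Tuple

Hit = Tuple[str, int, FrozenSet[int]]     # (pattern, start offset, owning MB ids)


def aggregate(pattern_sets: Dict[int, Iterable[str]]) -> Dict[str, FrozenSet[int]]:
    """Merge each MB's pattern set into one dict: pattern -> MBs that want it."""
    owners: Dict[str, set] = {}
    for mb_id, patterns in pattern_sets.items():
        for p in patterns:
            owners.setdefault(p, set()).add(mb_id)
    return {p: frozenset(o) for p, o in owners.items()}


class AhoCorasick:
    def __init__(self, owners: Dict[str, FrozenSet[int]]):
        self.owners = owners
        self.alphabet = sorted({c for p in owners for c in p})
        self.goto: List[Dict[str, int]] = [{}]      # trie edges
        self.out: List[set] = [set()]               # patterns ending at each state
        for p in owners:
            s = 0
            for c in p:
                if c not in self.goto[s]:
                    self.goto.append({})
                    self.out.append(set())
                    self.goto[s][c] = len(self.goto) - 1
                s = self.goto[s][c]
            self.out[s].add(p)
        # Breadth-first pass: failure links, inherited outputs, and the full
        # transition table, so scanning never has to follow a failure chain.
        n = len(self.goto)
        fail = [0] * n
        self.table: List[Dict[str, int]] = [{} for _ in range(n)]
        queue = deque()
        for c in self.alphabet:
            s = self.goto[0].get(c, 0)
            self.table[0][c] = s
            if s:
                queue.append(s)
        while queue:
            r = queue.popleft()
            self.out[r] |= self.out[fail[r]]        # suffixes that are patterns too
            for c in self.alphabet:
                if c in self.goto[r]:
                    s = self.goto[r][c]
                    fail[s] = self.table[fail[r]][c]
                    self.table[r][c] = s
                    queue.append(s)
                else:
                    self.table[r][c] = self.table[fail[r]][c]

    def scan(self, data: str) -> List[Hit]:
        """One table lookup per input symbol; symbols outside the alphabet reset to the root."""
        state, hits = 0, []
        for i, c in enumerate(data):
            state = self.table[state].get(c, 0)
            for p in self.out[state]:
                hits.append((p, i - len(p) + 1, self.owners[p]))
        return sorted(hits, key=lambda h: (h[1], h[0]))


def results_by_mb(hits: Iterable[Hit]) -> Dict[int, List[Tuple[str, int]]]:
    """Fan one scan out: each MB receives only the patterns it registered."""
    per_mb: Dict[int, List[Tuple[str, int]]] = {}
    for p, start, owners in hits:
        for mb_id in owners:
            per_mb.setdefault(mb_id, []).append((p, start))
    return per_mb


# The slide's pattern set, registered by a single MB (id 0).
SLIDE_SET = aggregate({0: ["E", "BE", "BD", "BCD", "CDBCAB", "BCAA"]})

# Aggregation: two MBs whose sets overlap on "BCD"; one automaton serves both.
TWO_MB_SET = aggregate({1: ["BE", "BD", "BCD"], 2: ["BCD", "CDBCAB", "E", "BCAA"]})
```

Scanning the slide's input BCDBCAB finds BCD at offset 0 and CDBCAB at offset 1 after seven lookups, one per symbol, and the automaton has fifteen states, matching s0 to s14 on the slide. The aggregated automaton for the two MBs has the same fifteen states, because the shared BCD is stored once; a match on it is reported to both MBs while CDBCAB reaches only MB 2. A per-state dict stands in here for the per-state row of a transition table indexed by byte value; the point about one memory reference per byte is the same.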
Page 50
Generalization: MB Data Plane
Data-plane tasks: each MB application performs more or less the same set of MB modules, in a pipeline.
• Wire speed
• Module: software (VM) or hardware (accelerator)
Modules: Packet Classification, Application Classification, Session Reconstruction, Decrypt/Decompress, Traffic Normalizer, DPI, Traffic Measurement
Page 51
Our Vision: Thin MB with MB Services
• The main difference between MBs is at the control level.
• MB modules will be implemented as services in the network.
• Traffic travels between the services.
Example: DDoS protection built from the IP anti-spoofing, Packet Classification, DPI and Traffic Measurement modules plus filters such as "Filter ICMP"; once measurement reports that X is an attacker, a new module "Filter X" is added
Page 52
Our Vision: Control Tasks
MB as an application with control tasks:
• Configure the flow between MB modules
• Configure each of the MB modules
• Dynamic changes due to measurements
• Scale up and scale out of modules (orchestration)
• Service chain optimization: use the same service only once in a service chain, for improved performance
(Diagram: the DDoS protection example again: IP anti-spoofing, Packet Classification, DPI, Traffic Measurement, Filter ICMP; "X is an attacker" leads to Filter X)
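The DDoS-protection example of the last two slides, written out as an added example (not code from the talk or the OpenBox project): the middlebox is reduced to a control task that wires reusable data-plane modules into a chain and re-wires it when measurement reports an attacker. The module interface, the rate threshold, the allowed source prefixes and the constructed traffic are assumptions, and the DPI module here is a plain substring check standing in for the DPI service.

```python
# Added example, not code from the talk: the slide's DDoS-protection MB
# assembled from reusable data-plane modules, with the MB's own logic reduced
# to a control task that re-wires the module chain when measurement reports
# an attacker. Module interfaces, the threshold and the traffic are assumptions;
# the DPI module here is a substring check standing in for the DPI service.
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List

Packet = Dict[str, object]   # constructed: src, proto, payload


class IPAntiSpoofing:
    """Drop packets whose source does not belong on this ingress (prefixes assumed)."""
    def __init__(self, allowed_prefixes):
        self.nets = [ip_network(p) for p in allowed_prefixes]

    def process(self, pkt):
        return pkt if any(ip_address(pkt["src"]) in n for n in self.nets) else None


class Filter:
    """Match-and-drop on header fields; the control task inserts these on demand."""
    def __init__(self, **match):
        self.match = match

    def process(self, pkt):
        return None if all(pkt.get(k) == v for k, v in self.match.items()) else pkt


class DPI:
    """Stand-in for the DPI service: drop on any pattern in the payload."""
    def __init__(self, patterns):
        self.patterns = patterns

    def process(self, pkt):
        return None if any(p in pkt["payload"] for p in self.patterns) else pkt


class TrafficMeasurement:
    def __init__(self):
        self.per_src = Counter()

    def process(self, pkt):
        self.per_src[pkt["src"]] += 1
        return pkt


class ModuleChain:
    """Data plane: run the packet through the modules in order; None means dropped."""
    def __init__(self, modules):
        self.modules = list(modules)

    def process(self, pkt) -> bool:
        for m in self.modules:
            pkt = m.process(pkt)
            if pkt is None:
                return False
        return True


class DDoSProtection:
    """The 'thin MB': control logic only. Data-plane work is done by the modules."""
    def __init__(self, allowed_prefixes, rate_threshold):
        self.measure = TrafficMeasurement()
        self.chain = ModuleChain([
            IPAntiSpoofing(allowed_prefixes),
            Filter(proto="icmp"),            # the slide's "Filter ICMP"
            DPI(["evil"]),
            self.measure,
        ])
        self.threshold = rate_threshold
        self.blocked: List[str] = []

    def control_tick(self) -> List[str]:
        """Dynamic change driven by measurement: once X exceeds the threshold,
        a 'Filter X' module is inserted right after anti-spoofing, so X's
        packets no longer cost DPI or measurement cycles."""
        for src, n in self.measure.per_src.items():
            if n > self.threshold and src not in self.blocked:
                self.chain.modules.insert(1, Filter(src=src))
                self.blocked.append(src)
        self.measure.per_src.clear()         # next measurement interval starts fresh
        return list(self.blocked)


def simulate() -> Dict[str, object]:
    """Constructed traffic: a flood, a few legitimate packets, a spoofed one, ICMP, and an 'evil' payload."""
    mb = DDoSProtection(allowed_prefixes=["10.0.0.0/8"], rate_threshold=20)
    flood = [{"src": "10.0.0.5", "proto": "udp", "payload": "x"}] * 50
    legit = [{"src": "10.0.0.9", "proto": "tcp", "payload": "GET /"}] * 3
    spoofed = [{"src": "192.0.2.1", "proto": "tcp", "payload": "x"}]
    icmp = [{"src": "10.0.0.9", "proto": "icmp", "payload": ""}]
    evil = [{"src": "10.0.0.9", "proto": "tcp", "payload": "evil"}]
    before = sum(mb.chain.process(p) for p in flood + legit + spoofed + icmp + evil)
    attackers = mb.control_tick()
    after = sum(mb.chain.process(p) for p in flood + legit)
    return {"delivered_before": before, "attackers": attackers, "delivered_after": after,
            "chain": [type(m).__name__ for m in mb.chain.modules]}
```

Before the control tick the flood passes (53 packets delivered, only the spoofed, ICMP and "evil" packets dropped); after it the chain has gained a `Filter` for 10.0.0.5 placed right behind anti-spoofing, and only the three legitimate packets get through. Nothing in the DPI or measurement modules knows about DDoS: that knowledge lives entirely in the control task, which is the slide's point.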
Page 53
Vision: Benefits
• Improved performance
  – Service chain scenario
  – Services from HW accelerators
• Innovation enablers
  – Lower entry barriers: if the modules are services, one can tailor a MB from off-the-shelf modules, giving cheaper MB HW/SW
  – Richer functionality: companies will specialize in specific MB modules
Page 54
Vision: Enhancement with Service Modules
• Enhance the switch: for example, use the DPI service to tag packets and drive policies in switches
• Enhance the MB: SDN switches can perform the packet classification module
(Diagram: IDS1 asks the DPI service to check if there is "evil" in the packet; the switch filters the flow from src x to dst y)
Page 55
Related Industry Solution: Qosmos
• Application-aware classification: Qosmos offers an NFV service that classifies traffic (Skype, IM, VoIP, FTP, video, social networks, …)
Page 56
The Future
Page 57
P4: Future SDN Switches
• The SDN wish list:
  – Configurable packet parser, not tied to a specific header format
  – General action primitives (copy, remove, modify)
• New generation of switch ASICs, programmable switches: Intel FlexPipe, RMT [SIGCOMM'13], Cisco Doppler, ? ?
• P4: a high-level language for programming switches
Page 58
SDN+MB: Open Questions
• Q1: Can we implement a whole MB, or part of a MB, using a programmable switch? A generic platform with a fast data plane.
• Q2: What will be the standard management language for MBs? An abstraction of the MB API increases flexibility.
• Q3: Will a variation on P4 become a standard for MBs too?
Page 59
NFV Current Status
• Currently MB companies move to NFV naively: they take the software that ran on HW appliances, make some small modifications and just move it to a VM. This is not an optimal MB architecture.
• Auto-scaling requires moving a flow together with its state. Shriram Rajagopalan, Dan Williams, Hani Jamjoom, and Andrew Warfield. Split/merge: System support for elastic execution in virtual middleboxes. In NSDI, 2013
Page 60
NFV+MB: Open Questions
• Q1: What will be the common architecture of VNFs (virtualized network functions, formerly implemented by MBs)? Fresh rethinking.
• Q2: What will be the "OS" of NFV? Features? OpenStack?
• Q3: Is NFV cost-effective for all types of MBs? Are there MBs that must have HW accelerators?
• Q4: How do you combine HW and NFV most effectively? The service module?
Page 61
Conclusion
• The middlebox area is an evolving, very dynamic area
• SDN & NFV change the field of MBs
Thank You!!!