The Middlebox Manifesto: Enabling Innovation in Middlebox Deployment

greenpepperwhinnySecurity

Nov 3, 2013

The Middlebox Manifesto: Enabling Innovation in Middlebox Deployment
Vyas Sekar, Sylvia Ratnasamy, Michael Reiter, Norbert Egi, Guangyu Shi

Growing literature on network innovation
- Build programmable elements using commodity hardware, e.g., PacketShader, RouterBricks, ServerSwitch, SwitchBlade
- Centralized management with open interfaces, e.g., 4D, NOX/OpenFlow, RCP

Data from a large enterprise: >80K users across tens of sites

Type of appliance    Number
Firewalls            166
NIDS                 127
Media gateways       110
Load balancers        67
Proxies               66
VPN gateways          45
WAN Optimizers        44
Voice gateways        11
Total Middleboxes    636
Total routers        ~900

Most innovation today: Middleboxes!

Just network security: ~6 billion $ (2010), 10 billion $ (2016)

(Same appliance table as the previous slide)

Middleboxes are valuable, but have many pain points:
1. Device sprawl, high CapEx
2. High OpEx, e.g., separate management teams, need manual tuning
3. Inflexible, difficult to extend: need for new boxes! (consumerization?)

Most network innovation occurs via middleboxes, not by changes to routers or switches
- Suffer similar, and maybe more, pain points
  - Significant capital and operating expenses
  - Narrow, closed management interfaces
  - Difficult to extend
- Surprisingly MIA in the innovation discussion

The Middlebox Manifesto
- Most network innovation occurs via middleboxes, not via routers or switches
- Suffer almost the same, if not more, pain points
  - Too many of them
  - Narrow, closed interfaces & difficult to extend
  - Significant capital and operating expenses
- Surprisingly MIA in the innovation discussion

The Middlebox Manifesto
How to build? How to manage?
Our vision: Enabling innovation in middlebox deployments

Our vision: Enabling innovation in middlebox deployments
Network-Wide Management
1. Software-centric implementations: easy to deploy, extend
2. Consolidated physical platform: reduce sprawl
3. Logically centralized open management APIs: direct control, expressive

In a general context, these ideas aren't especially new!
But middleboxes raise new opportunities and challenges

New Efficiency Opportunities
- "Software-centric", "extensible" sounds nice ...
  - But, usually very resource inefficient compared to "specialized" solutions
- New efficiency avenues, at least for middleboxes
  - Multiplexing
  - Reuse
  - Spatial distribution

Opportunity 1: Multiplexing Benefits

Multiplexing benefit = 1 - Peak_Sum / Sum_Peak = 28%
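The slide's formula compares the capacity a consolidated platform needs (Peak_Sum, the peak of the aggregate load) with the capacity separate appliances need (Sum_Peak, the sum of each appliance's own peak). As an added illustration that is not part of the original deck, the following code computes the benefit for any number of appliances over constructed load series (the values are invented, not the enterprise data behind the 28% figure):

```python
from typing import Dict, List

# Constructed sample (not the paper's enterprise data): load of each
# standalone appliance, sampled in the same time slots, in arbitrary units.
LOADS: Dict[str, List[float]] = {
    "firewall": [40, 90, 60, 30],
    "nids":     [70, 30, 50, 80],
    "proxy":    [20, 40, 90, 50],
}


def _check_aligned(loads: Dict[str, List[float]]) -> int:
    """Return the number of time slots; every series must cover the same slots."""
    lengths = {len(series) for series in loads.values()}
    if not loads or len(lengths) != 1 or 0 in lengths:
        raise ValueError("need at least one appliance with equally long, non-empty series")
    return lengths.pop()


def sum_peak(loads: Dict[str, List[float]]) -> float:
    """Sum_Peak: capacity needed when every appliance is provisioned
    separately for its own peak (sum of the per-box peaks)."""
    _check_aligned(loads)
    return float(sum(max(series) for series in loads.values()))


def peak_sum(loads: Dict[str, List[float]]) -> float:
    """Peak_Sum: capacity needed by one consolidated platform carrying all
    appliances, i.e. the peak of the per-slot aggregate load."""
    slots = _check_aligned(loads)
    return float(max(sum(series[t] for series in loads.values()) for t in range(slots)))


def multiplexing_benefit(loads: Dict[str, List[float]]) -> float:
    """Fraction of capacity saved by consolidation: 1 - Peak_Sum / Sum_Peak.
    It is 0 when all appliances peak in the same slot and grows as peaks
    spread out over time."""
    return 1.0 - peak_sum(loads) / sum_peak(loads)


if __name__ == "__main__":
    print(f"Sum_Peak = {sum_peak(LOADS):.0f}, Peak_Sum = {peak_sum(LOADS):.0f}")
    print(f"Multiplexing benefit = {multiplexing_benefit(LOADS):.1%}")
```

On the constructed sample the three peaks sum to 260 while the aggregate never exceeds 200, so consolidation saves about 23% of the provisioned capacity.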

Opportunity 2: Reusing Modules

[Diagram: VPN, Web, Mail, IDS, Proxy and Firewall applications sharing Session Management and Protocol Parsers modules]

How much traffic overlap? > 60%
Contribution of reusable modules? 18-54%

New Challenges

[Diagram: network-wide management over a consolidated platform of session and protocol modules, extensible functions and standalone functions]

- Heterogeneity
- Complex processing
- Policy constraints

Challenges in Management

[Diagram: network-wide management over a consolidated platform of session and protocol modules, extensible functions and standalone functions]

- Policy dependencies? e.g. IDS < Proxy
- What is a minimal interface?
- Is it tractable? e.g., reuse

Challenges in Single-box Design

[Diagram: session and protocol modules, extensible functions and standalone functions on one platform]

- Accelerators?
- Primitives?
- Performance, isolation?


Conclusions
- Most network innovation occurs via middleboxes
  - Little presence in the innovation discussion!
- Our vision:
  - Software-based, consolidated
  - Logically unified, open management APIs
- New opportunities
  - Multiplexing, reuse, and spatial distribution
- Practical challenges: Management + Platform