research-article

Free Access

Making middleboxes someone else's problem: network processing as a cloud service

Authors:
Justine Sherry

UC Berkeley, Berkeley, CA, USA

UC Berkeley, Berkeley, CA, USA
View Profile

,
Shaddi Hasan

UC Berkeley, Berkeley, CA, USA

UC Berkeley, Berkeley, CA, USA
View Profile

,
Colin Scott

UC Berkeley, Berkeley, CA, USA

UC Berkeley, Berkeley, CA, USA
View Profile

,
Arvind Krishnamurthy

University of Washington, Seattle, WA, USA

University of Washington, Seattle, WA, USA
View Profile

,
Sylvia Ratnasamy

UC Berkeley, Berkeley, CA, USA

UC Berkeley, Berkeley, CA, USA
View Profile

,
Vyas Sekar

Intel Labs, Berkeley, CA, USA

Intel Labs, Berkeley, CA, USA
View Profile

SIGCOMM '12: Proceedings of the ACM SIGCOMM 2012 conference on Applications, technologies, architectures, and protocols for computer communicationAugust 2012Pages 13–24https://doi.org/10.1145/2342356.2342359

Published:13 August 2012Publication History

SIGCOMM '12: Proceedings of the ACM SIGCOMM 2012 conference on Applications, technologies, architectures, and protocols for computer communication

Pages 13–24

ABSTRACT

Modern enterprises almost ubiquitously deploy middlebox processing services to improve security and performance in their networks. Despite this, we find that today's middlebox infrastructure is expensive, complex to manage, and creates new failure modes for the networks that use them. Given the promise of cloud computing to decrease costs, ease management, and provide elasticity and fault-tolerance, we argue that middlebox processing can benefit from outsourcing the cloud. Arriving at a feasible implementation, however, is challenging due to the need to achieve functional equivalence with traditional middlebox deployments without sacrificing performance or increasing network complexity.

In this paper, we motivate, design, and implement APLOMB, a practical service for outsourcing enterprise middlebox processing to the cloud.

Our discussion of APLOMB is data-driven, guided by a survey of 57 enterprise networks, the first large-scale academic study of middlebox deployment. We show that APLOMB solves real problems faced by network administrators, can outsource over 90% of middlebox hardware in a typical large enterprise network, and, in a case study of a real enterprise, imposes an average latency penalty of 1.1ms and median bandwidth inflation of 3.8%.

Supplemental Material

sigcomm-i-02-networkprocessingasacloudservice.mp4

mp4

80.6 MB

Download

References

Amazon Direct Connect. http://aws.amazon.com/directconnect/.Google Scholar
Amazon Route 53. http://aws.amazon.com/route53.Google Scholar
Amazon Virtual Private Cloud. http://aws.amazon.com/vpc/.Google Scholar
Amazon Web Services launches Brazil datacenters for its cloud computing platform. http://phx.corporate-ir.net/phoenix.zhtml?c= 176060&p=irol-newsArticle&ID=1639908.Google Scholar
Aryaka WAN Optimization. http://www.aryaka.com.Google Scholar
Barracuda Web Security Flex. http://www.barracudanetworks. com/ns/products/web_security_flex_overview.php.Google Scholar
Cisco: Quality of Service Design Overview. http: //www.ciscopress.com/articles/article.asp?p=357102.Google Scholar
Embrane. http://www.embrane.com/.Google Scholar
Network Monitoring Tools. http://slac.stanford.edu/xorg/nmtf/nmtf-tools.html.Google Scholar
OpenVPN. http://www.openvpn.com.Google Scholar
Palo Alto Networks. http://www.paloaltonetworks.com/.Google Scholar
Rightscale Cloud management. http://www.rightscale.com/.Google Scholar
Riverbed Virtual Steelhead. http://www.riverbed.com/us/ products/steelhead_appliance/virtual_steelhead.php.Google Scholar
Symantec: Data Loss Protection. http://www.vontu.com.Google Scholar
Tivoli Monitoring Software. http://ibm.com/software/tivoli/products/monitor.Google Scholar
Vyatta Software Middlebox. http://www.vyatta.com.Google Scholar
ZScaler Cloud Security. http://www.zscaler.com.Google Scholar
Cloud computing - 31 companies describe their experiences. http: //www.ipanematech.com/information-center/download. php?link=white-papers/White%20Book_2011-Cloud_Computing_OBS_Ipanema_Technologies_EBG.pdf, 2011.Google Scholar
Enterprise Network and Data Security Spending Shows Remarkable Resilience. http://www.abiresearch.com/press/3591, 2011.Google Scholar
M. Allman and V. Paxson. TCP congestion control. RFC 5681.Google Scholar
A. Anand, A. Gupta, A. Akella, S. Seshan, and S. Shenker. Packet Caches on Routers: The Implications of Universal Redundant Traffic Elimination. In Proc. of SIGCOMM, 2008. Google ScholarDigital Library
D. Andersen, H. Balakrishnan, F. Kaashoek, and R. Morris. Resilient overlay networks. In SOSP, 2001. Google ScholarDigital Library
M. Armbrust et al. A view of cloud computing. Commun. ACM, April 2010. Google ScholarDigital Library
H. Ballani and P. Francis. CONMan: a step towards network manageability. In SIGCOMM, 2007. Google ScholarDigital Library
T. Benson, A. Akella, A. Shaikh, and S. Sahu. Cloudnaas: a cloud networking platform for enterprise applications. In Proc. SOCC, 2011. Google ScholarDigital Library
D. R. Choffnes and F. E. Bustamante. Taming the torrent: a practical approach to reducing cross-isp traffic in peer-to-peer systems. In SIGCOMM, 2008. Google ScholarDigital Library
C. Dixon, H. Uppal, V. Brajkovic, D. Brandon, T. Anderson, and A. Krishnamurthy. ETTM: a scalable fault tolerant network manager. In NSDI, 2011. Google ScholarDigital Library
N. Dukkipati and N. McKeown. Why flow-completion time is the right metric for congestion control. CCR, January 2006. Google ScholarDigital Library
S. Floyd. HighSpeed TCP for large congestion windows. RFC 3649. Google ScholarDigital Library
G. Gibb, H. Zeng, and N. McKeown. Outsourcing network functionality. In HotSDN, 2012. Google ScholarDigital Library
K. P. Gummadi, H. V. Madhyastha, S. D. Gribble, H. M. Levy, and D. Wetherall. Improving the reliability of Internet paths with One-hop Source Routing. In Proc. OSDI, 2004. Google ScholarDigital Library
M. Hajjat, X. Sun, Y.-W. E. Sung, D. A. Maltz, S. Rao, K. Sripanidkulchai, and M. Tawarmalani. Cloudward bound: Planning for beneficial migration of enterprise applications to the cloud. In SIGCOMM, 2012. Google ScholarDigital Library
D. Joseph and I. Stoica. Modeling middleboxes. Network, IEEE, 22(5), 2008. Google ScholarDigital Library
D. A. Joseph, A. Tavakoli, and I. Stoica. A policy-aware switching layer for data centers. In SIGCOMM, 2008. Google ScholarDigital Library
D. Katabi, M. Handley, and C. Rohrs. Congestion control for high bandwidth-delay product networks. In SIGCOMM, 2002. Google ScholarDigital Library
E. Kohler, R. Morris, B. Chen, J. Jannotti, and M. F. Kaashoek. The Click modular router. ACM ToCS, August 2000. Google ScholarDigital Library
V. Kundra. 25 Point Implementation Plan to Reform Federal Information Technology Management. Technical report, US CIO, 2010.Google Scholar
M57 packet traces. https://domex.nps.edu/corp/scenarios/2009-m57/net/.Google Scholar
N. McKeown et al. OpenFlow: enabling innovation in campus networks. CCR, March 2008. Google ScholarDigital Library
T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In CCS, 2009. Google ScholarDigital Library
M. Roesch. Snort - Lightweight Intrusion Detection for Networks. In LISA, 1999. Google ScholarDigital Library
V. Sekar, S. Ratnasamy, M. K. Reiter, N. Egi, and G. Shi. The middlebox manifesto: enabling innovation in middlebox deployment. In HotNets, 2011. Google ScholarDigital Library
I. Stoica et al. Internet indirection infrastructure. ToN, April 2004. Google ScholarDigital Library
A. Su, D. Choffnes, A. Kuzmanovic, and F. Bustamante. Drafting behind Akamai (Travelocity-based detouring). In SIGCOMM, 2006. Google ScholarDigital Library
V. Valancius, N. Laoutaris, L. Massouli'e, C. Diot, and P. Rodriguez. Greening the internet with nano data centers. In Proc. CoNEXT, 2009. Google ScholarDigital Library
Visolve. Transparent caching using Squid. http://www.visolve.com/squid/whitepapers/trans_caching.pdf, 2006.Google Scholar
M. Walfish, J. Stribling, M. Krohn, H. Balakrishnan, R. Morris, and S. Shenker. Middleboxes no longer considered harmful. In OSDI, 2004. Google ScholarDigital Library

Index Terms

Making middleboxes someone else's problem: network processing as a cloud service
1. Networks
  1. Network services
    1. Network management

Recommendations

Making middleboxes someone else's problem: network processing as a cloud service
Special october issue SIGCOMM '12

Modern enterprises almost ubiquitously deploy middlebox processing services to improve security and performance in their networks. Despite this, we find that today's middlebox infrastructure is expensive, complex to manage, and creates new failure modes ...
Read More
A flexible and efficient container-based NFV platform for middlebox networking
SAC '18: Proceedings of the 33rd Annual ACM Symposium on Applied Computing

Network Function Virtualization (NFV) enables multiple network functions (NFs) to operate simultaneously on a commodity server. Internet Data Centers (IDCs) gain significant flexibility and agility through NFV's ability to dynamically deploy and ...
Read More
OpenANFV: accelerating network function virtualization with a consolidated framework in openstack
SIGCOMM '14: Proceedings of the 2014 ACM conference on SIGCOMM

The resources of dedicated accelerators (e.g. FPGA) are still required to bridge the gap between software-based Middleboxs(MBs) and the commodity hardware. To consolidate various hardware resources in an elastic, programmable and reconfigurable manner, ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SIGCOMM '12: Proceedings of the ACM SIGCOMM 2012 conference on Applications, technologies, architectures, and protocols for computer communication
August 2012
474 pages
ISBN:9781450314190
DOI:10.1145/2342356
General Chairs:
Lars Eggert
NetApp, Germany
,
Jörg Ott
Aalto University, Finland
,
Program Chairs:
Venkat Padmanabhan
Microsoft Research, India
,
George Varghese
UCSD, USA
Copyright © 2012 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 13 August 2012
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
cloud
middlebox
outsourcing
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate554of3,547submissions,16%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 299
  Total Citations
  View Citations
- 2,342
  Total Downloads
- Downloads (Last 12 months)272
- Downloads (Last 6 weeks)31
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Making middleboxes someone else's problem: network processing as a cloud service

SIGCOMM '12: Proceedings of the ACM SIGCOMM 2012 conference on Applications, technologies, architectures, and protocols for computer communication

ABSTRACT

Supplemental Material

References

Cited By

Index Terms

Recommendations

Making middleboxes someone else's problem: network processing as a cloud service

A flexible and efficient container-based NFV platform for middlebox networking

OpenANFV: accelerating network function virtualization with a consolidated framework in openstack