ABSTRACT
Modern enterprises almost ubiquitously deploy middlebox processing services to improve security and performance in their networks. Despite this, we find that today's middlebox infrastructure is expensive, complex to manage, and creates new failure modes for the networks that use it. Given the promise of cloud computing to decrease costs, ease management, and provide elasticity and fault tolerance, we argue that middlebox processing can benefit from outsourcing to the cloud. Arriving at a feasible implementation, however, is challenging due to the need to achieve functional equivalence with traditional middlebox deployments without sacrificing performance or increasing network complexity.
In this paper, we motivate, design, and implement APLOMB, a practical service for outsourcing enterprise middlebox processing to the cloud.
Our discussion of APLOMB is data-driven, guided by a survey of 57 enterprise networks, the first large-scale academic study of middlebox deployment. We show that APLOMB solves real problems faced by network administrators, can outsource over 90% of middlebox hardware in a typical large enterprise network, and, in a case study of a real enterprise, imposes an average latency penalty of 1.1 ms and median bandwidth inflation of 3.8%.
Published as: Making middleboxes someone else's problem: network processing as a cloud service. SIGCOMM '12, special October issue.