A Policy-aware Switching Layer for Data Centers
Dilip Joseph, Arsalan Tavakoli, Ion Stoica
University of California at Berkeley
Problem: Middleboxes are hard to deploy
• Place on network path
• Overload path selection mechanisms
• On path placement fails to achieve
  – Correctness: Guaranteed middlebox traversal
  – Flexibility: (Re)configurable network topology
  – Efficiency: No middlebox resource wastage
[Figure labels: pkt, network path, Load Balancer, Firewall]
Preview
• Problem – Middleboxes are hard to deploy
• Solution
  – Overview
  – Challenges
  – Limitations
• Implementation & evaluation
• Related work
Common data center topology
[Figure labels: Internet; Core: Layer-3 router; Aggregation: Layer-2/3 switch; Access: Layer-2 switch; Servers; Firewall; Load Balancer; Data Center]
Inflexible topology
[Figure labels: Internet, Intrusion Prevention Box, Firewall, Load Balancer]
Inefficient - middlebox resource wastage
[Figure labels: Internet, Process unnecessary traffic, Unutilized, Backup path]
Correctness is hard
Protect S1 ↔ S2 traffic
• Option 1 – Existing firewalls
• Option 2 – New firewall
• Option 3 – Separate VLANs
[Figure labels: Internet, S1, S2, Newly blocked link (shown with Option 1)]
Outline
• Problem – Middleboxes are hard to deploy
• Solution
  – Overview
  – Challenges
  – Limitations
• Implementation & evaluation
• Related work
Policy-aware Switching Layer
1. Take middleboxes off-path
2. Separate policy from reachability
HTTP (TCP port = 80): Firewall, Load balancer
[Figure labels: Policy-aware switching layer, Existing mechanisms, PSwitch (P), load balancer, firewall]
PSwitch explicitly forwards packets to middleboxes
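
The forwarding decision described on this slide, as an added sketch that is not code from the talk or its authors. The rule layout (traffic selector plus ordered middlebox sequence, looked up by the hop a frame arrived from), the hop labels and the sample frames are assumptions made for illustration.

```python
# Added illustration: rule layout, hop labels and sample frames are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    proto: str     # "tcp" or "udp"
    dst_port: int


# The slide's policy, in the order it lists the middleboxes:
# HTTP (TCP port = 80): Firewall, Load balancer.
# Each entry is (traffic selector, ordered middlebox sequence).
POLICIES = [
    (lambda f: f.proto == "tcp" and f.dst_port == 80,
     ("firewall", "load_balancer")),
]

INGRESS = "ingress"      # hypothetical label: frame has visited no middlebox yet
DELIVER = "destination"  # hypothetical label: hand off to normal forwarding


def next_hop(frame, prev_hop=INGRESS):
    """Return where a pswitch sends `frame`, given the hop it arrived from."""
    for selector, sequence in POLICIES:
        if not selector(frame):
            continue
        # A previous hop that is not in the sequence is treated like ingress,
        # so the frame starts at the first middlebox rather than skipping any.
        i = sequence.index(prev_hop) if prev_hop in sequence else -1
        return sequence[i + 1] if i + 1 < len(sequence) else DELIVER
    # No policy selects this frame: it is never sent to a middlebox,
    # so middleboxes do not process traffic they have no policy for.
    return DELIVER


def traverse(frame):
    """Follow next_hop() until delivery; return the middleboxes visited."""
    path, hop = [], INGRESS
    while (hop := next_hop(frame, hop)) != DELIVER:
        path.append(hop)
    return path


if __name__ == "__main__":
    for f in (Frame("tcp", 80), Frame("tcp", 22)):  # constructed sample frames
        print(f, "->", traverse(f) or "no middlebox")
```

Because the sequence lives in the policy table rather than in the wiring, changing which middleboxes HTTP traffic must cross is a table edit, not a topology change.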