Extending SDN to Handle Dynamic Middlebox Actions via FlowTags

Software-defined networking (SDN) seeks to simplify and enhance network management by decoupling the management logic from its implementation. Our overarching vision is to integrate advanced data plane functions or middleboxes (e.g., firewalls, NATs, proxies, intrusion detection and prevention systems, and application-level gateways) into the SDN fold. This integration, however, is challenging on two fronts: (1) it is difficult to ensure that “service-chaining” policies are implemented correctly [4], and (2) middleboxes hinder management functions such as performance debugging [5]. The root cause of this problem is that as packets traverse the network, they are altered by dynamic and opaque middlebox actions; for instance, proxies terminate TCP sessions, while NATs and load balancers rewrite headers. Thus, the promise of SDN to systematically enforce and verify network-wide policies (e.g., [3]) does not directly extend to networks with middlebox functions. In this work, we take a pragmatic stance that rather than eliminate or completely rearchitect middleboxes, we should attempt to integrate them into the SDN fold as “cleanly” as possible. To this end, we extend the SDN paradigm in the FlowTags architecture by identifying flow tracking as the key to policy enforcement in the presence of dynamic traffic transformations. That is, we need to reliably associate additional contextual information with a traffic flow as it traverses the network, even if the packet headers and contents are modified. Because middleboxes are in the best (and possibly the only) position to provide the relevant contextual information, FlowTags uses minimal extensions to existing middleboxes to add the relevant tags, carried in packet headers. SDN switches use the tags as part of their flow matching logic for their forwarding operations. Downstream middleboxes use the tags as part of their packet processing workflows; e.g., a firewall located after a NAT can use the tags to identify the true source IPs and apply the correct set of rules.