Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization: Latest Papers

Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization
Theophilus A. Benson, C. Raiciu
{"title":"Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization","authors":"Theophilus A. Benson, C. Raiciu","doi":"10.1145/2785989","DOIUrl":"https://doi.org/10.1145/2785989","url":null,"abstract":"It is our great pleasure to welcome you to the 2015 ACM Workshop on Hot Topics in Middleboxes and Network Function Virtualization -- HotMiddlebox'15. This year's event is the second workshop on this topic, and it comes at a time when middleboxes are truly a hot topic of interest in both industry and academia.\n\nOn the one hand, there is a concerted industry shift towards network functions virtualization that means middleboxes are now becoming software appliances that are easier to install, scale and upgrade than their hardware counterparts. On the other hand, widespread privacy concerns raised by online surveillance have led to more traffic running over HTTPS and work towards opportunistically securing TCP in the IETF. The long-lasting tussle between middleboxes and the endpoints has now reached a critical turning point that may deny middleboxes access to the payload, preventing most to do their jobs.\n\nHotMiddlebox'15 accepted 12 papers out of 32 submissions. The paper review process included an offline evaluation phase by PC members, followed by a teleconference discussion of the top 20 ranked papers, out of which 12 were accepted to appear in the program. The resulting program is a surprisingly accurate snapshot of the current state in the field. It features papers focusing on experiences of deploying middleboxes and scaling them to commercial speeds as well as measuring network behavior in the wild. A subset of the workshop's papers also asks the question of how to enable middleboxes to do their work while preserving privacy. Finally, there are papers examining migration algorithms, the interplay between NFV and SDN and ways to enable middlebox development.\n\nHotMiddlebox features two exciting keynotes that will bring the industry perspective on middlebox problems that appear in deployment. The first keynote will be given by Juho Snellman, the lead engineer on TCP optimization solutions at Teclo Networks in Zurich. Juho will discuss the practical lessons learnt while developing and deploying systems in mobile operator networks. The second keynote will be given by Marc Wooldward, CTO at Datacenter security company vArmour. Marc will discuss how recent innovations in virtualisation and computing technologies provide us with the opportunity to refashion the classic DMZ security model in the age of datacenters, by evolving it to an asset-centric 'Security as a Service' model.","PeriodicalId":429815,"journal":{"name":"Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization","volume":"18 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-08-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121167787","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 1
Header Enrichment or ISP Enrichment?: Emerging Privacy Threats in Mobile Networks
N. Vallina-Rodriguez, S. Sundaresan, C. Kreibich, V. Paxson
{"title":"Header Enrichment or ISP Enrichment?: Emerging Privacy Threats in Mobile Networks","authors":"N. Vallina-Rodriguez, S. Sundaresan, C. Kreibich, V. Paxson","doi":"10.1145/2785989.2786002","DOIUrl":"https://doi.org/10.1145/2785989.2786002","url":null,"abstract":"HTTP header enrichment allows mobile operators to annotate HTTP connections via the use of a wide range of request headers. Operators employ proxies to introduce such headers for operational purposes, and---as recently widely publicized---also to assist advertising programs in identifying the subscriber responsible for the originating traffic, with significant consequences for the user's privacy. In this paper, we use data collected by the Netalyzr network troubleshooting service over 16 months to identify and characterize HTTP header enrichment in modern mobile networks. We present a timeline of HTTP header usage for 299 mobile service providers from 112 countries, observing three main categories: (1) unique user and device identifiers (e.g., IMEI and IMSI), (2) headers related to advertising programs, and (3) headers associated with network operations.","PeriodicalId":429815,"journal":{"name":"Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization","volume":"206 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-08-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131942951","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 30
Experiences Deploying a Transparent Split TCP Middlebox and the Implications for NFV
Franck Le, E. Nahum, Vasilis Pappas, Maroun Touma, D. Verma
{"title":"Experiences Deploying a Transparent Split TCP Middlebox and the Implications for NFV","authors":"Franck Le, E. Nahum, Vasilis Pappas, Maroun Touma, D. Verma","doi":"10.1145/2785989.2785991","DOIUrl":"https://doi.org/10.1145/2785989.2785991","url":null,"abstract":"This paper summarizes our experiences deploying a transparent Split TCP middlebox for WiFi networks in Enterprise customer environments. Since Split TCP is nearly two decades old, we believed this would be a straightforward application of well-known technology. Reality, however, would teach us otherwise. While we began our deployment in our own office with 3,000 users, we encountered several challenges in deploying this technology at customer sites. Each customer had different network architectures, security policies, and non-negotiable requirements. In particular, modifying the network architecture was frequently impossible. Deployment challenges tended to fall into two related but distinct categories. First, making the box transparent to both clients and servers required extending the notion of transparency from beyond just layer 3 and layer 4 to include layer 2. Second, the interaction of our middlebox with other middleboxes resulted in unexpected behaviors. Our deployments supported up to 15,000 simultaneous users and lasted up to 2 years. We offer up our experiences so that others need not repeat them. We discuss some implications of our experiences on deploying network functionality in virtual environments, or Network Function Virtualization (NFV). 
If NFV is to be successful in real environments, these challenges will need to be overcome.","PeriodicalId":429815,"journal":{"name":"Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization","volume":"13 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-08-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133845017","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 17
OpenBox: Enabling Innovation in Middlebox Applications
A. Bremler-Barr, Yotam Harchol, David Hay
{"title":"OpenBox: Enabling Innovation in Middlebox Applications","authors":"A. Bremler-Barr, Yotam Harchol, David Hay","doi":"10.1145/2785989.2785992","DOIUrl":"https://doi.org/10.1145/2785989.2785992","url":null,"abstract":"Contemporary networks contain many different kind of middleboxes that perform variety of advanced network functions. Currently, a special box is tailored to provide each such function. These special boxes are usually proprietary, and operators control over them is limited to the set of capabilities defined by the provider of each box. Nonetheless, many middleboxes perform very similar tasks. In this paper we present OpenBox: a logically-centralized framework that makes advanced packet processing and monitoring easier, faster, more scalable, flexible, and innovative. OpenBox decouples the control plane of middleboxes from their data plane, and unifies the data plane of multiple middlebox applications using entities called service instances. On top of the centralized control plane everyone can develop OpenBox applications. An OpenBox application, formerly implemented as a separate middlebox, instructs the data plane how to process packets in order to achieve its intended function. OpenBox service instances reside in data plane and process packets according to policies defined by the control plane. 
They can be implemented in software or use specialized hardware.","PeriodicalId":429815,"journal":{"name":"Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization","volume":"71 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-08-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126043999","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 24
GREP: Guaranteeing Reliability with Enhanced Protection in NFV
Jingyuan Fan, Z. Ye, Chaowen Guan, Xiujiao Gao, K. Ren, C. Qiao
{"title":"GREP: Guaranteeing Reliability with Enhanced Protection in NFV","authors":"Jingyuan Fan, Z. Ye, Chaowen Guan, Xiujiao Gao, K. Ren, C. Qiao","doi":"10.1145/2785989.2786000","DOIUrl":"https://doi.org/10.1145/2785989.2786000","url":null,"abstract":"Network Function Virtualization (NFV) is a promising technique to greatly improve the effectiveness and flexibility of network management through a process called Service Function Chain (SFC) mapping, which can efficiently provision network services over a virtualized and shared middlebox platform. However, such an evolution towards software-defined middlebox introduces new challenges to network services which require high reliability. Sufficient redundancy can protect the network services when physical failures occur, but in doing so, the efficiency of physical resources may be greatly decreased. This paper presents GREP, a novel online algorithm that can minimize the physical resources consumption while guaranteeing the required high reliability with a polynomial time complexity. Simulation results show that our proposed algorithm can significantly improve the request acceptance ratio and reduce resource consumption.","PeriodicalId":429815,"journal":{"name":"Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization","volume":"62 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-08-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131422379","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 91
CO-REDUCE: Collaborative Redundancy Reduction Service in Software-Defined Networks
Sejun Song, Daehee Kim, Hyungbae Park, Baek-Young Choi, T. Choi
{"title":"CO-REDUCE: Collaborative Redundancy Reduction Service in Software-Defined Networks","authors":"Sejun Song, Daehee Kim, Hyungbae Park, Baek-Young Choi, T. Choi","doi":"10.1145/2785989.2786001","DOIUrl":"https://doi.org/10.1145/2785989.2786001","url":null,"abstract":"A large portion of digital data is transferred repeatedly across networks and duplicated in storage systems, which costs excessive bandwidth, storage, energy, and operations. Thus, great effort has been made in both areas of networks and storage systems to lower the redundancies. However, due to the lack of the coordination capabilities, expensive procedures of C-H-I (Chunking, Hashing, and Indexing) are incurring recursively on the path of data processing. In this paper, we propose a collaborative redundancy reduction service (CO-REDUCE) in Software-Defined Networks (SDN). Taking advantage of SDN control, CO-REDUCE renders the promising vision of Redundancy Elimination as a network service (REaaS) as a real practical service. CO-REDUCE is a new virtualized network function service that dynamically offloads computational operations and memory management tasks of deduplication to the group of the software designed network middleboxes. Chaining various redundant REs of both storage and network into a service, COREDUCE consolidates and simplifies the expensive C-H-I processes. We develop service coordination protocols and virtualization and control mechanisms in SDN, and indexing algorithms for CO-REDUCE software-designed middleboxes (SDMB). 
Our evaluation results from the system and Mininet-based prototypes show that CO-REDUCE achieves 2-4 times more bandwidth reduction than existing RE technologies and has compatible storage space savings to existing storage de-duplication techniques while reducing expensive overhead of processing time and memory size.","PeriodicalId":429815,"journal":{"name":"Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization","volume":"2 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-08-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114610490","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 2
Centrally Controlled Distributed VNF State Management
B. Kothandaraman, Manxing Du, Pontus Sköldström
{"title":"Centrally Controlled Distributed VNF State Management","authors":"B. Kothandaraman, Manxing Du, Pontus Sköldström","doi":"10.1145/2785989.2785996","DOIUrl":"https://doi.org/10.1145/2785989.2785996","url":null,"abstract":"The realization of increased service flexibility and scalability through the combination of Virtual Network Functions (VNF) and Software Defined Networks (SDN) requires careful management of both VNF and forwarding state. Without coordination, service scalability comes at a high cost due to unacceptable levels of packet loss, reordering and increased latencies. Previously developed techniques has shown that these issues can be managed, at least in scenarios with low traffic rates and optimistic control plane latencies. In this paper we extend previous work on coordinated state management in order to remove performance bottlenecks, this is done through distributed state management and minimizing control plane interactions. Evaluation of our changes show substantial performance gains using a distributed approach while maintaining centralized control.","PeriodicalId":429815,"journal":{"name":"Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization","volume":"28 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-08-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134113030","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 37
Lost in Network Address Translation: Lessons from Scaling the World's Simplest Middlebox
V. Olteanu, Felipe Huici, C. Raiciu
{"title":"Lost in Network Address Translation: Lessons from Scaling the World's Simplest Middlebox","authors":"V. Olteanu, Felipe Huici, C. Raiciu","doi":"10.1145/2785989.2785994","DOIUrl":"https://doi.org/10.1145/2785989.2785994","url":null,"abstract":"To understand whether the promise of Network Function Virtualization can be accomplished in practice, we set out to create a software version of the simplest middlebox that keeps per flow state: the NAT. While there is a lot of literature in the wide area of SDN in general and in scaling middleboxes, we find that by aiming to create a NAT good enough to compete with hardware appliances requires a lot more care than we had thought when we started our work. In particular, limitations of OpenFlow switches force us to rethink load balancing in a way that does not involve the centralized controller at all. The result is a solution that can sustain, on six low-end commodity boxes, a throughput of 40Gbps with 64B packets, on par with industrial offerings but at a third of the cost. To reach this performance, we designed and implemented our NAT from scratch to be migration friendly and optimized for common cases (inbound traffic, many mappings). 
Our experience shows that OpenFlow-based load balancing is very limited in the context of NATs (and by relation NFV), and that scalability can only be ensured by keeping the controller out of the data plane.","PeriodicalId":429815,"journal":{"name":"Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization","volume":"46 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-08-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126792712","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 13
Stateless Network Functions
M. Kaplan, Blake Caldwell, Richard Han, H. Jamjoom, Eric Keller
{"title":"Stateless Network Functions","authors":"M. Kaplan, Blake Caldwell, Richard Han, H. Jamjoom, Eric Keller","doi":"10.1145/2785989.2785993","DOIUrl":"https://doi.org/10.1145/2785989.2785993","url":null,"abstract":"Newly virtualized network functions (like firewalls, routers, and intrusion detection systems) should be easy to consume. Despite recent efforts to improve their elasticity and high availability, network functions continue to maintain important flow state, requiring traditional development and deployment life cycles. At the same time, many cloud-scale applications are being rearchitected to be stateless by cleanly pushing application state into dedicated caches or backend stores. This state separation is enabling these applications to be more agile and support the so-called continuous deployment model. In this paper, we propose that network functions should be similarly redesigned to be stateless. Drawing insights from different classes of network functions, we describe how stateless network functions can leverage recent advances in low-latency network systems to achieve acceptable performance. Our Click-based prototype integrates with RAMCloud; using NAT as an example network function, we demonstrate that we are able to create stateless network functions that maintain the desired performance.","PeriodicalId":429815,"journal":{"name":"Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization","volume":"32 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-08-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124128313","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 56
Love All, Trust Few: on Trusting Intermediaries in HTTP
T. Fossati, V. Gurbani, V. Kolesnikov
{"title":"Love All, Trust Few: on Trusting Intermediaries in HTTP","authors":"T. Fossati, V. Gurbani, V. Kolesnikov","doi":"10.1145/2785989.2785990","DOIUrl":"https://doi.org/10.1145/2785989.2785990","url":null,"abstract":"Recent pervasive monitoring of Internet traffic has resulted in an effort to protect all communications by using Transport Layer Security (TLS) to thwart malicious third parties. We argue that such large-scale use of TLS may potentially disrupt many useful network-based services provided by middleboxes such as content caching, web acceleration, anti-malware scanning and traffic shaping when faced with congestion. As the use of Internet grows to include devices with varying resources and capabilities, and access networks with differing link characteristics, the prevalent two-party TLS model may prove restrictive. We present EFGH, a pluggable TLS extension that allows a trusted third-party to be introduced in the two-party model without affecting the underlying end-to-end security of the channel. The extension stresses the end-to-end trust relationship integrity by allowing selective exposure of the exchanged data to trusted middleboxes.","PeriodicalId":429815,"journal":{"name":"Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-08-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130975717","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 8