Design and implementation of a framework for software-defined middlebox networking

Middleboxes (MBs) are used widely to ensure security (e.g., intrusion detection systems), improve performance (e.g., WAN optimizers), and provide other novel network functionality [4, 6]. Recently, researchers have proposed several new architectures for MB deployment, including Stratos [2], CoMb [4], and APLOMB [6]. These frameworks all advocate dynamic deployment of software-based MBs with the goal of increasing flexibility, improving efficiency, and reducing management overhead. However, approaches for controlling the behavior of MBs (i.e., how MBs examine and modify network traffic) remain limited. Today, configuration policies and parameters are manipulated using narrow, MB-specific configuration interfaces, while internal algorithms and state are completely inaccessible and unmodifiable. This apparent lack of finegrained control over MBs and their state precludes correct and performant implementation of control scenarios that involve re-allocating live flows across MBs: e.g., server migration, scale up/down of MBs to meet cost-performance trade-offs, recovery from network or MB failures, etc. Several key requirements must be satisfied to effectively support the above scenarios. To illustrate these requirements, we consider a scenario where MB instances are added and removed based on current network load [2] (Figure 1). When scaling up, some in-progress flows may need to be moved to a new MB instance to reduce the load on the original instance. To preserve the correctness and fidelity of MB operations, the new instance must receive the internal MB state associated with the moved flows, while the old instance still has the internal state associated with the remaining flows. For some MBs (e.g., an intrusion prevention