Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
A policy-aware switching layer for data centers
Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Flow processing and the rise of commodity network hardware
ACM SIGCOMM Computer Communication Review
Network-wide deployment of intrusion detection and prevention systems
Proceedings of the 6th International COnference
Is it still possible to extend TCP?
Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
A compiler and run-time system for network programming languages
POPL '12 Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Header space analysis: static checking for networks
NSDI'12 Proceedings of the 9th USENIX conference on Networked Systems Design and Implementation
Design and implementation of a consolidated middlebox architecture
NSDI'12 Proceedings of the 9th USENIX conference on Networked Systems Design and Implementation
Making middleboxes someone else's problem: network processing as a cloud service
Proceedings of the ACM SIGCOMM 2012 conference on Applications, technologies, architectures, and protocols for computer communication
Toward software-defined middlebox networking
Proceedings of the 11th ACM Workshop on Hot Topics in Networks
VeriFlow: verifying network-wide invariants in real time
nsdi'13 Proceedings of the 10th USENIX conference on Networked Systems Design and Implementation
SIMPLE-fying middlebox policy enforcement using SDN
Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM
SIMPLE-fying middlebox policy enforcement using SDN
Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM
Virtual network diagnosis as a service
Proceedings of the 4th annual Symposium on Cloud Computing
SoftCell: scalable and flexible cellular core network architecture
Proceedings of the ninth ACM conference on Emerging networking experiments and technologies
Verifiable network function outsourcing: requirements, challenges, and roadmap
Proceedings of the 2013 workshop on Hot topics in middleboxes and network function virtualization
Enforcing network-wide policies in the presence of dynamic middlebox actions using flowtags
NSDI'14 Proceedings of the 11th USENIX Conference on Networked Systems Design and Implementation
| Hi-index | 0.00 |
Past studies show that middleboxes are a critical piece of network infrastructure for providing security and performance guarantees. Unfortunately, the dynamic and traffic-dependent modifications induced by middleboxes make it difficult to reason about the correctness of network-wide policy enforcement (e.g., access control, accounting, and performance diagnostics). Using practical application scenarios, we argue that we need a flow tracking capability to ensure consistent policy enforcement in the presence of such dynamic traffic modifications. To this end, we propose FlowTags, an extended SDN architecture in which middleboxes add Tags to outgoing packets, to provide the necessary causal context (e.g., source hosts or internal cache/miss state). These Tags are used on switches and (other) middleboxes for systematic policy enforcement. We discuss the early promise of minimally extending middleboxes to provide this support. We also highlight open challenges in the design of southbound and northbound FlowTags APIs; new control-layer applications for enforcing and verifying policies; and automatically modifying legacy middleboxes to support FlowTags.