Tuesday, November 10, 2009

A Policy-aware Switching Layer for Data Centers

D. Joseph, A. Tavakoli, I. Stoica, "A Policy-aware Switching Layer for Data Centers," ACM SIGCOMM Conference, (August 2008).
To protect, manage and improve the performance of datacenter applications, data centers deploy a large variety of middleboxes, including firewalls, load balancers, SSL offloaders, web caches and intrusion prevention boxes. However, as of now, deploying middleboxes involves manually placing them in the physical path and then steering traffic by overloading layer 2 mechanisms so that it explicitly passes through them. This paper, on the other hand, proposes an approach based on a policy-aware switching layer, which allows switches to specify policies for the packets passing through them so that they traverse certain 'out of the way' middleboxes. The system is designed with the following 3 points in mind:
  1. Correctness: Traffic should traverse the middleboxes in the correct order.
  2. Flexibility: The sequence should be easily reconfigurable.
  3. Efficiency: Traffic should not traverse unnecessary middleboxes.
Keeping these goals in mind, the authors propose PLayer, which is built around 2 principles:
  • Separating policy from reachability: This is done by incorporating policies, consisting of tuples, into the switches. These policies match on the packet's MAC addresses and route it to a particular middlebox. Further, these policies are sent as updates to individual switches by a single policy manager, and care must be taken to ensure that 2 adjacent PLayer switches are running the same policy version, to avoid loops or bypassing critical middleboxes.
  • Taking middleboxes off the physical network path: The middleboxes are no longer in the physical path and are connected via various interfaces to the Pswitch. There is no need to modify the middleboxes, because a SRCMACREWRITER is introduced between the middlebox and the regular Ethernet switch.
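As an added illustration (not code from the paper or the PLayer implementation), here is a toy Python model of a pswitch policy lookup. It assumes policies keyed on (previous-hop MAC, destination port) with first match winning, a per-frame policy version checked before forwarding, and middleboxes whose frames come back with their own MAC as source, which is the job the SRCMACREWRITER does for unmodified middleboxes.

```python
# Toy model of PLayer-style policy-aware forwarding (added example, not the paper's code).
# Assumptions: a policy is (previous_hop_mac, dst_port or None for any) -> next hop;
# frames carry the policy version they were classified under; a version mismatch is
# dropped (fail closed) rather than risking a bypass of a critical middlebox.
from dataclasses import dataclass, field

# Constructed MAC addresses for the core router, two middleboxes and the server.
MACS = {"core": "00:00:00:00:00:01", "fw": "00:00:00:00:00:02",
        "lb": "00:00:00:00:00:03", "web": "00:00:00:00:00:04"}

# Web traffic from the core must go firewall -> load balancer -> web server;
# any other traffic from the core goes straight to the server (no unnecessary hops).
POLICIES = {
    (MACS["core"], 80): "fw",
    (MACS["fw"], 80): "lb",
    (MACS["lb"], 80): "web",
    (MACS["core"], None): "web",
}

@dataclass
class Frame:
    src_mac: str
    dst_port: int
    version: int
    path: list = field(default_factory=list)   # hops taken so far

@dataclass
class PSwitch:
    name: str
    version: int
    policies: dict

    def next_hop(self, frame):
        """Return the next hop for a frame, or None to drop it."""
        if frame.version != self.version:      # adjacent switches must agree on version
            return None
        for (prev, port), nxt in self.policies.items():
            if prev == frame.src_mac and port in (None, frame.dst_port):
                return nxt
        return None

SW = PSwitch("ps1", version=1, policies=POLICIES)

def traverse(switch, src, dst_port, version, max_hops=8):
    """Walk one frame through the switch until it is delivered, dropped or loops."""
    frame = Frame(src_mac=MACS[src], dst_port=dst_port, version=version)
    for _ in range(max_hops):
        nxt = switch.next_hop(frame)
        if nxt is None:
            return ("dropped", frame.path)
        frame.path.append(nxt)
        if nxt == "web":
            return ("delivered", frame.path)
        frame.src_mac = MACS[nxt]              # middlebox returns frame with its own MAC
    return ("loop", frame.path)
```

Because the lookup keys on the source MAC, the model also makes the spoofing concern concrete: a frame carrying the load balancer's MAC would match the last-stage policy, which is why PLayer deployments need ingress-port MAC checks.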
Comments

I found this paper extremely well written and relevant. It tackles a real problem in a pretty generalized manner. However, there are some rough edges which need to be tackled:
  1. 15-byte frame encapsulation overhead may increase frame size beyond the 1500-byte MTU.
  2. MAC address and VLAN spoofing attacks can render the protocol ineffective.
  3. Stateful PSwitches may not always be good for scalability.
