1 A Policy-aware Switching Layer for Data Centers Dilip Joseph Arsalan Tavakoli Ion Stoica University of California at Berkeley

Post on 15-Jan-2016


Page 1:

A Policy-aware Switching Layer for Data Centers

Dilip Joseph, Arsalan Tavakoli, Ion Stoica

University of California at Berkeley

Page 2:

Problem: Middleboxes are hard to deploy

• Place on network path
• Overload path selection mechanisms

[Figure: a packet (pkt) following the network path through a Load Balancer and a Firewall]

• On-path placement fails to achieve
  – Correctness: guaranteed middlebox traversal
  – Flexibility: (re)configurable network topology
  – Efficiency: no middlebox resource wastage

Page 3:

Preview

• Problem
  – Middleboxes are hard to deploy
• Solution
  – Overview
  – Challenges
  – Limitations
• Implementation & evaluation
• Related work

Page 4:

Common data center topology

[Figure: Internet at the top; inside the Data Center the tiers are Core (layer-3 router), Aggregation (layer-2/3 switch), Access (layer-2 switch) and Servers; a Firewall and a Load Balancer are placed on the network path]

Page 5:

Inflexible topology

[Figure: the same topology with an Intrusion Prevention Box, a Firewall and a Load Balancer on the path from the Internet]

Page 6:

Inefficient - middlebox resource wastage

[Figure: the path from the Internet with middleboxes labelled "Process unnecessary traffic" and "Unutilized", and a "Backup path"]

Page 7:

Correctness is hard

[Figure: Internet and two servers S1 and S2; goal: protect S1 ↔ S2 traffic]

• Option 1 – Existing firewalls (newly blocked link)

Page 8:

Correctness is hard

• Option 1 – Existing firewalls
• Option 2 – New firewall

Page 9:

Correctness is hard

• Option 1 – Existing firewalls
• Option 2 – New firewall
• Option 3 – Separate VLANs

Page 10:

Outline

• Problem – Middleboxes are hard to deploy
• Solution
  – Overview
  – Challenges
  – Limitations
• Implementation & evaluation
• Related work

Page 11:

Policy-aware Switching Layer

1. Take middleboxes off-path
2. Separate policy from reachability

[Figure: existing mechanisms, with the firewall and load balancer on the path, versus the policy-aware switching layer of PSwitches with the firewall and load balancer attached off-path; example policy: HTTP (TCP port = 80) → Firewall → Load balancer]

Page 12:

PSwitch explicitly forwards packets to middleboxes

Policy (from the Centralized Policy Controller): HTTP → Firewall → Load balancer

[Figure: Core Router (R) – PSwitch – Web Server inside the data center, with Firewall (F) and Load Balancer (L) attached to the PSwitch; packet steps 0 to 3; the packet header carries Src:R on entry and Src:L after the load balancer]

Rule table

Match                  Next Hop
MAC R, port 80         F
Interface 1, port 80   L
MAC L, port 80         FinalDest

Page 13:

[Figure: data center with PSwitch A in front of a Web Server and PSwitch B in front of an ERP Server; Firewall, Load Balancer, Custom Firewall and Intrusion Prevention Box attached to the PSwitches]

Policies:
  HTTP → Firewall → Load balancer
  ERP → Custom Firewall → IPS

• Distributed forwarding
• Load-balancing middleboxes
• Different policies for different traffic

Page 14:

Challenges

1. Minimizing infrastructure changes
2. Non-transparent middleboxes
3. Guaranteeing correctness under churn

Page 15:

Guarantees under Churn

Churn sources: Network, Middlebox, Policy

• Packets never bypass middleboxes
• Some packets may be dropped

Page 16:

Limitations

• Indirect paths
• Policy specification complexity

Page 17:

Outline

• Problem – Middleboxes are hard to deploy
• Solution – Overview, Challenges, Limitations
• Implementation & evaluation
• Related work

Page 18:

Implementation

• PSwitches prototyped in

[Figure: PSwitch prototype; 750 Mbps, 0.3 milliseconds, 25 policies]

• Compared to software Ethernet switch
  – 82% TCP throughput
  – 16% latency increase
• Exploring hardware options

Page 19:

Validation of functionality

• 10 PCs with 4 network interfaces each

[Figure: physical topology of PSwitches, iptables firewalls, a BalanceNG load balancer, web servers and a client]

Page 20:

Logical topologies on same physical topology

[Figure: several logical topologies laid over the physical topology of Page 19]

Page 21:

Related Work

• Separation of policy and reachability: 4D, Routing Control Platform, Ethane
• Indirection: Internet Indirection Infrastructure, Delegation Oriented Architecture
• High-end switches: Cisco Catalyst 6500
• SIGCOMM 2008: SEATTLE, DCell, Commodity DC Network Architecture

Page 22:

Conclusion

• Deploying middleboxes is hard
• A new layer-2 with explicit middlebox support
  – Middleboxes taken off network path
  – Policy separated from reachability

Page 23:

Questions?

Page 24:

Backup Slides

Page 25:

Policy churn

• Conflicting policy updates

Version 1: HTTP → Load balancer → Firewall
Version 2: HTTP → Firewall → Load balancer

[Figure: PSwitch with the Firewall and Load Balancer attached; packet steps 0 to 3]

Version 1 rule table

Match                  Next Hop
Interface 0, port 80   L
Interface 2, port 80   F
Interface 1, port 80   FinalDest

Version 2 rule table

Match                  Next Hop
Interface 0, port 80   F
Interface 2, port 80   FinalDest
Interface 1, port 80   L

Page 26:

Intermediate middlebox types

• Guarantees traversal

Version 1: HTTP → Load balancer → Firewall
Version 2: HTTP → Firewall’ → Load balancer’

[Figure: PSwitch with the version 1 instances Firewall and Load Balancer and the version 2 instances Firewall’ and Load Balancer’ attached]
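The following is an added example, not code from the authors or their PSwitch prototype. It simulates the rule-table forwarding of Page 12 (a rule matches the previous hop a packet arrived from plus a traffic class and names the next middlebox, or FinalDest once the chain is done) and then replays the two backup slides: the conflicting version 1 / version 2 update of Page 25, where a packet already sent to the load balancer returns to a table that now says "from the load balancer → FinalDest" and so skips the firewall, and the intermediate middlebox types of Page 26, where the new version names fresh instances (F', L') so its rules cannot match packets returning from the old ones. Previous hops are identified here by name (interface "if0" for the core router, the middlebox instance name on return) rather than by the MAC-or-interface mix of the slide; the interface name, the chains and the tables are constructed for the example, and reading "guarantees traversal" as "old rules stay installed beside the new ones until in-flight packets drain" is an assumption.

```python
"""Added example (not the authors' code): PSwitch rule-table forwarding and
policy churn, after slides 12, 25 and 26.  Names and tables are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional

HTTP = ("tcp", 80)          # the "TCP port = 80" traffic class on the slides
FINAL = "FinalDest"         # the chain is complete; deliver to the destination


@dataclass(frozen=True)
class Rule:
    prev_hop: str           # interface or middlebox instance the packet came from
    traffic: tuple          # (protocol, port) selector
    next_hop: str           # middlebox instance, or FINAL


def compile_policy(ingress: str, traffic: tuple, chain: List[str]) -> List[Rule]:
    """Turn an ordered middlebox chain into previous-hop -> next-hop rules.

    Traffic from `ingress` goes to chain[0]; traffic returning from chain[i]
    goes to chain[i+1]; traffic returning from the last box goes to FINAL.
    """
    sources = [ingress] + chain
    targets = chain + [FINAL]
    return [Rule(src, traffic, dst) for src, dst in zip(sources, targets)]


def lookup(table: List[Rule], prev_hop: str, traffic: tuple) -> Optional[str]:
    """First matching rule wins; None means no rule, and the PSwitch drops."""
    for rule in table:
        if rule.prev_hop == prev_hop and rule.traffic == traffic:
            return rule.next_hop
    return None


def forward(table_at: Callable[[int], List[Rule]], ingress: str,
            traffic: tuple, max_hops: int = 8) -> List[str]:
    """Walk one packet through the PSwitch; return the middleboxes it visited.

    `table_at(hop)` is the rule table in force at the hop-th lookup, so a policy
    update landing while the packet sits inside a middlebox can be modelled.
    LookupError is the slides' "some packets may be dropped" outcome.
    """
    visited, prev = [], ingress
    for hop in range(max_hops):
        nxt = lookup(table_at(hop), prev, traffic)
        if nxt is None:
            raise LookupError(f"no rule for {traffic} arriving from {prev}")
        if nxt == FINAL:
            return visited
        visited.append(nxt)
        prev = nxt
    raise RuntimeError("forwarding loop")


def bypassed(chain: List[str], visited: List[str]) -> List[str]:
    """Middleboxes the policy required that the packet never passed through."""
    return [box for box in chain if box not in visited]


# Constructed scenario: "if0" is the core-router interface, F the firewall,
# L the load balancer.  The chains are the two versions on slide 25.
V1_CHAIN = ["L", "F"]              # version 1: HTTP -> Load balancer -> Firewall
V2_CHAIN = ["F", "L"]              # version 2: HTTP -> Firewall -> Load balancer
V2_PRIME_CHAIN = ["F'", "L'"]      # slide 26: version 2 on intermediate types
V1 = compile_policy("if0", HTTP, V1_CHAIN)
V2 = compile_policy("if0", HTTP, V2_CHAIN)
V2_PRIME = compile_policy("if0", HTTP, V2_PRIME_CHAIN)


def steady_state() -> List[str]:
    """No churn: the version-2 table sends the packet through F, then L."""
    return forward(lambda hop: V2, "if0", HTTP)


def churn_conflicting_update() -> List[str]:
    """The packet leaves for L under version 1; version 2 is installed before it
    returns, and version 2's "from L -> FinalDest" rule lets it skip F."""
    return forward(lambda hop: V1 if hop == 0 else V2, "if0", HTTP)


def churn_intermediate_types() -> List[str]:
    """Same update, but version 2 names fresh instances F' and L', so its rules
    never match a packet returning from the old L; with the old rules still
    installed beside the new ones the in-flight packet finishes under version 1."""
    return forward(lambda hop: V1 if hop == 0 else V1 + V2_PRIME, "if0", HTTP)


def churn_new_rules_only() -> Optional[List[str]]:
    """If the old rules are withdrawn at once, the in-flight packet matches
    nothing and is dropped: lost, but never delivered around the firewall."""
    try:
        return forward(lambda hop: V1 if hop == 0 else V2_PRIME, "if0", HTTP)
    except LookupError:
        return None


if __name__ == "__main__":
    print("steady state:", steady_state())
    path = churn_conflicting_update()
    print("conflicting update:", path, "bypassed:", bypassed(V1_CHAIN, path))
    path = churn_intermediate_types()
    print("intermediate types:", path, "bypassed:", bypassed(V1_CHAIN, path))
    print("new rules only:", churn_new_rules_only())
```

Running the block prints the three outcomes the slides contrast: the conflicting update delivers the packet having visited only L (the firewall is bypassed), the intermediate-type update delivers it after L and F, and withdrawing the old rules outright drops it. The invariant worth keeping in mind is the one on Page 15: a correct PSwitch may drop packets during churn, but must never produce a `bypassed()` result that is non-empty.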