DOI: 10.1145/2342356.2342359

Making middleboxes someone else's problem: network processing as a cloud service

Published: 13 August 2012

Abstract

Modern enterprises almost ubiquitously deploy middlebox processing services to improve security and performance in their networks. Despite this, we find that today's middlebox infrastructure is expensive, complex to manage, and creates new failure modes for the networks that use them. Given the promise of cloud computing to decrease costs, ease management, and provide elasticity and fault-tolerance, we argue that middlebox processing can benefit from outsourcing to the cloud. Arriving at a feasible implementation, however, is challenging due to the need to achieve functional equivalence with traditional middlebox deployments without sacrificing performance or increasing network complexity.
In this paper, we motivate, design, and implement APLOMB, a practical service for outsourcing enterprise middlebox processing to the cloud.
Our discussion of APLOMB is data-driven, guided by a survey of 57 enterprise networks, the first large-scale academic study of middlebox deployment. We show that APLOMB solves real problems faced by network administrators, can outsource over 90% of middlebox hardware in a typical large enterprise network, and, in a case study of a real enterprise, imposes an average latency penalty of 1.1ms and median bandwidth inflation of 3.8%.

Supplementary Material

JPG File (sigcomm-i-02-networkprocessingasacloudservice.jpg)
MP4 File (sigcomm-i-02-networkprocessingasacloudservice.mp4)



    Published In

    SIGCOMM '12: Proceedings of the ACM SIGCOMM 2012 conference on Applications, technologies, architectures, and protocols for computer communication
    August 2012
    474 pages
    ISBN:9781450314190
    DOI:10.1145/2342356

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. cloud
    2. middlebox
    3. outsourcing

    Qualifiers

    • Research-article

    Conference

    SIGCOMM '12
    Sponsor:
    SIGCOMM '12: ACM SIGCOMM 2012 Conference
    August 13 - 17, 2012
    Helsinki, Finland

    Acceptance Rates

    Overall Acceptance Rate 462 of 3,389 submissions, 14%
