FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions

Seyed Kaveh Fayazbakhsh
Vyas Sekar
Minlan Yu
Proc. ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN), ACM (2013)

Abstract

Past studies show that middleboxes are a critical piece of network infrastructure for providing security and performance guarantees. Unfortunately, the dynamic and traffic-dependent modifications induced by middleboxes (e.g., a NAT rewriting source addresses, or a proxy serving some requests from its cache) make it difficult to reason about the correctness of network-wide policy enforcement (e.g., access control, accounting, and performance diagnostics), because a downstream switch can no longer tell from the packet headers which host or which middlebox-internal state the traffic came from. Using practical application scenarios, we argue that we need a flow tracking capability to ensure consistent policy enforcement in the presence of such dynamic traffic modifications. To this end, we propose FlowTags, an extended SDN architecture in which middleboxes add Tags to outgoing packets, to provide the necessary causal context (e.g., source hosts or internal cache hit/miss state). These Tags are used on switches and (other) middleboxes for systematic policy enforcement. We discuss the early promise of minimally extending middleboxes to provide this support. We also highlight open challenges in the design of southbound and northbound FlowTags APIs; new control-layer applications for enforcing and verifying policies; and automatically modifying legacy middleboxes to support FlowTags.
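The following is an added toy model, not code from the paper or its authors, of the problem the abstract describes and of the tag-based fix. It assumes a constructed two-host network (10.0.0.1 and 10.0.0.2) behind a NAT whose public address is 192.0.2.1, a constructed policy that host 10.0.0.2's traffic must traverse an IDS while 10.0.0.1 may bypass it, a downstream switch that forwards by default when no rule matches, and a controller that allocates tags and records the originating host each tag stands for. Everything else (class names, the tag allocation scheme, the fail-closed default on the tag-aware switch) is an assumption made for the illustration, not part of the FlowTags design as published.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    tag: Optional[int] = None  # FlowTags-style tag; None means the packet is untagged


# Constructed network-wide policy, keyed on the ORIGINAL source host:
# "ids" = must traverse the IDS, "direct" = may be forwarded without inspection.
HOST_POLICY: Dict[str, str] = {"10.0.0.1": "direct", "10.0.0.2": "ids"}
NAT_PUBLIC_IP = "192.0.2.1"  # constructed address the NAT rewrites every source to


class Controller:
    """Assumed controller: hands out tags and remembers the causal context
    (here, the originating host) that each tag stands for."""

    def __init__(self) -> None:
        self.tag_context: Dict[int, str] = {}
        self._next_tag = 1

    def tag_for(self, src_ip: str) -> int:
        """Return the tag already assigned to src_ip, or allocate a new one."""
        for tag, host in self.tag_context.items():
            if host == src_ip:
                return tag
        tag = self._next_tag
        self._next_tag += 1
        self.tag_context[tag] = src_ip
        return tag

    def switch_rules(self) -> Dict[int, str]:
        """Tag-based rules the controller installs on downstream switches,
        derived from the policy on the original hosts."""
        return {tag: HOST_POLICY[host] for tag, host in self.tag_context.items()}


class NAT:
    """Middlebox that rewrites the source address. With a controller attached it
    also stamps each packet with a tag encoding the original source; without
    one it behaves like a legacy NAT and the context is lost."""

    def __init__(self, public_ip: str, controller: Optional[Controller] = None) -> None:
        self.public_ip = public_ip
        self.controller = controller

    def process(self, pkt: Packet) -> Packet:
        tag = pkt.tag
        if self.controller is not None:
            tag = self.controller.tag_for(pkt.src_ip)  # capture context before rewriting
        return Packet(src_ip=self.public_ip, dst_ip=pkt.dst_ip, tag=tag)


def legacy_switch(pkt: Packet) -> str:
    """Switch matching on source IP; assumed to forward when no rule matches.
    After the NAT every packet carries the same source, so 10.0.0.2's traffic
    silently bypasses the IDS."""
    return HOST_POLICY.get(pkt.src_ip, "direct")


def flowtags_switch(pkt: Packet, rules: Dict[int, str]) -> str:
    """Switch matching on the tag instead of the rewritten header; assumed
    fail-closed for tags the controller has not installed a rule for."""
    return rules.get(pkt.tag, "drop")


def run(flowtags: bool) -> Dict[str, str]:
    """Send one packet from each host through the NAT and report the action the
    downstream switch takes, keyed by the ORIGINAL source host."""
    controller = Controller() if flowtags else None
    nat = NAT(NAT_PUBLIC_IP, controller)
    decisions: Dict[str, str] = {}
    for host in HOST_POLICY:
        out = nat.process(Packet(src_ip=host, dst_ip="198.51.100.7"))
        if controller is not None:
            decisions[host] = flowtags_switch(out, controller.switch_rules())
        else:
            decisions[host] = legacy_switch(out)
    return decisions


if __name__ == "__main__":
    print("legacy  :", run(flowtags=False))  # both hosts look alike: 10.0.0.2 bypasses the IDS
    print("flowtags:", run(flowtags=True))   # {'10.0.0.1': 'direct', '10.0.0.2': 'ids'}
```

The legacy run shows the failure mode the abstract warns about: the policy is stated on hosts, the NAT destroys the host identity, and the switch cannot enforce it. The FlowTags run moves the decision onto a tag that the middlebox attaches while it still has the context, so the same policy is enforced after the rewrite. A real deployment would also need the tag to travel in a header field the switches can match on and an agreed tag space between controller and middleboxes, which this model does not address.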
