FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions
Abstract
Past studies show that middleboxes are a critical piece of network infrastructure for providing security and performance guarantees. Unfortunately, the dynamic and traffic-dependent modifications induced by middleboxes make it difficult to reason about the correctness of network-wide policy enforcement (e.g., access control, accounting, and performance diagnostics). Using practical application scenarios, we argue that we need a flow tracking capability to ensure consistent policy enforcement in the presence of such dynamic traffic modifications. To this end, we propose FlowTags, an extended SDN architecture in which middleboxes add Tags to outgoing packets, to provide the necessary causal context (e.g., source hosts or internal cache/miss state). These Tags are used on switches and (other) middleboxes for systematic policy enforcement. We discuss the early promise of minimally extending middleboxes to provide this support. We also highlight open challenges in the design of southbound and northbound FlowTags APIs; new control-layer applications for enforcing and verifying policies; and automatically modifying legacy middleboxes to support FlowTags.
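A toy model of the problem and mechanism the abstract describes, written as an added example (it is not code from the FlowTags paper): a NAT middlebox rewrites the source address, so a downstream switch ACL keyed on the originating host can no longer be applied; when the NAT attaches a Tag and exports the tag-to-origin mapping, the switch enforces the same policy on the Tag. The packet layout, tag encoding, hosts and policy are constructed assumptions.

```python
"""Toy FlowTags model: a NAT middlebox hides the originating host, which
breaks a source-based ACL; a Tag carrying that causal context restores it.
Added example; the Tag field, addresses and policy are constructed."""
from dataclasses import dataclass, replace
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    tag: Optional[int] = None  # FlowTags-style Tag; None if no middlebox tagged it

# Constructed policy keyed on the *originating* host.
POLICY_BY_SRC = {"10.0.0.1": "ALLOW", "10.0.0.2": "BLOCK"}

class NAT:
    """Middlebox that rewrites every source to one shared public address."""
    def __init__(self, public_ip, tagging=False):
        self.public_ip = public_ip
        self.tagging = tagging
        self.tag_table = {}   # Tag -> original source, exported to the controller
        self._next_tag = 1

    def process(self, pkt):
        out = replace(pkt, src=self.public_ip)   # dynamic modification
        if self.tagging:
            tag, self._next_tag = self._next_tag, self._next_tag + 1
            self.tag_table[tag] = pkt.src        # record the causal context
            out.tag = tag
        return out

def switch_decide_legacy(pkt):
    """ACL on the post-NAT source: the origin is gone, so no rule matches."""
    return POLICY_BY_SRC.get(pkt.src, "UNKNOWN")

def switch_decide_flowtags(pkt, tag_table):
    """ACL that resolves the Tag to its origin via the controller-installed table."""
    origin = tag_table.get(pkt.tag)
    return POLICY_BY_SRC.get(origin, "UNKNOWN")

def run(tagging):
    """Send one packet per host through the NAT and return the switch's verdicts."""
    nat = NAT("203.0.113.5", tagging=tagging)
    if tagging:
        decide = lambda p: switch_decide_flowtags(p, nat.tag_table)
    else:
        decide = switch_decide_legacy
    return {src: decide(nat.process(Packet(src, "198.51.100.9")))
            for src in POLICY_BY_SRC}

if __name__ == "__main__":
    print("legacy  :", run(False))   # every host collapses to UNKNOWN
    print("flowtags:", run(True))    # per-host policy enforced again
```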