際際滷

際際滷Share a Scribd company logo

Middlebox hate blog

Download as pptx, pdf
Justine Sherry
Justine Sherry

The document discusses issues with middleboxes such as violating the end-to-end principle, encouraging architectural ossification, and creating reachability and management complexity problems. However, middleboxes have also been successful due to desirable features they provide like security and performance. The document examines a study that tested the deployability of real TCP extensions and found that while some extensions like MPTCP may work, others are fragile and not safe to deploy due to interference from middleboxes ossifying the TCP protocol. There is debate around whether the study sufficiently represented real networks and if protocol ossification is fundamentally caused by middleboxes or the global nature of the internet. The future of middleboxes remains an open question.

1 of 31
Downloaded 10 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Middleboxes: Why all the Hate? Justine Sherry (Neither taking nor TAing this class, but somehow presenting.)
Middlebox hate blog
Middlebox hate blog
Middlebox hate blog
Why all the hate?
Why all the hate? Middleboxes violate the E2E principle. Middleboxes encourage architectural ossification. Middleboxes create reachability problems. Its like the formerly two-way Internet has a bunch of one- way streets. Middleboxes cause new and wonky failures. "Middleboxes create management complexity theyre just confusing to administer.
Quick Taxonomy Architectural Issues Managerial Issues Confusing & One-Way Expensive Complex Streets E2E Reliability Architectural Ossification
Hold up. These are a lot of issues! Why have middleboxes been so successful despite these problems? Whats good about them?
The Good Stuff The features they provide are desirable! Security, performance, etc. Ability to impose centralized, unilateral control over protocol usage, resource consumption, etc, /without/ control of end host itself. Ease of deployment . just drop in Nevertheless
Back to Our Taxonomy Architectural Issues Managerial Issues Confusing & One-Way Expensive Complex Streets E2E Reliability Protocol Ossification
Back to Our Taxonomy Architectural Issues Managerial Issues Confusing & One-Way Expensive Complex Streets E2E Reliability Protocol Ossification APLOMB (+Steves Discussion)
Back to Our Taxonomy Architectural Issues Managerial Issues Confusing & One-Way Expensive Complex Streets E2E Reliability Protocol Ossification Where Im headed with this. Lets go through these one-by-one.
The End to End Argument The function in question can completely and correctly be implemented only with the knowledge and help of the application standing at the end points of the communication system. Therefore, providing that questioned function as a feature of the communication system itself is not possible. (Sometimes an incomplete version of the function provided by the communication system may be useful as a performance enhancement.) We call this line of reasoning against low-level function implementation the "end-to-end argument." [Saltzer, Reed, and Clark 89]
The One-Way Street Problem Inbound connections to a host are blocked/filtered by a middlebox, but outbound connections work just fine.
The One-Way Street Problem Network address translation: Goal: allow multiple internal hosts to all share a public external IP address Problem: When an inbound SYN comes to the shared IP address, how do we know which host to send it to? Firewalls: Goal: protect internal hosts from traffic that appears malicious; e.g., destined to inbound ports that are often abused Problem: What if I really do want to enable SSH logins, host an IRC server, or run an FTP server on my internal server?
Is the One-Way Street Problem fundamental to middleboxes? Can we design middleboxes to solve the One-Way Street Problem?
Some Proposals Stuart Cheshire and Marc Krochmal. NAT Port Mapping Protocol (NAT-PMP). RFC Internet Draft. http://tools.ietf.org/html/draft-cheshire- nat-pmp-07 Michael Walfish, Jeremy Stribling, Maxwell Krohn, Hari Balakrishnan, Robert Morris, and Scott Shenker. 2004. Middleboxes no longer considered harmful. In Proceedings of the 6th conference on Symposium on Operating Systems Design & Implementation - Volume 6 (OSDI'04), Vol. 6. USENIX Association, Berkeley, CA, USA, 15-15. Justine Sherry, Daniel C. Kim, Seshadri S. Mahalingam, Amy Tang, Steve Wang and Sylvia Ratnasamy. Netcalls: End Host Function Calls to Network Traffic Processing Services. UC Berkeley Technical Report No. UCB/EECS-2012-175
Protocol Ossification Aha! Now she gets to the paper: Michio Honda, Yoshifumi Nishida, Costin Raiciu, Adam Greenhalgh, Mark Handley, and Hideyuki Tokuda. 2011. Is it still possible to extend TCP?. In Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference (IMC '11). ACM, New York, NY, USA, 181-194.
Protocol Ossification The great virtue of the Internet was always that it was stupid; it did no task especially well, but it was extremely 鍖exible and general, allowing a proliferation of protocols and applications that the original designers could never have foreseen. [Honda et al. IMC 04]
Protocol Ossification To improve performance, reduce security exposure, enhance control, and work around address space shortages, the Internet has experienced an invasion of middleboxes that do care about what the packets contain, and perform processing at layer 4 or higher within the network. [Honda et al. IMC 04]
The Paper (1 際際滷 Summary) Question: Is it true that middleboxes are threatening our ability to upgrade or evolve TCP? Answer: Yes, in some cases. Ran several tests with non-traditional TCP behaviors (missing segments, TCP options) to test deployability of three real TCP extensions We 鍖nd that MPTCP is likely to work correctly in the Internet or fall-back to regular TCP. TcpCrypt seems ready to be deployed, however it is fragile if resegmentation does happen - for instance with hardware of鍖oad. Finally, TCP extended options in its current form is not safe to deploy.
Why I love this paper Vague claims about architectural issues abound. Middleboxes can or might interfere is different than middleboxes do interfere. This paper took a piece of common wisdom that was thrown around, and thoroughly demonstrated through measurements to what extent it was a problem and how so. Further, their examples arent toys these guys attack the problem as real protocol designers who are trying to get their stuff deployed, and middleboxes are giving them heck.
On to your 界看馨馨艶稼岳壊
Is the data representative? I was not very happy with the dataset used for the experiments. First, the sample size is too small and not divergent enough. (just about everyone) Second, the authors target access networks. But it is anecdotally known that most middleboxes in the Internet are deployed in enterprise (server? datacenter?) networks. While my ex-company had literally thousands of customers, the revenue from consumer ISPs was really tiny. Deploying middleboxes in access networks is not cost-effective (middleboxes are expensive), somewhat pointless (what is the return for the ISP?), politically disputable (network neutrality), and potentially dangerous (dear QA, my online game doesnt work anymore!).
Do we actually need to extend TCP? From an evolveability perspective, the deployment of entirely new transport protocols seems more interesting than the deployment of incremental options to TCP. Has anyone done a study of middlebox's effect on entirely unknown transport protocols? I think this problem could be important if people are still struggling to modify TCP...
To what extent is solving this in the hands of MB vendors? I feel like middleboxes, as elements and players of network, should also follow their own rules, to simplify the work of others and be enablers of network evolution, rather than black boxes and impediments This makes me wonder whether middlebox badness is that big a deal? Isn't it just a matter of fixing a few middleboxes that were not behaving properly? By raising the issue now, it's possible to influence how vendors implement it as it becomes more widely available
Are middleboxes the problem? While I agree that it has become difficult to expand network functionality, I am not fully convinced that middleboxes are the primary cause of this problem. Rather, I think the global nature of modern networks is what makes it hard to implement new features: you need to reach global agreement and acceptance, followed by worldwide deployment to make use of new network features. In my mind, middleboxes play an extremely small role in this regard, and thus, I don't fully buy in to the authors' arguments.
Is it still possible to extend TCP? What do you think? What do the authors think?
Back to Protocol Ossification: is protocol ossification fundamental to middleboxes? Can we redesign things such that it isnt a problem?
Whats next for middleboxes? Should we throw them out? Follow the status quo? Do something in the middle?
Justine still loves middleboxes.

More Related Content

Similar to Middlebox hate blog (20)

PPTX
Innovation is back in the transport and network layers
Olivier Bonaventure
PPTX
RING-TOPOLOGY.pptx
RaymondPuno1
PDF
Disadvantages And Disadvantages Of Wireless Networked And...
Kimberly Jones
PDF
CN R16 -UNIT-6.pdf
Joshuaeeda1
PPT
Networking Basics
R G Mani
PDF
Extending TCP the Major Protocol of Transport Layer
Scientific Review
PDF
Extending TCP the Major Protocol of Transport Layer
Scientific Review SR
PDF
Future Cities Conference卒13 / Peter Steenkiste - "The eXpressive Internet Arc...
Future Cities Project
PDF
Networking Standards ( Osi Layers )
Renee Jones
PDF
Open System Interconnection Model Essay
Jessica Deakin
PDF
Some Notes on New IP
Richard Renwei Li
PDF
Network File System Version 4.2
Nicole Gomez
PDF
An Introduction to RINA
Scott Foster
PDF
10 fn tut1
Scott Foster
PPTX
Topic02-Architecture.pptx
ImXaib
PPT
Practical Routers and Switches (Including TCP/IP and Ethernet) for Engineers ...
Living Online
PPT
Nad710 Introduction To Networks Using Linux
tmavroidis
PDF
Computer Networks An Open Source Approach 1st Edition Ying-Dar Lin
btocilo
DOC
Ccna complete notes
thetechnicalzone
DOCX
1. Software-Defined Networks (SDN) is a new paradigm in network ma.docx
jackiewalcutt
Innovation is back in the transport and network layers
Olivier Bonaventure
RING-TOPOLOGY.pptx
RaymondPuno1
Disadvantages And Disadvantages Of Wireless Networked And...
Kimberly Jones
CN R16 -UNIT-6.pdf
Joshuaeeda1
Networking Basics
R G Mani
Extending TCP the Major Protocol of Transport Layer
Scientific Review
Extending TCP the Major Protocol of Transport Layer
Scientific Review SR
Future Cities Conference卒13 / Peter Steenkiste - "The eXpressive Internet Arc...
Future Cities Project
Networking Standards ( Osi Layers )
Renee Jones
Open System Interconnection Model Essay
Jessica Deakin
Some Notes on New IP
Richard Renwei Li
Network File System Version 4.2
Nicole Gomez
An Introduction to RINA
Scott Foster
10 fn tut1
Scott Foster
Topic02-Architecture.pptx
ImXaib
Practical Routers and Switches (Including TCP/IP and Ethernet) for Engineers ...
Living Online
Nad710 Introduction To Networks Using Linux
tmavroidis
Computer Networks An Open Source Approach 1st Edition Ying-Dar Lin
btocilo
Ccna complete notes
thetechnicalzone
1. Software-Defined Networks (SDN) is a new paradigm in network ma.docx
jackiewalcutt

Middlebox hate blog

  • 1. Middleboxes: Why all the Hate? Justine Sherry (Neither taking nor TAing this class, but somehow presenting.)
  • 5. Why all the hate?
  • 6. Why all the hate? Middleboxes violate the E2E principle. Middleboxes encourage architectural ossification. Middleboxes create reachability problems. Its like the formerly two-way Internet has a bunch of one- way streets. Middleboxes cause new and wonky failures. "Middleboxes create management complexity theyre just confusing to administer.
  • 7. Quick Taxonomy Architectural Issues Managerial Issues Confusing & One-Way Expensive Complex Streets E2E Reliability Architectural Ossification
  • 8. Hold up. These are a lot of issues! Why have middleboxes been so successful despite these problems? Whats good about them?
  • 9. The Good Stuff The features they provide are desirable! Security, performance, etc. Ability to impose centralized, unilateral control over protocol usage, resource consumption, etc, /without/ control of end host itself. Ease of deployment . just drop in Nevertheless
  • 10. Back to Our Taxonomy Architectural Issues Managerial Issues Confusing & One-Way Expensive Complex Streets E2E Reliability Protocol Ossification
  • 11. Back to Our Taxonomy Architectural Issues Managerial Issues Confusing & One-Way Expensive Complex Streets E2E Reliability Protocol Ossification APLOMB (+Steves Discussion)
  • 12. Back to Our Taxonomy Architectural Issues Managerial Issues Confusing & One-Way Expensive Complex Streets E2E Reliability Protocol Ossification Where Im headed with this. Lets go through these one-by-one.
  • 13. The End to End Argument The function in question can completely and correctly be implemented only with the knowledge and help of the application standing at the end points of the communication system. Therefore, providing that questioned function as a feature of the communication system itself is not possible. (Sometimes an incomplete version of the function provided by the communication system may be useful as a performance enhancement.) We call this line of reasoning against low-level function implementation the "end-to-end argument." [Saltzer, Reed, and Clark 89]
  • 14. The One-Way Street Problem Inbound connections to a host are blocked/filtered by a middlebox, but outbound connections work just fine.
  • 15. The One-Way Street Problem Network address translation: Goal: allow multiple internal hosts to all share a public external IP address Problem: When an inbound SYN comes to the shared IP address, how do we know which host to send it to? Firewalls: Goal: protect internal hosts from traffic that appears malicious; e.g., destined to inbound ports that are often abused Problem: What if I really do want to enable SSH logins, host an IRC server, or run an FTP server on my internal server?
  • 16. Is the One-Way Street Problem fundamental to middleboxes? Can we design middleboxes to solve the One-Way Street Problem?
  • 17. Some Proposals Stuart Cheshire and Marc Krochmal. NAT Port Mapping Protocol (NAT-PMP). RFC Internet Draft. http://tools.ietf.org/html/draft-cheshire- nat-pmp-07 Michael Walfish, Jeremy Stribling, Maxwell Krohn, Hari Balakrishnan, Robert Morris, and Scott Shenker. 2004. Middleboxes no longer considered harmful. In Proceedings of the 6th conference on Symposium on Operating Systems Design & Implementation - Volume 6 (OSDI'04), Vol. 6. USENIX Association, Berkeley, CA, USA, 15-15. Justine Sherry, Daniel C. Kim, Seshadri S. Mahalingam, Amy Tang, Steve Wang and Sylvia Ratnasamy. Netcalls: End Host Function Calls to Network Traffic Processing Services. UC Berkeley Technical Report No. UCB/EECS-2012-175
  • 18. Protocol Ossification Aha! Now she gets to the paper: Michio Honda, Yoshifumi Nishida, Costin Raiciu, Adam Greenhalgh, Mark Handley, and Hideyuki Tokuda. 2011. Is it still possible to extend TCP?. In Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference (IMC '11). ACM, New York, NY, USA, 181-194.
  • 19. Protocol Ossification The great virtue of the Internet was always that it was stupid; it did no task especially well, but it was extremely 鍖exible and general, allowing a proliferation of protocols and applications that the original designers could never have foreseen. [Honda et al. IMC 04]
  • 20. Protocol Ossification To improve performance, reduce security exposure, enhance control, and work around address space shortages, the Internet has experienced an invasion of middleboxes that do care about what the packets contain, and perform processing at layer 4 or higher within the network. [Honda et al. IMC 04]
  • 21. The Paper (1 際際滷 Summary) Question: Is it true that middleboxes are threatening our ability to upgrade or evolve TCP? Answer: Yes, in some cases. Ran several tests with non-traditional TCP behaviors (missing segments, TCP options) to test deployability of three real TCP extensions We 鍖nd that MPTCP is likely to work correctly in the Internet or fall-back to regular TCP. TcpCrypt seems ready to be deployed, however it is fragile if resegmentation does happen - for instance with hardware of鍖oad. Finally, TCP extended options in its current form is not safe to deploy.
  • 22. Why I love this paper Vague claims about architectural issues abound. Middleboxes can or might interfere is different than middleboxes do interfere. This paper took a piece of common wisdom that was thrown around, and thoroughly demonstrated through measurements to what extent it was a problem and how so. Further, their examples arent toys these guys attack the problem as real protocol designers who are trying to get their stuff deployed, and middleboxes are giving them heck.
  • 23. On to your 界看馨馨艶稼岳壊
  • 24. Is the data representative? I was not very happy with the dataset used for the experiments. First, the sample size is too small and not divergent enough. (just about everyone) Second, the authors target access networks. But it is anecdotally known that most middleboxes in the Internet are deployed in enterprise (server? datacenter?) networks. While my ex-company had literally thousands of customers, the revenue from consumer ISPs was really tiny. Deploying middleboxes in access networks is not cost-effective (middleboxes are expensive), somewhat pointless (what is the return for the ISP?), politically disputable (network neutrality), and potentially dangerous (dear QA, my online game doesnt work anymore!).
  • 25. Do we actually need to extend TCP? From an evolveability perspective, the deployment of entirely new transport protocols seems more interesting than the deployment of incremental options to TCP. Has anyone done a study of middlebox's effect on entirely unknown transport protocols? I think this problem could be important if people are still struggling to modify TCP...
  • 26. To what extent is solving this in the hands of MB vendors? I feel like middleboxes, as elements and players of network, should also follow their own rules, to simplify the work of others and be enablers of network evolution, rather than black boxes and impediments This makes me wonder whether middlebox badness is that big a deal? Isn't it just a matter of fixing a few middleboxes that were not behaving properly? By raising the issue now, it's possible to influence how vendors implement it as it becomes more widely available
  • 27. Are middleboxes the problem? While I agree that it has become difficult to expand network functionality, I am not fully convinced that middleboxes are the primary cause of this problem. Rather, I think the global nature of modern networks is what makes it hard to implement new features: you need to reach global agreement and acceptance, followed by worldwide deployment to make use of new network features. In my mind, middleboxes play an extremely small role in this regard, and thus, I don't fully buy in to the authors' arguments.
  • 28. Is it still possible to extend TCP? What do you think? What do the authors think?
  • 29. Back to Protocol Ossification: is protocol ossification fundamental to middleboxes? Can we redesign things such that it isnt a problem?
  • 30. Whats next for middleboxes? Should we throw them out? Follow the status quo? Do something in the middle?
  • 31. Justine still loves middleboxes.

Editor's Notes

  • #6: Ask the class to list off reasons perhaps write on whiteboard?
  • #8: Colin is going to argue that there is overlap between these two sets of concerns and I think thats fair.
  • #9: <Discuss>
  • #10: <Discuss>
  • #11: Colin is going to argue that there is overlap between these two sets of concerns and I think thats fair.
  • #12: The managerial issues stem from the assumption that middleboxes are the right way to do things, and only deal with making them work well /once we have them/.The architectural issues more challenge whether or not middleboxes, as they stand, are the right way to do things at all.
  • #13: The managerial issues stem from the assumption that middleboxes are the way to do things, and only deal with making them work well /once we have them/.The architectural issues more challenge whether or not middleboxes, as they stand, are the right way to do things at all.
  • #14: Do Middleboxes violate End to End? Broader question than just one way streets or ossification.
  • #15: Assume everyone understands this problem fairly well; can whiteboard it if people are confused.
  • #16: Assume everyone understands this problem fairly well; can whiteboard it if people are confused.
  • #17: <Discuss>
  • #18: I will not describe only but briefly, putting the cites here so that people can look up later if they want.NAT-PMP is a per-MB solution; the later two are research proposals that suggest big architectural changes.
  • #23: I agree that the middle is super detailed but that is almost a pro for the case. Are we really going to have to worry about this stuff whenever we deploy a new TCP? Shouldnt the Internet just play dumb and let us be?
  • #31: Do Middleboxes violate End to End?
About
息 2025 際際滷