TY - GEN
T1 - Dynamic service chaining with dysco
AU - Zave, Pamela
AU - Ferreira, Ronaldo A.
AU - Zou, Xuan Kelvin
AU - Morimoto, Masaharu
AU - Rexford, Jennifer L.
N1 - Funding Information:
We thank our shepherd Vyas Sekar and the anonymous SIGCOMM reviewers for their valuable feedback. We also thank Mina Arashloo, Bharath Balasubramanian, Jennifer Gossels, Rob Harrison, Yaron Koral, Robert MacDavid, and Shankaranarayanan Narayanan for their feedback on earlier drafts of this paper. This work was supported in part by NSF grant CNS-116112, and by the Brazilian National Council for Scientific and Technological Development (CNPq) proc. 201983/2014-1.
Publisher Copyright:
© 2017 ACM.
PY - 2017/8/7
Y1 - 2017/8/7
N2 - Middleboxes are crucial for improving network security and performance, but only if the right traffic goes through the right middleboxes at the right time. Existing traffic-steering techniques rely on a central controller to install fine-grained forwarding rules in network elements, at the expense of a large number of rules, a central point of failure, challenges in ensuring all packets of a session traverse the same middleboxes, and difficulties with middleboxes that modify the "five tuple." We argue that a session-level protocol is a fundamentally better approach to traffic steering, while naturally supporting host mobility and multihoming in an integrated fashion. In addition, a session-level protocol can enable new capabilities like dynamic service chaining, where the sequence of middleboxes can change during the life of a session, e.g., to remove a load-balancer that is no longer needed, replace a middlebox undergoing maintenance, or add a packet scrubber when traffic looks suspicious. Our Dysco protocol steers the packets of a TCP session through a service chain, and can dynamically reconfigure the chain for an ongoing session. Dysco requires no changes to end-host and middlebox applications, host TCP stacks, or IP routing. Dysco's distributed reconfiguration protocol handles the removal of proxies that terminate TCP connections, middleboxes that change the size of a byte stream, and concurrent requests to reconfigure different parts of a chain. Through formal verification using Spin and experiments with our Linux-based prototype, we show that Dysco is provably correct, highly scalable, and able to reconfigure service chains across a range of middleboxes.
AB - Middleboxes are crucial for improving network security and performance, but only if the right traffic goes through the right middleboxes at the right time. Existing traffic-steering techniques rely on a central controller to install fine-grained forwarding rules in network elements, at the expense of a large number of rules, a central point of failure, challenges in ensuring all packets of a session traverse the same middleboxes, and difficulties with middleboxes that modify the "five tuple." We argue that a session-level protocol is a fundamentally better approach to traffic steering, while naturally supporting host mobility and multihoming in an integrated fashion. In addition, a session-level protocol can enable new capabilities like dynamic service chaining, where the sequence of middleboxes can change during the life of a session, e.g., to remove a load-balancer that is no longer needed, replace a middlebox undergoing maintenance, or add a packet scrubber when traffic looks suspicious. Our Dysco protocol steers the packets of a TCP session through a service chain, and can dynamically reconfigure the chain for an ongoing session. Dysco requires no changes to end-host and middlebox applications, host TCP stacks, or IP routing. Dysco's distributed reconfiguration protocol handles the removal of proxies that terminate TCP connections, middleboxes that change the size of a byte stream, and concurrent requests to reconfigure different parts of a chain. Through formal verification using Spin and experiments with our Linux-based prototype, we show that Dysco is provably correct, highly scalable, and able to reconfigure service chains across a range of middleboxes.
KW - NFV
KW - Session Protocol
KW - Spin
KW - Verification
UR - http://www.scopus.com/inward/record.url?scp=85029429704&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85029429704&partnerID=8YFLogxK
U2 - 10.1145/3098822.3098827
DO - 10.1145/3098822.3098827
M3 - Conference contribution
AN - SCOPUS:85029429704
T3 - SIGCOMM 2017 - Proceedings of the 2017 Conference of the ACM Special Interest Group on Data Communication
SP - 57
EP - 70
BT - SIGCOMM 2017 - Proceedings of the 2017 Conference of the ACM Special Interest Group on Data Communication
PB - Association for Computing Machinery, Inc
T2 - 2017 Conference of the ACM Special Interest Group on Data Communication, SIGCOMM 2017
Y2 - 21 August 2017 through 25 August 2017
ER -