1

The Middlebox Manifesto:Enabling Innovation in Middlebox Deployment

Vyas Sekar Sylvia Ratnasamy Michael Reiter Norbert Egi Guangyu Shi

2

Growing literature on network innovation

Build programmable elements using commodity hardware

e.g., PacketShader, RouterBricks, ServerSwitch, SwitchBlade

Centralized management with open interfaces

e.g., 4D, NOX/OpenFlow, RCP

3

Type of appliance NumberFirewalls 166NIDS 127Media gateways 110Load balancers 67Proxies 66VPN gateways 45WAN Optimizers 44Voice gateways 11Total Middleboxes 636Total routers ~900

Most innovation today: Middleboxes!Data from a large enterprise: >80K users across tens of sites

Just network security ~ 6 billion $ (2010) 10 billion $ (2016)

4

Type of appliance Number

Firewalls 166

NIDS 127

Media gateways 110

Load balancers 67

Proxies 66

VPN gateways 45

WAN Optimizers 44

Voice gateways 11

Middleboxes are valuable, but have many painpoints

1. Device Sprawl, High CapEx

2. High OpExe.g., separate management teamsneed manual tuning

3. Inflexible, difficult to extend need for new boxes!

?“consumerization”

• Most network innovation occurs via middleboxes– Not by changes to routers or switches

• Suffer similar, and maybe more, pain points– Significant capital and operating expenses– Narrow, closed management interfaces – Difficult to extend

• Surprisingly MIA in the innovation discussion

5

The Middlebox Manifesto

• Most network innovation occurs via middleboxes– Not via routers or switches

• Suffer almost same, if not more, pain points– Too many of them– Narrow, closed interfaces & difficult to extend– Significant capital and operating expenses

• Surprisingly MIA in the innovation discussion

6

The Middlebox Manifesto

How to build?

How to manage?

Our vision: Enabling innovation in middlebox deployments

7

Network-WideManagement

1. Software-centric implementations 2. Consolidated

physical platform

3. Logically centralized open management APIs

Easy to deploy, extendReduce sprawl

Direct control, expressive

Our vision: Enabling innovation in middlebox deployments

8

Network-WideManagement

1. Software-centric implementations 2. Consolidated

physical platform

3. Logically centralized open management APIs

Easy to deploy, extendReduce sprawl

Direct control, expressive

In a general context, ideas aren’t especially new!But, middleboxes raise new opportunities and challenges

New Efficiency Opportunities• “Software-centric”, “extensible” sounds nice ..

• But, usually very resource inefficient– Compared to “specialized” solutions

• New efficiency avenues, at least for middleboxes– Multiplexing– Reuse– Spatial distribution

9

Opportunity 1: Multiplexing Benefits

10

Multiplexing benefit = 1 - Peak_Sum / Sum_Peak = 28%

Opportunity 2: Reusing Modules

11

Session Management

Protocol Parsers

VPN Web Mail IDS Proxy

Firewall

How much traffic overlap? > 60 %Contribution of reusable modules? 18 – 54 %

New Challenges

12

Network-wide Management

Session

Protocol

Extensible functions Standalone functions

Heterogeneity Complex processingPolicy constraints

Challenges in Management

13

Network-wide Management

Session

Protocol

Extensible functions Standalone functions

Policydependencies?e.g. IDS < Proxy

What is aminimal interface?

Is it tractable?e.g., reuse

Challenges in Single-box Design

14

Session

Protocol

Extensible functions Standalone functions

Accelerators?

Primitives? Performance,Isolation?

• Most network innovation occurs via middleboxes– Little presence in the innovation discussion!

• Our vision:– Software-based, consolidated– Logically unified, open management APIs

• New opportunities – Multiplexing, reuse, and spatial distribution

• Practical challenges: Management + Platform15

Conclusions