Module 10: How Middleboxes Impact Performance

WHAT IS A MIDDLEBOX?
What is a middlebox?
• “Any intermediate device performing functions other than the normal, standard functions of an IP router on the datagram path between a source host and a destination host.” – Network Working Group, RFC 3234, Middleboxes: Taxonomy and Issues.
[Diagram: Source -> Network 1 -> Middlebox -> Network 2 -> Destination]

WHAT DO MIDDLEBOXES DO?
Middleboxes may:
• Drop, insert or modify packets.
• Terminate one IP packet flow and originate another.
• Transform or divert an IP packet flow in some way.
Middleboxes are never the ultimate end-system of an application session.

EXAMPLES OF MIDDLEBOXES
• Firewalls
• Network Address Translators
• Traffic Shapers
• Load Balancers

MIDDLEBOXES AND ‘CLASSIC’ TCP/IP
Traditionally:
• Networks have ceded control to the end-points of a connection.
• The only function carried out ‘in the middle’ was IP routing.
Middleboxes change this:
• They spread functionality throughout the network.

WHAT ISSUES DO MIDDLEBOXES INTRODUCE?
Challenges represented by middleboxes:
• Networking protocols were not designed with middleboxes in mind.
• We have to deal with connections that are compromised by crashed middleboxes.
• Middleboxes are often hidden points of failure.
• Middleboxes may require configuration and management.
• You must take middleboxes into account when diagnosing network failures or poor performance.
• Some key services may not operate ‘through’ middleboxes (e.g. video conferencing).

FIREWALLS
A firewall is an agent that screens network traffic, blocking traffic that it believes to be inappropriate or dangerous.
Examples:
• Block telnet connections from the internet
• Block FTP connections to the internet from internal systems not authorised to send files
• Act as an intermediate server handling SMTP and HTTP connections
Firewalls can be divided into two categories:
• IP Firewalls
• Application Firewalls

FIREWALLS IN THE PATH: EXAMPLE
[Diagram: a video conference connection crossing Campus X Network, NREN A Network, the Backbone Network, NREN B Network and Campus Y Network]
Firewalls along such a path are potential obstacles to (UDP) media streams.

IP FIREWALLS
Features of an IP firewall:
• Simplest form of firewall, usually contained in a router
• Inspects each individual packet’s IP and transport headers, and decides whether to forward or discard it based on configured policies
Examples:
• Disallows incoming traffic to certain port numbers
• Disallows traffic to certain subnets
• Does not alter the packets it allows through
• Not visible as a protocol end-point
By rejecting some packets, an IP firewall may cause connectivity problems that are difficult to identify and resolve.

APPLICATION FIREWALLS
Features of an application firewall:
• Acts as protocol end-point and relay
• E.g. SMTP client / server or web proxy agent
• May:
  • Implement a ‘safe’ subset of the protocol
  • Perform extensive protocol validity checks
  • Use an implementation methodology to minimise the likelihood of bugs
  • Run in an insulated ‘safe’ environment

PROBLEMS ASSOCIATED WITH FIREWALLS
ICMP (Internet Control Message Protocol) messages are often blocked, as they may be perceived as a security risk.
• Applications dependent upon them, such as PING, will return fallacious results
• Path discovery black holes can be created
• Legitimate traffic can be delayed or completely blocked

NETWORK ADDRESS TRANSLATORS
What does a Network Address Translator do?
• Dynamically assigns a unique address to a host
• Translates the appropriate address field in inbound and outbound packets
Network Address Translation is often built into routers.
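The IP firewall and NAT behaviour described in the slides above, as an added worked example in Python (this is illustrative code written for this page, not part of the course material). The packet model keeps only the header fields a stateless filter examines; the `IPFirewall` and `SourceNAT` classes, the policy values and all addresses and ports are constructed for the illustration. The example shows the two slide points that matter for diagnosis: the firewall forwards allowed packets unaltered and discards the rest silently (so the sender sees nothing), and the NAT's mapping table is what makes replies routable and unsolicited inbound packets undeliverable.

```python
# Added example (not from the course slides): a minimal model of two middleboxes,
# a stateless IP firewall and a source NAT, applied to constructed packets.
# Addresses, ports and policies are illustrative only.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Just the header fields an IP firewall looks at (no payload)."""
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int = 0  # 0 for ICMP, which has no ports
    dport: int = 0


class IPFirewall:
    """Stateless IP firewall: inspects IP and transport headers only, then
    forwards the packet unchanged or silently discards it."""

    def __init__(self, blocked_inbound_ports: Iterable[int],
                 blocked_subnets: Iterable[str], block_icmp: bool) -> None:
        self.blocked_inbound_ports = set(blocked_inbound_ports)
        self.blocked_subnets = [ip_network(n) for n in blocked_subnets]
        self.block_icmp = block_icmp

    def filter(self, pkt: Packet, inbound: bool) -> Optional[Packet]:
        """Return the packet to forward it, or None to discard it."""
        if self.block_icmp and pkt.proto == "icmp":
            return None          # the 'ICMP black hole' policy from the slides
        if inbound and pkt.dport in self.blocked_inbound_ports:
            return None          # e.g. telnet from the internet
        if any(ip_address(pkt.dst) in net for net in self.blocked_subnets):
            return None          # traffic to a disallowed subnet
        return pkt               # same object: allowed packets are not altered


class SourceNAT:
    """Source NAT: maps each (private address, port) to a unique port on one
    public address, and reverses the mapping for replies."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map: Dict[Tuple[str, int], int] = {}
        self.inbound_map: Dict[int, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport)
        if key not in self.outbound_map:      # first packet of a flow: allocate
            self.outbound_map[key] = self.next_port
            self.inbound_map[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.outbound_map[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        key = self.inbound_map.get(pkt.dport)
        if key is None:
            return None    # no mapping: unsolicited inbound traffic has nowhere to go
        return replace(pkt, dst=key[0], dport=key[1])


def send_out(nat: SourceNAT, fw: IPFirewall, pkt: Packet) -> Optional[Packet]:
    """Host -> NAT -> firewall -> internet. Returns what leaves the site, or None."""
    return fw.filter(nat.outbound(pkt), inbound=False)


def receive(nat: SourceNAT, fw: IPFirewall, pkt: Packet) -> Optional[Packet]:
    """Internet -> firewall -> NAT -> host. Returns what reaches the host, or None."""
    allowed = fw.filter(pkt, inbound=True)
    return None if allowed is None else nat.inbound(allowed)


if __name__ == "__main__":
    fw = IPFirewall(blocked_inbound_ports={23}, blocked_subnets=["192.0.2.128/25"],
                    block_icmp=True)
    nat = SourceNAT("198.51.100.1")
    web = send_out(nat, fw, Packet("10.0.0.5", "203.0.113.9", "tcp", 51000, 80))
    print("outbound HTTP as seen on the internet:", web)
    print("reply reaches the host as:",
          receive(nat, fw, Packet("203.0.113.9", "198.51.100.1", "tcp", 80, web.sport)))
    print("inbound telnet:", receive(nat, fw, Packet("203.0.113.9", "198.51.100.1", "tcp", 4444, 23)))
    print("inbound ping:", receive(nat, fw, Packet("203.0.113.9", "198.51.100.1", "icmp")))
```

Run it and compare the four printed lines: only the HTTP exchange survives, and the two discards produce no error of any kind, which is exactly why a blocked port or blocked ICMP shows up in practice as a timeout rather than a diagnosable failure.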
LOAD BALANCERS
The motivation is typically to balance load across a pool of servers.
Load balancers divert packets from their intended IP destination, or make the destination ambiguous.
Session state? Debugging? Sometimes it works, sometimes it doesn’t.
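The "session state?" question on the load balancer slide, as an added Python example written for this page (not course material). The `LoadBalancer` class, its two placement policies, the virtual IP, pool members and client flows are all constructed for the illustration: a client addresses every packet to the balancer's virtual IP, and the balancer rewrites the destination to a pool member. With per-packet round-robin, one session's packets are spread across several servers, so any server-side session state breaks; with a deterministic hash of the client flow, every packet of a session lands on the same member. The same hash also makes the placement reproducible, which is what you need when debugging which server actually handled a given client.

```python
# Added example (not from the course slides): a load balancer that diverts
# packets from the address the client sent them to, under two placement
# policies. All addresses, ports and pool members are constructed.
import hashlib
from typing import List, Tuple

Flow = Tuple[str, int]   # (client address, client port) identifies one session


class LoadBalancer:
    """Clients send to one virtual IP; the balancer rewrites the destination to a
    pool member. sticky=False round-robins packet by packet (the failure mode the
    slide's 'session state?' question points at); sticky=True hashes each flow so
    it is served by the same member for its whole life."""

    def __init__(self, vip: str, pool: List[str], sticky: bool) -> None:
        self.vip = vip
        self.pool = pool
        self.sticky = sticky
        self._rr = 0          # round-robin cursor

    def choose(self, flow: Flow) -> str:
        if self.sticky:
            # sha256 rather than hash(): Python's str hash is randomised per process,
            # so it could not be reproduced when debugging a placement later.
            digest = hashlib.sha256(f"{flow[0]}:{flow[1]}".encode()).digest()
            return self.pool[int.from_bytes(digest[:4], "big") % len(self.pool)]
        member = self.pool[self._rr % len(self.pool)]
        self._rr += 1
        return member

    def forward(self, flow: Flow, dst: str) -> str:
        """Return the real destination a packet addressed to `dst` is delivered to."""
        if dst != self.vip:
            return dst        # not our VIP: pass through untouched
        return self.choose(flow)


def deliver_session(lb: LoadBalancer, flow: Flow, n_packets: int) -> List[str]:
    """Send n packets of one session to the VIP; list which member got each."""
    return [lb.forward(flow, lb.vip) for _ in range(n_packets)]


def session_is_consistent(lb: LoadBalancer, flow: Flow, n_packets: int) -> bool:
    """True if every packet of the session reached the same pool member."""
    return len(set(deliver_session(lb, flow, n_packets))) == 1


if __name__ == "__main__":
    pool = ["10.1.0.11", "10.1.0.12", "10.1.0.13"]
    client: Flow = ("203.0.113.7", 50000)
    for sticky in (False, True):
        lb = LoadBalancer("192.0.2.10", pool, sticky=sticky)
        print(f"sticky={sticky}:", deliver_session(lb, client, 6),
              "consistent" if session_is_consistent(
                  LoadBalancer("192.0.2.10", pool, sticky=sticky), client, 6) else "split")
```

Flow hashing fixes the session-state problem for a static pool; it does not by itself survive a change in pool membership, since the modulo changes for every flow. That is the kind of behaviour behind "sometimes it works, sometimes it doesn't", and it is worth checking before blaming the network path.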