per_sl_modules_10_version_1.0


Module 10: How Middleboxes Impact Performance
WHAT IS A MIDDLEBOX?
What is a middlebox?
• “Any intermediate device performing functions other than the
normal, standard functions of an IP router on the datagram
path between a source host and a destination host.”
– Network Working Group, RFC 3234, Middleboxes: Taxonomy and Issues.
[Figure: a middlebox sits on the path between Network 1 and Network 2, between Source and Destination]
WHAT DO MIDDLEBOXES DO?
Middleboxes may:
• Drop, insert or modify packets.
• Terminate one IP packet flow and originate another.
• Transform or divert an IP packet flow in some way.
Middleboxes are never the ultimate end-system of an
application session.
EXAMPLES OF MIDDLEBOXES
• Firewalls
• Network Address Translators
• Traffic Shapers
• Load Balancers
MIDDLEBOXES AND ‘CLASSIC’ TCP / IP
Traditionally:
• Networks have ceded control to the end-points of a
connection.
• The only function carried out ‘in the middle’ was IP routing.
Middleboxes change this:
• They spread functionality throughout the network, so the
end-points no longer see the path they think they see.
WHAT ISSUES DO MIDDLEBOXES INTRODUCE?
Challenges represented by middleboxes:
• Networking protocols were not designed with middleboxes in
mind.
• Connections whose state lives in a middlebox (a NAT mapping, a
stateful firewall entry) are lost when that middlebox crashes or
restarts, even though both end-points are still up.
• Middleboxes are often hidden points of failure.
• Middleboxes may require configuration and management.
• You must take middleboxes into account when diagnosing
network failures or poor performance.
• Some key services may not operate ‘through’ middleboxes (e.g. video
conferencing).
FIREWALLS
A firewall is an agent that screens network traffic, blocking traffic that it
believes to be inappropriate or dangerous.
Examples:
• Block telnet connections from the internet
• Block FTP connections to the internet from internal systems not
authorised to send files
• Act as an intermediate server handling SMTP and HTTP
connections
Can be divided into two categories:
• IP Firewalls
• Application Firewalls
FIREWALLS IN THE PATH: EXAMPLE
[Figure: a video conference connection from Campus X Network, through NREN A Network, the Backbone Network and NREN B Network, to Campus Y Network, with a firewall at each campus border]
Firewalls are potential obstacles to (UDP) media streams
IP FIREWALLS
Features of an IP firewall:
• Simplest form of firewall, usually contained in a router
• Inspects each individual packet’s IP and Transport headers.
Decides whether to forward or discard based on configured
policies. Examples:
• Disallows incoming traffic to certain port numbers
• Disallows traffic to certain subnets
• Does not alter the packets it allows through
• Not visible as protocol end-point
By discarding some packets, usually silently and without an ICMP
error back to the sender, it may cause connectivity problems that
appear only as timeouts and are difficult to identify and resolve.
APPLICATION FIREWALLS
Features of an application firewall:
• Acts as protocol end-point and relay
• E.g. SMTP client / server or web proxy agent
• May:
• Implement ‘safe’ subset of the protocol
• Perform extensive protocol validity checks
• Use an implementation methodology to minimise likelihood of bugs
• Run in an insulated ‘safe’ environment
PROBLEMS ASSOCIATED WITH FIREWALLS
ICMP (Internet Control Message Protocol) messages are
often blocked wholesale, as they are perceived as a security risk.
• Tools that depend on them, such as ping and traceroute, give
misleading results: a host that merely filters ICMP looks unreachable
• Path MTU discovery black holes can be created: if the ICMP
‘Fragmentation Needed’ (IPv4) or ‘Packet Too Big’ (IPv6) messages
are dropped, large packets sent with DF set vanish silently while
small ones get through, so a connection opens but stalls on bulk data
• Legitimate traffic can be delayed or completely blocked
NETWORK ADDRESS TRANSLATORS
What does a Network Address Translator do?
• Maps a host’s private (internal) address to a public address,
usually dynamically; with port translation (NAPT) many hosts
share one public address
• Rewrites the address (and port) fields in outbound and inbound
packets, and recomputes the IP and transport checksums, which
cover those fields
• Keeps a per-flow mapping table: inbound packets that match no
entry are dropped, which is why a host behind a NAT cannot be
reached from outside unless a mapping is configured
Network Address Translation is often built into routers.
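Added example, not from the module: a toy stateless IP firewall as described under IP FIREWALLS above, and a port-translating NAT as on this slide, both acting on hand-built IPv4/TCP packets using only the Python standard library. Everything concrete is an assumption made for illustration: 192.0.2.0/24 as the campus, 203.0.113.1 as the NAT’s public address, 198.51.100.7 as an internet host, the RULES policy, the public port range starting at 40000, and the sample packets themselves.

```python
import ipaddress
import struct

PUBLIC_IP = "203.0.113.1"   # assumed public address of the NAT (documentation range)


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by IPv4 and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(src, dst, sport, dport, payload=b"", flags=0x02) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header + payload."""
    src_b, dst_b = ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))   # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", ip_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + tcp


def parse(pkt: bytes) -> dict:
    """Only the fields an IP firewall looks at: addresses, protocol, ports."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4]) if proto in (6, 17) else (None, None)
    return {"ihl": ihl, "proto": proto, "sport": sport, "dport": dport,
            "src": str(ipaddress.ip_address(pkt[12:16])),
            "dst": str(ipaddress.ip_address(pkt[16:20]))}


def checksums_ok(pkt: bytes) -> bool:
    """What the next router/host does: recompute both checksums and expect zero."""
    ihl = (pkt[0] & 0x0F) * 4
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(pkt) - ihl)
    return ip_checksum(pkt[:ihl]) == 0 and ip_checksum(pseudo + pkt[ihl:]) == 0


# Constructed policy mirroring the slide's examples; the campus is 192.0.2.0/24.
# (action, source net, destination net, IP protocol or None, destination port or None)
RULES = [
    ("deny", "0.0.0.0/0", "192.0.2.0/24", 6, 23),         # no telnet into the campus
    ("deny", "192.0.2.128/25", "0.0.0.0/0", 6, 21),      # this subnet may not open FTP
    ("deny", "0.0.0.0/0", "192.0.2.64/26", None, None),  # subnet unreachable from anywhere
    ("allow", "0.0.0.0/0", "0.0.0.0/0", None, None),
]


def firewall_decision(pkt: bytes, rules=RULES) -> str:
    """IP firewall: first matching rule wins; the packet is forwarded or discarded, never changed."""
    f = parse(pkt)
    src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
    for action, s_net, d_net, proto, dport in rules:
        if (src in ipaddress.ip_network(s_net) and dst in ipaddress.ip_network(d_net)
                and proto in (None, f["proto"]) and dport in (None, f["dport"])):
            return action
    return "deny"    # default deny when nothing matched


def rewrite_endpoint(pkt: bytes, which: str, ip: str, port: int) -> bytes:
    """Replace the source ("src") or destination ("dst") address and port, then
    recompute the IPv4 and TCP checksums: both cover the rewritten fields."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_off, port_off = (12, 0) if which == "src" else (16, 2)
    hdr, seg = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    hdr[ip_off:ip_off + 4] = ipaddress.ip_address(ip).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    seg[port_off:port_off + 2] = struct.pack("!H", port)
    seg[16:18] = b"\x00\x00"
    pseudo = bytes(hdr[12:20]) + struct.pack("!BBH", 0, 6, len(seg))
    seg[16:18] = struct.pack("!H", ip_checksum(pseudo + bytes(seg)))
    return bytes(hdr + seg)


class Napt:
    """Port-translating NAT: a per-flow table maps (private ip, port) to a public port."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out, self.back = {}, {}

    def outbound(self, pkt: bytes) -> bytes:
        f = parse(pkt)
        key = (f["src"], f["sport"])
        if key not in self.out:                  # first packet of a flow: allocate a port
            self.out[key], self.back[self.next_port] = self.next_port, key
            self.next_port += 1
        return rewrite_endpoint(pkt, "src", self.public_ip, self.out[key])

    def inbound(self, pkt: bytes):
        f = parse(pkt)
        key = self.back.get(f["dport"])
        if f["dst"] != self.public_ip or key is None:
            return None                          # no mapping: unsolicited inbound traffic is dropped
        return rewrite_endpoint(pkt, "dst", *key)
```

Two things to notice: the firewall returns a decision and never touches the bytes, whereas the NAT must recompute both checksums, because the TCP checksum covers the IP addresses through the pseudo-header; and `inbound()` returning `None` for an unknown port is the whole reason an inbound connection to a host behind a NAT fails unless a mapping already exists.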
LOAD BALANCERS
Motivation is typically to balance load across a pool of
servers.
They divert packets away from the IP destination the client
addressed, or make that destination ambiguous (one virtual address
fronting many real servers).
Session state? All packets of a flow, and all requests of a session,
must reach the server that holds that state. Debugging? Which server
actually handled a given request is no longer obvious from the
destination address.
Sometimes it works, sometimes it doesn’t
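Added example, not from the module, of the session-state question above: two toy load balancers choosing a backend for each flow, one purely by hashing the 5-tuple, one keeping a connection table, plus a measure of how many established flows move to a different server when the pool changes. The backend addresses, the virtual IP 203.0.113.10 and the 200 sample client flows are constructed for illustration.

```python
import hashlib


def flow_hash(src, sport, dst, dport, proto=6) -> int:
    """Deterministic hash of a flow's 5-tuple. SHA-256 rather than Python's hash(),
    which is randomised per process and so would change across a restart."""
    key = f"{proto}|{src}:{sport}->{dst}:{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


class HashBalancer:
    """Stateless: every packet of a flow goes to hash(5-tuple) mod pool size.
    Consistent for one flow, but the choice moves as soon as the pool changes."""

    def __init__(self, backends):
        self.backends = list(backends)

    def pick(self, flow):
        return self.backends[flow_hash(*flow) % len(self.backends)]


class TableBalancer(HashBalancer):
    """Stateful: remembers the backend chosen for each flow, so established
    connections survive a pool change. The same table answers the debugging
    question "which server got this client's packets?"."""

    def __init__(self, backends):
        super().__init__(backends)
        self.table = {}

    def pick(self, flow):
        if flow not in self.table:
            self.table[flow] = super().pick(flow)
        return self.table[flow]

    def served_by(self, flow):
        return self.table.get(flow)


def remapped_fraction(balancer_cls, flows, before, after) -> float:
    """Fraction of established flows that land on a different server after the
    backend pool changes from `before` to `after` (a server added or removed)."""
    lb = balancer_cls(before)
    first = {f: lb.pick(f) for f in flows}
    lb.backends = list(after)
    moved = sum(lb.pick(f) != first[f] for f in flows)
    return moved / len(flows)


# Constructed sample: 200 client flows to one virtual IP, a pool of 3 servers growing to 4.
FLOWS = [(f"198.51.100.{i % 250 + 1}", 40000 + i, "203.0.113.10", 443) for i in range(200)]
POOL3 = ["10.0.1.1", "10.0.1.2", "10.0.1.3"]
POOL4 = POOL3 + ["10.0.1.4"]
```

With modulo hashing, a flow keeps its server across a 3-to-4 change only when its hash agrees modulo 3 and modulo 4, i.e. about a quarter of the time, so roughly three quarters of live sessions break on a pool change unless a table is kept. Real balancers mix the two: a hash (ideally a consistent one) for new flows and a connection table for established ones.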