LightBox: Full-stack Protected Stateful Middlebox at Lightning Speed
Running off-site software middleboxes at third-party service providers has
been a popular practice. However, routing large volumes of raw traffic, which
may carry sensitive information, to a remote site for processing raises severe
security concerns. Prior solutions often abstract away important factors
pertinent to real-world deployment. In particular, they overlook the
significance of metadata protection and stateful processing. Unprotected
traffic metadata like low-level headers, size and count, can be exploited to
learn supposedly encrypted application contents. Meanwhile, tracking the states
of 100,000s of flows concurrently is often indispensable in production-level
middleboxes deployed at real networks.
We present LightBox, the first system that can drive off-site middleboxes at
near-native speed with stateful processing and the most comprehensive
protection to date. Built upon commodity trusted hardware, Intel SGX, LightBox
is the product of our systematic investigation of how to overcome the inherent
limitations of secure enclaves using domain knowledge and customization. First,
we introduce an elegant virtual network interface that allows convenient access
to fully protected packets at line rate without leaving the enclave, as if from
the trusted source network. Second, we provide complete flow state management
for efficient stateful processing, by tailoring a set of data structures and
algorithms optimized for the highly constrained enclave space. Extensive
evaluations demonstrate that LightBox, with all security benefits, can achieve
10Gbps packet I/O, and that with case studies on three stateful middleboxes, it
can operate at near-native speed.
Comment: Accepted at ACM CCS 201
StatelessNF: a Disaggregated Architecture for Network Functions
The networking space is undergoing a transformation. Today’s networks (enterprises, data centers, and service providers) are replacing the expensive hardware network appliances (e.g., firewalls, load balancers, security monitors) with software that can run on commodity servers. This movement significantly reduces capital expenditures, as these devices are an important component of today’s networks.
While this general movement shares a similar vision of a dynamic network, existing solutions fall short in adapting, in both scale and function, to provide true network agility, where network services can be instantly deployed, scale in and out on demand, and be resilient to failure. The reason is that these solutions simply modify existing network device designs so that the device runs in software.
This design decision is the root of the problem. Specifically, the network functions that make up the network infrastructure (e.g., firewalls, load balancers, and routers), despite their variety, share a common monolithic architecture where the control plane, the data plane, and most importantly the state (e.g., information about network flows) are maintained internally in a single appliance. This tight coupling of all of these components within network functions hinders agility, leading to complex and expensive solutions for managing and configuring these network functions at larger scale.
This dissertation is centered on overcoming these limitations through the introduction of what we call Stateless Network Functions, or StatelessNF. StatelessNF aims to provide self-managed and self-configured agile network functions that are resilient to failure and able to scale in and out without intervention from network administrators, thus enabling the network to be invisible to the applications that run on top of it.
To achieve this goal, we have fundamentally re-designed the architecture of network devices with the flexibility of software in mind, rather than following other software approaches that mimic the hardware architecture in software and therefore inherit a design built around the limitations of hardware, not the flexibility of software. The key idea of StatelessNF is to decouple the processing of a network device from its state, storing any needed state in a separate data store. By separating the state from the processing, we enable highly dynamic management of scalable and failure-resilient network functions. StatelessNF's architecture is especially challenging to realize in the context of network processing, where we need to handle millions of packets per second and where there may be one or more reads and writes to the data store for every packet.
In this dissertation, we ask "Can we redefine and redesign the architecture of network functions from the ground up, without sacrificing performance, to achieve true network agility?" Overcoming this challenge is one of the main contributions of this dissertation. As we show, we envision StatelessNF being the core of multiple future research projects in the areas of software-defined networking (SDN) and Network Function Virtualization (NFV). In addition, StatelessNF has broader impacts that include commercialization opportunities. We validated this through our interaction with over 150 companies in the cloud infrastructure and data center industries, and two companies that agreed to deploy the StatelessNF system in their data center environments.
VNF chain allocation and management at data center scale
Algorithms and the Foundations of Software technolog