Don’t Call Them Middleboxes, Call Them Middlepipes – Hani Jamjoom, Dan Williams, Upendra Sharma – PowerPoint PPT Presentation



SLIDE 1

Don’t Call Them Middleboxes, Call Them Middlepipes

Hani Jamjoom – Dan Williams – Upendra Sharma
IBM T. J. Watson Research Center

SLIDE 2

PaaS Makes Things Easy

  • Abstract out infrastructure resource management
    – e.g., BlueMix, Cloud Foundry, Heroku, Azure, AppEngine
  • Simplify consumption of runtimes and services
    – e.g., “I want a Ruby runtime or a MongoDB service”
    – Automate provisioning, load balancing, auto-scaling, etc.

[Figure: App Runtime (e.g., Ruby) – Service (e.g., MongoDB)]

SLIDE 3

What About NFV & Middleboxes?

  • PaaS hides most network configurations
    – Virtual networking, SDN, routing, firewalling
  • Opportunity 1: Simplify consumability of traditional middlebox functionality
    – Intrusion detection, WAN optimizers, etc.
  • Opportunity 2: Support DevOps lifecycle
    – Monitoring, circuit breaker, failure injection, A/B testing, etc.

SLIDE 4

Example 1: Adding Intrusion Detection

  • Scans packet headers and payloads
  • Alerts or drops packets if intrusion is detected
  • Typically, IDS/IPS are placed at the entry point of an application
  • However, services can be offered by third-party vendors; intrusion can happen from anywhere

[Figure: App – IDS – Service; the IDS on the app–service path raises an alert (“something fishy here”)]

SLIDE 5

Example 2: Mimicking Circuit Breaker

  • Stateful monitoring of requests
  • Detect failure in downstream services
  • Isolate failure quickly
  • Return default value, raise exception at app, etc.
  • Usually implemented in app logic
  • Conceptually, a lot of the functionality can be separated from application logic.

[Figure: App – Circuit Breaker – Service; if response time > X, the circuit breaker returns a default]

SLIDE 6

Don’t Shoehorn Middleboxes Into PaaS Services

[Figure: App – Middlebox 1 (e.g., IDS) – Middlebox 2 – Service (e.g., MongoDB)]

Issues with middleboxes-as-services

  • They do not run close to apps
  • They are difficult to chain
  • They only operate on requests (not packets)
  • They do not support callbacks into application

SLIDE 7

Middlepipes

  • Middlebox-like functionality in a software-defined pipe abstraction
  • Efficient interposition close to invocation
  • Arbitrary chaining is supported outside of app logic
  • Access to requests and packets
  • Can generate callbacks to application

[Figure: App – Middlepipe – Service (e.g., MongoDB)]

SLIDE 8

Under The Covers

  I. Filters: Lightweight “code” that runs in the app container
  II. Aggregators: Control filters and asynchronously receive data
  III. Controller: Inserts/removes filters; binds filters to aggregators.

[Figure: the Middlepipe Controller provisions aggregators (Performance Debugging, Circuit Breaker, Intrusion detection) and inserts/removes filters in the container on the App–Svc request path; filters and aggregators exchange control & data]

SLIDE 9

R1. Move Closer to Invocation Path

Why place filters inside App container?

  • Naturally distribute computation across the underlying infrastructure
  • Reduce overhead on the network substrate
  • Minimize copying of requests and packets

[Figure: as on slide 8; the Middlepipe Controller provisions aggregators (Performance Debugging, Circuit Breaker, Intrusion detection) and inserts/removes filters in the container on the App–Svc request path; filters and aggregators exchange control & data]

SLIDE 10

R2+3. Chaining Different Filter Types

[Figure: the Middlepipe Controller provisions aggregators (Circuit Breaker, Intrusion detection), which exchange control & data with the filter chain in the App on the request path. The filter chain mixes custom filters and standard filters; request-level filters see Header, Body and Markers, while a packet-level filter sees network packets. A SHARED SEGMENT (a shared page between all filters) connects the chain.]

SLIDE 11

R4. Supporting Callbacks

  • Thin application library facilitates access to middlepipes
    – Shared memory buffers, etc.
  • What if the application needs to be notified?
    – Middlepipes insert “markers” in response
    – Application can look for markers and react (e.g., library can raise exception)
    – Other middlepipes can look for markers and react
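The circuit breaker of slide 5 and the marker-based callback of slide 11, as an added Python example that is not the authors’ code: a stateful request-level filter sits on the app–service path, trips after repeated slow or 5xx responses, and then short-circuits with a default response carrying a marker that a thin app library turns into an exception. The marker header name, the thresholds and the injectable clock are assumptions of the example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MARKER_HEADER = "X-Middlepipe-Marker"   # constructed header name (assumption)
BREAKER_OPEN = "breaker-open"           # marker value a tripped breaker inserts

@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)

class CircuitOpen(Exception):
    """Raised by the thin app library when a response carries the breaker marker."""

@dataclass
class CircuitBreakerFilter:
    """Slide 5 breaker: opens after max_failures consecutive slow or 5xx responses."""
    max_failures: int = 3
    max_latency: float = 0.5                         # "if response time > X"
    default_body: str = "{}"
    clock: Callable[[], float] = time.perf_counter   # injectable for deterministic tests
    failures: int = 0
    state: str = "closed"

    def __call__(self, request: str, downstream: Callable[[str], Response]) -> Response:
        if self.state == "open":
            # Isolate the failure quickly: skip the service, return the marked default
            return Response(200, self.default_body, {MARKER_HEADER: BREAKER_OPEN})
        start = self.clock()
        resp = downstream(request)
        slow_or_failed = resp.status >= 500 or self.clock() - start > self.max_latency
        self.failures = self.failures + 1 if slow_or_failed else 0
        if self.failures >= self.max_failures:
            self.state = "open"
        return resp

def run_chain(filters: List, request: str, service: Callable[[str], Response]) -> Response:
    """Apply filters in order around the service call; any filter may short-circuit."""
    def link(i: int) -> Callable[[str], Response]:
        return service if i == len(filters) else (lambda req: filters[i](req, link(i + 1)))
    return link(0)(request)

def app_call(filters: List, request: str, service: Callable[[str], Response]) -> Response:
    """Thin app library (slide 11): look for the marker and react by raising."""
    resp = run_chain(filters, request, service)
    if resp.headers.get(MARKER_HEADER) == BREAKER_OPEN:
        raise CircuitOpen(f"breaker open for {request!r}; default returned")
    return resp
```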

SLIDE 12

Embed Inside Cloud Foundry

[Figure: Cloud Foundry deployment: Load Balancer – Router – Apps, with inbound requests going through an elastic L7 router; Cloud controller; Service Node (MongoDB); a DEA (VM) hosts Warden containers, each holding the App, Language runtime, Lifecycle management and Middlepipe filters; Apps bind to services via VCAP_SERVICES]

SLIDE 13

How to Add Middlepipes

$ cf create-middlepipe breaker
    create instance of middlepipe
$ cf bind-middlepipe breaker myapp mongodb
    bind the “breaker” middlepipe to any communication between my app and mongodb
$ cf bind-middlepipe bro myapp mongodb
    bind the “bro” middlepipe to any communication between my app and mongodb (in addition to the breaker)

SLIDE 14

Related Work

  • APLOMB (SIGCOMM’12)
  • CloudNaaS (SoCC’11)
  • CoMb (NSDI’12)
  • End to the Middle (HotOS’09)
  • Split/Merge (NSDI’13) …
  • Emergence of OSS frameworks that focus on the “DevOps” lifecycle
    – e.g., Netflix OSS, Airbnb, Etsy, etc.
    – Canary testing, Circuit Breaker, Stress testing

SLIDE 15

Summary

[Figure: Middlebox as a Service (App – Middlebox 1 – Middlebox 2 – Service) vs. Middlepipe (App – Middlepipe – Service)]