Policy enforcement in traditional non-SDN networks

Journal of Parallel and Distributed Computing (2023)

Abstract
Middleboxes are widely used in modern networks for a variety of network functions in cybersecurity, performance enhancement, and monitoring. Middlebox policy enforcement, however, is complex and tedious, as it relies on unreliable manual re-configuration of legacy routers. The existing solution for automated policy enforcement relies on software-defined networking (SDN) and does not apply to traditional non-SDN networks, which remain popular today in enterprise deployments and core networks. This paper proposes a new architecture based entirely on software-defined middleboxes (instead of the software-defined switches used in the prior art) to enable dependable and automated policy enforcement in non-SDN networks, whose routers forward packets based on traditional routing protocols that are not policy-sensitive. We present a hot-potato enforcement strategy, which is then enhanced with two optimizations for load-balanced policy enforcement among software-defined middleboxes. Next, we propose two additional optimizations that minimize total traffic and aggregate end-to-end delay subject to link capacity constraints. Further enhancements are made to relieve middlebox processing overhead, avoid packet fragmentation caused by policy enforcement, recover from failures, and mitigate delay for time-sensitive applications. We evaluate the proposed architecture on a real-life campus network topology and two simulated topologies to demonstrate the superior performance of our load-balanced enforcement strategies.
Keywords
Computer network, Network security, Policy enforcement, Network optimization, Middleboxes