Tuesday, November 10, 2009

A Policy-aware Switching Layer for Data Centers

This paper presents a policy-aware switch design that routes data through a specified set of middle-boxes.

Summary

This paper addresses the problem of inserting middle-boxes such as firewalls, load balancers, etc. into a network. The current approach is to place these boxes in series on the physical path or to modify path weights in the spanning tree to force data through these boxes. This method makes it difficult to provide the following desirable properties:
  1. Correctness. Traffic should traverse middle boxes in a specified order.
  2. Flexibility. It should be easy to reconfigure the sequence of middle boxes or to add new ones.
  3. Efficiency. Traffic should only traverse the required middle boxes.
To achieve these goals the authors propose a policy-aware switching layer (pswitch). The goals of this layer are to
  1. Separate policy from reachability. Explicitly dictate which middle boxes traffic should traverse, rather than enforcing it by changing network paths.
  2. Take middle boxes off the physical network path. Data is explicitly forwarded to middle boxes, so they no longer have to sit at choke points in the network.
The pswitch matches packets on the source IP, destination IP, port number and protocol type and then forwards them to a specified middle box. Middle boxes can be chained by next-hop forwarding rules of the form [previous hop, traffic selector]: next hop.
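As an added illustration (not code from the paper or this post), here is a small Python model of the pswitch policy table described above: rules in the [previous hop, traffic selector]: next hop form, with hypothetical hop names and a constructed policy that sends external web traffic through a firewall and then a load balancer while internal traffic bypasses both. The hop limit catches a misconfigured chain that never reaches the server.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

Packet = namedtuple("Packet", "src dst dport proto")  # the pswitch match fields


@dataclass(frozen=True)
class Selector:
    """Traffic selector: src/dst prefix, port, protocol; None is a wildcard."""
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or ip_address(pkt.src) in ip_network(self.src))
                and (self.dst is None or ip_address(pkt.dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == pkt.dport)
                and (self.proto is None or self.proto == pkt.proto))


# Constructed policy table; first match wins. "ingress" = packet just entered the
# pswitch layer, "server" = deliver to the destination host (hypothetical names).
WEB = Selector(dst="10.0.1.0/24", dport=80, proto="tcp")
INTERNAL = Selector(src="10.0.0.0/8")
POLICY = [
    (("ingress", INTERNAL), "server"),      # internal traffic skips all middleboxes (efficiency)
    (("ingress", WEB), "firewall"),         # external web traffic: firewall first ...
    (("firewall", WEB), "load_balancer"),   # ... then load balancer (correctness: fixed order)
    (("ingress", Selector()), "firewall"),  # any other external traffic: firewall only
]


def next_hop(policy, prev_hop: str, pkt: Packet) -> str:
    for (hop, sel), nxt in policy:
        if hop == prev_hop and sel.matches(pkt):
            return nxt
    return "server"  # no rule for this (prev hop, packet): no further middlebox required


def route(policy, pkt: Packet, max_hops: int = 8) -> list:
    # Returns the ordered middlebox sequence pkt traverses before delivery.
    path, hop = [], "ingress"
    while len(path) < max_hops:
        hop = next_hop(policy, hop, pkt)
        if hop == "server":
            return path
        path.append(hop)
    raise RuntimeError("policy loop: chain never reaches the server")  # misconfiguration
```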

The authors use a formal model to verify the correctness of the proposed design.

Thoughts

Overall, this sounds like a good solution to a real problem in data centers. One concern is that the pswitch mechanism introduces extra overhead. For example, data must make an additional round trip through each middle box instead of traversing all of them in series.
