Module 10: How Middleboxes Impact Performance - PowerPoint PPT Presentation

About This Presentation
Title: Module 10: How Middleboxes Impact Performance

Slides: 14
Provided by: pweb1
Transcript and Presenter's Notes

1
Module 10: How Middleboxes Impact Performance
2
WHAT IS A MIDDLEBOX?
  • What is a middlebox?
  • Any intermediate device performing functions
    other than the normal, standard functions of an
    IP router on the datagram path between a source
    host and a destination host.
  • Network Working Group, RFC 3234, Middleboxes:
    Taxonomy and Issues.

3
WHAT DO MIDDLEBOXES DO?
  • Middleboxes may
  • Drop, insert or modify packets.
  • Terminate one IP packet flow and originate
    another.
  • Transform or divert an IP packet flow in some
    way.
  • Middleboxes are never the ultimate end-system of
    an application session.

4
EXAMPLES OF MIDDLEBOXES
  • Firewalls
  • Network Address Translators
  • Traffic Shapers
  • Load Balancers

5
MIDDLEBOXES AND CLASSIC TCP / IP
  • Traditionally
  • Networks have ceded control to the end-points of
    a connection.
  • Only function carried out in the middle was IP
    routing
  • Middleboxes change this
  • They spread functionality throughout the network.

6
WHAT ISSUES DO MIDDLEBOXES INTRODUCE?
  • Challenges represented by middleboxes
  • Networking protocols were not designed with
    middleboxes in mind.
  • We have to deal with connections that break when
    a middlebox holding their state crashes or reboots.
  • Middleboxes are often hidden points of failure.
  • Middleboxes may require configuration and
    management.
  • You must take middleboxes into account when
    diagnosing network failures or poor performance.
  • Some key services may not operate through
    middleboxes (e.g. video conferencing)

7
FIREWALLS
  • A firewall is an agent that screens network
    traffic, blocking traffic that it believes to be
    inappropriate or dangerous.
  • Examples
  • Block telnet connections from the internet
  • Block FTP connections to the internet from
    internal systems not authorised to send files
  • Act as an intermediate server handling SMTP and
    HTTP connections
  • Can be divided into two categories
  • IP Firewalls
  • Application Firewalls

8
FIREWALLS IN THE PATH EXAMPLE
[Figure: firewalls placed on the path between the end hosts and the Backbone Network]
Firewalls are potential obstacles to (UDP) media
streams
9
IP FIREWALLS
  • Features of an IP firewall
  • Simplest form of firewall, usually contained in a
    router
  • Inspects each packet's IP and transport headers
    and decides whether to forward or discard it
    based on configured policies. Examples:
  • Disallows incoming traffic to certain port
    numbers
  • Disallows traffic to certain subnets
  • Does not alter the packets it allows through
  • Not visible as protocol end-point
  • By rejecting some packets, may cause connectivity
    problems that are difficult to identify and
    resolve.
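The stateless filter described on this slide, as an added example that is not part of the original presentation. It parses only the IPv4 header and the transport port fields of a raw packet and applies a constructed policy (the blocked port, the blocked subnet and the sample addresses are assumptions for illustration, not a real product's rule syntax); a forwarded packet leaves exactly as it arrived, which is the "does not alter the packets" and "not visible as protocol end-point" property of an IP firewall.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed policy for the example (not a real product's rule syntax):
#   - discard traffic to TCP/UDP port 23 (telnet)
#   - discard traffic addressed to the 10.0.99.0/24 subnet
#   - forward everything else, unmodified
BLOCKED_DST_PORTS = {23}
BLOCKED_DST_SUBNETS = [ipaddress.ip_network("10.0.99.0/24")]

PROTO_TCP, PROTO_UDP = 6, 17


@dataclass
class Headers:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    sport: Optional[int]
    dport: Optional[int]


def parse_headers(pkt: bytes) -> Headers:
    """Read the IPv4 header and, for TCP/UDP, the two port fields.
    Nothing past the transport header is looked at: that is the whole
    extent of a stateless IP filter's view of the packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return Headers(src, dst, proto, sport, dport)


def decide(pkt: bytes) -> str:
    """Return 'FORWARD' or 'DROP'. A forwarded packet leaves exactly as it
    arrived; the filter is not a protocol end-point and rewrites nothing."""
    h = parse_headers(pkt)
    if h.dport in BLOCKED_DST_PORTS:
        return "DROP"
    if any(h.dst in net for net in BLOCKED_DST_SUBNETS):
        return "DROP"
    return "FORWARD"


def build_packet(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Build a minimal 28-byte IPv4 + port-header packet as constructed test
    input (checksums left at zero, which this filter never verifies)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return ip_hdr + struct.pack("!HHI", sport, dport, 0)


if __name__ == "__main__":
    samples = [
        ("telnet from the internet", build_packet("198.51.100.7", "10.0.1.5", PROTO_TCP, 40000, 23)),
        ("https to the protected subnet", build_packet("198.51.100.7", "10.0.99.20", PROTO_TCP, 40001, 443)),
        ("https to the web server", build_packet("198.51.100.7", "10.0.1.5", PROTO_TCP, 40002, 443)),
    ]
    for label, pkt in samples:
        print(f"{label:30s} -> {decide(pkt)}")
```

The silent "DROP" is the troubleshooting problem the last bullet refers to: the sender receives nothing back, so from its point of view the destination is simply unreachable, and the filter leaves no trace in the packets it does forward.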

10
APPLICATION FIREWALLS
  • Features of an application firewall
  • Acts as protocol end-point and relay
  • E.g. SMTP client / server or web proxy agent
  • May
  • Implement safe subset of the protocol
  • Perform extensive protocol validity checks
  • Use an implementation methodology to minimise
    likelihood of bugs
  • Run in an insulated safe environment

11
PROBLEMS ASSOCIATED WITH FIREWALLS
  • ICMP (Internet Control Message Protocol) messages
    are often blocked, as they may be perceived as a
    security risk.
  • Applications dependent upon them, such as ping,
    will return misleading results
  • Path MTU discovery black holes can be created when
    ICMP "fragmentation needed" messages are dropped
  • Legitimate traffic can be delayed or completely
    blocked
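The path MTU discovery black hole from this slide, as an added simulation that is not part of the original presentation. The topology (a sender behind a firewall, a router whose next hop has a 1400-byte MTU, a sender starting from a 1500-byte estimate) is constructed for the example; the ICMP message modelled is the real one, type 3 code 4 with the next-hop MTU field from RFC 1191. The same sender is run twice, once with ICMP allowed through the firewall and once with it blocked, to show that the only difference between "works after one retry" and "hangs forever" is the firewall policy.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed topology (an added example, not the slide's diagram):
#   sender --[firewall]-- router with a 1400-byte next-hop link -- receiver
# The sender starts from a 1500-byte path-MTU estimate and sets DF on
# every packet, as TCP with path MTU discovery enabled does.


@dataclass
class Packet:
    size: int
    df: bool


@dataclass
class IcmpFragNeeded:
    """ICMP type 3 code 4 ('fragmentation needed and DF set'); since
    RFC 1191 the router fills in the MTU of the next hop."""
    next_hop_mtu: int


@dataclass
class Router:
    link_mtu: int
    delivered: List[Packet] = field(default_factory=list)

    def forward(self, pkt: Packet) -> Optional[IcmpFragNeeded]:
        """Deliver the packet if it fits; otherwise drop it and, because
        DF forbids fragmenting, tell the sender why. (A real router would
        fragment a non-DF packet instead; this example never sends one.)"""
        if pkt.size <= self.link_mtu:
            self.delivered.append(pkt)
            return None
        return IcmpFragNeeded(next_hop_mtu=self.link_mtu) if pkt.df else None


@dataclass
class Firewall:
    allow_icmp: bool   # the policy decision the slide is about

    def pass_icmp(self, msg: Optional[IcmpFragNeeded]) -> Optional[IcmpFragNeeded]:
        return msg if self.allow_icmp else None


def send_with_pmtud(router: Router, firewall: Firewall,
                    payload_size: int = 1500, max_tries: int = 3) -> Tuple[bool, int, int]:
    """Classic PMTUD sender. Returns (delivered, final_mtu_estimate, attempts).
    The sender only shrinks its packets when an ICMP message tells it to."""
    mtu = 1500
    for attempt in range(1, max_tries + 1):
        size = min(payload_size, mtu)
        before = len(router.delivered)
        icmp = firewall.pass_icmp(router.forward(Packet(size, df=True)))
        if len(router.delivered) > before:      # receiver's ACK comes back
            return True, mtu, attempt
        if icmp is not None:
            mtu = icmp.next_hop_mtu             # PMTUD works: adapt and retry
        # otherwise: black hole. The packet vanished without any signal and
        # the sender can only retransmit the same oversized packet.
    return False, mtu, max_tries


if __name__ == "__main__":
    for allow in (True, False):
        ok, mtu, tries = send_with_pmtud(Router(link_mtu=1400), Firewall(allow_icmp=allow))
        print(f"ICMP allowed={allow!s:5} -> delivered={ok}, mtu estimate={mtu}, attempts={tries}")
```

The practical check this suggests: a firewall that blocks ICMP wholesale should still let type 3 code 4 (and, for IPv6, ICMPv6 Packet Too Big, type 2) through, since it carries no payload the sender did not already transmit. Where that is not possible, the workaround is probing-based PMTUD (RFC 4821), which is what Linux enables with `net.ipv4.tcp_mtu_probing`; it detects the black hole from repeated retransmission timeouts rather than relying on ICMP.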

12
NETWORK ADDRESS TRANSLATORS
  • What does a Network Address Translator do?
  • Dynamically assigns a unique external address (or,
    with port translation, a shared address plus a
    unique port) to an internal host
  • Translates the appropriate address (and port)
    fields in inbound and outbound packets
  • Network Address Translation is often built into
    routers.
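The translation described on this slide, as an added example that is not from the presentation: a port-translating NAT (NAPT) with an explicit binding table, which is the form built into most routers. The public address, the inside hosts and the remote server are constructed values; the NAT is of the endpoint-independent-mapping kind in RFC 4787 terms, which is an assumption, as real devices differ in how they allocate and reuse ports. The last call shows why the slide-6 example of video conferencing can fail behind a NAT: an inbound packet with no binding has nowhere to go.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Port-translating NAT (NAPT): several inside hosts share one public
    address, distinguished by the port the NAT assigns. Constructed example,
    not the code of any real NAT implementation."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.out: Dict[Tuple[str, int], int] = {}    # (inside ip, port) -> public port
        self.back: Dict[int, Tuple[str, int]] = {}   # public port -> (inside ip, port)

    def outbound(self, p: Pkt) -> Pkt:
        key = (p.src_ip, p.src_port)
        if key not in self.out:      # binding is created by the first outbound packet
            port = next(self._ports)
            self.out[key] = port
            self.back[port] = key
        # Rewrite source address and port. A real NAT must also recompute the
        # IP header checksum and the TCP/UDP checksum, both of which cover
        # the fields that changed.
        return Pkt(self.public_ip, self.out[key], p.dst_ip, p.dst_port)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Reverse-translate a reply; anything without a binding is dropped."""
        if p.dst_ip != self.public_ip or p.dst_port not in self.back:
            return None
        ip, port = self.back[p.dst_port]
        return Pkt(p.src_ip, p.src_port, ip, port)


if __name__ == "__main__":
    nat = Napt("203.0.113.1")
    a = nat.outbound(Pkt("10.0.0.5", 4000, "93.184.216.34", 443))
    b = nat.outbound(Pkt("10.0.0.6", 4000, "93.184.216.34", 443))
    print("out:", a)     # 203.0.113.1:1024 -> 93.184.216.34:443
    print("out:", b)     # 203.0.113.1:1025 -> same server, same inside port, distinct public port
    print("reply:", nat.inbound(Pkt("93.184.216.34", 443, "203.0.113.1", 1025)))
    print("unsolicited:", nat.inbound(Pkt("198.51.100.9", 5060, "203.0.113.1", 5060)))
```

Two things worth noticing for the performance and failure discussion earlier in the module: the binding table lives only in the NAT, so if the device reboots every established session is lost even though both end hosts still consider it open; and the table is keyed on transport ports, which is why protocols that carry addresses inside their payload, or that expect the peer to connect in first, need help (an application-level gateway or a port forwarding rule) to work at all.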

13
LOAD BALANCERS
  • Motivation is typically to balance load across a
    pool of servers.
  • Divert packets from intended IP destination or
    make the destination ambiguous.
  • Session state? Debugging?
  • Sometimes it works, sometimes it doesn't
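The "session state?" question on this slide, as an added example that is not part of the presentation. Two ways of diverting packets to a pool are compared: per-packet round robin, which sprays one flow's packets over every backend, and a flow hash, which keeps a flow on one backend for as long as the pool is unchanged. The three backend names, the sample flows and the use of SHA-256 as the hash are assumptions for the example; real load balancers use faster hashes and, for the pool-change case measured at the end, usually consistent hashing.

```python
import hashlib
from typing import List, Set, Tuple

Flow = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)


class RoundRobinLB:
    """Per-packet round robin: each packet goes to the next backend, so one
    flow's packets are sprayed across the pool."""

    def __init__(self, pool: List[str]):
        self.pool = list(pool)
        self._next = 0

    def pick(self, flow: Flow) -> str:
        backend = self.pool[self._next % len(self.pool)]
        self._next += 1
        return backend


class FlowHashLB:
    """Hash of the flow's 4-tuple chooses the backend, so all packets of a
    flow land on the same server while the pool is unchanged."""

    def __init__(self, pool: List[str]):
        self.pool = list(pool)

    def pick(self, flow: Flow) -> str:
        digest = hashlib.sha256(repr(flow).encode()).digest()
        return self.pool[int.from_bytes(digest[:8], "big") % len(self.pool)]


def backends_seen(lb, flow: Flow, n_packets: int) -> Set[str]:
    """Which backends receive the packets of one flow."""
    return {lb.pick(flow) for _ in range(n_packets)}


def remapped_fraction(old_pool: List[str], new_pool: List[str], n_flows: int = 1000) -> float:
    """Fraction of constructed flows whose backend changes when the pool
    changes, e.g. when one server is removed for maintenance."""
    old, new = FlowHashLB(old_pool), FlowHashLB(new_pool)
    flows = [("10.0.0.%d" % (i % 250 + 1), 30000 + i, "203.0.113.10", 443) for i in range(n_flows)]
    return sum(old.pick(f) != new.pick(f) for f in flows) / n_flows


if __name__ == "__main__":
    pool = ["srv-a", "srv-b", "srv-c"]
    flow = ("198.51.100.7", 41000, "203.0.113.10", 443)
    print("round robin :", sorted(backends_seen(RoundRobinLB(pool), flow, 6)))
    print("flow hash   :", sorted(backends_seen(FlowHashLB(pool), flow, 6)))
    print("remapped after removing srv-c: %.2f" % remapped_fraction(pool, pool[:2]))
```

With round robin a TCP connection's segments reach three different servers, so the connection only works if the backends share state or the balancer itself tracks sessions. The flow hash avoids that, but plain modulo hashing remaps about two thirds of all flows when one of three servers is removed; consistent hashing limits the disruption to roughly the removed server's share. Either way the client's packets arrive at an address they were never sent to, which is the debugging problem the slide raises: a capture on the client shows one destination, a capture on the server shows another.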