Policy-Aware Switching Layer for Data Centers

In this paper, the authors attempt to build a new infrastructure for data centers that allows policy-aware arbitrary chainings of middleboxes, which, as we have seen in previous papers, are useful but do not fit into the clean layering semantics of the network protocols. Traditionally, physical connectivity is used to ensure that messages traverse a specific set of middleboxes in a data center, but this is prone to many problems, as the paper spends a section pointing out.

As we've studied the various problems of middleboxes, I'll only mention the one new thing that I hadn't thought about in this paper was the fact that spanning-tree algorithms etc. at layer-2 can be very difficult to coax into the proper topology for actually ensuring the logical topology of middleboxes is enforced; I hadn't thought of the fact that some middleboxes rewrite ethernet frames and/or are not accessibile via IP address, causing this reliance on layer-2.

The actual idea is fairly simple: using modified commodity switches divided into a "switching core" and "policy core" where the two pieces look like normal switch components to each other in order to express a centralized policy that is distributed to each of the so-called pLayer switches in a manner that ensures the policy is enforced.

However, the requirement that unmodified middleboxes work with the system causes a number of headaches. Firstly, stateful boxes must always get the frames/packets that require the state (such a specific instance of a firewall getting all packets associated with a flow). In addition, the authors wish to make sure the policies are respected under all kinds of churn: allowing some laxness in the churn rules would make the resulting implementation quite a bit easier. This is the area where the most "hacky" thing in the paper comes out: the use of intermediate middleboxes of each type in order to ensure robustness under churn. I see no alternative way to implement this, without modifying the middleboxes or allowing some failures when churn occurs.

Overall this paper is a thorough design document for a reasonable system and is useful as such. Performance is less important in this phase of implementation, but I believe that as long as switching decisions can be done quickly, intra-datacenter latencies are low, and pSwitches implement fast matching, the system will not add an appreciable amount of latency when compared to internet latencies, while introducing a mechanism that is useful to almost every datacenter of decent size.