Computer Science

Policy enforcement in traditional non-SDN networks

Document Type

Article

Abstract

Middleboxes are widely used in modern networks for a variety of network functions in cybersecurity, performance enhancement, and monitoring. Middlebox policy enforcement is, however, complex and tedious, relying on unreliable manual re-configuration of legacy routers. The existing solution for automated policy enforcement relies on software-defined networking and does not apply to traditional non-SDN networks, which remain popular today in enterprise deployments and core networks. This paper proposes a new architecture based entirely on software-defined middleboxes (instead of the software-defined switches used in prior art) to enable dependable and automated policy enforcement in non-SDN networks whose routers forward packets based on traditional routing protocols that are not policy-sensitive. We present a hot-potato enforcement strategy, which is then enhanced with two optimizations for load-balanced policy enforcement among software-defined middleboxes. Next, we propose two additional optimizations that minimize total traffic and aggregate end-to-end delays subject to link capacity constraints. Further enhancements are made to relieve middlebox processing overhead, avoid packet fragmentation due to policy enforcement, recover from failures, and mitigate delay for time-sensitive applications. We evaluate the proposed architecture on a real-life campus network topology and two simulated topologies to demonstrate the superior performance of our load-balanced enforcement strategies. © 2023 Elsevier Inc.

Publication Title

Journal of Parallel and Distributed Computing

Publication Date

7-2023

Volume

177

First Page

39

Last Page

52

ISSN

0743-7315

DOI

10.1016/j.jpdc.2023.02.005

Keywords

computer network, middleboxes, network optimization, network security, policy enforcement

APA Citation

Odegbile, O., Ma, C., Chen, S., & Wang, Y. (2023). Policy enforcement in traditional non-SDN networks. Journal of Parallel and Distributed Computing, 177, 39-52.