Policy enforcement in traditional non-SDN networks
Middleboxes are widely used in modern networks for a variety of network functions in cybersecurity, performance enhancement, and monitoring. Middlebox policy enforcement is, however, complex and tedious, relying on unreliable manual re-configuration of legacy routers. Existing solutions for automated policy enforcement rely on software-defined networking and do not apply to traditional non-SDN networks, which remain popular today in enterprise deployments and core networks. This paper proposes a new architecture based entirely on software-defined middleboxes (instead of the software-defined switches used in prior work) to enable dependable and automated policy enforcement in non-SDN networks whose routers forward packets based on traditional routing protocols that are not policy-sensitive. We present a hot-potato enforcement strategy, which is then enhanced with two optimizations for load-balanced policy enforcement among software-defined middleboxes. Next, we propose two additional optimizations that minimize total traffic and aggregate end-to-end delays subject to link capacity constraints. Further enhancements are made to relieve middlebox processing overhead, avoid packet fragmentation due to policy enforcement, recover from failures, and mitigate delay for time-sensitive applications. We evaluate the proposed architecture on a real-life campus network topology and two simulated topologies to demonstrate the superior performance of our load-balanced enforcement strategies. © 2023 Elsevier Inc.
Journal of Parallel and Distributed Computing
computer network, middleboxes, network optimization, network security, policy enforcement
Odegbile, Olufemi; Ma, Chaoyi; Chen, Shingang; and Wang, Yuanda, "Policy enforcement in traditional non-SDN networks" (2023). Computer Science. 2.
Odegbile, O., Ma, C., Chen, S., & Wang, Y. (2023). Policy enforcement in traditional non-SDN networks. Journal of Parallel and Distributed Computing, 177, 39-52.