Monday, November 24, 2008

Policy-aware Switching Layer for Data Centers

Dilip Antony Joseph, Arsalan Tavakoli, Ion Stoica, "A Policy-aware Switching Layer for Data Centers"

Ideas
  • shares some ideas with "Middleboxes no longer considered harmful": traffic can be directed to traverse middleboxes without the middlebox being on the physical path
  • but: differs because it is not introducing new properties to IP, but instead replaces Layer II by PLayer
  • usual approach: put middleboxes on the physical path, hard to configure, possibly multiple physical paths between two nodes, different traffic supposed to go through different middleboxes
  • new approach: among Layer II switches, add (policy-aware) pswitches which route the packets through the middleboxes on Layer II based on policy specification
Goals
  • Correctness: Traffic should traverse middleboxes in the sequence specified by the network administrator
  • Flexibility: sequence of middleboxes should be easily reconfigured
  • Efficiency: traffic should not traverse unnecessary middleboxes
Principles
  • Separating policy from (physical) reachability
  • taking middleboxes off the physical network data path
  • policies: [Start,(5-tuple traffic selector)] -> sequence
  • translated into rules ([Previous Hop, Traffic Selector]: Next Hop) which are used by the pswitches
  • policy schemas (versioned) are created by administrator and pushed onto the pswitches
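As an added illustration (not code from the paper or its Click implementation), a small Python model of the policy-to-rule translation described above: a policy [Start, selector] -> sequence is compiled into per-hop (previous hop, selector) -> next hop rules, and a frame is walked through them. The middlebox names, the "DEST" sentinel and the 5-tuple field names are assumptions.

```python
# Constructed example of PLayer-style policy compilation (not the paper's code).
# A selector is a dict over the 5-tuple fields; None (or an absent key) is a wildcard.

def matches(selector, pkt):
    """True if every field in the selector equals the packet's field."""
    return all(v is None or pkt.get(k) == v for k, v in selector.items())

def compile_policy(start, selector, sequence):
    """Translate [start, selector] -> [mb1, mb2, ...] into pswitch rules.
    Each rule is ((previous_hop, selector), next_hop). The last next hop is
    the sentinel 'DEST', meaning: hand the frame to normal Layer II forwarding."""
    hops = [start] + list(sequence) + ["DEST"]
    return [((prev, selector), nxt) for prev, nxt in zip(hops, hops[1:])]

def next_hop(rules, previous_hop, pkt):
    """Rule lookup as a pswitch would do it: the hop the frame came from
    plus the traffic selector decide the next hop; no match means no policy."""
    for (prev, sel), nxt in rules:
        if prev == previous_hop and matches(sel, pkt):
            return nxt
    return "DEST"  # efficiency goal: traffic without a policy skips all middleboxes

def traverse(rules, start, pkt):
    """Simulate the hops a frame takes under the rule table, stopping at DEST."""
    path, hop = [], start
    while hop != "DEST":
        hop = next_hop(rules, hop, pkt)
        path.append(hop)
    return path

if __name__ == "__main__":
    # Constructed policy: web traffic from the core router goes firewall, then load balancer.
    rules = compile_policy("CORE_ROUTER", {"proto": "tcp", "dst_port": 80},
                           ["FIREWALL", "LOAD_BALANCER"])
    web = {"proto": "tcp", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.9", "dst_port": 80}
    print(traverse(rules, "CORE_ROUTER", web))
```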
Mechanisms
  • decoupling the switch core (can use a traditional core with the usual techniques to learn MAC addresses and build spanning trees) from the policy core (where the new rules are applied), with additional failure detection
  • encapsulate Ethernet frames in Ethernet-II frames (which carry the policy version): the spanning tree algorithm needs a different source MAC (a more physical one) than the firewall sees (a more logical one)
  • SrcMacRewrite to decapsulate Ethernet-II frames before entering (legacy) middlebox
  • in some situations pswitches require per-flow state
Other
  • implementation in Click, results
  • detailed discussions on various topologies
  • formal analysis
I like this more than the "Middleboxes no longer considered harmful" because
  • it integrates better into existing Layer II structures instead of adding yet another identifier
  • in "Middleboxes no longer considered harmful" nodes had to be configured to use the off-the-physical-path firewall, and it was unclear how an IP packet destined for a computer behind an off-the-physical-path firewall will actually be hindered from reaching the computer. In this paper this is clear.
I got a bit confused because MAC addresses are used in two different ways: one address is used for forwarding between pswitches, but another can be used when the packet is handed to a middlebox. I think the paper should have given these MACs different names, if possible.
