A Policy-Aware Switching Layer for Data Centers
Dilip Antony Joseph, Arsalan Tavakoli and Ion Stoica
Different applications in a data center require their traffic to traverse different sequences of firewalls, load balancers, and other middleboxes. Current best practices involve carefully placing middleboxes in sequence on the physical network path and relying on packet routing and configuration hacks to send traffic through the desired middlebox sequences. Physical on-path placement of middleboxes results in networks that are hard to configure and manage when application requirements or network topologies change. The implicit reliance on often unpredictable underlying mechanisms to select the sequence of middleboxes traversed by traffic precludes guaranteed traversal. For example, a crucial firewall may be bypassed when the network is in flux. We present the design and implementation of a policy-aware switching layer for data centers that simplifies the construction and management of physical network topologies conforming to complex logical topologies, and guarantees middlebox traversal in the sequence specified by application policy. The policy-aware switching layer achieves this by separating policy from reachability and explicitly redirecting traffic through unmodified off-path middleboxes easily plugged into the policy-aware switching layer like regular servers.
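As an added illustration of the abstract's core idea (not code from the paper or its authors), the following model shows a switch that forwards by policy rather than by physical path: each (traffic class, previous hop) pair maps to the next middlebox in the application's sequence, and a frame whose required middlebox is unreachable is dropped rather than forwarded around it. The policy format and the names `web`, `db`, `firewall`, `load_balancer` are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed policy model (assumption: the paper's exact policy encoding
# is not reproduced here): an ordered middlebox sequence per traffic class.
@dataclass(frozen=True)
class Policy:
    traffic_class: str   # which application's traffic this applies to
    sequence: tuple      # middleboxes that traffic MUST traverse, in order

class PolicyAwareSwitch:
    """Next-hop lookup keyed on (traffic class, hop the frame just came from)."""
    def __init__(self, policies):
        self.table = {}
        for p in policies:
            prev = "ingress"
            for hop in p.sequence:
                self.table[(p.traffic_class, prev)] = hop
                prev = hop
            self.table[(p.traffic_class, prev)] = "server"  # end of sequence

    def next_hop(self, traffic_class, previous_hop):
        key = (traffic_class, previous_hop)
        if key not in self.table:
            # No matching policy: fail closed instead of default-forwarding.
            raise LookupError(f"no policy for {key}")
        return self.table[key]

def deliver(switch, traffic_class, reachable):
    """Walk one frame through the layer; return the middleboxes it traversed.

    'reachable' is the set of middleboxes currently plugged in anywhere in the
    data center; physical placement is irrelevant because the switch redirects
    explicitly.  A missing middlebox drops the frame rather than bypassing it.
    """
    path, hop = [], "ingress"
    while True:
        hop = switch.next_hop(traffic_class, hop)
        if hop == "server":
            return path
        if hop not in reachable:
            raise RuntimeError(f"{hop} unreachable; dropping rather than bypassing")
        path.append(hop)

# Constructed sample policies: web traffic needs firewall then load balancer,
# database traffic needs only the firewall.
POLICIES = [Policy("web", ("firewall", "load_balancer")),
            Policy("db", ("firewall",))]
SWITCH = PolicyAwareSwitch(POLICIES)
```

Calling `deliver(SWITCH, "web", {"firewall", "load_balancer"})` yields the sequence the policy requires, and removing `firewall` from the reachable set makes delivery fail rather than silently skipping the firewall, which is the guarantee the abstract contrasts with on-path placement.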