Making Middleboxes Someone Else’s Problem: Network Processing as a Cloud Service: A Critique
Outsourcing non-core competencies to cloud services is common practice for most successful tech companies, since it decreases costs, eases management, and provides scalability. Deploying middlebox services to improve security and performance in their networks is just as common. Current middlebox processing schemes involve setting up and managing the infrastructure locally within the enterprise network. In their paper, Sherry et al. argue that the same advantages of a cloud service apply to a cloud-based middlebox solution. To that end, they implement APLOMB, “a practical service for outsourcing enterprise middlebox processing to the cloud.”
The paper is the first of its kind to provide a systematic review of real-world middlebox deployments, covering 57 enterprises ranging from small ( 10 middleboxes) to very large ( 1946 middleboxes). The authors are also the first to systematically explore the limitations and requirements of a real-world cloud solution for a wide variety of middleboxes. They further support this research with a concrete implementation of the proposed service built from off-the-shelf components such as EC2 and commodity gateways.
Although Sherry et al.’s APLOMB reduces the cost of middlebox infrastructure, it inevitably increases bandwidth costs, because the enterprise pays for bandwidth twice: once from the enterprise to the middlebox cloud, and again from the middlebox cloud to the outside world. The authors also acknowledge the security concerns that all cloud computing services face. But, as they report, these concerns have stopped neither the adoption of cloud services nor the compliance certifications granted to such services.
Sherry et al. position their research as a practical, real-world solution that could become a profitable business. In that regard, their biggest challenge is the inevitable increase in bandwidth cost that APLOMB causes. They try to mitigate this by introducing redundancy elimination and compression schemes that reduce bandwidth demand by roughly 30%. Even with that mitigation, a 1.7x increase in bandwidth cost would be expected. They further claim that a dedicated APLOMB provider could offer substantially lower prices once economies of scale come into play. For that to happen, however, the proposed APLOMB provider would need either a substantial initial investment before reaching profitability or rapid early adoption by large enterprises, both of which are hard to achieve. This does not detract from the valuable contribution the paper makes to the research community. It simply highlights that a real-world problem has complexities beyond the technical challenges, which the authors already handle well.
The reference APLOMB implementation described in the paper does an impressive job of adding minimal latency (<5 ms) for the vast majority of network traffic, while keeping a straightforward architecture and supporting a variety of different middlebox implementations. Apart from the financial challenges mentioned above, the solution provided is technically sound. I think a significant player like Amazon could get into this business quite easily given their expertise in cloud services, their existing infrastructure, and the customer base they have.
I did not realize until after the fact that this research was by the same professor, Justine Sherry, as BlindBox. I was impressed by the level of detail provided for the implementation and by the examination of the real-world implications of APLOMB. I wanted to learn more about who led the research and realized that Sherry et al. were also behind the BlindBox research, which shared similar characteristics in terms of providing thoughtful implementation details and real-world considerations.
J. Sherry, S. Hasan, C. Scott, A. Krishnamurthy, S. Ratnasamy, and V. Sekar. Making middleboxes someone else’s problem: Network processing as a cloud service. In Proceedings of the ACM SIGCOMM 2012 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, SIGCOMM ’12, pages 13–24, New York, NY, USA, 2012. ACM.
J. Sherry, C. Lan, R. A. Popa, and S. Ratnasamy. BlindBox: Deep packet inspection over encrypted traffic. In Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication, SIGCOMM ’15, pages 213–226, New York, NY, USA, 2015. ACM.