Middleboxes

A middlebox is a computer networking device that transforms, inspects, filters, and manipulates traffic for purposes other than packet forwarding. Examples of middleboxes include firewalls, network address translators (NATs), load balancers, and deep packet inspection (DPI) devices. The term ''middlebox'' was coined in 1999 by UCLA computer science professor Lixia Zhang.


Usage

Middleboxes are widely deployed across both private and public networks. Dedicated middlebox hardware is widely deployed in enterprise networks to improve network security and performance; however, even home network routers often have integrated firewall, NAT, or other middlebox functionality. One 2017 study counted more than 1,000 deployments in autonomous systems, in both directions of traffic flows, and across a wide range of networks, including mobile operators and data center networks.


Examples

The following are examples of commonly-deployed middleboxes:

* Firewalls filter traffic based on a set of predefined security rules defined by a network administrator. IP firewalls reject packets "based purely on fields in the IP and transport headers (e.g., disallow incoming traffic to certain port numbers, disallow any traffic to certain subnets, etc.)". Other types of firewalls may use more complex rulesets, including those that inspect traffic at the session or application layer.
* Intrusion detection systems (IDSs) monitor traffic and collect data for offline analysis for security anomalies. Unlike firewalls, which must decide whether to accept or reject each packet as it arrives, IDSs do not filter packets in real time and so can perform more complex inspection.
* Network address translators (NATs) replace the source and/or destination IP addresses of packets that traverse them. Typically, NATs are deployed to allow multiple end hosts to share a single IP address: hosts "behind" the NAT are assigned a private IP address, and their packets destined to the public Internet traverse a NAT, which replaces their internal private address with a shared public address. These are widely used by cellular network providers to manage scarce resources.
* WAN optimizers improve bandwidth consumption and perceived latency between endpoints. Typically deployed in large enterprises, WAN optimizers are deployed near both sending and receiving endpoints of communication; the devices then coordinate to cache and compress traffic that traverses the Internet.
* Load balancers provide one point of entry to a service, but forward traffic flows to one or more hosts that actually provide the service.
* Cellular networks use middleboxes to ensure scarce network resources are used efficiently as well as to protect client devices.


Criticism and challenges

Middleboxes have generated technical challenges for application development and have incurred "scorn" and "dismay" in the network architecture community for violating the end-to-end principle of computer system design.


Application interference

Some middleboxes interfere with application functionality, restricting or preventing end host applications from performing properly. In particular, network address translators (NATs) present a challenge in that NAT devices divide traffic destined to a public IP address across several receivers. When connections between a host on the Internet and a host behind the NAT are initiated by the host behind the NAT, the NAT learns that traffic for that connection belongs to the local host. Thus, when traffic coming from the Internet is destined to the public (shared) address on a particular port, the NAT can direct the traffic to the appropriate host. However, connections initiated by a host on the Internet do not present the NAT any opportunity to "learn" which internal host the connection belongs to. Moreover, the internal host itself may not even know its own public IP address to announce to potential clients what address to connect to. To resolve this issue, several new protocols have been proposed. Additionally, because middlebox deployments by cell operators such as AT&T and T-Mobile are opaque, application developers are often "unaware of the middlebox policies enforced by operators", while operators lack full knowledge about application behavior and requirements. For example, one carrier set an "aggressive timeout value to quickly recycle the resources held by inactive TCP connections in the firewall, unexpectedly causing frequent disruptions to long-lived and occasionally idle connections maintained by applications such as push-based email and instant messaging". Other common middlebox-induced application challenges include web proxies serving "stale" or out-of-date content, and firewalls rejecting traffic on desired ports.
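To make the NAT behaviour above concrete (the mapping learned from an outbound connection, the unsolicited inbound packet that has no owner, and the idle-timeout recycling in the carrier example), here is an added simulation in Python. It is not code from the original article; the public address, the port range and the 30-second timeout are assumptions.

```python
import itertools
# Constructed example (not code from the original article): a minimal NAT that
# behaves as the text describes. Private hosts share one public address, a
# mapping exists only after outbound traffic, and idle mappings are recycled.
PUBLIC_IP = "203.0.113.10"   # assumed public address (documentation range)
class NAT:
    def __init__(self, public_ip, idle_timeout):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout   # seconds of silence tolerated
        self.next_port = itertools.count(40000)
        self.table = {}       # public_port -> (private_ip, private_port, last_seen)
        self.by_private = {}  # (private_ip, private_port) -> public_port

    def _expire(self, now):
        """Drop mappings that have been idle longer than the timeout."""
        for port, (ip, p, seen) in list(self.table.items()):
            if now - seen > self.idle_timeout:
                del self.table[port]
                self.by_private.pop((ip, p), None)

    def outbound(self, src_ip, src_port, now):
        """Internal host sends a packet: learn (or refresh) its mapping and
        return the rewritten public (ip, port) source."""
        self._expire(now)
        key = (src_ip, src_port)
        if key not in self.by_private:
            self.by_private[key] = next(self.next_port)
        pub_port = self.by_private[key]
        self.table[pub_port] = (src_ip, src_port, now)
        return self.public_ip, pub_port

    def inbound(self, dst_port, now):
        """Packet from the Internet to the shared address: deliverable only if
        a live mapping names an internal owner; otherwise dropped (None)."""
        self._expire(now)
        entry = self.table.get(dst_port)
        if entry is None:
            return None
        self.table[dst_port] = (entry[0], entry[1], now)   # traffic refreshes it
        return entry[:2]

def demo():
    nat = NAT(PUBLIC_IP, idle_timeout=30)
    pub_a = nat.outbound("10.0.0.5", 51000, now=0)   # host A connects out
    pub_b = nat.outbound("10.0.0.6", 51000, now=1)   # host B, same private port
    reply = nat.inbound(pub_a[1], now=5)              # reply reaches host A
    unsolicited = nat.inbound(pub_a[1] + 50, now=5)   # no host ever mapped here
    late = nat.inbound(pub_a[1], now=60)              # idle 55 s > 30 s: recycled
    return pub_a, pub_b, reply, unsolicited, late
```

The last call models the push-email case: a connection that is merely quiet loses its firewall/NAT state and the next packet from the server is dropped.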


Internet extensibility and design

One criticism of middleboxes is that they can limit the choice of transport protocols, thus limiting application or service designs. Middleboxes may filter or drop traffic that does not conform to expected behaviors, so new or uncommon protocols or protocol extensions may be filtered out. Specifically, because middleboxes make hosts in private address realms unable to "pass handles allowing other hosts to communicate with them", they have hindered the spread of newer protocols like the Session Initiation Protocol (SIP) as well as various peer-to-peer systems. This progressive reduction in flexibility has been described as protocol ossification. Conversely, some middleboxes can assist in protocol deployment by providing a translation between new and old protocols. For example, IPv6 can be deployed on public endpoints such as load balancers, proxies, or other forms of NAT, with backend traffic routed over IPv4 or IPv6.


See also

* End-to-end connectivity
* Interactive Connectivity Establishment (ICE)
* Session Traversal Utilities for NAT (STUN)
* Traversal Using Relay NAT (TURN)
* Multilayer switch

