Middlebox

A middlebox is a computer networking device that transforms, inspects, filters, and manipulates traffic for purposes other than packet forwarding. Examples of middleboxes include firewalls, network address translators (NATs), load balancers, and deep packet inspection (DPI) boxes. UCLA computer science professor Lixia Zhang coined the term ''middlebox'' in 1999.


Usage

Middleboxes are widely deployed across both private and public networks. Dedicated middlebox hardware is common in enterprise networks, where it is used to improve network security and performance; even home network routers, however, often have integrated firewall, NAT, or other middlebox functionality. One 2017 study counted more than 1,000 middlebox deployments in autonomous systems, in both directions of traffic flows, and across a wide range of networks, including mobile operators and data center networks.


Examples

The following are examples of commonly deployed middleboxes:

* Firewalls filter traffic based on a set of predefined security rules defined by a network administrator. IP firewalls reject packets "based purely on fields in the IP and transport headers (e.g., disallow incoming traffic to certain port numbers, disallow any traffic to certain subnets etc.)". Other types of firewalls use more complex rulesets, including ones that inspect traffic at the session or application layer.
* Intrusion detection systems (IDSs) monitor traffic and collect data for offline analysis of security anomalies. Unlike firewalls, IDSs do not filter packets in real time; this frees them to perform more complex inspection than a firewall, which must decide whether to accept or reject each packet as it arrives.
* Network address translators (NATs) replace the source and/or destination IP addresses of packets that traverse them. Typically, NATs are deployed to allow multiple end hosts to share a single IP address: hosts "behind" the NAT are assigned a private IP address, and their packets destined to the public Internet traverse the NAT, which replaces the internal private address with a shared public address. NATs are widely used by cellular network providers to manage scarce resources such as public IPv4 addresses.
* WAN optimizers improve bandwidth consumption and perceived latency between endpoints. Typically used by large enterprises, WAN optimizers are deployed near both the sending and receiving endpoints of a communication; the devices then coordinate to cache and compress the traffic that traverses the Internet between them.
* Load balancers provide a single point of entry to a service but forward traffic flows to one or more hosts that actually provide it.
* Cellular networks use middleboxes to ensure scarce network resources are used efficiently as well as to protect client devices.
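The header-only filtering described for IP firewalls above, as an added example (not code from the original article): a stateless, first-match packet filter with an implicit default deny. The addresses (192.0.2.0/24 as the enterprise, 198.51.100.0/24 as the Internet), the policy and the packets are constructed for illustration. Two of the cases show the limits of header-only inspection: a packet carrying a hostile payload to an allowed port passes, and a transport protocol the rules do not name (SCTP) is dropped by the default deny, which is the mechanism by which middleboxes block new protocols.

```python
"""Header-only (stateless) packet filter with first-match rules and default deny.

Added example; addresses, policy and packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_SCTP = 1, 6, 17, 132


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for protocols without ports
    dport: Optional[int] = None
    syn: bool = False             # TCP flags; SYN without ACK = new connection
    ack: bool = False
    payload: bytes = b""          # carried, but an IP firewall never looks at it


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    direction: str                # "in" (from Internet) or "out" (to Internet)
    proto: Optional[int] = None   # None matches any protocol
    src: Optional[str] = None     # CIDR; None matches any address
    dst: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False     # match only TCP packets with ACK set (the classic
                                  # stateless heuristic for "reply traffic")

    def matches(self, pkt: Packet, direction: str) -> bool:
        if self.direction != direction:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established and not (pkt.proto == PROTO_TCP and pkt.ack):
            return False
        return True


class Firewall:
    """First-match rule evaluation; anything no rule allows is dropped."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def decide(self, pkt: Packet, direction: str) -> str:
        for rule in self.rules:
            if rule.matches(pkt, direction):
                return rule.action
        return "deny"


POLICY = [
    # Order matters: the management subnet is closed before the web rule opens 443.
    Rule("deny", "in", dst="192.0.2.64/26"),
    Rule("allow", "in", proto=PROTO_TCP, dport=443),
    Rule("allow", "in", proto=PROTO_TCP, established=True),
    Rule("allow", "out"),
]


def evaluate_policy() -> List[Tuple[str, str]]:
    """Run a set of constructed packets through POLICY; returns (label, decision)."""
    fw = Firewall(POLICY)
    cases = [
        ("https to web server",
         Packet("198.51.100.20", "192.0.2.10", PROTO_TCP, 51000, 443, syn=True), "in"),
        ("ssh to web server",
         Packet("198.51.100.20", "192.0.2.10", PROTO_TCP, 51001, 22, syn=True), "in"),
        ("https to management host",
         Packet("198.51.100.20", "192.0.2.70", PROTO_TCP, 51002, 443, syn=True), "in"),
        ("reply to outbound connection",
         Packet("198.51.100.20", "192.0.2.33", PROTO_TCP, 443, 40000, ack=True), "in"),
        ("sctp to web server",
         Packet("198.51.100.20", "192.0.2.10", PROTO_SCTP), "in"),
        ("malicious body on 443",
         Packet("198.51.100.20", "192.0.2.10", PROTO_TCP, 51003, 443, ack=True,
                payload=b"POST /upload ... exploit"), "in"),
        ("outbound dns",
         Packet("192.0.2.33", "198.51.100.53", PROTO_UDP, 40001, 53), "out"),
    ]
    return [(label, fw.decide(pkt, direction)) for label, pkt, direction in cases]


if __name__ == "__main__":
    for label, decision in evaluate_policy():
        print(f"{label:32s} {decision}")
```

The "established" rule is the weakness of a stateless filter: any inbound TCP segment with the ACK bit set matches it, whether or not a connection exists, which is why stateful firewalls track connections instead. The "malicious body on 443" case is allowed because nothing in the rules examines the payload; catching that is what DPI boxes are for.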


Criticism and challenges

Middleboxes have generated technical challenges for application development and have incurred "scorn" and "dismay" in the network architecture community for violating the end-to-end principle of computer system design.


Application interference

Some middleboxes interfere with application functionality, restricting or preventing end-host applications from performing properly. In particular, network address translators (NATs) present a challenge in that a NAT device divides traffic destined to a single public IP address across several receivers. When a connection between a host on the Internet and a host behind the NAT is initiated by the host behind the NAT, the NAT learns that traffic for that connection belongs to the local host. Thus, when traffic coming from the Internet is destined to the public (shared) address on a particular port, the NAT can direct it to the appropriate host. However, connections initiated by a host on the Internet give the NAT no opportunity to "learn" which internal host the connection belongs to. Moreover, the internal host itself may not even know its own public IP address, and so cannot announce to potential clients what address to connect to. To resolve this issue, several new protocols have been proposed. Additionally, because middlebox deployments by cell operators such as AT&T and T-Mobile are opaque, application developers are often "unaware of the middlebox policies enforced by operators", while operators lack full knowledge of application behavior and requirements. For example, one carrier set an "aggressive timeout value to quickly recycle the resources held by inactive TCP connections in the firewall, unexpectedly causing frequent disruptions to long-lived and occasionally idle connections maintained by applications such as push-based email and instant messaging". Other common middlebox-induced application challenges include web proxies serving "stale" or out-of-date content, and firewalls rejecting traffic on desired ports.
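The NAT behaviour described in the Examples section and the two failure modes described just above (unsolicited inbound connections that the NAT cannot map, and idle mappings recycled by an aggressive timeout), as an added example that is not code from the original article. It simulates a stateful NAT with a translation table and an idle timeout; the addresses (10.0.0.0/8 inside, 198.51.100.1 as the public address, 203.0.113.0/24 as Internet peers), the timeout values and the packets are constructed for illustration. The simulated clock is passed in explicitly so the runs are deterministic.

```python
"""Simulated stateful NAT: outbound packets create mappings, unsolicited inbound
packets are dropped, and idle mappings expire unless the application keeps them alive.

Added example; addresses, timeouts and packets are constructed for illustration.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Mapping:
    internal: Endpoint                                 # (private IP, private port)
    ext_port: int                                      # public port allocated by the NAT
    peers: Set[Endpoint] = field(default_factory=set)  # remote endpoints the host sent to
    last_seen: float = 0.0                             # clock value of the last packet


class Nat:
    """Endpoint-independent mapping with address-and-port-dependent filtering,
    the behaviour of a typical conntrack-style NAT (assumed for this example)."""

    def __init__(self, public_ip: str, idle_timeout: float, first_port: int = 1024):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.next_port = first_port
        self.by_internal: Dict[Endpoint, Mapping] = {}
        self.by_external: Dict[int, Mapping] = {}

    def _expire(self, now: float) -> None:
        # Entries idle longer than the timeout are recycled. A short timeout here is
        # the "aggressive timeout" that breaks long-lived, occasionally idle connections.
        for ext_port, m in list(self.by_external.items()):
            if now - m.last_seen > self.idle_timeout:
                del self.by_external[ext_port]
                del self.by_internal[m.internal]

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Host behind the NAT sends out: create or refresh the mapping and rewrite
        the source to the shared public address."""
        self._expire(now)
        key = (pkt.src, pkt.sport)
        m = self.by_internal.get(key)
        if m is None:
            m = Mapping(internal=key, ext_port=self.next_port)
            self.next_port += 1
            self.by_internal[key] = m
            self.by_external[m.ext_port] = m
        m.peers.add((pkt.dst, pkt.dport))
        m.last_seen = now
        return replace(pkt, src=self.public_ip, sport=m.ext_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Packet from the Internet to the public address: delivered only if an
        internal host previously opened this mapping to that peer."""
        self._expire(now)
        m = self.by_external.get(pkt.dport)
        if pkt.dst != self.public_ip or m is None:
            return None  # no mapping: the NAT has no way to learn which host this is for
        if (pkt.src, pkt.sport) not in m.peers:
            return None  # mapping exists, but this peer was never contacted from inside
        m.last_seen = now
        return replace(pkt, dst=m.internal[0], dport=m.internal[1])


def simulate_push(idle_timeout: float, push_at: float,
                  keepalive_every: Optional[float] = None) -> Optional[Packet]:
    """A client behind the NAT connects out at t=0 and then idles; the server tries
    to push data at t=push_at. Returns the packet delivered inside, or None."""
    nat = Nat("198.51.100.1", idle_timeout)
    client = Packet("10.0.0.5", 40000, "203.0.113.7", 443)
    out = nat.outbound(client, now=0)
    if keepalive_every is not None:
        t = keepalive_every
        while t < push_at:
            nat.outbound(client, now=t)  # application keepalive refreshes the entry
            t += keepalive_every
    push = Packet("203.0.113.7", 443, out.src, out.sport)
    return nat.inbound(push, now=push_at)


def simulate_unsolicited() -> Tuple[Optional[Packet], Optional[Packet]]:
    """Two inbound attempts no internal host initiated: one to an unmapped port,
    one to a live mapping but from a peer the host never contacted."""
    nat = Nat("198.51.100.1", idle_timeout=30)
    out = nat.outbound(Packet("10.0.0.5", 40000, "203.0.113.7", 443), now=0)
    unmapped = nat.inbound(Packet("203.0.113.9", 1234, "198.51.100.1", 5000), now=1)
    wrong_peer = nat.inbound(Packet("203.0.113.9", 1234, out.src, out.sport), now=1)
    return unmapped, wrong_peer


if __name__ == "__main__":
    print("push within timeout  :", simulate_push(30, push_at=10))
    print("push after expiry    :", simulate_push(30, push_at=60))
    print("push with keepalives :", simulate_push(30, push_at=60, keepalive_every=20))
    print("unsolicited inbound  :", simulate_unsolicited())
```

The third run is the workaround push-email and messaging clients actually use: a keepalive sent more often than the NAT's idle timeout keeps the mapping alive, at the cost of radio wake-ups and battery on mobile devices. Because the operator's timeout is not advertised, the client has to guess or probe it, which is the mutual opacity the paragraph above describes.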


Internet extensibility and design

One criticism of middleboxes is that they can limit the choice of transport protocols, thus limiting application or service designs. Middleboxes may filter or drop traffic that does not conform to expected behaviors, so new or uncommon protocols or protocol extensions may be filtered out. Specifically, the fact that middleboxes make hosts in private address realms unable to "pass handles allowing other hosts to communicate with them" has hindered the spread of newer protocols like the Session Initiation Protocol (SIP) as well as various peer-to-peer systems. This progressive reduction in flexibility has been described as protocol ossification. Conversely, some middleboxes can assist in protocol deployment by providing a translation between new and old protocols. For example, IPv6 can be deployed on public endpoints such as load balancers, proxies, or other forms of NAT, with backend traffic routed over IPv4 or IPv6.


See also

* End-to-end connectivity
* Interactive Connectivity Establishment (ICE)
* Session Traversal Utilities for NAT (STUN)
* Traversal Using Relays around NAT (TURN)
* Multilayer switch


References

* Ido Dubrawsky and Wes Noonan, "Broadband Routers and Firewalls", Cisco Press, http://www.ciscopress.com/articles/article.asp?p=598649&seqNum=5 (accessed 15 July 2012).
* Brian Carpenter, "Middleboxes: Taxonomy and Issues", RFC 3234, https://tools.ietf.org/html/rfc3234.
* Ricky Magalhaes, "The Difference Between Application and Session Layer Firewalls", http://www.windowsecurity.com/articles/difference-between-application-session-layer-firewalls.html (accessed 17 July 2012).
* "Understanding Intrusion Detection Systems", SANS Reading Room, http://www.sans.org/reading_room/whitepapers/detection/understanding-intrusion-detection-systems_337 (accessed 17 July 2012).
* K. Egevang and P. Francis, "The IP Network Address Translator (NAT)", RFC 1631, https://tools.ietf.org/html/rfc1631.
* Robert Poe, "What Is WAN Optimization, and How Can It Help You?", http://www.comparebusinessproducts.com/briefs/what-wan-optimization-and-how-can-it-help-you (accessed 17 July 2012).
* J. Rosenberg et al., "Session Traversal Utilities for NAT (STUN)", RFC 5389, https://tools.ietf.org/html/rfc5389.
* Walfish et al., "Middleboxes No Longer Considered Harmful", OSDI 2004, http://static.usenix.org/event/osdi04/tech/full_papers/walfish/walfish.pdf (accessed 17 July 2012).
* "Port Control Protocol Working Group", IETF, http://datatracker.ietf.org/wg/pcp/charter/ (accessed 17 July 2012).
* "NAT-PMP", http://tools.ietf.org/html/draft-cheshire-nat-pmp-03 (accessed 17 July 2012).
* "BlueCoat Knowledge Base: Proxy is displaying stale content", https://kb.bluecoat.com/index?page=content&id=KB3286 (accessed 17 July 2012).
* "Using FaceTime and iMessage behind a firewall", Apple Support, http://support.apple.com/kb/HT4245 (accessed 17 July 2012).
* Honda et al., "Is it still possible to extend TCP?", Internet Measurement Conference 2011, http://conferences.sigcomm.org/imc/2011/docs/p181.pdf.