Middlebox

A middlebox or network appliance is a computer networking device that transforms, inspects, filters, or otherwise manipulates traffic for purposes other than packet forwarding.[1] Common examples of middleboxes include firewalls, which filter unwanted or malicious traffic, and network address translators, which modify packets' source and destination addresses. Dedicated middlebox hardware is widely deployed in enterprise networks to improve network security and performance, however, even home network routers often have integrated firewall, NAT, or other middlebox functionality.[2] The widespread deployment of middleboxes and other network appliances has resulted in some challenges and criticism due to poor interaction with higher layer protocols.

Lixia Zhang, the Jonathan B. Postel Professor of Computer Science at the University of California, Los Angeles, coined the term "middlebox" in 1999.[3]

Types of middleboxes

The following are examples of commonly deployed middleboxes:

Criticism and challenges

Although widely deployed, middleboxes have generated some technical challenges for application development and some controversy regarding their impact.

Application interference

Some middleboxes interfere with application functionality, restricting or preventing end host applications from performing properly.

Network Address Translators present a challenge in that NAT devices divide traffic destined to a public IP address across several receivers. When connections between a host on the Internet and a host behind the NAT are initiated by the host behind the NAT, the NAT learns that traffic for that connection belongs to the local host. Thus, when traffic coming from the Internet is destined to the public (shared) address on a particular port, the NAT can direct the traffic to the appropriate host. However, connections initiated by a host on the Internet do not present the NAT any opportunity to "learn" which internal host the connection belongs to. Moreover, the internal host itself may not even know its own public IP address to announce to potential clients what address to connect to. To resolve this issue, several new protocols have been proposed.[8][9][10]

Other common middlebox-induced application challenges include web proxies serving "stale" or out of date content,[11] and firewalls rejecting traffic on desired ports.[12]

Internet extensibility and design

One criticism of middleboxes is they can limit choice of transport protocols, thus placing limits on application or service designs. Middleboxes may filter or drop traffic that does not conform to expected behaviors, so new or uncommon protocols or protocol extensions may be filtered by middleboxes.[13] Conversely, certain types of middlebox can assist in protocol deployment by providing a translation between new and old protocols: IPv6, for example, can be deployed on public endpoints such as load balancers, proxies, or other forms of NAT, with backend traffic routed over IPv4 or IPv6.

More generally, middleboxes are considered to violate the The End to End Principle of computer system design.[14]

References

  1. 1 2 Carpenter, B (2002). "Middleboxes: Taxonomy and Issues". RFC 3234.
  2. Ido Dubrawsky and Wes Noonan. "Broadband Routers and Firewalls". CISCO Press. Retrieved 15 July 2012.
  3. Kromhout, Wileen Wong (February 2, 2012), "Lixia Zhang named to UCLA's Jonathan B. Postel Chair in Computer Science", UCLA Newsroom, retrieved 2015-06-14
  4. Magalhaes, Ricky. "The Difference Between Application and Session Layer Firewalls". Retrieved 17 July 2012.
  5. "Understanding Intrusion Detection Systems". Retrieved 17 July 2012.
  6. K. Egevang and P. Francis. "The IP Network Address Translator (NAT)". RFC 1631.
  7. Poe, Robert. "What Is WAN Optimization, and How Can It Help You?". Retrieved 17 July 2012.
  8. J. Rosenberg; et al. "Session Traversal Utilities for NAT (STUN)". RFC 5389.
  9. "NAT-PMP". Retrieved 17 July 2012.
  10. "Port Control Protocol Working Group". Retrieved 17 July 2012.
  11. "BlueCoat Knowledge Base: Proxy is displaying stale content". Retrieved 17 July 2012.
  12. "Using FaceTime and iMessage behind a firewall". Retrieved 17 July 2012.
  13. Honda; et al. (2011). "Is it still possible to extend TCP?" (PDF). Internet Measurement Conference.
  14. Walfish; et al. (2004). "Middleboxes no longer considered harmful" (PDF). OSDI. Retrieved 17 July 2012.

See also

This article is issued from Wikipedia - version of the Friday, November 20, 2015. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.