Dependable Policy Enforcement in Traditional Non-SDN Networks

Middleboxes are widely used in modern networks for a variety of network functions in cybersecurity, performance enhancement, and monitoring. Middlebox policy enforcement is however complex and tedious with unreliable manual re-configuration of legacy routers. The existing solution on automated policy enforcement relies on software-defined networking and does not apply to the traditional non-SDN networks, which remain popular today in enterprise deployment and core networks. This paper proposes a new architecture based entirely on software-defined middleboxes (instead of using software-defined switches in the prior art) to enable dependable and automated policy enforcement in non-SDN networks whose routers forward packets based on traditional routing protocols that are not policy-sensitive. We present a hot-potato enforcement strategy, which is then enhanced with two optimizations for load-balanced policy enforcement. Further enhancements are made to relieve middlebox processing overhead and avoid packet fragmentation due to policy enforcement.