A Case for a Stateful Middlebox Networking Stack

摘要

Statful middleboxes such as intrustion detection systems, application-layer firewalls, and protocol analyzers are increasingly popular as they perform critical operations in modern networks. Such middleboxes typically operate by maintaining flow states of live TCP connections that pass through a network. Despite its growing demand, developing a stateful middlebox remains a challenging task. The root of complexity stems from a lack of common programming abstraction for middleboxes that clearly separates flow management from custom middlebox logic. As a result, middlebox developers often resort to writing a complex flow management module from scratch, which results in tens of thousands of code lines that are hardly portable. This is in stark contrast to developing networking applications for end nodes, which significantly benefits from a nice network abstraction layer such as Berkeley socket API. The lack of a reusable networking stack for middleboxes makes the code highly dependent on a custom packet library, which greatly reduces readability, modularity, and extensibility.