Middleboxes (also known as network functions) are systems that perform sophisticated and often stateful packet
processing, e.g. load balancers, caching proxies, intrusion
detection systems, etc.

Middlebox

From Wikipedia, the free encyclopedia

A middlebox or network appliance is a computer networking device that transforms, inspects, filters, or otherwise manipulates traffic for purposes other than packet forwarding.[1] Common examples of middleboxes include firewalls, which filter unwanted or malicious traffic, and network address translators, which modify packets' source and destination addresses. Dedicated middlebox hardware is widely deployed in enterprise networks to improve network security and performance, however, even home network routers often have integrated firewall, NAT, or other middlebox functionality.[2] The widespread deployment of middleboxes and other network appliances has resulted in some challenges and criticism due to poor interaction with higher layer protocols.

Lixia Zhang, the Jonathan B. Postel Professor of Computer Science at the University of California, Los Angeles, coined the term "middlebox" in 1999.[3]

Contents

Types of middleboxes

The following are examples of commonly deployed middleboxes:

      • Firewalls filter traffic based on a set of pre-defined security rules defined by a network administrator. IP firewalls reject packets "based purely on fields in the IP and Transport headers (e.g. disallow incoming traffic to certain port numbers, disallow any traffic to certain subnets etc.)"[1] Other types of firewalls may use more complex rulesets, including those that inspect traffic at the session or application layer.[4]
      • Intrusion Detection Systems monitor traffic and collect data for offline analysis for security anomalies. Because IDSs unlike firewalls do not filter packets in real-time, they traditionally are capable of more complex inspection than firewalls which must make an accept/reject decision about each packet as it arrives.[5]
      • Network Address Translators replace the source and/or destination IP addresses of packets that traverse them. Typically, NATs are deployed to allow multiple end hosts to share a single IP address: hosts "behind" the NAT are assigned a private IP address and their packets destined to the public Internet traverse a NAT which replaces their internal, private address with a shared public address.[6]
      • WAN Optimizers improve bandwidth consumption and perceived latency between dedicated endpoints.[7] Typically deployed in large enterprises, WAN optimizers are deployed near both sending and receiving endpoints of communication; the devices then co-ordinate to cache and compress traffic that traverses the Internet.
      • Load balancers provide one point of entry to a service, but forward traffic flows to one or more hosts that actually provide the service.

Criticism and challenges

Although widely deployed, middleboxes have generated some technical challenges for application development and some controversy regarding their impact.

Application interference

Some middleboxes interfere with application functionality, restricting or preventing end host applications from performing properly.

Network Address Translators present a challenge in that NAT devices divide traffic destined to a public IP address across several receivers. When connections between a host on the Internet and a host behind the NAT are initiated by the host behind the NAT, the NAT learns that traffic for that connection belongs to the local host. Thus, when traffic coming from the Internet is destined to the public (shared) address on a particular port, the NAT can direct the traffic to the appropriate host. However, connections initiated by a host on the Internet do not present the NAT any opportunity to "learn" which internal host the connection belongs to. Moreover, the internal host itself may not even know its own public IP address to announce to potential clients what address to connect to. To resolve this issue, several new protocols have been proposed.[8][9][10]

Other common middlebox-induced application challenges include web proxies serving "stale" or out of date content,[11] and firewalls rejecting traffic on desired ports.[12]

Internet extensibility and design

One criticism of middleboxes is they can limit choice of transport protocols, thus placing limits on application or service designs. Middleboxes may filter or drop traffic that does not conform to expected behaviors, so new or uncommon protocols or protocol extensions may be filtered by middleboxes.[13] Conversely, certain types of middlebox can assist in protocol deployment by providing a translation between new and old protocols: IPv6, for example, can be deployed on public endpoints such as load balancers, proxies, or other forms of NAT, with backend traffic routed over IPv4 or IPv6.

More generally, middleboxes are considered to violate the The End to End Principle of computer system design.[14]

References

  1. Walfish; et al. (2004). "Middleboxes no longer considered harmful" (PDF). OSDI. Retrieved 17 July 2012.

See also

中间件(middlebox)的更多相关文章

  1. ASP.NET Core 中的那些认证中间件及一些重要知识点

    前言 在读这篇文章之间,建议先看一下我的 ASP.NET Core 之 Identity 入门系列(一,二,三)奠定一下基础. 有关于 Authentication 的知识太广,所以本篇介绍几个在 A ...

  2. ASP.NET Core应用的错误处理[3]:ExceptionHandlerMiddleware中间件如何呈现“定制化错误页面”

    DeveloperExceptionPageMiddleware中间件利用呈现出来的错误页面实现抛出异常和当前请求的详细信息以辅助开发人员更好地进行纠错诊断工作,而ExceptionHandlerMi ...

  3. ASP.NET Core应用的错误处理[2]:DeveloperExceptionPageMiddleware中间件如何呈现“开发者异常页面”

    在<ASP.NET Core应用的错误处理[1]:三种呈现错误页面的方式>中,我们通过几个简单的实例演示了如何呈现一个错误页面,这些错误页面的呈现分别由三个对应的中间件来完成,接下来我们将 ...

  4. ASP.NET Core 中间件之压缩、缓存

    前言 今天给大家介绍一下在 ASP.NET Core 日常开发中用的比较多的两个中间件,它们都是出自于微软的 ASP.NET 团队,他们分别是 Microsoft.AspNetCore.Respons ...

  5. .NET Core中间件的注册和管道的构建(3) ---- 使用Map/MapWhen扩展方法

    .NET Core中间件的注册和管道的构建(3) ---- 使用Map/MapWhen扩展方法 0x00 为什么需要Map(MapWhen)扩展 如果业务逻辑比较简单的话,一条主管道就够了,确实用不到 ...

  6. .NET Core中间件的注册和管道的构建(2)---- 用UseMiddleware扩展方法注册中间件类

    .NET Core中间件的注册和管道的构建(2)---- 用UseMiddleware扩展方法注册中间件类 0x00 为什么要引入扩展方法 有的中间件功能比较简单,有的则比较复杂,并且依赖其它组件.除 ...

  7. .NET Core中间件的注册和管道的构建(1)---- 注册和构建原理

    .NET Core中间件的注册和管道的构建(1)---- 注册和构建原理 0x00 问题的产生 管道是.NET Core中非常关键的一个概念,很多重要的组件都以中间件的形式存在,包括权限管理.会话管理 ...

  8. 从中间件的历史来看移动App开发的未来

    在移动开发领域我们发现一个很奇怪的现象:普通菜鸟新手经过3个月的培训就可以拿到 8K 甚至上万的工作:在北京稍微有点工作经验的 iOS 开发,就要求 2 万一个月的工资.不知道大家是否想过:移动应用开 ...

  9. ASP.NET Core的路由[4]:来认识一下实现路由的RouterMiddleware中间件

    虽然ASP.NET Core应用的路由是通过RouterMiddleware这个中间件来完成的,但是具体的路由解析功能都落在指定的Router对象上,不过我们依然有必要以代码实现的角度来介绍一下这个中 ...

随机推荐

  1. Tomcat 目录详解

     一.文字版本: bin: 该目录下存放的是二进制可执行文件,如果是安装版,那么这个目录下会有两个exe文件:tomcat6.exe.tomcat6w.exe,前者是在控制台下启动Tomcat,后者是 ...

  2. mkfifo

    管道是Linux的十种文件类型之一,使用管道通信本质上还是以文件作为通信的媒介 有名管道+无名管道=管道 有名管道(FIFO文件):就是 有文件名的管道, 可以用于任意两个进程间的通信 无名管道(pi ...

  3. C++ 中指针与引用的区别

    指向不同类型的指针的区别在于指针类型可以知道编译器解释某个特定地址(指针指向的地址)中的内存内容及大小,而void*指针则只表示一个内存地址,编译器不能通过该指针所指向对象的类型和大小,因此想要通过v ...

  4. 超链接a的target属性

    <a>标签的target意思很明确就是在哪里打开目标文档. 第一种情况: 默认情况:当我们没有设置超链接属性target的value值时默认是_self,即<a target=&qu ...

  5. [转]学习Nop中Routes的使用

    本文转自:http://www.cnblogs.com/miku/archive/2012/09/27/2706276.html 1. 映射路由 大型MVC项目为了扩展性,可维护性不能像一般项目在Gl ...

  6. 使用 React.js 的渐进式 Web 应用程序:第 1 部分 - 介绍

      使用 React.js 的渐进式 Web 应用程序:第 1 部分 - 介绍 使用 React.js 的渐进式 Web 应用程序:第 1 部分 - 介绍 来自译者 markzhai:大家也知道最近 ...

  7. document对象补充

    五.相关元素操作: var a = document.getElementById("id");                找到a: var b = a.nextSibling ...

  8. [No000034]知乎-长期接收碎片化知识有什么弊端?

    你所接受的一切信息,构成了你的思维方式. 所以,长期接受碎片信息的后果,就是让你的思维变得狭隘,难以进行复杂的思考. 碎片信息通常具备这样的特征: •它们往往是一些事实的集合而非逻辑 •它们往往大量简 ...

  9. 当一名黑客获得一份WebShell后,会做什么

    当你获得一份webshell后,你会干嘛? 我曾获得N多webshell.什么discuz.dedecms.phpwind.phpweb.aspcms等等,甚至还包括N多自己研发的线上平台. 可是,问 ...

  10. 实现鼠标拖动canvas绘制的图片

    不啰嗦上代码: <html> <head> <meta http-equiv="Content-Type" content="text/ht ...