Abstract

Traditionally, Internet Service Providers (ISPs) have used a centralized traffic filtering architecture, in which unwanted traffic heading towards a customer who subscribes to their filtering service is diverted to a security data center (SDC), from where only traffic deemed wanted is re-routed back to the customer over an overlay network of tunnels. Given the huge volumes of traffic seen today, this centralized architecture's scalability is already being stretched from a network capacity point of view. Moreover, the traffic diversion mechanism requires configuring and maintaining tunnels, which is a network management overhead. We argue that this centralized architecture and its tunnel-based traffic diversion mechanism will not scale as we move further into the era where ISPs are becoming, or providing connectivity to, cloud providers. We propose a distributed architecture with multiple SDCs that scales from a capacity perspective, and describe how a standardized router capability, Border Gateway Protocol—Flow Specifications, can be used to selectively propagate traffic diversion routes, which eliminates the need for tunnels. Furthermore, we show how the assignment of arriving traffic to specific SDCs can be modeled and solved as a mathematical optimization problem, which enables automated instantiation of the filtering service and also helps quantify the benefits of the distributed architecture from a capacity utilization perspective.
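
The SDC assignment idea in the abstract can be illustrated with a small capacity-constrained assignment problem. This is an added example, not the paper's own model or code. It assumes each ingress router's diverted traffic goes to exactly one SDC and that the cost is traffic volume times hop count. All names, capacities and volumes are constructed.

```python
from itertools import product

# Constructed sample data (not from the paper): diverted traffic per ingress
# router in Gbps, scrubbing capacity per SDC in Gbps, ingress-to-SDC hop counts.
DEMAND = {"A": 40, "B": 30, "C": 20, "D": 10}
CAPACITY = {"east": 60, "west": 60}
HOPS = {
    "A": {"east": 1, "west": 4},
    "B": {"east": 2, "west": 3},
    "C": {"east": 4, "west": 1},
    "D": {"east": 3, "west": 2},
}

def assign_to_sdcs(demand, capacity, hops):
    """Return (cost, {ingress: sdc}) minimizing sum(Gbps * hops) with no SDC
    loaded beyond its capacity, or None when no feasible assignment exists.
    Exhaustive search: fine for a handful of sites, not for a real backbone."""
    ingresses, sdcs = sorted(demand), sorted(capacity)
    best = None
    for choice in product(sdcs, repeat=len(ingresses)):
        load = dict.fromkeys(sdcs, 0)
        cost = 0
        for ing, sdc in zip(ingresses, choice):
            load[sdc] += demand[ing]
            cost += demand[ing] * hops[ing][sdc]
        if any(load[s] > capacity[s] for s in sdcs):
            continue  # this assignment overloads at least one SDC
        if best is None or cost < best[0]:
            best = (cost, dict(zip(ingresses, choice)))
    return best

def main():
    # Distributed: two SDCs of 60 Gbps each.
    print("distributed:", assign_to_sdcs(DEMAND, CAPACITY, HOPS))
    # Centralized with the same per-site capacity: 100 Gbps does not fit.
    print("central, 60 Gbps:", assign_to_sdcs(DEMAND, {"east": 60}, HOPS))
    # Centralized with capacity doubled: feasible, but traffic travels further.
    print("central, 120 Gbps:", assign_to_sdcs(DEMAND, {"east": 120}, HOPS))

if __name__ == "__main__":
    main()
```

The resulting assignment is the kind of input an automated provisioning step would need in order to decide which diversion route each ingress router should receive.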
