Experiences deploying a transparent split TCP middlebox and the implications for NFV

Abstract

This paper summarizes our experiences deploying a transparent Split TCP middlebox for WiFi networks in Enterprise customer environments. Since Split TCP is nearly two decades old, we believed this would be a straightforward application of well-known technology. Reality, however, would teach us otherwise. While we began our deployment in our own office with 3,000 users, we encountered several challenges in deploying this technology at customer sites. Each customer had different network architectures, security policies, and non-negotiable requirements. In particular, modifying the network architecture was frequently impossible. Deployment challenges tended to fall into two related but distinct categories. First, making the box transparent to both clients and servers required extending the notion of transparency from beyond just layer 3 and layer 4 to include layer 2. Second, the interaction of our middlebox with other middleboxes resulted in unexpected behaviors. Our deployments supported up to 15,000 simultaneous users and lasted up to 2 years. We offer up our experiences so that others need not repeat them. We discuss some implications of our experiences on deploying network functionality in virtual environments, or Network Function Virtualization (NFV). If NFV is to be successful in real environments, these challenges will need to be overcome.