NFShunt: a hybrid SDN firewall for your science DMZ

The science DMZ architecture proposed by ESNet creates a friction-free network path for high bandwidth-delay product connections. Case studies show that (given sufficient switch packet buffers) this network architecture enables reliable high network performance for data-intensive science applications. Site-specific implementations can be adapted to incorporate network security measures beyond the recommended router or switch access control lists. This presentation introduces NFShunt to the NREN community. NFShunt is an open-source OpenFlow controller which (similar to SciPass) performs dynamic per-connection hardware offloading in combination with a software firewall. Details of the design and prototype implementation are provided. The performance of NFShunt was compared to a commercial firewall appliance under high RTT at 10Gbps in lab experiments. The presentation concludes with an analysis of our results and presents our plans for pilot implementation in the SANReN network.


Part of session

4C - SDN traffic control

