Modern communications networks typically include a number of network appliances, including so-called "middleboxes." In recent years, middleboxes have become a prevalent and important component in modern network infrastructures. Middleboxes typically perform various types of traffic manipulation, acting as routers, firewalls, network address translators, and the like. Middleboxes can provide datacenter and enterprise network operators with an ability to deploy new network functionality as add-on components, which can directly inspect, modify, and block or re-direct network traffic. This, in turn, can help increase the security and/or performance of those networks.
While some conventional middleboxes are deployed as physical appliances, middleboxes are increasingly being virtualized. For example, with the introduction of Network Functions Virtualization (NFV), many network functions (e.g., firewalls, network address translators, and load balancers), which formerly ran on proprietary hardware, are now implemented in software (e.g., on commodity servers in a virtualized environment). In general, moving away from fixed physical appliances can add elasticity to the network, which can allow the network to scale as needed (on demand) and to quickly recover from failure. For example, rather than implementing network functions on underutilized devices (e.g., with 5-20% utilization), which can still become overloaded to the point of failure with large swings in demand, an NFV-based infrastructure can be quickly and efficiently scaled as needed. This can help avoid business failures and/or other undesirable outcomes.
However, full virtualization benefits, such as increased elasticity and failure recovery, may not be achievable unless the network can freely launch new instances of functions and reassign traffic to those instances. While this type of virtualization can be relatively straightforward for some types of network functions, middlebox functions have proven rife with difficulty. In particular, middlebox functions tend to rely on state that is locked into a particular network function instance. For example, firewalls often rely on maintaining connection information state, network address translators often rely on maintaining address mapping state, load balancers often rely on maintaining server selection mapping state, etc. Maintaining such state can require that every packet of a given flow of traffic pass through the same network function instance. State reliance can tend to limit such network functions' ability to be elastic, to be failure resilient, and to handle other challenges, such as asymmetric/multi-path routing and middlebox software updates.
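The following illustration is added here and is not part of the patent text. It models the connection-tracking firewall case described above: a new firewall instance launched during scale-out has none of the state created by the original instance, so the return packet of an already-established flow is dropped when traffic is reassigned to it; giving both instances access to the same state table (one way of unlocking the state from the instance) makes the reassignment transparent. The firewall policy (inbound allowed only for flows first seen outbound), the instance names, and the addresses and ports are constructed assumptions for the example.

```python
"""Added example: per-instance connection state versus shared state when a flow is
reassigned to a newly launched middlebox instance. All packet values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Flow key normalized to (inside_ip, inside_port, outside_ip, outside_port, proto)
# so that both directions of one connection map to the same table entry.
FlowKey = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    direction: str  # "out" = from inside network, "in" = from outside

    def flow_key(self) -> FlowKey:
        if self.direction == "out":
            return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


class FirewallInstance:
    """A stateful firewall instance (hypothetical model, not the patent's design).

    `table` holds its connection-tracking state. With no argument the table is
    private to the instance, i.e. the state is locked into that network function.
    Passing a shared dict lets several instances see the same state.
    """

    def __init__(self, name: str, table: Optional[Dict[FlowKey, str]] = None):
        self.name = name
        self.table = table if table is not None else {}

    def process(self, pkt: Packet) -> str:
        key = pkt.flow_key()
        if pkt.direction == "out":
            # Outbound traffic from the inside creates connection state.
            self.table[key] = "ESTABLISHED"
            return "ALLOW"
        # Inbound traffic is allowed only if matching state exists here.
        return "ALLOW" if key in self.table else "DROP"


def run_flow(instances: List[FirewallInstance],
             schedule: List[Tuple[str, Packet]]) -> List[str]:
    """Deliver each packet to the instance the network assigned it to; return verdicts."""
    by_name = {inst.name: inst for inst in instances}
    return [by_name[name].process(pkt) for name, pkt in schedule]


# Constructed sample flow: inside host opens a TCP connection, outside host replies.
OUT = Packet("10.0.0.5", 40001, "203.0.113.9", 443, "tcp", "out")
REPLY = Packet("203.0.113.9", 443, "10.0.0.5", 40001, "tcp", "in")


def same_instance_scenario() -> List[str]:
    """Baseline: both packets traverse fw1, so the reply matches fw1's state."""
    fw1 = FirewallInstance("fw1")
    return run_flow([fw1], [("fw1", OUT), ("fw1", REPLY)])


def locked_state_scenario() -> List[str]:
    """Scale-out with per-instance state: fw2 is new and never saw the outbound
    packet, so when the network reassigns the flow, the legitimate reply is dropped."""
    fw1, fw2 = FirewallInstance("fw1"), FirewallInstance("fw2")
    return run_flow([fw1, fw2], [("fw1", OUT), ("fw2", REPLY)])


def shared_state_scenario() -> List[str]:
    """Scale-out with state shared between instances: fw2 finds the entry fw1
    created, so reassigning the flow does not break the connection."""
    shared: Dict[FlowKey, str] = {}
    fw1, fw2 = FirewallInstance("fw1", shared), FirewallInstance("fw2", shared)
    return run_flow([fw1, fw2], [("fw1", OUT), ("fw2", REPLY)])


if __name__ == "__main__":
    print("same instance :", same_instance_scenario())
    print("locked state  :", locked_state_scenario())
    print("shared state  :", shared_state_scenario())
```

The same pattern applies to the NAT and load-balancer cases the text mentions: replace the connection table with an address-mapping or server-selection table, and a reassigned flow either finds its mapping on the new instance or gets a fresh, inconsistent one.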