A Monitoring-based Load Balancing Scheme for Network Security Functions

This paper proposes an enhanced Interface to Network Security Functions (I2NSF) framework. To improve the whole packet throughput and manage resource of Network Security Functions (NSFs), the enhanced I2NSF framework monitors NSFs and distributes incoming packets to NSFs efficiently. Even if the legacy framework that provides security services using Software-Defined Networking (SDN) and Network Functions Virtualization (NFV) has the similar NSFs, it is inefficient to be unable to distribute the packets to multiple NSFs. Based on the legacy I2NSF framework, therefore, we add two kinds of communication such as (i) communication between NSFs and security controller to monitor NSFs and (ii) communication between Security Function Forwarder (SFF) and security controller to perform the load balance for the packets to multiple NSFs. For the further communications between NSFs with security controller, we present a message format based on the information model proposed by Internet Engineering Task Force (IETF) I2NSF Working Group. We use capability data model proposed by IETF I2NSF WG, which describes the capability of an NSF. In order to show the feasibility of the proposed framework, we implemented the enhanced framework using IETF standards and open sources.