HotSDN’13 author pdf
… the dynamic and traffic-dependent modifications induced by middleboxes … a flow tracking capability to ensure consistent policy enforcement … FlowTags, an extended SDN architecture in which middleboxes add Tags to outgoing packets, to provide the necessary causal context (e.g., source hosts or internal cache/miss rate).
stateful policy routing (e.g., a packet traverses a given sequence of middleboxes), access control (e.g., rate limiting traffic)
a new “southbound” controller-middlebox interface that enables SDN controllers to configure the flow tagging capability, and the support needed from middleboxes to implement FlowTags-related functions.
Middleboxes, such as proxies, that implement optimizations such as content caching and connection caching make it harder to reason about policy correctness. … can no longer assume a one-to-one mapping between incoming and outgoing flows at such middleboxes. … these actions may dynamically depend on the actual traffic patterns.
Consolidation: consolidate middlebox functionality; e.g., run the ACRL logic inside the proxy or have SDN switches emulate some middleboxes (e.g., NAT, load balancers).
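The following toy simulation is an added example, not code from the paper or from FlowTags: it shows how a caching proxy hides the source host from a downstream access-control check, and how a tag carrying the original source and cache hit/miss state restores enforcement. The topology (client, proxy, ACL), the addresses, the URL, and the tag field names `orig_src` and `cache_hit` are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

PROXY_ADDR = "10.0.0.254"            # constructed address
URL = "http://blocked.example/"      # constructed URL
# Constructed policy: (source host, URL) pairs that must be denied.
BLOCKED = {("10.0.0.2", URL)}

@dataclass
class Packet:
    src: str
    url: str
    tag: Optional[dict] = None       # hypothetical tag layout, not the paper's encoding

class Proxy:
    """Caching proxy: rewrites the source address and may answer from cache."""
    def __init__(self, tagging: bool):
        self.tagging = tagging
        self.cache = set()

    def handle(self, pkt: Packet):
        hit = pkt.url in self.cache
        self.cache.add(pkt.url)
        # With tagging enabled, the middlebox attaches the causal context
        # that the rewrite would otherwise destroy.
        tag = {"orig_src": pkt.src, "cache_hit": hit} if self.tagging else None
        return Packet(PROXY_ADDR, pkt.url, tag), hit

def acl_allows(pkt: Packet) -> bool:
    """Downstream ACL: uses the tag when present, else the visible source."""
    src = pkt.tag["orig_src"] if pkt.tag else pkt.src
    return (src, pkt.url) not in BLOCKED

def delivered(proxy: Proxy, src: str, url: str) -> bool:
    """True if the content reaches the client."""
    out, hit = proxy.handle(Packet(src, url))
    if hit and out.tag is None:
        # Untagged cache hit: the response goes straight back to the
        # client, so the ACL never sees this flow.
        return True
    # Cache miss, or tagged traffic that the network steers through the ACL.
    return acl_allows(out)

if __name__ == "__main__":
    for tagging in (False, True):
        p = Proxy(tagging)
        print(tagging, delivered(p, "10.0.0.1", URL), delivered(p, "10.0.0.2", URL))
```

Without tags the blocked host is served on both the miss path (the ACL only sees the proxy's address) and the hit path (the ACL is bypassed); with tags the same requests are denied.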