fire: flexible intra-as routing environment craig partridge, alex c. snoeren † tim strayer,...
![Page 1: FIRE: Flexible Intra-AS Routing Environment Craig Partridge, Alex C. Snoeren † Tim Strayer, Beverly Schwartz, Matthew Condell Isidro Castiñeyra BBN Technologies](https://reader036.vdocuments.net/reader036/viewer/2022082816/56649f3f5503460f94c60080/html5/thumbnails/1.jpg)
FIRE: Flexible Intra-AS Routing Environment
Craig Partridge, Alex C. Snoeren†, Tim Strayer, Beverly Schwartz, Matthew Condell, Isidro Castiñeyra
BBN Technologies; † MIT Lab for Computer Science
Route & Traffic Diversity
Figure: endpoints A and B joined by three alternative routes, labelled "low latency, but expensive", "high bandwidth, low cost" and "secure". Caption: pick only one? Pick every one!
Mainstream Internet Routing
• Today's IP routing protocols are closed
  - Algorithms are fixed and hard to change
  - Metrics are fixed and hard to change
• Limited support for traffic engineering
  - Layer 3 may provide different queuing disciplines for each traffic class (QoS)
  - But specialized class-based "routing" is implemented at Layer 2
Towards Active Networking
• The goal: greater control of packet routing
  - Traffic engineering for quality of service, policy-based routing, differentiated services…
  - Without the need for pervasive Layer 2 technologies such as MPLS or ATM VCs
• An approach: allow individual packets to control routing behavior in the data path
  - Imposes greater router performance requirements
  - Creates new security and stability concerns
FIRE Innovations
• Open routing interface, on the control path
  - Operator controlled, maintains consistency
• Separate routing protocol components
  - Property advertisement
  - Path calculation
  - State distribution
• Support vectors of dynamic metrics
• Different algorithms for each traffic class
• Built-in reliable flooding mechanism
FIRE Router Architecture
Figure: block diagram of a FIRE router with the following labelled components: packet filters, flooding mechanism, property repository, SA generation, routing algorithms, property applets, forwarding tables, überfilter, data path, virtual machine.
Properties
• Each entity advertises sets of properties
  - e.g. cost, utilization, ownership, security level…
  - For nodes, networks, and unidirectional links
• Values can be obtained in three ways:
  - Statically configured
  - Obtained from MIBs
  - Generated by downloadable property applets
• Applets generate dynamic values
  - Cryptographically-secured downloadable applets
  - Invoked occasionally at each router
Routing Algorithms
• Operator specifies which algorithm(s) to run
  - A native SPF implementation is built in; other algorithms may be downloaded, like multi-objective optimization…
  - … or something completely different!
• Multiple algorithms for multiple classes
  - e.g. SPF/cost, SPF/delay, maximum bandwidth
  - Each produces a separate forwarding table
• Invoked upon property advertisement arrival
  - Precautions are taken to prevent thrashing
FIRE Class-Based Forwarding
• Multiple, independent forwarding tables
  - Each algorithm constructs its own forwarding tables based upon the distributed link-state database
  - Traffic classes are assigned to forwarding tables by operator-specified packet filters
  - FreeBSD prototype performance similar to standard kernel forwarding
• Multiple, independent FIRE instances
  - Several FIRE instances may run simultaneously
  - Each instance is managed independently (VPNs)
  - Data traffic is separated by an überfilter
Data Path Flow Diagram
Figure: an incoming IP packet header first passes the überfilter, which steers it to a FIRE instance (VPN 1, VPN 2, or Default). Within an instance, operator-specified filters (Filter 1 through Filter 8) assign the packet to one of the forwarding tables (Forwarding Table 1, 2, 3, or Default Forwarding), each built by a different algorithm: SPF (hop count), Bottleneck (bandwidth), SPF (delay), SPF (cost).
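The Routing Algorithms and Class-Based Forwarding slides and the flow diagram above describe one shared link-state database feeding several algorithms, each producing its own forwarding table, with operator-specified packet filters choosing the table per packet. The following is an added example and not the FIRE prototype's code: a generic label-setting routine (Dijkstra) parameterised so that SPF on cost, delay or hop count and a bottleneck-bandwidth algorithm are just different parameter sets, run over a constructed five-link topology, followed by a first-match filter chain. The topology, property values, class names and filter rules are all invented for the illustration, and the überfilter stage that selects a FIRE instance is omitted.

```python
"""Per-class forwarding tables from one link-state database.

Added example, not the FIRE prototype's code. The topology, the property
vector on each link, the traffic classes and the filter rules are all
constructed for illustration; the label-setting routine is generic Dijkstra
so that additive metrics (cost, delay, hop count) and the bottleneck metric
(bandwidth) can be plugged in as separate "algorithms".
"""
from typing import Dict, Tuple

Link = Tuple[str, str]   # unidirectional link (src, dst)
Props = Dict[str, float]  # property vector advertised for the link

# Constructed link-state database. Each unidirectional link carries a vector
# of properties, as a FIRE property advertisement would.
LINKS: Dict[Link, Props] = {
    ("A", "B"): {"cost": 10, "delay_ms": 5,  "bw_mbps": 100},
    ("B", "D"): {"cost": 10, "delay_ms": 5,  "bw_mbps": 100},
    ("A", "C"): {"cost": 1,  "delay_ms": 40, "bw_mbps": 1000},
    ("C", "D"): {"cost": 1,  "delay_ms": 40, "bw_mbps": 1000},
    ("A", "D"): {"cost": 50, "delay_ms": 30, "bw_mbps": 10},
}


def label_setting(links, src, edge_value, combine, better, root_label):
    """Generic Dijkstra: returns {dest: next_hop} for one metric.

    combine(label, edge) extends a path label by one link; better(x, y) says
    whether label x is preferable to label y. With (+, <) this is SPF; with
    (min, >) it is the widest (bottleneck-bandwidth) path.
    """
    label = {src: root_label}
    next_hop = {}
    settled = set()
    while True:
        pending = [n for n in label if n not in settled]
        if not pending:
            return next_hop
        u = pending[0]
        for n in pending[1:]:
            if better(label[n], label[u]):
                u = n
        settled.add(u)
        for (a, b), props in links.items():
            if a != u or b in settled:
                continue
            candidate = combine(label[u], edge_value(props))
            if b not in label or better(candidate, label[b]):
                label[b] = candidate
                next_hop[b] = b if u == src else next_hop[u]


def spf(metric):
    """Additive shortest-path algorithm on one property of the vector."""
    return lambda ls, s: label_setting(ls, s, metric, lambda x, e: x + e, lambda x, y: x < y, 0)


def widest(metric):
    """Bottleneck algorithm: maximise the minimum of one property along the path."""
    return lambda ls, s: label_setting(ls, s, metric, min, lambda x, y: x > y, float("inf"))


# Operator-selected algorithms, one per traffic class; each yields its own table.
ALGORITHMS = {
    "hops": spf(lambda p: 1),
    "cost": spf(lambda p: p["cost"]),
    "delay": spf(lambda p: p["delay_ms"]),
    "bandwidth": widest(lambda p: p["bw_mbps"]),
}


def build_tables(links, router):
    """Run every configured algorithm over the shared database."""
    return {name: algo(links, router) for name, algo in ALGORITHMS.items()}


# Operator-specified packet filters, evaluated in order; first match wins.
# Constructed classification rules: a header is a plain dict here.
FILTERS = [
    (lambda h: h.get("dscp") == 46, "delay"),                                    # EF-marked real-time traffic
    (lambda h: h.get("proto") == "tcp" and h.get("dport") == 873, "bandwidth"),  # bulk replication
    (lambda h: h.get("dscp") == 8, "cost"),                                      # scavenger class
]
DEFAULT_TABLE = "hops"  # the pervasive hop-count table is the fallback


def forward(tables, header):
    """Classify a packet header, then look up its next hop in the chosen table."""
    for predicate, table in FILTERS:
        if predicate(header):
            return table, tables[table].get(header["dst"])
    return DEFAULT_TABLE, tables[DEFAULT_TABLE].get(header["dst"])


if __name__ == "__main__":
    tables = build_tables(LINKS, "A")
    for name, table in tables.items():
        print(f"{name:9s} table at A: {table}")
    print(forward(tables, {"dst": "D", "proto": "udp", "dport": 5004, "dscp": 46}))
```

On this topology the four tables disagree about how A should reach D: the hop-count table uses the direct link, the delay table goes via B, and the cost and bandwidth tables go via C, which is exactly the situation the deck's "pick every one" slide wants to exploit.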
Maintaining Stability
• Ensure reliable basic infrastructure
  - Provides robust, OSPF-like link state distribution
  - Pervasive hop-count based SPF routing tables
  - Always used for applet and algorithm downloads
• Enforce global configuration synchronization
  - Operator injects configuration updates
• Limit control traffic and route flapping
  - Prevent thrashing of forwarding tables
  - Fine-grained update frequency control
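The Routing Algorithms slide says recomputation is triggered by advertisement arrival with precautions against thrashing, and the slide above adds fine-grained update frequency control. The deck does not say which scheme FIRE uses; the following added example (not the prototype's code) shows one common way to do it, modelled on OSPF-style SPF throttling: a pending recomputation absorbs every advertisement that arrives before its timer fires, the delay doubles on each back-to-back trigger up to a ceiling, and it resets to the fast initial delay once the network has been quiet. The timer values and the simulated millisecond clock are assumptions.

```python
"""Recompute throttling: coalesce bursts of property advertisements.

Added example, not the FIRE prototype's code. The timer scheme (initial
delay doubling on back-to-back triggers, capped, reset after a quiet period)
is modelled on OSPF SPF throttling and is an assumption; the deck only says
that thrashing is prevented and update frequency is controlled. Times are
simulated integer milliseconds.
"""


class RecomputeThrottle:
    def __init__(self, initial_ms=50, max_ms=5000, quiet_ms=10000):
        self.initial = initial_ms
        self.max = max_ms
        self.quiet = quiet_ms
        self.current = initial_ms  # delay applied to the next trigger
        self.scheduled_at = None   # time of the pending recompute, if any
        self.last_run = None
        self.runs = []             # times at which recomputation actually ran
        self.pending = 0           # advertisements absorbed by the pending run

    def advertisement(self, now):
        """An advertisement arrived at `now`: schedule (or keep) a recompute."""
        self.pending += 1
        if self.scheduled_at is None:
            # Back-to-back triggers back off exponentially; a quiet network
            # gets the fast initial delay again.
            if self.last_run is not None and now - self.last_run < self.quiet:
                self.current = min(self.current * 2, self.max)
            else:
                self.current = self.initial
            self.scheduled_at = now + self.current
        return self.scheduled_at

    def tick(self, now):
        """Run the recomputation if its timer expired; return advertisements absorbed."""
        if self.scheduled_at is None or now < self.scheduled_at:
            return 0
        absorbed, self.pending = self.pending, 0
        self.scheduled_at = None
        self.last_run = now
        self.runs.append(now)
        return absorbed


def simulate(arrivals, throttle=None, step_ms=10):
    """Feed a sorted list of arrival times through a throttle; return run times."""
    th = throttle or RecomputeThrottle()
    t, i = 0, 0
    end = arrivals[-1] + th.max + 1
    while t <= end:
        while i < len(arrivals) and arrivals[i] <= t:
            th.advertisement(arrivals[i])
            i += 1
        th.tick(t)
        t += step_ms
    return th.runs


if __name__ == "__main__":
    # Constructed storm: an advertisement every 10 ms for two seconds.
    storm = list(range(0, 2001, 10))
    runs = simulate(storm)
    print(f"{len(storm)} advertisements caused {len(runs)} recomputations at {runs}")
```

The point of the exercise is the ratio: a two-second flap storm of 201 advertisements produces six recomputations, and each later one waits longer, so a misbehaving link or applet cannot drive the forwarding tables into continuous churn.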
Security through Containment
• Internal X.509 certificate hierarchy
  - All control messages are digitally signed
  - Authorization certificates allow subversion detection and containment
• Denial-of-service / anti-replay protections
  - IPsec provides hop-by-hop authentication
  - Repository and file transfer protocol precautions
• Applet / algorithm sandboxing
  - Limited privileges for applets, less for algorithms
  - A more secure language would be nice…
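The slide above combines three checks on every control message: authentication, anti-replay, and an authorization check that lets a subverted router be detected and contained. The following added example (not the FIRE prototype's code) shows that receive path for a property advertisement using only the Python standard library. Two substitutions are assumptions made to keep it self-contained: HMAC-SHA256 over a neighbour-shared key stands in for the hop-by-hop IPsec authentication (the deck's X.509 signatures are not implemented), and a plain table AUTHZ stands in for the authorization certificates that say which entities each router may advertise. The router names, keys, link identifiers, window size and message contents are all constructed.

```python
"""Authenticated, replay-protected, authorization-checked advertisements.

Added example, not the FIRE prototype's code. HMAC-SHA256 with a
neighbour-shared key stands in for hop-by-hop IPsec authentication, and the
AUTHZ table stands in for authorization certificates; both are assumptions.
All keys, names and messages are constructed for the illustration.
"""
import hashlib
import hmac
import json

WINDOW = 64  # anti-replay window size (assumption, IPsec-style sliding window)

# Constructed: keys shared with each neighbouring router (hop-by-hop).
KEYS = {"R1": b"neighbour-key-R1", "R3": b"neighbour-key-R3"}

# Constructed: which entities each router is authorised to advertise, as the
# authorization certificates would encode it.
AUTHZ = {"R1": {"R1->R2", "R1->R3"}, "R3": {"R3->R1", "R3->R4"}}


def advertisement(origin, seq, entity, props):
    return {"origin": origin, "seq": seq, "entity": entity, "props": props}


def canonical(msg):
    # Deterministic encoding so sender and receiver authenticate the same bytes.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def mac(msg, key):
    return hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()


class Receiver:
    def __init__(self, keys, authz, window=WINDOW):
        self.keys = keys
        self.authz = authz
        self.window = window
        self.repository = {}  # entity -> latest accepted properties
        self.replay = {}      # origin -> {"high": int, "seen": set}
        self.alerts = []      # detected subversion attempts

    def accept(self, msg, tag):
        origin = msg.get("origin")
        key = self.keys.get(origin)
        # 1. Authenticate before touching any state, so forgeries can neither
        #    advance the replay window nor fill the repository.
        if key is None or not hmac.compare_digest(mac(msg, key), tag):
            return "bad-mac"
        # 2. Anti-replay: reject sequence numbers already seen or older than
        #    the window, then slide the window forward.
        seq = msg["seq"]
        state = self.replay.setdefault(origin, {"high": 0, "seen": set()})
        if seq < 1 or seq <= state["high"] - self.window or seq in state["seen"]:
            return "replay"
        state["seen"].add(seq)
        if seq > state["high"]:
            state["high"] = seq
            state["seen"] = {s for s in state["seen"] if s > seq - self.window}
        # 3. Containment: an authentic router may only describe entities it is
        #    authorised for. Anything else is evidence of subversion: record
        #    it, drop it, and leave the repository untouched.
        if msg["entity"] not in self.authz.get(origin, set()):
            self.alerts.append((origin, msg["entity"], seq))
            return "unauthorized"
        self.repository[msg["entity"]] = msg["props"]
        return "accepted"


if __name__ == "__main__":
    rx = Receiver(KEYS, AUTHZ)
    good = advertisement("R1", 1, "R1->R2", {"cost": 10})
    print(rx.accept(good, mac(good, KEYS["R1"])))   # accepted
    print(rx.accept(good, mac(good, KEYS["R1"])))   # replay
    lie = advertisement("R1", 2, "R3->R4", {"cost": 0})
    print(rx.accept(lie, mac(lie, KEYS["R1"])))     # unauthorized
    print(rx.alerts, rx.repository)
```

The ordering of the checks is the security-relevant part: an unauthenticated message never consumes a sequence number, and an authenticated but unauthorized one is logged as a detection event but cannot poison the repository, which is what limits the damage a compromised router can do to the links it legitimately owns.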
Summary
• FIRE provides extensible, remotely configurable, class-based, link-state, intra-AS routing
  - Operator-specified metrics and algorithms
  - Enhanced flexibility compared to traditional routing protocols
  - Enhanced security and performance compared to active packet techniques