Network Support for Sharing
CABO: Concurrent Architectures are Better than One
• No single set of protocols or functions
  – Different applications with different needs
  – Multiple parties offering end-to-end services
• Instead, multiple networks in parallel
  – Virtual networks on a common substrate
  – Customization of the network functions
Separate Infrastructure from Service
• Infrastructure: physical infrastructure needed to build networks
• Service: “slices” of physical infrastructure from one or more providers
The same entity may sometimes play these two roles.
CABO as a New Architecture
• Virtualization
  – Multiple logical routers on shared hardware
  – Resource isolation in CPU, FIBs, and bandwidth
• Programmability
  – General-purpose CPUs for control & manipulation
  – Network processors & FPGAs for fast forwarding
• Economic refactoring
  – Infrastructure provider: manage routers and links
  – Service provider: offer end-to-end services
VINI/Trellis Deployment Platform
• Lightweight containers on a single OS
• Each virtual host sees virtual Ethernet links
• Packet forwarding and traffic shaping remain outside of the container
Network Support for Accountability
Internet Accountability
What is it?
• Mechanisms to identify, isolate, punish “bad behavior”
• Distinct from accounting (cf. original Clark design goals)
Why might the network need to support it?
• Attacks on the routing system
• Control over traffic
• Tracking and mitigating malice
  – Spam
  – Botnets
  – Phishing
Facets of Internet Accountability
• Source: defense against address forgery
• Data-plane: identify faulty network elements
• Control-plane: identify forged routing messages
• Recourse to avoid faulty or malicious elements
  – Scalable network support for path diversity
  – Better mechanisms to curtail unwanted traffic
AIP: Accountable IP
• Refactoring of Internet addresses: AD:EID
  – AD: The autonomous domain of the host
  – EID: A globally unique endpoint identifier
• Addresses are self-certifying
• Why change addressing?
  – Forms the cornerstone of routing, forwarding, identity
  – Current address structure makes existing mechanisms clumsy
  – New structure retains simplicity at the network layer and above
Address format (figure): AD | EID, where AD is the hash of the autonomous domain’s public key and EID is a globally valid endpoint identifier (cf. IPv6 CGA, HIP, etc.).
Source Accountability
• Problem: Sources can forge IP addresses
  – Can complete three-way handshakes (LAN spoofing)
• Why it matters: Complicates filtering, blacklisting
  – Spam campaigns regularly have 70% “fresh” IP addresses
• Solution: Self-certification + challenge/response
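The two slides above (self-certifying AD:EID addresses, and the challenge/response that lets a receiver reject a forged source) as an added Python example; this is not code from the deck or from the AIP authors. It assumes SHA-256 for address derivation and uses a Lamport one-time signature purely as a stdlib stand-in for whatever signature scheme a deployment would pick; only the EID half is verified here.

```python
"""Added example: AIP-style self-certifying AD:EID addresses plus a challenge/response
proof that the source actually holds the key behind the EID it claims."""
import hashlib
import os

HASH = hashlib.sha256  # assumption: same hash for address derivation and the one-time signature


def keygen():
    """Lamport one-time key pair: 256 pairs of random preimages; public key = their hashes.
    (Stand-in for a real signature scheme; each key must sign only once.)"""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def pk_bytes(pk):
    """Serialise a public key so it can be hashed into an address component."""
    return b"".join(h0 + h1 for h0, h1 in pk)


def _bit(digest, i):
    return (digest[i // 8] >> (7 - i % 8)) & 1


def sign(sk, msg):
    """Reveal one preimage per bit of H(msg)."""
    d = HASH(msg).digest()
    return [sk[i][_bit(d, i)] for i in range(256)]


def verify(pk, msg, sig):
    d = HASH(msg).digest()
    return all(HASH(sig[i]).digest() == pk[i][_bit(d, i)] for i in range(256))


def make_address(ad_pk, host_pk):
    """AD:EID, each half the SHA-256 of a public key, so the address certifies its own keys."""
    return f"{HASH(pk_bytes(ad_pk)).hexdigest()}:{HASH(pk_bytes(host_pk)).hexdigest()}"


def verifier_check(claimed_addr, presented_pk, respond):
    """Receiver side: (1) the presented key must hash to the claimed EID, (2) the source
    must sign a fresh nonce (via `respond`) with the matching private key. A spoofer who
    copies someone's address fails step 1; one who also copies the public key fails step 2."""
    claimed_eid = claimed_addr.split(":")[1]
    if HASH(pk_bytes(presented_pk)).hexdigest() != claimed_eid:
        return False
    nonce = os.urandom(32)  # fresh per challenge, so a replayed old response is useless
    return verify(presented_pk, nonce, respond(nonce))
```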
Control-Plane Accountability
• Problem: Routing messages can be forged
• Why it matters:
  – Misconfiguration: AS 7007, ConEdison route leak
  – Malice: Spammers stealing address space
• Solution: S-BGP-style attestations + self-certification
  – Interdomain routing and forwarding operate on ADs
  – The AD is the public key and the address
  – Eliminates the need for a mapping between IP address space and organizations
Data-Plane Accountability
• Problem: Network elements drop packets, fail, and otherwise give rise to poor performance
• One solution: In-Band Path Diagnosis
  – Routers keep track of the number of packets seen per flow
  – Each router stamps each packet with its current flow counter value
  – If the stamped counter value does not equal the router’s expected packet count for that flow, the router marks the packet
Method overview (figure): the counter travels in a new shim header inserted between the IP header and the transport header.
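The in-band path diagnosis sketched above as an added Python simulation; it is not code from the deck or from the authors. The shim header is modelled as two fields on a Packet object, the fault is a constructed drop schedule on one hop, and the choice to resynchronise a router's counter after it marks a packet is an assumption of this model.

```python
"""Added example: simulation of in-band path diagnosis. Every hop keeps a per-flow
packet counter, carries it in a shim field, and marks a packet when the stamp it
receives disagrees with the count it expected for that flow."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    flow: str                        # stands in for the 5-tuple identifying a flow
    counter: int                     # shim header: upstream hop's per-flow counter
    marked_by: Optional[str] = None  # shim header: first hop that saw a mismatch


@dataclass
class Router:
    name: str
    drop_every: int = 0              # constructed fault: drop every n-th packet (0 = lossless)
    seen: dict = field(default_factory=dict)  # flow -> packets counted so far

    def forward(self, pkt):
        """Compare, mark, re-stamp; return None if this hop drops the packet."""
        expected = self.seen.get(pkt.flow, 0) + 1
        if pkt.counter != expected and pkt.marked_by is None:
            # Upstream stamp is ahead of our own count: loss occurred on the segment
            # just upstream of this hop. Only the first observer marks the packet.
            pkt.marked_by = self.name
        # Assumption of this model: resynchronise to the upstream count so that one
        # loss yields one mark rather than marking every later packet of the flow.
        self.seen[pkt.flow] = pkt.counter
        if self.drop_every and pkt.counter % self.drop_every == 0:
            return None                  # the fault we are trying to localise
        pkt.counter = self.seen[pkt.flow]  # stamp our own counter for the next hop
        return pkt


def send_flow(path, flow, n_packets):
    """Source numbers its packets 1..n; returns (delivered, list of marking hops).
    A mark naming hop X implicates the link or hop immediately upstream of X."""
    delivered, marks = 0, []
    for i in range(1, n_packets + 1):
        pkt = Packet(flow=flow, counter=i)
        for hop in path:
            pkt = hop.forward(pkt)
            if pkt is None:
                break
        if pkt is not None:
            delivered += 1
            if pkt.marked_by is not None:
                marks.append(pkt.marked_by)
    return delivered, marks
```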