The Darwin Router Control Interface
Slide 1: The Darwin Router Control Interface
Peter Steenkiste, Jun Gao, Prashant Chandra, Eduardo Takahashi
Computer Science Department and Department of Electrical and Computer Engineering, Carnegie Mellon University
OPENSIG '99, Carnegie Mellon University, October 1999

Slide 2: Outline
- Motivation
- Router Control Interface
- Security and safety
- Conclusion

Slide 3: Motivation
- Open up the network: have a larger community develop services and applications for networks
  - Not just vendor software
  - Imagine a PC on which you can only run vendor software
- Advanced services and applications need customized, runtime resource management support
  - Quality of execution depends on how resources are managed
  - Example: CORBA + QoS (QuO) at BBN
- Network management and control applications
  - Support flexible QoS policies, monitoring tools, etc.
  - Convenient and fast software deployment and upgrading
  - Example: virtual private network service

Slide 4: Example: A Virtual Private Network Service
(Figure: VPN topology spanning sites UCL, CMU, DARPA, MIT and hosts ISIPC, ISIEPC, UCLAPC, LBLPC, PARCPC, with routers labelled A through G.)
- Hierarchical scheduler manages VPN resources
- Delegates support customized control protocols
VPN team: Keng Lim, Jun Gao, Eugene Ng, Hui Zhang, Peter Steenkiste

Slide 5: Virtual Mesh: Resources + Control
(Figure only.)

Slide 6: Darwin Node Architecture
(Figure: router components Route Lookup, Classifier + Scheduler, Classifier + Action, Local Resource Manager, Beagle, Routing and Control Delegates, joined through the Router Control Interface; external parties are the Client Beagle, Other Routing Entities, Applications and Other Delegates.)

Slide 7: Router Control Interface (RCI)
- RCI operates on a flow-based network model
  - Flows are the basic data type: RCI is an instruction set that operates on flows
  - A flow is defined using IP and transport layer header fields
- Four categories of functions
  - Collecting information
    - Bandwidth usage, monitor queue length, etc.
  - Local resource management actions
    - Set QoS parameters, selectively drop packets, etc.
  - Flow redirection
    - Tunneling, redirecting a flow to a delegate, route changes, etc.
  - Inter-delegate communication
    - Allow delegates to interact with peers and endpoints

Slide 8: Darwin Delegate Implementation
- Implemented as Java code segments
  - Also more restricted support for C delegates
- Delegate runtime environment based on a Java Virtual Machine
  - RCI is implemented as a set of C native methods
  - Use Java sandboxing for basic safety support
- Delegates can be dynamically installed by the Beagle signaling protocol
  - Client specifies the delegates as part of the mesh
  - Beagle carries delegate bytecode to routers
  - Verifies, instantiates and initializes delegates

Slide 9: A Hierarchical Network Model
- Hierarchical resource management in support of service hierarchies
  - Translates into a hierarchy of meshes
  - Representation on a router is a resource tree
  - Realized using the Hierarchical Fair Service Curve Scheduler (HFSC)
- Delegates are associated with nodes in the resource tree
  - Scheduler provides isolation of network resources (data plane)
  - Delegates provide isolation of resource management and control (control plane)
(Figure: control delegates attached to nodes of a hierarchical resource tree: Link > Org 1, Org 2 > App 1 > Flow 1.)

Slide 10: Delegate Examples
- Selective packet dropping for MPEG video streams
  - Monitoring, selective dropping
- Dynamic control of MJPEG video encoding
  - Monitoring, coordination between control and data delegates
- Selective dropping of non-adaptive flows
  - Monitoring, selective dropping, inter-delegate communication
- Load-sensitive flow redirecting
  - Monitoring, inter-delegate communication
- On-going projects
  - QoS virtual private networks, active monitoring, etc.

Slide 11: Comparison with Related Projects
- Active Nets node architecture (Peterson)
  - The delegate runtime environment can be viewed as an execution environment that handles "control" packets
  - "Data" packets follow the "cut through" path
  - Which path a packet takes through the router is controlled by a general classifier on the input port
- Pronto (Hjalmtysson)
  - Similar architecture, but stronger coupling between data and control planes
  - Darwin hierarchy provides more structure
- Active signaling (Braden)
  - Also separates control and data planes, but with a single network-wide control
  - Focus on controlling versions instead of customization

Slide 12: Security and Safety: Where is the Problem?
- Everywhere!
  - Harm the base router or other users (crash, corrupt, ...)
  - Allocate or use other users' resources
  - Affect the treatment of other users' traffic
- Our focus is on traffic-management-related threats
  - Other groups are addressing some of the other issues
    - E.g., allocation of CPU time, efficient safety mechanisms, ...
- Address the problem piece-wise by looking at an increasingly more powerful delegate
  - Delegates perform only local actions
  - Delegates can also perform global actions
  - Delegates can create peers and delegate responsibility

Slide 13: Local Actions Only
- Beagle creates all delegates and sets up all permissions
- Delegates can modify flow definitions and resource allocations
  - Modify flow weights, ...
  - Control over an output port (roughly)
- Probably useful to have different levels of permission:
  - monitor traffic only
  - modify weights
  - change structure of the tree
  - peek at contents of packets
(Figure: node architecture with Classifier + Scheduler, Classifier + Action, Local Resource Manager, Beagle, Routing and Control Delegates behind the Router Control Interface.)

Slide 14: Local Actions Only: Possible Solutions
- Leverage the hierarchical resource management abstraction
- Beagle must verify that the client can add a node and its associated delegate
  - Check with the owner of the parent
- Runtime checking for every delegate RCI call
  - Is the call allowed on this resource?
  - Does the flow filter only match traffic that is controlled by this delegate?
- Usual runtime versus install-time verification tradeoff
  - Fewer runtime checks for trusted code
(Figure: control delegates attached to nodes of a hierarchical resource tree: Link > Org 1, Org 2 > App 1 > Flow 1.)
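The two checks on slide 14, together with the flow model of slide 7 and the permission levels of slide 13, can be modelled as a small authorization layer in front of the RCI. The following is an added example written for this transcript, not Darwin code: it assumes a resource tree whose nodes each carry a flow filter (source and destination prefixes plus a destination-port range) and an owner, and delegates bound to one node with one permission level. The install-time check models "check with the owner of the parent" as requiring the requester to own the parent node. Names such as Permission, FlowFilter, ResourceNode, rci_call and beagle_add_node, and the mapping of operations to permission levels, are invented here.

```python
"""Per-call RCI authorization for a Darwin-style control delegate (added example).

Not Darwin code. Assumes a resource tree in which every node carries a flow
filter and an owner, and every delegate is bound to one node with one
permission level. All names and the REQUIRED mapping are invented here.
"""
from dataclasses import dataclass
from enum import IntEnum
from ipaddress import IPv4Network, ip_network
from typing import Optional


class Permission(IntEnum):
    """Permission levels from slide 13, ordered from least to most powerful."""
    MONITOR = 1          # read traffic statistics only
    MODIFY_WEIGHTS = 2   # change scheduler shares inside the node
    RESTRUCTURE = 3      # add or remove children in the resource tree
    PEEK = 4             # inspect packet contents


# Minimum level each RCI operation needs (constructed; the real RCI
# instruction set is not on the slides).
REQUIRED = {
    "get_bandwidth": Permission.MONITOR,
    "get_queue_length": Permission.MONITOR,
    "set_weight": Permission.MODIFY_WEIGHTS,
    "add_child": Permission.RESTRUCTURE,
    "read_payload": Permission.PEEK,
}


@dataclass(frozen=True)
class FlowFilter:
    """A flow defined by IP and transport header fields (slide 7)."""
    src: IPv4Network
    dst: IPv4Network
    dport_lo: int = 0
    dport_hi: int = 65535

    def contains(self, other: "FlowFilter") -> bool:
        """True if every packet matching `other` also matches `self`."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.dport_lo <= other.dport_lo
                and other.dport_hi <= self.dport_hi)


def flt(src: str, dst: str, lo: int = 0, hi: int = 65535) -> FlowFilter:
    """Build a FlowFilter from prefix strings and a port range."""
    return FlowFilter(ip_network(src), ip_network(dst), lo, hi)


@dataclass
class ResourceNode:
    name: str
    flow: FlowFilter           # traffic this node of the resource tree owns
    owner: str
    parent: Optional["ResourceNode"] = None


@dataclass
class Delegate:
    name: str
    node: ResourceNode         # the node the delegate is attached to
    level: Permission


class RCIError(PermissionError):
    """Raised when an install-time or runtime check refuses an action."""


def beagle_add_node(requester: str, parent: ResourceNode, name: str,
                    flow: FlowFilter, owner: str) -> ResourceNode:
    """Install-time check: only the parent's owner may add a child, and the
    child's flow filter must stay inside the parent's."""
    if requester != parent.owner:
        raise RCIError(f"{requester} does not own {parent.name}")
    if not parent.flow.contains(flow):
        raise RCIError(f"filter for {name} escapes {parent.name}")
    return ResourceNode(name, flow, owner, parent)


def rci_call(delegate: Delegate, op: str, flow: Optional[FlowFilter] = None) -> bool:
    """Runtime check on every RCI call: permission level, then filter containment."""
    need = REQUIRED.get(op)
    if need is None:
        raise RCIError(f"{op}: not an RCI operation")
    if delegate.level < need:
        raise RCIError(f"{op}: needs {need.name}, delegate has {delegate.level.name}")
    if flow is not None and not delegate.node.flow.contains(flow):
        raise RCIError(f"{op}: flow filter escapes resource {delegate.node.name}")
    return True


def check(delegate: Delegate, op: str, flow: Optional[FlowFilter] = None) -> bool:
    """True if the call would be allowed, False if refused."""
    try:
        return rci_call(delegate, op, flow)
    except RCIError:
        return False


def build_demo() -> Delegate:
    """Constructed tree Link > Org 1 > App 1 with a weight-modifying delegate on App 1."""
    link = ResourceNode("Link", flt("0.0.0.0/0", "0.0.0.0/0"), owner="router")
    org1 = beagle_add_node("router", link, "Org 1", flt("10.1.0.0/16", "0.0.0.0/0"), "org1")
    app1 = beagle_add_node("org1", org1, "App 1",
                           flt("10.1.0.0/16", "10.2.0.0/16", 5000, 5100), "app1")
    return Delegate("app1-control", app1, Permission.MODIFY_WEIGHTS)
```

With `d = build_demo()`, `check(d, "set_weight", flt("10.1.5.0/24", "10.2.7.0/24", 5000, 5010))` is allowed, while the same call with a destination of `10.3.0.0/16` or a port range starting at 4999 is refused because the filter escapes App 1, and `check(d, "add_child", ...)` is refused because the delegate lacks the RESTRUCTURE level. Trusted code could skip the per-call checks after install-time verification, which is the tradeoff the slide mentions.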

Slide 15: Global Actions
- Beagle creates all delegates and sets up all permissions
- Delegates can redirect flows
  - Example: routing delegates in a VPN service application
  - Affects what parts of the network are used: RCI is used for distributed programming
  - Changes input port functions
- How to implement?
  - Tunneling seems manageable
  - Routing is more difficult!
    - How many routing tables?
    - How do you control and verify changes to a shared routing table?
    - What is the right model?
(Figure: node architecture with Classifier + Scheduler, Classifier + Action, Local Resource Manager, Beagle, Routing and Control Delegates behind the Router Control Interface.)

Slide 16: Global Actions: Possible Solutions
- Restrict delegate actions to stay inside the mesh
  - Only affect traffic and only use links that are part of the mesh
  - Delegate has a choice of outgoing link and path
- Demonstrated this capability for the VPN services application
  - Use multiple routing daemons and forwarding tables
  - The view of each routing daemon is restricted to its mesh
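The per-mesh forwarding tables of slide 16 answer the "how many routing tables?" question of slide 15 with one table per mesh plus the router's base table. The following added example (not Darwin code) models that arrangement: a mesh owns a subset of the router's links and its own forwarding table, a routing delegate may install routes only for destinations inside its mesh and only via mesh links, and forwarding consults the mesh table before falling back to the base table. For simplicity a mesh is identified by a single destination prefix, whereas the real classifier uses more header fields; the class and method names (Mesh, Router, install_route, forward) are invented here.

```python
"""Mesh-scoped forwarding for Darwin-style routing delegates (added example).

Not Darwin code. A mesh owns some of the router's links and has its own
forwarding table; its routing delegate can only install routes for mesh
destinations via mesh links. Mesh membership is by destination prefix only,
a simplification of the real flow classifier. All names are invented here.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network


class RedirectRefused(PermissionError):
    """A routing delegate tried to act outside its mesh."""


@dataclass
class Mesh:
    name: str
    prefix: IPv4Network            # destination prefix whose traffic belongs to the mesh
    links: frozenset               # router links that are part of the mesh
    table: dict = field(default_factory=dict)  # mesh forwarding table: prefix -> link


class Router:
    def __init__(self, links, base_routes):
        self.links = frozenset(links)
        # Base forwarding table used by traffic outside any mesh.
        self.base = {ip_network(p): link for p, link in base_routes.items()}
        self.meshes = {}

    def create_mesh(self, name, prefix, links):
        """Set-up step (Beagle's job): a mesh may only claim links this router has."""
        links = frozenset(links)
        if not links <= self.links:
            raise ValueError(f"mesh {name} names unknown links: {sorted(links - self.links)}")
        mesh = Mesh(name, ip_network(prefix), links)
        self.meshes[name] = mesh
        return mesh

    def install_route(self, mesh_name, prefix, link):
        """RCI flow redirection issued by the routing delegate of `mesh_name`.
        Both checks keep this global action inside the mesh."""
        mesh = self.meshes[mesh_name]
        dst = ip_network(prefix)
        if not dst.subnet_of(mesh.prefix):
            raise RedirectRefused(f"{mesh_name}: {dst} is not mesh traffic")
        if link not in mesh.links:
            raise RedirectRefused(f"{mesh_name}: link {link} is not part of the mesh")
        mesh.table[dst] = link
        return True

    def try_install(self, mesh_name, prefix, link):
        """True if the route was installed, False if the mesh restriction refused it."""
        try:
            return self.install_route(mesh_name, prefix, link)
        except RedirectRefused:
            return False

    @staticmethod
    def _longest_match(table, dst):
        best = None
        for prefix, link in table.items():
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, link)
        return None if best is None else best[1]

    def forward(self, dst_ip):
        """Classify the packet to a mesh first; fall back to the base table."""
        dst = ip_address(dst_ip)
        for mesh in self.meshes.values():
            if dst in mesh.prefix:
                link = self._longest_match(mesh.table, dst)
                if link is not None:
                    return link
                break  # mesh traffic without a mesh route follows the base table
        return self._longest_match(self.base, dst)


def build_demo():
    """Constructed router with three links and one VPN mesh on two of them."""
    r = Router(["eth0", "eth1", "eth2"], {"0.0.0.0/0": "eth0", "10.0.0.0/8": "eth1"})
    r.create_mesh("vpn", "10.2.0.0/16", ["eth1", "eth2"])
    return r
```

With `r = build_demo()`, the VPN delegate can steer `10.2.5.0/24` onto `eth2`, after which `r.forward("10.2.5.9")` returns `eth2`, but a route for `10.3.0.0/16` is refused as non-mesh traffic and a route via `eth0` is refused because that link is outside the mesh; traffic for other destinations keeps following the base table.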

Slide 17: Delegation
- Beagle is no longer the only manager of delegates or delegate permissions
  - It is "only" the signaling protocol for the root node
- Delegates for interior nodes can also manage delegates and their permissions
  - Delegate authority, create peers or delegates for children, ...
- Example: a VPN-specific signaling protocol creates delegates
- Solution will have to combine local protection with the "space" or mesh aspect
(Figure: control delegates attached to nodes of a hierarchical resource tree: Link > Org 1, Org 2 > App 1 > Flow 1.)

Slide 18: Conclusion
- Darwin delegates support the development of customized network control protocols
  - Use the RCI to affect the data forwarding path
- Key question: what router functions do you want to be able to "delegate" (securely)?
  - Resource management and QoS?
  - Routing?
  - Signaling and delegate management?
  - Desired degree of customization depends on the user
  - Security becomes harder as you expand the scope
- Version 1.0 of Darwin is available
  - Includes the HFSC scheduler, Beagle, and the delegate runtime environment