DOI: 10.1145/2716281.2836092
Research article

Alpaca: compact network policies with attribute-carrying addresses

Published: 01 December 2015

Abstract

In enterprise networks, policies (e.g., QoS or security) are often defined based on the categorization of hosts along dimensions such as the organizational role of the host (faculty vs. student), and department (engineering vs. sales). While current best practices (VLANs) help when hosts are categorized along a single dimension, policy may often need to be expressed along multiple orthogonal dimensions. In this paper, we make three contributions. First, we argue for Attribute-Carrying IPs (ACIPs), where the IP address allocation process in enterprises considers attributes of a host along all policy dimensions. ACIPs enable flexible policy specification in a manner that may not otherwise be feasible owing to the limited size of switch rule-tables. Second, we present Alpaca, algorithms for realizing ACIPs under practical constraints of limited-length IP addresses. Our algorithms can be applied to different switch architectures, and we provide bounds on their performance. Third, we demonstrate the importance and viability of ACIPs on data collected from real campus networks.

Published In

CoNEXT '15: Proceedings of the 11th ACM Conference on Emerging Networking Experiments and Technologies
December 2015
483 pages
ISBN: 9781450334129
DOI: 10.1145/2716281
Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article

Funding Sources

  • National Science Foundation

Conference

CoNEXT '15
Acceptance Rates

Overall Acceptance Rate 198 of 789 submissions, 25%

Cited By

  • (2024) Efficient Flow Table Caching Architecture and Replacement Policy for SDN Switches. Journal of Network and Systems Management, 32:3. DOI: 10.1007/s10922-024-09824-w. Online publication date: 18-Jun-2024
  • (2020) An Intent-Based Automation Framework for Securing Dynamic Consumer IoT Infrastructures. Proceedings of The Web Conference 2020, pp. 1625-1636. DOI: 10.1145/3366423.3380234. Online publication date: 20-Apr-2020
  • (2019) Coordinated dataflow protection for ultra-high bandwidth science networks. Proceedings of the 35th Annual Computer Security Applications Conference, pp. 568-583. DOI: 10.1145/3359789.3359843. Online publication date: 9-Dec-2019
  • (2017) Supporting Diverse Dynamic Intent-based Policies using Janus. Proceedings of the 13th International Conference on emerging Networking EXperiments and Technologies, pp. 296-309. DOI: 10.1145/3143361.3143380. Online publication date: 28-Nov-2017
  • (2017) Concise Encoding of Flow Attributes in SDN Switches. Proceedings of the Symposium on SDN Research, pp. 48-60. DOI: 10.1145/3050220.3050227. Online publication date: 3-Apr-2017
  • (2017) Efficient FIB Representations on Distributed Platforms. IEEE/ACM Transactions on Networking, 25:6, pp. 3309-3322. DOI: 10.1109/TNET.2017.2728642. Online publication date: 1-Dec-2017
  • (2017) Optimal Rule Caching and Lossy Compression for Longest Prefix Matching. IEEE/ACM Transactions on Networking, 25:2, pp. 864-878. DOI: 10.1109/TNET.2016.2611482. Online publication date: 1-Apr-2017
  • (2017) TimeFlip. IEEE/ACM Transactions on Networking, 25:2, pp. 849-863. DOI: 10.1109/TNET.2016.2608441. Online publication date: 1-Apr-2017
  • (2016) FIB efficiency in distributed platforms. 2016 IEEE 24th International Conference on Network Protocols (ICNP), pp. 1-10. DOI: 10.1109/ICNP.2016.7784452. Online publication date: Nov-2016
