ABSTRACT
In enterprise networks, policies (e.g., QoS or security) are often defined based on the categorization of hosts along dimensions such as the organizational role of the host (faculty vs. student), and department (engineering vs. sales). While current best practices (VLANs) help when hosts are categorized along a single dimension, policy may often need to be expressed along multiple orthogonal dimensions. In this paper, we make three contributions. First, we argue for Attribute-Carrying IPs (ACIPs), where the IP address allocation process in enterprises considers attributes of a host along all policy dimensions. ACIPs enable flexible policy specification in a manner that may not otherwise be feasible owing to the limited size of switch rule-tables. Second, we present Alpaca, algorithms for realizing ACIPs under practical constraints of limited-length IP addresses. Our algorithms can be applied to different switch architectures, and we provide bounds on their performance. Third, we demonstrate the importance and viability of ACIPs on data collected from real campus networks.
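As an added illustration of the ACIP idea described in the abstract (my own example, not the paper's Alpaca algorithm or any code from its authors), the block below carves two attribute fields (role, department) out of the host bits of a placeholder 10.0.0.0/16 and shows that a policy naming a category compiles to a single value/mask match instead of one rule per host; the attribute codes, field widths and prefix are constructed assumptions.

```python
import ipaddress

# Constructed attribute codes and address layout (placeholders, not from the paper).
ROLES = {"faculty": 0, "student": 1, "staff": 2}
DEPTS = {"engineering": 0, "sales": 1, "hr": 2, "ops": 3}
PREFIX = int(ipaddress.IPv4Address("10.0.0.0"))   # enterprise /16, placeholder
PREFIX_MASK = 0xFFFF0000
# Bit fields inside the 16 host bits: name -> (shift, width, code table)
FIELDS = {"role": (14, 2, ROLES), "dept": (12, 2, DEPTS)}
HOST_BITS = 12                                      # bits 0-11: per-host id

def encode(role, dept, host_id):
    """Allocate an attribute-carrying address: prefix | role | dept | host id."""
    if not 0 <= host_id < (1 << HOST_BITS):
        raise ValueError("host id does not fit in the host field")
    addr = PREFIX | (ROLES[role] << 14) | (DEPTS[dept] << 12) | host_id
    return ipaddress.IPv4Address(addr)

def decode(addr):
    """Recover (role, dept, host_id) from an address allocated by encode()."""
    a = int(ipaddress.IPv4Address(addr))
    labels = []
    for shift, width, table in FIELDS.values():
        code = (a >> shift) & ((1 << width) - 1)
        labels.append(next(k for k, v in table.items() if v == code))
    return labels[0], labels[1], a & ((1 << HOST_BITS) - 1)

def policy_rule(**attrs):
    """One (value, mask) TCAM-style match covering every host with the given
    attributes, however many such hosts exist; unspecified dimensions stay
    wildcarded (only the bits of the named fields are set in the mask)."""
    value, mask = PREFIX, PREFIX_MASK
    for name, label in attrs.items():
        shift, width, table = FIELDS[name]
        value |= table[label] << shift
        mask |= ((1 << width) - 1) << shift
    return value, mask

def matches(rule, addr):
    """Apply a (value, mask) rule to an address the way a switch would."""
    value, mask = rule
    return (int(ipaddress.IPv4Address(addr)) & mask) == value
```

policy_rule(role="student") occupies one table entry yet covers every student host, and policy_rule(role="student", dept="engineering") narrows along the second, orthogonal dimension with still a single entry.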