THE COMPOSITIONAL ARCHITECTURE A OF THE INTERNET · SECURITY Security attacks are...
35
THE COMPOSITIONAL ARCHITECTURE OF THE INTERNET Pamela Zave Princeton University Princeton, New Jersey, USA Joint work with Jennifer Rexford. * *
Transcript of THE COMPOSITIONAL ARCHITECTURE A OF THE INTERNET · SECURITY Security attacks are...
AAA
A
A
A
THE COMPOSITIONAL ARCHITECTURE
OF THE INTERNET
Pamela Zave
Princeton University
Princeton, New Jersey, USA
Joint work with Jennifer Rexford.
*
*
AAA
A
A
A
IN 1992
THE EXPLOSIVE GROWTH OF THEWORLD-WIDE WEB BEGAN
AND IN 1993
THE LAST MAJOR CHANGE WAS MADETO THE “CLASSIC” INTERNET ARCHITECTURE
AAA
A
A
A
THE LAST MAJOR CHANGE: CLASSLESS ADDRESSING
BEFORE AFTER
a router can advertise a networkof size 256 (Class C)
a router can advertise a networkof size 65,636 (Class B)
a router can advertise a networkof size 16,777,216 (Class A)
with a 24-bit address
with a 12-bit address
with an 8-bit address
a router can advertise a network of
size 2
with an X-bit address “. . . /X”
(32 - X)
WHAT HAS HAPPENED SINCE 1993?
most of the world’s . . .
. . . telecommunication infrastructure
. . . entertainment distribution . . .
has moved to the Internet
an explosion of security threats
most networked devices are mobile
cloud computing
exhaustion of the IP address space
the need for elastic resource allocationinstead of over-provisioning
A CONUNDRUM:
The “classic” Internet architecture (how expertsdescribe the Internet) has not changed since 1993, . . .
. . . yet the Internet has met all these new challenges,at least to some extent.
APPLICATION LAYER
TRANSPORT LAYER
NETWORK LAYER
LINK LAYER
PHYSICAL LAYER diverse physical media (wires,optical fibers, radio channels)
best-effort local packet delivery
best-effort global packet delivery
reliable byte streams, datagrams
applications and mnemonic names
Ethernet header
IP header
TCP header
HTTP header
so we expecta typical packet to look like this
THE “CLASSIC” INTERNET ARCHITECTURE
THE REALITY:
HTTP
TCP
IP
IPsec
IP
GTP
UDP
IP
MPLS
MPLS
Ethernet
THIS IS A TYPICAL PACKET IN THE AT&T BACKBONE
packets sampled elsewherewould look different, but
might be equally complex
General Packet RadioService (GPRS) network
Virtual PrivateNetwork (VPN)
public Internet
distributed Web-basedapplication system
Multi-Protocol LabelSwitching (MPLS) network
another MPLS network
Ethernet network
AAA
A
A
A
WHY WE NEED A BETTER MODEL . . .
. . . instead of just talking about the classic Internet architecture
and saying “there are a lot of exceptions”
IT WOULD BE NICE TO KNOW . . .
How has the Internet evolved tomeet the new challenges?
PROGRAMMABILITY
After 25 years of hard work by thenetworking community, networksare now programmable.
But there has been much lessprogress in knowing what toprogram.
as we all know, you can make abigger mess with software than you
can with hardware
How should it evolve in thefuture?
so far, efforts to design“future Internet architectures”
have convinced no one
SECURITY
Security attacks are unforgiving—detailsand exceptions cannot be ignored.
Verification of trustworthy network servicesrequires a more holistic approach.
A BETTER MODEL: THE INTERNET IS A FLEXIBLE COMPOSITION OF MANY NETWORKS
each network has all the samebasic mechanisms, . . .
. . . but in each network they arespecialized for a particular . . .. . . purpose,. . . membership scope,. . . geographical span, and. . . level of abstraction
because all networks have fundamental similarity, they all havecommon interfaces for composition
the Internet protocol suite implements a general-purpose network design andis available on most networked devices—so it is re-used for many purposes
global networkingas we know it many more than those acknowledged
in the classic architecture
AAA
A
A
A
OLD: THE END-TO-END PRINCIPLE
The functions of a network should beminimized, so that it serves everyoneefficiently, . . .
. . . and whenever possible,services should be implemented
in endpoint machines.
or, “smart edge, dumb network”
endpointmachine
user interfaceto the network
the End-to-EndPrinciple is adesign principle,but it has beenso influentialthat it is assumedto be descriptive
AAA
A
A
A
OLD: THE END-TO-END PRINCIPLE
The functions of a network should beminimized, so that it serves everyoneefficiently, . . .
. . . and whenever possible,services should be implemented
in endpoint machines.
or, “smart edge, dumb network”
endpointmachine
user interfaceto the network
the End-to-EndPrinciple is adesign principle,but it has beenso influentialthat it is assumedto be descriptive
today there are many exceptions:
many services areimplemented inside the network, . . .
. . . by middleboxes andprogrammable routers
today we know . . .
. . . that if we want toverify networkservices . . .
. . . we must includein our model all theagents involved inproviding thoseservices
cannot control networkcongestion without thecooperation of endpoints
AAA
A
A
A
machine machine
NEW: USER INTERFACES ARE INSIDE MACHINES
destinationsource
sender receiver
the user of a network is adistributed application system—its modules must communicatethrough network services
a member of a network is a software or hardware modulethat implements some of thenetwork protocols
modules on thesame machinecommunicatethrough itsoperating systemor hardware
an instance ofnetwork serviceis a session;a session transmitsa group of packetsthat the user seesas related
sessionnetworkboundary
send (packet,sessionIdent)
deliver (packet,sessionIdent)
user interface
HTTP
TCP
IP
IPsec
IP
GTP
UDP
IP
MPLS
MPLS
Ethernet
GPRS network:city-wide routing tomobile devices
VPN: routing throughencryption servers
public Internet:global routing
MPLS networks:performanceengineering foraggregated trafficon high-speed links
OLD: LAYERS ARE FIXED, HAVE DISTINCT FUNCTIONS
classic Internet architecture has 5 layers, OSI model has the same 5 plus 2 others
routing is the control mechanism that choosespacket paths and encodespaths in forwarding tables
forwarding is the mechanismthat pushes packets alongtheir paths
in both reference architectures,there is routing and forwardingonly in the link layer (local) andnetwork layer (global)
in this realistic example, there isrouting and forwarding in each ofthe six networks, . . .
. . . with different purposes,
. . . over different spans,
. . . allocating different resources Ethernet: local routing
AAA
A
A
A1 2
3
4
5
(dest=E, in=4, out=5)(dest=E, in=1, out=4)
each network is a microcosm of networkingwith all of the basic mechanisms, . . .. . . all of which can be specialized,. . . and some of which can be vestigial
membershave namesfrom anamespace
A C E
B D
(src=A,dest=E,ident=s)
NEW: LAYERS IN A COMPOSITION HIERARCHY ARE SELF-CONTAINED NETWORKS
members areconnected bylinks(communicationchannels)
routing chooses packetpaths and populatesforwarding tables,which are used by theforwarding protocol
a session is aninstance ofnetwork service
the service isimplemented by asession protocol,with session statein members
s
AAA
A
A
A
REQUIREMENTS ON NETWORKS
sender receiver
session
send (packet,sessionIdent)
deliver (packet,sessionIdent)
user interface
The network delivers communication services with desirable properties.
The users put a load (of sessionsand packets) on the network.
A network has asingle administrativeauthority . . .
. . . that isresponsiblefor its services.
REACHABILITYwhat are the possibledestinations? SECURITY
access controlDoS protectionauthenticationprivacydata integritylaw enforcement
PERFORMANCEmaximum latencyminimum bandwidthpacket loss rateavailability
SERVICE-SPECIFIC BEHAVIORinteroperationsynchronizationguaranteed, ordered deliveryload-balancingsession persistencedespite endpoint mobility
SESSIONPERFORMANCE
session path
session s
what is the minimum bandwidth,maximum latency?
is E protected from DoS attacks and malware?
AAA
A
A
A A E
REACHABILITY
SECURITY
PROTOCOLS
which memberscan be reachedfrom A?
SELF-CONTAINED REASONING ABOUT A NETWORK
send(s, p)
deliver(s, p)
S
SESSIONPERFORMANCE
session path
session s
reasoningoften requiresassumptionsabout thebehavior oflinks
AAA
A
A
A
minimum bandwidth = min (S (B ))k
k
klinksin path
linksin path
session’s shareof bandwidth
maximum latency = sum (L )
A E
REACHABILITY
reachabilityfrom A is thetransitiveclosure of theforwardingrelation
SECURITY all paths to E go throughmiddleboxes that protect it fromDoS attacks and malware
PROTOCOLS
reasoningabout controland sessionprotocols
SELF-CONTAINED REASONING ABOUT A NETWORK
send(s, p)
deliver(s, p)
S
AAA
A
A
A
now user of a networkcan be a networkinstead of a distributedapplication system
send (packet,sessionIdent)
deliver (packet,sessionIdent)
dis-assemblepacket into smallerpackets; encapsulateeach in sessionheader
decapsulate(removesessionheaders), assemble intosent packet
setting up adynamic sessionrequires adirectory, whichsays that D isattached to D’
OVERLAYNETWORK
UNDERLAYNETWORK
A COMPOSITION OPERATOR: LAYERING
a link in an “overlay” network . . . is implemented by a session in an “underlay” network
link
session
uses implements
D
D’
compositional reasoningrequires nothing new—assumed properties ofoverlay link are specifiedproperties of underlay session
S
S’
AAA
A
A
A
LAYERING NOT IN CLASSIC ARCHITECTURE:CAMPUS NETWORK WITH VLANS FOR SECURITY
administrators’group
physical LANphysical LAN
campusIP network
physical link
students’groupcampus
IPnetwork
administrators’Virtual LAN
(extendsacross campus)
2.72.60.4 0.5
0.5
2.81.3
0.4
M8
M8
M4
M4
M7
M7
M5
M5
M3 M6
M6
IP routersvirtual
link
AAA
A
A
A
administrators’group
physical LAN
students’groupcampus
IPnetwork
administrators’Virtual LAN
(extendsacross campus)
2.72.60.4 0.5 2.81.3
M8M4
M4
M7
M7
M5 M6
IP routersvirtual
link
IP header src = 2.7, dst = 2.8
Ethernet header src = M7, dst = M8
Ethernet header src = M7, dst = M4, VLAN = admin
payload*
AAA
A
A
A
VLANs and LANsall re-use the Ethernetdesign—each networkis isolated for safety,and small enoughfor efficient broadcast
WHY?
which ishowEthernetsdo routing
TWO VIEWS OF SAME NETWORK, WITH DIFFERENT TOPOLOGIES
administrators’group
each LANis local
students’group
IP network isthe securityview—prefixidentifies amachine’sgroup 2.72.60.4 0.5 2.81.3
M8M4
M4
M7
M7
M5 M6
IP routersvirtual
link
VLAN is a group’sphysical view—knowshow to connectgroup membersacross campus
AAA
A
A
A
VERIFICATION OF INTER-GROUP SECURITY
administrators’group
physical LAN
students’group
campusIP
network
administrators’Virtual LAN
students’Virtual LAN
2.72.60.4 0.5 2.81.3
M8
M8M5
M3 M6
M6M5
IP routers
M3 M5*
packet from 1.3 to 2.8 subject tofiltering rules at 0.5, to protectthe security of administrators’group—IP prefix tells filter whatgroup the packet comes from
packet must not travel by theshortest physical path betweenmachines . . . so the architecturemust be implemented correctly!
AAA
A
A
A
shared
so members of private networks cannot reach each otherX
ANOTHER COMPOSITION OPERATOR: BRIDGING
THE EASY WAY
THE HARD WAY
bridging allows services to be implemented by networks chained end-to-end
A B C D E F
A B C D E FD E F
networks have . . .. . . same namespace. . . same protocols. . . globally unique names. . . access to other networks’ routing and directories
this is how the networks of the publicInternet are composed—they differ onlyin their administrative authorities
some constraints above do not hold, e.g., private IP networks re-use names
public Internet private IP networkprivate IP network
AAA
A
A
A
IN ADDITION TO COMPOSITION OF NETWORKS . . .THERE IS SESSION COMPOSITION, . . .
NATbox SX
private IP network public Internet
src = X, dest = S src = NAT, dest = S
two-way compound session with joinbox
WHICH IS ALSO NOT RECOGNIZED IN THE CLASSIC ARCHITECTURE
network addresstranslation
employee’s laptop is trusted in enterprise network (because it divulges secretcredentials), but not in coffee shop(where is it an anonymous visitor)A
AA
A
A
Alink is implemented by the compound IPsec session,providing encryption service
NATbox SX
private network incoffee shop
public Internet
VPNserver WU
private enterprise IP network
source = U, destination = WTCP session
secure virtual link
reasoning onlyabout the enterprise network,can verify that thecompute server Wreceives no external packets
BRIDGING, COMPOUND SESSIONS, AND LAYERING:VIRTUAL PRIVATE NETWORKS
A DEFINITION OF MOBILITY
communi-cating entity
communi-cating entity
persistent linkor sessioneither endpoint
can initiatethe channel,provided thatboth are connectedto the network
the channelpersists evenwhen one or
both endpointschanges its
connection tothe network
common example: cellphone voice service
wearablehealth-monitoringdevice
personalizeddata analysis
and abnormalityalerting
persistent link supportingperiodic monitoring
this is a data service—no application programming needed
person moves around
device uses both cellular and WiFi connections,alternatively or simultaneously
minimal keep-alive signaling,to reduce battery drain
virtual-machine migration
re-routing aroundfailed links to data center
down theprotocolstack down the
protocolstack
true mobility: a member has a persistent name by which itcan be reached at any time, even if it moves during a session
fragment of public Internet
fragment of public Internet
private mobility network
Ident2Addr1 Addr3
Addr3
dest = Ident2dest = Ident2
Addr3
Loc2
src = Addr1src = Addr1
Loc2
legacyhost
mobiledevice
in mobility network, device hasa persistent identifier (looks likean IP address)
in public Internet, identifiersare routed to bridging (shared) member Addr3
location: Ident2 -> Loc2
COMPOSITION NOT IN CLASSIC ARCHITECTURE:LISP-MN FOR MOBILITY
mobility network maintains:
mobility network is alsolayered on public Internet,which implements itsvirtual links with sessions
IP addresses are location-dependentand aggregated for efficient globalrouting . . .
. . . native Internet mobility wouldrequire millions of global routingexceptions, frequently updated
most people get true mobility from cellularservice, which is expensive because it doesimplement dynamic routing to individual devices
mobile device needs specialsoftware
need extra signaling, securedagainst rogue devices
all packets between endpointsmust go through proxy
Ident2Addr1 Addr3
Addr3
dest = Ident2dest = Ident2
Addr3
Loc2
src = Addr1src = Addr1
Loc2
legacyhost
mobiledevice
location: Ident2 -> Loc2
WHY? CAPABILITY IS VERY DIFFICULT TO IMPLEMENT IN THE CLASSIC INTERNET ARCHITECTURE
costs of LISP-MN:
TCP runs unchanged
the “observable Internet” is constructed by bridging
although the “usage hierarchy” ofnetworks sometimes has cycles . . .
. . . a dependency graph of linksand paths must not have cycles
application system
THIS IS A COMMON PATTERN FOR INTEROPERATIONOF SPECIAL NETWORKS WITH THE PUBLIC INTERNET
Ident2Addr1 Addr3
Addr3 Loc2
AAA
A
A
A
SUMMARY OF COMPOSITION EXAMPLES
EXAMPLE WHY IS THERE EXTRACOMPOSITION?
WHAT ABOUTEFFICIENCY?
LISP-MN formobility
campus networkwith VLANs
need two campus-wide views,one for security and one forconnectivity, with differenttopologies
Virtual PrivateNetwork
need a secure network builton top of the public Internet
need a capability that isdifficult to implement in theclassic Internet architecture
all Ethernets have limitedsize for efficient broadcast
and many others
scalable design, withdifferent costs and securityvulnerabilities
Named Data Networkingis an experiment with acompletely differentarchitecture
SIMPLE makes policy-basedrouting feasible, by reducingsize of forwarding tables
AAA
A
A
A
NOW THAT WE HAVE A BETTER MODEL . . .
USE IT TO TEACH NETWORKING
Compositional Network Architecture
Introduction to CompositionalNetwork Architecture
Compositional View of the Classic Internet Architecture
Routing and Forwarding
Session Protocols
Middleboxes
Directories and Mobility
Network Security
Ideas for a Better Internet
graduate-level textbook
each chapter describes how animportant aspect of networkingis realized, across . . .
. . . large and small networks,
. . . general-purpose and special- purpose networks,
. . . high- and low-level networks
we are emphasizing theinteractions among these architectural aspects
AAA
A
A
A
NOW THAT WE HAVE A BETTER MODEL . . .
USE IT TO PROGRAM NETWORKS
from the patternsthere is asmooth path toformalization andautomated analysis
the important optimizationsmove functions up (virtualization)or down (hardware acceleration)in the network hierarchy . . . . . . and these can be
automated!
src = W, dst = X,sess = S1, user = N0
src = Y, dst = Z,sess = S2, user = N0
L1 implemented by S1 L2 implemented by S2
NET-WORK
N0
W X Y Z
the model gives us re-usable, customizable patternsto implement (especially for packet processing)
AAA
A
A
A
targetmachine
NOW THAT WE HAVE A BETTER MODEL . . .
VERIFICATION OF TRUSTWORTHY SERVICES
sess = S1, user = N0 sess = S2, user = N0
L1 implemented by S1 L2 implemented by S2
. . . service verification is impossiblewithout compositional reasoning
because compositionis ubiquitous . . .
with programs derived from the model,it should be possible to verify propertiessuch as “any packet received by targetmachine is also received by A in N0”
so higher-level networks (withapplication knowledge) can providereal security for machines—everyexample uses properties like this
because we can describe securitymechanisms precisely in a commonmodel, we are working on a unifiedproof template for filtering
it includes proofs from opposingsides! (security by filtering versusevasion of censorship)
A
AAA
A
A
A
NOW THAT WE HAVE A BETTER MODEL . . .
USE IT TO UNDERSTAND INTERNET EVOLUTION
COMPOSITION ALLOWS THE CLASSICINTERNET ARCHITECTURE TO . . .
interoperate with new concepts
evolve toward the successful ones
SMOOTHER COMPOSITION WILL MAKETHE PROCESS EASIER AND SAFER
IN THE LONG TERM . . .
What is the optimal way tocombine capabilities for networkservices, e.g., mobility, middleboxes, multihoming,group names, security, enhancedsession protocols, etc.?
get rid of unnecessary impediments
What is the best way to satisfyrequirements for truly specializednetworks, without losing theperformance benefits of globalbest-effort service?
AAA
A
A
A
COMPOSITIONAL NETWORK ARCHITECTUREIS A PRECISE AND COMPREHENSIVE MODELFOR DESCRIBING TODAY’S NETWORKS
CONCLUSION
WHAT ABOUT FORMALIZATION?
we can’t just charge ahead and formalize all of networking
as always, we must be clever aboutformalizing pieces that we reallyneed for analysis and verification
the informal model will help us make sure that the pieces fittogether
the modelreally matters
WHAT ABOUT HAVING AN IMPACT?
there is not much hope for holisticverification of today’s services
too muchimplementation mess
we must exploit programmability!
make new implementationsthat embody the model
