Adiseshu Hari

Detecting and resolving packet filter conflicts

Packet filters are rules for classifying packets based on their header fields. Packet classification is essential to routers supporting services such as quality of service (QoS), virtual private networks (VPNs), and firewalls. A filter conflict occurs when two or more filters overlap, creating an ambiguity in packet classification. Current techniques for resolving filter conflicts are based on prioritizing conflicting filters, and choosing the higher priority filter. We show that such ordering does not always work. Instead, we propose a new scheme for conflict resolution, which is based on the idea of adding resolve filters. Our main results are algorithms for detecting and resolving conflicts in a filter database. We have tried our algorithm on 3 existing firewall databases, and have found conflicts, which are potential security holes, in each of them.

An architecture for packet-striping protocols

Link-striping algorithms are often used to overcome transmission bottlenecks in computer networks. Traditional striping algorithms suffer from two major disadvantages. They provide inadequate load sharing in the presence of variable-length packets, and may result in non-FIFO delivery of data. We describe a new family of link-striping algorithms that solves both problems. Our scheme applies to any layer that can provide multiple FIFO channels. We deal with variable-sized packets by showing how fair-queuing algorithms can be transformed into load-sharing algorithms. Our transformation results in practical load-sharing protocols, and shows a theoretical connection between two seemingly different problems. The same transformation can be applied to obtain load-sharing protocols for links with different capacities. We deal with the FIFO requirement for two separate cases. If a sequence number can be added to each packet, we show how to speed up packet processing by letting the receiver simulate the sender algorithm. If no header can be added, we show how to provide quasi FIFO delivery. Quasi FIFO is FIFO except during occasional periods of loss of synchronization. We argue that quasi FIFO is adequate for most applications. We also describe a simple technique for speedy restoration of synchronization in the event of loss. We develop an architectural framework for transparently embedding our protocol at the network level by striping IP packets across multiple physical interfaces. The resulting stripe protocol has been implemented within the NetBSD kernel. Our measurements and simulations show that the protocol offers scalable throughput even when striping is done over dissimilar links, and that the protocol synchronized quickly after packet loss. Measurements show performance improvements over conventional round-robin striping schemes and striping schemes that do not resequence packets. Some aspects of our solution have been implemented in Ciscos router operating system (IOS 11.3) in the context of Multilink PPP striping.

Bringing the cloud to the edge

Edge services become increasingly important as the Internet transforms into an Internet of Things (IoT). Edge services require bounded latency, bandwidth reduction between the edge and the core, service resiliency with graceful degradation, and access to resources visible only inside the NATed and secured edge networks. While the data center based cloud excels at providing general purpose computation/storage at scale, it is not suitable for edge services. We present a new model for cloud computing, which we call the Edge Cloud, that addresses edge computing specific issues by augmenting the traditional data center cloud model with service nodes placed at the network edges. We describe the architecture of the Edge Cloud and its implementation as an overlay hybrid cloud using the industry standard OpenStack cloud management framework. We demonstrate the advantages garnered by two new classes of applications enabled by the Edge Cloud - a highly accurate indoor localization that saves on latency, and a scalable and resilient video monitoring that saves on bandwidth.

MobileNAT: a new technique for mobility across heterogeneous address spaces

We propose a new network layer mobility architecture called Mobile NAT to efficiently support micro and macro-mobility in and across heterogeneous address spaces common in emerging public networks. The key ideas in this architecture are as follows: (1) Use of two IP addresses – an invariant virtual IP address for host identification at the application layer and an actual routable address at the network layer that changes due to mobility. Since physical address has routing significance only within a domain, it can be a private address and therefore, does not deplete the public IP address resource. (2) New DHCP enhancements to distribute the two addresses. (3) A new signaling element called Mobility Manager (MM) that uses Middlebox Communication (MIDCOM) framework to signal the changes in packet processing rules to the Network Address Translators (NATs) in the event of node mobility. Our proposal does not require any modifications to the access networks and can seamlessly co-exist with the existing Mobile IP mechanisms and therefore, can be used to provide seamless mobility across heterogeneous wireline and wireless networks. We report implementation details of a subset of our ideas in a testbed with Windows XP clients and Linux based NATs.

The Internet Blockchain: A Distributed, Tamper-Resistant Transaction Framework for the Internet

Existing security mechanisms for managing the Internet infrastructural resources like IP addresses, AS numbers, BGP advertisements and DNS mappings rely on a Public Key Infrastructure (PKI) that can be potentially compromised by state actors and Advanced Persistent Threats (APTs). Ideally the Internet infrastructure needs a distributed and tamper-resistant resource management framework which cannot be subverted by any single entity. A secure, distributed ledger enables such a mechanism and the blockchain is the best known example of distributed ledgers. In this paper, we propose the use of a blockchain based mechanism to secure the Internet BGP and DNS infrastructure. While the blockchain has scaling issues to be overcome, the key advantages of such an approach include the elimination of any PKI-like root of trust, a verifiable and distributed transaction history log, multi-signature based authorizations for enhanced security, easy extensibility and scriptable programmability to secure new types of Internet resources and potential for a built in cryptocurrency. A tamper resistant DNS infrastructure also ensures that it is not possible for the application level PKI to spoof HTTPS traffic.

Path switching: reduced-state flow handling in SDN using path information

The advent of virtualization, containerization and the Internet of Things (IoT) is leading to an explosive growth in the number of endpoints. Ideally with Software Defined Networking (SDN), one would like to customize packet handling for each of these endpoints or applications. However this typically leads to a large growth in forwarding state. This growth is avoided in current networks by using aggregation which trades off fine-grained control of micro-flows for reduced forwarding state. It is worthwhile to ask whether the benefits of micro-flow control can be retained without a large growth in forwarding state and without using aggregation. In this paper we describe an incrementally deployable SDN-friendly packet forwarding mechanism called Path Switching that achieves this by compactly encoding a packets path through the network in the packets existing address fields. Path Switching provides the same reduction in forwarding state as source routing while retaining the benefits and use of fixed size packet headers and existing protocols. We have extended Open vSwitch (OVS) to transparently support Path Switching as well as an inline service component for folding middlebox services into OVS. The extensions include advanced failover mechanisms like fast reroute. These extensions require no protocol changes as Path Switching leaves header formats unchanged.

Intelligent media gateway selection in a VoIP network

Efficient call routing between voice over Internet Protocol (VoIP) networks and the PSTN is crucial for the success of VoIP. One fundamental problem to be solved is the selection of an appropriate media gateway for calls originating from the VoIP networks and terminating in the PSTN. Media gateways differ in their characteristics. On the PSTN side, they may have different costs for reaching the destination number. On the IP side, the path delay may vary and gateways may provide differing audio qualities due to the availability of different feature sets (e.g., codecs). While a simplistic gateway selection algorithm routes incoming calls solely on the basis of the destination number, an ideal algorithm should be able to make more sophisticated routing decisions (e.g., trading costs against voice quality). In this paper, we motivate the need for such advanced routing algorithms and discuss the issues that surface in the implementation of intelligent media gateway selection algorithms. We further show the benefits of integrating wireless and wireline number portability dips and home location register (HLR) lookups into the routing decision.

An Efficient and Robust Overlay Routing Scheme for VoIP

Even though voice over Internet protocol (VoIP) provides good call quality in most cases, there are occasions in which the delay, jitter and loss rate in the Internet exceeds the values tolerable for voice traffic. This leads to a degradation in voice quality or may cause a VoIP call to fail entirely. Overlay networks provide a solution to increase the quality of service (QoS) in the Internet. However, application-agnostic overlay networks cannot fully exploit the characteristics of VoIP traffic. In this paper, we propose a new overlay routing scheme for VoIP. By utilizing the signaling phase that precedes a VoIP call and passively monitoring VoIP flows, our VoIP overlay routing scheme can effectively select a route that meets a given quality of service criteria. It is robust in that it quickly reroutes traffic around network failures and efficient by creating only a minimal overhead through the tight integration with VoIP protocols

Scalable and elastic telecommunication services in the cloud

We consider the problem of virtualization of telecommunication (telecom) services, which are session-oriented by nature and currently run on dedicated hardware. Such virtualization involves eliminating the dedicated hardware and moving the software to run in virtual machines within a standard cloud computing infrastructure. Existing mechanisms for running services in the cloud are typically targeted towards web services with short-lived sessions where the services are often resilient to intermittent failures of the network or endpoints. We claim that such mechanisms are inadequate for implementations of typical telecom services where sessions are often long-lived and service users are intolerant of service and network interruptions. We present a framework, which we refer to as Telecom as a Service (TaaS), and the associated TaaS primitives for realizing highly scalable and elastic session-oriented telecommunications services in the cloud while imposing minimal changes to existing services and no changes to client implementations. We show through empirical data that our mechanisms scale with network load.

The Swiss Army smartphone: cloud-based delivery of USB services

A smartphone can be configured to look like any Universal Serial Bus (USB) peripheral and can be managed remotely through its wireless data connection. By virtue of these features, smartphones are ideal vehicles for the delivery of a variety of brand-new, USB-powered services that support the management and troubleshooting of mobile laptops. We provide examples of such USB services and describe a general architecture for their implementation. The services are easy to deploy, because they can be extended to remote laptops without prior installation of new software, and well-suited for delivery through virtualization in a cloud infrastructure. While our examples target mostly the enterprise, USB services, especially virtualized ones, can easily be tailored to suit a broad set of consumer applications.