CC*DNI Integration: Enhancing Science Through Custom Paths For Trusted Users

Grants and Contracts Details

Description

Large data sets drive many research techniques today, including simulation and modeling, data mining and analytics, and visualization. As these techniques become more common in disciplines ranging from biology to business and from pathology to physics, the need to move large data sets in an efficient and secure manner is now a daily reality for many researchers. Although network transmission speeds continue to improve, users who need to move gigabytes or terabytes of data find it difficult to achieve the advertised speeds. A big reason for this is that campus networks today are littered with so-called network appliances, which implement functions such as network address translation, load balancing, traffic shaping, intrusion detection, and firewalling. Unfortunately, the (deep) packet inspection and manipulation these “middleboxes” have to implement poses a serious performance threat and often makes them a bottleneck. The standard approach to address these problems is to build a special-purpose, static, secure, high-speed “science DMZ” and then allow only trusted machines to connect to it. In this project we propose to develop dynamic mechanisms for establishing trust between users and network providers, allowing users to dynamically create flows that bypass middlebox bottlenecks in exchange for information about the user and the nature of the data transfer. With such mechanisms, the need to bifurcate the world into science DMZ and non-science DMZ nodes disappears, and the growing number of mobile/wirelessly connected scientists (users) can receive high-speed network service. Moreover, this approach provides the opportunity to optimize data transfer on a per-flow basis, based on the flow’s needs as revealed at setup time.
To scalably establish trust, we take a coarse-grained “trust but verify” approach where authentication occurs at the granularity of users or applications rather than individual flows, but then employs lightweight passive monitoring and offline analysis to verify behavior and maintain trust (as opposed to in-band verification). The result of our work will be a high-speed, SDN-enabled segment of the campus network, combined with new services that enable scientists to establish trust with the network and set up connections free from conventional middlebox interference—while maintaining network appliance functionality for normal campus traffic.
Status: Finished
Effective start/end date: 9/1/15 to 8/31/19

Funding

  • National Science Foundation: $999,313.00
