Abstract
Campus networks and enterprise networks increasingly depend on middleboxes (e.g., firewalls, NAT, load balancers, IDS/IDP) to provide essential services or enforce network policies. These middleboxes often limit the performance of network applications, especially those involved in big data transfers. To address this problem, we propose a Software Defined Networking (SDN) campus network architecture, called VIP Lanes, that allows pre-authorized, trusted users to create flows that bypass middleboxes, thereby enabling those users to achieve substantially better performance while maintaining security and policy compliance for all other network traffic. In this paper, we present the VIP Lanes abstraction and describe an authorization and policy-enforcement service used to establish trusted VIP Lanes. We describe an initial prototype implementation that not only demonstrates the viability of the VIP Lanes approach, but also gives an indication of the types of performance improvements that are possible: in some cases approaching a two-orders-of-magnitude reduction in transmission times.
| Original language | English |
|---|---|
| Title of host publication | 2017 26th International Conference on Computer Communications and Networks, ICCCN 2017 |
| ISBN (Electronic) | 9781509029914 |
| DOIs | |
| State | Published - Sep 14 2017 |
| Event | 26th International Conference on Computer Communications and Networks, ICCCN 2017 - Vancouver, Canada. Duration: Jul 31 2017 → Aug 3 2017 |
Publication series
| Name | 2017 26th International Conference on Computer Communications and Networks, ICCCN 2017 |
|---|---|
Conference
| Conference | 26th International Conference on Computer Communications and Networks, ICCCN 2017 |
|---|---|
| Country/Territory | Canada |
| City | Vancouver |
| Period | 7/31/17 → 8/3/17 |
Bibliographical note
Publisher Copyright: © 2017 IEEE.
Funding
In the future, we plan to extend the VIP Lanes system in several ways. For example, the path service could be used to compute paths for a flow originating from a host with an internally routed address. In this case, address translation is required to talk to the Internet, so the path service will need to build a path that traverses NAT functionality (ideally performed using SDN itself). In addition, the path service could collect counters from switches to calculate the available capacity of the links and use that information to build paths that meet the quality-of-service requirements of a flow.

In regards to the VIP Lane server, the permission tree could be augmented to enforce other policies. For example, it could be used to deny VIP Lane creation during certain hours of the day, or to deny new VIP Lanes if the VIP Lane capacity already in use on a link would be exceeded. In some cases, setting up a VIP Lane for a very short time might not be worth it, implying that the permission tree should require a minimum flow duration for a VIP Lane.

Acknowledgment: This work was supported in part by the National Science Foundation under Grants ACI-1541380, ACI-1541426, and ACI-1642134. The work of Kenneth L. Calvert was supported by (while working at) the National Science Foundation. The authors also thank Lowell Pike, Matthew Moseley, and Cody Bumgardner for installing and configuring the OpenFlow infrastructure on campus that was used in our testing and evaluation.
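The policy checks sketched above (pre-authorized users only, a time-of-day blackout, per-link VIP Lane capacity, and a minimum flow duration) are the kind of decision the VIP Lane server's permission tree has to make before a flow is allowed to bypass the middleboxes. The following is an added illustration, not code from the paper or the authors' prototype: the data model, rule order, field names and sample values are all assumptions. The one design point it is meant to show is that every rule fails closed, including a path over a link the policy does not cover, since a granted lane removes the middleboxes from the flow's path.

```python
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, Optional, Tuple

# Hypothetical model of a VIP Lane permission tree. Not the paper's implementation:
# field names, rule order and the sample values are assumptions made for this example.


@dataclass(frozen=True)
class LaneRequest:
    user: str
    path_links: Tuple[str, ...]   # links the path service chose for this flow
    rate_mbps: int                # capacity the lane reserves on every link of the path
    duration_s: int               # how long the requester wants the lane to exist
    start: time                   # local time of day at which the lane would be created


@dataclass
class Policy:
    trusted_users: FrozenSet[str]
    blackout: Optional[Tuple[time, time]]  # (start, end) window in which creation is denied
    link_capacity_mbps: Dict[str, int]     # link -> capacity set aside for VIP Lanes
    link_used_mbps: Dict[str, int]         # link -> capacity already held by live lanes
    min_duration_s: int


def at(hour: int, minute: int = 0) -> time:
    """Small helper so callers do not need to import datetime.time themselves."""
    return time(hour, minute)


def in_window(t: time, window: Tuple[time, time]) -> bool:
    """True if t falls in [start, end); a window whose start is after its end wraps midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def authorize(req: LaneRequest, policy: Policy) -> Tuple[bool, str]:
    """Evaluate every rule; the first failing rule denies and names the reason.

    A link with no capacity entry denies rather than passes: a VIP Lane bypasses the
    middleboxes, so it must never be granted on a link the policy does not cover.
    """
    if req.user not in policy.trusted_users:
        return False, "user is not pre-authorized"
    if policy.blackout is not None and in_window(req.start, policy.blackout):
        return False, "lane creation denied in blackout window"
    if req.duration_s < policy.min_duration_s:
        return False, "flow too short to justify a lane"
    if req.rate_mbps <= 0:
        return False, "rate must be positive"
    for link in req.path_links:
        cap = policy.link_capacity_mbps.get(link)
        if cap is None:
            return False, f"no VIP Lane capacity policy for link {link}"
        if policy.link_used_mbps.get(link, 0) + req.rate_mbps > cap:
            return False, f"VIP Lane capacity on link {link} exceeded"
    return True, "ok"


def reserve(req: LaneRequest, policy: Policy) -> Tuple[bool, str]:
    """Authorize and, on success, charge the lane's rate against every link on its path."""
    ok, reason = authorize(req, policy)
    if ok:
        for link in req.path_links:
            policy.link_used_mbps[link] = policy.link_used_mbps.get(link, 0) + req.rate_mbps
    return ok, reason


def sample_policy() -> Policy:
    """Constructed policy for a two-hop campus path; the numbers are made up."""
    return Policy(
        trusted_users=frozenset({"alice"}),
        blackout=(at(8), at(10)),
        link_capacity_mbps={"core-edge1": 8000, "edge1-dtn": 9000},
        link_used_mbps={"core-edge1": 6000},
        min_duration_s=60,
    )


if __name__ == "__main__":
    pol = sample_policy()
    path = ("core-edge1", "edge1-dtn")
    for req in (
        LaneRequest("alice", path, 1000, 600, at(14)),  # fits: 6000 + 1000 <= 8000
        LaneRequest("alice", path, 1500, 600, at(14)),  # 7000 + 1500 > 8000 on core-edge1
        LaneRequest("bob", path, 1000, 600, at(14)),    # not pre-authorized
        LaneRequest("alice", path, 100, 600, at(9, 30)),  # inside blackout window
        LaneRequest("alice", path, 100, 5, at(14)),     # below minimum duration
    ):
        print(req.user, req.rate_mbps, reserve(req, pol))
```

The capacity rule is checked against the sum of rates already reserved on each link, so the second request in the demo is refused only because the first one was admitted; a real server would also have to release the reservation when the lane's duration expires, which this example does not model.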
| Funders | Funder number |
|---|---|
| National Science Foundation (NSF) | ACI-1642134, ACI-1541426, ACI-1541380 |
Keywords
- Big data
- Campus network
- Middleboxes
- Software defined networks
ASJC Scopus subject areas
- Artificial Intelligence
- Computer Networks and Communications
- Software
- Management of Technology and Innovation
- Information Systems and Management
- Safety, Risk, Reliability and Quality
- Media Technology
- Control and Optimization