DOI: 10.1145/2018436.2018469

NetQuery: a knowledge plane for reasoning about network properties

Published: 15 August 2011

Abstract

This paper presents the design and implementation of NetQuery, a knowledge plane for federated networks such as the Internet. In such networks, not all administrative domains will generate information that an application can trust and many administrative domains may have restrictive policies on disclosing network information. Thus, both the trustworthiness and accessibility of network information pose obstacles to effective reasoning. NetQuery employs trustworthy computing techniques to facilitate reasoning about the trustworthiness of information contained in the knowledge plane while preserving confidentiality guarantees for operator data. By characterizing information disclosure between operators, NetQuery enables remote verification of advertised claims and contractual stipulations; this enables new applications because network guarantees can span administrative boundaries. We have implemented NetQuery, built several NetQuery-enabled devices, and deployed applications for cloud datacenters, enterprise networks, and the Internet. Simulations, testbed experiments, and a deployment on a departmental network indicate NetQuery can support hundreds of thousands of operations per second and can thus scale to large ISPs.

Supplementary Material

MP4 File (sigcomm_9_1.mp4)


Published In

SIGCOMM '11: Proceedings of the ACM SIGCOMM 2011 conference
August 2011, 502 pages
ISBN: 9781450307970
DOI: 10.1145/2018436

Also published in ACM SIGCOMM Computer Communication Review, Volume 41, Issue 4 (SIGCOMM '11)
August 2011, 480 pages
ISSN: 0146-4833
DOI: 10.1145/2043164

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. knowledge plane
2. tpm
3. trustworthy computing

Qualifiers

• Research-article

Conference

SIGCOMM '11: ACM SIGCOMM 2011 Conference
August 15 - 19, 2011
Toronto, Ontario, Canada

Acceptance Rates

SIGCOMM '11 Paper Acceptance Rate: 32 of 223 submissions, 14%
Overall Acceptance Rate: 462 of 3,389 submissions, 14%

Cited By

• (2022) Network artificial intelligence, fast and slow. Proceedings of the 1st International Workshop on Native Network Intelligence, pp. 14-20. DOI: 10.1145/3565009.3569521. Online publication date: 9 Dec 2022.
• (2016) Compiling path queries. Proceedings of the 13th USENIX Conference on Networked Systems Design and Implementation, pp. 207-222. DOI: 10.5555/2930611.2930626. Online publication date: 16 Mar 2016.
• (2016) Routing-Verification-as-a-Service (RVaaS): Trustworthy Routing Despite Insecure Providers. 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W), pp. 113-119. DOI: 10.1109/DSN-W.2016.42. Online publication date: Jun 2016.
• (2015) Construction of Routing Information Knowledge Base towards Wide Area Network Management. The 10th International Conference on Future Internet, pp. 76-83. DOI: 10.1145/2775088.2775097. Online publication date: 8 Jun 2015.
• (2015) Taming uncertainty in distributed systems with help from the network. Proceedings of the Tenth European Conference on Computer Systems, pp. 1-16. DOI: 10.1145/2741948.2741976. Online publication date: 17 Apr 2015.
• (2013) Participatory networking. ACM SIGCOMM Computer Communication Review 43(4), pp. 327-338. DOI: 10.1145/2534169.2486003. Online publication date: 27 Aug 2013.
• (2013) Participatory networking. Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM, pp. 327-338. DOI: 10.1145/2486001.2486003. Online publication date: 12 Aug 2013.
• (2012) Using trustworthy host-based information in the network. Proceedings of the seventh ACM workshop on Scalable trusted computing, pp. 33-44. DOI: 10.1145/2382536.2382544. Online publication date: 15 Oct 2012.
• (2012) Network Perspective. Guide to Reliable Distributed Systems, pp. 101-143. DOI: 10.1007/978-1-4471-2416-0_4. Online publication date: 2012.
• (2024) Debuglet: Programmable and Verifiable Inter-Domain Network Telemetry. 2024 IEEE 44th International Conference on Distributed Computing Systems (ICDCS), pp. 255-265. DOI: 10.1109/ICDCS60910.2024.00032. Online publication date: 23 Jul 2024.