DOI: 10.1145/3548606.3560582 (ACM CCS conference proceedings)
Research article

Protecting Critical Inter-Domain Communication through Flyover Reservations

Published: 07 November 2022

Abstract

To protect against naturally occurring or adversely induced congestion in the Internet, we propose the concept of flyover reservations, a fundamentally new approach for addressing the availability demands of critical low-volume applications. In contrast to path-based reservation systems, flyovers are fine-grained "hop-based" bandwidth reservations on the level of individual autonomous systems. We demonstrate the scalability of this approach experimentally through simulations on large graphs. Moreover, we bring the flyovers' potential to full fruition by introducing Helia, a protocol for secure flyover reservation setup and data transmission. We evaluate Helia's performance based on an implementation in DPDK, demonstrating authentication and forwarding of reservation traffic at 160 Gbps. Our security analysis shows that Helia can resist a large variety of powerful attacks against reservation admission and traffic forwarding. Despite its simplicity, Helia outperforms current state-of-the-art reservation systems in many key metrics.


Published In

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
November 2022, 3598 pages
ISBN: 9781450394505
DOI: 10.1145/3548606

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. bandwidth reservations
2. denial-of-service defense
Conference

CCS '22

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
