Policy and mechanism in the future Internet

Michael WalfishThe University of Texas at Austin

in collaboration with:Arun Seehra (UT Austin), Jad Naous (Stanford),

David Mazières (Stanford), Antonio Nicolosi (Stevens),and Scott Shenker (UC Berkeley/ICSI)

• Many stakeholders: senders, receivers, transit providers, edge providers, middleboxes, …

• Each has many policy- and security-related goals

scrubbing service

• Where do your sympathies lie?

Who should control communications?

What should they control?

Many network-layer proposals and defenses

• ACLs, NATs, VPNs, Platypus, TVA, NUTSS, i3, DOA, NIRA, LSRR, firewalls, source routing, whitelisting, blacklisting, securing BGP, provider filtering based on sender, provider filtering based on receiver, signature matching, network capabilities, telephoning your ISP, telephoning your attacker’s ISP, …

Prior works: large union, small intersection

x o o o o o source routing

o - - - - xCapabilities

x o o - - -- - - o o x

NIRA

Platypusx o o o o oo - - x - oo - x - - oo x - - - o

Secure BGP- - - o x o- - o x o o- o x o o oo x o o o o

Filterso - - - x oo - - x - oo - x - - oo x - - - o

• Proposals generally choose particular concerns To the exclusion of other concerns

What are our options?• Embrace the status quo: do nothing

This is unsatisfactory

• Make a hard choice: select the “right” subset This would be a gamble … … on a choice that might last another 30 years … … by a community not known for accurate

predictions

• Choose “all of the above”: take a principled union This is the most future-proof strategy possible And it empowers all stakeholders (at least

potentially)

We propose a unified policy framework

x o o o o o oo o o o o o xo o o x o o oo x o o o o oo o o o o x oo o x o o o oo o o o x o o

• Let every participant formulate policies based on: Packets’ end-to-end paths at the domain level Intra-domain handling (links, router queues, …) Arbitrary other information (billing, time of day,

…)

• Subsumes goals of prior network-layer proposals Obvious in hindsight

policy principle:

• What policy considerations should a future Internet support?

• Can we build a supporting mechanism? There are many challenges here My goal is to convince you it’s feasible … … with ICING, which we implemented in

hardware

• What are the uses of ICING?

x o o o o o oo o o o o o xo o o x o o oo x o o o o oo o o o o x oo o x o o o oo o o o x o o

What are the technical challenges?

• Letting the control plane specify arbitrary policies Requires new interface between control/data

planes

• Enforcing policy decisions in the data plane Requires new packet authentication

techniques

• Delegating policy decisions

• Bootstrapping

What should be the control/data plane interface?

General-purpose serverspath, info.

stuff

other stuff

• Policy decisions need to be prior to packet flow

• So move policy from routers to evolvable servers

• Servers can delegate or abdicate their control

payload

What is needed to enforce policy at high speed?

• Data plane must check that path is authorized

• Data plane must check that path was followed This is a hard technical problem

• Status quo not even close (BGP only advisory)

• Target environment rules out previous techniques Backbone speeds preclude digital signatures Federated nature of Internet precludes central

root of trust, pre-configured shared secrets, etc.

ICING’s data plane in a nutshell• Binds a packet to its path

Packet carries path (list of public keys), verifiers

Realms use ki,j to transform verifiers

For j<i, Ri verifies provenance using kj,i

For j>i, Ri proves provenance to Rj using ki,j

• No key distribution: Ri derives ki,j from Rj’s name

• Resists attack: forgery, injection, short-circuiting, …

• Feasibility: is required space, computation tolerable?

ICING is feasible• Space overhead?

Average ICING header: ~250 bytes Average packet size: ~1300 bytes [CAIDA] So, total overhead from ICING: ~20% more

space

• What is the hardware cost?

NetFPGA gate counts: ICING is 13.4 M, IP is 8.7 M NetFPGA forwarding speed: ICING is ~80% of IP ICING vs. simple IP in gates/(Gbits/sec): ~2x

R0 R1 R2 R3 R4

M

24 bytes (ECC) 18 bytes

• What policy considerations should a future Internet support? (A: Those given by the policy principle)

• Can we build a supporting mechanism? (A: Yes. ICING is an existence proof.)

• What are the uses of ICING? (Quick preview:

New kinds of routing, Flexible network access control, New provider business models, and more)

x o o o o o oo o o o o o xo o o x o o oo x o o o o oo o o o o x oo o x o o o oo o o o x o o

BGP’s choice of paths, enforced

Data plane

sender

dest.

R1 R2

Data plane

Data plane

consent

server 1

consent

server 2

consent

server 3

R3

path = <sender R1 R2 R3 dest>

use <PoC1 PoC2 PoC3 PoCdest>

BGP BGP

<R2 R3 dest>,<s2 s3 sdest >

“dest”

ICING permits “sink routing”

consent server 3

• Analogous to source routing

• Lets receivers choose paths to minimize latency, cost (As CDNs do today using crude DNS tricks)

• Lets receivers choose trustworthy providers to carry sensitive data to them

S R1

R2

R3

<S R1 R2 R3 dest>

< PoC2 PoC3 PoCdest

>

dest

Special case of sink routing:forcing flows through offsite

scrubbing servicesconsent server

enterprise

offsite scrubber

sender

dest.

ICING provides flexible access controlconsen

t server

• Can delegate consent-granting to specialist• Or let some clients (employees) mint PoCs• And restrict which servers employees can

reach

employee

Other uses of ICING

• Many control planes work with ICING’s data plane ICING can emulate TVA, NIRA, Pathlets, LSRR, etc.

• New provider business models Sell transit to anyone, not just direct neighbors (Not a new vision, but ICING’s enforcement is key)

• Fine-grained intra-domain packet disposition Senders, providers can negotiate over this Key mechanism: per-realm vnodes in packets

Limitations, future work, and recap

Limitations….

… of this talk• Didn’t talk about network failure

• Didn’t talk about expiration and revocation

• Didn’t talk about deployment

… of ICING• Does not prevent transparent outsourcing of

transit But lets senders choose whom to trust

• Cannot forward packets differently based on payload

• Cannot modify packet payload during transit

• Defending against intelligent replay attacks

• Detecting unsatisfactory service by providers

• Preventing unauthorized subcontracting of transit E.g., prevent ISP from redirecting through

country X

Future work

Recap• Many good policies; no consensus on “best”

• So try to uphold “all of the above”:

• ICING is our candidate mechanism Binds data plane to dictates of control plane

Today: not implausible. Tomorrow: not impractical.

100,000-foot view: bandwidth and computation keep increasing, so use them to buy new properties

• We think ICING’s properties are worth its price

x o o o o o oo o o o o o xo o o x o o oo x o o o o oo o o o o x oo o x o o o oo o o o x o o