Furies: A Scalable Framework for Traffic Policing and Admission Control
Chen-Nee Chuah and Lakshminarayanan Subramanian and Randy H. Katz
EECS Department, University of California, Berkeley
Technical Report No. UCB/CSD-01-1144, 2001
http://www2.eecs.berkeley.edu/Pubs/TechRpts/2001/CSD-01-1144.pdf
Furies provides a control framework for scalable, efficient admission control and traffic policing. Furies leverages the knowledge of traffic demand distributions between ingress-egress pairs and the network topology within an ISP in making admission control decisions. We propose to aggregate admitted flows for policing at edge routers instead of monitoring individual flows. Furies achieves this by assigning a unique flow-identifier to every admitted flow based on its ingress and egress point. As a result, the amount of states maintained by the edge routers can be reduced from O(n) to O(√n), where n is the number of admitted flows, while core routers are stateless. Simulation results show that we can successfully detect a majority (64-83%) of the malicious flows with virtually zero false-alarms without maintaining per-flow state at the edge. Our implementation demonstrates that Furies adds minimal processing overhead to edge routers and can be incrementally deployed.
BibTeX citation:
@techreport{Chuah:CSD-01-1144,
    Author = {Chuah, Chen-Nee and Subramanian, Lakshminarayanan and Katz, Randy H.},
    Title = {Furies: A Scalable Framework for Traffic Policing and Admission Control},
    Year = {2001},
    Month = {May},
    Url = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2001/5818.html},
    Number = {UCB/CSD-01-1144},
    Abstract = {Furies provides a control framework for scalable, efficient admission control and traffic policing. Furies leverages the knowledge of traffic demand distributions between ingress-egress pairs and the network topology within an ISP in making admission control decisions. We propose to aggregate admitted flows for policing at edge routers instead of monitoring individual flows. Furies achieves this by assigning a unique flow-identifier to every admitted flow based on its ingress and egress point. As a result, the amount of states maintained by the edge routers can be reduced from O(n) to O(√n), where n is the number of admitted flows, while core routers are stateless. Simulation results show that we can successfully detect a majority (64-83%) of the malicious flows with virtually zero false-alarms without maintaining per-flow state at the edge. Our implementation demonstrates that Furies adds minimal processing overhead to edge routers and can be incrementally deployed.},
}
EndNote citation:
%0 Report
%A Chuah, Chen-Nee
%A Subramanian, Lakshminarayanan
%A Katz, Randy H.
%T Furies: A Scalable Framework for Traffic Policing and Admission Control
%I EECS Department, University of California, Berkeley
%D 2001
%@ UCB/CSD-01-1144
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2001/5818.html
%F Chuah:CSD-01-1144