Building Extensible and Secure Networks

THIS REPORT HAS BEEN WITHDRAWN

Lucian Popa

EECS Department
University of California, Berkeley
Technical Report No. UCB/EECS-2011-105
September 23, 2011

In this dissertation, we present a network design called Rule-Based Forwarding (RBF) that provides flexible and policy-compliant forwarding. Our proposal centers around a new architectural concept: that of packet rules. A rule is a simple if-then-else construct that describes the manner in which the network should, or should not, forward packets. A packet identifies the rule by which it is to be forwarded, and routers forward each packet in accordance with its associated rule. On one hand, rules are flexible, as they can explicitly specify paths and invoke packet processing inside the network. This enables RBF to support many previously proposed Internet extensions, such as explicit middleboxes, multiple paths, source routing and support for host mobility. On the other hand, rules are certified, which guarantees that packets comply with the policies of the parties forwarding them. This property also enables a more secure architecture, since unwanted packets can be dropped in the network, allowing RBF to stop denial of service (DoS) attacks. Using our prototype router implementation, we show that the overhead RBF imposes is within the capabilities of modern network equipment.
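To make the rule concept concrete, here is a small added illustration in Python (not code from the report or its prototype router): a rule is an if-then-else program over packet header fields, a router first checks the rule's certificate and then evaluates its clauses, and a packet whose rule is missing or tampered is dropped. The certificate is modeled as an HMAC issued with a key held by the destination; that modeling, the rule and header field names, and the sample keys are all assumptions, since the page does not describe the actual certification scheme.

```python
import hashlib
import hmac
import json

# Constructed sample: keys held by the parties that certify rules (here the
# destination). Assumption: certification is modeled as an HMAC over the rule body.
DEST_KEYS = {"dst-A": b"constructed-key-for-dst-A"}


def _rule_body(rule):
    """Canonical bytes of a rule, excluding its certificate."""
    body = {k: v for k, v in rule.items() if k != "cert"}
    return json.dumps(body, sort_keys=True).encode()


def certify(rule, key):
    """Return a copy of the rule carrying a certificate issued with `key`."""
    signed = dict(rule)
    signed["cert"] = hmac.new(key, _rule_body(rule), hashlib.sha256).hexdigest()
    return signed


def _matches(cond, hdr):
    """A clause condition holds when every listed header field has the given value."""
    return all(hdr.get(field) == value for field, value in cond.items())


def forward(packet):
    """Router-side decision: verify the certificate, then run the rule's
    if-then-else clauses against the packet header. Returns the action string."""
    rule, hdr = packet["rule"], packet["hdr"]
    key = DEST_KEYS.get(rule.get("dst"))
    expected = hmac.new(key, _rule_body(rule), hashlib.sha256).hexdigest() if key else None
    # Packets without a valid certified rule are dropped inside the network.
    if expected is None or not hmac.compare_digest(expected, rule.get("cert", "")):
        return "drop:uncertified"
    for clause in rule["clauses"]:
        if _matches(clause["if"], hdr):
            return clause["then"]
    return rule["else"]


# Constructed rule for dst-A: web traffic must traverse a firewall middlebox
# before delivery; everything else is dropped by the forwarding router.
RULE_A = certify({
    "dst": "dst-A",
    "clauses": [{"if": {"proto": "tcp", "dport": 80}, "then": "fwd:firewall-mb"}],
    "else": "drop",
}, DEST_KEYS["dst-A"])
```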

We also describe how the ideas behind RBF can be used to improve access control in cloud computing, and present CloudPolice, an access control mechanism implemented in hypervisors. CloudPolice scales to millions of hosts, is independent of the network topology, routing and addressing, and can specify flexible access control policies. These properties are not provided by traditional access control mechanisms, because those mechanisms were originally designed for enterprise environments that do not share the same challenges as cloud computing.

Author Comments: see http://www2.eecs.berkeley.edu/Pubs/TechRpts/2011/EECS-2011-106.html