Tech Reports | EECS at UC Berkeley

Lucian Popa

EECS Department, University of California, Berkeley

Technical Report No. UCB/EECS-2011-106

September 23, 2011

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2011/EECS-2011-106.pdf

In this dissertation, we present a network design called Rule-Based Forwarding (RBF) that provides flexible and policy-compliant forwarding. Our proposal centers around a new architectural concept: that of packet rules. A rule is a simple if-then-else construct that describes the manner in which the network should - or should not - forward packets. A packet identifies the rule by which it is to be forwarded and routers forward each packet in accordance with its associated rule. On one hand, rules are flexible, as they can explicitly specify paths and invoke packet processing inside the network. This enables RBF to support many previously proposed Internet extensions, such as explicit middleboxes, multiple paths, source routing and support for host mobility. On the other hand, rules are certified, which guarantees that packets comply with the policies of the parties forwarding them. This property also enables a more secure architecture, since unwanted packets can be dropped in the network, allowing RBF to stop denial of service (DoS) attacks. Using our prototype router implementation we show that the overhead RBF imposes is within the capabilities of modern network equipment.

We also describe how the ideas behind RBF can be used to improve access control in cloud computing, and present CloudPolice an access control mechanism implemented in hypervisors. CloudPolice scales to millions of hosts, is independent of the network topology, routing and addressing, and can specify flexible access control policies. These properties are not provided by traditional access control mechanisms, because these mechanisms were originally designed for enterprise environments that do not share the same challenges as cloud computing.

BibTeX citation:

@phdthesis{Popa:EECS-2011-106,
Author= {Popa, Lucian},
Title= {Building Extensible and Secure Networks},
School= {EECS Department, University of California, Berkeley},
Year= {2011},
Month= {Sep},
Url= {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2011/EECS-2011-106.html},
Number= {UCB/EECS-2011-106},
Abstract= {In this dissertation, we present a network design called Rule-Based Forwarding (RBF) that provides flexible and policy-compliant forwarding. Our proposal centers around a new architectural concept: that of packet rules. A rule is a simple if-then-else construct that describes the manner in which the network should - or should not - forward packets. A packet identifies the rule by which it is to be forwarded and routers forward each packet in accordance with its associated rule. On one hand, rules are flexible, as they can explicitly specify paths and invoke packet processing inside the network. This enables RBF to support many previously proposed Internet extensions, such as explicit middleboxes, multiple paths, source routing and support for host mobility. On the other hand, rules are certified, which guarantees that packets comply with the policies of the parties forwarding them. This property also enables a more secure architecture, since unwanted packets can be dropped in the network, allowing RBF to stop denial of service (DoS) attacks. Using our prototype router implementation we show that the overhead RBF imposes is within the capabilities of
modern network equipment.

EndNote citation:

%0 Thesis
%A Popa, Lucian 
%T Building Extensible and Secure Networks
%I EECS Department, University of California, Berkeley
%D 2011
%8 September 23
%@ UCB/EECS-2011-106
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2011/EECS-2011-106.html
%F Popa:EECS-2011-106