Rethinking enterprise network control

This paper presents Ethane, a new network architecture for the enterprise. Ethane allows managers to define a single network-wide fine-grain policy and then enforces it directly. Ethane couples extremely simple flow-based Ethernet switches with a centralized controller that manages the admittance and routing of flows. While radical, this design is backwards-compatible with existing hosts and switches. We have implemented Ethane in both hardware and software, supporting both wired and wireless hosts. We also show that it is compatible with existing high-fanout switches by porting it to popular commodity switching chipsets. We have deployed and managed two operational Ethane networks, one in the Stanford University Computer Science Department supporting over 300 hosts, and another within a small business of 30 hosts. Our deployment experiences have significantly affected Ethane's design.
