Colibri: a cooperative lightweight inter-domain bandwidth-reservation infrastructure

Guarantees for traffic traversing the public Internet are hard to come by, as service-level agreements are typically only available for traffic within a single autonomous system or towards direct neighbors. This deficiency leads to unpredictable performance even under normal conditions and can cause outages in the face of network-level distributed-denial-of-service (DDoS) attacks. In this paper, we present an architecture achieving guaranteed bandwidth properties for global inter-domain network traffic. The control plane of our architecture is based on a distributed server infrastructure, while the data plane enables efficient packet forwarding on per-flow stateless routers. Our implementation demonstrates the technical feasibility and scalability of the design.
