An Architecture for a Diversified Internet
Jon Turner and Mike Wilson
www.arl.wustl.edu
Outline
 Core concepts
 Substrate data plane
 Substrate control plane overview
» Substrate Control Metanet
» example uses of SCM
 SCM specification
» basic service model
» publish/query service
» authentication service
» request filtering
» bootstrapping
 Metanet connection protocol specification
» how end user devices connect to a metanet
 Metanet configuration protocol specification
» how metanets request/receive resources from substrates
‹#› - Jonathan Turner and Michael Wilson - 7/16/2015
Diversifying the Net
 Virtualization for ongoing progress in networking
» enable new networking paradigms anytime, anyplace
 Diverse metanetworks sharing common substrate
» enable new architectures to be deployed and used
» support wide range of protocols and service models
» avoid architectural constraints on metanets
 Substrate provides resource provisioning
» substrate platforms host multiple metarouters
» connect metarouters via metalinks
» substrate supports dynamic configuration of metanets
   long-term for metarouters and backbone metalinks
   short-term for access metalinks
» must accommodate distributed management of the substrate across multiple service providers
Elements of a Diversified Internet
[Figure: substrate links and substrate platforms make up the substrate; metalinks join metarouters hosted on the platforms; a metanet protocol stack runs over them]
[Figure caption: substrate links may run over Ethernet, IP, MPLS, . . .]
Multiple Substrate Domains
[Figure: many substrate domains; metanets span multiple domains]
Metanet Abstractions
 Metalinks – abstraction of a physical link
» point-to-point metalinks
   may be provisioned, but need not be
   may be implemented over point-to-point substrate links, or multipoint substrate links
» multipoint metalinks
   allow metarouters to use broadcast features of LAN technologies
 Metarouters – abstraction of multiport net device
» implemented using generic processing resource within substrate platform
» may include multiple processing engines
 Metaterminal – abstraction of an end system
» metanet-specific protocol stack
» each metaterminal in same physical end system has own metalink
Secondary Abstractions
 Peering metalink
» point-to-point metalink joining two metanets operated by different organizations
» peering subnets may have same or different protocols/services
» up to metanets to address interoperability issues
 Gateway
» connection to a network outside the diversified internet (e.g., the IPv4 Internet)
» up to metanet to address interoperability issues
» substrate may monitor traffic for policy reasons
 Meta-transport layer
» allow metanets to easily reallocate transport level capacity
» may be implemented by TDM or optical cross-connects
Architectural Neutrality
 Allow maximum diversity among metanets
» enable wide variety of protocols, service models
 Minimize substrate role, maximize metanet role
» substrate will be difficult to change
» metanets should handle all things that may change
 Security and mobility
» enable secure metanets
» enable metanets that support mobility
» minimize substrate role in providing security, mobility to enable on-going improvements
 Limit substrate to resource provisioning role
» no end-to-end packet delivery at substrate level
» provides “raw” resources to metanets
» diversity of resource types, open to new types
Role of Substrate
 Substrate provides resources to metanets
» provide processing resources for metarouters
» implement metalinks – both point-to-point and multipoint
» not intended to provide end-to-end packet delivery
 Support metanet backbone configuration
» long-term reservations, generally coarse granularity
» support for advance planning
 Access metalink provisioning
» on-demand (typically when host boots, or re-connects)
» mechanisms that enable metanets to provide mobility
 Multiple substrate domains
» multi-domain metanets, inter-domain metalink routing
» different trust levels for different substrate domains
 Substrate Control Metanet (SCM)
» control messages for substrate configuration
Metalink Implementation
 Pnt2pnt metalinks on multi-access substrate link
 Pnt2pnt metalinks over pnt2pnt substrate link
» high priority VLAN for provisioned substrate link
» substrate router limits usage
 Best-effort multipoint metalinks
» so metanets can use broadcast LAN features
[Figure: metalinks defined by metalink id (MLI); shared high priority VLAN; shared best-effort priority VLAN; substrate link defined by VLAN or MPLS tag, or wavelength; Ethernet undernet]
Substrate Platform Architecture
 Processing Engines (PEs) implement metarouters
» variety of types
 Line Cards terminate ext. links, mux/dmx metalinks
 Shared PEs include substrate component
 Dedicated PEs need not include substrate
» use switch and Line Cards for protection and isolation
 PEs in larger metarouters linked by metaswitch
 Larger metarouters may own Line Cards
» allows metanet to define transmission format/framing
» configured by lower-level transport network
[Figure: PEs, Switch, Line Cards]
Current Development System
 Network Processor blades
» dual IXP 2850 NPs
   3xRDRAM, 3xSRAM, TCAM
» dual 10GE interfaces
» 10x1GE IO interfaces
 General purpose blades
» dual Xeons, 4xGigE, disk
 10 Gb/s Ethernet switch
» VLANs for traffic isolation
 Scalable architecture
Substrate Control Communication
[Figure: Substrate Domain Controller (SDC), Metanet Controller (MC), Substrate Control Metanet (SCM)]
 SCM for control communication outside metanets
» user-metanet connection requests, metanet-to-substrate
» may have more than one for reliability, upgradability
 SDCs provide control interface to substrates
 MCs provide control interface to metanets
Metanet Configuration
[Figure: substrate domains; alternate access metalink routes]
 Metanet backbone provisioning
» substrates advertise resource availability, cost information
» metanet planner requests bids for metanet segments
» iterate, as needed
 Access metalink configuration
» users may request connection from anywhere, at anytime
» metanet determines termination point, domain-level route
» substrate domains determine route segments
Configuring Metanets
 Adding metarouter and metalinks
1. MC requests new metarouter & intra-domain metalink
» configures metarouter within metanet
2. MC requests inter-domain metalink
3. peering domains coordinate metalink configuration
Configuring Access Metalinks
 When host connects to network
1. discover local substrate platform (using broadcast)
2. send metanet connect request to local SDC
» request forwarded through SCM to MC for desired metanet
3. MC requests metalink configuration from SDCs
4. SDCs configure access metalink
Substrate Advertisements
 Substrates advertise so metanets can use them
» hosting capabilities advertisements
   in region R, type T substrate platforms are available
   multi-scale region specifications
» peering advertisements
   D1 peers with D2 in region R, with capacity C
» latency advertisements
   latency from R1 to R2 within substrate is D
Metalink Routing
[Figure: advertised peering relationship]
 Metanet uses peering adverts to identify paths
» geographic information used to estimate distances
   vertices of path are region center points
» for substrates that supply internal region graph, use distances implied by region graph
 Metanet requests route segments from substrates
» request to domain D: metalink L, from D1 in R1 to D2 in R2
» request may include a provisioned capacity
» adjacent substrate domains use metalink identifier (L) to coordinate across domain boundary
Metanet Backbone Configuration
 Inputs to metanet planner
» substrate domain adverts
» expected users/traffic
 Planner
» selects regions for metarouters
   typically driven by users in region
   may also include transit metarouters
» selects metanet topology
   determination of metalink capacities
   peering points for inter-domain metalinks
» determines metarouter configurations
   number and capacity of interfaces
   number and type of PEs
 Metanet negotiates with substrate domains
Security Issues
 Enable secure metanets; minimize substrate role
» enable continuing evolution of security mechanisms
 Diversity of trust
» most substrate domains cannot be trusted and should not be burdened with onerous security requirements
» domains that host metarouters must be trustworthy
» some metanets (e.g. SCM) must be trustworthy
 Accreditation of selected substrates and metanets
» accreditation is optional
» carries with it certain responsibilities (maybe legal)
» requires authentication, secure interaction
 What level of isolation do metanets require?
Securing Metanets
[Figure: accredited and unaccredited substrate domains; the access metalink has a single endpoint for spoof-prevention]
 Use only accredited substrate domains for metarouters
» substrate provides isolation to protect against DoS
 Protect backbone metalinks using encryption
» prevents eavesdropping, traffic insertion
» can detect lost packets and hold substrate accountable
 Protect access metalinks from misuse
» prevent address spoofing by allowing only one endpoint
SCM Service Model
 Unicast datagrams in a request/response paradigm
 Best Effort delivery
» Requests include an arbitrary transaction id to ensure single operation on re-transmission
 Hierarchical addresses with top half encoding location
 Address spoofing prevention
» All SCM clients are attached by point-to-point metalinks
 OSPF-like protocol for routing
» SCM metarouters exchange tree-image link state database
 Receiver-requested filtering of requests
» “No more requests from that client”
» “Restrict client to 100 requests per minute”
» “Connection requests at no more than 20 per second”
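The following Python model is an added example, not code from the deck or from the ARL project. It exercises three rules of the service model above: the first-hop SCM metarouter accepts a datagram only if its source address is the one registered for the point-to-point metalink it arrived on, receivers can install filters against senders (a block, or a rate limit such as 100 requests per minute), and a server uses the transaction id as an idempotency key so that a retransmitted request under best-effort delivery performs a single operation. The message fields follow the SCM Message Format slide in the supplementary slides (the signature field is omitted); the metalink table, addresses, filter classes and reply strings are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SCMMessage:
    """Common SCM message fields (identity/signature field left out of this model)."""
    dst: int           # destination SCM address
    src: int           # source SCM address, enforced by the first-hop SCM metarouter
    msg_type: str      # e.g. "Request Metanet Connection", "Allocate Metarouter"
    txid: int          # arbitrary transaction id chosen by the client
    payload: str = ""


class BlockClient:
    """Receiver-requested filter: 'no more requests from that client'."""
    def __init__(self, client: int) -> None:
        self.client = client

    def allow(self, msg: SCMMessage, now: float) -> bool:
        return msg.src != self.client


class RateLimit:
    """Receiver-requested filter: at most `limit` requests per `window` seconds from
    `client`; with msg_type set, only that type counts (e.g. connection requests)."""
    def __init__(self, client: int, limit: int, window: float,
                 msg_type: Optional[str] = None) -> None:
        self.client, self.limit, self.window, self.msg_type = client, limit, window, msg_type
        self.times: Deque[float] = deque()     # arrival times inside the sliding window

    def allow(self, msg: SCMMessage, now: float) -> bool:
        if msg.src != self.client or (self.msg_type and msg.msg_type != self.msg_type):
            return True
        while self.times and now - self.times[0] >= self.window:
            self.times.popleft()
        if len(self.times) >= self.limit:
            return False
        self.times.append(now)
        return True


class FirstHopMetarouter:
    """Ingress SCM metarouter. Each client hangs off its own point-to-point metalink,
    so the metalink a datagram arrives on fixes the only legitimate source address."""
    def __init__(self, metalink_to_addr: Dict[int, int]) -> None:
        self.metalink_to_addr = metalink_to_addr   # constructed: metalink id -> client address
        self.filters: Dict[int, List] = {}         # receiver SCM address -> installed filters

    def install_filter(self, receiver: int, rule) -> None:
        # Delivered by a Filter message from the receiver; honoured even for
        # non-accredited receivers, since they too must be protected.
        self.filters.setdefault(receiver, []).append(rule)

    def ingress(self, metalink_id: int, msg: SCMMessage, now: float) -> str:
        if self.metalink_to_addr.get(metalink_id) != msg.src:
            return "drop: source address does not match metalink"
        for rule in self.filters.get(msg.dst, []):
            if not rule.allow(msg, now):
                return "drop: receiver filter"
        return "forward"


class AllocationServer:
    """Receiver side of a best-effort request: clients retransmit, so the
    (source, transaction id) pair keys a reply cache and the allocation runs once."""
    def __init__(self) -> None:
        self.replies: Dict[Tuple[int, int], str] = {}
        self.allocations = 0

    def handle(self, msg: SCMMessage) -> str:
        key = (msg.src, msg.txid)
        if key in self.replies:
            return self.replies[key]           # retransmission: same reply, no new work
        self.allocations += 1
        reply = f"Reply txid={msg.txid}: allocated resource #{self.allocations}"
        self.replies[key] = reply
        return reply
```

The filters live at the first hop rather than at the receiver, which is what lets a receiver shed load it never has to process; the transaction-id cache is keyed on the (already enforced) source address so one client cannot replay another's transaction id.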
SCM Services: Advertisement
 Publish/query service
» Advertisement Servers
» used by substrates and metanets to advertise services
   substrate domains advertise substrate platform locations, peering relationships, etc.
   metanets advertise SCM addresses of metanet controllers providing connection services for different geographic regions
   authenticated data with secure update protocols
   may restrict distribution of information
» published information can be queried by SCM clients
   Queries include wildcards and value ranges
 SCM addresses of some Publish/Query services provided at SCM connection time
» Analogous to DNS servers provided during DHCP
 It may be worthwhile to create some form of anycast for publish/query requests, in case of address changes
SCM Services: Advertisement
 Advertisements in Advertisement Servers
» Only accredited SDs and MCs can publish
» Anyone can query
» All records have a timeout, and author can change/revoke
 Metanets can publish MC SCM addresses
 Substrate Domains can publish substrate resources (hosting platforms, link capacities, latencies, etc.)
 Records are in XML and are extensible. Clients use the parts they understand. (DTD not yet developed)
<link type="peering">
  <endpoint>
    <ID>42</ID>
    <region>
      <value>0x66800000FF800000</value>
    </region>
  </endpoint>
  <endpoint>
    <ID>63</ID>
    <region>
      <value>0x66800000FF800000</value>
    </region>
  </endpoint>
  <capacity units="Mbps">
    <value>45</value>
  </capacity>
  <latency units="ms">
    <value>7</value>
  </latency>
</link>
<component type="router">
  <provider>
    <value>42</value>
  </provider>
  <platform>
    <value>IXP2400</value>
  </platform>
  <region>
    <value>0x66800000FF800000</value>
  </region>
  <ID type="SDAddr">
    <value>0xBA1FA702</value>
  </ID>
  <storage>
    <capacity type="dram" units="GB">
      <value>2</value>
    </capacity>
  </storage>
</component>
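An added example, not code from the deck or the project, of an Advertisement Server enforcing the publish/query rules on this slide over records in the layout of the two XML records above: only accredited SDs and MCs may publish, anyone may query, every record carries a timeout, and only the author may revoke. The query shape (element tag and attributes, endpoint IDs, a minimum capacity as the value range, and a region given as a 64-bit specifier matched on its masked bits, as the Region Specifiers slide describes) is an assumption, as are the accreditation list and the time values; the sample records are constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample records in the layout of the two records on the slide.
PEERING_XML = """<link type="peering">
  <endpoint><ID>42</ID><region><value>0x66800000FF800000</value></region></endpoint>
  <endpoint><ID>63</ID><region><value>0x66800000FF800000</value></region></endpoint>
  <capacity units="Mbps"><value>45</value></capacity>
  <latency units="ms"><value>7</value></latency>
</link>"""
ROUTER_XML = """<component type="router">
  <provider><value>42</value></provider>
  <platform><value>IXP2400</value></platform>
  <region><value>0x66800000FF800000</value></region>
  <ID type="SDAddr"><value>0xBA1FA702</value></ID>
</component>"""


def region_matches(query_spec: int, record_spec: int) -> bool:
    """A region spec is 32 geographical bits followed by a 32-bit mask of the bits
    that matter; a record is inside the query region if it agrees on those bits."""
    qbits, qmask = query_spec >> 32, query_spec & 0xFFFFFFFF
    return ((record_spec >> 32) & qmask) == (qbits & qmask)


@dataclass
class Record:
    author: str        # accredited SD or MC that published it
    expires: float     # absolute time after which the record is dropped
    root: ET.Element


class AdvertisementServer:
    def __init__(self, accredited: Set[str]) -> None:
        self.accredited = accredited            # assumption: a fixed accreditation list
        self.records: Dict[int, Record] = {}
        self.next_id = 1

    def publish(self, author: str, xml: str, now: float, ttl: float) -> Optional[int]:
        if author not in self.accredited:
            return None                         # only accredited SDs and MCs can publish
        rid, self.next_id = self.next_id, self.next_id + 1
        self.records[rid] = Record(author, now + ttl, ET.fromstring(xml))
        return rid

    def revoke(self, author: str, rid: int) -> bool:
        rec = self.records.get(rid)
        if rec is None or rec.author != author:
            return False                        # only the author may change or revoke
        del self.records[rid]
        return True

    def query(self, now: float, tag: str, attrs: Optional[Dict[str, str]] = None,
              endpoints: Optional[Set[str]] = None, min_capacity: Optional[int] = None,
              region: Optional[int] = None) -> List[ET.Element]:
        """Anyone can query. Child elements the filter does not mention are ignored,
        which is how a client 'uses the parts it understands' of an extensible record."""
        hits: List[ET.Element] = []
        for rid in list(self.records):
            rec = self.records[rid]
            if rec.expires <= now:
                del self.records[rid]           # timed-out record disappears
                continue
            r = rec.root
            if r.tag != tag or any(r.get(k) != v for k, v in (attrs or {}).items()):
                continue
            if endpoints is not None:
                if not endpoints <= {e.findtext("ID") for e in r.findall("endpoint")}:
                    continue
            if min_capacity is not None:        # value range: capacity >= minimum
                cap = r.findtext("capacity/value")
                if cap is None or int(cap) < min_capacity:
                    continue
            if region is not None:              # some region element lies in the query region
                regions = [int(reg.findtext("value"), 16) for reg in r.iter("region")]
                if not any(region_matches(region, g) for g in regions):
                    continue
            hits.append(r)
        return hits
```

The query form used in the later configuration slide, "all peering links between SD 3 and SD 2 with 3 Mbps available capacity", maps onto tag "link", type "peering", the two endpoint IDs and min_capacity=3.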
SCM Services: Authentication
 Authentication service
» trusted repository for (identifier, public key) pairs
 Run by a central authority
» Diversified Internet Governing Authority (DIGA)
» Accredits trusted SDs and metanets
» Accredited groups must meet minimum levels of functionality or lose accreditation
 Certificate Authorities may use a chain of delegation
 Any request that allocates (or de-allocates) SCM or Substrate resources must be authenticated and signed
» Publishing, metalink allocation, metarouter allocation
» Filters are an exception, as even non-accredited clients must be protected
SCM Services: Bootstrapping
 Connecting to a metanet requires being connected to the SCM
» The SCM itself is a metanet, with one or more MCs
 New MCs and SDCs can connect to the SCM just like end systems connect to other metanets
» Need a trusted substrate domain to “vouch” for them
 SDs connect through the “parent” SD
» A customer relationship usually exists, with real-world accountability
 Top-level SDs are configured manually and out-of-band
SCM Entities
[Figure: SCM MC, MCs, DIGA CA, Advertisement Server, SDCs of trusted SDs, SDCs of untrusted SDs, and a Metaterminal, all attached to the SCM]
Metanet Connection Protocol Specification
 End systems connect to Metanets via their SDCs.
 Discover local SDC (broadcast, DHCP-like)
 Send metanet connect request to local SDC
» Request contains optional metanet-specific authentication block
 SDC queries for the MC associated with this metanet, if not specified by end system
» Because end systems may already be connected to directory service metanets, end systems may specify the MC to use.
 SDC sends connect request to the MC
» Request includes an opaque SD address for the end system
» If the SD is not accredited, the request includes a path from the nearest accredited SD
 The SCM is just a metanet, and has an MC on the SCM. New SCM clients connect the same way.
Metanet Connection Protocol
[Figure: message exchange among the Metaterminal, the SDCs of SD 221 (untrusted), SD 6 (untrusted) and SD 3 (trusted), the Advertisement Server, the SCM MC, the DIGA CA, and the MC for metanet 17]
1. End system requests metanet connection: “Connect me to Metanet 17.” (No MC, no authentication)
2. SDC looks up MC for metanet. Query: “Where is Metanet 17?” Reply: “Metanet 17’s MC is at SCM address 0xa4435a22f812bc01”
3. SDC requests MC to connect metaterminal: “Connect my SD ID 0x48e7f12c to your metanet. My path to the nearest trusted SD is <SD3:SD3-Addr, SD6:SD6A-Addr> <SD6:SD6B-Addr, SD221:SD221-Addr>”
Metanet Configuration Protocol Specification
 Two types of configuration
 Add Metarouter
» Select SD, platform, region from queries
» Send instantiation request to SDC, including code block
 Add Metalink
» Metanet selects SDs and peering points through which to route metalink (via queries)
» MC sends instantiation requests to SDCs in each SD along the route
   Request includes arbitrary metalink identifier (for inter-SD coordination)
» Each SD instantiates metalink segment, coordinating peering points with arbitrary identifier
» Terminal segments call a substrate stack service to allocate a metainterface number and finalize metalink
   Requests to terminal SDCs include initialization block to pass along
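The following Python simulation is an added example, not code from the deck or the project, covering both the connection protocol (previous section: the SDC resolves the MC, builds the path from the nearest accredited SD, and the MC refuses a path that does not start at an SD it trusts) and the Add Metalink procedure above (the MC sends one Allocate Metalink Segment per SD along the path under an arbitrary metalink identifier; peering ends are matched across the SD boundary by that identifier; terminal ends get a metainterface number and the host end receives the initialization block). Domain numbers, the peering-link labels, the MC address and the end system's SD ID are the constructed values from the deck's figures; the parent relationships, the trust list, the string encoding of segment ends and the message shapes are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Hop = Tuple[int, int, str]   # (upstream SD, downstream SD, peering-link label)


@dataclass
class SubstrateDomain:
    """A substrate domain together with the state its SDC keeps."""
    sd_id: int
    accredited: bool
    parent: Optional["SubstrateDomain"] = None
    peerings: Dict[int, str] = field(default_factory=dict)        # neighbour SD -> label
    segments: Dict[int, List[str]] = field(default_factory=dict)  # metalink id -> its two ends
    next_iface: Dict[str, int] = field(default_factory=dict)      # terminal end -> next number
    init_blocks: Dict[str, str] = field(default_factory=dict)     # host end -> delivered block

    def path_to_accredited(self) -> List[Hop]:
        """Peering links from the nearest accredited ancestor down to this SD
        (empty when this SD is itself accredited). Assumes SDs connect via a parent."""
        path: List[Hop] = []
        cur = self
        while not cur.accredited:
            if cur.parent is None:
                raise ValueError(f"SD {cur.sd_id}: no accredited SD on its parent chain")
            path.insert(0, (cur.parent.sd_id, cur.sd_id, cur.parent.peerings[cur.sd_id]))
            cur = cur.parent
        return path

    def allocate_segment(self, metalink: int, a: str, b: str, init: str) -> Dict[str, int]:
        """Allocate Metalink Segment: this SD's piece of the metalink between ends a and b.
        Peering ends ('peer:...') are recorded under the metalink identifier so the
        neighbour can match them; terminal ends ('mr:...' or 'host:...') get a
        metainterface number, and a host end also receives the initialization block."""
        self.segments[metalink] = [a, b]
        ifaces: Dict[str, int] = {}
        for end in (a, b):
            if end.startswith("peer:"):
                continue
            ifaces[end] = self.next_iface.get(end, 1)
            self.next_iface[end] = ifaces[end] + 1
            if end.startswith("host:"):
                self.init_blocks[end] = init
        return ifaces

    def peer_agrees(self, metalink: int, other: "SubstrateDomain") -> bool:
        """Inter-SD coordination: both sides hold the same peering end under the same id."""
        label = "peer:" + self.peerings[other.sd_id]
        return (label in self.segments.get(metalink, [])
                and label in other.segments.get(metalink, []))


@dataclass
class MetanetController:
    metanet: int
    trusted: Set[int]                  # SDs this metanet accepts as accredited anchors
    metarouter_in: Dict[int, str]      # accredited SD -> metarouter it hosts
    next_metalink: int = 1

    def connect(self, host_sd_addr: str, sd: SubstrateDomain, path: List[Hop],
                domains: Dict[int, SubstrateDomain]) -> Dict[str, int]:
        """Handle Request Metanet Connection (SDC to MC), then configure the access metalink."""
        anchor = path[0][0] if path else sd.sd_id
        if anchor not in self.trusted:
            raise PermissionError(f"path does not start at a trusted SD (got SD {anchor})")
        metalink = self.next_metalink          # arbitrary identifier for inter-SD coordination
        self.next_metalink += 1
        hops = [anchor] + [down for (_, down, _) in path]
        ends = (["mr:" + self.metarouter_in[anchor]]
                + ["peer:" + label for (_, _, label) in path] + ["host:" + host_sd_addr])
        init = f"{{init block for metanet {self.metanet}}}"
        ifaces: Dict[str, int] = {}
        for i, sd_id in enumerate(hops):       # one Allocate Metalink Segment per SD on the route
            ifaces.update(domains[sd_id].allocate_segment(metalink, ends[i], ends[i + 1], init))
        for i in range(len(hops) - 1):
            if not domains[hops[i]].peer_agrees(metalink, domains[hops[i + 1]]):
                raise RuntimeError(f"metalink {metalink}: peering mismatch at SD {hops[i]}")
        return ifaces


def sdc_connect(sd: SubstrateDomain, host_sd_addr: str, metanet: int,
                directory: Dict[int, int], mcs: Dict[int, MetanetController],
                domains: Dict[int, SubstrateDomain],
                mc_addr: Optional[int] = None) -> Dict[str, int]:
    """SDC handling of an end system's connect request (steps 2 and 3 of the figure)."""
    if mc_addr is None:                        # "Where is Metanet 17?" unless the host named an MC
        mc_addr = directory[metanet]
    return mcs[mc_addr].connect(host_sd_addr, sd, sd.path_to_accredited(), domains)


def build_topology():
    """Constructed topology from the deck's figures: SD 3 trusted, SD 6 and SD 221 not."""
    sd3 = SubstrateDomain(3, accredited=True)
    sd6 = SubstrateDomain(6, accredited=False, parent=sd3)
    sd221 = SubstrateDomain(221, accredited=False, parent=sd6)
    sd3.peerings[6] = sd6.peerings[3] = "SD3:SD3-Addr,SD6:SD6A-Addr"
    sd6.peerings[221] = sd221.peerings[6] = "SD6:SD6B-Addr,SD221:SD221-Addr"
    domains = {3: sd3, 6: sd6, 221: sd221}
    directory = {17: 0xa4435a22f812bc01}       # the advertisement-server answer in the figure
    mcs = {0xa4435a22f812bc01: MetanetController(17, trusted={3}, metarouter_in={3: "0x044516"})}
    return domains, directory, mcs
```

The point of keying everything on the metalink identifier is that the untrusted SDs never see a substrate address of the other side beyond the peering-link label they already share, and the MC never needs any substrate address at all.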
Metanet Configuration Protocol
[Figure: message exchange among the MC, the Advertisement Server, the SCM MC, the DIGA CA, the SDCs of SD 2, SD 3 (trusted), SD 6 and SD 221 (untrusted), and the Metaterminal]
1. Query to determine best path: “Show me all peering links between SD 3 and SD 2 with 3 Mbps available capacity.” Reply: <SD3:SD3-Addr, SD2:SD2-addr>
2. MC contacts all SDCs along SD path:
   SD3: connect MR 0x044516 to <SD3:SD3-Addr, SD6:SD6-Addr>
   SD6: connect <SD3:SD3-Addr, SD6:SD6A-Addr> to <SD6:SD6B-Addr, SD221:SD221-Addr>
   SD221: connect <SD6:SD6B-Addr, SD221:SD221-Addr> to your SD ID 0x48e7f12c
3. Metainterface allocated, initialized: “Meta-protocol Stack for Metanet 17, you have new metainterface 3, with initialization block { … }”
Supplementary Slides
SCM Message Types
 Request Metanet Connection (SDC to MC)
 Allocate Metalink Segment (MC to SDC)
 Allocate Metarouter (MC to SDC)
 Release Substrate Resource (MC to SDC)
» Used for both Metarouters and Metalinks
» There should be a way to request a change in resource limits
 Publish (SDC or MC to AS)
 Query (SDC or MC to AS)
 Get Certificate (SDC or MC to CA)
 Reply (In response to requests)
 Filter (SDC or MC to first hop MR)
SCM Message Format
 Most messages share the following fields
» Destination SCM Address
» Source SCM Address (Enforced by first hop SCM MR)
» Message Type
» Transaction ID
» Payload in XML, when applicable
» Identity and Message Digest (digital signature)
Region Specifiers
 Geographical notation provides scalable regions
» Regions are a bit stream selecting segments of the globe. Alternate bits represent East/West divisions vs. North/South divisions.
» East/West at prime meridian; 0=west, 1=east.
» North/South at equator; 0=south, 1=north.
» St Louis, Missouri, is contained in 011001101.
 For scaling, we encode regions as a 32-bit geographical string followed by a corresponding 32-bit bitmask. Only those bits selected by the mask are considered to be significant. Thus, St Louis is 0x66800000FF800000.
 We permit masks that may not be strictly left-justified, and regions that do not approximate a square.
» E/W portion and N/S portion of mask are left-justified, but overall mask should allow constructs such as 0x66800000F9800000, which includes most of the Mississippi River.
[Figure: nested East/West and North/South subdivisions of the globe; the St Louis region is labelled wneswnese (011001101)]
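Added example, not code from the deck or the project, working through the region specifier above: a 64-bit value is split into the 32-bit geographical string and its 32-bit mask, decoded into the w/e and s/n letters of the figure (with * for a division the mask leaves unspecified, which is how the Mississippi specifier 0x66800000F9800000 differs from the St Louis one), and compared by masked prefix to decide whether one region contains another. The lat/lon encoder at the end assumes that every division bisects the current interval, which the slide does not state, so its output is not claimed to reproduce the slide's St Louis string; only the first two divisions (prime meridian, equator) are fixed by the slide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    bits: int   # 32-bit geographical string, first division in the most significant bit
    mask: int   # 32-bit mask; a 1 marks a division that is significant

    @classmethod
    def from_spec(cls, spec: int) -> "Region":
        """Split the 64-bit specifier: high word is the geo string, low word the mask."""
        return cls((spec >> 32) & 0xFFFFFFFF, spec & 0xFFFFFFFF)

    def to_spec(self) -> int:
        return (self.bits << 32) | self.mask

    def letters(self) -> str:
        """Letters as in the figure: odd divisions w/e, even divisions s/n, '*' where
        the mask leaves the division unspecified. Stops at the last significant bit."""
        if self.mask == 0:
            return ""
        depth = 33 - (self.mask & -self.mask).bit_length()   # index of lowest set mask bit
        out = []
        for i in range(depth):
            sel = 1 << (31 - i)
            if not self.mask & sel:
                out.append("*")
            else:
                bit = 1 if self.bits & sel else 0
                out.append(("we" if i % 2 == 0 else "sn")[bit])
        return "".join(out)

    def contains(self, other: "Region") -> bool:
        """other lies within self if every division self fixes is also fixed in other
        and the two agree on it (so a coarser mask contains a finer one)."""
        return ((other.mask & self.mask) == self.mask
                and (other.bits & self.mask) == (self.bits & self.mask))

    def contains_point(self, geo_bits: int) -> bool:
        """A fully specified 32-bit point string is inside self if the masked bits match."""
        return (geo_bits & self.mask) == (self.bits & self.mask)


def encode_point(lat: float, lon: float, depth: int = 32) -> int:
    """Assumption: each E/W or N/S division halves the current interval. First E/W
    split at the prime meridian (0=west, 1=east), first N/S split at the equator
    (0=south, 1=north). Returns a 32-bit string with unused low bits zero."""
    lo_lon, hi_lon, lo_lat, hi_lat = -180.0, 180.0, -90.0, 90.0
    bits = 0
    for i in range(depth):
        if i % 2 == 0:
            mid = (lo_lon + hi_lon) / 2
            bit = int(lon >= mid)
            lo_lon, hi_lon = (mid, hi_lon) if bit else (lo_lon, mid)
        else:
            mid = (lo_lat + hi_lat) / 2
            bit = int(lat >= mid)
            lo_lat, hi_lat = (mid, hi_lat) if bit else (lo_lat, mid)
        bits = (bits << 1) | bit
    return bits << (32 - depth)
```

Because containment is a masked comparison, an advertisement server can answer "platforms in region R" with one AND and one compare per record, and a coarse query region matches every finer record inside it, which is what the slide means by multi-scale region specifications.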
Addressing
 Each metanet may define its own addressing
» hierarchical, geographical, flat, whatever
» substrates need not be aware of metanet addressing
» substrate and metanet do agree on metarouter identifiers and metarouter logical interface numbers
 No common addressing needed for substrates
» each domain can define and assign addresses independently of every other domain
» metanet-to-substrate interaction does not require use of substrate addresses
   metarouter locations specified by geographic regions
   metarouters identified by a label and metarouter interfaces by local interface number
» substrate-to-substrate interaction does require common label to identify peering substrate links
   use label {domain1:address1,domain2:address2}
Substrate Addressing
 Each substrate domain assigns a 64 bit address to all physical interfaces of substrate platforms
» initial prefix specifies region containing substrate platform
» assignment of remaining bits is at discretion of domain admin
» scope of addresses limited to substrate domain
 Addresses are mostly private to substrate domain
» exception for peering links
» peering domains exchange addresses assigned to peering links
» for control purposes, links are identified by unordered pair {domain1:address1,domain2:address2}
» peering links must be point-to-point
 Metanets need not be aware of substrate addresses
» know metarouter region, but not hosting substrate platform
» metalinks specified by metarouter+meta-interface of endpoints
   sufficient for metarouter and hosting substrate domain to associate meta-interface numbers with same PE in metarouter