up-to-date LISP documents

December 27th, 2007

Late 2006 IAB RAWS report and presentations:

http://tools.ietf.org/html/rfc4984 (34pp)
http://www.iab.org/about/workshops/routingandaddressing/

Quick intro, for those not already immersed in ITR-ETR schemes:

http://www.firstpr.com.au/ip/ivip/

5pp for the “Short Version” or 17pp including the
longer version.

LISP

http://tools.ietf.org/html/draft-farinacci-lisp-05 (43pp)
http://tools.ietf.org/html/draft-lear-lisp-nerd-02 (29pp)
http://tools.ietf.org/html/draft-meyer-lisp-cons-03 (21pp)
http://tools.ietf.org/html/draft-fuller-lisp-alt-01 (17pp)
http://tools.ietf.org/html/draft-curran-lisp-emacs-00 (9pp)

Recent discussion of ALT and EMACS:

http://psg.com/lists/rrg/2007/msg00540.html
http://psg.com/lists/rrg/2007/msg00545.html
http://psg.com/lists/rrg/2007/msg00546.html
http://psg.com/lists/rrg/2007/msg00550.html
http://psg.com/lists/rrg/2007/msg00551.html
http://psg.com/lists/rrg/2007/msg00558.html

eFIT-APT

http://tools.ietf.org/html/draft-wang-ietf-efit-00 (20pp)
http://tools.ietf.org/html/draft-jen-apt-01 (23pp)

Critique of efit-00 & apt-00 and response:

http://www.firstpr.com.au/ip/ivip/comp/
http://psg.com/lists/rrg/2007/msg00446.html
http://psg.com/lists/rrg/2007/msg00455.html

Ivip

http://tools.ietf.org/html/draft-whittle-ivip-arch-00 (105pp) or

http://www.firstpr.com.au/ip/ivip/draft-whittle-ivip-arch-00.html

77 (A4) or 81 (letter) pages depending on your margins. More
pages and less head scratching than some competing products.

TRRP

http://bill.herrin.us/network/trrp.html (16pp)

Sprite (Path MTU Discovery fix for ITR-ETR schemes and other
tunneling systems)

http://tools.ietf.org/html/draft-templin-inetmtu-06 (19pp)

IPTM (PMTUD, fragmentation etc. fix for Ivip and other
ITR-ETR schemes)

http://tools.ietf.org/html/draft-templin-inetmtu-06 (11pp)

Comparison of LISP-NERD, LISP-CONS, eFIT-APT & Ivip (July 2007)

http://www.firstpr.com.au/ip/ivip/comp/ (17pp)

and some related material (17pp):

http://www.firstpr.com.au/ip/ivip/slides/RAM-2007-07-28-rw.pdf

Chart: NERD, LISP-CONS, eFIT-APT, Ivip & TRRP (Oct 2007)

http://psg.com/lists/rrg/2007/msg00485.html

Discussion of TRRP’s delays and correcting my understanding of
LISP-NERD (Oct 2007)

http://psg.com/lists/rrg/2007/msg00462.html
http://psg.com/lists/rrg/2007/msg00474.html
http://psg.com/lists/rrg/2007/msg00484.html
http://psg.com/lists/rrg/2007/msg00485.html
http://psg.com/lists/rrg/2007/msg00488.html
http://psg.com/lists/rrg/2007/msg00489.html
http://psg.com/lists/rrg/2007/msg00490.html
http://psg.com/lists/rrg/2007/msg00500.html

end host authentication in IEEE 802

August 15th, 2007

IEEE 802.1X is the standard for authenticating end hosts (stations).

chat with Jen (8/17)

September 1st, 2006

. cabo naming issue

. write up “DHT for Ethernet” idea

. think about flat inter-domain addressing (all /24 addr blocks)

. read AIP

. path optimizer for Cabo (vp –> pp)

chat with Jen (24/Jul/2006)

July 25th, 2006

[URECA]

. Think about the case where MAC-based rate-limiting is not attainable.
E.g., an Internet connection interface has only one valid peer MAC address.

-> At an Internet connection interface, we could apply a much larger timeout value when installing filters.
This can help minimize the chance of legitimate incoming packets being mixed with DOS traffic.
However, we assume that the probability of coincidence of a DOS onset and an unprecedented legitimate
flow is very low. Note that most “popular” legitimate traffic might have already been permitted.

. Since the FEQ/FER mechanism is slower than cold filter evaluation, we need to bundle multiple filter queries in one FEQ.
Nevertheless, when DOS is ongoing, packets tend to get accumulated during the request/reply period.
The problem is that some of those accumulated packets might be legitimate. How can we handle this?

. What is the rationale for having an on-line architecture?
I.e., the demand-based filter enforcement can be simulated by an off-line architecture.
Why do we want to have an on-line version then?

-> In an on-line model, denial logs are kept at a centralized location.
Denial pattern across the entire network can indicate an anomaly as well.
By making use of such information, URECA can proactively fortify the perimeter.

. Some key features that “must” be verified:

-> Pareto principle in filter usage

-> Denial consistency

[An enhanced filtering method (the off-line version)]

. Filter classification (hot vs. cold) and early evaluation of default action

[Use of VLAN as a Cabo enabler for metro-area service providers]

[Validating data path conformance to control decision]

Validating AS-level data path conformance to control decision

July 25th, 2006

Use a challenge-based mechanism

- Checking out whether data traffic really passes through a certain AS by throwing an encrypted challenge to the AS

- One bit in the TOS byte and an optional header might suffice. The optional header contains:

. True (a response must be sent.) / Fake (response isn’t required.)

. An AS number to challenge

. A challenge

. A sequence number

. IP address of a VA (a reply-to address)

- Upon receiving a packet with a challenge header, a router tries to decrypt the header using its own secret key.
If it matches and the challenge requires a reply, the router generates a report and transmits it to the VA that requested it.
Replies are sent via UDP. A reply contains:

. Its AS number and IP address

. Answer to the challenge

. Sequence number

. From which AS the pkt was passed over

. To which AS it handed the pkt

(Mind that a router can fake all of the above information.)

- Some critical applications make use of this optional IP header

- A separate, data-path validation agent (VA) can be employed. What VA does is:

. to passively receive all BGP updates from all BGP speakers in the AS

. to generate an optional IP header in response to a client’s request

. to validate data path conformance by comparing challenge-responses with routing information

. to notify clients of validation result

- Some questions

. How can a VA obtain the public key of a target AS to challenge

.
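The challenge/reply exchange above, worked through end to end as an added example (not code from the original notes): the VA builds the optional header, the challenged router checks it with its own key and reports back, and the VA compares the report with the AS path learnt from BGP. The page leaves the key mechanism open; a per-AS shared HMAC key standing in for the encrypt/decrypt step, the AS numbers, addresses and the `tag`/`make_header`/`router_handle`/`validate` names are all assumptions of this example.

```python
import hmac, hashlib, secrets

# Constructed per-AS secrets standing in for each AS's "secret key" (assumption:
# the notes leave key distribution open, which is the open question they list).
AS_KEYS = {65001: b"k-as65001", 65002: b"k-as65002", 65003: b"k-as65003"}
VA_ADDR = "192.0.2.10"   # reply-to address of the validation agent (documentation prefix)

def tag(key, *parts):
    """Keyed authenticator over the given fields (stand-in for the page's encryption)."""
    msg = b"|".join(str(p).encode() for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_header(target_as, seq, reply_required=True):
    """VA side: optional header with true/fake flag, AS to challenge, challenge, seq, reply-to."""
    challenge = secrets.token_hex(8)
    return {"reply": reply_required, "asn": target_as, "challenge": challenge,
            "seq": seq, "va": VA_ADDR,
            "auth": tag(AS_KEYS[target_as], target_as, challenge, seq)}

def router_handle(my_as, my_ip, prev_as, next_as, hdr):
    """Router side: verify the header with our own key; if a reply is required,
    return the UDP report (AS, IP, answer, seq, previous and next AS).
    Note that prev_as/next_as are self-reported: a router can fake them."""
    expected = tag(AS_KEYS[my_as], my_as, hdr["challenge"], hdr["seq"])
    if hdr["asn"] != my_as or not hmac.compare_digest(hdr["auth"], expected):
        return None                       # not addressed to us, or forged header
    if not hdr["reply"]:
        return None                       # "fake" challenge: no report needed
    return {"asn": my_as, "ip": my_ip, "seq": hdr["seq"], "prev": prev_as, "next": next_as,
            "answer": tag(AS_KEYS[my_as], "answer", hdr["challenge"], hdr["seq"])}

def validate(hdr, reply, bgp_path):
    """VA side: check the answer, then check that the reporting AS and its
    reported neighbours agree with the AS path taken from BGP updates."""
    if reply is None or reply["seq"] != hdr["seq"]:
        return "no-reply"
    want = tag(AS_KEYS[hdr["asn"]], "answer", hdr["challenge"], hdr["seq"])
    if not hmac.compare_digest(reply["answer"], want):
        return "bad-answer"
    if reply["asn"] not in bgp_path:
        return "as-not-on-path"
    i = bgp_path.index(reply["asn"])
    prev_ok = (bgp_path[i - 1] if i > 0 else None) == reply["prev"]
    next_ok = (bgp_path[i + 1] if i + 1 < len(bgp_path) else None) == reply["next"]
    return "conforms" if prev_ok and next_ok else "path-mismatch"
```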

Some questions [ regarding unified packet filtering architecture ]

July 6th, 2006
  • Why are packet filters applied to internal links? Some possible answers might be …

- ease of maintenance (reducing duplication)
- restriction in the number of acls per intf
- increased cpu load
(especially at some older routers which process filters using software processes)
- ??

  • In commodity routers, how many different acl clauses (or sets of clauses) can practically be set on an interface?
  • How is acl-based filtering implemented? How serious is it to have a large number of acls in terms of forwarding performance and CPU load?
  • What are the differences between the policy description model of Firmato and that of KeyNote?


references on access control and some L2 issues

July 5th, 2006

Network Architectures

  • Andy Myers, T. S. Eugene Ng, Hui Zhang, “Rethinking the Service Model: Scaling Ethernet to a Million Nodes,” HotNets-III, 2004

Flooding and broadcasting make it very hard to extend Ethernet to a scale of a million nodes. Instead of flooding and spanning trees, the paper proposes to use an explicit host registration mechanism in conjunction with a link-state protocol for routing. To realize an LS method, either a centralized decision plane, as proposed in the 4D architecture, or a distributed control plane can be used. The paper also introduces alternatives for some existing protocols which rely highly on broadcast, such as ARP and DHCP. The modification of DHCP is an interesting idea.

Positive reachability specifications are explicitly generated by receivers and disseminated through routing protocols. At routers, access permits are maintained on a per-prefix basis, and the consequence of this model is that it does not naturally support anti-spoofing filters. Bloom filters are utilized to support encoding a large number of states, but this approach is limited in that withdrawing a previously allowed specification is not possible in conventional Bloom filters. In addition to that, false positives resulting from Bloom filters can also be a problem when a path is short.

  • Latest 4D paper

Compared to the previous version, this paper contains a number of quantitative evaluation results advocating 4D architecture’s benefit.

This is one of the capability-based access control architectures. Unlike previous papers, capabilities are realized by adopting a new layer between L2 and L3. A header in this layer contains secured source routes assigned to a particular service flow.

L2 Routing Enhancement

  • Radia Perlman, “RBridges: Transparent Routing,” Infocomm 2004

The paper points out that the lack of a TTL field in the Ethernet header is the biggest reason that forwarding loops must be avoided very cautiously. This also makes the conventional spanning tree protocol converge more slowly, compared with LS routing protocols. The paper proposes to have an encapsulation header between Ethernet and IP to hold a TTL value.

  • T. L. Rodeheffer, et al., “SmartBridge: A Scalable Bridge Architecture,” ACM SigComm 2000

The paper introduces a distributed-systems-style consistency maintenance model for sharing L2 topologies, so that we can avoid inefficient traffic distribution in Ethernet.

Discussion with Jen (21 June, 2006)

June 23rd, 2006

Some questions and answers

Q: Why does L2 use a spanning tree to deliver frames to a known destination, instead of using a shortest path between the source and the destination?

A: L2 devices do not learn the entire topology of an L2 network. According to the self-learning mechanism, an L2 device learns a host’s location only by remembering the port through which a frame from the host is received. Since L2 devices flood an initial frame to an unknown destination along a spanning tree, when an L2 device learns a host’s location, the only chance for the device to receive the initial frame is through an active port. Therefore, under the self-learning mechanism and the flooding for an unknown destination, an L2 device doesn’t have enough information to compute a shortest path to a destination.

Q: On which specific fields of a packet/frame does Cisco VMPS (VLAN Membership Policy Server) work?

A: VMPS makes use of only the MAC address of an L2 frame.

Q: Can’t we make the current DHCP a bit more flexible? Can an immediate switch/router work as an agent to retrieve an IP address? For example, an immediate router can relay a DHCP solicit frame using IP. In this case, not every L2 segment needs to possess connectivity with a DHCP server. Also, the idea in Ethernet scalability paper, HotNets-III, can also be an alternative service model of DHCP.

A: DHCP already has a relay mechanism called “forwarding agent”.

To do list

- Develop the unified access control architecture.

- Think about right mix of L2 and L3.

Can we come up with neat design criteria which summarize the strong and weak points of L2 and L3 technologies respectively?

Possible research direction

- Configuration analysis

  • enterprise/campus characterization
  • automatic misconfiguration check-up

- Architectural design

What is a graceful way to control reachability?
Why should an admin have to know every hairy detail to implement a simple access policy? Why does an admin have to re-design the access policy when routing or switching behavior changes?

some questions on Princeton campus configurations

June 14th, 2006

1. Trunked vlan id mismatches

  • On ge6/4 of gigagate1 vlan 504 is trunked. Its corresponding port in gigagate2, port 3/1, does not allow trunking 504.
  • On ge3/1 of vgate1 vlan only about a dozen vlans are trunked, but its corresponding port in gigagate2, port 3/8, allows trunking all vlans from 1 to 4094.
  • On port 3/2 of gigagate2, vlans 27, 88, and 200 are trunked, whereas its corresponding port in gigagate4, port 1/1, doesn’t allow those. On the other hand, port 1/1 of gigagate4 allows trunking vlan 1, which is not allowed on 3/2 of gigagate2.
  • In gigagate1, port 6/7-8 are grouped into a channel. Trunked vlans on either 6/7 or 6/8 do not match those on port-channel1. (vlan 898 is additionally allowed on port-channel1.)

2. Use of undefined vlans

  • Gigagate2 allows trunking vlan 27 and 200 on 3/2, but those vlans are not defined.

3. Use of PortChannels (or EtherChannels)

  • What is the purpose of grouping a number of ports when each port of a group is physically connected to a different switch, has a different IP address, and is assigned a different set of vlans to trunk? For example, ports 1/1 and 1/2 of gigagate4 are grouped as a port-channel, whereas 1/1 is connected to gigagate2 and 1/2 is connected to gigagate1. Each port has its own IP address as well. Gigagate2 and gigagate4 have many more similar cases.

4. Intention of vlan trunking

  • Some vlans (e.g. vlan 1400) are trunked between gigagate4 and all the other switches, but none of the other switches but gigagate4 have an access port assigned to vlan 1400. What are the trunkings for?

5. Vlan loops and spanning tree settings

  • The way vlan 1400 is trunked forms a loop (gigagate4-gigagate2-vgate1-gigagate4), but only gigagate4 runs a spanning tree algorithm. Couldn’t this setting cause a problem when vgate1 or gigagate2 comes to have an access port of vlan 1400?

6. Dynamic trunking negotiation mismatches

  • (This is minor.) On 3/8 of gigagate2 dynamic trunking negotiation is set to “off”, but on its corresponding port in vgate1, port ge3/11, the negotiation mode is set to “nonegotiation”. Is this intentional?
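The trunk checks in items 1 and 2 above, as an added example of the “automatic misconfiguration check-up” idea rather than anything from the original notes: a small audit that compares the allowed-VLAN sets on both ends of each trunk link and flags VLANs trunked on a port but not defined on that switch. The switch model, the constructed VLAN sets (modelled on the mismatches listed, but not the real configurations) and the function names are assumptions of this example.

```python
# Constructed configuration modelled on the mismatches listed above (not the
# real Princeton configs). Per switch: the VLANs it defines, and the VLANs each
# trunk port allows.
ALL_VLANS = set(range(1, 4095))
SWITCHES = {
    "gigagate1": {"defined": {504, 898}, "ports": {"ge6/4": {504}}},
    "gigagate2": {"defined": {1, 88},
                  "ports": {"3/1": set(), "3/2": {27, 88, 200}, "3/8": set(ALL_VLANS)}},
    "gigagate4": {"defined": {1, 1400}, "ports": {"1/1": {1}}},
    "vgate1":    {"defined": {10, 20}, "ports": {"ge3/1": {10, 20}}},
}
# Physical trunk links as (switch, port) pairs; the two ends should agree.
LINKS = [
    (("gigagate1", "ge6/4"), ("gigagate2", "3/1")),
    (("vgate1", "ge3/1"), ("gigagate2", "3/8")),
    (("gigagate2", "3/2"), ("gigagate4", "1/1")),
]

def allowed(sw, port, switches=SWITCHES):
    return switches[sw]["ports"][port]

def trunk_mismatches(links=LINKS, switches=SWITCHES):
    """For each link, list VLANs allowed on one end but not on the other.
    Returns (end_a, only_on_a, end_b, only_on_b) for every mismatched link."""
    findings = []
    for (sa, pa), (sb, pb) in links:
        a, b = allowed(sa, pa, switches), allowed(sb, pb, switches)
        only_a, only_b = sorted(a - b), sorted(b - a)
        if only_a or only_b:
            findings.append((f"{sa}:{pa}", only_a, f"{sb}:{pb}", only_b))
    return findings

def undefined_trunked(switches=SWITCHES):
    """Map (switch, port) -> VLANs the port trunks that the switch never defines.
    A port allowing every VLAN (1-4094) names none in particular, so it is
    skipped here; trunk_mismatches still reports it against its peer."""
    out = {}
    for sw, cfg in switches.items():
        for port, vlans in cfg["ports"].items():
            if vlans >= ALL_VLANS:
                continue
            missing = sorted(vlans - cfg["defined"])
            if missing:
                out[(sw, port)] = missing
    return out
```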

Research discussion with Jen (June 8, 2006)

June 8th, 2006

Comments that I’ve received at EdgeNet.

- operators’ point of view
- chat with Dave

Examining the OIT configuration for a proof of concept

- found some mis-matches
- sub-optimal inter-vlan routing couldn’t be identified because all the switches have a routing function as well

Designing a network model and Topology construction

- constructing physical connectivity (topology) seems not to be easy especially when a vlan spans multiple switches/bridges via trunking

L2 visualization

- thinking about two options:

    1. web-based configuration browsing
    2. GUI via graphviz