research-article

Colibri: a cooperative lightweight inter-domain bandwidth-reservation infrastructure

Authors:

Giacomo Giuliari,

Juan Angel García-Pardo,

Adrian PerrigAuthors Info & Claims

CoNEXT '21: Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies

Pages 104 - 118

https://doi.org/10.1145/3485983.3494871

Published: 03 December 2021 Publication History

Abstract

Guarantees for traffic traversing the public Internet are hard to come by, as service-level agreements are typically only available for traffic within a single autonomous system or towards direct neighbors. This deficiency leads to unpredictable performance already under normal conditions and can cause outages in the face of networklevel distributed-denial-of-service (DDoS) attacks. In this paper, we present an architecture achieving guaranteed bandwidth properties for global inter-domain network traffic. The control plane of our architecture is based on a distributed server infrastructure, while the data plane enables efficient packet forwarding on per-flow stateless routers. Our implementation demonstrates the technical feasibility and scalability of the design.

Supplementary Material

MP4 File (S3-3-3485983.3494871-presentation - Giacomo Giuliari.mp4)

Presentation Video

Download
392.52 MB

References

[1]

Anapaya Systems. 2021. SCION-Internet: The New Way To Connect. https://www.anapaya.net/scion-the-new-way-to-connect.

[2]

Tom Anderson, Ken Birman, Robert Broberg, Matthew Caesar, Douglas Comer, Chase Cotton, Michael J. Freedman, Andreas Haeberlen, Zachary G. Ives, Arvind Krishnamurthy, William Lehr, Boon Thau Loo, David Mazières, Antonio Nicolosi, Jonathan M. Smith, Ion Stoica, Robbert van Renesse, Michael Walfish, Hakim Weatherspoon, and Christopher S. Yoo. 2013. The NEBULA Future Internet Architecture. In The Future Internet. Springer.

Digital Library

[3]

Tom Anderson, Timothy Roscoe, and David Wetherall. 2004. Preventing Internet denial-of-service with capabilities. ACM SIGCOMM Computer Communication Review (CCR) 34, 1 (2004).

Digital Library

[4]

R. Annessi, J. Fabini, and T. Zseby. 2017. It's about Time: Securing Broadcast Time Synchronization with Data Origin Authentication. In IEEE International Conference on Computer Communication and Networks (ICCCN).

[5]

Robert Annessi, Joachim Fabini, and Tanja Zseby. 2017. SecureTime: Secure Multicast Time Synchronization. https://arxiv.org/abs/1705.10669.

[6]

Luis Arceo-Miquel, Yuriy S Shmaliy, and Oscar Ibarra-Manzano. 2009. Optimal synchronization of local clocks by GPS 1PPS signals using predictive FIR filters. IEEE Transactions on Instrumentation and Measurement 58, 6 (2009).

[7]

Katerina Argyraki and David Cheriton. 2005. Network capabilities: The good, the bad and the ugly. In ACM Workshop on Hot Topics in Networks (HotNets).

[8]

Fred Baker, David L. Black, Kathleen Nichols, and Steven L. Blake. 1998. Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers. RFC 2474.

[9]

Cristina Basescu, Raphael M. Reischuk, Pawel Szalachowski, Adrian Perrig, Yao Zhang, Hsu-Chun Hsiao, Ayumu Kubota, and Jumpei Urakawa. 2016. SIBRA: Scalable Internet Bandwidth Reservation Architecture. In Symposium on Network and Distributed Systems Security (NDSS).

[10]

Tony Bates, Philip Smith, and Geoff Huston. 2021. CIDR Report. https://www.cidr-report.org/as2.0/.

[11]

R. Ben Basat, X. Chen, G. Einziger, R. Friedman, and Y. Kassner. 2019. Randomized Admission Policy for Efficient Top-k, Frequency, and Volume Estimation. IEEE/ACM Transactions on Networking (ToN) 27, 4 (2019).

Digital Library

[12]

Bobby Bhattacharjee, Ken Calvert, Jim Griffioen, Neil Spring, and James P. G. Sterbenz. 2006. Postmodern Internetwork Architecture. NSF Nets FIND Initiative (2006).

[13]

Robert T. Braden, Lixia Zhang, Steven Berson, Shai Herzog, and Sugih Jamin. 1997. Resource ReSerVation Protocol (RSVP) - Version 1 Functional Specification. RFC 2205.

[14]

Lloyd Brown, Ganesh Ananthanarayanan, Ethan Katz-Bassett, Arvind Krishnamurthy, Sylvia Ratnasamy, Michael Schapira, and Scott Shenker. 2020. On the Future of Congestion Control for the Public Internet. In ACM Workshop on Hot Topics in Networks (HotNets).

Digital Library

[15]

Timm Böttger, Gianni Antichi, Eder L. Fernandes, Roberto di Lallo, Marc Bruyere, Steve Uhlig, Gareth Tyson, and Ignacio Castro. 2019. Shaping the Internet: 10 Years of IXP Growth. https://arxiv.org/abs/1810.10963v3.

[16]

Ignacio Castro, Aurojit Panda, Barath Raghavan, Scott Shenker, and Sergey Gorinsky. 2015. Route Bazaar: Automatic Interdomain Contract Negotiation. In USENIX Workshop on Hot Topics in Operating Systems.

[17]

Amogh Dhamdhere, Kc Claffy, David D. Clark, Alexander Gamero-Garrido, Matthew Luckie, Ricky K. P. Mok, Gautam Akiwate, Kabir Gogia, Vaibhav Bajpai, and Alex C. Snoeren. 2018. Inferring persistent interdomain congestion. In ACM SIGCOMM Conference.

Digital Library

[18]

DPDK Project. 2021. Data Plane Development Kit. https://dpdk.org.

[19]

François Le Faucheur, Fred Baker, Dr. Bruce S. Davie, and Carol Iturralde. 2001. Aggregation of RSVP for IPv4 and IPv6 Reservations. RFC 3175.

[20]

Nick Galov. 2021. 39 Jaw-Dropping DDoS Statistics to Keep in Mind for 2021. https://hostingtribunal.com/blog/ddos-statistics/.

[21]

P. Brighten Godfrey, Igor Ganichev, Scott Shenker, and Ion Stoica. 2009. Pathlet Routing. In ACM SIGCOMM Conference.

[22]

Hsu-Chun Hsiao, Tiffany Hyun-Jin Kim, Sangjae Yoo, Xin Zhang, Soo Bum Lee, Virgil Gligor, and Adrian Perrig. 2013. STRIDE: Sanctuary Trail - Refuge from Internet DDoS Entrapment. In ACM Symposium on Information, Computer, and Communications Security (ASIACCS).

Digital Library

[23]

Geoff Huston. 2012. The QoS Emperor's Wardrobe. https://labs.ripe.net/Members/gih/the-qos-emperors-wardrobe.

[24]

IEEE. 2019. IEEE 1588--2019 - IEEE Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems.

[25]

Min Suk Kang and Virgil D. Gligor. 2014. Routing Bottlenecks in the Internet. In ACM Conference on Computer and Communications Security (CCS).

Digital Library

[26]

Min Suk Kang, Soo Bum Lee, and V. D. Gligor. 2013. The Crossfire Attack. In IEEE Symposium on Security and Privacy (S&P).

Digital Library

[27]

Kalevi Kilkki and Benjamin Finley. 2019. In Search of Lost QoS. https://arxiv.org/abs/1901.06867.

[28]

Cyrill Krähnebühl, Seyedali Tabeiaghdaei, Christelle Gloor, Jonghoon Kwon, Adrian Perrig, David Hausheer, and Dominik Roos. 2021. Deployment and Scalability of an Inter-Domain Multi-Path Routing Infrastructure. In Conference on Emerging Networking Experiments and Technologies (CoNEXT).

Digital Library

[29]

Jonghoon Kwon, Juan A. García-Pardo, Markus Legner, François Wirz, Matthias Frei, David Hausheer, and Adrian Perrig. 2020. SCIONLab: A Next-Generation Internet Testbed. In IEEE Conference on Network Protocols (ICNP).

[30]

Soo Bum Lee and Virgil D. Gligor. 2010. FLoc : Dependable Link Access for Legitimate Traffic in Flooding Attacks. In IEEE International Conference on Distributed Computing Systems.

Digital Library

[31]

Soo Bum Lee, Min Suk Kang, and Virgil D. Gligor. 2013. CoDef: Collaborative defense against large-scale link-flooding attacks. In Conference on Emerging Networking Experiments and Technologies (CoNEXT).

Digital Library

[32]

Taeho Lee, Christos Pappas, Adrian Perrig, Virgil Gligor, and Yih-Chun Hu. 2017. The Case for In-Network Replay Suppression. In ACM Asia Conference on Computer and Communications Security (ASIACCS).

Digital Library

[33]

Markus Legner, Tobias Klenze, Marc Wyss, Christoph Sprenger, and Adrian Perrig. 2020. EPIC: Every Packet Is Checked in the Data Plane of a Path-Aware Internet. In USENIX Security Symposium (USENIX Security).

[34]

Zhuotao Liu, Hao Jin, Yih-Chun Hu, and Michael Bailey. 2016. MiddlePolice: Toward enforcing destination-defined policies in the middle of the Internet. In ACM Conference on Computer and Communications Security (CCS).

Digital Library

[35]

Jim Martin, Jack Burbank, William Kasch, and Professor David L. Mills. 2010. Network Time Protocol Version 4: Protocol and Algorithms Specification. RFC 5905.

[36]

Deepankar Medhi and Karthikeyan Ramasamy. 2007. Network Routing: Algorithms, Protocols, and Architectures. Morgan Kaufmann Publishers.

Digital Library

[37]

Rong Pan, B. Prabhakar, and K. Psounis. 2000. CHOKe - a stateless active queue management scheme for approximating fair bandwidth allocation. In IEEE Conference on Computer Communications (INFOCOM).

[38]

Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, and Yih-Chun Hu. 2007. Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks. In ACM SIGCOMM Conference.

Digital Library

[39]

Adrian Perrig, Pawel Szalachowski, Raphael M. Reischuk, and Laurent Chuat. 2017. SCION: A Secure Internet Architecture. Springer.

[40]

Barath Raghavan and Alex C. Snoeren. 2004. A system for authenticated policy-compliant routing. ACM SIGCOMM Computer Communication Review (CCR) 34, 4 (2004).

Digital Library

[41]

Barath Raghavan, Patric Verkaik, and Alex C. Snoeren. 2009. Secure and Policy-Compliant Source Routing. IEEE/ACM Transactions on Networking (ToN) 17, 3 (2009).

Digital Library

[42]

Henrique Rodrigues, Jose Renato Santos, Yoshio Turner, Paolo Soares, and Dorgival O Guedes. 2011. Gatekeeper: Supporting bandwidth guarantees for multitenant datacenter networks. In Conference of I/O virtualization (WIOV).

[43]

Benjamin Rothenberger, Dominik Roos, Markus Legner, and Adrian Perrig. 2020. PISKES: Pragmatic Internet-Scale Key-Establishment System. In ACM Asia Conference on Computer and Communications Security (ASIACCS).

Digital Library

[44]

Simon Scherrer, Che-Yu Wu, Yu-Hsi Chiang, Benjamin Rothenberger, Daniele Asoni, Arish Sateesan, Jo Vliegen, Nele Mentens, Hsu-Chun Hsiao, and Adrian Perrig. 2021. Low-Rate Overuse Flow Tracer (LOFT): An Efficient and Scalable Algorithm for Detecting Overuse Flows. In Symposium on Reliable Distributed Systems (SRDS).

[45]

SCION Project. 2021. SCION Open-Source Implementation. https://github.com/scionproto/scion.

[46]

Chuck Semeria. 2001. Supporting differentiated service classes: queue scheduling disciplines. Technical Report. Juniper Networks.

[47]

M. Shreedhar and G. Varghese. 1996. Efficient fair queuing using deficit round-robin. IEEE/ACM Transactions on Networking (ToN) 4, 3 (1996).

[48]

Devkishen Sisodia, Jun Li, and Lei Jiao. 2020. In-Network Filtering of Distributed Denial-of-Service Traffic with Near-Optimal Rule Selection. In ACM Asia Conference on Computer and Communications Security (ASIACCS).

Digital Library

[49]

Vibhaalakshmi Sivaraman, Srinivas Narayana, Ori Rottenstreich, S. Muthukrishnan, and Jennifer Rexford. 2017. Heavy-Hitter Detection Entirely in the Data Plane. In Symposium on SDN Research (SOSR).

Digital Library

[50]

Jared M Smith and Max Schuchard. 2018. Routing Around Congestion: Defeating DDoS Attacks and Adverse Network Conditions via Reactive BGP Routing. In IEEE Symposium on Security and Privacy (S&P).

[51]

JoÃo Luís Sobrinho and Miguel Alves Ferreira. 2020. Routing on Multiple Optimality Criteria. In ACM SIGCOMM Conference.

Digital Library

[52]

C. Song, H. Moon, M. Alam, I. Yun, B. Lee, T. Kim, W. Lee, and Y. Paek. 2016. HDFI: Hardware-Assisted Data-Flow Isolation. In IEEE Symposium on Security and Privacy (SP).

[53]

Ahren Studer and Adrian Perrig. 2009. The Coremelt Attack. In Computer Security - ESORICS. Springer.

[54]

Swisscom AG. 2021. Enhancing WAN connectivity and services for Swiss organisations with the next-generation internet. https://www.swisscom.ch/scion.

[55]

The gRPC Authors and The Linux Foundation. 2021. gRPC: A high performance, open source universal RPC framework. https://grpc.io/.

[56]

Muoi Tran, Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, and Yu-Su Wang. 2019. On the Feasibility of Rerouting-based DDoS Defenses. In IEEE Symposium on Security and Privacy (S&P).

[57]

JP Vasseur, Adrian Farrel, and Gerald Ash. 2006. A Path Computation Element (PCE)-Based Architecture. RFC 4655.

[58]

JP Vasseur and Jean-Louis Le Roux. 2009. Path Computation Element (PCE) Communication Protocol (PCEP). RFC 5440.

[59]

Thomas Vissers, Tom Van Goethem, Wouter Joosen, and Nick Nikiforakis. 2015. Maneuvering around clouds: Bypassing cloud-based security providers. In ACM Conference on Computer and Communications Security (CCS).

Digital Library

[60]

VMware. 2020. vSphere Resource Management. https://docs.vmware.com/en/VMware-vSphere/7.0/vsphere-esxi-vcenter-server-701-resource-management-guide.pdf.

[61]

Cun Wang, Zhengmin Li, Xiaohong Huang, and Pei Zhang. 2016. Inferring the average AS path length of the Internet. In IEEE International Conference on Network Infrastructure and Digital Content (IC-NIDC).

[62]

Thilo Weghorn. 2019. Qualitative and Quantitative Guarantees for Access Control. Ph.D. Dissertation. ETH Zürich.

[63]

Emmett Witchel, Josh Cates, and Krste Asanović. 2002. Mondrian Memory Protection. SIGPLAN Notices 37, 10 (2002).

Digital Library

[64]

Hao Wu, Hsu-Chun Hsiao, and Yih-Chun Hu. 2014. Efficient Large Flow Detection over Arbitrary Windows. In ACM Internet Measurement Conference (IMC).

Digital Library

[65]

Marc Wyss, Giacomo Giuliari, Markus Legner, and Adrian Perrig. 2021. Secure and Scalable QoS for Critical Applications. In IEEE/ACM International Symposium on Quality of Service (IWQoS).

[66]

A. Yaar, A. Perrig, and D. Song. 2004. SIFF: a stateless Internet flow filter to mitigate DDoS flooding attacks. In IEEE Symposium on Security and Privacy (S&P).

[67]

T. Yang, H. Zhang, J. Li, J. Gong, S. Uhlig, S. Chen, and X. Li. 2019. HeavyKeeper: An Accurate Algorithm for Finding Top-k Elephant Flows. IEEE/ACM Transactions on Networking (ToN) 27, 5 (2019).

Digital Library

[68]

Xiaowei Yang, David Clark, and Arthur W. Berger. 2007. NIRA: A New InterDomain Routing Architecture. IEEE/ACM Transactions on Networking (ToN) (2007).

[69]

Xiaowei Yang, David Wetherall, and Thomas Anderson. 2005. A DoS-limiting network architecture. In ACM SIGCOMM Conference.

Digital Library

[70]

Omer Yoachimik and Vivek Ganti. 2020. Network-layer DDoS attack trends for Q3 2020. https://blog.cloudflare.com/network-layer-ddos-attack-trends-for-q3-2020/.

[71]

S. T. Zargar, J. Joshi, and D. Tipper. 2013. A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks. IEEE Communications Surveys & Tutorials 15, 4 (2013).

[72]

Lixia Zhang, S. Deering, D. Estrin, S. Shenker, and D. Zappala. 2002. RSVP: a new resource reservation protocol. IEEE Communications Magazine 40, 5 (2002).

Digital Library

[73]

Xin Zhang, Hsu-Chun Hsiao, Geoffrey Hasker, Haowen Chan, Adrian Perrig, and David Andersen. 2011. SCION: Scalability, Control, and Isolation On Next-Generation Networks. In IEEE Symposium on Security and Privacy (S&P).

Cited By

Schulz LHausheer D(2024)ID-INT: Secure Inter-Domain In-Band Telemetry2024 20th International Conference on Network and Service Management (CNSM)10.23919/CNSM62983.2024.10814310(1-9)Online publication date: 28-Oct-2024
https://doi.org/10.23919/CNSM62983.2024.10814310
Wehner RJohn TSchulz LHausheer D(2024)Secure in-Band Network Telemetry for the SCION Internet Architecture on Tofino2024 IEEE 32nd International Conference on Network Protocols (ICNP)10.1109/ICNP61940.2024.10858524(1-6)Online publication date: 28-Oct-2024
https://doi.org/10.1109/ICNP61940.2024.10858524
Scherrer SVliegen JSateesan AHsiao HMentens NPerrig A(2023)ALBUS: a Probabilistic Monitoring Algorithm to Counter Burst-Flood Attacks2023 42nd International Symposium on Reliable Distributed Systems (SRDS)10.1109/SRDS60354.2023.00025(162-172)Online publication date: 25-Sep-2023
https://doi.org/10.1109/SRDS60354.2023.00025
Show More Cited By

Index Terms

Colibri: a cooperative lightweight inter-domain bandwidth-reservation infrastructure

Recommendations

Protecting Critical Inter-Domain Communication through Flyover Reservations
CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

To protect against naturally occurring or adversely induced congestion in the Internet, we propose the concept of flyover reservations, a fundamentally new approach for addressing the availability demands of critical low-volume applications. In contrast ...
A market-based bandwidth charging framework

The increasing demand for high-bandwidth applications such as video-on-demand and grid computing is reviving interest in bandwidth reservation schemes. Earlier attempts did not catch on for a number of reasons, notably lack of interest on the part of ...
An autonomous defense against SYN flooding attacks: Detect and throttle attacks at the victim side independently

Distributed denial of service (DDoS) attacks seriously threaten Internet services yet there is currently no defence against such attacks that provides both early detection, allowing time for counteraction, and an accurate response. Traditional detection ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CoNEXT '21: Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies

December 2021

507 pages

ISBN:9781450390989

DOI:10.1145/3485983

General Chairs:
Georg Carle
Technical University of Munich, Germany
,
Jörg Ott
Technical University of Munich, Germany

Copyright © 2021 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGCOMM: ACM Special Interest Group on Data Communication

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 December 2021

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CoNEXT '21

Sponsor:

SIGCOMM

CoNEXT '21: The 17th International Conference on emerging Networking EXperiments and Technologies

December 7 - 10, 2021

Virtual Event, Germany

Acceptance Rates

Overall Acceptance Rate 198 of 789 submissions, 25%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
290
Total Downloads

Downloads (Last 12 months)29
Downloads (Last 6 weeks)5

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Schulz LHausheer D(2024)ID-INT: Secure Inter-Domain In-Band Telemetry2024 20th International Conference on Network and Service Management (CNSM)10.23919/CNSM62983.2024.10814310(1-9)Online publication date: 28-Oct-2024
https://doi.org/10.23919/CNSM62983.2024.10814310
Wehner RJohn TSchulz LHausheer D(2024)Secure in-Band Network Telemetry for the SCION Internet Architecture on Tofino2024 IEEE 32nd International Conference on Network Protocols (ICNP)10.1109/ICNP61940.2024.10858524(1-6)Online publication date: 28-Oct-2024
https://doi.org/10.1109/ICNP61940.2024.10858524
Scherrer SVliegen JSateesan AHsiao HMentens NPerrig A(2023)ALBUS: a Probabilistic Monitoring Algorithm to Counter Burst-Flood Attacks2023 42nd International Symposium on Reliable Distributed Systems (SRDS)10.1109/SRDS60354.2023.00025(162-172)Online publication date: 25-Sep-2023
https://doi.org/10.1109/SRDS60354.2023.00025
Cao WKottmann FMa R(2023)Towards a Bandwidth Market for the Metaverse2023 IEEE International Conference on Metaverse Computing, Networking and Applications (MetaCom)10.1109/MetaCom57706.2023.00066(345-349)Online publication date: Jun-2023
https://doi.org/10.1109/MetaCom57706.2023.00066
Bao BYao QLi CSun ZLi XBai WYang HLiu SLi Y(2022)Cross-Domain Resource Allocation Scheme with Unified Control Architecture in Software Defined Optical Access NetworkPhotonics10.3390/photonics91007409:10(740)Online publication date: 8-Oct-2022
https://doi.org/10.3390/photonics9100740
Dalt FScherrer SPerrig A(2022)Bayesian Sketches for Volume Estimation in Data StreamsProceedings of the VLDB Endowment10.14778/3574245.357425216:4(657-669)Online publication date: 1-Dec-2022
https://dl.acm.org/doi/10.14778/3574245.3574252
Liu SMeseguer JÖlveczky PZhang MBasin D(2022)Bridging the semantic gap between qualitative and quantitative models of distributed systemsProceedings of the ACM on Programming Languages10.1145/35632996:OOPSLA2(315-344)Online publication date: 31-Oct-2022
https://dl.acm.org/doi/10.1145/3563299
Wyss MGiuliari GLegner MPerrig A(2022)DoCile: Taming Denial-of-Capability Attacks in Inter-Domain Communications2022 IEEE/ACM 30th International Symposium on Quality of Service (IWQoS)10.1109/IWQoS54832.2022.9812889(1-10)Online publication date: 10-Jun-2022
https://doi.org/10.1109/IWQoS54832.2022.9812889
Schulz LMoghadam EGarcia-Pardo JHausheer DCalvert K(2022)Supporting Dynamic Secure Interdomain Routing2022 IEEE 30th International Conference on Network Protocols (ICNP)10.1109/ICNP55882.2022.9940382(1-6)Online publication date: 30-Oct-2022
https://doi.org/10.1109/ICNP55882.2022.9940382

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten