Part I, The General Framework
Abstract: We describe the design of Sapheniea, a framework that enables network administrators to easily implement policies in large-scale networks. The goal of Sapheniea is to capture as much configuration information as possible in a single parameter, which we call the class. The key idea is to categorize network traffic into different classes and to embed that same class parameter as a configuration knob in routing. Network administrators only need to define the classes, specify the relationships between them, and assign classes to links. We present two applications that illustrate how Sapheniea can be used in enterprise networks: (a) access control within a domain, and (b) channeling traffic through choke-points such as middle-boxes.
Part II, An Application of Classes: Access Control Routing
Abstract: In this paper, we propose Access Control Routing (ACR), a clean-slate and flexible approach that simplifies access control configuration in large-scale enterprise networks. ACR uses a single parameter, the class, to couple access control and routing. Each end-host specifies its access control policies at the granularity of a class. On the network side, the control plane establishes a logical reachability network for every class, and the data plane explicitly labels each packet with the class of its source. Unlike traditional access control configuration approaches, ACR adapts easily to topology or routing changes and is better suited to handling network failures. ACR eliminates the need for VLANs and also makes it possible to route traffic through arbitrary middle-boxes automatically, without manipulating the physical topology. Using a software-based router implementation of ACR and access control policies gathered from four large commercial enterprise networks, we show that ACR can be adopted in large enterprise environments with little additional performance overhead.
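As an added illustration (not code from the Sapheniea or ACR papers), the following Python toy model puts the mechanism described in both abstracts into a runnable form: classes are assigned to end-hosts and to links, each end-host states which source classes may reach it, the control plane derives one logical reachability network per class from the link labels, and the data plane labels a packet with its source's class before routing it inside that class's network. Guest traffic is channeled through an "ids" middle-box simply by labelling only the links through that box with the guest class, and a link failure is handled by recomputing the per-class network. All host, switch, class and link names are constructed assumptions, and the breadth-first search stands in for whatever routing protocol a real deployment would use.

```python
"""Toy model of class-based access control routing.

Added illustration for this page; it is not the Sapheniea/ACR implementation.
Every host, switch, class and link below is a constructed example.
"""
from collections import deque

# Constructed inputs --------------------------------------------------------
# Each end-host belongs to exactly one class. The data plane labels a packet
# with the class of its *source*, so the label is not chosen by the host.
HOST_CLASS = {"h1": "eng", "h2": "eng", "h3": "guest", "srv": "server"}

# Each end-host states, at class granularity, which source classes may reach it.
ACCEPTS = {
    "h1": {"eng"},
    "h2": {"eng"},
    "h3": {"guest"},
    "srv": {"eng", "guest"},
}

# Physical links, each labelled with the set of classes it may carry.
# Guest traffic is labelled only onto links that pass through the "ids"
# middle-box, so guest flows are channeled through that choke point.
LINKS = {
    frozenset({"h1", "s1"}): {"eng"},
    frozenset({"h2", "s3"}): {"eng"},
    frozenset({"h3", "s1"}): {"guest"},
    frozenset({"s1", "s2"}): {"eng"},        # direct path, engineering only
    frozenset({"s1", "s3"}): {"eng"},        # backup path for engineering
    frozenset({"s3", "s2"}): {"eng"},
    frozenset({"s1", "ids"}): {"guest"},     # guest choke point
    frozenset({"ids", "s2"}): {"guest"},
    frozenset({"s2", "srv"}): {"eng", "guest"},
}


def class_network(links, cls, failed=frozenset()):
    """Control plane: the logical reachability network for one class, i.e. the
    adjacency formed by links labelled with that class, minus failed links."""
    adj = {}
    for link, classes in links.items():
        if cls in classes and link not in failed:
            a, b = tuple(link)
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    return adj


def shortest_path(adj, src, dst):
    """Breadth-first search; returns the node list or None if unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(adj.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def forward(src, dst, failed=frozenset(), links=LINKS,
            host_class=HOST_CLASS, accepts=ACCEPTS):
    """Data plane decision for one packet: label it with the source's class,
    check the destination's class policy, then route inside that class's
    reachability network. Returns (verdict, path_or_reason)."""
    cls = host_class[src]
    if cls not in accepts.get(dst, set()):
        return ("denied", f"{dst} does not accept class {cls}")
    path = shortest_path(class_network(links, cls, failed), src, dst)
    if path is None:
        return ("unreachable", f"no class-{cls} path from {src} to {dst}")
    return ("forwarded", path)


if __name__ == "__main__":
    print(forward("h1", "srv"))   # engineering takes the direct path
    print(forward("h3", "srv"))   # guest is channeled through ids
    print(forward("h3", "h1"))    # denied by h1's class policy
    print(forward("h1", "srv", failed={frozenset({"s1", "s2"})}))  # reroute via s3
```

Two points the model makes concrete: the policy check and the route are both keyed on the same class parameter, so a topology change only requires recomputing the per-class network, not touching any end-host policy; and channeling through a middle-box is a consequence of which links carry the class label, not of VLAN or physical re-wiring.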
People:
Papers, Slides: