计算机网络体系结构新进展

第一章

计算机网络体系结构与Internet（2）RethinkingtheInternetArchitecture徐明伟

OutlineChallengestonetworkarchitectureNewNetworkArchitectureResearchNewArch,GENI,FINDandFIRE973项目“新一代互联网体系结构理论研究”Role-BasedArchitecture(RBA)HostIdentityProtocol(HIP)InternetIndirectionInfrastructure(I3)Information-CentricNetworking(ICN)OutlineChallengestonetworkarchitectureNewNetworkArchitectureResearchNewArch,GENI,FINDandFIRE973项目“新一代互联网体系结构理论研究”Role-BasedArchitecture(RBA)HostIdentityProtocol(HIP)InternetIndirectionInfrastructure(I3)Information-CentricNetworking(ICN)Internetissuccessful,but…TheInternetdesignhasbeenverysuccessfulScaledintoahugeworldwideinfrastructureAdaptedtomanynewcommunicationtechnologiesFrameRelay,ATM,wireless,optical,...Easilyadaptedtounforeseenapplications--Web,P2PAdaptsoverahugedynamicrangeBUT...Seriousnewchallenges--newrequirementsandissuesLossoftechnicalcoherenceNewChallengestoArchitectureCommercialInternetBusinessmodels--ISPsneedtobeabletomakemoneyNeedtoharnesscompetitiontodriveinnovationLegal,political,andpublicpolicyissuesErosionoftrust(Lossofinnocence)Spam/viruses/worms/DDoSattacks/...NewtechnologiesandapplicationsOpticalnetwork,wirelessnetwork…Contentdistribution(IPTV,P2P)…NewChallengestoArchitecture(cont’d)LossofTechnicalCoherenceEquipmentvendorswanttosellboxesTheyarebusilydesigningpointsolutionstospecificproblems;ofteninconflict,lackingingenerality.Lookslikeadownwardspiralintotechnicalchaos.ErosionoftheEnd-to-EndPrincipleArgumentaboutLayeringPrincipleScalabilityErosionoftheEnd-to-EndPrincipleAcurrentarchitecturalbattleground…

“Middleboxes”processuserpacketsinsidethenetwork.E.g.,webcachesandproxies,application-levelfirewalls,NATboxes,performance-enhancingproxies,…TheyperformusefulfunctionsbutviolatetheE2EPrinciple.Thatismorethanreligion--theyreducerobustness,generality,extensibility,andsimplicity.

Linklayer

(subnet-specific)

InternetlayerIP

Transportlayer

TCP,UDP,SCTP...ApplicationlayerSMTP,HTTP,...ArgumentaboutLayeringPrincipleMarblingtheInternetLayerCakePhysicallayer532144.5TLS3.5IPsec2.5MPLSProtocolstackorprotocolheap?CrosslayerdesignScalabilitySincetheARPANETstarted,variousmeasuresofthesizeoftheInternethaveincreasedbyfactorsbetween1,000(backbonespeed)and1,000,000(numberofhosts)IPv4addressdepletionRoutingscalabilityInthisenvironment,somearchitecturalprinciplesinevitablychange.Principlesthatseemedinviolableafewyearsagoaredeprecatedtoday.Principlesthatseemsacredtodaywillbedeprecatedtomorrow.OnBeingtheRightSizePublishedin1928(longbeforecomputernetworkswereinvented)byJ.B.S.Haldane,Discussedsizeinthenatural(biological)worldandsystems.

“notonlytentimesashigh,buttentimesaswideandtentimesasthick,sothattheirtotalweightwasathousandtimeshis,…sothateverysquareinchofgiantbonehadtosupporttentimestheweight”Thisiswhygazelleswithlongandthinlegs,whilerhinoceroswithshortandthicklegs.Thinkaboutwhetherthereisa"rightsize"foranetwork,andwhataspectsofanetworkdeterminethe"rightsize“.OutlineChallengestonetworkarchitectureNewNetworkArchitectureResearchNewArch,GENI,FINDandFIRE973项目“新一代互联网体系结构理论研究”Role-BasedArchitecture(RBA)HostIdentityProtocol(HIP)InternetIndirectionInfrastructure(I3)Information-CentricNetworking(ICN)NewArch2000–2003,asmallDARPA-fundedprojectObjective:tofigureoutwhattheInternetarchitecturewouldhavebeenifwehadknownin1979whatweknowtoday.Cleanslatedesign:ignorecompatibility/transitionissuesNewArchPlayers:DaveClark(MIT),BobBraden(ISI),MarkHandley&ScottShenker(ICIR),etc.NewArch--theProcessRe-examinetherequirementsandassumptionsTrytounderstandimplicationsfortheInternetarchitectureofeconomic,political,andsocialforcesExamineasetofpropositionsoftheform:WhatifwerelaxedassumptionX?WhatifweaddedassumptionY?AndpursueafewofthepromisingXsandYsSampleofPropositionsConsideredRelaxedassumptionX:X=Allpackets(e.g.,nobitstreams)X=ProtocollayeringX=Networklocator==End-pointidentifierAddedassumptionY:Y=ProvideregionsoftrustY=SupportubiquitousmobilityY=CarrycongestionstateinpacketheadersY=EmpoweruserstochooseISPs(=>competition)Finaltechnicalreport:GENI:GlobalEnvironmentforNetworkInnovationsAprojectsponsoredbytheNationalScienceFoundationGENIisavirtuallaboratoryatthefrontiersofnetworkscienceandengineeringforexploringfutureinternetsatscale.Somehighlights,suchasOpenFlowMoUbetweenGENIandCERNET

FIND:FutureInternetDesignFINDisalong-terminitiativeoftheNSFNeTSresearchprogramFINDinvitestheresearchcommunitytoconsiderWhattherequirementsshouldbeforaglobalnetworkof15yearsfromnowHowwecouldbuildsuchanetworkifwearenotconstrainedbythecurrentInternet--ifwecoulddesignitfromscratch.

MotivationforFINDChallengescommunitytothinkaboutwhywebuiltwhatwebuiltAlotwegotright(perhapssurprising…)AlotisalmostanaccidentChallengesustoenvisionafutureNotjustimprovethepresentFreeourmindsfromtheconstraintsofwhatis,toimaginewhatwemightbeFIA:FutureInternetArchitecture2010.8.27,NSFannouncedawardsforfournewprojectsaspartoftheFIAprogramNamedDataNetworkingMovethecommunicationparadigmfromtoday'sfocuson"where“to"what“MobilityFirstUseDTNtoproviderobustnessandproposeanarchitecturecenteredonmobilityasthenormNEBULA(nebulaisLatinforcloud)eXpressiveInternetArchitectureAddressthegrowingdiversityofnetworkusemodelsFIRE:FutureInternetResearchandExperimentationFIREisaninitiativeundertheEUFP7TheinitiativehastworelateddimensionsBuildaEuropeanExperimentalFacilityforFutureInternetresearchSupportexperimentally-drivenadvancedresearch

973项目新一代互联网体系结构理论研究互联网面临的重大理论挑战超高速光传输的科学进步，使基于不可靠低速通信线路的分组交换理论及其互联网体系结构面临重大挑战互联网“尽力而为、边缘复杂、核心简单”的体系结构如何满足新一代互联网多目标服务质量控制的需求计算机网络、电信网、电视网的功能融合对互联网体系结构提出新的挑战互联网中大量通信协议软件的开发对传统软件理论提出重大挑战：形式化描述、验证、测试和可重用性传统的基于泊松过程的马尔可夫理论无法描述互联网突发流量的自相似性和无连接特性人们对互联网日益依赖与互联网体系结构脆弱和不可信的矛盾问题日益加据：单一性带来巨大安全隐患拟解决的关键科学问题互联网体系结构的多维可扩展性研究解决现有网络体系结构的单一可扩展性和网络功能的复杂多样性之间的矛盾。探索从单一的规模可扩展，到功能可扩展、性能可扩展、安全可扩展和服务可扩展的多维可扩展理论。网络动态行为及其可控性研究解决未知的网络行为与确定的传输控制目标之间的矛盾。探索互联网动态行为模型和基于该模型的自适应控制方法。脆弱复杂巨系统的可信性研究解决网络的脆弱性和安全可信需求之间的矛盾。研究脆弱复杂互联网的安全可信模型和控制方法。稳定网络体系结构的服务多样性研究解决网络体系结构的相对稳定性和网络服务需求的复杂多变之间的矛盾。探索大规模互联网服务理论，研究多样性网络服务模型和服务可管理性问题。其他网络体系结构相关的973项目一体化可信网络与普适服务体系基础研究面向服务的未来互联网体系结构可重构信息通信基础网络体系研究OutlineChallengestonetworkarchitectureNewNetworkArchitectureResearchNewArch,GENI,FINDandFIRE973项目“新一代互联网体系结构理论研究”Role-BasedArchitecture(RBA)HostIdentityProtocol(HIP)InternetIndirectionInfrastructure(I3)Information-CentricNetworking(ICN)RBASupportedbyNewArchMotivationTheIETFhaseanarchitecturalpretzelfactory.LayerviolationsSub-layerproliferationE.g.,MPLSat2.5,IPsecat3.5ErosionofE2Emodel--middleboxesFirewalls,NATs,proxies,caches,...Canwesomehowreducethecomplexityandincreasethearchitecturalflexibility?SuggestionSuggestion1:Replacethetraditionalprotocollayeringparadigmwithamoregeneralmodel.Manyoftheseproblemsseemtoberelatedtotraditionallayering.Suggestion2:Provideaprotocolmechanismtoattachadditionalmetadatatodatapackets--“in-bandsignaling”--formiddleboxes.Attachcolor-coded“stickies”topacketsinthenetwork.ThesesuggestionsledtotheconceptsofRole-BasedArchitecture(RBA)Givinguplayeringhasprofoundconsequencesforhowwethinkaboutprotocols.WhatDoesNon-LayeredMean?TraditionallayeredarchitectureModularityFunctionalunitforeachprotocollayer.Packetheaderformat:Sub-headerforeachlayer,formingalogicalstack.Headerprocessingrules:Order:Headersprocessedinorderbylayer(LIFO)Access:Afunctionalmodulecanread/writeonlyitsownsub-headerWhatDoesNon-LayeredMean?(Cont’d)Non-LayeredarchitectureModularity:Role:Functionalspecofacommunicationbuildingblock.Packetheaderformat:Anarbitrarycollectionofsub-headers:“roledata”.TheseareRole-SpecificHeaders(RSHs).RSHsareaddressedtoroles.HeaderdatastructureisnowalogicalheapofRSHs.Processingrules:neednewrulesfororder,access.RSHProcessinginaNodeRoleARoleBRoleCNetworkNodePayloadRSH1RSH2RSH3HeapPacketWriteReadObjectivesofRBAClarity:Replace“layerviolations”witharchitectedroleinteractionsFlexibilityRoleshavemoreflexiblerelationshipsthanlayersExtensibilityRolesaremodularandhopefullyorthogonal.Nolayerrestrictions.InbandSignalingRSHscanactas“stickies”,e.g.,tocontrolmiddleboxes.AuditabilityCanleaveRSHsaftertheyhavebeen“consumed”,tosignaltodownstreamnodesthatafunctionhasbeenperformed.ObjectivesofRBA(Cont’d)PortabilityAllowrolestobesitedarbitrarilyonnodes.Forextracredit:mobilerolesthatmigrateamongnodesRe-ModularizationCurrentmonolithicprotocollayersarelargeandcomplex;

canre-modularizeintosmallerunits.ThisisnotanewideaItisunclearhowfaroneshouldgotowardsmicro-rolesButRBAgivesusfreedomofchoiceonfunctionalgranularitySecurityHideparticularroledata(Don’tmuckwithmymeta-data!)RSHmightbeunitforencryptionofroledataConclusionsAdvantagesofRBAModularizesfunctionalitybetterthanlayeringdoes.ProvidesanexplicitplaceformiddleboxmetadataShouldcreatefewerunexpectedfeatureinteractionsDisadvantagesofRBAReplacementofdeployedprotocolsLessefficient(headerspace,processing).GreaterflexibilitymayitselfincreasecomplexityandconfusionOutlineChallengestonetworkarchitectureNewNetworkArchitectureResearchNewArch,GENI,FINDandFIRE973项目“新一代互联网体系结构理论研究”Role-BasedArchitecture(RBA)HostIdentityProtocol(HIP)InternetIndirectionInfrastructure(I3)Information-CentricNetworking(ICN)TheHIPProtocolOverviewProtocolproposalcontains:Anewnamespace/newidentityAnauthenticationandkeyexchangeprotocolArchitecturalthoughtsHostIdentityUsinganIPaddresstoidentifyahostisnotthebestidea(seemulti-homedhosts,virtualinterfaces)AnewnamespacefortheInternetCryptograpicallybasedNon-spoofable‘Statistically’globalscopeUsedinsecurityassociationbindingsandpacketforwardingmechanismsSeparatesroutingfromendpointidentificationHostIdentity(cont’d)Newlyintroducedidentities:HostIdentity(=publickey)HostIdentityTag(=hashofthepublickey,128bit)LSI(32-bitLocalScopeIdentity)Higherlayersonlyseeidentities,notaddressesIPv6applicationsusethe128bitHITIPv4applicationsusethe32bitLSIHostIdentitiescanbewell-knownoranonymousEachhosthasatleastoneidentityTheProtocolStackApplication-specificidentifiersDataLinkLayer

NetworkLayer

TransportLayer

ApplicationLayerPairs<IPaddress,Port#>+TransportProtocolID

HostIdentityHostIdentity(HI)IPaddressesLinklayeraddressesTheHIPProtocol

AnauthenticationandkeyexchangeprotocolTheHIPprotocolisusedtoverifytheHostIdentityandtocreateanIPsecESPsecurityassociationHIPisalwayscombinedwithIPsecESPwheretheHIPIdentityis“compressed”intoIPsecESPSPITheprotocolhasthefollowingproperties:Denial-of-Serviceprotectionwiththeclient-puzzlemechanismDigitalsignatures,identitiesandcertificatesareexchangedSummaryHIPintroducesnewandinterestingconcepts.Theintroductionofanewaddressspacebasedonacryptographicidentitymakesalotofthingseasier:MobilityMulti-HomingSolutionsarealreadytherefortheseproblems;

HIPsolvestheproblemsinadifferentway.AdditionallyHIPhassecurityintegratedintotheprotocolWorkinIETFandIRTFOutlineChallengestonetworkarchitectureNewNetworkArchitectureResearchNewArch,GENIandFINDFIRE973项目“新一代互联网体系结构理论研究”Role-BasedArchitecture(RBA)HostIdentityProtocol(HIP)InternetIndirectionInfrastructure(I3)Information-CentricNetworking(ICN)InternetIndirectionInfrastructure(I3)

MotivationsToday’sInternetisbuiltaroundaunicastpoint-to-pointcommunicationabstraction:Sendpacket“p”fromhost“A”tohost“B”ThisabstractionallowsInternettobehighlyscalableandefficient,but……notappropriateforapplicationsthatrequiremoregeneralcommunicationabstractions:MulticastAnycastMobility…

Why?Point-to-pointcommunication

implicitlyassumesthereisonesenderandonereceiver,andthattheyaremostlyplacedatfixedandwell-knownlocationsE.g.,ahostidentifiedbytheIPaddress166.111.xxx.xxxislocatedinTsinghuaE.g.,anapplicationincommunicationisusuallyidentifiedbyher/hisIPaddress+portnumberWeWantMoreGeneralCommunicationTheidentitiesofthereceivinghostsareunknown:multicastandanycast.Thereceivinglocationnofixed:mobility.Strictbindingofsendingandreceiving(asitistoday)causesthestatedproblemsKeyObservationVirtuallyallpreviousproposalsuseindirection,e.g.,PhysicalindirectionpointmobileIPLogicalindirectionpointIPmulticast“Anyproblemincomputersciencecanbesolvedbyaddingalayerofindirection”I3SolutionUseanoverlaynetworktoimplementindirectionIncrementallydeployable;don’tneedtochangeIPBuildanefficientindirectionlayerontopofIPIPTCP/UDPApplicationIndir.layerServiceModelLogicalidentifier(Rendezvous-Based)“glue”ofsendingandreceivingAsourcesendspacketsassociatedtoalogicalidentifier

id

intotheoverlaynetworkAreceiverexpressesinterestinreceivingapacketwithidentifieridbyinsertingatrigger

(id,R)intotheoverlaynetworkServiceModel(cont’d)Rendezvous/i3ServerMaintaintriggersReceiveandforwardpacketsOthermodificationsAPIsendPacket(p);insertTrigger(t);removeTrigger(t)//optionalBest-effortservicemodel(likeIP)Controlatend-hostsAnExampleTrigger(id,R)

Sender(id,data)

Receiver(R,data)IPinformationhiddenfromendusersSendingonlywhenallowedSenderidRtriggeriddataReceiver(R)iddataRdataPacket/TriggerLogicSimplestform:CompletematchPacket(id,

data)

Trigger(id,

addr)addr:(IP,

port),towherethedataisforwardedonIPlayerGeneralization:Inexactmatchofididt

in

(id,data)isalongestprefixmatchofidAtleastkbitsmatch(exactmatchthreshold)Challenge:efficientlymatchpacketsandtriggersMobilityHostjustneedstoupdateitstriggerasitmovesfromonesubnettoanotherSenderReceiver(R1)Receiver(R2)idR1idR2MulticastiddataReceiversinserttriggerswithsameidentifierCandynamicallyswitchbetweenmulticastandunicastReceiver(R1)idR1Receiver(R2)idR2SenderR1dataR2dataiddataAnycastUselongestprefixmatchinginsteadofexactmatchingPrefixp:anycastgroupidentifierSuffixsi:encodeapplicationsemantics,e.g.,location SenderReceiver(R1)p|s1R1Receiver(R2)p|s2R2p|s3R3Receiver(R3)R1datap|adatap|adataPerformanceIssuesRobustnessRouting:LargelydependsonDHTManagement:SoftstateTriggerloss:reinsert,backupid,successorreplicaProblem:alltriggerswiththesameprefixshouldbecachedtogetherEfficiencyandloadbalancingCachingservers’IPaddressesofrecentidsSamplingmorei3servers/rendezvouspointsScalabilityConflictwithefficiency?HierarchyAnindirectionlayerbasedonoverlaynetworkdecouplingsendingandreceivingMulticastAnycastMobilityServiceCompositionIPLayerDHTDesignPrinciplesHostInfrastructureInternet&InfrastructureoverlaysDataplaneControlplanep2p&End-hostoverlaysDataplaneControlplanei3DataplaneControlplaneOutlineChallengestonetworkarchitectureNewNetworkArchitectureResearchNewArch,GENI,FINDandFIRE973项目“新一代互联网体系结构理论研究”Role-BasedArchitecture(RBA)HostIdentityProtocol(HIP)InternetIndirectionInfrastructure(I3)Information-CentricNetworking(ICN)PopularConception:

ContentDistributionOvertheInternetDoesNotScaleAttemptstoMitigateP2PEnhancingscalabilitybydistributingservingloadBut:trafficmanagementandpeerselectioncontroldeemednecessaryAlso:combiningP2Pwithdedicatedin-networkstorage(DECADE)CDNEnhancingscalabilityandperformancebyoperatingdedicatedcachesclosetoaccessnetworksBut:proprietary,standalonenetworks–increasingdemandforinterconnect:CDNIRequirementRepresentsaneedfor

Accessingnamedresources,nothostsScalabledistributionthroughreplicationandcachi