Computer Engineering and Networks Laboratory (TIK)
 

Publication Details for PhD Thesis "Self-Configuring Services for Extensible Networks -- A Routing-Integrated Approach"

 


 

Authors: Ralph Keller
Group: Communication Systems
Type: PhD Thesis
Title: Self-Configuring Services for Extensible Networks -- A Routing-Integrated Approach
Year: 2004
Month: January
Pub-Key: Kel03d
Keywords: active networks, service creation, network control
ETH Nbr: 15372
Pub Nbr: 59
School: ETH Zurich
Abstract: During the last decades the original Internet architecture evolved dramatically with new functionality being added to the network layer to support a wide range of emerging applications. Network services such as firewalls, congestion control, media gateways, and traffic engineering all require a network that not only forwards packets based on the destination address, but also performs packet processing on nodes interior to the network. In an effort to support such application-specific packet handling requirements, router manufacturers have embedded programmable elements into routers for providing network services in a more flexible way. However, deploying new services in an existing network is usually a manual and time-consuming process, requiring the installation of code on multiple routers distributed all over the network. Given the complexity of how services can be composed, the only feasible approach is to automate this process. For this reason, it is crucial to have a suitable service infrastructure built on top of raw processing capabilities to enable programmability of each node. This thesis presents a service framework that allows router resources to be programmed and coordinated such that the underlying network provides the anticipated services on behalf of applications. We have developed the ANCS (Active Network Control Software), which can be seen as an additional control layer in an active network environment that offers a generic service abstraction and automates the configuration of processing resources to form network services. Our system accepts processing demands from applications, maps their processing requirements onto the available network resources, and configures the appropriate resources on network nodes. In this thesis we focus on all the control mechanisms needed by such a service framework. First, we propose active pipes as a high-level programming interface to the active network.
An active pipe models the processing requirements as a sequence of processing steps performed on a data flow, without the application having to know about the underlying topology and location of processing resources. A processing step can be either mandatory or optional, meaning that the execution can depend on the state of the network. Each processing step can have multiple attribute constraints refining the location of processing. Second, we describe a resource discovery protocol for the dissemination of information about processing resources. Our approach is based on extending a link-state routing protocol such as OSPF and distributing the processing capabilities as opaque link-state advertisements. Third, we describe an algorithm that maps the processing requirements expressed as an active pipe onto physically available network resources. This mapping algorithm solves the problem of finding the optimal location of all specified mandatory and optional processing steps including a path transiting the sites, while minimizing network costs. Since our solution optimizes for both link and processing costs, paths can become non-simple, meaning that a given node can be visited repeatedly. The runtime complexity of the algorithm is polynomial, thus scales to large networks. Fourth, we have designed a signaling mechanism for the installation of processing code on selected nodes along with the establishment of explicit forwarding state such that traffic gets routed through these nodes as determined by the mapping algorithm. We have implemented our service framework along with all the necessary control operations and protocols on top of our modular and extensible PromethOS router architecture. We have demonstrated the viability of our approach in a realistic environment using two applications that benefit from network-interior packet processing. For a video distribution application, we deploy application-specific congestion control modules before congested links. 
Using these video scaling modules, we have shown that the perceived video quality improves significantly compared to traditional best-effort packet queuing. A second application implements a security gateway that performs data encryption on routers in a way completely transparent for end systems. Furthermore, our performance evaluation shows that services can be established efficiently with minimal overhead.