The existing communication infrastructure provided by the Internet is rigid,
which makes the deployment of new services and new protocols difficult. The
next generation of networks is programmable and reprogrammable: service
providers and even end users will be able to directly program network routers
for fast service deployment and optimized performance.
We designed and implemented a programmable router architecture in which a
router's functionality can be extended dynamically through the use of active
extensions, which we call delegates.
On the data forwarding plane, our router supports advanced packet
classification at both input and output ports, sophisticated input packet
processing, and output scheduling.
On the control plane, an execution environment is built to support router
extensibility: delegates can be dynamically installed and executed within it.
Delegates implement new services and protocols, or customize router behavior,
via a controlled programming interface, the Router Control Interface (RCI).
To illustrate the advantages of this flexible architecture, we implemented
several useful services fairly easily. One service traces back the malicious
sender when the network is under a Denial-of-Service attack; another enables
the deployment of customizable virtual private networks.
PAPER
Jun Gao, Peter Steenkiste, Eduardo Takahashi and Allan Fisher.
A Programmable Router Architecture Supporting Control Plane Extensibility.
IEEE Communications Magazine, March 2000, Vol. 38, No. 3, pp. 152-159.
[ Full text (80KB); CMU TR version PostScript (1.4MB) ]
Security in Programmable Networks
The open architecture of programmable networks allows routers' functionality
to be extended dynamically. However, this architecture also makes such a
network more vulnerable to attackers than a traditional network. Safety and
security concerns must be properly addressed before programmable networks can
be practically deployed.
One particular security question is how to limit what resources and data
active extensions can access on programmable routers, in order to protect the
services provided by these routers from being disrupted. While there are
existing solutions explicitly designed to deal with access control to
conventional resources on end systems, we designed a scheme based on access
control lists (ACLs) to restrict the operations active extensions can perform
on a programmable router's link bandwidth and users' data traffic.
A trusted policy manager within each domain associates security policies
with active extensions at setup time, and these policies are enforced by
routers whenever active extensions try to access the router's link bandwidth
or users' traffic.
Our solution can effectively and efficiently control active extensions'
behavior on routers and defeat potential attacks on router resources and data
traffic launched by malicious or faulty extensions.
PAPER
Jun Gao and Peter Steenkiste.
An Access Control Architecture for Programmable Routers.
In Proceedings of the Fourth IEEE Conference on Open
Architectures and Network Programming (OPENARCH'01), pages 15-24, Anchorage,
Alaska, April 2001.
[ Full text (231KB) ]
Virtual Private Networks
Customizable VPN with QoS
A virtual private network (VPN) service allows customers, typically large
corporations that have multiple sites located in different geographic areas,
to build a virtual wide-area private network on top of a shared public network
infrastructure, such as the Internet, without setting up any costly dedicated
physical connections.
Many techniques have been developed to implement such a service, but generally
these schemes only address connectivity and data privacy issues. For example,
the widely used IP-tunnel based scheme builds a VPN by having edge routers
encrypt and encapsulate data when it leaves one corporate site, and decrypt and
decapsulate it when the traffic arrives at the other site. Harder problems such
as QoS provisioning, VPN customizability, and customer manageability are left
unaddressed.
In our work, we proposed and implemented a virtual network service (VNS), a
value-added network service for deploying VPNs in a managed IP network.
In addition to the conventional properties of connectivity and data secrecy,
the VPNs built using VNS are customizable in that the customer can deploy
custom routing and signalling protocols. The VPNs are also provisioned with
guaranteed QoS, which emulates a dedicated private line.
PAPER
L. Keng Lim, Jun Gao, T.S. Eugene Ng, Prashant Chandra,
Peter Steenkiste, and Hui Zhang.
Customizable Virtual Private Network Service with QoS.
Computer Networks, Elsevier Science, Volume 36, Issue 2-3, July 2001,
pp. 137-151.
[ Full text (466KB) ]
Resource Management for the Internet
Runtime Resource Management
Advanced network services and applications running on the Internet, such as
video conferencing and distributed gaming, demand high quality of service
(QoS) from the network. This requires the network to support sophisticated
resource management mechanisms so that the applications can manage the
resources allocated to them for best performance.
Traditionally, resource management is done by the participating endpoints at
application start-up time; the network itself acts passively as a basic data
transportation vehicle. This service model cannot satisfy the needs of these
new applications, since during the application's runtime the network
conditions are likely to change and the application's resource requirements
may also change over time.
We believe that resource management at runtime from inside the network
has many advantages that can benefit certain applications greatly. For example,
routers can react to network congestion much faster than end systems.
We introduce a network mechanism that allows applications to inject
application-specific mobile code segments into network routers. These code
segments are customized to the particular application, represent the
application's interests, and manage the application's resources to adapt to
changes in the network.
We demonstrated the effectiveness of this system by showing improved
performance of some example applications, including a multimedia application
using MPEG and a data distribution application with replicated servers.
PAPER
Eduardo Takahashi, Peter Steenkiste, Jun Gao and Allan Fisher.
A Programming Interface For Network Resource Management. In
Proceedings of the Second IEEE Open Architectures and Network Programming
(OPENARCH'99), pages 34-44, New York, NY, March 1999.
[ Full text (1.1MB) ]
PAPER
Prashant Chandra, Yang-Hua Chu, Allan Fisher, Jun Gao, Corey Kosak,
T.S. Eugene Ng, Peter Steenkiste, Eduardo Takahashi, and Hui Zhang.
Darwin: Customizable Resource Management for Value-Added Network Services.
IEEE Network, Volume 15, Issue 1, January/February 2001, pp. 22-35.
[ Full text (145KB) ]
Dynamic Service Level Agreement
Network resources, specifically bandwidth, are traded as a type of commodity
amongst ISPs. Aggregated traffic from one autonomous system (AS) going into
another AS is subsequently delivered to possibly multiple ASes downstream.
Currently an ISP offers bandwidth to other ISPs based on a pre-negotiated
bilateral service agreement. The agreement is often decided statically based
on historical data. In order to honor the contracted service, the ISP may
have to over-provision its bandwidth to accommodate occasional unexpected
traffic bursts. This static way of contracting service often wastes the
ISP's capacity.
We designed a system that closely tracks the traffic pattern of aggregated
traffic within an AS. Based on this traffic analysis, we devised a
probabilistic algorithm with which the ISP can intelligently determine the
service level agreement with its neighboring ISPs; in particular, an ISP can
dynamically decide whether to accept or reject an aggregated bandwidth request.
This system results in a more efficiently used ISP network while maintaining
a low loss rate and a low traffic blocking rate inside the network.
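As an added illustration of the accept/reject decision just described (this is not the paper's algorithm, which the page does not spell out; the Gaussian model of aggregate load, the way a request is described, the overflow target and the sample measurements are all assumptions), the following Python snippet compares a probabilistic admission check against the static sum-of-peaks rule that forces over-provisioning:

```python
"""Probabilistic admission check for an aggregate bandwidth request.

Added example, not the paper's algorithm (the page says only that a
probabilistic decision is made from tracked traffic): the Gaussian model of
aggregate load, the request description and the thresholds are assumptions.
"""
from statistics import NormalDist, mean, stdev
from typing import List


def admit(samples: List[float], capacity: float, req_mean: float,
          req_stdev: float, req_peak: float,
          target_overflow: float = 0.01) -> dict:
    """Decide on an aggregate request from a neighbouring AS.

    samples: recent measurements of aggregate load on the link (Mbps), the
    'tracked traffic pattern'. The new aggregate is modelled as independent
    of the existing load, so the combined load is
    Normal(mu + req_mean, sqrt(sigma^2 + req_stdev^2)).
    Accept if the probability that the combined load exceeds capacity stays
    at or below target_overflow. The static rule (observed peak plus the
    request's contracted peak must fit in capacity) is computed alongside
    so the two can be compared.
    """
    mu, sigma = mean(samples), stdev(samples)
    combined = NormalDist(mu + req_mean, (sigma ** 2 + req_stdev ** 2) ** 0.5)
    p_overflow = 1.0 - combined.cdf(capacity)
    return {
        "p_overflow": p_overflow,
        "accept": p_overflow <= target_overflow,
        "static_accept": max(samples) + req_peak <= capacity,
    }


# Constructed load samples (Mbps) on a 100 Mbps link; not measured data.
SAMPLE_LOAD = [40.0, 45.0, 50.0, 55.0, 60.0]


def demo():
    """Two constructed requests: one the static rule refuses but the
    probabilistic check admits, one both refuse."""
    modest = admit(SAMPLE_LOAD, 100.0, req_mean=20.0, req_stdev=5.0, req_peak=45.0)
    large = admit(SAMPLE_LOAD, 100.0, req_mean=40.0, req_stdev=10.0, req_peak=45.0)
    return modest, large
```

With the constructed samples the existing load is about 50 Mbps with a standard deviation near 8 Mbps. The "modest" request pushes the expected combined load to 70 Mbps with an overflow probability well under 1%, so it is admitted even though its contracted peak (45 Mbps) plus the observed peak (60 Mbps) exceeds the link and the static rule would reject it. The "large" request raises the overflow probability above 20% and is refused by both rules, which is the loss-rate bound the text refers to.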
PAPER
Jun Gao and Dimitrios Pendarakis. Admission Control and
Resource Management for a Bandwidth Broker in a DiffServ Domain.
Summer intern final report at IBM T.J. Watson Research Center, August 1999.
[ Full text PostScript (366KB) ]
Mobile Networks
Location Privacy for Mobile IP
Mobile IP is the proposed standard protocol to support host mobility in the
Internet. Mobile IP enables a host to roam to a foreign network and still
be able to communicate with other hosts on the Internet using its previously
assigned IP address. With Mobile IP support,
other hosts can use a mobile host's original address to
communicate with it and the mobile host does not have to reconfigure
its IP address every time it moves to a new network.
However, the base Mobile IP routing behavior is suboptimal in that traffic
between a mobile host and a correspondent host must always go through the
mobile host's home network. To remedy this, an important technique called
Route Optimization has been proposed that lets the two parties communicate
directly by revealing the mobile host's current foreign network address to the
correspondent host. However, this scheme compromises the location of the
mobile host, which is considered a security violation in many cases.
We designed a scheme that requires only simple incremental changes to Internet
routers to preserve the mobile host's location privacy while Route
Optimization is in use with Mobile IP. The technique is based on IP source
routing and a specially designed route encryption algorithm, such that each
intermediate router knows how to forward a packet only to the next hop,
without learning the final destination.
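As an added illustration of the property just stated, that each router can recover only its own next hop from an encrypted source route (this is not the paper's route encryption algorithm; the per-router keys shared with the home agent, the fixed-width hop field, the per-layer nonce and the SHA-256-based keystream are assumptions made for illustration, and the sample topology and keys are constructed), the following Python snippet wraps the route in layers from the inside out and lets each router peel exactly one:

```python
"""Layered route encryption so each router learns only its next hop.

Added example, not the paper's algorithm: the per-router keys shared with
the home agent, the fixed-width hop field, and the SHA-256 keystream are
assumptions made for illustration (a deployment would use a standard
authenticated cipher; the hash-XOR stream here only models the layering).
"""
import hashlib
import os
from typing import Dict, List, Tuple

HOP_LEN = 16    # fixed-width hop identifier field (assumption)
NONCE_LEN = 16  # per-layer nonce prefixed to each ciphertext


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256; illustrative only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _encode_hop(name: str) -> bytes:
    raw = name.encode()
    if len(raw) > HOP_LEN:
        raise ValueError("hop name too long")
    return raw.ljust(HOP_LEN, b"\0")


def build_route(path: List[str], keys: Dict[str, bytes], final_dst: str) -> bytes:
    """Home agent side: wrap the route from the inside out.

    path lists the routers in forwarding order; keys maps a router name to
    the key it shares with the home agent. The innermost layer, readable only
    by the last router, names the mobile host's current foreign address.
    """
    hops = list(path) + [final_dst]   # router i must forward to hops[i + 1]
    blob = b""
    for i in range(len(path) - 1, -1, -1):
        plain = _encode_hop(hops[i + 1]) + blob
        nonce = os.urandom(NONCE_LEN)
        blob = nonce + _xor(plain, _keystream(keys[path[i]], nonce, len(plain)))
    return blob


def peel(key: bytes, blob: bytes) -> Tuple[str, bytes]:
    """Router side: strip one layer, returning (next_hop, blob for next hop)."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    plain = _xor(ct, _keystream(key, nonce, len(ct)))
    return plain[:HOP_LEN].rstrip(b"\0").decode(), plain[HOP_LEN:]


def forward(path: List[str], keys: Dict[str, bytes], final_dst: str):
    """Simulate forwarding along path.

    Returns the (router, next_hop) pairs each router learned, and whether any
    router other than the last could see the final destination in what it
    decrypted (the inner part it passes on is still ciphertext under the next
    router's key, so it should not).
    """
    blob = build_route(path, keys, final_dst)
    seen: List[Tuple[str, str]] = []
    leaked = False
    for router in path:
        next_hop, inner = peel(keys[router], blob)
        if router != path[-1] and final_dst.encode() in inner:
            leaked = True
        seen.append((router, next_hop))
        blob = inner
    return seen, leaked


# Constructed sample topology and keys (not real values).
SAMPLE_KEYS = {"r1": b"k1" * 16, "r2": b"k2" * 16, "r3": b"k3" * 16}


def demo():
    return forward(["r1", "r2", "r3"], SAMPLE_KEYS, "mh@foreign-net")
```

The source-route header that r1 receives decrypts, under r1's key, to "r2" followed by an opaque blob; r1 forwards that blob unchanged and never holds the foreign address in the clear. Only r3, the router adjacent to the foreign network, recovers the final destination, which is the privacy property the scheme relies on.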
PAPER
Yang-hua Chu, Jun Gao, and Sanjay Rao. A Scheme for Route
Optimization in Mobile IP without Compromising Location
Privacy. Course Project for Mobile and Wireless Networking, Spring
1998.
[ Full text PostScript (145KB) ]