12 Dec 2015

Dynamic Connectivity Management with an Intelligent Route Service Control Point

MS research page cited 54

Increased use of demanding network applications, as well as the increase of unwanted network traffic in the form of DDoS attacks, are putting new pressures on service providers to meet the expectations of customers in terms of network availability and performance.

dynamic connectivity management, which we broadly define as the ability to dynamically manage how and where traffic flows across a network.

simplification introduced by a centralized Intelligent Route Service Control Point (IRSCP)

… increased occurrence of distributed denial of service (DDoS) attacks likewise require more sophisticated and responsive network management practices from providers. We broadly define this timely control of how traffic flows through a network as dynamic connectivity management.

connectivity management tasks:
- Selective blackholing of DDoS traffic
- Planned maintenance dryout: the IRSCP allows the operator to move traffic away from routers on which maintenance is to be performed
- VPN gateway selection: explicitly select which VPN sites should use which gateways
- Network-aware load balancing: load balancing across multiple egress points leading to the same destination.

In the early 1980s the circuit switched voice network underwent a revolution with the introduction of a technology called the Network Control Point (NCP) [1].

our work … enable (arbitrary) external information to inform the route selection process

3. INTELLIGENT ROUTE SERVICE CONTROL POINT (IRSCP)

The IRSCP is a logically centralized network control element, i.e., it takes part in “control plane” functions but is not in the data path. In particular the IRSCP communicates with routers via iBGP: receiving routes from routers, performing route selection on behalf of each router and communicating the selected routes back to the routers (i.e., “phase one” as defined in [7])

Figure 1 shows two forms of input into the IRSCP. First is direct operator input, for example when a task like blackholing of DDoS traffic is performed. The second IRSCP input is what we broadly call “network intelligence” and represents the fact that the IRSCP platform allows external information to directly impact the routing process.

4.1 Selective DDoS Blackholing

Blackholing of DDoS traffic … by operators … in two steps:
1. A static route to a pre-defined “blackhole destination” is configured on all edge routers in the network. This static route is set up such that any traffic sent to this destination will be dropped on the edge router.
2. When a DDoS attack against a specific target prefix is detected, a BGP-speaking entity in the network (i.e., a router or, in our case, the IRSCP) generates a more specific route (called the blackhole-route) for the target destination and sets the next-hop attribute of this blackhole-route to point to the previously configured blackhole destination.
blackholing does mitigate the DDoS problem … drawback: once invoked on a particular router, all traffic towards the destination passing through that router will be dropped, thus in effect fulfilling the intent of the attacker because the destination is now unreachable through that router.
The IRSCP solution: selectively send the blackhole-route only to those edge routers that carry DDoS traffic or carry a significant portion of DDoS traffic… significant mitigation can be realized by blackholing traffic on a small number of edge routers

critically important advantage because DDoS attacks are in fact not that distributed… a recent study [9] showed that for DDoS attacks observed in an ISP network, over a four week period, only 0.1% of ingress interfaces contributed more than 90% of the DDoS traffic volume.

4.2 Planned Maintenance Dryout

ISPs routinely perform planned maintenance on routers to replace faulty hardware or install new router software.

when customer-edge (CE) routers are dual homed to two provider-edge (PE) routers

for all prefixes advertised by the dryout-router, if those prefixes are available from another router, make them more preferred.

common practice today to realize dryout is to change the IGP weight of selected links in the network to force traffic off the dryout router
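The two IRSCP tasks from 4.1 and 4.2 share one mechanism: the controller selects routes on behalf of every edge router, so it can hand a given router a different answer than plain iBGP would. The simulation below is an added illustration (not code from the paper or from AT&T's IRSCP) of that per-router selection: a more-specific blackhole route is injected only into the RIBs of the edge routers that together carry most of the attack volume, and a dryout demotes routes learned from the maintenance router only where another router advertises the same prefix. The router names, the 10.0.0.0/16 customer prefix, the next-hop addresses, the per-router attack volumes and the 192.0.2.1 blackhole destination are all constructed values.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed placeholder for the pre-configured "blackhole destination" (step 1 in 4.1).
# In a real network this is whatever address every edge router drops via a static route.
BLACKHOLE_DESTINATION = "192.0.2.1"


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str
    origin_router: str      # edge router the route was learned from ("IRSCP" for injected routes)
    local_pref: int = 100


class IRSCP:
    """Toy logically centralized route selector: one shared view, a per-router answer."""

    def __init__(self, routers: List[str]):
        self.routers = routers
        self.learned: List[Route] = []                                   # routes received via iBGP
        self.injected: Dict[str, List[Route]] = {r: [] for r in routers}  # per-router overrides

    def learn(self, route: Route) -> None:
        self.learned.append(route)

    def select(self, router: str, dst: str) -> Optional[Route]:
        """Route `router` would use for `dst`: longest prefix, then highest LOCAL_PREF,
        then a stable tie-break on origin router name."""
        ip = ip_address(dst)
        candidates = [r for r in self.learned + self.injected[router] if ip in r.prefix]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, -r.local_pref, r.origin_router))

    def blackhole(self, target: str, ddos_volume: Dict[str, float], coverage: float = 0.9) -> List[str]:
        """Selective blackholing (4.1): inject the more-specific blackhole route only into the
        edge routers that, taken in descending order of attack volume, cover `coverage` of it.
        `ddos_volume` maps ingress router to observed attack volume (a constructed measurement)."""
        prefix = ip_network(target)
        total = sum(ddos_volume.values())
        chosen, seen = [], 0.0
        for router, vol in sorted(ddos_volume.items(), key=lambda kv: kv[1], reverse=True):
            if total == 0 or seen >= coverage * total:
                break
            chosen.append(router)
            seen += vol
        for router in chosen:
            self.injected[router].append(Route(prefix, BLACKHOLE_DESTINATION, "IRSCP"))
        return chosen

    def dryout(self, router: str) -> int:
        """Planned maintenance dryout (4.2): demote routes learned from `router` when the
        same prefix is reachable via another router, so the alternative becomes preferred.
        Returns the number of routes demoted."""
        alternatives = {r.prefix for r in self.learned if r.origin_router != router}
        updated, demoted = [], 0
        for r in self.learned:
            if r.origin_router == router and r.prefix in alternatives:
                updated.append(replace(r, local_pref=50))
                demoted += 1
            else:
                updated.append(r)
        self.learned = updated
        return demoted


def demo() -> Dict[str, str]:
    """Constructed scenario: customer 10.0.0.0/16 dual-homed to PE1 and PE2,
    attack traffic toward 10.0.5.0/24 entering mostly via PE3."""
    irscp = IRSCP(["PE1", "PE2", "PE3", "PE4"])
    irscp.learn(Route(ip_network("10.0.0.0/16"), "198.51.100.1", "PE1"))
    irscp.learn(Route(ip_network("10.0.0.0/16"), "198.51.100.2", "PE2"))
    out: Dict[str, str] = {}
    out["pe3_before"] = irscp.select("PE3", "10.0.5.5").next_hop
    # Constructed per-router attack volumes: PE3 alone carries 90% of the DDoS traffic.
    out["blackholed"] = ",".join(irscp.blackhole("10.0.5.0/24", {"PE1": 30, "PE2": 20, "PE3": 900, "PE4": 50}))
    out["pe3_victim"] = irscp.select("PE3", "10.0.5.5").next_hop    # dropped on PE3 only
    out["pe3_other"] = irscp.select("PE3", "10.0.7.7").next_hop     # rest of the /16 still forwarded
    out["pe4_victim"] = irscp.select("PE4", "10.0.5.5").next_hop    # PE4 never saw the blackhole route
    irscp.dryout("PE1")
    out["pe4_after_dryout"] = irscp.select("PE4", "10.0.5.5").next_hop  # traffic drained to PE2
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>16}: {v}")
```

The point to take from the run is the contrast in 4.1: the same destination is dropped on PE3 but still forwarded on PE4, and the rest of the customer's /16 is untouched even on PE3, because the drop is carried by a more-specific route that only the chosen routers receive. The coverage threshold is where an operator would plug in the ingress statistics the paper cites; the selection order by volume is what makes "a small number of edge routers" sufficient.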

4.3 VPN Gateway Selection

The provider network has no knowledge of these customer goals and simply routes traffic across the backbone network according to default shortest path behavior.

4.4 Network Aware Load-balancing

a significant portion of the traffic destined to the data center (or customer network) is entering the IRSCP-enabled network from AS 1. Assuming that all IGP link weights are the same, both PE3 and PE4 will prefer to reach the data center using the routes advertised by PE2. Either way the net result is that the link between PE2 and CE will carry most of the traffic while the link between PE1 and CE will be mostly idle.

common problem for providers and customers alike … a CDF of the traffic ratio between the most loaded link and the least loaded link for each multi-homed customer in a large ISP over a typical day.
