SIGCOMM 2017 Poster Sessions

Abstract:

Enforce virtualized congestion control is a new trend for datacenter networks. Virtual Congestion Control (VCC) can also enforce differentiated Quality-of-Service (QoS) for flows. However, current flow differentiation algorithm only provides qualitative rather than quantitative bandwidth allocation. Weighted bandwidth allocation is critical to enforce administrator policy. In this work, we propose Weighted Virtual Congestion Control (WVCC) enforcement for datacenter networks. It is a novel per-flow differentiation mechanism capable of proportionally allocating bandwidth among flows.

Abstract:

3D Fabric, a new data center network algorithm, jointly uses two strategies for congestion avoidance: flow rate adjustment and path switch. 3D Fabric predicts flow’s size and only decelerates large flows in case of light congestion. When the network is heavily congested, it starts to decelerate small flows as well, and meanwhile, considers to switch large flow’s path. 3D Fabric makes novel contributions such as a new artificial flowlet generation method for load balancing which avoids packet reordering. As a network-based solution, 3D Fabric does not modify the end host’s application and protocol stack and makes no assumption on the network topology. The main algorithm can be implemented in virtual switch, NIC, or ToR switch. ns-3 simulation shows 3D Fabric’s FCT outperforms DCTCP by more than 50% for small flows and 3% for large flows with low implementation cost.

Abstract:

SOHO routers act as a gateway to the Internet for Small Office/Home Office networks. They typically run a firewall to filter potentially malicious traffic, and operate services such as NAT, DNS, DHCP, and web proxy. Despite the important role that they fulfill, there is a long history of vulnerabilities allowing attackers to breach security and availability of the clients and services on SOHO networks. Following the multiple disclosures and recommendations for patches in the last two decades it seems an obvious question to verify whether the reality meets the expectation. We focus on an important class of vulnerabilities called ‘authentication bypass’, which allow an attacker to take control over a network device by subverting the authentication procedure. To that end, we perform a stealthy and non disruptive Internet scale evaluation of authentication bypass vulnerabilities in SOHO routers. We systematically scanned portions of the Internet, focusing on a number of selected countries, to detect presence of vulnerable devices. The results of our study are worrisome: we find a large fraction of misconfigurations and insecurity issues in configuration of SOHO routers, which stand in sharp contrast to the awareness of the security and research communities to the vulnerabilities as well as a large body of work studying related topics.

Abstract:

Fog computing, also known as Edge computing, is an emerging computational paradigm, increasingly utilized in Internet of Things (IoT) applications, particularly those that cannot be served efficiently using Cloud computing due to limitations such as bandwidth, latency, Internet connectivity. At present, the norm is the static allocation of tasks by developers of an application, where some IoT applications are allocated to be performed on the Cloud, some on the Fog, and some on a hybrid Cloud-Fog. The applications are pre-programmed and predefined to be run on a platform, and this is unchangeable at run-time. IoT gateways, which are devices that bridge the IoT local network and the Internet, are in a position to make dynamic adjustments and allocation decision between platforms based upon real-time conditions such as an IoT applications’ performance. However, currently there is no (or very little) intelligence embedded into IoT gateways. This paper proposes cognitive IoT gateways powered by cognitive analytics and data mining techniques to improve the performance of IoT applications. These IoT devices are able to automatically learn and decide when and where to run an application, be that on the Cloud or on the Fog. The dynamic task sharing and platform interchanging will enable the IoT applications to be optimized for multiple objectives including task performance.

Abstract:

Remote Direct Memory Access (RDMA) offers ultra-low latency and CPU bypass networking to application programmers. Existing applications are often designed around socket based software stack that manages application buffers separately from networking buffers and do memory copies between them when sending/receiving data. With large sized (up to hundreds MB) application buffers, the overhead of such copies adds non trivial overhead to the end-to-end communication pipeline. In this work, we made an attempt to design a zero copy transport for distribute dataflow frameworks that unifies application and networking buffer management and completely eliminates unnecessary memory copies. Our prototype on top of TensorFlow shows 2.43x performance improvement over gRPC based transport and 1.21x performance improvement over an alternative RDMA transport with private buffers and memory copies.

Abstract:

Network failures continue to plague data center operators as their symptoms may not have any direct correlation with where or why they occur. In this paper we introduce Vigil, a lightweight, always-on monitoring/diagnosis application that pinpoints problems for each TCP connection and is completely contained within the end hosts. Vigil can also be used to find the problematic links in the network.

Abstract:

In the last 20 years the core of the Domain Name System (DNS) has improved in security and privacy, and DNS use broadened from name-to-address mapping to a critical roles in service discovery and anti-spam. However, protocol evolution and expansion of use has been slow because advances must consider a huge and diverse installed base. We suggest that experimentation at scale can fill this gap. To meet the need for experimentation at scale, this paper presents LDplayer, a configurable, general-purpose DNS testbed. LDplayer enables DNS experiments to scale in several dimensions: many zones, multiple levels of DNS hierarchy, high query rates, and diverse query sources. To meet these requirements while providing high fidelity experiments, LDplayer includes a distributed DNS query replay system and methods to rebuild the relevant DNS hierarchy from traces. We show that a single DNS server can correctly emulate multiple independent levels of the DNS hierarchy while providing correct responses as if they were independent. We show the importance of our system to evaluate pressing DNS design questions, using it to evaluate changes in DNSSEC key size.

Abstract:

The filter technologies, e.g., Bloom filters, have been used for IP lookup for their compactness and efficiency. We investigate the performance of cuckoo filters with Cisco’s VPP (Vector Packet Processing) for IP lookup. We also introduce a variant called a length-aware cuckoo filter that treats incoming IP addresses discriminatively, and study its performance with VPP. As proof-of-concept, we implement cuckoo filters with VPP, and test them on both functions and performance with focus on the ip6-input node in VPP.

Abstract:

Telco-CDNs are ISP-managed CDNs deployed inside ISP networks. We propose a new content distribution system inside telco-CDN called CAD. In CAD, Content Provider and ISP collaborate to distribute multimedia content to users inside the ISP network. CAD manages both the overlay and underlay of the network to reduce the ISP interdomain traffic, improve the service latency, and minimize the intradomain link utilization. CAD achieves these goals by allowing caching servers to fetch content from other caching servers, and create videos on-demand inside the telco-CDN. We propose an algorithm to calculate the overlay and underlay of the CAD-managed telco-CDN in polynomial time. Compared against the closest approach in the literature, our initial results showed that CAD achieves up to 30% reduction in the interdomain traffic and up to 230% improvement in the service latency, while not increasing the intradomain link utilization.

Abstract:

Mobile web page load time depends on three key factors: (1) complexity of website, (2) underlying network conditions, and (3) processing capability of devices. While there is substantial work focusing on Web complexity and network, there is little work in understanding the hardware bottlenecks in page load process. In this poster, we analyze the effect of hardware bottlenecks of Web pages. We also analyze the effect of GPU offloading, a commonly used solution to speed up Web page loads.

Abstract:

This paper proposes bitFA, a novel data structure optimized for fast and update-friendly regular expression matching. bitFA leverages fast bit manipulation, instruction-level parallelism and bitmap compression techniques to achieve 5x to 25x acceleration compared to existing NFA or DFA based regular expression matching methods.

Abstract:

The Domain Name System (DNS) is part of the core of the Internet. Over the past decade, much-needed security features were added to this protocol, with the introduction of the DNS Security Extensions. DNSSEC adds authenticity and integrity to the protocol using digital signatures, and turns the DNS into a public key infrastructure (PKI). At the top of this PKI is a single key, the so-called Key Signing Key (KSK) for the DNS root. The current Root KSK was introduced in 2010, and has not changed since. This year, the Root KSK will be replaced for the rst time ever. This event potentially has a major impact on the Internet. Thousands of DNS resolvers worldwide rely on this key to validate DNSSEC signatures, and must start using the new key, either through an automated process, or manual intervention. Failure to pick up the new key will result in resolvers becoming completely unavailable to end users. This work presents the “Root Canary”, a system to monitor and measure this event from the perspective of validating DNS resolvers for its entire nine-month duration. The system combines three active measurement platforms to have the broadest possible coverage of validating resolvers. Results will be presented in near real-time, to allow the global DNS community to act if problems arise. Furthermore, after the Root KSK rollover concludes in March 2018, we will use the recorded datasets for an in-depth analysis, from which the Internet community can draw lessons for future key rollovers.

Abstract:

TCP throughput and latency models are useful tools to characterize the TCP performance. The canonical throughput model, while useful, has some limitations since it does not consider how packet loss rate changes over time. This approach leads to poor predictions for short flows. We present a new modeling approach that characterizes the throughput and latency models by: (i) discovering the relationship between the packet loss rate and the congestion window size, and (ii) incorporating the starting congestion window and the number of parallel connections. Experimental results show that our models significantly improve modeling accuracy.

Abstract:

Unikernels are increasingly gaining traction in real-world deployments, especially for NFV and microservices, where their low footprint and high performance are especially beneficial. However, they still suffer from a lack of tools to support developers. uniprof is a stack profiler that supports Xen unikernels on x86 and ARM and does not requires any code changes or instrumentation. Its high speed and low overhead (0.1% at 100 samples/s) makes it usable even in production environments, allowing the collection of realistic and highly credible data.

Abstract:

SDN approaches to inter-domain routing promise better traffic engineering, enhanced security, and higher automation. Yet, naive deployment of SDN on the Internet is dangerous as the control-plane expressiveness of BGP is significantly more limited than the data-plane expressiveness of SDN, which allows fine-grained rules to deflect traffic from BGP’s default routes. Most notably, this mismatch may lead to incorrect forwarding behaviors such as forwarding loops and blackholes, ultimately hindering SDN deployment at the inter-domain level.

In this work, we make a first step towards verifying the correctness of inter-domain forwarding state with a focus on loop freedom while keeping private the SDN rules, as they comprise confidential routing information. To this end, we design a simple yet powerful primitive that allows two networks to verify whether their SDN rules overlap, i.e., the set of packets matched by these rules is non-empty, without leaking any information about the SDN rules. We propose an efficient implementation of this primitive by using recent advancements in Secure Multi-Party Computation and we then leverage it as the main building block for designing a system that detects Internet-wide forwarding loops among any set of SDN-enabled Internet eXchange Points.