xPF: Packet Filtering for Low-Cost Network Monitoring

The ever-increasing complexity in network infrastructures is making critical the demand for network monitoring tools. While the majority of network operators rely on low-cost open-source tools based on commodity hardware and operating systems, the increasing link speeds and complexity of network monitoring applications have revealed inefficiencies in the existing software organization, which may prohibit the use of such tools in high-speed networks. Although several new architectures have been proposed to address these problems, they require significant effort in re-engineering the existing body of applications. We present an alternative approach that addresses the primary sources of inefficiency without significantly altering the software structure. Specifically, we enhance the computational model of the Berkeley packet filter (BPF) to move much of the processing associated with monitoring into the kernel, thereby removing the overhead associated with context switching between kernel and applications. The resulting packet filter, called xPF, allows new tools to be more efficiently implemented and existing tools to be easily optimized for high-speed networks. We present the design and implementation of xPF as well as several example applications that demonstrate the efficiency of our approach

Safety and Performance in an Open Packet Monitoring Architecture

Packet monitoring arguably needs the flexibility of open architectures and active networking. A significant challenge in the design of open packet monitoring systems is how to effectively strike a balance between flexibility, safety and performance. In this paper we investigate the performance of FLAME, a system that emphasizes flexibility by allowing applications to execute arbitrary code for each packet received. Our system attempts to achieve high performance without sacrificing safety by combining the use of a type-safe language, lightweight run-time checks, and fine-grained policy restrictions. Experiments with our prototype implementation demonstrate the ability of our system to support representative application workloads on Bgit/s links. Such performance indicates the overall efficiency of our approach; more narrowly targeted experiments demonstrate that the overhead required to provide safety is acceptable

Virtual Private Services: Coordinated Policy Enforcement for Distributed Applications

Large scale distributed applications combine network access with multiple storage and computational elements. The distributed responsibility for resource control creates new security issues, caused by the complexity of the operating environment. In particular, policies at multiple layers and locations force conventional mechanisms such as firewalls and compartmented file storage into roles where they are clumsy and failure-prone. Our approach relies on two functional divisions. First, we split policy specification and policy enforcement, providing local autonomy within the constraints of the global security policy. Second, we create virtual security domains each with its own security policy. Every domain has an associated set of privileges and permissions restricting it to the resources it needs to use and the services it must perform. Virtual private services ensure security and privacy policies are adhered to through coordinated policy enforcement points

Flexible Network Monitoring with FLAME

Increases in scale, complexity, dependency and security for networks have motivated increased automation of activities such as network monitoring. We have employed technology derived from active networking research to develop a series of network monitoring systems, but unlike most previous work, made application needs the priority over infrastructure properties. This choice has produced the following results: (1) the techniques for general infrastructure are both applicable and portable to specific applications such as network monitoring; (2) tradeoffs can benefit our applications while preserving considerable flexibility; and (3) careful engineering allows applications with open architectures to perform competitively with custom-built static implementations. These results are demonstrated via measurements of the lightweight active measurement environment (LAME), its successor, flexible LAME (FLAME), and their application to monitoring for performance and security

Scalable Resource Control in Active Networks

The increased complexity of the service model relative to store-and-forward routers has made resource management one of the paramount concerns in active networking research and engineering. In this paper,we address two major challenges in scaling resource management-to-many-node active networks. The first is the use of market mechanisms and trading amongst nodes and programs with varying degrees of competition and cooperation to provide a scalable approach to managing active network resources. The second is the use of a trust-management architecture to ensure that the participants in the resource management marketplace have a policy-driven "rule of law" in which marketplace decisions can be made and relied upon. We have used lottery scheduling and the Keynote trust-management system for our implementation, for which we provide some initial performance indications

Managing Access Control in Large Scale Heterogeneous Networks

The design principle of maximizing local autonomy except when it conflicts with global robustness has led to a scalable Internet with enormous heterogeneity of both applications and infrastructure. These properties have not been achieved in the mechanisms for specifying and enforcing security policies. The STRONGMAN (for Scalable TRust Of Next Generation MANagement) system [9], [10] offers three new approaches to scalability, applying the principle of local policy enforcement complying with global security policies. First is the use of a compliance checker to provide great local autonomy within the constraints of a global security policy. Second is a mechanism to compose policy rules into a coherent enforceable set, e.g., at the boundaries of two locally autonomous application domains. Third is the "lazy instantiation" of policies to reduce the amount of state that enforcement points need to maintain. In this paper, we focus on the issues of scalability and heterogeneity

On the Impact of Practical P2P Incentive Mechanisms on User Behavior

In this paper we report on the results of a large-scale measurement study of two popular peer-topeer systems, namely BitTorrent and eMule, that use practical and lightweight incentive mechanisms to encourage cooperation between users. We focus on identifying the strategic behavior of users in response to those incentive mechanisms. Our results illustrate a gap between what system designers and researchers expect from users in reaction to an incentive mechanism, and how users react to those incentives. In particular, we observe that the majority of BitTorrent users appear to cooperate well, despite the existence of known ways to tamper with the incentive mechanism, users engaging in behavior that could be regarded as cheating comprised only around 10% of BitTorrent’s population. That is, although we know that users can easily cheat, they actually do not currently appear to cheat at a large enough scale. In the eMule system, we identify several distinct classes of users based on their behavior. A large fraction of users appears to perceive cooperation as a good strategy, and openly share all the files they obtained. Other users engage in more subtle strategic choices, by actively optimizing the number and types of files they share in order to improve their standing in eMule’s waiting queues; they tend to remove files for which downloading is complete and keep a limited total volume of files shared

On the Impact of Practical P2P Incentive Mechanisms on User Behavior

In this paper we report on the results of a large-scale measurement study of two popular peer-topeer systems, namely BitTorrent and eMule, that use practical and lightweight incentive mechanisms to encourage cooperation between users. We focus on identifying the strategic behavior of users in response to those incentive mechanisms. Our results illustrate a gap between what system designers and researchers expect from users in reaction to an incentive mechanism, and how users react to those incentives. In particular, we observe that the majority of BitTorrent users appear to cooperate well, despite the existence of known ways to tamper with the incentive mechanism, users engaging in behavior that could be regarded as cheating comprised only around 10% of BitTorrent’s population. That is, although we know that users can easily cheat, they actually do not currently appear to cheat at a large enough scale. In the eMule system, we identify several distinct classes of users based on their behavior. A large fraction of users appears to perceive cooperation as a good strategy, and openly share all the files they obtained. Other users engage in more subtle strategic choices, by actively optimizing the number and types of files they share in order to improve their standing in eMule’s waiting queues; they tend to remove files for which downloading is complete and keep a limited total volume of files shared