Nebula - The Future Internet Architecture

CS7002 Data Communications
The Nebula Future Internet Architecture
RANJAN DHAR
dharr@tcd.ie

Trinity College Dublin, The University of Dublin
Overview
• Three basic foundations of Nebula.
• Sponsored and supported by National Science
Foundation and CISCO systems.
• Focussed on a future network enabling enabling the
vision of cloud computing.

Motivation/Problem
• The bloom of Cloud Computing.
• Security of network.
• Broad applicability.

Motivation / Problem
“”We need a new network architecture !!!””
• Availability and Dependability.
• Cloud Computing have embraced weak consistency.
• Redefined security.
• Smarter network. (Flexible and Extensible)

Example ( Critical Application)
Monitor current glucose level
Monitor what was being eaten
Monitor exercise activity
Insulin infusion recommendation
Machine Learning

Enters “NEBULA”
• Nebula is an architecture for the cloud based future
Internet.
• Comprehensive, Clean slate and Reliable.
• Basic decisions include use of packet switching, multiple
paths & store-and-forward routers.
• Backbone of Data Centers.

Principles & Architecture
ARCHITECTURE
• Services provided by cloud data
centers.
• Multiple cloud providers, that use
replication
• Variety of access mechanisms.
• Transit networks to interconnect
data centers.
PRINCIPLES
• Ultra reliable interconnecting
data centers.
• Parallel paths between data
centers and core routers.
• Secure and authentic connection
establishment.
• Policy based path selection.

NEBULA – Building blocks
NEBULA
NCORE NDP NVENT
• Nebula Core Architecture.
• Nebula Data Plane.
• Nebula Virtual and Extensible Networking Techniques.

NEBULA

NEBULA (NCORE)
• High Performance Core Routers.
• Highly Reliable.
• Programmable.
• Load balancing.
• Supports features like Network Provence, failure detection
and path diversity.
• Problems can be diagnosed and repaired during runtime.
ROUTERS
FIRE

NEBULA(NCORE)
ROUTERS
Redundant paths.

SCENARIO’S

NEBULA (NDP)
• Primarily focussed on Distributed multiple path
establishment and policy enforcement.
• Policies may include security, privacy and fault tolerance
requests.
• Uses path verification mechanism known as ICING.
• Proof of Consent & Proof of Provenance.
• It must check whether the path is authorized.
• It must also check whether the authorized path was
followed.
DATA PLANE

NEBULA (NDP)
Data Plane
other
ﬁelds
payload...
hop 1
info
hop n
info
hop
#counter
Proof of
Consent
Proof of
Path
Domain ID
MPLS-style
token
42n bytes6 bytes 1 byte 6 bytes
42 bytes
• POC is basically a Cryptographic token.
• As packet traverses the path, it is incrementally marked with POP.
• Enforces network provenance by using POP.
• Denial of service attacks are much difficult to carry out. (Secure)

NEBULA (NVENT)
• Nebula Virtual and Extensible Networking Technology.
• NVENT embodies new control-plane technologies that
focus on policy specification, policy-based path setup and
service naming.
• NVENT uses declarative networking.
CONTROL PLANE

NEBULA (NVENT)
CONTROL PLANE

NEBULA (NVENT)
• Declarative Networking is a programming methodology
that enables developers to concisely
specify network protocols and services, which are directly
compiled to a dataflow framework that executes the
specifications.
• Just as BGP in the current Internet, NVENT provides a set
of default paths to ensure global reachability, but it also
provides an interface to NDP, which is available to users for
requesting custom paths, e.g., for applications that require
high reliability
CONTROL PLANE

NEBULA (NVENT)
CONTROL PLANE
NVENT
NDP
policy
engine
policy
engine
policy
engine
policy
engine
consent
engine
consent
engine
consent
engine
consent
engine
d
a
t
ad
a
t
a
1
2
2
3
4
5
path
req
path
spec
10
d
a
t
a
d
a
t
a
d
a
t
a
8 96 7
SLA
1
SLA
2 gst
employees
lan

PUTTING NEBULA TOGETHER

• Cell phone contacts NVENT & requests a path to NCORE.
• NVENT looks for path compiling to the policy and contacts
NDP policy server to obtain necessary POC’s.
• NVENT returns all the POC’s to the cell phone.
• Cell phone uses these POC’s to send packets via NDP to
nearest NCORE router.
• NCORE performs network provenance to verify the path and
forwards packets to Data Center.

• Nebula’s security can be related to the
immigration process.
• Detailed security with high efficiency.
• POP’s usually happen at boundaries.
• Policy Server may have 0 or more
policies.
• If Policies = 0, then DEFAULT DENY.
• Policies are cacheable.
• Policies can be queried by clients.
• Example: NEBULAPATH = HIPAA.

PROTOTYPE - ZODIAC

RESEARCH QUESTIONS ?
• ICING vs. TorIP vs. TaaS.
• Application interface to specify policy.
• Relationship between Policy enforcing plane and NCORE
routers still in flux.
• Organization contracts ?
• Name service implementation ?

NEBULA CONFIGURATION & OPERATION
• Policy Configuration – API level work in NVENT to
determine client requirements.
• Path Setup – Policy request.
• Forwarding - POC’s & POP’s.
• Naming – TorIP (ISP, ID) “ID indentifies a mailbox”
ICING (DNS augmented by policy enforcement)
www. foo . comEXAMPLE(ICING):
POC1 POC2
Remember POC’s
are cacheable

NEBULA ARCHITECTURAL CHOICES
Design Goal NEBULA
Communication must continue despite loss
of networks, links, or gateways.
NEBULA uses multiple dynamically allocated
paths and reliable transport.
Allow host attachment and operation with
a low level of effort
NVENT/NDP is as easy to automate and use
as DHCP/IP.
Support secure communication
(authentication, authorization, integrity,
confidentiality) among trusted nodes.
Mutually suspicious NDP nodes self-select
paths exhibiting cryptographic proofs of
properties required for security.
Provide a cost-effective communications
infrastructure
NCORE places resources where
architecturally needed; policy analysis.
Implement network and user policies Policies implemented with NDP and NVENT.
The architecture must accommodate a
variety of networks.
NDP sends packets by encapsulation, NVENT
networks by virtualization
The architecture must permit distributed
management of its resources.
NDP path establishment decentralized,
NVENT

FUTURE

HOW NEBULA WILL REDEFINE INTERNET ?
• From best effort to delivery assurance.
• Dynamic routers.
• Evolution in network rather than at end points.
• Revolutionising cloud infrastructure.

EVALUATION
• The design choices for NDP was strongly focused on the
following parameters:
1. Assured Paths.
2. Controlled Access.
3. Availability.
4. Autonomous control of resources.
5. Privacy enhanced communication.
“NDP provides a superset of the union of the features
provided by other projects.” Eg : BGP, Byzantine routing.
Average header = 250 bytes
Average packet = 1300 bytes
20 % more space

• Nebula is a future internet architecture that is intrinsically more
secure and addresses threats to the emerging computer utility
capabilities (cloud computing) while meeting the challenges of
flexibility, extensibility and economic viability.
• Architecture divided into NDP, NCORE and NVENT.
• Interconnecting data centers is the primary focus.
• Highly secure, realiable & efficient.
• Can be used in areas such as Biotelemetry & Defence.
SUMMARY

• Tom Anderson, Ken Birman, Robert Broberg, Matthew Caesar, Douglas Comer,
Chase Cotton, Michael J. Freedman, Andreas Haeberlen, Zachary G. Ives,
Arvind Krishnamurthy, William Lehr, Boon Thau Loo, David Mazières, Antonio
Nicolosi, Jonathan M. Smith, Ion Stoica, Robbert van Renesse, Michael
Walfish, Hakim Weatherspoon, and Christopher S. Yoo. The NEBULA Future
Internet Architecture, volume 7858 of LNCS. Springer Verlag, 2013.
• NEBULA project web page - http://nebula-fia.org/.
• Douglas Comer. A future Internet architecture that supports Cloud
Computing. In Proc. 6th International Conference on Future Internet
Technologies (CFI), June 2011.
• Andrei Agapi, Ken Birman, Robert M. Broberg, Chase Cotton, Thilo Kielmann,
Martin Millnert, Rick Payne, Robert Surton, and Robbert van Renesse. Routers
for the Cloud: Can the Internet achieve 5-nines availability? IEEE Internet
Computing, 15(5):72–77, 2011.
ACKNOWLEDGEMENTS

• Birman, K.P., Huang, Q., Freedman, D.: Overcoming the “D” in CAP: Using
Isis2 to build locally responsive cloud services. IEEE Internet Computing 12,
50–58 (2012)Aditya, P., Zhao, M., Lin, Y., Haeberlen, A., Druschel, P., Maggs,
B., Wishon, B.Reliable client accounting for hybrid contentdistribution
networks. In: Proc. NSDI(April 2012)
• Wenchao Zhou, Qiong Fei, Arjun Narayan, Andreas Haeberlen, Boon Thau
Loo, and Micah Sherr. 23rd ACM Symposium on Operating Systems Principles
(SOSP '11), Cascais, Portugal, Oct 2011. DOI 10.1145/2043556.2043584.
• Setty, S., McPherson, R., Blumberg, A.J., Walfish, M.: Making argument
systemsfor outsourced computation practical (sometimes). In: Proc. NDSS
(February 2012)
• Zhou,W., Fei, Q., Narayan, A., Haeberlen, A., Loo, B.T., Sherr, M.: Secure
network provenance. In: Proc. SOSP (October 2011)
ACKNOWLEDGEMENTS

Nebula - The Future Internet Architecture

Recommended

Recommended

More Related Content

Similar to Nebula - The Future Internet Architecture

Similar to Nebula - The Future Internet Architecture (20)

Recently uploaded

Recently uploaded (20)

Nebula - The Future Internet Architecture