SCIONLAB


Introduction

Hello everyone. Today I will present a paper named SCIONLAB, A Next-Generation Internet Testbed. The paper describes what a new internet could look like: it presents the SCIONLAB architecture and its core design, and explains how it is implemented and operated.

Before we get started, I would like to introduce some background information. The author found four negative aspects of today’s internet: poor availability, limited path control, lack of transparency, and insecure end-to-end communication.



For example

Regarding poor availability, even a well-connected entity still has 90 seconds of unavailability per day, during which it cannot reach other entities. A brief outage appears whenever routes change in the Border Gateway Protocol (BGP), short-term routing loops cause delay, and misconfigurations or internet attacks also cause outages.

Currently, the internet offers limited path control. A network path can therefore be hijacked and redirected to a different part of the internet. The affected entity may not realize that it has been hijacked; it only sees that the latency on the network path has increased. BGP today also gives limited control over inbound traffic. It does not support multipath communication, which limits the load-balancing abilities of the sender and the receiver.

Nontransparent means that the sender cannot guarantee that a packet will travel along a particular path, and that there are no trust roots that we can rely upon.

As for insecure end-to-end communication, an attacker can use a fake certificate to capture the communication between two end users. Because of weak security properties, the current internet authentication infrastructures do not guarantee scalability of trust.

Based on these negative aspects, the current internet needs high availability and path control, with the end-to-end communication path jointly controlled by the ISP, the sender and the receiver to achieve transparency and security. SCION was designed to address these problems.



Because SCIONLAB is based on the SCION Internet architecture

I would like to talk briefly about SCION. SCION stands for Scalability, Control, and Isolation On Next-generation networks. SCION improves security on various levels, such as protection against malicious autonomous systems (ASes), and provides path control and transparency over the forwarded path and trusted routes. Furthermore, SCION carries the forwarding information in the packet header, which provides substantial scalability and efficiency by eliminating packet state on the routers.

The SCION network infrastructure comprises over 35 ASes interconnected through nodes. The network serves over 600 users in different countries across the globe. SCION guarantees reliability by integrating heterogeneous systems into the network, providing a reliable connection to all the users connected to it.

Furthermore, the SCIONLAB Coordinator regulates resource allocation between the network and the users to guarantee seamless networking with comprehensive network topology and user setups.



To fully understand the SCION network’s key elements

It is essential to evaluate its background and essential elements. SCION is a clean-slate secure internet architecture designed to guarantee reliability in the presence of high traffic and resource demands. SCION also ensures network traffic security and transparency while providing a reliable network to many users.

SCION has proved reliable compared to other network architectures such as NIRA, Pathlets and RINA due to its unique properties such as security, multipath communication, and path-aware networking. The network architecture went through five generations of development with around 150 contributors. With such a large team and extensive development life cycle, the network architecture is expected to have fewer bugs than the current systems.

SCION is organized into independent routing planes that connect existing autonomous systems through a set of ASes forming the ISD (isolation domain) core. The ISD cores define the trust roots of the ASes, issue certificates for the network connections between ASes within an ISD, and provide interconnection between multiple ISDs.



Apart from Security

SCION provides reliable path forwarding and a scalable routing infrastructure through the end hosts. The end hosts obtain interdomain path segments and combine them to form end-to-end interdomain paths. The interdomain path information is recorded in the path header before forwarding. Network security comes from embedded cryptography that restricts path construction to the route policies of the internet service providers and the users.

Therefore, the network can provide significant path choices to the internet service providers, senders, and receivers. The approach guarantees path-aware communication that is expected to revolutionize internet communication. Path-aware communication enables the sender to choose the best path for data transfer, enabling dynamic traffic optimization, improving the effectiveness of DDoS defense, and facilitating rapid failover in case of network failures.

Now, let’s look at some of the significant components of SCION network topology.



Control plane

The control plane acts as the pathfinder of the autonomous systems connected in the network. The path is chosen according to the routing policies of the users and the ISPs in the network. The control plane is also responsible for protecting interdomain network paths. To determine suitable paths in SCION, the AS beacon service sends a path-segment construction beacon (PCB) to the neighboring ASes. The recipient ASes add the sender information to the path segment, then forward the new path information according to their routing policy.

The segment also encodes the identifiers of the ingress or egress interfaces of the two neighboring ASes, facilitating high network reliability even when handling an extensive network of identical ASes. Apart from path exploration, the control plane also handles path registration in the ISD core. The beaconing process leads to the discovery of different paths, which are stored with their corresponding path servers in the ISD core. The path finder stores path information in a database to facilitate quick path finding for new requests.

The control plane also handles the path resolution process. Upon receiving a path request from an end host, the local path service generates several possible end-to-end paths and sends them to the end host. All control plane information is encrypted and digitally signed with a certificate that can be verified through another certificate issued by the control plane public key infrastructure, which is operated by the certificate service in every AS. Therefore, the network is expected to maintain a high level of security and transparency across all its control planes.



Data Plane

SCION uses border routers to facilitate inter-AS packet forwarding between users. All data packets forwarded through the network contain the forwarding information in the packet headers for easy and efficient decoding. The packet header encodes per-AS information containing the message authentication code, ingress, expiry time, and the egress link identifier.

The authentication code enables each AS to cryptographically validate its data, further improving the whole network’s security and transparency. After receiving a data packet, the border router verifies the path information’s accuracy. It then sends the packet to the next border router in the path stated.

However, the network also supports multiple interdomain communication for forwarding packet data from SCION ingress to a SCION egress route of a particular AS, through IP switching and MPLS. When data is sent through interdomain communication, the appropriate header is added by the ingress border router and then removed by the egress border router at the destination. Therefore, the border routers do not keep any interdomain routing tables in their database.
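The per-AS header check described in this section, sketched as an added example (not code from the paper or the SCION project): each AS authenticates its own hop entry with a MAC over the ingress, egress and expiry fields, so a border router can validate a packet with only its AS key and no routing table. HMAC-SHA256 from the Python standard library stands in for the MAC, and the AS names, keys, field widths and the chaining of each MAC to the previous hop are assumptions of this sketch.

```python
import hashlib
import hmac
import struct

MAC_LEN = 6  # truncated tag length, an assumption of this sketch

# Constructed sample data: (AS name, ingress interface, egress interface).
# Interface 0 marks the end of the path inside the source/destination AS.
SAMPLE_HOPS = [("AS-A", 0, 2), ("AS-B", 1, 5), ("AS-C", 3, 0)]
SAMPLE_KEYS = {
    "AS-A": b"constructed-key-A",
    "AS-B": b"constructed-key-B",
    "AS-C": b"constructed-key-C",
}


def hop_mac(as_key, ingress, egress, expiry, prev_mac):
    """MAC one AS computes over its own hop entry.

    Binding in the previous hop's MAC (assumption of this sketch) ties the
    entry to its position in the path, so entries cannot be re-spliced.
    """
    msg = struct.pack("!HHI", ingress, egress, expiry) + prev_mac
    return hmac.new(as_key, msg, hashlib.sha256).digest()[:MAC_LEN]


def build_path(hops, keys, expiry):
    """Control-plane side: every AS on the path authenticates its entry."""
    path, prev = [], b""
    for name, ingress, egress in hops:
        mac = hop_mac(keys[name], ingress, egress, expiry, prev)
        path.append({"as": name, "ingress": ingress, "egress": egress,
                     "expiry": expiry, "mac": mac})
        prev = mac
    return path


def forward(path, keys, now):
    """Data-plane side: each border router re-computes the MAC of its own
    hop entry from the packet header and its AS key, then checks expiry.

    Returns (True, [egress interfaces taken]) or
            (False, (failing hop index, reason)).
    """
    prev, taken = b"", []
    for i, hop in enumerate(path):
        expected = hop_mac(keys[hop["as"]], hop["ingress"], hop["egress"],
                           hop["expiry"], prev)
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(expected, hop["mac"]):
            return False, (i, "bad MAC")
        if now > hop["expiry"]:
            return False, (i, "expired")
        taken.append(hop["egress"])
        prev = hop["mac"]
    return True, taken


if __name__ == "__main__":
    path = build_path(SAMPLE_HOPS, SAMPLE_KEYS, expiry=1000)
    print("valid path:   ", forward(path, SAMPLE_KEYS, now=900))

    # A sender rewrites the egress interface of the second AS.
    tampered = [dict(hop) for hop in path]
    tampered[1]["egress"] = 9
    print("tampered path:", forward(tampered, SAMPLE_KEYS, now=900))

    print("after expiry: ", forward(path, SAMPLE_KEYS, now=1001))
```
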



After looking at the SCION network architecture

Let’s now explore the SCIONLAB architecture. SCIONLAB provides a global network using the SCION network to provide an experimental testbed for ASes. Different types of ASes can be connected to the network for experimentation purposes. During the connection, a global coordinator organizes the interconnectivity of all the entities in the system. The SCIONLAB network administrator controls the network infrastructure and the Coordinator. The network provides many nodes that the ASes can coordinate with to form part of the SCIONLAB network.

Within the lab network, there are two major types of ASes depending on the operator. The infrastructure AS is run by the network administrator, while the user AS is run by the users. Both types of ASes are standard SCION ASes with all the capabilities of actual ASes. Therefore, the lab infrastructure corresponds closely to the real-world SCION network infrastructure. Some infrastructure ASes have nodes that offer connectivity to user ASes. Furthermore, SCIONLAB operates with full cryptographic support, allowing each ISD to determine its trust roots.

The user’s life cycle begins with an account created on the SCIONLAB website. The administrator provides the AS configuration after the user selects the best node to connect to. The user AS begins to receive beacons from the AS of the chosen node. The user AS registers its down path where it can be reached through the SCIONLAB network. Every user is allocated similar bandwidth; however, users can get more bandwidth by operating an attachment point. Therefore, a user who operates an attachment point offers a connection to other users within the network.



The SCIONLAB topology was constructed to provide many device routings.

Each AS becomes part of the network, creating a reliable and scalable global network. Network users need to demonstrate their desired connections under various network conditions during a test, so SCIONLAB provides parameters that can be altered to generate different network constraints.

SCIONLAB also follows the SCION AS numbering format, where every AS is given a 64-bit number. The first 16 bits are the ISD identification number and the last 48 bits are the AS identification number. Apart from the AS numbering, the Coordinator also issues a unique ASN to each AS in the network. New users also obtain an X.509-based certificate authenticated by the core AS’s private keys. All the details of the AS used to facilitate certification and authentication are stored in the Coordinator database.
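The 16/48-bit split as an added example (not SCIONLAB's own code): packing and unpacking the 64-bit identifier, plus the `ISD-AS` text notation that SCION uses, which this page does not describe (decimal ISD, a hyphen, then the AS number in decimal if it fits a 32-bit BGP ASN and otherwise as three 16-bit hex groups). The sample identifiers are constructed.

```python
import string

ISD_BITS, AS_BITS = 16, 48
MAX_ISD = (1 << ISD_BITS) - 1
MAX_AS = (1 << AS_BITS) - 1
MAX_BGP_AS = (1 << 32) - 1  # AS numbers up to here are written in decimal


def pack_ia(isd, asn):
    """Combine a 16-bit ISD and a 48-bit AS number into one 64-bit value."""
    if not 0 <= isd <= MAX_ISD:
        raise ValueError(f"ISD {isd} does not fit in {ISD_BITS} bits")
    if not 0 <= asn <= MAX_AS:
        raise ValueError(f"AS {asn} does not fit in {AS_BITS} bits")
    return (isd << AS_BITS) | asn


def unpack_ia(ia):
    """Split a 64-bit value into (ISD, AS): top 16 bits, low 48 bits."""
    if not 0 <= ia < (1 << 64):
        raise ValueError("identifier does not fit in 64 bits")
    return ia >> AS_BITS, ia & MAX_AS


def format_ia(ia):
    """Render the identifier in ISD-AS text notation."""
    isd, asn = unpack_ia(ia)
    if asn <= MAX_BGP_AS:
        as_txt = str(asn)
    else:
        as_txt = "%x:%x:%x" % (asn >> 32, (asn >> 16) & 0xFFFF, asn & 0xFFFF)
    return f"{isd}-{as_txt}"


def parse_ia(text):
    """Parse ISD-AS text notation into the 64-bit value, rejecting anything
    that would silently overflow either field."""
    isd_txt, sep, as_txt = text.partition("-")
    if not sep or not (isd_txt.isascii() and isd_txt.isdigit()):
        raise ValueError(f"malformed ISD in {text!r}")
    if ":" in as_txt:
        groups = as_txt.split(":")
        if len(groups) != 3:
            raise ValueError(f"expected three hex groups in {text!r}")
        asn = 0
        for group in groups:
            if not 1 <= len(group) <= 4 or any(
                    c not in string.hexdigits for c in group):
                raise ValueError(f"bad hex group {group!r} in {text!r}")
            asn = (asn << 16) | int(group, 16)
    else:
        if not (as_txt.isascii() and as_txt.isdigit()):
            raise ValueError(f"malformed AS number in {text!r}")
        asn = int(as_txt)
        if asn > MAX_BGP_AS:
            raise ValueError(f"decimal AS number too large in {text!r}")
    return pack_ia(int(isd_txt), asn)


if __name__ == "__main__":
    for sample in ("16-ffaa:1:abc", "16-64512"):  # constructed identifiers
        value = parse_ia(sample)
        print(sample, hex(value), unpack_ia(value), format_ia(value))
```
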

SCIONLAB is designed with different features to handle resource sharing within the network. Due to the challenges experienced in sharing computation resources, SCIONLAB is designed with a bring-your-own-computation approach. Therefore, every researcher can bring computation resources that suit their needs and environment.



Furthermore

SCIONLAB supports third-party cloud hosts, enabling the researchers to scale their computing capacity at will. The Coordinator coordinates network resource allocation, ensuring that all the network resources are allocated fairly to all the users. However, to improve the allocation process, a QoS system is proposed. A researcher can do user initialization through the website provided by the administrator.

Upon receiving the initialization information, the administrator issues a unique AS number, a public key certificate, and cryptographic keys used to connect and secure data transfer. SCIONLAB runs on Linux and can be accessed by other systems through a virtual machine. Therefore, users can connect to the network from a large number of systems. A user AS also supports end hosts running different applications by configuring the SCION stack on the host, enabling it to use the path and certificate services and the user’s border routers.

For users who may not want to run the AS services, installing only the SCION end host is supported. The end host joins an existing AS to communicate with the path and certificate services, obtaining the relevant path and certificate information, which are then used to complete the data transfer. The end host can also use a QUIC or UDP socket to select the best path among the available options.



Now let’s look at how SCIONLAB can be implemented for research purposes.

Even though SCIONLAB began as an experimental testbed, it received massive support in its first year. Therefore, the system was reconfigured and made available to the public through a coordinator web service that allows new users to join the network at any moment. Over the years, the system has gone through significant changes to improve its versatility and reliability. Furthermore, the Coordinator and all other associated software were made open source to improve availability and accelerate development.

SCIONLAB was implemented through a Coordinator that consists of a web interface, a database, and a backend. The public accesses the system through the website, where a new user registers by providing an email address, user name and organization. After email verification, a new user can initiate a new user AS registration through the online platform. The event handler handles the request for new user ASes, populates the database with the required information, and updates the necessary infrastructure.

After the registration process is complete, the event handler sends the user the service configuration files in the correct format. After that, the infrastructure handler updates the service configuration and the topologies for the attachment nodes and makes the necessary adjustments in the database. The database also stores the state of the SCIONLAB network infrastructure, ensuring that all the network infrastructure is updated at all times through a push notification system.



There are several ways to deploy the SCIONLAB ASes with considerable automation.

The simplest way to deploy the SCIONLAB network is to use a virtual machine configuration obtained from the Coordinator. The configuration can be used to deploy SCIONLAB on any Ubuntu 18.04 based virtual machine. To deploy SCIONLAB in a fully automated manner, one can use VirtualBox with Vagrant.

The configuration files contain a get folder that initiates a connection to the chosen node. The configuration also installs the necessary SCION applications within the virtual environment and forwards the correct port to the host system. Therefore, the user does not have to worry about the type of applications and operations to perform. Furthermore, the virtual machine installation is automatically updated when new updates are released.

However, some users may prefer to install the AS on a dedicated host instead of the conventional virtual machine environment. For such users, a Debian packaging style is allowed. The user is then instructed on the commands to execute and the correct configuration to generate the right package.

Some users may also want to build the service from source instead of using the available configuration methods. In such a case, the Coordinator provides a developer-friendly configuration that can be used. SCIONLAB was also introduced for Android devices through a SCION app that facilitated running a SCION AS attached to the SCIONLAB network on a smartphone.



Apart from the local deployment, SCIONLAB also supports global deployment.

To achieve global connectivity, SCIONLAB is deployed in reliable global network infrastructures. Furthermore, a large number of organizations participate in the SCIONLAB network as non-core ASes. These organizations contribute to the network topology by providing network connectivity such as local peer-to-peer connections and multihoming.

For large ISPs, however, the core servers and the multi-software border routers are replaced with ISP-compatible resources. Some of the major ISPs available in the network include Swisscom and SWITCH. The network is operated through ISD 16, which leverages the Amazon EC2 system to provide multiple routes worldwide. The global system also provides the capability to use redundant links for path revocation, enabling users to take advantage of all the idle resources within the network.

The SCIONLAB system also provides reliable systems to facilitate network evaluation. The evaluation benchmark was conducted on an Intel-based machine with a 2.9 GHz CPU and 16 GB of RAM. The PT was set to 5, the RT to 5, and the BSS also to 5. During the benchmark testing, no other routing policy was set. The evaluation results provided insight into some of the significant constraints and network behavior that every researcher should note.


The number of ASes downstream of a node was found to affect the path exploration speed significantly.

The impact arises from the fact that the beacon updates the PCBs with their ingress and egress interface IDs depending on the number of ASes available downstream. Therefore, fewer ASes available downstream lead to fewer updates, which speeds up the path exploration process. The PCB processing time of the end nodes remained constant, as expected.

The evaluation also determined that the processing time increased by 23 ms upon adding a new AS downstream. However, considering that the average degree of ASes in the current internet is about 6, the network’s performance is still sufficient to support internet-like path exploration. Furthermore, an increase in path registration time was observed as the number of ASes increased.

Path registration time increased from 3.3 ms to 15 ms upon the addition of 100 ASes to the system. Therefore, it is clear that the downstream ASes do not have a significant impact on the path registration process. The behavior is attributed to the fact that the servers only check the registration packet’s authenticity using the AS certificate provided. Therefore, the delay may be caused by the rapid introduction of new path registration requests by file system processes. However, the registration process can be optimized through registration scheduling.



Packet processing was also one of the critical operations evaluated during the test.

The packet processing time was determined by measuring the time the processor took to forward a packet from the moment it received the packet. The processing time included the time taken to validate and route the packet and to parse its payload. To obtain reproducible results, the evaluators eliminated all other processes apart from the border routers. Even though packet processing time depends on the packet size, all the packets were processed in under 20 nanoseconds. However, it is possible to speed up the process through kernel bypassing.

CPU resource consumption increased with the number of ASes downstream. However, only a 36% increase was noted upon adding 100 downstream ASes, indicating that computation for beacon message construction does not significantly increase when many ASes are added to the system. The memory usage was also quite efficient, as only 50 MB were used to support 100 downstream ASes.

Furthermore, the test indicated that the core path server required only reasonable resources in most cases. The evaluation team encourages researchers using a large number of ASes to implement local path servers to reduce the load on the core path server leading to a reduction in the path exploration time. SCIONLAB network managed to achieve a low latency through optimization of the path-aware network system. The path-aware network system enables the end hosts to choose the most optimized path for packet transfer.



At this point

It is essential to explore some of the projects built on the SCIONLAB network and the network’s long-term viability. Path quality prediction is an essential network topology quality that is very hard to obtain from the current network testbeds. However, research on path quality has been achieved in the SCIONLAB by changing the path conditions and evaluating the path prediction model’s performance. SCIONLAB has also facilitated resource fairness and monitoring, enabling researchers to monitor bandwidth allocation on multiple paths.

Furthermore, due to the multiple security properties offered by the SCIONLAB network, blockchain platforms can be tested in the network. The unlimited reachability of the available internet weakens the security of the packets sent. However, each AS in the SCIONLAB network can express its desired path and security level through packet awareness. Furthermore, the network entities can only express path availability to trusted entities, providing reasonable security against path misuse.

SCIONLAB also provides automatic regular updates as new networking procedures arise. Users are also notified in advance of any backward compatibility issues that might affect them. Therefore, the system is expected to maintain its integrity and usability over a long time. Furthermore, the administrators run regular checks on all the network entities to detect any failures that might affect a user of a node.



Therefore, the administrators are always aware of any significant changes in stability and performance.

Furthermore, the SCIONLAB system also comes with a service management system that monitors the SCION application status. The service management system automatically restarts crashed applications. Crash logs and status data are also collected for further investigations.

However, the system still experiences several challenges that affect its reliability and usability. A large number of users operating behind NAT devices were not authorized to implement the port forwarding rules. The challenge was resolved through the implementation of an OpenVPN mechanism on each attached server. The current topology relies on Amazon Web Services for the backbone ISD. Therefore, the project might incur high long-term costs, as the cost depends on the bandwidth use.

However, there is a plan to collaborate with international network research partners to reduce the bandwidth cost. Furthermore, the network depends on the Coordinator as the central authority, which makes it vulnerable because the Coordinator is a single point of failure. However, the coordinators may be located in multiple locations, managing different sections of the network infrastructure. Therefore, there is still a possibility to have multiple coordinators within the network. The SCIONLAB team expects the network to expand to various universities and cloud-based research centers.



In conclusion

SCIONLAB provides a suitable testbed for next-generation interdomain research activities. SCIONLAB introduced various services that are expected to improve the research process and the reliability of the results obtained. Users can create their ASes with custom cryptographic keys to take part in the global interdomain routing. Furthermore, the test resources can be scaled to meet real-world applications without a significant change in the core elements.

Since researchers use their own computation infrastructure, the results are expected to match the target systems chosen as the test system. SCIONLAB also provides resources to conduct new networking research such as path-aware communication and multipath transport protocols while maintaining a high security level through the AS-level certificates. Therefore, SCIONLAB is expected to expand over time to cater to many researchers developing novel network communication protocols.
