The January 2018 issue

Computer Communication Review (CCR) continues to promote reproducible research by encouraging the submission of papers providing artifacts (software, datasets, ...). The editorial board also evolves. Katherina Argyraki, Athina Markopoulos and Fabian Bustamante have stepped down after several years of service to our community. Thanks again for all your effort in handling papers submitted to CCR. I’m happy to announce that four new editors have agreed to serve the community: KC Claffy (CAIDA), Phillipa Gill (UMass), Anna Sperotto (University of Twente) and Hamed Haddadi (Imperial College).

The first three technical papers provide artefacts to enable other researchers to reproduce and expand their work. In Relaxing state-access constraints in stateful programmable data planes, C. Cascone and his colleagues propose a new model for pipelined stateful packet processing in hardware and evaluate this design with trace-driven simulations. They release their trace-driven simulator. In Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering, A. Reuter and his colleagues study interdomain routing security. After many discussions, the ISP community has agreed to deploy Route Origin Authorization (ROA) to improve the security of interdomain routing. As we are currently at the beginning of this deployment, little is known about how those ROAs are actually used by network operators. One question is whether network operators use ROAs to validate interdomain routes before accepting them. A. Reuter et al. first tried to reproduce a measurement methodology proposed in a recent paper that unfortunately did not release software or datasets. They explain why they could not reproduce those results and propose a more accurate methodology that enables them to correctly identify which network operators validate ROAs. They release the source code for their methodology and have launched a companion website that tracks this deployment at

In Open Connect Everywhere: A Glimpse at the Internet Ecosystem through the Lens of the Netflix CDN, T. Bottger and his colleagues analyse the role that Internet eXchange Points (IXPs) play in the deployment of a large content provider such as Netflix. K. Foerster et al. propose in Local Fast Failover Routing With Low Stretch new algorithms to reroute flows in case of failures. In Charting the Algorithmic Complexity of Waypoint Routing S. Amiri et al. provide an overview of algorithmic techniques to route flows through specific waypoints, e.g. to support Network Function Virtualisation. Finally, M. Arashloo et al. propose and evaluate A Scalable VPN Gateway for Multi-Tenant Cloud Services.

In addition to the technical papers, this issue also contains four editorial notes. The first editorial note, ex uno pluria: The Service-Infrastructure Cycle, Ossification, and the Fragmentation of the Internet, was initially written as a conference keynote by M. Ammar. In this note, he takes a step back and looks at some examples of successful deployments of network services. He identifies the Service-Infrastructure Cycle as one of the reasons to explain the success of some network services. P. Sermpezis reports in A Survey among Network Operators on BGP Prefix Hijacking the results of a recent survey that will be of interest for researchers working on interdomain routing or security.

The last two editorial notes discuss the reproducibility of networking research. In Thoughts and Recommendations from the ACM SIGCOMM 2017 Reproducibility Workshop, D. Saucez and L. Iannone summarise the main conclusions of a workshop organised during SIGCOMM 2017. Finally, M. Flittner et al. analyse in A Survey on Artifacts from CoNEXT, ICN, IMC, and SIGCOMM Conferences in 2017 the artifacts released by the authors of the papers published at CoNEXT, ICN, IMC and SIGCOMM last year. This survey shows that there is a growing interest in releasing artefacts within the broad SIGCOMM community.

I hope that you will enjoy reading this new issue and welcome comments and suggestions on CCR Online or by email at ccr-editor at

Olivier Bonaventure

CCR Editor

Relaxing state-access constraints in stateful programmable data planes

Carmelo Cascone, Roberto Bifulco, Salvatore Pontarelli, Antonio Capone


Supporting programmable stateful packet forwarding functions in hardware requires a tight balance between functionality and performance. Current state-of-the-art solutions are based on a very conservative model that assumes worst-case workloads. This finally limits the programmability of the system, even if actual deployment conditions may be very different from the worst-case scenario.

We use trace-based simulations to highlight the benefits of accounting for specific workload characteristics. Furthermore, we show that relatively simple additions to a switching chip design can take advantage of such characteristics. In particular, we argue that introducing stalls in the switching chip pipeline enables stateful functions to be executed in a larger but bounded time without harming the overall forwarding performance. Our results show that, in some cases, the stateful processing of a packet could use 30x the time budget provided by state of the art solutions.

Download the full article DOI:10.1145/3211852.3211854

A longitudinal study of IP Anycast

Danilo Cicalese, Dario Rossi


IP anycast is a commonly used technique to share the load of a variety of global services. For more than one year, leveraging a lightweight technique for IP anycast detection, enumeration and geolocation, we perform regular IP monthly censuses. This paper provides a brief longitudinal study of the anycast ecosystem, and we additionally make all our datasets (raw measurements from PlanetLab and RIPE Atlas), results (monthly geolocated anycast replicas for all IP/24) and code available to the community.

Download the full article DOI:10.1145/3211852.3211855

Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering

Andreas Reuter, Randy Bush, Italo Cunha, Ethan Katz-Bassett, Thomas C. Schmidt, Matthias Wählisch


A proposal to improve routing security—Route Origin Authorization (ROA)—has been standardized. A ROA specifies which network is allowed to announce a set of Internet destinations. While some networks now specify ROAs, little is known about whether other networks check routes they receive against these ROAs, a process known as Route Origin Validation (ROV). Which networks blindly accept invalid routes? Which reject them outright? Which de-preference them if alternatives exist?

Recent analysis attempts to use uncontrolled experiments to characterize ROV adoption by comparing valid routes and invalid routes. However, we argue that gaining a solid understanding of ROV adoption is impossible using currently available data sets and techniques. Instead, we devise a verifiable methodology of controlled experiments for measuring ROV. Our measurements suggest that, although some ISPs are not observed using invalid routes in uncontrolled experiments, they are actually using different routes for (non-security) traffic engineering purposes, without performing ROV. We conclude with presenting three AS that do implement ROV as confirmed by the operators.

Download the full article DOI:10.1145/3211852.3211856

Open Connect Everywhere: A Glimpse at the Internet Ecosystem through the Lens of the Netflix CDN

Timm Böttger, Felix Cuadrado, Gareth Tyson, Ignacio Castro, Steve Uhlig


The importance of IXPs to interconnect different networks and exchange traffic locally has been well studied over the last few years. However, far less is known about the role IXPs play as a platform to enable large-scale content delivery and to reach a world-wide customer base. In this paper, we study the infrastructure deployment of a content hypergiant, Netflix, and show that the combined worldwide IXP substrate is the major corner stone of its Content Delivery Network. This highlights the additional role that IXPs play in the Internet ecosystem, not just in terms of interconnection, but also allowing players such as Netflix to deliver significant amounts of traffic.

Download the full article DOI:10.1145/3211852.3211857

Local Fast Failover Routing With Low Stretch

Klaus-Tycho Foerster, Yvonne-Anne Pignolet, Stefan Schmid, Gilles Tredan


Network failures are frequent and disruptive, and can significantly reduce the throughput even in highly connected and regular networks such as datacenters. While many modern networks support some kind of local fast failover to quickly reroute flows encountering link failures to new paths, employing such mechanisms is known to be non-trivial, as conditional failover rules can only depend on local failure information.

While over the last years, important insights have been gained on how to design failover schemes providing high resiliency, existing approaches have the shortcoming that the resulting failover routes may be unnecessarily long, i.e., they have a large stretch compared to the original route length. This is a serious drawback, as long routes entail higher latencies and introduce loads, which may cause the rerouted flows to interfere with existing flows and harm throughput.

This paper presents the first deterministic local fast failover algorithms providing provable resiliency and failover route lengths, even in the presence of many concurrent failures. We present stretch-optimal failover algorithms for different network topologies, including multi-dimensional grids, hypercubes and Clos networks, as they are frequently deployed in the context of HPC clusters and datacenters. We show that the computed failover routes are optimal in the sense that no failover algorithm can provide shorter paths for a given number of link failures.

Download the full article DOI:10.1145/3211852.3211858

Charting the Algorithmic Complexity of Waypoint Routing

Saeed Akhoondian Amiri, Klaus-Tycho Foerster, Riko Jacob, Stefan Schmid


Modern computer networks support interesting new routing models in which traffic flows from a source s to a destination t can be flexibly steered through a sequence of waypoints, such as (hardware) middleboxes or (virtualized) network functions (VNFs), to create innovative network services like service chains or segment routing. While the benefits and technological challenges of providing such routing models have been articulated and studied intensively over the last years, less is known about the underlying algorithmic traffic routing problems.

The goal of this paper is to provide the network community with an overview of algorithmic techniques for waypoint routing and also inform about limitations due to computational hardness. In particular, we put the waypoint routing problem into perspective with respect to classic graph theoretical problems. For example, we find that while computing a shortest path from a source s to a destination t is simple (e.g., using Dijkstra’s algorithm), the problem of finding a shortest route from s to t via a single waypoint already features a deep combinatorial structure.

Download the full article DOI: 10.1145/3211852.3211859

A Scalable VPN Gateway for Multi-Tenant Cloud Services

Mina Tahmasbi Arashloo, Pavel Shirshov, Rohan Gandhi, Guohan Lu, Lihua Yuan, Jennifer Rexford


Major cloud providers offer networks of virtual machines with private IP addresses as a service on the cloud. To isolate the address space of different customers, customers are required to tunnel their traffic to a Virtual Private Network (VPN) gateway, which is typically a middlebox inside the cloud that internally tunnels each packet to the correct destination. To improve performance, an increasing number of enterprises connect directly to the cloud provider’s network at the edge, to a device we call the provider’s edge (PE). PE is a chokepoint for customer’s traffic to the cloud, and therefore a natural candidate for implementing network functions concerning customers’ virtual networks, including the VPN gateway, to avoid a detour to middleboxes inside the cloud.

At the scale of today’s cloud providers, VPN gateways need to maintain information for around a million internal tunnels. We argue that no single commodity device can handle these many tunnels while providing a high enough port density to connect to hundreds of cloud customers at the edge. Thus, in this paper, we propose a hybrid architecture for the PE, consisting of a commodity switch, connected to a commodity server which uses Data-Plane Development Kit (DPDK) for fast packet processing. This architecture enables a variety of network functions at the edge by offering the benefits of both hardware and software data planes. We implement a scalable VPN gateway on our proposed PE and show that it matches the scale requirements of today’s cloud providers while processing packets close to line rate.

Download the full article DOI: 10.1145/3211852.3211860

ex uno pluria: The Service-Infrastructure Cycle, Ossification, and the Fragmentation of the Internet

Mostafa Ammar


In this article I will first argue that a Service-Infrastructure Cycle is fundamental to networking evolution. Networks are built to accommodate certain services at an expected scale. New applications and/or a significant increase in scale require a rethinking of network mechanisms which results in new deployments. Four decades-worth of iterations of this process have yielded the Internet as we know it today, a common and shared global networking infrastructure that delivers almost all services. I will further argue, using brief historical case studies, that success of network mechanism deployments often hinges on whether or not mechanism evolution follows the iterations of this Cycle. Many have observed that this network, the Internet, has become ossified and unable to change in response to new demands. In other words, after decades of operation, the Service-Infrastructure Cycle has become stuck. However, novel service requirements and scale increases continue to exert significant pressure on this ossified infrastructure. The result, I will conjecture, will be a fragmentation, the beginnings of which are evident today, that will ultimately fundamentally change the character of the network infrastructure. By ushering in a ManyNets world, this fragmentation will lubricate the Service-Infrastructure Cycle so that it can continue to govern the evolution of networking. I conclude this article with a brief discussion of the possible implications of this emerging ManyNets world on networking research.

Download the full article DOI: 10.1145/3211852.3211861

A Survey among Network Operators on BGP Prefix Hijacking

Pavlos Sermpezis, Vasileios Kotronis, Alberto Dainotti, Xenofontas Dimitropoulos


BGP prefix hijacking is a threat to Internet operators and users. Several mechanisms or modifications to BGP that protect the Internet against it have been proposed. However, the reality is that most operators have not deployed them and are reluctant to do so in the near future. Instead, they rely on basic – and often inefficient – proactive defenses to reduce the impact of hijacking events, or on detection based on third party services and reactive approaches that might take up to several hours. In this work, we present the results of a survey we conducted among 75 network operators to study: (a) the operators’ awareness of BGP prefix hijacking attacks, (b) presently used defenses (if any) against BGP prefix hijacking, (c) the willingness to adopt new defense mechanisms, and (d) reasons that may hinder the deployment of BGP prefix hijacking defenses. We expect the findings of this survey to increase the understanding of existing BGP hijacking defenses and the needs of network operators, as well as contribute towards designing new defense mechanisms that satisfy the requirements of the operators.

Download the full article DOI: 10.1145/3211852.3211862