Wednesday, December 11, 2013

Minimizing Network Complexity Through Integrated Top-Down Design

Presenter: Xin Sun
Authors: Xin Sun (Florida International University), Geoffrey Xie (Naval Postgraduate School)

The authors present a novel integrated design methodology to minimize network complexity.

E.g.: Reachability control: You want only the research and engineering teams to have access to a server, but not the sales team. If subnets are based on physical location, your filter needs one entry per host. Easy to make mistakes, difficult to maintain. If subnets are assigned based on team, the filter needs only 3 entries: one per team. BUT: how you assign subnets *also* impacts how complicated it is to configure your VLANs.

Takeaway from this example: if you don't consider all aspects of your network at once (e.g., subnets, VLANs, and filters), a design that simplifies one might make the others unnecessarily complex.
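A small worked example (added here; it is not from the paper or the authors) that makes the reachability example and this takeaway concrete: the same hosts are grouped into subnets once by location and once by team, and the two designs are scored on filter entries and VLAN trunk ports. Hosts, teams, buildings and the access policy are constructed, and the trunk-port model is a deliberately simplified assumption.

```python
from collections import defaultdict

# Constructed sample hosts: (name, team, building/switch). Every building
# mixes teams, which is what makes location-based subnets expensive to filter.
HOSTS = [
    ("h1", "research", "bldgA"), ("h2", "research", "bldgB"),
    ("h3", "engineering", "bldgA"), ("h4", "engineering", "bldgC"),
    ("h5", "sales", "bldgA"), ("h6", "sales", "bldgB"),
    ("h7", "sales", "bldgC"),
]
ALLOWED_TEAMS = {"research", "engineering"}  # policy: these may reach the server

def group_by(hosts, field):
    """Assign hosts to subnets (one VLAN per subnet) by tuple index `field`."""
    subnets = defaultdict(list)
    for host in hosts:
        subnets[host[field]].append(host)
    return dict(subnets)

def filter_entries(subnets):
    """Filter entries needed to enforce the policy with explicit permit/deny
    entries: one entry per subnet whose hosts all get the same verdict,
    otherwise one entry per host in that subnet."""
    total = 0
    for hosts in subnets.values():
        verdicts = {host[1] in ALLOWED_TEAMS for host in hosts}
        total += 1 if len(verdicts) == 1 else len(hosts)
    return total

def trunk_ports(subnets):
    """Simplified trunk-port model (assumption): a VLAN whose hosts sit on
    k > 1 switches needs one trunk port on each of those k switches."""
    total = 0
    for hosts in subnets.values():
        switches = {host[2] for host in hosts}
        if len(switches) > 1:
            total += len(switches)
    return total

def compare(hosts=HOSTS):
    """Return (filter entries, trunk ports) for both subnet assignments."""
    by_location, by_team = group_by(hosts, 2), group_by(hosts, 1)
    return {
        "by_location": (filter_entries(by_location), trunk_ports(by_location)),
        "by_team": (filter_entries(by_team), trunk_ports(by_team)),
    }

if __name__ == "__main__":
    for design, (rules, trunks) in compare().items():
        print(f"{design}: {rules} filter entries, {trunks} trunk ports")
```

With these hosts, location-based subnets need one filter entry per host but no trunk ports, while team-based subnets need one entry per team but every VLAN must be trunked across several switches; neither choice is free, which is the point of designing both at once.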

As a proof of concept, the authors present an algorithm for designing a local network that minimizes the number of filter rules and VLAN trunk ports subject to constraints (e.g., max num VLANs, max num rules, reachability policy must be enforced correctly).

To evaluate their work, they compare the network designed by their algorithm with two naive design heuristics: group hosts by location, or group hosts by team.

Q: Does the order in which you optimize aspects of your networks matter?
A: In our example, the stages are independent of one another. In the general case, 

Q: How does your algorithm interact w/ routing changes?
A: We assume filters are placed at the edge, so we could ignore routing. If filters are in the middle, the routing could also be a factor in the design process. Future work.