Optimization of Relay Placement for Scalable
Virtual Private LAN Services
Mohammad Borhani
Linköping University
Linköping, Sweden
mohammad.borhani@liu.se
Ioannis Avgouleas
Linköping University
Linköping, Sweden
ioannisavgouleas@gmail.com
Andrei Gurtov
Linköping University
Linköping, Sweden
gurtov@acm.org
ABSTRACT
Virtual Private LAN Services are becoming popular for securely connecting geographically dispersed devices to a common protected LAN network isolated from the rest of the Internet. Traditional IP routing protocols cannot provide such connectivity; thus an overlay network of encrypted HIP/IPsec tunnels can be used instead. However, the number of full-mesh tunnels between communicating devices grows exponentially with the number of devices, thereby suggesting the investigation of alternatives. The introduction of relaying, which entails selecting a subset of hub routers to retain full-mesh connectivity, allows non-hub routers, the so-called spokes, to maintain connectivity via a hub. In this work, we study the effect of relay-based routing that minimizes the number of hubs, the connection cost between spokes and hubs, the cost of connecting hubs, and the hubs deployment cost. Additionally, we prove that this minimization problem is NP-hard and, thus, intractable for large scale networks. Therefore, we propose an algorithm with provable guarantees that provides an approximate but efficient solution. Initial simulation results indicate a reduction by more than 90% in the memory required for routing tables at the expense of a minor increase in the tunnel path length.
CCS CONCEPTS
• Networks → Network design principles; Network Design; • Theory of computation → Discrete optimization; • Mathematics of computing → Mathematical optimization.
KEYWORDS
Virtual Private LAN Services, Routing, Host Identity Protocol, Approximation Algorithm
ACM Reference Format:
Mohammad Borhani, Ioannis Avgouleas, and Andrei Gurtov. 2022. Optimization of Relay Placement for Scalable Virtual Private LAN Services. In ACM SIGCOMM 2022 Workshop on Future of Internet Routing & Addressing (FIRA '22), August 22, 2022, Amsterdam, Netherlands. ACM, New York, NY, USA, 7 pages. https://doi.org/10.1145/3527974.3545719
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
FIRA '22, August 22, 2022, Amsterdam, Netherlands
© 2022 Copyright held by the owner/author(s). Publication rights licensed to ACM.
ACM ISBN 978-1-4503-9328-7/22/08.
https://doi.org/10.1145/3527974.3545719
1 INTRODUCTION
A massive number of devices with heterogeneous requirements are being connected through the Internet daily. These include smart sensors, valve controls, and traffic lights, among others. Recent studies have revealed thousands of such devices online per medium-size country, often using outdated insecure protocols such as Modbus [10]. Such devices are often hard to patch and contain known vulnerabilities that can be exploited in botnets such as Mirai. Thus, there is a clear need to hide such devices from the public Internet, yet allowing authorized connectivity for remote data management and updates.
The concept of Virtual Private LAN Services (VPLS) is based on an idea to combine islands of such devices into a single virtual local-area network using a set of encrypted tunnels [6, 11, 17]. Programmable gateways at each island intercept Address Resolution Protocol (ARP) requests targeted to other islands, and capture and encapsulate LAN packets for tunneling over the Internet. The Host Identity Protocol (HIP) offers an appropriate method to establish IPsec ESP tunnels with a base exchange, maintain them with keep-alive UPDATE messages and gracefully close them when not needed. HIP can be viewed as one internetworking architecture aiming to implement the identifier/locator split. Furthermore, other identifier/locator separation approaches exist, such as the Locator/Identifier Separation Protocol (LISP). However, since HIP encompasses end-to-end security, mobility and multi-homing, we are primarily concerned with a seamless integration of VPLS with HIP [19].
As VPLS uses a single broadcast domain, it has multiple benefits, including low communication latency, support for legacy protocols, and cost-effective installation and maintenance, thereby reducing CAPEX and OPEX. The popularity of VPLS is encouraged by the fact that companies such as Cisco, Juniper, and Nokia are working on VPLS [2, 13, 20]. Moreover, HIP-based VPLS (HIPLS) is successfully implemented, for example, by Tempered Networks in the USA [23]. Their deployment scenarios include securely connecting several hundred buildings of a university campus, wind generators of an electrical company, and a network of ATM machines. HIPLS allows devices to communicate in a LAN-like configuration while, at the same time, being hardly accessible for breaching their defense using the Internet. Additionally, the increasing scale of VPLS networks gives rise to challenges such as optimal tunnel management, performance and fault-tolerance.
Maintaining a full-mesh of all-to-all gateway tunnels is inefficient, since limited ternary content-addressable memory (TCAM) constrains the number of tunnels to a few thousand per gateway. Thus, it makes sense to dynamically establish and close the tunnels based on the current traffic patterns between device islands. By utilizing the concept of relaying [14], packets can be forwarded through another gateway with an already active tunnel, thereby reducing the need of activating a new gateway router. However, added latency must be considered as VPLS traffic is often of real-time nature. Finally, to address the single point of failure of using only the main tunnel, multiple existing paths with appropriate delay for fault-tolerance should be considered.
Figure 1: Memory footprint of the routing tables in an example secure HIPLS network with four PEs using: (A) full-mesh and (B) relay-based routing (the studied approach). In the latter, only the hub PEs are fully-meshed thereby realizing great memory savings for the spoke PEs at the expense of a minor increase in the tunnel path length for connecting spoke PEs.
Somewhat surprisingly, even if relaying for Multi-Protocol Label Switching (MPLS) was studied, e.g., in [1], this is the first paper to consider relaying for encrypted tunnels. This paper makes the following contributions:
• We propose and formulate the "Relay Placement Problem (RPP)" for programmable tunnel gateways to minimize the cost of activating and deploying hub and spoke routers for relay-based routing.
• We prove that RPP is NP-hard.
• We develop an approximation algorithm to offer a polynomial-time solution to the RPP problem, with a guaranteed approximation factor.
• Numerical experiments for different scenarios, including real-world topologies, demonstrate that our proposed algorithm decreases the overall amount of router memory required by more than 90% and lowers network provider costs at the expense of a minor increase in the paths traversed by packets.
The rest of the paper is organized as follows. In Section 2, we give a brief introduction to VPLS. Section 3 formulates the relay placement problem and develops an approximate but efficient algorithmic solution. Section 4 discusses the results. Last, Section 5 concludes the paper and gives directions for future work.
2 BRIEF INTRODUCTION TO VPLS
VPLS is a Layer 2 provider-provisioned VPN that allows multi-point-to-point connection between remote customer sites via a provider network. A usual VPLS deployment has multiple key components including:
• Customer Network: This is the VPLS network's user. It is composed of numerous sites that are geographically dispersed and completely managed by the user. A global manufacturer, a national health care provider, or an energy cooperative are a few examples of VPLS users.
• Provider Network: This is the VPLS underlay network that allows tunnels to be established. The provider networks are typically Layer 3 networks that use common network protocols such as MPLS or IP.
• Provider Edge Equipment (PE): PEs are the gateways for customer network traffic and are located at the provider's network's edge. PEs also have a thorough understanding of the VPLS network. Tunnels are constructed between PEs.
• Customer Edge Equipment (CE): CEs are the interconnecting devices between the customer and provider networks. CEs are owned by the customer and located on the customer's premises.
HIPLS is the secure VPLS architecture containing a logical security layer for managing VPLS security services. HIPLS offers payload encryption, a secure control protocol, protection from IP attacks, and PE authentication [11, 18].
3 RELAY PLACEMENT PROBLEM (RPP)
3.1 Overview
To interconnect PEs, the provider creates a full-mesh of HIP tunnels via the IP/MPLS-based provider network. However, this reachability model forces routing tables in PEs to grow large. For the sake of illustration, we show a HIPLS network with four sites (connecting via CEs) in Figure 1. In a full-mesh setup, each PE should install four routes (prefixes) to ensure connectivity. Furthermore, the fact that each PE in a VPLS design can potentially be connected to numerous CEs increases the size of the PE routing table exponentially.
The concept of relaying can be employed to decrease the growth of entries in routing tables. The relaying strategy selects a small subset of PEs as hub nodes while retaining full-mesh reachability [14]. This allows non-hub PEs, known as spoke PEs, to reach other PEs by relaying through a specified hub PE. Relaying, as shown in Figure 1 (B), can substantially reduce the routing entries on the spoke PEs at the expense of more traffic being relayed on the provider network, which could increase latency for the customer sites.
Selecting the hub routers for relaying involves minimizing the number of hubs, as fewer hubs reduce the PE memory footprint and lower hubs' installation and maintenance costs. Moreover, the traffic between two spoke PEs is possibly rerouted via a hub PE over an indirect path.
Raghunath et al. [21] investigated the structure of VPNs and discovered that the hub-spoke architecture is employed in VPNs. Kim et al. [14] explored scalable routing for MPLS L3VPN as an optimization problem. Our work differs from theirs as we consider secure VPLS as our target network. Furthermore, our problem formulation takes into account various costs (for instance, spokes-to-hub and hub installation cost) and provides a minimum cost tree that spans the hubs.
3.2 Problem Formulation
We define the core network within the provider network to only contain hub PEs. In other words, a core network is a set of interconnected hub PEs that are responsible nodes for relaying data. Furthermore, transferring traffic between hub PEs within the core network incurs switching costs for the network provider. The following steps are involved in deploying the relaying architecture within the HIPLS network:
• Hub PE selection: This step considers selecting a set of PEs as the hubs for data transmission with the aim of minimizing the hubs' installation and maintenance costs. Other non-hub PEs will be considered as spokes.
• Hub PE assignment: Connecting each spoke PE to its designated hub PE accomplishes this step.
• The hubs link selection: The last stage entails choosing links (edges) to connect all hub PEs, with the goal of picking links that lower the total cost of connection between hub nodes.
We define the Relay Placement Problem (RPP) in HIPLS as follows: the provider network is modeled as an undirected graph $G = (V, E)$, where $V = \{PE_1, PE_2, \ldots, PE_n\}$ is the set containing all PEs in the network. $E$ denotes the set of edges (links) that connect the PEs, and $c : E \to \mathbb{Q}^{+}$ represents the cost of edges. Latency, bandwidth, and the cost to use specific links are among the possible metrics for edge costs. $\mathcal{F} \subseteq V$ denotes the set containing possible locations for installation of hub PEs, and spoke PEs are represented by $\mathcal{D} \subseteq V$. The solution to RPP considers selecting a set of active hub PEs denoted by $F$ such that $F \subseteq \mathcal{F}$. Then, each spoke PE $j$ ($j \in \mathcal{D}$) is assigned to some hub PE. Let $x_{ij}$ denote a binary variable indicating whether the spoke $j$ is connected to hub $i$. Additionally, $y_i = 1$ denotes whether hub $i$ should be activated, and $d_{ij}$ is the communication cost between spoke PE $j$ and hub PE $i$ (the cost of routing with respect to the edge costs connecting spoke $j$ to hub $i$). Moreover, $a_i$ denotes the cost of activating hub $i$ that is configured by the network provider, and represents the deployment and maintenance cost of hubs.
Finally, the Steiner tree $T$, the tree with the minimum cost that spans all hub PEs, should be constructed to ensure the connectivity of hub PEs. We formulate RPP within the HIPLS network as:
$$(P)\quad \text{minimize} \sum_{i \in F} \sum_{j \in \mathcal{D}} d_{ij} x_{ij} + N \sum_{k \in T.edges} c(k) + \sum_{i \in F} a_i y_i \qquad (1)$$
The term $\sum_{i \in F} a_i y_i$ in $(P)$ calculates the opening cost of hub PEs; the second term, i.e., $N \sum_{k \in T.edges} c(k)$, captures the Steiner cost to connect all hub PEs via the Steiner tree $T$, in which $N \geq 1$ is a parameter to represent the cost of connecting hub PEs in the core network. The connection cost between spoke PEs and hub PEs is captured by $\sum_{i \in F} \sum_{j \in \mathcal{D}} d_{ij} x_{ij}$.
Problem $(P)$ is a network design problem, i.e., an NP-hard problem [5]. Although the RPP seems to be formulated easily, it is a difficult problem to solve efficiently (unless P = NP), making the exact solution intractable for medium to large networks. As a result, we provide an approximation scheme for RPP, which produces solutions with reasonable running times in practice, as opposed to exact methods, which are computationally expensive.
3.3 Approximation Algorithm for RPP
Some of the most well-known NP-hard network design problems can be approximated using simple randomized algorithms [7]. A class of these algorithms, known as Sample-Augment (SA) algorithms, is based on the idea of selecting a random sample from the problem input, solving a subproblem, and finally augmenting the result with the solution to the original problem [8, 9].
We define the Sample-Augment problem for a minimization problem $\mathcal{P}$ as follows:
(1) Define $\mathcal{K} = \{1, \ldots, n\}$ as a set containing elements, and the sampling probability for the elements as $(p_1, \ldots, p_n)$.
(2) $\mathcal{P}_{sp}(K)$ is defined as the subproblem for any $K \subseteq \mathcal{K}$.
(3) For any $K \subseteq \mathcal{K}$ and the solution to the previous step's subproblem (i.e., $Sol_{sp}(K)$), the augmentation problem is defined as $\mathcal{P}_{aug}(K, Sol_{sp}(K))$.
The SA algorithm executes the following steps:
• Obtaining independent samples from $\mathcal{K}$ based on the sampling probability.
• Finding the solution to the defined subproblem and the augmentation problem (for the random sample obtained in the previous step).
• The SA algorithm outputs the aggregate solution to the subproblem and augmentation problem as the final solution.
Formulating RPP as a minimization problem yields a variation of the uncapacitated facility location problem (UFLP) and the Steiner tree problem. Without hubs connection requirements (i.e., removing the Steiner tree problem from (1)), the $(P)$ problem becomes a UFLP instance, which has been shown to be NP-hard and is widely investigated in the literature.
Algorithm 1 applies a well-established approximation algorithm to obtain a good solution for the Spoke-to-Hub (SH) assignment problem, which we will introduce shortly, to choose which hub PEs to open from the list of candidate hub locations. Then, in the sampling step of Algorithm 1, each spoke PE is marked independently with probability $\beta$, and in the solution to the SH assignment problem, we activate the hub PEs to which the marked PEs are allocated. Algorithm 1 applies connection requirements on the marked PEs by using an approximated solution to the Steiner tree problem [16, 22] to link the hub PEs and extends this solution to include the open hubs (augmentation step).
Algorithm 1: Approximation Algorithm for RPP.
1  $\gamma \in (0, 1]$;
2  $F \leftarrow \emptyset$;
3  $\beta \leftarrow \gamma / N$;
   /* Solving UFLP */
4  Execute the 3-approximation algorithm for the Spokes-to-Hubs $(SH)$ Assignment problem, and obtain the solution as $H = (F_H, x_{ij})$;
   /* Sampling */
5  Sample (mark) a spoke PE at random;
6  Sample every other non-marked spoke PE independently with probability $\beta$;
7  Let $M = \{$set of marked PEs$\}$;
   /* Augmentation */
8  for all $i \in F_H$ if $(\{j \mid j \in \mathcal{D} \text{ and } x_{ij} = 1\} \cap M \neq \emptyset)$ then
9      $F$.add($i$);
10 end
11 Execute the 2-approximated Steiner Tree $T$ on the set $M$;
12 Augment $T$ by adding the shortest paths between each spoke PE $j \in M$ and its associated hub PE;
13 Find a tree $T''$ which spans $F$;
14 Allocate each spoke PE $j \in \mathcal{D}$ to its closest hub PE in $F$;
15 return $\{F, T''\}$
3.4 Spokes-to-Hubs (SH) Assignment
The problem of assigning spoke to hub PEs can be formulated as follows:
$$(SH)\quad \text{minimize} \sum_{i \in F} \sum_{j \in \mathcal{D}} d_{ij} x_{ij} + \sum_{i \in F} a_i y_i \qquad (2a)$$
subject to
$$\sum_{i \in F} x_{ij} \geq 1, \quad \forall j \in \mathcal{D} \qquad (2b)$$
$$x_{ij} \leq y_i, \quad \forall j \in \mathcal{D} \text{ and } i \in F \qquad (2c)$$
$$x_{ij} \in \{0, 1\}, \quad \forall j \in \mathcal{D} \text{ and } i \in F \qquad (2d)$$
$$y_i \in \{0, 1\}, \quad \forall i \in F \qquad (2e)$$
Constraint (2b) forces each spoke to be assigned to at least one hub. By (2c), only active hubs can be assigned to spokes, and the last two constraints set the domain of the binary decision variables.
3.4.1 Approximation Algorithm of Spokes-to-Hubs $(SH)$ Assignment. Since $(SH)$ is a form of the Uncapacitated Facility Location Problem (UFLP), which has been shown to be NP-hard, we use the 3-approximation algorithm based on the primal-dual schema and Lagrangian relaxation to approximate its exact solution [12].
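The following Python program is an added example, not code from the paper or its authors. It implements the structure of Algorithm 1 (Section 3.3) on top of the Spokes-to-Hubs step of Section 3.4: mark one spoke, mark every other spoke independently with probability $\beta = \gamma / N$, open the hubs to which marked spokes are assigned, connect the open hubs with a Kou-Markowsky-Berman closure MST (the 2-approximate Steiner tree), re-assign every spoke to its closest open hub, and evaluate objective (1). The SH subproblem is solved here by a plain greedy heuristic (`greedy_sh_assignment`), an assumption of this example that does not carry the 3-approximation guarantee of the primal-dual algorithm of [12]; the function names, the six-PE link list, the opening costs $a_i$ and the factor $N$ are likewise constructed for the example.

```python
import random

INF = float("inf")


def all_pairs_shortest(n, links):
    """Floyd-Warshall over the undirected provider graph G = (V, E).
    links: (u, v, cost) triples; d[i][j] is the routing cost d_ij between
    PEs i and j under the edge-cost function c."""
    d = [[0.0 if u == v else INF for v in range(n)] for u in range(n)]
    for u, v, w in links:
        d[u][v] = min(d[u][v], w)
        d[v][u] = min(d[v][u], w)
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if d[i][k] + d[k][j] < d[i][j]:
                    d[i][j] = d[i][k] + d[k][j]
    return d


def greedy_sh_assignment(d, candidates, spokes, a):
    """Line 4 of Algorithm 1: the SH / UFLP subproblem (2a)-(2e).
    Greedy stand-in (assumption of this example) for the primal-dual
    3-approximation: open the candidate minimising a_i + sum_j d_ij, then
    keep opening the hub whose connection savings exceed its opening cost
    a_i by the largest margin.  Returns (open hubs F_H, spoke -> hub)."""
    first = min(candidates, key=lambda i: a[i] + sum(d[i][j] for j in spokes))
    hubs = [first]
    assign = {j: first for j in spokes}          # x_ij = 1  <=>  assign[j] == i
    while True:
        best, best_gain = None, 0.0
        for i in candidates:
            if i in hubs:
                continue
            saving = sum(max(0.0, d[assign[j]][j] - d[i][j]) for j in spokes)
            if saving - a[i] > best_gain:
                best, best_gain = i, saving - a[i]
        if best is None:
            break
        hubs.append(best)
        for j in spokes:
            if d[best][j] < d[assign[j]][j]:
                assign[j] = best
    return hubs, assign


def closure_mst(d, terminals):
    """Prim's MST on the metric closure of `terminals` (Kou-Markowsky-Berman):
    its weight is within a factor 2 of the optimal Steiner tree spanning
    them.  Returns (weight, list of closure edges)."""
    terms = list(terminals)
    if len(terms) <= 1:
        return 0.0, []
    in_tree, edges, total = {terms[0]}, [], 0.0
    while len(in_tree) < len(terms):
        u, v = min(((u, v) for u in in_tree for v in terms if v not in in_tree),
                   key=lambda e: d[e[0]][e[1]])
        in_tree.add(v)
        edges.append((u, v))
        total += d[u][v]
    return total, edges


def rpp_cost(d, hubs, assign, a, N):
    """Objective (1): spoke-to-hub connection cost + N * Steiner cost over
    the open hubs + hub opening cost."""
    connection = sum(d[assign[j]][j] for j in assign)
    steiner, _ = closure_mst(d, hubs)
    opening = sum(a[i] for i in hubs)
    return connection + N * steiner + opening


def sample_augment_rpp(d, candidates, spokes, a, N, gamma=0.33, seed=0):
    """Sample-Augment for RPP following the line structure of Algorithm 1."""
    rng = random.Random(seed)
    beta = gamma / N                                              # line 3
    f_h, x = greedy_sh_assignment(d, candidates, spokes, a)       # line 4
    marked = {rng.choice(spokes)}                                 # line 5
    marked |= {j for j in spokes if j not in marked and rng.random() < beta}  # line 6
    hubs = [i for i in f_h if any(x[j] == i for j in marked)]     # lines 8-10
    # Lines 11-13: the tree over the marked spokes plus their spoke-to-hub
    # paths touches every open hub, so the tree T'' spanning F is taken
    # directly as the closure MST over the open hubs.
    _, tree = closure_mst(d, hubs)
    final = {j: min(hubs, key=lambda i: d[i][j]) for j in spokes}  # line 14
    return hubs, final, tree, rpp_cost(d, hubs, final, a, N)


# Constructed toy provider network: two clusters of three PEs joined by one
# expensive link; every PE is both a candidate hub location and a spoke.
LINKS = [(0, 1, 1.0), (1, 2, 1.0), (0, 2, 1.5),
         (3, 4, 1.0), (4, 5, 1.0), (3, 5, 1.5), (2, 3, 5.0)]
N_PE = 6
DIST = all_pairs_shortest(N_PE, LINKS)
OPEN_COST = [3.0] * N_PE      # a_i, constructed
CORE_FACTOR = 2.0             # N in (1), constructed

if __name__ == "__main__":
    hubs, assign, tree, cost = sample_augment_rpp(
        DIST, list(range(N_PE)), list(range(N_PE)), OPEN_COST, CORE_FACTOR)
    print("hubs:", hubs, "assignment:", assign, "tree:", tree, "cost:", cost)
```

On this instance the greedy SH step opens one hub per cluster ({2, 4}); depending on which spokes the sampling marks, the augmentation keeps one or both of them, and the objective (1) reported at the end is always recomputed from the final hub set and assignment rather than from the SH solution.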
Table 1: Routing Entries for mid-size AS network with supported CE (1-10).
#Entries in Routing Tables for All PEs
#PEs | Full-mesh | Hub-Spoke | #Hubs
100 | 50100 | 2092 | 3
150 | 109950 | 3794 | 5
200 | 192800 | 7879 | 7
250 | 302250 | 9889 | 7
300 | 440100 | 12303 | 9
Theorem 1. By using the 3-approximation algorithm for the SH assignment problem, the 2-approximation for the Steiner Tree problem, and a proper choice of $\beta$ [3], Algorithm 1 is an expected 6.6-approximation algorithm for the RPP problem.
Proof. See Appendix A.
4 EVALUATION AND DISCUSSION
To evaluate the proposed algorithm's performance, we implemented Algorithm 1 on a PC running Windows 10 (4-core 2.60 GHz CPU), equipped with 8 GB of RAM. For performance evaluation, we employed various types of provider network topologies, including:
• AS Network Topology: Since VPLS can be employed in large-scale networks and there exists a demand for using VPLS across multiple Autonomous Systems (AS), we generate an AS network graph with the properties stated in [4].
• Backbone Network Topology: We utilized backbone topologies from The Internet Topology Zoo [15] to evaluate the path traversal in hub-spoke.
Table 1 compares the number of routing entries installed in all PEs for full-mesh and hub-spoke. As motivated by the example in Figure 1, the total number of routing entries in full-mesh equals #PE × #routing entries of each PE, in which the latter term for each PE is calculated by summing the number of CEs in the network.
The number of routing entries for all PEs in hub-spoke is obtained by adding the routing entries installed for each spoke and hub PE in the network. The number of routing entries for a spoke PE is comprised of the number of its supported CEs plus the number of hubs to which the spoke PE is connected. Furthermore, because the hub PE should contain all of the network's routing information, the number of routing entries in the hub PE is computed by adding all supported CEs in the network. Table 1 shows that for a random number of CEs chosen from the interval (1-10), the number of installed routing entries is significantly reduced by leveraging the hub-spoke relaying.
Figure 2 depicts the cost of the solution (i.e., summing the connection cost between spoke PEs and hub PEs, the opening cost of hub PEs and the cost of connecting all hub PEs in the Steiner Tree) for the proposed Algorithm 1 and random hub placement. In random hub placement, a subset of PEs is randomly chosen to be hub PEs such that the number of hubs in both approaches (Random Hub Placement and Algorithm 1) is the same. Moreover, in random hub placement, spoke PEs are randomly assigned to hubs. Figure 2 shows that Algorithm 1 generates less costly solutions for RPP than random hub placement.
Figure 2: Solution cost for Random Hub Placement vs. Algorithm 1.
Figure 3 illustrates the number of routing entries for large-scale AS networks (400 to 800 PEs) in full-mesh. Furthermore, the routing entries for hub-spoke for the same networks are depicted in Figure 4. Obviously, as the number of PEs in the network grows, the routing entries also increase. However, the increase is significantly greater with full-mesh. As a result, hub-spoke may be effectively used in large networks.
Figure 3: Routing entries for a full-mesh large-scale AS Network.
In hub-spoke data transmission, the source node transfers data to its corresponding hub. The data is then forwarded to the second hub associated with the destination PE, if necessary. Finally, the data is sent to the final PE destination through the second hub. We used the two backbone networks to evaluate the additional path taken by the hub-spoke, in which each link (edge) of the network graph is represented by the distance between the corresponding nodes (PEs) creating that link in kilometers. Furthermore, a random number of PEs is chosen to create source_destination pairings for communication. The average amount of routing cost (i.e., path length with respect to the edge cost) in the hub-spoke divided by the same value for full-mesh is the ratio for several selections of random source_destination pairs in Table 2. The average increase in path length in traversed distance caused by the hub-spoke design is represented by this ratio. Table 2 includes the ratio for both backbones with the 95% confidence interval reported.
Table 2: Comparison of path traversed by full-mesh vs hub-spoke.
Extra Path Traversed by Hub-Spoke
Network | Location | #Nodes | Ratio | Margin of Error
Backbone, Transit | US | 51 | 1.387 | 1.3873 ± 0.115 (±8.26%)
Backbone, Customer | NL | 50 | 1.536 | 1.5361 ± 0.0774 (±5.04%)
Figure 4: Routing entries for a hub-spoke large-scale AS Network.
In the next experiment, we used Mininet to implement HIPLS in full-mesh and hub-spoke for a network topology in the USA. We purposefully chose a geographically dispersed network graph to examine the proposed approach in the extreme hub-spoke scenarios, in which relaying can add considerable latency¹. In Mininet, the propagation delay of the link was estimated using the distance between nodes. Figure 5 depicts the Mininet simulation results from four distinct scenarios. In hub-spoke scenarios, Algorithm 1 is given the network graph and the cost of placing a hub in the network as inputs, and the output contains the number of hubs and their locations, as well as the spokes' associations with hubs. Comparing the HIPLS (secure HIP-based VPLS) and IP connectivity (no security) shows the cost of the delay one should pay to secure the VPLS network (5.553 ms more delay to secure full-mesh VPLS). Comparing HIPLS and IP connectivity in both full-mesh and hub-spoke stressed, as predicted, that offering relaying imposes an increase in path length (higher RTT delay) to decrease routing entries in PEs. For instance, the HIPLS needs to endure an extra 3.685 ms delay in hub-spoke compared to full-mesh on average RTT.
¹ http://www.topology-zoo.org/maps/Compuserve.jpg
Figure 5: Mininet latency experiment for full-mesh and hub-spoke.
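As an added example (not code from the paper or its authors), the following Python reproduces the two measurements of this section on a constructed six-PE backbone: the routing-entry counting model behind Table 1 (a hub holds every CE route in the network; a spoke holds its own CEs plus one entry per hub it tunnels to) and the Table 2 path-stretch ratio, where the relayed path is source → hub(source) → hub(destination) → destination and the full-mesh path is the shortest path over the link lengths. The link lengths in kilometres, the CE counts, the hub set, the function names and the normal-approximation 95% interval on the per-pair ratios are all assumptions of this example.

```python
import random
import statistics

INF = float("inf")


def shortest_paths(n, links):
    """Floyd-Warshall over the backbone graph; links carry (u, v, km) and
    d[u][v] is the full-mesh path length, i.e. the direct tunnel's cost."""
    d = [[0.0 if u == v else INF for v in range(n)] for u in range(n)]
    for u, v, km in links:
        d[u][v] = d[v][u] = min(d[u][v], km)
    for k in range(n):
        for i in range(n):
            for j in range(n):
                d[i][j] = min(d[i][j], d[i][k] + d[k][j])
    return d


def routing_entries(ces, hubs, spoke_hubs):
    """Counting model behind Table 1.
    ces[p]     : number of CEs behind PE p
    hubs       : set of hub PEs (each holds every CE route in the network)
    spoke_hubs : spoke PE -> set of hubs it keeps a tunnel to
    Returns (full-mesh entries, hub-spoke entries) summed over all PEs."""
    total_ces = sum(ces)
    full_mesh = len(ces) * total_ces             # #PE x (#CEs in the network)
    hub_spoke = 0
    for p, c in enumerate(ces):
        if p in hubs:
            hub_spoke += total_ces               # hub: all routing information
        else:
            hub_spoke += c + len(spoke_hubs[p])  # spoke: own CEs + its hubs
    return full_mesh, hub_spoke


def relay_path(d, hub_of, s, t):
    """Hub-spoke path s -> hub(s) -> hub(t) -> t.  hub_of maps every PE to
    its hub (a hub maps to itself), so a hop collapses to zero whenever the
    endpoint already is the hub or both ends share a hub."""
    hs, ht = hub_of[s], hub_of[t]
    return d[s][hs] + d[hs][ht] + d[ht][t]


def path_stretch(d, hub_of, pairs):
    """Table 2 metrics over the sampled source_destination pairs:
    ratio  = average hub-spoke cost / average full-mesh cost,
    mean   = mean of the per-pair ratios,
    margin = 95% half-width of that mean, 1.96 * s / sqrt(n) (normal
             approximation; an assumption of this example)."""
    hs = [relay_path(d, hub_of, s, t) for s, t in pairs]
    fm = [d[s][t] for s, t in pairs]
    per_pair = [h / f for h, f in zip(hs, fm)]
    ratio = sum(hs) / sum(fm)
    mean = statistics.mean(per_pair)
    n = len(per_pair)
    margin = 1.96 * statistics.stdev(per_pair) / n ** 0.5 if n > 1 else 0.0
    return ratio, mean, margin


# Constructed six-PE backbone (link lengths in km) with hubs {1, 4}.
LINKS = [(0, 1, 100), (1, 2, 150), (2, 3, 300), (3, 4, 120),
         (4, 5, 80), (0, 2, 200), (3, 5, 220)]
DIST = shortest_paths(6, LINKS)
HUBS = {1, 4}
HUB_OF = {0: 1, 1: 1, 2: 1, 3: 4, 4: 4, 5: 4}
CES = [2, 3, 1, 4, 2, 3]                         # constructed CE counts per PE
SPOKE_HUBS = {p: {HUB_OF[p]} for p in range(6) if p not in HUBS}

if __name__ == "__main__":
    print("routing entries (full-mesh, hub-spoke):",
          routing_entries(CES, HUBS, SPOKE_HUBS))
    rng = random.Random(1)
    pairs = [tuple(rng.sample(range(6), 2)) for _ in range(20)]
    ratio, mean, margin = path_stretch(DIST, HUB_OF, pairs)
    print(f"ratio {ratio:.3f}, mean per-pair ratio {mean:.4f} ± {margin:.4f}")
```

The two estimators in `path_stretch` mirror the two numbers per row of Table 2: the ratio of averages and the mean of the per-pair ratios with its interval. Pairs whose endpoints sit in the same cluster (such as 3 and 5 here) see no stretch at all, while cross-cluster pairs pay the full detour through both hubs, which is what drives the average up on a geographically dispersed backbone.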
5 CONCLUSIONS AND FUTURE WORK
We studied the relay placement problem in the context of Virtual Private LAN Services. To our knowledge, this is the first attempt to extend the VPN relaying problem to the case of encrypted tunnels between the PE nodes with the Host Identity Protocol (HIP). Although the main problem is intractable due to NP-hardness, we propose a fast approximation algorithm. Initial simulations show that it can decrease fast memory demands in PE nodes up to a hundred times with proper hub-spoke relays, compared to a full tunnel mesh between PE nodes. This comes at a moderate increase in the latency, as VPLS often carries real-time traffic expecting LAN-level delays.
We currently lack accurate traffic pattern and topology data for real-world VPLS deployments. We plan to construct realistic topologies based on deployment scenarios by the Tempered company (tempered.io). One such scenario includes connecting several hundred buildings within a university campus to a VPLS. Another is connecting all wind generators within a single energy provider together. Obviously, traffic patterns can also be very different, ranging from all-to-all communication closer to a full-mesh of tunnels, up to strictly leaf devices reporting to a single server. We will use these data to improve the accuracy of our model and simulations.
ACKNOWLEDGMENT
This work was in part supported by the Excellence Center at Linköping
Lund in Information Technology (ELLIIT) and Graduate School
in Computer Science (CUGS).
REFERENCES
[1] MohammadHossein Bateni, Alexandre Gerber, Mohammad Taghi Hajiaghayi, and Subhabrata Sen. 2009. Multi-VPN Optimization for Scalable Routing via Relaying. In INFOCOM 2009. IEEE, 2756–2760.
[2] Cisco. 2019. Cisco VPLS Project. https://www.cisco.com/c/en/us/products/ios-nx-os-software/virtual-private-lan-services-vpls
[3] Friedrich Eisenbrand, Fabrizio Grandoni, Thomas Rothvoß, and Guido Schäfer. 2008. Approximating Connected Facility Location Problems via Random Facility Sampling and Core Detouring. In Proceedings of the Nineteenth Annual ACM-SIAM Symposium on Discrete Algorithms (SODA '08). Society for Industrial and Applied Mathematics, USA, 1174–1183.
[4] Ahmed Elmokashfi, Amund Kvalbein, and Constantine Dovrolis. 2010. On the Scalability of BGP: The Role of Topology Growth. IEEE Journal on Selected Areas in Communications 28 (2010), 1250–1261.
[5] Michael R. Garey and David S. Johnson. 1979. Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman & Co., USA.
[6] Kuntal Gaur, Anshuman Kalla, Jyoti Grover, Mohammad Borhani, Andrei Gurtov, and Madhusanka Liyanage. 2021. A Survey of Virtual Private LAN Services (VPLS): Past, Present and Future. Computer Networks 196 (2021).
[7] Anupam Gupta, Amit Kumar, Martin Pál, and Tim Roughgarden. 2007. Approximation via Cost Sharing: Simpler and Better Approximation Algorithms for Network Design. J. ACM 54, 3 (2007).
[8] Anupam Gupta, Amit Kumar, and Tim Roughgarden. 2003. Simpler and Better Approximation Algorithms for Network Design. In Proceedings of the Thirty-Fifth Annual ACM Symposium on Theory of Computing (STOC '03). Association for Computing Machinery, New York, NY, USA, 365–372.
[9] Anupam Gupta, Martin Pál, R. Ravi, and Amitabh Sinha. 2004. Boosted Sampling: Approximation Algorithms for Stochastic Optimization (STOC '04). Association for Computing Machinery, New York, NY, USA, 417–426.
[10] David Hasselquist, Abhimanyu Rawat, and Andrei Gurtov. 2019. Trends and Detection Avoidance of Internet-Connected Industrial Control Systems. IEEE Access 7 (2019), 155504–155512.
[11] T. Henderson, S. Venema, and D. Mattes. 2011. HIP-based virtual private LAN service (HIPLS). Internet Draft, IETF (2011).
[12] Kamal Jain and Vijay V. Vazirani. 2001. Approximation Algorithms for Metric Facility Location and k-Median Problems Using the Primal-Dual Schema and Lagrangian Relaxation. J. ACM 48, 2 (2001), 274–296.
[13] Juniper. 2019. Juniper Networks-VPLS. https://www.juniper.net/documentation/junos/topics/concept/vpls-security-overview.html
[14] Changhoon Kim, Alexandre Gerber, Carsten Lund, Dan Pei, and Subhabrata Sen. 2008. Scalable VPN Routing via Relaying. In Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems (SIGMETRICS '08). ACM, New York, NY, USA, 61–72.
[15] Simon Knight, Hung X. Nguyen, Nickolas Falkner, Rhys Bowden, and Matthew Roughan. 2011. The Internet Topology Zoo. IEEE Journal on Selected Areas in Communications 29 (2011), 1765–1775.
[16] L. Kou, George Markowsky, and L. Berman. 1981. A Fast Algorithm for Steiner Trees. Acta Informatica 15 (1981), 141–145.
[17] Madhusanka Liyanage and Andrei Gurtov. 2013. A scalable and secure VPLS architecture for provider provisioned networks. In 2013 IEEE Wireless Communications and Networking Conference (WCNC). IEEE, 1115–1120.
[18] Madhusanka Liyanage, Jude Okwuibe, Mika Ylianttila, and Andrei Gurtov. 2015. Secure Virtual Private LAN Services: An overview with performance evaluation. In 2015 IEEE International Conference on Communication Workshop (ICCW). 2231–2237.
[19] Pekka Nikander, Andrei Gurtov, and Thomas R. Henderson. 2010. Host Identity Protocol (HIP): Connectivity, Mobility, Multi-Homing, Security, and Privacy over IPv4 and IPv6 Networks. IEEE Communications Surveys & Tutorials 12 (2010), 186–204.
[20] Nokia. 2019. Nokia VPLS Course. https://networks.nokia.com/src/course/virtual-private-lan-services
[21] Satish Raghunath, K. K. Ramakrishnan, Shivkumar Kalyanaraman, and Chris Chase. 2004. Measurement Based Characterization and Provisioning of IP VPNs. In Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement (IMC '04). ACM, New York, NY, USA, 342–355.
[22] Gabriel Robins and Alexander Zelikovsky. 2005. Tighter Bounds for Graph Steiner Tree Approximation. SIAM Journal on Discrete Mathematics 19 (2005), 122–134.
[23] Tempered. 2022. Whitepaper IDN. https://www.tempered.io
Optimization of Relay Placement for Scalable
Virtual Private LAN Services FIRA ’22, August 22, 2022, Amsterdam, Netherlands
A PROOFS
We need to bound the following three costs:
the cost of opening hubs,
the cost of connecting spokes to hubs,
the cost of connecting the hubs through a Steiner tree.
In the optimal solution, we write
$O$: opening cost of the hub PEs,
$C$: connection cost between the spoke PEs and the hub PEs,
$T$: Steiner tree cost.
Moreover, in Algorithm 1, we write
$O_{sh}$: opening cost of the approximate solution to the SH assignment,
$C_{sh}$: connection cost of the approximate solution to the SH assignment.
Considering $\mathit{OPT} = O + C + T$ and Section 3.4, we obtain
$$O_{sh} + C_{sh} \le 3\,\mathit{OPT}_{sh} \le 3\,\mathit{OPT}.$$
Lemma 1 [3]: Taking $\rho_{st} = 2$ as the approximation ratio of the Steiner tree solution, the Steiner cost $T$ in Algorithm 1 satisfies
$$E[T] \le \rho_{st}\bigl(\beta N (1+o(1))\,C + T\bigr) + \beta N (1+o(1))\,C_{sh}.$$
Lemma 2 [3]: The connection cost $C$ in Algorithm 1 satisfies
$$E[C] \le C_{sh} + 2C + \frac{T}{\beta N}.$$
Now we can obtain the expected approximation ratio of Algorithm 1 (taking the approximation ratio of the (sh) problem as $\rho_{sh} = 3$):
$$
\begin{aligned}
E[\text{Solution Cost}] &\le C_{sh} + 2C + \frac{T}{\beta N} + \beta N\, C_{sh} + \rho_{st}(\beta N C + T) + O_{sh} \\
&\le \rho_{st}(\beta N C + T) + 2C + \frac{T}{\beta N} + (O_{sh} + C_{sh})(1 + \beta N) \\
&\le \rho_{st}(\beta N C + T) + 2C + \frac{T}{\beta N} + \rho_{sh}(O + C)(1 + \beta N) \\
&\le 6.6\,\mathit{OPT} \qquad \text{for } \beta = 0.33/N.
\end{aligned}
$$
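The chain above can be carried through numerically. The following is an added example, not code from the paper: it takes the SH guarantee, Lemma 1 and Lemma 2 with the (1+o(1)) factors dropped, plugs in constructed costs, and reads off the coefficient of each of O, C and T in the final line; with ρ_st = 2, ρ_sh = 3 and βN = 0.33 the largest coefficient comes out at 6.65, which the text reports as 6.6.

```python
"""Numerical walk-through of the Appendix A bound for Algorithm 1.

Added example, not code from the paper. It plugs constructed cost values
into the three bounds the appendix combines, with the (1+o(1)) factors
dropped as in the final chain:
    SH guarantee:  O_sh + C_sh <= rho_sh * (O + C)
    Lemma 1:       E[T_alg] <= rho_st * (beta*N*C + T) + beta*N*C_sh
    Lemma 2:       E[C_alg] <= C_sh + 2*C + T / (beta*N)
beta_n below stands for the product beta*N (0.33 in the paper).
"""


def coefficient_bound(rho_st=2.0, rho_sh=3.0, beta_n=0.33):
    """Coefficients of O, C and T in the last line of the chain, plus the
    largest of them, which is the approximation ratio for Algorithm 1."""
    coef_o = rho_sh * (1 + beta_n)
    coef_c = rho_st * beta_n + 2 + rho_sh * (1 + beta_n)
    coef_t = rho_st + 1 / beta_n
    return coef_o, coef_c, coef_t, max(coef_o, coef_c, coef_t)


def expected_cost_bound(O, C, T, O_sh, C_sh,
                        beta_n=0.33, rho_st=2.0, rho_sh=3.0):
    """First line of the chain for concrete costs: the sum of the opening,
    connection and Steiner bounds, and its ratio to OPT = O + C + T."""
    if O_sh + C_sh > rho_sh * (O + C):
        raise ValueError("SH solution exceeds the rho_sh guarantee")
    steiner = rho_st * (beta_n * C + T) + beta_n * C_sh      # Lemma 1
    connection = C_sh + 2 * C + T / beta_n                   # Lemma 2
    total = O_sh + connection + steiner
    return total, total / (O + C + T)


if __name__ == "__main__":
    # Constructed costs (not from the paper) for one optimal solution
    # and one SH solution that respects the rho_sh = 3 guarantee.
    O, C, T = 10.0, 20.0, 15.0
    O_sh, C_sh = 12.0, 25.0
    coef_o, coef_c, coef_t, ratio = coefficient_bound()
    print(f"coefficients: O {coef_o:.2f}, C {coef_c:.2f}, T {coef_t:.2f}")
    print(f"worst-case ratio: {ratio:.2f}")
    total, achieved = expected_cost_bound(O, C, T, O_sh, C_sh)
    print(f"bound on expected cost: {total:.2f} ({achieved:.2f} x OPT)")
```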