Optimization of Relay Placement for Scalable Virtual Private LAN Services

Mohammad Borhani

Linköping University

Linköping, Sweden

mohammad.borhani@liu.se

Ioannis Avgouleas

Linköping University

Linköping, Sweden

ioannisavgouleas@gmail.com

Andrei Gurtov

Linköping University

Linköping, Sweden

gurtov@acm.org

ABSTRACT

Virtual Private LAN Services are becoming popular for securely connecting geographically dispersed devices to a common protected LAN network isolated from the rest of the Internet. Traditional IP routing protocols cannot provide such connectivity; thus an overlay network of encrypted HIP/IPsec tunnels can be used instead. However, the number of full-mesh tunnels between communicating devices grows exponentially with the number of devices, thereby suggesting the investigation of alternatives. The introduction of relaying, which entails selecting a subset of hub routers to retain full-mesh connectivity, allows non-hub routers, the so-called spokes, to maintain connectivity via a hub. In this work, we study the effect of relay-based routing that minimizes the number of hubs, the connection cost between spokes and hubs, the cost of connecting hubs, and the hubs deployment cost. Additionally, we prove that this minimization problem is NP-hard and, thus, intractable for large scale networks. Therefore, we propose an algorithm with provable guarantees that provides an approximate but efficient solution. Initial simulation results indicate a reduction by more than 90% in the memory required for routing tables at the expense of a minor increase in the tunnel path length.

CCS CONCEPTS

• Networks → Network design principles; Network Design; • Theory of computation → Discrete optimization; • Mathematics of computing → Mathematical optimization.

KEYWORDS

Virtual Private LAN Services, Routing, Host Identity Protocol, Approximation Algorithm

ACM Reference Format:

Mohammad Borhani, Ioannis Avgouleas, and Andrei Gurtov. 2022. Optimization of Relay Placement for Scalable Virtual Private LAN Services. In ACM SIGCOMM 2022 Workshop on Future of Internet Routing & Addressing (FIRA ’22), August 22, 2022, Amsterdam, Netherlands. ACM, New York, NY, USA, 7 pages. https://doi.org/10.1145/3527974.3545719

©2022 Copyright held by the owner/author(s). Publication rights licensed to ACM.

ACM ISBN 978-1-4503-9328-7/22/08.


1 INTRODUCTION

A massive number of devices with heterogeneous requirements are being connected through the Internet daily. These include smart sensors, valve controls, and traffic lights, among others. Recent studies have revealed thousands of such devices online per medium-size country, often using outdated insecure protocols such as ModBus [10]. Such devices are often hard to patch and contain known vulnerabilities that can be exploited in botnets such as Mirai. Thus, there is a clear need to hide such devices from the public Internet, while still allowing authorized connectivity for remote data management and updates.

The concept of Virtual Private LAN Services (VPLS) is based on the idea of combining islands of such devices into a single virtual local-area network using a set of encrypted tunnels [6, 11, 17]. Programmable gateways at each island intercept Address Resolution Protocol (ARP) requests targeted to other islands, and capture and encapsulate LAN packets for tunneling over the Internet. The Host Identity Protocol (HIP) offers an appropriate method to establish IPsec ESP tunnels with a base exchange, maintain them with keep-alive UPDATE messages, and gracefully close them when not needed. HIP can be viewed as one internetworking architecture aiming to implement identifier/locator split. Furthermore, other identifier/locator separation approaches exist, such as the Locator/Identifier Separation Protocol (LISP). However, since HIP encompasses end-to-end security, mobility and multi-homing, we are primarily concerned with a seamless integration of VPLS with HIP [19].

As VPLS uses a single broadcast domain, it has multiple benefits, including low communication latency, support for legacy protocols, and cost-effective installation and maintenance, thereby reducing CAPEX and OPEX. The popularity of VPLS is encouraged by the fact that companies such as Cisco, Juniper, and Nokia are working on VPLS [2, 13, 20]. Moreover, HIP-based VPLS (HIPLS) is successfully implemented, for example, by Tempered Networks in the USA [23]. Their deployment scenarios include securely connecting several hundred buildings of a university campus, wind generators of an electrical company, and a network of ATM machines. HIPLS allows devices to communicate in a LAN-like configuration while, at the same time, being hardly accessible for breaching their defense using the Internet. Additionally, the increasing scale of VPLS networks gives rise to challenges such as optimal tunnel management, performance and fault-tolerance.

Maintaining a full-mesh of all-to-all gateway tunnels is inefficient, since limited ternary content-addressable memory (TCAM) constrains the number of tunnels to a few thousand per gateway. Thus, it makes sense to dynamically establish and close the tunnels based on the current traffic patterns between device islands. By utilizing the concept of relaying [14], packets can be forwarded through another gateway with an already active tunnel, thereby reducing the need of activating a new gateway router. However, added latency must be considered as often VPLS traffic is of real-time nature. Finally, to address the single point of failure by using only the main tunnel, multiple existing paths with appropriate delay for fault-tolerance should be considered.

Figure 1: Memory footprint of the routing tables in an example secure HIPLS network with four PEs using: (A) full-mesh and (B) relay-based routing (the studied approach). In the latter, only the hub PEs are fully-meshed thereby realizing great memory savings for the spoke PEs at the expense of a minor increase in the tunnel path length for connecting spoke PEs.

Somewhat surprisingly, even if relaying for Multi-Protocol Label Switching (MPLS) was studied e.g., in [1], this is the first paper to consider relaying for encrypted tunnels. This paper makes the following contributions:

• We propose and formulate the "Relay Placement Problem (RPP)" for programmable tunnel gateways to minimize the cost of activating and deploying hub and spoke routers for relay-based routing.

• We prove that RPP is NP-hard.

• We develop an approximation algorithm to offer a polynomial-time solution to the RPP problem, with a guaranteed approximation factor.

• Numerical experiments for different scenarios, including real-world topologies, demonstrate that our proposed algorithm decreases the overall amount of router memory required by more than 90% and lowers network provider costs at the expense of a minor increase in packets' traversed paths.

The rest of the paper is organized as follows. In Section 2, we give a brief introduction to VPLS. Section 3 formulates the relay placement problem and develops an approximate but efficient algorithmic solution. Section 4 discusses the results. Last, Section 5 concludes the paper and gives directions for future works.

2 BRIEF INTRODUCTION TO VPLS

VPLS is a Layer 2 provider-provisioned VPN that allows multi-point-to-point connection between remote customer sites via a provider network. A usual VPLS deployment has multiple key components including:

• Customer Network: This is the VPLS network’s user. It is composed of numerous sites that are geographically dispersed and completely managed by the user. Global manufacturers, national health care providers, and energy cooperatives are a few examples of VPLS users.

• Provider Network: This is the VPLS underlay network that allows tunnels to be established. The provider networks are typically Layer 3 networks that use common network protocols such as MPLS or IP.

• Provider Edge Equipment (PE): PEs are the gateways for customer network traffic and are located at the provider network’s edge. PEs also have a thorough understanding of the VPLS network. Tunnels are constructed between PEs.

• Customer Edge Equipment (CE): CEs are the interconnecting devices between the customer and provider networks. CEs are owned by the customer and located on the customer’s premises.

HIPLS is the secure VPLS architecture containing a logical security layer for managing VPLS security services. HIPLS offers payload encryption, secure control protocol, protection from IP attacks, and PE authentication [11, 18].

3 RELAY PLACEMENT PROBLEM (RPP)

3.1 Overview

To interconnect PEs, the provider creates a full-mesh of HIP tunnels via the IP/MPLS-based provider network. However, this reachability model forces routing tables in PEs to grow large. For the sake of illustration, we show a HIPLS network with four sites (connecting via CEs) in Figure 1. In a full-mesh setup, each PE should install four routes (prefix) to ensure connectivity. Furthermore, the fact that each PE in a VPLS design can potentially be connected to numerous CEs increases the size of the PE routing table exponentially.

The concept of relaying can be employed to decrease the growth of entries in routing tables. The relaying strategy selects a small subset of PEs as hub nodes while retaining full-mesh reachability [14]. This allows non-hub PEs, known as spoke PEs, to reach other PEs by relaying through a specified hub PE. Relaying, as shown in Figure 1 (B), can substantially reduce the routing entries on the spoke PEs at the expense of more traffic being relayed on the provider network, which could increase latency for the customer sites.

Selecting the hub routers for relaying involves minimizing the number of hubs, as fewer hubs reduce the PE memory footprint and lower hubs’ installation and maintenance costs. Moreover, the traffic between two spoke PEs is possibly rerouted via a hub PE over an indirect path.

Raghunath et al. [21] investigated the structure of VPNs and discovered that hub-spoke architecture is employed in VPNs. Kim et al. [14] explored scalable routing for MPLS L3VPN as an optimization problem. Our work differs from theirs as we consider secure VPLS as our target network. Furthermore, our problem formulation takes into account various costs (for instance, spokes to hub and hub installation cost) and provides a minimum cost tree that spans the hubs.

3.2 Problem Formulation

We define the core network within the provider network to only contain hub PEs. In other words, a core network is a set of interconnected hub PEs that are responsible nodes for relaying data. Furthermore, transferring traffic between hub PEs within the core network incurs switching costs for the network provider. The following steps are involved in deploying the relaying architecture within the HIPLS network:

• Hub PE selection: This step considers selecting a set of PEs as the hub for data transmission with the aim of minimizing the hubs’ installation and maintenance costs. Other non-hub PEs will be considered as spokes.

• Hub PE assignment: Connecting each spoke PE to its designated hub PE accomplishes this step.

• The Hubs link selection: The last stage entails choosing links (edges) to connect all hub PEs, with the goal of picking links that lower the total cost of connection between hub nodes.

We define the Relay Placement Problem (RPP) in HIPLS as follows: the provider network is modeled as an undirected graph $G = (V, E)$, where $V = \{PE_1, PE_2, \ldots, PE_n\}$ is the set containing all PEs in the network. $E$ denotes the set of edges (links) that connect the PEs, and $c : E \to \mathbb{Q}^+$ represents the cost of edges. Latency, bandwidth, and cost to use specific links are among the possible metrics for edge costs.

$\mathcal{F} \subset V$ denotes the set containing possible locations for installation of hub PEs, and spoke PEs are represented by $\mathcal{D} \subset V$. The solution to RPP considers selecting a set of active hub PEs denoted by $F$ such that $F \subset \mathcal{F}$. Then, assigning each spoke PE $j$ ($j \in \mathcal{D}$) to some hub PE. Let $x_{ij}$ denote a binary variable indicating whether the spoke $j$ is connected to hub $i$. Additionally, $y_i = 1$ denotes whether hub $i$ should be activated, and $d_{ij}$ is the communication cost between spoke PE $j$ and hub PE $i$ (the cost of routing concerning the edge costs connecting spoke $j$ to hub $i$). Moreover, $a_i$ denotes the cost of activating hub $i$ that is configured by the network provider, and represents deployment and maintenance cost of hubs.

Finally, the Steiner tree $T$, the tree with the minimum cost that spans all hub PEs, should be constructed to ensure the connectivity of hub PEs. We formulate RPP within HIPLS network as:

$$(P)\quad \text{minimize} \quad \sum_{i \in F} \sum_{j \in \mathcal{D}} d_{ij} x_{ij} + N \sum_{k \in T.edges} c(k) + \sum_{i \in F} a_i y_i \tag{1}$$

The term $\sum_{i \in F} a_i y_i$ in $(P)$ calculates the opening cost of hub PEs; the second term, i.e., $N \sum_{k \in T.edges} c(k)$, captures the Steiner cost to connect all hub PEs via the Steiner tree $T$, in which $N \geq 1$ is a parameter to represent the cost of connecting hub PEs in core network. The connection cost between spoke PEs and hub PEs is demonstrated in $\sum_{i \in F} \sum_{j \in \mathcal{D}} d_{ij} x_{ij}$.

Problem $(P)$ is a network design problem, i.e., an NP-hard problem [5]. Although the RPP seems to be formulated easily, it is a difficult problem to solve efficiently (unless P = NP), making the exact solution intractable for medium to large networks. As a result, we provide an approximation schema for RPP, which produces solutions with reasonable running times in practice, as opposed to exact methods, which are computationally expensive.

3.3 Approximation Algorithm for RPP

Some of the most well-known NP-hard network design problems can be approximated using simple randomized algorithms [7]. A class of these algorithms, known as Sample-Augment (SA) algorithms, is based on the idea of selecting a random sample from the problem input, solving a subproblem, and finally augmenting the result with the solution to the original problem [8, 9].

We define the Sample-Augment problem for a minimization problem $\mathcal{P}$ as follows:

(1) Define $\mathcal{K} = \{1, \ldots, n\}$ as a set containing elements, and sampling probability for the elements as $(p_1, \ldots, p_n)$

(2) $\mathcal{P}_{sp}(K)$ is defined as subproblem for any $K \subseteq \mathcal{K}$

(3) For any $K \subseteq \mathcal{K}$ and solution to the previous step’s subproblem (i.e., $Sol_{sp}(K)$), the augmentation problem is defined as $\mathcal{P}_{aug}(K, Sol_{sp}(K))$.

The SA algorithm executes the following steps:

• Obtaining independent samples from $\mathcal{K}$ based on the sampling probability

• Finding the solution to the defined subproblem and the augmented problem (for random sample it obtained in the previous step)

• The SA algorithm outputs the aggregate solution to the subproblem and augmentation problem as final solution.

Formulating RPP as a minimization problem yields a variation of the uncapacitated facility location problem (UFLP) and the Steiner tree problem. Without hubs connection requirements (i.e., removing the Steiner tree problem from (1)), the $(P)$ problem becomes an UFLP instance, which has been shown to be NP-hard and widely investigated in the literature.

Algorithm 1 applies a well-established approximation algorithm to obtain a good solution for the Spoke-to-Hub (SH) assignment problem, which we will introduce shortly, to choose which hub PEs to open from the list of candidate hub locations. Then, in the sampling step of Algorithm 1, each spoke PE is marked independently with probability $\beta$, and in the solution to the SH assignment problem, we activate the hub PEs to which the marked PEs are allocated. Algorithm 1 applies connection requirements on the marked PEs by using an approximated solution to the Steiner tree problem [16, 22] to link the hub PEs and extends this solution to include the open hubs (augmentation step).

Algorithm 1: Approximation Algorithm for RPP.

    $\gamma \in (0, 1]$;
    $F \leftarrow \emptyset$;
    $\beta \leftarrow \gamma / N$;
    /* Solving UFLP */
    Execute the 3-approximation algorithm for the Spokes-to-Hubs $(SH)$ Assignment problem, and obtain the solution as $H = (F_H, x_{ij})$;
    /* Sampling */
    Sample (mark) a spoke $PE^*$ at random;
    Sample every other non-marked spoke PE independently with probability $\beta$;
    Let $M = \{\text{set of marked PEs}\}$;
    /* Augmentation */
    for all $i' \in F_H$ if $(\{j \mid j \in \mathcal{D} \text{ and } x_{i'j} = 1\} \cap M \neq \emptyset)$ then
        $F$.add($i'$);
    end
    Execute the 2-approximated Steiner Tree $T$ on the set $M$;
    Augment $T$ by adding the shortest paths between each spoke PE $j \in M$ and its associated hub PE;
    Find a tree $T''$ which spans $F$;
    Allocate each spoke PE $j \in \mathcal{D}$ to its closest hub PE in $F$;
    return $\{F, T''\}$

3.4 Spokes-to-Hubs (SH) Assignment

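The problem of assigning spoke to hub PEs can be formulated as follows:

$$(SH)\quad \text{minimize} \quad \sum_{i \in F} \sum_{j \in \mathcal{D}} d_{ij} x_{ij} + \sum_{i \in F} a_i y_i \tag{2a}$$

$$\text{subject to} \quad \sum_{i \in F} x_{ij} \geq 1, \quad j \in \mathcal{D} \tag{2b}$$

$$x_{ij} \leq y_i, \quad j \in \mathcal{D} \text{ and } i \in F \tag{2c}$$

$$x_{ij} \in \{0, 1\}, \quad j \in \mathcal{D} \text{ and } i \in F \tag{2d}$$

$$y_i \in \{0, 1\}, \quad i \in F \tag{2e}$$

Constraint (2b) forces each spoke to be assigned to at least one hub. By (2c), only active hubs should be assigned to spokes, and the last two constraints set the domain of the binary decision variables.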

3.4.1 Approximation Algorithm of Spokes-to-Hubs $(SH)$ Assignment. Since $(SH)$ is a form of the Uncapacitated Facility Location Problem (UFLP), which has been shown to be NP-hard, we used a 3-approximation algorithm based on primal-dual schema and Lagrangian relaxation to approximate its exact solution [12].

Table 1: Routing Entries for mid-size AS network with supported CE(1-10).

          #Entries in Routing Tables for All PEs
#PEs      Full-mesh      Hub-Spoke      #Hubs
100       50100          2092           3
150       109950         3794           5
200       192800         7879           7
250       302250         9889           7
300       440100         12303          9

Theorem 1. By using 3-approximation algorithm for SH assignment problem, 2-approximation for the Steiner Tree problem, and proper choice of $\beta$ [3], Algorithm 1 is an expected 6.6-approximation algorithm for the RPP problem.

Proof. See Appendix A.

4 EVALUATION AND DISCUSSION

To evaluate the proposed algorithm’s performance, we implemented Algorithm 1 on a PC running Windows 10 (4-core 2.60 GHz CPU), equipped with 8GB of RAM. For performance evaluation, we employed various types of provider network topologies, including:

• AS Network Topology: Since VPLS can be employed in large-scale networks and there exists a demand for using VPLS across multiple Autonomous Systems (AS), we generate an AS network graph with the properties stated in [4].

• Backbone Network Topology: We utilized backbone topologies from The Internet Topology Zoo [15] to evaluate the path traversal in hub-spoke.

Table 1 compares the number of routing entries installed in all PEs for full-mesh and hub-spoke. As motivated by the example in Figure 1, the total number of routing entries in full-mesh equals #PE × #routing entries of each PE, in which the latter term for each PE is calculated by summing the number of CEs in the network.

The number of routing entries for all PEs in hub-spoke is obtained by adding the routing entries installed for each spoke and hub PE in the network. The number of routing entries for a spoke PE is comprised of the number of its supported CEs plus the number of hubs to which the spoke PE is connected. Furthermore, because the hub PE should contain all of the network’s routing information, the number of routing entries in the hub PE is computed by adding all supported CEs in the network. Table 1 shows that for a random number of CEs chosen from the interval (1-10), the number of installed routing entries is significantly reduced by leveraging the hub-spoke relaying.
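The Python sketch below is an added illustration, not the authors' implementation: it walks through the sample-augment steps of Algorithm 1, objective (1), and the routing-entry counting rule just described on a constructed six-PE topology. It assumes a greedy hub-opening heuristic in place of the 3-approximation of [12] and only the metric-closure step of [16] without pruning to a tree $T''$, so the guarantee of Theorem 1 is not claimed for it; all function and variable names are hypothetical.

```python
import heapq
import random

# Constructed sample provider network (not from the paper): (PE, PE, link cost).
LINKS = [("A", "B", 1), ("B", "C", 1), ("C", "D", 4), ("D", "E", 1),
         ("E", "F", 1), ("A", "F", 5), ("B", "E", 3)]
ADJ = {}
for u, v, c in LINKS:
    ADJ.setdefault(u, {})[v] = c
    ADJ.setdefault(v, {})[u] = c

def shortest_paths(adj, src):
    """Dijkstra from src over a connected graph; returns (dist, prev)."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, c in adj[u].items():
            if d + c < dist.get(v, float("inf")):
                dist[v], prev[v] = d + c, u
                heapq.heappush(heap, (d + c, v))
    return dist, prev

def path_edges(sp, u, v):
    """Links on the shortest path between u and v, as unordered pairs."""
    prev, edges = sp[u][1], set()
    while v != u:
        edges.add(frozenset((prev[v], v)))
        v = prev[v]
    return edges

def steiner_edges(terminals, sp):
    """Prim's MST over the metric closure of the terminals (first step of
    the heuristic in [16]), expanded to real links; no final pruning."""
    todo = sorted(terminals)
    done, edges = {todo.pop(0)}, set()
    while todo:
        _, u, v = min((sp[u][0][v], u, v) for u in done for v in todo)
        edges |= path_edges(sp, u, v)
        done.add(v)
        todo.remove(v)
    return edges

def closest(hubs, spokes, d):
    """Assign every spoke j to its nearest open hub i (x_ij = 1)."""
    return {j: min(sorted(hubs), key=lambda i: d[i][j]) for j in spokes}

def greedy_sh(cands, spokes, d, a):
    """Stand-in for the SH step: open hubs while objective (2a) keeps dropping."""
    cost = lambda h: (sum(a[i] for i in h)
                      + sum(min(d[i][j] for i in h) for j in spokes))
    hubs, best = set(), float("inf")
    while True:
        trials = [(cost(hubs | {i}), i) for i in sorted(cands) if i not in hubs]
        if not trials or min(trials)[0] >= best:
            break
        best, pick = min(trials)
        hubs.add(pick)
    return hubs, closest(hubs, spokes, d)

def rpp_cost(adj, hubs, assign, core, d, a, N):
    """Objective (1): spoke-hub cost + N * core link cost + hub opening cost."""
    link = lambda e: adj[min(e)][max(e)]
    return (sum(d[i][j] for j, i in assign.items())
            + N * sum(link(e) for e in core) + sum(a[i] for i in hubs))

def relay_placement(adj, cands, spokes, a, N, gamma=0.33, rng=random):
    """Sample-augment walk-through of Algorithm 1 with beta = gamma / N."""
    sp = {u: shortest_paths(adj, u) for u in adj}
    d = {i: sp[i][0] for i in cands}
    F_H, x = greedy_sh(cands, spokes, d, a)        # solving UFLP (stand-in)
    beta, order = gamma / N, sorted(spokes)
    star = rng.choice(order)                       # sampling: one spoke always marked
    M = {star} | {j for j in order if j != star and rng.random() < beta}
    F = {x[j] for j in M}                          # augmentation: hubs of marked spokes
    core = steiner_edges(M, sp)                    # Steiner step on M
    for j in M:                                    # attach each marked spoke's hub
        core |= path_edges(sp, j, x[j])
    assign = closest(F, spokes, d)                 # spokes to closest hub in F
    return {"hubs": F, "assign": assign, "core": core, "marked": M,
            "cost": rpp_cost(adj, F, assign, core, d, a, N)}

def routing_entries(ces, hubs):
    """Section 4 counting rule; ces maps each PE to its number of CEs."""
    total = sum(ces.values())
    full_mesh = len(ces) * total
    hub_spoke = sum(total if pe in hubs else n + 1 for pe, n in ces.items())
    return full_mesh, hub_spoke
```

For four PEs with one CE each, `routing_entries` gives the sixteen full-mesh entries implied by the four-routes-per-PE example in Section 3.1.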

Figure 2 depicts the cost of the solution (i.e., the sum of the connection cost between spoke PEs and hub PEs, the opening cost of hub PEs, and the cost of connecting all hub PEs in the Steiner Tree) for the proposed Algorithm 1 and random hub placement. In random hub placement, a subset of PEs is randomly chosen to be hub PEs such that the number of hubs in both approaches (Random Hub Placement and Algorithm 1) is the same. Moreover, in random hub placement, random spoke PEs are assigned to hubs. Figure 2 shows that Algorithm 1 generates less costly solutions for RPP than random hub placement.

Figure 2: Solution cost for Random Hub Placement vs. Algorithm 1.

Figure 3 illustrates the number of routing entries for large-scale AS networks (400 to 800 PEs) in full-mesh. Furthermore, the routing entries for hub-spoke for the same networks are depicted in Figure 4. Obviously, as the number of PEs in the network grows, the routing entries also increase. However, the increase is significantly greater with full-mesh. As a result, hub-spoke may be effectively used in large networks.

Figure 3: Routing entries for a full-mesh large-scale AS Network.

In hub-spoke data transmission, the source node transfers data to its corresponding hub. The data is then forwarded to the second hub associated with the destination PE, if necessary. Finally, the data is sent to the final PE destination through the second hub. We used the two backbone networks to evaluate the additional path taken by the hub-spoke, in which each link (edge) of the network graph is represented by the distance in kilometers between the corresponding nodes (PEs) creating that link. Furthermore, a random number of PEs is chosen to create source_destination pairings for communication. The ratio in Table 2 is the average routing cost (i.e., path length with respect to the edge cost) in hub-spoke divided by the same value for full-mesh, for several selections of random source_destination pairs. This ratio represents the average increase in traversed path length caused by the hub-spoke design. Table 2 includes the ratio for both backbones with the 95% confidence interval reported.

Table 2: Comparison of path traversed by full-mesh vs hub-spoke.

                                           Extra Path Traversed by Hub-Spoke
Network               Location   #Nodes    Ratio    Margin of Error
Backbone, Transit     US         51        1.387    1.3873 ±0.115 (±8.26%)
Backbone, Customer    NL         50        1.536    1.5361 ±0.0774 (±5.04%)

Figure 4: Routing entries for a hub-spoke large-scale AS Network.

In the next experiment, we used Mininet to implement HIPLS in full-mesh and hub-spoke for a network topology in the USA. We purposefully chose a geographically dispersed network graph to examine the proposed approach in the extreme hub-spoke scenarios, in which relaying can add considerable latency¹. In Mininet, the propagation delay of the link was estimated using the distance between nodes. Figure 5 depicts the Mininet simulation results from four distinct scenarios. In hub-spoke scenarios, Algorithm 1 is given the network graph and the cost of placing a hub in the network as inputs, and the output contains the number of hubs and their locations, as well as the spokes’ associations with hubs. Comparing HIPLS (secure HIP-based VPLS) and IP connectivity (no security) shows the cost in delay one should pay to secure the VPLS network (5.553 ms more delay to secure full-mesh VPLS). Comparing HIPLS and IP connectivity in both full-mesh and hub-spoke stressed, as predicted, that offering relaying imposes an increase in path length (higher RTT delay) to decrease routing entries in PEs. For instance, HIPLS needs to endure an extra 3.685 ms delay in hub-spoke compared to full-mesh on average RTT.

¹ http://www.topology-zoo.org/maps/Compuserve.jpg

Figure 5: Mininet latency experiment for full-mesh and hub-spoke.

5 CONCLUSIONS AND FUTURE WORK

We studied the relay placement problem in the context of Virtual Private LAN Services. To our knowledge, this is the first attempt to extend the VPN relaying problem to the case of encrypted tunnels between the PE nodes with Host Identity Protocol (HIP). Although the main problem is intractable due to NP-hardness, we propose a fast approximation algorithm. Initial simulations show that it can decrease fast memory demands in PE nodes up to a hundred times with proper hub-spoke relays, compared to full tunnel mesh between PE nodes. This comes at a moderate increase in the latency, as VPLS often carries real-time traffic expecting LAN-level delays.

We currently lack accurate traffic pattern and topology data for real-world VPLS deployments. We plan to construct realistic topologies based on deployment scenarios by the Tempered company (tempered.io). One such scenario includes connecting several hundred buildings within a university campus to a VPLS. Another is connecting all wind generators within a single energy provider together. Obviously, traffic patterns can also be very different, ranging from all-to-all communication closer to a full-mesh of tunnels, up to strictly leaf devices reporting to a single server. We will use these data to improve the accuracy of our model and simulations.

ACKNOWLEDGMENT

This work was in part supported by the Excellence Center at Linköping – Lund in Information Technology (ELLIIT) and Graduate School in Computer Science (CUGS).

REFERENCES

[1] MohammadHossein Bateni, Alexandre Gerber, Mohammad Taghi Hajiaghayi, and Subhabrata Sen. 2009. Multi-VPN Optimization for Scalable Routing via Relaying. In INFOCOM 2009. IEEE, 2756–2760.

[2] Cisco. 2019. Cisco VPLS Project. https://www.cisco.com/c/en/us/products/ios-nx-os-software/virtual-private-lan-services-vpls

[3] Friedrich Eisenbrand, Fabrizio Grandoni, Thomas Rothvoß, and Guido Schäfer. 2008. Approximating Connected Facility Location Problems via Random Facility Sampling and Core Detouring. In Proceedings of the Nineteenth Annual ACM-SIAM Symposium on Discrete Algorithms (SODA ’08). Society for Industrial and Applied Mathematics, USA, 1174–1183.

[4] Ahmed Elmokashfi, Amund Kvalbein, and Constantine Dovrolis. 2010. On the Scalability of BGP: The Role of Topology Growth. IEEE Journal on Selected Areas in Communications 28 (2010), 1250–1261.

[5] Michael R. Garey and David S. Johnson. 1979. Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman & Co., USA.

[6] Kuntal Gaur, Anshuman Kalla, Jyoti Grover, Mohammad Borhani, Andrei Gurtov, and Madhusanka Liyanage. 2021. A Survey of Virtual Private LAN Services (VPLS): Past, Present and Future. Computer Networks 196 (2021).

[7] Anupam Gupta, Amit Kumar, Martin Pál, and Tim Roughgarden. 2007. Approximation via Cost Sharing: Simpler and Better Approximation Algorithms for Network Design. J. ACM 54, 3 (2007).

[8] Anupam Gupta, Amit Kumar, and Tim Roughgarden. 2003. Simpler and Better Approximation Algorithms for Network Design. In Proceedings of the Thirty-Fifth Annual ACM Symposium on Theory of Computing (STOC ’03). Association for Computing Machinery, New York, NY, USA, 365–372.

[9] Anupam Gupta, Martin Pál, R. Ravi, and Amitabh Sinha. 2004. Boosted Sampling: Approximation Algorithms for Stochastic Optimization (STOC ’04). Association for Computing Machinery, New York, NY, USA, 417–426.

[10] David Hasselquist, Abhimanyu Rawat, and Andrei Gurtov. 2019. Trends and Detection Avoidance of Internet-Connected Industrial Control Systems. IEEE Access 7 (2019), 155504–155512.

[11] T Henderson, S Venema, and D Mattes. 2011. HIP-based virtual private LAN service (HIPLS). Internet Draft, IETF (2011).

[12] Kamal Jain and Vijay V. Vazirani. 2001. Approximation Algorithms for Metric Facility Location and k-Median Problems Using the Primal-Dual Schema and Lagrangian Relaxation. J. ACM 48, 2 (2001), 274–296.

[13] Juniper. 2019. Juniper Networks-VPLS. https://www.juniper.net/documentation/junos/topics/concept/vpls-security-overview.html

[14] Changhoon Kim, Alexandre Gerber, Carsten Lund, Dan Pei, and Subhabrata Sen. 2008. Scalable VPN Routing via Relaying. In Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems (SIGMETRICS ’08). ACM, New York, NY, USA, 61–72.

[15] Simon Knight, Hung X. Nguyen, Nickolas Falkner, Rhys Bowden, and Matthew Roughan. 2011. The Internet Topology Zoo. IEEE Journal on Selected Areas in Communications 29 (2011), 1765–1775.

[16] L. Kou, George Markowsky, and L. Berman. 1981. A Fast Algorithm for Steiner Trees. Acta Informatica 15 (1981), 141–145.

[17] Madhusanka Liyanage and Andrei Gurtov. 2013. A scalable and secure VPLS architecture for provider provisioned networks. In 2013 IEEE Wireless Communications and Networking Conference (WCNC). IEEE, 1115–1120.

[18] Madhusanka Liyanage, Jude Okwuibe, Mika Ylianttila, and Andrei Gurtov. 2015. Secure Virtual Private LAN Services: An overview with performance evaluation. In 2015 IEEE International Conference on Communication Workshop (ICCW). 2231–2237.

[19] Pekka Nikander, Andrei Gurtov, and Thomas R. Henderson. 2010. Host Identity Protocol (HIP): Connectivity, Mobility, Multi-Homing, Security, and Privacy over IPv4 and IPv6 Networks. IEEE Communications Surveys Tutorials 12 (2010), 186–204.

[20] Nokia. 2019. Nokia VPLS Course. https://networks.nokia.com/src/course/virtual-private-lan-services

[21] Satish Raghunath, K. K. Ramakrishnan, Shivkumar Kalyanaraman, and Chris Chase. 2004. Measurement Based Characterization and Provisioning of IP VPNs. In Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement (IMC ’04). ACM, New York, NY, USA, 342–355.

[22] Gabriel Robins and Alexander Zelikovsky. 2005. Tighter Bounds for Graph Steiner Tree Approximation. SIAM Journal on Discrete Mathematics 19 (2005), 122–134.

[23] Tempered. 2022. Whitepaper IDN. https://www.tempered.io


A PROOFS

We need to bound the below costs:

• Cost of opening hubs

• Cost of connecting spokes to hubs

• Cost of connecting hubs through Steiner Tree

In optimal solution, we have:

• $O^*$: Opening cost of hub PEs

• $C^*$: Connection cost between spoke PEs and hub PE

• $T^*$: Steiner Tree cost

Moreover, in Algorithm 1, we have:

• $O_{sh}$: Opening cost for approximation solution to SH assignment

• $C_{sh}$: Connection cost for approximation solution to SH assignment

By considering $OPT = O^* + C^* + T^*$, and Section 3.4 we obtain

$$O_{sh} + C_{sh} \leq 3\,OPT_{sh} \leq 3\,OPT$$

Lemma 1 [3]: By considering $\rho_{st} = 2$ as the approximation ratio for Steiner Tree solution, the Steiner cost of $T$ in Algorithm 1 is:

$$E[T] \leq \rho_{st}\left(\beta N (1 + o(1)) C^* + T^*\right) + \beta N (1 + o(1)) C_{sh}$$

Lemma 2 [3]: The connection cost of $C$ in Algorithm 1 is:

$$E[C] \leq C_{sh} + 2C^* + \frac{T^*}{\beta N}$$

Now, we can obtain the expected approximation ratio for Algorithm 1 as (considering the approximation ratio for (sh) problem as $\rho_{sh} = 3$):

$$\begin{aligned}
E[\text{Solution Cost}] &\leq C_{sh} + 2C^* + \frac{T^*}{\beta N} + \beta N C_{sh} + \rho_{st}(\beta N C^* + T^*) + O_{sh} \\
&\leq \rho_{st}(\beta N C^* + T^*) + 2C^* + \frac{T^*}{\beta N} + (O_{sh} + C_{sh})(1 + \beta N) \\
&\leq \rho_{st}(\beta N C^* + T^*) + 2C^* + \frac{T^*}{\beta N} + \rho_{sh}(O^* + C^*)(1 + \beta N) \\
&\leq 6.6\,OPT \quad \text{for } \beta = 0.33/N
\end{aligned}$$