ICING

What is ICING?

ICING is a new way of building a network in which the network can enforce participants' policies about the paths that their packets take. ICING started from the observation that while there were dozens of projects about expressing routing policy, there was no work about how to enforce policy. The core challenge is: if we assume an adversarial, decentralized, and high-speed environment, then when a packet arrives at a node, how can the node be sure that the packet followed an approved path?

Our solution, ICING, incorporates an optimized cryptographic construction that is compact, and requires negligible configuration state and no Public Key Infrastructure (PKI). We have demonstrated ICING's plausibility with a NetFPGA hardware implementation.

In addition, we have demonstrated the use of ICING in two contexts: in an overlay (called ICING-ON or PoComON) and at layer-3 (in a network architecture called ICING-L3).

Publications

• Verifying and enforcing network paths with ICING
  Jad Naous, Michael Walfish, Antonio Nicolosi, David Mazières, Michael Miller, and Arun Seehra
  ACM CoNEXT, Tokyo, Japan, December 2011.
• PoComON: A POlicy-COMpliant Overlay Network
  Michael Miller
  Undergraduate honors thesis HR-11-04, CS Dept, UT Austin, October 2011.
• Path-policy Compliant Networking and a Platform for Heterogeneous IAAS Management
  Jad Naous
  PhD dissertation, Stanford University, March 2011.
• A policy framework for the future Internet
  Arun Seehra, Jad Naous, Michael Walfish, David Mazières, Antonio Nicolosi, and Scott Shenker
  ACM Workshop on Hot Topics in Networks (HotNets), New York, NY, October 2009.

External talks

• Verifiable network paths for the Nebula data plane, Antonio Nicolosi, IEEE Computer Communications Workshop (CCW), October, 2011
• Policy and mechanism in the future Internet, Michael Walfish, Colloquium at UCSD, May 2010
• A policy framework for a secure future Internet, Jad Naous, DIMACS Workshop on Secure Routing, March 2010
• A policy framework for the future Internet, Michael Walfish, Hotnets, October 2009

Source code

The source code is available here. To replicate our experiments (or to compile the code), please extract the archive and follow the instructions in the README file. Please let us know if you have questions.

People

• David Mazières
• Michael Miller
• Jad Naous
• Antonio Nicolosi
• Michael Walfish

Support

ICING is part of the NEBULA future Internet project and is supported by the following:

• The National Science Foundation, under the Future Internet Architecture program (grants 1040083, 1040784, 1040190)
• The Air Force Office of Scientific Research (grant FA9550-10-1-0073)

ICING has also received support from the following:

• The National Science Foundation (under grants 0716806, 1052985, 0627112, and 1117679)
• The Office of Naval Research (under grant N00014-09-10757)
• The Stanford Clean Slate Program