Communications of the ACM

other only through IP routers, where filtering rules are installed to allow only approved communication among groups. Note that the machines with IP addresses 2. 7 and 2. 8 are close together in the IP topology, but far apart in the physical topology.

At the middle level of the figure there is an isolated VLAN for each group. Like the LANs, a VLAN uses the Ethernet design in which names are MAC addresses (abbreviated “M”). These VLANs do their own routing, separate from the routing in the LANs. A virtual link in the IP network must be implemented by a path in a VLAN and a link in a VLAN must be implemented by a physical path. As a result, a packet from 1. 3 to 2. 6 must go through IP router 0.5 and be screened, even though the shortest physical path between the red and green machines does not go through an IP router. The VLAN architecture has been found to simplify administration, enhance security, and improve the efficiency of campus networks. 22

A completely different kind of virtual network is often found in mul-titenant clouds, which may offer to their tenants various services such as load-balancing, packet filtering by firewalls, and application-specific performance enhancements. Such clouds have virtual networks that implement these services by inserting middleboxes into the paths of sessions. In these virtual networks, the major purpose of routing and forwarding is to direct the packets of sessions through middleboxes according to the tenant’s service specification. 3, 16

The most unusual networks in
this article are named data networks
(NDN). 25 In NDN each piece of data has
a unique name. For purposes of the
networking functions of routing and
forwarding, a data server has the name
of every piece of data available from
it; a server can have many names, and
a name can be assigned to many serv-
ers. The routing protocol uses advertis-
ing and other conventional techniques
so that a request for data is usually
forwarded to the nearest server with
the requested data. In NDN, a session
consists of a single request and its re-
sponse, and there is no source name
in the request packet. (A source name
would be useless for returning the re-
ly, the table at each member is a map-
ping from headerPattern and inLink to
outLink, where headerPattern matches
some subset of packet headers, and
inLink and outLink are local identifiers
for the links of that member. The map-
ping tells the member that on receiv-
ing a packet on incoming link inLink
whose header matches headerPattern,
it should forward the packet onto out-
going link outLink. The mapping can
also tell the member, explicitly or im-
plicitly, to drop the packet.

A session protocol is a set of conventions governing a specific kind of session; it always includes the behavior of the session endpoint members, and may include the behavior of other network members on the session path. It covers packet headers, packet sequence, member state, and member actions. The header format of a session protocol is a specialization of its network’s forwarding format, so a header must conform to both. The new model makes particular use of the following header fields:

• the name of the destination endpoint;

• a session protocol identifier;

• a session identifier;

• a user network to identify the network being served by the session (as we will discuss).

These fields are always present
in headers unless they are vestigial
(which means they would be identify-
ing elements in a set of size zero or one)
or unless the information they carry is
already stored in members along the
path of the session.
Examples of new networks. Many
campus architectures have networks
called virtual local area networks
(VLANs) that are not found in the
classic architecture. 22 The purpose of
VLANs is to maintain an important
network topology that is not present
in either the IP network or local area
networks (LANs) on campus, as shown
in Figure 3. In the figure, each physical
machine is assigned a color and final
name digit for its network members,
so that it is easy to see which network
members are on the same machine.

At the bottom level we see there are physical LANs covering different areas of campus, and some high-speed physical links across campus.b At the top level the campus has a private IP network. User machines are divided into groups depending on whether they belong to students, administrators, departments, or others. Members of a group are identifiable by the pre-fixes of their IP addresses (abbreviated in the figure). Within each group each user machine is connected by a virtual link to every other group member and to one or more IP routers that serve as security gateways to the group. Members of different groups can reach each

b The “campus IP network” at the bottom level is a tricky part of the architecture, and will be explained in section entitled The Usage Graph.

Figure 3. The architecture of campus network.

In this diagram, all lines between members are bidirectional pairs of links.

Administrators’ Group
Physical LAN Physical LAN
IP Network
Physical Link
Virtual Links
Campus
IP Network
Administrators’
Virtual LAN
(Extends
Across Campus)