In this dissertation, we present a network design called Rule-Based Forwarding (RBF) that provides exible and policy-compliant forwarding. Our proposal centers around a new architectural concept: that of packet rules. A rule is a simple if-then-else construct that describes the manner in which the network should - or should not - forward packets. A packet identinulles the rule by which it is to be forwarded and routers forward each packet in accordance with its associated rule. On one hand, rules are exible, as they can explicitly specify paths and invoke packet processing inside the network. This enables RBF to support many previously proposed Internet extensions, such as explicit middleboxes, multiple paths, source routing and support for host mobility. On the other hand, rules are certinulled, which guarantees that packets comply with the policies of the parties forwarding them. This property also enables a more secure architecture, since unwanted packets can be dropped in the network, allowing RBF to stop denial of service (DoS) attacks. Using our prototype router implementation we show that the overhead RBF imposes is within the capabilities of modern network equipment.

We also describe how the ideas behind RBF can be used to improve access control in cloud computing, and present CloudPolice an access control mechanism implemented in hypervisors. CloudPolice scales to millions of hosts, is independent of the network topology, routing and addressing, and can specify exible access control policies. These properties are not provided by traditional access control mechanisms, because these mechanisms were originally designed for enterprise environments that do not share the same challenges as cloud computing.





Download Full History