CONTRACT: Incorporating Coordination into the IP Network Control Plane Zheng Cai Florin Dinu Jie Zheng Alan L. Cox T. S. Eugene Ng Department of Computer Science Rice University Abstract—This paper presents the CONTRACT framework to address a fundamental deficiency of the IP network control plane, namely the lack of coordination between an IGP and other control functions involved in achieving a high level objective. For example, an IGP’s default automatic reaction to a network failure may result in an SLA violation, even if the IGP link weights have been carefully chosen. This is because an IGP blindly routes traffic along the shortest paths based on link weights, and it is completely oblivious to the interactions between SLA compliance, load balancing and traffic policing objectives in a network. The CONTRACT framework makes it possible to coordinate these objectives. Under this framework, routers continue to operate autonomously, but they also coordinate their actions with a centralized network controller, which evaluates the impact of routing changes, decides whether the changes are SLA compliant, and performs load rebalancing and/or packet filter reconfiguration as necessary. The key contribution of CONTRACT is a set of coordination algorithms. We show that CONTRACT can effectively coordinate the actions of routing, load balancing and traffic policing to improve a network’s SLA compliance. Keywords-network coordination; traffic control; coordination algorithms; SLA compliance I. I NTRODUCTION Today, a network operator must carefully handle numerous control tasks to ensure that service level agreements (SLAs) are met. First, the operator must perform careful network capacity planning to ensure that the network has enough bandwidth to meet the traffic demand [1]. Second, load- balanced routing is necessary to mitigate network hot spots and to enhance the network’s ability to absorb temporary spikes in traffic [2]. Furthermore, in today’s hostile Internet environment where a single DDoS attack could generate more than 40 Gbps of sustained unwanted traffic [3], it is crucial to use traffic filters to stop such unwanted traffic from overwhelming the network. The possibility of network failures further complicates the network operator’s task. This is because when a failure occurs, an Interior Gateway Protocol (IGP) such as IS-IS [4] and OSPF [5] will immediately re-route traffic around the failure. Although automatic failure recovery is generally desirable, the re-routed traffic may congest the network even if the IGP link weights have already been carefully chosen by a load balancing mechanism. Furthermore, changing routing without regard to DDoS traffic filtering could mistakenly re-route DDoS flows around the filters that aim to block them. The resulting service level agreement violations can be serious and can persist for over 10 minutes [6], even in a tier-1 backbone network. The fundamental problem is the lack of coordination in the control plane. Specifically, the IGP is allowed to operate in isolation from the SLA compliance, load balancing and traffic policing functions. In reality, however, these functions are intertwined and need to coordinate their actions. To address this problem, we propose the COordiNated TRAffic ConTrol (CONTRACT) framework. In CONTRACT, routers continue to recover from failures in a distributed autonomous fashion. However, the key difference is that routers coordinate their actions with a centralized network controller who is respon- sible for network-wide control tasks. Numerous studies have experimentally demonstrated the feasibility of using a central- ized controller for a variety of network-wide control tasks even for large networks (e.g. BGP routing decision making [7][8], network-wide access control [9], intra-domain routing and packet filter configuration [10], data center network layer-2 routing [11]). In contrast, the novel focus of CONTRACT is to provide a set of algorithms for achieving coordination, thereby improving SLA compliance in the network. There are three key mechanisms underlying the CON- TRACT framework. First, under CONTRACT, routers partic- ipate in a distributed coordination protocol with the network controller. The controller programmatically evaluates the im- pact of the routing changes, decides whether the changes are SLA compliant, and performs load rebalancing and/or packet filter reconfiguration as necessary. Second, because the overall impact of re-routed traffic cannot be locally determined by a router, under CONTRACT, routers temporarily lower the priority of the re-routed traffic, thus protecting other traffic. The priority will return to normal once the changes are deemed SLA compliant by the controller. Finally, CONTRACT enables routers to autonomously adapt their packet filter configuration as routing changes to retain (when feasible) the packet filtering behavior. The CONTRACT mechanisms work transparently beneath the IGP. Therefore, they can be deployed without changes to the IGP. The CONTRACT coordination protocol guaran- tees that all routers in the network partition containing the controller reach a consistent coordinated routing state despite arbitrary network failures. Furthermore, if the controller itself has failed or the network has been partitioned, and coordi- nation is no longer possible, the IGP continues to function autonomously; network survivability is thus not compromised.