As part of a broader organisational restructure, data networking research at Swinburne University of Technology has moved from the Centre for Advanced Internet Architecture (CAIA) to the Internet For Things (I4T) Research Lab.

Although CAIA no longer exists, this website reflects CAIA's activities and outputs between March 2002 and February 2017, and is being maintained as a service to the broader data networking research community.

DIFFUSE - Architecture


The main goal of the DIFFUSE architecture is the de-coupling of the classification and treatment of traffic flows – functions which are tightly coupled in current packet filtering systems, such as ipfw, pf, and netfilter. This de-coupling will allow the deployment of more scalable and fault-tolerant systems, as potentially computationally intensive per-flow statistics calculations can be offloaded from the packet forwarding path and redundancy of components will allow graceful fail-overs. Furthermore, it will enable a number of novel network control scenarios (such as ISP-assisted, port-independent control of real-time traffic prioritisation in home broadband gateways).


We envisage several key components to our proposed model that decouples the steps of classification from the subsequent action:  

  • ClassifierNodes – network devices that compute statistical characteristics (features) from flows identified by the 5-tuple (source and destination address, source and destination port, protocol) and classify flows based on machine-learning rules entered into a local instance of ipfw.
  • ActionNodes – network devices whose ipfw instantiates locally configured actions (block, redirect, rate shape, etc) on packets belonging to flows that have been identified by a local or remote ClassifierNode.
  • An IP-layer control protocol between ClassifierNode(s) and ActionNode(s) to enable real-time coordination (such as alerting ActionNode(s) when to start and stop acting on flows identified by 5-tuple).
  • An extended set of packet filter configuration operators to express rules in statistical terms and specify the actions to be taken by nominated ActionNode(s) when rules are matched.

ClassifierNodes and ActionNodes are different logical entities, but they can be co-located on the same physical network device. For example, a traditional packet filter combines them in a single device. 

A ClassifierNode records flow identification information (5-tuple) and observed flow characteristics, such as packet length and inter-arrival time statistics. A ClassifierNode continuously compares the statistics of observed flows to the configured set of rules and uses this information to generate traditional header-inspection rules for ActionNodes 

When a flow (flow X) matches a statistical rule, the ClassifierNode then passes the flow’s 5-tuple to ActionNode(s) to actually instantiate the rule’s associated action. The action is then applied to all subsequent packets belonging to flow X. The rule is removed from the ActionNode(s) once the ClassifierNode determines that the flow has stopped.

ClassifierNodes and ActionNodes automatically establish IP based control links to share information as matching flows come and go. If ClassifierNode and ActionNode are instantiated on the same host, equivalent to a traditional packet filter, this control link will be inside the kernel.

ClassifierNodes consist of an extended packet filter in kernel space and an userspace daemon process (called Exporter) that exports the 5-tuple, class and (optionally) an action to the ActionNodes via the control protocol. ActionNodes consist of a userspace daemon (called Collector) that listens for flow information from ClassifierNodes and configures the packet filter and traffic shaper accordingly.

DIFFUSE components

Figure 1: ClassifierNodes and ActionNodes components

Example Scenario

We illustrate the DIFFUSE architecture in an example scenario, where the ISP differentiates a customer's traffic into real-time and non-real-time traffic and subsequently uses this information to prioritise the real-time traffic. The figure below shows the customer and the ISP network. A ClassifierNode with a rule database is located on or connected to an edge router inside the ISP's network. Two ActionNodes are located on the ISP's edge router and customer's router.

During operation the system does the following. The ClassifierNode classifies traffic based on statistical characteristics and stored rules. The ClassifierNode sends real-time flow's 5-tuples and actions to the ActionNodes. The ActionNodes prioritise traffic identified by ClassifierNode.
Example scenario
Figure 2: Automated prioritisation of interactive traffic


Last Updated: Tuesday 26-Jul-2011 08:35:20 AEST | Maintained by: Sebastian Zander ( | Authorised by: Grenville Armitage (