148 research outputs found

    Dynamic deployment of context-aware access control policies for constrained security devices

    Securing access to a server, guaranteeing a certain level of protection over an encrypted communication channel, and executing particular countermeasures when attacks are detected are examples of security requirements. Such requirements are identified based on organizational purposes and expectations in terms of resource access and availability, and also on system vulnerabilities and threats. All these requirements belong to the so-called security policy. Deploying the policy means enforcing, i.e., configuring, those security components and mechanisms so that the system behavior is finally the one specified by the policy. The deployment issue becomes more difficult as growing organizational requirements and expectations generally outpace the integration of new security functionalities in the information system: the information system will not always embed the necessary security functionalities for the proper deployment of contextual security requirements. To overcome this issue, our solution is based on a central-entity approach which takes charge of unmanaged contextual requirements and dynamically redeploys the policy when context changes are detected by this central entity. We also present an improvement over the OrBAC (Organization-Based Access Control) model. Up to now, a controller based on a contextual OrBAC policy is passive, in the sense that it assumes policy evaluation triggered by access requests. Therefore, it does not allow reasoning about policy state evolution when actions occur. The modifications introduced by our work overcome this limitation and provide a proactive version of the model by integrating concepts from action specification languages.

    Towards Automated Network Configuration Management

    Modern networks are designed to satisfy a wide variety of competing goals related to network operation requirements such as reachability, security, performance, reliability and availability. These high-level goals are realized through a complex chain of low-level configuration commands performed on network devices. As networks become larger, more complex and more heterogeneous, human errors become the most significant threat to network operation and the main cause of network outages. In addition, the gap between high-level requirements and low-level configuration data is continuously increasing and difficult to close. Although many solutions have been introduced to reduce the complexity of configuration management, network changes, in most cases, are still performed manually via low-level command line interfaces (CLIs). The Internet Engineering Task Force (IETF) has introduced the NETwork CONFiguration (NETCONF) protocol along with its associated data-modeling language, YANG, which significantly reduce network configuration complexity. However, NETCONF is limited to the interaction between managers and agents, and it has weak support for compliance with high-level management functionalities. We design and develop a network configuration management system called AutoConf that addresses the aforementioned problems. AutoConf is a distributed system that manages, validates, and automates the configuration of IP networks. We propose a new framework to augment the NETCONF/YANG framework. This framework includes a Configuration Semantic Model (CSM), which provides a formal representation of the domain knowledge needed to deploy a successful management system. Along with CSM, we develop a domain-specific language called Structured Configuration Language (SCL) to specify configuration tasks as well as high-level requirements. CSM/SCL together with NETCONF/YANG makes a powerful management system that supports network-wide configuration.
    AutoConf supports two levels of verification: consistency verification and behavioral verification. We apply a set of logical formalizations to verify the consistency and dependencies of configuration parameters. In behavioral verification, we present a set of formal models and algorithms based on Binary Decision Diagrams (BDD) to capture the behavior of forwarding control lists deployed in firewalls, routers, and NAT devices. We also adopt an enhanced version of the Dyna-Q algorithm to support dynamic adaptation of network configuration in response to changes occurring during network operation. This adaptation approach maintains a coherent relationship between high-level requirements and low-level device configuration. We evaluate AutoConf by running several configuration scenarios such as interface configuration, RIP configuration, OSPF configuration and MPLS configuration. We also evaluate AutoConf by running several simulation models to demonstrate the effectiveness and scalability of handling large-scale networks.

    A Survey on the Contributions of Software-Defined Networking to Traffic Engineering

    Since the appearance of OpenFlow back in 2008, software-defined networking (SDN) has gained momentum. Although there are some discrepancies between the standards developing organizations working with SDN about what SDN is and how it is defined, they all outline traffic engineering (TE) as a key application. One of the most common objectives of TE is congestion minimization, where techniques such as traffic splitting among multiple paths or advance reservation systems are used. In such a scenario, this manuscript surveys the role of a comprehensive list of SDN protocols in TE solutions, in order to assess how these protocols can benefit TE. The SDN protocols have been categorized using the SDN architecture proposed by the Open Networking Foundation, which differentiates among data-controller plane interfaces, application-controller plane interfaces, and management interfaces, in order to state how the interface type in which they operate influences TE. In addition, the impact of the SDN protocols on TE has been evaluated by comparing them with the path computation element (PCE)-based architecture. The PCE-based architecture has been selected to measure the impact of SDN on TE because it is the most novel TE architecture to date, and because it already defines a set of metrics to measure the performance of TE solutions. We conclude that using the three types of interfaces simultaneously will result in more powerful and enhanced TE solutions, since they benefit TE in complementary ways.
    Funding: European Commission through the Horizon 2020 Research and Innovation Programme (GN4) under Grant 691567; Spanish Ministry of Economy and Competitiveness under the Secure Deployment of Services Over SDN and NFV-based Networks Project S&NSEC under Grant TEC2013-47960-C4-3-

    Algorithms for advance bandwidth reservation in media production networks

    Media production generally requires many geographically distributed actors (e.g., production houses, broadcasters, advertisers) to exchange huge amounts of raw video and audio data. Traditional distribution techniques, such as dedicated point-to-point optical links, are highly inefficient in terms of installation time and cost. To improve efficiency, shared media production networks that connect all involved actors over a large geographical area are currently being deployed. The traffic in such networks is often predictable, as the timing and bandwidth requirements of data transfers are generally known hours or even days in advance. As such, the use of advance bandwidth reservation (AR) can greatly increase resource utilization and cost efficiency. In this paper, we propose an Integer Linear Programming formulation of the bandwidth scheduling problem which takes into account the specific characteristics of media production networks. Two novel optimization algorithms based on this model are thoroughly evaluated and compared by means of in-depth simulation results.

    Emulating software-defined disaggregated optical networks in a containerized framework

    Telecom operators' infrastructure is under high pressure to keep pace with the traffic demand generated by the societal need for remote communications, bandwidth-hungry applications, and the fulfilment of 5G requirements. Software-defined networking (SDN) entered the scene by decoupling data-plane forwarding actions from control-plane decisions, hence boosting network programmability and innovation. Optical networks are also capitalizing on SDN benefits jointly with a disaggregation trend that holds the promise of overcoming traditional vendor-locked island limitations. In this work, we present our framework for disaggregated optical networks that leverages SDN and container-based management for a realistic emulation of deployment scenarios. Our proposal relies on Kubernetes for the control and management of the containers, while employing the NETCONF protocol for the interaction with the light-weight software entities, i.e., agents, which govern the emulated optical devices. Remarkably, our agents' structure relies on components that offer high versatility for accommodating the wide variety of components and systems in the optical domain. We showcase our proposal with the emulation of an 18-node European topology employing Cassini-compliant optical models, i.e., a state-of-the-art optical transponder proposed in the Telecom Infrastructure Project. The combination of our versatile framework based on containerized entities, the automatic creation of agents and the optical-layer characteristics represents a novel approach suitable for operationally complex carrier-grade transport infrastructure with SDN-based disaggregated optical systems.
    Funding: This research was funded by the Spanish Government: ONOFRE-2 project under Grant TEC2017-84423-C3-2-P (MINECO/AEI/FEDER, UE) and the Go2Edge project under Grant RED2018-102585-T; and by the European Commission: METRO-HAUL project (G.A. 761727).

    jYang: A YANG parser in Java

    The NETCONF configuration protocol of the IETF Network Working Group provides mechanisms to manipulate the configuration of network devices. YANG is the language currently under consideration within the IETF to specify the data models to be used in NETCONF. This report describes the design and development of a syntax and semantics parser for YANG in Java.

    Runtime Configuration Validation for Self-configurable Systems

    Runtime configuration validation is a critical requirement if we are to build reliable self-adaptive systems. This paper describes a model-based approach that supports runtime validation of candidate configurations. The approach is based on MeCSV, a metamodel we propose that allows a technology-neutral specification of systems' configurations and validity constraints. A constraint checker relying on this specification dynamically verifies candidate configurations before their deployment. Experimental results with a messaging platform show a viable validation overhead, demonstrating the feasibility of the approach.

    Seamless configuration of virtual network functions in data center provider networks

    Network function virtualization has enabled data center providers to offer new service provisioning models. Through the use of data center management software (cloud managers), providers allow their tenants to customize their virtual network infrastructure, enabling them to create a network topology that includes network functions (e.g., routers, firewalls), either chosen from the natively supported catalog or provided by third parties. In order to deploy a ready-to-go service, providers also have to take care of pushing functional configurations into each network function (e.g., IP addresses for routers and policy rules in firewalls). This paper proposes an architecture that extends current cloud management software to enable the configuration of network functions. We propose a model-based approach that exploits additional software components, i.e., translators and gateways, which are network-function-agnostic, i.e., they are vendor-neutral and not specific to a particular type of network function, and do not require any change in the network functions. A prototype of this solution has also been implemented and tested, in order to validate our approach and evaluate its effectiveness in the configuration phase.

    Netconf Element Management System: Design and Implementation

    The Network Configuration Protocol (Netconf) is an IETF network management protocol using an RPC-based communication model. It was developed in the Netconf working group and published in December 2006 as RFC 4741 and later revised in June 2011 (RFC 6241). This protocol defines a simple mechanism through which a network device can be managed, configuration data can be retrieved, and new configuration data can be uploaded and manipulated. The protocol allows the device to expose a full and formal application programming interface (API). Applications can use this straightforward API to send and receive full and partial configuration data sets.
    Summary of the thesis presented by the author in 2012 to obtain the degree of Magister en Redes de Datos (Master's in Data Networks) at the Universidad Nacional de La Plata. It is a revision of: http://sedici.unlp.edu.ar/handle/10915/23421
    Facultad de Informátic