86 research outputs found

    Techno-economic analysis of software-defined telecommunications networks

    DQN-based intelligent controller for multiple edge domains

    Advanced technologies like network function virtualization (NFV) and multi-access edge computing (MEC) have been used to build flexible, highly programmable, and autonomously manageable infrastructures close to the end-users, at the edge of the network. In this vein, the use of single-board computers (SBCs) in commodity clusters has gained attention to deploy virtual network functions (VNFs) due to their low cost, low energy consumption, and easy programmability. This paper deals with the problem of deploying VNFs in a multi-cluster system formed by this kind of node, which is characterized by limited computational and battery capacities. Additionally, existing platforms to orchestrate and manage VNFs do not consider energy levels during their placement decisions, and therefore, they are not optimized for energy-constrained environments. In this regard, this study proposes an intelligent controller as a global allocation mechanism based on deep reinforcement learning (DRL), specifically on deep Q-network (DQN). The conceived mechanism optimizes energy consumption in SBCs by selecting the most suitable nodes across several clusters to deploy event requests in terms of nodes’ resources and events’ demands. A comparison with available allocation algorithms revealed that our solution required 28% lower resource costs and reduced the energy consumption in the clusters’ computing nodes by 35% while maintaining high levels of acceptance ratio. This work has been supported in part (50%) by the Agencia Estatal de Investigación of Ministerio de Ciencia e Innovación of Spain under projects PID2019-108713RB-C51 & PID2019-108713RB-C52 MCIN/AEI/10.13039/501100011033; and in part (50%) by AI@EDGE H2020-ICT-52-2020 under grant agreement No. 10101592

    Multi-provider network service embedding

    [no abstract]

    Context-based security function orchestration for the network edge

    Over the last few years the number of interconnected devices has increased dramatically, generating zettabytes of traffic each year. In order to cater to the requirements of end-users, operators have deployed network services to enhance their infrastructure. Nowadays, telecommunications service providers are making use of virtualised, flexible, and cost-effective network-wide services, under what is known as Network Function Virtualisation (NFV). Future network and application requirements necessitate services to be delivered at the edge of the network, in close proximity to end-users, which has the potential to reduce end-to-end latency and minimise the utilisation of the core infrastructure while providing flexible allocation of resources. One class of functionality that NFV facilitates is the rapid deployment of network security services. However, the urgency for assuring connectivity to an ever-increasing number of devices, as well as their resource-constrained nature, has led to neglecting security principles and best practices. These low-cost devices are often exploited for malicious purposes in targeting the network infrastructure, with recent volumetric Distributed Denial of Service (DDoS) attacks often surpassing 1 terabyte per second of network traffic. The work presented in this thesis aims to identify the unique requirements of security modules implemented as Virtual Network Functions (VNFs), and the associated challenges in providing management and orchestration of complex chains consisting of multiple VNFs. The work presented here focuses on deployment, placement, and lifecycle management of microservice-based security VNFs in resource-constrained environments using contextual information on device behaviour.
Furthermore, the thesis presents a formulation of the latency-optimal placement of service chains at the network edge, provides an optimal solution using Integer Linear Programming, and an associated near-optimal heuristic solution that is able to solve larger-size problems in reduced time, which can be used in conjunction with context-based security paradigms. The results of this work demonstrate that lightweight security VNFs can be tailored for, and hosted on, a variety of devices, including commodity resource-constrained systems found in edge networks. Furthermore, using a context-based implementation of the management and orchestration of lightweight services enables the deployment of real-world complex security service chains tailored towards the user’s performance demands from the network. Finally, the results of this work show that on-path placement of service chains reduces the end-to-end latency and minimises the number of service-level agreement violations, therefore enabling secure use of latency-critical networks.

    Modelling and managing service-level agreements in the context of 5G neutral hosting platforms

    This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 761508 (5GCity project) and the Spanish national project 5GCity (TEC2016-76795-C6-1-R). This document contains the study and development of Service-Level Agreement (SLA) management mechanisms in the context of a 5G neutral host platform. The infrastructure involved in a neutral host platform is evaluated by an SLA Manager that handles the database of agreements for all the users, and verifies if the monitored data complies with the thresholds stated in the Service-Level Objectives (SLO) agreed in the SLAs. Neutral host is a platform that has different levels of virtualization over a 5G infrastructure. It starts from a sliced network infrastructure for logic separation between tenants, which in the next level of virtualization, can host 5G services with Network Functions Virtualization (NFV) techniques. This virtual platform runs on top of a physical infrastructure that not only covers data centres like in cloud platforms, but also includes access networks, edge computing and distributed cloud elements. Evaluating through all this infrastructure adds new levels of complexity for monitoring and obtaining an accurate value for any Key Performance Indicator, or high-level parameters for Quality of Service. This challenge is faced with a software module, called SLA Manager, which identifies the different involved infrastructure elements and creates monitoring jobs according to high-level requirements described in each SLO to obtain low-level infrastructure data. This data is then computed to obtain a high-level value to compare later with an SLO threshold and verify if there is a violation. Availability is the main KPI on which this study focuses.
A generic SLA template body is presented for being stored in a NoSQL database solution, able to adapt to any new service deployed over new technologies that may be deployed by the neutral host, and to add flexibility and scalability to the solution. Results show that the accuracy and reliability of the high-level objectives stated in the SLOs obey the standards required for 5G applications. The system quickly detects any outage and gives feedback to the platform to recover and avoid any violation. Delay times for detection are observed in order to provide exact measurements for availability levels. The report ends with conclusions and future development lines, as well as ethical and sustainability considerations the study involves.

    On the placement of security-related Virtualised Network Functions over data center networks

    Middleboxes are typically hardware-accelerated appliances such as firewalls, proxies, WAN optimizers, and NATs that play an important role in service provisioning over today's data centers. Reports show that the number of middleboxes is on par with the number of routers, and consequently represent a significant commitment from an operator's capital and operational expenditure budgets. Over the past few years, software middleboxes known as Virtual Network Functions (VNFs) are replacing the hardware appliances to reduce cost, improve the flexibility of deployment, and allow for extending network functionality in short timescales. This dissertation aims at identifying the unique characteristics of security modules implementation as VNFs in virtualised environments. We focus on the placement of the security VNFs to minimise resource usage without violating the security-imposed constraints as a challenge faced by operators today who want to increase the usable capacity of their infrastructures. The work presented here focuses on the multi-tenant environment where customised security services are provided to tenants. The services are implemented as a software module deployed as a VNF collocated with network switches to reduce overhead. Furthermore, the thesis presents a formalisation for the resource-aware placement of security VNFs and provides a constraint programming solution along with examining heuristic, meta-heuristic and near-optimal/subset-sum solutions to solve larger size problems in reduced time. The results of this work identify the unique and vital constraints of the placement of security functions. They demonstrate that the granularity of the traffic required by the security functions imposes traffic constraints that increase the resource overhead of the deployment. The work identifies the north-south traffic in data centers as the traffic designed for processing for security functions rather than east-west traffic.
It asserts that the non-sharing strategy of security modules will reduce the complexity in case of the multi-tenant environment. Furthermore, the work adopts on-path deployment of security VNF traffic strategy, which is shown to reduce resources overhead compared to previous approaches.

    User-plane software containerization in a cloud radio access network (Käyttäjätason ohjelmistokontittaminen pilviradioliityntäverkossa)

    The number of devices connected through mobile networks has been growing rapidly. This growth will create a demand for network capacity that cannot be met with traditional methods. This problem could be solved by implementing a cloud radio access network (RAN), a new concept, to adapt cloud computing technologies, such as software containers, from the software industry to RANs. This adaptation will also create a need to modify working practices in order to better comply with these new cloud computing technologies. While cloud RAN has recently received much research attention, the actual software implementations have not been widely discussed in the literature. Therefore, this thesis evaluates the feasibility of using software containers in the user-plane applications of cloud RAN in terms of networking and inter-container communications (ICC). This is accomplished by identifying potential approaches for ICC and for container networking as well as measuring the performance of these approaches. Two approaches are proposed for ICC and container networking. The approaches were evaluated in terms of throughput and latency. These approaches were found to be suitable for use in cloud RAN user-plane applications. However, since the measurements were performed in a simplified environment, implementing the approaches into a cloud RAN component will require further work.
The number of devices connected to mobile networks is growing rapidly. This growth will create a demand for network capacity that cannot be met with traditional methods. This problem could presumably be solved by implementing a cloud radio access network (Cloud RAN), a new concept that adapts cloud computing technologies established in the software industry for use in radio access networks (RAN). This adaptation process also creates a need to adjust working practices to be compatible with the new cloud computing technologies. Although the cloud radio access network has been actively researched recently, practical software implementations have hardly been discussed in the literature. This master's thesis evaluates the suitability of software containers for use in the user-plane applications of a cloud radio access network with respect to networking and inter-container communications (ICC). The evaluation is carried out by identifying possible implementations for inter-container communication and container networking and by measuring the performance of these implementations. This thesis proposes two implementations for inter-container communication and container networking to be studied. These implementations were evaluated in terms of throughput and latency. These implementations were found to be suitable for use in the user-plane applications of a cloud radio access network. However, since the measurements were carried out in a simplified environment, implementing them in a cloud radio access network component requires further work.

    Contribution to multi-domain network slicing : resource orchestration framework and algorithms

    5G/6G services and applications, in the context of the eMBB, mMTC and uRLLC network slicing framework, whose network infrastructure requirements may span beyond the coverage area of a single Infrastructure Provider (InP), are envisaged to be supported by leasing resources from multiple InPs. A challenging aspect for a Service Provider (SP) is how to obtain an optimal set of InPs on which to provision the requests and the particular substrate nodes and links within each InP on which to map the different VNFs and virtual links of the service requests, respectively, for a seamless, reliable and cost-effective orchestration of service requests. Existing works in this area either perform service mapping in an uncoordinated manner, do not incorporate service reliability or do so from the perspective of stateless VNFs. They also assume full information disclosure, or are based on exact approaches, considerations that are not well suited for future network scenarios characterized by delay-sensitive mission-critical applications and resource-constrained networks. This thesis contributes to the above challenge by breaking the multi-domain service orchestration problem into two interlinked sub-problems that are solved in a coordinated manner: (1) Request splitting/partitioning (sub-problem 1), involving obtaining a subset of InPs and the corresponding inter-domain links on which to provision the different VNFs and virtual links of the service request; (2) Intra-domain VNF orchestration (sub-problem 2), involving obtaining the intra-domain nodes and links to provision the VNFs and virtual links of the sub-SFC associated with each InP.
In this way, the thesis sets out four key targets that are necessary to align with the mission-critical and delay-sensitive use cases envisaged in 5G and future networks in terms of service deployment cost and QoS: (1) coordinated mapping of service requests, with a view to realizing better utilization of the substrate resources; (2) survivability and fault-tolerant orchestration of service requests, to tame both QoS violations and the penalties from such violations; (3) limited disclosure of InP internal information, in order to adhere to the privacy requirements of InPs; and (4) achieving all the above targets in polynomial time. In order to realize the above targets, the thesis sought solution techniques that are: (1) able to incorporate information learned in the previous solutions search space and historical mapping decisions, hence resulting in acceptable performance even in scenarios of limited information exposure and fuzzy environments; (2) robust and less problem-specific, hence able to be tailored to different optimization objectives, network topologies and service request constraints, thus making it possible to deal with requests with either chained topologies or with bifurcated paths; (3) capable of dealing with an optimization problem that is jointly affected by multiple attributes, since in practice the service deployment cost is jointly affected by multiple conflicting costs; (4) able to realize near-optimal solutions in practical run-times, thus rendering them well suited for delay-sensitive and resource-constrained scenarios. Three different algorithms, namely an RL algorithm, a Genetic Algorithm (GA) and a fully distributed multi-stage graph-based algorithm, are proposed for sub-problem 1. In addition, five different algorithms based on GA, Harmony search, RL, and multi-stage graph approach are proposed for sub-problem 2.
Finally, in order to guide the implementation and adherence of the thesis proposals to the four main targets of the thesis, an architectural framework is proposed, aligned with the ETSI NFV-MANO architectural framework. Overall, the simulation results proved that the thesis proposals are optimized in terms of request acceptance ratios, mapping cost and execution time, hence rendering such proposals well suited for 5G and future scenarios.
The services that can be offered within the framework of 5G/6G network slicing technology, such as eMBB, mMTC or uRLLC, may not be deliverable by a single infrastructure provider (InP) because of the limitations its network may have, which makes the cooperation of multiple InPs necessary. In this case, the first challenge facing the Service Provider (SP) that receives the deployment request is to determine the optimal set of InPs that must take part and, specifically, the nodes and links of each of them that must be used for mapping the different VNFs and virtual links of the request. Existing works in this area carry out the service mapping either in an uncoordinated manner, or do not incorporate reliability, or do so from the perspective of stateless VNFs. They also assume full disclosure of information, or are based on exact methodologies, which makes them unsuitable for future network scenarios characterised by mission-critical, delay-sensitive applications running over resource-constrained networks. This thesis contributes to addressing these challenges by dividing the multi-domain service orchestration problem into two related sub-problems that are solved in a coordinated manner.
(1) Service request splitting/partitioning (sub-problem 1), which involves obtaining a subset of InPs and the corresponding inter-domain links on which to provision the different VNFs and virtual links of the service request; (2) Intra-domain VNF orchestration (sub-problem 2), which involves obtaining the intra-domain nodes and links to provision the VNFs and virtual links of the sub-SFCs associated with each InP. In this way, the thesis sets out four key targets that are necessary to align with the mission-critical and delay-sensitive use cases envisaged in 5G and future networks in terms of service deployment cost and QoS: (1) coordinated mapping of service requests, with the aim of achieving better utilisation of the substrate resources; (2) orchestration of service requests that takes service survivability under failures into account, minimising QoS violations and the penalties arising from those violations; (3) limited disclosure of the InP's internal information, in order to adhere to the privacy requirements of the InPs; and (4) achieving all of the above targets in polynomial time.
To realise the above targets, the thesis seeks solutions that are: (1) able to incorporate information learned from previous solutions of the search space and historical mapping decisions, giving acceptable performance even in scenarios of limited information exposure and fuzzy environments; (2) robust and less dependent on the specific problem, and therefore adaptable to different optimisation objectives, network topologies and service request constraints, thus making it possible to deal with requests whose function chains have very diverse topologies; (3) able to deal with a multi-attribute optimisation problem, since in practice the service deployment cost depends on multiple costs; (4) able to find near-optimal solutions in sufficiently short times, and thus suited to delay-sensitive and resource-constrained scenarios. The thesis proposes three different algorithms for sub-problem 1: an RL algorithm, a genetic algorithm (GA) and a fully distributed multi-stage graph-based algorithm. In addition, five different algorithms are proposed based on the graph approach, a GA algorithm, a harmony search algorithm, an RL algorithm and a multi-stage algorithm for sub-problem 2. Finally, in order to guide the implementation and the adherence of the proposals to the four main targets of the thesis, it is proposed... Postprint (published version)

    Enabling Network Flexibility by Decomposing Network Functions

    Next-generation networks are expected to serve a wide range of use cases, each of which features a set of diverse and stringent requirements. For instance, video streaming and industrial automation are becoming more and more prominent in our society, but while the first use case requires high bandwidth, the second one mandates sub-millisecond latency. To accommodate these requirements, networks must be flexible, i.e., they must provide cost-efficient ways of adapting to different requirements. For example, networks must be able to scale with the traffic load to support the bandwidth requirements of the video streaming use case. In response to the need for flexibility, the scientific community has proposed Software Defined Networking (SDN), Network Function Virtualization (NFV), and network slicing. SDN simplifies the management of networks by separating control plane and data plane, while NFV allows scaling the network functions with the traffic load. Network slicing provides the operators with virtual networks which can be tailored to meet the requirements of the use cases. While these technologies pave the way towards network flexibility, the capability of networks to adapt to different use cases is still limited by several inefficiencies. For example, to improve the scalability of network functions, network operators use dedicated systems which manage the state of network functions by keeping it in a data store. These systems are designed to offer specific features, such as reliability or performance, which determine the data store adopted and the Application Programming Interface (API) exposed to the network functions. Network operators need to change the data store depending on the features required by the use case served, but this operation involves refactoring the network functions, thus implying significant costs. Furthermore, network operators need to migrate the network functions, for example to minimize bandwidth usage during traffic peaks. 
Nevertheless, network slices convey the traffic coming from a multitude of sources through a small set of network functions, which are consequently resource-hungry and difficult to migrate, forcing the network operator to overprovision the network. Due to these inefficiencies, adapting the network to different use cases requires a significant increase in both Capital Expenditure (CapEx) and Operational Expenditure (OpEx), thus resulting in a showstopper for network operators. Addressing these inefficiencies would lower the costs of adapting networks to different use cases, thus improving network flexibility. To this end, we propose to decompose the network functions into fine-grained network functions, each providing only a subset of the functionalities, or processing only a share of the traffic, thus obtaining network functions which are less resource-hungry, easier to migrate, and easier to upgrade. We examine three directions along which we can perform the decomposition. The first direction is leveraging the networking planes, such as control and data planes, for example separating the functionalities for packet processing from the ones for network management. The second direction is leveraging the sources and destinations of the traffic flowing through each network function and creating a dedicated network function for each source-destination pair. The third direction is decoupling the state management of the network functions from the data store by leveraging an API which is independent from the data store adopted. We show that each decomposition addresses a specific inefficiency. For example, decoupling the state management from the data store enables network operators to change the data store adopted without the need for refactoring the network functions. Decomposing network functions also brings some drawbacks. 
For example, it can result in an increase of the number of network functions, thus making network management tasks, such as network reconfiguration, more challenging. We study two key drawbacks and we discuss the solutions we designed to contrast them. In this thesis, we show that decomposing network functions allows improving network flexibility, but it must be complemented with techniques to mitigate any negative side effect.
Next-generation networks are expected to serve a wide range of use cases, each of which has different requirements regarding network functions and characteristics. For example, video streaming and industrial automation are becoming increasingly important in our society, but while the first use case requires high bandwidth, the second demands sub-millisecond latency. To meet these requirements, networks must be flexible; in other words, they must offer cost-efficient ways of adapting to different requirements. In response to the need for flexibility, the scientific community has proposed Software Defined Networking (SDN), Network Function Virtualization (NFV) and network slicing. SDN simplifies network management by separating the control plane and the data plane, while NFV allows network functions to be scaled with the traffic load. Network slicing provides operators with virtual networks that can be tailored to meet the requirements of the use cases. Although these technologies pave the way to network flexibility, the ability of networks to adapt to different use cases is still limited by many inefficiencies. For example, to improve the scalability of network functions, network operators use separate state storage systems.
Network operators must change the data store according to the features required by the use case being served, but this operation involves refactoring the network functions, which entails significant costs. Because of these inefficiencies, adapting the network to different use cases requires a significant increase in both Capital Expenditure (CapEx) and Operational Expenditure (OpEx). This dissertation presents a new method for partitioning and decomposing network functions into finer-grained functions, each of which provides part of the original functionality. The method yields distributed and interoperable network functions that use fewer network resources and are easier to migrate and to use in different use cases. The dissertation shows that each area helps to correct a specific inefficiency in the system. For example, decoupling state management from the data store allows network operators to change the data store in use without having to modify the network functions. Partitioning and distributing network functions can also, in some situations, weaken the properties of the network. The dissertation examines the key weaknesses of the method and presents solutions to them. This study shows that partitioning and distributing network functions improve network flexibility, but the method must be complemented to mitigate possible harmful side effects.