3 research outputs found
The Road to BOFUSS: The Basic OpenFlow User-space Software Switch
Software switches are pivotal in the Software-Defined Networking (SDN)
paradigm, particularly in the early phases of development, deployment and
testing. Currently, the most popular one is Open vSwitch (OVS), leveraged in
many production-based environments. However, due to its kernel-based nature,
OVS is typically complex to modify when additional features or adaptation is
required. To this regard, a simpler user-space is key to perform these
modifications.
In this article, we present a rich overview of BOFUSS, the basic OpenFlow
user-space software switch. BOFUSS has been widely used in the research
community for diverse reasons, but it lacked a proper reference document. For
this purpose, we describe the switch, its history, architecture, uses cases and
evaluation, together with a survey of works that leverage this switch. The main
goal is to provide a comprehensive overview of the switch and its
characteristics. Although the original BOFUSS is not expected to surpass the
high performance of OVS, it is a useful complementary artifact that provides
some OpenFlow features missing in OVS and it can be easily modified for
extended functionality. Moreover, enhancements provided by the BEBA project
brought the performance from BOFUSS close to OVS. In any case, this paper sheds
light to researchers looking for the trade-offs between performance and
customization of BOFUSS.Comment: 24 pages, 7 figures; submitted to Telecommunications Systems journa
Mecanismos dinâmicos de segurança para redes softwarizadas e virtualizadas
The relationship between attackers and defenders has traditionally been
asymmetric, with attackers having time as an upper hand to devise an exploit
that compromises the defender. The push towards the Cloudification of
the world makes matters more challenging, as it lowers the cost of an attack,
with a de facto standardization on a set of protocols. The discovery of a vulnerability
now has a broader impact on various verticals (business use cases),
while previously, some were in a segregated protocol stack requiring independent
vulnerability research. Furthermore, defining a perimeter within a cloudified
system is non-trivial, whereas before, the dedicated equipment already
created a perimeter. This proposal takes the newer technologies of network
softwarization and virtualization, both Cloud-enablers, to create new dynamic
security mechanisms that address this asymmetric relationship using novel
Moving Target Defense (MTD) approaches. The effective use of the exploration
space, combined with the reconfiguration capabilities of frameworks like
Network Function Virtualization (NFV) and Management and Orchestration
(MANO), should allow for adjusting defense levels dynamically to achieve the
required security as defined by the currently acceptable risk. The optimization
tasks and integration tasks of this thesis explore these concepts. Furthermore,
the proposed novel mechanisms were evaluated in real-world use cases, such
as 5G networks or other Network Slicing enabled infrastructures.A relação entre atacantes e defensores tem sido tradicionalmente assimétrica,
com os atacantes a terem o tempo como vantagem para conceberem
uma exploração que comprometa o defensor. O impulso para a Cloudificação
do mundo torna a situação mais desafiante, pois reduz o custo de um
ataque, com uma padronização de facto sobre um conjunto de protocolos.
A descoberta de uma vulnerabilidade tem agora um impacto mais amplo em
várias verticais (casos de uso empresarial), enquanto anteriormente, alguns
estavam numa pilha de protocolos segregados que exigiam uma investigação
independente das suas vulnerabilidades. Além disso, a definição de um
perímetro dentro de um sistema Cloud não é trivial, enquanto antes, o equipamento
dedicado já criava um perímetro. Esta proposta toma as mais recentes
tecnologias de softwarização e virtualização da rede, ambas facilitadoras da
Cloud, para criar novos mecanismos dinâmicos de segurança que incidem sobre
esta relação assimétrica utilizando novas abordagens de Moving Target
Defense (MTD). A utilização eficaz do espaço de exploração, combinada com
as capacidades de reconfiguração de frameworks como Network Function
Virtualization (NFV) e Management and Orchestration (MANO), deverá permitir
ajustar dinamicamente os níveis de defesa para alcançar a segurança
necessária, tal como definida pelo risco actualmente aceitável. As tarefas de
optimização e de integração desta tese exploram estes conceitos. Além disso,
os novos mecanismos propostos foram avaliados em casos de utilização no
mundo real, tais como redes 5G ou outras infraestruturas de Network Slicing.Programa Doutoral em Engenharia Informátic