ScienceSDS: A Novel Software Defined Security Framework for Large-scale Data-intensive Science
Experimental science workflows from projects such as the Compact Muon Solenoid (CMS) [6] and the Laser Interferometer Gravitational Wave Observatory (LIGO) [2] are characterized by data-intensive computational tasks over large datasets transferred over encrypted channels. The Science DMZ [7] approach to network design favors lossless packet forwarding through a separate, isolated network over secure but lossy forwarding through stateful packet processors (e.g. firewalls). We propose ScienceSDS, a novel software defined security framework for securely monitoring large-scale science datasets over a software defined networking and network functions virtualization (SDN/NFV) infrastructure.
Segment Routing: a Comprehensive Survey of Research Activities, Standardization Efforts and Implementation Results
Fixed and mobile telecom operators, enterprise network operators and cloud
providers strive to face the challenging demands coming from the evolution of
IP networks (e.g. huge bandwidth requirements, integration of billions of
devices and millions of services in the cloud). Proposed in the early 2010s,
Segment Routing (SR) architecture helps face these challenging demands, and it
is currently being adopted and deployed. SR architecture is based on the
concept of source routing and has interesting scalability properties, as it
dramatically reduces the amount of state information to be configured in the
core nodes to support complex services. SR architecture was first implemented
with the MPLS dataplane and then, quite recently, with the IPv6 dataplane
(SRv6). IPv6 SR architecture (SRv6) has been extended from the simple steering
of packets across nodes to a general network programming approach, making it
very suitable for use cases such as Service Function Chaining and Network
Function Virtualization. In this paper we present a tutorial and a
comprehensive survey on SR technology, analyzing standardization efforts,
patents, research activities and implementation results. We start with an
introduction on the motivations for Segment Routing and an overview of its
evolution and standardization. Then, we provide a tutorial on Segment Routing
technology, with a focus on the novel SRv6 solution. We discuss the
standardization efforts and the patents providing details on the most important
documents and mentioning other ongoing activities. We then thoroughly analyze
research activities according to a taxonomy. We have identified 8 main
categories during our analysis of the current state of play: Monitoring,
Traffic Engineering, Failure Recovery, Centrally Controlled Architectures, Path
Encoding, Network Programming, Performance Evaluation and Miscellaneous...
Comment: SUBMITTED TO IEEE COMMUNICATIONS SURVEYS & TUTORIAL
Hybrid SDN Evolution: A Comprehensive Survey of the State-of-the-Art
Software-Defined Networking (SDN) is an evolutionary networking paradigm
which has been adopted by large network and cloud providers, among which are
Tech Giants. However, embracing a new and futuristic paradigm as an alternative
to the well-established and mature legacy networking paradigm requires a lot of
time along with considerable financial resources and technical expertise.
Consequently, many enterprises cannot afford it. A compromise solution then is
a hybrid networking environment (a.k.a. Hybrid SDN (hSDN)) in which SDN
functionalities are leveraged while existing traditional network
infrastructures are acknowledged. Recently, hSDN has been seen as a viable
networking solution for a diverse range of businesses and organizations.
Accordingly, the body of literature on hSDN research has improved remarkably.
On this account, we present this paper as a comprehensive state-of-the-art
survey which expands upon hSDN from many different perspectives.
Safe Update of Hybrid SDN Networks
The support for safe network updates, i.e., live modification of device behavior without service disruption, is a critical primitive for current and future networks. Several techniques have been proposed by previous works to implement such a primitive. Unfortunately, existing techniques are not generally applicable to any network architecture, and typically require high overhead (e.g., additional memory) to guarantee strong consistency (i.e., traversal of either initial or final paths, but never a mix of them) during the update. In this paper, we deeply study the problem of computing operational sequences to safely and quickly update arbitrary networks. We characterize cases for which this computation is easy, and revisit previous algorithmic contributions in the new light of our theoretical findings. We also propose and thoroughly evaluate a generic sequence-computation approach, based on two new algorithms that we combine to overcome limitations of prior proposals. Our approach always finds an operational sequence that provably guarantees strong consistency throughout the update, with very limited overhead. Moreover, it can be applied to update networks running any combination of centralized and distributed control planes, including different families of IGPs, OpenFlow or other SDN protocols, and hybrid SDN networks. Our approach therefore supports a large set of use cases, ranging from traffic engineering in IGP-only or SDN-only networks to incremental SDN roll-out and advanced requirements (e.g., per-flow path selection or dynamic network function virtualization) in partial SDN deployments.
Threats and Defenses in SDN Control Plane
Network management is a critical process for an enterprise to configure and monitor its network devices using cost-effective methods. It is imperative for it to be robust and free from adversarial or accidental security flaws. With the advent of cloud computing and increasing demands for centralized network control, conventional management protocols like the Simple Network Management Protocol (SNMP) appear inadequate, and newer techniques like the Network Management Datastore Architecture (NMDA) design and Network Configuration (NETCONF) have been invented. However, unlike SNMP, which underwent improvements concentrating on security, the new data management and storage techniques have not been scrutinized for inherent security flaws.
In this thesis, I identify several vulnerabilities in widely used critical infrastructures which leverage the NMDA design. Software Defined Networking (SDN), a proponent of NMDA, heavily relies on its datastores to program and manage the network. I base my research on the security challenges put forth by the existing datastore design as implemented by the SDN controllers. The vulnerabilities identified in this work have a direct impact on controllers like OpenDaylight, Open Network Operating System and their proprietary implementations (by Cisco, Ericsson, Red Hat, Brocade, Juniper, etc.). Using the threat detection methodology, I demonstrate how the NMDA-based implementations are vulnerable to attacks which compromise the availability, integrity, and confidentiality of the network. I finally propose defense measures to address the security threats in the existing design and discuss the challenges faced while employing these countermeasures.
Dissertation/Thesis: Masters Thesis, Computer Science, 201
Flexible software-defined networks
The fifth generation of mobile networks (5G) is able to offer better
services than its predecessors mainly through the use of software-defined
networking (SDN) and network functions virtualization (NFV).
However, after multiple solutions were developed using OpenFlow, the conclusion
was that, even several years after its first version was released,
OpenFlow fails to offer full flexibility and cannot handle unknown protocols.
With that in mind, the community came together and created
what is known today as P4. P4 is a language designed to program
data plane behavior; together with P4Runtime, the alternative
to OpenFlow for P4-enabled devices, it allows the data plane behavior
to be managed independently of the target or the protocol. This is possible
because, unlike OpenFlow, P4Runtime does not assume that network
devices have a fixed and well-defined behavior, usually dictated by
the ASIC chip.
In this work, the P4 ecosystem is used to offload functions
to the network devices and to evaluate whether this has an impact on
network performance. Given the small amount of work done with
P4 on publish-subscribe systems, which traditionally rely on brokers,
it was decided to offload several functions of such systems to the
data plane with P4, so that the overall solution can be comparable
to distributed-broker ones. However, P4 is limited in the management
of state-related data, such as TCP sessions, on which many
publish-subscribe systems rely. Zenoh, a new publish-subscribe protocol
that is still in its early phases and aimed at IoT, is also able to
run over UDP and is therefore a strong candidate to be implemented in
P4 to overcome these issues. It is then used to show the advantages of
offloading processing to the data plane.
The conceptualized system was then compared to two more traditional
ones that do not make use of offloading. The overall results achieved
are promising. They show that there are benefits in offloading
certain tasks to the data plane, which brings them closer to the end user
and thereby improves latency. However, compared with pure Zenoh,
the results achieved are poorer. This can be explained by the use
of software switches that are not production grade and whose
performance is heavily affected by several data plane factors. This
makes it necessary to run more tests on expensive hardware equipment
before a firmer conclusion can be drawn.
Fifth-generation mobile networks (5G) are able to offer better
services than previous generations, mainly through the
use of technologies such as software-defined networking (SDN) and network functions virtualization (NFV).
However, after several years of implementing solutions using
OpenFlow, it was concluded that it has limitations regarding
unknown protocols, even several years after its first
version. The community therefore came together and created what is today the
P4/P4Runtime ecosystem. P4 is a language for
programming data plane behavior and P4Runtime is
the equivalent of OpenFlow for P4-capable equipment; unlike OpenFlow,
however, it allows the data plane behavior to be managed independently
of the device and the protocol, since it does not assume that
network equipment has a fixed, well-defined behavior,
normally dictated by the ASIC chip.
In this work, the P4 ecosystem is used to implement
offloading of functions to the network equipment itself, and it is evaluated
whether this solution brings benefits to network performance. Given how
little publish-subscribe systems, which traditionally depend
on brokers, have been explored in P4, it was decided to offload functions
of one such system using P4, while also allowing the
solution as a whole to be comparable to those offered by
a distributed broker. However, P4 has limitations in the
management of TCP sessions. Zenoh, a publish-subscribe protocol still
under development and aimed at IoT, also allows transport over
UDP, and is therefore a strong candidate to be implemented in P4 to
demonstrate the advantages of offloading processing to the
data plane.
The conceptualized and developed system was then compared with
two other more traditional systems that do not make use of offloading.
The results are encouraging, showing that there is benefit
in offloading certain functions to the data plane, since
certain operations can be performed closer to the end user. However,
comparing the results with those offered by pure Zenoh,
the results are worse, which is explained by the fact that the network
equipment used consists of software switches that are not
ready for production environments and are heavily penalized by
several factors in the data plane behavior. It is therefore necessary to run tests on hardware equipment for a deeper
evaluation and a consequent conclusion.
Master's in Computer and Telematics Engineering