ScienceSDS: A Novel Software Defined Security Framework for Large-scale Data-intensive Science

Experimental science workflows from projects such as Compact Muon Solenoid (CMS) [6] and Laser Interferometer Gravitational Wave Observatory (LIGO) [2] are characterized by data-intensive computational tasks over large datasets transferred over encrypted channels. The Science DMZ [7] approach to network design favors lossless packet forwarding through a separate isolated network over secure lossy forwarding through stateful packet processors (e.g. fire-walls). We propose ScienceSDS, a novel software denied security framework for securely monitoring large-scale science datasets over a software defined networking and network functions virtualization (SDN/NFV) infrastructure

ScienceSDS: A Novel Software Defined Security Framework for Large-scale Data-intensive Science

Experimental science workflows from projects such as Compact Muon Solenoid (CMS) [6] and Laser Interferometer Gravitational Wave Observatory (LIGO) [2] are characterized by data-intensive computational tasks over large datasets transferred over encrypted channels. The Science DMZ [7] approach to network design favors lossless packet forwarding through a separate isolated network over secure lossy forwarding through stateful packet processors (e.g. fire-walls). We propose ScienceSDS, a novel software denied security framework for securely monitoring large-scale science datasets over a software defined networking and network functions virtualization (SDN/NFV) infrastructure

Segment Routing: a Comprehensive Survey of Research Activities, Standardization Efforts and Implementation Results

Fixed and mobile telecom operators, enterprise network operators and cloud providers strive to face the challenging demands coming from the evolution of IP networks (e.g. huge bandwidth requirements, integration of billions of devices and millions of services in the cloud). Proposed in the early 2010s, Segment Routing (SR) architecture helps face these challenging demands, and it is currently being adopted and deployed. SR architecture is based on the concept of source routing and has interesting scalability properties, as it dramatically reduces the amount of state information to be configured in the core nodes to support complex services. SR architecture was first implemented with the MPLS dataplane and then, quite recently, with the IPv6 dataplane (SRv6). IPv6 SR architecture (SRv6) has been extended from the simple steering of packets across nodes to a general network programming approach, making it very suitable for use cases such as Service Function Chaining and Network Function Virtualization. In this paper we present a tutorial and a comprehensive survey on SR technology, analyzing standardization efforts, patents, research activities and implementation results. We start with an introduction on the motivations for Segment Routing and an overview of its evolution and standardization. Then, we provide a tutorial on Segment Routing technology, with a focus on the novel SRv6 solution. We discuss the standardization efforts and the patents providing details on the most important documents and mentioning other ongoing activities. We then thoroughly analyze research activities according to a taxonomy. We have identified 8 main categories during our analysis of the current state of play: Monitoring, Traffic Engineering, Failure Recovery, Centrally Controlled Architectures, Path Encoding, Network Programming, Performance Evaluation and Miscellaneous...Comment: SUBMITTED TO IEEE COMMUNICATIONS SURVEYS & TUTORIAL

Hybrid SDN Evolution: A Comprehensive Survey of the State-of-the-Art

Software-Defined Networking (SDN) is an evolutionary networking paradigm which has been adopted by large network and cloud providers, among which are Tech Giants. However, embracing a new and futuristic paradigm as an alternative to well-established and mature legacy networking paradigm requires a lot of time along with considerable financial resources and technical expertise. Consequently, many enterprises can not afford it. A compromise solution then is a hybrid networking environment (a.k.a. Hybrid SDN (hSDN)) in which SDN functionalities are leveraged while existing traditional network infrastructures are acknowledged. Recently, hSDN has been seen as a viable networking solution for a diverse range of businesses and organizations. Accordingly, the body of literature on hSDN research has improved remarkably. On this account, we present this paper as a comprehensive state-of-the-art survey which expands upon hSDN from many different perspectives

Safe Update of Hybrid SDN Networks

The support for safe network updates, i.e., live modification of device behavior without service disruption, is a critical primitive for current and future networks. Several techniques have been proposed by previous works to implement such a primitive. Unfortunately, existing techniques are not generally applicable to any network architecture, and typically require high overhead (e.g., additional memory) to guarantee strong consistency (i.e., traversal of either initial or final paths, but never a mix of them) during the update. In this paper, we deeply study the problem of computing operational sequences to safely and quickly update arbitrary networks. We characterize cases, for which this computation is easy, and revisit previous algorithmic contributions in the new light of our theoretical findings. We also propose and thoroughly evaluate a generic sequence-computation approach, based on two new algorithms that we combine to overcome limitations of prior proposals. Our approach always finds an operational sequence that provably guarantees strong consistency throughout the update, with very limited overhead. Moreover, it can be applied to update networks running any combination of centralized and distributed control-planes, including different families of IGPs, OpenFlow or other SDN protocols, and hybrid SDN networks. Our approach therefore supports a large set of use cases, ranging from traffic engineering in IGP-only or SDN-only networks to incremental SDN roll-out and advanced requirements (e.g., per-flow path selection or dynamic network function virtualization) in partial SDN deployments

Threats and Defenses in SDN Control Plane

abstract: Network Management is a critical process for an enterprise to configure and monitor the network devices using cost effective methods. It is imperative for it to be robust and free from adversarial or accidental security flaws. With the advent of cloud computing and increasing demands for centralized network control, conventional management protocols like Simple Network Management Protocol (SNMP) appear inadequate and newer techniques like Network Management Datastore Architecture (NMDA) design and Network Configuration (NETCONF) have been invented. However, unlike SNMP which underwent improvements concentrating on security, the new data management and storage techniques have not been scrutinized for the inherent security flaws. In this thesis, I identify several vulnerabilities in the widely used critical infrastructures which leverage the NMDA design. Software Defined Networking (SDN), a proponent of NMDA, heavily relies on its datastores to program and manage the network. I base my research on the security challenges put forth by the existing datastore’s design as implemented by the SDN controllers. The vulnerabilities identified in this work have a direct impact on the controllers like OpenDayLight, Open Network Operating System and their proprietary implementations (by CISCO, Ericsson, RedHat, Brocade, Juniper, etc). Using the threat detection methodology, I demonstrate how the NMDA-based implementations are vulnerable to attacks which compromise availability, integrity, and confidentiality of the network. I finally propose defense measures to address the security threats in the existing design and discuss the challenges faced while employing these countermeasures.Dissertation/ThesisMasters Thesis Computer Science 201

Redes definidas por software flexíveis

The fifth generation of mobile networks (5G) are able to offer better services than its predecessors mainly through the usage of software defined networks (SDN) and network functions virtualization (NFV) However, after multiple solutions developed using OpenFlow, the conclusion was that the even after several years of the first version released, OpenFlow fails to offer full flexibility and cannot handle unknown protocols. With that in mind, the community got together and created what is known today as P4. P4 is a language designed to program the data plane behavior, that, with the help of P4Runtime, the alternative of OpenFlow to P4 enabled devices, it allows the management of the data plane behavior regarding the target or the protocol. All of that because, unlike OpenFlow, P4Runtime does not assume that network devices have a fixed and well defined behavior, usually described by the ASIC chip. In this work, P4 ecosystem is used to implement offloading of functions to the network devices and evaluate whether that is impactful for the network performance. Given the low amount of work developed with P4 regarding publish-subscribe systems, that traditionally rely on brokers, it was decided to offload several functions of such systems to the dataplane with P4, leading that the overall solution can be comparable to distributed broker ones. However, P4 is limited regarding the management of state related data, just like of TCP sessions, which many publish-subscribe system rely on. Zenoh, a new publish-subscribe protocol that is still in early phases and directed to IoT, is also able to run over UDP and therefore is a great candidate to be implemented in P4 to overcome such issues. It is then used to show the advantages of doing offloading of processing to the dataplane. The conceptualized system was then compared to two more traditional ones, that do not make use of offloading. The overall results achieved are promising. Results show that there are benefits in the offloading of certain tasks to the dataplane and therefore be closer to the end user and with that improve latency. However, regarding the pure Zenoh, the results achieved are poorer. That can be explained by the usage of software switches that are not production grade ready and whose performance is highly impacted by several data plane factors. That makes it necessary to do more tests on expensive hardware equipment for a more concrete conclusion.As redes móveis de quinta geração (5G) conseguem oferecer melhores serviços que as suas anteriores gerações maioritariamente através do uso de tecnologias como redes definidas por software (SDN) e virtualização das funções da rede (NFV). No entanto, após vários anos de implementações de soluções usando OpenFlow, chegou-se à conclusão que este tem limitações relativamente a protocolos desconhecidos, mesmo após vários anos da primeira versão. Então, a comunidade juntou-se e criou o que hoje é o ecossistema P4/P4Runtime. Sendo o P4 uma linguagem destinada à programação do comportamento do plano de dados e o P4Runtime o equivalente ao OpenFlow para equipamentos que suportam P4, no entanto permite uma gestão do comportamento do plano de dados independente do dispositivo e do protocolo, uma vez que não assume que os equipamentos de rede têm um comportamento fixo bem definido, normalmente descrito pelo chip ASIC. Neste trabalho, faz-se uso do ecossistema do P4 para implementação de offloading de funções para os próprios equipamentos de rede e avalia-se se esta solução traz benefícios para a performance da rede. Devido à pouca exploração em P4 de sistemas publish-subscribe, que dependem tradicionalmente de brokers, foi decidido fazer offloading de funções de um desses sistemas através do uso de P4, permitindo ainda que a solução como um todo possa ser comparável com as oferecidas por um broker distribuído. No entanto, o P4 tem limitações ao nível de gestão de sessões TCP. O Zenoh, um protocol publish-subscribe ainda em evolução e direcionado para IoT, permite também transporte sobre UDP, e é por isso um grande candidato a ser implementado em P4 para demonstrar as vantagens de fazer offloading de processamento para o plano de dados. O sistema conceptualizado e desenvolvido foi então comparado com outros dois sistemas mais tradicionais que não fazem uso de offloading. Os resultados são animadores mostrando que existe benefício em fazer ffloading de certas funções para o plano de dados, visto que certas operações podem ser feitas mais perto do utilizador final. No entanto, comparando os resultados com os oferecidos pelo Zenoh puro, os resultados são piores, sendo isto explicado pelo facto de os equipamentos de rede utilizados serem switches em software que não estão preparados para ambientes de produção e são muito penalizados por diversos fatores do comportamento do plano de dados. É por isso necessário fazer testes em equipamentos de hardware para uma avaliação mais profunda e consequente conclusão.Mestrado em Engenharia de Computadores e Telemátic