PABO: Mitigating Congestion via Packet Bounce in Data Center Networks

In today's data center, a diverse mix of throughput-sensitive long flows and delay-sensitive short flows are commonly presented in shallow-buffered switches. Long flows could potentially block the transmission of delay-sensitive short flows, leading to degraded performance. Congestion can also be caused by the synchronization of multiple TCP connections for short flows, as typically seen in the partition/aggregate traffic pattern. While multiple end-to-end transport-layer solutions have been proposed, none of them have tackled the real challenge: reliable transmission in the network. In this paper, we fill this gap by presenting PABO -- a novel link-layer design that can mitigate congestion by temporarily bouncing packets to upstream switches. PABO's design fulfills the following goals: i) providing per-flow based flow control on the link layer, ii) handling transient congestion without the intervention of end devices, and iii) gradually back propagating the congestion signal to the source when the network is not capable to handle the congestion.Experiment results show that PABO can provide prominent advantage of mitigating transient congestions and can achieve significant gain on end-to-end delay

Vicinity-based Replica Finding in Named Data Networking

In Named Data Networking (NDN) architectures, a content object is located according to the content's identifier and can be retrieved from all nodes that hold a replica of the content. The default forwarding strategy of NDN is to forward an Interest packet along the default path from the requester to the server to find a content object according to its name prefix. However, the best path may not be the default path, since content might also be located nearby. Hence, the default strategy could result in a sub-optimal delivery efficiency. To address this issue we introduce a vicinity-based replica finding scheme. This is based on the observation that content objects might be requested several times. Therefore, replicas can be often cached within a particular neighbourhood and thus it might be efficient to specifically look for them in order to improve the content delivery performance. Within this paper, we evaluate the optimal size of the vicinity within which content should be located (i.e. the distance between the requester and its neighbours that are considered within the content search). We also compare the proposed scheme with the default NDN forwarding strategy with respect to replica finding efficiency and network overhead. Using the proposed scheme, we demonstrate that the replica finding mechanism reduces the delivery time effectively with acceptable overhead costs

On the realization of VANET using named data networking: On improvement of VANET using NDN-based routing, caching, and security

Named data networking (NDN) presents a huge opportunity to tackle some of the unsolved issues of IP-based vehicular ad hoc networks (VANET). The core characteristics of NDN such as the name-based routing, in-network caching, and built-in data security provide better management of VANET proprieties (e.g., the high mobility, link intermittency, and dynamic topology). This study aims at providing a clear view of the state-of-the-art on the developments in place, in order to leverage the characteristics of NDN in VANET. We resort to a systematic literature review (SLR) to perform a reproducible study, gathering the proposed solutions and summarizing the main open challenges on implementing NDN-based VANET. There exist several related studies, but they are more focused on other topics such as forwarding. This work specifically restricts the focus on VANET improvements by NDN-based routing (not forwarding), caching, and security. The surveyed solution herein presented is performed between 2010 and 2021. The results show that proposals on the selected topics for NDN-based VANET are recent (mainly from 2016 to 2021). Among them, caching is the most investigated topic. Finally, the main findings and the possible roadmaps for further development are highlighted

Tracking Normalized Network Traffic Entropy to Detect DDoS Attacks in P4

Distributed Denial-of-Service (DDoS) attacks represent a persistent threat to modern telecommunications networks: detecting and counteracting them is still a crucial unresolved challenge for network operators. DDoS attack detection is usually carried out in one or more central nodes that collect significant amounts of monitoring data from networking devices, potentially creating issues related to network overload or delay in detection. The dawn of programmable data planes in Software-Defined Networks can help mitigate this issue, opening the door to the detection of DDoS attacks directly in the data plane of the switches. However, the most widely-adopted data plane programming language, namely P4, lacks supporting many arithmetic operations, therefore, some of the advanced network monitoring functionalities needed for DDoS detection cannot be straightforwardly implemented in P4. This work overcomes such a limitation and presents two novel strategies for flow cardinality and for normalized network traffic entropy estimation that only use P4-supported operations and guarantee a low relative error. Additionally, based on these contributions, we propose a DDoS detection strategy relying on variations of the normalized network traffic entropy. Results show that it has comparable or higher detection accuracy than state-of-the-art solutions, yet being simpler and entirely executed in the data plane.Comment: Accepted by TDSC on 24/09/202

Security and Privacy Issues in Wireless Mesh Networks: A Survey

This book chapter identifies various security threats in wireless mesh network (WMN). Keeping in mind the critical requirement of security and user privacy in WMNs, this chapter provides a comprehensive overview of various possible attacks on different layers of the communication protocol stack for WMNs and their corresponding defense mechanisms. First, it identifies the security vulnerabilities in the physical, link, network, transport, application layers. Furthermore, various possible attacks on the key management protocols, user authentication and access control protocols, and user privacy preservation protocols are presented. After enumerating various possible attacks, the chapter provides a detailed discussion on various existing security mechanisms and protocols to defend against and wherever possible prevent the possible attacks. Comparative analyses are also presented on the security schemes with regards to the cryptographic schemes used, key management strategies deployed, use of any trusted third party, computation and communication overhead involved etc. The chapter then presents a brief discussion on various trust management approaches for WMNs since trust and reputation-based schemes are increasingly becoming popular for enforcing security in wireless networks. A number of open problems in security and privacy issues for WMNs are subsequently discussed before the chapter is finally concluded.Comment: 62 pages, 12 figures, 6 tables. This chapter is an extension of the author's previous submission in arXiv submission: arXiv:1102.1226. There are some text overlaps with the previous submissio

In-Network Volumetric DDoS Victim Identification Using Programmable Commodity Switches

Volumetric distributed Denial-of-Service (DDoS) attacks have become one of the most significant threats to modern telecommunication networks. However, most existing defense systems require that detection software operates from a centralized monitoring collector, leading to increased traffic load and delayed response. The recent advent of Data Plane Programmability (DPP) enables an alternative solution: threshold-based volumetric DDoS detection can be performed directly in programmable switches to skim only potentially hazardous traffic, to be analyzed in depth at the controller. In this paper, we first introduce the BACON data structure based on sketches, to estimate per-destination flow cardinality, and theoretically analyze it. Then we employ it in a simple in-network DDoS victim identification strategy, INDDoS, to detect the destination IPs for which the number of incoming connections exceeds a pre-defined threshold. We describe its hardware implementation on a Tofino-based programmable switch using the domain-specific P4 language, proving that some limitations imposed by real hardware to safeguard processing speed can be overcome to implement relatively complex packet manipulations. Finally, we present some experimental performance measurements, showing that our programmable switch is able to keep processing packets at line-rate while performing volumetric DDoS detection, and also achieves a high F1 score on DDoS victim identification.Comment: Accepted by IEEE Transactions on Network and Service Management Special issue on Latest Developments for Security Management of Networks and Service

Self-Modeling based Diagnosis of Services over Programmable Networks

International audienceIn this paper, we propose a multi-layer self-diagnosis framework for networking services within SDN and NFV environments. The framework encompasses three main contributions: 1) the definition of multi-layered templates to identify what to supervise while taking into account the physical, logical, virtual and service layers. These templates are also finer-granular, extendable and machine-readable; 2) a self-modeling module that takes as input these templates, instantiates them and generates on-the-fly the diagnosis model that includes the physical, logical, and the virtual dependencies of networking services; 3) a service-aware root-cause analysis module that takes into account the networking services' views and their underlying network resources observations within the aforementioned layers. We also present extensive simulations to prove the fully automated, finer granularity and reduced uncertainty of the root cause of networking services failures and their underlying network resources

Flexpop: A popularity-based caching strategy for multimedia applications in information-centric networking

Information-Centric Networking (ICN) is the dominant architecture for the future Internet. In ICN, the content items are stored temporarily in network nodes such as routers. When the memory of routers becomes full and there is no room for a new arriving content, the stored contents are evicted to cope with the limited cache size of the routers. Therefore, it is crucial to develop an effective caching strategy for keeping popular contents for a longer period of time. This study proposes a new caching strategy, named Flexible Popularity-based Caching (FlexPop) for storing popular contents. The FlexPop comprises two mechanisms, i.e., Content Placement Mechanism (CPM), which is responsible for content caching, and Content Eviction Mechanism (CEM) that deals with content eviction when the router cache is full and there is no space for the new incoming content. Both mechanisms are validated using Fuzzy Set Theory, following the Design Research Methodology (DRM) to manifest that the research is rigorous and repeatable under comparable conditions. The performance of FlexPop is evaluated through simulations and the results are compared with those of the Leave Copy Everywhere (LCE), ProbCache, and Most Popular Content (MPC) strategies. The results show that the FlexPop strategy outperforms LCE, ProbCache, and MPC with respect to cache hit rate, redundancy, content retrieval delay, memory utilization, and stretch ratio, which are regarded as extremely important metrics (in various studies) for the evaluation of ICN caching. The outcomes exhibited in this study are noteworthy in terms of making FlexPop acceptable to users as they can verify the performance of ICN before selecting the right caching strategy. Thus FlexPop has potential in the use of ICN for the future Internet such as in deployment of the IoT technology