
    SDN Access Control for the Masses

    The evolution of Software-Defined Networking (SDN) has so far been geared predominantly towards defining and refining the abstractions of the forwarding and control planes. However, despite a maturing south-bound interface and a range of proposed network operating systems, the network management application layer is yet to be specified and standardized, and the access control mechanisms it currently exposes to network applications are poorly defined. Available mechanisms allow only rudimentary control and lack procedures to partition resource access across multiple dimensions. We address this by extending the SDN north-bound interface to give the key stakeholders of network infrastructure (network providers, operators and application developers) control over shared resources. We introduce a taxonomy of SDN access models, describe a comprehensive design for SDN access control and implement the proposed solution as an extension of the ONOS network controller's intent framework.

    Redes definidas por software flexíveis (Flexible software-defined networks)

    The fifth generation of mobile networks (5G) can offer better services than its predecessors mainly through the use of software-defined networking (SDN) and network functions virtualization (NFV). However, after years of solutions built on OpenFlow, the conclusion was that, even several years after its first release, OpenFlow does not offer full flexibility and cannot handle unknown protocols. With that in mind, the community came together and created what is known today as P4. P4 is a language for programming data-plane behaviour; together with P4Runtime, the OpenFlow counterpart for P4-enabled devices, it allows data-plane behaviour to be managed independently of the target and of the protocol. This is possible because, unlike OpenFlow, P4Runtime does not assume that network devices have a fixed, well-defined behaviour, usually dictated by the ASIC. In this work the P4 ecosystem is used to offload functions to the network devices themselves, and whether this benefits network performance is evaluated. Given how little work has been done with P4 on publish-subscribe systems, which traditionally rely on brokers, several functions of such a system were offloaded to the data plane with P4, so that the overall solution is comparable to a distributed-broker one. P4 is, however, limited in managing stateful data such as TCP sessions, on which many publish-subscribe systems rely. Zenoh, a new publish-subscribe protocol that is still in its early phases and aimed at IoT, can also run over UDP and is therefore a good candidate for a P4 implementation that sidesteps this limitation; it is used to show the advantages of offloading processing to the data plane. The resulting system was compared with two more traditional ones that do not use offloading. The overall results are promising: offloading certain tasks to the data plane moves them closer to the end user and improves latency. Compared with pure Zenoh, however, the results are poorer. This is explained by the use of software switches that are not production grade and whose performance is heavily affected by several data-plane factors, so further tests on (expensive) hardware equipment are needed for a firmer conclusion. Master's in Computer and Telematics Engineering.

    P-SCOR: Integration of Constraint Programming Orchestration and Programmable Data Plane

    In this manuscript we present an original implementation of network management functions in the context of Software Defined Networking. We demonstrate a full integration of artificial-intelligence-driven management, an SDN control plane and a programmable data plane. Constraint Programming is used to implement a management operating system that accepts high-level specifications, via a northbound interface, in terms of operational objectives and directives. These are translated into technology-specific constraints and directives for the SDN control plane, which leverages the programmable data plane; the data plane is enriched with functionalities suited to feeding the data that enables the most effective operation of the "intelligent" control plane, by exploiting the language

    A unifying operating platform for 5G end-to-end and multi-layer orchestration

    The heterogeneity of current software solutions for 5G is heading towards complex and costly situations with high fragmentation, which in turn creates uncertainty and the risk of delaying 5G innovations. This context motivated the definition of a novel Operating Platform for 5G (5G-OP), a unifying reference functional framework supporting end-to-end and multi-layer orchestration. 5G-OP aims at integrated management, control and orchestration of computing, storage, memory, networking, core and edge resources, up to the end-user devices and terminals (e.g., robots and smart vehicles). 5G-OP is an overarching architecture with agnostic interfaces and well-defined abstractions, offering seamless integration of current and future infrastructure control and orchestration solutions (e.g., OpenDaylight, ONOS, OpenStack, Apache Mesos, Open Source MANO, Docker, LXC, etc.). The paper also describes a prototype that can be seen as a simplified version of a 5G-OP, whose feasibility has been demonstrated in Focus Group IMT-2020 of ITU-T.

    Managing NFV using SDN and control theory

    Control theory and SDN (Software Defined Networking) are key components for NFV (Network Function Virtualization) deployment. However, little has been done to apply a control-theoretic approach to SDN and NFV management. In this paper we describe a use case for NFV management using control theory and SDN. We use the management architecture of RINA (a clean-slate Recursive InterNetwork Architecture) to manage Virtual Network Function (VNF) instances over the GENI testbed, deploying the Snort Intrusion Detection System (IDS) as the VNF. The network topology has source and destination hosts, multiple IDSes, an Open vSwitch (OVS) and an OpenFlow controller. A distributed management application running on RINA measures the state of the VNF instances and communicates this information to a Proportional-Integral (PI) controller, which provides load-balancing information to the OpenFlow controller; the latter updates the flow-forwarding rules on the OVS switch, thereby balancing load across the VNF instances. The paper demonstrates the benefits of this control-theoretic load-balancing approach and of the RINA management architecture in virtualized environments for NFV management, and illustrates that GENI can easily support a wide range of SDN- and NFV-related experiments.
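    The control loop this abstract describes, as an added illustration that is not code from the paper, RINA or GENI: measured per-instance load is fed to a PI controller whose setpoint is the mean load, the resulting traffic split is what the OpenFlow controller would install. The instance capacities, the utilisation model, the PI gains and the ovs-ofctl "select" group syntax used to render the split are assumptions made here, not details taken from the paper.

```python
"""PI-controlled load balancing across IDS (Snort) VNF instances.

Added illustration of the loop sketched in the abstract; not code from the
paper, RINA or GENI. Capacities, the load model, the PI gains and the
ovs-ofctl group syntax are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass
class VnfInstance:
    name: str
    out_port: int          # OVS port leading to this instance (assumed)
    capacity: float        # packets/s it can inspect without dropping (assumed)
    integral: float = 0.0  # accumulated error: the "I" term of the PI controller


def measure_load(instances, shares, total_rate):
    """Constructed load model: utilisation = offered rate / capacity.
    In the paper this reading comes from the RINA management application."""
    return [share * total_rate / inst.capacity
            for inst, share in zip(instances, shares)]


def pi_step(instances, shares, loads, kp=0.5, ki=0.1):
    """One PI control interval.

    The setpoint for every instance is the mean load, so the error is positive
    for under-loaded instances, which then receive a larger traffic share.
    The errors sum to zero, so the shares keep summing to one unless a share
    is clamped at zero, in which case they are renormalised. The integral is
    clamped to avoid windup if an instance stays saturated for a long time.
    """
    mean = sum(loads) / len(loads)
    new_shares = []
    for inst, share, load in zip(instances, shares, loads):
        err = mean - load
        inst.integral = max(-1.0, min(1.0, inst.integral + err))
        new_shares.append(max(0.0, share + kp * err + ki * inst.integral))
    total = sum(new_shares)
    return [s / total for s in new_shares]


def run_balancer(instances, total_rate, steps=60, initial_shares=None):
    """Run the loop for a fixed number of control intervals; return the final
    traffic shares and the resulting per-instance loads."""
    shares = initial_shares or [1.0 / len(instances)] * len(instances)
    for _ in range(steps):
        loads = measure_load(instances, shares, total_rate)
        shares = pi_step(instances, shares, loads)
    return shares, measure_load(instances, shares, total_rate)


def select_group_cmd(bridge, group_id, instances, shares, scale=100):
    """Render the split as an OpenFlow 'select' group with weighted buckets,
    the form an OpenFlow controller can push to OVS (ovs-ofctl syntax).
    Weights are at least 1 so rounding never silently excludes an instance."""
    buckets = ",".join(
        f"bucket=weight:{max(1, round(share * scale))},output:{inst.out_port}"
        for inst, share in zip(instances, shares))
    return (f"ovs-ofctl -O OpenFlow13 mod-group {bridge} "
            f"group_id={group_id},type=select,{buckets}")


if __name__ == "__main__":
    # Three Snort instances of unequal capacity sharing 3000 packets/s (assumed).
    ids = [VnfInstance("snort-1", 1, 1000.0),
           VnfInstance("snort-2", 2, 2000.0),
           VnfInstance("snort-3", 3, 3000.0)]
    shares, loads = run_balancer(ids, total_rate=3000.0)
    for inst, s, l in zip(ids, shares, loads):
        print(f"{inst.name}: share={s:.3f} load={l:.3f}")
    print(select_group_cmd("br0", 1, ids, shares))
```

    With unequal capacities an even split saturates the smallest Snort instance (load 1.0 in the first interval), and a saturated IDS drops packets it never inspects; the loop converges on shares proportional to capacity, so every instance sits at the same utilisation. The gains are stable for the plant gains in this example (total rate over capacity between 1 and 3); a real deployment would tune them against measured capacities and the measurement interval.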