Flow-Aware Elephant Flow Detection for Software-Defined Networks

Software-defined networking (SDN) separates the network control plane from the packet forwarding plane, which provides comprehensive network-state visibility for better network management and resilience. Traffic classification, particularly for elephant flow detection, can lead to improved flow control and resource provisioning in SDN networks. Existing elephant flow detection techniques use pre-set thresholds that cannot scale with the changes in the traffic concept and distribution. This paper proposes a flow-aware elephant flow detection applied to SDN. The proposed technique employs two classifiers, each respectively on SDN switches and controller, to achieve accurate elephant flow detection efficiently. Moreover, this technique allows sharing the elephant flow classification tasks between the controller and switches. Hence, most mice flows can be filtered in the switches, thus avoiding the need to send large numbers of classification requests and signaling messages to the controller. Experimental findings reveal that the proposed technique outperforms contemporary methods in terms of the running time, accuracy, F-measure, and recall

Database-Based IP Network Routing

The Software-Defined Networking (SDN) approach has the goal of simplifying network management. SDN uses a logically centralized approach to enable simpler network programmability and simplify the network architecture. SDN is in general associated with the OpenFlow protocol, which standardizes communication between a controller and network devices. Alternatively, a database approach could be used to tackle data exchange between controller and network devices. This solution requires the installation of a database server inside each switch, and replicas of those local switches databases, in the controller. The database approach offers several potential advantages over OpenFlow such as higher level of abstraction, flexibility and the use of mature implementations of standardised database protocols to propagate information events and commands. The purpose of this work is to apply a Database-Based Control Plane (DBCP) for SDN networks on a wide area environment. The objective is to implement a replacement of the control plane of a wide area network, currently achieved using a link-state protocol such as OSPF or IS-IS, by an SDN approach based on similar techniques as the ones used in [4]. We conducted an experiment, which we called IP-DBCP, that consisted of the definition of data models and the construction of an SDN network with database replication as the means of communication between one controller and multiple switches. To this end, a switch was developed, using OpenSwitch software as a logical hardware layer, that is capable of executing a MySQL database management system, load it with its characteristics and collect data related to its network neighbourhood. A controller was also developed that executes a MySQL database management system with the replicated databases of all switches. The controller uses those replicated databases to construct routing rules, using a shortest-path algorithm. Ultimately we tested the correct functioning of the solution and evaluated the convergence time by performing network state changes and compared the results with the ones found in traditional link state protocols

Applying Formal Methods to Networking: Theory, Techniques and Applications

Despite its great importance, modern network infrastructure is remarkable for the lack of rigor in its engineering. The Internet which began as a research experiment was never designed to handle the users and applications it hosts today. The lack of formalization of the Internet architecture meant limited abstractions and modularity, especially for the control and management planes, thus requiring for every new need a new protocol built from scratch. This led to an unwieldy ossified Internet architecture resistant to any attempts at formal verification, and an Internet culture where expediency and pragmatism are favored over formal correctness. Fortunately, recent work in the space of clean slate Internet design---especially, the software defined networking (SDN) paradigm---offers the Internet community another chance to develop the right kind of architecture and abstractions. This has also led to a great resurgence in interest of applying formal methods to specification, verification, and synthesis of networking protocols and applications. In this paper, we present a self-contained tutorial of the formidable amount of work that has been done in formal methods, and present a survey of its applications to networking.Comment: 30 pages, submitted to IEEE Communications Surveys and Tutorial

A Survey on the Contributions of Software-Defined Networking to Traffic Engineering

Since the appearance of OpenFlow back in 2008, software-defined networking (SDN) has gained momentum. Although there are some discrepancies between the standards developing organizations working with SDN about what SDN is and how it is defined, they all outline traffic engineering (TE) as a key application. One of the most common objectives of TE is the congestion minimization, where techniques such as traffic splitting among multiple paths or advanced reservation systems are used. In such a scenario, this manuscript surveys the role of a comprehensive list of SDN protocols in TE solutions, in order to assess how these protocols can benefit TE. The SDN protocols have been categorized using the SDN architecture proposed by the open networking foundation, which differentiates among data-controller plane interfaces, application-controller plane interfaces, and management interfaces, in order to state how the interface type in which they operate influences TE. In addition, the impact of the SDN protocols on TE has been evaluated by comparing them with the path computation element (PCE)-based architecture. The PCE-based architecture has been selected to measure the impact of SDN on TE because it is the most novel TE architecture until the date, and because it already defines a set of metrics to measure the performance of TE solutions. We conclude that using the three types of interfaces simultaneously will result in more powerful and enhanced TE solutions, since they benefit TE in complementary ways.European Commission through the Horizon 2020 Research and Innovation Programme (GN4) under Grant 691567 Spanish Ministry of Economy and Competitiveness under the Secure Deployment of Services Over SDN and NFV-based Networks Project S&NSEC under Grant TEC2013-47960-C4-3-

Detecting and defeating advanced man-in-the-middle attacks against TLS

Sobre los derechos de acceso: Permission to make digital or hard copies of this publication for internal use within NATO and for personal or educational use when for non-profi t or non-commercial purposes is granted providing that copies bear this notice and a full citation on the first page. Any other reproduction or transmission requires prior written permission by NATO CCD COE.TLS es un bloque esencial para la construcción de redes privadas. Un aspecto crítico para la seguridad de TLS es la autenticación y el intercambio de claves, que habitualmente se realiza mediante certificados. Un intercambio inseguro de claves puede conducir a un ataque de hombre en el medio (MITM). La confianza en los certificados se consigue habitualmente gracias a la utilización de una infraestructura de clave pública (PKI), que emplea autoridades de certificación (CA) de confianza para el establecimiento de cadenas de validez de certificados. En los últimos años, han surgido una serie de problemas relacionados con el uso del PKI: lo certificados pueden ser emitidos para cualquier entidad de Internet, con independencia de la posición de la CA en el árbol jerárquico. Esto implica que un ataque exitoso contra una CA tiene el potencial de permitir la generación de certificados válidos que posibilitarán la realización de ataques de hombre en el medio. No podemos descartar la posibilidad de usos malicioso de CA intermedias para llevar a cabo ataques dirigidos mediante la emisión de certificados ad-hoc, que serían extremadamente difíciles de detectar. La infraestructura PKI actual es susceptible a este tipo de ataques, por lo que se hace necesaria la creación de nuevos mecanismos para la detección y neutralización de los mismos. El IETF y otros organismos de estandarización han lanzado distintas iniciativas para posibilitar la detección de certificados falsificados. La mayoría de estas iniciativas intentan solucionar los problemas existentes mantenimiento el modelo PKI y agregando la técnica de 'certificate pinning', que asocia certificados concretos a servidores. Estas técnicas tienen limitaciones significativas, como la necesidad de un proceso de arranque seguro, o el establecimiento de la asociación para cada host de forma individual y uno por uno. Este trabajo proporciona una evolución desde el esquema de 'pinning' realizado en el host a un esquema de 'pinning' en la red, mediante la habilitación de mecanismos para la validación de certificados cuando atraviesan una red determinada. Los certificados se clasificarán como confiables o no como resultado del cruce de información obtenida de distintas fuentes. Esto resultaría en la detección temprana de certificados sospechosos y lanzaría mecanismos para rechazar el ataque, minimizar su impacto y recopilar información sobre los atacantes. Junto con lo anterior, se podría realizar un análisis más detallado y pormenorizado.TLS is an essential building block for virtual private networks. A critical aspect for the security of TLS dialogs is authentication and key exchange, usually performed by means of certificates. An insecure key exchange can lead to a man-in-the-middle attack (MITM). Trust in certificates is generally achieved using Public Key Infrastructures (PKIs), which employ trusted certificate authorities (CAs) to establish certificate validity chains. In the last years, a number of security concerns regarding PKI usage have arisen: certificates can be issued for entities in the Internet, regardless of its position in the CA hierarchy tree. This means that successful attacks on CAs have the potential to generate valid certificates enabling man-in-the-middle attacks. The possibility of malicious use of intermediate CAs to perform targeted attacks through ad-hoc certificates cannot be neglected and are extremely difficult to detect. Current PKI infrastructure for TLS is prone to MITM attacks, and new mechanisms for detection and avoidance of those attacks are needed. IETF and other standardization bodies have launched several initiatives to enable the detection of “forged” certificates. Most of these initiatives attempt to solve the existing problems by maintaining the current PKI model and using certificate pinning, which associates certificates and servers on use. These techniques have significant limitations, such as the need of a secure bootstrap procedure, or pinning requiring some host-by-host basis. This study proposes an evolution from pinning-in-the-host to pinning-in-the-net, by enabling mechanisms to validate certificates as they travel through a given network. Certificates would be classified as trusted or not trusted as a result of cross-information obtained from different sources. This would result in early detection of suspicious certificates and would trigger mechanisms to defeat the attack; minimize its impact; and gather information on the attackers. Additionally, a more detailed and thorough analysis could be performed