20 research outputs found

    Software-Defined Networking in Mobile Access Networks


    E2: a framework for NFV applications

    By moving network appliance functionality from proprietary hardware to software, Network Function Virtualization promises to bring the advantages of cloud computing to network packet processing. However, the evolution of cloud computing (particularly for data analytics) has greatly benefited from application-independent methods for scaling and placement that achieve high efficiency while relieving programmers of these burdens. NFV has no such general management solutions. In this paper, we present a scalable and application-agnostic scheduling framework for packet processing, and compare its performance to current approaches.

    Towards flexible, scalable and autonomic virtual tenant slices


    Policy Conflict Management in Distributed SDN Environments

    The ease of programmability in Software-Defined Networking (SDN) makes it a great platform for implementation of various initiatives that involve application deployment, dynamic topology changes, and decentralized network management in a multi-tenant data center environment. However, implementing security solutions in such an environment is fraught with policy conflicts and consistency issues, with the hardness of this problem being affected by the distribution scheme for the SDN controllers. In this dissertation, a formalism for flow rule conflicts in SDN environments is introduced. This formalism is realized in Brew, a security policy analysis framework implemented on an OpenDaylight SDN controller. Brew has comprehensive conflict detection and resolution modules to ensure that no two flow rules in a distributed SDN-based cloud environment have conflicts at any layer, thereby assuring consistent conflict-free security policy implementation and preventing information leakage. Techniques for global prioritization of flow rules in a decentralized environment are presented, using which all SDN flow rule conflicts are recognized and classified. Strategies for unassisted resolution of these conflicts are also detailed. Alternately, if administrator input is desired to resolve conflicts, a novel visualization scheme is implemented to help the administrators view the conflicts in an aesthetic manner. The correctness, feasibility and scalability of the Brew proof-of-concept prototype are demonstrated. Flow rule conflict avoidance using a buddy address space management technique is studied as an alternative to conflict detection and resolution in highly dynamic cloud systems attempting to implement SDN-based Moving Target Defense (MTD) countermeasures. Dissertation/Thesis, Doctoral Dissertation, Computer Science 201

    Throughput optimization for admitting NFV-enabled requests in cloud networks

    Network softwarization is emerging as a techno-economic transformation trend that significantly impacts the way that network service providers deliver their network services. As a key ingredient of such a trend, network function virtualization (NFV) is shown to enable elastic and inexpensive network services for next-generation networks, through deploying flexible virtualized network functions (VNFs) running in virtual computing platforms. Different VNFs can be chained together to form different service chains for different network services, to meet various user data routing demands. From the service provider point of view, such services are usually implemented by VNF instances in a cloudlet network consisting of a set of data centers and switches. In this paper we consider provisioning network services in a cloud network for implementing VNF instances of service chains, where the VNF instances in each data center are partitioned into K types with each hosting one type of service chain. We investigate the throughput maximization problem with the aim to admit as many user requests as possible while minimizing the implementation cost of the requests, assuming that limited numbers of instances of each service chain have been instantiated in data centers. We first show the problem is NP-Complete, and propose an optimal algorithm for a special case of the problem when all requests have identical packet rates; otherwise, we devise two approximation algorithms with approximation ratios, depending on whether the packet traffic of each request is splittable. If arrivals of future requests are not known in advance, we study the online throughput maximization problem by proposing an online algorithm with a competitive ratio. We finally conduct experiments to evaluate the performance of the proposed algorithms by simulations. Simulation results show that the performance of the proposed algorithms is promising.

    Scalable and Reliable Middlebox Deployment

    Middleboxes are pervasive in modern computer networks, providing functionalities beyond mere packet forwarding. Load balancers, intrusion detection systems, and network address translators are typical examples of middleboxes. Despite their benefits, middleboxes come with several challenges with respect to their scalability and reliability. The goal of this thesis is to devise middlebox deployment solutions that are cost effective, scalable, and fault tolerant. The thesis includes three main contributions: first, distributed service function chaining with multiple instances of a middlebox deployed on different physical servers to optimize resource usage; second, Constellation, a geo-distributed middlebox framework enabling a middlebox application to operate with high performance across wide area networks; third, a fault tolerant service function chaining system.