Deliverable DJRA1.2. Solutions and protocols proposal for the network control, management and monitoring in a virtualized network context

This deliverable presents several research proposals for the FEDERICA network, in different subjects, such as monitoring, routing, signalling, resource discovery, and isolation. For each topic one or more possible solutions are elaborated, explaining the background, functioning and the implications of the proposed solutions.This deliverable goes further on the research aspects within FEDERICA. First of all the architecture of the control plane for the FEDERICA infrastructure will be defined. Several possibilities could be implemented, using the basic FEDERICA infrastructure as a starting point. The focus on this document is the intra-domain aspects of the control plane and their properties. Also some inter-domain aspects are addressed. The main objective of this deliverable is to lay great stress on creating and implementing the prototype/tool for the FEDERICA slice-oriented control system using the appropriate framework. This deliverable goes deeply into the definition of the containers between entities and their syntax, preparing this tool for the future implementation of any kind of algorithm related to the control plane, for both to apply UPB policies or to configure it by hand. We opt for an open solution despite the real time limitations that we could have (for instance, opening web services connexions or applying fast recovering mechanisms). The application being developed is the central element in the control plane, and additional features must be added to this application. This control plane, from the functionality point of view, is composed by several procedures that provide a reliable application and that include some mechanisms or algorithms to be able to discover and assign resources to the user. To achieve this, several topics must be researched in order to propose new protocols for the virtual infrastructure. The topics and necessary features covered in this document include resource discovery, resource allocation, signalling, routing, isolation and monitoring. All these topics must be researched in order to find a good solution for the FEDERICA network. Some of these algorithms have started to be analyzed and will be expanded in the next deliverable. Current standardization and existing solutions have been investigated in order to find a good solution for FEDERICA. Resource discovery is an important issue within the FEDERICA network, as manual resource discovery is no option, due to scalability requirement. Furthermore, no standardization exists, so knowledge must be obtained from related work. Ideally, the proposed solutions for these topics should not only be adequate specifically for this infrastructure, but could also be applied to other virtualized networks.Postprint (published version

Implementation of a Private Cloud

The exponential growth of hardware requirements coupled with online services development costs have brought the need to create dynamic and resilient systems with networks able to handle high-density traffic. One of the emerging paradigms to achieve this is called Cloud Computing it proposes the creation of an elastic and modular computing architecture that allows dynamic allocation of hardware and network resources in order to meet the needs of applications. The creation of a Private Cloud based on the OpenStack platform implements this idea. This solution decentralizes the institution resources making it possible to aggregate resources that are physically spread across several areas of the globe and allows an optimization of computing and network resources. With this in mind, in this thesis a private cloud system was implemented that is capable of elastically leasing and releasing computing resources, allows the creation of public and private networks that connect computation instances and the launch of virtual machines that instantiate servers and services, and also isolate projects within the same system. The system expansion should start with the addition of extra nodes and the modernization of the existing ones, this expansion will also lead to the emergence of network problems which can be surpassed with the integration of Software Defined Network controllers

Path Protection Switching in Information Centric Networks (ICN)

Since its formation, the Internet has experienced tremendous growth, constantly increasing traffic and new applications, including voice and video. However, it still keeps its original architecture drafted almost 40 years ago built on the end-to-end principle; this has proven to be problematic when there are failures as routing convergence is slow for unicast networks and even slower for multicast which has to rely upon slow multicast routing as no protection switching exists for multicast. This thesis investigates protection in an alternative approach for network communication, namely information centric networking (ICN) using the architecture proposed by the PSIRP/PURSUIT projects. This uses Bloom Filters to allow both unicast and multicast forwarding. However, the PSIRP/PURSUIT ICN approach did not investigate protection switching and this problem forms the main aim of this thesis. The work builds on the research by Grover and Stamatelakis who introduced the concept of pre-configured protection p-cycles in 2000 for optical networks and, with modification, applicable to unicast IP or packet networks. This thesis shows how the p-cycle concept can be directly applied to packet networks that use PSIRP/PURSUIT ICN and extends the approach to encompass both unicast and multicast protection switching. Furthermore, it shows how the chosen p-cycles can be optimised to reduce the redundancy overhead introduced by the protection mechanism. The work evaluates the approach from two aspects, the first is how the proposed approach compares to existing switching state and traffic in an MPLS multicast architecture. The second considers the redundancy overhead in three known network topologies for synthetic traffic matrices. The thesis is the first work to demonstrate the efficiency of Bloom filter based switching for multicast (and unicast) protection switching

An architectural approach for mitigating next-generation denial of service attacks

It is well known that distributed denial of service attacks are a major threat to the Internet today. Surveys of network operators repeatedly show that the Internet's stakeholders are concerned, and the reasons for this are clear: the frequency, magnitude, and complexity of attacks are growing, and show no signs of slowing down. With the emergence of the Internet of Things, fifth-generation mobile networks, and IPv6, the Internet may soon be exposed to a new generation of sophisticated and powerful DDoS attacks. But how did we get here? In one view, the potency of DDoS attacks is owed to a set of underlying architectural issues at the heart of the Internet. Guiding principles such as simplicity, openness, and autonomy have driven the Internet to be tremendously successful, but have the side effects of making it difficult to verify source addresses, classify unwanted packets, and forge cooperation between networks to stop traffic. These architectural issues make mitigating DDoS attacks a costly, uphill battle for victims, who have been left without an adequate defense. Such a circumstance requires a solution that is aware of, and addresses, the architectural issues at play. Fueled by over 20 years worth of lessons learned from the industry and academic literature, Gatekeeper is a mitigation system that neutralizes the issues that make DDoS attacks so powerful. It does so by enforcing a connection-oriented network layer and by leveraging a global distribution of upstream vantage points. Gatekeeper further distinguishes itself from previous solutions because it circumvents the necessity of mutual deployment between networks, allowing deployers to reap the full benefits alone and on day one. Gatekeeper is an open-source, production-quality DDoS mitigation system. It is modular, scalable, and built using the latest advances in packet processing techniques. It implements the operational features required by today's network administrators, including support for bonded network devices, VLAN tagging, and control plane tools, and has been chosen for deployment by multiple networks. However, an effective Gatekeeper deployment can only be achieved by writing and enforcing fine-grained and accurate network policies. While the basic function of such policies is to simply govern the sending ability of clients, Gatekeeper is capable of much more: multiple bandwidth limits, punishing flows for misbehavior, attack detection via machine learning, and the flexibility to support new protocols. Therefore, we provide a view into the richness and power of Gatekeeper policies in the form of a policy toolkit for network operators. Finally, we must look to the future, and prepare for a potential next generation of powerful and costly DDoS attacks to grace our infrastructure. In particular, link flooding attacks such as Crossfire use massive, distributed sets of bots with low-rate, legitimate-looking traffic to attack upstream links outside of the victim's control. A new generation of these attacks could soon be realized as IoT devices, 5G networks, and IPv6 simultaneously enter the network landscape. Gatekeeper is able to hinder the architectural advantages that fuel link flooding attacks, bounding their effectiveness

Docker-ryppäiden clusterf -kuormantasaajan suunnittelu ja toteutus

Docker uses the Linux container namespace and cgroup primitives to provide isolated application runtime environments, allowing the distribution of self-contained application images that can be run in the form of Docker containers. Container platforms provide the infrastructure needed to deploy horizontally scalable container services into the Cloud, including orchestration, networking, service discovery and load balancing. This thesis studies container networking architectures and existing Cloud load balancer implementations to create a design for a scalable load balancer using the Linux IPVS network-level load balancer implementation. The clusterf load balancer architecture uses a two-level load balancing scheme combining different packet forwarding methods for scalability and compatibility with existing Docker applications. A distributed load balancer control plane is implemented to provide automatic load balancing for Docker containers. The clusterf load balancer is evaluated using a testbed environment, measuring the performance the network-level Linux IPVS implementation. The scalability of the clusterf load balancer is tested using Equal-Cost Multi-Path (ECMP) routing and IPVS connection synchronization The result is that the network-level Linux IPVS load balancer performs significantly better than the application-level HAProxy load balancer in the same configuration. The clusterf design allows for horizontal scaling with connection failover between IPVS load balancers. The current clusterf implementation requires the use of asymmetric routing within a network, such as provided by local Ethernet networks. Extending the clusterf design to support deployment onto existing Cloud infrastructure platforms with different networking implementations would qualify the clusterf load balancer for use in container platforms.Docker tarjoaa omavaraisia sovelluslevykuvia joita voidaan siirtää eri tietokoneille ja tavan suorittaa kyseisiä sovelluslevykuvia Docker konttien muodostamissa eristetyssä sovellusympäristöissä. Konttialustat tarjoavat pilvessä ajettavien skaalautuvien sovelluspalveluiden käyttöönottoon vaadittuja peruspalveluita, kuten orkestrointia, verkkoviestintää, palvelinetsintää sekä kuormantasausta. Tämä työ tutkii konttiverkkojen arkkitehtuuria sekä olemassa olevia pilvikuormantasaajatoteutuksia luodakseen skaalautuvan Linux IPVS-toteutukseen pohjautuvan verkkotason kuormantasaajan toteutusmallin. Tämä clusterf kuormantasaaja käyttää kaksikerroksista kuormantasausmallia joka yhdistää eri kuormantasausmenetelmiä saavuttaakseen sekä skaalautuvuuden että yhteensopivuuden olemassa olevien Docker konttisovelluksien kanssa. Työssä toteutetaan hajautettu ohjauspinta joka tarjoaa automaattisen kuormatasauksen Docker konttisovelluksille. Tämän clusterf kuormantasausmallin toteutusta arvioidaan erillisessä ympäristössä mittaamalla Linux IPVS-toteutuksen tarjoama suorituskyky. Tämän clusterf kuormantasaajan skaalautuvuus arvioidaan käyttäen Equal-Cost Multi-Path (ECMP) reititystä sekä IPVS-yhteystilojen synkronointia. Tutkimustyön tuloksena nähdään että verkkotason IPVS kuormantasaaja suoriutuu huomattavasti paremmin kuin sovellustason HAProxy kuormantasaaja samassa konfiguraatiossa. Tämä clusterf toteutus mahdollistaa myös kuormantasaajan skaalautumisen, sallien yhteyksien siirtämisen kuormantasaajalta toiselle. Nykyinen clusterf toteutus perustuu epäsymmetrisen reitityksen käyttöön, joka onnistuu Ethernet-pohjaisessa paikallisverkoissa. Toteutuksen laajentaminen mahdollistaakseen käyttöönoton erilaisia verkkototeutuksia käyttävien pilvialustojen päällä sallisi clusterf-kuormantasaajan käytön osana yleistä konttialustaa

Integrated IT and SDN Orchestration of multi-domain multi-layer transport networks

Telecom operators networks' management and control remains partitioned by technology, equipment supplier and networking layer. In some segments, the network operations are highly costly due to the need of the individual, and even manual, configuration of the network equipment by highly specialized personnel. In multi-vendor networks, expensive and never ending integration processes between Network Management Systems (NMSs) and the rest of systems (OSSs, BSSs) is a common situation, due to lack of adoption of standard interfaces in the management systems of the different equipment suppliers. Moreover, the increasing impact of the new traffic flows introduced by the deployment of massive Data Centers (DCs) is also imposing new challenges that traditional networking is not ready to overcome. The Fifth Generation of Mobile Technology (5G) is also introducing stringent network requirements such as the need of connecting to the network billions of new devices in IoT paradigm, new ultra-low latency applications (i.e., remote surgery) and vehicular communications. All these new services, together with enhanced broadband network access, are supposed to be delivered over the same network infrastructure. In this PhD Thesis, an holistic view of Network and Cloud Computing resources, based on the recent innovations introduced by Software Defined Networking (SDN), is proposed as the solution for designing an end-to-end multi-layer, multi-technology and multi-domain cloud and transport network management architecture, capable to offer end-to-end services from the DC networks to customers access networks and the virtualization of network resources, allowing new ways of slicing the network resources for the forthcoming 5G deployments. The first contribution of this PhD Thesis deals with the design and validation of SDN based network orchestration architectures capable to improve the current solutions for the management and control of multi-layer, multi-domain backbone transport networks. These problems have been assessed and progressively solved by different control and management architectures which has been designed and evaluated in real evaluation environments. One of the major findings of this work has been the need of developed a common information model for transport network's management, capable to describe the resources and services of multilayer networks. In this line, the Control Orchestration Protocol (COP) has been proposed as a first contriution towards an standard management interface based on the main principles driven by SDN. Furthermore, this PhD Thesis introduces a novel architecture capable to coordinate the management of IT computing resources together with inter- and intra-DC networks. The provisioning and migration of virtual machines together with the dynamic reconfiguration of the network has been successfully demonstrated in a feasible timescale. Moreover, a resource optimization engine is introduced in the architecture to introduce optimization algorithms capable to solve allocation problems such the optimal deployment of Virtual Machine Graphs over different DCs locations minimizing the inter-DC network resources allocation. A baseline blocking probability results over different network loads are also presented. The third major contribution is the result of the previous two. With a converged cloud and network infrastructure controlled and operated jointly, the holistic view of the network allows the on-demand provisioning of network slices consisting of dedicated network and cloud resources over a distributed DC infrastructure interconnected by an optical transport network. The last chapters of this thesis discuss the management and orchestration of 5G slices based over the control and management components designed in the previous chapters. The design of one of the first network slicing architectures and the deployment of a 5G network slice in a real Testbed, is one of the major contributions of this PhD Thesis.La gestión y el control de las redes de los operadores de red (Telcos), todavía hoy, está segmentado por tecnología, por proveedor de equipamiento y por capa de red. En algunos segmentos (por ejemplo en IP) la operación de la red es tremendamente costosa, ya que en muchos casos aún se requiere con guración individual, e incluso manual, de los equipos por parte de personal altamente especializado. En redes con múltiples proveedores, los procesos de integración entre los sistemas de gestión de red (NMS) y el resto de sistemas (p. ej., OSS/BSS) son habitualmente largos y extremadamente costosos debido a la falta de adopción de interfaces estándar por parte de los diferentes proveedores de red. Además, el impacto creciente en las redes de transporte de los nuevos flujos de tráfico introducidos por el despliegue masivo de Data Centers (DC), introduce nuevos desafíos que las arquitecturas de gestión y control de las redes tradicionales no están preparadas para afrontar. La quinta generación de tecnología móvil (5G) introduce nuevos requisitos de red, como la necesidad de conectar a la red billones de dispositivos nuevos (Internet de las cosas - IoT), aplicaciones de ultra baja latencia (p. ej., cirugía a distancia) y las comunicaciones vehiculares. Todos estos servicios, junto con un acceso mejorado a la red de banda ancha, deberán ser proporcionados a través de la misma infraestructura de red. Esta tesis doctoral propone una visión holística de los recursos de red y cloud, basada en los principios introducidos por Software Defined Networking (SDN), como la solución para el diseño de una arquitectura de gestión extremo a extremo (E2E) para escenarios de red multi-capa y multi-dominio, capaz de ofrecer servicios de E2E, desde las redes intra-DC hasta las redes de acceso, y ofrecer ademas virtualización de los recursos de la red, permitiendo nuevas formas de segmentación en las redes de transporte y la infrastructura de cloud, para los próximos despliegues de 5G. La primera contribución de esta tesis consiste en la validación de arquitecturas de orquestración de red, basadas en SDN, para la gestión y control de redes de transporte troncales multi-dominio y multi-capa. Estos problemas (gestion de redes multi-capa y multi-dominio), han sido evaluados de manera incremental, mediante el diseño y la evaluación experimental, en entornos de pruebas reales, de diferentes arquitecturas de control y gestión. Uno de los principales hallazgos de este trabajo ha sido la necesidad de un modelo de información común para las interfaces de gestión entre entidades de control SDN. En esta línea, el Protocolo de Control Orchestration (COP) ha sido propuesto como interfaz de gestión de red estándar para redes SDN de transporte multi-capa. Además, en esta tesis presentamos una arquitectura capaz de coordinar la gestión de los recursos IT y red. La provisión y la migración de máquinas virtuales junto con la reconfiguración dinámica de la red, han sido demostradas con éxito en una escala de tiempo factible. Además, la arquitectura incorpora una plataforma para la ejecución de algoritmos de optimización de recursos capaces de resolver diferentes problemas de asignación, como el despliegue óptimo de Grafos de Máquinas Virtuales (VMG) en diferentes DCs que minimizan la asignación de recursos de red. Esta tesis propone una solución para este problema, que ha sido evaluada en terminos de probabilidad de bloqueo para diferentes cargas de red. La tercera contribución es el resultado de las dos anteriores. La arquitectura integrada de red y cloud presentada permite la creación bajo demanda de "network slices", que consisten en sub-conjuntos de recursos de red y cloud dedicados para diferentes clientes sobre una infraestructura común. El diseño de una de las primeras arquitecturas de "network slicing" y el despliegue de un "slice" de red 5G totalmente operativo en un Testbed real, es una de las principales contribuciones de esta tesis.La gestió i el control de les xarxes dels operadors de telecomunicacions (Telcos), encara avui, està segmentat per tecnologia, per proveïdors d’equipament i per capes de xarxa. En alguns segments (Per exemple en IP) l’operació de la xarxa és tremendament costosa, ja que en molts casos encara es requereix de configuració individual, i fins i tot manual, dels equips per part de personal altament especialitzat. En xarxes amb múltiples proveïdors, els processos d’integració entre els Sistemes de gestió de xarxa (NMS) i la resta de sistemes (per exemple, Sistemes de suport d’operacions - OSS i Sistemes de suport de negocis - BSS) són habitualment interminables i extremadament costosos a causa de la falta d’adopció d’interfícies estàndard per part dels diferents proveïdors de xarxa. A més, l’impacte creixent en les xarxes de transport dels nous fluxos de trànsit introduïts pel desplegament massius de Data Centers (DC), introdueix nous desafiaments que les arquitectures de gestió i control de les xarxes tradicionals que no estan llestes per afrontar. Per acabar de descriure el context, la cinquena generació de tecnologia mòbil (5G) també presenta nous requisits de xarxa altament exigents, com la necessitat de connectar a la xarxa milers de milions de dispositius nous, dins el context de l’Internet de les coses (IOT), o les noves aplicacions d’ultra baixa latència (com ara la cirurgia a distància) i les comunicacions vehiculars. Se suposa que tots aquests nous serveis, juntament amb l’accés millorat a la xarxa de banda ampla, es lliuraran a través de la mateixa infraestructura de xarxa. Aquesta tesi doctoral proposa una visió holística dels recursos de xarxa i cloud, basada en els principis introduïts per Software Defined Networking (SDN), com la solució per al disseny de una arquitectura de gestió extrem a extrem per a escenaris de xarxa multi-capa, multi-domini i consistents en múltiples tecnologies de transport. Aquesta arquitectura de gestió i control de xarxes transport i recursos IT, ha de ser capaç d’oferir serveis d’extrem a extrem, des de les xarxes intra-DC fins a les xarxes d’accés dels clients i oferir a més virtualització dels recursos de la xarxa, obrint la porta a noves formes de segmentació a les xarxes de transport i la infrastructura de cloud, pels propers desplegaments de 5G. La primera contribució d’aquesta tesi doctoral consisteix en la validació de diferents arquitectures d’orquestració de xarxa basades en SDN capaces de millorar les solucions existents per a la gestió i control de xarxes de transport troncals multi-domini i multicapa. Aquests problemes (gestió de xarxes multicapa i multi-domini), han estat avaluats de manera incremental, mitjançant el disseny i l’avaluació experimental, en entorns de proves reals, de diferents arquitectures de control i gestió. Un dels principals troballes d’aquest treball ha estat la necessitat de dissenyar un model d’informació comú per a les interfícies de gestió de xarxes, capaç de descriure els recursos i serveis de la xarxes transport multicapa. En aquesta línia, el Protocol de Control Orchestration (COP, en les seves sigles en anglès) ha estat proposat en aquesta Tesi, com una primera contribució cap a una interfície de gestió de xarxa estàndard basada en els principis bàsics de SDN. A més, en aquesta tesi presentem una arquitectura innovadora capaç de coordinar la gestió de els recursos IT juntament amb les xarxes inter i intra-DC. L’aprovisionament i la migració de màquines virtuals juntament amb la reconfiguració dinàmica de la xarxa, ha estat demostrat amb èxit en una escala de temps factible. A més, l’arquitectura incorpora una plataforma per a l’execució d’algorismes d’optimització de recursos, capaços de resoldre diferents problemes d’assignació, com el desplegament òptim de Grafs de Màquines Virtuals (VMG) en diferents ubicacions de DC que minimitzen la assignació de recursos de xarxa entre DC. També es presenta una solució bàsica per a aquest problema, així com els resultats de probabilitat de bloqueig per a diferents càrregues de xarxa. La tercera contribució principal és el resultat dels dos anteriors. Amb una infraestructura de xarxa i cloud convergent, controlada i operada de manera conjunta, la visió holística de la xarxa permet l’aprovisionament sota demanda de "network slices" que consisteixen en subconjunts de recursos d’xarxa i cloud, dedicats per a diferents clients, sobre una infraestructura de Data Centers distribuïda i interconnectada per una xarxa de transport òptica. Els últims capítols d’aquesta tesi tracten sobre la gestió i organització de "network slices" per a xarxes 5G en funció dels components de control i administració dissenyats i desenvolupats en els capítols anteriors. El disseny d’una de les primeres arquitectures de "network slicing" i el desplegament d’un "slice" de xarxa 5G totalment operatiu en un Testbed real, és una de les principals contribucions d’aquesta tesi.Postprint (published version

Next generation control of transport networks

It is widely understood by telecom operators and industry analysts that bandwidth demand is increasing dramatically, year on year, with typical growth figures of 50% for Internet-based traffic [5]. This trend means that the consumers will have both a wide variety of devices attaching to their networks and a range of high bandwidth service requirements. The corresponding impact is the effect on the traffic engineered network (often referred to as the “transport network”) to ensure that the current rate of growth of network traffic is supported and meets predicted future demands. As traffic demands increase and newer services continuously arise, novel network elements are needed to provide more flexibility, scalability, resilience, and adaptability to today’s transport network. The transport network provides transparent traffic engineered communication of user, application, and device traffic between attached clients (software and hardware) and establishing and maintaining point-to-point or point-to-multipoint connections. The research documented in this thesis was based on three initial research questions posed while performing research at British Telecom research labs and investigating control of transport networks of future transport networks: 1. How can we meet Internet bandwidth growth yet minimise network costs? 2. Which enabling network technologies might be leveraged to control network layers and functions cooperatively, instead of separated network layer and technology control? 3. Is it possible to utilise both centralised and distributed control mechanisms for automation and traffic optimisation? This thesis aims to provide the classification, motivation, invention, and evolution of a next generation control framework for transport networks, and special consideration of delivering broadcast video traffic to UK subscribers. The document outlines pertinent telecoms technology and current art, how requirements I gathered, and research I conducted, and by which the transport control framework functional components are identified and selected, and by which method the architecture was implemented and applied to key research projects requiring next generation control capabilities, both at British Telecom and the wider research community. Finally, in the closing chapters, the thesis outlines the next steps for ongoing research and development of the transport network framework and key areas for further study

Management qualitätsbasierter Gruppenkommunikation im Internet

Zugangs- und Nutzungskontrolle bei Unicast bedarf allein der Überwachung am Netzeingang. Diese Arbeit entwirft das Verfahren DSMC (Diffserv Multicast), das die für Multicast zusätzlich benötigte Kontrolle im Netzinneren ergänzt. Es erweitert die Paketweiterleitung (MFC) der Router nur gering und ohne Eingriff in das Multicastrouting, unterstützt so alle Multicastroutingprotokolle des Internets und bietet eine skalierbare Signalisierung zur Steuerung durch zentrales Dienstgütemanagement