
    ISA-Based Trusted Network Functions And Server Applications In The Untrusted Cloud

    Nowadays, enterprises widely deploy Network Functions (NFs) and server applications in the cloud. However, processing of sensitive data and trusted execution cannot be securely deployed in the untrusted cloud. Cloud providers themselves could accidentally leak private information (e.g., due to misconfigurations), or rogue users could exploit vulnerabilities in the providers' systems to compromise execution integrity, posing a threat to the confidentiality of internal enterprise and customer data. In this paper, we identify (i) a number of NF and server application use-cases that trusted execution can be applied to, (ii) the assets and impact of compromising the private data and execution integrity of each use-case, and (iii) we leverage Intel's Software Guard Extensions (SGX) architecture to design Trusted Execution Environments (TEEs) for cloud-based NFs and server applications. We combine SGX with the Data Plane Development Kit (DPDK) to prototype and evaluate our TEEs for a number of application scenarios (Layer 2 frame and Layer 3 packet processing for plain and encrypted traffic, traffic load-balancing and back-end server processing). Our results indicate that NFs involving plain traffic can achieve almost native performance (e.g., ~22 Million Packets Per Second for Layer 3 forwarding for 64-byte frames), while NFs involving encrypted traffic and server processing can still achieve competitive performance (e.g., ~12 Million Packets Per Second for server processing for 64-byte frames)

    Technical Report: Efficient Buffering and Scheduling for a Single-Chip Crosspoint-Queued Switch

    The single-chip crosspoint-queued (CQ) switch is a compact switching architecture that has all its buffers placed at the crosspoints of input and output lines. Scheduling is also performed inside the switching core, and does not rely on latency-limited communications with input or output line-cards. Compared with other legacy switching architectures, the CQ switch has the advantages of high throughput, minimal delay, low scheduling complexity, and no speedup requirement. However, the crosspoint buffers are small and segregated, so how to efficiently use the buffers and avoid packet drops remains a major problem that needs to be addressed. In this paper, we consider load balancing, deflection routing, and buffer pooling for efficient buffer sharing in the CQ switch. We also design scheduling algorithms to maintain the correct packet order even while employing multi-path switching, and to resolve contentions caused by multiplexing. All these techniques require modest hardware modifications and memory speedup in the switching core, but can greatly boost buffer utilization by up to 10 times and reduce the packet drop rates by one to three orders of magnitude. Extensive simulations and analyses have been done to demonstrate the advantages of the proposed buffering and scheduling techniques in various aspects. By pushing the on-chip memory to the limit of current ASIC technology, we show that a cell drop rate of 10^-8, which is low enough for practical uses, can be achieved under real Internet traffic traces corresponding to a load of 0.9

    SDNFV: Flexible and Dynamic Software Defined Control of an Application- and Flow-Aware Data Plane

    Software Defined Networking (SDN) promises greater flexibility for directing packet flows, and Network Function Virtualization promises to enable dynamic management of software-based network functions. However, the current divide between an intelligent control plane and an overly simple, stateless data plane results in the inability to exploit the flexibility of a software-based network. In this paper we propose SDNFV, a framework that expands the capabilities of network processing-and-forwarding elements to flexibly manage packet flows, while retaining both a high-performance data plane and an easily managed control plane. SDNFV proposes a hierarchical control framework where decisions are made across the SDN controller, a host-level manager, and individual VMs to best exploit the state available at each level. This increases the network's flexibility compared to existing SDNs, where controllers often make decisions based solely on the first packet header of a flow. SDNFV intelligently places network services across hosts and connects them in sequential and parallel chains, giving both the SDN controller and individual network functions the ability to enhance and update flow rules to adapt to changing conditions. Our prototype demonstrates how to efficiently and flexibly reroute flows based on data plane state such as packet payloads and traffic characteristics

    A Comprehensive Study on Load Balancers for VNF chains Horizontal Scaling

    We present an architectural design and a reference implementation for horizontal scaling of virtual network function chains. Our solution does not require any changes to network functions and is able to handle stateful network functions whose state may depend on both directions of the traffic. We use connection-aware traffic load balancers based on hashing functions to maintain mappings between connections and the dynamically changing network function chains. Our reference implementation uses OpenFlow switches to route traffic to the assigned network function instances according to the load balancer decisions. We conducted extensive simulations to test the feasibility of the architecture and evaluate the performance of our implementation. Comment: Short version of the paper has been accepted for CNSM 201

    SDN Controllers: Benchmarking & Performance Evaluation

    Software Defined Networks offer flexible and intelligent network operations by splitting a traditional network into a centralized control plane and a programmable data plane. The intelligent control plane is responsible for providing flow paths to switches and optimizing network performance. The controller in the control plane is the fundamental element used for all operations of data plane management. Hence, the performance and capabilities of the controller itself are extremely important. Furthermore, the tools used to benchmark controller performance must be accurate and effective in measuring different evaluation parameters. There are dozens of controller proposals available in the existing literature. However, there is no quantitative comparative analysis of them. In this article, we present a comprehensive qualitative comparison of different SDN controllers, along with a quantitative analysis of their performance in different network scenarios. More specifically, we categorize and classify 34 controllers based on their capabilities, and present a qualitative comparison of their properties. We also discuss in depth the capabilities of benchmarking tools used for SDN controllers, along with best practices for quantitative controller evaluation. This work uses three benchmarking tools to compare nine controllers against multiple criteria. Finally, we discuss detailed research findings on the performance, benchmarking criteria, and evaluation testbeds for SDN controllers

    AMP: A Better Multipath TCP for Data Center Networks

    In recent years several multipath data transport mechanisms, such as MPTCP and XMP, have been introduced to effectively exploit the path diversity of data center networks (DCNs). However, these multipath schemes have not been widely deployed in DCNs. We argue that two key factors, among others, impeded their adoption: TCP incast and minimum window syndrome. First, these mechanisms are ill-suited for workloads with a many-to-one communication pattern, commonly found in DCNs, causing frequent TCP incast collapses. Second, the minimum window syndrome, which we identify for the first time, results in 2-5 times lower throughput for single-path flows than for multipath flows, thus severely violating network fairness. To effectively tackle these problems, we propose AMP: an adaptive multipath congestion control mechanism that quickly detects the onset of these problems and transforms its multipath flow into a single-path flow. Once these problems disappear, AMP safely reverses this transformation and continues its data transmission via multiple paths. Our evaluation results under a diverse set of scenarios in a fat-tree topology with realistic workloads demonstrate that AMP is robust to the TCP incast problem and significantly improves network fairness between multipath and single-path flows with little performance loss

    A Survey of Controller Placement Problem in Software Defined Networks

    Software Defined Networking (SDN) is an emerging network paradigm which provides a centralized view of the network by decoupling the network control plane from the data plane. This strategy of maintaining a global view of the network optimizes resource management. However, implementing SDN with a single physical controller leads to issues of scalability and robustness. A physically distributed but logically centralized SDN controller architecture promises to resolve both of these issues. Distributed SDN, along with its benefits, brings the problem of determining the number of controllers required and their placement in the network. This problem is referred to as the controller placement problem (CPP), and this paper is mainly concerned with CPP solution techniques. The paper formally defines CPP and gives a comprehensive review of the various performance metrics and characteristics of the available CPP solutions. Finally, we point out the existing literature gap and discuss future research directions in this domain

    Fractal: Automated Application Scaling

    To date, cloud applications have used datacenter resources through manual configuration and deployment of virtual machines and containers. Current trends see increasing use of microservices, where larger applications are split into many small containers, to be developed and deployed independently. However, even with the rise of the devops movement and orchestration facilities such as Kubernetes, there is a tendency to separate development from deployment. We present an exploration of a more extreme point on the devops spectrum: Fractal. Developers embed orchestration logic inside their application, fully automating the processes of scaling up and down. Providing a set of extensions to and an API over the Jitsu platform, we outline the design of Fractal and describe the key features of its implementation: how an application is self-replicated, how replica lifecycles are managed, how failure recovery is handled, and how network traffic is transparently distributed between replicas. We present an evaluation of a self-scaling website, and demonstrate that Fractal is both useful and feasible

    Dual-structure Data Center Multicast Using Software Defined Networking

    Data center applications use multicast as an effective method to reduce bandwidth cost. However, traditional multicast protocols designed for IP networks are usually bottlenecked by the limited state capacity on switches. In this paper, we propose a scalable multicast solution for fat tree networks based on the observation that data center multicast traffic has strong heterogeneity. We propose to remove the multicast management logic from switches and use the SDN controller to manage multicast groups. The proposed Dual-structure Multicast (DuSM) distinguishes elephant and mice groups according to their traffic amounts and treats them separately. For each elephant group, the controller installs multicast state to maintain multiple shared trees, and the group traffic is balanced evenly among the trees to avoid congestion. For mice groups, the controller applies state-free multicast that trades bandwidth capacity for state capacity, such as multicast-to-unicast translation. Our experiments using real multicast traffic data show that the number of groups DuSM supports can be 300% of that of IP multicast. DuSM also achieves traffic balance among links

    A Survey of Energy Efficiency in SDN Software Based Methods and Optimization Models

    The Software Defined Networking (SDN) paradigm has the benefits of programmable network elements, achieved by separating the control and forwarding planes, efficiency through optimized routing, and flexibility in network management. As energy costs contribute largely to the overall costs of networks, energy efficiency has become a significant design requirement for modern networking mechanisms. However, designing energy-efficient solutions is non-trivial since they need to tackle the trade-off between energy efficiency and network performance. In this article, we address the energy efficiency capabilities that can be utilized in the emerging SDN. We provide a comprehensive and novel classification of software-based energy-efficient solutions into the subcategories of traffic aware, end system aware and rule placement. We propose general optimization models for each subcategory, and present the objective function, the parameters and the constraints to be considered in each model. Detailed information on the characteristics of state-of-the-art methods, their advantages and their drawbacks is provided. Hardware-based solutions used to enhance the efficiency of switches are also described. Furthermore, we discuss the open issues and future research directions in the area of energy efficiency in SDN. Comment: 17 double column pages, 3 figures, 6 table