    BPFabric: Data Plane Programmability for Software Defined Networks

    In its current form, OpenFlow, the de facto implementation of SDN, separates the network’s control and data planes, allowing a central controller to alter the match-action pipeline using a limited set of fields and actions. To support new protocols, forwarding logic, telemetry, monitoring or even middlebox-like functions, the programmability currently available in SDN is insufficient. In this paper, we introduce BPFabric, a platform-, protocol-, and language-independent architecture to centrally program and monitor the data plane. BPFabric leverages eBPF, a platform- and protocol-independent instruction set, to define the packet processing and forwarding functionality of the data plane. We introduce a control plane API that allows data plane functions to be deployed on-the-fly, reporting events of interest and exposing network internal state. We present a raw socket and a DPDK implementation of the design, the former for large-scale experimentation using environments such as Mininet and the latter for high-performance, low-latency deployments. We show through examples that functions unrealisable in OpenFlow can leverage this flexibility while achieving similar or better performance than today’s static design.

    Arbitrary Packet Matching in OpenFlow

    OpenFlow has emerged as the de facto control protocol to implement Software-Defined Networking (SDN). In its current form, the protocol specifies a set of fields on which it matches packets to perform actions, such as forwarding, discarding or modifying specific protocol header fields at a switch. The number of match fields has increased with every version of the protocol to extend matching capabilities; however, it is still not flexible enough to match on arbitrary packet fields, which limits innovation and new protocol development with OpenFlow. In this paper, we argue that a fully flexible match structure is superior to continuously extending the number of fields to match upon. We use Berkeley Packet Filters (BPF) for packet classification to provide a protocol-independent, flexible alternative to today’s fixed OpenFlow match fields. We have implemented a prototype system and evaluated the performance of the proposed match scheme, with a focus on the time it takes to execute and the memory required to store different match filter specifications. Our prototype implementation demonstrates that line-rate arbitrary packet classification can be achieved with complex BPF programs.

    Dataplane Specialization for High-performance OpenFlow Software Switching

    OpenFlow is an amazingly expressive dataplane programming language, but this expressiveness comes at a severe performance price, as switches must do excessive packet classification in the fast path. The prevalent OpenFlow software switch architecture is therefore built on flow caching, but this imposes intricate limitations on the workloads that can be supported efficiently and may even open the door to malicious cache overflow attacks. In this paper we argue that instead of enforcing the same universal flow cache semantics on all OpenFlow applications and optimizing for the common case, a switch should rather automatically specialize its dataplane piecemeal with respect to the configured workload. We introduce ESwitch, a novel switch architecture that uses on-the-fly template-based code generation to compile any OpenFlow pipeline into efficient machine code, which can then be readily used as the fast path. We present a proof-of-concept prototype and demonstrate on illustrative use cases that ESwitch yields a simpler architecture, superior packet processing speed, improved latency and CPU scalability, and predictable performance. Our prototype can easily scale beyond 100 Gbps on a single Intel blade, even with complex OpenFlow pipelines.

    A Survey on Data Plane Programming with P4: Fundamentals, Advances, and Applied Research

    With traditional networking, users can configure control plane protocols to match the specific network configuration, but without the ability to fundamentally change the underlying algorithms. With SDN, users may provide their own control plane, which can control network devices through their data plane APIs. Programmable data planes allow users to define their own data plane algorithms for network devices, including appropriate data plane APIs which may be leveraged by user-defined SDN control. Thus, programmable data planes and SDN offer great flexibility for network customization, be it for specialized commercial appliances, e.g., in 5G or data center networks, or for rapid prototyping in industrial and academic research. Programming protocol-independent packet processors (P4) has emerged as the currently most widespread abstraction, programming language, and concept for data plane programming. It is developed and standardized by an open community and is supported by various software and hardware platforms. In this paper, we survey the literature from 2015 to 2020 on data plane programming with P4. Our survey covers 497 references, of which 367 are scientific publications. We organize our work into two parts. In the first part, we give an overview of data plane programming models, the programming language, architectures, compilers, targets, and data plane APIs. We also consider research efforts to advance P4 technology. In the second part, we analyze a large body of literature on P4-based applied research. We categorize 241 research papers into different application domains, summarize their contributions, and extract prototypes, target platforms, and source code availability.
    Comment: Submitted to IEEE Communications Surveys and Tutorials (COMS) on 2021-01-2

    MOSAIC: Unified Platform for Dynamic Overlay Selection and Composition

    MOSAIC constructs new overlay networks with desired characteristics by composing existing overlays that provide subsets of those attributes. Thus, MOSAIC overcomes the problem of multiple network infrastructures that are only partial solutions, while preserving deployability. Composition of control and/or data planes is possible in the system. MOSAIC overlays are specified in Mozlog, a declarative language that specifies overlay properties without binding them to a particular implementation or underlying network. This paper focuses on the runtime aspects of MOSAIC: how it enables interoperability between different overlay networks and how it implements switching between different overlay compositions, permitting dynamic compositions with both existing overlay networks and legacy applications. The system is validated experimentally using declarative overlay compositions concisely specified in Mozlog: an indirection overlay that supports mobility (i3), a resilient overlay (RON), and scalable lookups (Chord), all of which are combined to provide new functionality. MOSAIC provides the benefits of runtime composition to simultaneously deliver application-aware mobility, NAT traversal and reliability with low performance overhead, demonstrated by measurements on both a local cluster and PlanetLab.

    New-Generation Data and Network Security Methods

    The dissertation dealt with data and network security problems affecting service providers and users. I wanted to draw attention to the protection of our data; I presented several attack methods and offered defensive procedures against them on the client, proxy and server sides. First, I presented the possibilities offered by new-generation packet forwarding, and P4 as a high-abstraction-level language for describing packet forwarding logic. I described the operation of our P4 compiler named T4P4S and showed that the compiled switch program is capable of packet forwarding at a speed close to that of hardware-optimized binaries. Then I gave a possible method for using P4 as a stateful packet-filtering firewall. I showed how distributed denial-of-service (DDoS) attacks are structured. I developed a procedure so that flooding-type DDoS attacks can be modelled. Preserving the properties valid for HTTP traffic, I created a richly parameterizable traffic generator with which intrusion detection systems (IDS) can be tested. I presented session hijacking and data breach attacks, which occupy a prominent place on the list of highest-priority threats. I analysed the dangers of HTTP and HTTPS traffic and some possible ways of carrying out session hijacking attacks, and I outlined the operating model of a one-time-token-based authenticator. I showed how my tool named TooKie, using single-use tokens, can make our sessions secure even over HTTP. I presented methods for implementing an extra layer of protection for ordinary users and for larger corporate networks. With the OpenWebCrypt client-side browser extension, user data stored in certain services can be encrypted. With CrypStorePI, an entire network becomes defensible using a security middleware that operates on a proxy principle.
    Finally, I also showed how steganography can be used, in the case of certain services, to hide from attackers the fact that data has been encrypted.

    Performance Benchmarking of State-of-the-Art Software Switches for NFV

    With the ultimate goal of replacing proprietary hardware appliances with Virtual Network Functions (VNFs) implemented in software, Network Function Virtualization (NFV) has been gaining popularity in the past few years. Software switches route traffic between VNFs and physical Network Interface Cards (NICs). It is of paramount importance to compare the performance of different switch designs and architectures. In this paper, we propose a methodology to compare the performance of software switches fairly and comprehensively. We first explore the design spaces of seven state-of-the-art software switches and then compare their performance under four representative test scenarios. Each scenario corresponds to a specific case of routing NFV traffic between NICs and/or VNFs. In our experiments, we evaluate the throughput and latency between VNFs in two of the most popular virtualization environments, namely virtual machines (VMs) and containers. Our experimental results show that no single software switch prevails in all scenarios. It is, therefore, crucial to choose the most suitable solution for the given use case. At the same time, the presented results and analysis provide a deeper insight into the design tradeoffs and identify potential performance bottlenecks that could inspire new designs.
    Comment: 17 page