BPFabric: Data Plane Programmability for Software Defined Networks
In its current form, OpenFlow, the de facto implementation of SDN, separates the network's control and data planes, allowing a central controller to alter the match-action pipeline using a limited set of fields and actions. To support new protocols, forwarding logic, telemetry, monitoring or even middlebox-like functions, the programmability currently available in SDN is insufficient. In this paper, we introduce BPFabric, a platform-, protocol- and language-independent architecture to centrally program and monitor the data plane. BPFabric leverages eBPF, a platform- and protocol-independent instruction set, to define the packet processing and forwarding functionality of the data plane. We introduce a control plane API that allows data plane functions to be deployed on the fly, reporting events of interest and exposing network-internal state.
We present a raw socket and a DPDK implementation of the design, the former for large-scale experimentation using environments such as Mininet and the latter for high-performance, low-latency deployments. We show through examples that functions unrealisable in OpenFlow can leverage this flexibility while achieving similar or better performance than today's static design.
Arbitrary Packet Matching in OpenFlow
OpenFlow has emerged as the de facto control protocol to implement Software-Defined Networking (SDN). In its current form, the protocol specifies a set of fields on which it matches packets to perform actions, such as forwarding, discarding or modifying specific protocol header fields at a switch. The number of match fields has increased with every version of the protocol to extend matching capabilities; however, it is still not flexible enough to match on arbitrary packet fields, which limits innovation and new protocol development with OpenFlow. In this paper, we argue that a fully flexible match structure is superior to continuously extending the number of fields to match upon. We use Berkeley Packet Filters (BPF) for packet classification to provide a protocol-independent, flexible alternative to today's fixed OpenFlow match fields. We have implemented a prototype system and evaluated the performance of the proposed match scheme, with a focus on the time it takes to execute and the memory required to store different match filter specifications. Our prototype implementation demonstrates that line-rate arbitrary packet classification can be achieved with complex BPF programs.
Dataplane Specialization for High-performance OpenFlow Software Switching
OpenFlow is an amazingly expressive dataplane programming language, but this expressiveness comes at a severe performance price, as switches must do excessive packet classification in the fast path. The prevalent OpenFlow software switch architecture is therefore built on flow caching, but this imposes intricate limitations on the workloads that can be supported efficiently and may even open the door to malicious cache overflow attacks. In this paper we argue that instead of enforcing the same universal flow cache semantics on all OpenFlow applications and optimizing for the common case, a switch should rather automatically specialize its dataplane piecemeal with respect to the configured workload. We introduce ESwitch, a novel switch architecture that uses on-the-fly template-based code generation to compile any OpenFlow pipeline into efficient machine code, which can then be readily used as the fast path. We present a proof-of-concept prototype and we demonstrate on illustrative use cases that ESwitch yields a simpler architecture, superior packet processing speed, improved latency and CPU scalability, and predictable performance. Our prototype can easily scale beyond 100 Gbps on a single Intel blade even with complex OpenFlow pipelines.
A Survey on Data Plane Programming with P4: Fundamentals, Advances, and Applied Research
With traditional networking, users can configure control plane protocols to match the specific network configuration, but without the ability to fundamentally change the underlying algorithms. With SDN, users may provide their own control plane, which can control network devices through their data plane APIs. Programmable data planes allow users to define their own data plane algorithms for network devices, including appropriate data plane APIs which may be leveraged by user-defined SDN control. Thus, programmable data planes and SDN offer great flexibility for network customization, be it for specialized commercial appliances, e.g., in 5G or data center networks, or for rapid prototyping in industrial and academic research. Programming protocol-independent packet processors (P4) has emerged as the currently most widespread abstraction, programming language, and concept for data plane programming. It is developed and standardized by an open community and is supported by various software and hardware platforms. In this paper, we survey the literature from 2015 to 2020 on data plane programming with P4. Our survey covers 497 references, of which 367 are scientific publications. We organize our work into two parts. In the first part, we give an overview of data plane programming models, the programming language, architectures, compilers, targets, and data plane APIs. We also consider research efforts to advance P4 technology. In the second part, we analyze a large body of literature considering P4-based applied research. We categorize 241 research papers into different application domains, summarize their contributions, and extract prototypes, target platforms, and source code availability.
Comment: Submitted to IEEE Communications Surveys and Tutorials (COMS) on 2021-01-2
MOSAIC: Unified Platform for Dynamic Overlay Selection and Composition
MOSAIC constructs new overlay networks with desired characteristics by composing existing overlays with subsets of those attributes. Thus, MOSAIC overcomes the problem of multiple network infrastructures that are partial solutions, while preserving deployability. Composition of control and/or data planes is possible in the system. MOSAIC overlays are specified in Mozlog, a declarative language that specifies overlay properties without binding them to a particular implementation or underlying network.
This paper focuses on the runtime aspects of MOSAIC: how it enables interoperability between different overlay networks and how it implements switching between different overlay compositions, permitting dynamic compositions with both existing overlay networks and legacy applications. The system is validated experimentally using declarative overlay compositions concisely specified in Mozlog: an indirection overlay that supports mobility (i3), a resilient overlay (RON), and scalable lookups (Chord), all of which are combined to provide new functionality. MOSAIC provides the benefits of runtime composition to simultaneously deliver application-aware mobility, NAT traversal and reliability with low performance overhead, demonstrated by measurements on both a local cluster and PlanetLab.
New-Generation Data and Network Security Methods
The dissertation dealt with data and network security problems affecting service providers and users. I wanted to draw attention to the protection of our data: I presented several attack methods, offering defensive procedures against them on the client, proxy and server sides.
First, I presented the possibilities offered by new-generation packet forwarding, and P4 as a high-level language for describing packet forwarding logic. I described the operation of our P4 compiler, T4P4S, and showed that the compiled switch program is capable of forwarding packets at a speed close to that of hardware-optimised binaries. I then gave a possible method for using P4 as a stateful packet-filtering firewall.
I showed how distributed denial-of-service (DDoS) attacks are structured. I developed a procedure so that flooding-type DDoS attacks can be modelled. Preserving the properties that hold for HTTP traffic, I built a richly parameterisable traffic generator with which intrusion detection systems (IDS) can be tested.
I presented session hijacking and data breach attacks, which rank high on the list of top-priority threats. I analysed the dangers of HTTP and HTTPS traffic and some possible forms of session hijacking attacks, and outlined the operating model of a one-time-token-based authenticator. I showed how my tool, TooKie, can use single-use tokens to secure our sessions even over HTTP.
I presented methods for implementing an extra protective layer for ordinary users and for larger corporate networks. With the OpenWebCrypt client-side browser extension, user data stored in certain services can be encrypted. With CrypStorePI, an entire network becomes protectable using a proxy-based security middleware. Finally, I also showed how steganography can be used, for certain services, to hide the very fact that the data is encrypted from attackers.
Performance Benchmarking of State-of-the-Art Software Switches for NFV
With the ultimate goal of replacing proprietary hardware appliances with Virtual Network Functions (VNFs) implemented in software, Network Function Virtualization (NFV) has been gaining popularity in the past few years. Software switches route traffic between VNFs and physical Network Interface Cards (NICs). It is of paramount importance to compare the performance of different switch designs and architectures. In this paper, we propose a methodology to compare fairly and comprehensively the performance of software switches. We first explore the design spaces of seven state-of-the-art software switches and then compare their performance under four representative test scenarios. Each scenario corresponds to a specific case of routing NFV traffic between NICs and/or VNFs. In our experiments, we evaluate the throughput and latency between VNFs in two of the most popular virtualization environments, namely virtual machines (VMs) and containers. Our experimental results show that no single software switch prevails in all scenarios. It is, therefore, crucial to choose the most suitable solution for the given use case. At the same time, the presented results and analysis provide a deeper insight into the design tradeoffs and identify potential performance bottlenecks that could inspire new designs.
Comment: 17 page