Deliverable DJRA1.3: Tool prototype for creating and stitching multiple network resources for virtual infrastructures

This document describes the prototype FEDERICA Slice Tool developed for the virtualization of network elements in FEDERICA and for creating and stitching network resources over this virtual infrastructure. An SNMP-based resource discovery prototype is also introduced as a new functionality to be integrated in the tool.The deliverable also presents aviability study for the use of traffic prioritization in the FEDERICA infrastructure and some network performance measurements on a real slice within FEDERICA.This document reports the final results of JRA1.2 Activity in the development of a tool prototype for creating sets ofvirtual resourcesinFEDERICA.The prototype goal is to simplify and automate part of the work for NOC.The tool may also serve,with different privileges, a FEDERICA user to operate on his/her slice. The tool described here was designed with the objective of providing an interactive application with a graphical interface to operate on resources for the NOC and the end users (researchers). The tool simplify the creation and configuration of resources in a slice and it is a mandatory step to ensure scalability of the NOC effort. It offers an interactive Graphical User Interface that translates the users’ actions to commands in the substrate (networknodesandV-nodes)andslice elements(VirtualMachines).User accounts may be created for the NOC and for researchers, each with specific privileges to enable different sets of capabilities. The NOC account has full access to all the resources in the substrate, while each user’account has full access only to the virtual resources in his/her slice. The tool has been developed using the Java programming language as Open Source code and relies on the open source Globus® Toolkit. Testing has been performed in a laboratory environment and on some FEDERICA substrate equipment (1switch, 2VMwareServers) in their standard configuration. For testing the router, web services and GUI an additional computer was used, using a public IP address.Postprint (published version

Deliverable JRA1.1: Evaluation of current network control and management planes for multi-domain network infrastructure

This deliverable includes a compilation and evaluation of available control and management architectures and protocols applicable to a multilayer infrastructure in a multi-domain Virtual Network environment.The scope of this deliverable is mainly focused on the virtualisation of the resources within a network and at processing nodes. The virtualization of the FEDERICA infrastructure allows the provisioning of its available resources to users by means of FEDERICA slices. A slice is seen by the user as a real physical network under his/her domain, however it maps to a logical partition (a virtual instance) of the physical FEDERICA resources. A slice is built to exhibit to the highest degree all the principles applicable to a physical network (isolation, reproducibility, manageability, ...). Currently, there are no standard definitions available for network virtualization or its associated architectures. Therefore, this deliverable proposes the Virtual Network layer architecture and evaluates a set of Management- and Control Planes that can be used for the partitioning and virtualization of the FEDERICA network resources. This evaluation has been performed taking into account an initial set of FEDERICA requirements; a possible extension of the selected tools will be evaluated in future deliverables. The studies described in this deliverable define the virtual architecture of the FEDERICA infrastructure. During this activity, the need has been recognised to establish a new set of basic definitions (taxonomy) for the building blocks that compose the so-called slice, i.e. the virtual network instantiation (which is virtual with regard to the abstracted view made of the building blocks of the FEDERICA infrastructure) and its architectural plane representation. These definitions will be established as a common nomenclature for the FEDERICA project. Other important aspects when defining a new architecture are the user requirements. It is crucial that the resulting architecture fits the demands that users may have. Since this deliverable has been produced at the same time as the contact process with users, made by the project activities related to the Use Case definitions, JRA1 has proposed a set of basic Use Cases to be considered as starting point for its internal studies. When researchers want to experiment with their developments, they need not only network resources on their slices, but also a slice of the processing resources. These processing slice resources are understood as virtual machine instances that users can use to make them behave as software routers or end nodes, on which to download the software protocols or applications they have produced and want to assess in a realistic environment. Hence, this deliverable also studies the APIs of several virtual machine management software products in order to identify which best suits FEDERICA’s needs.Postprint (published version

An Iterative and Toolchain-Based Approach to Automate Scanning and Mapping Computer Networks

As today's organizational computer networks are ever evolving and becoming more and more complex, finding potential vulnerabilities and conducting security audits has become a crucial element in securing these networks. The first step in auditing a network is reconnaissance by mapping it to get a comprehensive overview over its structure. The growing complexity, however, makes this task increasingly effortful, even more as mapping (instead of plain scanning), presently, still involves a lot of manual work. Therefore, the concept proposed in this paper automates the scanning and mapping of unknown and non-cooperative computer networks in order to find security weaknesses or verify access controls. It further helps to conduct audits by allowing comparing documented with actual networks and finding unauthorized network devices, as well as evaluating access control methods by conducting delta scans. It uses a novel approach of augmenting data from iteratively chained existing scanning tools with context, using genuine analytics modules to allow assessing a network's topology instead of just generating a list of scanned devices. It further contains a visualization model that provides a clear, lucid topology map and a special graph for comparative analysis. The goal is to provide maximum insight with a minimum of a priori knowledge.Comment: 7 pages, 6 figure

A Lightweight and Flexible Mobile Agent Platform Tailored to Management Applications

Mobile Agents (MAs) represent a distributed computing technology that promises to address the scalability problems of centralized network management. A critical issue that will affect the wider adoption of MA paradigm in management applications is the development of MA Platforms (MAPs) expressly oriented to distributed management. However, most of available platforms impose considerable burden on network and system resources and also lack of essential functionality. In this paper, we discuss the design considerations and implementation details of a complete MAP research prototype that sufficiently addresses all the aforementioned issues. Our MAP has been implemented in Java and tailored for network and systems management applications.Comment: 7 pages, 5 figures; Proceedings of the 2006 Conference on Mobile Computing and Wireless Communications (MCWC'2006

VINEA: a policy-based virtual network embedding architecture

Network virtualization has enabled new business models by allowing infrastructure providers to lease or share their physical network. To concurrently run multiple customized virtual network services, such infrastructure providers need to run a virtual network embedding protocol. The virtual network embedding is the (NP-hard) problem of matching constrained virtual networks onto the physical network. We present the design and implementation of a policy-based architecture for the virtual network embedding problem. By policy, we mean a variant aspect of any of the (invariant) embedding mechanisms: resource discovery, virtual network mapping, and allocation on the physical infrastructure. Our architecture adapts to different scenarios by instantiating appropriate policies, and has bounds on embedding efficiency and on convergence embedding time, over a single provider, or across multiple federated providers. The performance of representative novel policy configurations are compared over a prototype implementation. We also present an object model as a foundation for a protocol specification, and we release a testbed to enable users to test their own embedding policies, and to run applications within their virtual networks. The testbed uses a Linux system architecture to reserve virtual node and link capacities.National Science Foundation (CNS-0963974

Research and Implement of an Algorithm for Physical Topology Automatic Discovery in Switched Ethernet

AbstractIn this paper, a novel practical algorithmic solution for automatic discovering the physical topology of switched Ethernet was proposed. Our algorithm collects standard SNMP MIB information that is widely supported in modern IP networks and then builds the physical topology of the active network. We described the relative definitions, system model and proved the correctness of the algorithm. Practically, the algorithm was implemented in our visualization network monitoring system. We also presented the main steps of the algorithm, core codes and running results on the lab network. The experimental results clearly validate our approach, demonstrating that our algorithm is simple and effective which can discover the accurate up-to-date physical network topology

Network Automation Methodology for Detecting Rogue Switch

The issue of detecting malicious switches on the network is still a concern even as networks continue to grow more complex. Even though Wired networks are considered more secure than wireless, the wireless rogue device problem has been solved. However, the wired rogue switch problem remains unsolved. In this project, we apply core networking concepts and demonstrate a smart solution by combining the latest Automation techniques with highly effective software tool-sets available for detecting malicious systems connected to a rogue switch. This solution promises quick detection and requires Zero Downtime which could prove to be an ideal solution for enterprises having managed switch production networks. We achieve this by continuously filtering and analyzing network traffic for any broadcast storms or new Address Resolution protocol packets using Packet Analyzers and then effectively tracing the malicious host connected to the rogue switch by deploying automation techniques. This technique also helps detecting rogue unmanaged switches (“plug and play” devices) having pre-loaded configuration