4 research outputs found

    Software-defined middlebox networking

    [no abstract]

    Intelligent Network Infrastructures: New Functional Perspectives on Leveraging Future Internet Services

    The Internet experience of the 21st century is very different from that of the early '80s. The Internet has adapted itself to become what it really is today, a very successful business platform of global scale. Like every highly successful technology, the Internet has suffered from a natural process of ossification. Over the last 30 years, the technical solutions adopted to leverage emerging applications can be divided into two categories. First, the addition of new functionalities, either by patching existing protocols or by adding new upper layers. Second, accommodating traffic growth with higher-bandwidth links. Unfortunately, this approach is not suitable to provide the proper ground for a wide range of new applications. To be deployed, these future Internet applications require from the network layer advanced capabilities that the TCP/IP stack and its derived protocols cannot provide by design in a robust, scalable fashion. NGNs (Next Generation Networks) on top of intelligent telecommunication infrastructures are being envisioned to support future Internet services. This thesis contributes three proposals to achieve this ambitious goal. The first proposal presents a preliminary architecture to allow NGNs to seamlessly request advanced services from layer 1 transport networks, such as QoS-guaranteed point-to-multipoint circuits. This architecture is based on virtualization techniques applied to layer 1 networks, and hides from NGNs all complexities of interdomain provisioning. Moreover, the economic aspects involved were also considered, making the architecture attractive to carriers. The second contribution is a framework to develop DiffServ-MPLS capable networks based exclusively on open source software and commodity PCs. The developed flexible DiffServ-MPLS software router was designed to allow NGN prototyping that makes use of pseudo virtual circuits and assured QoS as a starting point of development. The third proposal presents a state-of-the-art routing and wavelength assignment algorithm for photonic networks. This algorithm considers physical layer impairments to 100% guarantee the requested QoS profile, even in case of single network failures. A number of novel techniques were applied to offer lower blocking probability when compared with recently proposed algorithms, without impacting setup delay time.

    Blind packet forwarding: a clean-slate security approach for future networks

    Meanwhile, there exists a wealth of approaches for a Future Network Architecture (FNA). Although these approaches differ in their orientation, they all suggest that a network should be service-oriented and flexibly orchestrated from atomic smart in-network services. In order to utilise the complete functionality of the orchestrated network, the in-network services require access to various control data that is exchanged in different ways. Hence, the communication endpoints have to expose more and more information about themselves. However, the in-network services as well as third parties are able to sniff information while it is transferred in cleartext. Besides these considerations, end-to-end encryption is the de facto method applied to provide information confidentiality for two communicating endpoints. But if the communicating endpoints perform end-to-end encryption, in-network services cannot accomplish their tasks anymore, since they cannot access the encrypted control data. Thus, it becomes impossible to fully utilise the benefits of FNA approaches. These issues indicate that it is only possible to realise one of the two goals – information confidentiality and smart in-network services – at once. But we demonstrate the feasibility to simultaneously establish smart in-network services and to provide information confidentiality by redesigning the packet forwarding service to make it operate blindly, which we call Blind Packet Forwarding (BPF). We choose this in-network service as an example because packet forwarding is one of the basic services required for most network architectures. Moreover, packet addresses act as the basis for operations performed by further in-network services. Furthermore, it was not possible so far to transfer packet addresses in end-to-end encrypted form. BPF provides confidentiality for packet addresses during transmission as well as during processing by network nodes.