
Towards smarter SDN switches: revisiting the balance of intelligence in SDN networks

Software Defined Networks (SDNs) represent a new model for building networks, in which the control plane is separated from the forwarding plane, allowing for centralised, fine-grained control of traffic in the network. The benefits of SDN range widely, from reducing the operational costs of networks to providing better Quality of Service guarantees to its users. Its application has been shown to increase the efficiency of large networks such as data centers and to improve security through Denial of Service mitigation systems and other traffic monitoring efforts. While SDN has been shown to be highly beneficial, some of its core features (e.g. the separation of control and data planes, and limited memory) allow malicious users to carry out Denial of Service (DoS) attacks against the network, reducing its availability and performance. Denial of Service attacks are explicit attempts to prevent legitimate users from accessing a service or resource. Such attacks can take many forms but are almost always costly to their victims, both financially and reputationally. SDN applications have been developed to mitigate some forms of DoS attacks aimed at traditional networks; however, SDN's intrinsic properties facilitate new attacks. In this thesis we investigate the opportunity for such Denial of Service attacks in more recent versions of SDN and extensively evaluate their effect on a legitimate user's throughput. In light of the potential for DoS attacks which specifically target the SDN infrastructure (controller, switch flow table, etc.), we propose that increasing the intelligence of SDN switches can increase the resilience of the SDN network by preventing attack traffic from entering the network at its source. To demonstrate this, we put forward designs for an intelligent SDN switch and implement two additional functionalities towards realising this design in a software version of the SDN switch. These modules allow the switch to efficiently handle high control plane loads, both malicious and legitimate, to ensure the network continues to provide good service even under such circumstances. Evaluation of these modules indicates that they preserve the performance of the network under high control plane loads far better than unmodified switches, with no notable drawbacks.

Caching Techniques in Next Generation Cellular Networks

Content caching will be an essential feature in the next generations of cellular networks. Indeed, a network equipped with caching capabilities allows users to retrieve content with reduced access delays and consequently reduces the traffic passing through the network backhaul. However, the deployment of caching nodes in the network is hindered by the following two challenges. First, the storage space of a cache is limited as well as expensive, so it is not possible to store in the cache every content item that could possibly be requested by users. This calls for efficient techniques to determine which contents must be stored in the cache. Second, efficient ways are needed to implement and control the caching node. In this thesis, we investigate caching techniques that address the above-mentioned challenges, so that the overall system performance is increased. In order to tackle the challenge of limited storage capacity, smart proactive caching strategies are needed. In the context of vehicular users served by edge nodes, we believe a caching strategy should be adapted to the mobility characteristics of the cars. In this regard, we propose a scheme called RICH (RoadsIde CacHe), which optimally caches content at the edge nodes where connected vehicles require it most. In particular, our scheme is designed to ensure in-order delivery of content chunks to end users. Unlike blind popularity decisions, the probabilistic caching used by RICH considers vehicular trajectory predictions as well as content service time by edge nodes. We evaluate our approach on realistic mobility datasets against a popularity-based edge approach called POP and a mobility-aware caching strategy known as netPredict. In terms of content availability, our RICH edge caching scheme provides an enhancement of up to 33% and 190% when compared with netPredict and POP, respectively. At the same time, the backhaul bandwidth penalty is reduced by a factor ranging between 57% and 70%. The caching node is also a key component in Named Data Networking (NDN), an innovative paradigm for providing content-based services in future networks. Compared to legacy networks, the naming of network packets and in-network caching of content make NDN more suitable for content dissemination. However, the implementation of NDN requires drastic changes to the existing network infrastructure. One feasible approach is to use Software Defined Networking (SDN), in which control of the network is delegated to a centralized controller that configures the forwarding data plane. This approach leads to large signaling overhead as well as large end-to-end (e2e) delays. In order to overcome these issues, in this work we provide an efficient way to implement and control the NDN node. We propose to enable NDN using a stateful data plane in the SDN network. In particular, we realize the functionality of an NDN node using a stateful SDN switch with an attached local cache for content storage, and use OpenState to implement this approach. In our solution, no involvement of the controller is required once the OpenState switch has been configured. We benchmark the performance of our solution against the traditional SDN approach considering several relevant metrics. Experimental results highlight the benefits of a stateful approach and of our implementation, which avoids signaling overhead and significantly reduces e2e delays.

Per-host DDoS mitigation by direct-control reinforcement learning

DDoS attacks plague the availability of online services today, yet, like many cybersecurity problems, they are evolving and non-stationary. Normal and attack patterns shift as new protocols and applications are introduced, further compounded by burstiness and seasonal variation. Accordingly, it is difficult to apply machine learning-based techniques and defences in practice. Reinforcement learning (RL) may overcome this detection problem for DDoS attacks by managing and monitoring consequences; an agent's role is to learn to optimise performance criteria (which are always available) in an online manner. We advance the state of the art in RL-based DDoS mitigation by introducing two agent classes designed to act on a per-flow basis, in a protocol-agnostic manner, for any network topology. This is supported by an in-depth investigation of feature suitability and empirical evaluation. Our results show the existence of flow features with high predictive power for different traffic classes when used as a basis for feedback-loop-like control. We show that the new RL agent models can offer a significant increase in goodput of legitimate TCP traffic for many choices of host density.

Flow Delegation: Flow Table Capacity Bottleneck Mitigation for Software-defined Networks

This dissertation introduces flow delegation, a novel concept to deal with flow table capacity bottlenecks in Software-defined Networks (SDNs). Such bottlenecks occur when SDN switches provide insufficient flow table capacity, which can lead to performance degradation and/or network failures. Flow delegation addresses this well-known problem by automatically relocating flow rules from a bottlenecked switch to neighboring switches with spare capacity. Different from existing work, this new approach can be used on demand in a transparent fashion, i.e., without changes to the network applications or other parts of the infrastructure. The thesis presents a system design and architecture capable of dealing with the numerous practical challenges associated with flow delegation, introduces suitable algorithms to efficiently mitigate bottlenecks taking future knowledge and multiple objectives into account, and studies the feasibility, performance, overhead, and scalability of the new approach across different scenarios.

Addressing TCAM limitations in an SDN-based pub/sub system

Content-based publish/subscribe is a popular paradigm that enables asynchronous exchange of events between decoupled applications and is practiced in a wide range of domains. Hence, extensive research has been conducted in the area of efficient large-scale pub/sub systems. A more recent development is content-based pub/sub systems that utilize software-defined networking (SDN) in order to implement event filtering in the network layer. By installing content filters in the ternary content-addressable memory (TCAM) of switches, these systems are able to achieve event filtering and forwarding at line-rate performance. While offering great performance, TCAM is also expensive, power hungry and limited in size. However, current SDN-based pub/sub systems don't address these limitations, and thus use TCAM excessively. Therefore, this thesis provides techniques for constraining TCAM usage in such systems. The proposed methods enforce concrete flow limits without dropping any events by selectively merging content filters into coarser-grained filters. The proposed algorithms leverage information about filter properties, traffic statistics, event distribution and global filter state in order to minimize the increase in unnecessary traffic introduced through merges. The proposed approach is twofold. A local enforcement algorithm ensures that the flow limit of a particular switch is never violated. This local approach is complemented by a periodically executed global optimization algorithm that tries to find a flow configuration on all switches which minimizes the increase in unnecessary traffic, given the current set of advertisements and subscriptions. For both classes, two algorithms with different properties are outlined. The proposed algorithms are integrated into the PLEROMA middleware and evaluated thoroughly in a real SDN testbed as well as in a large-scale network emulation. The evaluations demonstrate the effectiveness of the approaches under diverse and realistic workloads. In some cases, reducing the number of flows by more than 70% while increasing the false positive rate by less than 1% is possible.

Accurate and Resource-Efficient Monitoring for Future Networks

Monitoring functionality is a key component of any network management system. It is essential for profiling network resource usage, detecting attacks, and capturing the performance of the multitude of services using the network. Traditional monitoring solutions operate on long timescales, producing periodic reports which are mostly used for manual and infrequent network management tasks. However, these practices have recently been questioned by the advent of Software Defined Networking (SDN). By empowering management applications with the right tools to perform automatic, frequent, and fine-grained network reconfigurations, SDN has made these applications more dependent than before on the accuracy and timeliness of monitoring reports. As a result, monitoring systems are required to collect considerable amounts of heterogeneous measurement data, process them in real time, and expose the resulting knowledge on short timescales to network decision-making processes. Satisfying these requirements is extremely challenging given today's larger network scales, massive and dynamic traffic volumes, and the stringent constraints on time availability and hardware resources. This PhD thesis tackles this important challenge by investigating how an accurate and resource-efficient monitoring function can be realised in the context of future, software-defined networks. Novel monitoring methodologies, designs, and frameworks are provided in this thesis, which scale with increasing network sizes and automatically adjust to changes in the operating conditions. These achieve the goal of efficient measurement collection and reporting, lightweight measurement-data processing, and timely monitoring knowledge delivery.

Contributions towards softwarization and energy saving in passive optical networks

This thesis is the result of contributions to optimize and improve the network management system and power consumption in Passive Optical Networks (PON). Passive Optical Network elements such as the Optical Line Terminal (OLT) and Optical Network Units (ONUs) are currently managed by inflexible legacy network management systems. Software-Defined Networking (SDN) is a new networking paradigm that improves the operation and management of networks by decoupling the control plane from the data plane. Currently, network management in PON networks is not always automated or standardized. One goal of researchers in optical networking is to improve the programmability, efficiency, and global optimization of network operations, in order to minimize both Capital Expenditure (CAPEX) and Operational Expenditure (OPEX) by reducing the complexity of devices and their operation. Therefore, it makes sense to use an SDN approach to manage the passive optical network functionalities and migrate most of the upper-layer functions to the SDN controller. Many approaches have already addressed the topic of applying the SDN architecture in PON networks. However, the focus was usually on facilitating the deployment of SDN-based services, and so Service Interoperability remains unexplored in detail. The main challenge toward this goal is how to reconcile the synchronous nature of the EPON media access control protocols with the asynchronous architecture of SDN, and in particular OpenFlow. In our proposed architecture, the OLT is partially virtualized and some of its functionalities are allocated to the core network management system, while the OLT itself is replaced by an OpenFlow switch. A new MultiPoint MAC Control (MPMC) sublayer extension based on the OpenFlow protocol is presented. The OpenFlow switch is extended with synchronous ports to retain the time-critical nature of the EPON network. Our simulation-based results demonstrate the effectiveness of the new architecture, while retaining similar (or improved) performance in terms of delay and throughput when compared to legacy PONs. Nowadays, many researchers are working simultaneously to develop power-saving techniques and improve energy efficiency in PON networks, and since the contribution of access networks to global energy consumption is large, energy efficiency has become an increasingly important requirement in designing access networks. Therefore, energy-saving approaches are being investigated to provide high performance while consuming less energy. Several techniques have been proposed to increase energy efficiency in PON networks. Such techniques are related to centralized DBA, but the advantage of power saving in a distributed DBA remains unexplored. We present a distributed energy-efficient Dynamic Bandwidth Allocation (DBA) algorithm for both the upstream and downstream channels of EPON to improve energy efficiency in EPON networks. The proposed algorithm analyzes the queue status of the ONUs and OLT in order to power off the transmitter and/or receiver of an ONU whenever there is no upstream or downstream traffic. We have been able to combine the advantage of a distributed DBA such as DDSPON (a smaller packet delay, due to the shorter time needed by DDSPON to allocate the transmission slots) with the energy-saving features (which come at the price of longer packet delays, because switching off the transmitters makes the packet queues grow). Our proposed DBA algorithm minimizes the ONU energy consumption across a wide range of network loads, while keeping at an acceptable level the penalty introduced in terms of channel utilization and packet delay.

The contributions of this thesis focus on improving the network management system and the energy consumption of passive optical access networks (PON). PON elements such as the optical line terminal (OLT) and the optical network units (ONUs) are currently managed by inflexible systems. The new software-defined networking (SDN) paradigm improves network management by decoupling the control plane from the data plane. Currently, PON network management is neither automated nor standardized. One of the goals of researchers in optical networking is to improve the programmability, efficiency and global optimization of network operations, in order to minimize both capital expenditure (CAPEX) and operational expenditure (OPEX) by reducing the complexity of devices and their operation. Therefore, it makes sense to use an SDN approach to manage the passive optical network functions and migrate some of the upper-layer PON functions to the SDN controller. Other researchers have studied this approach; however, the focus was generally on facilitating the deployment of SDN-based services and, consequently, service interoperability remained unexplored in detail. The main challenge toward this goal is how to reconcile the synchronous nature of the EPON media access control protocols with the asynchronous architecture of SDN and, in particular, OpenFlow. In our proposed architecture, the OLT is partially virtualized and some of its functionalities are assigned to the centralized network management system, while the OLT is replaced by an OpenFlow switch. We propose a new MultiPoint MAC Control (MPMC) sublayer extension based on the OpenFlow protocol. The OpenFlow switch is extended with synchronous ports to ensure the real-time nature of the EPON network. Our simulation-based results demonstrate the effectiveness of the new architecture, while maintaining similar (or improved) performance in terms of delay and throughput compared with classic PONs. On the other hand, energy-saving techniques and energy efficiency improvements are being developed for PON networks, and since the contribution of access networks to total energy consumption is significant, energy efficiency has become an increasingly important requirement. Several techniques have been proposed by other authors to increase energy efficiency in PON networks, related to centralized DBA (Dynamic Bandwidth Allocation) algorithms, but the advantage of energy saving in a distributed DBA has not yet been explored. Our second contribution is therefore a distributed, energy-efficient dynamic bandwidth allocation algorithm for both the upstream and downstream channels of EPON, to improve energy efficiency in EPON networks. The proposed algorithm analyzes the queue status of the ONUs and the OLT in order to switch off the transmitter and/or receiver of an ONU when there is no upstream or downstream traffic. We have been able to combine the advantage of a distributed DBA such as DDSPON (which ensures smaller delays, due to the shorter time DDSPON needs to allocate the transmission slots) with the energy-saving features (at the price of larger packet delays, because switching off the transmitters makes the packet queues grow). Our proposed DBA algorithm minimizes the ONU energy consumption across a wide range of network loads, while keeping at an acceptable level the penalty introduced in terms of channel utilization and packet delay.