Network coding data planes with programmable switches

Tese de mestrado, Engenharia Informática (Arquitectura, Sistemas e Redes de Computadores), Universidade de Lisboa, Faculdade de Ciências, 2017Atualmente, as redes de computadores seguem um paradigma tradicional de store-andforward, ou seja, os dispositivos de rede fazem armazenamento, encaminhamento e/ou replicação de pacotes recebidos, sem os modificar. No virar do milénio, surgiu um artigo seminal [24], no qual foi demonstrado teoricamente que a combinação da informação proveniente de diversos pacotes, permite aumentar a capacidade de uma rede relativamente à capacidade máxima, alcançada por simples encaminhamento. Este resultado representou o nascimento de uma área promissora de investigação, conhecida como Codificação na Rede (Network Coding). A ideia é permitir que os nós intermédios da rede, possam aplicar uma função de codificação sobre o conteúdo dos pacotes antes do seu encaminhamento, proporcionando assim um novo paradigma de store-code-forward. A família de técnicas tradicionais pode ser divida em duas categorias, com propósitos distintos. Codificação na Origem (Source Coding) com o objetivo de comprimir a informação enviada, e Codificação no Canal (Channel Coding) para compensar perdas e alteração de informação em canais ruidosos. Com codificação na rede, surge oportunidade para a definição de técnicas mais elaboradas e que visam outros propósitos. Deste modo, as técnicas de codificação tradicionais podem ser extendidas para além da codificação de pacotes em nós de origem, e da descodificação em nós de destino. De um ponto de vista geral, a codificação na rede tem potencial para melhorar a taxa de transferência de informação na rede; aumentar a resiliência contra perda de pacotes, interrupção de canais e nós da rede; e aumentar a segurança contra ataques maliciosos que visam a captura, interpretação e modificação de pacotes. Como técnica, a codificação na rede pode ser aplicada de dois modos distintos. Por um lado, sobre pacotes provenientes de um único fluxo de comunicação (intraflow network coding) e por outro, sobre múltiplos fluxos sem qualquer relação entre si (interflow network coding). A título de exemplo, se considerarmos dois fluxos que chegam a um switch por dois canais distintos, mas que contestam o mesmo canal de saída, temos um gargalo na rede. Usando codificação na rede, o switch pode aplicar, bit a bit, o Ou-Exclusivo (XOR) sobre dois pacotes (um de cada fluxo) e encaminhar o resultado. A taxa de transferência é melhorada, pois o switch necessita apenas de encaminhar um pacote codificado em vez de dois originais. É de salientar que, de forma a descodificar o pacote, o nó de destino tem de ter um dos pacotes originais usados na codificação. Portanto, as vantagens da codificação na rede estão dependentes da topologia da rede, da própria função de codificação utilizada, e do modo como é aplicada. Numa rede, um nó intermédio terá à partida acesso a vários pacotes. De forma a tirar máximo partido da técnica de codificação na rede, as funções de codificação utilizadas acabam por consistir num código linear (Linear Network Coding). A ideia é considerar todos os pacotes de uma mensagem a enviar (por exemplo, um ficheiro de texto, um vídeo, ou até um simples pedido HTTP) como um vetor de elementos de um dado campo finito. O tamanho de cada elemento, é dado pelo número de bits necessário para representar o maior valor desse campo. Se por exemplo o campo finito for 256, cada elemento terá 8 bits. A um vetor de elementos, damos o nome de símbolo. Associado a cada símbolo transmitido na rede, existe um vetor de coeficientes, necessário para codificação e descodificação. O tamanho do vetor, é ditado pelo número de símbolos originais. Se a mensagem é divida em 5 símbolos, então o vetor tem tamanho 5. Para codificar e criar um novo símbolo, o nó da rede começa por selecionar um novo vetor de coeficientes local. A função de codificação consiste numa combinação linear sobre um dado número de símbolos, utilizando o novo vetor local. O vetor do novo símbolo codificado é obtido da mesma forma. Sobre os vetores dos símbolos utilizados, é feita uma combinação linear utilizando o vetor local. Para descodificar os símbolos originais, são necessários um número igual de símbolos codificados, linearmente independentes. De forma a que os símbolos codificados e recodificados na rede, sejam linearmente independentes, podem ser utilizados algoritmos de tempo polinomial [59], para estabelecer os vetores locais utilizados por cada nó intermédio da rede. De forma a simplificar o problema, os vetores locais podem ser aleatórios (Random Linear Network Coding). Se o campo finito for suficientemente grande, a probabilidade de obter símbolos codificados linearmente independentes chega perto dos 100%. De forma a ter vetores mais reduzidos, tornando as operações mais simples, e permitindo uma descodificação gradual, os símbolos originais da mensagem podem ser organizados em gerações. Por cada geração, são gerados e injetados pela rede, símbolos codificados. Quando uma geração é descodificada, procede-se para a geração seguinte. Repare-se que a função de codificação referida anteriormente, com base em XOR, é o caso base e mais simples de um código linear. Neste caso, o campo finito é de tamanho 2. Apesar de ser um conceito relativamente simples, implementar e usar técnicas de codificação no plano de dados dos próprios dispositivos de rede é uma tarefa bastante complicada. Até mesmo quase impossível na maioria dos casos, visto que a payload dos pacotes é sujeita a alterações. O seu funcionamento baseia-se em protocolos fixos, que correm no próprio hardware de forma a maximizar o desempenho, o que torna difícil a tarefa de configurar e gerir uma rede para além das simples operações de encaminhamento de pacotes. Por este motivo, as implementações práticas de codificação na rede que têm vindo a surgir nos últimos anos, operam em redes overlay. Uma rede overlay reside logicamente na camada de aplicação, implicando que os dispositivos de rede propriamente ditos não são alterados. O interesse crescente em operações mais complexas e exigentes na rede, mas condicionado pelo funcionamento rígido e fechado dos routers e switches tradicionais, motivou uma mudança de paradigma: de redes configuráveis para redes programáveis. A primeira instância de uma rede programável é conhecida como Rede Definida por Software (SDN). Numa rede SDN, o plano de controlo é separado do plano de dados, e reside num dispositivo à parte - um controlador logicamente centralizado. Utilizando a informação de pacotes provenientes do plano de dados dos switches, o controlador pode definir políticas de configuração mais flexíveis e instalar regras nas tabelas match-action dos mesmos. A comunicação entre os switches e o controlador está estandardizada, sendo utilizado um protocolo conhecido como OpenFlow. A limitação de switches e controladores Open- Flow está no processamento de pacotes, que continua a ser fixo. De facto, o OpenFlow atua sobre um conjunto fixo de protocolos. Além disso, a sequência de tabelas e ações de um switch Openflow também é fixa. Portanto, o OpenFlow não permite realmente definir nova funcionalidade no plano de dados de um switch. Apenas fornece um meio para o controlador tomar decisões e instalar regras nas tabelas match-action, dos mesmos. No âmbito de codificação na rede, este fator impossibilita a alteração da payload dos pacotes, e consequentemente a sua combinação. No entanto, têm vindo a surgir recentemente switches programáveis, alguns até já em produção (por exemplo, Tofino da Barefoot Networks). Estes dispositivos permitem a programação e reprogramação do plano de dados, o que possibilita uma definição precisa e customizada do modo de processamento de pacotes. Com esta liberdade, a codificação na rede torna-se possível, no plano de dados. Porém, a sua programação é baseada em interfaces de baixo nível, tornando-se um processo demorado e doloroso. Esta dificuldade, acrescida também às limitações descritas do OpenFlow, motivou a criação da linguagem de alto nível, P4. A linguagem P4 permite definir cabeçalhos, parsers e a sequência de tabelas de matchaction, para qualquer dispositivo de rede compatível. As ações podem ser definidas utilizando um conjunto de primitivas básicas oferecidas pela linguagem. A linguagem P4 oferece três vantagens. Primeiro, não está dependente de protocolos e formatos de pacotes específicos, uma vez que a sua definição pode ser feita pelo programador. Segundo, permite a reconfiguração do switch a qualquer momento. Terceiro, não depende do hardware subjacente, podendo ser escrita, da mesma forma, para qualquer dispositivo que tenha o compilador adequado. O objetivo desta dissertação consiste no desenho, implementação e avaliação do primeiro switch capaz de realizar codificação no plano de dados, recorrendo à linguagem P4. Mais concretamente, a nossa solução consiste em dois switches: um que executa XOR (P4- XOR Switch), e outro que executa uma variante de Random Linear Network Coding (P4-RLNC Switch). Durante a implementação enfrentámos vários desafios, devido às peculiaridades da linguagem. Entre os principais fatores que dificultaram a implementação, está o facto de a linguagem ser declarativa, não permitindo a criação de estruturas de dados auxiliares em tempo de execução; e a impossibilidade de criar ciclos, essencial para repetir o mesmo processo de codificação sobre os vários elementos dos símbolos, no caso do P4-RLNC Switch. Sendo um trabalho inovador, a avaliação focou-se essencialmente na funcionalidade dos dois switches concretizados. Adicionalmente, a performance do P4-XOR Switch também foi avaliada.Network Coding (NC) is a technique that can be used to improve a network’s throughput. In addition, it has significant potential to improve the security, manageability, resilience (to packet losses, link failures and node departures) and the support of quality of service, in both wired and wireless network environments. The idea is to allow intermediate nodes of the network (i.e. switches and/or routers) to mix the contents of incoming data packets before forwarding them. Something that, traditionally carried out at source nodes, is therefore extended to the network, creating an array of new options. The difficulty of deploying NC on traditional switches lies in the impossibility to change or extend their operation with the requirements of this new paradigm. The devices are closed, the software and underlying hardware are vendor specific, and follow a fixed set of protocols and processing pipeline. This rigidity precludes NC in today’s switches and routers. Fortunately, programmable switches are beginning to emerge, with some already achieving production-levels and reaching the market (e.g., Barefoot Tofino). A new high-level language to program these switches has recently been proposed: P4. The P4 language allows the precise definition of how packets are processed in these programmable switches. Namely, it enables the definition of headers, parsers, match-action tables, and the processing pipeline itself. Therefore, by taking advantage of these constructs, P4 enables the deployment of NC, on the switch’s data plane, for the first time. In this dissertation, we design and implement two NC switches using the P4 language. Both switches employ Linear Network Coding (LNC). The main difference is that the first (P4-XOR Switch), simply performs the XOR of packets (i.e., a linear code with field size 2). The second (P4-RLNC Switch) is more generic, allowing larger field sizes. For this purpose it performs Random Linear Network Coding (RLNC), which is a random variant of LNC. The evaluation was performed on Mininet (a network emulator) and focused on the functionality of both switches. Additionally, the performance of the P4-XOR Switch was tested as well. The main conclusion is that our implementations correctly perform the required operations allowing, for the first time, NC to be performed in real data planes

Provider-Controlled Bandwidth Management for HTTP-based Video Delivery

Over the past few years, a revolution in video delivery technology has taken place as mobile viewers and over-the-top (OTT) distribution paradigms have significantly changed the landscape of video delivery services. For decades, high quality video was only available in the home via linear television or physical media. Though Web-based services brought video to desktop and laptop computers, the dominance of proprietary delivery protocols and codecs inhibited research efforts. The recent emergence of HTTP adaptive streaming protocols has prompted a re-evaluation of legacy video delivery paradigms and introduced new questions as to the scalability and manageability of OTT video delivery. This dissertation addresses the question of how to enable for content and network service providers the ability to monitor and manage large numbers of HTTP adaptive streaming clients in an OTT environment. Our early work focused on demonstrating the viability of server-side pacing schemes to produce an HTTP-based streaming server. We also investigated the ability of client-side pacing schemes to work with both commodity HTTP servers and our HTTP streaming server. Continuing our client-side pacing research, we developed our own client-side data proxy architecture which was implemented on a variety of mobile devices and operating systems. We used the portable client architecture as a platform for investigating different rate adaptation schemes and algorithms. We then concentrated on evaluating the network impact of multiple adaptive bitrate clients competing for limited network resources, and developing schemes for enforcing fair access to network resources. The main contribution of this dissertation is the definition of segment-level client and network techniques for enforcing class of service (CoS) differentiation between OTT HTTP adaptive streaming clients. We developed a segment-level network proxy architecture which works transparently with adaptive bitrate clients through the use of segment replacement. We also defined a segment-level rate adaptation algorithm which uses download aborts to enforce CoS differentiation across distributed independent clients. The segment-level abstraction more accurately models application-network interactions and highlights the difference between segment-level and packet-level time scales. Our segment-level CoS enforcement techniques provide a foundation for creating scalable managed OTT video delivery services

ACUTA Journal of Telecommunications in Higher Education

In This Issue lT Market Clock for Enterprise Networking lnfrastructure, 2010 Emerging Technology Trends-Finding the Next Big Thing Money and Mobile Access Challenge Community Colleges A Business Perspective on Hosted Communications FMC: Ready to Fly or Flop? Challenges Facing Broadband Wireless Providers Deploying IEEE 802.11n Data and Security Networks Campuswide While Optimizing Energy Efficiency Interview President\u27s Message. From the Executive Director O&A from the CI

ACUTA Journal of Telecommunications in Higher Education

In This Issue lT Market Clock for Enterprise Networking lnfrastructure, 2010 Emerging Technology Trends-Finding the Next Big Thing Money and Mobile Access Challenge Community Colleges A Business Perspective on Hosted Communications FMC: Ready to Fly or Flop? Challenges Facing Broadband Wireless Providers Deploying IEEE 802.11n Data and Security Networks Campuswide While Optimizing Energy Efficiency Interview President\u27s Message. From the Executive Director O&A from the CI

Security and Privacy in Dynamic Spectrum Access: Challenges and Solutions

abstract: Dynamic spectrum access (DSA) has great potential to address worldwide spectrum shortage by enhancing spectrum efficiency. It allows unlicensed secondary users to access the under-utilized spectrum when the primary users are not transmitting. On the other hand, the open wireless medium subjects DSA systems to various security and privacy issues, which might hinder the practical deployment. This dissertation consists of two parts to discuss the potential challenges and solutions. The first part consists of three chapters, with a focus on secondary-user authentication. Chapter One gives an overview of the challenges and existing solutions in spectrum-misuse detection. Chapter Two presents SpecGuard, the first crowdsourced spectrum-misuse detection framework for DSA systems. In SpecGuard, three novel schemes are proposed for embedding and detecting a spectrum permit at the physical layer. Chapter Three proposes SafeDSA, a novel PHY-based scheme utilizing temporal features for authenticating secondary users. In SafeDSA, the secondary user embeds his spectrum authorization into the cyclic prefix of each physical-layer symbol, which can be detected and authenticated by a verifier. The second part also consists of three chapters, with a focus on crowdsourced spectrum sensing (CSS) with privacy consideration. CSS allows a spectrum sensing provider (SSP) to outsource the spectrum sensing to distributed mobile users. Without strong incentives and location-privacy protection in place, however, mobile users are reluctant to act as crowdsourcing workers for spectrum-sensing tasks. Chapter Four gives an overview of the challenges and existing solutions. Chapter Five presents PriCSS, where the SSP selects participants based on the exponential mechanism such that the participants' sensing cost, associated with their locations, are privacy-preserved. Chapter Six further proposes DPSense, a framework that allows the honest-but-curious SSP to select mobile users for executing spatiotemporal spectrum-sensing tasks without violating the location privacy of mobile users. By collecting perturbed location traces with differential privacy guarantee from participants, the SSP assigns spectrum-sensing tasks to participants with the consideration of both spatial and temporal factors. Through theoretical analysis and simulations, the efficacy and effectiveness of the proposed schemes are validated.Dissertation/ThesisDoctoral Dissertation Electrical Engineering 201

D1.1 Refined scenarios and requirements, consolidated use cases, and qualitative techno-economic feasibility assessment

This document describes scenarios, consolidated use cases and associated requirements for wireless access networks in the 2020-2030 timeframe. These are based on METIS project and also taking into account work done in other 5G projects and forums such as ITU-R and NGMN. The document introduces spectrum authorization modes and describes spectrum usages scenarios, spectrum bands and spectrum demand for 5G services. Finally, this document provides qualitative techno-economic feasibility assessment by analyzing main players involved in service delivery, from the radio access network point of view, and describing their mutual positions and relationships.Monserrat Del Río, JF.; Martín-Sacristán Gandía, D. (2016). D1.1 Refined scenarios and requirements, consolidated use cases, and qualitative techno-economic feasibility assessment. https://doi.org/10.13140/RG.2.2.32091.7760

A composable approach to design of newer techniques for large-scale denial-of-service attack attribution

Since its early days, the Internet has witnessed not only a phenomenal growth, but also a large number of security attacks, and in recent years, denial-of-service (DoS) attacks have emerged as one of the top threats. The stateless and destination-oriented Internet routing combined with the ability to harness a large number of compromised machines and the relative ease and low costs of launching such attacks has made this a hard problem to address. Additionally, the myriad requirements of scalability, incremental deployment, adequate user privacy protections, and appropriate economic incentives has further complicated the design of DDoS defense mechanisms. While the many research proposals to date have focussed differently on prevention, mitigation, or traceback of DDoS attacks, the lack of a comprehensive approach satisfying the different design criteria for successful attack attribution is indeed disturbing. Our first contribution here has been the design of a composable data model that has helped us represent the various dimensions of the attack attribution problem, particularly the performance attributes of accuracy, effectiveness, speed and overhead, as orthogonal and mutually independent design considerations. We have then designed custom optimizations along each of these dimensions, and have further integrated them into a single composite model, to provide strong performance guarantees. Thus, the proposed model has given us a single framework that can not only address the individual shortcomings of the various known attack attribution techniques, but also provide a more wholesome counter-measure against DDoS attacks. Our second contribution here has been a concrete implementation based on the proposed composable data model, having adopted a graph-theoretic approach to identify and subsequently stitch together individual edge fragments in the Internet graph to reveal the true routing path of any network data packet. The proposed approach has been analyzed through theoretical and experimental evaluation across multiple metrics, including scalability, incremental deployment, speed and efficiency of the distributed algorithm, and finally the total overhead associated with its deployment. We have thereby shown that it is realistically feasible to provide strong performance and scalability guarantees for Internet-wide attack attribution. Our third contribution here has further advanced the state of the art by directly identifying individual path fragments in the Internet graph, having adopted a distributed divide-and-conquer approach employing simple recurrence relations as individual building blocks. A detailed analysis of the proposed approach on real-life Internet topologies with respect to network storage and traffic overhead, has provided a more realistic characterization. Thus, not only does the proposed approach lend well for simplified operations at scale but can also provide robust network-wide performance and security guarantees for Internet-wide attack attribution. Our final contribution here has introduced the notion of anonymity in the overall attack attribution process to significantly broaden its scope. The highly invasive nature of wide-spread data gathering for network traceback continues to violate one of the key principles of Internet use today - the ability to stay anonymous and operate freely without retribution. In this regard, we have successfully reconciled these mutually divergent requirements to make it not only economically feasible and politically viable but also socially acceptable. This work opens up several directions for future research - analysis of existing attack attribution techniques to identify further scope for improvements, incorporation of newer attributes into the design framework of the composable data model abstraction, and finally design of newer attack attribution techniques that comprehensively integrate the various attack prevention, mitigation and traceback techniques in an efficient manner

Software Defined Application Delivery Networking

In this thesis we present the architecture, design, and prototype implementation details of AppFabric. AppFabric is a next generation application delivery platform for easily creating, managing and controlling massively distributed and very dynamic application deployments that may span multiple datacenters. Over the last few years, the need for more flexibility, finer control, and automatic management of large (and messy) datacenters has stimulated technologies for virtualizing the infrastructure components and placing them under software-based management and control; generically called Software-defined Infrastructure (SDI). However, current applications are not designed to leverage this dynamism and flexibility offered by SDI and they mostly depend on a mix of different techniques including manual configuration, specialized appliances (middleboxes), and (mostly) proprietary middleware solutions together with a team of extremely conscientious and talented system engineers to get their applications deployed and running. AppFabric, 1) automates the whole control and management stack of application deployment and delivery, 2) allows application architects to define logical workflows consisting of application servers, message-level middleboxes, packet-level middleboxes and network services (both, local and wide-area) composed over application-level routing policies, and 3) provides the abstraction of an application cloud that allows the application to dynamically (and automatically) expand and shrink its distributed footprint across multiple geographically distributed datacenters operated by different cloud providers. The architecture consists of a hierarchical control plane system called Lighthouse and a fully distributed data plane design (with no special hardware components such as service orchestrators, load balancers, message brokers, etc.) called OpenADN . The current implementation (under active development) consists of ~10000 lines of python and C code. AppFabric will allow applications to fully leverage the opportunities provided by modern virtualized Software-Defined Infrastructures. It will serve as the platform for deploying massively distributed, and extremely dynamic next generation application use-cases, including: Internet-of-Things/Cyber-Physical Systems: Through support for managing distributed gather-aggregate topologies common to most Internet-of-Things(IoT) and Cyber-Physical Systems(CPS) use-cases. By their very nature, IoT and CPS use cases are massively distributed and have different levels of computation and storage requirements at different locations. Also, they have variable latency requirements for their different distributed sites. Some services, such as device controllers, in an Iot/CPS application workflow may need to gather, process and forward data under near-real time constraints and hence need to be as close to the device as possible. Other services may need more computation to process aggregated data to drive long term business intelligence functions. AppFabric has been designed to provide support for such very dynamic, highly diversified and massively distributed application use-cases. Network Function Virtualization: Through support for heterogeneous workflows, application-aware networking, and network-aware application deployments, AppFabric will enable new partnerships between Application Service Providers (ASPs) and Network Service Providers (NSPs). An application workflow in AppFabric may comprise of application services, packet and message-level middleboxes, and network transport services chained together over an application-level routing substrate. The Application-level routing substrate allows policy-based service chaining where the application may specify policies for routing their application traffic over different services based on application-level content or context. Virtual worlds/multiplayer games: Through support for creating, managing and controlling dynamic and distributed application clouds needed by these applications. AppFabric allows the application to easily specify policies to dynamically grow and shrink the application\u27s footprint over different geographical sites, on-demand. Mobile Apps: Through support for extremely diversified and very dynamic application contexts typical of such applications. Also, AppFabric provides support for automatically managing massively distributed service deployment and controlling application traffic based on application-level policies. This allows mobile applications to provide the best Quality-of-Experience to its users without This thesis is the first to handle and provide a complete solution for such a complex and relevant architectural problem that is expected to touch each of our lives by enabling exciting new application use-cases that are not possible today. Also, AppFabric is a non-proprietary platform that is expected to spawn lots of innovations both in the design of the platform itself and the features it provides to applications. AppFabric still needs many iterations, both in terms of design and implementation maturity. This thesis is not the end of journey for AppFabric but rather just the beginning