
    Analyse und Optimierung von Hybriden Software-Defined Networks (Analysis and Optimization of Hybrid Software-Defined Networks)

    Hybrid IP networks that use both control plane paradigms - distributed and centralized - promise the best of two worlds: the programmability and flexible control of Software-Defined Networking (SDN), and at the same time the reliability and fault tolerance of distributed routing protocols like Open Shortest Path First (OSPF). Hybrid SDN/OSPF networks typically deploy OSPF to assure care-free operation of best-effort traffic, while SDN controls prioritized traffic. This "ships-passing-in-the-night" approach, in which neither control plane is aware of the other's configuration, only requires hybrid SDN/OSPF routers that participate in the domain-wide legacy routing protocol and additionally connect to a central SDN controller. This mode of operation is, however, known for a number of challenges in operational networks, including those related to network failures, the size of forwarding tables, routing convergence time, and the increased complexity of network management. There are alternative modes of hybrid operation that provide a more holistic network control paradigm: an OSPF-enabled SDN controller, a common network management system that allows the joint monitoring and configuration of both control planes, or the partitioning of the legacy routing domain with SDN border nodes. The latter mode, which is new, allows the operation of the legacy routing protocol inside the sub-domains to be steered to some extent. The analysis, modeling, and evaluative comparison of this approach, called SDN Partitioning, with the other modes of operation is the main contribution of this thesis. The thesis addresses important network planning tasks in hybrid SDN/OSPF networks and provides the corresponding mathematical models to optimize network clustering, capacity planning, SDN node placement, and resource provisioning for fault-tolerant operation. It furthermore provides the mathematical models to optimize traffic engineering, failure recovery, reconfiguration scheduling, and traffic monitoring in hybrid SDN/OSPF networks, which are vital network operational tasks.

    Gestion de la mobilité dans les réseaux Ad Hoc par anticipation des métriques de routage (Mobility Management in Ad Hoc Networks by Anticipating Routing Metrics)

    With the success of wireless communications, it has become possible to access the network anywhere at any time without having to physically connect communicating devices to an infrastructure. Nodes (laptops, smartphones, etc.) can scan the available radio channels in order to associate with a reachable wireless network (base station, access point, etc.). An undeniable advantage of wireless technologies is the ability to remain connected while mobile. However, mobility is difficult to manage because it must be handled at several layers in order to be transparent to users. In a MANET (Mobile Ad hoc Network), routing protocols use metrics to select the best routes. A metric can reflect the quality of the wireless link and thereby help manage mobility, but a significant delay between the estimation of the metrics and their inclusion in the routing process makes this approach ineffective. This thesis proposes new methods for computing routing metrics that address the mobility problem in ad hoc networks. The new metrics should reflect link quality and be sensitive to mobility at the same time. We consider the classical metrics, in particular ETX (Expected Transmission Count) and ETT (Expected Transmission Time), and introduce new methods that anticipate the values of these metrics using prediction algorithms. We use a cross-layer approach, which allows the joint use of information from layers 1, 2 and 3. Validating new methods for computing routing metrics requires evaluation on a real test bench, so we also implemented the new routing metrics in a testbed to assess and compare their performance with the classical metrics.

    An ontology-based approach toward the configuration of heterogeneous network devices

    Despite numerous standardization efforts, semantic issues persist in many subfields of networking. The inability to exchange data unambiguously between information systems and human operators hinders technology implementation, semantic interoperability, service deployment, network management, and technology migration, among many other things. In this thesis, we approach the semantic issues in two critical subfields of networking, namely network configuration management and network addressing architectures. What makes these areas particularly appealing to study is that in both scenarios semantic issues have been present since the very early days of networking; however, as networks continue to grow in size and complexity, current practices are becoming neither scalable nor practical. One of the most complex and essential tasks in network management is the configuration of network devices. The lack of comprehensive, standard means for modifying and controlling the configuration of network elements has led to the continued and extensive use of proprietary Command Line Interfaces (CLIs). Unfortunately, CLIs are generally both device- and vendor-specific. In the context of heterogeneous network infrastructures---i.e., networks typically composed of multiple devices from different vendors---the use of several CLIs raises serious Operation, Administration and Management (OAM) issues. Accordingly, network administrators are forced to gain specialized expertise and to continuously keep their knowledge and skills up to date as new features, system upgrades or technologies appear. Overall, the use of proprietary mechanisms allows neither sharing knowledge consistently across vendors' domains nor reusing configurations to achieve the full automation of configuration tasks that autonomic management typically requires. Because of this heterogeneity, CLIs typically provide a help feature, which is in turn a useful source of knowledge for the semantic interpretation of a vendor's configuration space. The large amount of information a network administrator must learn and manage makes Information Extraction (IE) and other forms of natural language analysis from the field of Artificial Intelligence (AI) key enablers for the network device configuration space. This thesis presents the design and implementation specification of the first Ontology-Based Information Extraction (OBIE) system operating on the CLI of network devices, for the automation and abstraction of device configurations. Moreover, the so-called semantic overload of IP addresses---wherein an address is both the identifier and the locator of a node at the same time---is one of the main constraints on host mobility, multi-homing and the scalability of the routing system. In light of this, numerous approaches have emerged in an effort to decouple the semantics of the network addressing scheme. In this thesis, we approach this issue from two perspectives, namely a non-disruptive (i.e., evolutionary) solution for the current Internet and a clean-slate approach for the Future Internet. In the first scenario, we analyze the Locator/Identifier Separation Protocol (LISP), as it is currently one of the strongest solutions to the semantic overload issue; its adoption, however, is hindered by existing problems in the proposed mapping systems. We therefore propose the LISP Redundancy Protocol (LRP), which complements the LISP framework and strengthens the feasibility of deployment while minimizing mapping table size and latency and maximizing reachability in the network. In the second scenario, we explore TARIFA, a Next Generation Internet architecture, and introduce a novel service-centric addressing scheme that aims to overcome the issues related to routing and the semantic overload of IP addresses.

    A pragmatic approach toward securing inter-domain routing

    Internet security poses complex challenges at different levels, where even the basic requirement of available Internet connectivity sometimes becomes a conundrum. Recent Internet service disruption events have made the vulnerability of the Internet apparent and have exposed the limitations of current Internet security measures as well. Usually, the main cause of such incidents, even in the presence of the security measures proposed so far, is the unintended or intended exploitation of loopholes in the protocols that govern the Internet. In this thesis, we focus on the security of two protocols that were conceived with little or no security mechanisms but play a key role both in the present and the future of the Internet, namely the Border Gateway Protocol (BGP) and the Locator/Identifier Separation Protocol (LISP). BGP, being the de facto inter-domain routing protocol of the Internet, plays a crucial role in current communications. Lacking any intrinsic security mechanism, it is prone to a number of vulnerabilities that can result in partial paralysis of the Internet. In light of this, numerous security strategies have been proposed, but none of them were pragmatic enough to be widely accepted, and only minor security tweaks have found their way to adoption. Even the recent IETF Secure Inter-Domain Routing (SIDR) Working Group (WG) efforts, including the Resource Public Key Infrastructure (RPKI), Route Origin Authorizations (ROAs), and BGP Security (BGPSEC), do not address policy-related security issues such as route leaks. Route leaks occur when the export routing policies agreed among Autonomous Systems (ASes) are violated; they not only have the potential to cause large-scale Internet service disruptions but can result in traffic hijacking as well. In this part of the thesis, we examine the route leak problem and propose pragmatic security methodologies that a) require no changes to the BGP protocol, b) depend neither on third-party information nor on third-party security infrastructure, and c) benefit the adopting domain regardless of adoption by other players. Our main contributions in this part of the thesis are a) a theoretical framework which, under realistic assumptions, enables a domain to autonomously determine whether a particular received route advertisement corresponds to a route leak, and b) three incremental detection techniques, namely Cross-Path (CP), Benign Fool Back (BFB), and Reverse Benign Fool Back (R-BFB). Their strength resides in the fact that these detection techniques solely require the analytical use of in-house control-plane, data-plane and direct-neighbor relationship information. We evaluate the performance of the three proposed route leak detection techniques both through real-time experiments and through large-scale simulations. Our results show that the proposed detection techniques achieve high success rates in countering route leaks in different scenarios. The motivation behind the LISP protocol has shifted over time from solving routing scalability issues in the core Internet to a set of vital use cases for which LISP stands as a technology enabler. The IETF's LISP WG has recently started to work toward securing LISP, but the protocol still lacks end-to-end mechanisms for securing the overall registration process on the mapping system, i.e., for ensuring RLOC authorization and EID authorization. As a result, LISP is unprotected against different attacks, such as RLOC spoofing, which can cripple even its basic functionality. In this part of the thesis we address the above-mentioned issues and propose practical solutions that counter them. Our solutions take advantage of the low technological inertia of the LISP protocol. The changes proposed for the LISP protocol and the use of existing security infrastructure in our solutions enable resource authorizations and lay the foundation for the needed end-to-end security.