834 research outputs found
Software-defined networking: guidelines for experimentation and validation in large-scale real world scenarios
Part 1: IIVC WorkshopInternational audienceThis article thoroughly details large-scale real world experiments using Software-Defined Networking in the testbed setup. More precisely, it provides a description of the foundation technology behind these experiments, which in turn is focused around OpenFlow and on the OFELIA testbed. In this testbed preliminary experiments were performed in order to tune up settings and procedures, analysing the encountered problems and their respective solutions. A methodology consisting of five large-scale experiments is proposed in order to properly validate and improve the evaluation techniques used in OpenFlow scenarios
Routing-Verification-as-a-Service (RVaaS): Trustworthy Routing Despite Insecure Providers
Computer networks today typically do not provide any mechanisms to the users
to learn, in a reliable manner, which paths have (and have not) been taken by
their packets. Rather, it seems inevitable that as soon as a packet leaves the
network card, the user is forced to trust the network provider to forward the
packets as expected or agreed upon. This can be undesirable, especially in the
light of today's trend toward more programmable networks: after a successful
cyber attack on the network management system or Software-Defined Network (SDN)
control plane, an adversary in principle has complete control over the network.
This paper presents a low-cost and efficient solution to detect misbehaviors
and ensure trustworthy routing over untrusted or insecure providers, in
particular providers whose management system or control plane has been
compromised (e.g., using a cyber attack). We propose
Routing-Verification-as-a-Service (RVaaS): RVaaS offers clients a flexible
interface to query information relevant to their traffic, while respecting the
autonomy of the network provider. RVaaS leverages key features of
OpenFlow-based SDNs to combine (passive and active) configuration monitoring,
logical data plane verification and actual in-band tests, in a novel manner
Know Your Enemy: Stealth Configuration-Information Gathering in SDN
Software Defined Networking (SDN) is a network architecture that aims at
providing high flexibility through the separation of the network logic from the
forwarding functions. The industry has already widely adopted SDN and
researchers thoroughly analyzed its vulnerabilities, proposing solutions to
improve its security. However, we believe important security aspects of SDN are
still left uninvestigated. In this paper, we raise the concern of the
possibility for an attacker to obtain knowledge about an SDN network. In
particular, we introduce a novel attack, named Know Your Enemy (KYE), by means
of which an attacker can gather vital information about the configuration of
the network. This information ranges from the configuration of security tools,
such as attack detection thresholds for network scanning, to general network
policies like QoS and network virtualization. Additionally, we show that an
attacker can perform a KYE attack in a stealthy fashion, i.e., without the risk
of being detected. We underline that the vulnerability exploited by the KYE
attack is proper of SDN and is not present in legacy networks. To address the
KYE attack, we also propose an active defense countermeasure based on network
flows obfuscation, which considerably increases the complexity for a successful
attack. Our solution offers provable security guarantees that can be tailored
to the needs of the specific network under consideratio
Consistent SDNs through Network State Fuzzing
The conventional wisdom is that a software-defined network (SDN) operates under the premise that the logically centralized control plane has an accurate representation of the actual data plane state. Nevertheless, bugs, misconfigurations, faults or attacks can introduce inconsistencies that undermine correct operation. Previous work in this area, however, lacks a holistic methodology to tackle this problem and thus, addresses only certain parts of the problem. Yet, the consistency of the overall system is only as good as its least consistent part. Motivated by an analogy of network consistency checking with program testing, we propose to add active probe-based network state fuzzing to our consistency check repertoire. Hereby, our system, PAZZ, combines production traffic with active probes to continuously test if the actual forwarding path and decision elements (on the data plane) correspond to the expected ones (on the control plane). Our insight is that active traffic covers the inconsistency cases beyond the ones identified by passive traffic. PAZZ prototype was built and evaluated on topologies of varying scale and complexity. Our results show that PAZZ requires minimal network resources to detect persistent data plane faults through fuzzing and localize them quickly
Time4: Time for SDN
With the rise of Software Defined Networks (SDN), there is growing interest
in dynamic and centralized traffic engineering, where decisions about
forwarding paths are taken dynamically from a network-wide perspective.
Frequent path reconfiguration can significantly improve the network
performance, but should be handled with care, so as to minimize disruptions
that may occur during network updates.
In this paper we introduce Time4, an approach that uses accurate time to
coordinate network updates. Time4 is a powerful tool in softwarized
environments, that can be used for various network update scenarios.
Specifically, we characterize a set of update scenarios called flow swaps, for
which Time4 is the optimal update approach, yielding less packet loss than
existing update approaches. We define the lossless flow allocation problem, and
formally show that in environments with frequent path allocation, scenarios
that require simultaneous changes at multiple network devices are inevitable.
We present the design, implementation, and evaluation of a Time4-enabled
OpenFlow prototype. The prototype is publicly available as open source. Our
work includes an extension to the OpenFlow protocol that has been adopted by
the Open Networking Foundation (ONF), and is now included in OpenFlow 1.5. Our
experimental results show the significant advantages of Time4 compared to other
network update approaches, and demonstrate an SDN use case that is infeasible
without Time4.Comment: This report is an extended version of "Software Defined Networks:
It's About Time", which was accepted to IEEE INFOCOM 2016. A preliminary
version of this report was published in arXiv in May, 201
- …