
    SDNsec: Forwarding Accountability for the SDN Data Plane

    SDN promises to make networks more flexible, programmable, and easier to manage. Inherent security problems in SDN today, however, pose a threat to the promised benefits. First, the network operator lacks tools to proactively ensure that policies will be followed or to reactively inspect the behavior of the network. Second, the distributed nature of state updates at the data plane leads to inconsistent network behavior during reconfigurations. Third, the large flow space makes the data plane susceptible to state exhaustion attacks. This paper presents SDNsec, an SDN security extension that provides forwarding accountability for the SDN data plane. Forwarding rules are encoded in the packet, ensuring consistent network behavior during reconfigurations and limiting state exhaustion attacks due to table lookups. Symmetric-key cryptography is used to protect the integrity of the forwarding rules and enforce them at each switch. A complementary path validation mechanism allows the controller to reactively examine the actual path taken by the packets. Furthermore, we present mechanisms for secure link-failure recovery and multicast/broadcast forwarding.
    Comment: 14 page

    Adaptive Load Sharing for Network Processors

    A novel scheme for processing packets in a router is presented, which provides for load sharing among multiple network processors distributed within the router. It is complemented by a feedback control mechanism designed to prevent processor overload. Incoming traffic is scheduled to multiple processors based on a deterministic mapping. The mapping formula is derived from the robust hash routing (also known as highest random weight, HRW) scheme, introduced in K.W. Ross, IEEE Network, 11(6), 1997, and D.G. Thaler et al., IEEE Trans. Networking, 6(1), 1998. No state information on individual flow mapping needs to be stored; instead, for each packet, a mapping function is computed over an identifier vector, a predefined set of fields in the packet. An adaptive extension to the HRW scheme is provided in order to cope with biased traffic patterns. We prove that our adaptation possesses the minimal disruption property with respect to the mapping and exploit that property in order to minimize the probability of flow reordering. Simulation results indicate that the scheme achieves significant improvements in processor utilization. A higher number of router interfaces can thus be supported with the same amount of processing power.

    Load sharing for multiprocessor network nodes

    This thesis discusses techniques for sharing the processing load among multiple processing units within systems that act as nodes in a data communications network. Load-sharing techniques have been explored in the field of computer science for many years and their benefits are well known, including better utilization of processing capacity and enhanced system fault tolerance. We discuss deploying such methods in the specifics of the networking environment. We concentrate particularly on the data plane, that is, the data packet-processing tasks. After reviewing the main results in the fields of load sharing and multiprocessor networking system architectures, we conduct a preparatory optimization study of a router system to gain a better understanding of the optimization issues in a particular multiprocessor system. The main contribution of this thesis, the adaptive load-sharing method, is presented next. We first formulate the optimization problem of mapping packets to processors. The goal is to minimize the likelihood of flow reordering, while respecting certain system constraints, such as the acceptable probability of a packet loss. As we show that the task is an NP-complete problem, we propose a heuristic method that uses an adaptive hash-based mapping to assign packets to processors. We demonstrate its advantages and prove that the method's adaptation policy possesses the key minimal disruption property with respect to the mapping. In other words, the adaptation results in a minimum number of flows being moved among processing units. Further on, the method is validated in an extensive set of simulations designed to imitate the networking environment. Finally, two sample applications, an architecture of a multiprotocol router and an implementation of a server load balancer on a network processor, demonstrate the applicability of the method.

    Deliverable DJRA1.2. Solutions and protocols proposal for the network control, management and monitoring in a virtualized network context

    This deliverable presents several research proposals for the FEDERICA network on different subjects, such as monitoring, routing, signalling, resource discovery, and isolation. For each topic one or more possible solutions are elaborated, explaining the background, functioning and implications of the proposed solutions. This deliverable goes further into the research aspects within FEDERICA. First of all, the architecture of the control plane for the FEDERICA infrastructure will be defined. Several possibilities could be implemented, using the basic FEDERICA infrastructure as a starting point. The focus of this document is the intra-domain aspects of the control plane and their properties. Some inter-domain aspects are also addressed. The main objective of this deliverable is to lay great stress on creating and implementing the prototype/tool for the FEDERICA slice-oriented control system using the appropriate framework. This deliverable goes deeply into the definition of the containers between entities and their syntax, preparing this tool for the future implementation of any kind of algorithm related to the control plane, both to apply UPB policies and to configure it by hand. We opt for an open solution despite the real-time limitations that we could have (for instance, opening web service connections or applying fast recovery mechanisms). The application being developed is the central element in the control plane, and additional features must be added to this application. This control plane, from the functionality point of view, is composed of several procedures that provide a reliable application and that include some mechanisms or algorithms to be able to discover and assign resources to the user. To achieve this, several topics must be researched in order to propose new protocols for the virtual infrastructure.
    The topics and necessary features covered in this document include resource discovery, resource allocation, signalling, routing, isolation and monitoring. All these topics must be researched in order to find a good solution for the FEDERICA network. Some of these algorithms have started to be analyzed and will be expanded in the next deliverable. Current standardization and existing solutions have been investigated in order to find a good solution for FEDERICA. Resource discovery is an important issue within the FEDERICA network, as manual resource discovery is not an option due to scalability requirements. Furthermore, no standardization exists, so knowledge must be obtained from related work. Ideally, the proposed solutions for these topics should not only be adequate specifically for this infrastructure, but could also be applied to other virtualized networks.
    Postprint (published version)

    Predicting Traffic Flow Size and Duration

    Current networks suffer from poor traffic management that leads to traffic congestion, even when some parts of the network are still unused. In traditional networks each node decides how to forward traffic based only on local reachability knowledge, in a setting where optimizing the cost and efficiency of the network is a complex task. Modern networking technologies like Software-Defined Networking (SDN) provide automation and programmability to networks. In such networks, control functions can be applied in a different manner to each specific traffic flow, and a variety of traffic information can be gathered from several different sources. This dissertation studies the feasibility of an intelligent network that can predict traffic characteristics when the first packets arrive. The goal is to know the duration and size of a flow in order to improve scheduling, load balancing and routing capabilities. An OpenFlow application is implemented in an SDN Data Collecting Controller (DCC) that shows how the first few packets of a traffic flow can be gathered in a scalable and non-intrusive way. The use of different classifiers, such as Random Forest, Naive Bayes, Support Vector Machines, Multi-layer Perceptron and K-Neighbour, for effective flow duration and size classification is studied. The results of using each of these classifiers to predict flow size and duration from the DCC-gathered data are presented and compared.

    TAF: A Temporal Adaptation Framework for Hybrid Routing in Mobile AdHoc Networks

    A central challenge in ad hoc networks is the design of routing protocols that can adapt their behavior to frequent and rapid changes at the network level. Choosing between reactive, proactive, or hybrid routing regimes and selecting appropriate configuration parameters for a chosen protocol are difficult tasks. This paper introduces a framework, called TAF, for seamlessly adapting between proactive and reactive routing protocols. This general framework enables a proactive and a reactive protocol to coexist on the same network, provides a low-overhead mechanism by which these two routing strategies can be combined at fine grain, and proposes an analytical model for automatically adjusting protocol parameters. Combined, this mechanism and model enable a protocol within our framework to find a near-optimal mix of proactive and reactive routing strategies for the mobility rate and traffic patterns observed on the network. We examine the application of this temporal adaptation framework to the construction of three specialized ad hoc routing protocols. These protocols minimize packet overhead, achieve a targeted loss rate, and minimize routing latency using the TAF framework. In all three cases, hybrid protocols based on the TAF framework perform as well as or better than a proactive (TORA) and a reactive (AODV) protocol.

    Howdah: Load Profiling via In-Band Flow Classification and P4

    The challenges of managing datacenter traffic increase with the complexity and variety of new Internet and Web applications. Efficient network management systems are often required to thwart delays and minimize failures. In this regard, it appears helpful to identify in advance the different classes of flows that (co)exist in the network, characterizing them into different types according to their latency/bandwidth requirements. In this paper, we propose Howdah, a traffic identification and profiling mechanism that uses Machine Learning and a congestion-aware forwarding strategy to offer adaptation to different traffic classes with the support of programmable data planes. With Howdah, sender and gateway elements inject in-band traffic information obtained using supervised learning. When a switch or a router receives a packet, it exploits such host-based traffic classification to adapt to a desirable traffic profile, for example by balancing the load. We compare our solution against recent traffic engineering solutions and show the efficacy of cooperation between host traffic classification and P4-based switch forwarding policies, reducing packet transmission time in datacenter scenarios.