
    Penerapan Dynamic Flow Removal untuk Mencegah Flow Table Overflow pada Software-Defined Networking

    Abstract: Software-Defined Networking (SDN) enables programmable packet forwarding by defining flow rules in the flow table of each network switch. However, flow table capacity is a limited resource that requires careful management. This paper discusses the implementation of dynamic flow removal for managing flow tables in an OpenFlow-based SDN switch to prevent flow table overflow. Dynamic flow removal is realized by monitoring flow expiry and selectively removing flow rules that are no longer active, reducing the number of flow rules occupying the flow table. Selective removal of flow rules is triggered whenever the flow table capacity is almost full. 
Dynamic flow removal was implemented using a case study of a round-robin-based server load-balancing application on SDN with the Ryu framework, Mininet, and a modified flow table capacity in Open vSwitch. The evaluation results indicate that the proposed method can prevent flow table overflow while keeping 100% of active flow rules in the flow table without compromising client-server communication.

    Flow Delegation: Flow Table Capacity Bottleneck Mitigation for Software-defined Networks

    This dissertation introduces flow delegation, a novel concept to deal with flow table capacity bottlenecks in Software-defined Networks (SDNs). Such bottlenecks occur when SDN switches provide insufficient flow table capacity, which can lead to performance degradation and/or network failures. Flow delegation addresses this well-known problem by automatically relocating flow rules from a bottlenecked switch to neighboring switches with spare capacity. Different from existing work, this new approach can be used on demand in a transparent fashion, i.e., without changes to the network applications or other parts of the infrastructure. The thesis presents a system design and architecture capable of dealing with the numerous practical challenges associated with flow delegation, introduces suitable algorithms to efficiently mitigate bottlenecks while taking future knowledge and multiple objectives into account, and studies the feasibility, performance, overhead, and scalability of the new approach across different scenarios.

    On the Edge of Secure Connectivity via Software-Defined Networking

    Securing communication in computer networks has been an essential feature ever since the Internet, as we know it today, was started. One of the best known and most common methods for secure communication is to use a Virtual Private Network (VPN) solution, mainly operating with the IP security (IPsec) protocol suite originally published in 1995 (RFC 1825). It is clear that the Internet, and networks in general, have changed dramatically since then. In particular, the onset of the Cloud and the Internet of Things (IoT) has placed new demands on secure networking. Even though the IPsec suite has been updated over the years, it is starting to reach the limits of its capabilities in its present form. Recent advances in networking have produced Software-Defined Networking (SDN), which decouples the control and data planes and thus centralizes network control. SDN provides arbitrary network topologies and elastic packet forwarding that have enabled useful innovations at the network level. This thesis studies SDN-powered VPN networking and explains the benefits of this combination. Even though the main context is the Cloud, the approaches described here are also valid for non-Cloud operation and are thus suitable for a variety of other use cases for both SMEs and large corporations. In addition to IPsec, open source TLS-based VPN solutions (e.g. OpenVPN) are often used to establish secure tunnels. Research shows that a full-mesh VPN network between multiple sites can be provided using OpenVPN, and it can be utilized by SDN to create a seamless, resilient layer-2 overlay for multiple purposes, including the Cloud. However, such a VPN tunnel suffers from resiliency problems and cannot meet increasing availability requirements. The network setup proposed here is similar to Software-Defined WAN (SD-WAN) solutions and is extremely useful for applications with strict requirements for resiliency and security, even if a best-effort ISP is used. 
IPsec is still preferred over OpenVPN for some use cases, especially by smaller enterprises. Therefore, this research also examines the possibilities for high availability, load balancing, and faster operational speeds for IPsec. We present a novel approach involving the separation of the Internet Key Exchange (IKE) and the Encapsulating Security Payload (ESP), in SDN fashion, so that they operate from separate devices. This allows central management of IKE while several separate ESP devices concentrate on the heavy processing. Initially, our research relied on software solutions for ESP processing. Despite the ingenuity of the architectural concept, and although it provided high availability and good load balancing, there was no anti-replay protection. Since anti-replay protection is vital for secure communication, another approach was required. It thus became clear that the ideal solution for such large-scale IPsec tunneling would be to have a pool of fast ESP devices, but to confine the IKE operation to a single centralized device. This would obviate the need for load balancing but still allow high availability via the device pool. The focus of this research thus turned to the study of pure hardware solutions on an FPGA, and their feasibility and production readiness for application in the Cloud context. Our research shows that an FPGA works fluently in an SDN network as a standalone IPsec accelerator for ESP packets. The proposed architecture has 10 Gbps throughput, yet the latency is less than 10 µs, meaning that this architecture is especially efficient for data center use and meets increased performance and latency requirements. The high demands of network packet processing can be met using several different approaches, so this approach is not limited to the topics presented in this thesis. Global network traffic is growing all the time, so the development of more efficient methods and devices is inevitable. 
The increasing number of IoT devices will result in a lot of network traffic utilising Cloud infrastructures in the near future. Based on the latest research, once SDN and hardware acceleration have become fully integrated into the Cloud, the future for secure networking looks promising. SDN technology will open up a wide range of new possibilities for data forwarding, while hardware acceleration will satisfy the increased performance requirements. Although it still remains to be seen whether SDN can answer all the requirements for performance, high availability and resiliency, this thesis shows that it is a very competent technology, even though we have explored only a minor fraction of its capabilities.