On the Optimality of Virtualized Security Function Placement in Multi-Tenant Data Centers

Security and service protection against cyber attacks remain among the primary challenges for virtualized, multi-tenant Data Centres (DCs), for reasons that vary from lack of resource isolation to the monolithic nature of legacy middleboxes. Although security is currently considered a property of the underlying infrastructure, diverse services require protection against different threats and at timescales which are on par with those of service deployment and elastic resource provisioning. We address the resource allocation problem of deploying customised security services over a virtualized, multi-tenant DC. We formulate the problem in Integral Linear Programming (ILP) as an instance of the NP-hard variable size variable cost bin packing problem with the objective of maximising the residual resources after allocation. We propose a modified version of the Best Fit Decreasing algorithm (BFD) to solve the problem in polynomial time and we show that BFD optimises the objective function up to 80% more than other algorithms

Strong Temporal Isolation among Containers in OpenStack for NFV Services

In this paper, the problem of temporal isolation among containerized software components running in shared cloud infrastructures is tackled, proposing an approach based on hierarchical real-time CPU scheduling. This allows for reserving a precise share of the available computing power for each container deployed in a multi-core server, so to provide it with a stable performance, independently from the load of other co-located containers. The proposed technique enables the use of reliable modeling techniques for end-to-end service chains that are effective in controlling the application-level performance. An implementation of the technique within the well-known OpenStack cloud orchestration software is presented, focusing on a use-case framed in the context of network function virtualization. The modified OpenStack is capable of leveraging the special real-time scheduling features made available in the underlying Linux operating system through a patch to the in-kernel process scheduler. The effectiveness of the technique is validated by gathering performance data from two applications running in a real test-bed with the mentioned modifications to OpenStack and the Linux kernel. A performance model is developed that tightly models the application behavior under a variety of conditions. Extensive experimentation shows that the proposed mechanism is successful in guaranteeing isolation of individual containerized activities on the platform

5g new radio access and core network slicing for next-generation network services and management

In recent years, fifth-generation New Radio (5G NR) has attracted much attention owing to its potential in enhancing mobile access networks and enabling better support for heterogeneous services and applications. Network slicing has garnered substantial focus as it promises to offer a higher degree of isolation between subscribers with diverse quality-of-service requirements. Integrating 5G NR technologies, specifically the mmWave waveform and numerology schemes, with network slicing can unlock unparalleled performance so crucial to meeting the demands of high throughput and sub-millisecond latency constraints. While conceding that optimizing next-generation access network performance is extremely important, it needs to be acknowledged that doing so for the core network is equally as significant. This is majorly due to the numerous core network functions that execute control tasks to establish end-to-end user sessions and route access network traffic. Consequently, the core network has a significant impact on the quality-of-experience of the radio access network customers. Currently, the core network lacks true end-to-end slicing isolation and reliability, and thus there is a dire need to examine more stringent configurations that offer the required levels of slicing isolation for the envisioned networking landscape. Considering the factors mentioned above, a sequential approach is adopted starting with the radio access network and progressing to the core network. First, to maximize the downlink average spectral efficiency of an enhanced mobile broadband slice in a time division duplex radio access network while meeting the quality-of-service requirements, an optimization problem is formulated to determine the duplex ratio, numerology scheme, power, and bandwidth allocation. Subsequently, to minimize the uplink transmission power of an ultra-reliable low latency communications slice while satisfying the quality-of-service constraints, a second optimization problem is formulated to determine the above-mentioned parameters and allocations. Because 5G NR supports dual-band transmissions, it also facilitates the usage of different numerology schemes and duplex ratios across bands simultaneously. Both problems, being mixed-integer non-linear programming problems, are relaxed into their respective convex equivalents and subsequently solved. Next, shifting attention to aerial networks, a priority-based 5G NR unmanned aerial vehicle network (UAV) is considered where the enhanced mobile broadband and ultra-reliable low latency communications services are considered as best-effort and high-priority slices, correspondingly. Following the application of a band access policy, an optimization problem is formulated. The goal is to minimize the downlink quality-of-service gap for the best-effort service, while still meeting the quality-of-service constraints of the high-priority service. This involves the allocation of transmission power and assignment of resource blocks. Given that this problem is a mixed-integer nonlinear programming problem, a low-complexity algorithm, PREDICT, i.e., PRiority BasED Resource AllocatIon in Adaptive SliCed NeTwork, which considers the channel quality on each individual resource block over both bands, is designed to solve the problem with a more accurate accounting for high-frequency channel conditions. Transitioning to minimizing the operational latency of the core network, an integer linear programming problem is formulated to instantiate network function instances, assign them to core network servers, assign slices and users to network function instances, and allocate computational resources while maintaining virtual network function isolation and physical separation of the core network control and user planes. The actor-critic method is employed to solve this problem for three proposed core network operation configurations, each offering an added degree of reliability and isolation over the default configuration that is currently standardized by the 3GPP. Looking ahead to potential future research directions, optimizing carrier aggregation-based resource allocation across triple-band sliced access networks emerges as a promising avenue. Additionally, the integration of coordinated multi-point techniques with carrier aggregation in multi-UAV NR aerial networks is especially challenging. The introduction of added carrier frequencies and channel bandwidths, while enhancing flexibility and robustness, complicates band-slice assignments and user-UAV associations. Another layer of intriguing yet complex research involves optimizing handovers in high-mobility UAV networks, where both users and UAVs are mobile. UAV trajectory planning, which is already NP-hard even in static-user scenarios, becomes even more intricate to obtain optimal solutions in high-mobility user cases

Temporal Isolation Among LTE/5G Network Functions by Real-time Scheduling

Radio access networks for future LTE/5G scenarios need to be designed so as to satisfy increasingly stringent requirements in terms of overall capacity, individual user performance, flexibility and power efficiency. This is triggering a major shift in the Telcom industry from statically sized, physically provisioned network appliances towards the use of virtualized network functions that can be elastically deployed within a flexible private cloud of network operators. However, a major issue in delivering strong QoS levels is the one to keep in check the temporal interferences among co-located services, as they compete in accessing shared physical resources. In this paper, this problem is tackled by proposing a solution making use of a real-time scheduler with strong temporal isolation guarantees at the OS/kernel level. This allows for the development of a mathematical model linking major parameters of the system configuration and input traffic characterization with the achieved performance and response-time probabilistic distribution. The model is verified through extensive experiments made on Linux on a synthetic benchmark tuned according to data from a real LTE packet processing scenario