
    Programmable overlays via OpenOverlayRouter

    Among the different options to instantiate overlays, the Locator/ID Separation Protocol (LISP) [7] has gained significant traction among industry and academia [5], [6], [8]–[11], [14], [15]. Interestingly, LISP offers a standard, inter-domain, and dynamic overlay that enables low capital expenditure (CAPEX) innovation at the network layer [8]. LISP follows a map-and-encap approach where overlay identifiers are mapped to underlay locators. Overlay traffic is encapsulated into locator-based packets and routed through the underlay. LISP leverages a public database to store overlay-to-underlay mappings and relies on a pull mechanism to retrieve those mappings on demand from the data plane. Therefore, LISP effectively decouples the control and data planes, since control plane policies are pushed to the database rather than to the data plane. Forwarding elements reflect control policies on the data plane by pulling them from the database. In that sense, LISP can be used as an SDN southbound protocol to enable programmable overlay networks [5]. Peer Reviewed. Postprint (published version).

    Advances in Networking Software

    The six articles in this special section focus on advancements in networking software. Networking and communications systems are currently undergoing a substantive transformation on several fronts, promising substantially lower cost, simplified operations, and dramatically faster innovation cycles as traditional barriers to the deployment of innovations are removed. Where in the past networking functions were predominantly implemented using purpose-built hardware, custom protocols, and firmware images, those networking functions are increasingly instantiated through software that is abstracted from hardware, freely programmable, and relying on algorithmic invocation of generic application programming interfaces (APIs). This transformation is best summarized as “softwarization” of the network, which is, in turn, realized through advances in networking software. These articles exemplify this transformation, providing an excellent cross-section across these facets.

    A control plane for WireGuard

    WireGuard is a VPN protocol that has gained significant interest recently. Its main advantages are: (i) simple configuration (via pre-shared SSH-like public keys), (ii) mobility support, (iii) reduced codebase to ease auditing, and (iv) Linux kernel implementation that yields high performance. However, WireGuard (intentionally) lacks a control plane. This means that each peer in a WireGuard network has to be configured with the other peers’ public keys and IP addresses, either manually or by other means. In this paper we present an architecture based on a centralized server to automatically distribute this information. In a nutshell, first we manually establish a WireGuard tunnel to the centralized server, and ask all the peers to store their public keys and IP addresses in it. Then, WireGuard peers use this secure channel to retrieve on demand the information for the peers they want to communicate with. Our design strives to: (i) offer a key distribution scheme simpler than PKI-based ones, (ii) limit the number of public keys sent to the peers, and (iii) reduce tunnel establishment latency by means of a UDP-based protocol. We argue that such automation can help the deployment in enterprise or ISP scenarios. We also describe in detail our implementation and analyze several performance metrics. Finally, we discuss possible improvements regarding several shortcomings we found during implementation. This work was partially supported by the Spanish MINECO under contract TEC2017-90034-C2-1-R (ALLIANCE) and the Catalan Institution for Research and Advanced Studies (ICREA). Peer Reviewed. Postprint (author's final draft).

    Enhancement of LivCloud for live cloud migration

    Virtualization techniques aim at handling the growing demand for computing, storage and communication resources in cloud computing. However, cloud providers often offer their own proprietary virtualization platforms. As a result, cloud users’ VMs are tightly coupled to providers’ IaaS, hindering live migration of VMs to different providers. A number of live cloud migration approaches have been proposed to solve this coupling issue. Our approach, named LivCloud, is among those approaches. It is designed over two stages, the basic design stage and the enhancement stage. The implementation of the basic design has been introduced and evaluated on Amazon EC2 and Packet bare metal cloud. This paper discusses the implementation of the second stage, the enhancement of the basic design on Packet. In particular, it illustrates how LivCloud is implemented in two different scenarios. The first scenario deploys KVM bridge networking, Open vSwitch and C scripts used to meet the network configuration changes during VM relocation. This scenario achieves better downtime of one second compared to the basic design of LivCloud. The second scenario uses OpenVPN, OpenDaylight (ODL) and Cisco OpenFlow Manager (OFM) to successfully live migrate VMs back and forth between LivCloud and Packet. This scenario achieves better downtime between 400 and 600 milliseconds. As part of the discussion, the paper proposes a third potential scenario to successfully meet the live cloud migration requirements. This scenario aims to eliminate any downtime incurred in the first two scenarios by utilizing the Open Overlay Router (OOR), Locator Identifier Separator Protocol (LISP) and ODL.

    Securing the inter-domain routing system with blockchain

    Inter-domain routing security is of critical importance to the Internet since it prevents unwanted traffic redirections. The currently used protocol, the Border Gateway Protocol (BGP), is proven to have security issues. In this project, we will test and evaluate IPChain, a blockchain solution proposed to solve these security issues. In this thesis, we will evaluate the feasibility of the project for solving this issue. To do it we designed and analyzed a set of experiments that try to emulate real-life conditions. We will also find bottlenecks and other issues that prevent the solution from performing in an efficient way.

    Design and implementation of the Transactional and Communication layer of a Blockchain to secure IP prefixes

    The main objective of the project is to build a functional blockchain prototype that secures Internet routing information, for research purposes, in order to analyze its benefits. This bachelor's thesis (TFG) covers the implementation of the transactions and the P2P network.

    Interfacing Open Overlay Router with Blockchain to secure the allocation and delegation of IP prefixes

    This project aims to eliminate the dependency on Certificate Authorities in the use of LISP's DDT by using a blockchain.

    Enabling Resilient and Efficient Communication for the XRP Ledger and Interledger

    The blockchain technology is relatively new and still evolving. Its development was fostered by an enthusiastic community of developers, which sometimes forgot about the lessons from the past related to security, resilience and efficiency of communication which can impact network scalability, service quality and even service availability. These challenges can be addressed at network level but also at operating system level. At network level, the protocols and the architecture used play a major role, and overlays have interesting advantages like custom protocols and the possibility of arbitrary deployments. This thesis shows how overlay networks can be designed and deployed to benefit the security and performance in communication for consensus-validation based blockchains and blockchain inter-operativity, taking as concrete cases the XRP ledger and respectively the Interledger protocol. XRP Ledger is a consensus-validation based blockchain focused on payments which currently uses a flooding mechanism for peer to peer communication, with a negative impact on scalability. One of the proposed overlays is based on Named Data Networking, an Internet architecture using for propagation the data name instead of data location. The second proposed overlay is based on Spines, a solution offering improved latency on lossy paths, intrusion tolerance and resilience to routing attacks. The system component was also interesting to study, and the contribution of this thesis centers around methodologies to evaluate the system performance of a node and increase the security from the system level. 
    The value added by the presented work can be synthesized as follows: i) investigate and propose a Named Data Networking-based overlay solution to improve the efficiency of intra-blockchain communication at network level, taking as a working case the XRP Ledger; ii) investigate and propose an overlay solution based on Spines, which improves the security and resilience of inter-blockchain communication at network level, taking as a working case the Interledger protocol; iii) investigate and propose a host-level solution for non-intrusive instrumentation and monitoring which helps improve the performance and security of inter-blockchain communication at the system level of machines running Distributed Ledger infrastructure applications treated as black-boxes, with Interledger Connectors as a concrete case.
