15 research outputs found

    SDN Architecture and Southbound APIs for IPv6 Segment Routing Enabled Wide Area Networks

    The SRv6 architecture (Segment Routing based on the IPv6 data plane) is a promising solution to support services like Traffic Engineering, Service Function Chaining and Virtual Private Networks in IPv6 backbones and datacenters. The SRv6 architecture has interesting scalability properties, as it reduces the amount of state information that needs to be configured in the nodes to support the network services. In this paper, we describe the advantages of complementing the SRv6 technology with an SDN based approach in backbone networks. We discuss the architecture of an SRv6 enabled network based on Linux nodes. In addition, we present the design and implementation of the Southbound API between the SDN controller and the SRv6 device. We have defined a data model and four different implementations of the API, respectively based on gRPC, REST, NETCONF and remote Command Line Interface (CLI). Since it is important to support both the development and testing aspects, we have realized an Intent based emulation system to build realistic and reproducible experiments. This collection of tools automates most of the configuration aspects, relieving the experimenter of a significant effort. Finally, we have realized an evaluation of some performance aspects of our architecture and of the different variants of the Southbound APIs, and we have analyzed the effects of the configuration updates in the SRv6 enabled nodes.

    Virtual network function development for NG-PON Access Network Architecture

    Master's dissertation in Network Engineering and Telematic Services.

    Access to Internet services at large scale, high throughput and low latency has grown at a very high pace over time, with a growing demand for media content and applications increasingly oriented towards data consumption. This use of data at the edge of the network requires the Central Offices (CO) of telecommunication providers to be prepared to absorb these demands. COs generally receive data from various access methods, such as Passive Optical Network (PON) technologies, mobile networks, copper wiring and others. For each of these technologies there may be different manufacturers that support only their own hardware and software solutions; although they all share various network resources and have similar management, configuration and monitoring tools (Fault, Configuration, Accounting, Performance, and Security management, FCAPS), these tools are distinct and isolated from each other, which produces a huge investment in Capital Expenditure (CAPEX) and Operational Expenditure (OPEX) and can create barriers to innovation. Such a panorama forced the development of more flexible, scalable solutions that share platforms and network architectures able to meet this need and enable the evolution of networks. The Software-Defined Networking (SDN) architecture is then proposed, which abstracts the control plane from the data plane, in addition to the virtualization of several network functions (Network Function Virtualization, NFV). The SDN architecture allows APIs and protocols such as OpenFlow, NETCONF/YANG, RESTCONF, gRPC and others to be used for communication between the various hardware and software elements that compose the network and consume network resources, such as AAA, DHCP, routing, orchestration and management services, or other applications that may exist in this context.

This work then aims at the development of a virtualized network function (VNF) in the context of network security, to be integrated as a component of an architecture guided by the SDN paradigm applied to broadband networks, and also adherent to the OB-BAA architecture promoted by the Broadband Forum. The OB-BAA architecture fits into the initiative to modernize the Information Technology (IT) components of broadband networks, more specifically the Central Offices. With this development, the intent was to explore network security concepts such as the IEEE 802.1X protocol applied in NG-PON networks for authentication and authorization of new network equipment. To achieve this goal, the applications were developed in the Go language combined with gRPC programmable interfaces for communication between the various elements of the architecture. Network emulators were used initially, and then the components were "containerized" and deployed in the Docker and Kubernetes virtualization frameworks. Finally, performance metrics were analyzed in the usage tests, namely computational resource usage metrics (CPU, memory and network I/O), in addition to the execution time of several processes performed by the developed applications.

    Development of a secure monitoring framework for optical disaggregated data centres

    Data center (DC) infrastructures are a key piece of today's telecom and cloud service delivery, enabling the access and storage of enormous quantities of information as well as the execution of complex applications and services. This aspect is being accentuated with the advent of 5G and beyond architectures, since a significant portion of the network and service functions are being deployed as specialized virtual elements inside dedicated DC infrastructures. As such, the development of new architectures to better exploit DC resources becomes of paramount importance.

The mismatch between the variability of resources required by running applications and the fixed amount of resources in server units severely limits resource utilization in today's Data Centers (DCs). The Disaggregated DC (DDC) paradigm was recently introduced to address these limitations. The main idea behind DDCs is to divide the various computational resources into independent hardware modules/blades, which are mounted in racks, bringing greater modularity and allowing operators to optimize their deployments for improved efficiency and performance, thus offering high resource allocation flexibility. Moreover, to efficiently exploit the hardware blades and establish the connections across them according to upper layer requirements, a flexible control and management framework is required. In this regard, following current industrial trends, the Software Defined Networking (SDN) paradigm is one of the leading technologies for the control of DC infrastructures, allowing for the establishment of high-speed, low-latency optical connections between hardware components in DDCs in response to the demands of higher-level services and applications.

With these concepts in mind, the primary objective of this thesis is to design and implement the control of a DDC infrastructure layer that is founded on SDN principles and makes use of optical technologies for the intra-DC network fabric, highlighting the importance of quality control and monitoring. Thanks to several SDN agents, it becomes possible to gather statistics and metrics from the multiple infrastructure elements (computational blades and network equipment), allowing DC operators to monitor and make informed decisions on how to utilize the infrastructure resources to the greatest extent feasible. Indeed, quality assurance operations are of capital importance in modern DC infrastructures; thus, it becomes essential to guarantee a secure communication channel for gathering infrastructure metrics/statistics and enforcing (re-)configurations, closing the full loop, and then to address the security layer by encrypting the communication channel and providing authentication for both the server and the client.

    P-SCOR: Integration of Constraint Programming Orchestration and Programmable Data Plane

    In this manuscript we present an original implementation of network management functions in the context of Software Defined Networking. We demonstrate a full integration of an artificial intelligence driven management, an SDN control plane, and a programmable data plane. Constraint Programming is used to implement a management operating system that accepts high level specifications, via a northbound interface, in terms of operational objectives and directives. These are translated into technology-specific constraints and directives for the SDN control plane, leveraging the programmable data plane, which is enriched with functionalities suited to feed data that enable the most effective operation of the "intelligent" control plane, by exploiting the language

    API design and implementation of a management interface for SDN whitebox switches

    For the past few years, cloud computing has emerged as one of the most rapidly growing platforms. This growth must be supported by the data centers, which look to provide the best possible service while minimising energy and infrastructure costs. As such, many service providers are moving to Software Defined Networking (SDN) based platforms, which allow for new concepts such as the separation of the control and data planes, and the adoption of open source material, both in the switches, in the form of whitebox switches, and in the network controllers. BISDN is a company that is developing an SDN controller that allows the use of Linux networking tools, like netlink, to configure and manage ports on switches. The proposed problem is then to extend the existing platform to be able to report statistics such as flow counts on the switches and the number of packets received, dropped and transmitted on the ports, so that data center operators can have the best possible information on the state of their network and act in case of failures and malfunctions.

    Software defined networking based resource management and quality of service support in wireless sensor network applications

    To achieve greater performance in computing networks, a set of critical computing aspects that ensure efficient network operation needs to be implemented. One of these computing aspects is Quality of Service (QoS). Its main functionality is to manage traffic queues by prioritizing sensitive network traffic. QoS capable networking allows efficient control of traffic, especially for network critical data. However, achieving this in Wireless Sensor Networks (WSN) is a serious challenge, since these technologies have many computing limitations. It is even difficult to manage networking resources with ease in these types of technologies, due to their communication, processing and memory limitations. Even so, WSNs have been largely used in monitoring/detection systems, proving their application importance. Realizing efficient network control requires intelligent methods of network management, especially for sensitive network data. Different network types implement diverse methods to control and administer network traffic as well as to effectively manage network resources. In WSNs, communication traffic and network resource control are mostly performed by independently employed mechanisms that deal with networking events occurring at different levels. It is therefore challenging to realize efficient network performance with guaranteed QoS in WSNs, given their computing limitations. Software defined networking (SDN) is advocated as a potential paradigm to improve and evolve WSNs in terms of capacity and application. Applying SDN strategies to these compute-limited WSNs gives rise to software defined wireless sensor networks (SDWSN). In this work, a resource-aware OpenFlow-based Active Network Management (OF-ANM) QoS scheme that uses SDN strategies is proposed and implemented to apply QoS requirements for managing traffic congestion in WSNs.

This scheme uses SDN programmability strategies to apply network QoS requirements and perform traffic load balancing to ensure congestion control in SDWSN. Our experimental results show that the developed scheme is able to provide congestion avoidance within the network. It also allows opportunities to implement flexible QoS requirements based on the system's traffic state. Moreover, a QoS Path Selection and Resource-associating (Q-PSR) scheme for adaptive load balancing and intelligent resource control for optimal network performance is proposed and implemented. Our experimental results indicate better performance in terms of computation with load balancing and efficient resource alignment for different networking tasks when compared with other competing schemes.

Thesis (PhD)--University of Pretoria, 2018. National Research Foundation. University of Pretoria. Electrical, Electronic and Computer Engineering. PhD. Unrestricted.

    Architectural approaches to a science network software-defined exchange

    To interconnect research facilities across wide geographic areas, network operators deploy science networks, also referred to as Research and Education (R&E) networks. These networks allow experimenters to establish dedicated circuits between research facilities for transferring large amounts of data, by using advance reservation systems. Intercontinental dedicated circuits typically require coordination between multiple administrative domains, which need to reach an agreement on a suitable advance reservation. To enhance provisioning capabilities of multi-domain advance reservations, we propose an architecture for end-to-end service orchestration in multi-domain science networks that leverages software-defined networking (SDN) and software-defined exchanges (SDX) for providing multi-path, multi-domain advance reservations. Our simulations show our orchestration architecture increases the reservation success rate. We evaluate our solution using GridFTP, one of the most popular tools for data transfers in the scientific community. Additionally, we propose an interface that domain scientists can use to request science network services from our orchestration framework. Furthermore, we propose a federated auditing framework (FAS) that allows an SDX to verify whether the configurations requested by a user are correctly enforced by participating SDN domains, whether the configurations requested are correctly removed after their expiration time, and whether configurations exist that are performing non-requested actions. We also propose an architecture for advance reservation access control using SDN and tokens.

Ph.D.

    IoT MUD enforcement in the edge cloud using programmable switch

    Targeted data breaches and cybersecurity attacks involving IoT devices are becoming ever more concerning. To combat these threats and risks, the IETF standardized Manufacturer Usage Description (MUD), which allows IoT device vendors to specify the intended communication patterns (MUD profile) of an IoT device. The MUD profile enables validation of the actual communication pattern of an IoT device against the intended behavior at run-time. However, the MUD specification was primarily intended for enforcement at the Local Area Network (LAN) of the IoT device, thus fragmenting the solution across multiple heterogeneous networks. MUD enforcement at higher levels in the network hierarchy (e.g., the private edge for enterprise networks) eases security policy management and reduces processing overheads on the existing security infrastructure. To realize MUD enforcement at the edge, there are mainly two challenges: (1) how to identify an IoT device at the edge so that enforcing a device-specific MUD profile on the IoT traffic is possible; (2) how to scale MUD enforcement to a large network of IoT devices. In this paper, we present our approach to address these challenges and validate IoT device communication at the edge. In order to scale MUD enforcement to a large IoT network, we leverage the multi-stage pipeline architecture and stateful ALUs of a P4 programmable switch and process IoT traffic in the data plane.

© 2022 ACM

    On the Rollout of Network Slicing in Carrier Networks: A Technology Radar

    Network slicing is a powerful paradigm for network operators to support use cases with widely diverse requirements atop a common infrastructure. As 5G standards are completed and commercial solutions mature, operators need to start thinking about how to integrate network slicing capabilities in their assets, so that customer-facing solutions can be made available in their portfolio. This integration is, however, not an easy task, due to the heterogeneity of assets that typically exist in carrier networks. In this regard, 5G commercial networks may consist of a number of domains, each with a different technological pace, and built out of products from multiple vendors, including legacy network devices and functions. These multi-technology, multi-vendor and brownfield features constitute a challenge for the operator, which is required to deploy and operate slices across all these domains in order to satisfy the end-to-end nature of the services hosted by these slices. In this context, the only realistic option for operators is to introduce slicing capabilities progressively, following a phased approach in their roll-out. The purpose of this paper is precisely to help design this kind of plan, by means of a technology radar. The radar identifies a set of solutions enabling network slicing on the individual domains, and classifies these solutions into four rings, each corresponding to a different timeline: (i) the as-is ring, covering today's slicing solutions; (ii) the deploy ring, corresponding to solutions available in the short term; (iii) the test ring, considering medium-term solutions; and (iv) the explore ring, with solutions expected in the long run. This classification is done based on the technical availability of the solutions, together with the foreseen market demands.
The value of this radar lies in its ability to provide a complete view of the slicing landscape in one single snapshot, by linking solutions to information that operators may use for decision making in their individual go-to-market strategies.

H2020 European Projects 5G-VINNI (grant agreement No. 815279) and 5G-CLARITY (grant agreement No. 871428); Spanish national project TRUE-5G (PID2019-108713RB-C53