540 research outputs found

    Deliverable JRA1.1: Evaluation of current network control and management planes for multi-domain network infrastructure

    This deliverable includes a compilation and evaluation of available control and management architectures and protocols applicable to a multilayer infrastructure in a multi-domain Virtual Network environment. The scope of this deliverable is mainly focused on the virtualisation of the resources within a network and at processing nodes. The virtualization of the FEDERICA infrastructure allows the provisioning of its available resources to users by means of FEDERICA slices. A slice is seen by the user as a real physical network under his/her domain, however it maps to a logical partition (a virtual instance) of the physical FEDERICA resources. A slice is built to exhibit to the highest degree all the principles applicable to a physical network (isolation, reproducibility, manageability, ...). Currently, there are no standard definitions available for network virtualization or its associated architectures. Therefore, this deliverable proposes the Virtual Network layer architecture and evaluates a set of Management- and Control Planes that can be used for the partitioning and virtualization of the FEDERICA network resources. This evaluation has been performed taking into account an initial set of FEDERICA requirements; a possible extension of the selected tools will be evaluated in future deliverables. The studies described in this deliverable define the virtual architecture of the FEDERICA infrastructure. During this activity, the need has been recognised to establish a new set of basic definitions (taxonomy) for the building blocks that compose the so-called slice, i.e. the virtual network instantiation (which is virtual with regard to the abstracted view made of the building blocks of the FEDERICA infrastructure) and its architectural plane representation. These definitions will be established as a common nomenclature for the FEDERICA project. Other important aspects when defining a new architecture are the user requirements. It is crucial that the resulting architecture fits the demands that users may have. Since this deliverable has been produced at the same time as the contact process with users, made by the project activities related to the Use Case definitions, JRA1 has proposed a set of basic Use Cases to be considered as starting point for its internal studies. When researchers want to experiment with their developments, they need not only network resources on their slices, but also a slice of the processing resources. These processing slice resources are understood as virtual machine instances that users can use to make them behave as software routers or end nodes, on which to download the software protocols or applications they have produced and want to assess in a realistic environment. Hence, this deliverable also studies the APIs of several virtual machine management software products in order to identify which best suits FEDERICA’s needs. Postprint (published version)

    GNFC: Towards Network Function Cloudification

    An increasing demand is seen from enterprises to host and dynamically manage middlebox services in public clouds in order to leverage the same benefits that network functions provide in traditional, in-house deployments. However, today's public clouds provide only a limited view and programmability for tenants that challenges flexible deployment of transparent, software-defined network functions. Moreover, current virtual network functions can't take full advantage of a virtualized cloud environment, limiting scalability and fault tolerance. In this paper we review and evaluate the current infrastructural limitations imposed by public cloud providers and present the design and implementation of GNFC, a cloud-based Network Function Virtualization (NFV) framework that gives tenants the ability to transparently attach stateless, container-based network functions to their services hosted in public clouds. We evaluate the proposed system over three public cloud providers (Amazon EC2, Microsoft Azure and Google Compute Engine) and show the effects on end-to-end latency and throughput using various instance types for NFV hosts

    Container-based network function virtualization for software-defined networks

    Today's enterprise networks almost ubiquitously deploy middlebox services to improve in-network security and performance. Although virtualization of middleboxes attracts significant attention, studies show that such implementations are still proprietary and deployed in a static manner at the boundaries of organisations, hindering open innovation. In this paper, we present an open framework to create, deploy and manage virtual network functions (NFs) in OpenFlow-enabled networks. We exploit container-based NFs to achieve low performance overhead, fast deployment and high reusability missing from today's NFV deployments. Through an SDN northbound API, NFs can be instantiated, traffic can be steered through the desired policy chain and applications can raise notifications. We demonstrate the system's operation through the development of exemplar NFs from common Operating System utility binaries, and we show that container-based NFV improves function instantiation time by up to 68% over existing hypervisor-based alternatives, and scales to one hundred co-located NFs while incurring sub-millisecond latency

    Implementation and Provisioning of Federated Networks in Hybrid Clouds (pre-print)

    Federated cloud networking is needed to allow the seamless and efficient interconnection of resources distributed among different clouds. This work introduces a new cloud network federation framework for the automatic provision of Layer 2 (L2) and Layer 3 (L3) virtual networks to interconnect geographically distributed cloud infrastructures in a hybrid cloud scenario. After a revision of existing encapsulation technologies to implement L2 and L3 overlay networks, the paper analyzes the main topologies that can be used to construct federated network overlays within hybrid clouds. In order to demonstrate the proposed solution and compare the different topologies, the article shows a proof-of-concept of a real federated network deployment in a hybrid cloud, which spans a local private cloud, managed with OpenNebula, and two public clouds, two different regions of Amazon EC2. Results show that L2 and L3 overlay connectivity can be achieved with a minimal bandwidth overhead, lower than 10%

    Developing a Virtual Appliance to Simulate Broken Networks

    The objective of this thesis is to develop a virtual appliance that will simulate broken networks. A virtual appliance is a ready-to-use server that can be run on a virtualization platform. This thesis was commissioned by HowNetWorks Oy. HowNetWorks is a startup based in Oulu and Helsinki, Finland, developing tools to measure networks in ways that most tests do not. The objective of this appliance is therefore to simulate the network properties that HowNetWorks is testing, to help their development. The appliance, called hnwProxy, is created using infrastructure-as-code methodologies. This can be downloaded from GitHub at github.com/hownetworks/hnwproxy. Infrastructure-as-code is a new paradigm in infrastructure management, using practices from software engineering along with automation tools to create higher quality, more reliable and higher performing systems. The theoretical background of this thesis consists of network quality and infrastructure as code. Network quality describes what factors affect the quality of a connection, i.e. what we can simulate with hnwProxy. For infrastructure-as-code, the book Infrastructure as Code by Kief Morris is used almost exclusively as reference. Network quality is more dispersed. There is no single book about the topic; the most used reference is Kurose & Ross’s Computer Networking: A Top-Down Approach. This covers computer networking quite exhaustively, but further references for more niche or loosely related topics are still needed. The result of this thesis is the virtual appliance, hnwProxy. This can simulate a broken network connection in several different ways and can run on a few different virtualization platforms, so it has met all requirements.
    The aim of the thesis is to develop an application that simulates a broken network connection. The topic came from the commissioner, HowNetWorks Oy. HowNetWorks is a Finnish startup that is developing network testing tools for properties that traditional tests do not test. The application is called hnwProxy. It is a virtual appliance, i.e. a ready-to-use virtual server that anyone can freely download. It is available on GitHub at github.com/hownetworks/hnwproxy. hnwProxy has been developed using infrastructure-as-code methods under an open-source license. Infrastructure as code is a new way of thinking in server infrastructure management that aims to use automation tools and methods familiar from software development to improve system quality. The theory part presents network quality factors and infrastructure as code. The first of these chapters seeks to establish which factors affect the quality of a network connection, i.e. what hnwProxy is to simulate. The infrastructure-as-code chapter uses as its source the book Infrastructure as Code by Kief Morris, which covers the topic broadly. The network quality factors chapter uses many different sources, the most comprehensive of which is Kurose & Ross's Computer Networking: A Top-Down Approach. The end result is a server system that meets the requirements set at the start of the project. hnwProxy can simulate various kinds of broken networks, and it can be used on several different virtualization platforms

    Dynamic Virtual Network Restoration with Optimal Standby Virtual Router Selection

    Title from PDF of title page, viewed on September 4, 2015. Dissertation advisor: Deep Medhi. Vita. Includes bibliographic references (pages 141-157). Thesis (Ph.D.)--School of Computing and Engineering and Department of Mathematics and Statistics. University of Missouri--Kansas City, 2015.
    Network virtualization technologies allow service providers to request partitioned, QoS guaranteed and fault-tolerant virtual networks provisioned by the substrate network provider (i.e., physical infrastructure provider). A virtualized networking environment (VNE) has common features such as partition, flexibility, etc., but fault-tolerance requires additional efforts to provide survivability against failures on either virtual networks or the substrate network. Two common survivability paradigms are protection (proactive) and restoration (reactive). In the protection scheme, the substrate network provider (SNP) allocates redundant resources (e.g., nodes, paths, bandwidths, etc.) to protect against potential failures in the VNE. In the restoration scheme, the SNP dynamically allocates resources to restore the networks, and it usually occurs after the failure is detected. In this dissertation, we design a restoration scheme that can be dynamically implemented in a centralized manner by an SNP to achieve survivability against node failures in the VNE. The proposed restoration scheme is designed to be integrated with a protection scheme, where the SNP allocates spare virtual routers (VRs) as standbys for the virtual networks (VN) and they are ready to serve in the restoration scheme after a node failure has been identified. These standby virtual routers (S-VR) are reserved as a shared backup for any single node failure, and during the restoration procedure, one of the S-VR will be selected to replace the failed VR. In this work, we present an optimal S-VR selection approach to simultaneously restore multiple VNs affected by failed VRs, where these VRs may be affected by failures within themselves or at their substrate host (i.e., power outage, hardware failures, maintenance, etc.). Furthermore, the restoration scheme is embedded into a dynamic reconfiguration scheme (DRS), so that the affected VNs can be dynamically restored by a centralized virtual network manager (VNM). We first introduce a dynamic reconfiguration scheme (DRS) against node failures in a VNE, and then present an experimental study by implementing this DRS over a realistic VNE using GpENI testbed. For this experimental study, we ran the DRS to restore one VN with a single-VR failure, and the results showed that with a proper S-VR selection, the performance of the affected VN could be well restored. Next, we proposed a Mixed-Integer Linear Programming (MILP) model with dual goals to optimally select S-VRs to restore all VNs affected by VR failures while load balancing. We also present a heuristic algorithm based on the model. By considering a number of factors, we present numerical studies to show how the optimal selection is affected. The results show that the proposed heuristic’s performance is close to the optimization model when there were sufficient standby virtual routers for each virtual network and the substrate nodes have the capability to support multiple standby virtual routers to be in service simultaneously. Finally, we present the design of a software-defined resilient VNE with the optimal S-VR selection model, and discuss a prototype implementation on the GENI testbed.
    Introduction -- Literature survey -- Dynamic reconfiguration scheme in a VNE -- An experimental study on GpENI-VNI -- Optimal standby virtual router selection model -- Prototype design and implementation on GENI -- Conclusion and future work -- Appendix A. Resource Specification (RSpec) in GENI -- Appendix B. Optimal S-VR Selection Model in AMP

    Resilience options for provisioning anycast cloud services with virtual optical networks

    Optical networks are crucial to support increasingly demanding cloud services. Delivering the requested quality of services (in particular latency) is key to successfully provisioning end-to-end services in clouds. Therefore, as for traditional optical network services, it is of utter importance to guarantee that clouds are resilient to any failure of either network infrastructure (links and/or nodes) or data centers. A crucial concept in establishing cloud services is that of network virtualization: the physical infrastructure is logically partitioned in separate virtual networks. To guarantee end-to-end resilience for cloud services in such a set-up, we need to simultaneously route the services and map the virtual network, in such a way that an alternate routing in case of physical resource failures is always available. Note that combined control of the network and data center resources is exploited, and the anycast routing concept applies: we can choose the data center to provide server resources requested by the customer to optimize resource usage and/or resiliency. This paper investigates the design of scalable optimization models to perform the virtual network mapping resiliently. We compare various resilience options, and analyze their compromise between bandwidth requirements and resiliency quality

    Security at the Edge for Resource-Limited IoT Devices

    The Internet of Things (IoT) is rapidly growing, with an estimated 14.4 billion active endpoints in 2022 and a forecast of approximately 30 billion connected devices by 2027. This proliferation of IoT devices has come with significant security challenges, including intrinsic security vulnerabilities, limited computing power, and the absence of timely security updates. Attacks leveraging such shortcomings could lead to severe consequences, including data breaches and potential disruptions to critical infrastructures. In response to these challenges, this research paper presents the IoT Proxy, a modular component designed to create a more resilient and secure IoT environment, especially in resource-limited scenarios. The core idea behind the IoT Proxy is to externalize security-related aspects of IoT devices by channeling their traffic through a secure network gateway equipped with different Virtual Network Security Functions (VNSFs). Our solution includes a Virtual Private Network (VPN) terminator and an Intrusion Prevention System (IPS) that uses a machine learning-based technique called oblivious authentication to identify connected devices. The IoT Proxy’s modular, scalable, and externalized security approach creates a more resilient and secure IoT environment, especially for resource-limited IoT devices. The promising experimental results from laboratory testing demonstrate the suitability of IoT Proxy to secure real-world IoT ecosystems