19 research outputs found

    Overcoming the memory limits of network devices in SDN-enabled data centers

    Abstract: In extremely connected and dynamic environments, such as data centers, SDN network devices can be exploited to simplify the management of network provisioning. However, they leverage on TCAMs to implement the flow tables, i.e., on size-limited memories that can be quickly filled up when fine-grained traffic control is required, eventually preventing the installation of new forwarding rules. In this work, we demonstrate how this issue can be mitigated by means of a novel flow rule swapping mechanism. Specifically, we first show the negative effects of a full TCAM on a video streaming service provided by an SDN-enabled data center. Then, we show that our swapping mechanism helps in overcoming the inability to properly access a media content available in the data center, by temporarily moving the least matched flow rules from the TCAM to a larger memory outside the SDN device

    Towards an automated framework to instantiate virtual networks in OpenFlow-based infrastructures

    The explosion of cloud applications and data-centres technologies has recently renewed the interest of both academic and industrial research community on network virtualisation techniques. The increasing availability of programmable network devices and the pervasive adoption of a software-defined networking approach in all segments of the network are paving the way toward novel virtualisation approaches which aim at improving network management operations while guaranteeing a better utilisation of resources especially when compared to traditional overlay-based techniques widely used in data-centre settings. In this paper, the experience gained by the authors in the development and deployment of an innovative network virtualisation framework on an OpenFlow-based programmable experimental facility is provided and discussed in detail. Despite its specific application to a Future Internet testbed scenario, the proposed architecture is a first step toward a completely automatic management of virtual networks in OpenFlow-based software-defined networks

    An effective swapping mechanism to overcome the memory limitation of SDN devices

    Thanks to its 1-cycle lookup performance, the Ternary Content Addressable Memory (TCAM) is considered an essential hardware component for the deployment of high-performance Software-Defined Networks (SDN). Unfortunately, in many network scenarios, TCAMs can quickly fill due to their limited memory size, thus preventing the installation of new flow-rules and leading to inefficient traffic forwarding. This issue has already been addressed in computer programming, where Virtual Memory is offered to applications to mimic a much larger physical memory, by swapping memory pages to disk. In a previous work, we proposed and discussed the architecture of a Memory Management System (MMS) for SDN controllers that, like the analogous process for computer Operating Systems, optimizes the memory usage and prevents anomalies due to lack of memory space. This work proposes a memory swapping mechanism for SDN controllers, a function of the MMS which gives SDN applications the illusion of unlimited memory space in the forwarding devices, without requiring any hardware modification or changes in the control protocol. The paper discusses the memory swapping mechanism design, its implementation and proves its quality using real traffic traces, demonstrating lower TCAM memory utilization and potentially increased network performance in terms of end-to-end throughput. A prototype of the MMS is available for testing as an open source project

    TinyKey, a pragmatic and energy efficient security layer for wireless sensor networks

    While sharing some commonalities with a canonical computer network, a Wireless Sensor Network (WSN) presents many aspects which are unique. Security mechanisms in a WSN are mainly devoted to protect both the resources from attacks and misbehaviour of nodes and the information transferred throughout the network itself. While the vast majority of the works on security for WSN in literature are focusing on novel mechanisms or performance evaluation in "protected" environment like simulators or dedicated WSN testbeds, to the best of our knowledge there are no existing works describing the performance of security mechanisms in operational WSN dealing with real-world applications. In this chapter, we present TinyKey, a security architecture for WSNs that takes into account pragmatic concerns of a real-world deployment. For instance, most of the approaches in literature have neglected mechanisms related to key management. TinyKey comes with an integrated key management system that can be used in several deployments. We have developed TinyKey to satisfy the security requirements of two application scenarios aiming at developing and deploying real-world applications based on WSNs. One project aims at improving the safety of the road tunnels around the city of Trento while the second project focuses on improving the quality of life of elderly people with assisted-living technologies. As a result, we have been able to measure the performances of TinyKey in real deployments and not in simulated environments

    Empowering Network Operating Systems with Memory Management Techniques

    Similarly to computer operating systems which guarantee safe access to memory resources, Network Operating Systems shall grant SDN applications a reliable access to neatly organized flow table resources. This paper presents the architecture for a controller-agnostic Memory Management System and some of its functionalities that aim at improving flow table usage and preventing network misconfigurations. From the implementation perspective, this work discusses the applicability of the proposed system, a strategy to evaluate it and current open challenges

    An Approach to Exposing and Sharing Network Services in Software-Defined Networking

    The ecosystem of SDN controllers and programmable devices is extremely fragmented: a number of controller platforms and companion tools is available, each of them based on a very different set of features. Moreover, most of the SDN controller frameworks provide a limited set of functionalities to applications that can be deployed on top (usually leveraging on a set of northbound APIs

    A datapath-centric virtualization mechanism for OpenFlow networks

    Abstract: The adoption of a robust and scalable network virtualization framework is a key requirement in order to make the vision of a shareable network infrastructure a reality. To this aim, one of the most suitable approaches is the one which takes advantage of the emerging paradigm of Software-Defined Networking (SDN) and OpenFlow, its de-facto standard. Several virtualization frameworks have been proposed in the last few years, however, they are either based on proxy-based solutions that raise scalability and robustness issues (FlowVisor), or they rely on a simplified view of the data path (generally based on Open vSwitch instances) that has little chance to be adopted in production network settings. This paper presents a novel OpenFlow-based network virtualization mechanism exploiting a recent open-source data path project named extensible Data path Daemon (xDPd), the proposed multi-platform data path is based on a robust distributed virtualization architecture that is able to run on multi-version OpenFlow switch network scenarios, has a minimal overhead from a performance point of view and can be easily ported on several hardware platforms via xDPd libraries

    A Non-disruptive Automated Approach to Update SDN Applications at Runtime

    The Memory Management Subsystem (MMS) provides automated services for SDN controllers that optimize the management of network devices' memory. Among other functions, it cleans the memory of network devices upon the update or the removal of SDN applications. The potential of this MMS function is demonstrated in a scenario where a critical security update for a network application would be otherwise ineffective

    Dynamic and Application-Aware Provisioning of Chained Virtual Security Network Functions

    A promising area of application for Network Function Virtualization is in network security, where chains of Virtual Security Network Functions (VSNFs), i.e., security-specific virtual functions such as firewalls or Intrusion Prevention Systems, can be dynamically created and configured to inspect, filter or monitor the network traffic. However, the traffic handled by VSNFs could be sensitive to specific network requirements, such as minimum bandwidth or maximum end-to-end latency. Therefore, the decision on which VSNFs should apply for a given application, where to place them and how to connect them, should take such requirements into consideration. Otherwise, security services could affect the quality of service experienced by customers. In this paper we propose PESS (Progressive Embedding of Security Services), a solution to efficiently deploy chains of virtualised security functions based on the security requirements of individual applications and operators' policies, while optimizing resource utilization. We provide the PESS mathematical model and heuristic solution. Simulation results show that, compared to state-of-the-art application-agnostic VSNF provisioning models, PESS reduces computational resource utilization by up to 50%, in different network scenarios. This result ultimately leads to a higher number of provisioned security services and to up to a 40% reduction in end-to-end latency of application traffic

    Policy-based Restoration in IP/Optical Transport Networks

    Restoration in transport networks is typically facilitated using reactive techniques at different layers, namely optical and IP restoration [1]. Optical restoration involves re-routing an existing optical connection (i.e., a lightpath) around a failure (e.g. link, amplifier, switch and transponder failures) in the optical layer. This strategy is efficient in terms of resource utilization, as backup resources are reserved dynamically after the failure and therefore are not blocked during normal operation. However, equipment reconfiguration and power equalization processes in the optical domain are relatively slow (order of seconds), and are thus not suitable for time critical services