10 research outputs found

    Hyper-NF: synthesizing chains of virtualized network functions

    Middleboxes are essential to the functioning of today's internet. They are, for instance, used to secure networks, to enhance performance (e.g., throughput, scalability or end-user latency) or to monitor traffic. Although middleboxes are usually deployed through expensive dedicated hardware, the past 15 years have seen the emergence of a new paradigm: network function virtualisation (NFV). In the NFV context, middleboxes are implemented in software on commodity hardware, thus reducing costs and increasing flexibility. Some of the most recent work even boasts performance equal to that of hardware middleboxes (e.g., line-rate throughput). However, none of the frameworks that we could find were suited to implementing chains of virtualised middleboxes. Indeed, it is often the case that a packet must cross numerous middleboxes when traversing the internet. In order for an NFV deployment to scale out and reduce the network overhead, one would wish to be able to deploy all these middleboxes on the same physical machine. We provide an evaluation of a state-of-the-art NFV framework that shows that the throughput of a chain of 8 middleboxes running on the same server can be as much as 5 times smaller than the throughput of a single middlebox. We then introduce Hyper-NF, a new NFV framework specifically designed for implementing chains of virtualised middleboxes. Hyper-NF eliminates redundant packet and I/O operations. Given a chain of middleboxes, it uses graph search and set theory to generate a single equivalent middlebox that only uses one read and one write operation per packet. Experimentation with middlebox deployments inspired by real-world use cases shows that Hyper-NF achieves constant throughput and latency despite the increasing number of chained middleboxes. Thus, it achieves considerably better performance than traditional deployments.
On a chain of 8 virtualised middleboxes, Hyper-NF has a 5 times higher throughput, a 10 times lower latency and uses 8.5 times fewer CPU cycles per packet.
Middleboxes are absolutely essential to today's internet. They are needed to secure networks, to improve performance (for example throughput, latency or scalability) or to monitor network traffic. Middleboxes are usually built with expensive, dedicated hardware, but a new paradigm has developed in recent years: network function virtualization (NFV). In NFV, middleboxes are provided by flexible software on cheap commodity hardware. Some current frameworks even deliver the same performance as hardware middleboxes (e.g., line-rate throughput). These frameworks, however, are not suited to implementing chains of virtualized middleboxes. A network packet must often pass through many middleboxes as it crosses the internet. It would therefore be better to deploy several virtual middleboxes on the same machine. This would reduce the load on the network, and NFV deployments could scale out. We show that even with a state-of-the-art NFV framework, the throughput of a chain of 8 middleboxes running on the same computer is 5 times lower than that of a single virtual middlebox. We introduce Hyper-NF, a new NFV framework that we designed specifically to implement chains of virtualized middleboxes. Hyper-NF eliminates redundant I/O and packet operations. It transforms a chain of middleboxes into a single middlebox with similar functionality using set theory and graph search. The resulting middlebox uses only one read and one write operation per packet. We tested Hyper-NF with middlebox deployments inspired by real-world use cases. Hyper-NF achieves constant performance (throughput and latency) even as we increase the number of middleboxes in the chain. It is thus considerably better than traditional frameworks.
On a chain of 8 virtualized middleboxes, Hyper-NF has a 5 times higher throughput, a 10 times lower latency and uses 8.5 times fewer CPU cycles per packet.

    Du routage centré contenu pour l'internet des objets

    As the Internet of Things (IoT) has brought about new communication patterns and challenges, Information-Centric Networking (ICN) has been touted as a potential solution. To confirm that hypothesis, the fundamental issue of routing and forwarding in the ICN-IoT must be addressed. This thesis investigates this topic across the IoT architecture. First, a scheme to securely forward ICN interest packets based on geographic coordinates is proposed for low-power wireless sensor networks (WSN). Its efficiency is compared to an optimized flooding-based scheme similar to current ICN-WSN approaches in terms of deployability and scalability using an analytical model. Realistic data for the model is derived from a mixture of simulation, literature study, and experiments on state-of-the-art sensor boards. Geographic forwarding is shown to halve the memory footprint of the ICN stack on reference deployments and to yield significant energy savings, especially for dynamic topologies. Second, ICN is used to enhance admission control (AC) to fixed-capacity Edge-computing platforms to guarantee request-completion time for latency-constrained applications. The LRU-AC, a request-aware AC strategy based on online learning of the request popularity distribution through a Least-Recently-Used (LRU) filter, is proposed. Using a queueing model, the LRU-AC is shown to decrease the number of requests that must be offloaded to the Cloud. An implementation of the LRU-AC on FPGA hardware is then proposed, using Ageing Bloom Filters (ABF) to provide a compact memory representation. The validity of using ABFs for the LRU-AC is proven through analytical modelling. The implementation provides high throughput and low latency. Finally, the management and virtualization of ICN-IoT networks are considered. vICN (virtualized ICN), a unified intent-based framework for network configuration and management that uses recent progress in resource isolation and virtualization techniques, is introduced.
It offers a single, flexible and scalable platform to serve different purposes, ranging from reproducible large-scale research experimentation to demonstrations with emulated and/or physical devices and network resources and to real deployments of ICN in existing IP networks.
Information-centric networks (ICN) are considered a solution to the new challenges and communication patterns tied to the emergence of the Internet of Things (IoT). To confirm this hypothesis, the fundamental problem of routing in ICN-IoT networks must be addressed. This thesis treats this subject across the IoT architecture. First, a secure method is introduced for forwarding ICN packets based on geographic coordinates in a low-power wireless sensor network. It is compared to an optimized flooding of the network inspired by existing approaches in the literature. In particular, their feasibility and scalability are evaluated through a mathematical model. The model is parameterized with realistic data drawn from simulation, from the literature, and from experiments on sensors. Geographic routing is shown to halve the memory required on the sensors and to reduce considerably the energy cost of routing, in particular for dynamic topologies. Next, ICN is used to control admission to a Fog-type computing platform in order to guarantee response time. The proposed admission control strategy, the LRU-AC, uses the Least-Recently-Used (LRU) algorithm to learn the request popularity distribution online. Its effectiveness is demonstrated with a model based on a network of queues. An implementation of the LRU-AC is proposed, using Bloom filters to satisfy the constraints of FPGA boards.
Its validity is proven by a mathematical model and its effectiveness in terms of latency and throughput is demonstrated. Finally, vICN is presented, a tool for the management and virtualization of ICN-IoT networks. It is a platform that unifies the configuration and management of networks and applications by exploiting progress in isolation and virtualization techniques. vICN is flexible, scales, and can serve different purposes: reproducible large-scale experiments for research, demonstrations mixing emulated and physical machines, and real deployments of ICN technologies in existing IP networks.

    SLICT: Secure Localized Information Centric Things

    While the potential advantages of geographic forwarding in wireless sensor networks (WSN) have been demonstrated for a while now, research in applying Information Centric Networking (ICN) has only gained momentum in the last few years. In this paper, we bridge these two worlds by proposing an ICN-compliant and secure implementation of geographic forwarding for ICN. We implement as a proof of concept the Greedy Perimeter Stateless Routing (GPSR) algorithm and compare its performance to that of vanilla ICN forwarding. We also evaluate the cost of security in 802.15.4 networks in terms of energy, memory and CPU footprint. We show that in sparse but large networks, GPSR outperforms vanilla ICN forwarding in both memory footprint and CPU consumption. However, GPSR is more energy intensive because of the cost of communications

    On the Cost of Secure Association of Information Centric Things

    Information Centric Networking (ICN) paradigms nicely fit the world of wireless sensors, whose devices have tight constraints. In this poster, we compare two alternative designs for secure association of new IoT devices in existing ICN deployments, which are based on asymmetric and symmetric cryptography respectively. While the security properties of both approaches are equivalent, an interesting trade-off arises between properties of the protocol vs properties of its implementation in current IoT boards. Indeed, while the asymmetric-keys based approach incurs a lower traffic overhead (of about 30%), we find that its implementation is significantly more energy- and time-consuming due to the cost of cryptographic operations (it requires up to 41x more energy and 8x more time)

    Joint Monitorless Load-Balancing and Autoscaling for Zero-Wait-Time in Data Centers

    Cloud architectures achieve scaling through two main functions: (i) load-balancers, which dispatch queries among replicated virtualized application instances, and (ii) autoscalers, which automatically adjust the number of replicated instances to accommodate variations in load patterns. These functions are often provided through centralized load monitoring, incurring operational complexity. This paper introduces a unified and centralized-monitoring-free architecture achieving both autoscaling and load-balancing, reducing operational overhead while increasing response time performance. Application instances are virtually ordered in a chain, and new queries are forwarded along this chain until an instance, based on its local load, accepts the query. Autoscaling is triggered by the last application instance, which inspects its average load and infers if its chain is under- or over-provisioned. An analytical model of the system is derived, and proves that the proposed technique can achieve asymptotic zero-wait time with high (and controllable) probability. This result is confirmed by extensive simulations, which highlight close-to-ideal performance in terms of both response time and resource costs

    On the Cost of Geographic Forwarding for Information-Centric Things


    SNF: synthesizing high performance NFV service chains

    In this paper we introduce SNF, a framework that synthesizes (S) network function (NF) service chains by eliminating redundant I/O and repeated elements, while consolidating stateful cross layer packet operations across the chain. SNF uses graph composition and set theory to determine traffic classes handled by a service chain composed of multiple elements. It then synthesizes each traffic class using a minimal set of new elements that apply single-read-single-write and early-discard operations. Our SNF prototype takes a baseline state of the art network functions virtualization (NFV) framework to the level of performance required for practical NFV service deployments. Software-based SNF realizes long (up to 10 NFs) and stateful service chains that achieve line-rate 40 Gbps throughput (up to 8.5x greater than the baseline NFV framework). Hardware-assisted SNF, using a commodity OpenFlow switch, shows that our approach scales at 40 Gbps for Internet Service Provider-level NFV deployments

    SNF: synthesizing high performance NFV service chains (distributed under Creative Commons CC-BY 4.0)

    In this paper we introduce SNF, a framework that synthesizes (S) network function (NF) service chains by eliminating redundant I/O and repeated elements, while consolidating stateful cross layer packet operations across the chain. SNF uses graph composition and set theory to determine traffic classes handled by a service chain composed of multiple elements. It then synthesizes each traffic class using a minimal set of new elements that apply single-read-single-write and early-discard operations. Our SNF prototype takes a baseline state of the art network functions virtualization (NFV) framework to the level of performance required for practical NFV service deployments. Software-based SNF realizes long (up to 10 NFs) and stateful service chains that achieve line-rate 40 Gbps throughput (up to 8.5x greater than the baseline NFV framework). Hardware-assisted SNF, using a commodity OpenFlow switch, shows that our approach scales at 40 Gbps for Internet Service Provider-level NFV deployments. Subjects: Computer Networks and Communication