BPFabric: Data Plane Programmability for Software Defined Networks

In its current form, OpenFlow, the de facto implementation of SDN, separates the network’s control and data planes allowing a central controller to alter the matchaction pipeline using a limited set of fields and actions. To support new protocols, forwarding logic, telemetry, monitoring or even middlebox-like functions the currently available programmability in SDN is insufficient. In this paper, we introduce BPFabric, a platform, protocol, and language-independent architecture to centrally program and monitor the data plane. BPFabric leverages eBPF, a platform and protocol independent instruction set to define the packet processing and forwarding functionality of the data plane. We introduce a control plane API that allows data plane functions to be deployed onthe-fly, reporting events of interest and exposing network internal state. We present a raw socket and DPDK implementation of the design, the former for large-scale experimentation using environment such as Mininet and the latter for high-performance low-latency deployments. We show through examples that functions unrealisable in OpenFlow can leverage this flexibility while achieving similar or better performance to today’s static design

GNFC: Towards Network Function Cloudification

An increasing demand is seen from enterprises to host and dynamically manage middlebox services in public clouds in order to leverage the same benefits that network functions provide in traditional, in-house deployments. However, today's public clouds provide only a limited view and programmability for tenants that challenges flexible deployment of transparent, software-defined network functions. Moreover, current virtual network functions can't take full advantage of a virtualized cloud environment, limiting scalability and fault tolerance. In this paper we review and evaluate the current infrastructural limitations imposed by public cloud providers and present the design and implementation of GNFC, a cloud-based Network Function Virtualization (NFV) framework that gives tenants the ability to transparently attach stateless, container-based network functions to their services hosted in public clouds. We evaluate the proposed system over three public cloud providers (Amazon EC2, Microsoft Azure and Google Compute Engine) and show the effects on end-to-end latency and throughput using various instance types for NFV hosts

Roaming Edge vNFs using Glasgow Network Functions

While the network edge is becoming more important for the provision of customized services in next generation mobile networks, current NFV architectures are unsuitable to meet the increasing future demand. They rely on commodity servers with resource-hungry Virtual Machines that are unable to provide the high network function density and mobility requirements necessary for upcoming wide-area and 5G networks. In this demo, we showcase Glasgow Network Functions (GNF), a virtualization framework suitable for next generation mobile networks that exploits lightweight network functions (NFs) deployed at the edge and transparently following users' devices as they roam between cells

Arbitrary Packet Matching in OpenFlow

OpenFlow has emerged as the de facto control protocol to implement Software-Defined Networking (SDN). In its current form, the protocol specifies a set of fields on which it matches packets to perform actions, such as forwarding, discarding or modifying specific protocol header fields at a switch. The number of match fields has increased with every version of the protocol to extend matching capabilities, however, it is still not flexible enough to match on arbitrary packet fields which limits innovation and new protocol development with OpenFlow. In this paper, we argue that a fully flexible match structure is superior to continuously extending the number of fields to match upon. We use Berkeley Packet Filters (BPF) for packet classification to provide a protocol-independent, flexible alternative to today’s OpenFlow fixed match fields. We have implemented a prototype system and evaluated the performance of the proposed match scheme, with a focus on the time it takes to execute and the memory required to store different match filter specifications. Our prototype implementation demonstrates that line-rate arbitrary packet classification can be achieved with complex BPF programs

Distributed Network Anomaly Detection on an Event Processing Framework

Network Intrusion Detection Systems (NIDS) are an integral part of modern data centres to ensure high availability and compliance with Service Level Agreements (SLAs). Currently, NIDS are deployed on high-performance, high-cost middleboxes that are responsible for monitoring a limited section of the network. The fast increasing size and aggregate throughput of modern data centre networks have come to challenge the current approach to anomaly detection to satisfy the fast growing compute demand. In this paper, we propose a novel approach to distributed intrusion detection systems based on the architecture of recently proposed event processing frameworks. We have designed and implemented a prototype system using Apache Storm to show the benefits of the proposed approach as well as the architectural differences with traditional systems. Our system distributes modules across the available devices within the network fabric and uses a centralised controller for orchestration, management and correlation. Following the Software Defined Networking (SDN) paradigm, the controller maintains a complete view of the network but distributes the processing logic for quick event processing while performing complex event correlation centrally. We have evaluated the proposed system using publicly available data centre traces and demonstrated that the system can scale with the network topology while providing high performance and minimal impact on packet latency

Judging Leaders Who Facilitate Crimes by a Foreign Army: International Courts Differ on a Novel Legal Issue

In one of the most significant cases in the history of international criminal law, Prosecutor v. Perisic, the International Criminal Tribunal for the Former Yugoslavia (ICTY) effectively addressed an issue of first impression: may a military or political leader be convicted for knowingly facilitating crimes by another state\u27s army? The influential tribunal answered this question in the negative--knowledge that the recipients of military assistance are perpetrating crimes is essentially irrelevant absent evidence that the facilitator specifically intended that crimes occur. The ICTY Appeals Chamber thus acquitted Serbian General Momilo Peridid, who had been convicted at trial of knowingly aiding and abetting atrocities by the Bosnian Serb army in Sarajevo and Srebrenica between 1993 and 1995. The record suggests that certain judges were concerned that convicting individuals like Perisic could potentially disrupt international relations by casting too wide a net for convicting leaders whose provision of military aid facilitates crimes by a foreign army. The Special Court for Sierra Leone subsequently held that the controversial Perisic precedent did not comport with customary international law, and therefore affirmed the conviction of Charles Taylor, the former Liberian President, for knowingly assisting atrocities by rebel forces during the Sierra Leone Civil War. In an even more striking development, a different ICTY appellate panel thereafter reversed the Perisic legal standard on the ground that it neither comported with ICTY jurisprudence nor customary international law. This Article analyzes this historic turn of events and explores the appropriate legal standard to convict leaders who enable atrocities by a foreign army